• Steven Rostedt (VMware)'s avatar
    ring-buffer: Mask out the info bits when returning buffer page length · 9dc96489
    Steven Rostedt (VMware) authored
    commit 45d8b80c upstream.
    
    Two info bits were added to the "commit" part of the ring buffer data page
    when returned to be consumed. This was to inform the user space readers that
    events have been missed, and that the count may be stored at the end of the
    page.
    
    What wasn't handled, was the splice code that actually called a function to
    return the length of the data in order to zero out the rest of the page
    before sending it up to user space. These data bits were returned with the
    length making the value negative, and that negative value was not checked.
    It was compared to PAGE_SIZE, and only used if the size was less than
    PAGE_SIZE. Luckily PAGE_SIZE is unsigned long which made the compare an
    unsigned compare, meaning the negative size value did not end up causing a
    large portion of memory to be randomly zeroed out.
    
    Fixes: 66a8cb95 ("ring-buffer: Add place holder recording of dropped events")
    Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    9dc96489
ring_buffer.c 131 KB