Re: [PATCH] coresight: ultrasoc-smb: Fix OOB write in smb_sync_perf_buffer()

Next message: Andy Shevchenko: "[PATCH v1 1/1] fs/read_write: Do not export __kernel_write() to the entire world"
Previous message: Andrew Cooper: "Re: Save a WRMSR GS.base?"
In reply to: Junrui Luo: "[PATCH] coresight: ultrasoc-smb: Fix OOB write in smb_sync_perf_buffer()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Suzuki K Poulose

Date: Thu Jun 04 2026 - 05:30:54 EST

On Thu, 04 Jun 2026 15:34:25 +0800, Junrui Luo wrote:
> When the SMB sink is used as a perf AUX sink, smb_update_buffer() calls
> smb_sync_perf_buffer() to copy hardware trace data into the perf AUX ring
> buffer pages. It derives pg_idx = head >> PAGE_SHIFT from @head, which is
> handle->head, and indexes dst_pages[pg_idx]. The pg_idx %= nr_pages
> normalization is only applied after the first loop iteration.
>
> This leaves the initial page index underived from the buffer size, which
> can result in an out-of-bounds write past dst_pages[] when head exceeds
> the AUX buffer size.
>
> [...]

Applied, thanks!

[1/1] coresight: ultrasoc-smb: Fix OOB write in smb_sync_perf_buffer()
https://git.kernel.org/coresight/c/98495b5a4d77

Best regards,
--
Suzuki K Poulose <suzuki.poulose@xxxxxxx>