From: Pratyush Yadav ptyadav@amazon.de
full_hit() directly uses cpu as an array index. Since RING_BUFFER_ALL_CPUS == -1, calling full_hit() with cpu == RING_BUFFER_ALL_CPUS will cause an invalid memory access.
The upstream commit 42fb0a1e84ff ("tracing/ring-buffer: Have polling block on watermark") already does this. This was missed when backporting to v5.4.y.
This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc.
Fixes: e65ac2bdda54 ("tracing/ring-buffer: Have polling block on watermark") Signed-off-by: Pratyush Yadav ptyadav@amazon.de Acked-by: Steven Rostedt (Google) rostedt@goodmis.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- kernel/trace/ring_buffer.c | 1 + 1 file changed, 1 insertion(+)
--- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -727,6 +727,7 @@ __poll_t ring_buffer_poll_wait(struct ri
if (cpu == RING_BUFFER_ALL_CPUS) { work = &buffer->irq_work; + full = 0; } else { if (!cpumask_test_cpu(cpu, buffer->cpumask)) return -EINVAL;