ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()

commit 40ee2afafc1d9fe3aa44a6fbe440d78a5c96a72e upstream.

Enlarge the critical section in ring_buffer_subbuf_order_set() to
ensure that error handling takes place with per-buffer mutex held,
thus preventing list corruption and other concurrency-related issues.

Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Tzvetomir Stoyanov <tz.stoyanov@gmail.com>
Link: https://lore.kernel.org/20250606112242.1510605-1-dmantipov@yandex.ru
Reported-by: syzbot+05d673e83ec640f0ced9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=05d673e83ec640f0ced9
Fixes: f9b94daa542a8 ("ring-buffer: Set new size of the ring buffer sub page")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index 154d4d78acb50f755b4068bd1be465622bc0f7b1..e95e96cd29d3b5a63a45652d303dc59f675d49d3 100644 (file)
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -6754,7 +6754,7 @@ int ring_buffer_subbuf_order_set(struct trace_buffer *buffer, int order)
        old_size = buffer->subbuf_size;
 
        /* prevent another thread from changing buffer sizes */
-       mutex_lock(&buffer->mutex);
+       guard(mutex)(&buffer->mutex);
        atomic_inc(&buffer->record_disabled);
 
        /* Make sure all commits have finished */
@@ -6859,7 +6859,6 @@ int ring_buffer_subbuf_order_set(struct trace_buffer *buffer, int order)
        }
 
        atomic_dec(&buffer->record_disabled);
-       mutex_unlock(&buffer->mutex);
 
        return 0;
 
@@ -6868,7 +6867,6 @@ error:
        buffer->subbuf_size = old_size;
 
        atomic_dec(&buffer->record_disabled);
-       mutex_unlock(&buffer->mutex);
 
        for_each_buffer_cpu(buffer, cpu) {
                cpu_buffer = buffer->buffers[cpu];