From: Vincent Donnefort <vdonnefort@google.com>
Date: Fri, 10 Apr 2026 12:45:27 +0000 (+0100)
Subject: ring-buffer: Prevent off-by-one array access in ring_buffer_desc_page()
X-Git-Url: http://git.ipfire.org/index.cgi?a=commitdiff_plain;h=6170922f137231b98fc568571befef63e1edff3f;p=thirdparty%2Fkernel%2Flinux.git

ring-buffer: Prevent off-by-one array access in ring_buffer_desc_page()

As pointed out by Smatch, the ring-buffer descriptor array page_va is
counted by nr_page_va, but the accessor ring_buffer_desc_page() allows
access off by one.

Currently, this does not cause problems, as the page ID always comes
from a trusted source. Nonetheless, ensure robustness and fix the
accessor. While at it, make the page_id unsigned.

Link: https://patch.msgid.link/20260410124527.3563970-1-vdonnefort@google.com
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Vincent Donnefort <vdonnefort@google.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
---

diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index 839a6424d0edc..cef49f8871d2e 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -2238,9 +2238,9 @@ static struct ring_buffer_desc *ring_buffer_desc(struct trace_buffer_desc *trace
 	return NULL;
 }
 
-static void *ring_buffer_desc_page(struct ring_buffer_desc *desc, int page_id)
+static void *ring_buffer_desc_page(struct ring_buffer_desc *desc, unsigned int page_id)
 {
-	return page_id > desc->nr_page_va ? NULL : (void *)desc->page_va[page_id];
+	return page_id >= desc->nr_page_va ? NULL : (void *)desc->page_va[page_id];
 }
 
 static int __rb_allocate_pages(struct ring_buffer_per_cpu *cpu_buffer,