From: Steven Rostedt <[email protected]>

There currently isn't a max limit on how big an event probe can be. One
could make an event greater than PAGE_SIZE, which makes the event useless
because if it's bigger than the max event that can be recorded into the
ring buffer, then it will never be recorded.

An event probe should never need to be greater than 3K, so make that the
max size. As long as the max is less than the max that can be recorded
onto the ring buffer, it should be fine.

Cc: [email protected]
Fixes: 93ccae7a22274 ("tracing/kprobes: Support basic types on dynamic events")
Signed-off-by: Steven Rostedt <[email protected]>
---
 kernel/trace/trace_probe.c | 6 ++++++
 kernel/trace/trace_probe.h | 4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
index e1c73065dae5..e0d3a0da26af 100644
--- a/kernel/trace/trace_probe.c
+++ b/kernel/trace/trace_probe.c
@@ -1523,6 +1523,12 @@ static int traceprobe_parse_probe_arg_body(const char 
*argv, ssize_t *size,
        parg->offset = *size;
        *size += parg->type->size * (parg->count ?: 1);
 
+       if (*size > MAX_PROBE_EVENT_SIZE) {
+               ret = -E2BIG;
+               trace_probe_log_err(ctx->offset, EVENT_TOO_BIG);
+               goto fail;
+       }
+
        if (parg->count) {
                len = strlen(parg->type->fmttype) + 6;
                parg->fmt = kmalloc(len, GFP_KERNEL);
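
Review bot: The new `if (*size > MAX_PROBE_EVENT_SIZE)` test runs on the running total built by `*size += parg->type->size * (parg->count ?: 1)`, so it bounds only what is accumulated there; a short comment above the check saying that this total is the figure that must fit in a ring buffer event, and whether anything recorded outside it is covered by the headroom under the ring buffer maximum, would make the guarantee explicit. It is also worth confirming that `ctx->offset` still points at the offending argument at this stage, so the position reported by `trace_probe_log_err()` is useful to the user.
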
diff --git a/kernel/trace/trace_probe.h b/kernel/trace/trace_probe.h
index 9fc56c937130..262d8707a3df 100644
--- a/kernel/trace/trace_probe.h
+++ b/kernel/trace/trace_probe.h
@@ -38,6 +38,7 @@
 #define MAX_BTF_ARGS_LEN       128
 #define MAX_DENTRY_ARGS_LEN    256
 #define MAX_STRING_SIZE                PATH_MAX
+#define MAX_PROBE_EVENT_SIZE   3072
 
 /* Reserved field names */
 #define FIELD_STRING_IP                "__probe_ip"
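
Review bot: `MAX_PROBE_EVENT_SIZE` is added as a bare 3072 with no comment, although the commit message makes its correctness depend on staying below the largest event the ring buffer can record. A one-line comment stating that constraint next to the define would keep a later change from raising it past the limit, and a build-time check against the ring buffer's maximum event size would be stronger still.
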
@@ -561,7 +562,8 @@ extern int traceprobe_define_arg_fields(struct 
trace_event_call *event_call,
        C(BAD_TYPE4STR,         "This type does not fit for string."),\
        C(NEED_STRING_TYPE,     "$comm and immediate-string only accepts string 
type"),\
        C(TOO_MANY_ARGS,        "Too many arguments are specified"),    \
-       C(TOO_MANY_EARGS,       "Too many entry arguments specified"),
+       C(TOO_MANY_EARGS,       "Too many entry arguments specified"),  \
+       C(EVENT_TOO_BIG,        "Event too big (too many fields?)"),
 
 #undef C
 #define C(a, b)                TP_ERR_##a
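
Review bot: The `EVENT_TOO_BIG` text hints only at "too many fields?", but the size being checked is multiplied by `parg->count`, so a single large array argument can trigger it as well. Consider wording that covers both cases or that states the limit, so the user knows what to reduce.
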
-- 
2.53.0

