--- /dev/null
+From stable+bounces-247655-greg=kroah.com@vger.kernel.org Fri May 15 13:26:37 2026
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 15 May 2026 12:54:15 +0200
+Subject: batman-adv: stop tp_meter sessions during mesh teardown
+To: stable@vger.kernel.org
+Cc: Jiexun Wang <wangjiexun2025@gmail.com>, stable@kernel.org, Yuan Tan <yuantan098@gmail.com>, Yifan Wu <yifanwucs@gmail.com>, Juefei Pu <tomapufckgml@gmail.com>, Xin Liu <bird@lzu.edu.cn>, Luxing Yin <tr0jan@lzu.edu.cn>, Ren Wei <n05ec@lzu.edu.cn>, Sven Eckelmann <sven@narfation.org>
+Message-ID: <20260515105416.153949-1-sven@narfation.org>
+
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+
+commit 3d3cf6a7314aca4df0a6dde28ce784a2a30d0166 upstream.
+
+TP meter sessions remain linked on bat_priv->tp_list after the netlink
+request has already finished. When the mesh interface is removed,
+batadv_mesh_free() currently tears down the mesh without first draining
+these sessions.
+
+A running sender thread or a late incoming tp_meter packet can then keep
+processing against a mesh instance which is already shutting down.
+Synchronize tp_meter with the mesh lifetime by stopping all active
+sessions from batadv_mesh_free() and waiting for sender threads to exit
+before teardown continues.
+
+Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
+Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
+Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+[ Context ]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/main.c | 1
+ net/batman-adv/tp_meter.c | 94 +++++++++++++++++++++++++++++++++++++---------
+ net/batman-adv/tp_meter.h | 1
+ net/batman-adv/types.h | 4 +
+ 4 files changed, 82 insertions(+), 18 deletions(-)
+
+--- a/net/batman-adv/main.c
++++ b/net/batman-adv/main.c
+@@ -263,6 +263,7 @@ void batadv_mesh_free(struct net_device
+ atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
+
+ batadv_purge_outstanding_packets(bat_priv, NULL);
++ batadv_tp_stop_all(bat_priv);
+
+ batadv_gw_node_free(bat_priv);
+
+--- a/net/batman-adv/tp_meter.c
++++ b/net/batman-adv/tp_meter.c
+@@ -12,6 +12,7 @@
+ #include <linux/byteorder/generic.h>
+ #include <linux/cache.h>
+ #include <linux/compiler.h>
++#include <linux/completion.h>
+ #include <linux/container_of.h>
+ #include <linux/err.h>
+ #include <linux/etherdevice.h>
+@@ -365,23 +366,38 @@ static void batadv_tp_vars_put(struct ba
+ }
+
+ /**
+- * batadv_tp_sender_cleanup() - cleanup sender data and drop and timer
+- * @bat_priv: the bat priv with all the soft interface information
+- * @tp_vars: the private data of the current TP meter session to cleanup
++ * batadv_tp_list_detach() - remove tp session from mesh session list once
++ * @tp_vars: the private data of the current TP meter session
+ */
+-static void batadv_tp_sender_cleanup(struct batadv_priv *bat_priv,
+- struct batadv_tp_vars *tp_vars)
++static void batadv_tp_list_detach(struct batadv_tp_vars *tp_vars)
+ {
+- cancel_delayed_work(&tp_vars->finish_work);
++ bool detached = false;
+
+ spin_lock_bh(&tp_vars->bat_priv->tp_list_lock);
+- hlist_del_rcu(&tp_vars->list);
++ if (!hlist_unhashed(&tp_vars->list)) {
++ hlist_del_init_rcu(&tp_vars->list);
++ detached = true;
++ }
+ spin_unlock_bh(&tp_vars->bat_priv->tp_list_lock);
+
++ if (!detached)
++ return;
++
++ atomic_dec(&tp_vars->bat_priv->tp_num);
++
+ /* drop list reference */
+ batadv_tp_vars_put(tp_vars);
++}
+
+- atomic_dec(&tp_vars->bat_priv->tp_num);
++/**
++ * batadv_tp_sender_cleanup() - cleanup sender data and drop and timer
++ * @tp_vars: the private data of the current TP meter session to cleanup
++ */
++static void batadv_tp_sender_cleanup(struct batadv_tp_vars *tp_vars)
++{
++ cancel_delayed_work_sync(&tp_vars->finish_work);
++
++ batadv_tp_list_detach(tp_vars);
+
+ /* kill the timer and remove its reference */
+ del_timer_sync(&tp_vars->timer);
+@@ -886,7 +902,8 @@ out:
+ batadv_orig_node_put(orig_node);
+
+ batadv_tp_sender_end(bat_priv, tp_vars);
+- batadv_tp_sender_cleanup(bat_priv, tp_vars);
++ batadv_tp_sender_cleanup(tp_vars);
++ complete(&tp_vars->finished);
+
+ batadv_tp_vars_put(tp_vars);
+
+@@ -918,7 +935,8 @@ static void batadv_tp_start_kthread(stru
+ batadv_tp_vars_put(tp_vars);
+
+ /* cleanup of failed tp meter variables */
+- batadv_tp_sender_cleanup(bat_priv, tp_vars);
++ batadv_tp_sender_cleanup(tp_vars);
++ complete(&tp_vars->finished);
+ return;
+ }
+
+@@ -1024,6 +1042,7 @@ void batadv_tp_start(struct batadv_priv
+ tp_vars->start_time = jiffies;
+
+ init_waitqueue_head(&tp_vars->more_bytes);
++ init_completion(&tp_vars->finished);
+
+ spin_lock_init(&tp_vars->unacked_lock);
+ INIT_LIST_HEAD(&tp_vars->unacked_list);
+@@ -1126,14 +1145,7 @@ static void batadv_tp_receiver_shutdown(
+ "Shutting down for inactivity (more than %dms) from %pM\n",
+ BATADV_TP_RECV_TIMEOUT, tp_vars->other_end);
+
+- spin_lock_bh(&tp_vars->bat_priv->tp_list_lock);
+- hlist_del_rcu(&tp_vars->list);
+- spin_unlock_bh(&tp_vars->bat_priv->tp_list_lock);
+-
+- /* drop list reference */
+- batadv_tp_vars_put(tp_vars);
+-
+- atomic_dec(&bat_priv->tp_num);
++ batadv_tp_list_detach(tp_vars);
+
+ spin_lock_bh(&tp_vars->unacked_lock);
+ list_for_each_entry_safe(un, safe, &tp_vars->unacked_list, list) {
+@@ -1497,6 +1509,52 @@ out:
+ }
+
+ /**
++ * batadv_tp_stop_all() - stop all currently running tp meter sessions
++ * @bat_priv: the bat priv with all the mesh interface information
++ */
++void batadv_tp_stop_all(struct batadv_priv *bat_priv)
++{
++ struct batadv_tp_vars *tp_vars[BATADV_TP_MAX_NUM];
++ struct batadv_tp_vars *tp_var;
++ size_t count = 0;
++ size_t i;
++
++ spin_lock_bh(&bat_priv->tp_list_lock);
++ hlist_for_each_entry(tp_var, &bat_priv->tp_list, list) {
++ if (WARN_ON_ONCE(count >= BATADV_TP_MAX_NUM))
++ break;
++
++ if (!kref_get_unless_zero(&tp_var->refcount))
++ continue;
++
++ tp_vars[count++] = tp_var;
++ }
++ spin_unlock_bh(&bat_priv->tp_list_lock);
++
++ for (i = 0; i < count; i++) {
++ tp_var = tp_vars[i];
++
++ switch (tp_var->role) {
++ case BATADV_TP_SENDER:
++ batadv_tp_sender_shutdown(tp_var,
++ BATADV_TP_REASON_CANCEL);
++ wake_up(&tp_var->more_bytes);
++ wait_for_completion(&tp_var->finished);
++ break;
++ case BATADV_TP_RECEIVER:
++ batadv_tp_list_detach(tp_var);
++ if (timer_shutdown_sync(&tp_var->timer))
++ batadv_tp_vars_put(tp_var);
++ break;
++ }
++
++ batadv_tp_vars_put(tp_var);
++ }
++
++ synchronize_net();
++}
++
++/**
+ * batadv_tp_meter_init() - initialize global tp_meter structures
+ */
+ void __init batadv_tp_meter_init(void)
+--- a/net/batman-adv/tp_meter.h
++++ b/net/batman-adv/tp_meter.h
+@@ -17,6 +17,7 @@ void batadv_tp_start(struct batadv_priv
+ u32 test_length, u32 *cookie);
+ void batadv_tp_stop(struct batadv_priv *bat_priv, const u8 *dst,
+ u8 return_value);
++void batadv_tp_stop_all(struct batadv_priv *bat_priv);
+ void batadv_tp_meter_recv(struct batadv_priv *bat_priv, struct sk_buff *skb);
+
+ #endif /* _NET_BATMAN_ADV_TP_METER_H_ */
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -14,6 +14,7 @@
+ #include <linux/average.h>
+ #include <linux/bitops.h>
+ #include <linux/compiler.h>
++#include <linux/completion.h>
+ #include <linux/if.h>
+ #include <linux/if_ether.h>
+ #include <linux/kref.h>
+@@ -1466,6 +1467,9 @@ struct batadv_tp_vars {
+ /** @finish_work: work item for the finishing procedure */
+ struct delayed_work finish_work;
+
++ /** @finished: completion signaled when a sender thread exits */
++ struct completion finished;
++
+ /** @test_length: test length in milliseconds */
+ u32 test_length;
+
--- /dev/null
+From stable+bounces-247706-greg=kroah.com@vger.kernel.org Fri May 15 14:25:59 2026
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 15 May 2026 13:47:18 +0200
+Subject: batman-adv: tp_meter: fix tp_num leak on kmalloc failure
+To: stable@vger.kernel.org
+Cc: Sven Eckelmann <sven@narfation.org>, stable@kernel.org
+Message-ID: <20260515114718.410490-1-sven@narfation.org>
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit ce425dd05d0fe7594930a0fb103634f35ac47bb6 upstream.
+
+When batadv_tp_start() or batadv_tp_init_recv() fail to allocate a new
+tp_vars object, the previously incremented bat_priv->tp_num counter is
+never decremented. This causes tp_num to drift upward on each allocation
+failure. Since only BATADV_TP_MAX_NUM sessions can be started and the count
+is never reduced for these failed allocations, it causes to an exhaustion
+of throughput meter sessions. In worst case, no new throughput meter
+session can be started until the mesh interface is removed.
+
+The error handling must decrement tp_num releasing the lock and aborting
+the creation of an throughput meter session
+
+Cc: stable@kernel.org
+Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
+[ Context ]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/tp_meter.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/tp_meter.c
++++ b/net/batman-adv/tp_meter.c
+@@ -994,6 +994,7 @@ void batadv_tp_start(struct batadv_priv
+
+ tp_vars = kmalloc(sizeof(*tp_vars), GFP_ATOMIC);
+ if (!tp_vars) {
++ atomic_dec(&bat_priv->tp_num);
+ spin_unlock_bh(&bat_priv->tp_list_lock);
+ batadv_dbg(BATADV_DBG_TP_METER, bat_priv,
+ "Meter: %s cannot allocate list elements\n",
+@@ -1366,8 +1367,10 @@ batadv_tp_init_recv(struct batadv_priv *
+ }
+
+ tp_vars = kmalloc(sizeof(*tp_vars), GFP_ATOMIC);
+- if (!tp_vars)
++ if (!tp_vars) {
++ atomic_dec(&bat_priv->tp_num);
+ goto out_unlock;
++ }
+
+ ether_addr_copy(tp_vars->other_end, icmp->orig);
+ tp_vars->role = BATADV_TP_RECEIVER;
--- /dev/null
+From 78a88d43dab8d23aeef934ed8ce34d40e6b3d613 Mon Sep 17 00:00:00 2001
+From: Siwei Zhang <oss@fourdim.xyz>
+Date: Wed, 15 Apr 2026 16:53:36 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
+
+From: Siwei Zhang <oss@fourdim.xyz>
+
+commit 78a88d43dab8d23aeef934ed8ce34d40e6b3d613 upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 8d836d71e222 ("Bluetooth: Access sk_sndtimeo indirectly in l2cap_core.c")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1734,6 +1734,9 @@ static long l2cap_sock_get_sndtimeo_cb(s
+ {
+ struct sock *sk = chan->data;
+
++ if (!sk)
++ return 0;
++
+ return sk->sk_sndtimeo;
+ }
+
--- /dev/null
+From stable+bounces-247712-greg=kroah.com@vger.kernel.org Fri May 15 14:34:39 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2026 07:56:09 -0400
+Subject: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak
+To: stable@vger.kernel.org
+Cc: Yochai Eisenrich <yochaie@sweet.security>, Yochai Eisenrich <echelonh@gmail.com>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260515115609.3040954-1-sashal@kernel.org>
+
+From: Yochai Eisenrich <yochaie@sweet.security>
+
+[ Upstream commit 973e57c726c1f8e77259d1c8e519519f1e9aea77 ]
+
+btrfs_ioctl_space_info() has a TOCTOU race between two passes over the
+block group RAID type lists. The first pass counts entries to determine
+the allocation size, then the second pass fills the buffer. The
+groups_sem rwlock is released between passes, allowing concurrent block
+group removal to reduce the entry count.
+
+When the second pass fills fewer entries than the first pass counted,
+copy_to_user() copies the full alloc_size bytes including trailing
+uninitialized kmalloc bytes to userspace.
+
+Fix by copying only total_spaces entries (the actually-filled count from
+the second pass) instead of alloc_size bytes, and switch to kzalloc so
+any future copy size mismatch cannot leak heap data.
+
+Fixes: 7fde62bffb57 ("Btrfs: buffer results in the space_info ioctl")
+CC: stable@vger.kernel.org # 3.0
+Signed-off-by: Yochai Eisenrich <echelonh@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ adapted upstream's `return -EFAULT;` to stable's `ret = -EFAULT;` fall-through to existing `out:` cleanup label ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ioctl.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3113,7 +3113,7 @@ static long btrfs_ioctl_space_info(struc
+ return -ENOMEM;
+
+ space_args.total_spaces = 0;
+- dest = kmalloc(alloc_size, GFP_KERNEL);
++ dest = kzalloc(alloc_size, GFP_KERNEL);
+ if (!dest)
+ return -ENOMEM;
+ dest_orig = dest;
+@@ -3169,7 +3169,8 @@ static long btrfs_ioctl_space_info(struc
+ user_dest = (struct btrfs_ioctl_space_info __user *)
+ (arg + sizeof(struct btrfs_ioctl_space_args));
+
+- if (copy_to_user(user_dest, dest_orig, alloc_size))
++ if (copy_to_user(user_dest, dest_orig,
++ space_args.total_spaces * sizeof(*dest_orig)))
+ ret = -EFAULT;
+
+ kfree(dest_orig);
--- /dev/null
+From stable+bounces-247740-greg=kroah.com@vger.kernel.org Fri May 15 14:38:28 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2026 08:15:28 -0400
+Subject: btrfs: fix double free in create_space_info_sub_group() error path
+To: stable@vger.kernel.org
+Cc: Guangshuo Li <lgs201920130244@gmail.com>, Qu Wenruo <wqu@suse.com>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260515121528.3130102-2-sashal@kernel.org>
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+[ Upstream commit a7449edf96143f192606ec8647e3167e1ecbd728 ]
+
+When kobject_init_and_add() fails, the call chain is:
+
+create_space_info_sub_group()
+-> btrfs_sysfs_add_space_info_type()
+-> kobject_init_and_add()
+-> failure
+-> kobject_put(&sub_group->kobj)
+-> space_info_release()
+-> kfree(sub_group)
+
+Then control returns to create_space_info_sub_group(), where:
+
+btrfs_sysfs_add_space_info_type() returns error
+-> kfree(sub_group)
+
+Thus, sub_group is freed twice.
+
+Keep parent->sub_group[index] = NULL for the failure path, but after
+btrfs_sysfs_add_space_info_type() has called kobject_put(), let the
+kobject release callback handle the cleanup.
+
+Fixes: f92ee31e031c ("btrfs: introduce btrfs_space_info sub-group")
+CC: stable@vger.kernel.org # 6.18+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/space-info.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -266,10 +266,8 @@ static int create_space_info_sub_group(s
+ sub_group->subgroup_id = id;
+
+ ret = btrfs_sysfs_add_space_info_type(sub_group);
+- if (ret) {
+- kfree(sub_group);
++ if (ret)
+ parent->sub_group[index] = NULL;
+- }
+ return ret;
+ }
+
--- /dev/null
+From stable+bounces-247739-greg=kroah.com@vger.kernel.org Fri May 15 15:18:17 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2026 08:15:27 -0400
+Subject: btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type()
+To: stable@vger.kernel.org
+Cc: Filipe Manana <fdmanana@suse.com>, Johannes Thumshirn <johannes.thumshirn@wdc.com>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260515121528.3130102-1-sashal@kernel.org>
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 771af6ff72e0ed0eb8bf97e5ae4fa5094e0c5d1d ]
+
+We don't need it since we can grab fs_info from the given space_info.
+So remove the fs_info argument.
+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: a7449edf9614 ("btrfs: fix double free in create_space_info_sub_group() error path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/space-info.c | 4 ++--
+ fs/btrfs/sysfs.c | 5 ++---
+ fs/btrfs/sysfs.h | 3 +--
+ 3 files changed, 5 insertions(+), 7 deletions(-)
+
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -265,7 +265,7 @@ static int create_space_info_sub_group(s
+ sub_group->parent = parent;
+ sub_group->subgroup_id = id;
+
+- ret = btrfs_sysfs_add_space_info_type(fs_info, sub_group);
++ ret = btrfs_sysfs_add_space_info_type(sub_group);
+ if (ret) {
+ kfree(sub_group);
+ parent->sub_group[index] = NULL;
+@@ -294,7 +294,7 @@ static int create_space_info(struct btrf
+ goto out_free;
+ }
+
+- ret = btrfs_sysfs_add_space_info_type(info, space_info);
++ ret = btrfs_sysfs_add_space_info_type(space_info);
+ if (ret)
+ return ret;
+
+--- a/fs/btrfs/sysfs.c
++++ b/fs/btrfs/sysfs.c
+@@ -1825,13 +1825,12 @@ static const char *alloc_name(struct btr
+ * Create a sysfs entry for a space info type at path
+ * /sys/fs/btrfs/UUID/allocation/TYPE
+ */
+-int btrfs_sysfs_add_space_info_type(struct btrfs_fs_info *fs_info,
+- struct btrfs_space_info *space_info)
++int btrfs_sysfs_add_space_info_type(struct btrfs_space_info *space_info)
+ {
+ int ret;
+
+ ret = kobject_init_and_add(&space_info->kobj, &space_info_ktype,
+- fs_info->space_info_kobj, "%s",
++ space_info->fs_info->space_info_kobj, "%s",
+ alloc_name(space_info));
+ if (ret) {
+ kobject_put(&space_info->kobj);
+--- a/fs/btrfs/sysfs.h
++++ b/fs/btrfs/sysfs.h
+@@ -36,8 +36,7 @@ void __cold btrfs_exit_sysfs(void);
+ int btrfs_sysfs_add_mounted(struct btrfs_fs_info *fs_info);
+ void btrfs_sysfs_remove_mounted(struct btrfs_fs_info *fs_info);
+ void btrfs_sysfs_add_block_group_type(struct btrfs_block_group *cache);
+-int btrfs_sysfs_add_space_info_type(struct btrfs_fs_info *fs_info,
+- struct btrfs_space_info *space_info);
++int btrfs_sysfs_add_space_info_type(struct btrfs_space_info *space_info);
+ void btrfs_sysfs_remove_space_info(struct btrfs_space_info *space_info);
+ void btrfs_sysfs_update_devid(struct btrfs_device *device);
+
rust-allow-clippy-collapsible_if-globally.patch
bonding-fix-use-after-free-due-to-enslave-fail-after-slave-array-update.patch
io_uring-kbuf-support-min-length-left-for-incremental-buffers.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch
+btrfs-remove-fs_info-argument-from-btrfs_sysfs_add_space_info_type.patch
+btrfs-fix-double-free-in-create_space_info_sub_group-error-path.patch
+btrfs-fix-btrfs_ioctl_space_info-slot_count-toctou-which-can-lead-to-info-leak.patch
+tracing-probes-limit-size-of-event-probe-to-3k.patch
+batman-adv-stop-tp_meter-sessions-during-mesh-teardown.patch
+batman-adv-tp_meter-fix-tp_num-leak-on-kmalloc-failure.patch
--- /dev/null
+From stable+bounces-247678-greg=kroah.com@vger.kernel.org Fri May 15 14:22:09 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2026 07:45:10 -0400
+Subject: tracing/probes: Limit size of event probe to 3K
+To: stable@vger.kernel.org
+Cc: Steven Rostedt <rostedt@goodmis.org>, Mathieu Desnoyers <mathieu.desnoyers@efficios.com>, "Masami Hiramatsu (Google)" <mhiramat@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260515114510.3021593-1-sashal@kernel.org>
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+[ Upstream commit b2aa3b4d64e460ac606f386c24e7d8a873ce6f1a ]
+
+There currently isn't a max limit an event probe can be. One could make an
+event greater than PAGE_SIZE, which makes the event useless because if
+it's bigger than the max event that can be recorded into the ring buffer,
+then it will never be recorded.
+
+A event probe should never need to be greater than 3K, so make that the
+max size. As long as the max is less than the max that can be recorded
+onto the ring buffer, it should be fine.
+
+Cc: stable@vger.kernel.org
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Fixes: 93ccae7a22274 ("tracing/kprobes: Support basic types on dynamic events")
+Link: https://patch.msgid.link/20260428122302.706610ba@gandalf.local.home
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+[ dropped TOO_MANY_ARGS/TOO_MANY_EARGS entries from ERRORS macro list ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_probe.c | 6 ++++++
+ kernel/trace/trace_probe.h | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -1501,6 +1501,12 @@ static int traceprobe_parse_probe_arg_bo
+ parg->offset = *size;
+ *size += parg->type->size * (parg->count ?: 1);
+
++ if (*size > MAX_PROBE_EVENT_SIZE) {
++ ret = -E2BIG;
++ trace_probe_log_err(ctx->offset, EVENT_TOO_BIG);
++ goto fail;
++ }
++
+ if (parg->count) {
+ len = strlen(parg->type->fmttype) + 6;
+ parg->fmt = kmalloc(len, GFP_KERNEL);
+--- a/kernel/trace/trace_probe.h
++++ b/kernel/trace/trace_probe.h
+@@ -36,6 +36,7 @@
+ #define MAX_BTF_ARGS_LEN 128
+ #define MAX_DENTRY_ARGS_LEN 256
+ #define MAX_STRING_SIZE PATH_MAX
++#define MAX_PROBE_EVENT_SIZE 3072
+
+ /* Reserved field names */
+ #define FIELD_STRING_IP "__probe_ip"
+@@ -549,7 +550,8 @@ extern int traceprobe_define_arg_fields(
+ C(NO_BTF_FIELD, "This field is not found."), \
+ C(BAD_BTF_TID, "Failed to get BTF type info."),\
+ C(BAD_TYPE4STR, "This type does not fit for string."),\
+- C(NEED_STRING_TYPE, "$comm and immediate-string only accepts string type"),
++ C(NEED_STRING_TYPE, "$comm and immediate-string only accepts string type"),\
++ C(EVENT_TOO_BIG, "Event too big (too many fields?)"),
+
+ #undef C
+ #define C(a, b) TP_ERR_##a
projects / thirdparty / kernel / stable-queue.git / commitdiff
