From: Greg Kroah-Hartman Date: Fri, 15 May 2026 15:04:11 +0000 (+0200) Subject: 6.12-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0ac3eb6db09240939b95bc54a84de8b737746448;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: batman-adv-stop-tp_meter-sessions-during-mesh-teardown.patch batman-adv-tp_meter-fix-tp_num-leak-on-kmalloc-failure.patch bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch btrfs-fix-btrfs_ioctl_space_info-slot_count-toctou-which-can-lead-to-info-leak.patch btrfs-fix-double-free-in-create_space_info_sub_group-error-path.patch btrfs-remove-fs_info-argument-from-btrfs_sysfs_add_space_info_type.patch tracing-probes-limit-size-of-event-probe-to-3k.patch --- diff --git a/queue-6.12/batman-adv-stop-tp_meter-sessions-during-mesh-teardown.patch b/queue-6.12/batman-adv-stop-tp_meter-sessions-during-mesh-teardown.patch new file mode 100644 index 0000000000..666b995ff2 --- /dev/null +++ b/queue-6.12/batman-adv-stop-tp_meter-sessions-during-mesh-teardown.patch @@ -0,0 +1,237 @@ +From stable+bounces-247655-greg=kroah.com@vger.kernel.org Fri May 15 13:26:37 2026 +From: Sven Eckelmann +Date: Fri, 15 May 2026 12:54:15 +0200 +Subject: batman-adv: stop tp_meter sessions during mesh teardown +To: stable@vger.kernel.org +Cc: Jiexun Wang , stable@kernel.org, Yuan Tan , Yifan Wu , Juefei Pu , Xin Liu , Luxing Yin , Ren Wei , Sven Eckelmann +Message-ID: <20260515105416.153949-1-sven@narfation.org> + +From: Jiexun Wang + +commit 3d3cf6a7314aca4df0a6dde28ce784a2a30d0166 upstream. + +TP meter sessions remain linked on bat_priv->tp_list after the netlink +request has already finished. When the mesh interface is removed, +batadv_mesh_free() currently tears down the mesh without first draining +these sessions. + +A running sender thread or a late incoming tp_meter packet can then keep +processing against a mesh instance which is already shutting down. +Synchronize tp_meter with the mesh lifetime by stopping all active +sessions from batadv_mesh_free() and waiting for sender threads to exit +before teardown continues. + +Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Co-developed-by: Luxing Yin +Signed-off-by: Luxing Yin +Signed-off-by: Jiexun Wang +Signed-off-by: Ren Wei +[ Context ] +Signed-off-by: Sven Eckelmann +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/main.c | 1 + net/batman-adv/tp_meter.c | 94 +++++++++++++++++++++++++++++++++++++--------- + net/batman-adv/tp_meter.h | 1 + net/batman-adv/types.h | 4 + + 4 files changed, 82 insertions(+), 18 deletions(-) + +--- a/net/batman-adv/main.c ++++ b/net/batman-adv/main.c +@@ -263,6 +263,7 @@ void batadv_mesh_free(struct net_device + atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING); + + batadv_purge_outstanding_packets(bat_priv, NULL); ++ batadv_tp_stop_all(bat_priv); + + batadv_gw_node_free(bat_priv); + +--- a/net/batman-adv/tp_meter.c ++++ b/net/batman-adv/tp_meter.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -365,23 +366,38 @@ static void batadv_tp_vars_put(struct ba + } + + /** +- * batadv_tp_sender_cleanup() - cleanup sender data and drop and timer +- * @bat_priv: the bat priv with all the soft interface information +- * @tp_vars: the private data of the current TP meter session to cleanup ++ * batadv_tp_list_detach() - remove tp session from mesh session list once ++ * @tp_vars: the private data of the current TP meter session + */ +-static void batadv_tp_sender_cleanup(struct batadv_priv *bat_priv, +- struct batadv_tp_vars *tp_vars) ++static void batadv_tp_list_detach(struct batadv_tp_vars *tp_vars) + { +- cancel_delayed_work(&tp_vars->finish_work); ++ bool detached = false; + + spin_lock_bh(&tp_vars->bat_priv->tp_list_lock); +- hlist_del_rcu(&tp_vars->list); ++ if (!hlist_unhashed(&tp_vars->list)) { ++ hlist_del_init_rcu(&tp_vars->list); ++ detached = true; ++ } + spin_unlock_bh(&tp_vars->bat_priv->tp_list_lock); + ++ if (!detached) ++ return; ++ ++ atomic_dec(&tp_vars->bat_priv->tp_num); ++ + /* drop list reference */ + batadv_tp_vars_put(tp_vars); ++} + +- atomic_dec(&tp_vars->bat_priv->tp_num); ++/** ++ * batadv_tp_sender_cleanup() - cleanup sender data and drop and timer ++ * @tp_vars: the private data of the current TP meter session to cleanup ++ */ ++static void batadv_tp_sender_cleanup(struct batadv_tp_vars *tp_vars) ++{ ++ cancel_delayed_work_sync(&tp_vars->finish_work); ++ ++ batadv_tp_list_detach(tp_vars); + + /* kill the timer and remove its reference */ + del_timer_sync(&tp_vars->timer); +@@ -886,7 +902,8 @@ out: + batadv_orig_node_put(orig_node); + + batadv_tp_sender_end(bat_priv, tp_vars); +- batadv_tp_sender_cleanup(bat_priv, tp_vars); ++ batadv_tp_sender_cleanup(tp_vars); ++ complete(&tp_vars->finished); + + batadv_tp_vars_put(tp_vars); + +@@ -918,7 +935,8 @@ static void batadv_tp_start_kthread(stru + batadv_tp_vars_put(tp_vars); + + /* cleanup of failed tp meter variables */ +- batadv_tp_sender_cleanup(bat_priv, tp_vars); ++ batadv_tp_sender_cleanup(tp_vars); ++ complete(&tp_vars->finished); + return; + } + +@@ -1024,6 +1042,7 @@ void batadv_tp_start(struct batadv_priv + tp_vars->start_time = jiffies; + + init_waitqueue_head(&tp_vars->more_bytes); ++ init_completion(&tp_vars->finished); + + spin_lock_init(&tp_vars->unacked_lock); + INIT_LIST_HEAD(&tp_vars->unacked_list); +@@ -1126,14 +1145,7 @@ static void batadv_tp_receiver_shutdown( + "Shutting down for inactivity (more than %dms) from %pM\n", + BATADV_TP_RECV_TIMEOUT, tp_vars->other_end); + +- spin_lock_bh(&tp_vars->bat_priv->tp_list_lock); +- hlist_del_rcu(&tp_vars->list); +- spin_unlock_bh(&tp_vars->bat_priv->tp_list_lock); +- +- /* drop list reference */ +- batadv_tp_vars_put(tp_vars); +- +- atomic_dec(&bat_priv->tp_num); ++ batadv_tp_list_detach(tp_vars); + + spin_lock_bh(&tp_vars->unacked_lock); + list_for_each_entry_safe(un, safe, &tp_vars->unacked_list, list) { +@@ -1497,6 +1509,52 @@ out: + } + + /** ++ * batadv_tp_stop_all() - stop all currently running tp meter sessions ++ * @bat_priv: the bat priv with all the mesh interface information ++ */ ++void batadv_tp_stop_all(struct batadv_priv *bat_priv) ++{ ++ struct batadv_tp_vars *tp_vars[BATADV_TP_MAX_NUM]; ++ struct batadv_tp_vars *tp_var; ++ size_t count = 0; ++ size_t i; ++ ++ spin_lock_bh(&bat_priv->tp_list_lock); ++ hlist_for_each_entry(tp_var, &bat_priv->tp_list, list) { ++ if (WARN_ON_ONCE(count >= BATADV_TP_MAX_NUM)) ++ break; ++ ++ if (!kref_get_unless_zero(&tp_var->refcount)) ++ continue; ++ ++ tp_vars[count++] = tp_var; ++ } ++ spin_unlock_bh(&bat_priv->tp_list_lock); ++ ++ for (i = 0; i < count; i++) { ++ tp_var = tp_vars[i]; ++ ++ switch (tp_var->role) { ++ case BATADV_TP_SENDER: ++ batadv_tp_sender_shutdown(tp_var, ++ BATADV_TP_REASON_CANCEL); ++ wake_up(&tp_var->more_bytes); ++ wait_for_completion(&tp_var->finished); ++ break; ++ case BATADV_TP_RECEIVER: ++ batadv_tp_list_detach(tp_var); ++ if (timer_shutdown_sync(&tp_var->timer)) ++ batadv_tp_vars_put(tp_var); ++ break; ++ } ++ ++ batadv_tp_vars_put(tp_var); ++ } ++ ++ synchronize_net(); ++} ++ ++/** + * batadv_tp_meter_init() - initialize global tp_meter structures + */ + void __init batadv_tp_meter_init(void) +--- a/net/batman-adv/tp_meter.h ++++ b/net/batman-adv/tp_meter.h +@@ -17,6 +17,7 @@ void batadv_tp_start(struct batadv_priv + u32 test_length, u32 *cookie); + void batadv_tp_stop(struct batadv_priv *bat_priv, const u8 *dst, + u8 return_value); ++void batadv_tp_stop_all(struct batadv_priv *bat_priv); + void batadv_tp_meter_recv(struct batadv_priv *bat_priv, struct sk_buff *skb); + + #endif /* _NET_BATMAN_ADV_TP_METER_H_ */ +--- a/net/batman-adv/types.h ++++ b/net/batman-adv/types.h +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1466,6 +1467,9 @@ struct batadv_tp_vars { + /** @finish_work: work item for the finishing procedure */ + struct delayed_work finish_work; + ++ /** @finished: completion signaled when a sender thread exits */ ++ struct completion finished; ++ + /** @test_length: test length in milliseconds */ + u32 test_length; + diff --git a/queue-6.12/batman-adv-tp_meter-fix-tp_num-leak-on-kmalloc-failure.patch b/queue-6.12/batman-adv-tp_meter-fix-tp_num-leak-on-kmalloc-failure.patch new file mode 100644 index 0000000000..8653b421ce --- /dev/null +++ b/queue-6.12/batman-adv-tp_meter-fix-tp_num-leak-on-kmalloc-failure.patch @@ -0,0 +1,54 @@ +From stable+bounces-247706-greg=kroah.com@vger.kernel.org Fri May 15 14:25:59 2026 +From: Sven Eckelmann +Date: Fri, 15 May 2026 13:47:18 +0200 +Subject: batman-adv: tp_meter: fix tp_num leak on kmalloc failure +To: stable@vger.kernel.org +Cc: Sven Eckelmann , stable@kernel.org +Message-ID: <20260515114718.410490-1-sven@narfation.org> + +From: Sven Eckelmann + +commit ce425dd05d0fe7594930a0fb103634f35ac47bb6 upstream. + +When batadv_tp_start() or batadv_tp_init_recv() fail to allocate a new +tp_vars object, the previously incremented bat_priv->tp_num counter is +never decremented. This causes tp_num to drift upward on each allocation +failure. Since only BATADV_TP_MAX_NUM sessions can be started and the count +is never reduced for these failed allocations, it causes to an exhaustion +of throughput meter sessions. In worst case, no new throughput meter +session can be started until the mesh interface is removed. + +The error handling must decrement tp_num releasing the lock and aborting +the creation of an throughput meter session + +Cc: stable@kernel.org +Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation") +[ Context ] +Signed-off-by: Sven Eckelmann +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/tp_meter.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/tp_meter.c ++++ b/net/batman-adv/tp_meter.c +@@ -994,6 +994,7 @@ void batadv_tp_start(struct batadv_priv + + tp_vars = kmalloc(sizeof(*tp_vars), GFP_ATOMIC); + if (!tp_vars) { ++ atomic_dec(&bat_priv->tp_num); + spin_unlock_bh(&bat_priv->tp_list_lock); + batadv_dbg(BATADV_DBG_TP_METER, bat_priv, + "Meter: %s cannot allocate list elements\n", +@@ -1366,8 +1367,10 @@ batadv_tp_init_recv(struct batadv_priv * + } + + tp_vars = kmalloc(sizeof(*tp_vars), GFP_ATOMIC); +- if (!tp_vars) ++ if (!tp_vars) { ++ atomic_dec(&bat_priv->tp_num); + goto out_unlock; ++ } + + ether_addr_copy(tp_vars->other_end, icmp->orig); + tp_vars->role = BATADV_TP_RECEIVER; diff --git a/queue-6.12/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch b/queue-6.12/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch new file mode 100644 index 0000000000..9df5c30854 --- /dev/null +++ b/queue-6.12/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch @@ -0,0 +1,33 @@ +From 78a88d43dab8d23aeef934ed8ce34d40e6b3d613 Mon Sep 17 00:00:00 2001 +From: Siwei Zhang +Date: Wed, 15 Apr 2026 16:53:36 -0400 +Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() + +From: Siwei Zhang + +commit 78a88d43dab8d23aeef934ed8ce34d40e6b3d613 upstream. + +Add the same NULL guard already present in +l2cap_sock_resume_cb() and l2cap_sock_ready_cb(). + +Fixes: 8d836d71e222 ("Bluetooth: Access sk_sndtimeo indirectly in l2cap_core.c") +Cc: stable@kernel.org +Signed-off-by: Siwei Zhang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/l2cap_sock.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1734,6 +1734,9 @@ static long l2cap_sock_get_sndtimeo_cb(s + { + struct sock *sk = chan->data; + ++ if (!sk) ++ return 0; ++ + return sk->sk_sndtimeo; + } + diff --git a/queue-6.12/btrfs-fix-btrfs_ioctl_space_info-slot_count-toctou-which-can-lead-to-info-leak.patch b/queue-6.12/btrfs-fix-btrfs_ioctl_space_info-slot_count-toctou-which-can-lead-to-info-leak.patch new file mode 100644 index 0000000000..14dbf506cb --- /dev/null +++ b/queue-6.12/btrfs-fix-btrfs_ioctl_space_info-slot_count-toctou-which-can-lead-to-info-leak.patch @@ -0,0 +1,59 @@ +From stable+bounces-247712-greg=kroah.com@vger.kernel.org Fri May 15 14:34:39 2026 +From: Sasha Levin +Date: Fri, 15 May 2026 07:56:09 -0400 +Subject: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak +To: stable@vger.kernel.org +Cc: Yochai Eisenrich , Yochai Eisenrich , David Sterba , Sasha Levin +Message-ID: <20260515115609.3040954-1-sashal@kernel.org> + +From: Yochai Eisenrich + +[ Upstream commit 973e57c726c1f8e77259d1c8e519519f1e9aea77 ] + +btrfs_ioctl_space_info() has a TOCTOU race between two passes over the +block group RAID type lists. The first pass counts entries to determine +the allocation size, then the second pass fills the buffer. The +groups_sem rwlock is released between passes, allowing concurrent block +group removal to reduce the entry count. + +When the second pass fills fewer entries than the first pass counted, +copy_to_user() copies the full alloc_size bytes including trailing +uninitialized kmalloc bytes to userspace. + +Fix by copying only total_spaces entries (the actually-filled count from +the second pass) instead of alloc_size bytes, and switch to kzalloc so +any future copy size mismatch cannot leak heap data. + +Fixes: 7fde62bffb57 ("Btrfs: buffer results in the space_info ioctl") +CC: stable@vger.kernel.org # 3.0 +Signed-off-by: Yochai Eisenrich +Reviewed-by: David Sterba +Signed-off-by: David Sterba +[ adapted upstream's `return -EFAULT;` to stable's `ret = -EFAULT;` fall-through to existing `out:` cleanup label ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ioctl.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3113,7 +3113,7 @@ static long btrfs_ioctl_space_info(struc + return -ENOMEM; + + space_args.total_spaces = 0; +- dest = kmalloc(alloc_size, GFP_KERNEL); ++ dest = kzalloc(alloc_size, GFP_KERNEL); + if (!dest) + return -ENOMEM; + dest_orig = dest; +@@ -3169,7 +3169,8 @@ static long btrfs_ioctl_space_info(struc + user_dest = (struct btrfs_ioctl_space_info __user *) + (arg + sizeof(struct btrfs_ioctl_space_args)); + +- if (copy_to_user(user_dest, dest_orig, alloc_size)) ++ if (copy_to_user(user_dest, dest_orig, ++ space_args.total_spaces * sizeof(*dest_orig))) + ret = -EFAULT; + + kfree(dest_orig); diff --git a/queue-6.12/btrfs-fix-double-free-in-create_space_info_sub_group-error-path.patch b/queue-6.12/btrfs-fix-double-free-in-create_space_info_sub_group-error-path.patch new file mode 100644 index 0000000000..513f2ed46a --- /dev/null +++ b/queue-6.12/btrfs-fix-double-free-in-create_space_info_sub_group-error-path.patch @@ -0,0 +1,58 @@ +From stable+bounces-247740-greg=kroah.com@vger.kernel.org Fri May 15 14:38:28 2026 +From: Sasha Levin +Date: Fri, 15 May 2026 08:15:28 -0400 +Subject: btrfs: fix double free in create_space_info_sub_group() error path +To: stable@vger.kernel.org +Cc: Guangshuo Li , Qu Wenruo , David Sterba , Sasha Levin +Message-ID: <20260515121528.3130102-2-sashal@kernel.org> + +From: Guangshuo Li + +[ Upstream commit a7449edf96143f192606ec8647e3167e1ecbd728 ] + +When kobject_init_and_add() fails, the call chain is: + +create_space_info_sub_group() +-> btrfs_sysfs_add_space_info_type() +-> kobject_init_and_add() +-> failure +-> kobject_put(&sub_group->kobj) +-> space_info_release() +-> kfree(sub_group) + +Then control returns to create_space_info_sub_group(), where: + +btrfs_sysfs_add_space_info_type() returns error +-> kfree(sub_group) + +Thus, sub_group is freed twice. + +Keep parent->sub_group[index] = NULL for the failure path, but after +btrfs_sysfs_add_space_info_type() has called kobject_put(), let the +kobject release callback handle the cleanup. + +Fixes: f92ee31e031c ("btrfs: introduce btrfs_space_info sub-group") +CC: stable@vger.kernel.org # 6.18+ +Reviewed-by: Qu Wenruo +Signed-off-by: Guangshuo Li +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/space-info.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/fs/btrfs/space-info.c ++++ b/fs/btrfs/space-info.c +@@ -266,10 +266,8 @@ static int create_space_info_sub_group(s + sub_group->subgroup_id = id; + + ret = btrfs_sysfs_add_space_info_type(sub_group); +- if (ret) { +- kfree(sub_group); ++ if (ret) + parent->sub_group[index] = NULL; +- } + return ret; + } + diff --git a/queue-6.12/btrfs-remove-fs_info-argument-from-btrfs_sysfs_add_space_info_type.patch b/queue-6.12/btrfs-remove-fs_info-argument-from-btrfs_sysfs_add_space_info_type.patch new file mode 100644 index 0000000000..6dcde71327 --- /dev/null +++ b/queue-6.12/btrfs-remove-fs_info-argument-from-btrfs_sysfs_add_space_info_type.patch @@ -0,0 +1,78 @@ +From stable+bounces-247739-greg=kroah.com@vger.kernel.org Fri May 15 15:18:17 2026 +From: Sasha Levin +Date: Fri, 15 May 2026 08:15:27 -0400 +Subject: btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type() +To: stable@vger.kernel.org +Cc: Filipe Manana , Johannes Thumshirn , David Sterba , Sasha Levin +Message-ID: <20260515121528.3130102-1-sashal@kernel.org> + +From: Filipe Manana + +[ Upstream commit 771af6ff72e0ed0eb8bf97e5ae4fa5094e0c5d1d ] + +We don't need it since we can grab fs_info from the given space_info. +So remove the fs_info argument. + +Reviewed-by: Johannes Thumshirn +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Stable-dep-of: a7449edf9614 ("btrfs: fix double free in create_space_info_sub_group() error path") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/space-info.c | 4 ++-- + fs/btrfs/sysfs.c | 5 ++--- + fs/btrfs/sysfs.h | 3 +-- + 3 files changed, 5 insertions(+), 7 deletions(-) + +--- a/fs/btrfs/space-info.c ++++ b/fs/btrfs/space-info.c +@@ -265,7 +265,7 @@ static int create_space_info_sub_group(s + sub_group->parent = parent; + sub_group->subgroup_id = id; + +- ret = btrfs_sysfs_add_space_info_type(fs_info, sub_group); ++ ret = btrfs_sysfs_add_space_info_type(sub_group); + if (ret) { + kfree(sub_group); + parent->sub_group[index] = NULL; +@@ -294,7 +294,7 @@ static int create_space_info(struct btrf + goto out_free; + } + +- ret = btrfs_sysfs_add_space_info_type(info, space_info); ++ ret = btrfs_sysfs_add_space_info_type(space_info); + if (ret) + return ret; + +--- a/fs/btrfs/sysfs.c ++++ b/fs/btrfs/sysfs.c +@@ -1825,13 +1825,12 @@ static const char *alloc_name(struct btr + * Create a sysfs entry for a space info type at path + * /sys/fs/btrfs/UUID/allocation/TYPE + */ +-int btrfs_sysfs_add_space_info_type(struct btrfs_fs_info *fs_info, +- struct btrfs_space_info *space_info) ++int btrfs_sysfs_add_space_info_type(struct btrfs_space_info *space_info) + { + int ret; + + ret = kobject_init_and_add(&space_info->kobj, &space_info_ktype, +- fs_info->space_info_kobj, "%s", ++ space_info->fs_info->space_info_kobj, "%s", + alloc_name(space_info)); + if (ret) { + kobject_put(&space_info->kobj); +--- a/fs/btrfs/sysfs.h ++++ b/fs/btrfs/sysfs.h +@@ -36,8 +36,7 @@ void __cold btrfs_exit_sysfs(void); + int btrfs_sysfs_add_mounted(struct btrfs_fs_info *fs_info); + void btrfs_sysfs_remove_mounted(struct btrfs_fs_info *fs_info); + void btrfs_sysfs_add_block_group_type(struct btrfs_block_group *cache); +-int btrfs_sysfs_add_space_info_type(struct btrfs_fs_info *fs_info, +- struct btrfs_space_info *space_info); ++int btrfs_sysfs_add_space_info_type(struct btrfs_space_info *space_info); + void btrfs_sysfs_remove_space_info(struct btrfs_space_info *space_info); + void btrfs_sysfs_update_devid(struct btrfs_device *device); + diff --git a/queue-6.12/series b/queue-6.12/series index f3909c1773..eee6494e01 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -128,3 +128,10 @@ rust-allow-clippy-collapsible_match-globally.patch rust-allow-clippy-collapsible_if-globally.patch bonding-fix-use-after-free-due-to-enslave-fail-after-slave-array-update.patch io_uring-kbuf-support-min-length-left-for-incremental-buffers.patch +bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch +btrfs-remove-fs_info-argument-from-btrfs_sysfs_add_space_info_type.patch +btrfs-fix-double-free-in-create_space_info_sub_group-error-path.patch +btrfs-fix-btrfs_ioctl_space_info-slot_count-toctou-which-can-lead-to-info-leak.patch +tracing-probes-limit-size-of-event-probe-to-3k.patch +batman-adv-stop-tp_meter-sessions-during-mesh-teardown.patch +batman-adv-tp_meter-fix-tp_num-leak-on-kmalloc-failure.patch diff --git a/queue-6.12/tracing-probes-limit-size-of-event-probe-to-3k.patch b/queue-6.12/tracing-probes-limit-size-of-event-probe-to-3k.patch new file mode 100644 index 0000000000..800e55942b --- /dev/null +++ b/queue-6.12/tracing-probes-limit-size-of-event-probe-to-3k.patch @@ -0,0 +1,70 @@ +From stable+bounces-247678-greg=kroah.com@vger.kernel.org Fri May 15 14:22:09 2026 +From: Sasha Levin +Date: Fri, 15 May 2026 07:45:10 -0400 +Subject: tracing/probes: Limit size of event probe to 3K +To: stable@vger.kernel.org +Cc: Steven Rostedt , Mathieu Desnoyers , "Masami Hiramatsu (Google)" , Sasha Levin +Message-ID: <20260515114510.3021593-1-sashal@kernel.org> + +From: Steven Rostedt + +[ Upstream commit b2aa3b4d64e460ac606f386c24e7d8a873ce6f1a ] + +There currently isn't a max limit an event probe can be. One could make an +event greater than PAGE_SIZE, which makes the event useless because if +it's bigger than the max event that can be recorded into the ring buffer, +then it will never be recorded. + +A event probe should never need to be greater than 3K, so make that the +max size. As long as the max is less than the max that can be recorded +onto the ring buffer, it should be fine. + +Cc: stable@vger.kernel.org +Cc: Mathieu Desnoyers +Acked-by: Masami Hiramatsu (Google) +Fixes: 93ccae7a22274 ("tracing/kprobes: Support basic types on dynamic events") +Link: https://patch.msgid.link/20260428122302.706610ba@gandalf.local.home +Signed-off-by: Steven Rostedt +[ dropped TOO_MANY_ARGS/TOO_MANY_EARGS entries from ERRORS macro list ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_probe.c | 6 ++++++ + kernel/trace/trace_probe.h | 4 +++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_probe.c ++++ b/kernel/trace/trace_probe.c +@@ -1501,6 +1501,12 @@ static int traceprobe_parse_probe_arg_bo + parg->offset = *size; + *size += parg->type->size * (parg->count ?: 1); + ++ if (*size > MAX_PROBE_EVENT_SIZE) { ++ ret = -E2BIG; ++ trace_probe_log_err(ctx->offset, EVENT_TOO_BIG); ++ goto fail; ++ } ++ + if (parg->count) { + len = strlen(parg->type->fmttype) + 6; + parg->fmt = kmalloc(len, GFP_KERNEL); +--- a/kernel/trace/trace_probe.h ++++ b/kernel/trace/trace_probe.h +@@ -36,6 +36,7 @@ + #define MAX_BTF_ARGS_LEN 128 + #define MAX_DENTRY_ARGS_LEN 256 + #define MAX_STRING_SIZE PATH_MAX ++#define MAX_PROBE_EVENT_SIZE 3072 + + /* Reserved field names */ + #define FIELD_STRING_IP "__probe_ip" +@@ -549,7 +550,8 @@ extern int traceprobe_define_arg_fields( + C(NO_BTF_FIELD, "This field is not found."), \ + C(BAD_BTF_TID, "Failed to get BTF type info."),\ + C(BAD_TYPE4STR, "This type does not fit for string."),\ +- C(NEED_STRING_TYPE, "$comm and immediate-string only accepts string type"), ++ C(NEED_STRING_TYPE, "$comm and immediate-string only accepts string type"),\ ++ C(EVENT_TOO_BIG, "Event too big (too many fields?)"), + + #undef C + #define C(a, b) TP_ERR_##a