]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
6.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 15 Jul 2026 15:38:20 +0000 (17:38 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 15 Jul 2026 15:38:20 +0000 (17:38 +0200)
added patches:
audit-fix-potential-integer-overflow-in-audit_log_n_hex.patch
exfat-bound-uniname-advance-in-exfat_find_dir_entry.patch
mm-do-file-ownership-checks-with-the-proper-mount-idmap.patch
mm-fix-mmap-errno-value-when-map_droppable-is-not-supported.patch
module-decompress-check-return-value-of-module_extend_max_pages.patch
nfsv4-include-may_write-in-open-permission-mask-for-o_trunc.patch
ntb-epf-fix-request_irq-unwind-in-ntb_epf_init_isr.patch
riscv-mm-define-direct_map_physmem_end.patch
riscv-mm-unconditionally-sfence.vma-for-spurious-fault.patch
selftests-mm-fix-and-speedup-droppable-test.patch
selftests-mm-pagemap_ioctl-use-the-correct-page-size-for-transact_test.patch
tracing-prevent-out-of-bounds-read-in-glob-matching.patch

13 files changed:
queue-6.12/audit-fix-potential-integer-overflow-in-audit_log_n_hex.patch [new file with mode: 0644]
queue-6.12/exfat-bound-uniname-advance-in-exfat_find_dir_entry.patch [new file with mode: 0644]
queue-6.12/mm-do-file-ownership-checks-with-the-proper-mount-idmap.patch [new file with mode: 0644]
queue-6.12/mm-fix-mmap-errno-value-when-map_droppable-is-not-supported.patch [new file with mode: 0644]
queue-6.12/module-decompress-check-return-value-of-module_extend_max_pages.patch [new file with mode: 0644]
queue-6.12/nfsv4-include-may_write-in-open-permission-mask-for-o_trunc.patch [new file with mode: 0644]
queue-6.12/ntb-epf-fix-request_irq-unwind-in-ntb_epf_init_isr.patch [new file with mode: 0644]
queue-6.12/riscv-mm-define-direct_map_physmem_end.patch [new file with mode: 0644]
queue-6.12/riscv-mm-unconditionally-sfence.vma-for-spurious-fault.patch [new file with mode: 0644]
queue-6.12/selftests-mm-fix-and-speedup-droppable-test.patch [new file with mode: 0644]
queue-6.12/selftests-mm-pagemap_ioctl-use-the-correct-page-size-for-transact_test.patch [new file with mode: 0644]
queue-6.12/series
queue-6.12/tracing-prevent-out-of-bounds-read-in-glob-matching.patch [new file with mode: 0644]

diff --git a/queue-6.12/audit-fix-potential-integer-overflow-in-audit_log_n_hex.patch b/queue-6.12/audit-fix-potential-integer-overflow-in-audit_log_n_hex.patch
new file mode 100644 (file)
index 0000000..1c1ba37
--- /dev/null
@@ -0,0 +1,62 @@
+From 65dfde57d1e29ce2b76fc23dd565eccd5c0bc0f0 Mon Sep 17 00:00:00 2001
+From: Ricardo Robaina <rrobaina@redhat.com>
+Date: Thu, 2 Jul 2026 11:04:11 -0300
+Subject: audit: fix potential integer overflow in audit_log_n_hex()
+
+From: Ricardo Robaina <rrobaina@redhat.com>
+
+commit 65dfde57d1e29ce2b76fc23dd565eccd5c0bc0f0 upstream.
+
+The function calculates new_len as len << 1 for hex encoding. This
+has two overflow risks: the shift itself can overflow when len is
+large, and the result can be truncated when assigned to new_len
+(declared as int) from the size_t calculation.
+
+Fix by using check_shl_overflow() to catch shift overflow and
+changing new_len and loop counter i to size_t to prevent truncation.
+
+Cc: stable@vger.kernel.org
+Fixes: 168b7173959f ("AUDIT: Clean up logging of untrusted strings")
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
+[PM: remove vertical whitspace noise]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/audit.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -47,6 +47,7 @@
+ #include <linux/mutex.h>
+ #include <linux/gfp.h>
+ #include <linux/pid.h>
++#include <linux/overflow.h>
+ #include <linux/audit.h>
+@@ -2030,7 +2031,8 @@ void audit_log_format(struct audit_buffe
+ void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf,
+               size_t len)
+ {
+-      int i, avail, new_len;
++      int avail;
++      size_t i, new_len;
+       unsigned char *ptr;
+       struct sk_buff *skb;
+@@ -2040,7 +2042,12 @@ void audit_log_n_hex(struct audit_buffer
+       BUG_ON(!ab->skb);
+       skb = ab->skb;
+       avail = skb_tailroom(skb);
+-      new_len = len<<1;
++
++      if (check_shl_overflow(len, 1, &new_len)) {
++              audit_log_format(ab, "?");
++              return;
++      }
++
+       if (new_len >= avail) {
+               /* Round the buffer request up to the next multiple */
+               new_len = AUDIT_BUFSIZ*(((new_len-avail)/AUDIT_BUFSIZ) + 1);
diff --git a/queue-6.12/exfat-bound-uniname-advance-in-exfat_find_dir_entry.patch b/queue-6.12/exfat-bound-uniname-advance-in-exfat_find_dir_entry.patch
new file mode 100644 (file)
index 0000000..a4ba720
--- /dev/null
@@ -0,0 +1,79 @@
+From 3a1230e7b043c62737b05a3e9275ca83a43ad20a Mon Sep 17 00:00:00 2001
+From: Bryam Vargas <hexlabsecurity@proton.me>
+Date: Fri, 12 Jun 2026 14:29:06 -0500
+Subject: exfat: bound uniname advance in exfat_find_dir_entry()
+
+From: Bryam Vargas <hexlabsecurity@proton.me>
+
+commit 3a1230e7b043c62737b05a3e9275ca83a43ad20a upstream.
+
+In exfat_find_dir_entry(), each TYPE_EXTEND (file name) entry advances the
+output pointer by a fixed amount while the loop guard only tracks the
+accumulated name length:
+
+       if (++order == 2)
+               uniname = p_uniname->name;
+       else
+               uniname += EXFAT_FILE_NAME_LEN;
+       len = exfat_extract_uni_name(ep, entry_uniname);
+       name_len += len;
+       unichar = *(uniname+len);
+       *(uniname+len) = 0x0;
+
+uniname grows by EXFAT_FILE_NAME_LEN (15) per name entry, but name_len
+grows only by the actual extracted length, which is shorter when a name
+fragment contains an early NUL.  The only guard is
+`name_len >= MAX_NAME_LENGTH`, so a crafted directory with many short
+name fragments lets uniname run far past the
+p_uniname->name[MAX_NAME_LENGTH + 3] buffer while name_len stays small,
+causing an out-of-bounds read and write at *(uniname+len).
+
+The sibling extractor exfat_get_uniname_from_ext_entry() already stops
+on a short fragment (the lockstep `len != EXFAT_FILE_NAME_LEN` guard
+added in commit d42334578eba ("exfat: check if filename entries exceeds
+max filename length")); exfat_find_dir_entry() never got the
+equivalent.  Track the per-entry write offset as a count and reject a
+fragment once the offset, or the offset plus the extracted length, would
+exceed MAX_NAME_LENGTH, before forming the output pointer.
+
+Fixes: ca06197382bd ("exfat: add directory operations")
+Cc: stable@vger.kernel.org
+Suggested-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/exfat/dir.c |   13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/fs/exfat/dir.c
++++ b/fs/exfat/dir.c
+@@ -1102,6 +1102,7 @@ rewind:
+                       if (entry_type == TYPE_EXTEND) {
+                               unsigned short entry_uniname[16], unichar;
++                              unsigned int offset;
+                               if (step != DIRENT_STEP_NAME ||
+                                   name_len >= MAX_NAME_LENGTH) {
+@@ -1110,13 +1111,15 @@ rewind:
+                                       continue;
+                               }
+-                              if (++order == 2)
+-                                      uniname = p_uniname->name;
+-                              else
+-                                      uniname += EXFAT_FILE_NAME_LEN;
+-
++                              offset = (++order - 2) * EXFAT_FILE_NAME_LEN;
+                               len = exfat_extract_uni_name(ep, entry_uniname);
+                               brelse(bh);
++                              if (offset > MAX_NAME_LENGTH ||
++                                  len > MAX_NAME_LENGTH - offset) {
++                                      step = DIRENT_STEP_FILE;
++                                      continue;
++                              }
++                              uniname = p_uniname->name + offset;
+                               name_len += len;
+                               unichar = *(uniname+len);
diff --git a/queue-6.12/mm-do-file-ownership-checks-with-the-proper-mount-idmap.patch b/queue-6.12/mm-do-file-ownership-checks-with-the-proper-mount-idmap.patch
new file mode 100644 (file)
index 0000000..0b2fb02
--- /dev/null
@@ -0,0 +1,102 @@
+From e187bc02f8fa4226d62814592cf064ee4557c470 Mon Sep 17 00:00:00 2001
+From: Pedro Falcato <pfalcato@suse.de>
+Date: Thu, 25 Jun 2026 16:38:53 +0100
+Subject: mm: do file ownership checks with the proper mount idmap
+
+From: Pedro Falcato <pfalcato@suse.de>
+
+commit e187bc02f8fa4226d62814592cf064ee4557c470 upstream.
+
+Ever since idmapped mounts were introduced, inode ownership checks (for
+side-channel protection) in mincore() and madvise(MADV_PAGEOUT) were done
+against the nop_mnt_idmap, which completely ignores the file's mount's
+idmap.  This results in odd edgecases like:
+
+1) mount/bind-mount with an idmap userA:userB:1
+2) userB runs an owner_or_capable() check on file that is owned by userA
+on-disk/in-memory, but owned by userB after idmap translation
+3) owner_or_capable() mysteriously fails as the correct idmap wasn't supplied
+
+In the case of mincore/madvise MADV_PAGEOUT, this is usually benign,
+because file_permission(file, MAY_WRITE) will probably succeed, as it uses
+the proper idmap internally, but it does not need to be the case on e.g a
+0444 file where even the owner itself doesn't have permissions to write to
+it.
+
+Since this is clearly not trivial to get right, introduce a
+file_owner_or_capable() that can carry the correct semantics, and switch
+the various users in mm to it.
+
+The issue was found by manual code inspection & an off-list discussion
+with Jan Kara.
+
+Link: https://lore.kernel.org/20260625153853.913949-1-pfalcato@suse.de
+Fixes: 9caccd41541a ("fs: introduce MOUNT_ATTR_IDMAP")
+Signed-off-by: Pedro Falcato <pfalcato@suse.de>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Acked-by: David Hildenbrand (Arm) <david@kernel.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Jann Horn <jannh@google.com>
+Cc: Liam R. Howlett <liam@infradead.org>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Vlastimil Babka <vbabka@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/fs.h |    5 +++++
+ mm/filemap.c       |    2 +-
+ mm/madvise.c       |    3 +--
+ mm/mincore.c       |    3 +--
+ 4 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -2704,6 +2704,11 @@ static inline struct mnt_idmap *file_mnt
+       return mnt_idmap(file->f_path.mnt);
+ }
++static inline bool file_owner_or_capable(const struct file *file)
++{
++      return inode_owner_or_capable(file_mnt_idmap(file), file_inode(file));
++}
++
+ /**
+  * is_idmapped_mnt - check whether a mount is mapped
+  * @mnt: the mount to check
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -4420,7 +4420,7 @@ static inline bool can_do_cachestat(stru
+ {
+       if (f->f_mode & FMODE_WRITE)
+               return true;
+-      if (inode_owner_or_capable(file_mnt_idmap(f), file_inode(f)))
++      if (file_owner_or_capable(f))
+               return true;
+       return file_permission(f, MAY_WRITE) == 0;
+ }
+--- a/mm/madvise.c
++++ b/mm/madvise.c
+@@ -316,8 +316,7 @@ static inline bool can_do_file_pageout(s
+        * otherwise we'd be including shared non-exclusive mappings, which
+        * opens a side channel.
+        */
+-      return inode_owner_or_capable(&nop_mnt_idmap,
+-                                    file_inode(vma->vm_file)) ||
++      return file_owner_or_capable(vma->vm_file) ||
+              file_permission(vma->vm_file, MAY_WRITE) == 0;
+ }
+--- a/mm/mincore.c
++++ b/mm/mincore.c
+@@ -167,8 +167,7 @@ static inline bool can_do_mincore(struct
+        * for writing; otherwise we'd be including shared non-exclusive
+        * mappings, which opens a side channel.
+        */
+-      return inode_owner_or_capable(&nop_mnt_idmap,
+-                                    file_inode(vma->vm_file)) ||
++      return file_owner_or_capable(vma->vm_file) ||
+              file_permission(vma->vm_file, MAY_WRITE) == 0;
+ }
diff --git a/queue-6.12/mm-fix-mmap-errno-value-when-map_droppable-is-not-supported.patch b/queue-6.12/mm-fix-mmap-errno-value-when-map_droppable-is-not-supported.patch
new file mode 100644 (file)
index 0000000..47e381d
--- /dev/null
@@ -0,0 +1,72 @@
+From d86c9e971af2315119a78c564a802fafcebf1b6b Mon Sep 17 00:00:00 2001
+From: Anthony Yznaga <anthony.yznaga@oracle.com>
+Date: Wed, 15 Apr 2026 20:39:37 -0700
+Subject: mm: fix mmap errno value when MAP_DROPPABLE is not supported
+
+From: Anthony Yznaga <anthony.yznaga@oracle.com>
+
+commit d86c9e971af2315119a78c564a802fafcebf1b6b upstream.
+
+Patch series "fix MAP_DROPPABLE not supported errno", v4.
+
+Mark Brown reported seeing a regression in -next on 32 bit arm with the
+mlock selftests.  Before exiting and marking the tests failed, the
+following message was logged after an attempt to create a MAP_DROPPABLE
+mapping:
+
+Bail out! mmap error: Unknown error 524
+
+It turns out error 524 is ENOTSUPP which is an error that userspace is not
+supposed to see, but it indicates in this instance that MAP_DROPPABLE is
+not supported.
+
+The first patch changes the errno returned to EOPNOTSUPP.  The second
+patch is a second version of a prior patch to introduce selftests to
+verify locking behavior with droppable mappings with the additional change
+to skip the tests when MAP_DROPPABLE is not supported.  The third patch
+fixes the MAP_DROPPABLE selftest so that it is run by the framework and
+skips if MAP_DROPPABLE is not supported.
+
+
+This patch (of 3):
+
+On configs where MAP_DROPPABLE is not supported (currently any 32-bit
+config except for PPC32), mmap fails with errno set to ENOTSUPP.  However,
+ENOTSUPP is not a standard error value that userspace knows about.  The
+acceptable userspace-visible errno to use is EOPNOTSUPP.  checkpatch.pl
+has a warning to this effect.
+
+Link: https://lore.kernel.org/20260416033939.49981-1-anthony.yznaga@oracle.com
+Link: https://lore.kernel.org/20260416033939.49981-2-anthony.yznaga@oracle.com
+Fixes: 9651fcedf7b9 ("mm: add MAP_DROPPABLE for designating always lazily freeable mappings")
+Signed-off-by: Anthony Yznaga <anthony.yznaga@oracle.com>
+Acked-by: David Hildenbrand (Arm) <david@kernel.org>
+Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
+Reported-by: Mark Brown <broonie@kernel.org>
+Reviewed-by: Pedro Falcato <pfalcato@suse.de>
+Reviewed-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
+Cc: Jann Horn <jannh@google.com>
+Cc: Jason A. Donenfeld <jason@zx2c4.com>
+Cc: Liam Howlett <liam@infradead.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mmap.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -450,7 +450,7 @@ unsigned long do_mmap(struct file *file,
+                       break;
+               case MAP_DROPPABLE:
+                       if (VM_DROPPABLE == VM_NONE)
+-                              return -ENOTSUPP;
++                              return -EOPNOTSUPP;
+                       /*
+                        * A locked or stack area makes no sense to be droppable.
+                        *
diff --git a/queue-6.12/module-decompress-check-return-value-of-module_extend_max_pages.patch b/queue-6.12/module-decompress-check-return-value-of-module_extend_max_pages.patch
new file mode 100644 (file)
index 0000000..f285661
--- /dev/null
@@ -0,0 +1,48 @@
+From 786d2d84416a9a1c1a47b71a68d679d886284be2 Mon Sep 17 00:00:00 2001
+From: Andrii Kuchmenko <capyenglishlite@gmail.com>
+Date: Mon, 18 May 2026 17:32:33 +0300
+Subject: module: decompress: check return value of module_extend_max_pages()
+
+From: Andrii Kuchmenko <capyenglishlite@gmail.com>
+
+commit 786d2d84416a9a1c1a47b71a68d679d886284be2 upstream.
+
+module_extend_max_pages() calls kvrealloc() internally and returns
+-ENOMEM on allocation failure. The return value is never checked.
+
+If the initial allocation fails, info->pages remains NULL and
+info->max_pages remains 0. Subsequent calls to module_get_next_page()
+will attempt to dynamically grow the array by calling
+module_extend_max_pages(info, 0) since info->used_pages is 0. This
+results in kvrealloc(NULL, 0) returning ZERO_SIZE_PTR, which is treated
+as a success, leading to a dereference of ZERO_SIZE_PTR and a kernel
+oops.
+
+Fix: add the missing error check after module_extend_max_pages() and
+return immediately on failure. This matches the pattern used by every
+other kvrealloc() caller in the module loading path.
+
+Fixes: b1ae6dc41eaa ("module: add in-kernel support for decompressing")
+Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrii Kuchmenko <capyenglishlite@gmail.com>
+Reviewed-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
+[Sami: Corrected the analysis in the commit message.]
+Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/module/decompress.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/module/decompress.c
++++ b/kernel/module/decompress.c
+@@ -307,6 +307,8 @@ int module_decompress(struct load_info *
+        */
+       n_pages = DIV_ROUND_UP(size, PAGE_SIZE) * 2;
+       error = module_extend_max_pages(info, n_pages);
++      if (error)
++              return error;
+       data_size = MODULE_DECOMPRESS_FN(info, buf, size);
+       if (data_size < 0) {
diff --git a/queue-6.12/nfsv4-include-may_write-in-open-permission-mask-for-o_trunc.patch b/queue-6.12/nfsv4-include-may_write-in-open-permission-mask-for-o_trunc.patch
new file mode 100644 (file)
index 0000000..1b91c88
--- /dev/null
@@ -0,0 +1,48 @@
+From 5140f099ecd8a2f2808b7f7b720ee1bad8468974 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <ben.coddington@hammerspace.com>
+Date: Thu, 11 Jun 2026 17:02:15 -0400
+Subject: NFSv4: include MAY_WRITE in open permission mask for O_TRUNC
+
+From: Benjamin Coddington <ben.coddington@hammerspace.com>
+
+commit 5140f099ecd8a2f2808b7f7b720ee1bad8468974 upstream.
+
+POSIX requires write permission to truncate a file, so an open() that
+specifies O_TRUNC must be authorized for write access regardless of the
+O_ACCMODE access mode.
+
+nfs_open_permission_mask() builds the access mask passed to
+nfs_may_open(), which is the local authorization gate for OPENs the
+client serves itself from a cached write delegation via the
+can_open_delegated() path in nfs4_try_open_cached().  The mask is
+derived from O_ACCMODE alone, so an open(O_RDONLY | O_TRUNC) against a
+file the caller cannot write requests only MAY_READ and passes the
+local check.  The OPEN is then satisfied locally and the truncation is
+issued to the server as a SETATTR(size=0) over the delegation stateid,
+which the server accepts under standard write-delegation semantics.
+POSIX requires that this open fail with EACCES.
+
+Include MAY_WRITE in the mask whenever O_TRUNC is set so the local
+check matches the access the server would have enforced.
+
+Suggested-by: Trond Myklebust <trondmy@kernel.org>
+Fixes: af22f94ae02a ("NFSv4: Simplify _nfs4_do_access()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Benjamin Coddington <bcodding@hammerspace.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/dir.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -3318,6 +3318,8 @@ static int nfs_open_permission_mask(int
+                       mask |= MAY_READ;
+               if ((openflags & O_ACCMODE) != O_RDONLY)
+                       mask |= MAY_WRITE;
++              if (openflags & O_TRUNC)
++                      mask |= MAY_WRITE;
+       }
+       return mask;
diff --git a/queue-6.12/ntb-epf-fix-request_irq-unwind-in-ntb_epf_init_isr.patch b/queue-6.12/ntb-epf-fix-request_irq-unwind-in-ntb_epf_init_isr.patch
new file mode 100644 (file)
index 0000000..20fcae4
--- /dev/null
@@ -0,0 +1,59 @@
+From fcba26efe5efc7441f5505f4ccc69791214b40be Mon Sep 17 00:00:00 2001
+From: Koichiro Den <den@valinux.co.jp>
+Date: Wed, 4 Mar 2026 17:30:27 +0900
+Subject: NTB: epf: Fix request_irq() unwind in ntb_epf_init_isr()
+
+From: Koichiro Den <den@valinux.co.jp>
+
+commit fcba26efe5efc7441f5505f4ccc69791214b40be upstream.
+
+ntb_epf_init_isr() requests multiple MSI/MSI-X vectors in a loop. If
+request_irq() fails part-way through, it jumps straight to
+pci_free_irq_vectors() without freeing already requested IRQs.
+
+Fix the error path by freeing any successfully requested IRQs before
+releasing the vectors.
+
+Fixes: 812ce2f8d14e ("NTB: Add support for EPF PCI Non-Transparent Bridge")
+Signed-off-by: Koichiro Den <den@valinux.co.jp>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Cc: stable@vger.kernel.org # v5.12+
+Link: https://patch.msgid.link/20260304083028.1391068-2-den@valinux.co.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ntb/hw/epf/ntb_hw_epf.c |   10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/ntb/hw/epf/ntb_hw_epf.c
++++ b/drivers/ntb/hw/epf/ntb_hw_epf.c
+@@ -357,7 +357,7 @@ static int ntb_epf_init_isr(struct ntb_e
+                                 0, "ntb_epf", ndev);
+               if (ret) {
+                       dev_err(dev, "Failed to request irq\n");
+-                      goto err_request_irq;
++                      goto err_free_irq;
+               }
+       }
+@@ -367,16 +367,14 @@ static int ntb_epf_init_isr(struct ntb_e
+                                  argument | irq);
+       if (ret) {
+               dev_err(dev, "Failed to configure doorbell\n");
+-              goto err_configure_db;
++              goto err_free_irq;
+       }
+       return 0;
+-err_configure_db:
+-      for (i = 0; i < ndev->db_count + 1; i++)
++err_free_irq:
++      while (i--)
+               free_irq(pci_irq_vector(pdev, i), ndev);
+-
+-err_request_irq:
+       pci_free_irq_vectors(pdev);
+       return ret;
diff --git a/queue-6.12/riscv-mm-define-direct_map_physmem_end.patch b/queue-6.12/riscv-mm-define-direct_map_physmem_end.patch
new file mode 100644 (file)
index 0000000..bc87a01
--- /dev/null
@@ -0,0 +1,47 @@
+From f3336b48cf9d3f2d1fc78e3289c0ded2f00876ee Mon Sep 17 00:00:00 2001
+From: Vivian Wang <wangruikang@iscas.ac.cn>
+Date: Sat, 6 Jun 2026 20:17:54 -0600
+Subject: riscv: mm: Define DIRECT_MAP_PHYSMEM_END
+
+From: Vivian Wang <wangruikang@iscas.ac.cn>
+
+commit f3336b48cf9d3f2d1fc78e3289c0ded2f00876ee upstream.
+
+On RISC-V, the actual mappable range of physical address space is
+dependent on the current MMU mode i.e. satp_mode (See
+Documentation/arch/riscv/vm-layout.rst).
+
+Define the DIRECT_MAP_PHYSMEM_END macro based on the existing virtual
+address space layout macros to expose this information to
+get_free_mem_region(). Otherwise, it returns a region that couldn't be
+mapped, which breaks ZONE_DEVICE.
+
+Cc: stable@vger.kernel.org # v6.13+
+Tested-by: Han Gao <gaohan@iscas.ac.cn> # SG2044
+Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn>
+Link: https://patch.msgid.link/20260309-riscv-sparsemem-vmemmap-limits-v1-2-f40efe18e3cd@iscas.ac.cn
+Signed-off-by: Paul Walmsley <pjw@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/pgtable.h |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/riscv/include/asm/pgtable.h
++++ b/arch/riscv/include/asm/pgtable.h
+@@ -89,6 +89,16 @@
+  */
+ #define vmemmap               ((struct page *)VMEMMAP_START - vmemmap_start_pfn)
++/* Needed to limit get_free_mem_region() */
++#if defined(CONFIG_FLATMEM)
++#define DIRECT_MAP_PHYSMEM_END (phys_ram_base + KERN_VIRT_SIZE - 1)
++#elif defined(CONFIG_SPARSEMEM_VMEMMAP)
++#define DIRECT_MAP_PHYSMEM_END \
++      ((vmemmap_start_pfn + VMEMMAP_SIZE / sizeof(struct page)) * PAGE_SIZE - 1)
++#elif defined(CONFIG_SPARSEMEM)
++/* DIRECT_MAP_PHYSMEM_END is not limited by VA space assignment in this case */
++#endif
++
+ #define PCI_IO_SIZE      SZ_16M
+ #define PCI_IO_END       VMEMMAP_START
+ #define PCI_IO_START     (PCI_IO_END - PCI_IO_SIZE)
diff --git a/queue-6.12/riscv-mm-unconditionally-sfence.vma-for-spurious-fault.patch b/queue-6.12/riscv-mm-unconditionally-sfence.vma-for-spurious-fault.patch
new file mode 100644 (file)
index 0000000..0a27a39
--- /dev/null
@@ -0,0 +1,43 @@
+From 1b2c6b56a9fa0dcbef461039937de22b1cbecc7d Mon Sep 17 00:00:00 2001
+From: Vivian Wang <wangruikang@iscas.ac.cn>
+Date: Tue, 3 Mar 2026 13:29:49 +0800
+Subject: riscv: mm: Unconditionally sfence.vma for spurious fault
+
+From: Vivian Wang <wangruikang@iscas.ac.cn>
+
+commit 1b2c6b56a9fa0dcbef461039937de22b1cbecc7d upstream.
+
+Svvptc does not guarantee that it's safe to just return here. Since we
+have already cleared our bit, if, theoretically, the bounded timeframe
+for the accessed page to become valid still hasn't happened after sret,
+we could fault again and actually crash.
+
+Hopefully, these spurious faults should be rare enough that this is an
+acceptable slowdown.
+
+Cc: stable@vger.kernel.org
+Fixes: 503638e0babf ("riscv: Stop emitting preventive sfence.vma for new vmalloc mappings")
+Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn>
+Link: https://patch.msgid.link/20260303-handle-kfence-protect-spurious-fault-v2-5-f80d8354d79d@iscas.ac.cn
+Signed-off-by: Paul Walmsley <pjw@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/entry.S |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/riscv/kernel/entry.S
++++ b/arch/riscv/kernel/entry.S
+@@ -74,8 +74,11 @@
+       /* Atomically reset the current cpu bit in new_vmalloc */
+       amoxor.d        a0, a1, (a0)
+-      /* Only emit a sfence.vma if the uarch caches invalid entries */
+-      ALTERNATIVE("sfence.vma", "nop", 0, RISCV_ISA_EXT_SVVPTC, 1)
++      /*
++       * A sfence.vma is required here. Even if we had Svvptc, there's no
++       * guarantee that after returning we wouldn't just fault again.
++       */
++      sfence.vma
+       REG_L   a0, TASK_TI_A0(tp)
+       REG_L   a1, TASK_TI_A1(tp)
diff --git a/queue-6.12/selftests-mm-fix-and-speedup-droppable-test.patch b/queue-6.12/selftests-mm-fix-and-speedup-droppable-test.patch
new file mode 100644 (file)
index 0000000..451ae62
--- /dev/null
@@ -0,0 +1,126 @@
+From cc13a7a618fe8354f16d74c06aaf9565a68e9ebd Mon Sep 17 00:00:00 2001
+From: "David Hildenbrand (Arm)" <david@kernel.org>
+Date: Thu, 11 Jun 2026 12:01:55 +0200
+Subject: selftests: mm: fix and speedup "droppable" test
+
+From: David Hildenbrand (Arm) <david@kernel.org>
+
+commit cc13a7a618fe8354f16d74c06aaf9565a68e9ebd upstream.
+
+The droppable test currently relies on creating memory pressure in a child
+process to trigger dropping the droppable pages.
+
+That not only takes a long time on some machines (allocating and filling
+all that memory), on large machines this will not work as we hardcode the
+area size to 134217728 bytes.
+
+...  further, we rely on timeouts to detect that memory was not dropped,
+which is really suboptimal.
+
+Instead, let's just use MADV_PAGEOUT on a 2 MiB region.  MADV_PAGEOUT
+works with droppable memory even without swap.
+
+There is the low chance of MADV_PAGEOUT failing to drop a page because of
+speculative references.  We'll wait 1s and retry 10 times to rule that
+unlikely case out as best as we can.
+
+On a machine without swap:
+
+       $ ./droppable
+       TAP version 13
+       1..1
+       ok 1 madvise(MADV_PAGEOUT) behavior
+       # Totals: pass:1 fail:0 xfail:0 xpass:0 skip:0 error:0
+
+Link: https://lore.kernel.org/20260611-droppable_test-v1-1-b6a73d99f658@kernel.org
+Fixes: 9651fcedf7b9 ("mm: add MAP_DROPPABLE for designating always lazily freeable mappings")
+Signed-off-by: David Hildenbrand (Arm) <david@kernel.org>
+Reported-by: Aishwarya TCV <Aishwarya.TCV@arm.com>
+Tested-by: Sarthak Sharma <sarthak.sharma@arm.com>
+Tested-by: Lance Yang <lance.yang@linux.dev>
+Reviewed-by: Dev Jain <dev.jain@arm.com>
+Reviewed-by: SeongJae Park <sj@kernel.org>
+Tested-by: Lorenzo Stoakes <ljs@kernel.org>
+Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
+Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: Anthony Yznaga <anthony.yznaga@oracle.com>
+Cc: Liam R. Howlett <liam@infradead.org>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: Vlastimil Babka <vbabka@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/mm/droppable.c |   46 ++++++++++++++++++---------------
+ 1 file changed, 26 insertions(+), 20 deletions(-)
+
+--- a/tools/testing/selftests/mm/droppable.c
++++ b/tools/testing/selftests/mm/droppable.c
+@@ -17,10 +17,10 @@
+ int main(int argc, char *argv[])
+ {
+-      size_t alloc_size = 134217728;
+-      size_t page_size = getpagesize();
++      const size_t alloc_size = 2 * 1024 * 1024;
++      int retry_count = 10;
++      bool dropped;
+       void *alloc;
+-      pid_t child;
+       ksft_print_header();
+       ksft_set_plan(1);
+@@ -28,26 +28,32 @@ int main(int argc, char *argv[])
+       alloc = mmap(0, alloc_size, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_DROPPABLE, -1, 0);
+       assert(alloc != MAP_FAILED);
+       memset(alloc, 'A', alloc_size);
+-      for (size_t i = 0; i < alloc_size; i += page_size)
+-              assert(*(uint8_t *)(alloc + i));
+-      child = fork();
+-      assert(child >= 0);
+-      if (!child) {
+-              for (;;)
+-                      *(char *)malloc(page_size) = 'B';
+-      }
+-
+-      for (bool done = false; !done;) {
+-              for (size_t i = 0; i < alloc_size; i += page_size) {
+-                      if (!*(uint8_t *)(alloc + i)) {
+-                              done = true;
+-                              break;
++      while (retry_count--) {
++              if (madvise(alloc, alloc_size, MADV_PAGEOUT)) {
++                      if (errno == EINVAL) {
++                              ksft_test_result_skip("madvise(MADV_PAGEOUT) not supported\n");
++                              exit(KSFT_SKIP);
+                       }
++                      ksft_test_result_fail("madvise(MADV_PAGEOUT) error: %s\n", strerror(errno));
++                      exit(KSFT_FAIL);
+               }
++
++              dropped = memchr(alloc, 'A', alloc_size) == NULL;
++
++              /*
++               * Speculative reference can temporarily prevent some
++               * pages from getting dropped. So sleep and retry.
++               *
++               * If a page is not droppable for 10s, something
++               * is seriously messed up and we want to fail.
++               */
++              if (dropped)
++                      break;
++              sleep(1);
+       }
+-      kill(child, SIGTERM);
+-      ksft_test_result_pass("MAP_DROPPABLE: PASS\n");
+-      exit(KSFT_PASS);
++      ksft_test_result(dropped, "madvise(MADV_PAGEOUT) behavior\n");
++
++      ksft_finished();
+ }
diff --git a/queue-6.12/selftests-mm-pagemap_ioctl-use-the-correct-page-size-for-transact_test.patch b/queue-6.12/selftests-mm-pagemap_ioctl-use-the-correct-page-size-for-transact_test.patch
new file mode 100644 (file)
index 0000000..1cc7b17
--- /dev/null
@@ -0,0 +1,88 @@
+From dccf636bf1e68c3fda92f0c9e1018ab7e0ac8b2c Mon Sep 17 00:00:00 2001
+From: Zenghui Yu <zenghui.yu@linux.dev>
+Date: Sun, 28 Jun 2026 18:11:18 +0800
+Subject: selftests/mm: pagemap_ioctl: use the correct page size for transact_test()
+
+From: Zenghui Yu <zenghui.yu@linux.dev>
+
+commit dccf636bf1e68c3fda92f0c9e1018ab7e0ac8b2c upstream.
+
+There are several places in transact_test() where we use the hardcoded
+0x1000 (4k) as page size, which is not always correct for architectures
+supporting multiple page sizes.
+
+Switch to use the correct page size.  Otherwise ./ksft_pagemap.sh on a
+16k-page-size arm64 box fails with
+
+ $ ./ksft_pagemap.sh
+ [...]
+ # ok 96 mprotect_tests Both pages written after remap and mprotect
+ # ok 97 mprotect_tests Clear and make the pages written
+ # Bail out! ioctl failed
+ # # Planned tests != run tests (117 != 97)
+ # # Totals: pass:97 fail:0 xfail:0 xpass:0 skip:0 error:0
+ # [FAIL]
+ not ok 1 pagemap_ioctl # exit=1
+ # SUMMARY: PASS=0 SKIP=0 FAIL=1
+ 1..1
+
+Link: https://lore.kernel.org/20260628101118.35861-1-zenghui.yu@linux.dev
+Fixes: 46fd75d4a3c9 ("selftests: mm: add pagemap ioctl tests")
+Signed-off-by: Zenghui Yu <zenghui.yu@linux.dev>
+Cc: Muhammad Usama Anjum <usama.anjum@arm.com>
+Cc: David Hildenbrand <david@kernel.org>
+Cc: Liam R. Howlett <liam@infradead.org>
+Cc: Lorenzo Stoakes <ljs@kernel.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: Vlastimil Babka <vbabka@kernel.org>
+Cc: Zenghui Yu <zenghui.yu@linux.dev>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/mm/pagemap_ioctl.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/tools/testing/selftests/mm/pagemap_ioctl.c
++++ b/tools/testing/selftests/mm/pagemap_ioctl.c
+@@ -1366,7 +1366,7 @@ void *thread_proc(void *mem)
+                       ksft_exit_fail_msg("pthread_barrier_wait\n");
+               for (i = 0; i < access_per_thread; ++i)
+-                      __atomic_add_fetch(m + i * (0x1000 / sizeof(*m)), 1, __ATOMIC_SEQ_CST);
++                      __atomic_add_fetch(m + i * (page_size / sizeof(*m)), 1, __ATOMIC_SEQ_CST);
+               ret = pthread_barrier_wait(&end_barrier);
+               if (ret && ret != PTHREAD_BARRIER_SERIAL_THREAD)
+@@ -1401,15 +1401,15 @@ static void transact_test(int page_size)
+       if (pthread_barrier_init(&end_barrier, NULL, nthreads + 1))
+               ksft_exit_fail_msg("pthread_barrier_init\n");
+-      mem = mmap(NULL, 0x1000 * nthreads * pages_per_thread, PROT_READ | PROT_WRITE,
++      mem = mmap(NULL, page_size * nthreads * pages_per_thread, PROT_READ | PROT_WRITE,
+                  MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+       if (mem == MAP_FAILED)
+               ksft_exit_fail_msg("Error mmap %s.\n", strerror(errno));
+-      wp_init(mem, 0x1000 * nthreads * pages_per_thread);
+-      wp_addr_range(mem, 0x1000 * nthreads * pages_per_thread);
++      wp_init(mem, page_size * nthreads * pages_per_thread);
++      wp_addr_range(mem, page_size * nthreads * pages_per_thread);
+-      memset(mem, 0, 0x1000 * nthreads * pages_per_thread);
++      memset(mem, 0, page_size * nthreads * pages_per_thread);
+       count = get_dirty_pages_reset(mem, nthreads * pages_per_thread, 1, page_size);
+       ksft_test_result(count > 0, "%s count %d\n", __func__, count);
+@@ -1418,7 +1418,7 @@ static void transact_test(int page_size)
+       finish = 0;
+       for (i = 0; i < nthreads; ++i)
+-              pthread_create(&th, NULL, thread_proc, mem + 0x1000 * i * pages_per_thread);
++              pthread_create(&th, NULL, thread_proc, mem + page_size * i * pages_per_thread);
+       extra_pages = 0;
+       for (i = 0; i < iter_count; ++i) {
index e2e8236820a8becdc4ad7693700191e34e28e916..dd2b3025c062f688e7ea21a27f060c958514e8f2 100644 (file)
@@ -301,3 +301,15 @@ edac-i10nm-don-t-fail-probing-if-adxl-is-missing.patch
 watchdog-apple-add-apple-t8103-wdt-compatible.patch
 regulator-scmi-fix-of_node-refcount-leak-in-scmi_regulator_probe.patch
 i2c-core-fix-hang-on-adapter-registration-failure.patch
+tracing-prevent-out-of-bounds-read-in-glob-matching.patch
+audit-fix-potential-integer-overflow-in-audit_log_n_hex.patch
+nfsv4-include-may_write-in-open-permission-mask-for-o_trunc.patch
+module-decompress-check-return-value-of-module_extend_max_pages.patch
+exfat-bound-uniname-advance-in-exfat_find_dir_entry.patch
+ntb-epf-fix-request_irq-unwind-in-ntb_epf_init_isr.patch
+riscv-mm-define-direct_map_physmem_end.patch
+riscv-mm-unconditionally-sfence.vma-for-spurious-fault.patch
+mm-fix-mmap-errno-value-when-map_droppable-is-not-supported.patch
+selftests-mm-fix-and-speedup-droppable-test.patch
+mm-do-file-ownership-checks-with-the-proper-mount-idmap.patch
+selftests-mm-pagemap_ioctl-use-the-correct-page-size-for-transact_test.patch
diff --git a/queue-6.12/tracing-prevent-out-of-bounds-read-in-glob-matching.patch b/queue-6.12/tracing-prevent-out-of-bounds-read-in-glob-matching.patch
new file mode 100644 (file)
index 0000000..62e2d1d
--- /dev/null
@@ -0,0 +1,132 @@
+From 0a6070839b1ef276d5b05bedfb787743e140fb17 Mon Sep 17 00:00:00 2001
+From: Huihui Huang <hhhuang@smu.edu.sg>
+Date: Wed, 1 Jul 2026 18:28:46 +0800
+Subject: tracing: Prevent out-of-bounds read in glob matching
+
+From: Huihui Huang <hhhuang@smu.edu.sg>
+
+commit 0a6070839b1ef276d5b05bedfb787743e140fb17 upstream.
+
+String event fields are not necessarily NUL-terminated, so the filter
+predicate functions (filter_pred_string(), filter_pred_strloc() and
+filter_pred_strrelloc()) pass the field length to the regex match
+callbacks, and the length-aware matchers honour it.
+
+regex_match_glob() was the exception: it ignored the length and called
+glob_match(), which scans the string until it hits a NUL byte. Some
+string fields are not NUL-terminated. One example is the dynamic char
+array of the xfs_* namespace tracepoints, which is copied without a
+trailing NUL. For such a field, glob matching reads past the end of
+the event field, causing a KASAN slab-out-of-bounds read in
+glob_match(), reached via regex_match_glob() and filter_match_preds()
+from the xfs_lookup tracepoint.
+
+Add a length-bounded glob_match_len() and use it from regex_match_glob()
+so glob matching always stops at the field boundary. The matching loop
+is factored into a shared helper so glob_match() keeps its behaviour.
+
+Fixes: 60f1d5e3bac4 ("ftrace: Support full glob matching")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/da1aaf125fc3b63320b0c540fd6afa7c3d5b4f1a.1782836943.git.hhhuang@smu.edu.sg
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Assisted-by: Codex:GPT-5.4
+Signed-off-by: Huihui Huang <hhhuang@smu.edu.sg>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/glob.h               |    1 +
+ kernel/trace/trace_events_filter.c |    6 ++----
+ lib/glob.c                         |   31 +++++++++++++++++++++++++++++--
+ 3 files changed, 32 insertions(+), 6 deletions(-)
+
+--- a/include/linux/glob.h
++++ b/include/linux/glob.h
+@@ -6,5 +6,6 @@
+ #include <linux/compiler.h>   /* For __pure */
+ bool __pure glob_match(char const *pat, char const *str);
++bool __pure glob_match_len(char const *pat, char const *str, size_t len);
+ #endif        /* _LINUX_GLOB_H */
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -1056,11 +1056,9 @@ static int regex_match_end(char *str, st
+       return 0;
+ }
+-static int regex_match_glob(char *str, struct regex *r, int len __maybe_unused)
++static int regex_match_glob(char *str, struct regex *r, int len)
+ {
+-      if (glob_match(r->pattern, str))
+-              return 1;
+-      return 0;
++      return glob_match_len(r->pattern, str, len) ? 1 : 0;
+ }
+ /**
+--- a/lib/glob.c
++++ b/lib/glob.c
+@@ -9,6 +9,9 @@
+ MODULE_DESCRIPTION("glob(7) matching");
+ MODULE_LICENSE("Dual MIT/GPL");
++static bool __pure glob_match_str(char const *pat, char const *str,
++                                char const *str_end);
++
+ /**
+  * glob_match - Shell-style pattern matching, like !fnmatch(pat, str, 0)
+  * @pat: Shell-style pattern to match, e.g. "*.[ch]".
+@@ -39,6 +42,29 @@ MODULE_LICENSE("Dual MIT/GPL");
+  */
+ bool __pure glob_match(char const *pat, char const *str)
+ {
++      return glob_match_str(pat, str, NULL);
++}
++EXPORT_SYMBOL(glob_match);
++
++/**
++ * glob_match_len - glob match against a length-bounded string
++ * @pat: Shell-style pattern to match.
++ * @str: String to match.  Need not be NUL-terminated.
++ * @len: Number of bytes of @str that may be read.
++ *
++ * Like glob_match(), but @str is only read up to @len bytes, so it can be
++ * used on buffers that are not NUL-terminated (e.g. trace event fields).
++ * A NUL byte within @len still terminates the string.
++ */
++bool __pure glob_match_len(char const *pat, char const *str, size_t len)
++{
++      return glob_match_str(pat, str, str + len);
++}
++EXPORT_SYMBOL(glob_match_len);
++
++static bool __pure glob_match_str(char const *pat, char const *str,
++                                char const *str_end)
++{
+       /*
+        * Backtrack to previous * on mismatch and retry starting one
+        * character later in the string.  Because * matches all characters
+@@ -53,9 +79,11 @@ bool __pure glob_match(char const *pat,
+        * on mismatch, or true after matching the trailing nul bytes.
+        */
+       for (;;) {
+-              unsigned char c = *str++;
++              unsigned char c = (str_end && str >= str_end) ? '\0' : *str;
+               unsigned char d = *pat++;
++              str++;
++
+               switch (d) {
+               case '?':       /* Wildcard: anything but nul */
+                       if (c == '\0')
+@@ -122,4 +150,3 @@ backtrack:
+               }
+       }
+ }
+-EXPORT_SYMBOL(glob_match);