<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/kernel, branch v7.2-rc3</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>Merge tag 'trace-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace</title>
<updated>2026-07-12T16:46:37+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-12T16:46:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6205562c5904ee23786239298299043876b1a977'/>
<id>6205562c5904ee23786239298299043876b1a977</id>
<content type='text'>
Pull tracing fixes from Steven Rostedt:

 - Free field in error path of synthetic event parse

   In __create_synth_event() the field was allocated but was not freed
   in the error path

 - Fix ring_buffer_event_length() on 8 byte aligned architectures

   On architectures with CONFIG_HAVE_64BIT_ALIGNED_ACCESS set to y, the
   ring_buffer_event_length() may return the wrong size. This is because
   archs with that config set will always use the "big event meta
   header" as that is 8 bytes keeping the payload 8 bytes aligned, even
   when a 4 byte header could hold the size of the event

   But ring_buffer_event_length() doesn't take this into account and
   only subtracts 4 bytes for the meta header in the length when it
   should have subtracted 8 bytes

 - Have osnoise wait for a full rcu synchronization on unregister

   osnoise_unregister_instance() used to call synchronize_rcu() before
   freeing its copy of the instance but was switched to kfree_rcu(). The
   osniose tracer has code that traverses the instances that it uses,
   and inst is just a pointer to that instance. By using kfree_rcu()
   instead of synchronize_rcu(), the instance that the inst pointer is
   pointing to can be freed while the osnoise code is still referencing
   it

   That is, a rmdir on an instance first unregisters the tracer. When
   the unregister finishes, the rmdir expects that the tracer is
   finished with the instance that it is using. By putting back the
   synchronize_rcu() in osnoise_unregister_instance() the unregistering
   of osnoise will now return when all the users of the instance have
   finished

 - Remove an unused setting of "ret" in tracing_set_tracer()

 - Fix ring_buffer_read_page() copying events

   The commit that changed ring_buffer_read_page() to show dropped
   events from the buffer itself, split the "commit" variable between
   the commit value (with flags) and "size" that holds the size of the
   sub-buffer. A cut and paste error changed the test of the reading
   from checking the size of the buffer to the size of the event causing
   reads to only read one event at a time

 - Make tracepoint_printk a static variable

   When the tracing sysctl knobs were move from sysctl.c to trace.c, the
   variable tracepoint_printk no longer needed to be global. Make it
   static

 - Fix some typos

 - Fix NULL pointer dereference in func_set_flag()

   The flags update of the function tracer first checks if the value of
   the flag is the same and exits if they are, and then it checks if the
   current tracer is the function tracer and exits if it isn't. The
   problem is that these checks need to be in a reversed order, as if
   the tracer isn't the function tracer, then the flag being checked may
   not exist. Reverse the order of these checks

 - Fix ufs core trace events to not dereference a pointer in TP_printk()

   The TP_printk() part of the TRACE_EVENT() macro is called when the
   user reads the "trace" file. This can be seconds, minutes, hours,
   days, weeks, and even months after the data was recorded into the
   ring buffer. Thus, saving a pointer to an object into the ring buffer
   and then dereferencing it from TP_printk() can cause harm as the
   object the pointer is pointing to may no longer exist

   Fix all the trace events in ufs core to save the device name in the
   ring buffer instead of dereferencing the device descriptor from
   TP_printk()

 - Prevent out-of-bound reads in glob matching of trace events

   The filter logic of events allows simple glob logic to add wild cards
   to filter on strings. But some events have fields that may not have a
   terminating 'nul' character. This may cause the glob matching to go
   beyond the string. Change the logic to always pass in the length of
   the field that is being matched

 - Add no-rcu-check version of trace_##event##_enabled()

   The trace_##event##_enabled() usually wraps trace events to do extra
   work that is only needed when the trace event is enabled. But this
   can hide events that are placed in locations where RCU is not
   watching, and can make lockdep not see these bugs when the event is
   not enabled

   The trace_##event##_enabled() was updated to always test to make sure
   RCU is watching to catch locations that may call events without RCU
   being active

   This caused a false positive for the irq_disabled() and related
   events. As that use trace_irq_disabled_enabled() to force RCU to be
   watching when the event is enabled via the ct_irq_enter() function,
   calls the event, and then calls ct_irq_exit() to put RCU back to its
   original state

   The trace_irq_disabled_enabled() should not trigger a warning when
   RCU is not watching because the code within its block handles the
   case properly. Make a __trace_##event##_enabled() version for this
   event to use that doesn't check RCU is watching as it handles the
   case when it isn't

 - Fix use-after-free in user_event_mm_dup()

   When the enabler is removed from the link list, it is freed
   immediately. But it is protected via RCU and needs to be freed after
   an RCU grace period. Use queue_rcu_work() so that the event_mutex can
   also be taken as user_event_put() takes the mutex on the last
   reference is released

 - Free type string in error path of parse_synth_field()

   There's an error path in parse_synth_field() where the allocated type
   string is not freed

 - Add selftest that tests deferred event teardown

 - Fix leak in error path of trace_remote_alloc_buffer()

   If page allocation fails, the desc-&gt;nr_cpus is not incremented for
   the current CPU and the allocations done for it are not freed

 - Fix allocation length in trace_remote_alloc_buffer()

   The logic to calculate the struct_len was doing a double count and
   setting the value too large. Calculate the size upfront to fix the
   error and simplify the logic

 - Fix sparse CPU masks in ring_buffer_desc()

   If there are sparse CPUs (gaps in the numbering), the
   ring_buffer_desc() will fail as it tests the CPU number against the
   number of CPUs that are used

* tag 'trace-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  ring-buffer: Allow sparse CPU masks in ring_buffer_desc()
  tracing/remotes: Fix struct_len in trace_remote_alloc_buffer()
  tracing/remotes: Fix leak in trace_remote_alloc_buffer() error path
  selftests/user_events: Wait for deferred event teardown after unregister
  tracing/synthetic: Free type string on error path
  tracing/user_events: Fix use-after-free in user_event_mm_dup()
  tracing: Add a no-rcu-check version of trace_##event##_enabled()
  tracing: Prevent out-of-bounds read in glob matching
  ufs: core: tracing: Do not dereference pointers in TP_printk()
  tracing: Fix NULL pointer dereference in func_set_flag()
  samples: ftrace: Fix typos in benchmark comment
  tracing: Make tracepoint_printk static as not exported
  ring-buffer: Fix ring_buffer_read_page() copying only one event per page
  tracing: Remove unused ret assignment in tracing_set_tracer()
  tracing/osnoise: Call synchronize_rcu() when unregistering
  ring-buffer: Fix event length with forced 8-byte alignment
  tracing/synthetic: Free pending field on error path
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull tracing fixes from Steven Rostedt:

 - Free field in error path of synthetic event parse

   In __create_synth_event() the field was allocated but was not freed
   in the error path

 - Fix ring_buffer_event_length() on 8 byte aligned architectures

   On architectures with CONFIG_HAVE_64BIT_ALIGNED_ACCESS set to y, the
   ring_buffer_event_length() may return the wrong size. This is because
   archs with that config set will always use the "big event meta
   header" as that is 8 bytes keeping the payload 8 bytes aligned, even
   when a 4 byte header could hold the size of the event

   But ring_buffer_event_length() doesn't take this into account and
   only subtracts 4 bytes for the meta header in the length when it
   should have subtracted 8 bytes

 - Have osnoise wait for a full rcu synchronization on unregister

   osnoise_unregister_instance() used to call synchronize_rcu() before
   freeing its copy of the instance but was switched to kfree_rcu(). The
   osniose tracer has code that traverses the instances that it uses,
   and inst is just a pointer to that instance. By using kfree_rcu()
   instead of synchronize_rcu(), the instance that the inst pointer is
   pointing to can be freed while the osnoise code is still referencing
   it

   That is, a rmdir on an instance first unregisters the tracer. When
   the unregister finishes, the rmdir expects that the tracer is
   finished with the instance that it is using. By putting back the
   synchronize_rcu() in osnoise_unregister_instance() the unregistering
   of osnoise will now return when all the users of the instance have
   finished

 - Remove an unused setting of "ret" in tracing_set_tracer()

 - Fix ring_buffer_read_page() copying events

   The commit that changed ring_buffer_read_page() to show dropped
   events from the buffer itself, split the "commit" variable between
   the commit value (with flags) and "size" that holds the size of the
   sub-buffer. A cut and paste error changed the test of the reading
   from checking the size of the buffer to the size of the event causing
   reads to only read one event at a time

 - Make tracepoint_printk a static variable

   When the tracing sysctl knobs were move from sysctl.c to trace.c, the
   variable tracepoint_printk no longer needed to be global. Make it
   static

 - Fix some typos

 - Fix NULL pointer dereference in func_set_flag()

   The flags update of the function tracer first checks if the value of
   the flag is the same and exits if they are, and then it checks if the
   current tracer is the function tracer and exits if it isn't. The
   problem is that these checks need to be in a reversed order, as if
   the tracer isn't the function tracer, then the flag being checked may
   not exist. Reverse the order of these checks

 - Fix ufs core trace events to not dereference a pointer in TP_printk()

   The TP_printk() part of the TRACE_EVENT() macro is called when the
   user reads the "trace" file. This can be seconds, minutes, hours,
   days, weeks, and even months after the data was recorded into the
   ring buffer. Thus, saving a pointer to an object into the ring buffer
   and then dereferencing it from TP_printk() can cause harm as the
   object the pointer is pointing to may no longer exist

   Fix all the trace events in ufs core to save the device name in the
   ring buffer instead of dereferencing the device descriptor from
   TP_printk()

 - Prevent out-of-bound reads in glob matching of trace events

   The filter logic of events allows simple glob logic to add wild cards
   to filter on strings. But some events have fields that may not have a
   terminating 'nul' character. This may cause the glob matching to go
   beyond the string. Change the logic to always pass in the length of
   the field that is being matched

 - Add no-rcu-check version of trace_##event##_enabled()

   The trace_##event##_enabled() usually wraps trace events to do extra
   work that is only needed when the trace event is enabled. But this
   can hide events that are placed in locations where RCU is not
   watching, and can make lockdep not see these bugs when the event is
   not enabled

   The trace_##event##_enabled() was updated to always test to make sure
   RCU is watching to catch locations that may call events without RCU
   being active

   This caused a false positive for the irq_disabled() and related
   events. As that use trace_irq_disabled_enabled() to force RCU to be
   watching when the event is enabled via the ct_irq_enter() function,
   calls the event, and then calls ct_irq_exit() to put RCU back to its
   original state

   The trace_irq_disabled_enabled() should not trigger a warning when
   RCU is not watching because the code within its block handles the
   case properly. Make a __trace_##event##_enabled() version for this
   event to use that doesn't check RCU is watching as it handles the
   case when it isn't

 - Fix use-after-free in user_event_mm_dup()

   When the enabler is removed from the link list, it is freed
   immediately. But it is protected via RCU and needs to be freed after
   an RCU grace period. Use queue_rcu_work() so that the event_mutex can
   also be taken as user_event_put() takes the mutex on the last
   reference is released

 - Free type string in error path of parse_synth_field()

   There's an error path in parse_synth_field() where the allocated type
   string is not freed

 - Add selftest that tests deferred event teardown

 - Fix leak in error path of trace_remote_alloc_buffer()

   If page allocation fails, the desc-&gt;nr_cpus is not incremented for
   the current CPU and the allocations done for it are not freed

 - Fix allocation length in trace_remote_alloc_buffer()

   The logic to calculate the struct_len was doing a double count and
   setting the value too large. Calculate the size upfront to fix the
   error and simplify the logic

 - Fix sparse CPU masks in ring_buffer_desc()

   If there are sparse CPUs (gaps in the numbering), the
   ring_buffer_desc() will fail as it tests the CPU number against the
   number of CPUs that are used

* tag 'trace-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  ring-buffer: Allow sparse CPU masks in ring_buffer_desc()
  tracing/remotes: Fix struct_len in trace_remote_alloc_buffer()
  tracing/remotes: Fix leak in trace_remote_alloc_buffer() error path
  selftests/user_events: Wait for deferred event teardown after unregister
  tracing/synthetic: Free type string on error path
  tracing/user_events: Fix use-after-free in user_event_mm_dup()
  tracing: Add a no-rcu-check version of trace_##event##_enabled()
  tracing: Prevent out-of-bounds read in glob matching
  ufs: core: tracing: Do not dereference pointers in TP_printk()
  tracing: Fix NULL pointer dereference in func_set_flag()
  samples: ftrace: Fix typos in benchmark comment
  tracing: Make tracepoint_printk static as not exported
  ring-buffer: Fix ring_buffer_read_page() copying only one event per page
  tracing: Remove unused ret assignment in tracing_set_tracer()
  tracing/osnoise: Call synchronize_rcu() when unregistering
  ring-buffer: Fix event length with forced 8-byte alignment
  tracing/synthetic: Free pending field on error path
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'perf-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip</title>
<updated>2026-07-11T17:11:45+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-11T17:11:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cab9e339cfbc1a4e075e53e281dfb00391e1a6bb'/>
<id>cab9e339cfbc1a4e075e53e281dfb00391e1a6bb</id>
<content type='text'>
Pull perf events fixes from Ingo Molnar:

 - Fix SVM #GP on AMD CPUs that LBR but not BRS (Sandipan Das)

 - Fix UAF bug in the perf AUX code (Lee Jia Jie)

 - Fix address leakage in the AMD LBR code (Sandipan Das)

 - Fix address leakage in the AMD BRS code (Sandipan Das)

* tag 'perf-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf/x86/amd/brs: Fix kernel address leakage
  perf/x86/amd/lbr: Fix kernel address leakage
  perf/aux: Fix page UAF in map_range()
  perf/x86/amd/core: Avoid enabling BRS from the SVM reload path
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull perf events fixes from Ingo Molnar:

 - Fix SVM #GP on AMD CPUs that LBR but not BRS (Sandipan Das)

 - Fix UAF bug in the perf AUX code (Lee Jia Jie)

 - Fix address leakage in the AMD LBR code (Sandipan Das)

 - Fix address leakage in the AMD BRS code (Sandipan Das)

* tag 'perf-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf/x86/amd/brs: Fix kernel address leakage
  perf/x86/amd/lbr: Fix kernel address leakage
  perf/aux: Fix page UAF in map_range()
  perf/x86/amd/core: Avoid enabling BRS from the SVM reload path
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'timers-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip</title>
<updated>2026-07-11T16:54:05+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-11T16:54:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=767707a53ef7d7cfe7d1b1f22c37fe4af17efc5e'/>
<id>767707a53ef7d7cfe7d1b1f22c37fe4af17efc5e</id>
<content type='text'>
Pull timer fix from Ingo Molnar:

 - Fix a subtle posix-cpu-timers vs. exec() race, which
   unearthed other races in the area (Thomas Gleixner)

* tag 'timers-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  posix-cpu-timers: Prevent UAF caused by non-leader exec() race
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull timer fix from Ingo Molnar:

 - Fix a subtle posix-cpu-timers vs. exec() race, which
   unearthed other races in the area (Thomas Gleixner)

* tag 'timers-urgent-2026-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  posix-cpu-timers: Prevent UAF caused by non-leader exec() race
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'audit-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit</title>
<updated>2026-07-11T02:03:37+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-11T02:03:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bf124bae08c35cb8b5392ec8005f9890833b9056'/>
<id>bf124bae08c35cb8b5392ec8005f9890833b9056</id>
<content type='text'>
Pull audit fixes from Paul Moore:
 "Two relatively small audit patches to fix potential data races with
  the main audit backlog queue as well as possible integer overflows
  when logging data as hex strings"

* tag 'audit-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
  audit: fix potential integer overflow in audit_log_n_hex()
  audit: Fix data races of skb_queue_len() readers on audit_queue
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull audit fixes from Paul Moore:
 "Two relatively small audit patches to fix potential data races with
  the main audit backlog queue as well as possible integer overflows
  when logging data as hex strings"

* tag 'audit-pr-20260710' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
  audit: fix potential integer overflow in audit_log_n_hex()
  audit: Fix data races of skb_queue_len() readers on audit_queue
</pre>
</div>
</content>
</entry>
<entry>
<title>ring-buffer: Allow sparse CPU masks in ring_buffer_desc()</title>
<updated>2026-07-10T18:04:26+00:00</updated>
<author>
<name>Vincent Donnefort</name>
<email>vdonnefort@google.com</email>
</author>
<published>2026-07-09T16:00:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=601ddaceb861be7eb557278109966320a6f3478c'/>
<id>601ddaceb861be7eb557278109966320a6f3478c</id>
<content type='text'>
No user currently relies on sparse CPU masks, but the descriptor logic already
supports them via linear fallback. Remove the arbitrary limitation.

Link: https://patch.msgid.link/20260709160017.1729517-4-vdonnefort@google.com
Fixes: 2e67fabd8b77 ("ring-buffer: Introduce ring-buffer remotes")
Reported-by: Sashiko &lt;sashiko-bot@kernel.org&gt;
Signed-off-by: Vincent Donnefort &lt;vdonnefort@google.com&gt;
Signed-off-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
No user currently relies on sparse CPU masks, but the descriptor logic already
supports them via linear fallback. Remove the arbitrary limitation.

Link: https://patch.msgid.link/20260709160017.1729517-4-vdonnefort@google.com
Fixes: 2e67fabd8b77 ("ring-buffer: Introduce ring-buffer remotes")
Reported-by: Sashiko &lt;sashiko-bot@kernel.org&gt;
Signed-off-by: Vincent Donnefort &lt;vdonnefort@google.com&gt;
Signed-off-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tracing/remotes: Fix struct_len in trace_remote_alloc_buffer()</title>
<updated>2026-07-10T18:04:26+00:00</updated>
<author>
<name>Vincent Donnefort</name>
<email>vdonnefort@google.com</email>
</author>
<published>2026-07-09T16:00:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d471d4f86e8689ad15309e49da8e5e4e9bb9ce87'/>
<id>d471d4f86e8689ad15309e49da8e5e4e9bb9ce87</id>
<content type='text'>
Pre-calculate desc-&gt;struct_len up-front in trace_remote_alloc_buffer()
with trace_buffer_desc_size() to fix double-counting.

While at it, use the accessor __first_ring_buffer_desc().

Link: https://patch.msgid.link/20260709160017.1729517-3-vdonnefort@google.com
Fixes: 96e43537af54 ("tracing: Introduce trace remotes")
Reported-by: Sashiko &lt;sashiko-bot@kernel.org&gt;
Signed-off-by: Vincent Donnefort &lt;vdonnefort@google.com&gt;
Signed-off-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pre-calculate desc-&gt;struct_len up-front in trace_remote_alloc_buffer()
with trace_buffer_desc_size() to fix double-counting.

While at it, use the accessor __first_ring_buffer_desc().

Link: https://patch.msgid.link/20260709160017.1729517-3-vdonnefort@google.com
Fixes: 96e43537af54 ("tracing: Introduce trace remotes")
Reported-by: Sashiko &lt;sashiko-bot@kernel.org&gt;
Signed-off-by: Vincent Donnefort &lt;vdonnefort@google.com&gt;
Signed-off-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tracing/remotes: Fix leak in trace_remote_alloc_buffer() error path</title>
<updated>2026-07-10T18:04:26+00:00</updated>
<author>
<name>Vincent Donnefort</name>
<email>vdonnefort@google.com</email>
</author>
<published>2026-07-09T16:00:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ec082d0b978b5fb4c11205ccce63587ac94c74e1'/>
<id>ec082d0b978b5fb4c11205ccce63587ac94c74e1</id>
<content type='text'>
If page allocation fails in trace_remote_alloc_buffer(), desc-&gt;nr_cpus
is not yet incremented for the current CPU. As a consequence, on error,
half-allocated rb_desc will not be freed in trace_remote_free_buffer().

Increment desc-&gt;nr_cpus as soon as the first allocation for the current
CPU has succeeded.

Link: https://patch.msgid.link/20260709160017.1729517-2-vdonnefort@google.com
Fixes: 96e43537af54 ("tracing: Introduce trace remotes")
Reported-by: Sashiko &lt;sashiko-bot@kernel.org&gt;
Signed-off-by: Vincent Donnefort &lt;vdonnefort@google.com&gt;
Signed-off-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If page allocation fails in trace_remote_alloc_buffer(), desc-&gt;nr_cpus
is not yet incremented for the current CPU. As a consequence, on error,
half-allocated rb_desc will not be freed in trace_remote_free_buffer().

Increment desc-&gt;nr_cpus as soon as the first allocation for the current
CPU has succeeded.

Link: https://patch.msgid.link/20260709160017.1729517-2-vdonnefort@google.com
Fixes: 96e43537af54 ("tracing: Introduce trace remotes")
Reported-by: Sashiko &lt;sashiko-bot@kernel.org&gt;
Signed-off-by: Vincent Donnefort &lt;vdonnefort@google.com&gt;
Signed-off-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>perf/aux: Fix page UAF in map_range()</title>
<updated>2026-07-10T10:12:24+00:00</updated>
<author>
<name>Lee Jia Jie</name>
<email>jiajie.lee@starlabs.sg</email>
</author>
<published>2026-07-09T13:56:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5948aaf64f81f217a25dcc2bf6c0779bca19566c'/>
<id>5948aaf64f81f217a25dcc2bf6c0779bca19566c</id>
<content type='text'>
map_range() reads rb-&gt;aux_pages[], rb-&gt;aux_nr_pages and rb-&gt;aux_pgoff via
perf_mmap_to_page() while holding only event-&gt;mmap_mutex. Those fields are
serialized by rb-&gt;aux_mutex, and mmap_mutex is per event.

Thus, two events sharing one rb via PERF_EVENT_IOC_SET_OUTPUT can race
rb_alloc_aux() with map_range(), leading to a page-UAF scenario as follows:

  CPU 0                           CPU 1
  =====                           =====
  rb_alloc_aux()                  map_range()
  [1]: allocate rb-&gt;aux_pages[0]
  [2]: rb-&gt;aux_nr_pages++
                                  [3]: perf_mmap_to_page()
                                         returns rb-&gt;aux_pages[0]
                                  [4]: map it as VM_PFNMAP
  [5]: rb-&gt;aux_pgoff = 1

  munmap the page
  [6]: free rb-&gt;aux_pages[0]

Pages mapped as VM_PFNMAP have no refcount protection, so CPU 1 holds a
mapping to a freed physical frame.

Fix this by taking rb-&gt;aux_mutex across the page walk in map_range().

Fixes: b709eb872e19 ("perf: map pages in advance")
Signed-off-by: Lee Jia Jie &lt;jiajie.lee@starlabs.sg&gt;
Signed-off-by: Ingo Molnar &lt;mingo@kernel.org&gt;
Cc: stable@vger.kernel.org
Cc: Peter Zijlstra &lt;peterz@infradead.org&gt;
Cc: Arnaldo Carvalho de Melo &lt;acme@redhat.com&gt;
Cc: Namhyung Kim &lt;namhyung@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
map_range() reads rb-&gt;aux_pages[], rb-&gt;aux_nr_pages and rb-&gt;aux_pgoff via
perf_mmap_to_page() while holding only event-&gt;mmap_mutex. Those fields are
serialized by rb-&gt;aux_mutex, and mmap_mutex is per event.

Thus, two events sharing one rb via PERF_EVENT_IOC_SET_OUTPUT can race
rb_alloc_aux() with map_range(), leading to a page-UAF scenario as follows:

  CPU 0                           CPU 1
  =====                           =====
  rb_alloc_aux()                  map_range()
  [1]: allocate rb-&gt;aux_pages[0]
  [2]: rb-&gt;aux_nr_pages++
                                  [3]: perf_mmap_to_page()
                                         returns rb-&gt;aux_pages[0]
                                  [4]: map it as VM_PFNMAP
  [5]: rb-&gt;aux_pgoff = 1

  munmap the page
  [6]: free rb-&gt;aux_pages[0]

Pages mapped as VM_PFNMAP have no refcount protection, so CPU 1 holds a
mapping to a freed physical frame.

Fix this by taking rb-&gt;aux_mutex across the page walk in map_range().

Fixes: b709eb872e19 ("perf: map pages in advance")
Signed-off-by: Lee Jia Jie &lt;jiajie.lee@starlabs.sg&gt;
Signed-off-by: Ingo Molnar &lt;mingo@kernel.org&gt;
Cc: stable@vger.kernel.org
Cc: Peter Zijlstra &lt;peterz@infradead.org&gt;
Cc: Arnaldo Carvalho de Melo &lt;acme@redhat.com&gt;
Cc: Namhyung Kim &lt;namhyung@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>audit: fix potential integer overflow in audit_log_n_hex()</title>
<updated>2026-07-08T18:22:14+00:00</updated>
<author>
<name>Ricardo Robaina</name>
<email>rrobaina@redhat.com</email>
</author>
<published>2026-07-02T14:04:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=65dfde57d1e29ce2b76fc23dd565eccd5c0bc0f0'/>
<id>65dfde57d1e29ce2b76fc23dd565eccd5c0bc0f0</id>
<content type='text'>
The function calculates new_len as len &lt;&lt; 1 for hex encoding. This
has two overflow risks: the shift itself can overflow when len is
large, and the result can be truncated when assigned to new_len
(declared as int) from the size_t calculation.

Fix by using check_shl_overflow() to catch shift overflow and
changing new_len and loop counter i to size_t to prevent truncation.

Cc: stable@vger.kernel.org
Fixes: 168b7173959f ("AUDIT: Clean up logging of untrusted strings")
Reviewed-by: Richard Guy Briggs &lt;rgb@redhat.com&gt;
Signed-off-by: Ricardo Robaina &lt;rrobaina@redhat.com&gt;
[PM: remove vertical whitspace noise]
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The function calculates new_len as len &lt;&lt; 1 for hex encoding. This
has two overflow risks: the shift itself can overflow when len is
large, and the result can be truncated when assigned to new_len
(declared as int) from the size_t calculation.

Fix by using check_shl_overflow() to catch shift overflow and
changing new_len and loop counter i to size_t to prevent truncation.

Cc: stable@vger.kernel.org
Fixes: 168b7173959f ("AUDIT: Clean up logging of untrusted strings")
Reviewed-by: Richard Guy Briggs &lt;rgb@redhat.com&gt;
Signed-off-by: Ricardo Robaina &lt;rrobaina@redhat.com&gt;
[PM: remove vertical whitspace noise]
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tracing/synthetic: Free type string on error path</title>
<updated>2026-07-07T17:59:55+00:00</updated>
<author>
<name>Yu Peng</name>
<email>pengyu@kylinos.cn</email>
</author>
<published>2026-06-03T06:25:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=05074bb90af94f2acbbc8f8ffaa507f914c273c8'/>
<id>05074bb90af94f2acbbc8f8ffaa507f914c273c8</id>
<content type='text'>
parse_synth_field() builds a "__data_loc ..." type string before
assigning it to field-&gt;type. If the seq_buf check fails, the common
cleanup cannot free the temporary string. Free it before leaving.

Link: https://patch.msgid.link/20260603062533.1096320-2-pengyu@kylinos.cn
Signed-off-by: Yu Peng &lt;pengyu@kylinos.cn&gt;
Signed-off-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
parse_synth_field() builds a "__data_loc ..." type string before
assigning it to field-&gt;type. If the seq_buf check fails, the common
cleanup cannot free the temporary string. Free it before leaving.

Link: https://patch.msgid.link/20260603062533.1096320-2-pengyu@kylinos.cn
Signed-off-by: Yu Peng &lt;pengyu@kylinos.cn&gt;
Signed-off-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
