linux.git/kernel/trace, branch v7.2-rc1 Linux kernel source tree bpf: Add missing access_ok call to copy_user_syms 2026-06-22T01:01:33+00:00 Jiri Olsa jolsa@kernel.org 2026-06-16T08:30:56+00:00 d5dc200c3a3f217de072af269dd90adddf90e48d As reported by sashiko we use __get_user without prior access_ok call on the user space pointer. Adding the missing call for the whole pointer array. Plus removing the err check in the error path, because it's not needed and also we can return -ENOMEM directly from the first kvmalloc_array fail path. Cc: stable@vger.kernel.org [1] https://lore.kernel.org/bpf/20260611115503.AC16D1F00893@smtp.kernel.org/ Fixes: 0236fec57a15 ("bpf: Resolve symbols with ftrace_lookup_symbols for kprobe multi link") Reported-by: Sashiko <sashiko-bot@kernel.org> Closes: https://lore.kernel.org/bpf/20260611115503.AC16D1F00893@smtp.kernel.org/ Signed-off-by: Jiri Olsa <jolsa@kernel.org> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260616083056.405652-1-jolsa@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org> 
As reported by sashiko we use __get_user without prior access_ok call on the
user space pointer. Adding the missing call for the whole pointer array.

Plus removing the err check in the error path, because it's not needed and
also we can return -ENOMEM directly from the first kvmalloc_array fail path.

Cc: stable@vger.kernel.org
[1] https://lore.kernel.org/bpf/20260611115503.AC16D1F00893@smtp.kernel.org/
Fixes: 0236fec57a15 ("bpf: Resolve symbols with ftrace_lookup_symbols for kprobe multi link")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/bpf/20260611115503.AC16D1F00893@smtp.kernel.org/
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Link: https://lore.kernel.org/r/20260616083056.405652-1-jolsa@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Merge tag 'trace-ring-buffer-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace 2026-06-19T04:23:22+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-19T04:23:22+00:00 9ecfb2f7287a967b418ba69f10d45ead0d360593 Pull ring-buffer updates from Steven Rostedt - Do not invalidate entire buffer for invalid sub-buffers For the persistent ring buffer, if one sub-buffer is found to be invalid, it invalidates the entire per CPU ring buffer. This can lose a lot of valuable data if there's some corruption with the writes to the buffer not syncing properly on a hard crash. Instead, if a sub-buffer is found to be invalid, simply zero it out and mark it for "missed events". When the persistent ring buffer is read and a sub-buffer that was cleared due to being invalid on boot up is discovered, the output will show "[LOST EVENTS]" to let the user know that events were missing at that location. Displaying the events from valid buffers can still be useful. - Add a test to be able to test corrupted sub-buffers If a persistent ring buffer is created as "ptraingtest" and the new config that adds the test is enabled, when a panic happens, the kernel will randomly corrupt one of the per CPU ring buffers. On boot up, the sub-buffers with the corruption should be cleared and flagged. When reading this buffer, the missed events should should [LOST EVENTS]. - Add commit number in the sub-buffer meta debug info The commit is used to know the content of a meta page. Add it to the buffer_meta file that is shown for each per CPU buffer. - Clean up the persistent ring buffer validation code Add some helper functions and make variable names more consistent. * tag 'trace-ring-buffer-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: ring-buffer: Better comment the use of RB_MISSED_EVENTS ring-buffer: Show persistent buffer dropped events in trace_pipe file ring-buffer: Show persistent buffer dropped events in trace file ring-buffer: Have dropped subbuffers be persistent across reboots ring-buffer: Cleanup buffer_data_page related code ring-buffer: Cleanup persistent ring buffer validation ring-buffer: Show commit numbers in buffer_meta file ring-buffer: Add persistent ring buffer invalid-page inject test ring-buffer: Skip invalid sub-buffers when rewinding persistent ring buffer ring-buffer: Skip invalid sub-buffers when validating persistent ring buffer 
Pull ring-buffer updates from Steven Rostedt

 - Do not invalidate entire buffer for invalid sub-buffers

   For the persistent ring buffer, if one sub-buffer is found to be
   invalid, it invalidates the entire per CPU ring buffer. This can lose
   a lot of valuable data if there's some corruption with the writes to
   the buffer not syncing properly on a hard crash. Instead, if a
   sub-buffer is found to be invalid, simply zero it out and mark it for
   "missed events".

   When the persistent ring buffer is read and a sub-buffer that was
   cleared due to being invalid on boot up is discovered, the output
   will show "[LOST EVENTS]" to let the user know that events were
   missing at that location. Displaying the events from valid buffers
   can still be useful.

 - Add a test to be able to test corrupted sub-buffers

   If a persistent ring buffer is created as "ptraingtest" and the new
   config that adds the test is enabled, when a panic happens, the
   kernel will randomly corrupt one of the per CPU ring buffers. On boot
   up, the sub-buffers with the corruption should be cleared and
   flagged. When reading this buffer, the missed events should should
   [LOST EVENTS].

 - Add commit number in the sub-buffer meta debug info

   The commit is used to know the content of a meta page. Add it to the
   buffer_meta file that is shown for each per CPU buffer.

 - Clean up the persistent ring buffer validation code

   Add some helper functions and make variable names more consistent.

* tag 'trace-ring-buffer-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  ring-buffer: Better comment the use of RB_MISSED_EVENTS
  ring-buffer: Show persistent buffer dropped events in trace_pipe file
  ring-buffer: Show persistent buffer dropped events in trace file
  ring-buffer: Have dropped subbuffers be persistent across reboots
  ring-buffer: Cleanup buffer_data_page related code
  ring-buffer: Cleanup persistent ring buffer validation
  ring-buffer: Show commit numbers in buffer_meta file
  ring-buffer: Add persistent ring buffer invalid-page inject test
  ring-buffer: Skip invalid sub-buffers when rewinding persistent ring buffer
  ring-buffer: Skip invalid sub-buffers when validating persistent ring buffer
Merge tag 'trace-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace 2026-06-19T03:53:00+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-19T03:53:00+00:00 23b5d045ae5df0a2d509915cedcd82f93261d7bc Pull tracing updates from Steven Rostedt: - Remove a redundant IS_ERR() check trace_pipe_open() already checks for IS_ERR() and does it again in the return path. Remove the return check. - Export seq_buf_putmem_hex() to allow kunit tests against them To add Kunit tests on seq_buf_putmem_hex(), it needs to be exported. - Replace strcat() and strcpy() with seq_buf() logic The code for synthetic events uses a series of strcat() and strcpy() which can be error prone. Replace them with seq_buf() logic that does all the necessary bound checking. - Add a lockdep rcu_is_watching() to trace_##event##_enabled() call The trace_##event##_enabled() is a static branch that is true if the "event" is enabled. But this can hide bugs if this logic is in a location where RCU is disabled and not "watching". It would only trigger if lockdep is enabled and the event is enabled. Add a "rcu_is_watching()" warning if lockdep is enabled in that helper function to trigger regardless if the event is enabled or not. - Remove the local variable in the trace_printk() macro For name space integrity, remove the _______STR variable in the trace_printk() macro for using the sizeof() macro directly. - Use guard()s for the trace_recursion_record.c file - Fix typo in a comment of eventfs_callback() kerneldoc - Use trace_call__##event() in events within trace_##event##_enabled() A couple of events are called within an if block guarded by trace_##event##_enabled(). That is a static key that is only enabled when the event is enabled. The trace_call_##event() calls the tracepoint code directly without adding a redundant static key for that check. - Allow perf to read synthetic events Currently, perf does not have the ability to enable a synthetic event. If it does, it will either cause a kernel warning or error with "No such device". Synthetic events are not much different than kprobes and perf can handle fine with a few modifications. - Replace printk(KERN_WARNING ...) with pr_warn() - Replace krealloc() on an array with krealloc_array() - Fix README file path name for synthetic events - Change tracing_map tracing_map_array to use a flexible array Instead of allocating a separate pointer to hold the pages field of tracing_map_array, allocate the pages field as a flexible array when allocating the structure. - Fold trace_iterator_increment() into trace_find_next_entry_inc() The function trace_iterator_increment() was only used by trace_find_next_entry_inc(). It's not big enough to be a helper function for one user. Fold it into its caller. - Make field_var_str field a flexible array of hist_elt_data Instead of allocating a separate pointer for the field_var_str array of the hist_elt_data structure, allocate it as a flexible array when allocating the structure. - Disable KCOV for trace_irqsoff.c Like trace_preemptirq.c, trace_irqsoff.c has code that will crash when KCOV is enabled on ARM. The irqsoff tracing can be called on ARM because the irqsoff tracing code can be run from early interrupt code and produce coverage unrelated to syscall inputs. - Fix warning in __unregister_ftrace_function() called by perf Perf calls unregister_ftrace_function() without checking if its ftrace_ops has already been unregistered. There's an error path where on clean up it will unregister the ftrace_ops even if it wasn't registered and causes a warning. * tag 'trace-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: perf/ftrace: Fix WARNING in __unregister_ftrace_function tracing: Disable KCOV instrumentation for trace_irqsoff.o tracing: Turn hist_elt_data field_var_str into a flexible array tracing: Move trace_iterator_increment() into trace_find_next_entry_inc() tracing: Simplify pages allocation for tracing_map logic tracing: Fix README path for synthetic_events tracing: Use krealloc_array() for trace option array growth tracing/branch: Use pr_warn() instead of printk(KERN_WARNING) tracing: Allow perf to read synthetic events HID: Use trace_call__##name() at guarded tracepoint call sites cpufreq: amd-pstate: Use trace_call__##name() at guarded tracepoint call site tracefs: Fix typo in a comment of eventfs_callback() kerneldoc tracing: Switch trace_recursion_record.c code over to use guard() tracing: Remove local variable for argument detection from trace_printk() tracepoint: Add lockdep rcu_is_watching() check to trace_##name##_enabled() tracing: Bound synthetic-field strings with seq_buf seq_buf: Export seq_buf_putmem_hex() and add KUnit tests tracing: Remove redundant IS_ERR() check in trace_pipe_open() 
Pull tracing updates from Steven Rostedt:

 - Remove a redundant IS_ERR() check

   trace_pipe_open() already checks for IS_ERR() and does it again in
   the return path. Remove the return check.

 - Export seq_buf_putmem_hex() to allow kunit tests against them

   To add Kunit tests on seq_buf_putmem_hex(), it needs to be exported.

 - Replace strcat() and strcpy() with seq_buf() logic

   The code for synthetic events uses a series of strcat() and strcpy()
   which can be error prone. Replace them with seq_buf() logic that does
   all the necessary bound checking.

 - Add a lockdep rcu_is_watching() to trace_##event##_enabled() call

   The trace_##event##_enabled() is a static branch that is true if the
   "event" is enabled. But this can hide bugs if this logic is in a
   location where RCU is disabled and not "watching". It would only
   trigger if lockdep is enabled and the event is enabled.

   Add a "rcu_is_watching()" warning if lockdep is enabled in that
   helper function to trigger regardless if the event is enabled or not.

 - Remove the local variable in the trace_printk() macro

   For name space integrity, remove the _______STR variable in the
   trace_printk() macro for using the sizeof() macro directly.

 - Use guard()s for the trace_recursion_record.c file

 - Fix typo in a comment of eventfs_callback() kerneldoc

 - Use trace_call__##event() in events within trace_##event##_enabled()

   A couple of events are called within an if block guarded by
   trace_##event##_enabled(). That is a static key that is only enabled
   when the event is enabled. The trace_call_##event() calls the
   tracepoint code directly without adding a redundant static key for
   that check.

 - Allow perf to read synthetic events

   Currently, perf does not have the ability to enable a synthetic
   event. If it does, it will either cause a kernel warning or error
   with "No such device". Synthetic events are not much different than
   kprobes and perf can handle fine with a few modifications.

 - Replace printk(KERN_WARNING ...) with pr_warn()

 - Replace krealloc() on an array with krealloc_array()

 - Fix README file path name for synthetic events

 - Change tracing_map tracing_map_array to use a flexible array

   Instead of allocating a separate pointer to hold the pages field of
   tracing_map_array, allocate the pages field as a flexible array when
   allocating the structure.

 - Fold trace_iterator_increment() into trace_find_next_entry_inc()

   The function trace_iterator_increment() was only used by
   trace_find_next_entry_inc(). It's not big enough to be a helper
   function for one user. Fold it into its caller.

 - Make field_var_str field a flexible array of hist_elt_data

   Instead of allocating a separate pointer for the field_var_str array
   of the hist_elt_data structure, allocate it as a flexible array when
   allocating the structure.

 - Disable KCOV for trace_irqsoff.c

   Like trace_preemptirq.c, trace_irqsoff.c has code that will crash
   when KCOV is enabled on ARM. The irqsoff tracing can be called on ARM
   because the irqsoff tracing code can be run from early interrupt code
   and produce coverage unrelated to syscall inputs.

 - Fix warning in __unregister_ftrace_function() called by perf

   Perf calls unregister_ftrace_function() without checking if its
   ftrace_ops has already been unregistered. There's an error path where
   on clean up it will unregister the ftrace_ops even if it wasn't
   registered and causes a warning.

* tag 'trace-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  perf/ftrace: Fix WARNING in __unregister_ftrace_function
  tracing: Disable KCOV instrumentation for trace_irqsoff.o
  tracing: Turn hist_elt_data field_var_str into a flexible array
  tracing: Move trace_iterator_increment() into trace_find_next_entry_inc()
  tracing: Simplify pages allocation for tracing_map logic
  tracing: Fix README path for synthetic_events
  tracing: Use krealloc_array() for trace option array growth
  tracing/branch: Use pr_warn() instead of printk(KERN_WARNING)
  tracing: Allow perf to read synthetic events
  HID: Use trace_call__##name() at guarded tracepoint call sites
  cpufreq: amd-pstate: Use trace_call__##name() at guarded tracepoint call site
  tracefs: Fix typo in a comment of eventfs_callback() kerneldoc
  tracing: Switch trace_recursion_record.c code over to use guard()
  tracing: Remove local variable for argument detection from trace_printk()
  tracepoint: Add lockdep rcu_is_watching() check to trace_##name##_enabled()
  tracing: Bound synthetic-field strings with seq_buf
  seq_buf: Export seq_buf_putmem_hex() and add KUnit tests
  tracing: Remove redundant IS_ERR() check in trace_pipe_open()
Merge tag 'bpf-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2026-06-17T08:18:14+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-17T08:18:14+00:00 9c87e61e3c5797277407ba5eae4eac8a52be3fa3 Pull bpf updates from Alexei Starovoitov: "Major changes: - Recover from BPF arena page faults using a scratch page and add ptep_try_set() for lockless empty-slot installs on x86 and arm64. This allows BPF kfuncs to access arena pointers directly. The 'arena_direct_access' stable branch was created for this work and was pulled into sched-ext and bpf-next trees (Tejun Heo, Kumar Kartikeya Dwivedi) - Lift old restriction and support 6+ arguments in BPF programs and kfuncs on x86 and arm64 (Yonghong Song, Puranjay Mohan) Other features and fixes: - Add 24-bit BTF vlen and reclaim unused bits in the BTF UAPI to ease addition of new BTF kinds (Alan Maguire) - Raise the maximum BPF call chain depth from 8 to 16 frames (Alexei Starovoitov) - Refactor object relationship tracking in the verifier and fix a dynptr use-after-free bug (Amery Hung) - Harden the signed program loader and reject exclusive maps as inner maps (Daniel Borkmann) - Replace the verifier min/max bounds fields with a circular number (cnum) representation and improve 32->64 bit range refinements (Eduard Zingerman) - Introduce the arena library and runtime (libarena) with a buddy allocator, rbtree and SPMC queue data structures, ASAN support and a parallel test harness. Allow subprograms to return arena pointers and switch to a BTF type-tag based __arena annotation (Emil Tsalapatis) - Cache build IDs in the sleepable stackmap path and avoid faultable build ID reads under mm locks (Ihor Solodrai) - Introduce the tracing_multi link to attach a single BPF program to many kernel functions at once. Allow specifying the uprobe_multi target via FD (Jiri Olsa) - Extend the bpf_list family of kfuncs with bpf_list_add/del(), and bpf_list_is_first/is_last/empty() (Kaitao Cheng) - Extend the BPF syscall with common attributes support for prog_load, btf_load and map_create (Leon Hwang) - Wrap rhashtable as BPF map (Mykyta Yatsenko, Herbert Xu) - Add sleepable support for tracepoint programs and fix deadlocks in LRU map due to NMI reentry (Mykyta Yatsenko) - Fix OOB access in bpf_flow_keys, fix nullness analysis of inner arrays, enforce write checks for global subprograms (Nuoqi Gui) - Report the maximum combined stack depth and print a breakdown of instructions processed per subprogram (Paul Chaignon) - Add an XDP load-balancer benchmark and arm64 JIT support for stack arguments (Puranjay Mohan) - Add kfuncs to traverse over wakeup_sources (Samuel Wu) - Allow sleepable BPF programs to use LPM trie maps directly (Vlad Poenaru) - Many more fixes and cleanups across the verifier, BTF, sockmap, devmap, bpffs, security hooks, s390/riscv/loongarch JITs, rqspinlock, libbpf, bpftool, selftests" * tag 'bpf-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next: (336 commits) selftests/bpf: Work around llvm stack overflow in crypto progs selftests/bpf: add test for bpf_msg_pop_data() overflow bpf, sockmap: fix integer overflow in bpf_msg_pop_data() bounds check sockmap: Fix use-after-free in udp_bpf_recvmsg() bpf, sockmap: keep sk_msg copy state in sync bpf, sockmap: Fix wrong rsge offset in bpf_msg_push_data() bpf, sockmap: reject overflowing copy + len in bpf_msg_push_data() selftsets/bpf: Retry map update on helper_fill_hashmap() selftests/bpf: Add test for sleepable lsm_cgroup rejection selftests/bpf: Add test to verify the fix for bpf_setsockopt() helper bpf: Fix bpf_get/setsockopt to tos for ipv4-mapped ipv6 socket selftests/bpf: Avoid static LLVM linking for cross builds selftests/bpf: Use common CFLAGS for urandom_read selftests/bpf: Initialize operation name before use tools/bpf: build: Append extra cflags libbpf: Initialize CFLAGS before including Makefile.include bpftool: Append extra host flags bpftool: Avoid adding EXTRA_CFLAGS to HOST_CFLAGS bpftool: Pass host flags to bootstrap libbpf selftests/bpf: correct CONFIG_PPC64 macro name in comment ... 
Pull bpf updates from Alexei Starovoitov:
 "Major changes:

   - Recover from BPF arena page faults using a scratch page and add
     ptep_try_set() for lockless empty-slot installs on x86 and arm64.

     This allows BPF kfuncs to access arena pointers directly.

     The 'arena_direct_access' stable branch was created for this work
     and was pulled into sched-ext and bpf-next trees (Tejun Heo, Kumar
     Kartikeya Dwivedi)

   - Lift old restriction and support 6+ arguments in BPF programs and
     kfuncs on x86 and arm64 (Yonghong Song, Puranjay Mohan)

  Other features and fixes:

   - Add 24-bit BTF vlen and reclaim unused bits in the BTF UAPI to ease
     addition of new BTF kinds (Alan Maguire)

   - Raise the maximum BPF call chain depth from 8 to 16 frames (Alexei
     Starovoitov)

   - Refactor object relationship tracking in the verifier and fix a
     dynptr use-after-free bug (Amery Hung)

   - Harden the signed program loader and reject exclusive maps as inner
     maps (Daniel Borkmann)

   - Replace the verifier min/max bounds fields with a circular number
     (cnum) representation and improve 32->64 bit range refinements
     (Eduard Zingerman)

   - Introduce the arena library and runtime (libarena) with a buddy
     allocator, rbtree and SPMC queue data structures, ASAN support and
     a parallel test harness. Allow subprograms to return arena pointers
     and switch to a BTF type-tag based __arena annotation (Emil
     Tsalapatis)

   - Cache build IDs in the sleepable stackmap path and avoid faultable
     build ID reads under mm locks (Ihor Solodrai)

   - Introduce the tracing_multi link to attach a single BPF program to
     many kernel functions at once. Allow specifying the uprobe_multi
     target via FD (Jiri Olsa)

   - Extend the bpf_list family of kfuncs with bpf_list_add/del(), and
     bpf_list_is_first/is_last/empty() (Kaitao Cheng)

   - Extend the BPF syscall with common attributes support for
     prog_load, btf_load and map_create (Leon Hwang)

   - Wrap rhashtable as BPF map (Mykyta Yatsenko, Herbert Xu)

   - Add sleepable support for tracepoint programs and fix deadlocks in
     LRU map due to NMI reentry (Mykyta Yatsenko)

   - Fix OOB access in bpf_flow_keys, fix nullness analysis of inner
     arrays, enforce write checks for global subprograms (Nuoqi Gui)

   - Report the maximum combined stack depth and print a breakdown of
     instructions processed per subprogram (Paul Chaignon)

   - Add an XDP load-balancer benchmark and arm64 JIT support for stack
     arguments (Puranjay Mohan)

   - Add kfuncs to traverse over wakeup_sources (Samuel Wu)

   - Allow sleepable BPF programs to use LPM trie maps directly (Vlad
     Poenaru)

   - Many more fixes and cleanups across the verifier, BTF, sockmap,
     devmap, bpffs, security hooks, s390/riscv/loongarch JITs,
     rqspinlock, libbpf, bpftool, selftests"

* tag 'bpf-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next: (336 commits)
  selftests/bpf: Work around llvm stack overflow in crypto progs
  selftests/bpf: add test for bpf_msg_pop_data() overflow
  bpf, sockmap: fix integer overflow in bpf_msg_pop_data() bounds check
  sockmap: Fix use-after-free in udp_bpf_recvmsg()
  bpf, sockmap: keep sk_msg copy state in sync
  bpf, sockmap: Fix wrong rsge offset in bpf_msg_push_data()
  bpf, sockmap: reject overflowing copy + len in bpf_msg_push_data()
  selftsets/bpf: Retry map update on helper_fill_hashmap()
  selftests/bpf: Add test for sleepable lsm_cgroup rejection
  selftests/bpf: Add test to verify the fix for bpf_setsockopt() helper
  bpf: Fix bpf_get/setsockopt to tos for ipv4-mapped ipv6 socket
  selftests/bpf: Avoid static LLVM linking for cross builds
  selftests/bpf: Use common CFLAGS for urandom_read
  selftests/bpf: Initialize operation name before use
  tools/bpf: build: Append extra cflags
  libbpf: Initialize CFLAGS before including Makefile.include
  bpftool: Append extra host flags
  bpftool: Avoid adding EXTRA_CFLAGS to HOST_CFLAGS
  bpftool: Pass host flags to bootstrap libbpf
  selftests/bpf: correct CONFIG_PPC64 macro name in comment
  ...
Merge tag 'trace-latency-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace 2026-06-16T12:08:19+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-16T12:08:19+00:00 c071a4fbb0ec26fd5831c6633762e38720350718 Pull tracing latency updates from Steven Rostedt: - Dump the stack to the buffer on timerlat uret threashold event Record the stack trace in the buffer for THREAD_URET as well as THREAD_CONTEXT when the threshold is hit. Otherwise, if the threshold was not hit at task wakeup, but was at task return, it will not produce a stack trace making it harder to debug. - Have osnoise trace prints print to all buffers The osnoise tracer is allowed to print to the main buffer. Add a osnoise_print() helper function and use trace_array_vprintk() to print osnoise output. * tag 'trace-latency-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing/osnoise: Array printk init and cleanup tracing/osnoise: Dump stack on timerlat uret threshold event 
Pull tracing latency updates from Steven Rostedt:

 - Dump the stack to the buffer on timerlat uret threashold event

   Record the stack trace in the buffer for THREAD_URET as well as
   THREAD_CONTEXT when the threshold is hit. Otherwise, if the threshold
   was not hit at task wakeup, but was at task return, it will not
   produce a stack trace making it harder to debug.

 - Have osnoise trace prints print to all buffers

   The osnoise tracer is allowed to print to the main buffer. Add a
   osnoise_print() helper function and use trace_array_vprintk() to
   print osnoise output.

* tag 'trace-latency-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  tracing/osnoise: Array printk init and cleanup
  tracing/osnoise: Dump stack on timerlat uret threshold event
Merge tag 'probes-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace 2026-06-16T12:03:20+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-16T12:03:20+00:00 18ecdd4d0aabc428318bbc2ca6134483a90ea697 Pull probes updates from Masami Hiramatsu: - BTF support for dereferencing pointers Add syntax to the parsing of eprobes to typecast structure pointer trace event fields, enabling BTF-based dereferencing instead of relying on manual offsets. - Improvements and robustness enhancements - Use flexible array for entry fetch code. Store probe entry fetch instructions in the probe_entry_arg allocation via a flexible array member to simplify memory allocation and lifetime management. - Replace BUG_ON with lockdep_assert_held in uprobe_buffer functions Replace BUG_ON() calls with lockdep_assert_held() in uprobe buffer enable/disable paths to prevent kernel crashes and better verify lock ownership. - Ensure the uprobe buffer size is bigger than event size. Add a BUILD_BUG_ON() assertion to guarantee that the per-CPU uprobe working buffer size is always larger than the maximum probe event size. * tag 'probes-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing/eprobes: Allow use of BTF names to dereference pointers tracing: Replace BUG_ON with lockdep_assert_held in uprobe_buffer functions tracing: Use flexible array for entry fetch code tracing/probes: Ensure the uprobe buffer size is bigger than event size 
Pull probes updates from Masami Hiramatsu:

 - BTF support for dereferencing pointers

   Add syntax to the parsing of eprobes to typecast structure pointer
   trace event fields, enabling BTF-based dereferencing instead of
   relying on manual offsets.

 - Improvements and robustness enhancements

    - Use flexible array for entry fetch code.

      Store probe entry fetch instructions in the probe_entry_arg
      allocation via a flexible array member to simplify memory
      allocation and lifetime management.

    - Replace BUG_ON with lockdep_assert_held in uprobe_buffer functions

      Replace BUG_ON() calls with lockdep_assert_held() in uprobe buffer
      enable/disable paths to prevent kernel crashes and better verify
      lock ownership.

    - Ensure the uprobe buffer size is bigger than event size.

      Add a BUILD_BUG_ON() assertion to guarantee that the per-CPU
      uprobe working buffer size is always larger than the maximum probe
      event size.

* tag 'probes-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  tracing/eprobes: Allow use of BTF names to dereference pointers
  tracing: Replace BUG_ON with lockdep_assert_held in uprobe_buffer functions
  tracing: Use flexible array for entry fetch code
  tracing/probes: Ensure the uprobe buffer size is bigger than event size
Merge tag 'sched-core-2026-06-14' of gitolite.kernel.org:pub/scm/linux/kernel/git/tip/tip 2026-06-15T09:20:18+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-15T09:20:18+00:00 2cbf335f8ccc7a6418159858dc03e36df8e3e5cf Pull scheduler updates from Ingo Molnar: "SMP load-balancing updates: - A large series to introduce infrastructure for cache-aware load balancing, with the goal of co-locating tasks that share data within the same Last Level Cache (LLC) domain. By improving cache locality, the scheduler can reduce cache bouncing and cache misses, ultimately improving data access efficiency. Implemented by Chen Yu and Tim Chen, based on early prototype work by Peter Zijlstra, with fixes by Jianyong Wu, Peter Zijlstra and Shrikanth Hegde. - A series to simplify CONFIG_SCHED_SMT ifdef usage (Shrikanth Hegde) Fair scheduler updates: - A series to improve SD_ASYM_CPUCAPACITY scheduling by introducing SMT awareness (Andrea Righi, K Prateek Nayak) - A series to optimize cfs_rq and sched_entity allocation for better data locality (Zecheng Li) - A preparatory series to change fair/cgroup scheduling to a single runqueue, without the final change (Peter Zijlstra) - Auto-manage ext/fair dl_server bandwidth (Andrea Righi) - Fix cpu_util runnable_avg arithmetic (Hongyan Xia) - Optimize update_tg_load_avg()'s rate-limiting code (Rik van Riel) - Allow account_cfs_rq_runtime() to throttle current hierarchy (K Prateek Nayak) - Update util_est after updating util_avg during dequeue, to fix the util signal update logic, which reduces signal noise (Vincent Guittot) Scheduler topology updates: - Allow multiple domains to claim sched_domain_shared (K Prateek Nayak) - Add parameter to split LLC (Peter Zijlstra) Core scheduler updates: - Use trace_call__<tp>() to save a static branch (Gabriele Monaco) Scheduler statistics updates: - Drop now-stale mul_u64_u64_div_u64() cputime over-approximation guard (Nicolas Pitre) Deadline scheduler updates: - Reject debugfs dl_server writes for offline CPUs (Andrea Righi) - Fix replenishment logic for non-deferred servers (Yuri Andriaccio) RT scheduling updates: - Turn RT_PUSH_IPI default off for non PREEMPT_RT (Steven Rostedt) - Update default bandwidth for real-time tasks to 1.0 (Yuri Andriaccio) Proxy scheduling updates: - A series to implement Optimized Donor Migration for Proxy Execution (John Stultz, Peter Zijlstra) - Various proxy scheduling cleanups and fixes (Peter Zijlstra, K Prateek Nayak) Misc fixes, improvements and cleanups by Aaron Lu, Andrea Righi, Zenghui Yu, Chen Yu, Guanyou.Chen, John Stultz, Shrikanth Hegde, Peter Zijlstra, Liang Luo and Yiyang Chen" * tag 'sched-core-2026-06-14' of gitolite.kernel.org:pub/scm/linux/kernel/git/tip/tip: (91 commits) sched/fair: Fix newidle vs core-sched sched/deadline: Use task_on_rq_migrating() helper sched/core: Combine separate 'else' and 'if' statements sched/fair: Fix cpu_util runnable_avg arithmetic sched/fair: Unify cfs_rq throttling via account_cfs_rq_runtime() sched/fair: Move the throttled tasks to a local list in tg_unthrottle_up() sched/fair: Call update_curr() before unthrottling the hierarchy sched/fair: Use throttled_csd_list for local unthrottle sched/fair: Convert cfs bandwidth throttling to use guards sched/fair: Allocate cfs_tg_state with percpu allocator sched/fair: Remove task_group->se pointer array sched/fair: Co-locate cfs_rq and sched_entity in cfs_tg_state sched: restore timer_slack_ns when resetting RT policy on fork MAINTAINERS: Fix spelling mistake in Peter's name sched: Simplify ttwu_runnable() sched/proxy: Remove superfluous clear_task_blocked_in() sched/proxy: Remove PROXY_WAKING sched/proxy: Switch proxy to use p->is_blocked sched/proxy: Only return migrate when needed sched: Be more strict about p->is_blocked ... 
Pull scheduler updates from Ingo Molnar:
 "SMP load-balancing updates:

   - A large series to introduce infrastructure for cache-aware load
     balancing, with the goal of co-locating tasks that share data
     within the same Last Level Cache (LLC) domain. By improving cache
     locality, the scheduler can reduce cache bouncing and cache misses,
     ultimately improving data access efficiency.

     Implemented by Chen Yu and Tim Chen, based on early prototype work
     by Peter Zijlstra, with fixes by Jianyong Wu, Peter Zijlstra and
     Shrikanth Hegde.

   - A series to simplify CONFIG_SCHED_SMT ifdef usage (Shrikanth Hegde)

  Fair scheduler updates:

   - A series to improve SD_ASYM_CPUCAPACITY scheduling by introducing
     SMT awareness (Andrea Righi, K Prateek Nayak)

   - A series to optimize cfs_rq and sched_entity allocation for better
     data locality (Zecheng Li)

   - A preparatory series to change fair/cgroup scheduling to a single
     runqueue, without the final change (Peter Zijlstra)

   - Auto-manage ext/fair dl_server bandwidth (Andrea Righi)

   - Fix cpu_util runnable_avg arithmetic (Hongyan Xia)

   - Optimize update_tg_load_avg()'s rate-limiting code (Rik van Riel)

   - Allow account_cfs_rq_runtime() to throttle current hierarchy
     (K Prateek Nayak)

   - Update util_est after updating util_avg during dequeue, to fix the
     util signal update logic, which reduces signal noise (Vincent
     Guittot)

  Scheduler topology updates:

   - Allow multiple domains to claim sched_domain_shared (K Prateek
     Nayak)

   - Add parameter to split LLC (Peter Zijlstra)

  Core scheduler updates:

   - Use trace_call__<tp>() to save a static branch (Gabriele Monaco)

  Scheduler statistics updates:

   - Drop now-stale mul_u64_u64_div_u64() cputime over-approximation
     guard (Nicolas Pitre)

  Deadline scheduler updates:

   - Reject debugfs dl_server writes for offline CPUs (Andrea Righi)

   - Fix replenishment logic for non-deferred servers (Yuri Andriaccio)

  RT scheduling updates:

   - Turn RT_PUSH_IPI default off for non PREEMPT_RT (Steven Rostedt)

   - Update default bandwidth for real-time tasks to 1.0 (Yuri
     Andriaccio)

  Proxy scheduling updates:

   - A series to implement Optimized Donor Migration for Proxy Execution
     (John Stultz, Peter Zijlstra)

   - Various proxy scheduling cleanups and fixes (Peter Zijlstra,
     K Prateek Nayak)

  Misc fixes, improvements and cleanups by Aaron Lu, Andrea Righi,
  Zenghui Yu, Chen Yu, Guanyou.Chen, John Stultz, Shrikanth Hegde,
  Peter Zijlstra, Liang Luo and Yiyang Chen"

* tag 'sched-core-2026-06-14' of gitolite.kernel.org:pub/scm/linux/kernel/git/tip/tip: (91 commits)
  sched/fair: Fix newidle vs core-sched
  sched/deadline: Use task_on_rq_migrating() helper
  sched/core: Combine separate 'else' and 'if' statements
  sched/fair: Fix cpu_util runnable_avg arithmetic
  sched/fair: Unify cfs_rq throttling via account_cfs_rq_runtime()
  sched/fair: Move the throttled tasks to a local list in tg_unthrottle_up()
  sched/fair: Call update_curr() before unthrottling the hierarchy
  sched/fair: Use throttled_csd_list for local unthrottle
  sched/fair: Convert cfs bandwidth throttling to use guards
  sched/fair: Allocate cfs_tg_state with percpu allocator
  sched/fair: Remove task_group->se pointer array
  sched/fair: Co-locate cfs_rq and sched_entity in cfs_tg_state
  sched: restore timer_slack_ns when resetting RT policy on fork
  MAINTAINERS: Fix spelling mistake in Peter's name
  sched: Simplify ttwu_runnable()
  sched/proxy: Remove superfluous clear_task_blocked_in()
  sched/proxy: Remove PROXY_WAKING
  sched/proxy: Switch proxy to use p->is_blocked
  sched/proxy: Only return migrate when needed
  sched: Be more strict about p->is_blocked
  ...
bpf: Add support to specify uprobe_multi target via file descriptor 2026-06-15T00:24:25+00:00 Jiri Olsa jolsa@kernel.org 2026-06-11T11:42:26+00:00 26330a9226417c9a3395db9fdb403f7d7371e6b7 Allow uprobe_multi link to identify the target binary by an already opened file descriptor. Adding new BPF_F_UPROBE_MULTI_PATH_FD flag and the path_fd field for the attr.link_create.uprobe_multi struct. When the flag is set, we resolve the target from path_fd, without the flag, we keep the existing string path behavior. I don't see a use case for supporting O_PATH file descriptors, because we need to read the binary first to get probes offsets, so I'm using the CLASS(fd, f), which fails for O_PATH fds. Assisted-by: Codex:GPT-5.4 Signed-off-by: Jiri Olsa <jolsa@kernel.org> Link: https://lore.kernel.org/r/20260611114230.950379-4-jolsa@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org> 
Allow uprobe_multi link to identify the target binary by an already
opened file descriptor.

Adding new BPF_F_UPROBE_MULTI_PATH_FD flag and the path_fd field for
the attr.link_create.uprobe_multi struct.

When the flag is set, we resolve the target from path_fd, without the
flag, we keep the existing string path behavior.

I don't see a use case for supporting O_PATH file descriptors, because
we need to read the binary first to get probes offsets, so I'm using
the CLASS(fd, f), which fails for O_PATH fds.

Assisted-by: Codex:GPT-5.4
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/r/20260611114230.950379-4-jolsa@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
bpf: Use user_path_at for path resolution in uprobe_multi 2026-06-15T00:24:25+00:00 Jiri Olsa jolsa@kernel.org 2026-06-11T11:42:25+00:00 65d81609e93140d8dd745fd41eb8a195f83ba7cd Resolve the uprobe_multi user path with user_path_at() instead of copying the string with strndup_user() and passing it to kern_path(). This removes the temporary allocation and keeps the lookup logic in one helper. Signed-off-by: Jiri Olsa <jolsa@kernel.org> Link: https://lore.kernel.org/r/20260611114230.950379-3-jolsa@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org> 
Resolve the uprobe_multi user path with user_path_at() instead of copying
the string with strndup_user() and passing it to kern_path(). This removes
the temporary allocation and keeps the lookup logic in one helper.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/r/20260611114230.950379-3-jolsa@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
bpf: Guard __get_user acesss with access_ok for uprobe_multi data 2026-06-15T00:24:25+00:00 Jiri Olsa jolsa@kernel.org 2026-06-11T11:42:24+00:00 4d87a251d45b4a95eb4c0abcfab809c9f231258a As reported by sashiko [1] we need to use access_ok to check the user space data bounds before we use __get-user to get it. [1] https://lore.kernel.org/bpf/20260610145235.CB1441F00893@smtp.kernel.org/ Fixes: 0b779b61f651 ("bpf: Add cookies support for uprobe_multi link") Fixes: 89ae89f53d20 ("bpf: Add multi uprobe link") Signed-off-by: Jiri Olsa <jolsa@kernel.org> Link: https://lore.kernel.org/r/20260611114230.950379-2-jolsa@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org> 
As reported by sashiko [1] we need to use access_ok to check the user
space data bounds before we use __get-user to get it.

[1] https://lore.kernel.org/bpf/20260610145235.CB1441F00893@smtp.kernel.org/
Fixes: 0b779b61f651 ("bpf: Add cookies support for uprobe_multi link")
Fixes: 89ae89f53d20 ("bpf: Add multi uprobe link")
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/r/20260611114230.950379-2-jolsa@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>