Message-ID: <20250502144651.127313773@goodmis.org>
Date: Fri, 02 May 2025 10:46:08 -0400
From: Steven Rostedt
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, Andrew Morton, syzbot+c8cd2d2c412b868263fb@syzkaller.appspotmail.com, Jeongjun Park
Subject: [for-linus][PATCH 1/4] tracing: Fix oob write in trace_seq_to_buffer()
References: <20250502144607.785079223@goodmis.org>
From: Jeongjun Park

syzbot reported this bug:

==================================================================
BUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]
BUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822
Write of size 4507 at addr ffff888032b6b000 by task syz.2.320/7260

CPU: 1 UID: 0 PID: 7260 Comm: syz.2.320 Not tainted 6.15.0-rc1-syzkaller-00301-g3bde70a2c827 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xc3/0x670 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
 __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106
 trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]
 tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822
 ....
==================================================================

It has been reported that trace_seq_to_buffer() tries to copy more data
than PAGE_SIZE to buf. Therefore, to prevent this, we should use the
smaller of trace_seq_used(&iter->seq) and PAGE_SIZE as an argument.

Link: https://lore.kernel.org/20250422113026.13308-1-aha310510@gmail.com
Reported-by: syzbot+c8cd2d2c412b868263fb@syzkaller.appspotmail.com
Fixes: 3c56819b14b0 ("tracing: splice support for tracing_pipe")
Suggested-by: Steven Rostedt
Signed-off-by: Jeongjun Park
Signed-off-by: Steven Rostedt (Google)
---
 kernel/trace/trace.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 8ddf6b17215c..6d52dc108f00 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -6821,13 +6821,14 @@ static ssize_t tracing_splice_read_pipe(struct file= *filp, /* Copy the data into the page, so we can start over. */ ret =3D trace_seq_to_buffer(&iter->seq, page_address(spd.pages[i]), - trace_seq_used(&iter->seq)); + min((size_t)trace_seq_used(&iter->seq), + PAGE_SIZE)); if (ret < 0) { __free_page(spd.pages[i]); break; } spd.partial[i].offset =3D 0; - spd.partial[i].len =3D trace_seq_used(&iter->seq); + spd.partial[i].len =3D ret; =20 trace_seq_init(&iter->seq); }
-- 
2.47.2
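Review bot: the min() stops the out-of-bounds write but turns an oversized record into silent truncation: trace_seq_init(&iter->seq) runs right after the copy, so whenever trace_seq_used() exceeds PAGE_SIZE (the report shows a 4507-byte record, so this is reachable) everything past the first page is discarded and the splice reader gets a cut-off record with no error. Either keep copying into further pages until trace_seq_to_buffer() reports nothing left before re-initialising the seq, or state in the commit message that truncation to one page is intended. Taking spd.partial[i].len from ret rather than from trace_seq_used() is correct, since ret is the count actually copied.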
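As an added illustration of the bound the patch introduces (example code written for this page, not kernel code): a userspace model of the copy loop in tracing_splice_read_pipe(). The trace_seq layout, the body of trace_seq_to_buffer() and the 2*PAGE_SIZE seq buffer are assumptions modelled on the kernel, and the 4507-byte record is constructed to match the size in the syzbot report. It shows that trace_seq_to_buffer() bounds the count only against what is left in the seq, never against the destination page, so the caller has to clamp, and it goes one step beyond the patch by draining the seq across as many pages as needed instead of truncating after the first one.

```c
/* Added example, not kernel code: a userspace model of the copy loop in
 * tracing_splice_read_pipe() fixed by the patch above. The trace_seq shape and
 * trace_seq_to_buffer() follow the kernel; sizes and data are constructed. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
/* Assumed: the seq buffer is bigger than a page, so trace_seq_used() can
 * exceed PAGE_SIZE (the syzbot report shows a 4507-byte copy). */
#define SEQ_BUFFER_SIZE (2 * PAGE_SIZE)

struct trace_seq {
	char buffer[SEQ_BUFFER_SIZE];
	size_t len;     /* bytes written; what trace_seq_used() returns */
	size_t readpos; /* bytes already handed out by trace_seq_to_buffer() */
};

static size_t trace_seq_used(const struct trace_seq *s) { return s->len; }
static void trace_seq_init(struct trace_seq *s) { s->len = 0; s->readpos = 0; }

/* Append one byte; drop it when full (the real seq flags overflow instead). */
static void trace_seq_putc(struct trace_seq *s, char c)
{
	if (s->len < SEQ_BUFFER_SIZE)
		s->buffer[s->len++] = c;
}

/* Model of the kernel helper: cnt is bounded against the SOURCE (bytes left in
 * the seq) and never against the destination. The caller owns that bound,
 * which is exactly the min() the patch adds. */
static long trace_seq_to_buffer(struct trace_seq *s, void *buf, size_t cnt)
{
	size_t left;
	if (trace_seq_used(s) <= s->readpos)
		return -EBUSY;
	left = trace_seq_used(s) - s->readpos;
	if (cnt > left)
		cnt = left;
	memcpy(buf, s->buffer + s->readpos, cnt);
	s->readpos += cnt;
	return (long)cnt;
}

/* Bounded copy loop. Each copy is clamped to one page and, going beyond the
 * patch (which re-inits the seq after one page), the loop drains the seq into
 * further pages so nothing past PAGE_SIZE is lost. Returns pages filled;
 * *total receives the bytes copied. */
static int splice_seq_into_pages(struct trace_seq *s, char pages[][PAGE_SIZE],
				 int max_pages, size_t *total)
{
	int i = 0;
	*total = 0;
	while (i < max_pages) {
		size_t want = trace_seq_used(s) - s->readpos;
		long ret;
		if (want > PAGE_SIZE)
			want = PAGE_SIZE;
		ret = trace_seq_to_buffer(s, pages[i], want);
		if (ret < 0)
			break; /* -EBUSY: nothing left to copy */
		*total += (size_t)ret;
		i++;
	}
	trace_seq_init(s);
	return i;
}

/* Constructed scenario: a 4507-byte record (the size in the syzbot report)
 * with byte i = 'A' + i % 26 so the page boundary can be checked. Returns the
 * bytes spliced when every check holds, -1 otherwise. */
static long run_demo(void)
{
	static struct trace_seq s;
	static char pages[4][PAGE_SIZE];
	size_t total, i;

	trace_seq_init(&s);
	for (i = 0; i < 4507; i++)
		trace_seq_putc(&s, (char)('A' + i % 26));
	/* Pre-fix the request was trace_seq_used() itself: here 4507 bytes into
	 * a 4096-byte page, the overrun KASAN reported. */
	if (trace_seq_used(&s) <= PAGE_SIZE)
		return -1;
	if (splice_seq_into_pages(&s, pages, 4, &total) != 2 || total != 4507)
		return -1;
	/* Record byte 4096 must open the second page and byte 4506 must be its last. */
	if (pages[1][0] != (char)('A' + 4096 % 26) ||
	    pages[1][410] != (char)('A' + 4506 % 26))
		return -1;
	return (long)total;
}

int main(void)
{
	printf("spliced %ld bytes\n", run_demo()); /* prints 4507 */
	return 0;
}
```

Build with `cc -Wall demo.c && ./a.out`; run_demo() only returns 4507 when both pages carry the whole record with the boundary exactly at byte 4096, which is the property the single-page clamp in the patch gives up.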
Message-ID: <20250502144651.297180675@goodmis.org>
Date: Fri, 02 May 2025 10:46:09 -0400
From: Steven Rostedt
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, Andrew Morton, Colin Ian King
Subject: [for-linus][PATCH 2/4] ftrace: Fix NULL memory allocation check
References: <20250502144607.785079223@goodmis.org>

From: Colin Ian King

The check for a failed memory location is incorrectly checking the wrong
level of pointer indirection by checking !filter_hash rather than
!*filter_hash. Fix this.

Cc: Masami Hiramatsu
Cc: Mark Rutland
Cc: Mathieu Desnoyers
Link: https://lore.kernel.org/20250422221335.89896-1-colin.i.king@gmail.com
Fixes: 0ae6b8ce200d ("ftrace: Fix accounting of subop hashes")
Signed-off-by: Colin Ian King
Signed-off-by: Steven Rostedt (Google)
---
 kernel/trace/ftrace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 61130bb34d6c..6981830c3128 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -3436,7 +3436,7 @@ static int add_next_hash(struct ftrace_hash **filter_= hash, struct ftrace_hash ** =20 /* Copy the subops hash */ *filter_hash =3D alloc_and_copy_ftrace_hash(size_bits, subops_hash->filt= er_hash); - if (!filter_hash) + if (!*filter_hash) return -ENOMEM; /* Remove any notrace functions from the copy */ remove_hash(*filter_hash, subops_hash->notrace_hash);
-- 
2.47.2

Message-ID: <20250502144651.463362779@goodmis.org>
Date: Fri, 02 May 2025 10:46:10 -0400
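Review bot: the old `if (!filter_hash)` in add_next_hash() tested the double-pointer argument, which the caller passes non-NULL, so an allocation failure in alloc_and_copy_ftrace_hash() fell straight through to `remove_hash(*filter_hash, subops_hash->notrace_hash)` on the next line with a NULL hash; `!*filter_hash` is the right test. Since this turns a NULL dereference under memory pressure into a clean -ENOMEM, a Cc: stable tag looks warranted, as on patch 4 of this series. Also worth confirming that the caller of add_next_hash() releases anything it allocated earlier on the -ENOMEM return; that path is outside this hunk.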
From: Steven Rostedt
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, Andrew Morton
Subject: [for-linus][PATCH 3/4] tracing: Fix trace_adjust_address() when there are no modules in scratch area
References: <20250502144607.785079223@goodmis.org>

From: Steven Rostedt

The function trace_adjust_address() is used to map addresses of modules
stored in the persistent memory that are also loaded in the current boot
to return the current address for the module. If there's only one module
entry, it will simply use that, otherwise it performs a bsearch of the
entry array to find the modules to offset with.

The issue is if there are no modules in the array. The code does not
account for that and ends up referencing the first element in the array
which does not exist and causes a crash.

If nr_entries is zero, exit out early as if this was a core kernel
address.

Cc: Masami Hiramatsu
Cc: Mathieu Desnoyers
Link: https://lore.kernel.org/20250501151909.65910359@gandalf.local.home
Fixes: 35a380ddbc653 ("tracing: Show last module text symbols in the stacktrace")
Signed-off-by: Steven Rostedt (Google)
---
 kernel/trace/trace.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 6d52dc108f00..5b8db27fb6ef 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -6043,8 +6043,10 @@ unsigned long trace_adjust_address(struct trace_arra= y *tr, unsigned long addr) tscratch =3D tr->scratch; /* if there is no tscrach, module_delta must be NULL. */ module_delta =3D READ_ONCE(tr->module_delta); - if (!module_delta || tscratch->entries[0].mod_addr > addr) + if (!module_delta || !tscratch->nr_entries || + tscratch->entries[0].mod_addr > addr) { return addr + tr->text_delta; + } =20 /* Note that entries must be sorted. */ nr_entries =3D tscratch->nr_entries;
-- 
2.47.2
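Review bot: `tscratch->nr_entries` is now read twice in trace_adjust_address(), once in this test and again in `nr_entries = tscratch->nr_entries;` two lines below, while `tr->module_delta` goes through READ_ONCE(); if the scratch entries can change while this runs the two reads may disagree, so either load nr_entries into the local once before the test and use it in both places, or say in a comment why the count is stable here. The new `!tscratch->nr_entries` test is correctly placed ahead of `tscratch->entries[0].mod_addr`, which is what keeps the empty array from being indexed. Nit: the untouched context comment spells it `tscrach`, worth fixing while in this block, and the braces added around the single `return` are not required by kernel style, though acceptable for a multi-line condition.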
Message-ID: <20250502144651.638397805@goodmis.org>
Date: Fri, 02 May 2025 10:46:11 -0400
From: Steven Rostedt
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, Andrew Morton, stable@vger.kernel.org, syzbot+441582c1592938fccf09@syzkaller.appspotmail.com
Subject: [for-linus][PATCH 4/4] tracing: Do not take trace_event_sem in print_event_fields()
References: <20250502144607.785079223@goodmis.org>

From: Steven Rostedt

On some paths in print_event_fields() it takes the trace_event_sem for
read, even though it should always be held when the function is called.

Remove the taking of that mutex and add a lockdep_assert_held_read() to
make sure the trace_event_sem is held when print_event_fields() is
called.

Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu
Cc: Mathieu Desnoyers
Link: https://lore.kernel.org/20250501224128.0b1f0571@batman.local.home
Fixes: 80a76994b2d88 ("tracing: Add "fields" option to show raw trace event fields")
Reported-by: syzbot+441582c1592938fccf09@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6813ff5e.050a0220.14dd7d.001b.GAE@google.com/
Signed-off-by: Steven Rostedt (Google)
---
 kernel/trace/trace_output.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
index fee40ffbd490..b9ab06c99543 100644
--- a/kernel/trace/trace_output.c
+++ b/kernel/trace/trace_output.c
@@ -1042,11 +1042,12 @@ enum print_line_t print_event_fields(struct trace_i= terator *iter, struct trace_event_call *call; struct list_head *head; =20 + lockdep_assert_held_read(&trace_event_sem); + /* ftrace defined events have separate call structures */ if (event->type <=3D __TRACE_LAST_TYPE) { bool found =3D false; =20 - down_read(&trace_event_sem); list_for_each_entry(call, &ftrace_events, list) { if (call->event.type =3D=3D event->type) { found =3D true; @@ -1056,7 +1057,6 @@ enum print_line_t print_event_fields(struct trace_ite= rator *iter, if (call->event.type > __TRACE_LAST_TYPE) break; } - up_read(&trace_event_sem); if (!found) { trace_seq_printf(&iter->seq, "UNKNOWN TYPE %d\n", event->type); goto out; --=20 2.47.2
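Review bot: the commit message says the lock "should always be held" but not why taking it again for read is a bug; the removed down_read()/up_read() pair shows trace_event_sem is an rwsem, and a nested read on an rwsem can deadlock when a writer queues between the outer and the inner down_read(), which is presumably what the syzbot report under Closes: shows, so spell that out, since it is also what justifies Cc: stable. lockdep_assert_held_read() only checks anything on lockdep-enabled builds and none of the callers of print_event_fields() appear in this diff, so a short comment above the assert naming the callers that hold trace_event_sem, or a sentence in the commit message saying they were audited, would help the next reader. Also the text calls it a mutex; it is a read-write semaphore.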