--- /dev/null
+From 333b4fd11e89b29c84c269123f871883a30be586 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Mon, 23 Sep 2024 12:47:39 -0400
+Subject: Bluetooth: L2CAP: Fix uaf in l2cap_connect
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 333b4fd11e89b29c84c269123f871883a30be586 upstream.
+
+[Syzbot reported]
+BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
+Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54
+
+CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
+Workqueue: hci2 hci_rx_work
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:93 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0xc3/0x620 mm/kasan/report.c:488
+ kasan_report+0xd9/0x110 mm/kasan/report.c:601
+ l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
+ l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline]
+ l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]
+ l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]
+ l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825
+ l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514
+ hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
+ hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
+ process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
+ process_scheduled_works kernel/workqueue.c:3312 [inline]
+ worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
+ kthread+0x2c1/0x3a0 kernel/kthread.c:389
+ ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+...
+
+Freed by task 5245:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
+ poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
+ __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
+ kasan_slab_free include/linux/kasan.h:184 [inline]
+ slab_free_hook mm/slub.c:2256 [inline]
+ slab_free mm/slub.c:4477 [inline]
+ kfree+0x12a/0x3b0 mm/slub.c:4598
+ l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]
+ kref_put include/linux/kref.h:65 [inline]
+ l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]
+ l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802
+ l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241
+ hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
+ hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265
+ hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583
+ abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917
+ hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328
+ process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
+ process_scheduled_works kernel/workqueue.c:3312 [inline]
+ worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
+ kthread+0x2c1/0x3a0 kernel/kthread.c:389
+ ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+
+Reported-by: syzbot+c12e2f941af1feb5632c@syzkaller.appspotmail.com
+Tested-by: syzbot+c12e2f941af1feb5632c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c12e2f941af1feb5632c
+Fixes: 7b064edae38d ("Bluetooth: Fix authentication if acl data comes before remote feature evt")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+[Xiangyu: Modified to bp this commit to fix CVE-2024-49950]
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_core.c | 2 ++
+ net/bluetooth/hci_event.c | 2 +-
+ net/bluetooth/l2cap_core.c | 9 ---------
+ 3 files changed, 3 insertions(+), 10 deletions(-)
+
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -3846,6 +3846,8 @@ static void hci_acldata_packet(struct hc
+
+ hci_dev_lock(hdev);
+ conn = hci_conn_hash_lookup_handle(hdev, handle);
++ if (conn && hci_dev_test_flag(hdev, HCI_MGMT))
++ mgmt_device_connected(hdev, conn, NULL, 0);
+ hci_dev_unlock(hdev);
+
+ if (conn) {
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -3789,7 +3789,7 @@ static void hci_remote_features_evt(stru
+ goto unlock;
+ }
+
+- if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
++ if (!ev->status) {
+ struct hci_cp_remote_name_req cp;
+ memset(&cp, 0, sizeof(cp));
+ bacpy(&cp.bdaddr, &conn->dst);
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4300,18 +4300,9 @@ sendresp:
+ static int l2cap_connect_req(struct l2cap_conn *conn,
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
+ {
+- struct hci_dev *hdev = conn->hcon->hdev;
+- struct hci_conn *hcon = conn->hcon;
+-
+ if (cmd_len < sizeof(struct l2cap_conn_req))
+ return -EPROTO;
+
+- hci_dev_lock(hdev);
+- if (hci_dev_test_flag(hdev, HCI_MGMT) &&
+- !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
+- mgmt_device_connected(hdev, hcon, NULL, 0);
+- hci_dev_unlock(hdev);
+-
+ l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
+ return 0;
+ }
--- /dev/null
+From c86ad39140bbcb9dc75a10046c2221f657e8083b Mon Sep 17 00:00:00 2001
+From: Philip Yang <Philip.Yang@amd.com>
+Date: Sun, 14 Jul 2024 11:11:05 -0400
+Subject: drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Philip Yang <Philip.Yang@amd.com>
+
+commit c86ad39140bbcb9dc75a10046c2221f657e8083b upstream.
+
+Pass pointer reference to amdgpu_bo_unref to clear the correct pointer,
+otherwise amdgpu_bo_unref clear the local variable, the original pointer
+not set to NULL, this could cause use-after-free bug.
+
+Signed-off-by: Philip Yang <Philip.Yang@amd.com>
+Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Vamsi Krishna Brahmajosyula <vamsi-krishna.brahmajosyula@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 14 +++++++-------
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 2 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_device.c | 4 ++--
+ drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 2 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c | 2 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_process.c | 2 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 4 ++--
+ 8 files changed, 16 insertions(+), 16 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
+@@ -344,15 +344,15 @@ allocate_mem_reserve_bo_failed:
+ return r;
+ }
+
+-void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void *mem_obj)
++void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void **mem_obj)
+ {
+- struct amdgpu_bo *bo = (struct amdgpu_bo *) mem_obj;
++ struct amdgpu_bo **bo = (struct amdgpu_bo **) mem_obj;
+
+- amdgpu_bo_reserve(bo, true);
+- amdgpu_bo_kunmap(bo);
+- amdgpu_bo_unpin(bo);
+- amdgpu_bo_unreserve(bo);
+- amdgpu_bo_unref(&(bo));
++ amdgpu_bo_reserve(*bo, true);
++ amdgpu_bo_kunmap(*bo);
++ amdgpu_bo_unpin(*bo);
++ amdgpu_bo_unreserve(*bo);
++ amdgpu_bo_unref(bo);
+ }
+
+ int amdgpu_amdkfd_alloc_gws(struct amdgpu_device *adev, size_t size,
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
+@@ -210,7 +210,7 @@ int amdgpu_amdkfd_evict_userptr(struct k
+ int amdgpu_amdkfd_alloc_gtt_mem(struct amdgpu_device *adev, size_t size,
+ void **mem_obj, uint64_t *gpu_addr,
+ void **cpu_ptr, bool mqd_gfx9);
+-void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void *mem_obj);
++void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void **mem_obj);
+ int amdgpu_amdkfd_alloc_gws(struct amdgpu_device *adev, size_t size,
+ void **mem_obj);
+ void amdgpu_amdkfd_free_gws(struct amdgpu_device *adev, void *mem_obj);
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+@@ -408,7 +408,7 @@ static int kfd_ioctl_create_queue(struct
+
+ err_create_queue:
+ if (wptr_bo)
+- amdgpu_amdkfd_free_gtt_mem(dev->adev, wptr_bo);
++ amdgpu_amdkfd_free_gtt_mem(dev->adev, (void **)&wptr_bo);
+ err_wptr_map_gart:
+ err_alloc_doorbells:
+ err_bind_process:
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
+@@ -673,7 +673,7 @@ kfd_interrupt_error:
+ kfd_doorbell_error:
+ kfd_gtt_sa_fini(kfd);
+ kfd_gtt_sa_init_error:
+- amdgpu_amdkfd_free_gtt_mem(kfd->adev, kfd->gtt_mem);
++ amdgpu_amdkfd_free_gtt_mem(kfd->adev, &kfd->gtt_mem);
+ alloc_gtt_mem_failure:
+ if (kfd->gws)
+ amdgpu_amdkfd_free_gws(kfd->adev, kfd->gws);
+@@ -693,7 +693,7 @@ void kgd2kfd_device_exit(struct kfd_dev
+ kfd_doorbell_fini(kfd);
+ ida_destroy(&kfd->doorbell_ida);
+ kfd_gtt_sa_fini(kfd);
+- amdgpu_amdkfd_free_gtt_mem(kfd->adev, kfd->gtt_mem);
++ amdgpu_amdkfd_free_gtt_mem(kfd->adev, &kfd->gtt_mem);
+ if (kfd->gws)
+ amdgpu_amdkfd_free_gws(kfd->adev, kfd->gws);
+ }
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+@@ -2392,7 +2392,7 @@ static void deallocate_hiq_sdma_mqd(stru
+ {
+ WARN(!mqd, "No hiq sdma mqd trunk to free");
+
+- amdgpu_amdkfd_free_gtt_mem(dev->adev, mqd->gtt_mem);
++ amdgpu_amdkfd_free_gtt_mem(dev->adev, &mqd->gtt_mem);
+ }
+
+ void device_queue_manager_uninit(struct device_queue_manager *dqm)
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c
+@@ -204,7 +204,7 @@ void kfd_free_mqd_cp(struct mqd_manager
+ struct kfd_mem_obj *mqd_mem_obj)
+ {
+ if (mqd_mem_obj->gtt_mem) {
+- amdgpu_amdkfd_free_gtt_mem(mm->dev->adev, mqd_mem_obj->gtt_mem);
++ amdgpu_amdkfd_free_gtt_mem(mm->dev->adev, &mqd_mem_obj->gtt_mem);
+ kfree(mqd_mem_obj);
+ } else {
+ kfd_gtt_sa_free(mm->dev, mqd_mem_obj);
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
+@@ -1052,7 +1052,7 @@ static void kfd_process_destroy_pdds(str
+
+ if (pdd->dev->shared_resources.enable_mes)
+ amdgpu_amdkfd_free_gtt_mem(pdd->dev->adev,
+- pdd->proc_ctx_bo);
++ &pdd->proc_ctx_bo);
+ /*
+ * before destroying pdd, make sure to report availability
+ * for auto suspend
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+@@ -441,9 +441,9 @@ int pqm_destroy_queue(struct process_que
+
+ if (dev->shared_resources.enable_mes) {
+ amdgpu_amdkfd_free_gtt_mem(dev->adev,
+- pqn->q->gang_ctx_bo);
++ &pqn->q->gang_ctx_bo);
+ if (pqn->q->wptr_bo)
+- amdgpu_amdkfd_free_gtt_mem(dev->adev, pqn->q->wptr_bo);
++ amdgpu_amdkfd_free_gtt_mem(dev->adev, (void **)&pqn->q->wptr_bo);
+
+ }
+ uninit_queue(pqn->q);
--- /dev/null
+From 0ce160c5bdb67081a62293028dc85758a8efb22a Mon Sep 17 00:00:00 2001
+From: Xiaxi Shen <shenxiaxi26@gmail.com>
+Date: Sun, 14 Jul 2024 21:33:36 -0700
+Subject: ext4: fix timer use-after-free on failed mount
+
+From: Xiaxi Shen <shenxiaxi26@gmail.com>
+
+commit 0ce160c5bdb67081a62293028dc85758a8efb22a upstream.
+
+Syzbot has found an ODEBUG bug in ext4_fill_super
+
+The del_timer_sync function cancels the s_err_report timer,
+which reminds about filesystem errors daily. We should
+guarantee the timer is no longer active before kfree(sbi).
+
+When filesystem mounting fails, the flow goes to failed_mount3,
+where an error occurs when ext4_stop_mmpd is called, causing
+a read I/O failure. This triggers the ext4_handle_error function
+that ultimately re-arms the timer,
+leaving the s_err_report timer active before kfree(sbi) is called.
+
+Fix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd.
+
+Signed-off-by: Xiaxi Shen <shenxiaxi26@gmail.com>
+Reported-and-tested-by: syzbot+59e0101c430934bc9a36@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=59e0101c430934bc9a36
+Link: https://patch.msgid.link/20240715043336.98097-1-shenxiaxi26@gmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -5617,8 +5617,8 @@ failed_mount3a:
+ failed_mount3:
+ /* flush s_error_work before sbi destroy */
+ flush_work(&sbi->s_error_work);
+- del_timer_sync(&sbi->s_err_report);
+ ext4_stop_mmpd(sbi);
++ del_timer_sync(&sbi->s_err_report);
+ ext4_group_desc_free(sbi);
+ failed_mount:
+ if (sbi->s_chksum_driver)
--- /dev/null
+From a33fb016e49e37aafab18dc3c8314d6399cb4727 Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Date: Fri, 30 Aug 2024 13:50:18 +0300
+Subject: fs/ntfs3: Fix general protection fault in run_is_mapped_full
+
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+
+commit a33fb016e49e37aafab18dc3c8314d6399cb4727 upstream.
+
+Fixed deleating of a non-resident attribute in ntfs_create_inode()
+rollback.
+
+Reported-by: syzbot+9af29acd8f27fbce94bc@syzkaller.appspotmail.com
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ntfs3/inode.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/ntfs3/inode.c
++++ b/fs/ntfs3/inode.c
+@@ -1646,6 +1646,15 @@ out7:
+ le16_to_cpu(new_de->key_size), sbi);
+ /* ni_unlock(dir_ni); will be called later. */
+ out6:
++ attr = ni_find_attr(ni, NULL, NULL, ATTR_EA, NULL, 0, NULL, NULL);
++ if (attr && attr->non_res) {
++ /* Delete ATTR_EA, if non-resident. */
++ struct runs_tree run;
++ run_init(&run);
++ attr_set_size(ni, ATTR_EA, NULL, 0, &run, 0, NULL, false, NULL);
++ run_close(&run);
++ }
++
+ if (rp_inserted)
+ ntfs_remove_reparse(sbi, IO_REPARSE_TAG_SYMLINK, &new_de->ref);
+
--- /dev/null
+From 73254a297c2dd094abec7c9efee32455ae875bdf Mon Sep 17 00:00:00 2001
+From: Hagar Hemdan <hagarhem@amazon.com>
+Date: Tue, 4 Jun 2024 13:05:27 +0000
+Subject: io_uring: fix possible deadlock in io_register_iowq_max_workers()
+
+From: Hagar Hemdan <hagarhem@amazon.com>
+
+commit 73254a297c2dd094abec7c9efee32455ae875bdf upstream.
+
+The io_register_iowq_max_workers() function calls io_put_sq_data(),
+which acquires the sqd->lock without releasing the uring_lock.
+Similar to the commit 009ad9f0c6ee ("io_uring: drop ctx->uring_lock
+before acquiring sqd->lock"), this can lead to a potential deadlock
+situation.
+
+To resolve this issue, the uring_lock is released before calling
+io_put_sq_data(), and then it is re-acquired after the function call.
+
+This change ensures that the locks are acquired in the correct
+order, preventing the possibility of a deadlock.
+
+Suggested-by: Maximilian Heyne <mheyne@amazon.de>
+Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
+Link: https://lore.kernel.org/r/20240604130527.3597-1-hagarhem@amazon.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -3921,8 +3921,10 @@ static __cold int io_register_iowq_max_w
+ }
+
+ if (sqd) {
++ mutex_unlock(&ctx->uring_lock);
+ mutex_unlock(&sqd->lock);
+ io_put_sq_data(sqd);
++ mutex_lock(&ctx->uring_lock);
+ }
+
+ if (copy_to_user(arg, new_count, sizeof(new_count)))
+@@ -3947,8 +3949,11 @@ static __cold int io_register_iowq_max_w
+ return 0;
+ err:
+ if (sqd) {
++ mutex_unlock(&ctx->uring_lock);
+ mutex_unlock(&sqd->lock);
+ io_put_sq_data(sqd);
++ mutex_lock(&ctx->uring_lock);
++
+ }
+ return ret;
+ }
--- /dev/null
+From 59f8f0b54c8ffb4521f6bbd1cb6f4dfa5022e75e Mon Sep 17 00:00:00 2001
+From: Li Nan <linan122@huawei.com>
+Date: Sat, 27 May 2023 15:22:16 +0800
+Subject: md/raid10: improve code of mrdev in raid10_sync_request
+
+From: Li Nan <linan122@huawei.com>
+
+commit 59f8f0b54c8ffb4521f6bbd1cb6f4dfa5022e75e upstream.
+
+'need_recover' and 'mrdev' are equivalent in raid10_sync_request(), and
+inc mrdev->nr_pending is unreasonable if don't need recovery. Replace
+'need_recover' with 'mrdev', and only inc nr_pending when needed.
+
+Signed-off-by: Li Nan <linan122@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20230527072218.2365857-3-linan666@huaweicloud.com
+Cc: Hagar Gamal Halim <hagarhem@amazon.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid10.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -3432,7 +3432,6 @@ static sector_t raid10_sync_request(stru
+ sector_t sect;
+ int must_sync;
+ int any_working;
+- int need_recover = 0;
+ struct raid10_info *mirror = &conf->mirrors[i];
+ struct md_rdev *mrdev, *mreplace;
+
+@@ -3440,14 +3439,13 @@ static sector_t raid10_sync_request(stru
+ mrdev = rcu_dereference(mirror->rdev);
+ mreplace = rcu_dereference(mirror->replacement);
+
+- if (mrdev != NULL &&
+- !test_bit(Faulty, &mrdev->flags) &&
+- !test_bit(In_sync, &mrdev->flags))
+- need_recover = 1;
++ if (mrdev && (test_bit(Faulty, &mrdev->flags) ||
++ test_bit(In_sync, &mrdev->flags)))
++ mrdev = NULL;
+ if (mreplace && test_bit(Faulty, &mreplace->flags))
+ mreplace = NULL;
+
+- if (!need_recover && !mreplace) {
++ if (!mrdev && !mreplace) {
+ rcu_read_unlock();
+ continue;
+ }
+@@ -3481,7 +3479,8 @@ static sector_t raid10_sync_request(stru
+ rcu_read_unlock();
+ continue;
+ }
+- atomic_inc(&mrdev->nr_pending);
++ if (mrdev)
++ atomic_inc(&mrdev->nr_pending);
+ if (mreplace)
+ atomic_inc(&mreplace->nr_pending);
+ rcu_read_unlock();
+@@ -3568,7 +3567,7 @@ static sector_t raid10_sync_request(stru
+ r10_bio->devs[1].devnum = i;
+ r10_bio->devs[1].addr = to_addr;
+
+- if (need_recover) {
++ if (mrdev) {
+ bio = r10_bio->devs[1].bio;
+ bio->bi_next = biolist;
+ biolist = bio;
+@@ -3613,7 +3612,7 @@ static sector_t raid10_sync_request(stru
+ for (k = 0; k < conf->copies; k++)
+ if (r10_bio->devs[k].devnum == i)
+ break;
+- if (!test_bit(In_sync,
++ if (mrdev && !test_bit(In_sync,
+ &mrdev->flags)
+ && !rdev_set_badblocks(
+ mrdev,
+@@ -3639,12 +3638,14 @@ static sector_t raid10_sync_request(stru
+ if (rb2)
+ atomic_dec(&rb2->remaining);
+ r10_bio = rb2;
+- rdev_dec_pending(mrdev, mddev);
++ if (mrdev)
++ rdev_dec_pending(mrdev, mddev);
+ if (mreplace)
+ rdev_dec_pending(mreplace, mddev);
+ break;
+ }
+- rdev_dec_pending(mrdev, mddev);
++ if (mrdev)
++ rdev_dec_pending(mrdev, mddev);
+ if (mreplace)
+ rdev_dec_pending(mreplace, mddev);
+ if (r10_bio->devs[0].bio->bi_opf & MD_FAILFAST) {
--- /dev/null
+From 704573851b51808b45dae2d62059d1d8189138a2 Mon Sep 17 00:00:00 2001
+From: Qun-Wei Lin <qun-wei.lin@mediatek.com>
+Date: Fri, 25 Oct 2024 16:58:11 +0800
+Subject: mm: krealloc: Fix MTE false alarm in __do_krealloc
+
+From: Qun-Wei Lin <qun-wei.lin@mediatek.com>
+
+commit 704573851b51808b45dae2d62059d1d8189138a2 upstream.
+
+This patch addresses an issue introduced by commit 1a83a716ec233 ("mm:
+krealloc: consider spare memory for __GFP_ZERO") which causes MTE
+(Memory Tagging Extension) to falsely report a slab-out-of-bounds error.
+
+The problem occurs when zeroing out spare memory in __do_krealloc. The
+original code only considered software-based KASAN and did not account
+for MTE. It does not reset the KASAN tag before calling memset, leading
+to a mismatch between the pointer tag and the memory tag, resulting
+in a false positive.
+
+Example of the error:
+==================================================================
+swapper/0: BUG: KASAN: slab-out-of-bounds in __memset+0x84/0x188
+swapper/0: Write at addr f4ffff8005f0fdf0 by task swapper/0/1
+swapper/0: Pointer tag: [f4], memory tag: [fe]
+swapper/0:
+swapper/0: CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.
+swapper/0: Hardware name: MT6991(ENG) (DT)
+swapper/0: Call trace:
+swapper/0: dump_backtrace+0xfc/0x17c
+swapper/0: show_stack+0x18/0x28
+swapper/0: dump_stack_lvl+0x40/0xa0
+swapper/0: print_report+0x1b8/0x71c
+swapper/0: kasan_report+0xec/0x14c
+swapper/0: __do_kernel_fault+0x60/0x29c
+swapper/0: do_bad_area+0x30/0xdc
+swapper/0: do_tag_check_fault+0x20/0x34
+swapper/0: do_mem_abort+0x58/0x104
+swapper/0: el1_abort+0x3c/0x5c
+swapper/0: el1h_64_sync_handler+0x80/0xcc
+swapper/0: el1h_64_sync+0x68/0x6c
+swapper/0: __memset+0x84/0x188
+swapper/0: btf_populate_kfunc_set+0x280/0x3d8
+swapper/0: __register_btf_kfunc_id_set+0x43c/0x468
+swapper/0: register_btf_kfunc_id_set+0x48/0x60
+swapper/0: register_nf_nat_bpf+0x1c/0x40
+swapper/0: nf_nat_init+0xc0/0x128
+swapper/0: do_one_initcall+0x184/0x464
+swapper/0: do_initcall_level+0xdc/0x1b0
+swapper/0: do_initcalls+0x70/0xc0
+swapper/0: do_basic_setup+0x1c/0x28
+swapper/0: kernel_init_freeable+0x144/0x1b8
+swapper/0: kernel_init+0x20/0x1a8
+swapper/0: ret_from_fork+0x10/0x20
+==================================================================
+
+Fixes: 1a83a716ec233 ("mm: krealloc: consider spare memory for __GFP_ZERO")
+Signed-off-by: Qun-Wei Lin <qun-wei.lin@mediatek.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/slab_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -1325,7 +1325,7 @@ __do_krealloc(const void *p, size_t new_
+ /* Zero out spare memory. */
+ if (want_init_on_alloc(flags)) {
+ kasan_disable_current();
+- memset((void *)p + new_size, 0, ks - new_size);
++ memset(kasan_reset_tag(p) + new_size, 0, ks - new_size);
+ kasan_enable_current();
+ }
+
--- /dev/null
+From 2fae3129c0c08e72b1fe93e61fd8fd203252094a Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 5 Oct 2024 15:05:45 +0200
+Subject: platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 2fae3129c0c08e72b1fe93e61fd8fd203252094a upstream.
+
+x86_android_tablet_remove() frees the pdevs[] array, so it should not
+be used after calling x86_android_tablet_remove().
+
+When platform_device_register() fails, store the pdevs[x] PTR_ERR() value
+into the local ret variable before calling x86_android_tablet_remove()
+to avoid using pdevs[] after it has been freed.
+
+Fixes: 5eba0141206e ("platform/x86: x86-android-tablets: Add support for instantiating platform-devs")
+Fixes: e2200d3f26da ("platform/x86: x86-android-tablets: Add gpio_keys support to x86_android_tablet_init()")
+Cc: stable@vger.kernel.org
+Reported-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
+Closes: https://lore.kernel.org/platform-driver-x86/20240917120458.7300-1-a.burakov@rosalinux.ru/
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20241005130545.64136-1-hdegoede@redhat.com
+[Xiangyu: Modified file path to backport this commit to fix CVE: CVE-2024-49986]
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/x86-android-tablets.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/x86-android-tablets.c
++++ b/drivers/platform/x86/x86-android-tablets.c
+@@ -1853,8 +1853,9 @@ static __init int x86_android_tablet_ini
+ for (i = 0; i < pdev_count; i++) {
+ pdevs[i] = platform_device_register_full(&dev_info->pdev_info[i]);
+ if (IS_ERR(pdevs[i])) {
++ ret = PTR_ERR(pdevs[i]);
+ x86_android_tablet_cleanup();
+- return PTR_ERR(pdevs[i]);
++ return ret;
+ }
+ }
+
hid-lenovo-add-support-for-thinkpad-x1-tablet-gen-3-.patch
loongarch-use-exception-return-address-to-comment-er.patch
net-usb-qmi_wwan-add-fibocom-fg132-0x0112-compositio.patch
+md-raid10-improve-code-of-mrdev-in-raid10_sync_request.patch
+io_uring-fix-possible-deadlock-in-io_register_iowq_max_workers.patch
+uprobes-encapsulate-preparation-of-uprobe-args-buffer.patch
+uprobe-avoid-out-of-bounds-memory-access-of-fetching-args.patch
+drm-amdkfd-amdkfd_free_gtt_mem-clear-the-correct-pointer.patch
+ext4-fix-timer-use-after-free-on-failed-mount.patch
+bluetooth-l2cap-fix-uaf-in-l2cap_connect.patch
+mm-krealloc-fix-mte-false-alarm-in-__do_krealloc.patch
+platform-x86-x86-android-tablets-fix-use-after-free-on-platform_device_register-errors.patch
+fs-ntfs3-fix-general-protection-fault-in-run_is_mapped_full.patch
--- /dev/null
+From 373b9338c9722a368925d83bc622c596896b328e Mon Sep 17 00:00:00 2001
+From: Qiao Ma <mqaio@linux.alibaba.com>
+Date: Tue, 15 Oct 2024 14:01:48 +0800
+Subject: uprobe: avoid out-of-bounds memory access of fetching args
+
+From: Qiao Ma <mqaio@linux.alibaba.com>
+
+commit 373b9338c9722a368925d83bc622c596896b328e upstream.
+
+Uprobe needs to fetch args into a percpu buffer, and then copy to ring
+buffer to avoid non-atomic context problem.
+
+Sometimes user-space strings, arrays can be very large, but the size of
+percpu buffer is only page size. And store_trace_args() won't check
+whether these data exceeds a single page or not, caused out-of-bounds
+memory access.
+
+It could be reproduced by following steps:
+1. build kernel with CONFIG_KASAN enabled
+2. save follow program as test.c
+
+```
+\#include <stdio.h>
+\#include <stdlib.h>
+\#include <string.h>
+
+// If string length large than MAX_STRING_SIZE, the fetch_store_strlen()
+// will return 0, cause __get_data_size() return shorter size, and
+// store_trace_args() will not trigger out-of-bounds access.
+// So make string length less than 4096.
+\#define STRLEN 4093
+
+void generate_string(char *str, int n)
+{
+ int i;
+ for (i = 0; i < n; ++i)
+ {
+ char c = i % 26 + 'a';
+ str[i] = c;
+ }
+ str[n-1] = '\0';
+}
+
+void print_string(char *str)
+{
+ printf("%s\n", str);
+}
+
+int main()
+{
+ char tmp[STRLEN];
+
+ generate_string(tmp, STRLEN);
+ print_string(tmp);
+
+ return 0;
+}
+```
+3. compile program
+`gcc -o test test.c`
+
+4. get the offset of `print_string()`
+```
+objdump -t test | grep -w print_string
+0000000000401199 g F .text 000000000000001b print_string
+```
+
+5. configure uprobe with offset 0x1199
+```
+off=0x1199
+
+cd /sys/kernel/debug/tracing/
+echo "p /root/test:${off} arg1=+0(%di):ustring arg2=\$comm arg3=+0(%di):ustring"
+ > uprobe_events
+echo 1 > events/uprobes/enable
+echo 1 > tracing_on
+```
+
+6. run `test`, and kasan will report error.
+==================================================================
+BUG: KASAN: use-after-free in strncpy_from_user+0x1d6/0x1f0
+Write of size 8 at addr ffff88812311c004 by task test/499CPU: 0 UID: 0 PID: 499 Comm: test Not tainted 6.12.0-rc3+ #18
+Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x55/0x70
+ print_address_description.constprop.0+0x27/0x310
+ kasan_report+0x10f/0x120
+ ? strncpy_from_user+0x1d6/0x1f0
+ strncpy_from_user+0x1d6/0x1f0
+ ? rmqueue.constprop.0+0x70d/0x2ad0
+ process_fetch_insn+0xb26/0x1470
+ ? __pfx_process_fetch_insn+0x10/0x10
+ ? _raw_spin_lock+0x85/0xe0
+ ? __pfx__raw_spin_lock+0x10/0x10
+ ? __pte_offset_map+0x1f/0x2d0
+ ? unwind_next_frame+0xc5f/0x1f80
+ ? arch_stack_walk+0x68/0xf0
+ ? is_bpf_text_address+0x23/0x30
+ ? kernel_text_address.part.0+0xbb/0xd0
+ ? __kernel_text_address+0x66/0xb0
+ ? unwind_get_return_address+0x5e/0xa0
+ ? __pfx_stack_trace_consume_entry+0x10/0x10
+ ? arch_stack_walk+0xa2/0xf0
+ ? _raw_spin_lock_irqsave+0x8b/0xf0
+ ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+ ? depot_alloc_stack+0x4c/0x1f0
+ ? _raw_spin_unlock_irqrestore+0xe/0x30
+ ? stack_depot_save_flags+0x35d/0x4f0
+ ? kasan_save_stack+0x34/0x50
+ ? kasan_save_stack+0x24/0x50
+ ? mutex_lock+0x91/0xe0
+ ? __pfx_mutex_lock+0x10/0x10
+ prepare_uprobe_buffer.part.0+0x2cd/0x500
+ uprobe_dispatcher+0x2c3/0x6a0
+ ? __pfx_uprobe_dispatcher+0x10/0x10
+ ? __kasan_slab_alloc+0x4d/0x90
+ handler_chain+0xdd/0x3e0
+ handle_swbp+0x26e/0x3d0
+ ? __pfx_handle_swbp+0x10/0x10
+ ? uprobe_pre_sstep_notifier+0x151/0x1b0
+ irqentry_exit_to_user_mode+0xe2/0x1b0
+ asm_exc_int3+0x39/0x40
+RIP: 0033:0x401199
+Code: 01 c2 0f b6 45 fb 88 02 83 45 fc 01 8b 45 fc 3b 45 e4 7c b7 8b 45 e4 48 98 48 8d 50 ff 48 8b 45 e8 48 01 d0 ce
+RSP: 002b:00007ffdf00576a8 EFLAGS: 00000206
+RAX: 00007ffdf00576b0 RBX: 0000000000000000 RCX: 0000000000000ff2
+RDX: 0000000000000ffc RSI: 0000000000000ffd RDI: 00007ffdf00576b0
+RBP: 00007ffdf00586b0 R08: 00007feb2f9c0d20 R09: 00007feb2f9c0d20
+R10: 0000000000000001 R11: 0000000000000202 R12: 0000000000401040
+R13: 00007ffdf0058780 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+
+This commit enforces the buffer's maxlen less than a page-size to avoid
+store_trace_args() out-of-memory access.
+
+Link: https://lore.kernel.org/all/20241015060148.1108331-1-mqaio@linux.alibaba.com/
+
+Fixes: dcad1a204f72 ("tracing/uprobes: Fetch args before reserving a ring buffer")
+Signed-off-by: Qiao Ma <mqaio@linux.alibaba.com>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Vamsi Krishna Brahmajosyula <vamsi-krishna.brahmajosyula@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_uprobe.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -862,6 +862,7 @@ struct uprobe_cpu_buffer {
+ };
+ static struct uprobe_cpu_buffer __percpu *uprobe_cpu_buffer;
+ static int uprobe_buffer_refcnt;
++#define MAX_UCB_BUFFER_SIZE PAGE_SIZE
+
+ static int uprobe_buffer_init(void)
+ {
+@@ -960,6 +961,11 @@ static struct uprobe_cpu_buffer *prepare
+ ucb = uprobe_buffer_get();
+ ucb->dsize = tu->tp.size + dsize;
+
++ if (WARN_ON_ONCE(ucb->dsize > MAX_UCB_BUFFER_SIZE)) {
++ ucb->dsize = MAX_UCB_BUFFER_SIZE;
++ dsize = MAX_UCB_BUFFER_SIZE - tu->tp.size;
++ }
++
+ store_trace_args(ucb->buf, &tu->tp, regs, esize, dsize);
+
+ return ucb;
+@@ -978,9 +984,6 @@ static void __uprobe_trace_func(struct t
+
+ WARN_ON(call != trace_file->event_call);
+
+- if (WARN_ON_ONCE(ucb->dsize > PAGE_SIZE))
+- return;
+-
+ if (trace_trigger_soft_disabled(trace_file))
+ return;
+
--- /dev/null
+From 3eaea21b4d27cff0017c20549aeb53034c58fc23 Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andrii@kernel.org>
+Date: Mon, 18 Mar 2024 11:17:26 -0700
+Subject: uprobes: encapsulate preparation of uprobe args buffer
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+commit 3eaea21b4d27cff0017c20549aeb53034c58fc23 upstream.
+
+Move the logic of fetching temporary per-CPU uprobe buffer and storing
+uprobes args into it to a new helper function. Store data size as part
+of this buffer, simplifying interfaces a bit, as now we only pass single
+uprobe_cpu_buffer reference around, instead of pointer + dsize.
+
+This logic was duplicated across uprobe_dispatcher and uretprobe_dispatcher,
+and now will be centralized. All this is also in preparation to make
+this uprobe_cpu_buffer handling logic optional in the next patch.
+
+Link: https://lore.kernel.org/all/20240318181728.2795838-2-andrii@kernel.org/
+[Masami: update for v6.9-rc3 kernel]
+
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Stable-dep-of: 373b9338c972 ("uprobe: avoid out-of-bounds memory access of fetching args")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Vamsi Krishna Brahmajosyula <vamsi-krishna.brahmajosyula@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_uprobe.c | 79 ++++++++++++++++++++++----------------------
+ 1 file changed, 41 insertions(+), 38 deletions(-)
+
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -858,6 +858,7 @@ static const struct file_operations upro
+ struct uprobe_cpu_buffer {
+ struct mutex mutex;
+ void *buf;
++ int dsize;
+ };
+ static struct uprobe_cpu_buffer __percpu *uprobe_cpu_buffer;
+ static int uprobe_buffer_refcnt;
+@@ -947,9 +948,26 @@ static void uprobe_buffer_put(struct upr
+ mutex_unlock(&ucb->mutex);
+ }
+
++static struct uprobe_cpu_buffer *prepare_uprobe_buffer(struct trace_uprobe *tu,
++ struct pt_regs *regs)
++{
++ struct uprobe_cpu_buffer *ucb;
++ int dsize, esize;
++
++ esize = SIZEOF_TRACE_ENTRY(is_ret_probe(tu));
++ dsize = __get_data_size(&tu->tp, regs);
++
++ ucb = uprobe_buffer_get();
++ ucb->dsize = tu->tp.size + dsize;
++
++ store_trace_args(ucb->buf, &tu->tp, regs, esize, dsize);
++
++ return ucb;
++}
++
+ static void __uprobe_trace_func(struct trace_uprobe *tu,
+ unsigned long func, struct pt_regs *regs,
+- struct uprobe_cpu_buffer *ucb, int dsize,
++ struct uprobe_cpu_buffer *ucb,
+ struct trace_event_file *trace_file)
+ {
+ struct uprobe_trace_entry_head *entry;
+@@ -960,14 +978,14 @@ static void __uprobe_trace_func(struct t
+
+ WARN_ON(call != trace_file->event_call);
+
+- if (WARN_ON_ONCE(tu->tp.size + dsize > PAGE_SIZE))
++ if (WARN_ON_ONCE(ucb->dsize > PAGE_SIZE))
+ return;
+
+ if (trace_trigger_soft_disabled(trace_file))
+ return;
+
+ esize = SIZEOF_TRACE_ENTRY(is_ret_probe(tu));
+- size = esize + tu->tp.size + dsize;
++ size = esize + ucb->dsize;
+ entry = trace_event_buffer_reserve(&fbuffer, trace_file, size);
+ if (!entry)
+ return;
+@@ -981,14 +999,14 @@ static void __uprobe_trace_func(struct t
+ data = DATAOF_TRACE_ENTRY(entry, false);
+ }
+
+- memcpy(data, ucb->buf, tu->tp.size + dsize);
++ memcpy(data, ucb->buf, ucb->dsize);
+
+ trace_event_buffer_commit(&fbuffer);
+ }
+
+ /* uprobe handler */
+ static int uprobe_trace_func(struct trace_uprobe *tu, struct pt_regs *regs,
+- struct uprobe_cpu_buffer *ucb, int dsize)
++ struct uprobe_cpu_buffer *ucb)
+ {
+ struct event_file_link *link;
+
+@@ -997,7 +1015,7 @@ static int uprobe_trace_func(struct trac
+
+ rcu_read_lock();
+ trace_probe_for_each_link_rcu(link, &tu->tp)
+- __uprobe_trace_func(tu, 0, regs, ucb, dsize, link->file);
++ __uprobe_trace_func(tu, 0, regs, ucb, link->file);
+ rcu_read_unlock();
+
+ return 0;
+@@ -1005,13 +1023,13 @@ static int uprobe_trace_func(struct trac
+
+ static void uretprobe_trace_func(struct trace_uprobe *tu, unsigned long func,
+ struct pt_regs *regs,
+- struct uprobe_cpu_buffer *ucb, int dsize)
++ struct uprobe_cpu_buffer *ucb)
+ {
+ struct event_file_link *link;
+
+ rcu_read_lock();
+ trace_probe_for_each_link_rcu(link, &tu->tp)
+- __uprobe_trace_func(tu, func, regs, ucb, dsize, link->file);
++ __uprobe_trace_func(tu, func, regs, ucb, link->file);
+ rcu_read_unlock();
+ }
+
+@@ -1339,7 +1357,7 @@ static bool uprobe_perf_filter(struct up
+
+ static void __uprobe_perf_func(struct trace_uprobe *tu,
+ unsigned long func, struct pt_regs *regs,
+- struct uprobe_cpu_buffer *ucb, int dsize)
++ struct uprobe_cpu_buffer *ucb)
+ {
+ struct trace_event_call *call = trace_probe_event_call(&tu->tp);
+ struct uprobe_trace_entry_head *entry;
+@@ -1360,7 +1378,7 @@ static void __uprobe_perf_func(struct tr
+
+ esize = SIZEOF_TRACE_ENTRY(is_ret_probe(tu));
+
+- size = esize + tu->tp.size + dsize;
++ size = esize + ucb->dsize;
+ size = ALIGN(size + sizeof(u32), sizeof(u64)) - sizeof(u32);
+ if (WARN_ONCE(size > PERF_MAX_TRACE_SIZE, "profile buffer not large enough"))
+ return;
+@@ -1383,13 +1401,10 @@ static void __uprobe_perf_func(struct tr
+ data = DATAOF_TRACE_ENTRY(entry, false);
+ }
+
+- memcpy(data, ucb->buf, tu->tp.size + dsize);
+-
+- if (size - esize > tu->tp.size + dsize) {
+- int len = tu->tp.size + dsize;
++ memcpy(data, ucb->buf, ucb->dsize);
+
+- memset(data + len, 0, size - esize - len);
+- }
++ if (size - esize > ucb->dsize)
++ memset(data + ucb->dsize, 0, size - esize - ucb->dsize);
+
+ perf_trace_buf_submit(entry, size, rctx, call->event.type, 1, regs,
+ head, NULL);
+@@ -1399,21 +1414,21 @@ static void __uprobe_perf_func(struct tr
+
+ /* uprobe profile handler */
+ static int uprobe_perf_func(struct trace_uprobe *tu, struct pt_regs *regs,
+- struct uprobe_cpu_buffer *ucb, int dsize)
++ struct uprobe_cpu_buffer *ucb)
+ {
+ if (!uprobe_perf_filter(&tu->consumer, 0, current->mm))
+ return UPROBE_HANDLER_REMOVE;
+
+ if (!is_ret_probe(tu))
+- __uprobe_perf_func(tu, 0, regs, ucb, dsize);
++ __uprobe_perf_func(tu, 0, regs, ucb);
+ return 0;
+ }
+
+ static void uretprobe_perf_func(struct trace_uprobe *tu, unsigned long func,
+ struct pt_regs *regs,
+- struct uprobe_cpu_buffer *ucb, int dsize)
++ struct uprobe_cpu_buffer *ucb)
+ {
+- __uprobe_perf_func(tu, func, regs, ucb, dsize);
++ __uprobe_perf_func(tu, func, regs, ucb);
+ }
+
+ int bpf_get_uprobe_info(const struct perf_event *event, u32 *fd_type,
+@@ -1479,10 +1494,8 @@ static int uprobe_dispatcher(struct upro
+ struct trace_uprobe *tu;
+ struct uprobe_dispatch_data udd;
+ struct uprobe_cpu_buffer *ucb;
+- int dsize, esize;
+ int ret = 0;
+
+-
+ tu = container_of(con, struct trace_uprobe, consumer);
+ tu->nhit++;
+
+@@ -1494,18 +1507,14 @@ static int uprobe_dispatcher(struct upro
+ if (WARN_ON_ONCE(!uprobe_cpu_buffer))
+ return 0;
+
+- dsize = __get_data_size(&tu->tp, regs);
+- esize = SIZEOF_TRACE_ENTRY(is_ret_probe(tu));
+-
+- ucb = uprobe_buffer_get();
+- store_trace_args(ucb->buf, &tu->tp, regs, esize, dsize);
++ ucb = prepare_uprobe_buffer(tu, regs);
+
+ if (trace_probe_test_flag(&tu->tp, TP_FLAG_TRACE))
+- ret |= uprobe_trace_func(tu, regs, ucb, dsize);
++ ret |= uprobe_trace_func(tu, regs, ucb);
+
+ #ifdef CONFIG_PERF_EVENTS
+ if (trace_probe_test_flag(&tu->tp, TP_FLAG_PROFILE))
+- ret |= uprobe_perf_func(tu, regs, ucb, dsize);
++ ret |= uprobe_perf_func(tu, regs, ucb);
+ #endif
+ uprobe_buffer_put(ucb);
+ return ret;
+@@ -1517,7 +1526,6 @@ static int uretprobe_dispatcher(struct u
+ struct trace_uprobe *tu;
+ struct uprobe_dispatch_data udd;
+ struct uprobe_cpu_buffer *ucb;
+- int dsize, esize;
+
+ tu = container_of(con, struct trace_uprobe, consumer);
+
+@@ -1529,18 +1537,13 @@ static int uretprobe_dispatcher(struct u
+ if (WARN_ON_ONCE(!uprobe_cpu_buffer))
+ return 0;
+
+- dsize = __get_data_size(&tu->tp, regs);
+- esize = SIZEOF_TRACE_ENTRY(is_ret_probe(tu));
+-
+- ucb = uprobe_buffer_get();
+- store_trace_args(ucb->buf, &tu->tp, regs, esize, dsize);
+-
++ ucb = prepare_uprobe_buffer(tu, regs);
+ if (trace_probe_test_flag(&tu->tp, TP_FLAG_TRACE))
+- uretprobe_trace_func(tu, func, regs, ucb, dsize);
++ uretprobe_trace_func(tu, func, regs, ucb);
+
+ #ifdef CONFIG_PERF_EVENTS
+ if (trace_probe_test_flag(&tu->tp, TP_FLAG_PROFILE))
+- uretprobe_perf_func(tu, func, regs, ucb, dsize);
++ uretprobe_perf_func(tu, func, regs, ucb);
+ #endif
+ uprobe_buffer_put(ucb);
+ return 0;
projects / thirdparty / kernel / stable-queue.git / commitdiff
