--- /dev/null
+From d447e794a37288ec7a080aa1b044a8d9deebbab7 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Wed, 11 Jan 2023 12:37:58 +0100
+Subject: cifs: Fix uninitialized memory read in smb3_qfs_tcon()
+
+From: Volker Lendecke <vl@samba.org>
+
+commit d447e794a37288ec7a080aa1b044a8d9deebbab7 upstream.
+
+oparms was not fully initialized
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2ops.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -859,12 +859,13 @@ smb3_qfs_tcon(const unsigned int xid, st
+ bool no_cached_open = tcon->nohandlecache;
+ struct cached_fid *cfid = NULL;
+
+- oparms.tcon = tcon;
+- oparms.desired_access = FILE_READ_ATTRIBUTES;
+- oparms.disposition = FILE_OPEN;
+- oparms.create_options = cifs_create_options(cifs_sb, 0);
+- oparms.fid = &fid;
+- oparms.reconnect = false;
++ oparms = (struct cifs_open_parms) {
++ .tcon = tcon,
++ .desired_access = FILE_READ_ATTRIBUTES,
++ .disposition = FILE_OPEN,
++ .create_options = cifs_create_options(cifs_sb, 0),
++ .fid = &fid,
++ };
+
+ if (no_cached_open) {
+ rc = SMB2_open(xid, &oparms, &srch_path, &oplock, NULL, NULL,
--- /dev/null
+From e9c9cb90e76ffaabcc7ca8f275d9e82195fd6367 Mon Sep 17 00:00:00 2001
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+Date: Mon, 23 Jan 2023 22:50:32 +0100
+Subject: s390: discard .interp section
+
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+
+commit e9c9cb90e76ffaabcc7ca8f275d9e82195fd6367 upstream.
+
+When debugging vmlinux with QEMU + GDB, the following GDB error may
+occur:
+
+ (gdb) c
+ Continuing.
+ Warning:
+ Cannot insert breakpoint -1.
+ Cannot access memory at address 0xffffffffffff95c0
+
+ Command aborted.
+ (gdb)
+
+The reason is that, when .interp section is present, GDB tries to
+locate the file specified in it in memory and put a number of
+breakpoints there (see enable_break() function in gdb/solib-svr4.c).
+Sometimes GDB finds a bogus location that matches its heuristics,
+fails to set a breakpoint and stops. This makes further debugging
+impossible.
+
+The .interp section contains misleading information anyway (vmlinux
+does not need ld.so), so fix by discarding it.
+
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/vmlinux.lds.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/s390/kernel/vmlinux.lds.S
++++ b/arch/s390/kernel/vmlinux.lds.S
+@@ -188,5 +188,6 @@ SECTIONS
+ DISCARDS
+ /DISCARD/ : {
+ *(.eh_frame)
++ *(.interp)
+ }
+ }
--- /dev/null
+From 8c42dd78df148c90e48efff204cce38743906a79 Mon Sep 17 00:00:00 2001
+From: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+Date: Mon, 27 Feb 2023 20:03:00 +0100
+Subject: s390/extmem: return correct segment type in __segment_load()
+
+From: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+
+commit 8c42dd78df148c90e48efff204cce38743906a79 upstream.
+
+Commit f05f62d04271f ("s390/vmem: get rid of memory segment list")
+reshuffled the call to vmem_add_mapping() in __segment_load(), which now
+overwrites rc after it was set to contain the segment type code.
+
+As result, __segment_load() will now always return 0 on success, which
+corresponds to the segment type code SEG_TYPE_SW, i.e. a writeable
+segment. This results in a kernel crash when loading a read-only segment
+as dcssblk block device, and trying to write to it.
+
+Instead of reshuffling code again, make sure to return the segment type
+on success, and also describe this rather delicate and unexpected logic
+in the function comment. Also initialize new segtype variable with
+invalid value, to prevent possible future confusion.
+
+Fixes: f05f62d04271 ("s390/vmem: get rid of memory segment list")
+Cc: <stable@vger.kernel.org> # 5.9+
+Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/mm/extmem.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/arch/s390/mm/extmem.c
++++ b/arch/s390/mm/extmem.c
+@@ -289,15 +289,17 @@ segment_overlaps_others (struct dcss_seg
+
+ /*
+ * real segment loading function, called from segment_load
++ * Must return either an error code < 0, or the segment type code >= 0
+ */
+ static int
+ __segment_load (char *name, int do_nonshared, unsigned long *addr, unsigned long *end)
+ {
+ unsigned long start_addr, end_addr, dummy;
+ struct dcss_segment *seg;
+- int rc, diag_cc;
++ int rc, diag_cc, segtype;
+
+ start_addr = end_addr = 0;
++ segtype = -1;
+ seg = kmalloc(sizeof(*seg), GFP_KERNEL | GFP_DMA);
+ if (seg == NULL) {
+ rc = -ENOMEM;
+@@ -326,9 +328,9 @@ __segment_load (char *name, int do_nonsh
+ seg->res_name[8] = '\0';
+ strlcat(seg->res_name, " (DCSS)", sizeof(seg->res_name));
+ seg->res->name = seg->res_name;
+- rc = seg->vm_segtype;
+- if (rc == SEG_TYPE_SC ||
+- ((rc == SEG_TYPE_SR || rc == SEG_TYPE_ER) && !do_nonshared))
++ segtype = seg->vm_segtype;
++ if (segtype == SEG_TYPE_SC ||
++ ((segtype == SEG_TYPE_SR || segtype == SEG_TYPE_ER) && !do_nonshared))
+ seg->res->flags |= IORESOURCE_READONLY;
+
+ /* Check for overlapping resources before adding the mapping. */
+@@ -386,7 +388,7 @@ __segment_load (char *name, int do_nonsh
+ out_free:
+ kfree(seg);
+ out:
+- return rc;
++ return rc < 0 ? rc : segtype;
+ }
+
+ /*
--- /dev/null
+From cd57953936f2213dfaccce10d20f396956222c7d Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Wed, 1 Mar 2023 17:58:06 +0100
+Subject: s390/kprobes: fix current_kprobe never cleared after kprobes reenter
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit cd57953936f2213dfaccce10d20f396956222c7d upstream.
+
+Recent test_kprobe_missed kprobes kunit test uncovers the following
+problem. Once kprobe is triggered from another kprobe (kprobe reenter),
+all future kprobes on this cpu are considered as kprobe reenter, thus
+pre_handler and post_handler are not being called and kprobes are counted
+as "missed".
+
+Commit b9599798f953 ("[S390] kprobes: activation and deactivation")
+introduced a simpler scheme for kprobes (de)activation and status
+tracking by using push_kprobe/pop_kprobe, which supposed to work for
+both initial kprobe entry as well as kprobe reentry and helps to avoid
+handling those two cases differently. The problem is that a sequence of
+calls in case of kprobes reenter:
+push_kprobe() <- NULL (current_kprobe)
+push_kprobe() <- kprobe1 (current_kprobe)
+pop_kprobe() -> kprobe1 (current_kprobe)
+pop_kprobe() -> kprobe1 (current_kprobe)
+leaves "kprobe1" as "current_kprobe" on this cpu, instead of setting it
+to NULL. In fact push_kprobe/pop_kprobe can only store a single state
+(there is just one prev_kprobe in kprobe_ctlblk). Which is a hack but
+sufficient, there is no need to have another prev_kprobe just to store
+NULL. To make a simple and backportable fix simply reset "prev_kprobe"
+when kprobe is poped from this "stack". No need to worry about
+"kprobe_status" in this case, because its value is only checked when
+current_kprobe != NULL.
+
+Cc: stable@vger.kernel.org
+Fixes: b9599798f953 ("[S390] kprobes: activation and deactivation")
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/kprobes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/s390/kernel/kprobes.c
++++ b/arch/s390/kernel/kprobes.c
+@@ -241,6 +241,7 @@ static void pop_kprobe(struct kprobe_ctl
+ {
+ __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
+ kcb->kprobe_status = kcb->prev_kprobe.status;
++ kcb->prev_kprobe.kp = NULL;
+ }
+ NOKPROBE_SYMBOL(pop_kprobe);
+
--- /dev/null
+From 42e19e6f04984088b6f9f0507c4c89a8152d9730 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Wed, 1 Mar 2023 02:23:08 +0100
+Subject: s390/kprobes: fix irq mask clobbering on kprobe reenter from post_handler
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit 42e19e6f04984088b6f9f0507c4c89a8152d9730 upstream.
+
+Recent test_kprobe_missed kprobes kunit test uncovers the following error
+(reported when CONFIG_DEBUG_ATOMIC_SLEEP is enabled):
+
+BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
+in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 662, name: kunit_try_catch
+preempt_count: 0, expected: 0
+RCU nest depth: 0, expected: 0
+no locks held by kunit_try_catch/662.
+irq event stamp: 280
+hardirqs last enabled at (279): [<00000003e60a3d42>] __do_pgm_check+0x17a/0x1c0
+hardirqs last disabled at (280): [<00000003e3bd774a>] kprobe_exceptions_notify+0x27a/0x318
+softirqs last enabled at (0): [<00000003e3c5c890>] copy_process+0x14a8/0x4c80
+softirqs last disabled at (0): [<0000000000000000>] 0x0
+CPU: 46 PID: 662 Comm: kunit_try_catch Tainted: G N 6.2.0-173644-g44c18d77f0c0 #2
+Hardware name: IBM 3931 A01 704 (LPAR)
+Call Trace:
+ [<00000003e60a3a00>] dump_stack_lvl+0x120/0x198
+ [<00000003e3d02e82>] __might_resched+0x60a/0x668
+ [<00000003e60b9908>] __mutex_lock+0xc0/0x14e0
+ [<00000003e60bad5a>] mutex_lock_nested+0x32/0x40
+ [<00000003e3f7b460>] unregister_kprobe+0x30/0xd8
+ [<00000003e51b2602>] test_kprobe_missed+0xf2/0x268
+ [<00000003e51b5406>] kunit_try_run_case+0x10e/0x290
+ [<00000003e51b7dfa>] kunit_generic_run_threadfn_adapter+0x62/0xb8
+ [<00000003e3ce30f8>] kthread+0x2d0/0x398
+ [<00000003e3b96afa>] __ret_from_fork+0x8a/0xe8
+ [<00000003e60ccada>] ret_from_fork+0xa/0x40
+
+The reason for this error report is that kprobes handling code failed
+to restore irqs.
+
+The problem is that when kprobe is triggered from another kprobe
+post_handler current sequence of enable_singlestep / disable_singlestep
+is the following:
+enable_singlestep <- original kprobe (saves kprobe_saved_imask)
+enable_singlestep <- kprobe triggered from post_handler (clobbers kprobe_saved_imask)
+disable_singlestep <- kprobe triggered from post_handler (restores kprobe_saved_imask)
+disable_singlestep <- original kprobe (restores wrong clobbered kprobe_saved_imask)
+
+There is just one kprobe_ctlblk per cpu and both calls saves and
+loads irq mask to kprobe_saved_imask. To fix the problem simply move
+resume_execution (which calls disable_singlestep) before calling
+post_handler. This also fixes the problem that post_handler is called
+with pt_regs which were not yet adjusted after single-stepping.
+
+Cc: stable@vger.kernel.org
+Fixes: 4ba069b802c2 ("[S390] add kprobes support.")
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/kprobes.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/s390/kernel/kprobes.c
++++ b/arch/s390/kernel/kprobes.c
+@@ -402,12 +402,11 @@ static int post_kprobe_handler(struct pt
+ if (!p)
+ return 0;
+
++ resume_execution(p, regs);
+ if (kcb->kprobe_status != KPROBE_REENTER && p->post_handler) {
+ kcb->kprobe_status = KPROBE_HIT_SSDONE;
+ p->post_handler(p, regs, 0);
+ }
+-
+- resume_execution(p, regs);
+ pop_kprobe(kcb);
+ preempt_enable_no_resched();
+
firmware-coreboot-framebuffer-ignore-reserved-pixel-color-bits.patch
rtc-pm8xxx-fix-set-alarm-race.patch
ipmi_ssif-rename-idle-state-and-check.patch
+s390-extmem-return-correct-segment-type-in-__segment_load.patch
+s390-discard-.interp-section.patch
+s390-kprobes-fix-irq-mask-clobbering-on-kprobe-reenter-from-post_handler.patch
+s390-kprobes-fix-current_kprobe-never-cleared-after-kprobes-reenter.patch
+cifs-fix-uninitialized-memory-read-in-smb3_qfs_tcon.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
