From: Greg Kroah-Hartman Date: Tue, 11 Apr 2023 11:40:04 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.15.107~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0299b816ca15e1f6499ae6618151c6733d4b4999;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: asoc-hdac_hdmi-use-set_stream-instead-of-set_tdm_slots.patch can-isotp-isotp_ops-fix-poll-to-not-report-false-epollout-events.patch can-j1939-j1939_tp_tx_dat_new-fix-out-of-bounds-memory-access.patch fs-drop-peer-group-ids-under-namespace-lock.patch ftrace-fix-issue-that-direct-addr-not-restored-in-modify_ftrace_direct.patch ftrace-mark-get_lock_parent_ip-__always_inline.patch tracing-free-error-logs-of-tracing-instances.patch --- diff --git a/queue-5.15/asoc-hdac_hdmi-use-set_stream-instead-of-set_tdm_slots.patch b/queue-5.15/asoc-hdac_hdmi-use-set_stream-instead-of-set_tdm_slots.patch new file mode 100644 index 00000000000..aa2a9466394 --- /dev/null +++ b/queue-5.15/asoc-hdac_hdmi-use-set_stream-instead-of-set_tdm_slots.patch @@ -0,0 +1,69 @@ +From f6887a71bdd2f0dcba9b8180dd2223cfa8637e85 Mon Sep 17 00:00:00 2001 +From: Jason Montleon +Date: Fri, 24 Mar 2023 13:07:11 -0400 +Subject: ASoC: hdac_hdmi: use set_stream() instead of set_tdm_slots() + +From: Jason Montleon + +commit f6887a71bdd2f0dcba9b8180dd2223cfa8637e85 upstream. + +hdac_hdmi was not updated to use set_stream() instead of set_tdm_slots() +in the original commit so HDMI no longer produces audio. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/regressions/CAJD_bPKQdtaExvVEKxhQ47G-ZXDA=k+gzhMJRHLBe=mysPnuKA@mail.gmail.com/ +Fixes: 636110411ca7 ("ASoC: Intel/SOF: use set_stream() instead of set_tdm_slots() for HDAudio") +Signed-off-by: Jason Montleon +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20230324170711.2526-1-jmontleo@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/hdac_hdmi.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/sound/soc/codecs/hdac_hdmi.c ++++ b/sound/soc/codecs/hdac_hdmi.c +@@ -436,23 +436,28 @@ static int hdac_hdmi_setup_audio_infofra + return 0; + } + +-static int hdac_hdmi_set_tdm_slot(struct snd_soc_dai *dai, +- unsigned int tx_mask, unsigned int rx_mask, +- int slots, int slot_width) ++static int hdac_hdmi_set_stream(struct snd_soc_dai *dai, ++ void *stream, int direction) + { + struct hdac_hdmi_priv *hdmi = snd_soc_dai_get_drvdata(dai); + struct hdac_device *hdev = hdmi->hdev; + struct hdac_hdmi_dai_port_map *dai_map; + struct hdac_hdmi_pcm *pcm; ++ struct hdac_stream *hstream; + +- dev_dbg(&hdev->dev, "%s: strm_tag: %d\n", __func__, tx_mask); ++ if (!stream) ++ return -EINVAL; ++ ++ hstream = (struct hdac_stream *)stream; ++ ++ dev_dbg(&hdev->dev, "%s: strm_tag: %d\n", __func__, hstream->stream_tag); + + dai_map = &hdmi->dai_map[dai->id]; + + pcm = hdac_hdmi_get_pcm_from_cvt(hdmi, dai_map->cvt); + + if (pcm) +- pcm->stream_tag = (tx_mask << 4); ++ pcm->stream_tag = (hstream->stream_tag << 4); + + return 0; + } +@@ -1544,7 +1549,7 @@ static const struct snd_soc_dai_ops hdmi + .startup = hdac_hdmi_pcm_open, + .shutdown = hdac_hdmi_pcm_close, + .hw_params = hdac_hdmi_set_hw_params, +- .set_tdm_slot = hdac_hdmi_set_tdm_slot, ++ .set_stream = hdac_hdmi_set_stream, + }; + + /* diff --git a/queue-5.15/can-isotp-isotp_ops-fix-poll-to-not-report-false-epollout-events.patch b/queue-5.15/can-isotp-isotp_ops-fix-poll-to-not-report-false-epollout-events.patch new file mode 100644 index 00000000000..17eed5993b9 --- /dev/null +++ b/queue-5.15/can-isotp-isotp_ops-fix-poll-to-not-report-false-epollout-events.patch @@ -0,0 +1,71 @@ +From 79e19fa79cb5d5f1b3bf3e3ae24989ccb93c7b7b Mon Sep 17 00:00:00 2001 +From: Michal Sojka +Date: Fri, 31 Mar 2023 14:55:11 +0200 +Subject: can: isotp: isotp_ops: fix poll() to not report false EPOLLOUT events + +From: Michal Sojka + +commit 79e19fa79cb5d5f1b3bf3e3ae24989ccb93c7b7b upstream. + +When using select()/poll()/epoll() with a non-blocking ISOTP socket to +wait for when non-blocking write is possible, a false EPOLLOUT event +is sometimes returned. This can happen at least after sending a +message which must be split to multiple CAN frames. + +The reason is that isotp_sendmsg() returns -EAGAIN when tx.state is +not equal to ISOTP_IDLE and this behavior is not reflected in +datagram_poll(), which is used in isotp_ops. + +This is fixed by introducing ISOTP-specific poll function, which +suppresses the EPOLLOUT events in that case. + +v2: https://lore.kernel.org/all/20230302092812.320643-1-michal.sojka@cvut.cz +v1: https://lore.kernel.org/all/20230224010659.48420-1-michal.sojka@cvut.cz + https://lore.kernel.org/all/b53a04a2-ba1f-3858-84c1-d3eb3301ae15@hartkopp.net + +Signed-off-by: Michal Sojka +Reported-by: Jakub Jira +Tested-by: Oliver Hartkopp +Acked-by: Oliver Hartkopp +Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") +Link: https://lore.kernel.org/all/20230331125511.372783-1-michal.sojka@cvut.cz +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/isotp.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/net/can/isotp.c ++++ b/net/can/isotp.c +@@ -1482,6 +1482,21 @@ static int isotp_init(struct sock *sk) + return 0; + } + ++static __poll_t isotp_poll(struct file *file, struct socket *sock, poll_table *wait) ++{ ++ struct sock *sk = sock->sk; ++ struct isotp_sock *so = isotp_sk(sk); ++ ++ __poll_t mask = datagram_poll(file, sock, wait); ++ poll_wait(file, &so->wait, wait); ++ ++ /* Check for false positives due to TX state */ ++ if ((mask & EPOLLWRNORM) && (so->tx.state != ISOTP_IDLE)) ++ mask &= ~(EPOLLOUT | EPOLLWRNORM); ++ ++ return mask; ++} ++ + static int isotp_sock_no_ioctlcmd(struct socket *sock, unsigned int cmd, + unsigned long arg) + { +@@ -1497,7 +1512,7 @@ static const struct proto_ops isotp_ops + .socketpair = sock_no_socketpair, + .accept = sock_no_accept, + .getname = isotp_getname, +- .poll = datagram_poll, ++ .poll = isotp_poll, + .ioctl = isotp_sock_no_ioctlcmd, + .gettstamp = sock_gettstamp, + .listen = sock_no_listen, diff --git a/queue-5.15/can-j1939-j1939_tp_tx_dat_new-fix-out-of-bounds-memory-access.patch b/queue-5.15/can-j1939-j1939_tp_tx_dat_new-fix-out-of-bounds-memory-access.patch new file mode 100644 index 00000000000..0f2cf2cd007 --- /dev/null +++ b/queue-5.15/can-j1939-j1939_tp_tx_dat_new-fix-out-of-bounds-memory-access.patch @@ -0,0 +1,53 @@ +From b45193cb4df556fe6251b285a5ce44046dd36b4a Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Tue, 4 Apr 2023 09:31:28 +0200 +Subject: can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access + +From: Oleksij Rempel + +commit b45193cb4df556fe6251b285a5ce44046dd36b4a upstream. + +In the j1939_tp_tx_dat_new() function, an out-of-bounds memory access +could occur during the memcpy() operation if the size of skb->cb is +larger than the size of struct j1939_sk_buff_cb. This is because the +memcpy() operation uses the size of skb->cb, leading to a read beyond +the struct j1939_sk_buff_cb. + +Updated the memcpy() operation to use the size of struct +j1939_sk_buff_cb instead of the size of skb->cb. This ensures that the +memcpy() operation only reads the memory within the bounds of struct +j1939_sk_buff_cb, preventing out-of-bounds memory access. + +Additionally, add a BUILD_BUG_ON() to check that the size of skb->cb +is greater than or equal to the size of struct j1939_sk_buff_cb. This +ensures that the skb->cb buffer is large enough to hold the +j1939_sk_buff_cb structure. + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Reported-by: Shuangpeng Bai +Tested-by: Shuangpeng Bai +Signed-off-by: Oleksij Rempel +Link: https://groups.google.com/g/syzkaller/c/G_LL-C3plRs/m/-8xCi6dCAgAJ +Link: https://lore.kernel.org/all/20230404073128.3173900-1-o.rempel@pengutronix.de +Cc: stable@vger.kernel.org +[mkl: rephrase commit message] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/transport.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -604,7 +604,10 @@ sk_buff *j1939_tp_tx_dat_new(struct j193 + /* reserve CAN header */ + skb_reserve(skb, offsetof(struct can_frame, data)); + +- memcpy(skb->cb, re_skcb, sizeof(skb->cb)); ++ /* skb->cb must be large enough to hold a j1939_sk_buff_cb structure */ ++ BUILD_BUG_ON(sizeof(skb->cb) < sizeof(*re_skcb)); ++ ++ memcpy(skb->cb, re_skcb, sizeof(*re_skcb)); + skcb = j1939_skb_to_cb(skb); + if (swap_src_dst) + j1939_skbcb_swap(skcb); diff --git a/queue-5.15/fs-drop-peer-group-ids-under-namespace-lock.patch b/queue-5.15/fs-drop-peer-group-ids-under-namespace-lock.patch new file mode 100644 index 00000000000..06e4eeb3ca3 --- /dev/null +++ b/queue-5.15/fs-drop-peer-group-ids-under-namespace-lock.patch @@ -0,0 +1,37 @@ +From cb2239c198ad9fbd5aced22cf93e45562da781eb Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Thu, 30 Mar 2023 09:13:16 +0200 +Subject: fs: drop peer group ids under namespace lock + +From: Christian Brauner + +commit cb2239c198ad9fbd5aced22cf93e45562da781eb upstream. + +When cleaning up peer group ids in the failure path we need to make sure +to hold on to the namespace lock. Otherwise another thread might just +turn the mount from a shared into a non-shared mount concurrently. + +Link: https://lore.kernel.org/lkml/00000000000088694505f8132d77@google.com +Fixes: 2a1867219c7b ("fs: add mount_setattr()") +Reported-by: syzbot+8ac3859139c685c4f597@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org # 5.12+ +Message-Id: <20230330-vfs-mount_setattr-propagation-fix-v1-1-37548d91533b@kernel.org> +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/namespace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -4121,9 +4121,9 @@ static int do_mount_setattr(struct path + unlock_mount_hash(); + + if (kattr->propagation) { +- namespace_unlock(); + if (err) + cleanup_group_ids(mnt, NULL); ++ namespace_unlock(); + } + + return err; diff --git a/queue-5.15/ftrace-fix-issue-that-direct-addr-not-restored-in-modify_ftrace_direct.patch b/queue-5.15/ftrace-fix-issue-that-direct-addr-not-restored-in-modify_ftrace_direct.patch new file mode 100644 index 00000000000..f311cc33c97 --- /dev/null +++ b/queue-5.15/ftrace-fix-issue-that-direct-addr-not-restored-in-modify_ftrace_direct.patch @@ -0,0 +1,56 @@ +From 2a2d8c51defb446e8d89a83f42f8e5cd529111e9 Mon Sep 17 00:00:00 2001 +From: Zheng Yejian +Date: Thu, 30 Mar 2023 10:52:23 +0800 +Subject: ftrace: Fix issue that 'direct->addr' not restored in modify_ftrace_direct() + +From: Zheng Yejian + +commit 2a2d8c51defb446e8d89a83f42f8e5cd529111e9 upstream. + +Syzkaller report a WARNING: "WARN_ON(!direct)" in modify_ftrace_direct(). + +Root cause is 'direct->addr' was changed from 'old_addr' to 'new_addr' but +not restored if error happened on calling ftrace_modify_direct_caller(). +Then it can no longer find 'direct' by that 'old_addr'. + +To fix it, restore 'direct->addr' to 'old_addr' explicitly in error path. + +Link: https://lore.kernel.org/linux-trace-kernel/20230330025223.1046087-1-zhengyejian1@huawei.com + +Cc: stable@vger.kernel.org +Cc: +Cc: +Cc: +Cc: +Fixes: 8a141dd7f706 ("ftrace: Fix modify_ftrace_direct.") +Signed-off-by: Zheng Yejian +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -5383,12 +5383,15 @@ int modify_ftrace_direct(unsigned long i + ret = 0; + } + +- if (unlikely(ret && new_direct)) { +- direct->count++; +- list_del_rcu(&new_direct->next); +- synchronize_rcu_tasks(); +- kfree(new_direct); +- ftrace_direct_func_count--; ++ if (ret) { ++ direct->addr = old_addr; ++ if (unlikely(new_direct)) { ++ direct->count++; ++ list_del_rcu(&new_direct->next); ++ synchronize_rcu_tasks(); ++ kfree(new_direct); ++ ftrace_direct_func_count--; ++ } + } + + out_unlock: diff --git a/queue-5.15/ftrace-mark-get_lock_parent_ip-__always_inline.patch b/queue-5.15/ftrace-mark-get_lock_parent_ip-__always_inline.patch new file mode 100644 index 00000000000..ba269bff57c --- /dev/null +++ b/queue-5.15/ftrace-mark-get_lock_parent_ip-__always_inline.patch @@ -0,0 +1,37 @@ +From ea65b41807a26495ff2a73dd8b1bab2751940887 Mon Sep 17 00:00:00 2001 +From: John Keeping +Date: Mon, 27 Mar 2023 18:36:46 +0100 +Subject: ftrace: Mark get_lock_parent_ip() __always_inline + +From: John Keeping + +commit ea65b41807a26495ff2a73dd8b1bab2751940887 upstream. + +If the compiler decides not to inline this function then preemption +tracing will always show an IP inside the preemption disabling path and +never the function actually calling preempt_{enable,disable}. + +Link: https://lore.kernel.org/linux-trace-kernel/20230327173647.1690849-1-john@metanate.com + +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: stable@vger.kernel.org +Fixes: f904f58263e1d ("sched/debug: Fix preempt_disable_ip recording for preempt_disable()") +Signed-off-by: John Keeping +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/ftrace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/ftrace.h ++++ b/include/linux/ftrace.h +@@ -850,7 +850,7 @@ static inline void __ftrace_enabled_rest + #define CALLER_ADDR5 ((unsigned long)ftrace_return_address(5)) + #define CALLER_ADDR6 ((unsigned long)ftrace_return_address(6)) + +-static inline unsigned long get_lock_parent_ip(void) ++static __always_inline unsigned long get_lock_parent_ip(void) + { + unsigned long addr = CALLER_ADDR0; + diff --git a/queue-5.15/series b/queue-5.15/series index 58cee1903cd..ffab84e7499 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -78,3 +78,10 @@ smb3-allow-deferred-close-timeout-to-be-configurable.patch smb3-lower-default-deferred-close-timeout-to-address.patch cifs-sanitize-paths-in-cifs_update_super_prepath.patch perf-core-fix-the-same-task-check-in-perf_event_set_.patch +ftrace-mark-get_lock_parent_ip-__always_inline.patch +ftrace-fix-issue-that-direct-addr-not-restored-in-modify_ftrace_direct.patch +fs-drop-peer-group-ids-under-namespace-lock.patch +can-j1939-j1939_tp_tx_dat_new-fix-out-of-bounds-memory-access.patch +can-isotp-isotp_ops-fix-poll-to-not-report-false-epollout-events.patch +tracing-free-error-logs-of-tracing-instances.patch +asoc-hdac_hdmi-use-set_stream-instead-of-set_tdm_slots.patch diff --git a/queue-5.15/tracing-free-error-logs-of-tracing-instances.patch b/queue-5.15/tracing-free-error-logs-of-tracing-instances.patch new file mode 100644 index 00000000000..cc2fd83a43f --- /dev/null +++ b/queue-5.15/tracing-free-error-logs-of-tracing-instances.patch @@ -0,0 +1,93 @@ +From 3357c6e429643231e60447b52ffbb7ac895aca22 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Google)" +Date: Tue, 4 Apr 2023 19:45:04 -0400 +Subject: tracing: Free error logs of tracing instances + +From: Steven Rostedt (Google) + +commit 3357c6e429643231e60447b52ffbb7ac895aca22 upstream. + +When a tracing instance is removed, the error messages that hold errors +that occurred in the instance needs to be freed. The following reports a +memory leak: + + # cd /sys/kernel/tracing + # mkdir instances/foo + # echo 'hist:keys=x' > instances/foo/events/sched/sched_switch/trigger + # cat instances/foo/error_log + [ 117.404795] hist:sched:sched_switch: error: Couldn't find field + Command: hist:keys=x + ^ + # rmdir instances/foo + +Then check for memory leaks: + + # echo scan > /sys/kernel/debug/kmemleak + # cat /sys/kernel/debug/kmemleak +unreferenced object 0xffff88810d8ec700 (size 192): + comm "bash", pid 869, jiffies 4294950577 (age 215.752s) + hex dump (first 32 bytes): + 60 dd 68 61 81 88 ff ff 60 dd 68 61 81 88 ff ff `.ha....`.ha.... + a0 30 8c 83 ff ff ff ff 26 00 0a 00 00 00 00 00 .0......&....... + backtrace: + [<00000000dae26536>] kmalloc_trace+0x2a/0xa0 + [<00000000b2938940>] tracing_log_err+0x277/0x2e0 + [<000000004a0e1b07>] parse_atom+0x966/0xb40 + [<0000000023b24337>] parse_expr+0x5f3/0xdb0 + [<00000000594ad074>] event_hist_trigger_parse+0x27f8/0x3560 + [<00000000293a9645>] trigger_process_regex+0x135/0x1a0 + [<000000005c22b4f2>] event_trigger_write+0x87/0xf0 + [<000000002cadc509>] vfs_write+0x162/0x670 + [<0000000059c3b9be>] ksys_write+0xca/0x170 + [<00000000f1cddc00>] do_syscall_64+0x3e/0xc0 + [<00000000868ac68c>] entry_SYSCALL_64_after_hwframe+0x72/0xdc +unreferenced object 0xffff888170c35a00 (size 32): + comm "bash", pid 869, jiffies 4294950577 (age 215.752s) + hex dump (first 32 bytes): + 0a 20 20 43 6f 6d 6d 61 6e 64 3a 20 68 69 73 74 . Command: hist + 3a 6b 65 79 73 3d 78 0a 00 00 00 00 00 00 00 00 :keys=x......... + backtrace: + [<000000006a747de5>] __kmalloc+0x4d/0x160 + [<000000000039df5f>] tracing_log_err+0x29b/0x2e0 + [<000000004a0e1b07>] parse_atom+0x966/0xb40 + [<0000000023b24337>] parse_expr+0x5f3/0xdb0 + [<00000000594ad074>] event_hist_trigger_parse+0x27f8/0x3560 + [<00000000293a9645>] trigger_process_regex+0x135/0x1a0 + [<000000005c22b4f2>] event_trigger_write+0x87/0xf0 + [<000000002cadc509>] vfs_write+0x162/0x670 + [<0000000059c3b9be>] ksys_write+0xca/0x170 + [<00000000f1cddc00>] do_syscall_64+0x3e/0xc0 + [<00000000868ac68c>] entry_SYSCALL_64_after_hwframe+0x72/0xdc + +The problem is that the error log needs to be freed when the instance is +removed. + +Link: https://lore.kernel.org/lkml/76134d9f-a5ba-6a0d-37b3-28310b4a1e91@alu.unizg.hr/ +Link: https://lore.kernel.org/linux-trace-kernel/20230404194504.5790b95f@gandalf.local.home + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Andrew Morton +Cc: Mark Rutland +Cc: Thorsten Leemhuis +Cc: Ulf Hansson +Cc: Eric Biggers +Fixes: 2f754e771b1a6 ("tracing: Have the error logs show up in the proper instances") +Reported-by: Mirsad Goran Todorovac +Tested-by: Mirsad Todorovac +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -9416,6 +9416,7 @@ static int __remove_instance(struct trac + tracefs_remove(tr->dir); + free_percpu(tr->last_func_repeats); + free_trace_buffers(tr); ++ clear_tracing_err_log(tr); + + for (i = 0; i < tr->nr_topts; i++) { + kfree(tr->topts[i].topts);