From: Greg Kroah-Hartman Date: Mon, 22 Aug 2022 09:23:09 +0000 (+0200) Subject: 5.19-stable patches X-Git-Tag: v4.9.326~53 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=117da8206a3725507f41c3375ec2468028ca61a9;p=thirdparty%2Fkernel%2Fstable-queue.git 5.19-stable patches added patches: atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch fscache-don-t-leak-cookie-access-refs-if-invalidation-is-in-progress-or-failed.patch geneve-fix-tos-inheriting-for-ipv4.patch i2c-qcom-geni-fix-gpi-dma-buffer-sync-back.patch nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch nvme-fc-fix-the-fc_appid_store-return-value.patch perf-parse-events-fix-segfault-when-event-parser-gets-an-error.patch perf-probe-fix-an-error-handling-path-in-parse_perf_probe_command.patch perf-tests-fix-track-with-sched_switch-test-for-hybrid-case.patch tsnep-fix-tsnep_tx_unmap-error-path-usage.patch xen-xenbus-fix-return-type-in-xenbus_file_read.patch --- diff --git a/queue-5.19/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch b/queue-5.19/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch new file mode 100644 index 00000000000..2df54921dc8 --- /dev/null +++ b/queue-5.19/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch @@ -0,0 +1,51 @@ +From 3f4093e2bf4673f218c0bf17d8362337c400e77b Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Fri, 5 Aug 2022 15:00:08 +0800 +Subject: atm: idt77252: fix use-after-free bugs caused by tst_timer + +From: Duoming Zhou + +commit 3f4093e2bf4673f218c0bf17d8362337c400e77b upstream. + +There are use-after-free bugs caused by tst_timer. The root cause +is that there are no functions to stop tst_timer in idt77252_exit(). +One of the possible race conditions is shown below: + + (thread 1) | (thread 2) + | idt77252_init_one + | init_card + | fill_tst + | mod_timer(&card->tst_timer, ...) +idt77252_exit | (wait a time) + | tst_timer + | + | ... + kfree(card) // FREE | + | card->soft_tst[e] // USE + +The idt77252_dev is deallocated in idt77252_exit() and used in +timer handler. + +This patch adds del_timer_sync() in idt77252_exit() in order that +the timer handler could be stopped before the idt77252_dev is +deallocated. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Duoming Zhou +Link: https://lore.kernel.org/r/20220805070008.18007-1-duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/atm/idt77252.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/atm/idt77252.c ++++ b/drivers/atm/idt77252.c +@@ -3752,6 +3752,7 @@ static void __exit idt77252_exit(void) + card = idt77252_chain; + dev = card->atmdev; + idt77252_chain = card->next; ++ del_timer_sync(&card->tst_timer); + + if (dev->phy->stop) + dev->phy->stop(dev); diff --git a/queue-5.19/dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch b/queue-5.19/dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch new file mode 100644 index 00000000000..238c051cebe --- /dev/null +++ b/queue-5.19/dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch @@ -0,0 +1,34 @@ +From e34f49348f8b7a53205b6f77707a3a6a40cf420b Mon Sep 17 00:00:00 2001 +From: Chen Lin +Date: Thu, 11 Aug 2022 23:16:51 +0800 +Subject: dpaa2-eth: trace the allocated address instead of page struct + +From: Chen Lin + +commit e34f49348f8b7a53205b6f77707a3a6a40cf420b upstream. + +We should trace the allocated address instead of page struct. + +Fixes: 27c874867c4e ("dpaa2-eth: Use a single page per Rx buffer") +Signed-off-by: Chen Lin +Reviewed-by: Ioana Ciornei +Link: https://lore.kernel.org/r/20220811151651.3327-1-chen45464546@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +@@ -1660,8 +1660,8 @@ static int dpaa2_eth_add_bufs(struct dpa + buf_array[i] = addr; + + /* tracing point */ +- trace_dpaa2_eth_buf_seed(priv->net_dev, +- page, DPAA2_ETH_RX_BUF_RAW_SIZE, ++ trace_dpaa2_eth_buf_seed(priv->net_dev, page_address(page), ++ DPAA2_ETH_RX_BUF_RAW_SIZE, + addr, priv->rx_buf_size, + bpid); + } diff --git a/queue-5.19/fscache-don-t-leak-cookie-access-refs-if-invalidation-is-in-progress-or-failed.patch b/queue-5.19/fscache-don-t-leak-cookie-access-refs-if-invalidation-is-in-progress-or-failed.patch new file mode 100644 index 00000000000..1648ebf3082 --- /dev/null +++ b/queue-5.19/fscache-don-t-leak-cookie-access-refs-if-invalidation-is-in-progress-or-failed.patch @@ -0,0 +1,55 @@ +From fb24771faf72a2fd62b3b6287af3c610c3ec9cf1 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Fri, 5 Aug 2022 06:42:45 -0400 +Subject: fscache: don't leak cookie access refs if invalidation is in progress or failed + +From: Jeff Layton + +commit fb24771faf72a2fd62b3b6287af3c610c3ec9cf1 upstream. + +It's possible for a request to invalidate a fscache_cookie will come in +while we're already processing an invalidation. If that happens we +currently take an extra access reference that will leak. Only call +__fscache_begin_cookie_access if the FSCACHE_COOKIE_DO_INVALIDATE bit +was previously clear. + +Also, ensure that we attempt to clear the bit when the cookie is +"FAILED" and put the reference to avoid an access leak. + +Fixes: 85e4ea1049c7 ("fscache: Fix invalidation/lookup race") +Suggested-by: David Howells +Signed-off-by: Jeff Layton +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman +--- + fs/fscache/cookie.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c +index 74920826d8f6..26a6d395737a 100644 +--- a/fs/fscache/cookie.c ++++ b/fs/fscache/cookie.c +@@ -739,6 +739,9 @@ static void fscache_cookie_state_machine(struct fscache_cookie *cookie) + fallthrough; + + case FSCACHE_COOKIE_STATE_FAILED: ++ if (test_and_clear_bit(FSCACHE_COOKIE_DO_INVALIDATE, &cookie->flags)) ++ fscache_end_cookie_access(cookie, fscache_access_invalidate_cookie_end); ++ + if (atomic_read(&cookie->n_accesses) != 0) + break; + if (test_bit(FSCACHE_COOKIE_DO_RELINQUISH, &cookie->flags)) { +@@ -1063,8 +1066,8 @@ void __fscache_invalidate(struct fscache_cookie *cookie, + return; + + case FSCACHE_COOKIE_STATE_LOOKING_UP: +- __fscache_begin_cookie_access(cookie, fscache_access_invalidate_cookie); +- set_bit(FSCACHE_COOKIE_DO_INVALIDATE, &cookie->flags); ++ if (!test_and_set_bit(FSCACHE_COOKIE_DO_INVALIDATE, &cookie->flags)) ++ __fscache_begin_cookie_access(cookie, fscache_access_invalidate_cookie); + fallthrough; + case FSCACHE_COOKIE_STATE_CREATING: + spin_unlock(&cookie->lock); +-- +2.37.2 + diff --git a/queue-5.19/geneve-fix-tos-inheriting-for-ipv4.patch b/queue-5.19/geneve-fix-tos-inheriting-for-ipv4.patch new file mode 100644 index 00000000000..fe73574aa26 --- /dev/null +++ b/queue-5.19/geneve-fix-tos-inheriting-for-ipv4.patch @@ -0,0 +1,85 @@ +From b4ab94d6adaa5cf842b68bd28f4b50bc774496bd Mon Sep 17 00:00:00 2001 +From: Matthias May +Date: Fri, 5 Aug 2022 21:00:06 +0200 +Subject: geneve: fix TOS inheriting for ipv4 + +From: Matthias May + +commit b4ab94d6adaa5cf842b68bd28f4b50bc774496bd upstream. + +The current code retrieves the TOS field after the lookup +on the ipv4 routing table. The routing process currently +only allows routing based on the original 3 TOS bits, and +not on the full 6 DSCP bits. +As a result the retrieved TOS is cut to the 3 bits. +However for inheriting purposes the full 6 bits should be used. + +Extract the full 6 bits before the route lookup and use +that instead of the cut off 3 TOS bits. + +Fixes: e305ac6cf5a1 ("geneve: Add support to collect tunnel metadata.") +Signed-off-by: Matthias May +Acked-by: Guillaume Nault +Link: https://lore.kernel.org/r/20220805190006.8078-1-matthias.may@westermo.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/geneve.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -797,7 +797,8 @@ static struct rtable *geneve_get_v4_rt(s + struct geneve_sock *gs4, + struct flowi4 *fl4, + const struct ip_tunnel_info *info, +- __be16 dport, __be16 sport) ++ __be16 dport, __be16 sport, ++ __u8 *full_tos) + { + bool use_cache = ip_tunnel_dst_cache_usable(skb, info); + struct geneve_dev *geneve = netdev_priv(dev); +@@ -823,6 +824,8 @@ static struct rtable *geneve_get_v4_rt(s + use_cache = false; + } + fl4->flowi4_tos = RT_TOS(tos); ++ if (full_tos) ++ *full_tos = tos; + + dst_cache = (struct dst_cache *)&info->dst_cache; + if (use_cache) { +@@ -910,6 +913,7 @@ static int geneve_xmit_skb(struct sk_buf + const struct ip_tunnel_key *key = &info->key; + struct rtable *rt; + struct flowi4 fl4; ++ __u8 full_tos; + __u8 tos, ttl; + __be16 df = 0; + __be16 sport; +@@ -920,7 +924,7 @@ static int geneve_xmit_skb(struct sk_buf + + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info, +- geneve->cfg.info.key.tp_dst, sport); ++ geneve->cfg.info.key.tp_dst, sport, &full_tos); + if (IS_ERR(rt)) + return PTR_ERR(rt); + +@@ -964,7 +968,7 @@ static int geneve_xmit_skb(struct sk_buf + + df = key->tun_flags & TUNNEL_DONT_FRAGMENT ? htons(IP_DF) : 0; + } else { +- tos = ip_tunnel_ecn_encap(fl4.flowi4_tos, ip_hdr(skb), skb); ++ tos = ip_tunnel_ecn_encap(full_tos, ip_hdr(skb), skb); + if (geneve->cfg.ttl_inherit) + ttl = ip_tunnel_get_ttl(ip_hdr(skb), skb); + else +@@ -1148,7 +1152,7 @@ static int geneve_fill_metadata_dst(stru + 1, USHRT_MAX, true); + + rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info, +- geneve->cfg.info.key.tp_dst, sport); ++ geneve->cfg.info.key.tp_dst, sport, NULL); + if (IS_ERR(rt)) + return PTR_ERR(rt); + diff --git a/queue-5.19/i2c-qcom-geni-fix-gpi-dma-buffer-sync-back.patch b/queue-5.19/i2c-qcom-geni-fix-gpi-dma-buffer-sync-back.patch new file mode 100644 index 00000000000..6a48e75496b --- /dev/null +++ b/queue-5.19/i2c-qcom-geni-fix-gpi-dma-buffer-sync-back.patch @@ -0,0 +1,56 @@ +From 8689b80b22dbf1f5e993233370fe57f08731b14d Mon Sep 17 00:00:00 2001 +From: Robin Reckmann +Date: Sun, 7 Aug 2022 23:04:54 +0900 +Subject: i2c: qcom-geni: Fix GPI DMA buffer sync-back + +From: Robin Reckmann + +commit 8689b80b22dbf1f5e993233370fe57f08731b14d upstream. + +Fix i2c transfers using GPI DMA mode for all message types that do not set +the I2C_M_DMA_SAFE flag (e.g. SMBus "read byte"). + +In this case a bounce buffer is returned by i2c_get_dma_safe_msg_buf(), +and it has to synced back to the message after the transfer is done. + +Add missing assignment of dma buffer in geni_i2c_gpi(). + +Set xferred in i2c_put_dma_safe_msg_buf() to true in case of no error to +ensure the sync-back of this dma buffer to the message. + +Fixes: d8703554f4de ("i2c: qcom-geni: Add support for GPI DMA") +Signed-off-by: Robin Reckmann +Tested-by: Luca Weiss +Tested-by: Caleb Connolly +Reviewed-by: Konrad Dybcio +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-qcom-geni.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/i2c/busses/i2c-qcom-geni.c ++++ b/drivers/i2c/busses/i2c-qcom-geni.c +@@ -484,12 +484,12 @@ static void geni_i2c_gpi_unmap(struct ge + { + if (tx_buf) { + dma_unmap_single(gi2c->se.dev->parent, tx_addr, msg->len, DMA_TO_DEVICE); +- i2c_put_dma_safe_msg_buf(tx_buf, msg, false); ++ i2c_put_dma_safe_msg_buf(tx_buf, msg, !gi2c->err); + } + + if (rx_buf) { + dma_unmap_single(gi2c->se.dev->parent, rx_addr, msg->len, DMA_FROM_DEVICE); +- i2c_put_dma_safe_msg_buf(rx_buf, msg, false); ++ i2c_put_dma_safe_msg_buf(rx_buf, msg, !gi2c->err); + } + } + +@@ -553,6 +553,7 @@ static int geni_i2c_gpi(struct geni_i2c_ + desc->callback_param = gi2c; + + dmaengine_submit(desc); ++ *buf = dma_buf; + *dma_addr_p = addr; + + return 0; diff --git a/queue-5.19/nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch b/queue-5.19/nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch new file mode 100644 index 00000000000..14cccc5a49f --- /dev/null +++ b/queue-5.19/nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch @@ -0,0 +1,43 @@ +From 4ae97cae07e15d41e5c0ebabba64c6eefdeb0bbe Mon Sep 17 00:00:00 2001 +From: Yu Xiao +Date: Tue, 2 Aug 2022 10:33:55 +0100 +Subject: nfp: ethtool: fix the display error of `ethtool -m DEVNAME` + +From: Yu Xiao + +commit 4ae97cae07e15d41e5c0ebabba64c6eefdeb0bbe upstream. + +The port flag isn't set to `NFP_PORT_CHANGED` when using +`ethtool -m DEVNAME` before, so the port state (e.g. interface) +cannot be updated. Therefore, it caused that `ethtool -m DEVNAME` +sometimes cannot read the correct information. + +E.g. `ethtool -m DEVNAME` cannot work when load driver before plug +in optical module, as the port interface is still NONE without port +update. + +Now update the port state before sending info to NIC to ensure that +port interface is correct (latest state). + +Fixes: 61f7c6f44870 ("nfp: implement ethtool get module EEPROM") +Reviewed-by: Louis Peens +Signed-off-by: Yu Xiao +Signed-off-by: Simon Horman +Link: https://lore.kernel.org/r/20220802093355.69065-1-simon.horman@corigine.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c +@@ -1230,6 +1230,8 @@ nfp_port_get_module_info(struct net_devi + u8 data; + + port = nfp_port_from_netdev(netdev); ++ /* update port state to get latest interface */ ++ set_bit(NFP_PORT_CHANGED, &port->flags); + eth_port = nfp_port_get_eth_port(port); + if (!eth_port) + return -EOPNOTSUPP; diff --git a/queue-5.19/ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch b/queue-5.19/ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch new file mode 100644 index 00000000000..842fe115887 --- /dev/null +++ b/queue-5.19/ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch @@ -0,0 +1,52 @@ +From 45e1058b77feade4e36402828bfe3e0d3363177b Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 20 Jul 2022 21:28:18 +0300 +Subject: NTB: ntb_tool: uninitialized heap data in tool_fn_write() + +From: Dan Carpenter + +commit 45e1058b77feade4e36402828bfe3e0d3363177b upstream. + +The call to: + + ret = simple_write_to_buffer(buf, size, offp, ubuf, size); + +will return success if it is able to write even one byte to "buf". +The value of "*offp" controls which byte. This could result in +reading uninitialized data when we do the sscanf() on the next line. + +This code is not really desigined to handle partial writes where +*offp is non-zero and the "buf" is preserved and re-used between writes. +Just ban partial writes and replace the simple_write_to_buffer() with +copy_from_user(). + +Fixes: 578b881ba9c4 ("NTB: Add tool test client") +Signed-off-by: Dan Carpenter +Signed-off-by: Jon Mason +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ntb/test/ntb_tool.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/ntb/test/ntb_tool.c ++++ b/drivers/ntb/test/ntb_tool.c +@@ -367,14 +367,16 @@ static ssize_t tool_fn_write(struct tool + u64 bits; + int n; + ++ if (*offp) ++ return 0; ++ + buf = kmalloc(size + 1, GFP_KERNEL); + if (!buf) + return -ENOMEM; + +- ret = simple_write_to_buffer(buf, size, offp, ubuf, size); +- if (ret < 0) { ++ if (copy_from_user(buf, ubuf, size)) { + kfree(buf); +- return ret; ++ return -EFAULT; + } + + buf[size] = 0; diff --git a/queue-5.19/nvme-fc-fix-the-fc_appid_store-return-value.patch b/queue-5.19/nvme-fc-fix-the-fc_appid_store-return-value.patch new file mode 100644 index 00000000000..d7ba05948a7 --- /dev/null +++ b/queue-5.19/nvme-fc-fix-the-fc_appid_store-return-value.patch @@ -0,0 +1,51 @@ +From 9317d0014499182c77a03cd095e83bcfb0f53750 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Sat, 6 Aug 2022 10:29:55 +0200 +Subject: nvme-fc: fix the fc_appid_store return value + +From: Christoph Hellwig + +commit 9317d0014499182c77a03cd095e83bcfb0f53750 upstream. + +"nvme-fc: fold t fc_update_appid into fc_appid_store" accidentally +changed the userspace interface for the appid attribute, because the code +that decrements "count" to remove a trailing '\n' in the parsing results +in the decremented value being incorrectly be returned from the sysfs +write. Fix this by keeping an orig_count variable for the full length +of the write. + +Fixes: c814153c83a8 ("nvme-fc: fold t fc_update_appid into fc_appid_store") +Signed-off-by: Christoph Hellwig +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Ewan D. Milne +Reviewed-by: James Smart +Tested-by: Muneendra Kumar M +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/fc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index 8d14df8eeab8..127abaf9ba5d 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -3880,6 +3880,7 @@ static int fc_parse_cgrpid(const char *buf, u64 *id) + static ssize_t fc_appid_store(struct device *dev, + struct device_attribute *attr, const char *buf, size_t count) + { ++ size_t orig_count = count; + u64 cgrp_id; + int appid_len = 0; + int cgrpid_len = 0; +@@ -3904,7 +3905,7 @@ static ssize_t fc_appid_store(struct device *dev, + ret = blkcg_set_fc_appid(app_id, cgrp_id, sizeof(app_id)); + if (ret < 0) + return ret; +- return count; ++ return orig_count; + } + static DEVICE_ATTR(appid_store, 0200, NULL, fc_appid_store); + #endif /* CONFIG_BLK_CGROUP_FC_APPID */ +-- +2.37.2 + diff --git a/queue-5.19/perf-parse-events-fix-segfault-when-event-parser-gets-an-error.patch b/queue-5.19/perf-parse-events-fix-segfault-when-event-parser-gets-an-error.patch new file mode 100644 index 00000000000..46bfe2a59f9 --- /dev/null +++ b/queue-5.19/perf-parse-events-fix-segfault-when-event-parser-gets-an-error.patch @@ -0,0 +1,57 @@ +From 2e828582b81f5bc76a4fe8e7812df259ab208302 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Tue, 9 Aug 2022 11:07:00 +0300 +Subject: perf parse-events: Fix segfault when event parser gets an error + +From: Adrian Hunter + +commit 2e828582b81f5bc76a4fe8e7812df259ab208302 upstream. + +parse_events() is often called with parse_events_error set to NULL. +Make parse_events_error__handle() not segfault in that case. + +A subsequent patch changes to avoid passing NULL in the first place. + +Fixes: 43eb05d066795bdf ("perf tests: Support 'Track with sched_switch' test for hybrid") +Signed-off-by: Adrian Hunter +Cc: Ian Rogers +Cc: Jin Yao +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: https://lore.kernel.org/r/20220809080702.6921-2-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/parse-events.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/tools/perf/util/parse-events.c ++++ b/tools/perf/util/parse-events.c +@@ -2391,9 +2391,12 @@ void parse_events_error__exit(struct par + void parse_events_error__handle(struct parse_events_error *err, int idx, + char *str, char *help) + { +- if (WARN(!str, "WARNING: failed to provide error string\n")) { +- free(help); +- return; ++ if (WARN(!str, "WARNING: failed to provide error string\n")) ++ goto out_free; ++ if (!err) { ++ /* Assume caller does not want message printed */ ++ pr_debug("event syntax error: %s\n", str); ++ goto out_free; + } + switch (err->num_errors) { + case 0: +@@ -2419,6 +2422,11 @@ void parse_events_error__handle(struct p + break; + } + err->num_errors++; ++ return; ++ ++out_free: ++ free(str); ++ free(help); + } + + #define MAX_WIDTH 1000 diff --git a/queue-5.19/perf-probe-fix-an-error-handling-path-in-parse_perf_probe_command.patch b/queue-5.19/perf-probe-fix-an-error-handling-path-in-parse_perf_probe_command.patch new file mode 100644 index 00000000000..00dced208b7 --- /dev/null +++ b/queue-5.19/perf-probe-fix-an-error-handling-path-in-parse_perf_probe_command.patch @@ -0,0 +1,44 @@ +From 4bf6dcaa93bcd083a13c278a91418fe10e6d23a0 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sat, 6 Aug 2022 16:51:26 +0200 +Subject: perf probe: Fix an error handling path in 'parse_perf_probe_command()' + +From: Christophe JAILLET + +commit 4bf6dcaa93bcd083a13c278a91418fe10e6d23a0 upstream. + +If a memory allocation fail, we should branch to the error handling path +in order to free some resources allocated a few lines above. + +Fixes: 15354d54698648e2 ("perf probe: Generate event name with line number") +Signed-off-by: Christophe JAILLET +Acked-by: Masami Hiramatsu +Cc: Alexander Shishkin +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: kernel-janitors@vger.kernel.org +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/b71bcb01fa0c7b9778647235c3ab490f699ba278.1659797452.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/probe-event.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/tools/perf/util/probe-event.c ++++ b/tools/perf/util/probe-event.c +@@ -1775,8 +1775,10 @@ int parse_perf_probe_command(const char + if (!pev->event && pev->point.function && pev->point.line + && !pev->point.lazy_line && !pev->point.offset) { + if (asprintf(&pev->event, "%s_L%d", pev->point.function, +- pev->point.line) < 0) +- return -ENOMEM; ++ pev->point.line) < 0) { ++ ret = -ENOMEM; ++ goto out; ++ } + } + + /* Copy arguments and ensure return probe has no C argument */ diff --git a/queue-5.19/perf-tests-fix-track-with-sched_switch-test-for-hybrid-case.patch b/queue-5.19/perf-tests-fix-track-with-sched_switch-test-for-hybrid-case.patch new file mode 100644 index 00000000000..4cce405265c --- /dev/null +++ b/queue-5.19/perf-tests-fix-track-with-sched_switch-test-for-hybrid-case.patch @@ -0,0 +1,60 @@ +From 1da1d60774014137d776d0400fdf2f1779d8d4d5 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Tue, 9 Aug 2022 11:07:01 +0300 +Subject: perf tests: Fix Track with sched_switch test for hybrid case + +From: Adrian Hunter + +commit 1da1d60774014137d776d0400fdf2f1779d8d4d5 upstream. + +If cpu_core PMU event fails to parse, try also cpu_atom PMU event when +parsing cycles event. + +Fixes: 43eb05d066795bdf ("perf tests: Support 'Track with sched_switch' test for hybrid") +Signed-off-by: Adrian Hunter +Cc: Ian Rogers +Cc: Jin Yao +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: https://lore.kernel.org/r/20220809080702.6921-3-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/switch-tracking.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/tools/perf/tests/switch-tracking.c ++++ b/tools/perf/tests/switch-tracking.c +@@ -324,6 +324,7 @@ out_free_nodes: + static int test__switch_tracking(struct test_suite *test __maybe_unused, int subtest __maybe_unused) + { + const char *sched_switch = "sched:sched_switch"; ++ const char *cycles = "cycles:u"; + struct switch_tracking switch_tracking = { .tids = NULL, }; + struct record_opts opts = { + .mmap_pages = UINT_MAX, +@@ -372,12 +373,19 @@ static int test__switch_tracking(struct + cpu_clocks_evsel = evlist__last(evlist); + + /* Second event */ +- if (perf_pmu__has_hybrid()) +- err = parse_events(evlist, "cpu_core/cycles/u", NULL); +- else +- err = parse_events(evlist, "cycles:u", NULL); ++ if (perf_pmu__has_hybrid()) { ++ cycles = "cpu_core/cycles/u"; ++ err = parse_events(evlist, cycles, NULL); ++ if (err) { ++ cycles = "cpu_atom/cycles/u"; ++ pr_debug("Trying %s\n", cycles); ++ err = parse_events(evlist, cycles, NULL); ++ } ++ } else { ++ err = parse_events(evlist, cycles, NULL); ++ } + if (err) { +- pr_debug("Failed to parse event cycles:u\n"); ++ pr_debug("Failed to parse event %s\n", cycles); + goto out_err; + } + diff --git a/queue-5.19/series b/queue-5.19/series index e31c1eb8f99..a059b70314b 100644 --- a/queue-5.19/series +++ b/queue-5.19/series @@ -144,3 +144,16 @@ vdpa_sim_blk-set-number-of-address-spaces-and-virtqueue-groups.patch tools-testing-cxl-fix-cxl_hdm_decode_init-calling-convention.patch kbuild-dummy-tools-avoid-tmpdir-leak-in-dummy-gcc.patch tools-build-switch-to-new-openssl-api-for-test-libcrypto.patch +ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch +nfp-ethtool-fix-the-display-error-of-ethtool-m-devname.patch +xen-xenbus-fix-return-type-in-xenbus_file_read.patch +tsnep-fix-tsnep_tx_unmap-error-path-usage.patch +atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch +fscache-don-t-leak-cookie-access-refs-if-invalidation-is-in-progress-or-failed.patch +geneve-fix-tos-inheriting-for-ipv4.patch +nvme-fc-fix-the-fc_appid_store-return-value.patch +perf-probe-fix-an-error-handling-path-in-parse_perf_probe_command.patch +i2c-qcom-geni-fix-gpi-dma-buffer-sync-back.patch +perf-parse-events-fix-segfault-when-event-parser-gets-an-error.patch +perf-tests-fix-track-with-sched_switch-test-for-hybrid-case.patch +dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch diff --git a/queue-5.19/tsnep-fix-tsnep_tx_unmap-error-path-usage.patch b/queue-5.19/tsnep-fix-tsnep_tx_unmap-error-path-usage.patch new file mode 100644 index 00000000000..b611e7e2fc6 --- /dev/null +++ b/queue-5.19/tsnep-fix-tsnep_tx_unmap-error-path-usage.patch @@ -0,0 +1,64 @@ +From b3bb8628bf64440065976c71e4ab09186c393597 Mon Sep 17 00:00:00 2001 +From: Gerhard Engleder +Date: Thu, 4 Aug 2022 20:39:35 +0200 +Subject: tsnep: Fix tsnep_tx_unmap() error path usage + +From: Gerhard Engleder + +commit b3bb8628bf64440065976c71e4ab09186c393597 upstream. + +If tsnep_tx_map() fails, then tsnep_tx_unmap() shall start at the write +index like tsnep_tx_map(). This is different to the normal operation. +Thus, add an additional parameter to tsnep_tx_unmap() to enable start at +different positions for successful TX and failed TX. + +Fixes: 403f69bbdbad ("tsnep: Add TSN endpoint Ethernet MAC driver") +Signed-off-by: Gerhard Engleder +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/engleder/tsnep_main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/engleder/tsnep_main.c b/drivers/net/ethernet/engleder/tsnep_main.c +index d98199f3414b..a5f7152a1716 100644 +--- a/drivers/net/ethernet/engleder/tsnep_main.c ++++ b/drivers/net/ethernet/engleder/tsnep_main.c +@@ -340,14 +340,14 @@ static int tsnep_tx_map(struct sk_buff *skb, struct tsnep_tx *tx, int count) + return 0; + } + +-static void tsnep_tx_unmap(struct tsnep_tx *tx, int count) ++static void tsnep_tx_unmap(struct tsnep_tx *tx, int index, int count) + { + struct device *dmadev = tx->adapter->dmadev; + struct tsnep_tx_entry *entry; + int i; + + for (i = 0; i < count; i++) { +- entry = &tx->entry[(tx->read + i) % TSNEP_RING_SIZE]; ++ entry = &tx->entry[(index + i) % TSNEP_RING_SIZE]; + + if (entry->len) { + if (i == 0) +@@ -395,7 +395,7 @@ static netdev_tx_t tsnep_xmit_frame_ring(struct sk_buff *skb, + + retval = tsnep_tx_map(skb, tx, count); + if (retval != 0) { +- tsnep_tx_unmap(tx, count); ++ tsnep_tx_unmap(tx, tx->write, count); + dev_kfree_skb_any(entry->skb); + entry->skb = NULL; + +@@ -464,7 +464,7 @@ static bool tsnep_tx_poll(struct tsnep_tx *tx, int napi_budget) + if (skb_shinfo(entry->skb)->nr_frags > 0) + count += skb_shinfo(entry->skb)->nr_frags; + +- tsnep_tx_unmap(tx, count); ++ tsnep_tx_unmap(tx, tx->read, count); + + if ((skb_shinfo(entry->skb)->tx_flags & SKBTX_IN_PROGRESS) && + (__le32_to_cpu(entry->desc_wb->properties) & +-- +2.37.2 + diff --git a/queue-5.19/xen-xenbus-fix-return-type-in-xenbus_file_read.patch b/queue-5.19/xen-xenbus-fix-return-type-in-xenbus_file_read.patch new file mode 100644 index 00000000000..f116f03a96d --- /dev/null +++ b/queue-5.19/xen-xenbus-fix-return-type-in-xenbus_file_read.patch @@ -0,0 +1,48 @@ +From 32ad11127b95236dfc52375f3707853194a7f4b4 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 4 Aug 2022 10:11:33 +0300 +Subject: xen/xenbus: fix return type in xenbus_file_read() + +From: Dan Carpenter + +commit 32ad11127b95236dfc52375f3707853194a7f4b4 upstream. + +This code tries to store -EFAULT in an unsigned int. The +xenbus_file_read() function returns type ssize_t so the negative value +is returned as a positive value to the user. + +This change forces another change to the min() macro. Originally, the +min() macro used "unsigned" type which checkpatch complains about. Also +unsigned type would break if "len" were not capped at MAX_RW_COUNT. Use +size_t for the min(). (No effect on runtime for the min_t() change). + +Fixes: 2fb3683e7b16 ("xen: Add xenbus device driver") +Signed-off-by: Dan Carpenter +Reviewed-by: Oleksandr Tyshchenko +Link: https://lore.kernel.org/r/YutxJUaUYRG/VLVc@kili +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/xenbus/xenbus_dev_frontend.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/xen/xenbus/xenbus_dev_frontend.c ++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c +@@ -128,7 +128,7 @@ static ssize_t xenbus_file_read(struct f + { + struct xenbus_file_priv *u = filp->private_data; + struct read_buffer *rb; +- unsigned i; ++ ssize_t i; + int ret; + + mutex_lock(&u->reply_mutex); +@@ -148,7 +148,7 @@ again: + rb = list_entry(u->read_buffers.next, struct read_buffer, list); + i = 0; + while (i < len) { +- unsigned sz = min((unsigned)len - i, rb->len - rb->cons); ++ size_t sz = min_t(size_t, len - i, rb->len - rb->cons); + + ret = copy_to_user(ubuf + i, &rb->msg[rb->cons], sz); +