From: Sasha Levin Date: Fri, 11 Oct 2024 12:10:05 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v5.10.227~81 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1e8e7192b096c62942f9115754eae8144ae1d3c3;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/drm-crtc-fix-uninitialized-variable-use-even-harder.patch b/queue-5.10/drm-crtc-fix-uninitialized-variable-use-even-harder.patch new file mode 100644 index 00000000000..41b279d4a54 --- /dev/null +++ b/queue-5.10/drm-crtc-fix-uninitialized-variable-use-even-harder.patch @@ -0,0 +1,40 @@ +From 83c8cf9ab53888ba19d8ddde5dc085ee7a179664 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Feb 2024 13:55:34 -0800 +Subject: drm/crtc: fix uninitialized variable use even harder + +From: Rob Clark + +[ Upstream commit b6802b61a9d0e99dcfa6fff7c50db7c48a9623d3 ] + +DRM_MODESET_LOCK_ALL_BEGIN() has a hidden trap-door (aka retry loop), +which means we can't rely too much on variable initializers. + +Fixes: 6e455f5dcdd1 ("drm/crtc: fix uninitialized variable use") +Signed-off-by: Rob Clark +Reviewed-by: Daniel Vetter +Reviewed-by: Abhinav Kumar +Reviewed-by: Dmitry Baryshkov +Tested-by: Dmitry Baryshkov # sc7180, sdm845 +Link: https://patchwork.freedesktop.org/patch/msgid/20240212215534.190682-1-robdclark@gmail.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_crtc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c +index 4ed3fc28d4dab..5d2cbff02df12 100644 +--- a/drivers/gpu/drm/drm_crtc.c ++++ b/drivers/gpu/drm/drm_crtc.c +@@ -754,6 +754,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, + connector_set = NULL; + fb = NULL; + mode = NULL; ++ num_connectors = 0; + + DRM_MODESET_LOCK_ALL_END(dev, ctx, ret); + +-- +2.43.0 + diff --git a/queue-5.10/input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch b/queue-5.10/input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch new file mode 100644 index 00000000000..eadc55efed4 --- /dev/null +++ b/queue-5.10/input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch @@ -0,0 +1,55 @@ +From d2c0d8ff6b2d3299afa24f40e050467d8b3563ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 05:42:01 +0000 +Subject: Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal + +From: Mathias Krause + +commit fbf8d71742557abaf558d8efb96742d442720cc2 upstream. + +Calling irq_domain_remove() will lead to freeing the IRQ domain +prematurely. The domain is still referenced and will be attempted to get +used via rmi_free_function_list() -> rmi_unregister_function() -> +irq_dispose_mapping() -> irq_get_irq_data()'s ->domain pointer. + +With PaX's MEMORY_SANITIZE this will lead to an access fault when +attempting to dereference embedded pointers, as in Torsten's report that +was faulting on the 'domain->ops->unmap' test. + +Fix this by releasing the IRQ domain only after all related IRQs have +been deactivated. + +Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") +Reported-by: Torsten Hilbrich +Signed-off-by: Mathias Krause +Link: https://lore.kernel.org/r/20240222142654.856566-1-minipli@grsecurity.net +Signed-off-by: Dmitry Torokhov +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Sasha Levin +--- + drivers/input/rmi4/rmi_driver.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c +index aa32371f04af6..ef9ea295f9e03 100644 +--- a/drivers/input/rmi4/rmi_driver.c ++++ b/drivers/input/rmi4/rmi_driver.c +@@ -978,12 +978,12 @@ static int rmi_driver_remove(struct device *dev) + + rmi_disable_irq(rmi_dev, false); + +- irq_domain_remove(data->irqdomain); +- data->irqdomain = NULL; +- + rmi_f34_remove_sysfs(rmi_dev); + rmi_free_function_list(rmi_dev); + ++ irq_domain_remove(data->irqdomain); ++ data->irqdomain = NULL; ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-5.10/kallsyms-make-kallsyms_on_each_symbol-generally-avai.patch b/queue-5.10/kallsyms-make-kallsyms_on_each_symbol-generally-avai.patch new file mode 100644 index 00000000000..283ca51282c --- /dev/null +++ b/queue-5.10/kallsyms-make-kallsyms_on_each_symbol-generally-avai.patch @@ -0,0 +1,82 @@ +From c13d5ec497c48382911f5492d82595ae8bdb8d57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 15:29:45 -0700 +Subject: kallsyms: Make kallsyms_on_each_symbol generally available + +From: Jiri Olsa + +[ Upstream commit d721def7392a7348ffb9f3583b264239cbd3702c ] + +Making kallsyms_on_each_symbol generally available, so it can be +used outside CONFIG_LIVEPATCH option in following changes. + +Rather than adding another ifdef option let's make the function +generally available (when CONFIG_KALLSYMS option is defined). + +Cc: Christoph Hellwig +Reviewed-by: Masami Hiramatsu +Signed-off-by: Jiri Olsa +Link: https://lore.kernel.org/r/20220510122616.2652285-2-jolsa@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Stable-dep-of: b022f0c7e404 ("tracing/kprobes: Return EADDRNOTAVAIL when +func matches several symbols") +Signed-off-by: Sherry Yang +Signed-off-by: Sasha Levin +--- + include/linux/kallsyms.h | 7 ++++++- + kernel/kallsyms.c | 2 -- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/include/linux/kallsyms.h b/include/linux/kallsyms.h +index 465060acc9816..430f1cefbb9e1 100644 +--- a/include/linux/kallsyms.h ++++ b/include/linux/kallsyms.h +@@ -71,11 +71,11 @@ static inline void *dereference_symbol_descriptor(void *ptr) + return ptr; + } + ++#ifdef CONFIG_KALLSYMS + int kallsyms_on_each_symbol(int (*fn)(void *, const char *, struct module *, + unsigned long), + void *data); + +-#ifdef CONFIG_KALLSYMS + /* Lookup the address for a symbol. Returns 0 if not found. */ + unsigned long kallsyms_lookup_name(const char *name); + +@@ -155,6 +155,11 @@ static inline bool kallsyms_show_value(const struct cred *cred) + return false; + } + ++static inline int kallsyms_on_each_symbol(int (*fn)(void *, const char *, struct module *, ++ unsigned long), void *data) ++{ ++ return -EOPNOTSUPP; ++} + #endif /*CONFIG_KALLSYMS*/ + + static inline void print_ip_sym(const char *loglvl, unsigned long ip) +diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c +index 8043a90aa50ed..a0d3f0865916f 100644 +--- a/kernel/kallsyms.c ++++ b/kernel/kallsyms.c +@@ -177,7 +177,6 @@ unsigned long kallsyms_lookup_name(const char *name) + return module_kallsyms_lookup_name(name); + } + +-#ifdef CONFIG_LIVEPATCH + /* + * Iterate over all symbols in vmlinux. For symbols from modules use + * module_kallsyms_on_each_symbol instead. +@@ -199,7 +198,6 @@ int kallsyms_on_each_symbol(int (*fn)(void *, const char *, struct module *, + } + return 0; + } +-#endif /* CONFIG_LIVEPATCH */ + + static unsigned long get_symbol_pos(unsigned long addr, + unsigned long *symbolsize, +-- +2.43.0 + diff --git a/queue-5.10/kallsyms-make-module_kallsyms_on_each_symbol-general.patch b/queue-5.10/kallsyms-make-module_kallsyms_on_each_symbol-general.patch new file mode 100644 index 00000000000..cd7d6375189 --- /dev/null +++ b/queue-5.10/kallsyms-make-module_kallsyms_on_each_symbol-general.patch @@ -0,0 +1,79 @@ +From fbb3ba4e5e1c5f35eb35d421cc1b477bc377c3a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 15:29:46 -0700 +Subject: kallsyms: Make module_kallsyms_on_each_symbol generally available + +From: Jiri Olsa + +commit 73feb8d5fa3b755bb51077c0aabfb6aa556fd498 upstream. + +Making module_kallsyms_on_each_symbol generally available, so it +can be used outside CONFIG_LIVEPATCH option in following changes. + +Rather than adding another ifdef option let's make the function +generally available (when CONFIG_KALLSYMS and CONFIG_MODULES +options are defined). + +Cc: Christoph Hellwig +Acked-by: Song Liu +Signed-off-by: Jiri Olsa +Link: https://lore.kernel.org/r/20221025134148.3300700-2-jolsa@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 926fe783c8a6 ("tracing/kprobes: Fix symbol counting logic by looking at modules as well") +Signed-off-by: Markus Boehme +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 329197033bb0 ("tracing/kprobes: Fix symbol counting logic +by looking at modules as well") +Signed-off-by: Sherry Yang +Signed-off-by: Sasha Levin +--- + include/linux/module.h | 9 +++++++++ + kernel/module.c | 2 -- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/include/linux/module.h b/include/linux/module.h +index a55a40c28568e..63fe94e6ae6f1 100644 +--- a/include/linux/module.h ++++ b/include/linux/module.h +@@ -875,8 +875,17 @@ static inline bool module_sig_ok(struct module *module) + } + #endif /* CONFIG_MODULE_SIG */ + ++#if defined(CONFIG_MODULES) && defined(CONFIG_KALLSYMS) + int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *, + struct module *, unsigned long), + void *data); ++#else ++static inline int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *, ++ struct module *, unsigned long), ++ void *data) ++{ ++ return -EOPNOTSUPP; ++} ++#endif /* CONFIG_MODULES && CONFIG_KALLSYMS */ + + #endif /* _LINUX_MODULE_H */ +diff --git a/kernel/module.c b/kernel/module.c +index edc7b99cb16fa..7f3ba597af6c1 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -4444,7 +4444,6 @@ unsigned long module_kallsyms_lookup_name(const char *name) + return ret; + } + +-#ifdef CONFIG_LIVEPATCH + int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *, + struct module *, unsigned long), + void *data) +@@ -4475,7 +4474,6 @@ int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *, + mutex_unlock(&module_mutex); + return ret; + } +-#endif /* CONFIG_LIVEPATCH */ + #endif /* CONFIG_KALLSYMS */ + + /* Maximum number of characters written by module_flags() */ +-- +2.43.0 + diff --git a/queue-5.10/net-ethernet-cortina-drop-tso-support.patch b/queue-5.10/net-ethernet-cortina-drop-tso-support.patch new file mode 100644 index 00000000000..ee710389189 --- /dev/null +++ b/queue-5.10/net-ethernet-cortina-drop-tso-support.patch @@ -0,0 +1,88 @@ +From f53038aa6ffec2e121c51c3a5952252df2fb4e8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Jan 2024 01:12:22 +0100 +Subject: net: ethernet: cortina: Drop TSO support + +From: Linus Walleij + +[ Upstream commit ac631873c9e7a50d2a8de457cfc4b9f86666403e ] + +The recent change to allow large frames without hardware checksumming +slotted in software checksumming in the driver if hardware could not +do it. + +This will however upset TSO (TCP Segment Offloading). Typical +error dumps includes this: + +skb len=2961 headroom=222 headlen=66 tailroom=0 +(...) +WARNING: CPU: 0 PID: 956 at net/core/dev.c:3259 skb_warn_bad_offload+0x7c/0x108 +gemini-ethernet-port: caps=(0x0000010000154813, 0x00002007ffdd7889) + +And the packets do not go through. + +The TSO implementation is bogus: a TSO enabled driver must propagate +the skb_shinfo(skb)->gso_size value to the TSO engine on the NIC. + +Drop the size check and TSO offloading features for now: this +needs to be fixed up properly. + +After this ethernet works fine on Gemini devices with a direct connected +PHY such as D-Link DNS-313. + +Also tested to still be working with a DSA switch using the Gemini +ethernet as conduit interface. + +Link: https://lore.kernel.org/netdev/CANn89iJLfxng1sYL5Zk0mknXpyYQPCp83m3KgD2KJ2_hKCpEUg@mail.gmail.com/ +Suggested-by: Eric Dumazet +Fixes: d4d0c5b4d279 ("net: ethernet: cortina: Handle large frames") +Signed-off-by: Linus Walleij +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cortina/gemini.c | 15 ++------------- + 1 file changed, 2 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index fa46854fd697c..04a034cd5183f 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -80,8 +80,7 @@ MODULE_PARM_DESC(debug, "Debug level (0=none,...,16=all)"); + #define GMAC0_IRQ4_8 (GMAC0_MIB_INT_BIT | GMAC0_RX_OVERRUN_INT_BIT) + + #define GMAC_OFFLOAD_FEATURES (NETIF_F_SG | NETIF_F_IP_CSUM | \ +- NETIF_F_IPV6_CSUM | NETIF_F_RXCSUM | \ +- NETIF_F_TSO | NETIF_F_TSO_ECN | NETIF_F_TSO6) ++ NETIF_F_IPV6_CSUM | NETIF_F_RXCSUM) + + /** + * struct gmac_queue_page - page buffer per-page info +@@ -1149,23 +1148,13 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb, + struct gmac_txdesc *txd; + skb_frag_t *skb_frag; + dma_addr_t mapping; +- unsigned short mtu; + void *buffer; + int ret; + +- mtu = ETH_HLEN; +- mtu += netdev->mtu; +- if (skb->protocol == htons(ETH_P_8021Q)) +- mtu += VLAN_HLEN; +- ++ /* TODO: implement proper TSO using MTU in word3 */ + word1 = skb->len; + word3 = SOF_BIT; + +- if (word1 > mtu) { +- word1 |= TSS_MTU_ENABLE_BIT; +- word3 |= mtu; +- } +- + if (skb->len >= ETH_FRAME_LEN) { + /* Hardware offloaded checksumming isn't working on frames + * bigger than 1514 bytes. A hypothesis about this is that the +-- +2.43.0 + diff --git a/queue-5.10/s390-zcore-no-need-to-check-return-value-of-debugfs_.patch b/queue-5.10/s390-zcore-no-need-to-check-return-value-of-debugfs_.patch new file mode 100644 index 00000000000..585b79050b3 --- /dev/null +++ b/queue-5.10/s390-zcore-no-need-to-check-return-value-of-debugfs_.patch @@ -0,0 +1,60 @@ +From 8ea752ce4a33788843523afdad0c8669d3ae6617 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Feb 2021 11:21:05 +0100 +Subject: s390/zcore: no need to check return value of debugfs_create functions + +From: Alexander Egorenkov + +[ Upstream commit 7449ca87312a5b0390b765be65a126e6e5451026 ] + +When calling debugfs functions, there is no need to ever check the +return value. The function can work or not, but the code logic should +never do something different based on this. + +See commit 7dd541a3fb34 ("s390: no need to check return value of debugfs_create functions"). + +Signed-off-by: Alexander Egorenkov +Signed-off-by: Heiko Carstens +Stable-dep-of: 0b18c852cc6f ("tracing: Have saved_cmdlines arrays all in one allocation") +Signed-off-by: Sasha Levin +--- + drivers/s390/char/zcore.c | 18 +----------------- + 1 file changed, 1 insertion(+), 17 deletions(-) + +diff --git a/drivers/s390/char/zcore.c b/drivers/s390/char/zcore.c +index 3841c0e77df69..5f659fa9224a3 100644 +--- a/drivers/s390/char/zcore.c ++++ b/drivers/s390/char/zcore.c +@@ -302,28 +302,12 @@ static int __init zcore_init(void) + goto fail; + + zcore_dir = debugfs_create_dir("zcore" , NULL); +- if (!zcore_dir) { +- rc = -ENOMEM; +- goto fail; +- } + zcore_reipl_file = debugfs_create_file("reipl", S_IRUSR, zcore_dir, + NULL, &zcore_reipl_fops); +- if (!zcore_reipl_file) { +- rc = -ENOMEM; +- goto fail_dir; +- } + zcore_hsa_file = debugfs_create_file("hsa", S_IRUSR|S_IWUSR, zcore_dir, + NULL, &zcore_hsa_fops); +- if (!zcore_hsa_file) { +- rc = -ENOMEM; +- goto fail_reipl_file; +- } +- return 0; + +-fail_reipl_file: +- debugfs_remove(zcore_reipl_file); +-fail_dir: +- debugfs_remove(zcore_dir); ++ return 0; + fail: + diag308(DIAG308_REL_HSA, NULL); + return rc; +-- +2.43.0 + diff --git a/queue-5.10/s390-zcore-release-dump-save-area-on-restart-or-powe.patch b/queue-5.10/s390-zcore-release-dump-save-area-on-restart-or-powe.patch new file mode 100644 index 00000000000..5223e1f854f --- /dev/null +++ b/queue-5.10/s390-zcore-release-dump-save-area-on-restart-or-powe.patch @@ -0,0 +1,77 @@ +From 1aa06df8ec106228daa96889e6f252790296b28a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Feb 2021 14:28:52 +0100 +Subject: s390/zcore: release dump save area on restart or power down + +From: Alexander Egorenkov + +[ Upstream commit dabdfac0e85c8c1e811b10c08742f49285e78a17 ] + +The zFCP/NVMe standalone dumper is supposed to release the dump save area +resource as soon as possible but might fail to do so, for instance, if it +crashes. To avoid this situation, register a reboot notifier and ensure +the dump save area resource is released on reboot or power down. + +Signed-off-by: Alexander Egorenkov +Reviewed-by: Heiko Carstens +Signed-off-by: Heiko Carstens +Stable-dep-of: 0b18c852cc6f ("tracing: Have saved_cmdlines arrays all in one allocation") +Signed-off-by: Sasha Levin +--- + drivers/s390/char/zcore.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/drivers/s390/char/zcore.c b/drivers/s390/char/zcore.c +index 5f659fa9224a3..1aee6b2ae66fb 100644 +--- a/drivers/s390/char/zcore.c ++++ b/drivers/s390/char/zcore.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -247,6 +248,28 @@ static int __init zcore_reipl_init(void) + return 0; + } + ++static int zcore_reboot_and_on_panic_handler(struct notifier_block *self, ++ unsigned long event, ++ void *data) ++{ ++ if (hsa_available) ++ release_hsa(); ++ ++ return NOTIFY_OK; ++} ++ ++static struct notifier_block zcore_reboot_notifier = { ++ .notifier_call = zcore_reboot_and_on_panic_handler, ++ /* we need to be notified before reipl and kdump */ ++ .priority = INT_MAX, ++}; ++ ++static struct notifier_block zcore_on_panic_notifier = { ++ .notifier_call = zcore_reboot_and_on_panic_handler, ++ /* we need to be notified before reipl and kdump */ ++ .priority = INT_MAX, ++}; ++ + static int __init zcore_init(void) + { + unsigned char arch; +@@ -307,6 +330,9 @@ static int __init zcore_init(void) + zcore_hsa_file = debugfs_create_file("hsa", S_IRUSR|S_IWUSR, zcore_dir, + NULL, &zcore_hsa_fops); + ++ register_reboot_notifier(&zcore_reboot_notifier); ++ atomic_notifier_chain_register(&panic_notifier_list, &zcore_on_panic_notifier); ++ + return 0; + fail: + diag308(DIAG308_REL_HSA, NULL); +-- +2.43.0 + diff --git a/queue-5.10/series b/queue-5.10/series index ae5f260fa9d..b75289c8eeb 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -440,3 +440,15 @@ ext4-fix-inode-tree-inconsistency-caused-by-enomem.patch vhost-scsi-null-ptr-dereference-in-vhost_scsi_get_req.patch clk-imx6ul-fix-failed-to-get-parent-error.patch unicode-don-t-special-case-ignorable-code-points.patch +net-ethernet-cortina-drop-tso-support.patch +tracing-remove-precision-vsnprintf-check-from-print-.patch +drm-crtc-fix-uninitialized-variable-use-even-harder.patch +s390-zcore-no-need-to-check-return-value-of-debugfs_.patch +s390-zcore-release-dump-save-area-on-restart-or-powe.patch +tracing-have-saved_cmdlines-arrays-all-in-one-alloca.patch +virtio_console-fix-misc-probe-bugs.patch +kallsyms-make-kallsyms_on_each_symbol-generally-avai.patch +kallsyms-make-module_kallsyms_on_each_symbol-general.patch +tracing-kprobes-return-eaddrnotavail-when-func-match.patch +tracing-kprobes-fix-symbol-counting-logic-by-looking.patch +input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch diff --git a/queue-5.10/tracing-have-saved_cmdlines-arrays-all-in-one-alloca.patch b/queue-5.10/tracing-have-saved_cmdlines-arrays-all-in-one-alloca.patch new file mode 100644 index 00000000000..83abeb21171 --- /dev/null +++ b/queue-5.10/tracing-have-saved_cmdlines-arrays-all-in-one-alloca.patch @@ -0,0 +1,104 @@ +From f1fc32fddc4d664dadb302191b5cd33fe03eb70c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 09:06:14 -0500 +Subject: tracing: Have saved_cmdlines arrays all in one allocation + +From: Steven Rostedt (Google) + +[ Upstream commit 0b18c852cc6fb8284ac0ab97e3e840974a6a8a64 ] + +The saved_cmdlines have three arrays for mapping PIDs to COMMs: + + - map_pid_to_cmdline[] + - map_cmdline_to_pid[] + - saved_cmdlines + +The map_pid_to_cmdline[] is PID_MAX_DEFAULT in size and holds the index +into the other arrays. The map_cmdline_to_pid[] is a mapping back to the +full pid as it can be larger than PID_MAX_DEFAULT. And the +saved_cmdlines[] just holds the COMMs associated to the pids. + +Currently the map_pid_to_cmdline[] and saved_cmdlines[] are allocated +together (in reality the saved_cmdlines is just in the memory of the +rounding of the allocation of the structure as it is always allocated in +powers of two). The map_cmdline_to_pid[] array is allocated separately. + +Since the rounding to a power of two is rather large (it allows for 8000 +elements in saved_cmdlines), also include the map_cmdline_to_pid[] array. +(This drops it to 6000 by default, which is still plenty for most use +cases). This saves even more memory as the map_cmdline_to_pid[] array +doesn't need to be allocated. + +Link: https://lore.kernel.org/linux-trace-kernel/20240212174011.068211d9@gandalf.local.home/ +Link: https://lore.kernel.org/linux-trace-kernel/20240220140703.182330529@goodmis.org + +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Cc: Andrew Morton +Cc: Tim Chen +Cc: Vincent Donnefort +Cc: Sven Schnelle +Cc: Mete Durlu +Fixes: 44dc5c41b5b1 ("tracing: Fix wasted memory in saved_cmdlines logic") +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index b16291f4c5731..9f5b9036f001d 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -2244,6 +2244,10 @@ struct saved_cmdlines_buffer { + }; + static struct saved_cmdlines_buffer *savedcmd; + ++/* Holds the size of a cmdline and pid element */ ++#define SAVED_CMDLINE_MAP_ELEMENT_SIZE(s) \ ++ (TASK_COMM_LEN + sizeof((s)->map_cmdline_to_pid[0])) ++ + static inline char *get_saved_cmdlines(int idx) + { + return &savedcmd->saved_cmdlines[idx * TASK_COMM_LEN]; +@@ -2258,7 +2262,6 @@ static void free_saved_cmdlines_buffer(struct saved_cmdlines_buffer *s) + { + int order = get_order(sizeof(*s) + s->cmdline_num * TASK_COMM_LEN); + +- kfree(s->map_cmdline_to_pid); + kmemleak_free(s); + free_pages((unsigned long)s, order); + } +@@ -2271,7 +2274,7 @@ static struct saved_cmdlines_buffer *allocate_cmdlines_buffer(unsigned int val) + int order; + + /* Figure out how much is needed to hold the given number of cmdlines */ +- orig_size = sizeof(*s) + val * TASK_COMM_LEN; ++ orig_size = sizeof(*s) + val * SAVED_CMDLINE_MAP_ELEMENT_SIZE(s); + order = get_order(orig_size); + size = 1 << (order + PAGE_SHIFT); + page = alloc_pages(GFP_KERNEL, order); +@@ -2283,16 +2286,11 @@ static struct saved_cmdlines_buffer *allocate_cmdlines_buffer(unsigned int val) + memset(s, 0, sizeof(*s)); + + /* Round up to actual allocation */ +- val = (size - sizeof(*s)) / TASK_COMM_LEN; ++ val = (size - sizeof(*s)) / SAVED_CMDLINE_MAP_ELEMENT_SIZE(s); + s->cmdline_num = val; + +- s->map_cmdline_to_pid = kmalloc_array(val, +- sizeof(*s->map_cmdline_to_pid), +- GFP_KERNEL); +- if (!s->map_cmdline_to_pid) { +- free_saved_cmdlines_buffer(s); +- return NULL; +- } ++ /* Place map_cmdline_to_pid array right after saved_cmdlines */ ++ s->map_cmdline_to_pid = (unsigned *)&s->saved_cmdlines[val * TASK_COMM_LEN]; + + s->cmdline_idx = 0; + memset(&s->map_pid_to_cmdline, NO_CMDLINE_MAP, +-- +2.43.0 + diff --git a/queue-5.10/tracing-kprobes-fix-symbol-counting-logic-by-looking.patch b/queue-5.10/tracing-kprobes-fix-symbol-counting-logic-by-looking.patch new file mode 100644 index 00000000000..416835d92d7 --- /dev/null +++ b/queue-5.10/tracing-kprobes-fix-symbol-counting-logic-by-looking.patch @@ -0,0 +1,52 @@ +From c8ce567da9750645c1bd9c65fd11a23c8c0ef991 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 15:29:48 -0700 +Subject: tracing/kprobes: Fix symbol counting logic by looking at modules as + well + +From: Andrii Nakryiko + +commit 926fe783c8a64b33997fec405cf1af3e61aed441 upstream. + +Recent changes to count number of matching symbols when creating +a kprobe event failed to take into account kernel modules. As such, it +breaks kprobes on kernel module symbols, by assuming there is no match. + +Fix this my calling module_kallsyms_on_each_symbol() in addition to +kallsyms_on_each_match_symbol() to perform a proper counting. + +Link: https://lore.kernel.org/all/20231027233126.2073148-1-andrii@kernel.org/ + +Cc: Francis Laniel +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Steven Rostedt +Fixes: b022f0c7e404 ("tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols") +Signed-off-by: Andrii Nakryiko +Acked-by: Song Liu +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Markus Boehme +Signed-off-by: Greg Kroah-Hartman +[Sherry: It's a fix for previous backport, thus backport together] +Signed-off-by: Sherry Yang +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_kprobe.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c +index 91dfe8cf1ce8b..ae059345ddf4c 100644 +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -742,6 +742,8 @@ static unsigned int number_of_same_symbols(char *func_name) + + kallsyms_on_each_symbol(count_symbols, &args); + ++ module_kallsyms_on_each_symbol(count_symbols, &args); ++ + return args.count; + } + +-- +2.43.0 + diff --git a/queue-5.10/tracing-kprobes-return-eaddrnotavail-when-func-match.patch b/queue-5.10/tracing-kprobes-return-eaddrnotavail-when-func-match.patch new file mode 100644 index 00000000000..55b4aa29471 --- /dev/null +++ b/queue-5.10/tracing-kprobes-return-eaddrnotavail-when-func-match.patch @@ -0,0 +1,164 @@ +From 225b8fa07ad0b6a981d8d9bcf3742be0125e8f96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 15:29:47 -0700 +Subject: tracing/kprobes: Return EADDRNOTAVAIL when func matches several + symbols + +From: Francis Laniel + +commit b022f0c7e404887a7c5229788fc99eff9f9a80d5 upstream. + +When a kprobe is attached to a function that's name is not unique (is +static and shares the name with other functions in the kernel), the +kprobe is attached to the first function it finds. This is a bug as the +function that it is attaching to is not necessarily the one that the +user wants to attach to. + +Instead of blindly picking a function to attach to what is ambiguous, +error with EADDRNOTAVAIL to let the user know that this function is not +unique, and that the user must use another unique function with an +address offset to get to the function they want to attach to. + +Link: https://lore.kernel.org/all/20231020104250.9537-2-flaniel@linux.microsoft.com/ + +Cc: stable@vger.kernel.org +Fixes: 413d37d1eb69 ("tracing: Add kprobe-based event tracer") +Suggested-by: Masami Hiramatsu +Signed-off-by: Francis Laniel +Link: https://lore.kernel.org/lkml/20230819101105.b0c104ae4494a7d1f2eea742@kernel.org/ +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +[Sherry: 5.10.y added a new kselftest kprobe_non_uniq_symbol.tc by +backporting commit 09bcf9254838 ("selftests/ftrace: Add new test case which +checks non unique symbol"). However, 5.10.y didn't backport this commit which +provides unique symbol check suppport from kernel side. Minor conflicts due to +context change, ignore context change] +Signed-off-by: Sherry Yang +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_kprobe.c | 74 +++++++++++++++++++++++++++++++++++++ + kernel/trace/trace_probe.h | 1 + + 2 files changed, 75 insertions(+) + +diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c +index 5453af26ff764..91dfe8cf1ce8b 100644 +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -715,6 +715,36 @@ static inline void sanitize_event_name(char *name) + *name = '_'; + } + ++struct count_symbols_struct { ++ const char *func_name; ++ unsigned int count; ++}; ++ ++static int count_symbols(void *data, const char *name, struct module *unused0, ++ unsigned long unused1) ++{ ++ struct count_symbols_struct *args = data; ++ ++ if (strcmp(args->func_name, name)) ++ return 0; ++ ++ args->count++; ++ ++ return 0; ++} ++ ++static unsigned int number_of_same_symbols(char *func_name) ++{ ++ struct count_symbols_struct args = { ++ .func_name = func_name, ++ .count = 0, ++ }; ++ ++ kallsyms_on_each_symbol(count_symbols, &args); ++ ++ return args.count; ++} ++ + static int trace_kprobe_create(int argc, const char *argv[]) + { + /* +@@ -842,6 +872,31 @@ static int trace_kprobe_create(int argc, const char *argv[]) + } + } + ++ if (symbol && !strchr(symbol, ':')) { ++ unsigned int count; ++ ++ count = number_of_same_symbols(symbol); ++ if (count > 1) { ++ /* ++ * Users should use ADDR to remove the ambiguity of ++ * using KSYM only. ++ */ ++ trace_probe_log_err(0, NON_UNIQ_SYMBOL); ++ ret = -EADDRNOTAVAIL; ++ ++ goto error; ++ } else if (count == 0) { ++ /* ++ * We can return ENOENT earlier than when register the ++ * kprobe. ++ */ ++ trace_probe_log_err(0, BAD_PROBE_ADDR); ++ ret = -ENOENT; ++ ++ goto error; ++ } ++ } ++ + trace_probe_log_set_index(0); + if (event) { + ret = traceprobe_parse_event_name(&event, &group, buf, +@@ -1805,6 +1860,7 @@ static int unregister_kprobe_event(struct trace_kprobe *tk) + } + + #ifdef CONFIG_PERF_EVENTS ++ + /* create a trace_kprobe, but don't add it to global lists */ + struct trace_event_call * + create_local_trace_kprobe(char *func, void *addr, unsigned long offs, +@@ -1814,6 +1870,24 @@ create_local_trace_kprobe(char *func, void *addr, unsigned long offs, + int ret; + char *event; + ++ if (func) { ++ unsigned int count; ++ ++ count = number_of_same_symbols(func); ++ if (count > 1) ++ /* ++ * Users should use addr to remove the ambiguity of ++ * using func only. ++ */ ++ return ERR_PTR(-EADDRNOTAVAIL); ++ else if (count == 0) ++ /* ++ * We can return ENOENT earlier than when register the ++ * kprobe. ++ */ ++ return ERR_PTR(-ENOENT); ++ } ++ + /* + * local trace_kprobes are not added to dyn_event, so they are never + * searched in find_trace_kprobe(). Therefore, there is no concern of +diff --git a/kernel/trace/trace_probe.h b/kernel/trace/trace_probe.h +index d4a69b83902e1..22c05ca977587 100644 +--- a/kernel/trace/trace_probe.h ++++ b/kernel/trace/trace_probe.h +@@ -390,6 +390,7 @@ extern int traceprobe_define_arg_fields(struct trace_event_call *event_call, + C(BAD_MAXACT, "Invalid maxactive number"), \ + C(MAXACT_TOO_BIG, "Maxactive is too big"), \ + C(BAD_PROBE_ADDR, "Invalid probed address or symbol"), \ ++ C(NON_UNIQ_SYMBOL, "The symbol is not unique"), \ + C(BAD_RETPROBE, "Retprobe address must be an function entry"), \ + C(BAD_ADDR_SUFFIX, "Invalid probed address suffix"), \ + C(NO_GROUP_NAME, "Group name is not specified"), \ +-- +2.43.0 + diff --git a/queue-5.10/tracing-remove-precision-vsnprintf-check-from-print-.patch b/queue-5.10/tracing-remove-precision-vsnprintf-check-from-print-.patch new file mode 100644 index 00000000000..3beaddde005 --- /dev/null +++ b/queue-5.10/tracing-remove-precision-vsnprintf-check-from-print-.patch @@ -0,0 +1,69 @@ +From 05863ffae406209dced50ea821bb5e3cd9040d2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Mar 2024 17:43:41 -0500 +Subject: tracing: Remove precision vsnprintf() check from print event + +From: Steven Rostedt (Google) + +[ Upstream commit 5efd3e2aef91d2d812290dcb25b2058e6f3f532c ] + +This reverts 60be76eeabb3d ("tracing: Add size check when printing +trace_marker output"). The only reason the precision check was added +was because of a bug that miscalculated the write size of the string into +the ring buffer and it truncated it removing the terminating nul byte. On +reading the trace it crashed the kernel. But this was due to the bug in +the code that happened during development and should never happen in +practice. If anything, the precision can hide bugs where the string in the +ring buffer isn't nul terminated and it will not be checked. + +Link: https://lore.kernel.org/all/C7E7AF1A-D30F-4D18-B8E5-AF1EF58004F5@linux.ibm.com/ +Link: https://lore.kernel.org/linux-trace-kernel/20240227125706.04279ac2@gandalf.local.home +Link: https://lore.kernel.org/all/20240302111244.3a1674be@gandalf.local.home/ +Link: https://lore.kernel.org/linux-trace-kernel/20240304174341.2a561d9f@gandalf.local.home + +Cc: Masami Hiramatsu +Cc: Linus Torvalds +Fixes: 60be76eeabb3d ("tracing: Add size check when printing trace_marker output") +Reported-by: Sachin Sant +Tested-by: Sachin Sant +Reviewed-by: Mathieu Desnoyers +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_output.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c +index 753b84c50848a..94b0991717b6d 100644 +--- a/kernel/trace/trace_output.c ++++ b/kernel/trace/trace_output.c +@@ -1313,12 +1313,11 @@ static enum print_line_t trace_print_print(struct trace_iterator *iter, + { + struct print_entry *field; + struct trace_seq *s = &iter->seq; +- int max = iter->ent_size - offsetof(struct print_entry, buf); + + trace_assign_type(field, iter->ent); + + seq_print_ip_sym(s, field->ip, flags); +- trace_seq_printf(s, ": %.*s", max, field->buf); ++ trace_seq_printf(s, ": %s", field->buf); + + return trace_handle_return(s); + } +@@ -1327,11 +1326,10 @@ static enum print_line_t trace_print_raw(struct trace_iterator *iter, int flags, + struct trace_event *event) + { + struct print_entry *field; +- int max = iter->ent_size - offsetof(struct print_entry, buf); + + trace_assign_type(field, iter->ent); + +- trace_seq_printf(&iter->seq, "# %lx %.*s", field->ip, max, field->buf); ++ trace_seq_printf(&iter->seq, "# %lx %s", field->ip, field->buf); + + return trace_handle_return(&iter->seq); + } +-- +2.43.0 + diff --git a/queue-5.10/virtio_console-fix-misc-probe-bugs.patch b/queue-5.10/virtio_console-fix-misc-probe-bugs.patch new file mode 100644 index 00000000000..09eb2982154 --- /dev/null +++ b/queue-5.10/virtio_console-fix-misc-probe-bugs.patch @@ -0,0 +1,71 @@ +From 162d7ac0283953028ff1a442c79e918c74825fe4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2024 14:16:44 -0400 +Subject: virtio_console: fix misc probe bugs + +From: Michael S. Tsirkin + +[ Upstream commit b9efbe2b8f0177fa97bfab290d60858900aa196b ] + +This fixes the following issue discovered by code review: + +after vqs have been created, a buggy device can send an interrupt. + +A control vq callback will then try to schedule control_work which has +not been initialized yet. Similarly for config interrupt. Further, in +and out vq callbacks invoke find_port_by_vq which attempts to take +ports_lock which also has not been initialized. + +To fix, init all locks and work before creating vqs. + +Message-ID: +Fixes: 17634ba25544 ("virtio: console: Add a new MULTIPORT feature, support for generic ports") +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/char/virtio_console.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c +index 6d361420ffe82..1734b4341585c 100644 +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -2049,25 +2049,27 @@ static int virtcons_probe(struct virtio_device *vdev) + multiport = true; + } + +- err = init_vqs(portdev); +- if (err < 0) { +- dev_err(&vdev->dev, "Error %d initializing vqs\n", err); +- goto free_chrdev; +- } +- + spin_lock_init(&portdev->ports_lock); + INIT_LIST_HEAD(&portdev->ports); + INIT_LIST_HEAD(&portdev->list); + +- virtio_device_ready(portdev->vdev); +- + INIT_WORK(&portdev->config_work, &config_work_handler); + INIT_WORK(&portdev->control_work, &control_work_handler); + + if (multiport) { + spin_lock_init(&portdev->c_ivq_lock); + spin_lock_init(&portdev->c_ovq_lock); ++ } + ++ err = init_vqs(portdev); ++ if (err < 0) { ++ dev_err(&vdev->dev, "Error %d initializing vqs\n", err); ++ goto free_chrdev; ++ } ++ ++ virtio_device_ready(portdev->vdev); ++ ++ if (multiport) { + err = fill_queue(portdev->c_ivq, &portdev->c_ivq_lock); + if (err < 0) { + dev_err(&vdev->dev, +-- +2.43.0 +