From: Greg Kroah-Hartman Date: Fri, 15 Nov 2024 05:24:22 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v4.19.324~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5638d9d4f39346bbbea780cb0c1a085ea2395421;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: bluetooth-l2cap-fix-uaf-in-l2cap_connect.patch drm-amdkfd-amdkfd_free_gtt_mem-clear-the-correct-pointer.patch ext4-fix-timer-use-after-free-on-failed-mount.patch fs-ntfs3-fix-general-protection-fault-in-run_is_mapped_full.patch io_uring-fix-possible-deadlock-in-io_register_iowq_max_workers.patch md-raid10-improve-code-of-mrdev-in-raid10_sync_request.patch mm-krealloc-fix-mte-false-alarm-in-__do_krealloc.patch platform-x86-x86-android-tablets-fix-use-after-free-on-platform_device_register-errors.patch uprobe-avoid-out-of-bounds-memory-access-of-fetching-args.patch uprobes-encapsulate-preparation-of-uprobe-args-buffer.patch --- diff --git a/queue-6.1/bluetooth-l2cap-fix-uaf-in-l2cap_connect.patch b/queue-6.1/bluetooth-l2cap-fix-uaf-in-l2cap_connect.patch new file mode 100644 index 00000000000..bcef391b726 --- /dev/null +++ b/queue-6.1/bluetooth-l2cap-fix-uaf-in-l2cap_connect.patch @@ -0,0 +1,124 @@ +From 333b4fd11e89b29c84c269123f871883a30be586 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Mon, 23 Sep 2024 12:47:39 -0400 +Subject: Bluetooth: L2CAP: Fix uaf in l2cap_connect + +From: Luiz Augusto von Dentz + +commit 333b4fd11e89b29c84c269123f871883a30be586 upstream. + +[Syzbot reported] +BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949 +Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54 + +CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 +Workqueue: hci2 hci_rx_work +Call Trace: + + __dump_stack lib/dump_stack.c:93 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0xc3/0x620 mm/kasan/report.c:488 + kasan_report+0xd9/0x110 mm/kasan/report.c:601 + l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949 + l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline] + l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline] + l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline] + l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825 + l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514 + hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline] + hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028 + process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 + process_scheduled_works kernel/workqueue.c:3312 [inline] + worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 + kthread+0x2c1/0x3a0 kernel/kthread.c:389 + ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 +... + +Freed by task 5245: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579 + poison_slab_object+0xf7/0x160 mm/kasan/common.c:240 + __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256 + kasan_slab_free include/linux/kasan.h:184 [inline] + slab_free_hook mm/slub.c:2256 [inline] + slab_free mm/slub.c:4477 [inline] + kfree+0x12a/0x3b0 mm/slub.c:4598 + l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline] + kref_put include/linux/kref.h:65 [inline] + l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline] + l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802 + l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241 + hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline] + hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265 + hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583 + abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917 + hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328 + process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 + process_scheduled_works kernel/workqueue.c:3312 [inline] + worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 + kthread+0x2c1/0x3a0 kernel/kthread.c:389 + ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + +Reported-by: syzbot+c12e2f941af1feb5632c@syzkaller.appspotmail.com +Tested-by: syzbot+c12e2f941af1feb5632c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=c12e2f941af1feb5632c +Fixes: 7b064edae38d ("Bluetooth: Fix authentication if acl data comes before remote feature evt") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +[Xiangyu: Modified to bp this commit to fix CVE-2024-49950] +Signed-off-by: Xiangyu Chen +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_core.c | 2 ++ + net/bluetooth/hci_event.c | 2 +- + net/bluetooth/l2cap_core.c | 9 --------- + 3 files changed, 3 insertions(+), 10 deletions(-) + +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -3846,6 +3846,8 @@ static void hci_acldata_packet(struct hc + + hci_dev_lock(hdev); + conn = hci_conn_hash_lookup_handle(hdev, handle); ++ if (conn && hci_dev_test_flag(hdev, HCI_MGMT)) ++ mgmt_device_connected(hdev, conn, NULL, 0); + hci_dev_unlock(hdev); + + if (conn) { +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -3789,7 +3789,7 @@ static void hci_remote_features_evt(stru + goto unlock; + } + +- if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { ++ if (!ev->status) { + struct hci_cp_remote_name_req cp; + memset(&cp, 0, sizeof(cp)); + bacpy(&cp.bdaddr, &conn->dst); +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -4300,18 +4300,9 @@ sendresp: + static int l2cap_connect_req(struct l2cap_conn *conn, + struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) + { +- struct hci_dev *hdev = conn->hcon->hdev; +- struct hci_conn *hcon = conn->hcon; +- + if (cmd_len < sizeof(struct l2cap_conn_req)) + return -EPROTO; + +- hci_dev_lock(hdev); +- if (hci_dev_test_flag(hdev, HCI_MGMT) && +- !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags)) +- mgmt_device_connected(hdev, hcon, NULL, 0); +- hci_dev_unlock(hdev); +- + l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0); + return 0; + } diff --git a/queue-6.1/drm-amdkfd-amdkfd_free_gtt_mem-clear-the-correct-pointer.patch b/queue-6.1/drm-amdkfd-amdkfd_free_gtt_mem-clear-the-correct-pointer.patch new file mode 100644 index 00000000000..ce812922eee --- /dev/null +++ b/queue-6.1/drm-amdkfd-amdkfd_free_gtt_mem-clear-the-correct-pointer.patch @@ -0,0 +1,148 @@ +From c86ad39140bbcb9dc75a10046c2221f657e8083b Mon Sep 17 00:00:00 2001 +From: Philip Yang +Date: Sun, 14 Jul 2024 11:11:05 -0400 +Subject: drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Philip Yang + +commit c86ad39140bbcb9dc75a10046c2221f657e8083b upstream. + +Pass pointer reference to amdgpu_bo_unref to clear the correct pointer, +otherwise amdgpu_bo_unref clear the local variable, the original pointer +not set to NULL, this could cause use-after-free bug. + +Signed-off-by: Philip Yang +Reviewed-by: Felix Kuehling +Acked-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Vamsi Krishna Brahmajosyula +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 14 +++++++------- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 2 +- + drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +- + drivers/gpu/drm/amd/amdkfd/kfd_device.c | 4 ++-- + drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 2 +- + drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c | 2 +- + drivers/gpu/drm/amd/amdkfd/kfd_process.c | 2 +- + drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 4 ++-- + 8 files changed, 16 insertions(+), 16 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c +@@ -344,15 +344,15 @@ allocate_mem_reserve_bo_failed: + return r; + } + +-void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void *mem_obj) ++void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void **mem_obj) + { +- struct amdgpu_bo *bo = (struct amdgpu_bo *) mem_obj; ++ struct amdgpu_bo **bo = (struct amdgpu_bo **) mem_obj; + +- amdgpu_bo_reserve(bo, true); +- amdgpu_bo_kunmap(bo); +- amdgpu_bo_unpin(bo); +- amdgpu_bo_unreserve(bo); +- amdgpu_bo_unref(&(bo)); ++ amdgpu_bo_reserve(*bo, true); ++ amdgpu_bo_kunmap(*bo); ++ amdgpu_bo_unpin(*bo); ++ amdgpu_bo_unreserve(*bo); ++ amdgpu_bo_unref(bo); + } + + int amdgpu_amdkfd_alloc_gws(struct amdgpu_device *adev, size_t size, +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h +@@ -210,7 +210,7 @@ int amdgpu_amdkfd_evict_userptr(struct k + int amdgpu_amdkfd_alloc_gtt_mem(struct amdgpu_device *adev, size_t size, + void **mem_obj, uint64_t *gpu_addr, + void **cpu_ptr, bool mqd_gfx9); +-void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void *mem_obj); ++void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void **mem_obj); + int amdgpu_amdkfd_alloc_gws(struct amdgpu_device *adev, size_t size, + void **mem_obj); + void amdgpu_amdkfd_free_gws(struct amdgpu_device *adev, void *mem_obj); +--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +@@ -408,7 +408,7 @@ static int kfd_ioctl_create_queue(struct + + err_create_queue: + if (wptr_bo) +- amdgpu_amdkfd_free_gtt_mem(dev->adev, wptr_bo); ++ amdgpu_amdkfd_free_gtt_mem(dev->adev, (void **)&wptr_bo); + err_wptr_map_gart: + err_alloc_doorbells: + err_bind_process: +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c +@@ -673,7 +673,7 @@ kfd_interrupt_error: + kfd_doorbell_error: + kfd_gtt_sa_fini(kfd); + kfd_gtt_sa_init_error: +- amdgpu_amdkfd_free_gtt_mem(kfd->adev, kfd->gtt_mem); ++ amdgpu_amdkfd_free_gtt_mem(kfd->adev, &kfd->gtt_mem); + alloc_gtt_mem_failure: + if (kfd->gws) + amdgpu_amdkfd_free_gws(kfd->adev, kfd->gws); +@@ -693,7 +693,7 @@ void kgd2kfd_device_exit(struct kfd_dev + kfd_doorbell_fini(kfd); + ida_destroy(&kfd->doorbell_ida); + kfd_gtt_sa_fini(kfd); +- amdgpu_amdkfd_free_gtt_mem(kfd->adev, kfd->gtt_mem); ++ amdgpu_amdkfd_free_gtt_mem(kfd->adev, &kfd->gtt_mem); + if (kfd->gws) + amdgpu_amdkfd_free_gws(kfd->adev, kfd->gws); + } +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +@@ -2392,7 +2392,7 @@ static void deallocate_hiq_sdma_mqd(stru + { + WARN(!mqd, "No hiq sdma mqd trunk to free"); + +- amdgpu_amdkfd_free_gtt_mem(dev->adev, mqd->gtt_mem); ++ amdgpu_amdkfd_free_gtt_mem(dev->adev, &mqd->gtt_mem); + } + + void device_queue_manager_uninit(struct device_queue_manager *dqm) +--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c +@@ -204,7 +204,7 @@ void kfd_free_mqd_cp(struct mqd_manager + struct kfd_mem_obj *mqd_mem_obj) + { + if (mqd_mem_obj->gtt_mem) { +- amdgpu_amdkfd_free_gtt_mem(mm->dev->adev, mqd_mem_obj->gtt_mem); ++ amdgpu_amdkfd_free_gtt_mem(mm->dev->adev, &mqd_mem_obj->gtt_mem); + kfree(mqd_mem_obj); + } else { + kfd_gtt_sa_free(mm->dev, mqd_mem_obj); +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c +@@ -1052,7 +1052,7 @@ static void kfd_process_destroy_pdds(str + + if (pdd->dev->shared_resources.enable_mes) + amdgpu_amdkfd_free_gtt_mem(pdd->dev->adev, +- pdd->proc_ctx_bo); ++ &pdd->proc_ctx_bo); + /* + * before destroying pdd, make sure to report availability + * for auto suspend +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +@@ -441,9 +441,9 @@ int pqm_destroy_queue(struct process_que + + if (dev->shared_resources.enable_mes) { + amdgpu_amdkfd_free_gtt_mem(dev->adev, +- pqn->q->gang_ctx_bo); ++ &pqn->q->gang_ctx_bo); + if (pqn->q->wptr_bo) +- amdgpu_amdkfd_free_gtt_mem(dev->adev, pqn->q->wptr_bo); ++ amdgpu_amdkfd_free_gtt_mem(dev->adev, (void **)&pqn->q->wptr_bo); + + } + uninit_queue(pqn->q); diff --git a/queue-6.1/ext4-fix-timer-use-after-free-on-failed-mount.patch b/queue-6.1/ext4-fix-timer-use-after-free-on-failed-mount.patch new file mode 100644 index 00000000000..1f8c8bdfc26 --- /dev/null +++ b/queue-6.1/ext4-fix-timer-use-after-free-on-failed-mount.patch @@ -0,0 +1,47 @@ +From 0ce160c5bdb67081a62293028dc85758a8efb22a Mon Sep 17 00:00:00 2001 +From: Xiaxi Shen +Date: Sun, 14 Jul 2024 21:33:36 -0700 +Subject: ext4: fix timer use-after-free on failed mount + +From: Xiaxi Shen + +commit 0ce160c5bdb67081a62293028dc85758a8efb22a upstream. + +Syzbot has found an ODEBUG bug in ext4_fill_super + +The del_timer_sync function cancels the s_err_report timer, +which reminds about filesystem errors daily. We should +guarantee the timer is no longer active before kfree(sbi). + +When filesystem mounting fails, the flow goes to failed_mount3, +where an error occurs when ext4_stop_mmpd is called, causing +a read I/O failure. This triggers the ext4_handle_error function +that ultimately re-arms the timer, +leaving the s_err_report timer active before kfree(sbi) is called. + +Fix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd. + +Signed-off-by: Xiaxi Shen +Reported-and-tested-by: syzbot+59e0101c430934bc9a36@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=59e0101c430934bc9a36 +Link: https://patch.msgid.link/20240715043336.98097-1-shenxiaxi26@gmail.com +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Xiangyu Chen +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5617,8 +5617,8 @@ failed_mount3a: + failed_mount3: + /* flush s_error_work before sbi destroy */ + flush_work(&sbi->s_error_work); +- del_timer_sync(&sbi->s_err_report); + ext4_stop_mmpd(sbi); ++ del_timer_sync(&sbi->s_err_report); + ext4_group_desc_free(sbi); + failed_mount: + if (sbi->s_chksum_driver) diff --git a/queue-6.1/fs-ntfs3-fix-general-protection-fault-in-run_is_mapped_full.patch b/queue-6.1/fs-ntfs3-fix-general-protection-fault-in-run_is_mapped_full.patch new file mode 100644 index 00000000000..9f4af79be94 --- /dev/null +++ b/queue-6.1/fs-ntfs3-fix-general-protection-fault-in-run_is_mapped_full.patch @@ -0,0 +1,38 @@ +From a33fb016e49e37aafab18dc3c8314d6399cb4727 Mon Sep 17 00:00:00 2001 +From: Konstantin Komarov +Date: Fri, 30 Aug 2024 13:50:18 +0300 +Subject: fs/ntfs3: Fix general protection fault in run_is_mapped_full + +From: Konstantin Komarov + +commit a33fb016e49e37aafab18dc3c8314d6399cb4727 upstream. + +Fixed deleating of a non-resident attribute in ntfs_create_inode() +rollback. + +Reported-by: syzbot+9af29acd8f27fbce94bc@syzkaller.appspotmail.com +Signed-off-by: Konstantin Komarov +Signed-off-by: Bin Lan +Signed-off-by: Greg Kroah-Hartman +--- + fs/ntfs3/inode.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/fs/ntfs3/inode.c ++++ b/fs/ntfs3/inode.c +@@ -1646,6 +1646,15 @@ out7: + le16_to_cpu(new_de->key_size), sbi); + /* ni_unlock(dir_ni); will be called later. */ + out6: ++ attr = ni_find_attr(ni, NULL, NULL, ATTR_EA, NULL, 0, NULL, NULL); ++ if (attr && attr->non_res) { ++ /* Delete ATTR_EA, if non-resident. */ ++ struct runs_tree run; ++ run_init(&run); ++ attr_set_size(ni, ATTR_EA, NULL, 0, &run, 0, NULL, false, NULL); ++ run_close(&run); ++ } ++ + if (rp_inserted) + ntfs_remove_reparse(sbi, IO_REPARSE_TAG_SYMLINK, &new_de->ref); + diff --git a/queue-6.1/io_uring-fix-possible-deadlock-in-io_register_iowq_max_workers.patch b/queue-6.1/io_uring-fix-possible-deadlock-in-io_register_iowq_max_workers.patch new file mode 100644 index 00000000000..20c5f5317ed --- /dev/null +++ b/queue-6.1/io_uring-fix-possible-deadlock-in-io_register_iowq_max_workers.patch @@ -0,0 +1,55 @@ +From 73254a297c2dd094abec7c9efee32455ae875bdf Mon Sep 17 00:00:00 2001 +From: Hagar Hemdan +Date: Tue, 4 Jun 2024 13:05:27 +0000 +Subject: io_uring: fix possible deadlock in io_register_iowq_max_workers() + +From: Hagar Hemdan + +commit 73254a297c2dd094abec7c9efee32455ae875bdf upstream. + +The io_register_iowq_max_workers() function calls io_put_sq_data(), +which acquires the sqd->lock without releasing the uring_lock. +Similar to the commit 009ad9f0c6ee ("io_uring: drop ctx->uring_lock +before acquiring sqd->lock"), this can lead to a potential deadlock +situation. + +To resolve this issue, the uring_lock is released before calling +io_put_sq_data(), and then it is re-acquired after the function call. + +This change ensures that the locks are acquired in the correct +order, preventing the possibility of a deadlock. + +Suggested-by: Maximilian Heyne +Signed-off-by: Hagar Hemdan +Link: https://lore.kernel.org/r/20240604130527.3597-1-hagarhem@amazon.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -3921,8 +3921,10 @@ static __cold int io_register_iowq_max_w + } + + if (sqd) { ++ mutex_unlock(&ctx->uring_lock); + mutex_unlock(&sqd->lock); + io_put_sq_data(sqd); ++ mutex_lock(&ctx->uring_lock); + } + + if (copy_to_user(arg, new_count, sizeof(new_count))) +@@ -3947,8 +3949,11 @@ static __cold int io_register_iowq_max_w + return 0; + err: + if (sqd) { ++ mutex_unlock(&ctx->uring_lock); + mutex_unlock(&sqd->lock); + io_put_sq_data(sqd); ++ mutex_lock(&ctx->uring_lock); ++ + } + return ret; + } diff --git a/queue-6.1/md-raid10-improve-code-of-mrdev-in-raid10_sync_request.patch b/queue-6.1/md-raid10-improve-code-of-mrdev-in-raid10_sync_request.patch new file mode 100644 index 00000000000..9b2da8888f2 --- /dev/null +++ b/queue-6.1/md-raid10-improve-code-of-mrdev-in-raid10_sync_request.patch @@ -0,0 +1,97 @@ +From 59f8f0b54c8ffb4521f6bbd1cb6f4dfa5022e75e Mon Sep 17 00:00:00 2001 +From: Li Nan +Date: Sat, 27 May 2023 15:22:16 +0800 +Subject: md/raid10: improve code of mrdev in raid10_sync_request + +From: Li Nan + +commit 59f8f0b54c8ffb4521f6bbd1cb6f4dfa5022e75e upstream. + +'need_recover' and 'mrdev' are equivalent in raid10_sync_request(), and +inc mrdev->nr_pending is unreasonable if don't need recovery. Replace +'need_recover' with 'mrdev', and only inc nr_pending when needed. + +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230527072218.2365857-3-linan666@huaweicloud.com +Cc: Hagar Gamal Halim +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid10.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -3432,7 +3432,6 @@ static sector_t raid10_sync_request(stru + sector_t sect; + int must_sync; + int any_working; +- int need_recover = 0; + struct raid10_info *mirror = &conf->mirrors[i]; + struct md_rdev *mrdev, *mreplace; + +@@ -3440,14 +3439,13 @@ static sector_t raid10_sync_request(stru + mrdev = rcu_dereference(mirror->rdev); + mreplace = rcu_dereference(mirror->replacement); + +- if (mrdev != NULL && +- !test_bit(Faulty, &mrdev->flags) && +- !test_bit(In_sync, &mrdev->flags)) +- need_recover = 1; ++ if (mrdev && (test_bit(Faulty, &mrdev->flags) || ++ test_bit(In_sync, &mrdev->flags))) ++ mrdev = NULL; + if (mreplace && test_bit(Faulty, &mreplace->flags)) + mreplace = NULL; + +- if (!need_recover && !mreplace) { ++ if (!mrdev && !mreplace) { + rcu_read_unlock(); + continue; + } +@@ -3481,7 +3479,8 @@ static sector_t raid10_sync_request(stru + rcu_read_unlock(); + continue; + } +- atomic_inc(&mrdev->nr_pending); ++ if (mrdev) ++ atomic_inc(&mrdev->nr_pending); + if (mreplace) + atomic_inc(&mreplace->nr_pending); + rcu_read_unlock(); +@@ -3568,7 +3567,7 @@ static sector_t raid10_sync_request(stru + r10_bio->devs[1].devnum = i; + r10_bio->devs[1].addr = to_addr; + +- if (need_recover) { ++ if (mrdev) { + bio = r10_bio->devs[1].bio; + bio->bi_next = biolist; + biolist = bio; +@@ -3613,7 +3612,7 @@ static sector_t raid10_sync_request(stru + for (k = 0; k < conf->copies; k++) + if (r10_bio->devs[k].devnum == i) + break; +- if (!test_bit(In_sync, ++ if (mrdev && !test_bit(In_sync, + &mrdev->flags) + && !rdev_set_badblocks( + mrdev, +@@ -3639,12 +3638,14 @@ static sector_t raid10_sync_request(stru + if (rb2) + atomic_dec(&rb2->remaining); + r10_bio = rb2; +- rdev_dec_pending(mrdev, mddev); ++ if (mrdev) ++ rdev_dec_pending(mrdev, mddev); + if (mreplace) + rdev_dec_pending(mreplace, mddev); + break; + } +- rdev_dec_pending(mrdev, mddev); ++ if (mrdev) ++ rdev_dec_pending(mrdev, mddev); + if (mreplace) + rdev_dec_pending(mreplace, mddev); + if (r10_bio->devs[0].bio->bi_opf & MD_FAILFAST) { diff --git a/queue-6.1/mm-krealloc-fix-mte-false-alarm-in-__do_krealloc.patch b/queue-6.1/mm-krealloc-fix-mte-false-alarm-in-__do_krealloc.patch new file mode 100644 index 00000000000..e048a8c4297 --- /dev/null +++ b/queue-6.1/mm-krealloc-fix-mte-false-alarm-in-__do_krealloc.patch @@ -0,0 +1,75 @@ +From 704573851b51808b45dae2d62059d1d8189138a2 Mon Sep 17 00:00:00 2001 +From: Qun-Wei Lin +Date: Fri, 25 Oct 2024 16:58:11 +0800 +Subject: mm: krealloc: Fix MTE false alarm in __do_krealloc + +From: Qun-Wei Lin + +commit 704573851b51808b45dae2d62059d1d8189138a2 upstream. + +This patch addresses an issue introduced by commit 1a83a716ec233 ("mm: +krealloc: consider spare memory for __GFP_ZERO") which causes MTE +(Memory Tagging Extension) to falsely report a slab-out-of-bounds error. + +The problem occurs when zeroing out spare memory in __do_krealloc. The +original code only considered software-based KASAN and did not account +for MTE. It does not reset the KASAN tag before calling memset, leading +to a mismatch between the pointer tag and the memory tag, resulting +in a false positive. + +Example of the error: +================================================================== +swapper/0: BUG: KASAN: slab-out-of-bounds in __memset+0x84/0x188 +swapper/0: Write at addr f4ffff8005f0fdf0 by task swapper/0/1 +swapper/0: Pointer tag: [f4], memory tag: [fe] +swapper/0: +swapper/0: CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12. +swapper/0: Hardware name: MT6991(ENG) (DT) +swapper/0: Call trace: +swapper/0: dump_backtrace+0xfc/0x17c +swapper/0: show_stack+0x18/0x28 +swapper/0: dump_stack_lvl+0x40/0xa0 +swapper/0: print_report+0x1b8/0x71c +swapper/0: kasan_report+0xec/0x14c +swapper/0: __do_kernel_fault+0x60/0x29c +swapper/0: do_bad_area+0x30/0xdc +swapper/0: do_tag_check_fault+0x20/0x34 +swapper/0: do_mem_abort+0x58/0x104 +swapper/0: el1_abort+0x3c/0x5c +swapper/0: el1h_64_sync_handler+0x80/0xcc +swapper/0: el1h_64_sync+0x68/0x6c +swapper/0: __memset+0x84/0x188 +swapper/0: btf_populate_kfunc_set+0x280/0x3d8 +swapper/0: __register_btf_kfunc_id_set+0x43c/0x468 +swapper/0: register_btf_kfunc_id_set+0x48/0x60 +swapper/0: register_nf_nat_bpf+0x1c/0x40 +swapper/0: nf_nat_init+0xc0/0x128 +swapper/0: do_one_initcall+0x184/0x464 +swapper/0: do_initcall_level+0xdc/0x1b0 +swapper/0: do_initcalls+0x70/0xc0 +swapper/0: do_basic_setup+0x1c/0x28 +swapper/0: kernel_init_freeable+0x144/0x1b8 +swapper/0: kernel_init+0x20/0x1a8 +swapper/0: ret_from_fork+0x10/0x20 +================================================================== + +Fixes: 1a83a716ec233 ("mm: krealloc: consider spare memory for __GFP_ZERO") +Signed-off-by: Qun-Wei Lin +Acked-by: David Rientjes +Signed-off-by: Vlastimil Babka +Signed-off-by: Greg Kroah-Hartman +--- + mm/slab_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/slab_common.c ++++ b/mm/slab_common.c +@@ -1325,7 +1325,7 @@ __do_krealloc(const void *p, size_t new_ + /* Zero out spare memory. */ + if (want_init_on_alloc(flags)) { + kasan_disable_current(); +- memset((void *)p + new_size, 0, ks - new_size); ++ memset(kasan_reset_tag(p) + new_size, 0, ks - new_size); + kasan_enable_current(); + } + diff --git a/queue-6.1/platform-x86-x86-android-tablets-fix-use-after-free-on-platform_device_register-errors.patch b/queue-6.1/platform-x86-x86-android-tablets-fix-use-after-free-on-platform_device_register-errors.patch new file mode 100644 index 00000000000..56954143920 --- /dev/null +++ b/queue-6.1/platform-x86-x86-android-tablets-fix-use-after-free-on-platform_device_register-errors.patch @@ -0,0 +1,43 @@ +From 2fae3129c0c08e72b1fe93e61fd8fd203252094a Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 5 Oct 2024 15:05:45 +0200 +Subject: platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors + +From: Hans de Goede + +commit 2fae3129c0c08e72b1fe93e61fd8fd203252094a upstream. + +x86_android_tablet_remove() frees the pdevs[] array, so it should not +be used after calling x86_android_tablet_remove(). + +When platform_device_register() fails, store the pdevs[x] PTR_ERR() value +into the local ret variable before calling x86_android_tablet_remove() +to avoid using pdevs[] after it has been freed. + +Fixes: 5eba0141206e ("platform/x86: x86-android-tablets: Add support for instantiating platform-devs") +Fixes: e2200d3f26da ("platform/x86: x86-android-tablets: Add gpio_keys support to x86_android_tablet_init()") +Cc: stable@vger.kernel.org +Reported-by: Aleksandr Burakov +Closes: https://lore.kernel.org/platform-driver-x86/20240917120458.7300-1-a.burakov@rosalinux.ru/ +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20241005130545.64136-1-hdegoede@redhat.com +[Xiangyu: Modified file path to backport this commit to fix CVE: CVE-2024-49986] +Signed-off-by: Xiangyu Chen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/x86-android-tablets.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/platform/x86/x86-android-tablets.c ++++ b/drivers/platform/x86/x86-android-tablets.c +@@ -1853,8 +1853,9 @@ static __init int x86_android_tablet_ini + for (i = 0; i < pdev_count; i++) { + pdevs[i] = platform_device_register_full(&dev_info->pdev_info[i]); + if (IS_ERR(pdevs[i])) { ++ ret = PTR_ERR(pdevs[i]); + x86_android_tablet_cleanup(); +- return PTR_ERR(pdevs[i]); ++ return ret; + } + } + diff --git a/queue-6.1/series b/queue-6.1/series index cc3f120e958..399cffd6080 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -26,3 +26,13 @@ hid-multitouch-add-quirk-for-logitech-bolt-receiver-.patch hid-lenovo-add-support-for-thinkpad-x1-tablet-gen-3-.patch loongarch-use-exception-return-address-to-comment-er.patch net-usb-qmi_wwan-add-fibocom-fg132-0x0112-compositio.patch +md-raid10-improve-code-of-mrdev-in-raid10_sync_request.patch +io_uring-fix-possible-deadlock-in-io_register_iowq_max_workers.patch +uprobes-encapsulate-preparation-of-uprobe-args-buffer.patch +uprobe-avoid-out-of-bounds-memory-access-of-fetching-args.patch +drm-amdkfd-amdkfd_free_gtt_mem-clear-the-correct-pointer.patch +ext4-fix-timer-use-after-free-on-failed-mount.patch +bluetooth-l2cap-fix-uaf-in-l2cap_connect.patch +mm-krealloc-fix-mte-false-alarm-in-__do_krealloc.patch +platform-x86-x86-android-tablets-fix-use-after-free-on-platform_device_register-errors.patch +fs-ntfs3-fix-general-protection-fault-in-run_is_mapped_full.patch diff --git a/queue-6.1/uprobe-avoid-out-of-bounds-memory-access-of-fetching-args.patch b/queue-6.1/uprobe-avoid-out-of-bounds-memory-access-of-fetching-args.patch new file mode 100644 index 00000000000..d1f6ae90fec --- /dev/null +++ b/queue-6.1/uprobe-avoid-out-of-bounds-memory-access-of-fetching-args.patch @@ -0,0 +1,180 @@ +From 373b9338c9722a368925d83bc622c596896b328e Mon Sep 17 00:00:00 2001 +From: Qiao Ma +Date: Tue, 15 Oct 2024 14:01:48 +0800 +Subject: uprobe: avoid out-of-bounds memory access of fetching args + +From: Qiao Ma + +commit 373b9338c9722a368925d83bc622c596896b328e upstream. + +Uprobe needs to fetch args into a percpu buffer, and then copy to ring +buffer to avoid non-atomic context problem. + +Sometimes user-space strings, arrays can be very large, but the size of +percpu buffer is only page size. And store_trace_args() won't check +whether these data exceeds a single page or not, caused out-of-bounds +memory access. + +It could be reproduced by following steps: +1. build kernel with CONFIG_KASAN enabled +2. save follow program as test.c + +``` +\#include +\#include +\#include + +// If string length large than MAX_STRING_SIZE, the fetch_store_strlen() +// will return 0, cause __get_data_size() return shorter size, and +// store_trace_args() will not trigger out-of-bounds access. +// So make string length less than 4096. +\#define STRLEN 4093 + +void generate_string(char *str, int n) +{ + int i; + for (i = 0; i < n; ++i) + { + char c = i % 26 + 'a'; + str[i] = c; + } + str[n-1] = '\0'; +} + +void print_string(char *str) +{ + printf("%s\n", str); +} + +int main() +{ + char tmp[STRLEN]; + + generate_string(tmp, STRLEN); + print_string(tmp); + + return 0; +} +``` +3. compile program +`gcc -o test test.c` + +4. get the offset of `print_string()` +``` +objdump -t test | grep -w print_string +0000000000401199 g F .text 000000000000001b print_string +``` + +5. configure uprobe with offset 0x1199 +``` +off=0x1199 + +cd /sys/kernel/debug/tracing/ +echo "p /root/test:${off} arg1=+0(%di):ustring arg2=\$comm arg3=+0(%di):ustring" + > uprobe_events +echo 1 > events/uprobes/enable +echo 1 > tracing_on +``` + +6. run `test`, and kasan will report error. +================================================================== +BUG: KASAN: use-after-free in strncpy_from_user+0x1d6/0x1f0 +Write of size 8 at addr ffff88812311c004 by task test/499CPU: 0 UID: 0 PID: 499 Comm: test Not tainted 6.12.0-rc3+ #18 +Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014 +Call Trace: + + dump_stack_lvl+0x55/0x70 + print_address_description.constprop.0+0x27/0x310 + kasan_report+0x10f/0x120 + ? strncpy_from_user+0x1d6/0x1f0 + strncpy_from_user+0x1d6/0x1f0 + ? rmqueue.constprop.0+0x70d/0x2ad0 + process_fetch_insn+0xb26/0x1470 + ? __pfx_process_fetch_insn+0x10/0x10 + ? _raw_spin_lock+0x85/0xe0 + ? __pfx__raw_spin_lock+0x10/0x10 + ? __pte_offset_map+0x1f/0x2d0 + ? unwind_next_frame+0xc5f/0x1f80 + ? arch_stack_walk+0x68/0xf0 + ? is_bpf_text_address+0x23/0x30 + ? kernel_text_address.part.0+0xbb/0xd0 + ? __kernel_text_address+0x66/0xb0 + ? unwind_get_return_address+0x5e/0xa0 + ? __pfx_stack_trace_consume_entry+0x10/0x10 + ? arch_stack_walk+0xa2/0xf0 + ? _raw_spin_lock_irqsave+0x8b/0xf0 + ? __pfx__raw_spin_lock_irqsave+0x10/0x10 + ? depot_alloc_stack+0x4c/0x1f0 + ? _raw_spin_unlock_irqrestore+0xe/0x30 + ? stack_depot_save_flags+0x35d/0x4f0 + ? kasan_save_stack+0x34/0x50 + ? kasan_save_stack+0x24/0x50 + ? mutex_lock+0x91/0xe0 + ? __pfx_mutex_lock+0x10/0x10 + prepare_uprobe_buffer.part.0+0x2cd/0x500 + uprobe_dispatcher+0x2c3/0x6a0 + ? __pfx_uprobe_dispatcher+0x10/0x10 + ? __kasan_slab_alloc+0x4d/0x90 + handler_chain+0xdd/0x3e0 + handle_swbp+0x26e/0x3d0 + ? __pfx_handle_swbp+0x10/0x10 + ? uprobe_pre_sstep_notifier+0x151/0x1b0 + irqentry_exit_to_user_mode+0xe2/0x1b0 + asm_exc_int3+0x39/0x40 +RIP: 0033:0x401199 +Code: 01 c2 0f b6 45 fb 88 02 83 45 fc 01 8b 45 fc 3b 45 e4 7c b7 8b 45 e4 48 98 48 8d 50 ff 48 8b 45 e8 48 01 d0 ce +RSP: 002b:00007ffdf00576a8 EFLAGS: 00000206 +RAX: 00007ffdf00576b0 RBX: 0000000000000000 RCX: 0000000000000ff2 +RDX: 0000000000000ffc RSI: 0000000000000ffd RDI: 00007ffdf00576b0 +RBP: 00007ffdf00586b0 R08: 00007feb2f9c0d20 R09: 00007feb2f9c0d20 +R10: 0000000000000001 R11: 0000000000000202 R12: 0000000000401040 +R13: 00007ffdf0058780 R14: 0000000000000000 R15: 0000000000000000 + + +This commit enforces the buffer's maxlen less than a page-size to avoid +store_trace_args() out-of-memory access. + +Link: https://lore.kernel.org/all/20241015060148.1108331-1-mqaio@linux.alibaba.com/ + +Fixes: dcad1a204f72 ("tracing/uprobes: Fetch args before reserving a ring buffer") +Signed-off-by: Qiao Ma +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +Signed-off-by: Vamsi Krishna Brahmajosyula +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_uprobe.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -862,6 +862,7 @@ struct uprobe_cpu_buffer { + }; + static struct uprobe_cpu_buffer __percpu *uprobe_cpu_buffer; + static int uprobe_buffer_refcnt; ++#define MAX_UCB_BUFFER_SIZE PAGE_SIZE + + static int uprobe_buffer_init(void) + { +@@ -960,6 +961,11 @@ static struct uprobe_cpu_buffer *prepare + ucb = uprobe_buffer_get(); + ucb->dsize = tu->tp.size + dsize; + ++ if (WARN_ON_ONCE(ucb->dsize > MAX_UCB_BUFFER_SIZE)) { ++ ucb->dsize = MAX_UCB_BUFFER_SIZE; ++ dsize = MAX_UCB_BUFFER_SIZE - tu->tp.size; ++ } ++ + store_trace_args(ucb->buf, &tu->tp, regs, esize, dsize); + + return ucb; +@@ -978,9 +984,6 @@ static void __uprobe_trace_func(struct t + + WARN_ON(call != trace_file->event_call); + +- if (WARN_ON_ONCE(ucb->dsize > PAGE_SIZE)) +- return; +- + if (trace_trigger_soft_disabled(trace_file)) + return; + diff --git a/queue-6.1/uprobes-encapsulate-preparation-of-uprobe-args-buffer.patch b/queue-6.1/uprobes-encapsulate-preparation-of-uprobe-args-buffer.patch new file mode 100644 index 00000000000..d0495aa4358 --- /dev/null +++ b/queue-6.1/uprobes-encapsulate-preparation-of-uprobe-args-buffer.patch @@ -0,0 +1,254 @@ +From 3eaea21b4d27cff0017c20549aeb53034c58fc23 Mon Sep 17 00:00:00 2001 +From: Andrii Nakryiko +Date: Mon, 18 Mar 2024 11:17:26 -0700 +Subject: uprobes: encapsulate preparation of uprobe args buffer + +From: Andrii Nakryiko + +commit 3eaea21b4d27cff0017c20549aeb53034c58fc23 upstream. + +Move the logic of fetching temporary per-CPU uprobe buffer and storing +uprobes args into it to a new helper function. Store data size as part +of this buffer, simplifying interfaces a bit, as now we only pass single +uprobe_cpu_buffer reference around, instead of pointer + dsize. + +This logic was duplicated across uprobe_dispatcher and uretprobe_dispatcher, +and now will be centralized. All this is also in preparation to make +this uprobe_cpu_buffer handling logic optional in the next patch. + +Link: https://lore.kernel.org/all/20240318181728.2795838-2-andrii@kernel.org/ +[Masami: update for v6.9-rc3 kernel] + +Signed-off-by: Andrii Nakryiko +Reviewed-by: Jiri Olsa +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Masami Hiramatsu (Google) +Stable-dep-of: 373b9338c972 ("uprobe: avoid out-of-bounds memory access of fetching args") +Signed-off-by: Sasha Levin +Signed-off-by: Vamsi Krishna Brahmajosyula +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_uprobe.c | 79 ++++++++++++++++++++++---------------------- + 1 file changed, 41 insertions(+), 38 deletions(-) + +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -858,6 +858,7 @@ static const struct file_operations upro + struct uprobe_cpu_buffer { + struct mutex mutex; + void *buf; ++ int dsize; + }; + static struct uprobe_cpu_buffer __percpu *uprobe_cpu_buffer; + static int uprobe_buffer_refcnt; +@@ -947,9 +948,26 @@ static void uprobe_buffer_put(struct upr + mutex_unlock(&ucb->mutex); + } + ++static struct uprobe_cpu_buffer *prepare_uprobe_buffer(struct trace_uprobe *tu, ++ struct pt_regs *regs) ++{ ++ struct uprobe_cpu_buffer *ucb; ++ int dsize, esize; ++ ++ esize = SIZEOF_TRACE_ENTRY(is_ret_probe(tu)); ++ dsize = __get_data_size(&tu->tp, regs); ++ ++ ucb = uprobe_buffer_get(); ++ ucb->dsize = tu->tp.size + dsize; ++ ++ store_trace_args(ucb->buf, &tu->tp, regs, esize, dsize); ++ ++ return ucb; ++} ++ + static void __uprobe_trace_func(struct trace_uprobe *tu, + unsigned long func, struct pt_regs *regs, +- struct uprobe_cpu_buffer *ucb, int dsize, ++ struct uprobe_cpu_buffer *ucb, + struct trace_event_file *trace_file) + { + struct uprobe_trace_entry_head *entry; +@@ -960,14 +978,14 @@ static void __uprobe_trace_func(struct t + + WARN_ON(call != trace_file->event_call); + +- if (WARN_ON_ONCE(tu->tp.size + dsize > PAGE_SIZE)) ++ if (WARN_ON_ONCE(ucb->dsize > PAGE_SIZE)) + return; + + if (trace_trigger_soft_disabled(trace_file)) + return; + + esize = SIZEOF_TRACE_ENTRY(is_ret_probe(tu)); +- size = esize + tu->tp.size + dsize; ++ size = esize + ucb->dsize; + entry = trace_event_buffer_reserve(&fbuffer, trace_file, size); + if (!entry) + return; +@@ -981,14 +999,14 @@ static void __uprobe_trace_func(struct t + data = DATAOF_TRACE_ENTRY(entry, false); + } + +- memcpy(data, ucb->buf, tu->tp.size + dsize); ++ memcpy(data, ucb->buf, ucb->dsize); + + trace_event_buffer_commit(&fbuffer); + } + + /* uprobe handler */ + static int uprobe_trace_func(struct trace_uprobe *tu, struct pt_regs *regs, +- struct uprobe_cpu_buffer *ucb, int dsize) ++ struct uprobe_cpu_buffer *ucb) + { + struct event_file_link *link; + +@@ -997,7 +1015,7 @@ static int uprobe_trace_func(struct trac + + rcu_read_lock(); + trace_probe_for_each_link_rcu(link, &tu->tp) +- __uprobe_trace_func(tu, 0, regs, ucb, dsize, link->file); ++ __uprobe_trace_func(tu, 0, regs, ucb, link->file); + rcu_read_unlock(); + + return 0; +@@ -1005,13 +1023,13 @@ static int uprobe_trace_func(struct trac + + static void uretprobe_trace_func(struct trace_uprobe *tu, unsigned long func, + struct pt_regs *regs, +- struct uprobe_cpu_buffer *ucb, int dsize) ++ struct uprobe_cpu_buffer *ucb) + { + struct event_file_link *link; + + rcu_read_lock(); + trace_probe_for_each_link_rcu(link, &tu->tp) +- __uprobe_trace_func(tu, func, regs, ucb, dsize, link->file); ++ __uprobe_trace_func(tu, func, regs, ucb, link->file); + rcu_read_unlock(); + } + +@@ -1339,7 +1357,7 @@ static bool uprobe_perf_filter(struct up + + static void __uprobe_perf_func(struct trace_uprobe *tu, + unsigned long func, struct pt_regs *regs, +- struct uprobe_cpu_buffer *ucb, int dsize) ++ struct uprobe_cpu_buffer *ucb) + { + struct trace_event_call *call = trace_probe_event_call(&tu->tp); + struct uprobe_trace_entry_head *entry; +@@ -1360,7 +1378,7 @@ static void __uprobe_perf_func(struct tr + + esize = SIZEOF_TRACE_ENTRY(is_ret_probe(tu)); + +- size = esize + tu->tp.size + dsize; ++ size = esize + ucb->dsize; + size = ALIGN(size + sizeof(u32), sizeof(u64)) - sizeof(u32); + if (WARN_ONCE(size > PERF_MAX_TRACE_SIZE, "profile buffer not large enough")) + return; +@@ -1383,13 +1401,10 @@ static void __uprobe_perf_func(struct tr + data = DATAOF_TRACE_ENTRY(entry, false); + } + +- memcpy(data, ucb->buf, tu->tp.size + dsize); +- +- if (size - esize > tu->tp.size + dsize) { +- int len = tu->tp.size + dsize; ++ memcpy(data, ucb->buf, ucb->dsize); + +- memset(data + len, 0, size - esize - len); +- } ++ if (size - esize > ucb->dsize) ++ memset(data + ucb->dsize, 0, size - esize - ucb->dsize); + + perf_trace_buf_submit(entry, size, rctx, call->event.type, 1, regs, + head, NULL); +@@ -1399,21 +1414,21 @@ static void __uprobe_perf_func(struct tr + + /* uprobe profile handler */ + static int uprobe_perf_func(struct trace_uprobe *tu, struct pt_regs *regs, +- struct uprobe_cpu_buffer *ucb, int dsize) ++ struct uprobe_cpu_buffer *ucb) + { + if (!uprobe_perf_filter(&tu->consumer, 0, current->mm)) + return UPROBE_HANDLER_REMOVE; + + if (!is_ret_probe(tu)) +- __uprobe_perf_func(tu, 0, regs, ucb, dsize); ++ __uprobe_perf_func(tu, 0, regs, ucb); + return 0; + } + + static void uretprobe_perf_func(struct trace_uprobe *tu, unsigned long func, + struct pt_regs *regs, +- struct uprobe_cpu_buffer *ucb, int dsize) ++ struct uprobe_cpu_buffer *ucb) + { +- __uprobe_perf_func(tu, func, regs, ucb, dsize); ++ __uprobe_perf_func(tu, func, regs, ucb); + } + + int bpf_get_uprobe_info(const struct perf_event *event, u32 *fd_type, +@@ -1479,10 +1494,8 @@ static int uprobe_dispatcher(struct upro + struct trace_uprobe *tu; + struct uprobe_dispatch_data udd; + struct uprobe_cpu_buffer *ucb; +- int dsize, esize; + int ret = 0; + +- + tu = container_of(con, struct trace_uprobe, consumer); + tu->nhit++; + +@@ -1494,18 +1507,14 @@ static int uprobe_dispatcher(struct upro + if (WARN_ON_ONCE(!uprobe_cpu_buffer)) + return 0; + +- dsize = __get_data_size(&tu->tp, regs); +- esize = SIZEOF_TRACE_ENTRY(is_ret_probe(tu)); +- +- ucb = uprobe_buffer_get(); +- store_trace_args(ucb->buf, &tu->tp, regs, esize, dsize); ++ ucb = prepare_uprobe_buffer(tu, regs); + + if (trace_probe_test_flag(&tu->tp, TP_FLAG_TRACE)) +- ret |= uprobe_trace_func(tu, regs, ucb, dsize); ++ ret |= uprobe_trace_func(tu, regs, ucb); + + #ifdef CONFIG_PERF_EVENTS + if (trace_probe_test_flag(&tu->tp, TP_FLAG_PROFILE)) +- ret |= uprobe_perf_func(tu, regs, ucb, dsize); ++ ret |= uprobe_perf_func(tu, regs, ucb); + #endif + uprobe_buffer_put(ucb); + return ret; +@@ -1517,7 +1526,6 @@ static int uretprobe_dispatcher(struct u + struct trace_uprobe *tu; + struct uprobe_dispatch_data udd; + struct uprobe_cpu_buffer *ucb; +- int dsize, esize; + + tu = container_of(con, struct trace_uprobe, consumer); + +@@ -1529,18 +1537,13 @@ static int uretprobe_dispatcher(struct u + if (WARN_ON_ONCE(!uprobe_cpu_buffer)) + return 0; + +- dsize = __get_data_size(&tu->tp, regs); +- esize = SIZEOF_TRACE_ENTRY(is_ret_probe(tu)); +- +- ucb = uprobe_buffer_get(); +- store_trace_args(ucb->buf, &tu->tp, regs, esize, dsize); +- ++ ucb = prepare_uprobe_buffer(tu, regs); + if (trace_probe_test_flag(&tu->tp, TP_FLAG_TRACE)) +- uretprobe_trace_func(tu, func, regs, ucb, dsize); ++ uretprobe_trace_func(tu, func, regs, ucb); + + #ifdef CONFIG_PERF_EVENTS + if (trace_probe_test_flag(&tu->tp, TP_FLAG_PROFILE)) +- uretprobe_perf_func(tu, func, regs, ucb, dsize); ++ uretprobe_perf_func(tu, func, regs, ucb); + #endif + uprobe_buffer_put(ucb); + return 0;