From: Greg Kroah-Hartman
Date: Sun, 10 Nov 2024 05:21:35 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v5.15.172~37
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=630fd417f5211a0e52886e17a7139616afc46f62;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches
added patches:
media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
net-do-not-delay-dst_entries_add-in-dst_release.patch
perf-session-add-missing-evlist__delete-when-deleting-a-session.patch
revert-perf-hist-add-missing-puts-to-hist__account_cycles.patch
---
diff --git a/queue-5.10/media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch b/queue-5.10/media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
new file mode 100644
index 00000000000..f5b66385778
--- /dev/null
+++ b/queue-5.10/media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
@@ -0,0 +1,35 @@
+From ecf2b43018da9579842c774b7f35dbe11b5c38dd Mon Sep 17 00:00:00 2001
+From: Benoit Sevens
+Date: Thu, 7 Nov 2024 14:22:02 +0000
+Subject: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
+
+From: Benoit Sevens
+
+commit ecf2b43018da9579842c774b7f35dbe11b5c38dd upstream.
+
+This can lead to out of bounds writes since frames of this type were not
+taken into account when calculating the size of the frames buffer in
+uvc_parse_streaming.
+
+Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
+Signed-off-by: Benoit Sevens
+Cc: stable@vger.kernel.org
+Acked-by: Greg Kroah-Hartman
+Reviewed-by: Laurent Pinchart
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/uvc/uvc_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -661,7 +661,7 @@ static int uvc_parse_format(struct uvc_d
+ /* Parse the frame descriptors. Only uncompressed, MJPEG and frame
+ * based formats have frame descriptors.
+ */
+- while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
++ while (ftype && buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
+ buffer[2] == ftype) {
+ frame = &format->frame[format->nframes];
+ if (ftype != UVC_VS_FRAME_FRAME_BASED)
diff --git a/queue-5.10/net-do-not-delay-dst_entries_add-in-dst_release.patch b/queue-5.10/net-do-not-delay-dst_entries_add-in-dst_release.patch
new file mode 100644
index 00000000000..403e74e9a86
--- /dev/null
+++ b/queue-5.10/net-do-not-delay-dst_entries_add-in-dst_release.patch
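Review bot: The added `ftype &&` test in the `while` condition of uvc_parse_format depends on UVC_VS_UNDEFINED being zero and carries no comment, so the reason the loop must be skipped is only recoverable from the commit message. Writing it as `ftype != UVC_VS_UNDEFINED` and extending the comment above the loop with a sentence such as `Formats whose frame type is UVC_VS_UNDEFINED were not counted when uvc_parse_streaming sized the frames buffer, so none may be stored here.` would keep a later cleanup from dropping the guard. The store target `format->frame[format->nframes]` still has no bound visible in this hunk; a check of nframes against the number of frames the sizing pass reserved for this format would presumably keep device-supplied descriptors from writing past the buffer if the two passes disagree again. The function body starts and ends outside the hunk.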
@@ -0,0 +1,99 @@
+From ac888d58869bb99753e7652be19a151df9ecb35d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Tue, 8 Oct 2024 14:31:10 +0000
+Subject: net: do not delay dst_entries_add() in dst_release()
+
+From: Eric Dumazet
+
+commit ac888d58869bb99753e7652be19a151df9ecb35d upstream.
+
+dst_entries_add() uses per-cpu data that might be freed at netns
+dismantle from ip6_route_net_exit() calling dst_entries_destroy()
+
+Before ip6_route_net_exit() can be called, we release all
+the dsts associated with this netns, via calls to dst_release(),
+which waits an rcu grace period before calling dst_destroy()
+
+dst_entries_add() use in dst_destroy() is racy, because
+dst_entries_destroy() could have been called already.
+
+Decrementing the number of dsts must happen sooner.
+
+Notes:
+
+1) in CONFIG_XFRM case, dst_destroy() can call
+ dst_release_immediate(child), this might also cause UAF
+ if the child does not have DST_NOCOUNT set.
+ IPSEC maintainers might take a look and see how to address this.
+
+2) There is also discussion about removing this count of dst,
+ which might happen in future kernels.
+
+Fixes: f88649721268 ("ipv4: fix dst race in sk_dst_get()")
+Closes: https://lore.kernel.org/lkml/CANn89iLCCGsP7SFn9HKpvnKu96Td4KD08xf7aGtiYgZnkjaL=w@mail.gmail.com/T/
+Reported-by: Naresh Kamboju
+Tested-by: Linux Kernel Functional Testing
+Tested-by: Naresh Kamboju
+Signed-off-by: Eric Dumazet
+Cc: Xin Long
+Cc: Steffen Klassert
+Reviewed-by: Xin Long
+Link: https://patch.msgid.link/20241008143110.1064899-1-edumazet@google.com
+Signed-off-by: Paolo Abeni
+[ resolved conflict due to bc9d3a9f2afc ("net: dst: Switch to rcuref_t
+ reference counting") is not in the tree ]
+Signed-off-by: Abdelkareem Abdelsaamad
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dst.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -109,9 +109,6 @@ struct dst_entry *dst_destroy(struct dst
+ child = xdst->child;
+ }
+ #endif
+- if (!(dst->flags & DST_NOCOUNT))
+- dst_entries_add(dst->ops, -1);
+-
+ if (dst->ops->destroy)
+ dst->ops->destroy(dst);
+ if (dst->dev)
+@@ -162,6 +159,12 @@ void dst_dev_put(struct dst_entry *dst)
+ }
+ EXPORT_SYMBOL(dst_dev_put);
+
++static void dst_count_dec(struct dst_entry *dst)
++{
++ if (!(dst->flags & DST_NOCOUNT))
++ dst_entries_add(dst->ops, -1);
++}
++
+ void dst_release(struct dst_entry *dst)
+ {
+ if (dst) {
+@@ -171,8 +174,10 @@ void dst_release(struct dst_entry *dst)
+ if (WARN_ONCE(newrefcnt < 0, "dst_release underflow"))
+ net_warn_ratelimited("%s: dst:%p refcnt:%d\n",
+ __func__, dst, newrefcnt);
+- if (!newrefcnt)
++ if (!newrefcnt){
++ dst_count_dec(dst);
+ call_rcu(&dst->rcu_head, dst_destroy_rcu);
++ }
+ }
+ }
+ EXPORT_SYMBOL(dst_release);
+@@ -186,8 +191,10 @@ void dst_release_immediate(struct dst_en
+ if (WARN_ONCE(newrefcnt < 0, "dst_release_immediate underflow"))
+ net_warn_ratelimited("%s: dst:%p refcnt:%d\n",
+ __func__, dst, newrefcnt);
+- if (!newrefcnt)
++ if (!newrefcnt){
++ dst_count_dec(dst);
+ dst_destroy(dst);
++ }
+ }
+ }
+ EXPORT_SYMBOL(dst_release_immediate);
diff --git a/queue-5.10/perf-session-add-missing-evlist__delete-when-deleting-a-session.patch b/queue-5.10/perf-session-add-missing-evlist__delete-when-deleting-a-session.patch
new file mode 100644
index 00000000000..224006ac0b1
--- /dev/null
+++ b/queue-5.10/perf-session-add-missing-evlist__delete-when-deleting-a-session.patch
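Review bot: The new helper dst_count_dec() has no comment saying why the decrement has to run in dst_release() and dst_release_immediate() before the RCU callback, which is the whole point of the fix. A short comment above it, for example `/* Must run before the RCU grace period: dst_entries_destroy() can free the per-cpu counters at netns dismantle. */`, would stop a later cleanup from moving the call back into dst_destroy(). Both call sites are also written `if (!newrefcnt){`; kernel style puts a space before the brace, `if (!newrefcnt) {`.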
@@ -0,0 +1,145 @@
+From xueshuai@linux.alibaba.com Mon Nov 4 12:27:57 2024
+From: Shuai Xue
+Date: Mon, 4 Nov 2024 19:27:36 +0800
+Subject: perf session: Add missing evlist__delete when deleting a session
+To: stable@vger.kernel.org, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, acme@kernel.org, gregkh@linuxfoundation.org
+Cc: adrian.hunter@intel.com, alexander.shishkin@linux.intel.com, irogers@google.com, mark.rutland@arm.com, namhyung@kernel.org, peterz@infradead.org, acme@redhat.com, kprateek.nayak@amd.com, ravi.bangoria@amd.com, sandipan.das@amd.com, anshuman.khandual@arm.com, german.gomez@arm.com, james.clark@arm.com, terrelln@fb.com, seanjc@google.com, changbin.du@huawei.com, liuwenyu7@huawei.com, yangjihong1@huawei.com, mhiramat@kernel.org, ojeda@kernel.org, song@kernel.org, leo.yan@linaro.org, kjain@linux.ibm.com, ak@linux.intel.com, kan.liang@linux.intel.com, atrajeev@linux.vnet.ibm.com, siyanteng@loongson.cn, liam.howlett@oracle.com, pbonzini@redhat.com, jolsa@kernel.org
+Message-ID: <20241104112736.28554-3-xueshuai@linux.alibaba.com>
+
+From: Riccardo Mancini
+
+commit cf96b8e45a9bf74d2a6f1e1f88a41b10e9357c6b upstream.
+
+ASan reports a memory leak caused by evlist not being deleted on exit in
+perf-report, perf-script and perf-data.
+The problem is caused by evlist->session not being deleted, which is
+allocated in perf_session__read_header, called in perf_session__new if
+perf_data is in read mode.
+In case of write mode, the session->evlist is filled by the caller.
+This patch solves the problem by calling evlist__delete in
+perf_session__delete if perf_data is in read mode.
+
+Changes in v2:
+ - call evlist__delete from within perf_session__delete
+
+v1: https://lore.kernel.org/lkml/20210621234317.235545-1-rickyman7@gmail.com/
+
+ASan report follows:
+
+$ ./perf script report flamegraph
+=================================================================
+==227640==ERROR: LeakSanitizer: detected memory leaks
+
+
+
+Indirect leak of 2704 byte(s) in 1 object(s) allocated from:
+ #0 0x4f4137 in calloc (/home/user/linux/tools/perf/perf+0x4f4137)
+ #1 0xbe3d56 in zalloc /home/user/linux/tools/lib/perf/../../lib/zalloc.c:8:9
+ #2 0x7f999e in evlist__new /home/user/linux/tools/perf/util/evlist.c:77:26
+ #3 0x8ad938 in perf_session__read_header /home/user/linux/tools/perf/util/header.c:3797:20
+ #4 0x8ec714 in perf_session__open /home/user/linux/tools/perf/util/session.c:109:6
+ #5 0x8ebe83 in perf_session__new /home/user/linux/tools/perf/util/session.c:213:10
+ #6 0x60c6de in cmd_script /home/user/linux/tools/perf/builtin-script.c:3856:12
+ #7 0x7b2930 in run_builtin /home/user/linux/tools/perf/perf.c:313:11
+ #8 0x7b120f in handle_internal_command /home/user/linux/tools/perf/perf.c:365:8
+ #9 0x7b2493 in run_argv /home/user/linux/tools/perf/perf.c:409:2
+ #10 0x7b0c89 in main /home/user/linux/tools/perf/perf.c:539:3
+ #11 0x7f5260654b74 (/lib64/libc.so.6+0x27b74)
+
+Indirect leak of 568 byte(s) in 1 object(s) allocated from:
+ #0 0x4f4137 in calloc (/home/user/linux/tools/perf/perf+0x4f4137)
+ #1 0xbe3d56 in zalloc /home/user/linux/tools/lib/perf/../../lib/zalloc.c:8:9
+ #2 0x80ce88 in evsel__new_idx /home/user/linux/tools/perf/util/evsel.c:268:24
+ #3 0x8aed93 in evsel__new /home/user/linux/tools/perf/util/evsel.h:210:9
+ #4 0x8ae07e in perf_session__read_header /home/user/linux/tools/perf/util/header.c:3853:11
+ #5 0x8ec714 in perf_session__open /home/user/linux/tools/perf/util/session.c:109:6
+ #6 0x8ebe83 in perf_session__new /home/user/linux/tools/perf/util/session.c:213:10
+ #7 0x60c6de in cmd_script /home/user/linux/tools/perf/builtin-script.c:3856:12
+ #8 0x7b2930 in run_builtin /home/user/linux/tools/perf/perf.c:313:11
+ #9 0x7b120f in handle_internal_command /home/user/linux/tools/perf/perf.c:365:8
+ #10 0x7b2493 in run_argv /home/user/linux/tools/perf/perf.c:409:2
+ #11 0x7b0c89 in main /home/user/linux/tools/perf/perf.c:539:3
+ #12 0x7f5260654b74 (/lib64/libc.so.6+0x27b74)
+
+Indirect leak of 264 byte(s) in 1 object(s) allocated from:
+ #0 0x4f4137 in calloc (/home/user/linux/tools/perf/perf+0x4f4137)
+ #1 0xbe3d56 in zalloc /home/user/linux/tools/lib/perf/../../lib/zalloc.c:8:9
+ #2 0xbe3e70 in xyarray__new /home/user/linux/tools/lib/perf/xyarray.c:10:23
+ #3 0xbd7754 in perf_evsel__alloc_id /home/user/linux/tools/lib/perf/evsel.c:361:21
+ #4 0x8ae201 in perf_session__read_header /home/user/linux/tools/perf/util/header.c:3871:7
+ #5 0x8ec714 in perf_session__open /home/user/linux/tools/perf/util/session.c:109:6
+ #6 0x8ebe83 in perf_session__new /home/user/linux/tools/perf/util/session.c:213:10
+ #7 0x60c6de in cmd_script /home/user/linux/tools/perf/builtin-script.c:3856:12
+ #8 0x7b2930 in run_builtin /home/user/linux/tools/perf/perf.c:313:11
+ #9 0x7b120f in handle_internal_command /home/user/linux/tools/perf/perf.c:365:8
+ #10 0x7b2493 in run_argv /home/user/linux/tools/perf/perf.c:409:2
+ #11 0x7b0c89 in main /home/user/linux/tools/perf/perf.c:539:3
+ #12 0x7f5260654b74 (/lib64/libc.so.6+0x27b74)
+
+Indirect leak of 32 byte(s) in 1 object(s) allocated from:
+ #0 0x4f4137 in calloc (/home/user/linux/tools/perf/perf+0x4f4137)
+ #1 0xbe3d56 in zalloc /home/user/linux/tools/lib/perf/../../lib/zalloc.c:8:9
+ #2 0xbd77e0 in perf_evsel__alloc_id /home/user/linux/tools/lib/perf/evsel.c:365:14
+ #3 0x8ae201 in perf_session__read_header /home/user/linux/tools/perf/util/header.c:3871:7
+ #4 0x8ec714 in perf_session__open /home/user/linux/tools/perf/util/session.c:109:6
+ #5 0x8ebe83 in perf_session__new /home/user/linux/tools/perf/util/session.c:213:10
+ #6 0x60c6de in cmd_script /home/user/linux/tools/perf/builtin-script.c:3856:12
+ #7 0x7b2930 in run_builtin /home/user/linux/tools/perf/perf.c:313:11
+ #8 0x7b120f in handle_internal_command /home/user/linux/tools/perf/perf.c:365:8
+ #9 0x7b2493 in run_argv /home/user/linux/tools/perf/perf.c:409:2
+ #10 0x7b0c89 in main /home/user/linux/tools/perf/perf.c:539:3
+ #11 0x7f5260654b74 (/lib64/libc.so.6+0x27b74)
+
+Indirect leak of 7 byte(s) in 1 object(s) allocated from:
+ #0 0x4b8207 in strdup (/home/user/linux/tools/perf/perf+0x4b8207)
+ #1 0x8b4459 in evlist__set_event_name /home/user/linux/tools/perf/util/header.c:2292:16
+ #2 0x89d862 in process_event_desc /home/user/linux/tools/perf/util/header.c:2313:3
+ #3 0x8af319 in perf_file_section__process /home/user/linux/tools/perf/util/header.c:3651:9
+ #4 0x8aa6e9 in perf_header__process_sections /home/user/linux/tools/perf/util/header.c:3427:9
+ #5 0x8ae3e7 in perf_session__read_header /home/user/linux/tools/perf/util/header.c:3886:2
+ #6 0x8ec714 in perf_session__open /home/user/linux/tools/perf/util/session.c:109:6
+ #7 0x8ebe83 in perf_session__new /home/user/linux/tools/perf/util/session.c:213:10
+ #8 0x60c6de in cmd_script /home/user/linux/tools/perf/builtin-script.c:3856:12
+ #9 0x7b2930 in run_builtin /home/user/linux/tools/perf/perf.c:313:11
+ #10 0x7b120f in handle_internal_command /home/user/linux/tools/perf/perf.c:365:8
+ #11 0x7b2493 in run_argv /home/user/linux/tools/perf/perf.c:409:2
+ #12 0x7b0c89 in main /home/user/linux/tools/perf/perf.c:539:3
+ #13 0x7f5260654b74 (/lib64/libc.so.6+0x27b74)
+
+SUMMARY: AddressSanitizer: 3728 byte(s) leaked in 7 allocation(s).
+
+Signed-off-by: Riccardo Mancini
+Acked-by: Ian Rogers
+Acked-by: Jiri Olsa
+Cc: Adrian Hunter
+Cc: Alexander Shishkin
+Cc: Ian Rogers
+Cc: Kan Liang
+Cc: Leo Yan
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Link: http://lore.kernel.org/lkml/20210624231926.212208-1-rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Cc: stable@vger.kernel.org # 5.10.228
+Signed-off-by: Shuai Xue
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/perf/util/session.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/session.c
++++ b/tools/perf/util/session.c
+@@ -299,8 +299,11 @@ void perf_session__delete(struct perf_se
+ perf_session__release_decomp_events(session);
+ perf_env__exit(&session->header.env);
+ machines__exit(&session->machines);
+- if (session->data)
++ if (session->data) {
++ if (perf_data__is_read(session->data))
++ evlist__delete(session->evlist);
+ perf_data__close(session->data);
++ }
+ free(session);
+ }
+
diff --git a/queue-5.10/revert-perf-hist-add-missing-puts-to-hist__account_cycles.patch b/queue-5.10/revert-perf-hist-add-missing-puts-to-hist__account_cycles.patch
new file mode 100644
index 00000000000..f5bf14d484e
--- /dev/null
+++ b/queue-5.10/revert-perf-hist-add-missing-puts-to-hist__account_cycles.patch
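Review bot: perf_session__delete() now frees `session->evlist` whenever the data is in read mode, but nothing in the hunk documents that ownership rule or shows that evlist__delete() accepts NULL. If perf_session__delete() can run on an error path where perf_session__read_header never allocated the evlist, the call is safe only if evlist__delete() tolerates a NULL argument, and any read-mode caller that still deletes `session->evlist` itself would now free it twice; both are worth confirming against the 5.10 tree. A comment at the new branch such as `/* read mode: evlist was allocated by perf_session__read_header() and is owned by the session; in write mode the caller owns it */` would record the contract. The function starts outside the hunk.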
@@ -0,0 +1,108 @@
+From xueshuai@linux.alibaba.com Mon Nov 4 12:27:55 2024
+From: Shuai Xue
+Date: Mon, 4 Nov 2024 19:27:35 +0800
+Subject: Revert "perf hist: Add missing puts to hist__account_cycles"
+To: stable@vger.kernel.org, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, acme@kernel.org, gregkh@linuxfoundation.org
+Cc: adrian.hunter@intel.com, alexander.shishkin@linux.intel.com, irogers@google.com, mark.rutland@arm.com, namhyung@kernel.org, peterz@infradead.org, acme@redhat.com, kprateek.nayak@amd.com, ravi.bangoria@amd.com, sandipan.das@amd.com, anshuman.khandual@arm.com, german.gomez@arm.com, james.clark@arm.com, terrelln@fb.com, seanjc@google.com, changbin.du@huawei.com, liuwenyu7@huawei.com, yangjihong1@huawei.com, mhiramat@kernel.org, ojeda@kernel.org, song@kernel.org, leo.yan@linaro.org, kjain@linux.ibm.com, ak@linux.intel.com, kan.liang@linux.intel.com, atrajeev@linux.vnet.ibm.com, siyanteng@loongson.cn, liam.howlett@oracle.com, pbonzini@redhat.com, jolsa@kernel.org
+Message-ID: <20241104112736.28554-2-xueshuai@linux.alibaba.com>
+
+From: Shuai Xue
+
+Revert "perf hist: Add missing puts to hist__account_cycles"
+
+This reverts commit a83fc293acd5c5050a4828eced4a71d2b2fffdd3.
+
+On x86 platform, kernel v5.10.228, perf-report command aborts due to "free():
+invalid pointer" when perf-record command is run with taken branch stack
+sampling enabled. This regression can be reproduced with the following steps:
+
+ - sudo perf record -b
+ - sudo perf report
+
+The root cause is that bi[i].to.ms.maps does not always point to thread->maps,
+which is a buffer dynamically allocated by maps_new(). Instead, it may point to
+&machine->kmaps, while kmaps is not a pointer but a variable. The original
+upstream commit c1149037f65b ("perf hist: Add missing puts to
+hist__account_cycles") worked well because machine->kmaps had been refactored to
+a pointer by the previous commit 1a97cee604dc ("perf maps: Use a pointer for
+kmaps").
+
+To this end, just revert commit a83fc293acd5c5050a4828eced4a71d2b2fffdd3.
+
+It is worth noting that the memory leak issue, which the reverted patch intended
+to fix, has been solved by commit cf96b8e45a9b ("perf session: Add missing
+evlist__delete when deleting a session"). The root cause is that the evlist is
+not being deleted on exit in perf-report, perf-script, and perf-data.
+Consequently, the reference count of the thread increased by thread__get() in
+hist_entry__init() is not decremented in hist_entry__delete(). As a result,
+thread->maps is not properly freed.
+
+Cc: Adrian Hunter
+Cc: Alexander Shishkin
+Cc: Ian Rogers
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: Arnaldo Carvalho de Melo
+Cc: K Prateek Nayak
+Cc: Ravi Bangoria
+Cc: Sandipan Das
+Cc: Anshuman Khandual
+Cc: German Gomez
+Cc: James Clark
+Cc: Nick Terrell
+Cc: Sean Christopherson
+Cc: Changbin Du
+Cc: liuwenyu
+Cc: Yang Jihong
+Cc: Masami Hiramatsu
+Cc: Miguel Ojeda
+Cc: Song Liu
+Cc: Leo Yan
+Cc: Kajol Jain
+Cc: Andi Kleen
+Cc: Kan Liang
+Cc: Athira Rajeev
+Cc: Yanteng Si
+Cc: Liam Howlett
+Cc: Paolo Bonzini
+Cc: stable@vger.kernel.org # 5.10.228
+Signed-off-by: Shuai Xue
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/perf/util/hist.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/tools/perf/util/hist.c
++++ b/tools/perf/util/hist.c
+@@ -2624,6 +2624,8 @@ void hist__account_cycles(struct branch_
+
+ /* If we have branch cycles always annotate them. */
+ if (bs && bs->nr && entries[0].flags.cycles) {
++ int i;
++
+ bi = sample__resolve_bstack(sample, al);
+ if (bi) {
+ struct addr_map_symbol *prev = NULL;
+@@ -2638,7 +2640,7 @@ void hist__account_cycles(struct branch_
+ * Note that perf stores branches reversed from
+ * program order!
+ */
+- for (int i = bs->nr - 1; i >= 0; i--) {
++ for (i = bs->nr - 1; i >= 0; i--) {
+ addr_map_symbol__account_cycles(&bi[i].from,
+ nonany_branch_mode ? NULL : prev,
+ bi[i].flags.cycles);
+@@ -2647,12 +2649,6 @@ void hist__account_cycles(struct branch_
+ if (total_cycles)
+ *total_cycles += bi[i].flags.cycles;
+ }
+- for (unsigned int i = 0; i < bs->nr; i++) {
+- map__put(bi[i].to.ms.map);
+- maps__put(bi[i].to.ms.maps);
+- map__put(bi[i].from.ms.map);
+- maps__put(bi[i].from.ms.maps);
+- }
+ free(bi);
+ }
+ }
diff --git a/queue-5.10/series b/queue-5.10/series
index bf443f6c027..54cd70410e7 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -48,3 +48,7 @@ splice-don-t-generate-zero-len-segement-bvecs.patch
 spi-fix-deadlock-when-adding-spi-controllers-on-spi-buses.patch
 spi-fix-use-after-free-of-the-add_lock-mutex.patch
 net-bridge-xmit-make-sure-we-have-at-least-eth-header-len-bytes.patch
+revert-perf-hist-add-missing-puts-to-hist__account_cycles.patch
+perf-session-add-missing-evlist__delete-when-deleting-a-session.patch
+net-do-not-delay-dst_entries_add-in-dst_release.patch
+media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
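Review bot: After the revert, `free(bi)` in hist__account_cycles() is left with no comment explaining why the map and maps references in `bi[]` are not put on this branch, so a later backport of the upstream leak fix could reintroduce the invalid free. A comment before `free(bi)` such as `/* No maps__put() here: on 5.10 ms.maps may point at &machine->kmaps, which is not a heap object. */` would record the reason given in the commit message. The restored loop also assigns `bs->nr - 1` to an `int i`; the removed loop indexed the same count with `unsigned int`, so the narrowing presumably deserves a look for counts read from a perf.data file. The function body extends beyond the hunks shown.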