From: Greg Kroah-Hartman Date: Sat, 25 May 2024 15:13:44 +0000 (+0200) Subject: 6.9-stable patches X-Git-Tag: v6.9.3~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b863827181d80ae33f822dc74d32e377737858c2;p=thirdparty%2Fkernel%2Fstable-queue.git 6.9-stable patches added patches: dt-bindings-adc-axi-adc-add-clocks-property.patch f2fs-fix-false-alarm-on-invalid-block-address.patch io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch io_uring-sqpoll-ensure-that-normal-task_work-is-also-run-timely.patch net-lan966x-remove-debugfs-directory-in-probe-error-path.patch net-mana-fix-the-extra-hz-in-mana_hwc_send_request.patch net-smc91x-fix-m68k-kernel-compilation-for-coldfire-cpu.patch net-ti-icssg_prueth-fix-null-pointer-dereference-in-prueth_probe.patch r8169-fix-possible-ring-buffer-corruption-on-fragmented-tx-packets.patch reapply-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch revert-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch revert-r8169-don-t-try-to-disable-interrupts-if-napi-is-scheduled-already.patch ring-buffer-fix-a-race-between-readers-and-resize-checks.patch tools-latency-collector-fix-wformat-security-compile-warns.patch tools-nolibc-stdlib-fix-memory-error-in-realloc.patch --- diff --git a/queue-6.9/arm64-fpsimd-avoid-erroneous-elide-of-user-state-reload.patch b/queue-6.9/arm64-fpsimd-avoid-erroneous-elide-of-user-state-reload.patch index 0482d721016..ebd2b584329 100644 --- a/queue-6.9/arm64-fpsimd-avoid-erroneous-elide-of-user-state-reload.patch +++ b/queue-6.9/arm64-fpsimd-avoid-erroneous-elide-of-user-state-reload.patch @@ -56,8 +56,8 @@ Signed-off-by: Greg Kroah-Hartman --- a/arch/arm64/kernel/fpsimd.c +++ b/arch/arm64/kernel/fpsimd.c -@@ -1535,6 +1535,27 @@ static void fpsimd_save_kernel_state(str - task->thread.kernel_fpsimd_cpu = smp_processor_id(); +@@ -1517,6 +1517,27 @@ static void fpsimd_save_kernel_state(str + fpsimd_save_state(&task->thread.kernel_fpsimd_state); } +/* @@ -84,7 +84,7 @@ 
Signed-off-by: Greg Kroah-Hartman void fpsimd_thread_switch(struct task_struct *next) { bool wrong_task, wrong_cpu; -@@ -1552,7 +1573,7 @@ void fpsimd_thread_switch(struct task_st +@@ -1534,7 +1555,7 @@ void fpsimd_thread_switch(struct task_st if (test_tsk_thread_flag(next, TIF_KERNEL_FPSTATE)) { fpsimd_load_kernel_state(next); @@ -93,7 +93,7 @@ Signed-off-by: Greg Kroah-Hartman } else { /* * Fix up TIF_FOREIGN_FPSTATE to correctly describe next's -@@ -1843,27 +1864,6 @@ void fpsimd_flush_task_state(struct task +@@ -1825,27 +1846,6 @@ void fpsimd_flush_task_state(struct task } /* diff --git a/queue-6.9/dt-bindings-adc-axi-adc-add-clocks-property.patch b/queue-6.9/dt-bindings-adc-axi-adc-add-clocks-property.patch new file mode 100644 index 00000000000..6bcdd66744d --- /dev/null +++ b/queue-6.9/dt-bindings-adc-axi-adc-add-clocks-property.patch 
@@ -0,0 +1,55 @@ +From 19fb11d7220b8abc016aa254dc7e6d9f2d49b178 Mon Sep 17 00:00:00 2001 +From: Nuno Sa +Date: Fri, 26 Apr 2024 17:42:12 +0200 +Subject: dt-bindings: adc: axi-adc: add clocks property + +From: Nuno Sa + +commit 19fb11d7220b8abc016aa254dc7e6d9f2d49b178 upstream. + +Add a required clock property as we can't access the device registers if +the AXI bus clock is not properly enabled. + +Note this clock is a very fundamental one that is typically enabled +pretty early during boot. Independently of that, we should really rely on +it to be enabled. + +Reviewed-by: Krzysztof Kozlowski +Fixes: 96553a44e96d ("dt-bindings: iio: adc: add bindings doc for AXI ADC driver") +Signed-off-by: Nuno Sa +Link: https://lore.kernel.org/r/20240426-ad9467-new-features-v2-3-6361fc3ba1cc@analog.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/iio/adc/adi,axi-adc.yaml | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/Documentation/devicetree/bindings/iio/adc/adi,axi-adc.yaml ++++ b/Documentation/devicetree/bindings/iio/adc/adi,axi-adc.yaml +@@ -28,6 +28,9 @@ properties: + reg: + maxItems: 1 + ++ clocks: ++ maxItems: 1 ++ + dmas: + maxItems: 1 + +@@ -48,6 +51,7 @@ required: + - compatible + - dmas + - reg ++ - clocks + + additionalProperties: false + +@@ -58,6 +62,7 @@ examples: + reg = <0x44a00000 0x10000>; + dmas = <&rx_dma 0>; + dma-names = "rx"; ++ clocks = <&axi_clk>; + #io-backend-cells = <0>; + }; + ... diff --git a/queue-6.9/f2fs-fix-false-alarm-on-invalid-block-address.patch b/queue-6.9/f2fs-fix-false-alarm-on-invalid-block-address.patch new file mode 100644 index 00000000000..e2abfdc8ef6 --- /dev/null +++ b/queue-6.9/f2fs-fix-false-alarm-on-invalid-block-address.patch 
@@ -0,0 +1,64 @@ +From b864ddb57eb00c4ea1e6801c7b2f70f1db2a7f4b Mon Sep 17 00:00:00 2001 +From: Jaegeuk Kim +Date: Tue, 9 Apr 2024 20:34:11 +0000 +Subject: f2fs: fix false alarm on invalid block address + +From: Jaegeuk Kim + +commit b864ddb57eb00c4ea1e6801c7b2f70f1db2a7f4b upstream. + +f2fs_ra_meta_pages can try to read ahead on invalid block address which is +not the corruption case. + +Cc: # v6.9+ +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=218770 +Fixes: 31f85ccc84b8 ("f2fs: unify the error handling of f2fs_is_valid_blkaddr") +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/checkpoint.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index 5d05a413f451..55d444bec5c0 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -179,22 +179,22 @@ static bool __f2fs_is_valid_blkaddr(struct f2fs_sb_info *sbi, + break; + case META_SIT: + if (unlikely(blkaddr >= SIT_BLK_CNT(sbi))) +- goto err; ++ goto check_only; + break; + case META_SSA: + if (unlikely(blkaddr >= MAIN_BLKADDR(sbi) || + blkaddr < SM_I(sbi)->ssa_blkaddr)) +- goto err; ++ goto check_only; + break; + case META_CP: + if (unlikely(blkaddr >= SIT_I(sbi)->sit_base_addr || + blkaddr < __start_cp_addr(sbi))) +- goto err; ++ goto check_only; + break; + case META_POR: + if (unlikely(blkaddr >= MAX_BLKADDR(sbi) || + blkaddr < MAIN_BLKADDR(sbi))) +- goto err; ++ goto check_only; + break; + case DATA_GENERIC: + case DATA_GENERIC_ENHANCE: +@@ -228,6 +228,7 @@ static bool __f2fs_is_valid_blkaddr(struct f2fs_sb_info *sbi, + return true; + err: + f2fs_handle_error(sbi, ERROR_INVALID_BLKADDR); ++check_only: + return false; + } + +-- +2.45.1 + diff --git a/queue-6.9/io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch b/queue-6.9/io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch new file mode 100644 index 00000000000..64faa0eba7b --- /dev/null 
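Review bot: The new `check_only:` label in `__f2fs_is_valid_blkaddr()` sits directly after `f2fs_handle_error(sbi, ERROR_INVALID_BLKADDR)` with no comment, so the difference between `goto err` and `goto check_only` can only be learned from the commit message. The META_SIT, META_SSA, META_CP and META_POR range checks now return false without recording the error. A comment above the label, such as `/* meta-area range miss: may come from readahead, not corruption, so do not flag the fs */`, would keep a later cleanup from folding the two paths back together. Whether any caller passing these four types relied on the error being recorded cannot be told from this hunk, which shows only part of the function.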
+++ b/queue-6.9/io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch
@@ -0,0 +1,38 @@
+From 3d8f874bd620ce03f75a5512847586828ab86544 Mon Sep 17 00:00:00 2001
+From: Ming Lei
+Date: Fri, 10 May 2024 11:50:27 +0800
+Subject: io_uring: fail NOP if non-zero op flags is passed in
+
+From: Ming Lei
+
+commit 3d8f874bd620ce03f75a5512847586828ab86544 upstream.
+
+The NOP op flags should have been checked from beginning like any other
+opcode, otherwise NOP may not be extended with the op flags.
+
+Given both liburing and Rust io-uring crate always zeros SQE op flags, just
+ignore users which play raw NOP uring interface without zeroing SQE, because
+NOP is just for test purpose. Then we can save one NOP2 opcode.
+
+Suggested-by: Jens Axboe
+Fixes: 2b188cc1bb85 ("Add io_uring IO interface")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ming Lei
+Link: https://lore.kernel.org/r/20240510035031.78874-2-ming.lei@redhat.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/nop.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/io_uring/nop.c
++++ b/io_uring/nop.c
+@@ -12,6 +12,8 @@
+
+ int io_nop_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
+ {
++ if (READ_ONCE(sqe->rw_flags))
++ return -EINVAL;
+ return 0;
+ }
+
diff --git a/queue-6.9/io_uring-sqpoll-ensure-that-normal-task_work-is-also-run-timely.patch b/queue-6.9/io_uring-sqpoll-ensure-that-normal-task_work-is-also-run-timely.patch
new file mode 100644
index 00000000000..2f52b81d038
--- /dev/null
+++ b/queue-6.9/io_uring-sqpoll-ensure-that-normal-task_work-is-also-run-timely.patch
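Review bot: `io_nop_prep()` now rejects a submission by reading `sqe->rw_flags`, a field whose name suggests read/write requests, and nothing at the check says why a NOP looks at it. A one-line comment such as `/* NOP defines no op flags yet; reject non-zero so they can be assigned later */` would record the intent given in the commit message. The description also concedes that raw users who do not zero the SQE will start getting `-EINVAL`, so this is a user-visible behaviour change arriving through a stable backport.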
@@ -0,0 +1,49 @@
+From d13ddd9c893f0e8498526bf88c6b5fad01f0edd8 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Tue, 21 May 2024 12:31:12 -0600
+Subject: io_uring/sqpoll: ensure that normal task_work is also run timely
+
+From: Jens Axboe
+
+commit d13ddd9c893f0e8498526bf88c6b5fad01f0edd8 upstream.
+
+With the move to private task_work, SQPOLL neglected to also run the
+normal task_work, if any is pending. This will eventually get run, but
+we should run it with the private task_work to ensure that things like
+a final fput() is processed in a timely fashion.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/313824bc-799d-414f-96b7-e6de57c7e21d@gmail.com/
+Reported-by: Andrew Udvare
+Fixes: af5d68f8892f ("io_uring/sqpoll: manage task_work privately")
+Tested-by: Christian Heusel
+Tested-by: Andrew Udvare
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/sqpoll.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c
+index 554c7212aa46..b3722e5275e7 100644
+--- a/io_uring/sqpoll.c
++++ b/io_uring/sqpoll.c
+@@ -238,11 +238,13 @@ static unsigned int io_sq_tw(struct llist_node **retry_list, int max_entries)
+ if (*retry_list) {
+ *retry_list = io_handle_tw_list(*retry_list, &count, max_entries);
+ if (count >= max_entries)
+- return count;
++ goto out;
+ max_entries -= count;
+ }
+-
+ *retry_list = tctx_task_work_run(tctx, max_entries, &count);
++out:
++ if (task_work_pending(current))
++ task_work_run();
+ return count;
+ }
+
+--
+2.45.1
+
diff --git a/queue-6.9/net-lan966x-remove-debugfs-directory-in-probe-error-path.patch b/queue-6.9/net-lan966x-remove-debugfs-directory-in-probe-error-path.patch
new file mode 100644
index 00000000000..e40d99747b5
--- /dev/null
+++ b/queue-6.9/net-lan966x-remove-debugfs-directory-in-probe-error-path.patch
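Review bot: In `io_sq_tw()` the `task_work_run()` added after `out:` is not reflected in `count`, so the value returned to the caller still reports only the private task_work that was handled. If the caller uses that count to decide whether the SQPOLL thread did any work (not visible in this hunk), a pass that only ran generic task_work would look idle. A comment at the label, for example `/* also flush generic task_work (e.g. a final fput()); not included in count */`, would make the accounting explicit.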
@@ -0,0 +1,57 @@
+From 99975ad644c7836414183fa7be4f883a4fb2bf64 Mon Sep 17 00:00:00 2001
+From: Herve Codina
+Date: Mon, 13 May 2024 13:18:53 +0200
+Subject: net: lan966x: remove debugfs directory in probe() error path
+
+From: Herve Codina
+
+commit 99975ad644c7836414183fa7be4f883a4fb2bf64 upstream.
+
+A debugfs directory entry is create early during probe(). This entry is
+not removed on error path leading to some "already present" issues in
+case of EPROBE_DEFER.
+
+Create this entry later in the probe() code to avoid the need to change
+many 'return' in 'goto' and add the removal in the already present error
+path.
+
+Fixes: 942814840127 ("net: lan966x: Add VCAP debugFS support")
+Cc:
+Signed-off-by: Herve Codina
+Reviewed-by: Andrew Lunn
+Reviewed-by: Horatiu Vultur
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/microchip/lan966x/lan966x_main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
+@@ -1087,8 +1087,6 @@ static int lan966x_probe(struct platform
+ platform_set_drvdata(pdev, lan966x);
+ lan966x->dev = &pdev->dev;
+
+- lan966x->debugfs_root = debugfs_create_dir("lan966x", NULL);
+-
+ if (!device_get_mac_address(&pdev->dev, mac_addr)) {
+ ether_addr_copy(lan966x->base_mac, mac_addr);
+ } else {
+@@ -1179,6 +1177,8 @@ static int lan966x_probe(struct platform
+ return dev_err_probe(&pdev->dev, -ENODEV,
+ "no ethernet-ports child found\n");
+
++ lan966x->debugfs_root = debugfs_create_dir("lan966x", NULL);
++
+ /* init switch */
+ lan966x_init(lan966x);
+ lan966x_stats_init(lan966x);
+@@ -1257,6 +1257,8 @@ cleanup_ports:
+ destroy_workqueue(lan966x->stats_queue);
+ mutex_destroy(&lan966x->stats_lock);
+
++ debugfs_remove_recursive(lan966x->debugfs_root);
++
+ return err;
+ }
+
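Review bot: `debugfs_remove_recursive(lan966x->debugfs_root)` is added at the end of the `cleanup_ports:` unwinding, so it only covers failures that leave `lan966x_probe()` through a `goto`. Any plain `return` between the relocated `debugfs_create_dir("lan966x", NULL)` and the first `goto` would still leave the directory behind and reproduce the "already present" problem on EPROBE_DEFER. The code between the second and third hunk is not shown, so this should be checked against the full function. The directory name is also a fixed string under the debugfs root, so a second device instance would presumably collide regardless of this fix.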
diff --git a/queue-6.9/net-mana-fix-the-extra-hz-in-mana_hwc_send_request.patch b/queue-6.9/net-mana-fix-the-extra-hz-in-mana_hwc_send_request.patch
new file mode 100644
index 00000000000..0f6918ac302
--- /dev/null
+++ b/queue-6.9/net-mana-fix-the-extra-hz-in-mana_hwc_send_request.patch
@@ -0,0 +1,35 @@
+From 9c91c7fadb1771dcc2815c5271d14566366d05c5 Mon Sep 17 00:00:00 2001
+From: Souradeep Chakrabarti
+Date: Sun, 19 May 2024 23:05:04 -0700
+Subject: net: mana: Fix the extra HZ in mana_hwc_send_request
+
+From: Souradeep Chakrabarti
+
+commit 9c91c7fadb1771dcc2815c5271d14566366d05c5 upstream.
+
+Commit 62c1bff593b7 added an extra HZ along with msecs_to_jiffies.
+This patch fixes that.
+
+Cc: stable@vger.kernel.org
+Fixes: 62c1bff593b7 ("net: mana: Configure hwc timeout from hardware")
+Signed-off-by: Souradeep Chakrabarti
+Reviewed-by: Brett Creeley
+Reviewed-by: Dexuan Cui
+Link: https://lore.kernel.org/r/1716185104-31658-1-git-send-email-schakrabarti@linux.microsoft.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/microsoft/mana/hw_channel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
++++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+@@ -848,7 +848,7 @@ int mana_hwc_send_request(struct hw_chan
+ }
+
+ if (!wait_for_completion_timeout(&ctx->comp_event,
+- (msecs_to_jiffies(hwc->hwc_timeout) * HZ))) {
++ (msecs_to_jiffies(hwc->hwc_timeout)))) {
+ dev_err(hwc->dev, "HWC: Request timed out!\n");
+ err = -ETIMEDOUT;
+ goto out;
diff --git a/queue-6.9/net-smc91x-fix-m68k-kernel-compilation-for-coldfire-cpu.patch b/queue-6.9/net-smc91x-fix-m68k-kernel-compilation-for-coldfire-cpu.patch
new file mode 100644
index 00000000000..99fd084a25d
--- /dev/null
+++ b/queue-6.9/net-smc91x-fix-m68k-kernel-compilation-for-coldfire-cpu.patch
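Review bot: The corrected timeout in `mana_hwc_send_request()` keeps the parentheses that only existed to group the old `* HZ` multiplication, leaving `(msecs_to_jiffies(hwc->hwc_timeout)))) {` harder to read than it needs to be. Writing the argument as `msecs_to_jiffies(hwc->hwc_timeout))) {` is equivalent. Separately, the Fixes tag says `hwc_timeout` is configured from hardware and no bounds check is visible in this hunk. It is worth confirming that the value is clamped where it is read, since it directly sets how long this path can block.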
@@ -0,0 +1,58 @@ +From 5eefb477d21a26183bc3499aeefa991198315a2d Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Fri, 10 May 2024 13:30:55 +0200 +Subject: net: smc91x: Fix m68k kernel compilation for ColdFire CPU +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thorsten Blum + +commit 5eefb477d21a26183bc3499aeefa991198315a2d upstream. + +Compiling the m68k kernel with support for the ColdFire CPU family fails +with the following error: + +In file included from drivers/net/ethernet/smsc/smc91x.c:80: +drivers/net/ethernet/smsc/smc91x.c: In function ‘smc_reset’: +drivers/net/ethernet/smsc/smc91x.h:160:40: error: implicit declaration of function ‘_swapw’; did you mean ‘swap’? [-Werror=implicit-function-declaration] + 160 | #define SMC_outw(lp, v, a, r) writew(_swapw(v), (a) + (r)) + | ^~~~~~ +drivers/net/ethernet/smsc/smc91x.h:904:25: note: in expansion of macro ‘SMC_outw’ + 904 | SMC_outw(lp, x, ioaddr, BANK_SELECT); \ + | ^~~~~~~~ +drivers/net/ethernet/smsc/smc91x.c:250:9: note: in expansion of macro ‘SMC_SELECT_BANK’ + 250 | SMC_SELECT_BANK(lp, 2); + | ^~~~~~~~~~~~~~~ +cc1: some warnings being treated as errors + +The function _swapw() was removed in commit d97cf70af097 ("m68k: use +asm-generic/io.h for non-MMU io access functions"), but is still used in +drivers/net/ethernet/smsc/smc91x.h. + +Use ioread16be() and iowrite16be() to resolve the error. 
+ +Cc: stable@vger.kernel.org +Fixes: d97cf70af097 ("m68k: use asm-generic/io.h for non-MMU io access functions") +Signed-off-by: Thorsten Blum +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20240510113054.186648-2-thorsten.blum@toblux.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/smsc/smc91x.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/smsc/smc91x.h ++++ b/drivers/net/ethernet/smsc/smc91x.h +@@ -156,8 +156,8 @@ static inline void mcf_outsw(void *a, un + writew(*wp++, a); + } + +-#define SMC_inw(a, r) _swapw(readw((a) + (r))) +-#define SMC_outw(lp, v, a, r) writew(_swapw(v), (a) + (r)) ++#define SMC_inw(a, r) ioread16be((a) + (r)) ++#define SMC_outw(lp, v, a, r) iowrite16be(v, (a) + (r)) + #define SMC_insw(a, r, p, l) mcf_insw(a + r, p, l) + #define SMC_outsw(a, r, p, l) mcf_outsw(a + r, p, l) + diff --git a/queue-6.9/net-ti-icssg_prueth-fix-null-pointer-dereference-in-prueth_probe.patch b/queue-6.9/net-ti-icssg_prueth-fix-null-pointer-dereference-in-prueth_probe.patch new file mode 100644 index 00000000000..b8dca30e90b --- /dev/null +++ b/queue-6.9/net-ti-icssg_prueth-fix-null-pointer-dereference-in-prueth_probe.patch 
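Review bot: The new `SMC_outw` definition passes its value argument unparenthesized, `iowrite16be(v, (a) + (r))`, while `a` and `r` are wrapped. For consistent macro hygiene it should read `#define SMC_outw(lp, v, a, r) iowrite16be((v), (a) + (r))`. Whether `ioread16be()`/`iowrite16be()` produce the same byte order as the old `_swapw(readw())`/`writew(_swapw(v))` pair depends on how `readw()`/`writew()` are defined for ColdFire after d97cf70af097. That definition is not shown in this hunk, so the swap semantics should be confirmed on hardware or against the arch header.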
@@ -0,0 +1,58 @@ +From b31c7e78086127a7fcaa761e8d336ee855a920c6 Mon Sep 17 00:00:00 2001 +From: Romain Gantois +Date: Tue, 21 May 2024 14:44:11 +0200 +Subject: net: ti: icssg_prueth: Fix NULL pointer dereference in prueth_probe() + +From: Romain Gantois + +commit b31c7e78086127a7fcaa761e8d336ee855a920c6 upstream. + +In the prueth_probe() function, if one of the calls to emac_phy_connect() +fails due to of_phy_connect() returning NULL, then the subsequent call to +phy_attached_info() will dereference a NULL pointer. + +Check the return code of emac_phy_connect and fail cleanly if there is an +error. + +Fixes: 128d5874c082 ("net: ti: icssg-prueth: Add ICSSG ethernet driver") +Cc: stable@vger.kernel.org +Signed-off-by: Romain Gantois +Reviewed-by: Simon Horman +Reviewed-by: MD Danish Anwar +Link: https://lore.kernel.org/r/20240521-icssg-prueth-fix-v1-1-b4b17b1433e9@bootlin.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/icssg/icssg_prueth.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/ti/icssg/icssg_prueth.c ++++ b/drivers/net/ethernet/ti/icssg/icssg_prueth.c +@@ -2152,7 +2152,12 @@ static int prueth_probe(struct platform_ + + prueth->registered_netdevs[PRUETH_MAC0] = prueth->emac[PRUETH_MAC0]->ndev; + +- emac_phy_connect(prueth->emac[PRUETH_MAC0]); ++ ret = emac_phy_connect(prueth->emac[PRUETH_MAC0]); ++ if (ret) { ++ dev_err(dev, ++ "can't connect to MII0 PHY, error -%d", ret); ++ goto netdev_unregister; ++ } + phy_attached_info(prueth->emac[PRUETH_MAC0]->ndev->phydev); + } + +@@ -2164,7 +2169,12 @@ static int prueth_probe(struct platform_ + } + + prueth->registered_netdevs[PRUETH_MAC1] = prueth->emac[PRUETH_MAC1]->ndev; +- emac_phy_connect(prueth->emac[PRUETH_MAC1]); ++ ret = emac_phy_connect(prueth->emac[PRUETH_MAC1]); ++ if (ret) { ++ dev_err(dev, ++ "can't connect to MII1 PHY, error %d", ret); ++ goto netdev_unregister; ++ } + 
phy_attached_info(prueth->emac[PRUETH_MAC1]->ndev->phydev); + } + diff --git a/queue-6.9/r8169-fix-possible-ring-buffer-corruption-on-fragmented-tx-packets.patch b/queue-6.9/r8169-fix-possible-ring-buffer-corruption-on-fragmented-tx-packets.patch new file mode 100644 index 00000000000..adf30ac11c6 --- /dev/null +++ b/queue-6.9/r8169-fix-possible-ring-buffer-corruption-on-fragmented-tx-packets.patch 
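Review bot: The two new `dev_err()` calls in `prueth_probe()` disagree on format: the MII0 message uses `error -%d` while the MII1 message uses `error %d`, and neither ends with a newline. If `emac_phy_connect()` returns a negative errno, which the hunk does not show, the first message prints a doubled minus sign. Both should use the same form, e.g. `"can't connect to MII0 PHY, error %d\n"` and the MII1 equivalent. The function body starts and ends outside the hunk, so the `netdev_unregister` unwinding could not be checked here.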
@@ -0,0 +1,55 @@ +From c71e3a5cffd5309d7f84444df03d5b72600cc417 Mon Sep 17 00:00:00 2001 +From: Ken Milmore +Date: Tue, 21 May 2024 23:45:50 +0100 +Subject: r8169: Fix possible ring buffer corruption on fragmented Tx packets. + +From: Ken Milmore + +commit c71e3a5cffd5309d7f84444df03d5b72600cc417 upstream. + +An issue was found on the RTL8125b when transmitting small fragmented +packets, whereby invalid entries were inserted into the transmit ring +buffer, subsequently leading to calls to dma_unmap_single() with a null +address. + +This was caused by rtl8169_start_xmit() not noticing changes to nr_frags +which may occur when small packets are padded (to work around hardware +quirks) in rtl8169_tso_csum_v2(). + +To fix this, postpone inspecting nr_frags until after any padding has been +applied. + +Fixes: 9020845fb5d6 ("r8169: improve rtl8169_start_xmit") +Cc: stable@vger.kernel.org +Signed-off-by: Ken Milmore +Reviewed-by: Heiner Kallweit +Link: https://lore.kernel.org/r/27ead18b-c23d-4f49-a020-1fc482c5ac95@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4335,11 +4335,11 @@ static void rtl8169_doorbell(struct rtl8 + static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb, + struct net_device *dev) + { +- unsigned int frags = skb_shinfo(skb)->nr_frags; + struct rtl8169_private *tp = netdev_priv(dev); + unsigned int entry = tp->cur_tx % NUM_TX_DESC; + struct TxDesc *txd_first, *txd_last; + bool stop_queue, door_bell; ++ unsigned int frags; + u32 opts[2]; + + if (unlikely(!rtl_tx_slots_avail(tp))) { +@@ -4362,6 +4362,7 @@ static netdev_tx_t rtl8169_start_xmit(st + + txd_first = tp->TxDescArray + entry; + ++ frags = skb_shinfo(skb)->nr_frags; + if (frags) { + if (rtl8169_xmit_frags(tp, skb, opts, entry)) + goto err_dma_1; 
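Review bot: The relocated `frags = skb_shinfo(skb)->nr_frags;` in `rtl8169_start_xmit()` carries no comment, yet its position is the entire fix. A line such as `/* read nr_frags only after the checksum/padding step, which may change it */` above the assignment would stop a later cleanup from hoisting it back into the declarations. The padding call lies between the two hunks and is not shown, so the comment wording should be checked against it.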
diff --git a/queue-6.9/reapply-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch b/queue-6.9/reapply-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch new file mode 100644 index 00000000000..6bc1cc25574 --- /dev/null +++ b/queue-6.9/reapply-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch 
@@ -0,0 +1,66 @@ +From f481bb32d60e45fb3d19ea68ce79c5629f3fc3a0 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Wed, 22 May 2024 11:53:05 +0100 +Subject: Reapply "arm64: fpsimd: Implement lazy restore for kernel mode FPSIMD" + +From: Will Deacon + +commit f481bb32d60e45fb3d19ea68ce79c5629f3fc3a0 upstream. + +This reverts commit b8995a18417088bb53f87c49d200ec72a9dd4ec1. + +Ard managed to reproduce the dm-crypt corruption problem and got to the +bottom of it, so re-apply the problematic patch in preparation for +fixing things properly. + +Cc: stable@vger.kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/processor.h | 1 + + arch/arm64/kernel/fpsimd.c | 18 ++++++++++++++++++ + 2 files changed, 19 insertions(+) + +--- a/arch/arm64/include/asm/processor.h ++++ b/arch/arm64/include/asm/processor.h +@@ -171,6 +171,7 @@ struct thread_struct { + struct debug_info debug; /* debugging */ + + struct user_fpsimd_state kernel_fpsimd_state; ++ unsigned int kernel_fpsimd_cpu; + #ifdef CONFIG_ARM64_PTR_AUTH + struct ptrauth_keys_user keys_user; + #ifdef CONFIG_ARM64_PTR_AUTH_KERNEL +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -1509,12 +1509,30 @@ void do_fpsimd_exc(unsigned long esr, st + + static void fpsimd_load_kernel_state(struct task_struct *task) + { ++ struct cpu_fp_state *last = this_cpu_ptr(&fpsimd_last_state); ++ ++ /* ++ * Elide the load if this CPU holds the most recent kernel mode ++ * FPSIMD context of the current task. 
++ */ ++ if (last->st == &task->thread.kernel_fpsimd_state && ++ task->thread.kernel_fpsimd_cpu == smp_processor_id()) ++ return; ++ + fpsimd_load_state(&task->thread.kernel_fpsimd_state); + } + + static void fpsimd_save_kernel_state(struct task_struct *task) + { ++ struct cpu_fp_state cpu_fp_state = { ++ .st = &task->thread.kernel_fpsimd_state, ++ .to_save = FP_STATE_FPSIMD, ++ }; ++ + fpsimd_save_state(&task->thread.kernel_fpsimd_state); ++ fpsimd_bind_state_to_cpu(&cpu_fp_state); ++ ++ task->thread.kernel_fpsimd_cpu = smp_processor_id(); + } + + /* diff --git a/queue-6.9/revert-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch b/queue-6.9/revert-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch new file mode 100644 index 00000000000..0a377389683 --- /dev/null +++ b/queue-6.9/revert-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch 
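Review bot: The new `kernel_fpsimd_cpu` member of `struct thread_struct` is added without a comment, although the elision test in `fpsimd_load_kernel_state()` depends on it being meaningful. Something like `unsigned int kernel_fpsimd_cpu; /* CPU that last saved kernel_fpsimd_state */` would document the only writer visible here, `fpsimd_save_kernel_state()`. No initialisation or invalidation of the field appears in these hunks. For a task that has never saved kernel-mode state, the comparison presumably relies on the `last->st` pointer check alone, which is worth confirming.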
@@ -0,0 +1,68 @@ +From b8995a18417088bb53f87c49d200ec72a9dd4ec1 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 17 May 2024 12:55:55 +0100 +Subject: Revert "arm64: fpsimd: Implement lazy restore for kernel mode FPSIMD" + +From: Will Deacon + +commit b8995a18417088bb53f87c49d200ec72a9dd4ec1 upstream. + +This reverts commit 2632e25217696712681dd1f3ecc0d71624ea3b23. + +Johannes (and others) report data corruption with dm-crypt on Apple M1 +which has been bisected to this change. Revert the offending commit +while we figure out what's going on. + +Cc: stable@vger.kernel.org +Reported-by: Johannes Nixdorf +Link: https://lore.kernel.org/all/D1B7GPIR9K1E.5JFV37G0YTIF@shadowice.org/ +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/processor.h | 1 - + arch/arm64/kernel/fpsimd.c | 18 ------------------ + 2 files changed, 19 deletions(-) + +--- a/arch/arm64/include/asm/processor.h ++++ b/arch/arm64/include/asm/processor.h +@@ -171,7 +171,6 @@ struct thread_struct { + struct debug_info debug; /* debugging */ + + struct user_fpsimd_state kernel_fpsimd_state; +- unsigned int kernel_fpsimd_cpu; + #ifdef CONFIG_ARM64_PTR_AUTH + struct ptrauth_keys_user keys_user; + #ifdef CONFIG_ARM64_PTR_AUTH_KERNEL +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -1509,30 +1509,12 @@ void do_fpsimd_exc(unsigned long esr, st + + static void fpsimd_load_kernel_state(struct task_struct *task) + { +- struct cpu_fp_state *last = this_cpu_ptr(&fpsimd_last_state); +- +- /* +- * Elide the load if this CPU holds the most recent kernel mode +- * FPSIMD context of the current task. 
+- */ +- if (last->st == &task->thread.kernel_fpsimd_state && +- task->thread.kernel_fpsimd_cpu == smp_processor_id()) +- return; +- + fpsimd_load_state(&task->thread.kernel_fpsimd_state); + } + + static void fpsimd_save_kernel_state(struct task_struct *task) + { +- struct cpu_fp_state cpu_fp_state = { +- .st = &task->thread.kernel_fpsimd_state, +- .to_save = FP_STATE_FPSIMD, +- }; +- + fpsimd_save_state(&task->thread.kernel_fpsimd_state); +- fpsimd_bind_state_to_cpu(&cpu_fp_state); +- +- task->thread.kernel_fpsimd_cpu = smp_processor_id(); + } + + void fpsimd_thread_switch(struct task_struct *next) diff --git a/queue-6.9/revert-r8169-don-t-try-to-disable-interrupts-if-napi-is-scheduled-already.patch b/queue-6.9/revert-r8169-don-t-try-to-disable-interrupts-if-napi-is-scheduled-already.patch new file mode 100644 index 00000000000..aeaa5915d1a --- /dev/null +++ b/queue-6.9/revert-r8169-don-t-try-to-disable-interrupts-if-napi-is-scheduled-already.patch 
@@ -0,0 +1,44 @@ +From eabb8a9be1e4a12f3bf37ceb7411083e3775672d Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Wed, 15 May 2024 08:18:01 +0200 +Subject: Revert "r8169: don't try to disable interrupts if NAPI is, scheduled already" + +From: Heiner Kallweit + +commit eabb8a9be1e4a12f3bf37ceb7411083e3775672d upstream. + +This reverts commit 7274c4147afbf46f45b8501edbdad6da8cd013b9. + +Ken reported that RTL8125b can lock up if gro_flush_timeout has the +default value of 20000 and napi_defer_hard_irqs is set to 0. +In this scenario device interrupts aren't disabled, what seems to +trigger some silicon bug under heavy load. I was able to reproduce this +behavior on RTL8168h. Fix this by reverting 7274c4147afb. + +Fixes: 7274c4147afb ("r8169: don't try to disable interrupts if NAPI is scheduled already") +Cc: stable@vger.kernel.org +Reported-by: Ken Milmore +Signed-off-by: Heiner Kallweit +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/9b5b6f4c-4f54-4b90-b0b3-8d8023c2e780@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169_main.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4655,10 +4655,8 @@ static irqreturn_t rtl8169_interrupt(int + rtl_schedule_task(tp, RTL_FLAG_TASK_RESET_PENDING); + } + +- if (napi_schedule_prep(&tp->napi)) { +- rtl_irq_disable(tp); +- __napi_schedule(&tp->napi); +- } ++ rtl_irq_disable(tp); ++ napi_schedule(&tp->napi); + out: + rtl_ack_events(tp, status); + diff --git a/queue-6.9/ring-buffer-fix-a-race-between-readers-and-resize-checks.patch b/queue-6.9/ring-buffer-fix-a-race-between-readers-and-resize-checks.patch new file mode 100644 index 00000000000..91a6a05a451 --- /dev/null +++ b/queue-6.9/ring-buffer-fix-a-race-between-readers-and-resize-checks.patch 
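Review bot: After the revert, `rtl8169_interrupt()` calls `rtl_irq_disable(tp)` unconditionally before `napi_schedule(&tp->napi)`, but nothing in the code says why. The reverted change looked like a harmless optimisation, so it could easily be reintroduced. A comment such as `/* always mask device IRQs here; leaving them enabled while NAPI is already scheduled locked up RTL8125b/RTL8168h under load */` would prevent that.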
@@ -0,0 +1,134 @@ +From c2274b908db05529980ec056359fae916939fdaa Mon Sep 17 00:00:00 2001 +From: Petr Pavlu +Date: Fri, 17 May 2024 15:40:08 +0200 +Subject: ring-buffer: Fix a race between readers and resize checks + +From: Petr Pavlu + +commit c2274b908db05529980ec056359fae916939fdaa upstream. + +The reader code in rb_get_reader_page() swaps a new reader page into the +ring buffer by doing cmpxchg on old->list.prev->next to point it to the +new page. Following that, if the operation is successful, +old->list.next->prev gets updated too. This means the underlying +doubly-linked list is temporarily inconsistent, page->prev->next or +page->next->prev might not be equal back to page for some page in the +ring buffer. + +The resize operation in ring_buffer_resize() can be invoked in parallel. +It calls rb_check_pages() which can detect the described inconsistency +and stop further tracing: + +[ 190.271762] ------------[ cut here ]------------ +[ 190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0 +[ 190.271789] Modules linked in: [...] +[ 190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1 +[ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G E 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f +[ 190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014 +[ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0 +[ 190.272023] Code: [...] 
+[ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206 +[ 190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80 +[ 190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700 +[ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000 +[ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720 +[ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000 +[ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000 +[ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0 +[ 190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 190.272077] Call Trace: +[ 190.272098] +[ 190.272189] ring_buffer_resize+0x2ab/0x460 +[ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0 +[ 190.272206] tracing_resize_ring_buffer+0x65/0x90 +[ 190.272216] tracing_entries_write+0x74/0xc0 +[ 190.272225] vfs_write+0xf5/0x420 +[ 190.272248] ksys_write+0x67/0xe0 +[ 190.272256] do_syscall_64+0x82/0x170 +[ 190.272363] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 190.272373] RIP: 0033:0x7f1bd657d263 +[ 190.272381] Code: [...] 
+[ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263 +[ 190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001 +[ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000 +[ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500 +[ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002 +[ 190.272412] +[ 190.272414] ---[ end trace 0000000000000000 ]--- + +Note that ring_buffer_resize() calls rb_check_pages() only if the parent +trace_buffer has recording disabled. Recent commit d78ab792705c +("tracing: Stop current tracer when resizing buffer") causes that it is +now always the case which makes it more likely to experience this issue. + +The window to hit this race is nonetheless very small. To help +reproducing it, one can add a delay loop in rb_get_reader_page(): + + ret = rb_head_page_replace(reader, cpu_buffer->reader_page); + if (!ret) + goto spin; + for (unsigned i = 0; i < 1U << 26; i++) /* inserted delay loop */ + __asm__ __volatile__ ("" : : : "memory"); + rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list; + +.. and then run the following commands on the target system: + + echo 1 > /sys/kernel/tracing/events/sched/sched_switch/enable + while true; do + echo 16 > /sys/kernel/tracing/buffer_size_kb; sleep 0.1 + echo 8 > /sys/kernel/tracing/buffer_size_kb; sleep 0.1 + done & + while true; do + for i in /sys/kernel/tracing/per_cpu/*; do + timeout 0.1 cat $i/trace_pipe; sleep 0.2 + done + done + +To fix the problem, make sure ring_buffer_resize() doesn't invoke +rb_check_pages() concurrently with a reader operating on the same +ring_buffer_per_cpu by taking its cpu_buffer->reader_lock. 
+ +Link: https://lore.kernel.org/linux-trace-kernel/20240517134008.24529-3-petr.pavlu@suse.com + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Fixes: 659f451ff213 ("ring-buffer: Add integrity check at end of iter read") +Signed-off-by: Petr Pavlu +[ Fixed whitespace ] +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ring_buffer.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -1449,6 +1449,11 @@ static void rb_check_bpage(struct ring_b + * + * As a safety measure we check to make sure the data pages have not + * been corrupted. ++ * ++ * Callers of this function need to guarantee that the list of pages doesn't get ++ * modified during the check. In particular, if it's possible that the function ++ * is invoked with concurrent readers which can swap in a new reader page then ++ * the caller should take cpu_buffer->reader_lock. + */ + static void rb_check_pages(struct ring_buffer_per_cpu *cpu_buffer) + { +@@ -2200,8 +2205,12 @@ int ring_buffer_resize(struct trace_buff + */ + synchronize_rcu(); + for_each_buffer_cpu(buffer, cpu) { ++ unsigned long flags; ++ + cpu_buffer = buffer->buffers[cpu]; ++ raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags); + rb_check_pages(cpu_buffer); ++ raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags); + } + atomic_dec(&buffer->record_disabled); + } diff --git a/queue-6.9/series b/queue-6.9/series index b0f23f50340..7ea52eece30 100644 --- a/queue-6.9/series +++ b/queue-6.9/series @@ -1,4 +1,6 @@ +revert-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch arm64-fpsimd-avoid-erroneous-elide-of-user-state-reload.patch +reapply-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch tty-n_gsm-fix-possible-out-of-bounds-in-gsm0_receive.patch tty-n_gsm-fix-missing-receive-state-reset-after-mode-switch.patch speakup-fix-sizeof-vs-array_size-bug.patch 
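Review bot: `ring_buffer_resize()` now calls `rb_check_pages(cpu_buffer)` inside `raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags)`, so the integrity check runs with local interrupts disabled. If that check walks every page of a large per-CPU buffer, the IRQ-off section could be long. The body of `rb_check_pages()` is not part of this hunk, so it is worth checking whether the walk needs to be bounded or the lock dropped periodically. The new comment on `rb_check_pages()` puts the locking duty on callers, and other call sites are not shown here, so they should be audited against that contract as well.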
@@ -6,3 +8,16 @@ serial-sc16is7xx-fix-bug-in-sc16is7xx_set_baud-when-using-prescaler.patch
 serial-8250_bcm7271-use-default_mux_rate-if-possible.patch
 serial-8520_mtk-set-rts-on-shutdown-for-rx-in-band-wakeup.patch
 input-try-trimming-too-long-modalias-strings.patch
+io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch
+io_uring-sqpoll-ensure-that-normal-task_work-is-also-run-timely.patch
+revert-r8169-don-t-try-to-disable-interrupts-if-napi-is-scheduled-already.patch
+r8169-fix-possible-ring-buffer-corruption-on-fragmented-tx-packets.patch
+ring-buffer-fix-a-race-between-readers-and-resize-checks.patch
+net-mana-fix-the-extra-hz-in-mana_hwc_send_request.patch
+tools-latency-collector-fix-wformat-security-compile-warns.patch
+tools-nolibc-stdlib-fix-memory-error-in-realloc.patch
+net-ti-icssg_prueth-fix-null-pointer-dereference-in-prueth_probe.patch
+net-lan966x-remove-debugfs-directory-in-probe-error-path.patch
+net-smc91x-fix-m68k-kernel-compilation-for-coldfire-cpu.patch
+f2fs-fix-false-alarm-on-invalid-block-address.patch
+dt-bindings-adc-axi-adc-add-clocks-property.patch
diff --git a/queue-6.9/tools-latency-collector-fix-wformat-security-compile-warns.patch b/queue-6.9/tools-latency-collector-fix-wformat-security-compile-warns.patch
new file mode 100644
index 00000000000..337deb87833
--- /dev/null
+++ b/queue-6.9/tools-latency-collector-fix-wformat-security-compile-warns.patch
@@ -0,0 +1,84 @@
+From df73757cf8f66fa54c4721c53b0916af3c4d9818 Mon Sep 17 00:00:00 2001
+From: Shuah Khan
+Date: Wed, 3 Apr 2024 19:10:09 -0600
+Subject: tools/latency-collector: Fix -Wformat-security compile warns
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shuah Khan
+
+commit df73757cf8f66fa54c4721c53b0916af3c4d9818 upstream.
+
+Fix the following -Wformat-security compile warnings adding missing
+format arguments:
+
+latency-collector.c: In function ‘show_available’:
+latency-collector.c:938:17: warning: format not a string literal and
+no format arguments [-Wformat-security]
+ 938 | warnx(no_tracer_msg);
+ | ^~~~~
+
+latency-collector.c:943:17: warning: format not a string literal and
+no format arguments [-Wformat-security]
+ 943 | warnx(no_latency_tr_msg);
+ | ^~~~~
+
+latency-collector.c: In function ‘find_default_tracer’:
+latency-collector.c:986:25: warning: format not a string literal and
+no format arguments [-Wformat-security]
+ 986 | errx(EXIT_FAILURE, no_tracer_msg);
+ |
+ ^~~~
+latency-collector.c: In function ‘scan_arguments’:
+latency-collector.c:1881:33: warning: format not a string literal and
+no format arguments [-Wformat-security]
+ 1881 | errx(EXIT_FAILURE, no_tracer_msg);
+ | ^~~~
+
+Link: https://lore.kernel.org/linux-trace-kernel/20240404011009.32945-1-skhan@linuxfoundation.org
+
+Cc: stable@vger.kernel.org
+Fixes: e23db805da2df ("tracing/tools: Add the latency-collector to tools directory")
+Signed-off-by: Shuah Khan
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/tracing/latency/latency-collector.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/tools/tracing/latency/latency-collector.c
++++ b/tools/tracing/latency/latency-collector.c
+@@ -935,12 +935,12 @@ static void show_available(void)
+ }
+
+ if (!tracers) {
+- warnx(no_tracer_msg);
++ warnx("%s", no_tracer_msg);
+ return;
+ }
+
+ if (!found) {
+- warnx(no_latency_tr_msg);
++ warnx("%s", no_latency_tr_msg);
+ tracefs_list_free(tracers);
+ return;
+ }
+@@ -983,7 +983,7 @@ static const char *find_default_tracer(v
+ for (i = 0; relevant_tracers[i]; i++) {
+ valid = tracer_valid(relevant_tracers[i], ¬racer);
+ if (notracer)
+- errx(EXIT_FAILURE, no_tracer_msg);
++ errx(EXIT_FAILURE, "%s", no_tracer_msg);
+ if (valid)
+ return relevant_tracers[i];
+ }
+@@ -1878,7 +1878,7 @@ static void scan_arguments(int argc, cha
+ }
+ valid = tracer_valid(current_tracer, ¬racer);
+ if (notracer)
+- errx(EXIT_FAILURE, no_tracer_msg);
++ errx(EXIT_FAILURE, "%s", no_tracer_msg);
+ if (!valid)
+ errx(EXIT_FAILURE,
+ "The tracer %s is not supported by your kernel!\n", current_tracer);
diff --git a/queue-6.9/tools-nolibc-stdlib-fix-memory-error-in-realloc.patch b/queue-6.9/tools-nolibc-stdlib-fix-memory-error-in-realloc.patch
new file mode 100644
index 00000000000..98d46f01027
--- /dev/null
+++ b/queue-6.9/tools-nolibc-stdlib-fix-memory-error-in-realloc.patch
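Review bot: The `"%s"` argument added at the four call sites in show_available(), find_default_tracer() and scan_arguments() is explained only in the commit message, so a later `warnx(msg)` or `errx(EXIT_FAILURE, msg)` can slip back in unless the tool's build keeps `-Wformat-security` enabled. A one-line comment at the first changed call, `/* pass messages as arguments, never as the format string */`, would record the rule where the next editor will see it. The definitions of no_tracer_msg and no_latency_tr_msg are outside these hunks; if they are fixed string constants, the old calls were presumably not reachable with attacker-controlled text and this is hardening. All three functions start and end outside the hunks shown.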
@@ -0,0 +1,38 @@
+From 791f4641142e2aced85de082e5783b4fb0b977c2 Mon Sep 17 00:00:00 2001
+From: Brennan Xavier McManus
+Date: Tue, 9 Jan 2024 18:44:02 -0500
+Subject: tools/nolibc/stdlib: fix memory error in realloc()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Brennan Xavier McManus
+
+commit 791f4641142e2aced85de082e5783b4fb0b977c2 upstream.
+
+Pass user_p_len to memcpy() instead of heap->len to prevent realloc()
+from copying an extra sizeof(heap) bytes from beyond the allocated
+region.
+
+Signed-off-by: Brennan Xavier McManus
+Cc: stable@vger.kernel.org
+Reviewed-by: Ammar Faizi
+Fixes: 0e0ff638400be8f497a35b51a4751fd823f6bd6a ("tools/nolibc/stdlib: Implement `malloc()`, `calloc()`, `realloc()` and `free()`")
+Signed-off-by: Willy Tarreau
+Signed-off-by: Thomas Weißschuh
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/include/nolibc/stdlib.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/include/nolibc/stdlib.h
++++ b/tools/include/nolibc/stdlib.h
+@@ -185,7 +185,7 @@ void *realloc(void *old_ptr, size_t new_
+ if (__builtin_expect(!ret, 0))
+ return NULL;
+
+- memcpy(ret, heap->user_p, heap->len);
++ memcpy(ret, heap->user_p, user_p_len);
+ munmap(heap, heap->len);
+ return ret;
+ }
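Review bot: The corrected `memcpy(ret, heap->user_p, user_p_len)` sits directly above `munmap(heap, heap->len)`, and nothing at the call says why the two lengths differ. A comment above the copy, `/* heap->len also covers the heap header; copy only the user payload */`, would keep a later edit from swapping `heap->len` back in, which per the commit message reads past the end of the old allocation. The assignment of `user_p_len` and the start of realloc() are outside the hunk, so this assumes it still holds the old block's payload length at this point.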