From: Greg Kroah-Hartman Date: Tue, 11 Apr 2023 11:28:36 +0000 (+0200) Subject: 6.2-stable patches X-Git-Tag: v5.15.107~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bb4c6ed966a03190027652e90b32f705e18d8334;p=thirdparty%2Fkernel%2Fstable-queue.git 6.2-stable patches added patches: acpi-video-add-acpi_backlight-video-quirk-for-apple-imac14-1-and-imac14-2.patch acpi-video-add-acpi_backlight-video-quirk-for-lenovo-thinkpad-w530.patch acpi-video-add-auto_detect-arg-to-__acpi_video_get_backlight_type.patch acpi-video-make-acpi_backlight-video-work-independent-from-gpu-driver.patch asoc-hdac_hdmi-use-set_stream-instead-of-set_tdm_slots.patch asoc-sof-avoid-a-null-dereference-with-unsupported-widgets.patch can-isotp-fix-race-between-isotp_sendsmg-and-isotp_release.patch can-isotp-isotp_ops-fix-poll-to-not-report-false-epollout-events.patch can-isotp-isotp_recvmsg-use-sock_recv_cmsgs-to-get-sock_rxq_ovfl-infos.patch can-j1939-j1939_tp_tx_dat_new-fix-out-of-bounds-memory-access.patch fs-drop-peer-group-ids-under-namespace-lock.patch ftrace-fix-issue-that-direct-addr-not-restored-in-modify_ftrace_direct.patch ftrace-mark-get_lock_parent_ip-__always_inline.patch iommufd-check-for-uptr-overflow.patch iommufd-do-not-corrupt-the-pfn-list-when-doing-batch-carry.patch iommufd-fix-unpinning-of-pages-when-an-access-is-present.patch net-stmmac-add-queue-reset-into-stmmac_xdp_open-function.patch tracing-free-error-logs-of-tracing-instances.patch tracing-osnoise-fix-notify-new-tracing_max_latency.patch tracing-synthetic-fix-races-on-freeing-last_cmd.patch tracing-timerlat-notify-new-max-thread-latency.patch --- diff --git a/queue-6.2/acpi-video-add-acpi_backlight-video-quirk-for-apple-imac14-1-and-imac14-2.patch b/queue-6.2/acpi-video-add-acpi_backlight-video-quirk-for-apple-imac14-1-and-imac14-2.patch new file mode 100644 index 00000000000..269ca851c05 --- /dev/null +++ b/queue-6.2/acpi-video-add-acpi_backlight-video-quirk-for-apple-imac14-1-and-imac14-2.patch 
@@ -0,0 +1,65 @@ +From 2699107989431d6db44f8a9e809ea74c387336d1 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 4 Apr 2023 13:02:48 +0200 +Subject: ACPI: video: Add acpi_backlight=video quirk for Apple iMac14,1 and iMac14,2 + +From: Hans de Goede + +commit 2699107989431d6db44f8a9e809ea74c387336d1 upstream. + +On the Apple iMac14,1 and iMac14,2 all-in-ones (monitors with builtin "PC") +the connection between the GPU and the panel is seen by the GPU driver as +regular DP instead of eDP, causing the GPU driver to never call +acpi_video_register_backlight(). + +(GPU drivers only call acpi_video_register_backlight() when an internal + panel is detected, to avoid non working acpi_video# devices getting + registered on desktops which unfortunately is a real issue.) + +Fix the missing acpi_video# backlight device on these all-in-ones by +adding a acpi_backlight=video DMI quirk, so that video.ko will +immediately register the backlight device instead of waiting for +an acpi_video_register_backlight() call. + +Fixes: 5aa9d943e9b6 ("ACPI: video: Don't enable fallback path for creating ACPI backlight by default") +Cc: All applicable +Reviewed-by: Mario Limonciello +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/video_detect.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -277,6 +277,29 @@ static const struct dmi_system_id video_ + }, + + /* ++ * Models which need acpi_video backlight control where the GPU drivers ++ * do not call acpi_video_register_backlight() because no internal panel ++ * is detected. Typically these are all-in-ones (monitors with builtin ++ * PC) where the panel connection shows up as regular DP instead of eDP. 
++ */ ++ { ++ .callback = video_detect_force_video, ++ /* Apple iMac14,1 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "iMac14,1"), ++ }, ++ }, ++ { ++ .callback = video_detect_force_video, ++ /* Apple iMac14,2 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "iMac14,2"), ++ }, ++ }, ++ ++ /* + * These models have a working acpi_video backlight control, and using + * native backlight causes a regression where backlight does not work + * when userspace is not handling brightness key events. Disable diff --git a/queue-6.2/acpi-video-add-acpi_backlight-video-quirk-for-lenovo-thinkpad-w530.patch b/queue-6.2/acpi-video-add-acpi_backlight-video-quirk-for-lenovo-thinkpad-w530.patch new file mode 100644 index 00000000000..efd68a4e92c --- /dev/null +++ b/queue-6.2/acpi-video-add-acpi_backlight-video-quirk-for-lenovo-thinkpad-w530.patch 
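Review bot: The two new `.matches` entries at the end of the hunk use DMI_MATCH on DMI_PRODUCT_NAME, which as far as I recall is a substring match rather than an exact comparison, so "iMac14,1" would also match any future product string that merely contains it. If the intent is to quirk exactly these two models, `DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "iMac14,1")` (and likewise for "iMac14,2") pins that down; the same applies to the ThinkPad W530 entry in the next patch file, which matches DMI_PRODUCT_VERSION the same way. The rest of the enclosing dmi_system_id table is outside the hunk, so I cannot tell whether it already mixes both forms.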
@@ -0,0 +1,64 @@ +From a5b2781dcab2c77979a4b8adda781d2543580901 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 4 Apr 2023 13:02:49 +0200 +Subject: ACPI: video: Add acpi_backlight=video quirk for Lenovo ThinkPad W530 + +From: Hans de Goede + +commit a5b2781dcab2c77979a4b8adda781d2543580901 upstream. + +The Lenovo ThinkPad W530 uses a nvidia k1000m GPU. When this gets used +together with one of the older nvidia binary driver series (the latest +series does not support it), then backlight control does not work. + +This is caused by commit 3dbc80a3e4c5 ("ACPI: video: Make backlight +class device registration a separate step (v2)") combined with +commit 5aa9d943e9b6 ("ACPI: video: Don't enable fallback path for +creating ACPI backlight by default"). + +After these changes the acpi_video# backlight device is only registered +when requested by a GPU driver calling acpi_video_register_backlight() +which the nvidia binary driver does not do. + +I realize that using the nvidia binary driver is not a supported use-case +and users can workaround this by adding acpi_backlight=video on the kernel +commandline, but the ThinkPad W530 is a popular model under Linux users, +so it seems worthwhile to add a quirk for this. + +I will also email Nvidia asking them to make the driver call +acpi_video_register_backlight() when an internal LCD panel is detected. +So maybe the next maintenance release of the drivers will fix this... + +Fixes: 5aa9d943e9b6 ("ACPI: video: Don't enable fallback path for creating ACPI backlight by default") +Cc: All applicable +Reviewed-by: Mario Limonciello +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/video_detect.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -300,6 +300,20 @@ static const struct dmi_system_id video_ + }, + + /* ++ * Older models with nvidia GPU which need acpi_video backlight ++ * control and where the old nvidia binary driver series does not ++ * call acpi_video_register_backlight(). ++ */ ++ { ++ .callback = video_detect_force_video, ++ /* ThinkPad W530 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad W530"), ++ }, ++ }, ++ ++ /* + * These models have a working acpi_video backlight control, and using + * native backlight causes a regression where backlight does not work + * when userspace is not handling brightness key events. Disable diff --git a/queue-6.2/acpi-video-add-auto_detect-arg-to-__acpi_video_get_backlight_type.patch b/queue-6.2/acpi-video-add-auto_detect-arg-to-__acpi_video_get_backlight_type.patch new file mode 100644 index 00000000000..59b43379936 --- /dev/null +++ b/queue-6.2/acpi-video-add-auto_detect-arg-to-__acpi_video_get_backlight_type.patch 
@@ -0,0 +1,110 @@ +From 78dfc9d1d1abb9e400386fa9c5724a8f7d75e3b9 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 4 Apr 2023 13:02:46 +0200 +Subject: ACPI: video: Add auto_detect arg to __acpi_video_get_backlight_type() + +From: Hans de Goede + +commit 78dfc9d1d1abb9e400386fa9c5724a8f7d75e3b9 upstream. + +Allow callers of __acpi_video_get_backlight_type() to pass a pointer +to a bool which will get set to false if the backlight-type comes from +the cmdline or a DMI quirk and set to true if auto-detection was used. + +And make __acpi_video_get_backlight_type() non static so that it can +be called directly outside of video_detect.c . + +While at it turn the acpi_video_get_backlight_type() and +acpi_video_backlight_use_native() wrappers into static inline functions +in include/acpi/video.h, so that we need to export one less symbol. + +Fixes: 5aa9d943e9b6 ("ACPI: video: Don't enable fallback path for creating ACPI backlight by default") +Cc: All applicable +Reviewed-by: Mario Limonciello +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/video_detect.c | 21 ++++++++------------- + include/acpi/video.h | 15 +++++++++++++-- + 2 files changed, 21 insertions(+), 15 deletions(-) + +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -774,7 +774,7 @@ static bool prefer_native_over_acpi_vide + * Determine which type of backlight interface to use on this system, + * First check cmdline, then dmi quirks, then do autodetect. 
+ */ +-static enum acpi_backlight_type __acpi_video_get_backlight_type(bool native) ++enum acpi_backlight_type __acpi_video_get_backlight_type(bool native, bool *auto_detect) + { + static DEFINE_MUTEX(init_mutex); + static bool nvidia_wmi_ec_present; +@@ -799,6 +799,9 @@ static enum acpi_backlight_type __acpi_v + native_available = true; + mutex_unlock(&init_mutex); + ++ if (auto_detect) ++ *auto_detect = false; ++ + /* + * The below heuristics / detection steps are in order of descending + * presedence. The commandline takes presedence over anything else. +@@ -810,6 +813,9 @@ static enum acpi_backlight_type __acpi_v + if (acpi_backlight_dmi != acpi_backlight_undef) + return acpi_backlight_dmi; + ++ if (auto_detect) ++ *auto_detect = true; ++ + /* Special cases such as nvidia_wmi_ec and apple gmux. */ + if (nvidia_wmi_ec_present) + return acpi_backlight_nvidia_wmi_ec; +@@ -829,15 +835,4 @@ static enum acpi_backlight_type __acpi_v + /* No ACPI video/native (old hw), use vendor specific fw methods. */ + return acpi_backlight_vendor; + } +- +-enum acpi_backlight_type acpi_video_get_backlight_type(void) +-{ +- return __acpi_video_get_backlight_type(false); +-} +-EXPORT_SYMBOL(acpi_video_get_backlight_type); +- +-bool acpi_video_backlight_use_native(void) +-{ +- return __acpi_video_get_backlight_type(true) == acpi_backlight_native; +-} +-EXPORT_SYMBOL(acpi_video_backlight_use_native); ++EXPORT_SYMBOL(__acpi_video_get_backlight_type); +--- a/include/acpi/video.h ++++ b/include/acpi/video.h +@@ -59,8 +59,6 @@ extern void acpi_video_unregister(void); + extern void acpi_video_register_backlight(void); + extern int acpi_video_get_edid(struct acpi_device *device, int type, + int device_id, void **edid); +-extern enum acpi_backlight_type acpi_video_get_backlight_type(void); +-extern bool acpi_video_backlight_use_native(void); + /* + * Note: The value returned by acpi_video_handles_brightness_key_presses() + * may change over time and should not be cached. 
+@@ -69,6 +67,19 @@ extern bool acpi_video_handles_brightnes + extern int acpi_video_get_levels(struct acpi_device *device, + struct acpi_video_device_brightness **dev_br, + int *pmax_level); ++ ++extern enum acpi_backlight_type __acpi_video_get_backlight_type(bool native, ++ bool *auto_detect); ++ ++static inline enum acpi_backlight_type acpi_video_get_backlight_type(void) ++{ ++ return __acpi_video_get_backlight_type(false, NULL); ++} ++ ++static inline bool acpi_video_backlight_use_native(void) ++{ ++ return __acpi_video_get_backlight_type(true, NULL) == acpi_backlight_native; ++} + #else + static inline void acpi_video_report_nolcd(void) { return; }; + static inline int acpi_video_register(void) { return -ENODEV; } diff --git a/queue-6.2/acpi-video-make-acpi_backlight-video-work-independent-from-gpu-driver.patch b/queue-6.2/acpi-video-make-acpi_backlight-video-work-independent-from-gpu-driver.patch new file mode 100644 index 00000000000..a756f0a30b6 --- /dev/null +++ b/queue-6.2/acpi-video-make-acpi_backlight-video-work-independent-from-gpu-driver.patch 
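Review bot: The new `auto_detect` out-parameter of `__acpi_video_get_backlight_type()` is explained only in the commit message; the extern added to include/acpi/video.h in the second hunk carries no comment, so users of the now-exported symbol have to read video_detect.c to learn that it may be NULL and what true/false mean. A comment on that declaration along the lines of `/* auto_detect: optional; set to false when the type came from the cmdline or a DMI quirk, true when auto-detection decided */` would pin the contract, and it is the write order in the first hunk (false before the cmdline/DMI checks, true after them) that makes every visible return path leave it set. The #else stubs for acpi_video_get_backlight_type() and acpi_video_backlight_use_native() are outside the hunk, so I assume they are unchanged.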
@@ -0,0 +1,76 @@ +From e506731c8f35699d746c615164ed620cd53c00ca Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 4 Apr 2023 13:02:47 +0200 +Subject: ACPI: video: Make acpi_backlight=video work independent from GPU driver + +From: Hans de Goede + +commit e506731c8f35699d746c615164ed620cd53c00ca upstream. + +Commit 3dbc80a3e4c5 ("ACPI: video: Make backlight class device +registration a separate step (v2)") combined with +commit 5aa9d943e9b6 ("ACPI: video: Don't enable fallback path for +creating ACPI backlight by default") + +Means that the video.ko code now fully depends on the GPU driver calling +acpi_video_register_backlight() for the acpi_video# backlight class +devices to get registered. + +This means that if the GPU driver does not do this, acpi_backlight=video +on the cmdline, or DMI quirks for selecting acpi_video# will not work. + +This is a problem on for example Apple iMac14,1 all-in-ones where +the monitor's LCD panel shows up as a regular DP connection instead of +eDP so the GPU driver will not call acpi_video_register_backlight() [1]. + +Fix this by making video.ko directly register the acpi_video# devices +when these have been explicitly requested either on the cmdline or +through DMI quirks (rather then auto-detection being used). + +[1] GPU drivers only call acpi_video_register_backlight() when an internal +panel is detected, to avoid non working acpi_video# devices getting +registered on desktops which unfortunately is a real issue. + +Fixes: 5aa9d943e9b6 ("ACPI: video: Don't enable fallback path for creating ACPI backlight by default") +Cc: All applicable +Reviewed-by: Mario Limonciello +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpi_video.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/acpi/acpi_video.c ++++ b/drivers/acpi/acpi_video.c +@@ -1984,6 +1984,7 @@ static int instance; + static int acpi_video_bus_add(struct acpi_device *device) + { + struct acpi_video_bus *video; ++ bool auto_detect; + int error; + acpi_status status; + +@@ -2045,10 +2046,20 @@ static int acpi_video_bus_add(struct acp + mutex_unlock(&video_list_lock); + + /* +- * The userspace visible backlight_device gets registered separately +- * from acpi_video_register_backlight(). ++ * If backlight-type auto-detection is used then a native backlight may ++ * show up later and this may change the result from video to native. ++ * Therefor normally the userspace visible /sys/class/backlight device ++ * gets registered separately by the GPU driver calling ++ * acpi_video_register_backlight() when an internal panel is detected. ++ * Register the backlight now when not using auto-detection, so that ++ * when the kernel cmdline or DMI-quirks are used the backlight will ++ * get registered even if acpi_video_register_backlight() is not called. + */ + acpi_video_run_bcl_for_osi(video); ++ if (__acpi_video_get_backlight_type(false, &auto_detect) == acpi_backlight_video && ++ !auto_detect) ++ acpi_video_bus_register_backlight(video); ++ + acpi_video_bus_add_notify_handler(video); + + return 0; diff --git a/queue-6.2/asoc-hdac_hdmi-use-set_stream-instead-of-set_tdm_slots.patch b/queue-6.2/asoc-hdac_hdmi-use-set_stream-instead-of-set_tdm_slots.patch new file mode 100644 index 00000000000..aa2a9466394 --- /dev/null +++ b/queue-6.2/asoc-hdac_hdmi-use-set_stream-instead-of-set_tdm_slots.patch 
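Review bot: The return value of the new `acpi_video_bus_register_backlight(video)` call at the end of acpi_video_bus_add() is discarded; its definition is outside the hunk, but if it can report an error that failure is now silent in this path, so a `dev_warn()` on a non-zero return would at least make it visible without failing bus_add() over it. The new comment also spells `Therefor`, which should be `Therefore`. The `bool auto_detect` local relies on the callee always writing it before returning acpi_backlight_video, which the companion patch in this series does; a comment such as `/* written by __acpi_video_get_backlight_type() */` next to the declaration would make that dependency explicit.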
@@ -0,0 +1,69 @@ +From f6887a71bdd2f0dcba9b8180dd2223cfa8637e85 Mon Sep 17 00:00:00 2001 +From: Jason Montleon +Date: Fri, 24 Mar 2023 13:07:11 -0400 +Subject: ASoC: hdac_hdmi: use set_stream() instead of set_tdm_slots() + +From: Jason Montleon + +commit f6887a71bdd2f0dcba9b8180dd2223cfa8637e85 upstream. + +hdac_hdmi was not updated to use set_stream() instead of set_tdm_slots() +in the original commit so HDMI no longer produces audio. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/regressions/CAJD_bPKQdtaExvVEKxhQ47G-ZXDA=k+gzhMJRHLBe=mysPnuKA@mail.gmail.com/ +Fixes: 636110411ca7 ("ASoC: Intel/SOF: use set_stream() instead of set_tdm_slots() for HDAudio") +Signed-off-by: Jason Montleon +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20230324170711.2526-1-jmontleo@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/hdac_hdmi.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/sound/soc/codecs/hdac_hdmi.c ++++ b/sound/soc/codecs/hdac_hdmi.c +@@ -436,23 +436,28 @@ static int hdac_hdmi_setup_audio_infofra + return 0; + } + +-static int hdac_hdmi_set_tdm_slot(struct snd_soc_dai *dai, +- unsigned int tx_mask, unsigned int rx_mask, +- int slots, int slot_width) ++static int hdac_hdmi_set_stream(struct snd_soc_dai *dai, ++ void *stream, int direction) + { + struct hdac_hdmi_priv *hdmi = snd_soc_dai_get_drvdata(dai); + struct hdac_device *hdev = hdmi->hdev; + struct hdac_hdmi_dai_port_map *dai_map; + struct hdac_hdmi_pcm *pcm; ++ struct hdac_stream *hstream; + +- dev_dbg(&hdev->dev, "%s: strm_tag: %d\n", __func__, tx_mask); ++ if (!stream) ++ return -EINVAL; ++ ++ hstream = (struct hdac_stream *)stream; ++ ++ dev_dbg(&hdev->dev, "%s: strm_tag: %d\n", __func__, hstream->stream_tag); + + dai_map = &hdmi->dai_map[dai->id]; + + pcm = hdac_hdmi_get_pcm_from_cvt(hdmi, dai_map->cvt); + + if (pcm) +- pcm->stream_tag = (tx_mask << 4); ++ pcm->stream_tag = 
(hstream->stream_tag << 4); + + return 0; + } +@@ -1544,7 +1549,7 @@ static const struct snd_soc_dai_ops hdmi + .startup = hdac_hdmi_pcm_open, + .shutdown = hdac_hdmi_pcm_close, + .hw_params = hdac_hdmi_set_hw_params, +- .set_tdm_slot = hdac_hdmi_set_tdm_slot, ++ .set_stream = hdac_hdmi_set_stream, + }; + + /* diff --git a/queue-6.2/asoc-sof-avoid-a-null-dereference-with-unsupported-widgets.patch b/queue-6.2/asoc-sof-avoid-a-null-dereference-with-unsupported-widgets.patch new file mode 100644 index 00000000000..ab51a012853 --- /dev/null +++ b/queue-6.2/asoc-sof-avoid-a-null-dereference-with-unsupported-widgets.patch 
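Review bot: The `hstream = (struct hdac_stream *)stream;` line in hdac_hdmi_set_stream() casts a `void *`, which C converts implicitly; `hstream = stream;` reads cleaner and lets the compiler complain if the parameter type ever changes. The `direction` argument is accepted but never used, which is acceptable for an ops callback but deserves a short comment such as `/* direction unused */` so a reader does not look for a missing playback/capture branch. The `%d` in the dev_dbg() is only correct if `stream_tag` is an integer type no wider than int; struct hdac_stream is defined outside the hunk, so I cannot confirm that here.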
@@ -0,0 +1,40 @@
+From e3720f92e0237921da537e47a0b24e27899203f8 Mon Sep 17 00:00:00 2001
+From: Guennadi Liakhovetski
+Date: Wed, 29 Mar 2023 14:38:28 +0300
+Subject: ASoC: SOF: avoid a NULL dereference with unsupported widgets
+
+From: Guennadi Liakhovetski
+
+commit e3720f92e0237921da537e47a0b24e27899203f8 upstream.
+
+If an IPC4 topology contains an unsupported widget, its .module_info
+field won't be set, then sof_ipc4_route_setup() will cause a kernel
+Oops trying to dereference it. Add a check for such cases.
+
+Cc: stable@vger.kernel.org # 6.2
+Signed-off-by: Guennadi Liakhovetski
+Signed-off-by: Peter Ujfalusi
+Link: https://lore.kernel.org/r/20230329113828.28562-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/sof/ipc4-topology.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/sound/soc/sof/ipc4-topology.c
++++ b/sound/soc/sof/ipc4-topology.c
+@@ -1686,6 +1686,14 @@ static int sof_ipc4_route_setup(struct s
+ u32 header, extension;
+ int ret;
+
++ if (!src_fw_module || !sink_fw_module) {
++ /* The NULL module will print as "(efault)" */
++ dev_err(sdev->dev, "source %s or sink %s widget weren't set up properly\n",
++ src_fw_module->man4_module_entry.name,
++ sink_fw_module->man4_module_entry.name);
++ return -ENODEV;
++ }
++
+ sroute->src_queue_id = sof_ipc4_get_queue_id(src_widget, sink_widget,
+ SOF_PIN_TYPE_SOURCE);
+ if (sroute->src_queue_id < 0) {
diff --git a/queue-6.2/can-isotp-fix-race-between-isotp_sendsmg-and-isotp_release.patch b/queue-6.2/can-isotp-fix-race-between-isotp_sendsmg-and-isotp_release.patch
new file mode 100644
index 00000000000..bf737dc23ee
--- /dev/null
+++ b/queue-6.2/can-isotp-fix-race-between-isotp_sendsmg-and-isotp_release.patch
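Review bot: The new guard in sof_ipc4_route_setup() tests `!src_fw_module || !sink_fw_module` and then, inside the same block, evaluates `src_fw_module->man4_module_entry.name` and `sink_fw_module->man4_module_entry.name` for the dev_err(); for whichever pointer is NULL that is arithmetic on a null pointer, which C leaves undefined, and the "(efault)" output the comment relies on is a printk convenience rather than a language guarantee. Printing something known to be valid on this path avoids the hazard — assuming the DAPM widget names are reachable as `widget->name` from the sroute's widgets, as elsewhere in this file, that would be `dev_err(sdev->dev, "source %s or sink %s widget weren't set up properly\n", src_widget->widget->name, sink_widget->widget->name);`. The rest of the function is outside the hunk.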
@@ -0,0 +1,162 @@ +From 051737439eaee5bdd03d3c2ef5510d54a478fd05 Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Fri, 31 Mar 2023 15:19:35 +0200 +Subject: can: isotp: fix race between isotp_sendsmg() and isotp_release() + +From: Oliver Hartkopp + +commit 051737439eaee5bdd03d3c2ef5510d54a478fd05 upstream. + +As discussed with Dae R. Jeong and Hillf Danton here [1] the sendmsg() +function in isotp.c might get into a race condition when restoring the +former tx.state from the old_state. + +Remove the old_state concept and implement proper locking for the +ISOTP_IDLE transitions in isotp_sendmsg(), inspired by a +simplification idea from Hillf Danton. + +Introduce a new tx.state ISOTP_SHUTDOWN and use the same locking +mechanism from isotp_release() which resolves a potential race between +isotp_sendsmg() and isotp_release(). + +[1] https://lore.kernel.org/linux-can/ZB%2F93xJxq%2FBUqAgG@dragonet + +v1: https://lore.kernel.org/all/20230331102114.15164-1-socketcan@hartkopp.net +v2: https://lore.kernel.org/all/20230331123600.3550-1-socketcan@hartkopp.net + take care of signal interrupts for wait_event_interruptible() in + isotp_release() +v3: https://lore.kernel.org/all/20230331130654.9886-1-socketcan@hartkopp.net + take care of signal interrupts for wait_event_interruptible() in + isotp_sendmsg() in the wait_tx_done case +v4: https://lore.kernel.org/all/20230331131935.21465-1-socketcan@hartkopp.net + take care of signal interrupts for wait_event_interruptible() in + isotp_sendmsg() in ALL cases + +Cc: Dae R. 
Jeong +Cc: Hillf Danton +Signed-off-by: Oliver Hartkopp +Fixes: 4f027cba8216 ("can: isotp: split tx timer into transmission and timeout") +Link: https://lore.kernel.org/all/20230331131935.21465-1-socketcan@hartkopp.net +Cc: stable@vger.kernel.org +[mkl: rephrase commit message] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/isotp.c | 55 +++++++++++++++++++++++++++++++------------------------ + 1 file changed, 31 insertions(+), 24 deletions(-) + +--- a/net/can/isotp.c ++++ b/net/can/isotp.c +@@ -119,7 +119,8 @@ enum { + ISOTP_WAIT_FIRST_FC, + ISOTP_WAIT_FC, + ISOTP_WAIT_DATA, +- ISOTP_SENDING ++ ISOTP_SENDING, ++ ISOTP_SHUTDOWN, + }; + + struct tpcon { +@@ -880,8 +881,8 @@ static enum hrtimer_restart isotp_tx_tim + txtimer); + struct sock *sk = &so->sk; + +- /* don't handle timeouts in IDLE state */ +- if (so->tx.state == ISOTP_IDLE) ++ /* don't handle timeouts in IDLE or SHUTDOWN state */ ++ if (so->tx.state == ISOTP_IDLE || so->tx.state == ISOTP_SHUTDOWN) + return HRTIMER_NORESTART; + + /* we did not get any flow control or echo frame in time */ +@@ -918,7 +919,6 @@ static int isotp_sendmsg(struct socket * + { + struct sock *sk = sock->sk; + struct isotp_sock *so = isotp_sk(sk); +- u32 old_state = so->tx.state; + struct sk_buff *skb; + struct net_device *dev; + struct canfd_frame *cf; +@@ -928,23 +928,24 @@ static int isotp_sendmsg(struct socket * + int off; + int err; + +- if (!so->bound) ++ if (!so->bound || so->tx.state == ISOTP_SHUTDOWN) + return -EADDRNOTAVAIL; + ++wait_free_buffer: + /* we do not support multiple buffers - for now */ +- if (cmpxchg(&so->tx.state, ISOTP_IDLE, ISOTP_SENDING) != ISOTP_IDLE || +- wq_has_sleeper(&so->wait)) { +- if (msg->msg_flags & MSG_DONTWAIT) { +- err = -EAGAIN; +- goto err_out; +- } ++ if (wq_has_sleeper(&so->wait) && (msg->msg_flags & MSG_DONTWAIT)) ++ return -EAGAIN; + +- /* wait for complete transmission of current pdu */ +- err = wait_event_interruptible(so->wait, so->tx.state == 
ISOTP_IDLE); +- if (err) +- goto err_out; ++ /* wait for complete transmission of current pdu */ ++ err = wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE); ++ if (err) ++ goto err_event_drop; ++ ++ if (cmpxchg(&so->tx.state, ISOTP_IDLE, ISOTP_SENDING) != ISOTP_IDLE) { ++ if (so->tx.state == ISOTP_SHUTDOWN) ++ return -EADDRNOTAVAIL; + +- so->tx.state = ISOTP_SENDING; ++ goto wait_free_buffer; + } + + if (!size || size > MAX_MSG_LENGTH) { +@@ -1074,7 +1075,9 @@ static int isotp_sendmsg(struct socket * + + if (wait_tx_done) { + /* wait for complete transmission of current pdu */ +- wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE); ++ err = wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE); ++ if (err) ++ goto err_event_drop; + + if (sk->sk_err) + return -sk->sk_err; +@@ -1082,13 +1085,15 @@ static int isotp_sendmsg(struct socket * + + return size; + ++err_event_drop: ++ /* got signal: force tx state machine to be idle */ ++ so->tx.state = ISOTP_IDLE; ++ hrtimer_cancel(&so->txfrtimer); ++ hrtimer_cancel(&so->txtimer); + err_out_drop: + /* drop this PDU and unlock a potential wait queue */ +- old_state = ISOTP_IDLE; +-err_out: +- so->tx.state = old_state; +- if (so->tx.state == ISOTP_IDLE) +- wake_up_interruptible(&so->wait); ++ so->tx.state = ISOTP_IDLE; ++ wake_up_interruptible(&so->wait); + + return err; + } +@@ -1150,10 +1155,12 @@ static int isotp_release(struct socket * + net = sock_net(sk); + + /* wait for complete transmission of current pdu */ +- wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE); ++ while (wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE) == 0 && ++ cmpxchg(&so->tx.state, ISOTP_IDLE, ISOTP_SHUTDOWN) != ISOTP_IDLE) ++ ; + + /* force state machines to be idle also when a signal occurred */ +- so->tx.state = ISOTP_IDLE; ++ so->tx.state = ISOTP_SHUTDOWN; + so->rx.state = ISOTP_IDLE; + + spin_lock(&isotp_notifier_lock); 
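Review bot: The non-blocking path of isotp_sendmsg() regresses in the new `wait_free_buffer` block: -EAGAIN is returned only when `wq_has_sleeper(&so->wait)` is true, so a caller with MSG_DONTWAIT that finds tx.state == ISOTP_SENDING with nobody else sleeping falls through to wait_event_interruptible() and blocks, whereas the removed code returned -EAGAIN whenever the cmpxchg failed. The sleeper test also couples this to the isotp_poll() added in the next patch file, which calls poll_wait() on the same `so->wait`, so a thread merely polling the socket makes a non-blocking send fail with -EAGAIN even while tx.state is idle. A second problem is the new `err_event_drop` label: a waiter that takes a signal while another sender owns ISOTP_SENDING jumps there, forces tx.state to ISOTP_IDLE and cancels both timers, tearing down the other sender's PDU unless something outside the hunk serialises senders. Deciding on the cmpxchg result instead of on sleepers, and returning straight from the pre-ownership wait without touching the state, addresses all three points; isotp_sendmsg() continues past the hunk.
```c
wait_free_buffer:
	/* we do not support multiple buffers - for now */
	if (cmpxchg(&so->tx.state, ISOTP_IDLE, ISOTP_SENDING) != ISOTP_IDLE) {
		if (so->tx.state == ISOTP_SHUTDOWN)
			return -EADDRNOTAVAIL;

		if (msg->msg_flags & MSG_DONTWAIT)
			return -EAGAIN;

		/* wait for complete transmission of current pdu */
		err = wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE);
		if (err)
			return err;	/* we own nothing yet: leave tx.state and timers alone */

		goto wait_free_buffer;
	}
	/* … unchanged: size check, frame setup, wait_tx_done path, error labels … */
```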
diff --git a/queue-6.2/can-isotp-isotp_ops-fix-poll-to-not-report-false-epollout-events.patch b/queue-6.2/can-isotp-isotp_ops-fix-poll-to-not-report-false-epollout-events.patch
new file mode 100644
index 00000000000..2f595292ae3
--- /dev/null
+++ b/queue-6.2/can-isotp-isotp_ops-fix-poll-to-not-report-false-epollout-events.patch
@@ -0,0 +1,71 @@ +From 79e19fa79cb5d5f1b3bf3e3ae24989ccb93c7b7b Mon Sep 17 00:00:00 2001 +From: Michal Sojka +Date: Fri, 31 Mar 2023 14:55:11 +0200 +Subject: can: isotp: isotp_ops: fix poll() to not report false EPOLLOUT events + +From: Michal Sojka + +commit 79e19fa79cb5d5f1b3bf3e3ae24989ccb93c7b7b upstream. + +When using select()/poll()/epoll() with a non-blocking ISOTP socket to +wait for when non-blocking write is possible, a false EPOLLOUT event +is sometimes returned. This can happen at least after sending a +message which must be split to multiple CAN frames. + +The reason is that isotp_sendmsg() returns -EAGAIN when tx.state is +not equal to ISOTP_IDLE and this behavior is not reflected in +datagram_poll(), which is used in isotp_ops. + +This is fixed by introducing ISOTP-specific poll function, which +suppresses the EPOLLOUT events in that case. + +v2: https://lore.kernel.org/all/20230302092812.320643-1-michal.sojka@cvut.cz +v1: https://lore.kernel.org/all/20230224010659.48420-1-michal.sojka@cvut.cz + https://lore.kernel.org/all/b53a04a2-ba1f-3858-84c1-d3eb3301ae15@hartkopp.net + +Signed-off-by: Michal Sojka +Reported-by: Jakub Jira +Tested-by: Oliver Hartkopp +Acked-by: Oliver Hartkopp +Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") +Link: https://lore.kernel.org/all/20230331125511.372783-1-michal.sojka@cvut.cz +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/isotp.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/net/can/isotp.c ++++ b/net/can/isotp.c +@@ -1615,6 +1615,21 @@ static int isotp_init(struct sock *sk) + return 0; + } + ++static __poll_t isotp_poll(struct file *file, struct socket *sock, poll_table *wait) ++{ ++ struct sock *sk = sock->sk; ++ struct isotp_sock *so = isotp_sk(sk); ++ ++ __poll_t mask = datagram_poll(file, sock, wait); ++ poll_wait(file, &so->wait, wait); ++ ++ /* Check for false positives due to TX state */ ++ 
if ((mask & EPOLLWRNORM) && (so->tx.state != ISOTP_IDLE)) ++ mask &= ~(EPOLLOUT | EPOLLWRNORM); ++ ++ return mask; ++} ++ + static int isotp_sock_no_ioctlcmd(struct socket *sock, unsigned int cmd, + unsigned long arg) + { +@@ -1630,7 +1645,7 @@ static const struct proto_ops isotp_ops + .socketpair = sock_no_socketpair, + .accept = sock_no_accept, + .getname = isotp_getname, +- .poll = datagram_poll, ++ .poll = isotp_poll, + .ioctl = isotp_sock_no_ioctlcmd, + .gettstamp = sock_gettstamp, + .listen = sock_no_listen, diff --git a/queue-6.2/can-isotp-isotp_recvmsg-use-sock_recv_cmsgs-to-get-sock_rxq_ovfl-infos.patch b/queue-6.2/can-isotp-isotp_recvmsg-use-sock_recv_cmsgs-to-get-sock_rxq_ovfl-infos.patch new file mode 100644 index 00000000000..5168946fa51 --- /dev/null +++ b/queue-6.2/can-isotp-isotp_recvmsg-use-sock_recv_cmsgs-to-get-sock_rxq_ovfl-infos.patch @@ -0,0 +1,33 @@ +From 0145462fc802cd447ef5d029758043c7f15b4b1e Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Thu, 30 Mar 2023 19:02:48 +0200 +Subject: can: isotp: isotp_recvmsg(): use sock_recv_cmsgs() to get SOCK_RXQ_OVFL infos + +From: Oliver Hartkopp + +commit 0145462fc802cd447ef5d029758043c7f15b4b1e upstream. + +isotp.c was still using sock_recv_timestamp() which does not provide +control messages to detect dropped PDUs in the receive path. + +Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") +Signed-off-by: Oliver Hartkopp +Link: https://lore.kernel.org/all/20230330170248.62342-1-socketcan@hartkopp.net +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/isotp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/can/isotp.c ++++ b/net/can/isotp.c +@@ -1125,7 +1125,7 @@ static int isotp_recvmsg(struct socket * + if (ret < 0) + goto out_err; + +- sock_recv_timestamp(msg, sk, skb); ++ sock_recv_cmsgs(msg, sk, skb); + + if (msg->msg_name) { + __sockaddr_check_size(ISOTP_MIN_NAMELEN); 
diff --git a/queue-6.2/can-j1939-j1939_tp_tx_dat_new-fix-out-of-bounds-memory-access.patch b/queue-6.2/can-j1939-j1939_tp_tx_dat_new-fix-out-of-bounds-memory-access.patch
new file mode 100644
index 00000000000..0f2cf2cd007
--- /dev/null
+++ b/queue-6.2/can-j1939-j1939_tp_tx_dat_new-fix-out-of-bounds-memory-access.patch
@@ -0,0 +1,53 @@ +From b45193cb4df556fe6251b285a5ce44046dd36b4a Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Tue, 4 Apr 2023 09:31:28 +0200 +Subject: can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access + +From: Oleksij Rempel + +commit b45193cb4df556fe6251b285a5ce44046dd36b4a upstream. + +In the j1939_tp_tx_dat_new() function, an out-of-bounds memory access +could occur during the memcpy() operation if the size of skb->cb is +larger than the size of struct j1939_sk_buff_cb. This is because the +memcpy() operation uses the size of skb->cb, leading to a read beyond +the struct j1939_sk_buff_cb. + +Updated the memcpy() operation to use the size of struct +j1939_sk_buff_cb instead of the size of skb->cb. This ensures that the +memcpy() operation only reads the memory within the bounds of struct +j1939_sk_buff_cb, preventing out-of-bounds memory access. + +Additionally, add a BUILD_BUG_ON() to check that the size of skb->cb +is greater than or equal to the size of struct j1939_sk_buff_cb. This +ensures that the skb->cb buffer is large enough to hold the +j1939_sk_buff_cb structure. 
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Reported-by: Shuangpeng Bai
+Tested-by: Shuangpeng Bai
+Signed-off-by: Oleksij Rempel
+Link: https://groups.google.com/g/syzkaller/c/G_LL-C3plRs/m/-8xCi6dCAgAJ
+Link: https://lore.kernel.org/all/20230404073128.3173900-1-o.rempel@pengutronix.de
+Cc: stable@vger.kernel.org
+[mkl: rephrase commit message]
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/can/j1939/transport.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -604,7 +604,10 @@ sk_buff *j1939_tp_tx_dat_new(struct j193
+ /* reserve CAN header */
+ skb_reserve(skb, offsetof(struct can_frame, data));
+
+- memcpy(skb->cb, re_skcb, sizeof(skb->cb));
++ /* skb->cb must be large enough to hold a j1939_sk_buff_cb structure */
++ BUILD_BUG_ON(sizeof(skb->cb) < sizeof(*re_skcb));
++
++ memcpy(skb->cb, re_skcb, sizeof(*re_skcb));
+ skcb = j1939_skb_to_cb(skb);
+ if (swap_src_dst)
+ j1939_skbcb_swap(skcb);
diff --git a/queue-6.2/fs-drop-peer-group-ids-under-namespace-lock.patch b/queue-6.2/fs-drop-peer-group-ids-under-namespace-lock.patch
new file mode 100644
index 00000000000..aa4a39dbb5b
--- /dev/null
+++ b/queue-6.2/fs-drop-peer-group-ids-under-namespace-lock.patch
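Review bot: The new comment in j1939_tp_tx_dat_new() explains the BUILD_BUG_ON() but not the memcpy() size change next to it, which is the actual fix; from the code alone a reader cannot see why `sizeof(*re_skcb)` rather than `sizeof(skb->cb)` matters. Extending it to `/* re_skcb may be a bare j1939_sk_buff_cb rather than a full skb->cb, so copy only the struct; skb->cb must still be large enough to hold it */` keeps the reasoning from the commit message (the old size read past the struct) with the code. The function starts and ends outside the hunk.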
@@ -0,0 +1,37 @@
+From cb2239c198ad9fbd5aced22cf93e45562da781eb Mon Sep 17 00:00:00 2001
+From: Christian Brauner
+Date: Thu, 30 Mar 2023 09:13:16 +0200
+Subject: fs: drop peer group ids under namespace lock
+
+From: Christian Brauner
+
+commit cb2239c198ad9fbd5aced22cf93e45562da781eb upstream.
+
+When cleaning up peer group ids in the failure path we need to make sure
+to hold on to the namespace lock. Otherwise another thread might just
+turn the mount from a shared into a non-shared mount concurrently.
+
+Link: https://lore.kernel.org/lkml/00000000000088694505f8132d77@google.com
+Fixes: 2a1867219c7b ("fs: add mount_setattr()")
+Reported-by: syzbot+8ac3859139c685c4f597@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org # 5.12+
+Message-Id: <20230330-vfs-mount_setattr-propagation-fix-v1-1-37548d91533b@kernel.org>
+Signed-off-by: Christian Brauner
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -4286,9 +4286,9 @@ out:
+ unlock_mount_hash();
+
+ if (kattr->propagation) {
+- namespace_unlock();
+ if (err)
+ cleanup_group_ids(mnt, NULL);
++ namespace_unlock();
+ }
+
+ return err;
diff --git a/queue-6.2/ftrace-fix-issue-that-direct-addr-not-restored-in-modify_ftrace_direct.patch b/queue-6.2/ftrace-fix-issue-that-direct-addr-not-restored-in-modify_ftrace_direct.patch
new file mode 100644
index 00000000000..895242910eb
--- /dev/null
+++ b/queue-6.2/ftrace-fix-issue-that-direct-addr-not-restored-in-modify_ftrace_direct.patch
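Review bot: The moved `namespace_unlock();` now correctly covers `cleanup_group_ids()`, but nothing in the code says why the lock must still be held at that point, so a later refactor could move the unlock back above the cleanup without noticing. A comment on the `if (err)` line would pin the invariant: `/* must run under namespace_lock(): the mount could otherwise be switched from shared to non-shared concurrently */`. The function body starts before the hunk; the `out:` label is its only visible anchor.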
@@ -0,0 +1,56 @@
+From 2a2d8c51defb446e8d89a83f42f8e5cd529111e9 Mon Sep 17 00:00:00 2001
+From: Zheng Yejian
+Date: Thu, 30 Mar 2023 10:52:23 +0800
+Subject: ftrace: Fix issue that 'direct->addr' not restored in modify_ftrace_direct()
+
+From: Zheng Yejian
+
+commit 2a2d8c51defb446e8d89a83f42f8e5cd529111e9 upstream.
+
+Syzkaller report a WARNING: "WARN_ON(!direct)" in modify_ftrace_direct().
+
+Root cause is 'direct->addr' was changed from 'old_addr' to 'new_addr' but
+not restored if error happened on calling ftrace_modify_direct_caller().
+Then it can no longer find 'direct' by that 'old_addr'.
+
+To fix it, restore 'direct->addr' to 'old_addr' explicitly in error path.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230330025223.1046087-1-zhengyejian1@huawei.com
+
+Cc: stable@vger.kernel.org
+Cc:
+Cc:
+Cc:
+Cc:
+Fixes: 8a141dd7f706 ("ftrace: Fix modify_ftrace_direct.")
+Signed-off-by: Zheng Yejian
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/ftrace.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -5568,12 +5568,15 @@ int modify_ftrace_direct(unsigned long i
+ ret = 0;
+ }
+
+- if (unlikely(ret && new_direct)) {
+- direct->count++;
+- list_del_rcu(&new_direct->next);
+- synchronize_rcu_tasks();
+- kfree(new_direct);
+- ftrace_direct_func_count--;
++ if (ret) {
++ direct->addr = old_addr;
++ if (unlikely(new_direct)) {
++ direct->count++;
++ list_del_rcu(&new_direct->next);
++ synchronize_rcu_tasks();
++ kfree(new_direct);
++ ftrace_direct_func_count--;
++ }
+ }
+
+ out_unlock:
diff --git a/queue-6.2/ftrace-mark-get_lock_parent_ip-__always_inline.patch b/queue-6.2/ftrace-mark-get_lock_parent_ip-__always_inline.patch
new file mode 100644
index 00000000000..6c0a5a97879
--- /dev/null
+++ b/queue-6.2/ftrace-mark-get_lock_parent_ip-__always_inline.patch
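Review bot: The restore `direct->addr = old_addr;` is the whole point of the fix yet carries no comment, and because the earlier rewrite of `direct->addr` happens outside the hunk, a reader of the error path has to reconstruct why the assignment is required. Suggest `/* roll back the earlier addr update so direct can still be looked up by old_addr */` directly above it. The `unlikely()` on the now-nested `new_direct` check is inside a branch that is already the error path, so it adds little; a plain `if (new_direct)` would read cleaner. modify_ftrace_direct() begins before the hunk and continues past `out_unlock:`.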
@@ -0,0 +1,37 @@
+From ea65b41807a26495ff2a73dd8b1bab2751940887 Mon Sep 17 00:00:00 2001
+From: John Keeping
+Date: Mon, 27 Mar 2023 18:36:46 +0100
+Subject: ftrace: Mark get_lock_parent_ip() __always_inline
+
+From: John Keeping
+
+commit ea65b41807a26495ff2a73dd8b1bab2751940887 upstream.
+
+If the compiler decides not to inline this function then preemption
+tracing will always show an IP inside the preemption disabling path and
+never the function actually calling preempt_{enable,disable}.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230327173647.1690849-1-john@metanate.com
+
+Cc: Masami Hiramatsu
+Cc: Mark Rutland
+Cc: stable@vger.kernel.org
+Fixes: f904f58263e1d ("sched/debug: Fix preempt_disable_ip recording for preempt_disable()")
+Signed-off-by: John Keeping
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/ftrace.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/ftrace.h
++++ b/include/linux/ftrace.h
+@@ -970,7 +970,7 @@ static inline void __ftrace_enabled_rest
+ #define CALLER_ADDR5 ((unsigned long)ftrace_return_address(5))
+ #define CALLER_ADDR6 ((unsigned long)ftrace_return_address(6))
+
+-static inline unsigned long get_lock_parent_ip(void)
++static __always_inline unsigned long get_lock_parent_ip(void)
+ {
+ unsigned long addr = CALLER_ADDR0;
+
diff --git a/queue-6.2/iommufd-check-for-uptr-overflow.patch b/queue-6.2/iommufd-check-for-uptr-overflow.patch
new file mode 100644
index 00000000000..6c574b05c74
--- /dev/null
+++ b/queue-6.2/iommufd-check-for-uptr-overflow.patch
@@ -0,0 +1,80 @@
+From e4395701330fc4aee530905039516fe770b81417 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Fri, 31 Mar 2023 12:32:24 -0300
+Subject: iommufd: Check for uptr overflow
+
+From: Jason Gunthorpe
+
+commit e4395701330fc4aee530905039516fe770b81417 upstream.
+
+syzkaller found that setting up a map with a user VA that wraps past zero
+can trigger WARN_ONs, particularly from pin_user_pages weirdly returning 0
+due to invalid arguments.
+
+Prevent creating a pages with a uptr and size that would math overflow.
+
+ WARNING: CPU: 0 PID: 518 at drivers/iommu/iommufd/pages.c:793 pfn_reader_user_pin+0x2e6/0x390
+ Modules linked in:
+ CPU: 0 PID: 518 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:pfn_reader_user_pin+0x2e6/0x390
+ Code: b1 11 e9 25 fe ff ff e8 28 e4 0f ff 31 ff 48 89 de e8 2e e6 0f ff 48 85 db 74 0a e8 14 e4 0f ff e9 4d ff ff ff e8 0a e4 0f ff <0f> 0b bb f2 ff ff ff e9 3c ff ff ff e8 f9 e3 0f ff ba 01 00 00 00
+ RSP: 0018:ffffc90000f9fa30 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff821e2b72
+ RDX: 0000000000000000 RSI: ffff888014184680 RDI: 0000000000000002
+ RBP: ffffc90000f9fa78 R08: 00000000000000ff R09: 0000000079de6f4e
+ R10: ffffc90000f9f790 R11: ffff888014185418 R12: ffffc90000f9fc60
+ R13: 0000000000000002 R14: ffff888007879800 R15: 0000000000000000
+ FS: 00007f4227555740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000020000043 CR3: 000000000e748005 CR4: 0000000000770ef0
+ PKRU: 55555554
+ Call Trace:
+
+ pfn_reader_next+0x14a/0x7b0
+ ? interval_tree_double_span_iter_update+0x11a/0x140
+ pfn_reader_first+0x140/0x1b0
+ iopt_pages_rw_slow+0x71/0x280
+ ? __this_cpu_preempt_check+0x20/0x30
+ iopt_pages_rw_access+0x2b2/0x5b0
+ iommufd_access_rw+0x19f/0x2f0
+ iommufd_test+0xd11/0x16f0
+ ? write_comp_data+0x2f/0x90
+ iommufd_fops_ioctl+0x206/0x330
+ __x64_sys_ioctl+0x10e/0x160
+ ? __pfx_iommufd_fops_ioctl+0x10/0x10
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Cc:
+Fixes: 8d160cd4d506 ("iommufd: Algorithms for PFN storage")
+Link: https://lore.kernel.org/r/1-v1-ceab6a4d7d7a+94-iommufd_syz_jgg@nvidia.com
+Reviewed-by: Kevin Tian
+Reported-by: Pengfei Xu
+Tested-by: Pengfei Xu
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/iommufd/pages.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/iommu/iommufd/pages.c
++++ b/drivers/iommu/iommufd/pages.c
+@@ -1140,6 +1140,7 @@ struct iopt_pages *iopt_alloc_pages(void
+ bool writable)
+ {
+ struct iopt_pages *pages;
++ unsigned long end;
+
+ /*
+ * The iommu API uses size_t as the length, and protect the DIV_ROUND_UP
+@@ -1148,6 +1149,9 @@ struct iopt_pages *iopt_alloc_pages(void
+ if (length > SIZE_MAX - PAGE_SIZE || length == 0)
+ return ERR_PTR(-EINVAL);
+
++ if (check_add_overflow((unsigned long)uptr, length, &end))
++ return ERR_PTR(-EOVERFLOW);
++
+ pages = kzalloc(sizeof(*pages), GFP_KERNEL_ACCOUNT);
+ if (!pages)
+ return ERR_PTR(-ENOMEM);
diff --git a/queue-6.2/iommufd-do-not-corrupt-the-pfn-list-when-doing-batch-carry.patch b/queue-6.2/iommufd-do-not-corrupt-the-pfn-list-when-doing-batch-carry.patch
new file mode 100644
index 00000000000..c57d8c0ebe6
--- /dev/null
+++ b/queue-6.2/iommufd-do-not-corrupt-the-pfn-list-when-doing-batch-carry.patch
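Review bot: `end` is declared only to receive `check_add_overflow()`'s sum and is never read afterwards, which looks like a leftover unless the reason is stated; a comment on the declaration such as `/* only a sink for check_add_overflow(); the sum itself is not needed */` would stop a later cleanup from dropping the check together with the variable. Declaring it `unsigned long` matches the `(unsigned long)uptr` cast, so the overflow test runs at the width of the user VA rather than of `size_t`, which is what the reported wrap-past-zero case needs. iopt_alloc_pages() continues beyond the hunk.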
@@ -0,0 +1,73 @@
+From 13a0d1ae7ee6b438f5537711a8c60cba00554943 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Fri, 31 Mar 2023 12:32:26 -0300
+Subject: iommufd: Do not corrupt the pfn list when doing batch carry
+
+From: Jason Gunthorpe
+
+commit 13a0d1ae7ee6b438f5537711a8c60cba00554943 upstream.
+
+If batch->end is 0 then setting npfns[0] before computing the new value of
+pfns will fail to adjust the pfn and result in various page accounting
+corruptions. It should be ordered after.
+
+This seems to result in various kinds of page meta-data corruption related
+failures:
+
+ WARNING: CPU: 1 PID: 527 at mm/gup.c:75 try_grab_folio+0x503/0x740
+ Modules linked in:
+ CPU: 1 PID: 527 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:try_grab_folio+0x503/0x740
+ Code: e3 01 48 89 de e8 6d c1 dd ff 48 85 db 0f 84 7c fe ff ff e8 4f bf dd ff 49 8d 47 ff 48 89 45 d0 e9 73 fe ff ff e8 3d bf dd ff <0f> 0b 31 db e9 d0 fc ff ff e8 2f bf dd ff 48 8b 5d c8 31 ff 48 89
+ RSP: 0018:ffffc90000f37908 EFLAGS: 00010046
+ RAX: 0000000000000000 RBX: 00000000fffffc02 RCX: ffffffff81504c26
+ RDX: 0000000000000000 RSI: ffff88800d030000 RDI: 0000000000000002
+ RBP: ffffc90000f37948 R08: 000000000003ca24 R09: 0000000000000008
+ R10: 000000000003ca00 R11: 0000000000000023 R12: ffffea000035d540
+ R13: 0000000000000001 R14: 0000000000000000 R15: ffffea000035d540
+ FS: 00007fecbf659740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00000000200011c3 CR3: 000000000ef66006 CR4: 0000000000770ee0
+ PKRU: 55555554
+ Call Trace:
+
+ internal_get_user_pages_fast+0xd32/0x2200
+ pin_user_pages_fast+0x65/0x90
+ pfn_reader_user_pin+0x376/0x390
+ pfn_reader_next+0x14a/0x7b0
+ pfn_reader_first+0x140/0x1b0
+ iopt_area_fill_domain+0x74/0x210
+ iopt_table_add_domain+0x30e/0x6e0
+ iommufd_device_selftest_attach+0x7f/0x140
+ iommufd_test+0x10ff/0x16f0
+ iommufd_fops_ioctl+0x206/0x330
+ __x64_sys_ioctl+0x10e/0x160
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Cc:
+Fixes: f394576eb11d ("iommufd: PFN handling for iopt_pages")
+Link: https://lore.kernel.org/r/3-v1-ceab6a4d7d7a+94-iommufd_syz_jgg@nvidia.com
+Reviewed-by: Kevin Tian
+Reported-by: Pengfei Xu
+Tested-by: Pengfei Xu
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/iommufd/pages.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/iommufd/pages.c
++++ b/drivers/iommu/iommufd/pages.c
+@@ -294,9 +294,9 @@ static void batch_clear_carry(struct pfn
+ batch->npfns[batch->end - 1] < keep_pfns);
+
+ batch->total_pfns = keep_pfns;
+- batch->npfns[0] = keep_pfns;
+ batch->pfns[0] = batch->pfns[batch->end - 1] +
+ (batch->npfns[batch->end - 1] - keep_pfns);
++ batch->npfns[0] = keep_pfns;
+ batch->end = 0;
+ }
+
diff --git a/queue-6.2/iommufd-fix-unpinning-of-pages-when-an-access-is-present.patch b/queue-6.2/iommufd-fix-unpinning-of-pages-when-an-access-is-present.patch
new file mode 100644
index 00000000000..4aa1919abfb
--- /dev/null
+++ b/queue-6.2/iommufd-fix-unpinning-of-pages-when-an-access-is-present.patch
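Review bot: The new store order is correct but fragile: `batch->pfns[0]` is derived from `batch->npfns[batch->end - 1]`, and when `batch->end - 1` is 0 that is the very slot the moved `batch->npfns[0] = keep_pfns;` writes, which is exactly the aliasing the commit fixes. Nothing in the code records that dependency, so a later tidy-up could regroup the two `[0]` stores and reintroduce the bug. I would add above the `batch->pfns[0] =` line: `/* npfns[end - 1] may alias npfns[0]; read it before the store below */`. batch_clear_carry() starts before the hunk.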
@@ -0,0 +1,86 @@
+From 727c28c1cef2bc013d2c8bb6c50e410a3882a04e Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Fri, 31 Mar 2023 12:32:25 -0300
+Subject: iommufd: Fix unpinning of pages when an access is present
+
+From: Jason Gunthorpe
+
+commit 727c28c1cef2bc013d2c8bb6c50e410a3882a04e upstream.
+
+syzkaller found that the calculation of batch_last_index should use
+'start_index' since at input to this function the batch is either empty or
+it has already been adjusted to cross any accesses so it will start at the
+point we are unmapping from.
+
+Getting this wrong causes the unmap to run over the end of the pages
+which corrupts pages that were never mapped. In most cases this triggers
+the num pinned debugging:
+
+ WARNING: CPU: 0 PID: 557 at drivers/iommu/iommufd/pages.c:294 __iopt_area_unfill_domain+0x152/0x560
+ Modules linked in:
+ CPU: 0 PID: 557 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755 #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:__iopt_area_unfill_domain+0x152/0x560
+ Code: d2 0f ff 44 8b 64 24 54 48 8b 44 24 48 31 ff 44 89 e6 48 89 44 24 38 e8 fc d3 0f ff 45 85 e4 0f 85 eb 01 00 00 e8 0e d2 0f ff <0f> 0b e8 07 d2 0f ff 48 8b 44 24 38 89 5c 24 58 89 18 8b 44 24 54
+ RSP: 0018:ffffc9000108baf0 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffffffff821e3f85
+ RDX: 0000000000000000 RSI: ffff88800faf0000 RDI: 0000000000000002
+ RBP: ffffc9000108bd18 R08: 000000000003ca25 R09: 0000000000000014
+ R10: 000000000003ca00 R11: 0000000000000024 R12: 0000000000000004
+ R13: 0000000000000801 R14: 00000000000007ff R15: 0000000000000800
+ FS: 00007f3499ce1740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000020000243 CR3: 00000000179c2001 CR4: 0000000000770ef0
+ PKRU: 55555554
+ Call Trace:
+
+ iopt_area_unfill_domain+0x32/0x40
+ iopt_table_remove_domain+0x23f/0x4c0
+ iommufd_device_selftest_detach+0x3a/0x90
+ iommufd_selftest_destroy+0x55/0x70
+ iommufd_object_destroy_user+0xce/0x130
+ iommufd_destroy+0xa2/0xc0
+ iommufd_fops_ioctl+0x206/0x330
+ __x64_sys_ioctl+0x10e/0x160
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Also add some useful WARN_ON sanity checks.
+
+Cc:
+Fixes: 8d160cd4d506 ("iommufd: Algorithms for PFN storage")
+Link: https://lore.kernel.org/r/2-v1-ceab6a4d7d7a+94-iommufd_syz_jgg@nvidia.com
+Reviewed-by: Kevin Tian
+Reported-by: Pengfei Xu
+Tested-by: Pengfei Xu
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/iommufd/pages.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/iommufd/pages.c
++++ b/drivers/iommu/iommufd/pages.c
+@@ -1205,13 +1205,21 @@ iopt_area_unpin_domain(struct pfn_batch
+ unsigned long start =
+ max(start_index, *unmapped_end_index);
+
++ if (IS_ENABLED(CONFIG_IOMMUFD_TEST) &&
++ batch->total_pfns)
++ WARN_ON(*unmapped_end_index -
++ batch->total_pfns !=
++ start_index);
+ batch_from_domain(batch, domain, area, start,
+ last_index);
+- batch_last_index = start + batch->total_pfns - 1;
++ batch_last_index = start_index + batch->total_pfns - 1;
+ } else {
+ batch_last_index = last_index;
+ }
+
++ if (IS_ENABLED(CONFIG_IOMMUFD_TEST))
++ WARN_ON(batch_last_index > real_last_index);
++
+ /*
+ * unmaps must always 'cut' at a place where the pfns are not
+ * contiguous to pair with the maps that always install
diff --git a/queue-6.2/net-stmmac-add-queue-reset-into-stmmac_xdp_open-function.patch b/queue-6.2/net-stmmac-add-queue-reset-into-stmmac_xdp_open-function.patch
new file mode 100644
index 00000000000..e8441fe5f0c
--- /dev/null
+++ b/queue-6.2/net-stmmac-add-queue-reset-into-stmmac_xdp_open-function.patch
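Review bot: The switch to `batch_last_index = start_index + batch->total_pfns - 1;` is correct only because of an invariant that lives in the commit message rather than in the code: on entry the batch is either empty or already ends at `start_index`, so the batch base is `start_index` even though the domain read begins at `start`. The new `WARN_ON` under `IS_ENABLED(CONFIG_IOMMUFD_TEST)` checks that invariant, but only in test builds, so a comment next to the assignment should state it: `/* the batch is anchored at start_index, not start: it is empty or was already advanced across the accesses */`. iopt_area_unpin_domain() starts before and continues past the hunk.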
@@ -0,0 +1,37 @@
+From 24e3fce00c0b557491ff596c0682a29dee6fe848 Mon Sep 17 00:00:00 2001
+From: Song Yoong Siang
+Date: Tue, 4 Apr 2023 12:48:23 +0800
+Subject: net: stmmac: Add queue reset into stmmac_xdp_open() function
+
+From: Song Yoong Siang
+
+commit 24e3fce00c0b557491ff596c0682a29dee6fe848 upstream.
+
+Queue reset was moved out from __init_dma_rx_desc_rings() and
+__init_dma_tx_desc_rings() functions. Thus, the driver fails to transmit
+and receive packet after XDP prog setup.
+
+This commit adds the missing queue reset into stmmac_xdp_open() function.
+
+Fixes: f9ec5723c3db ("net: ethernet: stmicro: stmmac: move queue reset to dedicated functions")
+Cc: # 6.0+
+Signed-off-by: Song Yoong Siang
+Reviewed-by: Alexander Duyck
+Link: https://lore.kernel.org/r/20230404044823.3226144-1-yoong.siang.song@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -6629,6 +6629,8 @@ int stmmac_xdp_open(struct net_device *d
+ goto init_error;
+ }
+
++ stmmac_reset_queues_param(priv);
++
+ /* DMA CSR Channel configuration */
+ for (chan = 0; chan < dma_csr_ch; chan++) {
+ stmmac_init_chan(priv, priv->ioaddr, priv->plat->dma_cfg, chan);
diff --git a/queue-6.2/series b/queue-6.2/series
index 0fd91bcd3f7..f119a30ccd5 100644
--- a/queue-6.2/series
+++ b/queue-6.2/series
@@ -106,6 +106,27 @@ coresight-etm4-fix-for-loop-drvdata-nr_addr_cmp-range-bug.patch
 counter-104-quad-8-fix-race-condition-between-flag-and-cntr-reads.patch
 counter-104-quad-8-fix-synapse-action-reported-for-index-signals.patch
 blk-mq-directly-poll-requests.patch
+ftrace-mark-get_lock_parent_ip-__always_inline.patch
+ftrace-fix-issue-that-direct-addr-not-restored-in-modify_ftrace_direct.patch
+fs-drop-peer-group-ids-under-namespace-lock.patch
+can-j1939-j1939_tp_tx_dat_new-fix-out-of-bounds-memory-access.patch
+can-isotp-fix-race-between-isotp_sendsmg-and-isotp_release.patch
+can-isotp-isotp_ops-fix-poll-to-not-report-false-epollout-events.patch
+can-isotp-isotp_recvmsg-use-sock_recv_cmsgs-to-get-sock_rxq_ovfl-infos.patch
+acpi-video-add-auto_detect-arg-to-__acpi_video_get_backlight_type.patch
+acpi-video-make-acpi_backlight-video-work-independent-from-gpu-driver.patch
+acpi-video-add-acpi_backlight-video-quirk-for-apple-imac14-1-and-imac14-2.patch
+acpi-video-add-acpi_backlight-video-quirk-for-lenovo-thinkpad-w530.patch
+net-stmmac-add-queue-reset-into-stmmac_xdp_open-function.patch
+tracing-synthetic-fix-races-on-freeing-last_cmd.patch
+tracing-timerlat-notify-new-max-thread-latency.patch
+tracing-osnoise-fix-notify-new-tracing_max_latency.patch
+tracing-free-error-logs-of-tracing-instances.patch
+iommufd-check-for-uptr-overflow.patch
+iommufd-fix-unpinning-of-pages-when-an-access-is-present.patch
+iommufd-do-not-corrupt-the-pfn-list-when-doing-batch-carry.patch
+asoc-hdac_hdmi-use-set_stream-instead-of-set_tdm_slots.patch
+asoc-sof-avoid-a-null-dereference-with-unsupported-widgets.patch
 iio-adc-ad7791-fix-irq-flags.patch
 io_uring-fix-return-value-when-removing-provided-buf.patch
 io_uring-fix-memory-leak-when-removing-provided-buff.patch
diff --git a/queue-6.2/tracing-free-error-logs-of-tracing-instances.patch b/queue-6.2/tracing-free-error-logs-of-tracing-instances.patch
new file mode 100644
index 00000000000..59e62d33532
--- /dev/null
+++ b/queue-6.2/tracing-free-error-logs-of-tracing-instances.patch 
@@ -0,0 +1,93 @@
+From 3357c6e429643231e60447b52ffbb7ac895aca22 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Google)"
+Date: Tue, 4 Apr 2023 19:45:04 -0400
+Subject: tracing: Free error logs of tracing instances
+
+From: Steven Rostedt (Google)
+
+commit 3357c6e429643231e60447b52ffbb7ac895aca22 upstream.
+
+When a tracing instance is removed, the error messages that hold errors
+that occurred in the instance needs to be freed. The following reports a
+memory leak:
+
+ # cd /sys/kernel/tracing
+ # mkdir instances/foo
+ # echo 'hist:keys=x' > instances/foo/events/sched/sched_switch/trigger
+ # cat instances/foo/error_log
+ [ 117.404795] hist:sched:sched_switch: error: Couldn't find field
+ Command: hist:keys=x
+ ^
+ # rmdir instances/foo
+
+Then check for memory leaks:
+
+ # echo scan > /sys/kernel/debug/kmemleak
+ # cat /sys/kernel/debug/kmemleak
+unreferenced object 0xffff88810d8ec700 (size 192):
+ comm "bash", pid 869, jiffies 4294950577 (age 215.752s)
+ hex dump (first 32 bytes):
+ 60 dd 68 61 81 88 ff ff 60 dd 68 61 81 88 ff ff `.ha....`.ha....
+ a0 30 8c 83 ff ff ff ff 26 00 0a 00 00 00 00 00 .0......&.......
+ backtrace:
+ [<00000000dae26536>] kmalloc_trace+0x2a/0xa0
+ [<00000000b2938940>] tracing_log_err+0x277/0x2e0
+ [<000000004a0e1b07>] parse_atom+0x966/0xb40
+ [<0000000023b24337>] parse_expr+0x5f3/0xdb0
+ [<00000000594ad074>] event_hist_trigger_parse+0x27f8/0x3560
+ [<00000000293a9645>] trigger_process_regex+0x135/0x1a0
+ [<000000005c22b4f2>] event_trigger_write+0x87/0xf0
+ [<000000002cadc509>] vfs_write+0x162/0x670
+ [<0000000059c3b9be>] ksys_write+0xca/0x170
+ [<00000000f1cddc00>] do_syscall_64+0x3e/0xc0
+ [<00000000868ac68c>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+unreferenced object 0xffff888170c35a00 (size 32):
+ comm "bash", pid 869, jiffies 4294950577 (age 215.752s)
+ hex dump (first 32 bytes):
+ 0a 20 20 43 6f 6d 6d 61 6e 64 3a 20 68 69 73 74 . Command: hist
+ 3a 6b 65 79 73 3d 78 0a 00 00 00 00 00 00 00 00 :keys=x.........
+ backtrace:
+ [<000000006a747de5>] __kmalloc+0x4d/0x160
+ [<000000000039df5f>] tracing_log_err+0x29b/0x2e0
+ [<000000004a0e1b07>] parse_atom+0x966/0xb40
+ [<0000000023b24337>] parse_expr+0x5f3/0xdb0
+ [<00000000594ad074>] event_hist_trigger_parse+0x27f8/0x3560
+ [<00000000293a9645>] trigger_process_regex+0x135/0x1a0
+ [<000000005c22b4f2>] event_trigger_write+0x87/0xf0
+ [<000000002cadc509>] vfs_write+0x162/0x670
+ [<0000000059c3b9be>] ksys_write+0xca/0x170
+ [<00000000f1cddc00>] do_syscall_64+0x3e/0xc0
+ [<00000000868ac68c>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+The problem is that the error log needs to be freed when the instance is
+removed.
+
+Link: https://lore.kernel.org/lkml/76134d9f-a5ba-6a0d-37b3-28310b4a1e91@alu.unizg.hr/
+Link: https://lore.kernel.org/linux-trace-kernel/20230404194504.5790b95f@gandalf.local.home
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu
+Cc: Andrew Morton
+Cc: Mark Rutland
+Cc: Thorsten Leemhuis
+Cc: Ulf Hansson
+Cc: Eric Biggers
+Fixes: 2f754e771b1a6 ("tracing: Have the error logs show up in the proper instances")
+Reported-by: Mirsad Goran Todorovac
+Tested-by: Mirsad Todorovac
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -9472,6 +9472,7 @@ static int __remove_instance(struct trac
+ tracefs_remove(tr->dir);
+ free_percpu(tr->last_func_repeats);
+ free_trace_buffers(tr);
++ clear_tracing_err_log(tr);
+
+ for (i = 0; i < tr->nr_topts; i++) {
+ kfree(tr->topts[i].topts);
diff --git a/queue-6.2/tracing-osnoise-fix-notify-new-tracing_max_latency.patch b/queue-6.2/tracing-osnoise-fix-notify-new-tracing_max_latency.patch
new file mode 100644
index 00000000000..395df159731
--- /dev/null
+++ b/queue-6.2/tracing-osnoise-fix-notify-new-tracing_max_latency.patch
@@ -0,0 +1,36 @@
+From d3cba7f02cd82118c32651c73374d8a5a459d9a6 Mon Sep 17 00:00:00 2001
+From: Daniel Bristot de Oliveira
+Date: Wed, 29 Mar 2023 17:50:16 +0200
+Subject: tracing/osnoise: Fix notify new tracing_max_latency
+
+From: Daniel Bristot de Oliveira
+
+commit d3cba7f02cd82118c32651c73374d8a5a459d9a6 upstream.
+
+osnoise/timerlat tracers are reporting new max latency on instances
+where the tracing is off, creating inconsistencies between the max
+reported values in the trace and in the tracing_max_latency. Thus
+only report new tracing_max_latency on active tracing instances.
+
+Link: https://lkml.kernel.org/r/ecd109fde4a0c24ab0f00ba1e9a144ac19a91322.1680104184.git.bristot@kernel.org
+
+Cc: stable@vger.kernel.org
+Fixes: dae181349f1e ("tracing/osnoise: Support a list of trace_array *tr")
+Signed-off-by: Daniel Bristot de Oliveira
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_osnoise.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_osnoise.c
++++ b/kernel/trace/trace_osnoise.c
+@@ -1296,7 +1296,7 @@ static void notify_new_max_latency(u64 l
+ rcu_read_lock();
+ list_for_each_entry_rcu(inst, &osnoise_instances, list) {
+ tr = inst->tr;
+- if (tr->max_latency < latency) {
++ if (tracer_tracing_is_on(tr) && tr->max_latency < latency) {
+ tr->max_latency = latency;
+ latency_fsnotify(tr);
+ }
diff --git a/queue-6.2/tracing-synthetic-fix-races-on-freeing-last_cmd.patch b/queue-6.2/tracing-synthetic-fix-races-on-freeing-last_cmd.patch
new file mode 100644
index 00000000000..7b9164dca92
--- /dev/null
+++ b/queue-6.2/tracing-synthetic-fix-races-on-freeing-last_cmd.patch
@@ -0,0 +1,184 @@
+From 4ccf11c4e8a8e051499d53a12f502196c97a758e Mon Sep 17 00:00:00 2001
+From: Tze-nan Wu
+Date: Tue, 21 Mar 2023 19:04:43 +0800
+Subject: tracing/synthetic: Fix races on freeing last_cmd
+
+From: Tze-nan Wu
+
+commit 4ccf11c4e8a8e051499d53a12f502196c97a758e upstream.
+
+Currently, the "last_cmd" variable can be accessed by multiple processes
+asynchronously when multiple users manipulate synthetic_events node
+at the same time, it could lead to use-after-free or double-free.
+
+This patch add "lastcmd_mutex" to prevent "last_cmd" from being accessed
+asynchronously.
+
+================================================================
+
+It's easy to reproduce in the KASAN environment by running the two
+scripts below in different shells.
+
+script 1:
+ while :
+ do
+ echo -n -e '\x88' > /sys/kernel/tracing/synthetic_events
+ done
+
+script 2:
+ while :
+ do
+ echo -n -e '\xb0' > /sys/kernel/tracing/synthetic_events
+ done
+
+================================================================
+double-free scenario:
+
+ process A process B
+------------------- ---------------
+1.kstrdup last_cmd
+ 2.free last_cmd
+3.free last_cmd(double-free)
+
+================================================================
+use-after-free scenario:
+
+ process A process B
+------------------- ---------------
+1.kstrdup last_cmd
+ 2.free last_cmd
+3.tracing_log_err(use-after-free)
+
+================================================================
+
+Appendix 1. KASAN report double-free:
+
+BUG: KASAN: double-free in kfree+0xdc/0x1d4
+Free of addr ***** by task sh/4879
+Call trace:
+ ...
+ kfree+0xdc/0x1d4
+ create_or_delete_synth_event+0x60/0x1e8
+ trace_parse_run_command+0x2bc/0x4b8
+ synth_events_write+0x20/0x30
+ vfs_write+0x200/0x830
+ ...
+
+Allocated by task 4879:
+ ...
+ kstrdup+0x5c/0x98
+ create_or_delete_synth_event+0x6c/0x1e8
+ trace_parse_run_command+0x2bc/0x4b8
+ synth_events_write+0x20/0x30
+ vfs_write+0x200/0x830
+ ...
+
+Freed by task 5464:
+ ...
+ kfree+0xdc/0x1d4
+ create_or_delete_synth_event+0x60/0x1e8
+ trace_parse_run_command+0x2bc/0x4b8
+ synth_events_write+0x20/0x30
+ vfs_write+0x200/0x830
+ ...
+
+================================================================
+Appendix 2. KASAN report use-after-free:
+
+BUG: KASAN: use-after-free in strlen+0x5c/0x7c
+Read of size 1 at addr ***** by task sh/5483
+sh: CPU: 7 PID: 5483 Comm: sh
+ ...
+ __asan_report_load1_noabort+0x34/0x44
+ strlen+0x5c/0x7c
+ tracing_log_err+0x60/0x444
+ create_or_delete_synth_event+0xc4/0x204
+ trace_parse_run_command+0x2bc/0x4b8
+ synth_events_write+0x20/0x30
+ vfs_write+0x200/0x830
+ ...
+
+Allocated by task 5483:
+ ...
+ kstrdup+0x5c/0x98
+ create_or_delete_synth_event+0x80/0x204
+ trace_parse_run_command+0x2bc/0x4b8
+ synth_events_write+0x20/0x30
+ vfs_write+0x200/0x830
+ ...
+
+Freed by task 5480:
+ ...
+ kfree+0xdc/0x1d4
+ create_or_delete_synth_event+0x74/0x204
+ trace_parse_run_command+0x2bc/0x4b8
+ synth_events_write+0x20/0x30
+ vfs_write+0x200/0x830
+ ...
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230321110444.1587-1-Tze-nan.Wu@mediatek.com
+
+Fixes: 27c888da9867 ("tracing: Remove size restriction on synthetic event cmd error logging")
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu
+Cc: Matthias Brugger
+Cc: AngeloGioacchino Del Regno
+Cc: "Tom Zanussi"
+Signed-off-by: Tze-nan Wu
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_events_synth.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/trace_events_synth.c
++++ b/kernel/trace/trace_events_synth.c
+@@ -44,14 +44,21 @@ enum { ERRORS };
+
+ static const char *err_text[] = { ERRORS };
+
++DEFINE_MUTEX(lastcmd_mutex);
+ static char *last_cmd;
+
+ static int errpos(const char *str)
+ {
++ int ret = 0;
++
++ mutex_lock(&lastcmd_mutex);
+ if (!str || !last_cmd)
+- return 0;
++ goto out;
+
+- return err_pos(last_cmd, str);
++ ret = err_pos(last_cmd, str);
++ out:
++ mutex_unlock(&lastcmd_mutex);
++ return ret;
+ }
+
+ static void last_cmd_set(const char *str)
+@@ -59,18 +66,22 @@ static void last_cmd_set(const char *str
+ if (!str)
+ return;
+
++ mutex_lock(&lastcmd_mutex);
+ kfree(last_cmd);
+-
+ last_cmd = kstrdup(str, GFP_KERNEL);
++ mutex_unlock(&lastcmd_mutex);
+ }
+
+ static void synth_err(u8 err_type, u16 err_pos)
+ {
++ mutex_lock(&lastcmd_mutex);
+ if (!last_cmd)
+- return;
++ goto out;
+
+ tracing_log_err(NULL, "synthetic_events", last_cmd, err_text,
+ err_type, err_pos);
++ out:
++ mutex_unlock(&lastcmd_mutex);
+ }
+
+ static int create_synth_event(const char *raw_command);
diff --git a/queue-6.2/tracing-timerlat-notify-new-max-thread-latency.patch b/queue-6.2/tracing-timerlat-notify-new-max-thread-latency.patch
new file mode 100644
index 00000000000..9d729785489
--- /dev/null
+++ b/queue-6.2/tracing-timerlat-notify-new-max-thread-latency.patch
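Review bot: `DEFINE_MUTEX(lastcmd_mutex);` defines a symbol with external linkage although every visible user — errpos(), last_cmd_set() and synth_err() — is a `static` function in the same file; it should be `static DEFINE_MUTEX(lastcmd_mutex);`, matching `static char *last_cmd;` on the next line and keeping the name out of the kernel's global namespace (sparse would also flag it as lacking a declaration). The locking itself looks complete for the three accessors shown: each takes the mutex before touching `last_cmd` and every exit, including the `goto out` paths, releases it. The ` out:` labels are indented by one space, which differs from the column-0 labels used elsewhere in kernel code and is worth normalising while here.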
@@ -0,0 +1,37 @@
+From b9f451a9029a16eb7913ace09b92493d00f2e564 Mon Sep 17 00:00:00 2001
+From: Daniel Bristot de Oliveira
+Date: Wed, 29 Mar 2023 17:50:15 +0200
+Subject: tracing/timerlat: Notify new max thread latency
+
+From: Daniel Bristot de Oliveira
+
+commit b9f451a9029a16eb7913ace09b92493d00f2e564 upstream.
+
+timerlat is not reporting a new tracing_max_latency for the thread
+latency. The reason is that it is not calling notify_new_max_latency()
+function after the new thread latency is sampled.
+
+Call notify_new_max_latency() after computing the thread latency.
+
+Link: https://lkml.kernel.org/r/16e18d61d69073d0192ace07bf61e405cca96e9c.1680104184.git.bristot@kernel.org
+
+Cc: stable@vger.kernel.org
+Fixes: dae181349f1e ("tracing/osnoise: Support a list of trace_array *tr")
+Signed-off-by: Daniel Bristot de Oliveira
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_osnoise.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/trace_osnoise.c
++++ b/kernel/trace/trace_osnoise.c
+@@ -1738,6 +1738,8 @@ static int timerlat_main(void *data)
+
+ trace_timerlat_sample(&s);
+
++ notify_new_max_latency(diff);
++
+ timerlat_dump_stack(time_to_us(diff));
+
+ tlat->tracing_thread = false;