From: Greg Kroah-Hartman Date: Wed, 7 Jun 2023 12:37:04 +0000 (+0200) Subject: 6.3-stable patches X-Git-Tag: v4.14.317~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c0d3c3b08703702c8b476650692b0e26f2d02d24;p=thirdparty%2Fkernel%2Fstable-queue.git 6.3-stable patches added patches: dmaengine-at_hdmac-extend-the-flow-controller-bitfield-to-three-bits.patch dmaengine-at_hdmac-repair-bitfield-macros-for-peripheral-id-handling.patch ext4-add-ea_inode-checking-to-ext4_iget.patch ext4-add-lockdep-annotations-for-i_data_sem-for-ea_inode-s.patch ext4-disallow-ea_inodes-with-extended-attributes.patch ext4-set-lockdep-subclass-for-the-ea_inode-in-ext4_xattr_inode_cache_find.patch fbcon-fix-null-ptr-deref-in-soft_cursor.patch io_uring-undeprecate-epoll_ctl-support.patch ksmbd-fix-credit-count-leakage.patch ksmbd-fix-incorrect-allocationsize-set-in-smb2_get_info.patch ksmbd-fix-multiple-out-of-bounds-read-during-context-decoding.patch ksmbd-fix-slab-out-of-bounds-read-in-smb2_handle_negotiate.patch ksmbd-fix-uaf-issue-from-opinfo-conn.patch kvm-arm64-drop-last-page-ref-in-kvm_pgtable_stage2_free_removed.patch kvm-arm64-populate-fault-info-for-watchpoint.patch kvm-x86-account-fastpath-only-vm-exits-in-vcpu-stats.patch kvm-x86-bail-from-kvm_recalculate_phys_map-if-x2apic-id-is-out-of-bounds.patch kvm-x86-mmu-grab-memslot-for-correct-address-space-in-nx-recovery-worker.patch mptcp-fix-active-subflow-finalization.patch mptcp-fix-connect-timeout-handling.patch mtdchar-mark-bits-of-ioctl-handler-noinline.patch powerpc-xmon-use-ksym_name_len-in-array-size.patch riscv-perf-fix-callchain-parse-error-with-kernel-tracepoint-events.patch selftests-mptcp-connect-skip-if-mptcp-is-not-supported.patch selftests-mptcp-diag-skip-if-mptcp-is-not-supported.patch selftests-mptcp-join-avoid-using-cmp-bytes.patch selftests-mptcp-join-skip-if-mptcp-is-not-supported.patch selftests-mptcp-pm-nl-skip-if-mptcp-is-not-supported.patch selftests-mptcp-simult-flows-skip-if-mptcp-is-not-supported.patch selftests-mptcp-sockopt-skip-if-mptcp-is-not-supported.patch selftests-mptcp-userspace-pm-skip-if-mptcp-is-not-supported.patch selinux-don-t-use-make-s-grouped-targets-feature-yet.patch serial-8250_tegra-fix-an-error-handling-path-in-tegra_uart_probe.patch serial-cpm_uart-fix-a-compile_test-dependency.patch test_firmware-fix-a-memory-leak-with-reqs-buffer.patch test_firmware-fix-the-memory-leak-of-the-allocated-firmware-buffer.patch test_firmware-prevent-race-conditions-by-a-correct-implementation-of-locking.patch tracing-histograms-allow-variables-to-have-some-modifiers.patch tracing-probe-trace_probe_primary_from_call-checked-list_first_entry.patch tracing-timerlat-always-wakeup-the-timerlat-thread.patch --- diff --git a/queue-6.3/dmaengine-at_hdmac-extend-the-flow-controller-bitfield-to-three-bits.patch b/queue-6.3/dmaengine-at_hdmac-extend-the-flow-controller-bitfield-to-three-bits.patch new file mode 100644 index 00000000000..dba5247c4f9 --- /dev/null +++ b/queue-6.3/dmaengine-at_hdmac-extend-the-flow-controller-bitfield-to-three-bits.patch @@ -0,0 +1,43 @@ +From e14fd2af7a1d621c167dad761f729135a7a76ff4 Mon Sep 17 00:00:00 2001 +From: Peter Rosin +Date: Tue, 23 May 2023 19:20:47 +0200 +Subject: dmaengine: at_hdmac: Extend the Flow Controller bitfield to three bits + +From: Peter Rosin + +commit e14fd2af7a1d621c167dad761f729135a7a76ff4 upstream. + +Some chips have two bits (e.g SAMA5D3), and some have three (e.g. +SAM9G45). A field width of three is compatible as long as valid +values are used for the different chips. + +There is no current use of any value needing three bits, so the +fixed bug is relatively benign. + +Fixes: d8840a7edcf0 ("dmaengine: at_hdmac: Use bitfield access macros") +Cc: stable@vger.kernel.org +Reviewed-by: Tudor Ambarus +Signed-off-by: Peter Rosin +Link: https://lore.kernel.org/r/e2c898ba-c3a3-5dd3-384b-0585661c79f2@axentia.se +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/at_hdmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c +index 6362013b90df..ee3a219e3a89 100644 +--- a/drivers/dma/at_hdmac.c ++++ b/drivers/dma/at_hdmac.c +@@ -132,7 +132,7 @@ + #define ATC_DST_PIP BIT(12) /* Destination Picture-in-Picture enabled */ + #define ATC_SRC_DSCR_DIS BIT(16) /* Src Descriptor fetch disable */ + #define ATC_DST_DSCR_DIS BIT(20) /* Dst Descriptor fetch disable */ +-#define ATC_FC GENMASK(22, 21) /* Choose Flow Controller */ ++#define ATC_FC GENMASK(23, 21) /* Choose Flow Controller */ + #define ATC_FC_MEM2MEM 0x0 /* Mem-to-Mem (DMA) */ + #define ATC_FC_MEM2PER 0x1 /* Mem-to-Periph (DMA) */ + #define ATC_FC_PER2MEM 0x2 /* Periph-to-Mem (DMA) */ +-- +2.41.0 + diff --git a/queue-6.3/dmaengine-at_hdmac-repair-bitfield-macros-for-peripheral-id-handling.patch b/queue-6.3/dmaengine-at_hdmac-repair-bitfield-macros-for-peripheral-id-handling.patch new file mode 100644 index 00000000000..a87c6802074 --- /dev/null +++ b/queue-6.3/dmaengine-at_hdmac-repair-bitfield-macros-for-peripheral-id-handling.patch @@ -0,0 +1,63 @@ +From 2a6c7e8cc74e58ba94b8c897035a8ef7f7349f76 Mon Sep 17 00:00:00 2001 +From: Peter Rosin +Date: Tue, 23 May 2023 19:20:37 +0200 +Subject: dmaengine: at_hdmac: Repair bitfield macros for peripheral ID handling + +From: Peter Rosin + +commit 2a6c7e8cc74e58ba94b8c897035a8ef7f7349f76 upstream. + +The MSB part of the peripheral IDs need to go into the ATC_SRC_PER_MSB +and ATC_DST_PER_MSB fields. Not the LSB part. + +This fixes a severe regression for TSE-850 devices (compatible +axentia,tse850v3) where output to the audio I2S codec (the main +purpose of the device) simply do not work. + +Fixes: d8840a7edcf0 ("dmaengine: at_hdmac: Use bitfield access macros") +Cc: stable@vger.kernel.org +Signed-off-by: Peter Rosin +Reviewed-by: Tudor Ambarus +Link: https://lore.kernel.org/r/01e5dae1-d4b0-cf31-516b-423b11b077f1@axentia.se +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/at_hdmac.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c +index 8858470246e1..6362013b90df 100644 +--- a/drivers/dma/at_hdmac.c ++++ b/drivers/dma/at_hdmac.c +@@ -153,8 +153,6 @@ + #define ATC_AUTO BIT(31) /* Auto multiple buffer tx enable */ + + /* Bitfields in CFG */ +-#define ATC_PER_MSB(h) ((0x30U & (h)) >> 4) /* Extract most significant bits of a handshaking identifier */ +- + #define ATC_SRC_PER GENMASK(3, 0) /* Channel src rq associated with periph handshaking ifc h */ + #define ATC_DST_PER GENMASK(7, 4) /* Channel dst rq associated with periph handshaking ifc h */ + #define ATC_SRC_REP BIT(8) /* Source Replay Mod */ +@@ -181,10 +179,15 @@ + #define ATC_DPIP_HOLE GENMASK(15, 0) + #define ATC_DPIP_BOUNDARY GENMASK(25, 16) + +-#define ATC_SRC_PER_ID(id) (FIELD_PREP(ATC_SRC_PER_MSB, (id)) | \ +- FIELD_PREP(ATC_SRC_PER, (id))) +-#define ATC_DST_PER_ID(id) (FIELD_PREP(ATC_DST_PER_MSB, (id)) | \ +- FIELD_PREP(ATC_DST_PER, (id))) ++#define ATC_PER_MSB GENMASK(5, 4) /* Extract MSBs of a handshaking identifier */ ++#define ATC_SRC_PER_ID(id) \ ++ ({ typeof(id) _id = (id); \ ++ FIELD_PREP(ATC_SRC_PER_MSB, FIELD_GET(ATC_PER_MSB, _id)) | \ ++ FIELD_PREP(ATC_SRC_PER, _id); }) ++#define ATC_DST_PER_ID(id) \ ++ ({ typeof(id) _id = (id); \ ++ FIELD_PREP(ATC_DST_PER_MSB, FIELD_GET(ATC_PER_MSB, _id)) | \ ++ FIELD_PREP(ATC_DST_PER, _id); }) + + + +-- +2.41.0 + diff --git a/queue-6.3/ext4-add-ea_inode-checking-to-ext4_iget.patch b/queue-6.3/ext4-add-ea_inode-checking-to-ext4_iget.patch new file mode 100644 index 00000000000..4fec7a75ad0 --- /dev/null +++ b/queue-6.3/ext4-add-ea_inode-checking-to-ext4_iget.patch @@ -0,0 +1,180 @@ +From b3e6bcb94590dea45396b9481e47b809b1be4afa Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 23 May 2023 23:49:48 -0400 +Subject: ext4: add EA_INODE checking to ext4_iget() + +From: Theodore Ts'o + +commit b3e6bcb94590dea45396b9481e47b809b1be4afa upstream. + +Add a new flag, EXT4_IGET_EA_INODE which indicates whether the inode +is expected to have the EA_INODE flag or not. If the flag is not +set/clear as expected, then fail the iget() operation and mark the +file system as corrupted. + +This commit also makes the ext4_iget() always perform the +is_bad_inode() check even when the inode is already inode cache. This +allows us to remove the is_bad_inode() check from the callers of +ext4_iget() in the ea_inode code. + +Reported-by: syzbot+cbb68193bdb95af4340a@syzkaller.appspotmail.com +Reported-by: syzbot+62120febbd1ee3c3c860@syzkaller.appspotmail.com +Reported-by: syzbot+edce54daffee36421b4c@syzkaller.appspotmail.com +Cc: stable@kernel.org +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20230524034951.779531-2-tytso@mit.edu +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/ext4.h | 3 ++- + fs/ext4/inode.c | 31 ++++++++++++++++++++++++++----- + fs/ext4/xattr.c | 36 +++++++----------------------------- + 3 files changed, 35 insertions(+), 35 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -2992,7 +2992,8 @@ typedef enum { + EXT4_IGET_NORMAL = 0, + EXT4_IGET_SPECIAL = 0x0001, /* OK to iget a system inode */ + EXT4_IGET_HANDLE = 0x0002, /* Inode # is from a handle */ +- EXT4_IGET_BAD = 0x0004 /* Allow to iget a bad inode */ ++ EXT4_IGET_BAD = 0x0004, /* Allow to iget a bad inode */ ++ EXT4_IGET_EA_INODE = 0x0008 /* Inode should contain an EA value */ + } ext4_iget_flags; + + extern struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4835,6 +4835,21 @@ static inline void ext4_inode_set_iversi + inode_set_iversion_queried(inode, val); + } + ++static const char *check_igot_inode(struct inode *inode, ext4_iget_flags flags) ++ ++{ ++ if (flags & EXT4_IGET_EA_INODE) { ++ if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) ++ return "missing EA_INODE flag"; ++ } else { ++ if ((EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) ++ return "unexpected EA_INODE flag"; ++ } ++ if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD)) ++ return "unexpected bad inode w/o EXT4_IGET_BAD"; ++ return NULL; ++} ++ + struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, + ext4_iget_flags flags, const char *function, + unsigned int line) +@@ -4844,6 +4859,7 @@ struct inode *__ext4_iget(struct super_b + struct ext4_inode_info *ei; + struct ext4_super_block *es = EXT4_SB(sb)->s_es; + struct inode *inode; ++ const char *err_str; + journal_t *journal = EXT4_SB(sb)->s_journal; + long ret; + loff_t size; +@@ -4871,8 +4887,14 @@ struct inode *__ext4_iget(struct super_b + inode = iget_locked(sb, ino); + if (!inode) + return ERR_PTR(-ENOMEM); +- if (!(inode->i_state & I_NEW)) ++ if (!(inode->i_state & I_NEW)) { ++ if ((err_str = check_igot_inode(inode, flags)) != NULL) { ++ ext4_error_inode(inode, function, line, 0, err_str); ++ iput(inode); ++ return ERR_PTR(-EFSCORRUPTED); ++ } + return inode; ++ } + + ei = EXT4_I(inode); + iloc.bh = NULL; +@@ -5138,10 +5160,9 @@ struct inode *__ext4_iget(struct super_b + if (IS_CASEFOLDED(inode) && !ext4_has_feature_casefold(inode->i_sb)) + ext4_error_inode(inode, function, line, 0, + "casefold flag without casefold feature"); +- if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD)) { +- ext4_error_inode(inode, function, line, 0, +- "bad inode without EXT4_IGET_BAD flag"); +- ret = -EUCLEAN; ++ if ((err_str = check_igot_inode(inode, flags)) != NULL) { ++ ext4_error_inode(inode, function, line, 0, err_str); ++ ret = -EFSCORRUPTED; + goto bad_inode; + } + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -433,7 +433,7 @@ static int ext4_xattr_inode_iget(struct + return -EFSCORRUPTED; + } + +- inode = ext4_iget(parent->i_sb, ea_ino, EXT4_IGET_NORMAL); ++ inode = ext4_iget(parent->i_sb, ea_ino, EXT4_IGET_EA_INODE); + if (IS_ERR(inode)) { + err = PTR_ERR(inode); + ext4_error(parent->i_sb, +@@ -441,23 +441,6 @@ static int ext4_xattr_inode_iget(struct + err); + return err; + } +- +- if (is_bad_inode(inode)) { +- ext4_error(parent->i_sb, +- "error while reading EA inode %lu is_bad_inode", +- ea_ino); +- err = -EIO; +- goto error; +- } +- +- if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) { +- ext4_error(parent->i_sb, +- "EA inode %lu does not have EXT4_EA_INODE_FL flag", +- ea_ino); +- err = -EINVAL; +- goto error; +- } +- + ext4_xattr_inode_set_class(inode); + + /* +@@ -478,9 +461,6 @@ static int ext4_xattr_inode_iget(struct + + *ea_inode = inode; + return 0; +-error: +- iput(inode); +- return err; + } + + /* Remove entry from mbcache when EA inode is getting evicted */ +@@ -1557,11 +1537,10 @@ ext4_xattr_inode_cache_find(struct inode + + while (ce) { + ea_inode = ext4_iget(inode->i_sb, ce->e_value, +- EXT4_IGET_NORMAL); +- if (!IS_ERR(ea_inode) && +- !is_bad_inode(ea_inode) && +- (EXT4_I(ea_inode)->i_flags & EXT4_EA_INODE_FL) && +- i_size_read(ea_inode) == value_len && ++ EXT4_IGET_EA_INODE); ++ if (IS_ERR(ea_inode)) ++ goto next_entry; ++ if (i_size_read(ea_inode) == value_len && + !ext4_xattr_inode_read(ea_inode, ea_data, value_len) && + !ext4_xattr_inode_verify_hashes(ea_inode, NULL, ea_data, + value_len) && +@@ -1571,9 +1550,8 @@ ext4_xattr_inode_cache_find(struct inode + kvfree(ea_data); + return ea_inode; + } +- +- if (!IS_ERR(ea_inode)) +- iput(ea_inode); ++ iput(ea_inode); ++ next_entry: + ce = mb_cache_entry_find_next(ea_inode_cache, ce); + } + kvfree(ea_data); diff --git a/queue-6.3/ext4-add-lockdep-annotations-for-i_data_sem-for-ea_inode-s.patch b/queue-6.3/ext4-add-lockdep-annotations-for-i_data_sem-for-ea_inode-s.patch new file mode 100644 index 00000000000..a9fec1a463f --- /dev/null +++ b/queue-6.3/ext4-add-lockdep-annotations-for-i_data_sem-for-ea_inode-s.patch @@ -0,0 +1,57 @@ +From aff3bea95388299eec63440389b4545c8041b357 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 23 May 2023 23:49:51 -0400 +Subject: ext4: add lockdep annotations for i_data_sem for ea_inode's + +From: Theodore Ts'o + +commit aff3bea95388299eec63440389b4545c8041b357 upstream. + +Treat i_data_sem for ea_inodes as being in their own lockdep class to +avoid lockdep complaints about ext4_setattr's use of inode_lock() on +normal inodes potentially causing lock ordering with i_data_sem on +ea_inodes in ext4_xattr_inode_write(). However, ea_inodes will be +operated on by ext4_setattr(), so this isn't a problem. + +Cc: stable@kernel.org +Link: https://syzkaller.appspot.com/bug?extid=298c5d8fb4a128bc27b0 +Reported-by: syzbot+298c5d8fb4a128bc27b0@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20230524034951.779531-5-tytso@mit.edu +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/ext4.h | 2 ++ + fs/ext4/xattr.c | 4 ++++ + 2 files changed, 6 insertions(+) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -1007,11 +1007,13 @@ do { \ + * where the second inode has larger inode number + * than the first + * I_DATA_SEM_QUOTA - Used for quota inodes only ++ * I_DATA_SEM_EA - Used for ea_inodes only + */ + enum { + I_DATA_SEM_NORMAL = 0, + I_DATA_SEM_OTHER, + I_DATA_SEM_QUOTA, ++ I_DATA_SEM_EA + }; + + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -125,7 +125,11 @@ ext4_expand_inode_array(struct ext4_xatt + #ifdef CONFIG_LOCKDEP + void ext4_xattr_inode_set_class(struct inode *ea_inode) + { ++ struct ext4_inode_info *ei = EXT4_I(ea_inode); ++ + lockdep_set_subclass(&ea_inode->i_rwsem, 1); ++ (void) ei; /* shut up clang warning if !CONFIG_LOCKDEP */ ++ lockdep_set_subclass(&ei->i_data_sem, I_DATA_SEM_EA); + } + #endif + diff --git a/queue-6.3/ext4-disallow-ea_inodes-with-extended-attributes.patch b/queue-6.3/ext4-disallow-ea_inodes-with-extended-attributes.patch new file mode 100644 index 00000000000..d8cefd6b525 --- /dev/null +++ b/queue-6.3/ext4-disallow-ea_inodes-with-extended-attributes.patch @@ -0,0 +1,35 @@ +From 2bc7e7c1a3bc9bd0cbf0f71006f6fe7ef24a00c2 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 23 May 2023 23:49:50 -0400 +Subject: ext4: disallow ea_inodes with extended attributes + +From: Theodore Ts'o + +commit 2bc7e7c1a3bc9bd0cbf0f71006f6fe7ef24a00c2 upstream. + +An ea_inode stores the value of an extended attribute; it can not have +extended attributes itself, or this will cause recursive nightmares. +Add a check in ext4_iget() to make sure this is the case. + +Cc: stable@kernel.org +Reported-by: syzbot+e44749b6ba4d0434cd47@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20230524034951.779531-4-tytso@mit.edu +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4841,6 +4841,9 @@ static const char *check_igot_inode(stru + if (flags & EXT4_IGET_EA_INODE) { + if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) + return "missing EA_INODE flag"; ++ if (ext4_test_inode_state(inode, EXT4_STATE_XATTR) || ++ EXT4_I(inode)->i_file_acl) ++ return "ea_inode with extended attributes"; + } else { + if ((EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) + return "unexpected EA_INODE flag"; diff --git a/queue-6.3/ext4-set-lockdep-subclass-for-the-ea_inode-in-ext4_xattr_inode_cache_find.patch b/queue-6.3/ext4-set-lockdep-subclass-for-the-ea_inode-in-ext4_xattr_inode_cache_find.patch new file mode 100644 index 00000000000..245484c2e44 --- /dev/null +++ b/queue-6.3/ext4-set-lockdep-subclass-for-the-ea_inode-in-ext4_xattr_inode_cache_find.patch @@ -0,0 +1,34 @@ +From b928dfdcb27d8fa59917b794cfba53052a2f050f Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 23 May 2023 23:49:49 -0400 +Subject: ext4: set lockdep subclass for the ea_inode in ext4_xattr_inode_cache_find() + +From: Theodore Ts'o + +commit b928dfdcb27d8fa59917b794cfba53052a2f050f upstream. + +If the ea_inode has been pushed out of the inode cache while there is +still a reference in the mb_cache, the lockdep subclass will not be +set on the inode, which can lead to some lockdep false positives. + +Fixes: 33d201e0277b ("ext4: fix lockdep warning about recursive inode locking") +Cc: stable@kernel.org +Reported-by: syzbot+d4b971e744b1f5439336@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20230524034951.779531-3-tytso@mit.edu +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1540,6 +1540,7 @@ ext4_xattr_inode_cache_find(struct inode + EXT4_IGET_EA_INODE); + if (IS_ERR(ea_inode)) + goto next_entry; ++ ext4_xattr_inode_set_class(ea_inode); + if (i_size_read(ea_inode) == value_len && + !ext4_xattr_inode_read(ea_inode, ea_data, value_len) && + !ext4_xattr_inode_verify_hashes(ea_inode, NULL, ea_data, diff --git a/queue-6.3/fbcon-fix-null-ptr-deref-in-soft_cursor.patch b/queue-6.3/fbcon-fix-null-ptr-deref-in-soft_cursor.patch new file mode 100644 index 00000000000..546e8a614bc --- /dev/null +++ b/queue-6.3/fbcon-fix-null-ptr-deref-in-soft_cursor.patch @@ -0,0 +1,58 @@ +From d78bd6cc68276bd57f766f7cb98bfe32c23ab327 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 27 May 2023 08:41:09 +0200 +Subject: fbcon: Fix null-ptr-deref in soft_cursor + +From: Helge Deller + +commit d78bd6cc68276bd57f766f7cb98bfe32c23ab327 upstream. + +syzbot repored this bug in the softcursor code: + +BUG: KASAN: null-ptr-deref in soft_cursor+0x384/0x6b4 drivers/video/fbdev/core/softcursor.c:70 +Read of size 16 at addr 0000000000000200 by task kworker/u4:1/12 + +CPU: 0 PID: 12 Comm: kworker/u4:1 Not tainted 6.4.0-rc3-syzkaller-geb0f1697d729 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 +Workqueue: events_power_efficient fb_flashcursor +Call trace: + dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233 + show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240 + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106 + print_report+0xe4/0x514 mm/kasan/report.c:465 + kasan_report+0xd4/0x130 mm/kasan/report.c:572 + kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:187 + __asan_memcpy+0x3c/0x84 mm/kasan/shadow.c:105 + soft_cursor+0x384/0x6b4 drivers/video/fbdev/core/softcursor.c:70 + bit_cursor+0x113c/0x1a64 drivers/video/fbdev/core/bitblit.c:377 + fb_flashcursor+0x35c/0x54c drivers/video/fbdev/core/fbcon.c:380 + process_one_work+0x788/0x12d4 kernel/workqueue.c:2405 + worker_thread+0x8e0/0xfe8 kernel/workqueue.c:2552 + kthread+0x288/0x310 kernel/kthread.c:379 + ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:853 + +This fix let bit_cursor() bail out early when a font bitmap +isn't available yet. + +Signed-off-by: Helge Deller +Reported-by: syzbot+d910bd780e6efac35869@syzkaller.appspotmail.com +Acked-by: Sam Ravnborg +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/bitblit.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/video/fbdev/core/bitblit.c ++++ b/drivers/video/fbdev/core/bitblit.c +@@ -247,6 +247,9 @@ static void bit_cursor(struct vc_data *v + + cursor.set = 0; + ++ if (!vc->vc_font.data) ++ return; ++ + c = scr_readw((u16 *) vc->vc_pos); + attribute = get_attribute(info, c); + src = vc->vc_font.data + ((c & charmask) * (w * vc->vc_font.height)); diff --git a/queue-6.3/io_uring-undeprecate-epoll_ctl-support.patch b/queue-6.3/io_uring-undeprecate-epoll_ctl-support.patch new file mode 100644 index 00000000000..f9f623db9d9 --- /dev/null +++ b/queue-6.3/io_uring-undeprecate-epoll_ctl-support.patch @@ -0,0 +1,35 @@ +From 4ea0bf4b98d66a7a790abb285539f395596bae92 Mon Sep 17 00:00:00 2001 +From: Ben Noordhuis +Date: Sat, 6 May 2023 11:55:02 +0200 +Subject: io_uring: undeprecate epoll_ctl support + +From: Ben Noordhuis + +commit 4ea0bf4b98d66a7a790abb285539f395596bae92 upstream. + +Libuv recently started using it so there is at least one consumer now. + +Cc: stable@vger.kernel.org +Fixes: 61a2732af4b0 ("io_uring: deprecate epoll_ctl support") +Link: https://github.com/libuv/libuv/pull/3979 +Signed-off-by: Ben Noordhuis +Link: https://lore.kernel.org/r/20230506095502.13401-1-info@bnoordhuis.nl +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/epoll.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/io_uring/epoll.c ++++ b/io_uring/epoll.c +@@ -25,10 +25,6 @@ int io_epoll_ctl_prep(struct io_kiocb *r + { + struct io_epoll *epoll = io_kiocb_to_cmd(req, struct io_epoll); + +- pr_warn_once("%s: epoll_ctl support in io_uring is deprecated and will " +- "be removed in a future Linux kernel version.\n", +- current->comm); +- + if (sqe->buf_index || sqe->splice_fd_in) + return -EINVAL; + diff --git a/queue-6.3/ksmbd-fix-credit-count-leakage.patch b/queue-6.3/ksmbd-fix-credit-count-leakage.patch new file mode 100644 index 00000000000..02a1f9e5986 --- /dev/null +++ b/queue-6.3/ksmbd-fix-credit-count-leakage.patch @@ -0,0 +1,39 @@ +From 84c5aa47925a1f40d698b6a6a2bf67e99617433d Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 12 May 2023 23:29:12 +0900 +Subject: ksmbd: fix credit count leakage + +From: Namjae Jeon + +commit 84c5aa47925a1f40d698b6a6a2bf67e99617433d upstream. + +This patch fix the failure from smb2.credits.single_req_credits_granted +test. When client send 8192 credit request, ksmbd return 8191 credit +granted. ksmbd should give maximum possible credits that must be granted +within the range of not exceeding the max credit to client. + +Cc: stable@vger.kernel.org +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2pdu.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -326,13 +326,9 @@ int smb2_set_rsp_credits(struct ksmbd_wo + if (hdr->Command == SMB2_NEGOTIATE) + aux_max = 1; + else +- aux_max = conn->vals->max_credits - credit_charge; ++ aux_max = conn->vals->max_credits - conn->total_credits; + credits_granted = min_t(unsigned short, credits_requested, aux_max); + +- if (conn->vals->max_credits - conn->total_credits < credits_granted) +- credits_granted = conn->vals->max_credits - +- conn->total_credits; +- + conn->total_credits += credits_granted; + work->credits_granted += credits_granted; + diff --git a/queue-6.3/ksmbd-fix-incorrect-allocationsize-set-in-smb2_get_info.patch b/queue-6.3/ksmbd-fix-incorrect-allocationsize-set-in-smb2_get_info.patch new file mode 100644 index 00000000000..b31026bafe4 --- /dev/null +++ b/queue-6.3/ksmbd-fix-incorrect-allocationsize-set-in-smb2_get_info.patch @@ -0,0 +1,71 @@ +From 6cc2268f5647cbfde3d4fc2e4ee005070ea3a8d2 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 19 May 2023 23:11:33 +0900 +Subject: ksmbd: fix incorrect AllocationSize set in smb2_get_info + +From: Namjae Jeon + +commit 6cc2268f5647cbfde3d4fc2e4ee005070ea3a8d2 upstream. + +If filesystem support sparse file, ksmbd should return allocated size +using ->i_blocks instead of stat->size. This fix generic/694 xfstests. + +Cc: stable@vger.kernel.org +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2pdu.c | 21 +++------------------ + 1 file changed, 3 insertions(+), 18 deletions(-) + +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -4380,21 +4380,6 @@ static int get_file_basic_info(struct sm + return 0; + } + +-static unsigned long long get_allocation_size(struct inode *inode, +- struct kstat *stat) +-{ +- unsigned long long alloc_size = 0; +- +- if (!S_ISDIR(stat->mode)) { +- if ((inode->i_blocks << 9) <= stat->size) +- alloc_size = stat->size; +- else +- alloc_size = inode->i_blocks << 9; +- } +- +- return alloc_size; +-} +- + static void get_file_standard_info(struct smb2_query_info_rsp *rsp, + struct ksmbd_file *fp, void *rsp_org) + { +@@ -4409,7 +4394,7 @@ static void get_file_standard_info(struc + sinfo = (struct smb2_file_standard_info *)rsp->Buffer; + delete_pending = ksmbd_inode_pending_delete(fp); + +- sinfo->AllocationSize = cpu_to_le64(get_allocation_size(inode, &stat)); ++ sinfo->AllocationSize = cpu_to_le64(inode->i_blocks << 9); + sinfo->EndOfFile = S_ISDIR(stat.mode) ? 0 : cpu_to_le64(stat.size); + sinfo->NumberOfLinks = cpu_to_le32(get_nlink(&stat) - delete_pending); + sinfo->DeletePending = delete_pending; +@@ -4474,7 +4459,7 @@ static int get_file_all_info(struct ksmb + file_info->Attributes = fp->f_ci->m_fattr; + file_info->Pad1 = 0; + file_info->AllocationSize = +- cpu_to_le64(get_allocation_size(inode, &stat)); ++ cpu_to_le64(inode->i_blocks << 9); + file_info->EndOfFile = S_ISDIR(stat.mode) ? 0 : cpu_to_le64(stat.size); + file_info->NumberOfLinks = + cpu_to_le32(get_nlink(&stat) - delete_pending); +@@ -4663,7 +4648,7 @@ static int get_file_network_open_info(st + file_info->ChangeTime = cpu_to_le64(time); + file_info->Attributes = fp->f_ci->m_fattr; + file_info->AllocationSize = +- cpu_to_le64(get_allocation_size(inode, &stat)); ++ cpu_to_le64(inode->i_blocks << 9); + file_info->EndOfFile = S_ISDIR(stat.mode) ? 0 : cpu_to_le64(stat.size); + file_info->Reserved = cpu_to_le32(0); + rsp->OutputBufferLength = diff --git a/queue-6.3/ksmbd-fix-multiple-out-of-bounds-read-during-context-decoding.patch b/queue-6.3/ksmbd-fix-multiple-out-of-bounds-read-during-context-decoding.patch new file mode 100644 index 00000000000..aa5066364f9 --- /dev/null +++ b/queue-6.3/ksmbd-fix-multiple-out-of-bounds-read-during-context-decoding.patch @@ -0,0 +1,151 @@ +From 0512a5f89e1fae74251fde6893ff634f1c96c6fb Mon Sep 17 00:00:00 2001 +From: Kuan-Ting Chen +Date: Fri, 19 May 2023 23:00:24 +0900 +Subject: ksmbd: fix multiple out-of-bounds read during context decoding + +From: Kuan-Ting Chen + +commit 0512a5f89e1fae74251fde6893ff634f1c96c6fb upstream. + +Check the remaining data length before accessing the context structure +to ensure that the entire structure is contained within the packet. +Additionally, since the context data length `ctxt_len` has already been +checked against the total packet length `len_of_ctxts`, update the +comparison to use `ctxt_len`. + +Cc: stable@vger.kernel.org +Signed-off-by: Kuan-Ting Chen +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2pdu.c | 53 ++++++++++++++++++++++++++++++++++------------------- + 1 file changed, 34 insertions(+), 19 deletions(-) + +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -873,13 +873,14 @@ static void assemble_neg_contexts(struct + + static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn, + struct smb2_preauth_neg_context *pneg_ctxt, +- int len_of_ctxts) ++ int ctxt_len) + { + /* + * sizeof(smb2_preauth_neg_context) assumes SMB311_SALT_SIZE Salt, + * which may not be present. Only check for used HashAlgorithms[1]. + */ +- if (len_of_ctxts < MIN_PREAUTH_CTXT_DATA_LEN) ++ if (ctxt_len < ++ sizeof(struct smb2_neg_context) + MIN_PREAUTH_CTXT_DATA_LEN) + return STATUS_INVALID_PARAMETER; + + if (pneg_ctxt->HashAlgorithms != SMB2_PREAUTH_INTEGRITY_SHA512) +@@ -891,15 +892,23 @@ static __le32 decode_preauth_ctxt(struct + + static void decode_encrypt_ctxt(struct ksmbd_conn *conn, + struct smb2_encryption_neg_context *pneg_ctxt, +- int len_of_ctxts) ++ int ctxt_len) + { +- int cph_cnt = le16_to_cpu(pneg_ctxt->CipherCount); +- int i, cphs_size = cph_cnt * sizeof(__le16); ++ int cph_cnt; ++ int i, cphs_size; ++ ++ if (sizeof(struct smb2_encryption_neg_context) > ctxt_len) { ++ pr_err("Invalid SMB2_ENCRYPTION_CAPABILITIES context size\n"); ++ return; ++ } + + conn->cipher_type = 0; + ++ cph_cnt = le16_to_cpu(pneg_ctxt->CipherCount); ++ cphs_size = cph_cnt * sizeof(__le16); ++ + if (sizeof(struct smb2_encryption_neg_context) + cphs_size > +- len_of_ctxts) { ++ ctxt_len) { + pr_err("Invalid cipher count(%d)\n", cph_cnt); + return; + } +@@ -947,15 +956,22 @@ static void decode_compress_ctxt(struct + + static void decode_sign_cap_ctxt(struct ksmbd_conn *conn, + struct smb2_signing_capabilities *pneg_ctxt, +- int len_of_ctxts) ++ int ctxt_len) + { +- int sign_algo_cnt = le16_to_cpu(pneg_ctxt->SigningAlgorithmCount); +- int i, sign_alos_size = sign_algo_cnt * sizeof(__le16); ++ int sign_algo_cnt; ++ int i, sign_alos_size; ++ ++ if (sizeof(struct smb2_signing_capabilities) > ctxt_len) { ++ pr_err("Invalid SMB2_SIGNING_CAPABILITIES context length\n"); ++ return; ++ } + + conn->signing_negotiated = false; ++ sign_algo_cnt = le16_to_cpu(pneg_ctxt->SigningAlgorithmCount); ++ sign_alos_size = sign_algo_cnt * sizeof(__le16); + + if (sizeof(struct smb2_signing_capabilities) + sign_alos_size > +- len_of_ctxts) { ++ ctxt_len) { + pr_err("Invalid signing algorithm count(%d)\n", sign_algo_cnt); + return; + } +@@ -993,18 +1009,16 @@ static __le32 deassemble_neg_contexts(st + len_of_ctxts = len_of_smb - offset; + + while (i++ < neg_ctxt_cnt) { +- int clen; +- +- /* check that offset is not beyond end of SMB */ +- if (len_of_ctxts == 0) +- break; ++ int clen, ctxt_len; + + if (len_of_ctxts < sizeof(struct smb2_neg_context)) + break; + + pctx = (struct smb2_neg_context *)((char *)pctx + offset); + clen = le16_to_cpu(pctx->DataLength); +- if (clen + sizeof(struct smb2_neg_context) > len_of_ctxts) ++ ctxt_len = clen + sizeof(struct smb2_neg_context); ++ ++ if (ctxt_len > len_of_ctxts) + break; + + if (pctx->ContextType == SMB2_PREAUTH_INTEGRITY_CAPABILITIES) { +@@ -1015,7 +1029,7 @@ static __le32 deassemble_neg_contexts(st + + status = decode_preauth_ctxt(conn, + (struct smb2_preauth_neg_context *)pctx, +- len_of_ctxts); ++ ctxt_len); + if (status != STATUS_SUCCESS) + break; + } else if (pctx->ContextType == SMB2_ENCRYPTION_CAPABILITIES) { +@@ -1026,7 +1040,7 @@ static __le32 deassemble_neg_contexts(st + + decode_encrypt_ctxt(conn, + (struct smb2_encryption_neg_context *)pctx, +- len_of_ctxts); ++ ctxt_len); + } else if (pctx->ContextType == SMB2_COMPRESSION_CAPABILITIES) { + ksmbd_debug(SMB, + "deassemble SMB2_COMPRESSION_CAPABILITIES context\n"); +@@ -1045,9 +1059,10 @@ static __le32 deassemble_neg_contexts(st + } else if (pctx->ContextType == SMB2_SIGNING_CAPABILITIES) { + ksmbd_debug(SMB, + "deassemble SMB2_SIGNING_CAPABILITIES context\n"); ++ + decode_sign_cap_ctxt(conn, + (struct smb2_signing_capabilities *)pctx, +- len_of_ctxts); ++ ctxt_len); + } + + /* offsets must be 8 byte aligned */ diff --git a/queue-6.3/ksmbd-fix-slab-out-of-bounds-read-in-smb2_handle_negotiate.patch b/queue-6.3/ksmbd-fix-slab-out-of-bounds-read-in-smb2_handle_negotiate.patch new file mode 100644 index 00000000000..f30c0196355 --- /dev/null +++ b/queue-6.3/ksmbd-fix-slab-out-of-bounds-read-in-smb2_handle_negotiate.patch @@ -0,0 +1,58 @@ +From d738950f112c8f40f0515fe967db998e8235a175 Mon Sep 17 00:00:00 2001 +From: Kuan-Ting Chen +Date: Fri, 19 May 2023 22:59:28 +0900 +Subject: ksmbd: fix slab-out-of-bounds read in smb2_handle_negotiate + +From: Kuan-Ting Chen + +commit d738950f112c8f40f0515fe967db998e8235a175 upstream. + +Check request_buf length first to avoid out-of-bounds read by +req->DialectCount. + +[ 3350.990282] BUG: KASAN: slab-out-of-bounds in smb2_handle_negotiate+0x35d7/0x3e60 +[ 3350.990282] Read of size 2 at addr ffff88810ad61346 by task kworker/5:0/276 +[ 3351.000406] Workqueue: ksmbd-io handle_ksmbd_work +[ 3351.003499] Call Trace: +[ 3351.006473] +[ 3351.006473] dump_stack_lvl+0x8d/0xe0 +[ 3351.006473] print_report+0xcc/0x620 +[ 3351.006473] kasan_report+0x92/0xc0 +[ 3351.006473] smb2_handle_negotiate+0x35d7/0x3e60 +[ 3351.014760] ksmbd_smb_negotiate_common+0x7a7/0xf00 +[ 3351.014760] handle_ksmbd_work+0x3f7/0x12d0 +[ 3351.014760] process_one_work+0xa85/0x1780 + +Cc: stable@vger.kernel.org +Signed-off-by: Kuan-Ting Chen +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2pdu.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -1081,16 +1081,16 @@ int smb2_handle_negotiate(struct ksmbd_w + return rc; + } + +- if (req->DialectCount == 0) { +- pr_err("malformed packet\n"); ++ smb2_buf_len = get_rfc1002_len(work->request_buf); ++ smb2_neg_size = offsetof(struct smb2_negotiate_req, Dialects); ++ if (smb2_neg_size > smb2_buf_len) { + rsp->hdr.Status = STATUS_INVALID_PARAMETER; + rc = -EINVAL; + goto err_out; + } + +- smb2_buf_len = get_rfc1002_len(work->request_buf); +- smb2_neg_size = offsetof(struct smb2_negotiate_req, Dialects); +- if (smb2_neg_size > smb2_buf_len) { ++ if (req->DialectCount == 0) { ++ pr_err("malformed packet\n"); + rsp->hdr.Status = STATUS_INVALID_PARAMETER; + rc = -EINVAL; + goto err_out; diff --git a/queue-6.3/ksmbd-fix-uaf-issue-from-opinfo-conn.patch b/queue-6.3/ksmbd-fix-uaf-issue-from-opinfo-conn.patch new file mode 100644 index 00000000000..0c271bbad43 --- /dev/null +++ b/queue-6.3/ksmbd-fix-uaf-issue-from-opinfo-conn.patch @@ -0,0 +1,193 @@ +From 36322523dddb11107e9f7f528675a0dec2536103 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 19 May 2023 23:09:48 +0900 +Subject: ksmbd: fix UAF issue from opinfo->conn + +From: Namjae Jeon + +commit 36322523dddb11107e9f7f528675a0dec2536103 upstream. + +If opinfo->conn is another connection and while ksmbd send oplock break +request to cient on current connection, The connection for opinfo->conn +can be disconnect and conn could be freed. When sending oplock break +request, this ksmbd_conn can be used and cause user-after-free issue. +When getting opinfo from the list, ksmbd check connection is being +released. If it is not released, Increase ->r_count to wait that connection +is freed. + +Cc: stable@vger.kernel.org +Reported-by: Per Forlin +Tested-by: Per Forlin +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/oplock.c | 72 +++++++++++++++++++++++++++++++++++------------------- + 1 file changed, 47 insertions(+), 25 deletions(-) + +--- a/fs/ksmbd/oplock.c ++++ b/fs/ksmbd/oplock.c +@@ -157,13 +157,42 @@ static struct oplock_info *opinfo_get_li + rcu_read_lock(); + opinfo = list_first_or_null_rcu(&ci->m_op_list, struct oplock_info, + op_entry); +- if (opinfo && !atomic_inc_not_zero(&opinfo->refcount)) +- opinfo = NULL; ++ if (opinfo) { ++ if (!atomic_inc_not_zero(&opinfo->refcount)) ++ opinfo = NULL; ++ else { ++ atomic_inc(&opinfo->conn->r_count); ++ if (ksmbd_conn_releasing(opinfo->conn)) { ++ atomic_dec(&opinfo->conn->r_count); ++ atomic_dec(&opinfo->refcount); ++ opinfo = NULL; ++ } ++ } ++ } ++ + rcu_read_unlock(); + + return opinfo; + } + ++static void opinfo_conn_put(struct oplock_info *opinfo) ++{ ++ struct ksmbd_conn *conn; ++ ++ if (!opinfo) ++ return; ++ ++ conn = opinfo->conn; ++ /* ++ * Checking waitqueue to dropping pending requests on ++ * disconnection. waitqueue_active is safe because it ++ * uses atomic operation for condition. ++ */ ++ if (!atomic_dec_return(&conn->r_count) && waitqueue_active(&conn->r_count_q)) ++ wake_up(&conn->r_count_q); ++ opinfo_put(opinfo); ++} ++ + void opinfo_put(struct oplock_info *opinfo) + { + if (!atomic_dec_and_test(&opinfo->refcount)) +@@ -666,13 +695,6 @@ static void __smb2_oplock_break_noti(str + + out: + ksmbd_free_work_struct(work); +- /* +- * Checking waitqueue to dropping pending requests on +- * disconnection. waitqueue_active is safe because it +- * uses atomic operation for condition. +- */ +- if (!atomic_dec_return(&conn->r_count) && waitqueue_active(&conn->r_count_q)) +- wake_up(&conn->r_count_q); + } + + /** +@@ -706,7 +728,6 @@ static int smb2_oplock_break_noti(struct + work->conn = conn; + work->sess = opinfo->sess; + +- atomic_inc(&conn->r_count); + if (opinfo->op_state == OPLOCK_ACK_WAIT) { + INIT_WORK(&work->work, __smb2_oplock_break_noti); + ksmbd_queue_work(work); +@@ -776,13 +797,6 @@ static void __smb2_lease_break_noti(stru + + out: + ksmbd_free_work_struct(work); +- /* +- * Checking waitqueue to dropping pending requests on +- * disconnection. waitqueue_active is safe because it +- * uses atomic operation for condition. +- */ +- if (!atomic_dec_return(&conn->r_count) && waitqueue_active(&conn->r_count_q)) +- wake_up(&conn->r_count_q); + } + + /** +@@ -822,7 +836,6 @@ static int smb2_lease_break_noti(struct + work->conn = conn; + work->sess = opinfo->sess; + +- atomic_inc(&conn->r_count); + if (opinfo->op_state == OPLOCK_ACK_WAIT) { + list_for_each_safe(tmp, t, &opinfo->interim_list) { + struct ksmbd_work *in_work; +@@ -1144,8 +1157,10 @@ int smb_grant_oplock(struct ksmbd_work * + } + prev_opinfo = opinfo_get_list(ci); + if (!prev_opinfo || +- (prev_opinfo->level == SMB2_OPLOCK_LEVEL_NONE && lctx)) ++ (prev_opinfo->level == SMB2_OPLOCK_LEVEL_NONE && lctx)) { ++ opinfo_conn_put(prev_opinfo); + goto set_lev; ++ } + prev_op_has_lease = prev_opinfo->is_lease; + if (prev_op_has_lease) + prev_op_state = prev_opinfo->o_lease->state; +@@ -1153,19 +1168,19 @@ int smb_grant_oplock(struct ksmbd_work * + if (share_ret < 0 && + prev_opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE) { + err = share_ret; +- opinfo_put(prev_opinfo); ++ opinfo_conn_put(prev_opinfo); + goto err_out; + } + + if (prev_opinfo->level != SMB2_OPLOCK_LEVEL_BATCH && + prev_opinfo->level != SMB2_OPLOCK_LEVEL_EXCLUSIVE) { +- opinfo_put(prev_opinfo); ++ opinfo_conn_put(prev_opinfo); + goto op_break_not_needed; + } + + list_add(&work->interim_entry, &prev_opinfo->interim_list); + err = oplock_break(prev_opinfo, SMB2_OPLOCK_LEVEL_II); +- opinfo_put(prev_opinfo); ++ opinfo_conn_put(prev_opinfo); + if (err == -ENOENT) + goto set_lev; + /* Check all oplock was freed by close */ +@@ -1228,14 +1243,14 @@ static void smb_break_all_write_oplock(s + return; + if (brk_opinfo->level != SMB2_OPLOCK_LEVEL_BATCH && + brk_opinfo->level != SMB2_OPLOCK_LEVEL_EXCLUSIVE) { +- opinfo_put(brk_opinfo); ++ opinfo_conn_put(brk_opinfo); + return; + } + + brk_opinfo->open_trunc = is_trunc; + list_add(&work->interim_entry, &brk_opinfo->interim_list); + oplock_break(brk_opinfo, SMB2_OPLOCK_LEVEL_II); +- opinfo_put(brk_opinfo); ++ opinfo_conn_put(brk_opinfo); + } + + /** +@@ -1263,6 +1278,13 @@ void smb_break_all_levII_oplock(struct k + list_for_each_entry_rcu(brk_op, &ci->m_op_list, op_entry) { + if (!atomic_inc_not_zero(&brk_op->refcount)) + continue; ++ ++ atomic_inc(&brk_op->conn->r_count); ++ if (ksmbd_conn_releasing(brk_op->conn)) { ++ atomic_dec(&brk_op->conn->r_count); ++ continue; ++ } ++ + rcu_read_unlock(); + if (brk_op->is_lease && (brk_op->o_lease->state & + (~(SMB2_LEASE_READ_CACHING_LE | +@@ -1292,7 +1314,7 @@ void smb_break_all_levII_oplock(struct k + brk_op->open_trunc = is_trunc; + oplock_break(brk_op, SMB2_OPLOCK_LEVEL_NONE); + next: +- opinfo_put(brk_op); ++ opinfo_conn_put(brk_op); + rcu_read_lock(); + } + rcu_read_unlock(); diff --git a/queue-6.3/kvm-arm64-drop-last-page-ref-in-kvm_pgtable_stage2_free_removed.patch b/queue-6.3/kvm-arm64-drop-last-page-ref-in-kvm_pgtable_stage2_free_removed.patch new file mode 100644 index 00000000000..56dc4376d83 --- /dev/null +++ b/queue-6.3/kvm-arm64-drop-last-page-ref-in-kvm_pgtable_stage2_free_removed.patch @@ -0,0 +1,40 @@ +From f6a27d6dc51b288106adaf053cff9c9b9cc12c4e Mon Sep 17 00:00:00 2001 +From: Oliver Upton +Date: Tue, 30 May 2023 19:32:13 +0000 +Subject: KVM: arm64: Drop last page ref in kvm_pgtable_stage2_free_removed() + +From: Oliver Upton + +commit f6a27d6dc51b288106adaf053cff9c9b9cc12c4e upstream. + +The reference count on page table allocations is increased for every +'counted' PTE (valid or donated) in the table in addition to the initial +reference from ->zalloc_page(). kvm_pgtable_stage2_free_removed() fails +to drop the last reference on the root of the table walk, meaning we +leak memory. + +Fix it by dropping the last reference after the free walker returns, +at which point all references for 'counted' PTEs have been released. + +Cc: stable@vger.kernel.org +Fixes: 5c359cca1faf ("KVM: arm64: Tear down unlinked stage-2 subtree after break-before-make") +Reported-by: Yu Zhao +Signed-off-by: Oliver Upton +Tested-by: Yu Zhao +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230530193213.1663411-1-oliver.upton@linux.dev +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/hyp/pgtable.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm64/kvm/hyp/pgtable.c ++++ b/arch/arm64/kvm/hyp/pgtable.c +@@ -1333,4 +1333,7 @@ void kvm_pgtable_stage2_free_removed(str + }; + + WARN_ON(__kvm_pgtable_walk(&data, mm_ops, ptep, level + 1)); ++ ++ WARN_ON(mm_ops->page_count(pgtable) != 1); ++ mm_ops->put_page(pgtable); + } diff --git a/queue-6.3/kvm-arm64-populate-fault-info-for-watchpoint.patch b/queue-6.3/kvm-arm64-populate-fault-info-for-watchpoint.patch new file mode 100644 index 00000000000..b00a947a787 --- /dev/null +++ b/queue-6.3/kvm-arm64-populate-fault-info-for-watchpoint.patch @@ -0,0 +1,82 @@ +From 811154e234db72f0a11557a84ba9640f8b3bc823 Mon Sep 17 00:00:00 2001 +From: Akihiko Odaki +Date: Tue, 30 May 2023 11:46:51 +0900 +Subject: KVM: arm64: Populate fault info for watchpoint + +From: Akihiko Odaki + +commit 811154e234db72f0a11557a84ba9640f8b3bc823 upstream. + +When handling ESR_ELx_EC_WATCHPT_LOW, far_el2 member of struct +kvm_vcpu_fault_info will be copied to far member of struct +kvm_debug_exit_arch and exposed to the userspace. The userspace will +see stale values from older faults if the fault info does not get +populated. + +Fixes: 8fb2046180a0 ("KVM: arm64: Move early handlers to per-EC handlers") +Suggested-by: Marc Zyngier +Signed-off-by: Akihiko Odaki +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230530024651.10014-1-akihiko.odaki@daynix.com +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/hyp/include/hyp/switch.h | 8 ++++++-- + arch/arm64/kvm/hyp/nvhe/switch.c | 2 ++ + arch/arm64/kvm/hyp/vhe/switch.c | 1 + + 3 files changed, 9 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kvm/hyp/include/hyp/switch.h ++++ b/arch/arm64/kvm/hyp/include/hyp/switch.h +@@ -351,17 +351,21 @@ static bool kvm_hyp_handle_cp15_32(struc + return false; + } + +-static bool kvm_hyp_handle_iabt_low(struct kvm_vcpu *vcpu, u64 *exit_code) ++static bool kvm_hyp_handle_memory_fault(struct kvm_vcpu *vcpu, u64 *exit_code) + { + if (!__populate_fault_info(vcpu)) + return true; + + return false; + } ++static bool kvm_hyp_handle_iabt_low(struct kvm_vcpu *vcpu, u64 *exit_code) ++ __alias(kvm_hyp_handle_memory_fault); ++static bool kvm_hyp_handle_watchpt_low(struct kvm_vcpu *vcpu, u64 *exit_code) ++ __alias(kvm_hyp_handle_memory_fault); + + static bool kvm_hyp_handle_dabt_low(struct kvm_vcpu *vcpu, u64 *exit_code) + { +- if (!__populate_fault_info(vcpu)) ++ if (kvm_hyp_handle_memory_fault(vcpu, exit_code)) + return true; + + if (static_branch_unlikely(&vgic_v2_cpuif_trap)) { +--- a/arch/arm64/kvm/hyp/nvhe/switch.c ++++ b/arch/arm64/kvm/hyp/nvhe/switch.c +@@ -186,6 +186,7 @@ static const exit_handler_fn hyp_exit_ha + [ESR_ELx_EC_FP_ASIMD] = kvm_hyp_handle_fpsimd, + [ESR_ELx_EC_IABT_LOW] = kvm_hyp_handle_iabt_low, + [ESR_ELx_EC_DABT_LOW] = kvm_hyp_handle_dabt_low, ++ [ESR_ELx_EC_WATCHPT_LOW] = kvm_hyp_handle_watchpt_low, + [ESR_ELx_EC_PAC] = kvm_hyp_handle_ptrauth, + }; + +@@ -196,6 +197,7 @@ static const exit_handler_fn pvm_exit_ha + [ESR_ELx_EC_FP_ASIMD] = kvm_hyp_handle_fpsimd, + [ESR_ELx_EC_IABT_LOW] = kvm_hyp_handle_iabt_low, + [ESR_ELx_EC_DABT_LOW] = kvm_hyp_handle_dabt_low, ++ [ESR_ELx_EC_WATCHPT_LOW] = kvm_hyp_handle_watchpt_low, + [ESR_ELx_EC_PAC] = kvm_hyp_handle_ptrauth, + }; + +--- a/arch/arm64/kvm/hyp/vhe/switch.c ++++ b/arch/arm64/kvm/hyp/vhe/switch.c +@@ -110,6 +110,7 @@ static const exit_handler_fn hyp_exit_ha + [ESR_ELx_EC_FP_ASIMD] = kvm_hyp_handle_fpsimd, + [ESR_ELx_EC_IABT_LOW] = kvm_hyp_handle_iabt_low, + [ESR_ELx_EC_DABT_LOW] = kvm_hyp_handle_dabt_low, ++ [ESR_ELx_EC_WATCHPT_LOW] = kvm_hyp_handle_watchpt_low, + [ESR_ELx_EC_PAC] = kvm_hyp_handle_ptrauth, + }; + diff --git a/queue-6.3/kvm-x86-account-fastpath-only-vm-exits-in-vcpu-stats.patch b/queue-6.3/kvm-x86-account-fastpath-only-vm-exits-in-vcpu-stats.patch new file mode 100644 index 00000000000..7116dc2c182 --- /dev/null +++ b/queue-6.3/kvm-x86-account-fastpath-only-vm-exits-in-vcpu-stats.patch @@ -0,0 +1,35 @@ +From 8b703a49c9df5e74870381ad7ba9c85d8a74ed2c Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 1 Jun 2023 18:19:19 -0700 +Subject: KVM: x86: Account fastpath-only VM-Exits in vCPU stats + +From: Sean Christopherson + +commit 8b703a49c9df5e74870381ad7ba9c85d8a74ed2c upstream. + +Increment vcpu->stat.exits when handling a fastpath VM-Exit without +going through any part of the "slow" path. Not bumping the exits stat +can result in wildly misleading exit counts, e.g. if the primary reason +the guest is exiting is to program the TSC deadline timer. + +Fixes: 404d5d7bff0d ("KVM: X86: Introduce more exit_fastpath_completion enum values") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230602011920.787844-2-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -10682,6 +10682,9 @@ static int vcpu_enter_guest(struct kvm_v + exit_fastpath = EXIT_FASTPATH_EXIT_HANDLED; + break; + } ++ ++ /* Note, VM-Exits that go down the "slow" path are accounted below. */ ++ ++vcpu->stat.exits; + } + + /* diff --git a/queue-6.3/kvm-x86-bail-from-kvm_recalculate_phys_map-if-x2apic-id-is-out-of-bounds.patch b/queue-6.3/kvm-x86-bail-from-kvm_recalculate_phys_map-if-x2apic-id-is-out-of-bounds.patch new file mode 100644 index 00000000000..ad6221d5916 --- /dev/null +++ b/queue-6.3/kvm-x86-bail-from-kvm_recalculate_phys_map-if-x2apic-id-is-out-of-bounds.patch @@ -0,0 +1,78 @@ +From 4364b287982bd05bfafa461c80650c732001974b Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 2 Jun 2023 16:32:48 -0700 +Subject: KVM: x86: Bail from kvm_recalculate_phys_map() if x2APIC ID is out-of-bounds + +From: Sean Christopherson + +commit 4364b287982bd05bfafa461c80650c732001974b upstream. + +Bail from kvm_recalculate_phys_map() and disable the optimized map if the +target vCPU's x2APIC ID is out-of-bounds, i.e. if the vCPU was added +and/or enabled its local APIC after the map was allocated. This fixes an +out-of-bounds access bug in the !x2apic_format path where KVM would write +beyond the end of phys_map. + +Check the x2APIC ID regardless of whether or not x2APIC is enabled, +as KVM's hardcodes x2APIC ID to be the vCPU ID, i.e. it can't change, and +the map allocation in kvm_recalculate_apic_map() doesn't check for x2APIC +being enabled, i.e. the check won't get false postivies. + +Note, this also affects the x2apic_format path, which previously just +ignored the "x2apic_id > new->max_apic_id" case. That too is arguably a +bug fix, as ignoring the vCPU meant that KVM would not send interrupts to +the vCPU until the next map recalculation. In practice, that "bug" is +likely benign as a newly present vCPU/APIC would immediately trigger a +recalc. But, there's no functional downside to disabling the map, and +a future patch will gracefully handle the -E2BIG case by retrying instead +of simply disabling the optimized map. + +Opportunistically add a sanity check on the xAPIC ID size, along with a +comment explaining why the xAPIC ID is guaranteed to be "good". + +Reported-by: Michal Luczaj +Fixes: 5b84b0291702 ("KVM: x86: Honor architectural behavior for aliased 8-bit APIC IDs") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230602233250.1014316-2-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/lapic.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -229,6 +229,23 @@ static int kvm_recalculate_phys_map(stru + u32 physical_id; + + /* ++ * For simplicity, KVM always allocates enough space for all possible ++ * xAPIC IDs. Yell, but don't kill the VM, as KVM can continue on ++ * without the optimized map. ++ */ ++ if (WARN_ON_ONCE(xapic_id > new->max_apic_id)) ++ return -EINVAL; ++ ++ /* ++ * Bail if a vCPU was added and/or enabled its APIC between allocating ++ * the map and doing the actual calculations for the map. Note, KVM ++ * hardcodes the x2APIC ID to vcpu_id, i.e. there's no TOCTOU bug if ++ * the compiler decides to reload x2apic_id after this check. ++ */ ++ if (x2apic_id > new->max_apic_id) ++ return -E2BIG; ++ ++ /* + * Deliberately truncate the vCPU ID when detecting a mismatched APIC + * ID to avoid false positives if the vCPU ID, i.e. x2APIC ID, is a + * 32-bit value. Any unwanted aliasing due to truncation results will +@@ -253,8 +270,7 @@ static int kvm_recalculate_phys_map(stru + */ + if (vcpu->kvm->arch.x2apic_format) { + /* See also kvm_apic_match_physical_addr(). */ +- if ((apic_x2apic_mode(apic) || x2apic_id > 0xff) && +- x2apic_id <= new->max_apic_id) ++ if (apic_x2apic_mode(apic) || x2apic_id > 0xff) + new->phys_map[x2apic_id] = apic; + + if (!apic_x2apic_mode(apic) && !new->phys_map[xapic_id]) diff --git a/queue-6.3/kvm-x86-mmu-grab-memslot-for-correct-address-space-in-nx-recovery-worker.patch b/queue-6.3/kvm-x86-mmu-grab-memslot-for-correct-address-space-in-nx-recovery-worker.patch new file mode 100644 index 00000000000..d5690924052 --- /dev/null +++ b/queue-6.3/kvm-x86-mmu-grab-memslot-for-correct-address-space-in-nx-recovery-worker.patch @@ -0,0 +1,80 @@ +From 817fa998362d6ea9fabd5e97af8e9e2eb5f0e6f2 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 1 Jun 2023 18:01:37 -0700 +Subject: KVM: x86/mmu: Grab memslot for correct address space in NX recovery worker + +From: Sean Christopherson + +commit 817fa998362d6ea9fabd5e97af8e9e2eb5f0e6f2 upstream. + +Factor in the address space (non-SMM vs. SMM) of the target shadow page +when recovering potential NX huge pages, otherwise KVM will retrieve the +wrong memslot when zapping shadow pages that were created for SMM. The +bug most visibly manifests as a WARN on the memslot being non-NULL, but +the worst case scenario is that KVM could unaccount the shadow page +without ensuring KVM won't install a huge page, i.e. if the non-SMM slot +is being dirty logged, but the SMM slot is not. + + ------------[ cut here ]------------ + WARNING: CPU: 1 PID: 3911 at arch/x86/kvm/mmu/mmu.c:7015 + kvm_nx_huge_page_recovery_worker+0x38c/0x3d0 [kvm] + CPU: 1 PID: 3911 Comm: kvm-nx-lpage-re + RIP: 0010:kvm_nx_huge_page_recovery_worker+0x38c/0x3d0 [kvm] + RSP: 0018:ffff99b284f0be68 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: ffff99b284edd000 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 + RBP: ffff9271397024e0 R08: 0000000000000000 R09: ffff927139702450 + R10: 0000000000000000 R11: 0000000000000001 R12: ffff99b284f0be98 + R13: 0000000000000000 R14: ffff9270991fcd80 R15: 0000000000000003 + FS: 0000000000000000(0000) GS:ffff927f9f640000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f0aacad3ae0 CR3: 000000088fc2c005 CR4: 00000000003726e0 + Call Trace: + +__pfx_kvm_nx_huge_page_recovery_worker+0x10/0x10 [kvm] + kvm_vm_worker_thread+0x106/0x1c0 [kvm] + kthread+0xd9/0x100 + ret_from_fork+0x2c/0x50 + + ---[ end trace 0000000000000000 ]--- + +This bug was exposed by commit edbdb43fc96b ("KVM: x86: Preserve TDP MMU +roots until they are explicitly invalidated"), which allowed KVM to retain +SMM TDP MMU roots effectively indefinitely. Before commit edbdb43fc96b, +KVM would zap all SMM TDP MMU roots and thus all SMM TDP MMU shadow pages +once all vCPUs exited SMM, which made the window where this bug (recovering +an SMM NX huge page) could be encountered quite tiny. To hit the bug, the +NX recovery thread would have to run while at least one vCPU was in SMM. +Most VMs typically only use SMM during boot, and so the problematic shadow +pages were gone by the time the NX recovery thread ran. + +Now that KVM preserves TDP MMU roots until they are explicitly invalidated +(e.g. by a memslot deletion), the window to trigger the bug is effectively +never closed because most VMMs don't delete memslots after boot (except +for a handful of special scenarios). + +Fixes: eb298605705a ("KVM: x86/mmu: Do not recover dirty-tracked NX Huge Pages") +Reported-by: Fabio Coatti +Closes: https://lore.kernel.org/all/CADpTngX9LESCdHVu_2mQkNGena_Ng2CphWNwsRGSMxzDsTjU2A@mail.gmail.com +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230602010137.784664-1-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu/mmu.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/mmu/mmu.c ++++ b/arch/x86/kvm/mmu/mmu.c +@@ -7011,7 +7011,10 @@ static void kvm_recover_nx_huge_pages(st + */ + slot = NULL; + if (atomic_read(&kvm->nr_memslots_dirty_logging)) { +- slot = gfn_to_memslot(kvm, sp->gfn); ++ struct kvm_memslots *slots; ++ ++ slots = kvm_memslots_for_spte_role(kvm, sp->role); ++ slot = __gfn_to_memslot(slots, sp->gfn); + WARN_ON_ONCE(!slot); + } + diff --git a/queue-6.3/mptcp-fix-active-subflow-finalization.patch b/queue-6.3/mptcp-fix-active-subflow-finalization.patch new file mode 100644 index 00000000000..197f7369b6c --- /dev/null +++ b/queue-6.3/mptcp-fix-active-subflow-finalization.patch @@ -0,0 +1,90 @@ +From 55b47ca7d80814ceb63d64e032e96cd6777811e5 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Wed, 31 May 2023 12:37:08 -0700 +Subject: mptcp: fix active subflow finalization + +From: Paolo Abeni + +commit 55b47ca7d80814ceb63d64e032e96cd6777811e5 upstream. + +Active subflow are inserted into the connection list at creation time. +When the MPJ handshake completes successfully, a new subflow creation +netlink event is generated correctly, but the current code wrongly +avoid initializing a couple of subflow data. + +The above will cause misbehavior on a few exceptional events: unneeded +mptcp-level retransmission on msk-level sequence wrap-around and infinite +mapping fallback even when a MPJ socket is present. + +Address the issue factoring out the needed initialization in a new helper +and invoking the latter from __mptcp_finish_join() time for passive +subflow and from mptcp_finish_join() for active ones. + +Fixes: 0530020a7c8f ("mptcp: track and update contiguous data status") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -812,6 +812,13 @@ void mptcp_data_ready(struct sock *sk, s + mptcp_data_unlock(sk); + } + ++static void mptcp_subflow_joined(struct mptcp_sock *msk, struct sock *ssk) ++{ ++ mptcp_subflow_ctx(ssk)->map_seq = READ_ONCE(msk->ack_seq); ++ WRITE_ONCE(msk->allow_infinite_fallback, false); ++ mptcp_event(MPTCP_EVENT_SUB_ESTABLISHED, msk, ssk, GFP_ATOMIC); ++} ++ + static bool __mptcp_finish_join(struct mptcp_sock *msk, struct sock *ssk) + { + struct sock *sk = (struct sock *)msk; +@@ -826,6 +833,7 @@ static bool __mptcp_finish_join(struct m + mptcp_sock_graft(ssk, sk->sk_socket); + + mptcp_sockopt_sync_locked(msk, ssk); ++ mptcp_subflow_joined(msk, ssk); + return true; + } + +@@ -3457,14 +3465,16 @@ bool mptcp_finish_join(struct sock *ssk) + return false; + } + +- if (!list_empty(&subflow->node)) +- goto out; ++ /* active subflow, already present inside the conn_list */ ++ if (!list_empty(&subflow->node)) { ++ mptcp_subflow_joined(msk, ssk); ++ return true; ++ } + + if (!mptcp_pm_allow_new_subflow(msk)) + goto err_prohibited; + +- /* active connections are already on conn_list. +- * If we can't acquire msk socket lock here, let the release callback ++ /* If we can't acquire msk socket lock here, let the release callback + * handle it + */ + mptcp_data_lock(parent); +@@ -3487,11 +3497,6 @@ err_prohibited: + return false; + } + +- subflow->map_seq = READ_ONCE(msk->ack_seq); +- WRITE_ONCE(msk->allow_infinite_fallback, false); +- +-out: +- mptcp_event(MPTCP_EVENT_SUB_ESTABLISHED, msk, ssk, GFP_ATOMIC); + return true; + } + diff --git a/queue-6.3/mptcp-fix-connect-timeout-handling.patch b/queue-6.3/mptcp-fix-connect-timeout-handling.patch new file mode 100644 index 00000000000..dc104aea461 --- /dev/null +++ b/queue-6.3/mptcp-fix-connect-timeout-handling.patch @@ -0,0 +1,127 @@ +From 786fc12457268cc9b555dde6c22ae7300d4b40e1 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Wed, 31 May 2023 12:37:03 -0700 +Subject: mptcp: fix connect timeout handling + +From: Paolo Abeni + +commit 786fc12457268cc9b555dde6c22ae7300d4b40e1 upstream. + +Ondrej reported a functional issue WRT timeout handling on connect +with a nice reproducer. + +The problem is that the current mptcp connect waits for both the +MPTCP socket level timeout, and the first subflow socket timeout. +The latter is not influenced/touched by the exposed setsockopt(). + +Overall the above makes the SO_SNDTIMEO a no-op on connect. + +Since mptcp_connect is invoked via inet_stream_connect and the +latter properly handle the MPTCP level timeout, we can address the +issue making the nested subflow level connect always unblocking. + +This also allow simplifying a bit the code, dropping an ugly hack +to handle the fastopen and custom proto_ops connect. + +The issues predates the blamed commit below, but the current resolution +requires the infrastructure introduced there. + +Fixes: 54f1944ed6d2 ("mptcp: factor out mptcp_connect()") +Reported-by: Ondrej Mosnacek +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/399 +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 29 +++++++---------------------- + net/mptcp/protocol.h | 1 - + 2 files changed, 7 insertions(+), 23 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -1671,7 +1671,6 @@ static int mptcp_sendmsg_fastopen(struct + + lock_sock(ssk); + msg->msg_flags |= MSG_DONTWAIT; +- msk->connect_flags = O_NONBLOCK; + msk->fastopening = 1; + ret = tcp_sendmsg_fastopen(ssk, msg, copied_syn, len, NULL); + msk->fastopening = 0; +@@ -3610,9 +3609,9 @@ static int mptcp_connect(struct sock *sk + * acquired the subflow socket lock, too. + */ + if (msk->fastopening) +- err = __inet_stream_connect(ssock, uaddr, addr_len, msk->connect_flags, 1); ++ err = __inet_stream_connect(ssock, uaddr, addr_len, O_NONBLOCK, 1); + else +- err = inet_stream_connect(ssock, uaddr, addr_len, msk->connect_flags); ++ err = inet_stream_connect(ssock, uaddr, addr_len, O_NONBLOCK); + inet_sk(sk)->defer_connect = inet_sk(ssock->sk)->defer_connect; + + /* on successful connect, the msk state will be moved to established by +@@ -3625,12 +3624,10 @@ static int mptcp_connect(struct sock *sk + + mptcp_copy_inaddrs(sk, ssock->sk); + +- /* unblocking connect, mptcp-level inet_stream_connect will error out +- * without changing the socket state, update it here. ++ /* silence EINPROGRESS and let the caller inet_stream_connect ++ * handle the connection in progress + */ +- if (err == -EINPROGRESS) +- sk->sk_socket->state = ssock->state; +- return err; ++ return 0; + } + + static struct proto mptcp_prot = { +@@ -3689,18 +3686,6 @@ unlock: + return err; + } + +-static int mptcp_stream_connect(struct socket *sock, struct sockaddr *uaddr, +- int addr_len, int flags) +-{ +- int ret; +- +- lock_sock(sock->sk); +- mptcp_sk(sock->sk)->connect_flags = flags; +- ret = __inet_stream_connect(sock, uaddr, addr_len, flags, 0); +- release_sock(sock->sk); +- return ret; +-} +- + static int mptcp_listen(struct socket *sock, int backlog) + { + struct mptcp_sock *msk = mptcp_sk(sock->sk); +@@ -3857,7 +3842,7 @@ static const struct proto_ops mptcp_stre + .owner = THIS_MODULE, + .release = inet_release, + .bind = mptcp_bind, +- .connect = mptcp_stream_connect, ++ .connect = inet_stream_connect, + .socketpair = sock_no_socketpair, + .accept = mptcp_stream_accept, + .getname = inet_getname, +@@ -3952,7 +3937,7 @@ static const struct proto_ops mptcp_v6_s + .owner = THIS_MODULE, + .release = inet6_release, + .bind = mptcp_bind, +- .connect = mptcp_stream_connect, ++ .connect = inet_stream_connect, + .socketpair = sock_no_socketpair, + .accept = mptcp_stream_accept, + .getname = inet6_getname, +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -297,7 +297,6 @@ struct mptcp_sock { + nodelay:1, + fastopening:1, + in_accept_queue:1; +- int connect_flags; + struct work_struct work; + struct sk_buff *ooo_last_skb; + struct rb_root out_of_order_queue; diff --git a/queue-6.3/mtdchar-mark-bits-of-ioctl-handler-noinline.patch b/queue-6.3/mtdchar-mark-bits-of-ioctl-handler-noinline.patch new file mode 100644 index 00000000000..fff14029696 --- /dev/null +++ b/queue-6.3/mtdchar-mark-bits-of-ioctl-handler-noinline.patch @@ -0,0 +1,56 @@ +From 0ea923f443350c8c5cca6eef5b748d52b903f46c Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 17 Apr 2023 22:56:50 +0200 +Subject: mtdchar: mark bits of ioctl handler noinline + +From: Arnd Bergmann + +commit 0ea923f443350c8c5cca6eef5b748d52b903f46c upstream. + +The addition of the mtdchar_read_ioctl() function caused the stack usage +of mtdchar_ioctl() to grow beyond the warning limit on 32-bit architectures +with gcc-13: + +drivers/mtd/mtdchar.c: In function 'mtdchar_ioctl': +drivers/mtd/mtdchar.c:1229:1: error: the frame size of 1488 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] + +Mark both the read and write portions as noinline_for_stack to ensure +they don't get inlined and use separate stack slots to reduce the +maximum usage, both in the mtdchar_ioctl() and combined with any +of its callees. + +Fixes: 095bb6e44eb1 ("mtdchar: add MEMREAD ioctl") +Cc: stable@vger.kernel.org +Signed-off-by: Arnd Bergmann +Reviewed-by: Richard Weinberger +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20230417205654.1982368-1-arnd@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/mtdchar.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/mtdchar.c ++++ b/drivers/mtd/mtdchar.c +@@ -590,8 +590,8 @@ static void adjust_oob_length(struct mtd + (end_page - start_page + 1) * oob_per_page); + } + +-static int mtdchar_write_ioctl(struct mtd_info *mtd, +- struct mtd_write_req __user *argp) ++static noinline_for_stack int ++mtdchar_write_ioctl(struct mtd_info *mtd, struct mtd_write_req __user *argp) + { + struct mtd_info *master = mtd_get_master(mtd); + struct mtd_write_req req; +@@ -688,8 +688,8 @@ static int mtdchar_write_ioctl(struct mt + return ret; + } + +-static int mtdchar_read_ioctl(struct mtd_info *mtd, +- struct mtd_read_req __user *argp) ++static noinline_for_stack int ++mtdchar_read_ioctl(struct mtd_info *mtd, struct mtd_read_req __user *argp) + { + struct mtd_info *master = mtd_get_master(mtd); + struct mtd_read_req req; diff --git a/queue-6.3/powerpc-xmon-use-ksym_name_len-in-array-size.patch b/queue-6.3/powerpc-xmon-use-ksym_name_len-in-array-size.patch new file mode 100644 index 00000000000..002f6de33a5 --- /dev/null +++ b/queue-6.3/powerpc-xmon-use-ksym_name_len-in-array-size.patch @@ -0,0 +1,44 @@ +From 719dfd5925e186e09a2a6f23016936ac436f3d78 Mon Sep 17 00:00:00 2001 +From: Maninder Singh +Date: Mon, 29 May 2023 16:43:37 +0530 +Subject: powerpc/xmon: Use KSYM_NAME_LEN in array size + +From: Maninder Singh + +commit 719dfd5925e186e09a2a6f23016936ac436f3d78 upstream. + +kallsyms_lookup() which in turn calls kallsyms_lookup_buildid() writes +to index "KSYM_NAME_LEN - 1". + +Thus the array passed as namebuf to kallsyms_lookup() should be +KSYM_NAME_LEN in size. + +In xmon.c the array was defined to be "128" bytes directly, without +using KSYM_NAME_LEN. Commit b8a94bfb3395 ("kallsyms: increase maximum +kernel symbol length to 512") changed the value to 512, but missed +updating the xmon code. + +Fixes: b8a94bfb3395 ("kallsyms: increase maximum kernel symbol length to 512") +Cc: stable@vger.kernel.org # v6.1+ +Co-developed-by: Onkarnath +Signed-off-by: Onkarnath +Signed-off-by: Maninder Singh +[mpe: Tweak change log wording and fix commit reference] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230529111337.352990-2-maninder1.s@samsung.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/xmon/xmon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/xmon/xmon.c ++++ b/arch/powerpc/xmon/xmon.c +@@ -88,7 +88,7 @@ static unsigned long ndump = 64; + static unsigned long nidump = 16; + static unsigned long ncsum = 4096; + static int termch; +-static char tmpstr[128]; ++static char tmpstr[KSYM_NAME_LEN]; + static int tracing_enabled; + + static long bus_error_jmp[JMP_BUF_LEN]; diff --git a/queue-6.3/riscv-perf-fix-callchain-parse-error-with-kernel-tracepoint-events.patch b/queue-6.3/riscv-perf-fix-callchain-parse-error-with-kernel-tracepoint-events.patch new file mode 100644 index 00000000000..b6055b395a9 --- /dev/null +++ b/queue-6.3/riscv-perf-fix-callchain-parse-error-with-kernel-tracepoint-events.patch @@ -0,0 +1,76 @@ +From 9a7e8ec0d4cc64870ea449b4fce5779b77496cbb Mon Sep 17 00:00:00 2001 +From: Ism Hong +Date: Thu, 1 Jun 2023 17:53:55 +0800 +Subject: riscv: perf: Fix callchain parse error with kernel tracepoint events + +From: Ism Hong + +commit 9a7e8ec0d4cc64870ea449b4fce5779b77496cbb upstream. + +For RISC-V, when tracing with tracepoint events, the IP and status are +set to 0, preventing the perf code parsing the callchain and resolving +the symbols correctly. + + ./ply 'tracepoint:kmem/kmem_cache_alloc { @[stack]=count(); }' + @: + { }: 1 + +The fix is to implement perf_arch_fetch_caller_regs for riscv, which +fills several necessary registers used for callchain unwinding, +including epc, sp, s0 and status. It's similar to commit b3eac0265bf6 +("arm: perf: Fix callchain parse error with kernel tracepoint events") +and commit 5b09a094f2fb ("arm64: perf: Fix callchain parse error with +kernel tracepoint events"). + +With this patch, callchain can be parsed correctly as: + + ./ply 'tracepoint:kmem/kmem_cache_alloc { @[stack]=count(); }' + @: + { + __traceiter_kmem_cache_alloc+68 + __traceiter_kmem_cache_alloc+68 + kmem_cache_alloc+354 + __sigqueue_alloc+94 + __send_signal_locked+646 + send_signal_locked+154 + do_send_sig_info+84 + __kill_pgrp_info+130 + kill_pgrp+60 + isig+150 + n_tty_receive_signal_char+36 + n_tty_receive_buf_standard+2214 + n_tty_receive_buf_common+280 + n_tty_receive_buf2+26 + tty_ldisc_receive_buf+34 + tty_port_default_receive_buf+62 + flush_to_ldisc+158 + process_one_work+458 + worker_thread+138 + kthread+178 + riscv_cpufeature_patch_func+832 + }: 1 + +Signed-off-by: Ism Hong +Link: https://lore.kernel.org/r/20230601095355.1168910-1-ism.hong@gmail.com +Fixes: 178e9fc47aae ("perf: riscv: preliminary RISC-V support") +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/perf_event.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/arch/riscv/include/asm/perf_event.h ++++ b/arch/riscv/include/asm/perf_event.h +@@ -10,4 +10,11 @@ + + #include + #define perf_arch_bpf_user_pt_regs(regs) (struct user_regs_struct *)regs ++ ++#define perf_arch_fetch_caller_regs(regs, __ip) { \ ++ (regs)->epc = (__ip); \ ++ (regs)->s0 = (unsigned long) __builtin_frame_address(0); \ ++ (regs)->sp = current_stack_pointer; \ ++ (regs)->status = SR_PP; \ ++} + #endif /* _ASM_RISCV_PERF_EVENT_H */ diff --git a/queue-6.3/selftests-mptcp-connect-skip-if-mptcp-is-not-supported.patch b/queue-6.3/selftests-mptcp-connect-skip-if-mptcp-is-not-supported.patch new file mode 100644 index 00000000000..5719d58ee15 --- /dev/null +++ b/queue-6.3/selftests-mptcp-connect-skip-if-mptcp-is-not-supported.patch @@ -0,0 +1,109 @@ +From d83013bdf90a7994a474b0e650a7fc94b0d4ded6 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Sun, 28 May 2023 19:35:27 +0200 +Subject: selftests: mptcp: connect: skip if MPTCP is not supported + +From: Matthieu Baerts + +commit d83013bdf90a7994a474b0e650a7fc94b0d4ded6 upstream. + +Selftests are supposed to run on any kernels, including the old ones not +supporting MPTCP. + +A new check is then added to make sure MPTCP is supported. If not, the +test stops and is marked as "skipped". Note that this check can also +mark the test as failed if 'SELFTESTS_MPTCP_LIB_EXPECT_ALL_FEATURES' env +var is set to 1: by doing that, we can make sure a test is not being +skipped by mistake. + +A new shared file is added here to be able to re-used the same check in +the different selftests we have. + +Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368 +Fixes: 048d19d444be ("mptcp: add basic kselftest for mptcp") +Cc: stable@vger.kernel.org +Acked-by: Paolo Abeni +Signed-off-by: Matthieu Baerts +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/Makefile | 2 - + tools/testing/selftests/net/mptcp/mptcp_connect.sh | 4 ++ + tools/testing/selftests/net/mptcp/mptcp_lib.sh | 40 +++++++++++++++++++++ + 3 files changed, 45 insertions(+), 1 deletion(-) + create mode 100644 tools/testing/selftests/net/mptcp/mptcp_lib.sh + +--- a/tools/testing/selftests/net/mptcp/Makefile ++++ b/tools/testing/selftests/net/mptcp/Makefile +@@ -9,7 +9,7 @@ TEST_PROGS := mptcp_connect.sh pm_netlin + + TEST_GEN_FILES = mptcp_connect pm_nl_ctl mptcp_sockopt mptcp_inq + +-TEST_FILES := settings ++TEST_FILES := mptcp_lib.sh settings + + EXTRA_CLEAN := *.pcap + +--- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh +@@ -1,6 +1,8 @@ + #!/bin/bash + # SPDX-License-Identifier: GPL-2.0 + ++. "$(dirname "${0}")/mptcp_lib.sh" ++ + time_start=$(date +%s) + + optstring="S:R:d:e:l:r:h4cm:f:tC" +@@ -141,6 +143,8 @@ cleanup() + done + } + ++mptcp_lib_check_mptcp ++ + ip -Version > /dev/null 2>&1 + if [ $? -ne 0 ];then + echo "SKIP: Could not run test without ip tool" +--- /dev/null ++++ b/tools/testing/selftests/net/mptcp/mptcp_lib.sh +@@ -0,0 +1,40 @@ ++#! /bin/bash ++# SPDX-License-Identifier: GPL-2.0 ++ ++readonly KSFT_FAIL=1 ++readonly KSFT_SKIP=4 ++ ++# SELFTESTS_MPTCP_LIB_EXPECT_ALL_FEATURES env var can be set when validating all ++# features using the last version of the kernel and the selftests to make sure ++# a test is not being skipped by mistake. ++mptcp_lib_expect_all_features() { ++ [ "${SELFTESTS_MPTCP_LIB_EXPECT_ALL_FEATURES:-}" = "1" ] ++} ++ ++# $1: msg ++mptcp_lib_fail_if_expected_feature() { ++ if mptcp_lib_expect_all_features; then ++ echo "ERROR: missing feature: ${*}" ++ exit ${KSFT_FAIL} ++ fi ++ ++ return 1 ++} ++ ++# $1: file ++mptcp_lib_has_file() { ++ local f="${1}" ++ ++ if [ -f "${f}" ]; then ++ return 0 ++ fi ++ ++ mptcp_lib_fail_if_expected_feature "${f} file not found" ++} ++ ++mptcp_lib_check_mptcp() { ++ if ! mptcp_lib_has_file "/proc/sys/net/mptcp/enabled"; then ++ echo "SKIP: MPTCP support is not available" ++ exit ${KSFT_SKIP} ++ fi ++} diff --git a/queue-6.3/selftests-mptcp-diag-skip-if-mptcp-is-not-supported.patch b/queue-6.3/selftests-mptcp-diag-skip-if-mptcp-is-not-supported.patch new file mode 100644 index 00000000000..8c42097a167 --- /dev/null +++ b/queue-6.3/selftests-mptcp-diag-skip-if-mptcp-is-not-supported.patch @@ -0,0 +1,46 @@ +From 46565acdd29facbf418a11e4a3791b3c8967308d Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Sun, 28 May 2023 19:35:30 +0200 +Subject: selftests: mptcp: diag: skip if MPTCP is not supported + +From: Matthieu Baerts + +commit 46565acdd29facbf418a11e4a3791b3c8967308d upstream. + +Selftests are supposed to run on any kernels, including the old ones not +supporting MPTCP. + +A new check is then added to make sure MPTCP is supported. If not, the +test stops and is marked as "skipped". + +Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368 +Fixes: df62f2ec3df6 ("selftests/mptcp: add diag interface tests") +Cc: stable@vger.kernel.org +Acked-by: Paolo Abeni +Signed-off-by: Matthieu Baerts +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/diag.sh | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/tools/testing/selftests/net/mptcp/diag.sh ++++ b/tools/testing/selftests/net/mptcp/diag.sh +@@ -1,6 +1,8 @@ + #!/bin/bash + # SPDX-License-Identifier: GPL-2.0 + ++. "$(dirname "${0}")/mptcp_lib.sh" ++ + sec=$(date +%s) + rndh=$(printf %x $sec)-$(mktemp -u XXXXXX) + ns="ns1-$rndh" +@@ -31,6 +33,8 @@ cleanup() + ip netns del $ns + } + ++mptcp_lib_check_mptcp ++ + ip -Version > /dev/null 2>&1 + if [ $? -ne 0 ];then + echo "SKIP: Could not run test without ip tool" diff --git a/queue-6.3/selftests-mptcp-join-avoid-using-cmp-bytes.patch b/queue-6.3/selftests-mptcp-join-avoid-using-cmp-bytes.patch new file mode 100644 index 00000000000..bacbaaa81dc --- /dev/null +++ b/queue-6.3/selftests-mptcp-join-avoid-using-cmp-bytes.patch @@ -0,0 +1,75 @@ +From d328fe87067480cf2bd0b58dab428a98d31dbb7e Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Sun, 28 May 2023 19:35:26 +0200 +Subject: selftests: mptcp: join: avoid using 'cmp --bytes' + +From: Matthieu Baerts + +commit d328fe87067480cf2bd0b58dab428a98d31dbb7e upstream. + +BusyBox's 'cmp' command doesn't support the '--bytes' parameter. + +Some CIs -- i.e. LKFT -- use BusyBox and have the mptcp_join.sh test +failing [1] because their 'cmp' command doesn't support this '--bytes' +option: + + cmp: unrecognized option '--bytes=1024' + BusyBox v1.35.0 () multi-call binary. + + Usage: cmp [-ls] [-n NUM] FILE1 [FILE2] + +Instead, 'head --bytes' can be used as this option is supported by +BusyBox. A temporary file is needed for this operation. + +Because it is apparently quite common to use BusyBox, it is certainly +better to backport this fix to impacted kernels. + +Fixes: 6bf41020b72b ("selftests: mptcp: update and extend fastclose test-cases") +Cc: stable@vger.kernel.org +Link: https://qa-reports.linaro.org/lkft/linux-mainline-master/build/v6.3-rc5-5-g148341f0a2f5/testrun/16088933/suite/kselftest-net-mptcp/test/net_mptcp_userspace_pm_sh/log [1] +Suggested-by: Paolo Abeni +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -15,6 +15,7 @@ sout="" + cin="" + cinfail="" + cinsent="" ++tmpfile="" + cout="" + capout="" + ns1="" +@@ -175,6 +176,7 @@ cleanup() + { + rm -f "$cin" "$cout" "$sinfail" + rm -f "$sin" "$sout" "$cinsent" "$cinfail" ++ rm -f "$tmpfile" + rm -rf $evts_ns1 $evts_ns2 + cleanup_partial + } +@@ -382,9 +384,16 @@ check_transfer() + fail_test + return 1 + fi +- bytes="--bytes=${bytes}" ++ ++ # note: BusyBox's "cmp" command doesn't support --bytes ++ tmpfile=$(mktemp) ++ head --bytes="$bytes" "$in" > "$tmpfile" ++ mv "$tmpfile" "$in" ++ head --bytes="$bytes" "$out" > "$tmpfile" ++ mv "$tmpfile" "$out" ++ tmpfile="" + fi +- cmp -l "$in" "$out" ${bytes} | while read -r i a b; do ++ cmp -l "$in" "$out" | while read -r i a b; do + local sum=$((0${a} + 0${b})) + if [ $check_invert -eq 0 ] || [ $sum -ne $((0xff)) ]; then + echo "[ FAIL ] $what does not match (in, out):" diff --git a/queue-6.3/selftests-mptcp-join-skip-if-mptcp-is-not-supported.patch b/queue-6.3/selftests-mptcp-join-skip-if-mptcp-is-not-supported.patch new file mode 100644 index 00000000000..297af87839c --- /dev/null +++ b/queue-6.3/selftests-mptcp-join-skip-if-mptcp-is-not-supported.patch @@ -0,0 +1,46 @@ +From 715c78a82e00f848f99ef76e6f6b89216ccba268 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Sun, 28 May 2023 19:35:29 +0200 +Subject: selftests: mptcp: join: skip if MPTCP is not supported + +From: Matthieu Baerts + +commit 715c78a82e00f848f99ef76e6f6b89216ccba268 upstream. + +Selftests are supposed to run on any kernels, including the old ones not +supporting MPTCP. + +A new check is then added to make sure MPTCP is supported. If not, the +test stops and is marked as "skipped". + +Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368 +Fixes: b08fbf241064 ("selftests: add test-cases for MPTCP MP_JOIN") +Cc: stable@vger.kernel.org +Acked-by: Paolo Abeni +Signed-off-by: Matthieu Baerts +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -6,6 +6,8 @@ + # address all other issues detected by shellcheck. + #shellcheck disable=SC2086 + ++. "$(dirname "${0}")/mptcp_lib.sh" ++ + ret=0 + sin="" + sinfail="" +@@ -132,6 +134,8 @@ cleanup_partial() + + check_tools() + { ++ mptcp_lib_check_mptcp ++ + if ! ip -Version &> /dev/null; then + echo "SKIP: Could not run test without ip tool" + exit $ksft_skip diff --git a/queue-6.3/selftests-mptcp-pm-nl-skip-if-mptcp-is-not-supported.patch b/queue-6.3/selftests-mptcp-pm-nl-skip-if-mptcp-is-not-supported.patch new file mode 100644 index 00000000000..2c747310759 --- /dev/null +++ b/queue-6.3/selftests-mptcp-pm-nl-skip-if-mptcp-is-not-supported.patch @@ -0,0 +1,46 @@ +From 0f4955a40dafe18a1122e3714d8173e4b018e869 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Sun, 28 May 2023 19:35:28 +0200 +Subject: selftests: mptcp: pm nl: skip if MPTCP is not supported + +From: Matthieu Baerts + +commit 0f4955a40dafe18a1122e3714d8173e4b018e869 upstream. + +Selftests are supposed to run on any kernels, including the old ones not +supporting MPTCP. + +A new check is then added to make sure MPTCP is supported. If not, the +test stops and is marked as "skipped". + +Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368 +Fixes: eedbc685321b ("selftests: add PM netlink functional tests") +Cc: stable@vger.kernel.org +Acked-by: Paolo Abeni +Signed-off-by: Matthieu Baerts +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/pm_netlink.sh | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/tools/testing/selftests/net/mptcp/pm_netlink.sh ++++ b/tools/testing/selftests/net/mptcp/pm_netlink.sh +@@ -1,6 +1,8 @@ + #!/bin/bash + # SPDX-License-Identifier: GPL-2.0 + ++. "$(dirname "${0}")/mptcp_lib.sh" ++ + ksft_skip=4 + ret=0 + +@@ -34,6 +36,8 @@ cleanup() + ip netns del $ns1 + } + ++mptcp_lib_check_mptcp ++ + ip -Version > /dev/null 2>&1 + if [ $? -ne 0 ];then + echo "SKIP: Could not run test without ip tool" diff --git a/queue-6.3/selftests-mptcp-simult-flows-skip-if-mptcp-is-not-supported.patch b/queue-6.3/selftests-mptcp-simult-flows-skip-if-mptcp-is-not-supported.patch new file mode 100644 index 00000000000..0a493dda323 --- /dev/null +++ b/queue-6.3/selftests-mptcp-simult-flows-skip-if-mptcp-is-not-supported.patch @@ -0,0 +1,46 @@ +From 9161f21c74a1a0e7bb39eb84ea0c86b23c92fc87 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Sun, 28 May 2023 19:35:31 +0200 +Subject: selftests: mptcp: simult flows: skip if MPTCP is not supported + +From: Matthieu Baerts + +commit 9161f21c74a1a0e7bb39eb84ea0c86b23c92fc87 upstream. + +Selftests are supposed to run on any kernels, including the old ones not +supporting MPTCP. + +A new check is then added to make sure MPTCP is supported. If not, the +test stops and is marked as "skipped". + +Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368 +Fixes: 1a418cb8e888 ("mptcp: simult flow self-tests") +Cc: stable@vger.kernel.org +Acked-by: Paolo Abeni +Signed-off-by: Matthieu Baerts +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/simult_flows.sh | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/tools/testing/selftests/net/mptcp/simult_flows.sh ++++ b/tools/testing/selftests/net/mptcp/simult_flows.sh +@@ -1,6 +1,8 @@ + #!/bin/bash + # SPDX-License-Identifier: GPL-2.0 + ++. "$(dirname "${0}")/mptcp_lib.sh" ++ + sec=$(date +%s) + rndh=$(printf %x $sec)-$(mktemp -u XXXXXX) + ns1="ns1-$rndh" +@@ -34,6 +36,8 @@ cleanup() + done + } + ++mptcp_lib_check_mptcp ++ + ip -Version > /dev/null 2>&1 + if [ $? -ne 0 ];then + echo "SKIP: Could not run test without ip tool" diff --git a/queue-6.3/selftests-mptcp-sockopt-skip-if-mptcp-is-not-supported.patch b/queue-6.3/selftests-mptcp-sockopt-skip-if-mptcp-is-not-supported.patch new file mode 100644 index 00000000000..09b5d9135f2 --- /dev/null +++ b/queue-6.3/selftests-mptcp-sockopt-skip-if-mptcp-is-not-supported.patch @@ -0,0 +1,46 @@ +From cf6f0fda7af7e8e016070bfee6b189e671a0c776 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Sun, 28 May 2023 19:35:32 +0200 +Subject: selftests: mptcp: sockopt: skip if MPTCP is not supported + +From: Matthieu Baerts + +commit cf6f0fda7af7e8e016070bfee6b189e671a0c776 upstream. + +Selftests are supposed to run on any kernels, including the old ones not +supporting MPTCP. + +A new check is then added to make sure MPTCP is supported. If not, the +test stops and is marked as "skipped". + +Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368 +Fixes: dc65fe82fb07 ("selftests: mptcp: add packet mark test case") +Cc: stable@vger.kernel.org +Acked-by: Paolo Abeni +Signed-off-by: Matthieu Baerts +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_sockopt.sh | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh +@@ -1,6 +1,8 @@ + #!/bin/bash + # SPDX-License-Identifier: GPL-2.0 + ++. "$(dirname "${0}")/mptcp_lib.sh" ++ + ret=0 + sin="" + sout="" +@@ -84,6 +86,8 @@ cleanup() + rm -f "$sin" "$sout" + } + ++mptcp_lib_check_mptcp ++ + ip -Version > /dev/null 2>&1 + if [ $? -ne 0 ];then + echo "SKIP: Could not run test without ip tool" diff --git a/queue-6.3/selftests-mptcp-userspace-pm-skip-if-mptcp-is-not-supported.patch b/queue-6.3/selftests-mptcp-userspace-pm-skip-if-mptcp-is-not-supported.patch new file mode 100644 index 00000000000..0bceaab40c2 --- /dev/null +++ b/queue-6.3/selftests-mptcp-userspace-pm-skip-if-mptcp-is-not-supported.patch @@ -0,0 +1,39 @@ +From 63212608a92a1ff10ae56dbb14e9fb685f7e4ffa Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Sun, 28 May 2023 19:35:33 +0200 +Subject: selftests: mptcp: userspace pm: skip if MPTCP is not supported + +From: Matthieu Baerts + +commit 63212608a92a1ff10ae56dbb14e9fb685f7e4ffa upstream. + +Selftests are supposed to run on any kernels, including the old ones not +supporting MPTCP. + +A new check is then added to make sure MPTCP is supported. If not, the +test stops and is marked as "skipped". + +Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368 +Fixes: 259a834fadda ("selftests: mptcp: functional tests for the userspace PM type") +Cc: stable@vger.kernel.org +Acked-by: Paolo Abeni +Signed-off-by: Matthieu Baerts +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/userspace_pm.sh | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/tools/testing/selftests/net/mptcp/userspace_pm.sh ++++ b/tools/testing/selftests/net/mptcp/userspace_pm.sh +@@ -1,6 +1,10 @@ + #!/bin/bash + # SPDX-License-Identifier: GPL-2.0 + ++. "$(dirname "${0}")/mptcp_lib.sh" ++ ++mptcp_lib_check_mptcp ++ + ip -Version > /dev/null 2>&1 + if [ $? -ne 0 ];then + echo "SKIP: Cannot not run test without ip tool" diff --git a/queue-6.3/selinux-don-t-use-make-s-grouped-targets-feature-yet.patch b/queue-6.3/selinux-don-t-use-make-s-grouped-targets-feature-yet.patch new file mode 100644 index 00000000000..66bd2e6b349 --- /dev/null +++ b/queue-6.3/selinux-don-t-use-make-s-grouped-targets-feature-yet.patch @@ -0,0 +1,42 @@ +From 42c4e97e06a839b07d834f640a10911ad84ec8b3 Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Thu, 1 Jun 2023 10:21:21 -0400 +Subject: selinux: don't use make's grouped targets feature yet + +From: Paul Moore + +commit 42c4e97e06a839b07d834f640a10911ad84ec8b3 upstream. + +The Linux Kernel currently only requires make v3.82 while the grouped +target functionality requires make v4.3. Removed the grouped target +introduced in 4ce1f694eb5d ("selinux: ensure av_permissions.h is +built when needed") as well as the multiple header file targets in +the make rule. This effectively reverts the problem commit. + +We will revisit this change when make >= 4.3 is required by the rest +of the kernel. + +Cc: stable@vger.kernel.org +Fixes: 4ce1f694eb5d ("selinux: ensure av_permissions.h is built when needed") +Reported-by: Erwan Velu +Reported-by: Luiz Capitulino +Tested-by: Luiz Capitulino +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/Makefile | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/security/selinux/Makefile ++++ b/security/selinux/Makefile +@@ -26,5 +26,9 @@ quiet_cmd_flask = GEN $(obj)/flask.h + cmd_flask = $< $(obj)/flask.h $(obj)/av_permissions.h + + targets += flask.h av_permissions.h +-$(obj)/flask.h $(obj)/av_permissions.h &: scripts/selinux/genheaders/genheaders FORCE ++# once make >= 4.3 is required, we can use grouped targets in the rule below, ++# which basically involves adding both headers and a '&' before the colon, see ++# the example below: ++# $(obj)/flask.h $(obj)/av_permissions.h &: scripts/selinux/... ++$(obj)/flask.h: scripts/selinux/genheaders/genheaders FORCE + $(call if_changed,flask) diff --git a/queue-6.3/serial-8250_tegra-fix-an-error-handling-path-in-tegra_uart_probe.patch b/queue-6.3/serial-8250_tegra-fix-an-error-handling-path-in-tegra_uart_probe.patch new file mode 100644 index 00000000000..30c9a8b91f1 --- /dev/null +++ b/queue-6.3/serial-8250_tegra-fix-an-error-handling-path-in-tegra_uart_probe.patch @@ -0,0 +1,41 @@ +From 134f49dec0b6aca3259cd8259de4c572048bd207 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sun, 14 May 2023 13:25:42 +0200 +Subject: serial: 8250_tegra: Fix an error handling path in tegra_uart_probe() + +From: Christophe JAILLET + +commit 134f49dec0b6aca3259cd8259de4c572048bd207 upstream. + +If an error occurs after reset_control_deassert(), it must be re-asserted, +as already done in the .remove() function. + +Fixes: c6825c6395b7 ("serial: 8250_tegra: Create Tegra specific 8250 driver") +Cc: stable +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/f8130f35339cc80edc6b9aac4bb2a60b60a226bf.1684063511.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_tegra.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/8250/8250_tegra.c ++++ b/drivers/tty/serial/8250/8250_tegra.c +@@ -112,13 +112,15 @@ static int tegra_uart_probe(struct platf + + ret = serial8250_register_8250_port(&port8250); + if (ret < 0) +- goto err_clkdisable; ++ goto err_ctrl_assert; + + platform_set_drvdata(pdev, uart); + uart->line = ret; + + return 0; + ++err_ctrl_assert: ++ reset_control_assert(uart->rst); + err_clkdisable: + clk_disable_unprepare(uart->clk); + diff --git a/queue-6.3/serial-cpm_uart-fix-a-compile_test-dependency.patch b/queue-6.3/serial-cpm_uart-fix-a-compile_test-dependency.patch new file mode 100644 index 00000000000..5daf43f0a26 --- /dev/null +++ b/queue-6.3/serial-cpm_uart-fix-a-compile_test-dependency.patch @@ -0,0 +1,56 @@ +From 7183c37fd53eee1e795206e625da12a5d7ec1e1a Mon Sep 17 00:00:00 2001 +From: Herve Codina +Date: Tue, 23 May 2023 10:59:02 +0200 +Subject: serial: cpm_uart: Fix a COMPILE_TEST dependency + +From: Herve Codina + +commit 7183c37fd53eee1e795206e625da12a5d7ec1e1a upstream. + +In a COMPILE_TEST configuration, the cpm_uart driver uses symbols from +the cpm_uart_cpm2.c file. This file is compiled only when CONFIG_CPM2 is +set. + +Without this dependency, the linker fails with some missing symbols for +COMPILE_TEST configuration that needs SERIAL_CPM without enabling CPM2. + +This lead to: + depends on CPM2 || CPM1 || (PPC32 && CPM2 && COMPILE_TEST) + +This dependency does not make sense anymore and can be simplified +removing all the COMPILE_TEST part. + +Signed-off-by: Herve Codina +Reported-by: kernel test robot +Link: https://lore.kernel.org/oe-kbuild-all/202305160221.9XgweObz-lkp@intel.com/ +Fixes: e3e7b13bffae ("serial: allow COMPILE_TEST for some drivers") +Cc: stable +Link: https://lore.kernel.org/r/20230523085902.75837-3-herve.codina@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/Kconfig | 2 +- + drivers/tty/serial/cpm_uart/cpm_uart.h | 2 -- + 2 files changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/tty/serial/Kconfig ++++ b/drivers/tty/serial/Kconfig +@@ -769,7 +769,7 @@ config SERIAL_PMACZILOG_CONSOLE + + config SERIAL_CPM + tristate "CPM SCC/SMC serial port support" +- depends on CPM2 || CPM1 || (PPC32 && COMPILE_TEST) ++ depends on CPM2 || CPM1 + select SERIAL_CORE + help + This driver supports the SCC and SMC serial ports on Motorola +--- a/drivers/tty/serial/cpm_uart/cpm_uart.h ++++ b/drivers/tty/serial/cpm_uart/cpm_uart.h +@@ -19,8 +19,6 @@ struct gpio_desc; + #include "cpm_uart_cpm2.h" + #elif defined(CONFIG_CPM1) + #include "cpm_uart_cpm1.h" +-#elif defined(CONFIG_COMPILE_TEST) +-#include "cpm_uart_cpm2.h" + #endif + + #define SERIAL_CPM_MAJOR 204 diff --git a/queue-6.3/series b/queue-6.3/series index 601bce641d6..3f8a2be8073 100644 --- a/queue-6.3/series +++ b/queue-6.3/series @@ -237,3 +237,43 @@ firmware-qcom_scm-use-fixed-width-src-vm-bitmap.patch misc-fastrpc-pass-proper-scm-arguments-for-secure-ma.patch btrfs-call-btrfs_orig_bbio_end_io-in-btrfs_end_bio_w.patch hid-hidpp-terminate-retry-loop-on-success.patch +dmaengine-at_hdmac-repair-bitfield-macros-for-peripheral-id-handling.patch +dmaengine-at_hdmac-extend-the-flow-controller-bitfield-to-three-bits.patch +riscv-perf-fix-callchain-parse-error-with-kernel-tracepoint-events.patch +io_uring-undeprecate-epoll_ctl-support.patch +selinux-don-t-use-make-s-grouped-targets-feature-yet.patch +mtdchar-mark-bits-of-ioctl-handler-noinline.patch +tracing-timerlat-always-wakeup-the-timerlat-thread.patch +tracing-histograms-allow-variables-to-have-some-modifiers.patch +tracing-probe-trace_probe_primary_from_call-checked-list_first_entry.patch +selftests-mptcp-connect-skip-if-mptcp-is-not-supported.patch +selftests-mptcp-pm-nl-skip-if-mptcp-is-not-supported.patch +selftests-mptcp-join-skip-if-mptcp-is-not-supported.patch +selftests-mptcp-join-avoid-using-cmp-bytes.patch +selftests-mptcp-diag-skip-if-mptcp-is-not-supported.patch +selftests-mptcp-simult-flows-skip-if-mptcp-is-not-supported.patch +selftests-mptcp-sockopt-skip-if-mptcp-is-not-supported.patch +selftests-mptcp-userspace-pm-skip-if-mptcp-is-not-supported.patch +mptcp-fix-connect-timeout-handling.patch +mptcp-fix-active-subflow-finalization.patch +ext4-add-ea_inode-checking-to-ext4_iget.patch +ext4-set-lockdep-subclass-for-the-ea_inode-in-ext4_xattr_inode_cache_find.patch +ext4-disallow-ea_inodes-with-extended-attributes.patch +ext4-add-lockdep-annotations-for-i_data_sem-for-ea_inode-s.patch +fbcon-fix-null-ptr-deref-in-soft_cursor.patch +serial-8250_tegra-fix-an-error-handling-path-in-tegra_uart_probe.patch +serial-cpm_uart-fix-a-compile_test-dependency.patch +powerpc-xmon-use-ksym_name_len-in-array-size.patch +test_firmware-prevent-race-conditions-by-a-correct-implementation-of-locking.patch +test_firmware-fix-a-memory-leak-with-reqs-buffer.patch +test_firmware-fix-the-memory-leak-of-the-allocated-firmware-buffer.patch +kvm-arm64-populate-fault-info-for-watchpoint.patch +kvm-arm64-drop-last-page-ref-in-kvm_pgtable_stage2_free_removed.patch +kvm-x86-mmu-grab-memslot-for-correct-address-space-in-nx-recovery-worker.patch +kvm-x86-account-fastpath-only-vm-exits-in-vcpu-stats.patch +kvm-x86-bail-from-kvm_recalculate_phys_map-if-x2apic-id-is-out-of-bounds.patch +ksmbd-fix-credit-count-leakage.patch +ksmbd-fix-uaf-issue-from-opinfo-conn.patch +ksmbd-fix-incorrect-allocationsize-set-in-smb2_get_info.patch +ksmbd-fix-slab-out-of-bounds-read-in-smb2_handle_negotiate.patch +ksmbd-fix-multiple-out-of-bounds-read-during-context-decoding.patch diff --git a/queue-6.3/test_firmware-fix-a-memory-leak-with-reqs-buffer.patch b/queue-6.3/test_firmware-fix-a-memory-leak-with-reqs-buffer.patch new file mode 100644 index 00000000000..191f979ee4c --- /dev/null +++ b/queue-6.3/test_firmware-fix-a-memory-leak-with-reqs-buffer.patch @@ -0,0 +1,67 @@ +From be37bed754ed90b2655382f93f9724b3c1aae847 Mon Sep 17 00:00:00 2001 +From: Mirsad Goran Todorovac +Date: Tue, 9 May 2023 10:47:47 +0200 +Subject: test_firmware: fix a memory leak with reqs buffer + +From: Mirsad Goran Todorovac + +commit be37bed754ed90b2655382f93f9724b3c1aae847 upstream. + +Dan Carpenter spotted that test_fw_config->reqs will be leaked if +trigger_batched_requests_store() is called two or more times. +The same appears with trigger_batched_requests_async_store(). + +This bug wasn't trigger by the tests, but observed by Dan's visual +inspection of the code. + +The recommended workaround was to return -EBUSY if test_fw_config->reqs +is already allocated. + +Fixes: 7feebfa487b92 ("test_firmware: add support for request_firmware_into_buf") +Cc: Luis Chamberlain +Cc: Greg Kroah-Hartman +Cc: Russ Weight +Cc: Tianfei Zhang +Cc: Shuah Khan +Cc: Colin Ian King +Cc: Randy Dunlap +Cc: linux-kselftest@vger.kernel.org +Cc: stable@vger.kernel.org # v5.4 +Suggested-by: Dan Carpenter +Suggested-by: Takashi Iwai +Signed-off-by: Mirsad Goran Todorovac +Reviewed-by: Dan Carpenter +Acked-by: Luis Chamberlain +Link: https://lore.kernel.org/r/20230509084746.48259-2-mirsad.todorovac@alu.unizg.hr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + lib/test_firmware.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/lib/test_firmware.c ++++ b/lib/test_firmware.c +@@ -913,6 +913,11 @@ static ssize_t trigger_batched_requests_ + + mutex_lock(&test_fw_mutex); + ++ if (test_fw_config->reqs) { ++ rc = -EBUSY; ++ goto out_bail; ++ } ++ + test_fw_config->reqs = + vzalloc(array3_size(sizeof(struct test_batched_req), + test_fw_config->num_requests, 2)); +@@ -1011,6 +1016,11 @@ ssize_t trigger_batched_requests_async_s + + mutex_lock(&test_fw_mutex); + ++ if (test_fw_config->reqs) { ++ rc = -EBUSY; ++ goto out_bail; ++ } ++ + test_fw_config->reqs = + vzalloc(array3_size(sizeof(struct test_batched_req), + test_fw_config->num_requests, 2)); diff --git a/queue-6.3/test_firmware-fix-the-memory-leak-of-the-allocated-firmware-buffer.patch b/queue-6.3/test_firmware-fix-the-memory-leak-of-the-allocated-firmware-buffer.patch new file mode 100644 index 00000000000..0fd73d1cef1 --- /dev/null +++ b/queue-6.3/test_firmware-fix-the-memory-leak-of-the-allocated-firmware-buffer.patch @@ -0,0 +1,181 @@ +From 48e156023059e57a8fc68b498439832f7600ffff Mon Sep 17 00:00:00 2001 +From: Mirsad Goran Todorovac +Date: Tue, 9 May 2023 10:47:49 +0200 +Subject: test_firmware: fix the memory leak of the allocated firmware buffer + +From: Mirsad Goran Todorovac + +commit 48e156023059e57a8fc68b498439832f7600ffff upstream. + +The following kernel memory leak was noticed after running +tools/testing/selftests/firmware/fw_run_tests.sh: + +[root@pc-mtodorov firmware]# cat /sys/kernel/debug/kmemleak +. +. +. +unreferenced object 0xffff955389bc3400 (size 1024): + comm "test_firmware-0", pid 5451, jiffies 4294944822 (age 65.652s) + hex dump (first 32 bytes): + 47 48 34 35 36 37 0a 00 00 00 00 00 00 00 00 00 GH4567.......... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] slab_post_alloc_hook+0x8c/0x3c0 + [] __kmem_cache_alloc_node+0x184/0x240 + [] kmalloc_trace+0x2e/0xc0 + [] test_fw_run_batch_request+0x9d/0x180 + [] kthread+0x10b/0x140 + [] ret_from_fork+0x29/0x50 +unreferenced object 0xffff9553c334b400 (size 1024): + comm "test_firmware-1", pid 5452, jiffies 4294944822 (age 65.652s) + hex dump (first 32 bytes): + 47 48 34 35 36 37 0a 00 00 00 00 00 00 00 00 00 GH4567.......... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] slab_post_alloc_hook+0x8c/0x3c0 + [] __kmem_cache_alloc_node+0x184/0x240 + [] kmalloc_trace+0x2e/0xc0 + [] test_fw_run_batch_request+0x9d/0x180 + [] kthread+0x10b/0x140 + [] ret_from_fork+0x29/0x50 +unreferenced object 0xffff9553c334f000 (size 1024): + comm "test_firmware-2", pid 5453, jiffies 4294944822 (age 65.652s) + hex dump (first 32 bytes): + 47 48 34 35 36 37 0a 00 00 00 00 00 00 00 00 00 GH4567.......... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] slab_post_alloc_hook+0x8c/0x3c0 + [] __kmem_cache_alloc_node+0x184/0x240 + [] kmalloc_trace+0x2e/0xc0 + [] test_fw_run_batch_request+0x9d/0x180 + [] kthread+0x10b/0x140 + [] ret_from_fork+0x29/0x50 +unreferenced object 0xffff9553c3348400 (size 1024): + comm "test_firmware-3", pid 5454, jiffies 4294944822 (age 65.652s) + hex dump (first 32 bytes): + 47 48 34 35 36 37 0a 00 00 00 00 00 00 00 00 00 GH4567.......... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] slab_post_alloc_hook+0x8c/0x3c0 + [] __kmem_cache_alloc_node+0x184/0x240 + [] kmalloc_trace+0x2e/0xc0 + [] test_fw_run_batch_request+0x9d/0x180 + [] kthread+0x10b/0x140 + [] ret_from_fork+0x29/0x50 +[root@pc-mtodorov firmware]# + +Note that the size 1024 corresponds to the size of the test firmware +buffer. The actual number of the buffers leaked is around 70-110, +depending on the test run. + +The cause of the leak is the following: + +request_partial_firmware_into_buf() and request_firmware_into_buf() +provided firmware buffer isn't released on release_firmware(), we +have allocated it and we are responsible for deallocating it manually. +This is introduced in a number of context where previously only +release_firmware() was called, which was insufficient. + +Reported-by: Mirsad Goran Todorovac +Fixes: 7feebfa487b92 ("test_firmware: add support for request_firmware_into_buf") +Cc: Greg Kroah-Hartman +Cc: Dan Carpenter +Cc: Takashi Iwai +Cc: Luis Chamberlain +Cc: Russ Weight +Cc: Tianfei zhang +Cc: Christophe JAILLET +Cc: Zhengchao Shao +Cc: Colin Ian King +Cc: linux-kernel@vger.kernel.org +Cc: Kees Cook +Cc: Scott Branden +Cc: Luis R. Rodriguez +Cc: linux-kselftest@vger.kernel.org +Cc: stable@vger.kernel.org # v5.4 +Signed-off-by: Mirsad Goran Todorovac +Link: https://lore.kernel.org/r/20230509084746.48259-3-mirsad.todorovac@alu.unizg.hr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + lib/test_firmware.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +--- a/lib/test_firmware.c ++++ b/lib/test_firmware.c +@@ -45,6 +45,7 @@ struct test_batched_req { + bool sent; + const struct firmware *fw; + const char *name; ++ const char *fw_buf; + struct completion completion; + struct task_struct *task; + struct device *dev; +@@ -175,8 +176,14 @@ static void __test_release_all_firmware( + + for (i = 0; i < test_fw_config->num_requests; i++) { + req = &test_fw_config->reqs[i]; +- if (req->fw) ++ if (req->fw) { ++ if (req->fw_buf) { ++ kfree_const(req->fw_buf); ++ req->fw_buf = NULL; ++ } + release_firmware(req->fw); ++ req->fw = NULL; ++ } + } + + vfree(test_fw_config->reqs); +@@ -670,6 +677,8 @@ static ssize_t trigger_request_store(str + + mutex_lock(&test_fw_mutex); + release_firmware(test_firmware); ++ if (test_fw_config->reqs) ++ __test_release_all_firmware(); + test_firmware = NULL; + rc = request_firmware(&test_firmware, name, dev); + if (rc) { +@@ -770,6 +779,8 @@ static ssize_t trigger_async_request_sto + mutex_lock(&test_fw_mutex); + release_firmware(test_firmware); + test_firmware = NULL; ++ if (test_fw_config->reqs) ++ __test_release_all_firmware(); + rc = request_firmware_nowait(THIS_MODULE, 1, name, dev, GFP_KERNEL, + NULL, trigger_async_request_cb); + if (rc) { +@@ -812,6 +823,8 @@ static ssize_t trigger_custom_fallback_s + + mutex_lock(&test_fw_mutex); + release_firmware(test_firmware); ++ if (test_fw_config->reqs) ++ __test_release_all_firmware(); + test_firmware = NULL; + rc = request_firmware_nowait(THIS_MODULE, FW_ACTION_NOUEVENT, name, + dev, GFP_KERNEL, NULL, +@@ -874,6 +887,8 @@ static int test_fw_run_batch_request(voi + test_fw_config->buf_size); + if (!req->fw) + kfree(test_buf); ++ else ++ req->fw_buf = test_buf; + } else { + req->rc = test_fw_config->req_firmware(&req->fw, + req->name, +@@ -934,6 +949,7 @@ static ssize_t trigger_batched_requests_ + req->fw = NULL; + req->idx = i; + req->name = test_fw_config->name; ++ req->fw_buf = NULL; + req->dev = dev; + init_completion(&req->completion); + req->task = kthread_run(test_fw_run_batch_request, req, +@@ -1038,6 +1054,7 @@ ssize_t trigger_batched_requests_async_s + for (i = 0; i < test_fw_config->num_requests; i++) { + req = &test_fw_config->reqs[i]; + req->name = test_fw_config->name; ++ req->fw_buf = NULL; + req->fw = NULL; + req->idx = i; + init_completion(&req->completion); diff --git a/queue-6.3/test_firmware-prevent-race-conditions-by-a-correct-implementation-of-locking.patch b/queue-6.3/test_firmware-prevent-race-conditions-by-a-correct-implementation-of-locking.patch new file mode 100644 index 00000000000..f75130905ac --- /dev/null +++ b/queue-6.3/test_firmware-prevent-race-conditions-by-a-correct-implementation-of-locking.patch @@ -0,0 +1,252 @@ +From 4acfe3dfde685a5a9eaec5555351918e2d7266a1 Mon Sep 17 00:00:00 2001 +From: Mirsad Goran Todorovac +Date: Tue, 9 May 2023 10:47:45 +0200 +Subject: test_firmware: prevent race conditions by a correct implementation of locking + +From: Mirsad Goran Todorovac + +commit 4acfe3dfde685a5a9eaec5555351918e2d7266a1 upstream. + +Dan Carpenter spotted a race condition in a couple of situations like +these in the test_firmware driver: + +static int test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg) +{ + u8 val; + int ret; + + ret = kstrtou8(buf, 10, &val); + if (ret) + return ret; + + mutex_lock(&test_fw_mutex); + *(u8 *)cfg = val; + mutex_unlock(&test_fw_mutex); + + /* Always return full write size even if we didn't consume all */ + return size; +} + +static ssize_t config_num_requests_store(struct device *dev, + struct device_attribute *attr, + const char *buf, size_t count) +{ + int rc; + + mutex_lock(&test_fw_mutex); + if (test_fw_config->reqs) { + pr_err("Must call release_all_firmware prior to changing config\n"); + rc = -EINVAL; + mutex_unlock(&test_fw_mutex); + goto out; + } + mutex_unlock(&test_fw_mutex); + + rc = test_dev_config_update_u8(buf, count, + &test_fw_config->num_requests); + +out: + return rc; +} + +static ssize_t config_read_fw_idx_store(struct device *dev, + struct device_attribute *attr, + const char *buf, size_t count) +{ + return test_dev_config_update_u8(buf, count, + &test_fw_config->read_fw_idx); +} + +The function test_dev_config_update_u8() is called from both the locked +and the unlocked context, function config_num_requests_store() and +config_read_fw_idx_store() which can both be called asynchronously as +they are driver's methods, while test_dev_config_update_u8() and siblings +change their argument pointed to by u8 *cfg or similar pointer. + +To avoid deadlock on test_fw_mutex, the lock is dropped before calling +test_dev_config_update_u8() and re-acquired within test_dev_config_update_u8() +itself, but alas this creates a race condition. + +Having two locks wouldn't assure a race-proof mutual exclusion. + +This situation is best avoided by the introduction of a new, unlocked +function __test_dev_config_update_u8() which can be called from the locked +context and reducing test_dev_config_update_u8() to: + +static int test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg) +{ + int ret; + + mutex_lock(&test_fw_mutex); + ret = __test_dev_config_update_u8(buf, size, cfg); + mutex_unlock(&test_fw_mutex); + + return ret; +} + +doing the locking and calling the unlocked primitive, which enables both +locked and unlocked versions without duplication of code. + +The similar approach was applied to all functions called from the locked +and the unlocked context, which safely mitigates both deadlocks and race +conditions in the driver. + +__test_dev_config_update_bool(), __test_dev_config_update_u8() and +__test_dev_config_update_size_t() unlocked versions of the functions +were introduced to be called from the locked contexts as a workaround +without releasing the main driver's lock and thereof causing a race +condition. + +The test_dev_config_update_bool(), test_dev_config_update_u8() and +test_dev_config_update_size_t() locked versions of the functions +are being called from driver methods without the unnecessary multiplying +of the locking and unlocking code for each method, and complicating +the code with saving of the return value across lock. + +Fixes: 7feebfa487b92 ("test_firmware: add support for request_firmware_into_buf") +Cc: Luis Chamberlain +Cc: Greg Kroah-Hartman +Cc: Russ Weight +Cc: Takashi Iwai +Cc: Tianfei Zhang +Cc: Shuah Khan +Cc: Colin Ian King +Cc: Randy Dunlap +Cc: linux-kselftest@vger.kernel.org +Cc: stable@vger.kernel.org # v5.4 +Suggested-by: Dan Carpenter +Signed-off-by: Mirsad Goran Todorovac +Link: https://lore.kernel.org/r/20230509084746.48259-1-mirsad.todorovac@alu.unizg.hr +Signed-off-by: Greg Kroah-Hartman +--- + lib/test_firmware.c | 52 +++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 35 insertions(+), 17 deletions(-) + +--- a/lib/test_firmware.c ++++ b/lib/test_firmware.c +@@ -353,16 +353,26 @@ static ssize_t config_test_show_str(char + return len; + } + +-static int test_dev_config_update_bool(const char *buf, size_t size, ++static inline int __test_dev_config_update_bool(const char *buf, size_t size, + bool *cfg) + { + int ret; + +- mutex_lock(&test_fw_mutex); + if (kstrtobool(buf, cfg) < 0) + ret = -EINVAL; + else + ret = size; ++ ++ return ret; ++} ++ ++static int test_dev_config_update_bool(const char *buf, size_t size, ++ bool *cfg) ++{ ++ int ret; ++ ++ mutex_lock(&test_fw_mutex); ++ ret = __test_dev_config_update_bool(buf, size, cfg); + mutex_unlock(&test_fw_mutex); + + return ret; +@@ -373,7 +383,8 @@ static ssize_t test_dev_config_show_bool + return snprintf(buf, PAGE_SIZE, "%d\n", val); + } + +-static int test_dev_config_update_size_t(const char *buf, ++static int __test_dev_config_update_size_t( ++ const char *buf, + size_t size, + size_t *cfg) + { +@@ -384,9 +395,7 @@ static int test_dev_config_update_size_t + if (ret) + return ret; + +- mutex_lock(&test_fw_mutex); + *(size_t *)cfg = new; +- mutex_unlock(&test_fw_mutex); + + /* Always return full write size even if we didn't consume all */ + return size; +@@ -402,7 +411,7 @@ static ssize_t test_dev_config_show_int( + return snprintf(buf, PAGE_SIZE, "%d\n", val); + } + +-static int test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg) ++static int __test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg) + { + u8 val; + int ret; +@@ -411,14 +420,23 @@ static int test_dev_config_update_u8(con + if (ret) + return ret; + +- mutex_lock(&test_fw_mutex); + *(u8 *)cfg = val; +- mutex_unlock(&test_fw_mutex); + + /* Always return full write size even if we didn't consume all */ + return size; + } + ++static int test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg) ++{ ++ int ret; ++ ++ mutex_lock(&test_fw_mutex); ++ ret = __test_dev_config_update_u8(buf, size, cfg); ++ mutex_unlock(&test_fw_mutex); ++ ++ return ret; ++} ++ + static ssize_t test_dev_config_show_u8(char *buf, u8 val) + { + return snprintf(buf, PAGE_SIZE, "%u\n", val); +@@ -471,10 +489,10 @@ static ssize_t config_num_requests_store + mutex_unlock(&test_fw_mutex); + goto out; + } +- mutex_unlock(&test_fw_mutex); + +- rc = test_dev_config_update_u8(buf, count, +- &test_fw_config->num_requests); ++ rc = __test_dev_config_update_u8(buf, count, ++ &test_fw_config->num_requests); ++ mutex_unlock(&test_fw_mutex); + + out: + return rc; +@@ -518,10 +536,10 @@ static ssize_t config_buf_size_store(str + mutex_unlock(&test_fw_mutex); + goto out; + } +- mutex_unlock(&test_fw_mutex); + +- rc = test_dev_config_update_size_t(buf, count, +- &test_fw_config->buf_size); ++ rc = __test_dev_config_update_size_t(buf, count, ++ &test_fw_config->buf_size); ++ mutex_unlock(&test_fw_mutex); + + out: + return rc; +@@ -548,10 +566,10 @@ static ssize_t config_file_offset_store( + mutex_unlock(&test_fw_mutex); + goto out; + } +- mutex_unlock(&test_fw_mutex); + +- rc = test_dev_config_update_size_t(buf, count, +- &test_fw_config->file_offset); ++ rc = __test_dev_config_update_size_t(buf, count, ++ &test_fw_config->file_offset); ++ mutex_unlock(&test_fw_mutex); + + out: + return rc; diff --git a/queue-6.3/tracing-histograms-allow-variables-to-have-some-modifiers.patch b/queue-6.3/tracing-histograms-allow-variables-to-have-some-modifiers.patch new file mode 100644 index 00000000000..257d6902ec7 --- /dev/null +++ b/queue-6.3/tracing-histograms-allow-variables-to-have-some-modifiers.patch @@ -0,0 +1,81 @@ +From e30fbc618e97b38dbb49f1d44dcd0778d3f23b8c Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Google)" +Date: Tue, 23 May 2023 22:11:08 -0400 +Subject: tracing/histograms: Allow variables to have some modifiers + +From: Steven Rostedt (Google) + +commit e30fbc618e97b38dbb49f1d44dcd0778d3f23b8c upstream. + +Modifiers are used to change the behavior of keys. For instance, they +can grouped into buckets, converted to syscall names (from the syscall +identifier), show task->comm of the current pid, be an array of longs +that represent a stacktrace, and more. + +It was found that nothing stopped a value from taking a modifier. As +values are simple counters. If this happened, it would call code that +was not expecting a modifier and crash the kernel. This was fixed by +having the ___create_val_field() function test if a modifier was present +and fail if one was. This fixed the crash. + +Now there's a problem with variables. Variables are used to pass fields +from one event to another. Variables are allowed to have some modifiers, +as the processing may need to happen at the time of the event (like +stacktraces and comm names of the current pid). The issue is that it too +uses __create_val_field(). Now that fails on modifiers, variables can no +longer use them (this is a regression). + +As not all modifiers are for variables, have them use a separate check. + +Link: https://lore.kernel.org/linux-trace-kernel/20230523221108.064a5d82@rorschach.local.home + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Tom Zanussi +Cc: Mark Rutland +Fixes: e0213434fe3e4 ("tracing: Do not let histogram values have some modifiers") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_hist.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -4238,13 +4238,19 @@ static int __create_val_field(struct his + goto out; + } + +- /* Some types cannot be a value */ +- if (hist_field->flags & (HIST_FIELD_FL_GRAPH | HIST_FIELD_FL_PERCENT | +- HIST_FIELD_FL_BUCKET | HIST_FIELD_FL_LOG2 | +- HIST_FIELD_FL_SYM | HIST_FIELD_FL_SYM_OFFSET | +- HIST_FIELD_FL_SYSCALL | HIST_FIELD_FL_STACKTRACE)) { +- hist_err(file->tr, HIST_ERR_BAD_FIELD_MODIFIER, errpos(field_str)); +- ret = -EINVAL; ++ /* values and variables should not have some modifiers */ ++ if (hist_field->flags & HIST_FIELD_FL_VAR) { ++ /* Variable */ ++ if (hist_field->flags & (HIST_FIELD_FL_GRAPH | HIST_FIELD_FL_PERCENT | ++ HIST_FIELD_FL_BUCKET | HIST_FIELD_FL_LOG2)) ++ goto err; ++ } else { ++ /* Value */ ++ if (hist_field->flags & (HIST_FIELD_FL_GRAPH | HIST_FIELD_FL_PERCENT | ++ HIST_FIELD_FL_BUCKET | HIST_FIELD_FL_LOG2 | ++ HIST_FIELD_FL_SYM | HIST_FIELD_FL_SYM_OFFSET | ++ HIST_FIELD_FL_SYSCALL | HIST_FIELD_FL_STACKTRACE)) ++ goto err; + } + + hist_data->fields[val_idx] = hist_field; +@@ -4256,6 +4262,9 @@ static int __create_val_field(struct his + ret = -EINVAL; + out: + return ret; ++ err: ++ hist_err(file->tr, HIST_ERR_BAD_FIELD_MODIFIER, errpos(field_str)); ++ return -EINVAL; + } + + static int create_val_field(struct hist_trigger_data *hist_data, diff --git a/queue-6.3/tracing-probe-trace_probe_primary_from_call-checked-list_first_entry.patch b/queue-6.3/tracing-probe-trace_probe_primary_from_call-checked-list_first_entry.patch new file mode 100644 index 00000000000..48a5775fcb8 --- /dev/null +++ b/queue-6.3/tracing-probe-trace_probe_primary_from_call-checked-list_first_entry.patch @@ -0,0 +1,41 @@ +From 81d0fa4cb4fc0e1a49c2b22f92c43d9fe972ebcf Mon Sep 17 00:00:00 2001 +From: Pietro Borrello +Date: Sat, 28 Jan 2023 16:23:41 +0000 +Subject: tracing/probe: trace_probe_primary_from_call(): checked list_first_entry + +From: Pietro Borrello + +commit 81d0fa4cb4fc0e1a49c2b22f92c43d9fe972ebcf upstream. + +All callers of trace_probe_primary_from_call() check the return +value to be non NULL. However, the function returns +list_first_entry(&tpe->probes, ...) which can never be NULL. +Additionally, it does not check for the list being possibly empty, +possibly causing a type confusion on empty lists. +Use list_first_entry_or_null() which solves both problems. + +Link: https://lore.kernel.org/linux-trace-kernel/20230128-list-entry-null-check-v1-1-8bde6a3da2ef@diag.uniroma1.it/ + +Fixes: 60d53e2c3b75 ("tracing/probe: Split trace_event related data from trace_probe") +Signed-off-by: Pietro Borrello +Reviewed-by: Steven Rostedt (Google) +Acked-by: Masami Hiramatsu (Google) +Acked-by: Mukesh Ojha +Cc: stable@vger.kernel.org +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_probe.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/trace_probe.h ++++ b/kernel/trace/trace_probe.h +@@ -308,7 +308,7 @@ trace_probe_primary_from_call(struct tra + { + struct trace_probe_event *tpe = trace_probe_event_from_call(call); + +- return list_first_entry(&tpe->probes, struct trace_probe, list); ++ return list_first_entry_or_null(&tpe->probes, struct trace_probe, list); + } + + static inline struct list_head *trace_probe_probe_list(struct trace_probe *tp) diff --git a/queue-6.3/tracing-timerlat-always-wakeup-the-timerlat-thread.patch b/queue-6.3/tracing-timerlat-always-wakeup-the-timerlat-thread.patch new file mode 100644 index 00000000000..4c13048baa0 --- /dev/null +++ b/queue-6.3/tracing-timerlat-always-wakeup-the-timerlat-thread.patch @@ -0,0 +1,68 @@ +From 632478a05821bc1c9b55c3a1dd0fb1be7bfa1acc Mon Sep 17 00:00:00 2001 +From: Daniel Bristot de Oliveira +Date: Thu, 11 May 2023 18:32:01 +0200 +Subject: tracing/timerlat: Always wakeup the timerlat thread + +From: Daniel Bristot de Oliveira + +commit 632478a05821bc1c9b55c3a1dd0fb1be7bfa1acc upstream. + +While testing rtla timerlat auto analysis, I reach a condition where +the interface was not receiving tracing data. I was able to manually +reproduce the problem with these steps: + + # echo 0 > tracing_on # disable trace + # echo 1 > osnoise/stop_tracing_us # stop trace if timerlat irq > 1 us + # echo timerlat > current_tracer # enable timerlat tracer + # sleep 1 # wait... that is the time when rtla + # apply configs like prio or cgroup + # echo 1 > tracing_on # start tracing + # cat trace + # tracer: timerlat + # + # _-----=> irqs-off + # / _----=> need-resched + # | / _---=> hardirq/softirq + # || / _--=> preempt-depth + # ||| / _-=> migrate-disable + # |||| / delay + # ||||| ACTIVATION + # TASK-PID CPU# ||||| TIMESTAMP ID CONTEXT LATENCY + # | | | ||||| | | | | + NOTHING! + +Then, trying to enable tracing again with echo 1 > tracing_on resulted +in no change: the trace was still not tracing. + +This problem happens because the timerlat IRQ hits the stop tracing +condition while tracing is off, and do not wake up the timerlat thread, +so the timerlat threads are kept sleeping forever, resulting in no +trace, even after re-enabling the tracer. + +Avoid this condition by always waking up the threads, even after stopping +tracing, allowing the tracer to return to its normal operating after +a new tracing on. + +Link: https://lore.kernel.org/linux-trace-kernel/1ed8f830638b20a39d535d27d908e319a9a3c4e2.1683822622.git.bristot@kernel.org + +Cc: Juri Lelli +Cc: stable@vger.kernel.org +Fixes: a955d7eac177 ("trace: Add timerlat tracer") +Signed-off-by: Daniel Bristot de Oliveira +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_osnoise.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/trace/trace_osnoise.c ++++ b/kernel/trace/trace_osnoise.c +@@ -1652,6 +1652,8 @@ static enum hrtimer_restart timerlat_irq + osnoise_stop_tracing(); + notify_new_max_latency(diff); + ++ wake_up_process(tlat->kthread); ++ + return HRTIMER_NORESTART; + } + }