From 73949d75b6bd65ed8f5a4d41240390bcbc85a686 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 6 Feb 2020 14:54:06 +0000 Subject: [PATCH] 5.5-stable patches added patches: alsa-pcm-fix-memory-leak-at-closing-a-stream-without-hw_free.patch ipc-msg.c-consolidate-all-xxxctl_down-functions.patch media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb-descriptors.patch mfd-dln2-more-sanity-checking-for-endpoints.patch netfilter-ipset-fix-suspicious-rcu-usage-in-find_set_and_id.patch rcu-avoid-data-race-in-rcu_gp_fqs_check_wake.patch rcu-use-_once-to-protect-lockless-expmask-accesses.patch rcu-use-read_once-for-expmask-in-rcu_read_unlock_special.patch srcu-apply-_once-to-srcu_last_gp_end.patch tracing-fix-sched-switch-start-stop-refcount-racy-updates.patch tracing-kprobes-have-uname-use-__get_str-in-print_fmt.patch --- ...-at-closing-a-stream-without-hw_free.patch | 81 +++++++++ ...onsolidate-all-xxxctl_down-functions.patch | 154 ++++++++++++++++++ ...ins-due-to-malformed-usb-descriptors.patch | 114 +++++++++++++ ...2-more-sanity-checking-for-endpoints.patch | 55 +++++++ ...picious-rcu-usage-in-find_set_and_id.patch | 120 ++++++++++++++ ...d-data-race-in-rcu_gp_fqs_check_wake.patch | 107 ++++++++++++ ...to-protect-lockless-expmask-accesses.patch | 106 ++++++++++++ ...r-expmask-in-rcu_read_unlock_special.patch | 35 ++++ queue-5.5/series | 11 ++ ...srcu-apply-_once-to-srcu_last_gp_end.patch | 53 ++++++ ...tch-start-stop-refcount-racy-updates.patch | 50 ++++++ ...ave-uname-use-__get_str-in-print_fmt.patch | 85 ++++++++++ 12 files changed, 971 insertions(+) create mode 100644 queue-5.5/alsa-pcm-fix-memory-leak-at-closing-a-stream-without-hw_free.patch create mode 100644 queue-5.5/ipc-msg.c-consolidate-all-xxxctl_down-functions.patch create mode 100644 queue-5.5/media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb-descriptors.patch create mode 100644 queue-5.5/mfd-dln2-more-sanity-checking-for-endpoints.patch create mode 100644 queue-5.5/netfilter-ipset-fix-suspicious-rcu-usage-in-find_set_and_id.patch create mode 100644 queue-5.5/rcu-avoid-data-race-in-rcu_gp_fqs_check_wake.patch create mode 100644 queue-5.5/rcu-use-_once-to-protect-lockless-expmask-accesses.patch create mode 100644 queue-5.5/rcu-use-read_once-for-expmask-in-rcu_read_unlock_special.patch create mode 100644 queue-5.5/srcu-apply-_once-to-srcu_last_gp_end.patch create mode 100644 queue-5.5/tracing-fix-sched-switch-start-stop-refcount-racy-updates.patch create mode 100644 queue-5.5/tracing-kprobes-have-uname-use-__get_str-in-print_fmt.patch diff --git a/queue-5.5/alsa-pcm-fix-memory-leak-at-closing-a-stream-without-hw_free.patch b/queue-5.5/alsa-pcm-fix-memory-leak-at-closing-a-stream-without-hw_free.patch new file mode 100644 index 00000000000..da5e6d64a3c --- /dev/null +++ b/queue-5.5/alsa-pcm-fix-memory-leak-at-closing-a-stream-without-hw_free.patch @@ -0,0 +1,81 @@ +From 66f2d19f8116e16898f8d82e28573a384ddc430d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 29 Jan 2020 20:59:07 +0100 +Subject: ALSA: pcm: Fix memory leak at closing a stream without hw_free + +From: Takashi Iwai + +commit 66f2d19f8116e16898f8d82e28573a384ddc430d upstream. + +ALSA PCM core recently introduced a new managed PCM buffer allocation +mode that does allocate / free automatically at hw_params and +hw_free. However, it overlooked the code path directly calling +hw_free PCM ops at releasing the PCM substream, and it may result in a +memory leak as spotted by syzkaller when no buffer preallocation is +used (e.g. vmalloc buffer). + +This patch papers over it with a slight refactoring. The hw_free ops +call and relevant tasks are unified in a new helper function, and call +it from both places. + +Fixes: 0dba808eae26 ("ALSA: pcm: Introduce managed buffer allocation mode") +Reported-by: syzbot+30edd0f34bfcdc548ac4@syzkaller.appspotmail.com +Cc: +Link: https://lore.kernel.org/r/20200129195907.12197-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/pcm_native.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -785,10 +785,22 @@ end: + return err; + } + ++static int do_hw_free(struct snd_pcm_substream *substream) ++{ ++ int result = 0; ++ ++ snd_pcm_sync_stop(substream); ++ if (substream->ops->hw_free) ++ result = substream->ops->hw_free(substream); ++ if (substream->managed_buffer_alloc) ++ snd_pcm_lib_free_pages(substream); ++ return result; ++} ++ + static int snd_pcm_hw_free(struct snd_pcm_substream *substream) + { + struct snd_pcm_runtime *runtime; +- int result = 0; ++ int result; + + if (PCM_RUNTIME_CHECK(substream)) + return -ENXIO; +@@ -805,11 +817,7 @@ static int snd_pcm_hw_free(struct snd_pc + snd_pcm_stream_unlock_irq(substream); + if (atomic_read(&substream->mmap_count)) + return -EBADFD; +- snd_pcm_sync_stop(substream); +- if (substream->ops->hw_free) +- result = substream->ops->hw_free(substream); +- if (substream->managed_buffer_alloc) +- snd_pcm_lib_free_pages(substream); ++ result = do_hw_free(substream); + snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN); + pm_qos_remove_request(&substream->latency_pm_qos_req); + return result; +@@ -2466,9 +2474,7 @@ void snd_pcm_release_substream(struct sn + + snd_pcm_drop(substream); + if (substream->hw_opened) { +- if (substream->ops->hw_free && +- substream->runtime->status->state != SNDRV_PCM_STATE_OPEN) +- substream->ops->hw_free(substream); ++ do_hw_free(substream); + substream->ops->close(substream); + substream->hw_opened = 0; + } diff --git a/queue-5.5/ipc-msg.c-consolidate-all-xxxctl_down-functions.patch b/queue-5.5/ipc-msg.c-consolidate-all-xxxctl_down-functions.patch new file mode 100644 index 00000000000..dcaa5edd627 --- /dev/null +++ b/queue-5.5/ipc-msg.c-consolidate-all-xxxctl_down-functions.patch @@ -0,0 +1,154 @@ +From 889b331724c82c11e15ba0a60979cf7bded0a26c Mon Sep 17 00:00:00 2001 +From: Lu Shuaibing +Date: Mon, 3 Feb 2020 17:34:46 -0800 +Subject: ipc/msg.c: consolidate all xxxctl_down() functions + +From: Lu Shuaibing + +commit 889b331724c82c11e15ba0a60979cf7bded0a26c upstream. + +A use of uninitialized memory in msgctl_down() because msqid64 in +ksys_msgctl hasn't been initialized. The local | msqid64 | is created in +ksys_msgctl() and then passed into msgctl_down(). Along the way msqid64 +is never initialized before msgctl_down() checks msqid64->msg_qbytes. + +KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool) +reports: + +================================================================== +BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300 +Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022 + +CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +Call Trace: + dump_stack+0x75/0xae + __kumsan_report+0x17c/0x3e6 + kumsan_report+0xe/0x20 + msgctl_down+0x94/0x300 + ksys_msgctl.constprop.14+0xef/0x260 + do_syscall_64+0x7e/0x1f0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x4400e9 +Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047 +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000 +R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970 +R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000 + +The buggy address belongs to the page: +page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 +flags: 0x100000000000000() +raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000 +raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +page dumped because: kumsan: bad access detected +================================================================== + +Syzkaller reproducer: +msgctl$IPC_RMID(0x0, 0x0) + +C reproducer: +// autogenerated by syzkaller (https://github.com/google/syzkaller) + +int main(void) +{ + syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); + syscall(__NR_msgctl, 0, 0, 0); + return 0; +} + +[natechancellor@gmail.com: adjust indentation in ksys_msgctl] + Link: https://github.com/ClangBuiltLinux/linux/issues/829 + Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com +Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.com +Signed-off-by: Lu Shuaibing +Signed-off-by: Nathan Chancellor +Suggested-by: Arnd Bergmann +Cc: Davidlohr Bueso +Cc: Manfred Spraul +Cc: NeilBrown +From: Andrew Morton +Subject: ipc/msg.c: consolidate all xxxctl_down() functions + +Each line here overflows 80 cols by exactly one character. Delete one tab +per line to fix. + +Cc: Shaohua Li +Cc: Jens Axboe +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/msg.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/ipc/msg.c ++++ b/ipc/msg.c +@@ -377,7 +377,7 @@ copy_msqid_from_user(struct msqid64_ds * + * NOTE: no locks must be held, the rwsem is taken inside this function. + */ + static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd, +- struct msqid64_ds *msqid64) ++ struct ipc64_perm *perm, int msg_qbytes) + { + struct kern_ipc_perm *ipcp; + struct msg_queue *msq; +@@ -387,7 +387,7 @@ static int msgctl_down(struct ipc_namesp + rcu_read_lock(); + + ipcp = ipcctl_obtain_check(ns, &msg_ids(ns), msqid, cmd, +- &msqid64->msg_perm, msqid64->msg_qbytes); ++ perm, msg_qbytes); + if (IS_ERR(ipcp)) { + err = PTR_ERR(ipcp); + goto out_unlock1; +@@ -409,18 +409,18 @@ static int msgctl_down(struct ipc_namesp + { + DEFINE_WAKE_Q(wake_q); + +- if (msqid64->msg_qbytes > ns->msg_ctlmnb && ++ if (msg_qbytes > ns->msg_ctlmnb && + !capable(CAP_SYS_RESOURCE)) { + err = -EPERM; + goto out_unlock1; + } + + ipc_lock_object(&msq->q_perm); +- err = ipc_update_perm(&msqid64->msg_perm, ipcp); ++ err = ipc_update_perm(perm, ipcp); + if (err) + goto out_unlock0; + +- msq->q_qbytes = msqid64->msg_qbytes; ++ msq->q_qbytes = msg_qbytes; + + msq->q_ctime = ktime_get_real_seconds(); + /* +@@ -601,9 +601,10 @@ static long ksys_msgctl(int msqid, int c + case IPC_SET: + if (copy_msqid_from_user(&msqid64, buf, version)) + return -EFAULT; +- /* fallthru */ ++ return msgctl_down(ns, msqid, cmd, &msqid64.msg_perm, ++ msqid64.msg_qbytes); + case IPC_RMID: +- return msgctl_down(ns, msqid, cmd, &msqid64); ++ return msgctl_down(ns, msqid, cmd, NULL, 0); + default: + return -EINVAL; + } +@@ -735,9 +736,9 @@ static long compat_ksys_msgctl(int msqid + case IPC_SET: + if (copy_compat_msqid_from_user(&msqid64, uptr, version)) + return -EFAULT; +- /* fallthru */ ++ return msgctl_down(ns, msqid, cmd, &msqid64.msg_perm, msqid64.msg_qbytes); + case IPC_RMID: +- return msgctl_down(ns, msqid, cmd, &msqid64); ++ return msgctl_down(ns, msqid, cmd, NULL, 0); + default: + return -EINVAL; + } diff --git a/queue-5.5/media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb-descriptors.patch b/queue-5.5/media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb-descriptors.patch new file mode 100644 index 00000000000..c061c6b0f1f --- /dev/null +++ b/queue-5.5/media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb-descriptors.patch @@ -0,0 +1,114 @@ +From 68035c80e129c4cfec659aac4180354530b26527 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 8 Nov 2019 16:48:38 +0100 +Subject: media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors + +From: Will Deacon + +commit 68035c80e129c4cfec659aac4180354530b26527 upstream. + +Way back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked +up the following WARNING from the UVC chain scanning code: + + | list_add double add: new=ffff880069084010, prev=ffff880069084010, + | next=ffff880067d22298. + | ------------[ cut here ]------------ + | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0 + | Modules linked in: + | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted + | 4.14.0-rc2-42613-g1488251d1a98 #238 + | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + | Workqueue: usb_hub_wq hub_event + | task: ffff88006b01ca40 task.stack: ffff880064358000 + | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29 + | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286 + | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000 + | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac + | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000 + | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010 + | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0 + | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000 + | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0 + | Call Trace: + | __list_add ./include/linux/list.h:59 + | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92 + | uvc_scan_chain_forward.isra.8+0x373/0x416 + | drivers/media/usb/uvc/uvc_driver.c:1471 + | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585 + | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769 + | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104 + +Looking into the output from usbmon, the interesting part is the +following data packet: + + ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080 + 00090403 00000e01 00000924 03000103 7c003328 010204db + +If we drop the lead configuration and interface descriptors, we're left +with an output terminal descriptor describing a generic display: + + /* Output terminal descriptor */ + buf[0] 09 + buf[1] 24 + buf[2] 03 /* UVC_VC_OUTPUT_TERMINAL */ + buf[3] 00 /* ID */ + buf[4] 01 /* type == 0x0301 (UVC_OTT_DISPLAY) */ + buf[5] 03 + buf[6] 7c + buf[7] 00 /* source ID refers to self! */ + buf[8] 33 + +The problem with this descriptor is that it is self-referential: the +source ID of 0 matches itself! This causes the 'struct uvc_entity' +representing the display to be added to its chain list twice during +'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is +processed directly from the 'dev->entities' list and then again +immediately afterwards when trying to follow the source ID in +'uvc_scan_chain_forward()' + +Add a check before adding an entity to a chain list to ensure that the +entity is not already part of a chain. + +Link: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/ + +Cc: +Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") +Reported-by: Andrey Konovalov +Signed-off-by: Will Deacon +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/uvc/uvc_driver.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -1493,6 +1493,11 @@ static int uvc_scan_chain_forward(struct + break; + if (forward == prev) + continue; ++ if (forward->chain.next || forward->chain.prev) { ++ uvc_trace(UVC_TRACE_DESCR, "Found reference to " ++ "entity %d already in chain.\n", forward->id); ++ return -EINVAL; ++ } + + switch (UVC_ENTITY_TYPE(forward)) { + case UVC_VC_EXTENSION_UNIT: +@@ -1574,6 +1579,13 @@ static int uvc_scan_chain_backward(struc + return -1; + } + ++ if (term->chain.next || term->chain.prev) { ++ uvc_trace(UVC_TRACE_DESCR, "Found reference to " ++ "entity %d already in chain.\n", ++ term->id); ++ return -EINVAL; ++ } ++ + if (uvc_trace_param & UVC_TRACE_PROBE) + printk(KERN_CONT " %d", term->id); + diff --git a/queue-5.5/mfd-dln2-more-sanity-checking-for-endpoints.patch b/queue-5.5/mfd-dln2-more-sanity-checking-for-endpoints.patch new file mode 100644 index 00000000000..0f09e295f8c --- /dev/null +++ b/queue-5.5/mfd-dln2-more-sanity-checking-for-endpoints.patch @@ -0,0 +1,55 @@ +From 2b8bd606b1e60ca28c765f69c1eedd7d2a2e9dca Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 21 Nov 2019 11:28:10 +0100 +Subject: mfd: dln2: More sanity checking for endpoints + +From: Oliver Neukum + +commit 2b8bd606b1e60ca28c765f69c1eedd7d2a2e9dca upstream. + +It is not enough to check for the number of endpoints. +The types must also be correct. + +Reported-and-tested-by: syzbot+48a2851be24583b864dc@syzkaller.appspotmail.com +Signed-off-by: Oliver Neukum +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/dln2.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/mfd/dln2.c ++++ b/drivers/mfd/dln2.c +@@ -722,6 +722,8 @@ static int dln2_probe(struct usb_interfa + const struct usb_device_id *usb_id) + { + struct usb_host_interface *hostif = interface->cur_altsetting; ++ struct usb_endpoint_descriptor *epin; ++ struct usb_endpoint_descriptor *epout; + struct device *dev = &interface->dev; + struct dln2_dev *dln2; + int ret; +@@ -731,12 +733,19 @@ static int dln2_probe(struct usb_interfa + hostif->desc.bNumEndpoints < 2) + return -ENODEV; + ++ epin = &hostif->endpoint[0].desc; ++ epout = &hostif->endpoint[1].desc; ++ if (!usb_endpoint_is_bulk_out(epout)) ++ return -ENODEV; ++ if (!usb_endpoint_is_bulk_in(epin)) ++ return -ENODEV; ++ + dln2 = kzalloc(sizeof(*dln2), GFP_KERNEL); + if (!dln2) + return -ENOMEM; + +- dln2->ep_out = hostif->endpoint[0].desc.bEndpointAddress; +- dln2->ep_in = hostif->endpoint[1].desc.bEndpointAddress; ++ dln2->ep_out = epout->bEndpointAddress; ++ dln2->ep_in = epin->bEndpointAddress; + dln2->usb_dev = usb_get_dev(interface_to_usbdev(interface)); + dln2->interface = interface; + usb_set_intfdata(interface, dln2); diff --git a/queue-5.5/netfilter-ipset-fix-suspicious-rcu-usage-in-find_set_and_id.patch b/queue-5.5/netfilter-ipset-fix-suspicious-rcu-usage-in-find_set_and_id.patch new file mode 100644 index 00000000000..662278af9cb --- /dev/null +++ b/queue-5.5/netfilter-ipset-fix-suspicious-rcu-usage-in-find_set_and_id.patch @@ -0,0 +1,120 @@ +From 5038517119d50ed0240059b1d7fc2faa92371c08 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Kadlecsik=20J=C3=B3zsef?= +Date: Sat, 25 Jan 2020 20:39:25 +0100 +Subject: netfilter: ipset: fix suspicious RCU usage in find_set_and_id + +From: Kadlecsik József + +commit 5038517119d50ed0240059b1d7fc2faa92371c08 upstream. + +find_set_and_id() is called when the NFNL_SUBSYS_IPSET mutex is held. +However, in the error path there can be a follow-up recvmsg() without +the mutex held. Use the start() function of struct netlink_dump_control +instead of dump() to verify and report if the specified set does not +exist. + +Thanks to Pablo Neira Ayuso for helping me to understand the subleties +of the netlink protocol. + +Reported-by: syzbot+fc69d7cb21258ab4ae4d@syzkaller.appspotmail.com +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/ipset/ip_set_core.c | 41 +++++++++++++++++++------------------- + 1 file changed, 21 insertions(+), 20 deletions(-) + +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -1483,31 +1483,34 @@ ip_set_dump_policy[IPSET_ATTR_CMD_MAX + + }; + + static int +-dump_init(struct netlink_callback *cb, struct ip_set_net *inst) ++ip_set_dump_start(struct netlink_callback *cb) + { + struct nlmsghdr *nlh = nlmsg_hdr(cb->skb); + int min_len = nlmsg_total_size(sizeof(struct nfgenmsg)); + struct nlattr *cda[IPSET_ATTR_CMD_MAX + 1]; + struct nlattr *attr = (void *)nlh + min_len; ++ struct sk_buff *skb = cb->skb; ++ struct ip_set_net *inst = ip_set_pernet(sock_net(skb->sk)); + u32 dump_type; +- ip_set_id_t index; + int ret; + + ret = nla_parse(cda, IPSET_ATTR_CMD_MAX, attr, + nlh->nlmsg_len - min_len, + ip_set_dump_policy, NULL); + if (ret) +- return ret; ++ goto error; + + cb->args[IPSET_CB_PROTO] = nla_get_u8(cda[IPSET_ATTR_PROTOCOL]); + if (cda[IPSET_ATTR_SETNAME]) { ++ ip_set_id_t index; + struct ip_set *set; + + set = find_set_and_id(inst, nla_data(cda[IPSET_ATTR_SETNAME]), + &index); +- if (!set) +- return -ENOENT; +- ++ if (!set) { ++ ret = -ENOENT; ++ goto error; ++ } + dump_type = DUMP_ONE; + cb->args[IPSET_CB_INDEX] = index; + } else { +@@ -1523,10 +1526,17 @@ dump_init(struct netlink_callback *cb, s + cb->args[IPSET_CB_DUMP] = dump_type; + + return 0; ++ ++error: ++ /* We have to create and send the error message manually :-( */ ++ if (nlh->nlmsg_flags & NLM_F_ACK) { ++ netlink_ack(cb->skb, nlh, ret, NULL); ++ } ++ return ret; + } + + static int +-ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb) ++ip_set_dump_do(struct sk_buff *skb, struct netlink_callback *cb) + { + ip_set_id_t index = IPSET_INVALID_ID, max; + struct ip_set *set = NULL; +@@ -1537,18 +1547,8 @@ ip_set_dump_start(struct sk_buff *skb, s + bool is_destroyed; + int ret = 0; + +- if (!cb->args[IPSET_CB_DUMP]) { +- ret = dump_init(cb, inst); +- if (ret < 0) { +- nlh = nlmsg_hdr(cb->skb); +- /* We have to create and send the error message +- * manually :-( +- */ +- if (nlh->nlmsg_flags & NLM_F_ACK) +- netlink_ack(cb->skb, nlh, ret, NULL); +- return ret; +- } +- } ++ if (!cb->args[IPSET_CB_DUMP]) ++ return -EINVAL; + + if (cb->args[IPSET_CB_INDEX] >= inst->ip_set_max) + goto out; +@@ -1684,7 +1684,8 @@ static int ip_set_dump(struct net *net, + + { + struct netlink_dump_control c = { +- .dump = ip_set_dump_start, ++ .start = ip_set_dump_start, ++ .dump = ip_set_dump_do, + .done = ip_set_dump_done, + }; + return netlink_dump_start(ctnl, skb, nlh, &c); diff --git a/queue-5.5/rcu-avoid-data-race-in-rcu_gp_fqs_check_wake.patch b/queue-5.5/rcu-avoid-data-race-in-rcu_gp_fqs_check_wake.patch new file mode 100644 index 00000000000..453b1278d7c --- /dev/null +++ b/queue-5.5/rcu-avoid-data-race-in-rcu_gp_fqs_check_wake.patch @@ -0,0 +1,107 @@ +From 6935c3983b246d5fbfebd3b891c825e65c118f2d Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 9 Oct 2019 14:21:54 -0700 +Subject: rcu: Avoid data-race in rcu_gp_fqs_check_wake() + +From: Eric Dumazet + +commit 6935c3983b246d5fbfebd3b891c825e65c118f2d upstream. + +The rcu_gp_fqs_check_wake() function uses rcu_preempt_blocked_readers_cgp() +to read ->gp_tasks while other cpus might overwrite this field. + +We need READ_ONCE()/WRITE_ONCE() pairs to avoid compiler +tricks and KCSAN splats like the following : + +BUG: KCSAN: data-race in rcu_gp_fqs_check_wake / rcu_preempt_deferred_qs_irqrestore + +write to 0xffffffff85a7f190 of 8 bytes by task 7317 on cpu 0: + rcu_preempt_deferred_qs_irqrestore+0x43d/0x580 kernel/rcu/tree_plugin.h:507 + rcu_read_unlock_special+0xec/0x370 kernel/rcu/tree_plugin.h:659 + __rcu_read_unlock+0xcf/0xe0 kernel/rcu/tree_plugin.h:394 + rcu_read_unlock include/linux/rcupdate.h:645 [inline] + __ip_queue_xmit+0x3b0/0xa40 net/ipv4/ip_output.c:533 + ip_queue_xmit+0x45/0x60 include/net/ip.h:236 + __tcp_transmit_skb+0xdeb/0x1cd0 net/ipv4/tcp_output.c:1158 + __tcp_send_ack+0x246/0x300 net/ipv4/tcp_output.c:3685 + tcp_send_ack+0x34/0x40 net/ipv4/tcp_output.c:3691 + tcp_cleanup_rbuf+0x130/0x360 net/ipv4/tcp.c:1575 + tcp_recvmsg+0x633/0x1a30 net/ipv4/tcp.c:2179 + inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838 + sock_recvmsg_nosec net/socket.c:871 [inline] + sock_recvmsg net/socket.c:889 [inline] + sock_recvmsg+0x92/0xb0 net/socket.c:885 + sock_read_iter+0x15f/0x1e0 net/socket.c:967 + call_read_iter include/linux/fs.h:1864 [inline] + new_sync_read+0x389/0x4f0 fs/read_write.c:414 + +read to 0xffffffff85a7f190 of 8 bytes by task 10 on cpu 1: + rcu_gp_fqs_check_wake kernel/rcu/tree.c:1556 [inline] + rcu_gp_fqs_check_wake+0x93/0xd0 kernel/rcu/tree.c:1546 + rcu_gp_fqs_loop+0x36c/0x580 kernel/rcu/tree.c:1611 + rcu_gp_kthread+0x143/0x220 kernel/rcu/tree.c:1768 + kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 10 Comm: rcu_preempt Not tainted 5.3.0+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +[ paulmck: Added another READ_ONCE() for RCU CPU stall warnings. ] +Signed-off-by: Paul E. McKenney +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/rcu/tree_plugin.h | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -220,7 +220,7 @@ static void rcu_preempt_ctxt_queue(struc + * blocked tasks. + */ + if (!rnp->gp_tasks && (blkd_state & RCU_GP_BLKD)) { +- rnp->gp_tasks = &t->rcu_node_entry; ++ WRITE_ONCE(rnp->gp_tasks, &t->rcu_node_entry); + WARN_ON_ONCE(rnp->completedqs == rnp->gp_seq); + } + if (!rnp->exp_tasks && (blkd_state & RCU_EXP_BLKD)) +@@ -340,7 +340,7 @@ EXPORT_SYMBOL_GPL(rcu_note_context_switc + */ + static int rcu_preempt_blocked_readers_cgp(struct rcu_node *rnp) + { +- return rnp->gp_tasks != NULL; ++ return READ_ONCE(rnp->gp_tasks) != NULL; + } + + /* Bias and limit values for ->rcu_read_lock_nesting. */ +@@ -493,7 +493,7 @@ rcu_preempt_deferred_qs_irqrestore(struc + trace_rcu_unlock_preempted_task(TPS("rcu_preempt"), + rnp->gp_seq, t->pid); + if (&t->rcu_node_entry == rnp->gp_tasks) +- rnp->gp_tasks = np; ++ WRITE_ONCE(rnp->gp_tasks, np); + if (&t->rcu_node_entry == rnp->exp_tasks) + rnp->exp_tasks = np; + if (IS_ENABLED(CONFIG_RCU_BOOST)) { +@@ -663,7 +663,7 @@ static void rcu_preempt_check_blocked_ta + dump_blkd_tasks(rnp, 10); + if (rcu_preempt_has_tasks(rnp) && + (rnp->qsmaskinit || rnp->wait_blkd_tasks)) { +- rnp->gp_tasks = rnp->blkd_tasks.next; ++ WRITE_ONCE(rnp->gp_tasks, rnp->blkd_tasks.next); + t = container_of(rnp->gp_tasks, struct task_struct, + rcu_node_entry); + trace_rcu_unlock_preempted_task(TPS("rcu_preempt-GPS"), +@@ -757,7 +757,8 @@ dump_blkd_tasks(struct rcu_node *rnp, in + pr_info("%s: %d:%d ->qsmask %#lx ->qsmaskinit %#lx ->qsmaskinitnext %#lx\n", + __func__, rnp1->grplo, rnp1->grphi, rnp1->qsmask, rnp1->qsmaskinit, rnp1->qsmaskinitnext); + pr_info("%s: ->gp_tasks %p ->boost_tasks %p ->exp_tasks %p\n", +- __func__, rnp->gp_tasks, rnp->boost_tasks, rnp->exp_tasks); ++ __func__, READ_ONCE(rnp->gp_tasks), rnp->boost_tasks, ++ rnp->exp_tasks); + pr_info("%s: ->blkd_tasks", __func__); + i = 0; + list_for_each(lhp, &rnp->blkd_tasks) { diff --git a/queue-5.5/rcu-use-_once-to-protect-lockless-expmask-accesses.patch b/queue-5.5/rcu-use-_once-to-protect-lockless-expmask-accesses.patch new file mode 100644 index 00000000000..dc24728945d --- /dev/null +++ b/queue-5.5/rcu-use-_once-to-protect-lockless-expmask-accesses.patch @@ -0,0 +1,106 @@ +From 15c7c972cd26d89a26788e609c53b5a465324a6c Mon Sep 17 00:00:00 2001 +From: "Paul E. McKenney" +Date: Mon, 7 Oct 2019 18:53:18 -0700 +Subject: rcu: Use *_ONCE() to protect lockless ->expmask accesses + +From: Paul E. McKenney + +commit 15c7c972cd26d89a26788e609c53b5a465324a6c upstream. + +The rcu_node structure's ->expmask field is accessed locklessly when +starting a new expedited grace period and when reporting an expedited +RCU CPU stall warning. This commit therefore handles the former by +taking a snapshot of ->expmask while the lock is held and the latter +by applying READ_ONCE() to lockless reads and WRITE_ONCE() to the +corresponding updates. + +Link: https://lore.kernel.org/lkml/CANpmjNNmSOagbTpffHr4=Yedckx9Rm2NuGqC9UqE+AOz5f1-ZQ@mail.gmail.com +Reported-by: syzbot+134336b86f728d6e55a0@syzkaller.appspotmail.com +Signed-off-by: Paul E. McKenney +Acked-by: Marco Elver +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/rcu/tree_exp.h | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +--- a/kernel/rcu/tree_exp.h ++++ b/kernel/rcu/tree_exp.h +@@ -134,7 +134,7 @@ static void __maybe_unused sync_exp_rese + rcu_for_each_node_breadth_first(rnp) { + raw_spin_lock_irqsave_rcu_node(rnp, flags); + WARN_ON_ONCE(rnp->expmask); +- rnp->expmask = rnp->expmaskinit; ++ WRITE_ONCE(rnp->expmask, rnp->expmaskinit); + raw_spin_unlock_irqrestore_rcu_node(rnp, flags); + } + } +@@ -211,7 +211,7 @@ static void __rcu_report_exp_rnp(struct + rnp = rnp->parent; + raw_spin_lock_rcu_node(rnp); /* irqs already disabled */ + WARN_ON_ONCE(!(rnp->expmask & mask)); +- rnp->expmask &= ~mask; ++ WRITE_ONCE(rnp->expmask, rnp->expmask & ~mask); + } + } + +@@ -241,7 +241,7 @@ static void rcu_report_exp_cpu_mult(stru + raw_spin_unlock_irqrestore_rcu_node(rnp, flags); + return; + } +- rnp->expmask &= ~mask; ++ WRITE_ONCE(rnp->expmask, rnp->expmask & ~mask); + __rcu_report_exp_rnp(rnp, wake, flags); /* Releases rnp->lock. */ + } + +@@ -372,12 +372,10 @@ static void sync_rcu_exp_select_node_cpu + raw_spin_unlock_irqrestore_rcu_node(rnp, flags); + + /* IPI the remaining CPUs for expedited quiescent state. */ +- for_each_leaf_node_cpu_mask(rnp, cpu, rnp->expmask) { ++ for_each_leaf_node_cpu_mask(rnp, cpu, mask_ofl_ipi) { + unsigned long mask = leaf_node_cpu_bit(rnp, cpu); + struct rcu_data *rdp = per_cpu_ptr(&rcu_data, cpu); + +- if (!(mask_ofl_ipi & mask)) +- continue; + retry_ipi: + if (rcu_dynticks_in_eqs_since(rdp, rdp->exp_dynticks_snap)) { + mask_ofl_test |= mask; +@@ -491,7 +489,7 @@ static void synchronize_sched_expedited_ + struct rcu_data *rdp; + + mask = leaf_node_cpu_bit(rnp, cpu); +- if (!(rnp->expmask & mask)) ++ if (!(READ_ONCE(rnp->expmask) & mask)) + continue; + ndetected++; + rdp = per_cpu_ptr(&rcu_data, cpu); +@@ -503,7 +501,8 @@ static void synchronize_sched_expedited_ + } + pr_cont(" } %lu jiffies s: %lu root: %#lx/%c\n", + jiffies - jiffies_start, rcu_state.expedited_sequence, +- rnp_root->expmask, ".T"[!!rnp_root->exp_tasks]); ++ READ_ONCE(rnp_root->expmask), ++ ".T"[!!rnp_root->exp_tasks]); + if (ndetected) { + pr_err("blocking rcu_node structures:"); + rcu_for_each_node_breadth_first(rnp) { +@@ -513,7 +512,7 @@ static void synchronize_sched_expedited_ + continue; + pr_cont(" l=%u:%d-%d:%#lx/%c", + rnp->level, rnp->grplo, rnp->grphi, +- rnp->expmask, ++ READ_ONCE(rnp->expmask), + ".T"[!!rnp->exp_tasks]); + } + pr_cont("\n"); +@@ -521,7 +520,7 @@ static void synchronize_sched_expedited_ + rcu_for_each_leaf_node(rnp) { + for_each_leaf_node_possible_cpu(rnp, cpu) { + mask = leaf_node_cpu_bit(rnp, cpu); +- if (!(rnp->expmask & mask)) ++ if (!(READ_ONCE(rnp->expmask) & mask)) + continue; + dump_cpu_task(cpu); + } diff --git a/queue-5.5/rcu-use-read_once-for-expmask-in-rcu_read_unlock_special.patch b/queue-5.5/rcu-use-read_once-for-expmask-in-rcu_read_unlock_special.patch new file mode 100644 index 00000000000..2b697c9f14b --- /dev/null +++ b/queue-5.5/rcu-use-read_once-for-expmask-in-rcu_read_unlock_special.patch @@ -0,0 +1,35 @@ +From c51f83c315c392d9776c33eb16a2fe1349d65c7f Mon Sep 17 00:00:00 2001 +From: "Paul E. McKenney" +Date: Mon, 4 Nov 2019 08:22:45 -0800 +Subject: rcu: Use READ_ONCE() for ->expmask in rcu_read_unlock_special() + +From: Paul E. McKenney + +commit c51f83c315c392d9776c33eb16a2fe1349d65c7f upstream. + +The rcu_node structure's ->expmask field is updated only when holding the +->lock, but is also accessed locklessly. This means that all ->expmask +updates must use WRITE_ONCE() and all reads carried out without holding +->lock must use READ_ONCE(). This commit therefore changes the lockless +->expmask read in rcu_read_unlock_special() to use READ_ONCE(). + +Reported-by: syzbot+99f4ddade3c22ab0cf23@syzkaller.appspotmail.com +Signed-off-by: Paul E. McKenney +Acked-by: Marco Elver +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/rcu/tree_plugin.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -612,7 +612,7 @@ static void rcu_read_unlock_special(stru + + t->rcu_read_unlock_special.b.exp_hint = false; + exp = (t->rcu_blocked_node && t->rcu_blocked_node->exp_tasks) || +- (rdp->grpmask & rnp->expmask) || ++ (rdp->grpmask & READ_ONCE(rnp->expmask)) || + tick_nohz_full_cpu(rdp->cpu); + // Need to defer quiescent state until everything is enabled. + if (irqs_were_disabled && use_softirq && diff --git a/queue-5.5/series b/queue-5.5/series index 05c42ec825a..3045d253be5 100644 --- a/queue-5.5/series +++ b/queue-5.5/series @@ -24,3 +24,14 @@ ionic-fix-rxq-comp-packet-type-mask.patch maintainers-correct-entries-for-isdn-misdn-section.patch netdevsim-fix-stack-out-of-bounds-in-nsim_dev_debugfs_init.patch bnxt_en-fix-logic-that-disables-bus-master-during-firmware-reset.patch +media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb-descriptors.patch +mfd-dln2-more-sanity-checking-for-endpoints.patch +netfilter-ipset-fix-suspicious-rcu-usage-in-find_set_and_id.patch +alsa-pcm-fix-memory-leak-at-closing-a-stream-without-hw_free.patch +ipc-msg.c-consolidate-all-xxxctl_down-functions.patch +tracing-kprobes-have-uname-use-__get_str-in-print_fmt.patch +tracing-fix-sched-switch-start-stop-refcount-racy-updates.patch +rcu-use-_once-to-protect-lockless-expmask-accesses.patch +rcu-avoid-data-race-in-rcu_gp_fqs_check_wake.patch +srcu-apply-_once-to-srcu_last_gp_end.patch +rcu-use-read_once-for-expmask-in-rcu_read_unlock_special.patch diff --git a/queue-5.5/srcu-apply-_once-to-srcu_last_gp_end.patch b/queue-5.5/srcu-apply-_once-to-srcu_last_gp_end.patch new file mode 100644 index 00000000000..d9648aa58c1 --- /dev/null +++ b/queue-5.5/srcu-apply-_once-to-srcu_last_gp_end.patch @@ -0,0 +1,53 @@ +From 844a378de3372c923909681706d62336d702531e Mon Sep 17 00:00:00 2001 +From: "Paul E. McKenney" +Date: Mon, 4 Nov 2019 08:08:30 -0800 +Subject: srcu: Apply *_ONCE() to ->srcu_last_gp_end + +From: Paul E. McKenney + +commit 844a378de3372c923909681706d62336d702531e upstream. + +The ->srcu_last_gp_end field is accessed from any CPU at any time +by synchronize_srcu(), so non-initialization references need to use +READ_ONCE() and WRITE_ONCE(). This commit therefore makes that change. + +Reported-by: syzbot+08f3e9d26e5541e1ecf2@syzkaller.appspotmail.com +Acked-by: Marco Elver +Signed-off-by: Paul E. McKenney +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/rcu/srcutree.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/kernel/rcu/srcutree.c ++++ b/kernel/rcu/srcutree.c +@@ -530,7 +530,7 @@ static void srcu_gp_end(struct srcu_stru + idx = rcu_seq_state(ssp->srcu_gp_seq); + WARN_ON_ONCE(idx != SRCU_STATE_SCAN2); + cbdelay = srcu_get_delay(ssp); +- ssp->srcu_last_gp_end = ktime_get_mono_fast_ns(); ++ WRITE_ONCE(ssp->srcu_last_gp_end, ktime_get_mono_fast_ns()); + rcu_seq_end(&ssp->srcu_gp_seq); + gpseq = rcu_seq_current(&ssp->srcu_gp_seq); + if (ULONG_CMP_LT(ssp->srcu_gp_seq_needed_exp, gpseq)) +@@ -762,6 +762,7 @@ static bool srcu_might_be_idle(struct sr + unsigned long flags; + struct srcu_data *sdp; + unsigned long t; ++ unsigned long tlast; + + /* If the local srcu_data structure has callbacks, not idle. */ + local_irq_save(flags); +@@ -780,9 +781,9 @@ static bool srcu_might_be_idle(struct sr + + /* First, see if enough time has passed since the last GP. */ + t = ktime_get_mono_fast_ns(); ++ tlast = READ_ONCE(ssp->srcu_last_gp_end); + if (exp_holdoff == 0 || +- time_in_range_open(t, ssp->srcu_last_gp_end, +- ssp->srcu_last_gp_end + exp_holdoff)) ++ time_in_range_open(t, tlast, tlast + exp_holdoff)) + return false; /* Too soon after last GP. */ + + /* Next, check for probable idleness. */ diff --git a/queue-5.5/tracing-fix-sched-switch-start-stop-refcount-racy-updates.patch b/queue-5.5/tracing-fix-sched-switch-start-stop-refcount-racy-updates.patch new file mode 100644 index 00000000000..04381128afa --- /dev/null +++ b/queue-5.5/tracing-fix-sched-switch-start-stop-refcount-racy-updates.patch @@ -0,0 +1,50 @@ +From 64ae572bc7d0060429e40e1c8d803ce5eb31a0d6 Mon Sep 17 00:00:00 2001 +From: Mathieu Desnoyers +Date: Sat, 17 Aug 2019 10:12:08 -0400 +Subject: tracing: Fix sched switch start/stop refcount racy updates + +From: Mathieu Desnoyers + +commit 64ae572bc7d0060429e40e1c8d803ce5eb31a0d6 upstream. + +Reading the sched_cmdline_ref and sched_tgid_ref initial state within +tracing_start_sched_switch without holding the sched_register_mutex is +racy against concurrent updates, which can lead to tracepoint probes +being registered more than once (and thus trigger warnings within +tracepoint.c). + +[ May be the fix for this bug ] +Link: https://lore.kernel.org/r/000000000000ab6f84056c786b93@google.com + +Link: http://lkml.kernel.org/r/20190817141208.15226-1-mathieu.desnoyers@efficios.com + +Cc: stable@vger.kernel.org +CC: Steven Rostedt (VMware) +CC: Joel Fernandes (Google) +CC: Peter Zijlstra +CC: Thomas Gleixner +CC: Paul E. McKenney +Reported-by: syzbot+774fddf07b7ab29a1e55@syzkaller.appspotmail.com +Fixes: d914ba37d7145 ("tracing: Add support for recording tgid of tasks") +Signed-off-by: Mathieu Desnoyers +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_sched_switch.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_sched_switch.c ++++ b/kernel/trace/trace_sched_switch.c +@@ -89,8 +89,10 @@ static void tracing_sched_unregister(voi + + static void tracing_start_sched_switch(int ops) + { +- bool sched_register = (!sched_cmdline_ref && !sched_tgid_ref); ++ bool sched_register; ++ + mutex_lock(&sched_register_mutex); ++ sched_register = (!sched_cmdline_ref && !sched_tgid_ref); + + switch (ops) { + case RECORD_CMDLINE: diff --git a/queue-5.5/tracing-kprobes-have-uname-use-__get_str-in-print_fmt.patch b/queue-5.5/tracing-kprobes-have-uname-use-__get_str-in-print_fmt.patch new file mode 100644 index 00000000000..1572c8569a0 --- /dev/null +++ b/queue-5.5/tracing-kprobes-have-uname-use-__get_str-in-print_fmt.patch @@ -0,0 +1,85 @@ +From 20279420ae3a8ef4c5d9fedc360a2c37a1dbdf1b Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Fri, 24 Jan 2020 10:07:42 -0500 +Subject: tracing/kprobes: Have uname use __get_str() in print_fmt + +From: Steven Rostedt (VMware) + +commit 20279420ae3a8ef4c5d9fedc360a2c37a1dbdf1b upstream. + +Thomas Richter reported: + +> Test case 66 'Use vfs_getname probe to get syscall args filenames' +> is broken on s390, but works on x86. The test case fails with: +> +> [root@m35lp76 perf]# perf test -F 66 +> 66: Use vfs_getname probe to get syscall args filenames +> :Recording open file: +> [ perf record: Woken up 1 times to write data ] +> [ perf record: Captured and wrote 0.004 MB /tmp/__perf_test.perf.data.TCdYj\ +> (20 samples) ] +> Looking at perf.data file for vfs_getname records for the file we touched: +> FAILED! +> [root@m35lp76 perf]# + +The root cause was the print_fmt of the kprobe event that referenced the +"ustring" + +> Setting up the kprobe event using perf command: +> +> # ./perf probe "vfs_getname=getname_flags:72 pathname=filename:ustring" +> +> generates this format file: +> [root@m35lp76 perf]# cat /sys/kernel/debug/tracing/events/probe/\ +> vfs_getname/format +> name: vfs_getname +> ID: 1172 +> format: +> field:unsigned short common_type; offset:0; size:2; signed:0; +> field:unsigned char common_flags; offset:2; size:1; signed:0; +> field:unsigned char common_preempt_count; offset:3; size:1; signed:0; +> field:int common_pid; offset:4; size:4; signed:1; +> +> field:unsigned long __probe_ip; offset:8; size:8; signed:0; +> field:__data_loc char[] pathname; offset:16; size:4; signed:1; +> +> print fmt: "(%lx) pathname=\"%s\"", REC->__probe_ip, REC->pathname + +Instead of using "__get_str(pathname)" it referenced it directly. + +Link: http://lkml.kernel.org/r/20200124100742.4050c15e@gandalf.local.home + +Cc: stable@vger.kernel.org +Fixes: 88903c464321 ("tracing/probe: Add ustring type for user-space string") +Acked-by: Masami Hiramatsu +Reported-by: Thomas Richter +Tested-by: Thomas Richter +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_probe.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/kernel/trace/trace_probe.c ++++ b/kernel/trace/trace_probe.c +@@ -876,7 +876,8 @@ static int __set_print_fmt(struct trace_ + for (i = 0; i < tp->nr_args; i++) { + parg = tp->args + i; + if (parg->count) { +- if (strcmp(parg->type->name, "string") == 0) ++ if ((strcmp(parg->type->name, "string") == 0) || ++ (strcmp(parg->type->name, "ustring") == 0)) + fmt = ", __get_str(%s[%d])"; + else + fmt = ", REC->%s[%d]"; +@@ -884,7 +885,8 @@ static int __set_print_fmt(struct trace_ + pos += snprintf(buf + pos, LEN_OR_ZERO, + fmt, parg->name, j); + } else { +- if (strcmp(parg->type->name, "string") == 0) ++ if ((strcmp(parg->type->name, "string") == 0) || ++ (strcmp(parg->type->name, "ustring") == 0)) + fmt = ", __get_str(%s)"; + else + fmt = ", REC->%s"; -- 2.47.3