From 8367a16ded911d39b465f8761956c48cb2474b6d Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Thu, 31 Oct 2024 23:01:30 -0400
Subject: [PATCH] Fixes for 5.15
Signed-off-by: Sasha Levin
---
 ...ge-handler_addr-type-to-void-pointer.patch | 50 ++++++
 ...i_memory_runtime-block-for-prm-handl.patch | 119 +++++++++++++
 ...i-prm-remove-unnecessary-blank-lines.patch | 58 +++++++
 ...tial-overflow-issue-when-checking-ma.patch | 59 +++++++
 ...user-after-free-from-session-log-off.patch | 162 ++++++++++++++++++
 ...-incorrect-buffer-mirror-size-in-hmm.patch | 70 ++++++++
 queue-5.15/series | 6 +
 7 files changed, 524 insertions(+)
 create mode 100644 queue-5.15/acpi-prm-change-handler_addr-type-to-void-pointer.patch
 create mode 100644 queue-5.15/acpi-prm-find-efi_memory_runtime-block-for-prm-handl.patch
 create mode 100644 queue-5.15/acpi-prm-remove-unnecessary-blank-lines.patch
 create mode 100644 queue-5.15/cgroup-fix-potential-overflow-issue-when-checking-ma.patch
 create mode 100644 queue-5.15/ksmbd-fix-user-after-free-from-session-log-off.patch
 create mode 100644 queue-5.15/selftests-mm-fix-incorrect-buffer-mirror-size-in-hmm.patch
 create mode 100644 queue-5.15/series
diff --git a/queue-5.15/acpi-prm-change-handler_addr-type-to-void-pointer.patch b/queue-5.15/acpi-prm-change-handler_addr-type-to-void-pointer.patch
new file mode 100644
index 00000000000..d9a7df97342
--- /dev/null
+++ b/queue-5.15/acpi-prm-change-handler_addr-type-to-void-pointer.patch
@@ -0,0 +1,50 @@
+From e2e522ef7a01c48f39d4552bac619bfac2fb6745 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Jun 2022 13:53:43 +0100
+Subject: ACPI: PRM: Change handler_addr type to void pointer
+
+From: Sudeep Holla
+
+[ Upstream commit 353efd5e97a7973d78f2634274b57309d0966e29 ]
+
+handler_addr is a virtual address passed to efi_call_virt_pointer.
+While x86 currently type cast it into the pointer in it's arch specific
+arch_efi_call_virt() implementation, ARM64 is restrictive for right
+reasons.
+
+Convert the handler_addr type from u64 to void pointer.
+
+Signed-off-by: Sudeep Holla
+Acked-by: Rafael J. Wysocki
+Signed-off-by: Ard Biesheuvel
+Stable-dep-of: 088984c8d54c ("ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context")
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/prmt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/acpi/prmt.c b/drivers/acpi/prmt.c
+index 8d876bdb08f68..6da424f1f133f 100644
+--- a/drivers/acpi/prmt.c
++++ b/drivers/acpi/prmt.c
+@@ -53,7 +53,7 @@ static LIST_HEAD(prm_module_list);
+
+ struct prm_handler_info {
+ guid_t guid;
+- u64 handler_addr;
++ void *handler_addr;
+ u64 static_data_buffer_addr;
+ u64 acpi_param_buffer_addr;
+
+@@ -136,7 +136,7 @@ acpi_parse_prmt(union acpi_subtable_headers *header, const unsigned long end)
+ th = &tm->handlers[cur_handler];
+
+ guid_copy(&th->guid, (guid_t *)handler_info->handler_guid);
+- th->handler_addr = efi_pa_va_lookup(handler_info->handler_address);
++ th->handler_addr = (void *)efi_pa_va_lookup(handler_info->handler_address);
+ th->static_data_buffer_addr = efi_pa_va_lookup(handler_info->static_data_buffer_address);
+ th->acpi_param_buffer_addr = efi_pa_va_lookup(handler_info->acpi_param_buffer_address);
+ } while (++cur_handler < tm->handler_count && (handler_info = get_next_handler(handler_info)));
+--
+2.43.0
+
diff --git a/queue-5.15/acpi-prm-find-efi_memory_runtime-block-for-prm-handl.patch b/queue-5.15/acpi-prm-find-efi_memory_runtime-block-for-prm-handl.patch
new file mode 100644
index 00000000000..58f4b60027f
--- /dev/null
+++ b/queue-5.15/acpi-prm-find-efi_memory_runtime-block-for-prm-handl.patch
@@ -0,0 +1,119 @@
+From 4829c847ef829ebcf36bebb1e4ca4fb8f03aaf06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 13 Oct 2024 04:50:10 +0800
+Subject: ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context
+
+From: Koba Ko
+
+[ Upstream commit 088984c8d54c0053fc4ae606981291d741c5924b ]
+
+PRMT needs to find the correct type of block to translate the PA-VA
+mapping for EFI runtime services.
+
+The issue arises because the PRMT is finding a block of type
+EFI_CONVENTIONAL_MEMORY, which is not appropriate for runtime services
+as described in Section 2.2.2 (Runtime Services) of the UEFI
+Specification [1]. Since the PRM handler is a type of runtime service,
+this causes an exception when the PRM handler is called.
+
+ [Firmware Bug]: Unable to handle paging request in EFI runtime service
+ WARNING: CPU: 22 PID: 4330 at drivers/firmware/efi/runtime-wrappers.c:341
+ __efi_queue_work+0x11c/0x170
+ Call trace:
+
+Let PRMT find a block with EFI_MEMORY_RUNTIME for PRM handler and PRM
+context.
+
+If no suitable block is found, a warning message will be printed, but
+the procedure continues to manage the next PRM handler.
+
+However, if the PRM handler is actually called without proper allocation,
+it would result in a failure during error handling.
+
+By using the correct memory types for runtime services, ensure that the
+PRM handler and the context are properly mapped in the virtual address
+space during runtime, preventing the paging request error.
+
+The issue is really that only memory that has been remapped for runtime
+by the firmware can be used by the PRM handler, and so the region needs
+to have the EFI_MEMORY_RUNTIME attribute.
+
+Link: https://uefi.org/sites/default/files/resources/UEFI_Spec_2_10_Aug29.pdf # [1]
+Fixes: cefc7ca46235 ("ACPI: PRM: implement OperationRegion handler for the PlatformRtMechanism subtype")
+Cc: All applicable
+Signed-off-by: Koba Ko
+Reviewed-by: Matthew R. Ochs
+Reviewed-by: Zhang Rui
+Reviewed-by: Ard Biesheuvel
+Link: https://patch.msgid.link/20241012205010.4165798-1-kobak@nvidia.com
+[ rjw: Subject and changelog edits ]
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/prmt.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/acpi/prmt.c b/drivers/acpi/prmt.c
+index 6da424f1f133f..63ead3f1d2947 100644
+--- a/drivers/acpi/prmt.c
++++ b/drivers/acpi/prmt.c
+@@ -72,17 +72,21 @@ struct prm_module_info {
+ struct prm_handler_info handlers[];
+ };
+
+-static u64 efi_pa_va_lookup(u64 pa)
++static u64 efi_pa_va_lookup(efi_guid_t *guid, u64 pa)
+ {
+ efi_memory_desc_t *md;
+ u64 pa_offset = pa & ~PAGE_MASK;
+ u64 page = pa & PAGE_MASK;
+
+ for_each_efi_memory_desc(md) {
+- if (md->phys_addr < pa && pa < md->phys_addr + PAGE_SIZE * md->num_pages)
++ if ((md->attribute & EFI_MEMORY_RUNTIME) &&
++ (md->phys_addr < pa && pa < md->phys_addr + PAGE_SIZE * md->num_pages)) {
+ return pa_offset + md->virt_addr + page - md->phys_addr;
++ }
+ }
+
++ pr_warn("Failed to find VA for GUID: %pUL, PA: 0x%llx", guid, pa);
++
+ return 0;
+ }
+
+@@ -136,9 +140,15 @@ acpi_parse_prmt(union acpi_subtable_headers *header, const unsigned long end)
+ th = &tm->handlers[cur_handler];
+
+ guid_copy(&th->guid, (guid_t *)handler_info->handler_guid);
+- th->handler_addr = (void *)efi_pa_va_lookup(handler_info->handler_address);
+- th->static_data_buffer_addr = efi_pa_va_lookup(handler_info->static_data_buffer_address);
+- th->acpi_param_buffer_addr = efi_pa_va_lookup(handler_info->acpi_param_buffer_address);
++ th->handler_addr =
++ (void *)efi_pa_va_lookup(&th->guid, handler_info->handler_address);
++
++ th->static_data_buffer_addr =
++ efi_pa_va_lookup(&th->guid, handler_info->static_data_buffer_address);
++
++ th->acpi_param_buffer_addr =
++ efi_pa_va_lookup(&th->guid, handler_info->acpi_param_buffer_address);
++
+ } while (++cur_handler < tm->handler_count && (handler_info = get_next_handler(handler_info)));
+
+ return 0;
+@@ -232,6 +242,13 @@ static acpi_status acpi_platformrt_space_handler(u32 function,
+ if (!handler || !module)
+ goto invalid_guid;
+
++ if (!handler->handler_addr ||
++ !handler->static_data_buffer_addr ||
++ !handler->acpi_param_buffer_addr) {
++ buffer->prm_status = PRM_HANDLER_ERROR;
++ return AE_OK;
++ }
++
+ ACPI_COPY_NAMESEG(context.signature, "PRMC");
+ context.revision = 0x0;
+ context.reserved = 0x0;
+--
+2.43.0
+
diff --git a/queue-5.15/acpi-prm-remove-unnecessary-blank-lines.patch b/queue-5.15/acpi-prm-remove-unnecessary-blank-lines.patch
new file mode 100644
index 00000000000..760200f5742
--- /dev/null
+++ b/queue-5.15/acpi-prm-remove-unnecessary-blank-lines.patch
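Review bot: In the prmt.c patch, the new guard in acpi_platformrt_space_handler() returns PRM_HANDLER_ERROR when any of `handler_addr`, `static_data_buffer_addr` or `acpi_param_buffer_addr` is zero, while efi_pa_va_lookup() returns 0 both when no EFI_MEMORY_RUNTIME descriptor covers the address and when the table simply carried a zero physical address. If firmware is allowed to leave a buffer address unset (the table contract is not visible in these hunks), such a handler becomes permanently uncallable and every parse logs a warning for it; refusing to call through an unmapped `handler_addr` is the check that protects the kernel, so consider treating a zero input as "not provided" with `if (!pa) return 0;` ahead of the warning and rejecting only lookups that failed for a non-zero address. Two smaller points in efi_pa_va_lookup(): the `pr_warn()` format string has no trailing `\n`, and the range test `md->phys_addr < pa` excludes an address that sits exactly at the start of a descriptor, which looks unintended. Both function bodies continue outside the hunks.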
@@ -0,0 +1,58 @@
+From 333b050cd932395cf09eb3962c21d8518d837dbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 20 Oct 2021 11:23:16 +0800
+Subject: ACPI: PRM: Remove unnecessary blank lines
+
+From: Aubrey Li
+
+[ Upstream commit caa2bd07f5c5f09acf62072906daeaa667e2b645 ]
+
+Just remove unnecessary blank lines, no other code changes
+
+Signed-off-by: Aubrey Li
+Signed-off-by: Rafael J. Wysocki
+Stable-dep-of: 088984c8d54c ("ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context")
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/prmt.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/acpi/prmt.c b/drivers/acpi/prmt.c
+index 09c0af8a46f0a..8d876bdb08f68 100644
+--- a/drivers/acpi/prmt.c
++++ b/drivers/acpi/prmt.c
+@@ -49,7 +49,6 @@ struct prm_context_buffer {
+ };
+ #pragma pack()
+
+-
+ static LIST_HEAD(prm_module_list);
+
+ struct prm_handler_info {
+@@ -73,7 +72,6 @@ struct prm_module_info {
+ struct prm_handler_info handlers[];
+ };
+
+-
+ static u64 efi_pa_va_lookup(u64 pa)
+ {
+ efi_memory_desc_t *md;
+@@ -88,7 +86,6 @@ static u64 efi_pa_va_lookup(u64 pa)
+ return 0;
+ }
+
+-
+ #define get_first_handler(a) ((struct acpi_prmt_handler_info *) ((char *) (a) + a->handler_info_offset))
+ #define get_next_handler(a) ((struct acpi_prmt_handler_info *) (sizeof(struct acpi_prmt_handler_info) + (char *) a))
+
+@@ -171,7 +168,6 @@ static void *find_guid_info(const guid_t *guid, u8 mode)
+ return NULL;
+ }
+
+-
+ static struct prm_module_info *find_prm_module(const guid_t *guid)
+ {
+ return (struct prm_module_info *)find_guid_info(guid, GET_MODULE);
+--
+2.43.0
+
diff --git a/queue-5.15/cgroup-fix-potential-overflow-issue-when-checking-ma.patch b/queue-5.15/cgroup-fix-potential-overflow-issue-when-checking-ma.patch
new file mode 100644
index 00000000000..8cbd8875c21
--- /dev/null
+++ b/queue-5.15/cgroup-fix-potential-overflow-issue-when-checking-ma.patch
@@ -0,0 +1,59 @@
+From c95aa34609c12072a7b27bbd6bd4726180365d79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 12 Oct 2024 07:22:46 +0000
+Subject: cgroup: Fix potential overflow issue when checking max_depth
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiu Jianfeng
+
+[ Upstream commit 3cc4e13bb1617f6a13e5e6882465984148743cf4 ]
+
+cgroup.max.depth is the maximum allowed descent depth below the current
+cgroup. If the actual descent depth is equal or larger, an attempt to
+create a new child cgroup will fail. However due to the cgroup->max_depth
+is of int type and having the default value INT_MAX, the condition
+'level > cgroup->max_depth' will never be satisfied, and it will cause
+an overflow of the level after it reaches to INT_MAX.
+
+Fix it by starting the level from 0 and using '>=' instead.
+
+It's worth mentioning that this issue is unlikely to occur in reality,
+as it's impossible to have a depth of INT_MAX hierarchy, but should be
+be avoided logically.
+
+Fixes: 1a926e0bbab8 ("cgroup: implement hierarchy limits")
+Signed-off-by: Xiu Jianfeng
+Reviewed-by: Michal Koutný
+Signed-off-by: Tejun Heo
+Signed-off-by: Sasha Levin
+---
+ kernel/cgroup/cgroup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index 999fef6d12282..9ba87c5de1a87 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -5527,7 +5527,7 @@ static bool cgroup_check_hierarchy_limits(struct cgroup *parent)
+ {
+ struct cgroup *cgroup;
+ int ret = false;
+- int level = 1;
++ int level = 0;
+
+ lockdep_assert_held(&cgroup_mutex);
+
+@@ -5535,7 +5535,7 @@ static bool cgroup_check_hierarchy_limits(struct cgroup *parent)
+ if (cgroup->nr_descendants >= cgroup->max_descendants)
+ goto fail;
+
+- if (level > cgroup->max_depth)
++ if (level >= cgroup->max_depth)
+ goto fail;
+
+ level++;
+--
+2.43.0
+
diff --git a/queue-5.15/ksmbd-fix-user-after-free-from-session-log-off.patch b/queue-5.15/ksmbd-fix-user-after-free-from-session-log-off.patch
new file mode 100644
index 00000000000..26b7b01e516
--- /dev/null
+++ b/queue-5.15/ksmbd-fix-user-after-free-from-session-log-off.patch
@@ -0,0 +1,162 @@
+From a5559d1a10da8405782f6232e67dc96d1b3e9b85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Oct 2024 22:42:57 +0900
+Subject: ksmbd: fix user-after-free from session log off
+
+From: Namjae Jeon
+
+[ Upstream commit 7aa8804c0b67b3cb263a472d17f2cb50d7f1a930 ]
+
+There is racy issue between smb2 session log off and smb2 session setup.
+It will cause user-after-free from session log off.
+This add session_lock when setting SMB2_SESSION_EXPIRED and referece
+count to session struct not to free session while it is being used.
+
+Cc: stable@vger.kernel.org # v5.15+
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-25282
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/ksmbd/mgmt/user_session.c | 26 +++++++++++++++++++++-----
+ fs/ksmbd/mgmt/user_session.h | 4 ++++
+ fs/ksmbd/server.c | 2 ++
+ fs/ksmbd/smb2pdu.c | 8 +++++++-
+ 4 files changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/fs/ksmbd/mgmt/user_session.c b/fs/ksmbd/mgmt/user_session.c
+index 15f68ee050894..844db95e66511 100644
+--- a/fs/ksmbd/mgmt/user_session.c
++++ b/fs/ksmbd/mgmt/user_session.c
+@@ -176,9 +176,10 @@ static void ksmbd_expire_session(struct ksmbd_conn *conn)
+
+ down_write(&conn->session_lock);
+ xa_for_each(&conn->sessions, id, sess) {
+- if (sess->state != SMB2_SESSION_VALID ||
+- time_after(jiffies,
+- sess->last_active + SMB2_SESSION_TIMEOUT)) {
++ if (atomic_read(&sess->refcnt) == 0 &&
++ (sess->state != SMB2_SESSION_VALID ||
++ time_after(jiffies,
++ sess->last_active + SMB2_SESSION_TIMEOUT))) {
+ xa_erase(&conn->sessions, sess->id);
+ hash_del(&sess->hlist);
+ ksmbd_session_destroy(sess);
+@@ -268,8 +269,6 @@ struct ksmbd_session *ksmbd_session_lookup_slowpath(unsigned long long id)
+
+ down_read(&sessions_table_lock);
+ sess = __session_lookup(id);
+- if (sess)
+- sess->last_active = jiffies;
+ up_read(&sessions_table_lock);
+
+ return sess;
+@@ -288,6 +287,22 @@ struct ksmbd_session *ksmbd_session_lookup_all(struct ksmbd_conn *conn,
+ return sess;
+ }
+
++void ksmbd_user_session_get(struct ksmbd_session *sess)
++{
++ atomic_inc(&sess->refcnt);
++}
++
++void ksmbd_user_session_put(struct ksmbd_session *sess)
++{
++ if (!sess)
++ return;
++
++ if (atomic_read(&sess->refcnt) <= 0)
++ WARN_ON(1);
++ else
++ atomic_dec(&sess->refcnt);
++}
++
+ struct preauth_session *ksmbd_preauth_session_alloc(struct ksmbd_conn *conn,
+ u64 sess_id)
+ {
+@@ -356,6 +371,7 @@ static struct ksmbd_session *__session_create(int protocol)
+ xa_init(&sess->rpc_handle_list);
+ sess->sequence_number = 1;
+ rwlock_init(&sess->tree_conns_lock);
++ atomic_set(&sess->refcnt, 1);
+
+ ret = __init_smb2_session(sess);
+ if (ret)
+diff --git a/fs/ksmbd/mgmt/user_session.h b/fs/ksmbd/mgmt/user_session.h
+index 63cb08fffde84..ce91b1d698e71 100644
+--- a/fs/ksmbd/mgmt/user_session.h
++++ b/fs/ksmbd/mgmt/user_session.h
+@@ -61,6 +61,8 @@ struct ksmbd_session {
+ struct ksmbd_file_table file_table;
+ unsigned long last_active;
+ rwlock_t tree_conns_lock;
++
++ atomic_t refcnt;
+ };
+
+ static inline int test_session_flag(struct ksmbd_session *sess, int bit)
+@@ -101,4 +103,6 @@ void ksmbd_release_tree_conn_id(struct ksmbd_session *sess, int id);
+ int ksmbd_session_rpc_open(struct ksmbd_session *sess, char *rpc_name);
+ void ksmbd_session_rpc_close(struct ksmbd_session *sess, int id);
+ int ksmbd_session_rpc_method(struct ksmbd_session *sess, int id);
++void ksmbd_user_session_get(struct ksmbd_session *sess);
++void ksmbd_user_session_put(struct ksmbd_session *sess);
+ #endif /* __USER_SESSION_MANAGEMENT_H__ */
+diff --git a/fs/ksmbd/server.c b/fs/ksmbd/server.c
+index 63b01f7d97031..09ebcf39d5bcb 100644
+--- a/fs/ksmbd/server.c
++++ b/fs/ksmbd/server.c
+@@ -238,6 +238,8 @@ static void __handle_ksmbd_work(struct ksmbd_work *work,
+ } while (is_chained == true);
+
+ send:
++ if (work->sess)
++ ksmbd_user_session_put(work->sess);
+ if (work->tcon)
+ ksmbd_tree_connect_put(work->tcon);
+ smb3_preauth_hash_rsp(work);
+diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
+index 089dc2f51229a..54f7cf7a98b2b 100644
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -606,8 +606,10 @@ int smb2_check_user_session(struct ksmbd_work *work)
+
+ /* Check for validity of user session */
+ work->sess = ksmbd_session_lookup_all(conn, sess_id);
+- if (work->sess)
++ if (work->sess) {
++ ksmbd_user_session_get(work->sess);
+ return 1;
++ }
+ ksmbd_debug(SMB, "Invalid user session, Uid %llu\n", sess_id);
+ return -ENOENT;
+ }
+@@ -1761,6 +1763,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
+ }
+
+ conn->binding = true;
++ ksmbd_user_session_get(sess);
+ } else if ((conn->dialect < SMB30_PROT_ID ||
+ server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL) &&
+ (req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
+@@ -1787,6 +1790,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
+ }
+
+ conn->binding = false;
++ ksmbd_user_session_get(sess);
+ }
+ work->sess = sess;
+
+@@ -2235,7 +2239,9 @@ int smb2_session_logoff(struct ksmbd_work *work)
+ }
+
+ ksmbd_destroy_file_table(&sess->file_table);
++ down_write(&conn->session_lock);
+ sess->state = SMB2_SESSION_EXPIRED;
++ up_write(&conn->session_lock);
+
+ ksmbd_free_user(sess->user);
+ sess->user = NULL;
+--
+2.43.0
+
diff --git a/queue-5.15/selftests-mm-fix-incorrect-buffer-mirror-size-in-hmm.patch b/queue-5.15/selftests-mm-fix-incorrect-buffer-mirror-size-in-hmm.patch
new file mode 100644
index 00000000000..6f0c38c6209
--- /dev/null
+++ b/queue-5.15/selftests-mm-fix-incorrect-buffer-mirror-size-in-hmm.patch
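Review bot: In the smb2pdu.c part of the ksmbd patch, smb2_check_user_session() takes the reference only after ksmbd_session_lookup_all() has returned, so between the lookup and `ksmbd_user_session_get(work->sess)` the count can still read 0 and the `atomic_read(&sess->refcnt) == 0` test in ksmbd_expire_session() may let another thread destroy the session; the race window is narrower but, as far as these hunks show, not closed. Taking the reference inside the lookup while the lock protecting the session table is still held would close it; the lookup bodies are outside the hunks, so this is inferred from the call site. Separately, ksmbd_user_session_put() does `atomic_read()` followed by `atomic_dec()`, a check-then-act pair rather than one atomic step; `WARN_ON(atomic_dec_if_positive(&sess->refcnt) < 0);` keeps the same intent in a single operation, and `refcount_t` would add saturation and underflow reporting. A short comment on `atomic_set(&sess->refcnt, 1)` saying which put drops the initial reference would also help, since no matching get is visible on the new-session path of smb2_sess_setup().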
@@ -0,0 +1,70 @@
+From f5078cf9efe2e44475472c36fcc0b3505d4cb941 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 27 Sep 2024 00:07:52 -0500
+Subject: selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map
+ test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Donet Tom
+
+[ Upstream commit 76503e1fa1a53ef041a120825d5ce81c7fe7bdd7 ]
+
+The hmm2 double_map test was failing due to an incorrect buffer->mirror
+size. The buffer->mirror size was 6, while buffer->ptr size was 6 *
+PAGE_SIZE. The test failed because the kernel's copy_to_user function was
+attempting to copy a 6 * PAGE_SIZE buffer to buffer->mirror. Since the
+size of buffer->mirror was incorrect, copy_to_user failed.
+
+This patch corrects the buffer->mirror size to 6 * PAGE_SIZE.
+
+Test Result without this patch
+==============================
+ # RUN hmm2.hmm2_device_private.double_map ...
+ # hmm-tests.c:1680:double_map:Expected ret (-14) == 0 (0)
+ # double_map: Test terminated by assertion
+ # FAIL hmm2.hmm2_device_private.double_map
+ not ok 53 hmm2.hmm2_device_private.double_map
+
+Test Result with this patch
+===========================
+ # RUN hmm2.hmm2_device_private.double_map ...
+ # OK hmm2.hmm2_device_private.double_map
+ ok 53 hmm2.hmm2_device_private.double_map
+
+Link: https://lkml.kernel.org/r/20240927050752.51066-1-donettom@linux.ibm.com
+Fixes: fee9f6d1b8df ("mm/hmm/test: add selftests for HMM")
+Signed-off-by: Donet Tom
+Reviewed-by: Muhammad Usama Anjum
+Cc: Jérôme Glisse
+Cc: Kees Cook
+Cc: Mark Brown
+Cc: Przemek Kitszel
+Cc: Ritesh Harjani (IBM)
+Cc: Shuah Khan
+Cc: Ralph Campbell
+Cc: Jason Gunthorpe
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/vm/hmm-tests.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/vm/hmm-tests.c b/tools/testing/selftests/vm/hmm-tests.c
+index 203323967b507..a8f69d991243d 100644
+--- a/tools/testing/selftests/vm/hmm-tests.c
++++ b/tools/testing/selftests/vm/hmm-tests.c
+@@ -1482,7 +1482,7 @@ TEST_F(hmm2, double_map)
+
+ buffer->fd = -1;
+ buffer->size = size;
+- buffer->mirror = malloc(npages);
++ buffer->mirror = malloc(size);
+ ASSERT_NE(buffer->mirror, NULL);
+
+ /* Reserve a range of addresses. */
+--
+2.43.0
+
diff --git a/queue-5.15/series b/queue-5.15/series
new file mode 100644
index 00000000000..c1805eb93d0
--- /dev/null
+++ b/queue-5.15/series
@@ -0,0 +1,6 @@
+selftests-mm-fix-incorrect-buffer-mirror-size-in-hmm.patch
+ksmbd-fix-user-after-free-from-session-log-off.patch
+acpi-prm-remove-unnecessary-blank-lines.patch
+acpi-prm-change-handler_addr-type-to-void-pointer.patch
+acpi-prm-find-efi_memory_runtime-block-for-prm-handl.patch
+cgroup-fix-potential-overflow-issue-when-checking-ma.patch
--
2.47.2