--- /dev/null
+From f1e09150ed6fb7a83a7a0d1de6e392e3a4094d49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 15:56:01 +0800
+Subject: arm64/mm: fix incorrect file_map_count for non-leaf pmd/pud
+
+From: Liu Shixin <liushixin2@huawei.com>
+
+[ Upstream commit 5b47348fc0b18a78c96f8474cc90b7525ad1bbfe ]
+
+The page table check trigger BUG_ON() unexpectedly when collapse hugepage:
+
+ ------------[ cut here ]------------
+ kernel BUG at mm/page_table_check.c:82!
+ Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
+ Dumping ftrace buffer:
+ (ftrace buffer empty)
+ Modules linked in:
+ CPU: 6 PID: 68 Comm: khugepaged Not tainted 6.1.0-rc3+ #750
+ Hardware name: linux,dummy-virt (DT)
+ pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : page_table_check_clear.isra.0+0x258/0x3f0
+ lr : page_table_check_clear.isra.0+0x240/0x3f0
+[...]
+ Call trace:
+ page_table_check_clear.isra.0+0x258/0x3f0
+ __page_table_check_pmd_clear+0xbc/0x108
+ pmdp_collapse_flush+0xb0/0x160
+ collapse_huge_page+0xa08/0x1080
+ hpage_collapse_scan_pmd+0xf30/0x1590
+ khugepaged_scan_mm_slot.constprop.0+0x52c/0xac8
+ khugepaged+0x338/0x518
+ kthread+0x278/0x2f8
+ ret_from_fork+0x10/0x20
+[...]
+
+Since pmd_user_accessible_page() doesn't check if a pmd is leaf, it
+decrease file_map_count for a non-leaf pmd comes from collapse_huge_page().
+and so trigger BUG_ON() unexpectedly.
+
+Fix this problem by using pmd_leaf() insteal of pmd_present() in
+pmd_user_accessible_page(). Moreover, use pud_leaf() for
+pud_user_accessible_page() too.
+
+Fixes: 42b2547137f5 ("arm64/mm: enable ARCH_SUPPORTS_PAGE_TABLE_CHECK")
+Reported-by: Denys Vlasenko <dvlasenk@redhat.com>
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Acked-by: Pasha Tatashin <pasha.tatashin@soleen.com>
+Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Acked-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20221117075602.2904324-2-liushixin2@huawei.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/pgtable.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h
+index b5df82aa99e6..d78e69293d12 100644
+--- a/arch/arm64/include/asm/pgtable.h
++++ b/arch/arm64/include/asm/pgtable.h
+@@ -863,12 +863,12 @@ static inline bool pte_user_accessible_page(pte_t pte)
+
+ static inline bool pmd_user_accessible_page(pmd_t pmd)
+ {
+- return pmd_present(pmd) && (pmd_user(pmd) || pmd_user_exec(pmd));
++ return pmd_leaf(pmd) && (pmd_user(pmd) || pmd_user_exec(pmd));
+ }
+
+ static inline bool pud_user_accessible_page(pud_t pud)
+ {
+- return pud_present(pud) && pud_user(pud);
++ return pud_leaf(pud) && pud_user(pud);
+ }
+ #endif
+
+--
+2.35.1
+
--- /dev/null
+From 20dba073e3aff01187cc01abaa6230db99daf62a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 11:04:33 +0200
+Subject: ASoC: SOF: topology: No need to assign core ID if token parsing
+ failed
+
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+
+[ Upstream commit 3d59eaef49ca2db581156a7b77c9afc0546eefc0 ]
+
+Move the return value check before attempting to assign the core ID to the
+swidget since we are going to fail the sof_widget_ready() and free up
+swidget anyways.
+
+Fixes: 909dadf21aae ("ASoC: SOF: topology: Make DAI widget parsing IPC agnostic")
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Link: https://lore.kernel.org/r/20221107090433.5146-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/topology.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
+index 9273a70fec25..e1b7f07de7fc 100644
+--- a/sound/soc/sof/topology.c
++++ b/sound/soc/sof/topology.c
+@@ -1346,16 +1346,6 @@ static int sof_widget_ready(struct snd_soc_component *scomp, int index,
+ break;
+ }
+
+- if (sof_debug_check_flag(SOF_DBG_DISABLE_MULTICORE)) {
+- swidget->core = SOF_DSP_PRIMARY_CORE;
+- } else {
+- int core = sof_get_token_value(SOF_TKN_COMP_CORE_ID, swidget->tuples,
+- swidget->num_tuples);
+-
+- if (core >= 0)
+- swidget->core = core;
+- }
+-
+ /* check token parsing reply */
+ if (ret < 0) {
+ dev_err(scomp->dev,
+@@ -1367,6 +1357,16 @@ static int sof_widget_ready(struct snd_soc_component *scomp, int index,
+ return ret;
+ }
+
++ if (sof_debug_check_flag(SOF_DBG_DISABLE_MULTICORE)) {
++ swidget->core = SOF_DSP_PRIMARY_CORE;
++ } else {
++ int core = sof_get_token_value(SOF_TKN_COMP_CORE_ID, swidget->tuples,
++ swidget->num_tuples);
++
++ if (core >= 0)
++ swidget->core = core;
++ }
++
+ /* bind widget to external event */
+ if (tw->event_type) {
+ if (widget_ops[w->id].bind_event) {
+--
+2.35.1
+
--- /dev/null
+From 63c00d84a78609f0df759fab434e27747557f665 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 15:40:03 -0800
+Subject: Input: i8042 - fix leaking of platform device on module removal
+
+From: Chen Jun <chenjun102@huawei.com>
+
+[ Upstream commit 81cd7e8489278d28794e7b272950c3e00c344e44 ]
+
+Avoid resetting the module-wide i8042_platform_device pointer in
+i8042_probe() or i8042_remove(), so that the device can be properly
+destroyed by i8042_exit() on module unload.
+
+Fixes: 9222ba68c3f4 ("Input: i8042 - add deferred probe support")
+Signed-off-by: Chen Jun <chenjun102@huawei.com>
+Link: https://lore.kernel.org/r/20221109034148.23821-1-chenjun102@huawei.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/serio/i8042.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c
+index 3fc0a89cc785..f132d6dfc25e 100644
+--- a/drivers/input/serio/i8042.c
++++ b/drivers/input/serio/i8042.c
+@@ -1543,8 +1543,6 @@ static int i8042_probe(struct platform_device *dev)
+ {
+ int error;
+
+- i8042_platform_device = dev;
+-
+ if (i8042_reset == I8042_RESET_ALWAYS) {
+ error = i8042_controller_selftest();
+ if (error)
+@@ -1582,7 +1580,6 @@ static int i8042_probe(struct platform_device *dev)
+ i8042_free_aux_ports(); /* in case KBD failed but AUX not */
+ i8042_free_irqs();
+ i8042_controller_reset(false);
+- i8042_platform_device = NULL;
+
+ return error;
+ }
+@@ -1592,7 +1589,6 @@ static int i8042_remove(struct platform_device *dev)
+ i8042_unregister_ports();
+ i8042_free_irqs();
+ i8042_controller_reset(false);
+- i8042_platform_device = NULL;
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 0a098ad26b743fbf96c74d3ae8187ed5a53e3a65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 10:15:34 +0900
+Subject: kprobes: Skip clearing aggrprobe's post_handler in kprobe-on-ftrace
+ case
+
+From: Li Huafei <lihuafei1@huawei.com>
+
+[ Upstream commit 5dd7caf0bdc5d0bae7cf9776b4d739fb09bd5ebb ]
+
+In __unregister_kprobe_top(), if the currently unregistered probe has
+post_handler but other child probes of the aggrprobe do not have
+post_handler, the post_handler of the aggrprobe is cleared. If this is
+a ftrace-based probe, there is a problem. In later calls to
+disarm_kprobe(), we will use kprobe_ftrace_ops because post_handler is
+NULL. But we're armed with kprobe_ipmodify_ops. This triggers a WARN in
+__disarm_kprobe_ftrace() and may even cause use-after-free:
+
+ Failed to disarm kprobe-ftrace at kernel_clone+0x0/0x3c0 (error -2)
+ WARNING: CPU: 5 PID: 137 at kernel/kprobes.c:1135 __disarm_kprobe_ftrace.isra.21+0xcf/0xe0
+ Modules linked in: testKprobe_007(-)
+ CPU: 5 PID: 137 Comm: rmmod Not tainted 6.1.0-rc4-dirty #18
+ [...]
+ Call Trace:
+ <TASK>
+ __disable_kprobe+0xcd/0xe0
+ __unregister_kprobe_top+0x12/0x150
+ ? mutex_lock+0xe/0x30
+ unregister_kprobes.part.23+0x31/0xa0
+ unregister_kprobe+0x32/0x40
+ __x64_sys_delete_module+0x15e/0x260
+ ? do_user_addr_fault+0x2cd/0x6b0
+ do_syscall_64+0x3a/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ [...]
+
+For the kprobe-on-ftrace case, we keep the post_handler setting to
+identify this aggrprobe armed with kprobe_ipmodify_ops. This way we
+can disarm it correctly.
+
+Link: https://lore.kernel.org/all/20221112070000.35299-1-lihuafei1@huawei.com/
+
+Fixes: 0bc11ed5ab60 ("kprobes: Allow kprobes coexist with livepatch")
+Reported-by: Zhao Gongyi <zhaogongyi@huawei.com>
+Suggested-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Li Huafei <lihuafei1@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kprobes.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/kprobes.c b/kernel/kprobes.c
+index 917b92ae2382..6d2a8623ec7b 100644
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1762,7 +1762,13 @@ static int __unregister_kprobe_top(struct kprobe *p)
+ if ((list_p != p) && (list_p->post_handler))
+ goto noclean;
+ }
+- ap->post_handler = NULL;
++ /*
++ * For the kprobe-on-ftrace case, we keep the
++ * post_handler setting to identify this aggrprobe
++ * armed with kprobe_ipmodify_ops.
++ */
++ if (!kprobe_ftrace(ap))
++ ap->post_handler = NULL;
+ }
+ noclean:
+ /*
+--
+2.35.1
+
--- /dev/null
+From 1ea60c1db42da0b5b40eb7e9bf8d5937f6f475cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 20:16:19 +0100
+Subject: l2tp: Serialize access to sk_user_data with sk_callback_lock
+
+From: Jakub Sitnicki <jakub@cloudflare.com>
+
+[ Upstream commit b68777d54fac21fc833ec26ea1a2a84f975ab035 ]
+
+sk->sk_user_data has multiple users, which are not compatible with each
+other. Writers must synchronize by grabbing the sk->sk_callback_lock.
+
+l2tp currently fails to grab the lock when modifying the underlying tunnel
+socket fields. Fix it by adding appropriate locking.
+
+We err on the side of safety and grab the sk_callback_lock also inside the
+sk_destruct callback overridden by l2tp, even though there should be no
+refs allowing access to the sock at the time when sk_destruct gets called.
+
+v4:
+- serialize write to sk_user_data in l2tp sk_destruct
+
+v3:
+- switch from sock lock to sk_callback_lock
+- document write-protection for sk_user_data
+
+v2:
+- update Fixes to point to origin of the bug
+- use real names in Reported/Tested-by tags
+
+Cc: Tom Parkin <tparkin@katalix.com>
+Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
+Reported-by: Haowei Yan <g1042620637@gmail.com>
+Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 2 +-
+ net/l2tp/l2tp_core.c | 19 +++++++++++++------
+ 2 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index f6e6838c82df..03a4ebe3ccc8 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -323,7 +323,7 @@ struct sk_filter;
+ * @sk_tskey: counter to disambiguate concurrent tstamp requests
+ * @sk_zckey: counter to order MSG_ZEROCOPY notifications
+ * @sk_socket: Identd and reporting IO signals
+- * @sk_user_data: RPC layer private data
++ * @sk_user_data: RPC layer private data. Write-protected by @sk_callback_lock.
+ * @sk_frag: cached page frag
+ * @sk_peek_off: current peek_offset value
+ * @sk_send_head: front of stuff to transmit
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index 7499c51b1850..754fdda8a5f5 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1150,8 +1150,10 @@ static void l2tp_tunnel_destruct(struct sock *sk)
+ }
+
+ /* Remove hooks into tunnel socket */
++ write_lock_bh(&sk->sk_callback_lock);
+ sk->sk_destruct = tunnel->old_sk_destruct;
+ sk->sk_user_data = NULL;
++ write_unlock_bh(&sk->sk_callback_lock);
+
+ /* Call the original destructor */
+ if (sk->sk_destruct)
+@@ -1469,16 +1471,18 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+ sock = sockfd_lookup(tunnel->fd, &ret);
+ if (!sock)
+ goto err;
+-
+- ret = l2tp_validate_socket(sock->sk, net, tunnel->encap);
+- if (ret < 0)
+- goto err_sock;
+ }
+
++ sk = sock->sk;
++ write_lock(&sk->sk_callback_lock);
++
++ ret = l2tp_validate_socket(sk, net, tunnel->encap);
++ if (ret < 0)
++ goto err_sock;
++
+ tunnel->l2tp_net = net;
+ pn = l2tp_pernet(net);
+
+- sk = sock->sk;
+ sock_hold(sk);
+ tunnel->sock = sk;
+
+@@ -1504,7 +1508,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+
+ setup_udp_tunnel_sock(net, sock, &udp_cfg);
+ } else {
+- sk->sk_user_data = tunnel;
++ rcu_assign_sk_user_data(sk, tunnel);
+ }
+
+ tunnel->old_sk_destruct = sk->sk_destruct;
+@@ -1518,6 +1522,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+ if (tunnel->fd >= 0)
+ sockfd_put(sock);
+
++ write_unlock(&sk->sk_callback_lock);
+ return 0;
+
+ err_sock:
+@@ -1525,6 +1530,8 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+ sock_release(sock);
+ else
+ sockfd_put(sock);
++
++ write_unlock(&sk->sk_callback_lock);
+ err:
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From 4d6ea530dd3cb2ac584f8e3a68c865cffd7fb966 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 13:44:34 +0200
+Subject: net: usb: smsc95xx: fix external PHY reset
+
+From: Alexandru Tachici <alexandru.tachici@analog.com>
+
+[ Upstream commit 809ff97a677ff85dfb7ce2b63be261d1633dcf29 ]
+
+An external PHY needs settling time after power up or reset.
+In the bind() function an mdio bus is registered. If at this point
+the external PHY is still initialising, no valid PHY ID will be
+read and on phy_find_first() the bind() function will fail.
+
+If an external PHY is present, wait the maximum time specified
+in 802.3 45.2.7.1.1.
+
+Fixes: 05b35e7eb9a1 ("smsc95xx: add phylib support")
+Signed-off-by: Alexandru Tachici <alexandru.tachici@analog.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20221115114434.9991-2-alexandru.tachici@analog.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc95xx.c | 46 ++++++++++++++++++++++++++++++++++----
+ 1 file changed, 42 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index bfb58c91db04..32d2c60d334d 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -66,6 +66,7 @@ struct smsc95xx_priv {
+ spinlock_t mac_cr_lock;
+ u8 features;
+ u8 suspend_flags;
++ bool is_internal_phy;
+ struct irq_chip irqchip;
+ struct irq_domain *irqdomain;
+ struct fwnode_handle *irqfwnode;
+@@ -252,6 +253,43 @@ static void smsc95xx_mdio_write(struct usbnet *dev, int phy_id, int idx,
+ mutex_unlock(&dev->phy_mutex);
+ }
+
++static int smsc95xx_mdiobus_reset(struct mii_bus *bus)
++{
++ struct smsc95xx_priv *pdata;
++ struct usbnet *dev;
++ u32 val;
++ int ret;
++
++ dev = bus->priv;
++ pdata = dev->driver_priv;
++
++ if (pdata->is_internal_phy)
++ return 0;
++
++ mutex_lock(&dev->phy_mutex);
++
++ ret = smsc95xx_read_reg(dev, PM_CTRL, &val);
++ if (ret < 0)
++ goto reset_out;
++
++ val |= PM_CTL_PHY_RST_;
++
++ ret = smsc95xx_write_reg(dev, PM_CTRL, val);
++ if (ret < 0)
++ goto reset_out;
++
++ /* Driver has no knowledge at this point about the external PHY.
++ * The 802.3 specifies that the reset process shall
++ * be completed within 0.5 s.
++ */
++ fsleep(500000);
++
++reset_out:
++ mutex_unlock(&dev->phy_mutex);
++
++ return 0;
++}
++
+ static int smsc95xx_mdiobus_read(struct mii_bus *bus, int phy_id, int idx)
+ {
+ struct usbnet *dev = bus->priv;
+@@ -1052,7 +1090,6 @@ static void smsc95xx_handle_link_change(struct net_device *net)
+ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+ struct smsc95xx_priv *pdata;
+- bool is_internal_phy;
+ char usb_path[64];
+ int ret, phy_irq;
+ u32 val;
+@@ -1133,13 +1170,14 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf)
+ if (ret < 0)
+ goto free_mdio;
+
+- is_internal_phy = !(val & HW_CFG_PSEL_);
+- if (is_internal_phy)
++ pdata->is_internal_phy = !(val & HW_CFG_PSEL_);
++ if (pdata->is_internal_phy)
+ pdata->mdiobus->phy_mask = ~(1u << SMSC95XX_INTERNAL_PHY_ID);
+
+ pdata->mdiobus->priv = dev;
+ pdata->mdiobus->read = smsc95xx_mdiobus_read;
+ pdata->mdiobus->write = smsc95xx_mdiobus_write;
++ pdata->mdiobus->reset = smsc95xx_mdiobus_reset;
+ pdata->mdiobus->name = "smsc95xx-mdiobus";
+ pdata->mdiobus->parent = &dev->udev->dev;
+
+@@ -1160,7 +1198,7 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf)
+ }
+
+ pdata->phydev->irq = phy_irq;
+- pdata->phydev->is_internal = is_internal_phy;
++ pdata->phydev->is_internal = pdata->is_internal_phy;
+
+ /* detect device revision as different features may be available */
+ ret = smsc95xx_read_reg(dev, ID_REV, &val);
+--
+2.35.1
+
--- /dev/null
+From 7d9b3afd0bda689591bc6f2ddf885c705148216c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 22:24:00 +0800
+Subject: net: use struct_group to copy ip/ipv6 header addresses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 58e0be1ef6118c5352b56a4d06e974c5599993a5 ]
+
+kernel test robot reported warnings when build bonding module with
+make W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash drivers/net/bonding/:
+
+ from ../drivers/net/bonding/bond_main.c:35:
+In function ‘fortify_memcpy_chk’,
+ inlined from ‘iph_to_flow_copy_v4addrs’ at ../include/net/ip.h:566:2,
+ inlined from ‘bond_flow_ip’ at ../drivers/net/bonding/bond_main.c:3984:3:
+../include/linux/fortify-string.h:413:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of f
+ield (2nd parameter); maybe use struct_group()? [-Wattribute-warning]
+ 413 | __read_overflow2_field(q_size_field, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In function ‘fortify_memcpy_chk’,
+ inlined from ‘iph_to_flow_copy_v6addrs’ at ../include/net/ipv6.h:900:2,
+ inlined from ‘bond_flow_ip’ at ../drivers/net/bonding/bond_main.c:3994:3:
+../include/linux/fortify-string.h:413:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of f
+ield (2nd parameter); maybe use struct_group()? [-Wattribute-warning]
+ 413 | __read_overflow2_field(q_size_field, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This is because we try to copy the whole ip/ip6 address to the flow_key,
+while we only point the to ip/ip6 saddr. Note that since these are UAPI
+headers, __struct_group() is used to avoid the compiler warnings.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: c3f8324188fa ("net: Add full IPv6 addresses to flow_keys")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://lore.kernel.org/r/20221115142400.1204786-1-liuhangbin@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip.h | 2 +-
+ include/net/ipv6.h | 2 +-
+ include/uapi/linux/ip.h | 6 ++++--
+ include/uapi/linux/ipv6.h | 6 ++++--
+ 4 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/ip.h b/include/net/ip.h
+index 1c979fd1904c..1eca38ac6c67 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -563,7 +563,7 @@ static inline void iph_to_flow_copy_v4addrs(struct flow_keys *flow,
+ BUILD_BUG_ON(offsetof(typeof(flow->addrs), v4addrs.dst) !=
+ offsetof(typeof(flow->addrs), v4addrs.src) +
+ sizeof(flow->addrs.v4addrs.src));
+- memcpy(&flow->addrs.v4addrs, &iph->saddr, sizeof(flow->addrs.v4addrs));
++ memcpy(&flow->addrs.v4addrs, &iph->addrs, sizeof(flow->addrs.v4addrs));
+ flow->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
+ }
+
+diff --git a/include/net/ipv6.h b/include/net/ipv6.h
+index de9dcc5652c4..59125562c1a4 100644
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -897,7 +897,7 @@ static inline void iph_to_flow_copy_v6addrs(struct flow_keys *flow,
+ BUILD_BUG_ON(offsetof(typeof(flow->addrs), v6addrs.dst) !=
+ offsetof(typeof(flow->addrs), v6addrs.src) +
+ sizeof(flow->addrs.v6addrs.src));
+- memcpy(&flow->addrs.v6addrs, &iph->saddr, sizeof(flow->addrs.v6addrs));
++ memcpy(&flow->addrs.v6addrs, &iph->addrs, sizeof(flow->addrs.v6addrs));
+ flow->control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
+ }
+
+diff --git a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
+index 961ec16a26b8..874a92349bf5 100644
+--- a/include/uapi/linux/ip.h
++++ b/include/uapi/linux/ip.h
+@@ -100,8 +100,10 @@ struct iphdr {
+ __u8 ttl;
+ __u8 protocol;
+ __sum16 check;
+- __be32 saddr;
+- __be32 daddr;
++ __struct_group(/* no tag */, addrs, /* no attrs */,
++ __be32 saddr;
++ __be32 daddr;
++ );
+ /*The options start here. */
+ };
+
+diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h
+index 03cdbe798fe3..81f4243bebb1 100644
+--- a/include/uapi/linux/ipv6.h
++++ b/include/uapi/linux/ipv6.h
+@@ -130,8 +130,10 @@ struct ipv6hdr {
+ __u8 nexthdr;
+ __u8 hop_limit;
+
+- struct in6_addr saddr;
+- struct in6_addr daddr;
++ __struct_group(/* no tag */, addrs, /* no attrs */,
++ struct in6_addr saddr;
++ struct in6_addr daddr;
++ );
+ };
+
+
+--
+2.35.1
+
--- /dev/null
+From bea7b9eef5fb7e1dfd577c968382ea7189bece94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 10:35:13 +0100
+Subject: perf: Improve missing SIGTRAP checking
+
+From: Marco Elver <elver@google.com>
+
+[ Upstream commit bb88f9695460bec25aa30ba9072595025cf6c8af ]
+
+To catch missing SIGTRAP we employ a WARN in __perf_event_overflow(),
+which fires if pending_sigtrap was already set: returning to user space
+without consuming pending_sigtrap, and then having the event fire again
+would re-enter the kernel and trigger the WARN.
+
+This, however, seemed to miss the case where some events not associated
+with progress in the user space task can fire and the interrupt handler
+runs before the IRQ work meant to consume pending_sigtrap (and generate
+the SIGTRAP).
+
+syzbot gifted us this stack trace:
+
+ | WARNING: CPU: 0 PID: 3607 at kernel/events/core.c:9313 __perf_event_overflow
+ | Modules linked in:
+ | CPU: 0 PID: 3607 Comm: syz-executor100 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d #0
+ | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
+ | RIP: 0010:__perf_event_overflow+0x498/0x540 kernel/events/core.c:9313
+ | <...>
+ | Call Trace:
+ | <TASK>
+ | perf_swevent_hrtimer+0x34f/0x3c0 kernel/events/core.c:10729
+ | __run_hrtimer kernel/time/hrtimer.c:1685 [inline]
+ | __hrtimer_run_queues+0x1c6/0xfb0 kernel/time/hrtimer.c:1749
+ | hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811
+ | local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1096 [inline]
+ | __sysvec_apic_timer_interrupt+0x17c/0x640 arch/x86/kernel/apic/apic.c:1113
+ | sysvec_apic_timer_interrupt+0x40/0xc0 arch/x86/kernel/apic/apic.c:1107
+ | asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649
+ | <...>
+ | </TASK>
+
+In this case, syzbot produced a program with event type
+PERF_TYPE_SOFTWARE and config PERF_COUNT_SW_CPU_CLOCK. The hrtimer
+manages to fire again before the IRQ work got a chance to run, all while
+never having returned to user space.
+
+Improve the WARN to check for real progress in user space: approximate
+this by storing a 32-bit hash of the current IP into pending_sigtrap,
+and if an event fires while pending_sigtrap still matches the previous
+IP, we assume no progress (false negatives are possible given we could
+return to user space and trigger again on the same IP).
+
+Fixes: ca6c21327c6a ("perf: Fix missing SIGTRAPs")
+Reported-by: syzbot+b8ded3e2e2c6adde4990@syzkaller.appspotmail.com
+Signed-off-by: Marco Elver <elver@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20221031093513.3032814-1-elver@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 072ab26269c0..bec18d81b116 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -9282,14 +9282,27 @@ static int __perf_event_overflow(struct perf_event *event,
+ }
+
+ if (event->attr.sigtrap) {
+- /*
+- * Should not be able to return to user space without processing
+- * pending_sigtrap (kernel events can overflow multiple times).
+- */
+- WARN_ON_ONCE(event->pending_sigtrap && event->attr.exclude_kernel);
++ unsigned int pending_id = 1;
++
++ if (regs)
++ pending_id = hash32_ptr((void *)instruction_pointer(regs)) ?: 1;
+ if (!event->pending_sigtrap) {
+- event->pending_sigtrap = 1;
++ event->pending_sigtrap = pending_id;
+ local_inc(&event->ctx->nr_pending);
++ } else if (event->attr.exclude_kernel) {
++ /*
++ * Should not be able to return to user space without
++ * consuming pending_sigtrap; with exceptions:
++ *
++ * 1. Where !exclude_kernel, events can overflow again
++ * in the kernel without returning to user space.
++ *
++ * 2. Events that can overflow again before the IRQ-
++ * work without user space progress (e.g. hrtimer).
++ * To approximate progress (with false negatives),
++ * check 32-bit hash of the current IP.
++ */
++ WARN_ON_ONCE(event->pending_sigtrap != pending_id);
+ }
+ event->pending_addr = data->addr;
+ irq_work_queue(&event->pending_irq);
+--
+2.35.1
+
--- /dev/null
+From d9d9ea383fd81ec7c6c99102c6253a102c83a146 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 10:10:29 +0530
+Subject: perf/x86/amd: Fix crash due to race between amd_pmu_enable_all, perf
+ NMI and throttling
+
+From: Ravi Bangoria <ravi.bangoria@amd.com>
+
+[ Upstream commit baa014b9543c8e5e94f5d15b66abfe60750b8284 ]
+
+amd_pmu_enable_all() does:
+
+ if (!test_bit(idx, cpuc->active_mask))
+ continue;
+
+ amd_pmu_enable_event(cpuc->events[idx]);
+
+A perf NMI of another event can come between these two steps. Perf NMI
+handler internally disables and enables _all_ events, including the one
+which nmi-intercepted amd_pmu_enable_all() was in process of enabling.
+If that unintentionally enabled event has very low sampling period and
+causes immediate successive NMI, causing the event to be throttled,
+cpuc->events[idx] and cpuc->active_mask gets cleared by x86_pmu_stop().
+This will result in amd_pmu_enable_event() getting called with event=NULL
+when amd_pmu_enable_all() resumes after handling the NMIs. This causes a
+kernel crash:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000198
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ [...]
+ Call Trace:
+ <TASK>
+ amd_pmu_enable_all+0x68/0xb0
+ ctx_resched+0xd9/0x150
+ event_function+0xb8/0x130
+ ? hrtimer_start_range_ns+0x141/0x4a0
+ ? perf_duration_warn+0x30/0x30
+ remote_function+0x4d/0x60
+ __flush_smp_call_function_queue+0xc4/0x500
+ flush_smp_call_function_queue+0x11d/0x1b0
+ do_idle+0x18f/0x2d0
+ cpu_startup_entry+0x19/0x20
+ start_secondary+0x121/0x160
+ secondary_startup_64_no_verify+0xe5/0xeb
+ </TASK>
+
+amd_pmu_disable_all()/amd_pmu_enable_all() calls inside perf NMI handler
+were recently added as part of BRS enablement but I'm not sure whether
+we really need them. We can just disable BRS in the beginning and enable
+it back while returning from NMI. This will solve the issue by not
+enabling those events whose active_masks are set but are not yet enabled
+in hw pmu.
+
+Fixes: ada543459cab ("perf/x86/amd: Add AMD Fam19h Branch Sampling support")
+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Signed-off-by: Ravi Bangoria <ravi.bangoria@amd.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20221114044029.373-1-ravi.bangoria@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/amd/core.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c
+index 9ac3718410ce..7e39c47d7759 100644
+--- a/arch/x86/events/amd/core.c
++++ b/arch/x86/events/amd/core.c
+@@ -896,8 +896,7 @@ static int amd_pmu_handle_irq(struct pt_regs *regs)
+ pmu_enabled = cpuc->enabled;
+ cpuc->enabled = 0;
+
+- /* stop everything (includes BRS) */
+- amd_pmu_disable_all();
++ amd_brs_disable_all();
+
+ /* Drain BRS is in use (could be inactive) */
+ if (cpuc->lbr_users)
+@@ -908,7 +907,7 @@ static int amd_pmu_handle_irq(struct pt_regs *regs)
+
+ cpuc->enabled = pmu_enabled;
+ if (pmu_enabled)
+- amd_pmu_enable_all(0);
++ amd_brs_enable_all();
+
+ return amd_pmu_adjust_nmi_window(handled);
+ }
+--
+2.35.1
+
--- /dev/null
+From 128a0f81a4f301ed6ca352a12bbd4124c4b6061b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 12:30:13 -0400
+Subject: ring-buffer: Include dropped pages in counting dirty patches
+
+From: Steven Rostedt (Google) <rostedt@goodmis.org>
+
+[ Upstream commit 31029a8b2c7e656a0289194ef16415050ae4c4ac ]
+
+The function ring_buffer_nr_dirty_pages() was created to find out how many
+pages are filled in the ring buffer. There's two running counters. One is
+incremented whenever a new page is touched (pages_touched) and the other
+is whenever a page is read (pages_read). The dirty count is the number
+touched minus the number read. This is used to determine if a blocked task
+should be woken up if the percentage of the ring buffer it is waiting for
+is hit.
+
+The problem is that it does not take into account dropped pages (when the
+new writes overwrite pages that were not read). And then the dirty pages
+will always be greater than the percentage.
+
+This makes the "buffer_percent" file inaccurate, as the number of dirty
+pages end up always being larger than the percentage, event when it's not
+and this causes user space to be woken up more than it wants to be.
+
+Add a new counter to keep track of lost pages, and include that in the
+accounting of dirty pages so that it is actually accurate.
+
+Link: https://lkml.kernel.org/r/20221021123013.55fb6055@gandalf.local.home
+
+Fixes: 2c2b0a78b3739 ("ring-buffer: Add percentage of ring buffer full to wake up reader")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/ring_buffer.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
+index c7e17f9f4935..0b93dc17457d 100644
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -519,6 +519,7 @@ struct ring_buffer_per_cpu {
+ local_t committing;
+ local_t commits;
+ local_t pages_touched;
++ local_t pages_lost;
+ local_t pages_read;
+ long last_pages_touch;
+ size_t shortest_full;
+@@ -894,10 +895,18 @@ size_t ring_buffer_nr_pages(struct trace_buffer *buffer, int cpu)
+ size_t ring_buffer_nr_dirty_pages(struct trace_buffer *buffer, int cpu)
+ {
+ size_t read;
++ size_t lost;
+ size_t cnt;
+
+ read = local_read(&buffer->buffers[cpu]->pages_read);
++ lost = local_read(&buffer->buffers[cpu]->pages_lost);
+ cnt = local_read(&buffer->buffers[cpu]->pages_touched);
++
++ if (WARN_ON_ONCE(cnt < lost))
++ return 0;
++
++ cnt -= lost;
++
+ /* The reader can read an empty page, but not more than that */
+ if (cnt < read) {
+ WARN_ON_ONCE(read > cnt + 1);
+@@ -2031,6 +2040,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned long nr_pages)
+ */
+ local_add(page_entries, &cpu_buffer->overrun);
+ local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
++ local_inc(&cpu_buffer->pages_lost);
+ }
+
+ /*
+@@ -2515,6 +2525,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer,
+ */
+ local_add(entries, &cpu_buffer->overrun);
+ local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
++ local_inc(&cpu_buffer->pages_lost);
+
+ /*
+ * The entries will be zeroed out when we move the
+@@ -5265,6 +5276,7 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
+ local_set(&cpu_buffer->committing, 0);
+ local_set(&cpu_buffer->commits, 0);
+ local_set(&cpu_buffer->pages_touched, 0);
++ local_set(&cpu_buffer->pages_lost, 0);
+ local_set(&cpu_buffer->pages_read, 0);
+ cpu_buffer->last_pages_touch = 0;
+ cpu_buffer->shortest_full = 0;
+--
+2.35.1
+
--- /dev/null
+From b5b714e455d4ee595ce24b917f990c3a0d2c265b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 08:44:21 +0000
+Subject: scsi: scsi_debug: Fix possible UAF in sdebug_add_host_helper()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit e208a1d795a08d1ac0398c79ad9c58106531bcc5 ]
+
+If device_register() fails in sdebug_add_host_helper(), it will goto clean
+and sdbg_host will be freed, but sdbg_host->host_list will not be removed
+from sdebug_host_list, then list traversal may cause UAF. Fix it.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Link: https://lore.kernel.org/r/20221117084421.58918-1-yuancan@huawei.com
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_debug.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
+index b8a76b89f85a..95f940f5c996 100644
+--- a/drivers/scsi/scsi_debug.c
++++ b/drivers/scsi/scsi_debug.c
+@@ -7316,8 +7316,12 @@ static int sdebug_add_host_helper(int per_host_idx)
+ dev_set_name(&sdbg_host->dev, "adapter%d", sdebug_num_hosts);
+
+ error = device_register(&sdbg_host->dev);
+- if (error)
++ if (error) {
++ spin_lock(&sdebug_host_list_lock);
++ list_del(&sdbg_host->host_list);
++ spin_unlock(&sdebug_host_list_lock);
+ goto clean;
++ }
+
+ ++sdebug_num_hosts;
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 8b9944c87d5b0750a8c85e0af2d464bf4c23eddf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 09:50:42 +0800
+Subject: scsi: target: tcm_loop: Fix possible name leak in
+ tcm_loop_setup_hba_bus()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit bc68e428d4963af0201e92159629ab96948f0893 ]
+
+If device_register() fails in tcm_loop_setup_hba_bus(), the name allocated
+by dev_set_name() need be freed. As comment of device_register() says, it
+should use put_device() to give up the reference in the error path. So fix
+this by calling put_device(), then the name can be freed in kobject_cleanup().
+The 'tl_hba' will be freed in tcm_loop_release_adapter(), so it don't need
+goto error label in this case.
+
+Fixes: 3703b2c5d041 ("[SCSI] tcm_loop: Add multi-fabric Linux/SCSI LLD fabric module")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221115015042.3652261-1-yangyingliang@huawei.com
+Reviewed-by: Mike Christie <michael.chritie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/loopback/tcm_loop.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/target/loopback/tcm_loop.c b/drivers/target/loopback/tcm_loop.c
+index 4407b56aa6d1..139031ccb700 100644
+--- a/drivers/target/loopback/tcm_loop.c
++++ b/drivers/target/loopback/tcm_loop.c
+@@ -397,6 +397,7 @@ static int tcm_loop_setup_hba_bus(struct tcm_loop_hba *tl_hba, int tcm_loop_host
+ ret = device_register(&tl_hba->dev);
+ if (ret) {
+ pr_err("device_register() failed for tl_hba->dev: %d\n", ret);
++ put_device(&tl_hba->dev);
+ return -ENODEV;
+ }
+
+@@ -1073,7 +1074,7 @@ static struct se_wwn *tcm_loop_make_scsi_hba(
+ */
+ ret = tcm_loop_setup_hba_bus(tl_hba, tcm_loop_hba_no_cnt);
+ if (ret)
+- goto out;
++ return ERR_PTR(ret);
+
+ sh = tl_hba->sh;
+ tcm_loop_hba_no_cnt++;
+--
+2.35.1
+
perf-x86-intel-pt-fix-sampling-using-single-range-output.patch
nvme-restrict-management-ioctls-to-admin.patch
nvme-ensure-subsystem-reset-is-single-threaded.patch
+asoc-sof-topology-no-need-to-assign-core-id-if-token.patch
+perf-improve-missing-sigtrap-checking.patch
+vfio-rename-vfio_ioctl_check_extension.patch
+vfio-split-the-register_device-ops-call-into-functio.patch
+perf-x86-amd-fix-crash-due-to-race-between-amd_pmu_e.patch
+l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch
+ring-buffer-include-dropped-pages-in-counting-dirty-.patch
+tracing-fix-warning-on-variable-struct-trace_array.patch
+net-usb-smsc95xx-fix-external-phy-reset.patch
+net-use-struct_group-to-copy-ip-ipv6-header-addresse.patch
+scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch
+scsi-scsi_debug-fix-possible-uaf-in-sdebug_add_host_.patch
+kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch
+tracing-fix-potential-null-pointer-access-of-entry-i.patch
+arm64-mm-fix-incorrect-file_map_count-for-non-leaf-p.patch
+input-i8042-fix-leaking-of-platform-device-on-module.patch
--- /dev/null
+From b679f6ae7c244262ea01122ef5549c8d6859feeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 18:46:32 +0800
+Subject: tracing: Fix potential null-pointer-access of entry in list
+ 'tr->err_log'
+
+From: Zheng Yejian <zhengyejian1@huawei.com>
+
+[ Upstream commit 067df9e0ad48a97382ab2179bbe773a13a846028 ]
+
+Entries in list 'tr->err_log' will be reused after entry number
+exceed TRACING_LOG_ERRS_MAX.
+
+The cmd string of the to be reused entry will be freed first then
+allocated a new one. If the allocation failed, then the entry will
+still be in list 'tr->err_log' but its 'cmd' field is set to be NULL,
+later access of 'cmd' is risky.
+
+Currently above problem can cause the loss of 'cmd' information of first
+entry in 'tr->err_log'. When execute `cat /sys/kernel/tracing/error_log`,
+reproduce logs like:
+ [ 37.495100] trace_kprobe: error: Maxactive is not for kprobe(null) ^
+ [ 38.412517] trace_kprobe: error: Maxactive is not for kprobe
+ Command: p4:myprobe2 do_sys_openat2
+ ^
+
+Link: https://lore.kernel.org/linux-trace-kernel/20221114104632.3547266-1-zhengyejian1@huawei.com
+
+Fixes: 1581a884b7ca ("tracing: Remove size restriction on tracing_log_err cmd strings")
+Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index 87d2f04152f9..7132e21e90d6 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -7803,6 +7803,7 @@ static struct tracing_log_err *get_tracing_log_err(struct trace_array *tr,
+ int len)
+ {
+ struct tracing_log_err *err;
++ char *cmd;
+
+ if (tr->n_err_log_entries < TRACING_LOG_ERRS_MAX) {
+ err = alloc_tracing_log_err(len);
+@@ -7811,12 +7812,12 @@ static struct tracing_log_err *get_tracing_log_err(struct trace_array *tr,
+
+ return err;
+ }
+-
++ cmd = kzalloc(len, GFP_KERNEL);
++ if (!cmd)
++ return ERR_PTR(-ENOMEM);
+ err = list_first_entry(&tr->err_log, struct tracing_log_err, list);
+ kfree(err->cmd);
+- err->cmd = kzalloc(len, GFP_KERNEL);
+- if (!err->cmd)
+- return ERR_PTR(-ENOMEM);
++ err->cmd = cmd;
+ list_del(&err->list);
+
+ return err;
+--
+2.35.1
+
--- /dev/null
+From ac5cfa5b6327ef2b727476193747490e2856f224 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 21:35:56 +0530
+Subject: tracing: Fix warning on variable 'struct trace_array'
+
+From: Aashish Sharma <shraash@google.com>
+
+[ Upstream commit bedf06833b1f63c2627bd5634602e05592129d7a ]
+
+Move the declaration of 'struct trace_array' out of #ifdef
+CONFIG_TRACING block, to fix the following warning when CONFIG_TRACING
+is not set:
+
+>> include/linux/trace.h:63:45: warning: 'struct trace_array' declared
+inside parameter list will not be visible outside of this definition or
+declaration
+
+Link: https://lkml.kernel.org/r/20221107160556.2139463-1-shraash@google.com
+
+Fixes: 1a77dd1c2bb5 ("scsi: tracing: Fix compile error in trace_array calls when TRACING is disabled")
+Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
+Cc: Arun Easi <aeasi@marvell.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Aashish Sharma <shraash@google.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/trace.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/trace.h b/include/linux/trace.h
+index b5e16e438448..80ffda871749 100644
+--- a/include/linux/trace.h
++++ b/include/linux/trace.h
+@@ -26,13 +26,13 @@ struct trace_export {
+ int flags;
+ };
+
++struct trace_array;
++
+ #ifdef CONFIG_TRACING
+
+ int register_ftrace_export(struct trace_export *export);
+ int unregister_ftrace_export(struct trace_export *export);
+
+-struct trace_array;
+-
+ void trace_printk_init_buffers(void);
+ __printf(3, 4)
+ int trace_array_printk(struct trace_array *tr, unsigned long ip,
+--
+2.35.1
+
--- /dev/null
+From 90308f9e61d67966cf039b10e2c63e5f2aa31d64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 16:20:24 -0300
+Subject: vfio: Rename vfio_ioctl_check_extension()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 1408640d578887d7860737221043d91fc6d5a723 ]
+
+To vfio_container_ioctl_check_extension().
+
+A following patch will turn this into a non-static function, make it clear
+it is related to the container.
+
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/6-v3-297af71838d2+b9-vfio_container_split_jgg@nvidia.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Stable-dep-of: 7fdba0011157 ("vfio: Fix container device registration life cycle")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/vfio_main.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/vfio/vfio_main.c b/drivers/vfio/vfio_main.c
+index 7cb56c382c97..c555d497e9e8 100644
+--- a/drivers/vfio/vfio_main.c
++++ b/drivers/vfio/vfio_main.c
+@@ -710,8 +710,9 @@ EXPORT_SYMBOL_GPL(vfio_unregister_group_dev);
+ /*
+ * VFIO base fd, /dev/vfio/vfio
+ */
+-static long vfio_ioctl_check_extension(struct vfio_container *container,
+- unsigned long arg)
++static long
++vfio_container_ioctl_check_extension(struct vfio_container *container,
++ unsigned long arg)
+ {
+ struct vfio_iommu_driver *driver;
+ long ret = 0;
+@@ -868,7 +869,7 @@ static long vfio_fops_unl_ioctl(struct file *filep,
+ ret = VFIO_API_VERSION;
+ break;
+ case VFIO_CHECK_EXTENSION:
+- ret = vfio_ioctl_check_extension(container, arg);
++ ret = vfio_container_ioctl_check_extension(container, arg);
+ break;
+ case VFIO_SET_IOMMU:
+ ret = vfio_ioctl_set_iommu(container, arg);
+@@ -1763,8 +1764,8 @@ bool vfio_file_enforced_coherent(struct file *file)
+
+ down_read(&group->group_rwsem);
+ if (group->container) {
+- ret = vfio_ioctl_check_extension(group->container,
+- VFIO_DMA_CC_IOMMU);
++ ret = vfio_container_ioctl_check_extension(group->container,
++ VFIO_DMA_CC_IOMMU);
+ } else {
+ /*
+ * Since the coherency state is determined only once a container
+--
+2.35.1
+
--- /dev/null
+From 1c3b4f3d8e581e587322e2fb950294ee21f615a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 16:20:25 -0300
+Subject: vfio: Split the register_device ops call into functions
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 9446162e740aefff95c324ac0887f0b68c739695 ]
+
+This is a container item.
+
+A following patch will move the vfio_container functions to their own .c
+file.
+
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/7-v3-297af71838d2+b9-vfio_container_split_jgg@nvidia.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Stable-dep-of: 7fdba0011157 ("vfio: Fix container device registration life cycle")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/vfio_main.c | 39 +++++++++++++++++++++++----------------
+ 1 file changed, 23 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/vfio/vfio_main.c b/drivers/vfio/vfio_main.c
+index c555d497e9e8..48ceca04d9b8 100644
+--- a/drivers/vfio/vfio_main.c
++++ b/drivers/vfio/vfio_main.c
+@@ -1086,9 +1086,28 @@ static void vfio_device_unassign_container(struct vfio_device *device)
+ up_write(&device->group->group_rwsem);
+ }
+
++static void vfio_device_container_register(struct vfio_device *device)
++{
++ struct vfio_iommu_driver *iommu_driver =
++ device->group->container->iommu_driver;
++
++ if (iommu_driver && iommu_driver->ops->register_device)
++ iommu_driver->ops->register_device(
++ device->group->container->iommu_data, device);
++}
++
++static void vfio_device_container_unregister(struct vfio_device *device)
++{
++ struct vfio_iommu_driver *iommu_driver =
++ device->group->container->iommu_driver;
++
++ if (iommu_driver && iommu_driver->ops->unregister_device)
++ iommu_driver->ops->unregister_device(
++ device->group->container->iommu_data, device);
++}
++
+ static struct file *vfio_device_open(struct vfio_device *device)
+ {
+- struct vfio_iommu_driver *iommu_driver;
+ struct file *filep;
+ int ret;
+
+@@ -1119,12 +1138,7 @@ static struct file *vfio_device_open(struct vfio_device *device)
+ if (ret)
+ goto err_undo_count;
+ }
+-
+- iommu_driver = device->group->container->iommu_driver;
+- if (iommu_driver && iommu_driver->ops->register_device)
+- iommu_driver->ops->register_device(
+- device->group->container->iommu_data, device);
+-
++ vfio_device_container_register(device);
+ up_read(&device->group->group_rwsem);
+ }
+ mutex_unlock(&device->dev_set->lock);
+@@ -1162,10 +1176,7 @@ static struct file *vfio_device_open(struct vfio_device *device)
+ if (device->open_count == 1 && device->ops->close_device) {
+ device->ops->close_device(device);
+
+- iommu_driver = device->group->container->iommu_driver;
+- if (iommu_driver && iommu_driver->ops->unregister_device)
+- iommu_driver->ops->unregister_device(
+- device->group->container->iommu_data, device);
++ vfio_device_container_unregister(device);
+ }
+ err_undo_count:
+ up_read(&device->group->group_rwsem);
+@@ -1361,7 +1372,6 @@ static const struct file_operations vfio_group_fops = {
+ static int vfio_device_fops_release(struct inode *inode, struct file *filep)
+ {
+ struct vfio_device *device = filep->private_data;
+- struct vfio_iommu_driver *iommu_driver;
+
+ mutex_lock(&device->dev_set->lock);
+ vfio_assert_device_open(device);
+@@ -1369,10 +1379,7 @@ static int vfio_device_fops_release(struct inode *inode, struct file *filep)
+ if (device->open_count == 1 && device->ops->close_device)
+ device->ops->close_device(device);
+
+- iommu_driver = device->group->container->iommu_driver;
+- if (iommu_driver && iommu_driver->ops->unregister_device)
+- iommu_driver->ops->unregister_device(
+- device->group->container->iommu_data, device);
++ vfio_device_container_unregister(device);
+ up_read(&device->group->group_rwsem);
+ device->open_count--;
+ if (device->open_count == 0)
+--
+2.35.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
