From: Sasha Levin Date: Tue, 22 Nov 2022 15:17:59 +0000 (-0500) Subject: Fixes for 5.15 X-Git-Tag: v4.19.266~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2c3a793c0b7de14a034178b5458a55566ef8512c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/input-i8042-fix-leaking-of-platform-device-on-module.patch b/queue-5.15/input-i8042-fix-leaking-of-platform-device-on-module.patch new file mode 100644 index 00000000000..2e03cd8553c --- /dev/null +++ b/queue-5.15/input-i8042-fix-leaking-of-platform-device-on-module.patch @@ -0,0 +1,54 @@ +From 8583482465c8e95cd4e1780c780f9b2fadb9483c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 15:40:03 -0800 +Subject: Input: i8042 - fix leaking of platform device on module removal + +From: Chen Jun + +[ Upstream commit 81cd7e8489278d28794e7b272950c3e00c344e44 ] + +Avoid resetting the module-wide i8042_platform_device pointer in +i8042_probe() or i8042_remove(), so that the device can be properly +destroyed by i8042_exit() on module unload. + +Fixes: 9222ba68c3f4 ("Input: i8042 - add deferred probe support") +Signed-off-by: Chen Jun +Link: https://lore.kernel.org/r/20221109034148.23821-1-chenjun102@huawei.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/i8042.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c +index 3fc0a89cc785..f132d6dfc25e 100644 +--- a/drivers/input/serio/i8042.c ++++ b/drivers/input/serio/i8042.c +@@ -1543,8 +1543,6 @@ static int i8042_probe(struct platform_device *dev) + { + int error; + +- i8042_platform_device = dev; +- + if (i8042_reset == I8042_RESET_ALWAYS) { + error = i8042_controller_selftest(); + if (error) +@@ -1582,7 +1580,6 @@ static int i8042_probe(struct platform_device *dev) + i8042_free_aux_ports(); /* in case KBD failed but AUX not */ + i8042_free_irqs(); + i8042_controller_reset(false); +- i8042_platform_device = NULL; + + return error; + } +@@ -1592,7 +1589,6 @@ static int i8042_remove(struct platform_device *dev) + i8042_unregister_ports(); + i8042_free_irqs(); + i8042_controller_reset(false); +- i8042_platform_device = NULL; + + return 0; + } +-- +2.35.1 + diff --git a/queue-5.15/kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch b/queue-5.15/kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch new file mode 100644 index 00000000000..369152ce199 --- /dev/null +++ b/queue-5.15/kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch @@ -0,0 +1,75 @@ +From 5d219eee02e184a5553ea9ab9fb054ec16a6dd1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 10:15:34 +0900 +Subject: kprobes: Skip clearing aggrprobe's post_handler in kprobe-on-ftrace + case + +From: Li Huafei + +[ Upstream commit 5dd7caf0bdc5d0bae7cf9776b4d739fb09bd5ebb ] + +In __unregister_kprobe_top(), if the currently unregistered probe has +post_handler but other child probes of the aggrprobe do not have +post_handler, the post_handler of the aggrprobe is cleared. If this is +a ftrace-based probe, there is a problem. In later calls to +disarm_kprobe(), we will use kprobe_ftrace_ops because post_handler is +NULL. But we're armed with kprobe_ipmodify_ops. This triggers a WARN in +__disarm_kprobe_ftrace() and may even cause use-after-free: + + Failed to disarm kprobe-ftrace at kernel_clone+0x0/0x3c0 (error -2) + WARNING: CPU: 5 PID: 137 at kernel/kprobes.c:1135 __disarm_kprobe_ftrace.isra.21+0xcf/0xe0 + Modules linked in: testKprobe_007(-) + CPU: 5 PID: 137 Comm: rmmod Not tainted 6.1.0-rc4-dirty #18 + [...] + Call Trace: + + __disable_kprobe+0xcd/0xe0 + __unregister_kprobe_top+0x12/0x150 + ? mutex_lock+0xe/0x30 + unregister_kprobes.part.23+0x31/0xa0 + unregister_kprobe+0x32/0x40 + __x64_sys_delete_module+0x15e/0x260 + ? do_user_addr_fault+0x2cd/0x6b0 + do_syscall_64+0x3a/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + [...] + +For the kprobe-on-ftrace case, we keep the post_handler setting to +identify this aggrprobe armed with kprobe_ipmodify_ops. This way we +can disarm it correctly. + +Link: https://lore.kernel.org/all/20221112070000.35299-1-lihuafei1@huawei.com/ + +Fixes: 0bc11ed5ab60 ("kprobes: Allow kprobes coexist with livepatch") +Reported-by: Zhao Gongyi +Suggested-by: Masami Hiramatsu (Google) +Signed-off-by: Li Huafei +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/kprobes.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index 55fffb7e6f1c..23af2f8e8563 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -1760,7 +1760,13 @@ static int __unregister_kprobe_top(struct kprobe *p) + if ((list_p != p) && (list_p->post_handler)) + goto noclean; + } +- ap->post_handler = NULL; ++ /* ++ * For the kprobe-on-ftrace case, we keep the ++ * post_handler setting to identify this aggrprobe ++ * armed with kprobe_ipmodify_ops. ++ */ ++ if (!kprobe_ftrace(ap)) ++ ap->post_handler = NULL; + } + noclean: + /* +-- +2.35.1 + diff --git a/queue-5.15/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch b/queue-5.15/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch new file mode 100644 index 00000000000..37c956483bd --- /dev/null +++ b/queue-5.15/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch @@ -0,0 +1,122 @@ +From 66cc0051914a5ae7ce96f56e9cfda4edb8f8fe3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 20:16:19 +0100 +Subject: l2tp: Serialize access to sk_user_data with sk_callback_lock + +From: Jakub Sitnicki + +[ Upstream commit b68777d54fac21fc833ec26ea1a2a84f975ab035 ] + +sk->sk_user_data has multiple users, which are not compatible with each +other. Writers must synchronize by grabbing the sk->sk_callback_lock. + +l2tp currently fails to grab the lock when modifying the underlying tunnel +socket fields. Fix it by adding appropriate locking. + +We err on the side of safety and grab the sk_callback_lock also inside the +sk_destruct callback overridden by l2tp, even though there should be no +refs allowing access to the sock at the time when sk_destruct gets called. + +v4: +- serialize write to sk_user_data in l2tp sk_destruct + +v3: +- switch from sock lock to sk_callback_lock +- document write-protection for sk_user_data + +v2: +- update Fixes to point to origin of the bug +- use real names in Reported/Tested-by tags + +Cc: Tom Parkin +Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") +Reported-by: Haowei Yan +Signed-off-by: Jakub Sitnicki +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 2 +- + net/l2tp/l2tp_core.c | 19 +++++++++++++------ + 2 files changed, 14 insertions(+), 7 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index e1a303e4f0f7..3e9db5146765 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -323,7 +323,7 @@ struct bpf_local_storage; + * @sk_tskey: counter to disambiguate concurrent tstamp requests + * @sk_zckey: counter to order MSG_ZEROCOPY notifications + * @sk_socket: Identd and reporting IO signals +- * @sk_user_data: RPC layer private data ++ * @sk_user_data: RPC layer private data. Write-protected by @sk_callback_lock. + * @sk_frag: cached page frag + * @sk_peek_off: current peek_offset value + * @sk_send_head: front of stuff to transmit +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 93271a2632b8..c77032638a06 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1150,8 +1150,10 @@ static void l2tp_tunnel_destruct(struct sock *sk) + } + + /* Remove hooks into tunnel socket */ ++ write_lock_bh(&sk->sk_callback_lock); + sk->sk_destruct = tunnel->old_sk_destruct; + sk->sk_user_data = NULL; ++ write_unlock_bh(&sk->sk_callback_lock); + + /* Call the original destructor */ + if (sk->sk_destruct) +@@ -1471,16 +1473,18 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + sock = sockfd_lookup(tunnel->fd, &ret); + if (!sock) + goto err; +- +- ret = l2tp_validate_socket(sock->sk, net, tunnel->encap); +- if (ret < 0) +- goto err_sock; + } + ++ sk = sock->sk; ++ write_lock(&sk->sk_callback_lock); ++ ++ ret = l2tp_validate_socket(sk, net, tunnel->encap); ++ if (ret < 0) ++ goto err_sock; ++ + tunnel->l2tp_net = net; + pn = l2tp_pernet(net); + +- sk = sock->sk; + sock_hold(sk); + tunnel->sock = sk; + +@@ -1506,7 +1510,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + + setup_udp_tunnel_sock(net, sock, &udp_cfg); + } else { +- sk->sk_user_data = tunnel; ++ rcu_assign_sk_user_data(sk, tunnel); + } + + tunnel->old_sk_destruct = sk->sk_destruct; +@@ -1520,6 +1524,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + if (tunnel->fd >= 0) + sockfd_put(sock); + ++ write_unlock(&sk->sk_callback_lock); + return 0; + + err_sock: +@@ -1527,6 +1532,8 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + sock_release(sock); + else + sockfd_put(sock); ++ ++ write_unlock(&sk->sk_callback_lock); + err: + return ret; + } +-- +2.35.1 + diff --git a/queue-5.15/net-use-struct_group-to-copy-ip-ipv6-header-addresse.patch b/queue-5.15/net-use-struct_group-to-copy-ip-ipv6-header-addresse.patch new file mode 100644 index 00000000000..dfdc0f4a063 --- /dev/null +++ b/queue-5.15/net-use-struct_group-to-copy-ip-ipv6-header-addresse.patch @@ -0,0 +1,111 @@ +From 34f39f88b5e2a8448e622faf3060acd490bcc680 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 22:24:00 +0800 +Subject: net: use struct_group to copy ip/ipv6 header addresses +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hangbin Liu + +[ Upstream commit 58e0be1ef6118c5352b56a4d06e974c5599993a5 ] + +kernel test robot reported warnings when build bonding module with +make W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash drivers/net/bonding/: + + from ../drivers/net/bonding/bond_main.c:35: +In function ‘fortify_memcpy_chk’, + inlined from ‘iph_to_flow_copy_v4addrs’ at ../include/net/ip.h:566:2, + inlined from ‘bond_flow_ip’ at ../drivers/net/bonding/bond_main.c:3984:3: +../include/linux/fortify-string.h:413:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of f +ield (2nd parameter); maybe use struct_group()? [-Wattribute-warning] + 413 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In function ‘fortify_memcpy_chk’, + inlined from ‘iph_to_flow_copy_v6addrs’ at ../include/net/ipv6.h:900:2, + inlined from ‘bond_flow_ip’ at ../drivers/net/bonding/bond_main.c:3994:3: +../include/linux/fortify-string.h:413:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of f +ield (2nd parameter); maybe use struct_group()? [-Wattribute-warning] + 413 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This is because we try to copy the whole ip/ip6 address to the flow_key, +while we only point the to ip/ip6 saddr. Note that since these are UAPI +headers, __struct_group() is used to avoid the compiler warnings. + +Reported-by: kernel test robot +Fixes: c3f8324188fa ("net: Add full IPv6 addresses to flow_keys") +Signed-off-by: Hangbin Liu +Link: https://lore.kernel.org/r/20221115142400.1204786-1-liuhangbin@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/ip.h | 2 +- + include/net/ipv6.h | 2 +- + include/uapi/linux/ip.h | 6 ++++-- + include/uapi/linux/ipv6.h | 6 ++++-- + 4 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/include/net/ip.h b/include/net/ip.h +index 8462ced0c21e..6ae923c55cf4 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -559,7 +559,7 @@ static inline void iph_to_flow_copy_v4addrs(struct flow_keys *flow, + BUILD_BUG_ON(offsetof(typeof(flow->addrs), v4addrs.dst) != + offsetof(typeof(flow->addrs), v4addrs.src) + + sizeof(flow->addrs.v4addrs.src)); +- memcpy(&flow->addrs.v4addrs, &iph->saddr, sizeof(flow->addrs.v4addrs)); ++ memcpy(&flow->addrs.v4addrs, &iph->addrs, sizeof(flow->addrs.v4addrs)); + flow->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS; + } + +diff --git a/include/net/ipv6.h b/include/net/ipv6.h +index 359540dfc033..a5e18d65c82d 100644 +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -843,7 +843,7 @@ static inline void iph_to_flow_copy_v6addrs(struct flow_keys *flow, + BUILD_BUG_ON(offsetof(typeof(flow->addrs), v6addrs.dst) != + offsetof(typeof(flow->addrs), v6addrs.src) + + sizeof(flow->addrs.v6addrs.src)); +- memcpy(&flow->addrs.v6addrs, &iph->saddr, sizeof(flow->addrs.v6addrs)); ++ memcpy(&flow->addrs.v6addrs, &iph->addrs, sizeof(flow->addrs.v6addrs)); + flow->control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS; + } + +diff --git a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h +index e42d13b55cf3..d2f143393780 100644 +--- a/include/uapi/linux/ip.h ++++ b/include/uapi/linux/ip.h +@@ -100,8 +100,10 @@ struct iphdr { + __u8 ttl; + __u8 protocol; + __sum16 check; +- __be32 saddr; +- __be32 daddr; ++ __struct_group(/* no tag */, addrs, /* no attrs */, ++ __be32 saddr; ++ __be32 daddr; ++ ); + /*The options start here. */ + }; + +diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h +index b243a53fa985..62e5e16ef539 100644 +--- a/include/uapi/linux/ipv6.h ++++ b/include/uapi/linux/ipv6.h +@@ -130,8 +130,10 @@ struct ipv6hdr { + __u8 nexthdr; + __u8 hop_limit; + +- struct in6_addr saddr; +- struct in6_addr daddr; ++ __struct_group(/* no tag */, addrs, /* no attrs */, ++ struct in6_addr saddr; ++ struct in6_addr daddr; ++ ); + }; + + +-- +2.35.1 + diff --git a/queue-5.15/perf-improve-missing-sigtrap-checking.patch b/queue-5.15/perf-improve-missing-sigtrap-checking.patch new file mode 100644 index 00000000000..1d756b59c20 --- /dev/null +++ b/queue-5.15/perf-improve-missing-sigtrap-checking.patch @@ -0,0 +1,102 @@ +From 642f2fb052023b0d51613d682d26ceab3ac1a5f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 10:35:13 +0100 +Subject: perf: Improve missing SIGTRAP checking + +From: Marco Elver + +[ Upstream commit bb88f9695460bec25aa30ba9072595025cf6c8af ] + +To catch missing SIGTRAP we employ a WARN in __perf_event_overflow(), +which fires if pending_sigtrap was already set: returning to user space +without consuming pending_sigtrap, and then having the event fire again +would re-enter the kernel and trigger the WARN. + +This, however, seemed to miss the case where some events not associated +with progress in the user space task can fire and the interrupt handler +runs before the IRQ work meant to consume pending_sigtrap (and generate +the SIGTRAP). + +syzbot gifted us this stack trace: + + | WARNING: CPU: 0 PID: 3607 at kernel/events/core.c:9313 __perf_event_overflow + | Modules linked in: + | CPU: 0 PID: 3607 Comm: syz-executor100 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d #0 + | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 + | RIP: 0010:__perf_event_overflow+0x498/0x540 kernel/events/core.c:9313 + | <...> + | Call Trace: + | + | perf_swevent_hrtimer+0x34f/0x3c0 kernel/events/core.c:10729 + | __run_hrtimer kernel/time/hrtimer.c:1685 [inline] + | __hrtimer_run_queues+0x1c6/0xfb0 kernel/time/hrtimer.c:1749 + | hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811 + | local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1096 [inline] + | __sysvec_apic_timer_interrupt+0x17c/0x640 arch/x86/kernel/apic/apic.c:1113 + | sysvec_apic_timer_interrupt+0x40/0xc0 arch/x86/kernel/apic/apic.c:1107 + | asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649 + | <...> + | + +In this case, syzbot produced a program with event type +PERF_TYPE_SOFTWARE and config PERF_COUNT_SW_CPU_CLOCK. The hrtimer +manages to fire again before the IRQ work got a chance to run, all while +never having returned to user space. + +Improve the WARN to check for real progress in user space: approximate +this by storing a 32-bit hash of the current IP into pending_sigtrap, +and if an event fires while pending_sigtrap still matches the previous +IP, we assume no progress (false negatives are possible given we could +return to user space and trigger again on the same IP). + +Fixes: ca6c21327c6a ("perf: Fix missing SIGTRAPs") +Reported-by: syzbot+b8ded3e2e2c6adde4990@syzkaller.appspotmail.com +Signed-off-by: Marco Elver +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20221031093513.3032814-1-elver@google.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 59654c737168..60cb300fa0d0 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -9323,14 +9323,27 @@ static int __perf_event_overflow(struct perf_event *event, + } + + if (event->attr.sigtrap) { +- /* +- * Should not be able to return to user space without processing +- * pending_sigtrap (kernel events can overflow multiple times). +- */ +- WARN_ON_ONCE(event->pending_sigtrap && event->attr.exclude_kernel); ++ unsigned int pending_id = 1; ++ ++ if (regs) ++ pending_id = hash32_ptr((void *)instruction_pointer(regs)) ?: 1; + if (!event->pending_sigtrap) { +- event->pending_sigtrap = 1; ++ event->pending_sigtrap = pending_id; + local_inc(&event->ctx->nr_pending); ++ } else if (event->attr.exclude_kernel) { ++ /* ++ * Should not be able to return to user space without ++ * consuming pending_sigtrap; with exceptions: ++ * ++ * 1. Where !exclude_kernel, events can overflow again ++ * in the kernel without returning to user space. ++ * ++ * 2. Events that can overflow again before the IRQ- ++ * work without user space progress (e.g. hrtimer). ++ * To approximate progress (with false negatives), ++ * check 32-bit hash of the current IP. ++ */ ++ WARN_ON_ONCE(event->pending_sigtrap != pending_id); + } + event->pending_addr = data->addr; + irq_work_queue(&event->pending_irq); +-- +2.35.1 + diff --git a/queue-5.15/ring-buffer-include-dropped-pages-in-counting-dirty-.patch b/queue-5.15/ring-buffer-include-dropped-pages-in-counting-dirty-.patch new file mode 100644 index 00000000000..de90cca25f4 --- /dev/null +++ b/queue-5.15/ring-buffer-include-dropped-pages-in-counting-dirty-.patch @@ -0,0 +1,95 @@ +From c1aaa4422d76f8db97f699d89c63dde8ea5bf700 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Oct 2022 12:30:13 -0400 +Subject: ring-buffer: Include dropped pages in counting dirty patches + +From: Steven Rostedt (Google) + +[ Upstream commit 31029a8b2c7e656a0289194ef16415050ae4c4ac ] + +The function ring_buffer_nr_dirty_pages() was created to find out how many +pages are filled in the ring buffer. There's two running counters. One is +incremented whenever a new page is touched (pages_touched) and the other +is whenever a page is read (pages_read). The dirty count is the number +touched minus the number read. This is used to determine if a blocked task +should be woken up if the percentage of the ring buffer it is waiting for +is hit. + +The problem is that it does not take into account dropped pages (when the +new writes overwrite pages that were not read). And then the dirty pages +will always be greater than the percentage. + +This makes the "buffer_percent" file inaccurate, as the number of dirty +pages end up always being larger than the percentage, event when it's not +and this causes user space to be woken up more than it wants to be. + +Add a new counter to keep track of lost pages, and include that in the +accounting of dirty pages so that it is actually accurate. + +Link: https://lkml.kernel.org/r/20221021123013.55fb6055@gandalf.local.home + +Fixes: 2c2b0a78b3739 ("ring-buffer: Add percentage of ring buffer full to wake up reader") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/ring_buffer.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 5346405fc4b9..ffc8696e6746 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -510,6 +510,7 @@ struct ring_buffer_per_cpu { + local_t committing; + local_t commits; + local_t pages_touched; ++ local_t pages_lost; + local_t pages_read; + long last_pages_touch; + size_t shortest_full; +@@ -858,10 +859,18 @@ size_t ring_buffer_nr_pages(struct trace_buffer *buffer, int cpu) + size_t ring_buffer_nr_dirty_pages(struct trace_buffer *buffer, int cpu) + { + size_t read; ++ size_t lost; + size_t cnt; + + read = local_read(&buffer->buffers[cpu]->pages_read); ++ lost = local_read(&buffer->buffers[cpu]->pages_lost); + cnt = local_read(&buffer->buffers[cpu]->pages_touched); ++ ++ if (WARN_ON_ONCE(cnt < lost)) ++ return 0; ++ ++ cnt -= lost; ++ + /* The reader can read an empty page, but not more than that */ + if (cnt < read) { + WARN_ON_ONCE(read > cnt + 1); +@@ -1995,6 +2004,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned long nr_pages) + */ + local_add(page_entries, &cpu_buffer->overrun); + local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes); ++ local_inc(&cpu_buffer->pages_lost); + } + + /* +@@ -2479,6 +2489,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer, + */ + local_add(entries, &cpu_buffer->overrun); + local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes); ++ local_inc(&cpu_buffer->pages_lost); + + /* + * The entries will be zeroed out when we move the +@@ -5223,6 +5234,7 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) + local_set(&cpu_buffer->committing, 0); + local_set(&cpu_buffer->commits, 0); + local_set(&cpu_buffer->pages_touched, 0); ++ local_set(&cpu_buffer->pages_lost, 0); + local_set(&cpu_buffer->pages_read, 0); + cpu_buffer->last_pages_touch = 0; + cpu_buffer->shortest_full = 0; +-- +2.35.1 + diff --git a/queue-5.15/scsi-scsi_debug-fix-possible-uaf-in-sdebug_add_host_.patch b/queue-5.15/scsi-scsi_debug-fix-possible-uaf-in-sdebug_add_host_.patch new file mode 100644 index 00000000000..586df4eab97 --- /dev/null +++ b/queue-5.15/scsi-scsi_debug-fix-possible-uaf-in-sdebug_add_host_.patch @@ -0,0 +1,44 @@ +From 9471d628c033bfb072cf97b96f70a391dad92927 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 08:44:21 +0000 +Subject: scsi: scsi_debug: Fix possible UAF in sdebug_add_host_helper() + +From: Yuan Can + +[ Upstream commit e208a1d795a08d1ac0398c79ad9c58106531bcc5 ] + +If device_register() fails in sdebug_add_host_helper(), it will goto clean +and sdbg_host will be freed, but sdbg_host->host_list will not be removed +from sdebug_host_list, then list traversal may cause UAF. Fix it. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yuan Can +Link: https://lore.kernel.org/r/20221117084421.58918-1-yuancan@huawei.com +Acked-by: Douglas Gilbert +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_debug.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c +index 747e1cbb7ec9..2b5e249f5d5b 100644 +--- a/drivers/scsi/scsi_debug.c ++++ b/drivers/scsi/scsi_debug.c +@@ -7132,8 +7132,12 @@ static int sdebug_add_host_helper(int per_host_idx) + dev_set_name(&sdbg_host->dev, "adapter%d", sdebug_num_hosts); + + error = device_register(&sdbg_host->dev); +- if (error) ++ if (error) { ++ spin_lock(&sdebug_host_list_lock); ++ list_del(&sdbg_host->host_list); ++ spin_unlock(&sdebug_host_list_lock); + goto clean; ++ } + + ++sdebug_num_hosts; + return 0; +-- +2.35.1 + diff --git a/queue-5.15/scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch b/queue-5.15/scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch new file mode 100644 index 00000000000..f3c066d4d38 --- /dev/null +++ b/queue-5.15/scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch @@ -0,0 +1,51 @@ +From 8b804f56a3a65c22059b4fa2f339188d52e107c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 09:50:42 +0800 +Subject: scsi: target: tcm_loop: Fix possible name leak in + tcm_loop_setup_hba_bus() + +From: Yang Yingliang + +[ Upstream commit bc68e428d4963af0201e92159629ab96948f0893 ] + +If device_register() fails in tcm_loop_setup_hba_bus(), the name allocated +by dev_set_name() need be freed. As comment of device_register() says, it +should use put_device() to give up the reference in the error path. So fix +this by calling put_device(), then the name can be freed in kobject_cleanup(). +The 'tl_hba' will be freed in tcm_loop_release_adapter(), so it don't need +goto error label in this case. + +Fixes: 3703b2c5d041 ("[SCSI] tcm_loop: Add multi-fabric Linux/SCSI LLD fabric module") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221115015042.3652261-1-yangyingliang@huawei.com +Reviewed-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/loopback/tcm_loop.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/loopback/tcm_loop.c b/drivers/target/loopback/tcm_loop.c +index 52db28d868d5..600a4d1ee45f 100644 +--- a/drivers/target/loopback/tcm_loop.c ++++ b/drivers/target/loopback/tcm_loop.c +@@ -397,6 +397,7 @@ static int tcm_loop_setup_hba_bus(struct tcm_loop_hba *tl_hba, int tcm_loop_host + ret = device_register(&tl_hba->dev); + if (ret) { + pr_err("device_register() failed for tl_hba->dev: %d\n", ret); ++ put_device(&tl_hba->dev); + return -ENODEV; + } + +@@ -1073,7 +1074,7 @@ static struct se_wwn *tcm_loop_make_scsi_hba( + */ + ret = tcm_loop_setup_hba_bus(tl_hba, tcm_loop_hba_no_cnt); + if (ret) +- goto out; ++ return ERR_PTR(ret); + + sh = tl_hba->sh; + tcm_loop_hba_no_cnt++; +-- +2.35.1 + diff --git a/queue-5.15/series b/queue-5.15/series index 3d38e097009..e38e52b982e 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -157,3 +157,12 @@ perf-x86-intel-pt-fix-sampling-using-single-range-output.patch nvme-restrict-management-ioctls-to-admin.patch nvme-ensure-subsystem-reset-is-single-threaded.patch serial-8250_lpss-use-16b-dma-burst-with-elkhart-lake.patch +perf-improve-missing-sigtrap-checking.patch +l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch +ring-buffer-include-dropped-pages-in-counting-dirty-.patch +tracing-fix-warning-on-variable-struct-trace_array.patch +net-use-struct_group-to-copy-ip-ipv6-header-addresse.patch +scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch +scsi-scsi_debug-fix-possible-uaf-in-sdebug_add_host_.patch +kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch +input-i8042-fix-leaking-of-platform-device-on-module.patch diff --git a/queue-5.15/tracing-fix-warning-on-variable-struct-trace_array.patch b/queue-5.15/tracing-fix-warning-on-variable-struct-trace_array.patch new file mode 100644 index 00000000000..50d63a5d319 --- /dev/null +++ b/queue-5.15/tracing-fix-warning-on-variable-struct-trace_array.patch @@ -0,0 +1,54 @@ +From ef6b60196262189aec7b237ebc3cb9aef6180d8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 21:35:56 +0530 +Subject: tracing: Fix warning on variable 'struct trace_array' + +From: Aashish Sharma + +[ Upstream commit bedf06833b1f63c2627bd5634602e05592129d7a ] + +Move the declaration of 'struct trace_array' out of #ifdef +CONFIG_TRACING block, to fix the following warning when CONFIG_TRACING +is not set: + +>> include/linux/trace.h:63:45: warning: 'struct trace_array' declared +inside parameter list will not be visible outside of this definition or +declaration + +Link: https://lkml.kernel.org/r/20221107160556.2139463-1-shraash@google.com + +Fixes: 1a77dd1c2bb5 ("scsi: tracing: Fix compile error in trace_array calls when TRACING is disabled") +Cc: "Martin K. Petersen" +Cc: Arun Easi +Acked-by: Masami Hiramatsu (Google) +Reviewed-by: Guenter Roeck +Signed-off-by: Aashish Sharma +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + include/linux/trace.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/trace.h b/include/linux/trace.h +index b5e16e438448..80ffda871749 100644 +--- a/include/linux/trace.h ++++ b/include/linux/trace.h +@@ -26,13 +26,13 @@ struct trace_export { + int flags; + }; + ++struct trace_array; ++ + #ifdef CONFIG_TRACING + + int register_ftrace_export(struct trace_export *export); + int unregister_ftrace_export(struct trace_export *export); + +-struct trace_array; +- + void trace_printk_init_buffers(void); + __printf(3, 4) + int trace_array_printk(struct trace_array *tr, unsigned long ip, +-- +2.35.1 +