From: Greg Kroah-Hartman Date: Wed, 4 Jan 2023 14:22:00 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v6.1.4~54 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=961a02d0fad432e00c9d2de3efa2b04287397b7e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: arm-9256-1-nwfpe-avoid-compiler-generated-__aeabi_uldivmod.patch cifs-fix-confusing-debug-message.patch media-dvb-core-fix-double-free-in-dvb_register_device.patch tracing-fix-infinite-loop-in-tracing_read_pipe-on-overflowed-print_trace_line.patch --- diff --git a/queue-4.9/arm-9256-1-nwfpe-avoid-compiler-generated-__aeabi_uldivmod.patch b/queue-4.9/arm-9256-1-nwfpe-avoid-compiler-generated-__aeabi_uldivmod.patch new file mode 100644 index 00000000000..5e9bbc2af1e --- /dev/null +++ b/queue-4.9/arm-9256-1-nwfpe-avoid-compiler-generated-__aeabi_uldivmod.patch @@ -0,0 +1,60 @@ +From 3220022038b9a3845eea762af85f1c5694b9f861 Mon Sep 17 00:00:00 2001 +From: Nick Desaulniers +Date: Tue, 11 Oct 2022 20:00:12 +0100 +Subject: ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod + +From: Nick Desaulniers + +commit 3220022038b9a3845eea762af85f1c5694b9f861 upstream. + +clang-15's ability to elide loops completely became more aggressive when +it can deduce how a variable is being updated in a loop. Counting down +one variable by an increment of another can be replaced by a modulo +operation. + +For 64b variables on 32b ARM EABI targets, this can result in the +compiler generating calls to __aeabi_uldivmod, which it does for a do +while loop in float64_rem(). + +For the kernel, we'd generally prefer that developers not open code 64b +division via binary / operators and instead use the more explicit +helpers from div64.h. On arm-linux-gnuabi targets, failure to do so can +result in linkage failures due to undefined references to +__aeabi_uldivmod(). + +While developers can avoid open coding divisions on 64b variables, the +compiler doesn't know that the Linux kernel has a partial implementation +of a compiler runtime (--rtlib) to enforce this convention. + +It's also undecidable for the compiler whether the code in question +would be faster to execute the loop vs elide it and do the 64b division. + +While I actively avoid using the internal -mllvm command line flags, I +think we get better code than using barrier() here, which will force +reloads+spills in the loop for all toolchains. + +Link: https://github.com/ClangBuiltLinux/linux/issues/1666 + +Reported-by: Nathan Chancellor +Reviewed-by: Arnd Bergmann +Signed-off-by: Nick Desaulniers +Tested-by: Nathan Chancellor +Cc: stable@vger.kernel.org +Signed-off-by: Russell King (Oracle) +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/nwfpe/Makefile | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/arm/nwfpe/Makefile ++++ b/arch/arm/nwfpe/Makefile +@@ -10,3 +10,9 @@ nwfpe-y += fpa11.o fpa11_cpdo.o fpa11 + entry.o + + nwfpe-$(CONFIG_FPE_NWFPE_XP) += extended_cpdo.o ++ ++# Try really hard to avoid generating calls to __aeabi_uldivmod() from ++# float64_rem() due to loop elision. ++ifdef CONFIG_CC_IS_CLANG ++CFLAGS_softfloat.o += -mllvm -replexitval=never ++endif diff --git a/queue-4.9/cifs-fix-confusing-debug-message.patch b/queue-4.9/cifs-fix-confusing-debug-message.patch new file mode 100644 index 00000000000..aaac657d442 --- /dev/null +++ b/queue-4.9/cifs-fix-confusing-debug-message.patch @@ -0,0 +1,54 @@ +From a85ceafd41927e41a4103d228a993df7edd8823b Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Fri, 16 Dec 2022 22:03:41 -0300 +Subject: cifs: fix confusing debug message + +From: Paulo Alcantara + +commit a85ceafd41927e41a4103d228a993df7edd8823b upstream. + +Since rc was initialised to -ENOMEM in cifs_get_smb_ses(), when an +existing smb session was found, free_xid() would be called and then +print + + CIFS: fs/cifs/connect.c: Existing tcp session with server found + CIFS: fs/cifs/connect.c: VFS: in cifs_get_smb_ses as Xid: 44 with uid: 0 + CIFS: fs/cifs/connect.c: Existing smb sess found (status=1) + CIFS: fs/cifs/connect.c: VFS: leaving cifs_get_smb_ses (xid = 44) rc = -12 + +Fix this by initialising rc to 0 and then let free_xid() print this +instead + + CIFS: fs/cifs/connect.c: Existing tcp session with server found + CIFS: fs/cifs/connect.c: VFS: in cifs_get_smb_ses as Xid: 14 with uid: 0 + CIFS: fs/cifs/connect.c: Existing smb sess found (status=1) + CIFS: fs/cifs/connect.c: VFS: leaving cifs_get_smb_ses (xid = 14) rc = 0 + +Signed-off-by: Paulo Alcantara (SUSE) +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/connect.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -2599,7 +2599,7 @@ cifs_set_cifscreds(struct smb_vol *vol _ + static struct cifs_ses * + cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info) + { +- int rc = -ENOMEM; ++ int rc = 0; + unsigned int xid; + struct cifs_ses *ses; + struct sockaddr_in *addr = (struct sockaddr_in *)&server->dstaddr; +@@ -2641,6 +2641,8 @@ cifs_get_smb_ses(struct TCP_Server_Info + return ses; + } + ++ rc = -ENOMEM; ++ + cifs_dbg(FYI, "Existing smb sess not found\n"); + ses = sesInfoAlloc(); + if (ses == NULL) diff --git a/queue-4.9/media-dvb-core-fix-double-free-in-dvb_register_device.patch b/queue-4.9/media-dvb-core-fix-double-free-in-dvb_register_device.patch new file mode 100644 index 00000000000..52f0bae3345 --- /dev/null +++ b/queue-4.9/media-dvb-core-fix-double-free-in-dvb_register_device.patch @@ -0,0 +1,42 @@ +From 6b0d0477fce747d4137aa65856318b55fba72198 Mon Sep 17 00:00:00 2001 +From: Keita Suzuki +Date: Tue, 26 Apr 2022 06:29:19 +0100 +Subject: media: dvb-core: Fix double free in dvb_register_device() + +From: Keita Suzuki + +commit 6b0d0477fce747d4137aa65856318b55fba72198 upstream. + +In function dvb_register_device() -> dvb_register_media_device() -> +dvb_create_media_entity(), dvb->entity is allocated and initialized. If +the initialization fails, it frees the dvb->entity, and return an error +code. The caller takes the error code and handles the error by calling +dvb_media_device_free(), which unregisters the entity and frees the +field again if it is not NULL. As dvb->entity may not NULLed in +dvb_create_media_entity() when the allocation of dvbdev->pad fails, a +double free may occur. This may also cause an Use After free in +media_device_unregister_entity(). + +Fix this by storing NULL to dvb->entity when it is freed. + +Link: https://lore.kernel.org/linux-media/20220426052921.2088416-1-keitasuzuki.park@sslab.ics.keio.ac.jp +Fixes: fcd5ce4b3936 ("media: dvb-core: fix a memory leak bug") +Cc: stable@vger.kernel.org +Cc: Wenwen Wang +Signed-off-by: Keita Suzuki +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-core/dvbdev.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -317,6 +317,7 @@ static int dvb_create_media_entity(struc + GFP_KERNEL); + if (!dvbdev->pads) { + kfree(dvbdev->entity); ++ dvbdev->entity = NULL; + return -ENOMEM; + } + } diff --git a/queue-4.9/series b/queue-4.9/series index dd6bab8f842..165ad1c4c7d 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -231,3 +231,7 @@ dm-thin-use-last-transaction-s-pmd-root-when-commit-failed.patch dm-thin-fix-uaf-in-run_timer_softirq.patch dm-cache-fix-uaf-in-destroy.patch dm-cache-set-needs_check-flag-after-aborting-metadata.patch +tracing-fix-infinite-loop-in-tracing_read_pipe-on-overflowed-print_trace_line.patch +arm-9256-1-nwfpe-avoid-compiler-generated-__aeabi_uldivmod.patch +media-dvb-core-fix-double-free-in-dvb_register_device.patch +cifs-fix-confusing-debug-message.patch diff --git a/queue-4.9/tracing-fix-infinite-loop-in-tracing_read_pipe-on-overflowed-print_trace_line.patch b/queue-4.9/tracing-fix-infinite-loop-in-tracing_read_pipe-on-overflowed-print_trace_line.patch new file mode 100644 index 00000000000..070856b0ff9 --- /dev/null +++ b/queue-4.9/tracing-fix-infinite-loop-in-tracing_read_pipe-on-overflowed-print_trace_line.patch @@ -0,0 +1,48 @@ +From c1ac03af6ed45d05786c219d102f37eb44880f28 Mon Sep 17 00:00:00 2001 +From: Yang Jihong +Date: Tue, 29 Nov 2022 19:30:09 +0800 +Subject: tracing: Fix infinite loop in tracing_read_pipe on overflowed print_trace_line + +From: Yang Jihong + +commit c1ac03af6ed45d05786c219d102f37eb44880f28 upstream. + +print_trace_line may overflow seq_file buffer. If the event is not +consumed, the while loop keeps peeking this event, causing a infinite loop. + +Link: https://lkml.kernel.org/r/20221129113009.182425-1-yangjihong1@huawei.com + +Cc: Masami Hiramatsu +Cc: stable@vger.kernel.org +Fixes: 088b1e427dbba ("ftrace: pipe fixes") +Signed-off-by: Yang Jihong +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -5226,7 +5226,20 @@ waitagain: + + ret = print_trace_line(iter); + if (ret == TRACE_TYPE_PARTIAL_LINE) { +- /* don't print partial lines */ ++ /* ++ * If one print_trace_line() fills entire trace_seq in one shot, ++ * trace_seq_to_user() will returns -EBUSY because save_len == 0, ++ * In this case, we need to consume it, otherwise, loop will peek ++ * this event next time, resulting in an infinite loop. ++ */ ++ if (save_len == 0) { ++ iter->seq.full = 0; ++ trace_seq_puts(&iter->seq, "[LINE TOO BIG]\n"); ++ trace_consume(iter); ++ break; ++ } ++ ++ /* In other cases, don't print partial lines */ + iter->seq.seq.len = save_len; + break; + }