From 07a3d187e150c47b55a8cd3b385a07aa69f65c4d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 8 Jul 2022 13:09:48 +0200 Subject: [PATCH] 5.10-stable patches added patches: alsa-hda-realtek-add-quirk-for-clevo-l140pu.patch can-bcm-use-call_rcu-instead-of-costly-synchronize_rcu.patch can-grcan-grcan_probe-remove-extra-of_node_get.patch can-gs_usb-gs_usb_open-close-fix-memory-leak.patch mm-slub-add-missing-tid-updates-on-slab-deactivation.patch --- ...a-realtek-add-quirk-for-clevo-l140pu.patch | 30 +++++ ...cu-instead-of-costly-synchronize_rcu.patch | 97 ++++++++++++++ ...grcan_probe-remove-extra-of_node_get.patch | 33 +++++ ...sb-gs_usb_open-close-fix-memory-leak.patch | 113 ++++++++++++++++ ...ing-tid-updates-on-slab-deactivation.patch | 122 ++++++++++++++++++ queue-5.10/series | 5 + 6 files changed, 400 insertions(+) create mode 100644 queue-5.10/alsa-hda-realtek-add-quirk-for-clevo-l140pu.patch create mode 100644 queue-5.10/can-bcm-use-call_rcu-instead-of-costly-synchronize_rcu.patch create mode 100644 queue-5.10/can-grcan-grcan_probe-remove-extra-of_node_get.patch create mode 100644 queue-5.10/can-gs_usb-gs_usb_open-close-fix-memory-leak.patch create mode 100644 queue-5.10/mm-slub-add-missing-tid-updates-on-slab-deactivation.patch create mode 100644 queue-5.10/series diff --git a/queue-5.10/alsa-hda-realtek-add-quirk-for-clevo-l140pu.patch b/queue-5.10/alsa-hda-realtek-add-quirk-for-clevo-l140pu.patch new file mode 100644 index 00000000000..15baf2bbd0a --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-add-quirk-for-clevo-l140pu.patch @@ -0,0 +1,30 @@ +From 11bea26929a1a3a9dd1a287b60c2f471701bf706 Mon Sep 17 00:00:00 2001 +From: Tim Crawford +Date: Fri, 24 Jun 2022 08:41:09 -0600 +Subject: ALSA: hda/realtek: Add quirk for Clevo L140PU + +From: Tim Crawford + +commit 11bea26929a1a3a9dd1a287b60c2f471701bf706 upstream. + +Fixes headset detection on Clevo L140PU. + +Signed-off-by: Tim Crawford +Cc: +Link: https://lore.kernel.org/r/20220624144109.3957-1-tcrawford@system76.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8934,6 +8934,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1558, 0x70f4, "Clevo NH77EPY", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x70f6, "Clevo NH77DPQ-Y", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x7716, "Clevo NS50PU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x7718, "Clevo L140PU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x8228, "Clevo NR40BU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x8520, "Clevo NH50D[CD]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x8521, "Clevo NH77D[CD]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), diff --git a/queue-5.10/can-bcm-use-call_rcu-instead-of-costly-synchronize_rcu.patch b/queue-5.10/can-bcm-use-call_rcu-instead-of-costly-synchronize_rcu.patch new file mode 100644 index 00000000000..2817cfd91d9 --- /dev/null +++ b/queue-5.10/can-bcm-use-call_rcu-instead-of-costly-synchronize_rcu.patch @@ -0,0 +1,97 @@ +From f1b4e32aca0811aa011c76e5d6cf2fa19224b386 Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Fri, 20 May 2022 20:32:39 +0200 +Subject: can: bcm: use call_rcu() instead of costly synchronize_rcu() + +From: Oliver Hartkopp + +commit f1b4e32aca0811aa011c76e5d6cf2fa19224b386 upstream. + +In commit d5f9023fa61e ("can: bcm: delay release of struct bcm_op +after synchronize_rcu()") Thadeu Lima de Souza Cascardo introduced two +synchronize_rcu() calls in bcm_release() (only once at socket close) +and in bcm_delete_rx_op() (called on removal of each single bcm_op). + +Unfortunately this slow removal of the bcm_op's affects user space +applications like cansniffer where the modification of a filter +removes 2048 bcm_op's which blocks the cansniffer application for +40(!) seconds. + +In commit 181d4447905d ("can: gw: use call_rcu() instead of costly +synchronize_rcu()") Eric Dumazet replaced the synchronize_rcu() calls +with several call_rcu()'s to safely remove the data structures after +the removal of CAN ID subscriptions with can_rx_unregister() calls. + +This patch adopts Erics approach for the can-bcm which should be +applicable since the removal of tasklet_kill() in bcm_remove_op() and +the introduction of the HRTIMER_MODE_SOFT timer handling in Linux 5.4. + +Fixes: d5f9023fa61e ("can: bcm: delay release of struct bcm_op after synchronize_rcu()") # >= 5.4 +Link: https://lore.kernel.org/all/20220520183239.19111-1-socketcan@hartkopp.net +Cc: stable@vger.kernel.org +Cc: Eric Dumazet +Cc: Norbert Slusarek +Cc: Thadeu Lima de Souza Cascardo +Signed-off-by: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/bcm.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -100,6 +100,7 @@ static inline u64 get_u64(const struct c + + struct bcm_op { + struct list_head list; ++ struct rcu_head rcu; + int ifindex; + canid_t can_id; + u32 flags; +@@ -718,10 +719,9 @@ static struct bcm_op *bcm_find_op(struct + return NULL; + } + +-static void bcm_remove_op(struct bcm_op *op) ++static void bcm_free_op_rcu(struct rcu_head *rcu_head) + { +- hrtimer_cancel(&op->timer); +- hrtimer_cancel(&op->thrtimer); ++ struct bcm_op *op = container_of(rcu_head, struct bcm_op, rcu); + + if ((op->frames) && (op->frames != &op->sframe)) + kfree(op->frames); +@@ -732,6 +732,14 @@ static void bcm_remove_op(struct bcm_op + kfree(op); + } + ++static void bcm_remove_op(struct bcm_op *op) ++{ ++ hrtimer_cancel(&op->timer); ++ hrtimer_cancel(&op->thrtimer); ++ ++ call_rcu(&op->rcu, bcm_free_op_rcu); ++} ++ + static void bcm_rx_unreg(struct net_device *dev, struct bcm_op *op) + { + if (op->rx_reg_dev == dev) { +@@ -757,6 +765,9 @@ static int bcm_delete_rx_op(struct list_ + if ((op->can_id == mh->can_id) && (op->ifindex == ifindex) && + (op->flags & CAN_FD_FRAME) == (mh->flags & CAN_FD_FRAME)) { + ++ /* disable automatic timer on frame reception */ ++ op->flags |= RX_NO_AUTOTIMER; ++ + /* + * Don't care if we're bound or not (due to netdev + * problems) can_rx_unregister() is always a save +@@ -785,7 +796,6 @@ static int bcm_delete_rx_op(struct list_ + bcm_rx_handler, op); + + list_del(&op->list); +- synchronize_rcu(); + bcm_remove_op(op); + return 1; /* done */ + } diff --git a/queue-5.10/can-grcan-grcan_probe-remove-extra-of_node_get.patch b/queue-5.10/can-grcan-grcan_probe-remove-extra-of_node_get.patch new file mode 100644 index 00000000000..a278bbcf0c3 --- /dev/null +++ b/queue-5.10/can-grcan-grcan_probe-remove-extra-of_node_get.patch @@ -0,0 +1,33 @@ +From 562fed945ea482833667f85496eeda766d511386 Mon Sep 17 00:00:00 2001 +From: Liang He +Date: Sun, 19 Jun 2022 15:02:57 +0800 +Subject: can: grcan: grcan_probe(): remove extra of_node_get() + +From: Liang He + +commit 562fed945ea482833667f85496eeda766d511386 upstream. + +In grcan_probe(), of_find_node_by_path() has already increased the +refcount. There is no need to call of_node_get() again, so remove it. + +Link: https://lore.kernel.org/all/20220619070257.4067022-1-windhl@126.com +Fixes: 1e93ed26acf0 ("can: grcan: grcan_probe(): fix broken system id check for errata workaround needs") +Cc: stable@vger.kernel.org # v5.18 +Cc: Andreas Larsson +Signed-off-by: Liang He +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/grcan.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/can/grcan.c ++++ b/drivers/net/can/grcan.c +@@ -1659,7 +1659,6 @@ static int grcan_probe(struct platform_d + */ + sysid_parent = of_find_node_by_path("/ambapp0"); + if (sysid_parent) { +- of_node_get(sysid_parent); + err = of_property_read_u32(sysid_parent, "systemid", &sysid); + if (!err && ((sysid & GRLIB_VERSION_MASK) >= + GRCAN_TXBUG_SAFE_GRLIB_VERSION)) diff --git a/queue-5.10/can-gs_usb-gs_usb_open-close-fix-memory-leak.patch b/queue-5.10/can-gs_usb-gs_usb_open-close-fix-memory-leak.patch new file mode 100644 index 00000000000..809d828bc43 --- /dev/null +++ b/queue-5.10/can-gs_usb-gs_usb_open-close-fix-memory-leak.patch @@ -0,0 +1,113 @@ +From 2bda24ef95c0311ab93bda00db40486acf30bd0a Mon Sep 17 00:00:00 2001 +From: Rhett Aultman +Date: Sun, 3 Jul 2022 19:33:06 +0200 +Subject: can: gs_usb: gs_usb_open/close(): fix memory leak + +From: Rhett Aultman + +commit 2bda24ef95c0311ab93bda00db40486acf30bd0a upstream. + +The gs_usb driver appears to suffer from a malady common to many USB +CAN adapter drivers in that it performs usb_alloc_coherent() to +allocate a number of USB request blocks (URBs) for RX, and then later +relies on usb_kill_anchored_urbs() to free them, but this doesn't +actually free them. As a result, this may be leaking DMA memory that's +been used by the driver. + +This commit is an adaptation of the techniques found in the esd_usb2 +driver where a similar design pattern led to a memory leak. It +explicitly frees the RX URBs and their DMA memory via a call to +usb_free_coherent(). Since the RX URBs were allocated in the +gs_can_open(), we remove them in gs_can_close() rather than in the +disconnect function as was done in esd_usb2. + +For more information, see the 928150fad41b ("can: esd_usb2: fix memory +leak"). + +Link: https://lore.kernel.org/all/alpine.DEB.2.22.394.2206031547001.1630869@thelappy +Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") +Cc: stable@vger.kernel.org +Signed-off-by: Rhett Aultman +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/gs_usb.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -184,6 +184,8 @@ struct gs_can { + + struct usb_anchor tx_submitted; + atomic_t active_tx_urbs; ++ void *rxbuf[GS_MAX_RX_URBS]; ++ dma_addr_t rxbuf_dma[GS_MAX_RX_URBS]; + }; + + /* usb interface struct */ +@@ -592,6 +594,7 @@ static int gs_can_open(struct net_device + for (i = 0; i < GS_MAX_RX_URBS; i++) { + struct urb *urb; + u8 *buf; ++ dma_addr_t buf_dma; + + /* alloc rx urb */ + urb = usb_alloc_urb(0, GFP_KERNEL); +@@ -602,7 +605,7 @@ static int gs_can_open(struct net_device + buf = usb_alloc_coherent(dev->udev, + sizeof(struct gs_host_frame), + GFP_KERNEL, +- &urb->transfer_dma); ++ &buf_dma); + if (!buf) { + netdev_err(netdev, + "No memory left for USB buffer\n"); +@@ -610,6 +613,8 @@ static int gs_can_open(struct net_device + return -ENOMEM; + } + ++ urb->transfer_dma = buf_dma; ++ + /* fill, anchor, and submit rx urb */ + usb_fill_bulk_urb(urb, + dev->udev, +@@ -633,10 +638,17 @@ static int gs_can_open(struct net_device + rc); + + usb_unanchor_urb(urb); ++ usb_free_coherent(dev->udev, ++ sizeof(struct gs_host_frame), ++ buf, ++ buf_dma); + usb_free_urb(urb); + break; + } + ++ dev->rxbuf[i] = buf; ++ dev->rxbuf_dma[i] = buf_dma; ++ + /* Drop reference, + * USB core will take care of freeing it + */ +@@ -701,13 +713,20 @@ static int gs_can_close(struct net_devic + int rc; + struct gs_can *dev = netdev_priv(netdev); + struct gs_usb *parent = dev->parent; ++ unsigned int i; + + netif_stop_queue(netdev); + + /* Stop polling */ + parent->active_channels--; +- if (!parent->active_channels) ++ if (!parent->active_channels) { + usb_kill_anchored_urbs(&parent->rx_submitted); ++ for (i = 0; i < GS_MAX_RX_URBS; i++) ++ usb_free_coherent(dev->udev, ++ sizeof(struct gs_host_frame), ++ dev->rxbuf[i], ++ dev->rxbuf_dma[i]); ++ } + + /* Stop sending URBs */ + usb_kill_anchored_urbs(&dev->tx_submitted); diff --git a/queue-5.10/mm-slub-add-missing-tid-updates-on-slab-deactivation.patch b/queue-5.10/mm-slub-add-missing-tid-updates-on-slab-deactivation.patch new file mode 100644 index 00000000000..3d8d1dee62f --- /dev/null +++ b/queue-5.10/mm-slub-add-missing-tid-updates-on-slab-deactivation.patch @@ -0,0 +1,122 @@ +From eeaa345e128515135ccb864c04482180c08e3259 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 8 Jun 2022 20:22:05 +0200 +Subject: mm/slub: add missing TID updates on slab deactivation + +From: Jann Horn + +commit eeaa345e128515135ccb864c04482180c08e3259 upstream. + +The fastpath in slab_alloc_node() assumes that c->slab is stable as long as +the TID stays the same. However, two places in __slab_alloc() currently +don't update the TID when deactivating the CPU slab. + +If multiple operations race the right way, this could lead to an object +getting lost; or, in an even more unlikely situation, it could even lead to +an object being freed onto the wrong slab's freelist, messing up the +`inuse` counter and eventually causing a page to be freed to the page +allocator while it still contains slab objects. + +(I haven't actually tested these cases though, this is just based on +looking at the code. Writing testcases for this stuff seems like it'd be +a pain...) + +The race leading to state inconsistency is (all operations on the same CPU +and kmem_cache): + + - task A: begin do_slab_free(): + - read TID + - read pcpu freelist (==NULL) + - check `slab == c->slab` (true) + - [PREEMPT A->B] + - task B: begin slab_alloc_node(): + - fastpath fails (`c->freelist` is NULL) + - enter __slab_alloc() + - slub_get_cpu_ptr() (disables preemption) + - enter ___slab_alloc() + - take local_lock_irqsave() + - read c->freelist as NULL + - get_freelist() returns NULL + - write `c->slab = NULL` + - drop local_unlock_irqrestore() + - goto new_slab + - slub_percpu_partial() is NULL + - get_partial() returns NULL + - slub_put_cpu_ptr() (enables preemption) + - [PREEMPT B->A] + - task A: finish do_slab_free(): + - this_cpu_cmpxchg_double() succeeds() + - [CORRUPT STATE: c->slab==NULL, c->freelist!=NULL] + +From there, the object on c->freelist will get lost if task B is allowed to +continue from here: It will proceed to the retry_load_slab label, +set c->slab, then jump to load_freelist, which clobbers c->freelist. + +But if we instead continue as follows, we get worse corruption: + + - task A: run __slab_free() on object from other struct slab: + - CPU_PARTIAL_FREE case (slab was on no list, is now on pcpu partial) + - task A: run slab_alloc_node() with NUMA node constraint: + - fastpath fails (c->slab is NULL) + - call __slab_alloc() + - slub_get_cpu_ptr() (disables preemption) + - enter ___slab_alloc() + - c->slab is NULL: goto new_slab + - slub_percpu_partial() is non-NULL + - set c->slab to slub_percpu_partial(c) + - [CORRUPT STATE: c->slab points to slab-1, c->freelist has objects + from slab-2] + - goto redo + - node_match() fails + - goto deactivate_slab + - existing c->freelist is passed into deactivate_slab() + - inuse count of slab-1 is decremented to account for object from + slab-2 + +At this point, the inuse count of slab-1 is 1 lower than it should be. +This means that if we free all allocated objects in slab-1 except for one, +SLUB will think that slab-1 is completely unused, and may free its page, +leading to use-after-free. + +Fixes: c17dda40a6a4e ("slub: Separate out kmem_cache_cpu processing from deactivate_slab") +Fixes: 03e404af26dc2 ("slub: fast release on full slab") +Cc: stable@vger.kernel.org +Signed-off-by: Jann Horn +Acked-by: Christoph Lameter +Acked-by: David Rientjes +Reviewed-by: Muchun Song +Tested-by: Hyeonggon Yoo <42.hyeyoo@gmail.com> +Signed-off-by: Vlastimil Babka +Link: https://lore.kernel.org/r/20220608182205.2945720-1-jannh@google.com +Signed-off-by: Greg Kroah-Hartman +--- + mm/slub.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -2297,6 +2297,7 @@ redo: + + c->page = NULL; + c->freelist = NULL; ++ c->tid = next_tid(c->tid); + } + + /* +@@ -2430,8 +2431,6 @@ static inline void flush_slab(struct kme + { + stat(s, CPUSLAB_FLUSH); + deactivate_slab(s, c->page, c->freelist, c); +- +- c->tid = next_tid(c->tid); + } + + /* +@@ -2717,6 +2716,7 @@ redo: + + if (!freelist) { + c->page = NULL; ++ c->tid = next_tid(c->tid); + stat(s, DEACTIVATE_BYPASS); + goto new_slab; + } diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 00000000000..bd235bcb755 --- /dev/null +++ b/queue-5.10/series @@ -0,0 +1,5 @@ +mm-slub-add-missing-tid-updates-on-slab-deactivation.patch +alsa-hda-realtek-add-quirk-for-clevo-l140pu.patch +can-bcm-use-call_rcu-instead-of-costly-synchronize_rcu.patch +can-grcan-grcan_probe-remove-extra-of_node_get.patch +can-gs_usb-gs_usb_open-close-fix-memory-leak.patch -- 2.47.3