From 5170cac9aa937818dc242aeaea31da148b98d49a Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 9 Sep 2022 20:39:21 +0200 Subject: [PATCH] 5.15-stable patches added patches: alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch alsa-usb-audio-split-endpoint-setups-for-hw_params-and-prepare.patch btrfs-zoned-set-pseudo-max-append-zone-limit-in-zone-emulation-mode.patch kprobes-prohibit-probes-in-gate-area.patch tracing-fix-to-check-event_mutex-is-held-while-accessing-trigger-list.patch vfio-type1-unpin-zero-pages.patch --- ...apture-data-when-using-jiffies-timer.patch | 49 +++++ ...ess-in-snd_emu10k1_pcm_channel_alloc.patch | 66 ++++++ ...-pcm-oss-fix-race-at-sndctl_dsp_sync.patch | 51 +++++ ...g-in-__snd_usb_parse_audio_interface.patch | 34 +++ ...int-setups-for-hw_params-and-prepare.patch | 193 ++++++++++++++++++ ...nd-zone-limit-in-zone-emulation-mode.patch | 58 ++++++ ...kprobes-prohibit-probes-in-gate-area.patch | 117 +++++++++++ queue-5.15/series | 9 + ...is-held-while-accessing-trigger-list.patch | 51 +++++ queue-5.15/vfio-type1-unpin-zero-pages.patch | 53 +++++ 10 files changed, 681 insertions(+) create mode 100644 queue-5.15/alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch create mode 100644 queue-5.15/alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch create mode 100644 queue-5.15/alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch create mode 100644 queue-5.15/alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch create mode 100644 queue-5.15/alsa-usb-audio-split-endpoint-setups-for-hw_params-and-prepare.patch create mode 100644 queue-5.15/btrfs-zoned-set-pseudo-max-append-zone-limit-in-zone-emulation-mode.patch create mode 100644 queue-5.15/kprobes-prohibit-probes-in-gate-area.patch create mode 100644 queue-5.15/tracing-fix-to-check-event_mutex-is-held-while-accessing-trigger-list.patch create mode 100644 queue-5.15/vfio-type1-unpin-zero-pages.patch diff --git a/queue-5.15/alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch b/queue-5.15/alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch new file mode 100644 index 00000000000..1dfcaa24398 --- /dev/null +++ b/queue-5.15/alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch @@ -0,0 +1,49 @@ +From 3e48940abee88b8dbbeeaf8a07e7b2b6be1271b3 Mon Sep 17 00:00:00 2001 +From: Pattara Teerapong +Date: Thu, 1 Sep 2022 14:40:36 +0000 +Subject: ALSA: aloop: Fix random zeros in capture data when using jiffies timer + +From: Pattara Teerapong + +commit 3e48940abee88b8dbbeeaf8a07e7b2b6be1271b3 upstream. + +In loopback_jiffies_timer_pos_update(), we are getting jiffies twice. +First time for playback, second time for capture. Jiffies can be updated +between these two calls and if the capture jiffies is larger, extra zeros +will be filled in the capture buffer. + +Change to get jiffies once and use it for both playback and capture. + +Signed-off-by: Pattara Teerapong +Cc: +Link: https://lore.kernel.org/r/20220901144036.4049060-1-pteerapong@chromium.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/drivers/aloop.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/sound/drivers/aloop.c ++++ b/sound/drivers/aloop.c +@@ -605,17 +605,18 @@ static unsigned int loopback_jiffies_tim + cable->streams[SNDRV_PCM_STREAM_PLAYBACK]; + struct loopback_pcm *dpcm_capt = + cable->streams[SNDRV_PCM_STREAM_CAPTURE]; +- unsigned long delta_play = 0, delta_capt = 0; ++ unsigned long delta_play = 0, delta_capt = 0, cur_jiffies; + unsigned int running, count1, count2; + ++ cur_jiffies = jiffies; + running = cable->running ^ cable->pause; + if (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) { +- delta_play = jiffies - dpcm_play->last_jiffies; ++ delta_play = cur_jiffies - dpcm_play->last_jiffies; + dpcm_play->last_jiffies += delta_play; + } + + if (running & (1 << SNDRV_PCM_STREAM_CAPTURE)) { +- delta_capt = jiffies - dpcm_capt->last_jiffies; ++ delta_capt = cur_jiffies - dpcm_capt->last_jiffies; + dpcm_capt->last_jiffies += delta_capt; + } + diff --git a/queue-5.15/alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch b/queue-5.15/alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch new file mode 100644 index 00000000000..7e54326b384 --- /dev/null +++ b/queue-5.15/alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch @@ -0,0 +1,66 @@ +From d29f59051d3a07b81281b2df2b8c9dfe4716067f Mon Sep 17 00:00:00 2001 +From: Tasos Sahanidis +Date: Wed, 7 Sep 2022 04:18:00 +0300 +Subject: ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() + +From: Tasos Sahanidis + +commit d29f59051d3a07b81281b2df2b8c9dfe4716067f upstream. + +The voice allocator sometimes begins allocating from near the end of the +array and then wraps around, however snd_emu10k1_pcm_channel_alloc() +accesses the newly allocated voices as if it never wrapped around. + +This results in out of bounds access if the first voice has a high enough +index so that first_voice + requested_voice_count > NUM_G (64). +The more voices are requested, the more likely it is for this to occur. + +This was initially discovered using PipeWire, however it can be reproduced +by calling aplay multiple times with 16 channels: +aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero + +UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40 +index 65 is out of range for type 'snd_emu10k1_voice [64]' +CPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7 +Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010 +Call Trace: + +dump_stack_lvl+0x49/0x63 +dump_stack+0x10/0x16 +ubsan_epilogue+0x9/0x3f +__ubsan_handle_out_of_bounds.cold+0x44/0x49 +snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1] +snd_pcm_hw_params+0x29f/0x600 [snd_pcm] +snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm] +? exit_to_user_mode_prepare+0x35/0x170 +? do_syscall_64+0x69/0x90 +? syscall_exit_to_user_mode+0x26/0x50 +? do_syscall_64+0x69/0x90 +? exit_to_user_mode_prepare+0x35/0x170 +snd_pcm_ioctl+0x27/0x40 [snd_pcm] +__x64_sys_ioctl+0x95/0xd0 +do_syscall_64+0x5c/0x90 +? do_syscall_64+0x69/0x90 +? do_syscall_64+0x69/0x90 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Signed-off-by: Tasos Sahanidis +Cc: +Link: https://lore.kernel.org/r/3707dcab-320a-62ff-63c0-73fc201ef756@tasossah.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/emu10k1/emupcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/emu10k1/emupcm.c ++++ b/sound/pci/emu10k1/emupcm.c +@@ -124,7 +124,7 @@ static int snd_emu10k1_pcm_channel_alloc + epcm->voices[0]->epcm = epcm; + if (voices > 1) { + for (i = 1; i < voices; i++) { +- epcm->voices[i] = &epcm->emu->voices[epcm->voices[0]->number + i]; ++ epcm->voices[i] = &epcm->emu->voices[(epcm->voices[0]->number + i) % NUM_G]; + epcm->voices[i]->epcm = epcm; + } + } diff --git a/queue-5.15/alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch b/queue-5.15/alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch new file mode 100644 index 00000000000..47e2e6bfd91 --- /dev/null +++ b/queue-5.15/alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch @@ -0,0 +1,51 @@ +From 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 5 Sep 2022 08:07:14 +0200 +Subject: ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC + +From: Takashi Iwai + +commit 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d upstream. + +There is a small race window at snd_pcm_oss_sync() that is called from +OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls +snd_pcm_oss_make_ready() at first, then takes the params_lock mutex +for the rest. When the stream is set up again by another thread +between them, it leads to inconsistency, and may result in unexpected +results such as NULL dereference of OSS buffer as a fuzzer spotted +recently. + +The fix is simply to cover snd_pcm_oss_make_ready() call into the same +params_lock mutex with snd_pcm_oss_make_ready_locked() variant. + +Reported-and-tested-by: butt3rflyh4ck +Reviewed-by: Jaroslav Kysela +Cc: +Link: https://lore.kernel.org/r/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com +Link: https://lore.kernel.org/r/20220905060714.22549-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/oss/pcm_oss.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -1664,14 +1664,14 @@ static int snd_pcm_oss_sync(struct snd_p + runtime = substream->runtime; + if (atomic_read(&substream->mmap_count)) + goto __direct; +- err = snd_pcm_oss_make_ready(substream); +- if (err < 0) +- return err; + atomic_inc(&runtime->oss.rw_ref); + if (mutex_lock_interruptible(&runtime->oss.params_lock)) { + atomic_dec(&runtime->oss.rw_ref); + return -ERESTARTSYS; + } ++ err = snd_pcm_oss_make_ready_locked(substream); ++ if (err < 0) ++ goto unlock; + format = snd_pcm_oss_format_from(runtime->oss.format); + width = snd_pcm_format_physical_width(format); + if (runtime->oss.buffer_used > 0) { diff --git a/queue-5.15/alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch b/queue-5.15/alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch new file mode 100644 index 00000000000..2dbc7daf43e --- /dev/null +++ b/queue-5.15/alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch @@ -0,0 +1,34 @@ +From e53f47f6c1a56d2af728909f1cb894da6b43d9bf Mon Sep 17 00:00:00 2001 +From: Dongxiang Ke +Date: Tue, 6 Sep 2022 10:49:28 +0800 +Subject: ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() + +From: Dongxiang Ke + +commit e53f47f6c1a56d2af728909f1cb894da6b43d9bf upstream. + +There may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and +the number of it's interfaces less than 4, an out-of-bounds read bug occurs +when parsing the interface descriptor for this device. + +Fix this by checking the number of interfaces. + +Signed-off-by: Dongxiang Ke +Link: https://lore.kernel.org/r/20220906024928.10951-1-kdx.glider@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/stream.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -1105,7 +1105,7 @@ static int __snd_usb_parse_audio_interfa + * Dallas DS4201 workaround: It presents 5 altsettings, but the last + * one misses syncpipe, and does not produce any sound. + */ +- if (chip->usb_id == USB_ID(0x04fa, 0x4201)) ++ if (chip->usb_id == USB_ID(0x04fa, 0x4201) && num >= 4) + num = 4; + + for (i = 0; i < num; i++) { diff --git a/queue-5.15/alsa-usb-audio-split-endpoint-setups-for-hw_params-and-prepare.patch b/queue-5.15/alsa-usb-audio-split-endpoint-setups-for-hw_params-and-prepare.patch new file mode 100644 index 00000000000..fa44ac25194 --- /dev/null +++ b/queue-5.15/alsa-usb-audio-split-endpoint-setups-for-hw_params-and-prepare.patch @@ -0,0 +1,193 @@ +From ff878b408a03bef5d610b7e2302702e16a53636e Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 1 Sep 2022 14:41:36 +0200 +Subject: ALSA: usb-audio: Split endpoint setups for hw_params and prepare + +From: Takashi Iwai + +commit ff878b408a03bef5d610b7e2302702e16a53636e upstream. + +One of the former changes for the endpoint management was the more +consistent setup of endpoints at hw_params. +snd_usb_endpoint_configure() is a single function that does the full +setup, and it's called from both PCM hw_params and prepare callbacks. +Although the EP setup at the prepare phase is usually skipped (by +checking need_setup flag), it may be still effective in some cases +like suspend/resume that requires the interface setup again. + +As it's a full and single setup, the invocation of +snd_usb_endpoint_configure() includes not only the USB interface setup +but also the buffer release and allocation. OTOH, doing the buffer +release and re-allocation at PCM prepare phase is rather superfluous, +and better to be done only in the hw_params phase. + +For those optimizations, this patch splits the endpoint setup to two +phases: snd_usb_endpoint_set_params() and snd_usb_endpoint_prepare(), +to be called from hw_params and from prepare, respectively. + +Note that this patch changes the driver operation slightly, +effectively moving the USB interface setup again to PCM prepare stage +instead of hw_params stage, while the buffer allocation and such +initializations are still done at hw_params stage. + +And, the change of the USB interface setup timing (moving to prepare) +gave an interesting "fix", too: it was reported that the recent +kernels caused silent output at the beginning on playbacks on some +devices on Android, and this change casually fixed the regression. +It seems that those devices are picky about the sample rate change (or +the interface change?), and don't follow the too immediate rate +changes. + +Meanwhile, Android operates the PCM in the following order: +- open, then hw_params with the possibly highest sample rate +- close without prepare +- re-open, hw_params with the normal sample rate +- prepare, and start streaming +This procedure ended up the hw_params twice with different rates, and +because the recent kernel did set up the sample rate twice one and +after, it screwed up the device. OTOH, the earlier kernels didn't set +up the USB interface at hw_params, hence this problem didn't appear. + +Now, with this patch, the USB interface setup is again back to the +prepare phase, and it works around the problem automagically. +Although we should address the sample rate problem in a more solid +way in future, let's keep things working as before for now. + +Fixes: bf6313a0ff76 ("ALSA: usb-audio: Refactor endpoint management") +Cc: +Reported-by: chihhao chen +Link: https://lore.kernel.org/r/87e6d6ae69d68dc588ac9acc8c0f24d6188375c3.camel@mediatek.com +Link: https://lore.kernel.org/r/20220901124136.4984-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/endpoint.c | 23 +++++++++-------------- + sound/usb/endpoint.h | 6 ++++-- + sound/usb/pcm.c | 14 ++++++++++---- + 3 files changed, 23 insertions(+), 20 deletions(-) + +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -731,7 +731,8 @@ bool snd_usb_endpoint_compatible(struct + * The endpoint needs to be closed via snd_usb_endpoint_close() later. + * + * Note that this function doesn't configure the endpoint. The substream +- * needs to set it up later via snd_usb_endpoint_configure(). ++ * needs to set it up later via snd_usb_endpoint_set_params() and ++ * snd_usb_endpoint_prepare(). + */ + struct snd_usb_endpoint * + snd_usb_endpoint_open(struct snd_usb_audio *chip, +@@ -1254,12 +1255,13 @@ out_of_memory: + /* + * snd_usb_endpoint_set_params: configure an snd_usb_endpoint + * ++ * It's called either from hw_params callback. + * Determine the number of URBs to be used on this endpoint. + * An endpoint must be configured before it can be started. + * An endpoint that is already running can not be reconfigured. + */ +-static int snd_usb_endpoint_set_params(struct snd_usb_audio *chip, +- struct snd_usb_endpoint *ep) ++int snd_usb_endpoint_set_params(struct snd_usb_audio *chip, ++ struct snd_usb_endpoint *ep) + { + const struct audioformat *fmt = ep->cur_audiofmt; + int err; +@@ -1315,18 +1317,18 @@ static int snd_usb_endpoint_set_params(s + } + + /* +- * snd_usb_endpoint_configure: Configure the endpoint ++ * snd_usb_endpoint_prepare: Prepare the endpoint + * + * This function sets up the EP to be fully usable state. +- * It's called either from hw_params or prepare callback. ++ * It's called either from prepare callback. + * The function checks need_setup flag, and performs nothing unless needed, + * so it's safe to call this multiple times. + * + * This returns zero if unchanged, 1 if the configuration has changed, + * or a negative error code. + */ +-int snd_usb_endpoint_configure(struct snd_usb_audio *chip, +- struct snd_usb_endpoint *ep) ++int snd_usb_endpoint_prepare(struct snd_usb_audio *chip, ++ struct snd_usb_endpoint *ep) + { + bool iface_first; + int err = 0; +@@ -1348,9 +1350,6 @@ int snd_usb_endpoint_configure(struct sn + if (err < 0) + goto unlock; + } +- err = snd_usb_endpoint_set_params(chip, ep); +- if (err < 0) +- goto unlock; + goto done; + } + +@@ -1378,10 +1377,6 @@ int snd_usb_endpoint_configure(struct sn + if (err < 0) + goto unlock; + +- err = snd_usb_endpoint_set_params(chip, ep); +- if (err < 0) +- goto unlock; +- + err = snd_usb_select_mode_quirk(chip, ep->cur_audiofmt); + if (err < 0) + goto unlock; +--- a/sound/usb/endpoint.h ++++ b/sound/usb/endpoint.h +@@ -17,8 +17,10 @@ snd_usb_endpoint_open(struct snd_usb_aud + bool is_sync_ep); + void snd_usb_endpoint_close(struct snd_usb_audio *chip, + struct snd_usb_endpoint *ep); +-int snd_usb_endpoint_configure(struct snd_usb_audio *chip, +- struct snd_usb_endpoint *ep); ++int snd_usb_endpoint_set_params(struct snd_usb_audio *chip, ++ struct snd_usb_endpoint *ep); ++int snd_usb_endpoint_prepare(struct snd_usb_audio *chip, ++ struct snd_usb_endpoint *ep); + int snd_usb_endpoint_get_clock_rate(struct snd_usb_audio *chip, int clock); + + bool snd_usb_endpoint_compatible(struct snd_usb_audio *chip, +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -443,17 +443,17 @@ static int configure_endpoints(struct sn + if (stop_endpoints(subs, false)) + sync_pending_stops(subs); + if (subs->sync_endpoint) { +- err = snd_usb_endpoint_configure(chip, subs->sync_endpoint); ++ err = snd_usb_endpoint_prepare(chip, subs->sync_endpoint); + if (err < 0) + return err; + } +- err = snd_usb_endpoint_configure(chip, subs->data_endpoint); ++ err = snd_usb_endpoint_prepare(chip, subs->data_endpoint); + if (err < 0) + return err; + snd_usb_set_format_quirk(subs, subs->cur_audiofmt); + } else { + if (subs->sync_endpoint) { +- err = snd_usb_endpoint_configure(chip, subs->sync_endpoint); ++ err = snd_usb_endpoint_prepare(chip, subs->sync_endpoint); + if (err < 0) + return err; + } +@@ -551,7 +551,13 @@ static int snd_usb_hw_params(struct snd_ + subs->cur_audiofmt = fmt; + mutex_unlock(&chip->mutex); + +- ret = configure_endpoints(chip, subs); ++ if (subs->sync_endpoint) { ++ ret = snd_usb_endpoint_set_params(chip, subs->sync_endpoint); ++ if (ret < 0) ++ goto unlock; ++ } ++ ++ ret = snd_usb_endpoint_set_params(chip, subs->data_endpoint); + + unlock: + if (ret < 0) diff --git a/queue-5.15/btrfs-zoned-set-pseudo-max-append-zone-limit-in-zone-emulation-mode.patch b/queue-5.15/btrfs-zoned-set-pseudo-max-append-zone-limit-in-zone-emulation-mode.patch new file mode 100644 index 00000000000..fe063ed2b37 --- /dev/null +++ b/queue-5.15/btrfs-zoned-set-pseudo-max-append-zone-limit-in-zone-emulation-mode.patch @@ -0,0 +1,58 @@ +From cac5c44c48c9fb9cc31bea15ebd9ef0c6462314f Mon Sep 17 00:00:00 2001 +From: Shin'ichiro Kawasaki +Date: Fri, 26 Aug 2022 16:42:15 +0900 +Subject: btrfs: zoned: set pseudo max append zone limit in zone emulation mode + +From: Shin'ichiro Kawasaki + +commit cac5c44c48c9fb9cc31bea15ebd9ef0c6462314f upstream. + +The commit 7d7672bc5d10 ("btrfs: convert count_max_extents() to use +fs_info->max_extent_size") introduced a division by +fs_info->max_extent_size. This max_extent_size is initialized with max +zone append limit size of the device btrfs runs on. However, in zone +emulation mode, the device is not zoned then its zone append limit is +zero. This resulted in zero value of fs_info->max_extent_size and caused +zero division error. + +Fix the error by setting non-zero pseudo value to max append zone limit +in zone emulation mode. Set the pseudo value based on max_segments as +suggested in the commit c2ae7b772ef4 ("btrfs: zoned: revive +max_zone_append_bytes"). + +Fixes: 7d7672bc5d10 ("btrfs: convert count_max_extents() to use fs_info->max_extent_size") +CC: stable@vger.kernel.org # 5.12+ +Reviewed-by: Johannes Thumshirn +Reviewed-by: Naohiro Aota +Signed-off-by: Shin'ichiro Kawasaki +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/zoned.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/zoned.c ++++ b/fs/btrfs/zoned.c +@@ -392,10 +392,19 @@ int btrfs_get_dev_zone_info(struct btrfs + * since btrfs adds the pages one by one to a bio, and btrfs cannot + * increase the metadata reservation even if it increases the number of + * extents, it is safe to stick with the limit. ++ * ++ * With the zoned emulation, we can have non-zoned device on the zoned ++ * mode. In this case, we don't have a valid max zone append size. So, ++ * use max_segments * PAGE_SIZE as the pseudo max_zone_append_size. + */ +- zone_info->max_zone_append_size = +- min_t(u64, (u64)bdev_max_zone_append_sectors(bdev) << SECTOR_SHIFT, +- (u64)bdev_max_segments(bdev) << PAGE_SHIFT); ++ if (bdev_is_zoned(bdev)) { ++ zone_info->max_zone_append_size = min_t(u64, ++ (u64)bdev_max_zone_append_sectors(bdev) << SECTOR_SHIFT, ++ (u64)bdev_max_segments(bdev) << PAGE_SHIFT); ++ } else { ++ zone_info->max_zone_append_size = ++ (u64)bdev_max_segments(bdev) << PAGE_SHIFT; ++ } + if (!IS_ALIGNED(nr_sectors, zone_sectors)) + zone_info->nr_zones++; + diff --git a/queue-5.15/kprobes-prohibit-probes-in-gate-area.patch b/queue-5.15/kprobes-prohibit-probes-in-gate-area.patch new file mode 100644 index 00000000000..2b1e64a0a52 --- /dev/null +++ b/queue-5.15/kprobes-prohibit-probes-in-gate-area.patch @@ -0,0 +1,117 @@ +From 1efda38d6f9ba26ac88b359c6277f1172db03f1e Mon Sep 17 00:00:00 2001 +From: "Christian A. Ehrhardt" +Date: Wed, 7 Sep 2022 22:09:17 +0200 +Subject: kprobes: Prohibit probes in gate area + +From: Christian A. Ehrhardt + +commit 1efda38d6f9ba26ac88b359c6277f1172db03f1e upstream. + +The system call gate area counts as kernel text but trying +to install a kprobe in this area fails with an Oops later on. +To fix this explicitly disallow the gate area for kprobes. + +Found by syzkaller with the following reproducer: +perf_event_open$cgroup(&(0x7f00000001c0)={0x6, 0x80, 0x0, 0x0, 0x0, 0x0, 0x80ffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext={0x0, 0xffffffffff600000}}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) + +Sample report: +BUG: unable to handle page fault for address: fffffbfff3ac6000 +PGD 6dfcb067 P4D 6dfcb067 PUD 6df8f067 PMD 6de4d067 PTE 0 +Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI +CPU: 0 PID: 21978 Comm: syz-executor.2 Not tainted 6.0.0-rc3-00363-g7726d4c3e60b-dirty #6 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:__insn_get_emulate_prefix arch/x86/lib/insn.c:91 [inline] +RIP: 0010:insn_get_emulate_prefix arch/x86/lib/insn.c:106 [inline] +RIP: 0010:insn_get_prefixes.part.0+0xa8/0x1110 arch/x86/lib/insn.c:134 +Code: 49 be 00 00 00 00 00 fc ff df 48 8b 40 60 48 89 44 24 08 e9 81 00 00 00 e8 e5 4b 39 ff 4c 89 fa 4c 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 32 38 ca 7f 08 84 d2 0f 85 06 10 00 00 48 89 d8 48 89 +RSP: 0018:ffffc900088bf860 EFLAGS: 00010246 +RAX: 0000000000040000 RBX: ffffffff9b9bebc0 RCX: 0000000000000000 +RDX: 1ffffffff3ac6000 RSI: ffffc90002d82000 RDI: ffffc900088bf9e8 +RBP: ffffffff9d630001 R08: 0000000000000000 R09: ffffc900088bf9e8 +R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001 +R13: ffffffff9d630000 R14: dffffc0000000000 R15: ffffffff9d630000 +FS: 00007f63eef63640(0000) GS:ffff88806d000000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: fffffbfff3ac6000 CR3: 0000000029d90005 CR4: 0000000000770ef0 +PKRU: 55555554 +Call Trace: + + insn_get_prefixes arch/x86/lib/insn.c:131 [inline] + insn_get_opcode arch/x86/lib/insn.c:272 [inline] + insn_get_modrm+0x64a/0x7b0 arch/x86/lib/insn.c:343 + insn_get_sib+0x29a/0x330 arch/x86/lib/insn.c:421 + insn_get_displacement+0x350/0x6b0 arch/x86/lib/insn.c:464 + insn_get_immediate arch/x86/lib/insn.c:632 [inline] + insn_get_length arch/x86/lib/insn.c:707 [inline] + insn_decode+0x43a/0x490 arch/x86/lib/insn.c:747 + can_probe+0xfc/0x1d0 arch/x86/kernel/kprobes/core.c:282 + arch_prepare_kprobe+0x79/0x1c0 arch/x86/kernel/kprobes/core.c:739 + prepare_kprobe kernel/kprobes.c:1160 [inline] + register_kprobe kernel/kprobes.c:1641 [inline] + register_kprobe+0xb6e/0x1690 kernel/kprobes.c:1603 + __register_trace_kprobe kernel/trace/trace_kprobe.c:509 [inline] + __register_trace_kprobe+0x26a/0x2d0 kernel/trace/trace_kprobe.c:477 + create_local_trace_kprobe+0x1f7/0x350 kernel/trace/trace_kprobe.c:1833 + perf_kprobe_init+0x18c/0x280 kernel/trace/trace_event_perf.c:271 + perf_kprobe_event_init+0xf8/0x1c0 kernel/events/core.c:9888 + perf_try_init_event+0x12d/0x570 kernel/events/core.c:11261 + perf_init_event kernel/events/core.c:11325 [inline] + perf_event_alloc.part.0+0xf7f/0x36a0 kernel/events/core.c:11619 + perf_event_alloc kernel/events/core.c:12059 [inline] + __do_sys_perf_event_open+0x4a8/0x2a00 kernel/events/core.c:12157 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f63ef7efaed +Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f63eef63028 EFLAGS: 00000246 ORIG_RAX: 000000000000012a +RAX: ffffffffffffffda RBX: 00007f63ef90ff80 RCX: 00007f63ef7efaed +RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 00000000200001c0 +RBP: 00007f63ef86019c R08: 0000000000000000 R09: 0000000000000000 +R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000002 R14: 00007f63ef90ff80 R15: 00007f63eef43000 + +Modules linked in: +CR2: fffffbfff3ac6000 +---[ end trace 0000000000000000 ]--- +RIP: 0010:__insn_get_emulate_prefix arch/x86/lib/insn.c:91 [inline] +RIP: 0010:insn_get_emulate_prefix arch/x86/lib/insn.c:106 [inline] +RIP: 0010:insn_get_prefixes.part.0+0xa8/0x1110 arch/x86/lib/insn.c:134 +Code: 49 be 00 00 00 00 00 fc ff df 48 8b 40 60 48 89 44 24 08 e9 81 00 00 00 e8 e5 4b 39 ff 4c 89 fa 4c 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 32 38 ca 7f 08 84 d2 0f 85 06 10 00 00 48 89 d8 48 89 +RSP: 0018:ffffc900088bf860 EFLAGS: 00010246 +RAX: 0000000000040000 RBX: ffffffff9b9bebc0 RCX: 0000000000000000 +RDX: 1ffffffff3ac6000 RSI: ffffc90002d82000 RDI: ffffc900088bf9e8 +RBP: ffffffff9d630001 R08: 0000000000000000 R09: ffffc900088bf9e8 +R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001 +R13: ffffffff9d630000 R14: dffffc0000000000 R15: ffffffff9d630000 +FS: 00007f63eef63640(0000) GS:ffff88806d000000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: fffffbfff3ac6000 CR3: 0000000029d90005 CR4: 0000000000770ef0 +PKRU: 55555554 +================================================================== + +Link: https://lkml.kernel.org/r/20220907200917.654103-1-lk@c--e.de + +cc: "Naveen N. Rao" +cc: Anil S Keshavamurthy +cc: "David S. Miller" +Cc: stable@vger.kernel.org +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Christian A. Ehrhardt +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kprobes.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -1561,6 +1561,7 @@ static int check_kprobe_address_safe(str + /* Ensure it is not in reserved area nor out of text */ + if (!(core_kernel_text((unsigned long) p->addr) || + is_module_text_address((unsigned long) p->addr)) || ++ in_gate_area_no_mm((unsigned long) p->addr) || + within_kprobe_blacklist((unsigned long) p->addr) || + jump_label_text_reserved(p->addr, p->addr) || + static_call_text_reserved(p->addr, p->addr) || diff --git a/queue-5.15/series b/queue-5.15/series index 7e575045d17..1c75f004bec 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -24,3 +24,12 @@ md-flush-workqueue-md_rdev_misc_wq-in-md_alloc.patch fbdev-fbcon-destroy-mutex-on-freeing-struct-fb_info.patch fbdev-chipsfb-add-missing-pci_disable_device-in-chip.patch drm-amdgpu-mmvm_l2_cntl3-register-not-initialized-co.patch +alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch +alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch +alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch +alsa-usb-audio-split-endpoint-setups-for-hw_params-and-prepare.patch +alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch +tracing-fix-to-check-event_mutex-is-held-while-accessing-trigger-list.patch +btrfs-zoned-set-pseudo-max-append-zone-limit-in-zone-emulation-mode.patch +vfio-type1-unpin-zero-pages.patch +kprobes-prohibit-probes-in-gate-area.patch diff --git a/queue-5.15/tracing-fix-to-check-event_mutex-is-held-while-accessing-trigger-list.patch b/queue-5.15/tracing-fix-to-check-event_mutex-is-held-while-accessing-trigger-list.patch new file mode 100644 index 00000000000..eba082a3f3b --- /dev/null +++ b/queue-5.15/tracing-fix-to-check-event_mutex-is-held-while-accessing-trigger-list.patch @@ -0,0 +1,51 @@ +From cecf8e128ec69149fe53c9a7bafa505a4bee25d9 Mon Sep 17 00:00:00 2001 +From: "Masami Hiramatsu (Google)" +Date: Sun, 4 Sep 2022 13:12:29 +0900 +Subject: tracing: Fix to check event_mutex is held while accessing trigger list + +From: Masami Hiramatsu (Google) + +commit cecf8e128ec69149fe53c9a7bafa505a4bee25d9 upstream. + +Since the check_user_trigger() is called outside of RCU +read lock, this list_for_each_entry_rcu() caused a suspicious +RCU usage warning. + + # echo hist:keys=pid > events/sched/sched_stat_runtime/trigger + # cat events/sched/sched_stat_runtime/trigger +[ 43.167032] +[ 43.167418] ============================= +[ 43.167992] WARNING: suspicious RCU usage +[ 43.168567] 5.19.0-rc5-00029-g19ebe4651abf #59 Not tainted +[ 43.169283] ----------------------------- +[ 43.169863] kernel/trace/trace_events_trigger.c:145 RCU-list traversed in non-reader section!! +... + +However, this file->triggers list is safe when it is accessed +under event_mutex is held. +To fix this warning, adds a lockdep_is_held check to the +list_for_each_entry_rcu(). + +Link: https://lkml.kernel.org/r/166226474977.223837.1992182913048377113.stgit@devnote2 + +Cc: stable@vger.kernel.org +Fixes: 7491e2c44278 ("tracing: Add a probe that attaches to trace events") +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_trigger.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -128,7 +128,8 @@ static bool check_user_trigger(struct tr + { + struct event_trigger_data *data; + +- list_for_each_entry_rcu(data, &file->triggers, list) { ++ list_for_each_entry_rcu(data, &file->triggers, list, ++ lockdep_is_held(&event_mutex)) { + if (data->flags & EVENT_TRIGGER_FL_PROBE) + continue; + return true; diff --git a/queue-5.15/vfio-type1-unpin-zero-pages.patch b/queue-5.15/vfio-type1-unpin-zero-pages.patch new file mode 100644 index 00000000000..681467243fc --- /dev/null +++ b/queue-5.15/vfio-type1-unpin-zero-pages.patch @@ -0,0 +1,53 @@ +From 873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4 Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Mon, 29 Aug 2022 21:05:40 -0600 +Subject: vfio/type1: Unpin zero pages + +From: Alex Williamson + +commit 873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4 upstream. + +There's currently a reference count leak on the zero page. We increment +the reference via pin_user_pages_remote(), but the page is later handled +as an invalid/reserved page, therefore it's not accounted against the +user and not unpinned by our put_pfn(). + +Introducing special zero page handling in put_pfn() would resolve the +leak, but without accounting of the zero page, a single user could +still create enough mappings to generate a reference count overflow. + +The zero page is always resident, so for our purposes there's no reason +to keep it pinned. Therefore, add a loop to walk pages returned from +pin_user_pages_remote() and unpin any zero pages. + +Cc: stable@vger.kernel.org +Reported-by: Luboslav Pivarc +Reviewed-by: David Hildenbrand +Link: https://lore.kernel.org/r/166182871735.3518559.8884121293045337358.stgit@omen +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vfio/vfio_iommu_type1.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -561,6 +561,18 @@ static int vaddr_get_pfns(struct mm_stru + ret = pin_user_pages_remote(mm, vaddr, npages, flags | FOLL_LONGTERM, + pages, NULL, NULL); + if (ret > 0) { ++ int i; ++ ++ /* ++ * The zero page is always resident, we don't need to pin it ++ * and it falls into our invalid/reserved test so we don't ++ * unpin in put_pfn(). Unpin all zero pages in the batch here. ++ */ ++ for (i = 0 ; i < ret; i++) { ++ if (unlikely(is_zero_pfn(page_to_pfn(pages[i])))) ++ unpin_user_page(pages[i]); ++ } ++ + *pfn = page_to_pfn(pages[0]); + goto done; + } -- 2.47.3