From b0a66fd1c6207b7128485283fc8f04796d8114d9 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 22 Nov 2022 10:17:58 -0500 Subject: [PATCH] Fixes for 6.0 Signed-off-by: Sasha Levin --- ...orrect-file_map_count-for-non-leaf-p.patch | 79 ++++++++++++ ...y-no-need-to-assign-core-id-if-token.patch | 67 ++++++++++ ...leaking-of-platform-device-on-module.patch | 54 ++++++++ ...aring-aggrprobe-s-post_handler-in-kp.patch | 75 +++++++++++ ...ccess-to-sk_user_data-with-sk_callba.patch | 122 ++++++++++++++++++ ...-usb-smsc95xx-fix-external-phy-reset.patch | 120 +++++++++++++++++ ...roup-to-copy-ip-ipv6-header-addresse.patch | 111 ++++++++++++++++ ...erf-improve-missing-sigtrap-checking.patch | 102 +++++++++++++++ ...-crash-due-to-race-between-amd_pmu_e.patch | 90 +++++++++++++ ...ude-dropped-pages-in-counting-dirty-.patch | 95 ++++++++++++++ ...fix-possible-uaf-in-sdebug_add_host_.patch | 44 +++++++ ...loop-fix-possible-name-leak-in-tcm_l.patch | 51 ++++++++ queue-6.0/series | 16 +++ ...ntial-null-pointer-access-of-entry-i.patch | 69 ++++++++++ ...rning-on-variable-struct-trace_array.patch | 54 ++++++++ ...io-rename-vfio_ioctl_check_extension.patch | 63 +++++++++ ...egister_device-ops-call-into-functio.patch | 107 +++++++++++++++ 17 files changed, 1319 insertions(+) create mode 100644 queue-6.0/arm64-mm-fix-incorrect-file_map_count-for-non-leaf-p.patch create mode 100644 queue-6.0/asoc-sof-topology-no-need-to-assign-core-id-if-token.patch create mode 100644 queue-6.0/input-i8042-fix-leaking-of-platform-device-on-module.patch create mode 100644 queue-6.0/kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch create mode 100644 queue-6.0/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch create mode 100644 queue-6.0/net-usb-smsc95xx-fix-external-phy-reset.patch create mode 100644 queue-6.0/net-use-struct_group-to-copy-ip-ipv6-header-addresse.patch create mode 100644 queue-6.0/perf-improve-missing-sigtrap-checking.patch create mode 100644 queue-6.0/perf-x86-amd-fix-crash-due-to-race-between-amd_pmu_e.patch create mode 100644 queue-6.0/ring-buffer-include-dropped-pages-in-counting-dirty-.patch create mode 100644 queue-6.0/scsi-scsi_debug-fix-possible-uaf-in-sdebug_add_host_.patch create mode 100644 queue-6.0/scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch create mode 100644 queue-6.0/tracing-fix-potential-null-pointer-access-of-entry-i.patch create mode 100644 queue-6.0/tracing-fix-warning-on-variable-struct-trace_array.patch create mode 100644 queue-6.0/vfio-rename-vfio_ioctl_check_extension.patch create mode 100644 queue-6.0/vfio-split-the-register_device-ops-call-into-functio.patch diff --git a/queue-6.0/arm64-mm-fix-incorrect-file_map_count-for-non-leaf-p.patch b/queue-6.0/arm64-mm-fix-incorrect-file_map_count-for-non-leaf-p.patch new file mode 100644 index 00000000000..da5aa6808ad --- /dev/null +++ b/queue-6.0/arm64-mm-fix-incorrect-file_map_count-for-non-leaf-p.patch @@ -0,0 +1,79 @@ +From f1e09150ed6fb7a83a7a0d1de6e392e3a4094d49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 15:56:01 +0800 +Subject: arm64/mm: fix incorrect file_map_count for non-leaf pmd/pud + +From: Liu Shixin + +[ Upstream commit 5b47348fc0b18a78c96f8474cc90b7525ad1bbfe ] + +The page table check trigger BUG_ON() unexpectedly when collapse hugepage: + + ------------[ cut here ]------------ + kernel BUG at mm/page_table_check.c:82! + Internal error: Oops - BUG: 00000000f2000800 [#1] SMP + Dumping ftrace buffer: + (ftrace buffer empty) + Modules linked in: + CPU: 6 PID: 68 Comm: khugepaged Not tainted 6.1.0-rc3+ #750 + Hardware name: linux,dummy-virt (DT) + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : page_table_check_clear.isra.0+0x258/0x3f0 + lr : page_table_check_clear.isra.0+0x240/0x3f0 +[...] + Call trace: + page_table_check_clear.isra.0+0x258/0x3f0 + __page_table_check_pmd_clear+0xbc/0x108 + pmdp_collapse_flush+0xb0/0x160 + collapse_huge_page+0xa08/0x1080 + hpage_collapse_scan_pmd+0xf30/0x1590 + khugepaged_scan_mm_slot.constprop.0+0x52c/0xac8 + khugepaged+0x338/0x518 + kthread+0x278/0x2f8 + ret_from_fork+0x10/0x20 +[...] + +Since pmd_user_accessible_page() doesn't check if a pmd is leaf, it +decrease file_map_count for a non-leaf pmd comes from collapse_huge_page(). +and so trigger BUG_ON() unexpectedly. + +Fix this problem by using pmd_leaf() insteal of pmd_present() in +pmd_user_accessible_page(). Moreover, use pud_leaf() for +pud_user_accessible_page() too. + +Fixes: 42b2547137f5 ("arm64/mm: enable ARCH_SUPPORTS_PAGE_TABLE_CHECK") +Reported-by: Denys Vlasenko +Signed-off-by: Liu Shixin +Reviewed-by: David Hildenbrand +Acked-by: Pasha Tatashin +Reviewed-by: Kefeng Wang +Acked-by: Will Deacon +Link: https://lore.kernel.org/r/20221117075602.2904324-2-liushixin2@huawei.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/pgtable.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h +index b5df82aa99e6..d78e69293d12 100644 +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -863,12 +863,12 @@ static inline bool pte_user_accessible_page(pte_t pte) + + static inline bool pmd_user_accessible_page(pmd_t pmd) + { +- return pmd_present(pmd) && (pmd_user(pmd) || pmd_user_exec(pmd)); ++ return pmd_leaf(pmd) && (pmd_user(pmd) || pmd_user_exec(pmd)); + } + + static inline bool pud_user_accessible_page(pud_t pud) + { +- return pud_present(pud) && pud_user(pud); ++ return pud_leaf(pud) && pud_user(pud); + } + #endif + +-- +2.35.1 + diff --git a/queue-6.0/asoc-sof-topology-no-need-to-assign-core-id-if-token.patch b/queue-6.0/asoc-sof-topology-no-need-to-assign-core-id-if-token.patch new file mode 100644 index 00000000000..def11efe3f4 --- /dev/null +++ b/queue-6.0/asoc-sof-topology-no-need-to-assign-core-id-if-token.patch @@ -0,0 +1,67 @@ +From 20dba073e3aff01187cc01abaa6230db99daf62a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 11:04:33 +0200 +Subject: ASoC: SOF: topology: No need to assign core ID if token parsing + failed + +From: Peter Ujfalusi + +[ Upstream commit 3d59eaef49ca2db581156a7b77c9afc0546eefc0 ] + +Move the return value check before attempting to assign the core ID to the +swidget since we are going to fail the sof_widget_ready() and free up +swidget anyways. + +Fixes: 909dadf21aae ("ASoC: SOF: topology: Make DAI widget parsing IPC agnostic") + +Signed-off-by: Peter Ujfalusi +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Ranjani Sridharan +Link: https://lore.kernel.org/r/20221107090433.5146-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/topology.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c +index 9273a70fec25..e1b7f07de7fc 100644 +--- a/sound/soc/sof/topology.c ++++ b/sound/soc/sof/topology.c +@@ -1346,16 +1346,6 @@ static int sof_widget_ready(struct snd_soc_component *scomp, int index, + break; + } + +- if (sof_debug_check_flag(SOF_DBG_DISABLE_MULTICORE)) { +- swidget->core = SOF_DSP_PRIMARY_CORE; +- } else { +- int core = sof_get_token_value(SOF_TKN_COMP_CORE_ID, swidget->tuples, +- swidget->num_tuples); +- +- if (core >= 0) +- swidget->core = core; +- } +- + /* check token parsing reply */ + if (ret < 0) { + dev_err(scomp->dev, +@@ -1367,6 +1357,16 @@ static int sof_widget_ready(struct snd_soc_component *scomp, int index, + return ret; + } + ++ if (sof_debug_check_flag(SOF_DBG_DISABLE_MULTICORE)) { ++ swidget->core = SOF_DSP_PRIMARY_CORE; ++ } else { ++ int core = sof_get_token_value(SOF_TKN_COMP_CORE_ID, swidget->tuples, ++ swidget->num_tuples); ++ ++ if (core >= 0) ++ swidget->core = core; ++ } ++ + /* bind widget to external event */ + if (tw->event_type) { + if (widget_ops[w->id].bind_event) { +-- +2.35.1 + diff --git a/queue-6.0/input-i8042-fix-leaking-of-platform-device-on-module.patch b/queue-6.0/input-i8042-fix-leaking-of-platform-device-on-module.patch new file mode 100644 index 00000000000..4c69b4b07aa --- /dev/null +++ b/queue-6.0/input-i8042-fix-leaking-of-platform-device-on-module.patch @@ -0,0 +1,54 @@ +From 63c00d84a78609f0df759fab434e27747557f665 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 15:40:03 -0800 +Subject: Input: i8042 - fix leaking of platform device on module removal + +From: Chen Jun + +[ Upstream commit 81cd7e8489278d28794e7b272950c3e00c344e44 ] + +Avoid resetting the module-wide i8042_platform_device pointer in +i8042_probe() or i8042_remove(), so that the device can be properly +destroyed by i8042_exit() on module unload. + +Fixes: 9222ba68c3f4 ("Input: i8042 - add deferred probe support") +Signed-off-by: Chen Jun +Link: https://lore.kernel.org/r/20221109034148.23821-1-chenjun102@huawei.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/i8042.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c +index 3fc0a89cc785..f132d6dfc25e 100644 +--- a/drivers/input/serio/i8042.c ++++ b/drivers/input/serio/i8042.c +@@ -1543,8 +1543,6 @@ static int i8042_probe(struct platform_device *dev) + { + int error; + +- i8042_platform_device = dev; +- + if (i8042_reset == I8042_RESET_ALWAYS) { + error = i8042_controller_selftest(); + if (error) +@@ -1582,7 +1580,6 @@ static int i8042_probe(struct platform_device *dev) + i8042_free_aux_ports(); /* in case KBD failed but AUX not */ + i8042_free_irqs(); + i8042_controller_reset(false); +- i8042_platform_device = NULL; + + return error; + } +@@ -1592,7 +1589,6 @@ static int i8042_remove(struct platform_device *dev) + i8042_unregister_ports(); + i8042_free_irqs(); + i8042_controller_reset(false); +- i8042_platform_device = NULL; + + return 0; + } +-- +2.35.1 + diff --git a/queue-6.0/kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch b/queue-6.0/kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch new file mode 100644 index 00000000000..1ff658eadaf --- /dev/null +++ b/queue-6.0/kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch @@ -0,0 +1,75 @@ +From 0a098ad26b743fbf96c74d3ae8187ed5a53e3a65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 10:15:34 +0900 +Subject: kprobes: Skip clearing aggrprobe's post_handler in kprobe-on-ftrace + case + +From: Li Huafei + +[ Upstream commit 5dd7caf0bdc5d0bae7cf9776b4d739fb09bd5ebb ] + +In __unregister_kprobe_top(), if the currently unregistered probe has +post_handler but other child probes of the aggrprobe do not have +post_handler, the post_handler of the aggrprobe is cleared. If this is +a ftrace-based probe, there is a problem. In later calls to +disarm_kprobe(), we will use kprobe_ftrace_ops because post_handler is +NULL. But we're armed with kprobe_ipmodify_ops. This triggers a WARN in +__disarm_kprobe_ftrace() and may even cause use-after-free: + + Failed to disarm kprobe-ftrace at kernel_clone+0x0/0x3c0 (error -2) + WARNING: CPU: 5 PID: 137 at kernel/kprobes.c:1135 __disarm_kprobe_ftrace.isra.21+0xcf/0xe0 + Modules linked in: testKprobe_007(-) + CPU: 5 PID: 137 Comm: rmmod Not tainted 6.1.0-rc4-dirty #18 + [...] + Call Trace: + + __disable_kprobe+0xcd/0xe0 + __unregister_kprobe_top+0x12/0x150 + ? mutex_lock+0xe/0x30 + unregister_kprobes.part.23+0x31/0xa0 + unregister_kprobe+0x32/0x40 + __x64_sys_delete_module+0x15e/0x260 + ? do_user_addr_fault+0x2cd/0x6b0 + do_syscall_64+0x3a/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + [...] + +For the kprobe-on-ftrace case, we keep the post_handler setting to +identify this aggrprobe armed with kprobe_ipmodify_ops. This way we +can disarm it correctly. + +Link: https://lore.kernel.org/all/20221112070000.35299-1-lihuafei1@huawei.com/ + +Fixes: 0bc11ed5ab60 ("kprobes: Allow kprobes coexist with livepatch") +Reported-by: Zhao Gongyi +Suggested-by: Masami Hiramatsu (Google) +Signed-off-by: Li Huafei +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/kprobes.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index 917b92ae2382..6d2a8623ec7b 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -1762,7 +1762,13 @@ static int __unregister_kprobe_top(struct kprobe *p) + if ((list_p != p) && (list_p->post_handler)) + goto noclean; + } +- ap->post_handler = NULL; ++ /* ++ * For the kprobe-on-ftrace case, we keep the ++ * post_handler setting to identify this aggrprobe ++ * armed with kprobe_ipmodify_ops. ++ */ ++ if (!kprobe_ftrace(ap)) ++ ap->post_handler = NULL; + } + noclean: + /* +-- +2.35.1 + diff --git a/queue-6.0/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch b/queue-6.0/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch new file mode 100644 index 00000000000..2d0eb1cec4b --- /dev/null +++ b/queue-6.0/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch @@ -0,0 +1,122 @@ +From 1ea60c1db42da0b5b40eb7e9bf8d5937f6f475cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 20:16:19 +0100 +Subject: l2tp: Serialize access to sk_user_data with sk_callback_lock + +From: Jakub Sitnicki + +[ Upstream commit b68777d54fac21fc833ec26ea1a2a84f975ab035 ] + +sk->sk_user_data has multiple users, which are not compatible with each +other. Writers must synchronize by grabbing the sk->sk_callback_lock. + +l2tp currently fails to grab the lock when modifying the underlying tunnel +socket fields. Fix it by adding appropriate locking. + +We err on the side of safety and grab the sk_callback_lock also inside the +sk_destruct callback overridden by l2tp, even though there should be no +refs allowing access to the sock at the time when sk_destruct gets called. + +v4: +- serialize write to sk_user_data in l2tp sk_destruct + +v3: +- switch from sock lock to sk_callback_lock +- document write-protection for sk_user_data + +v2: +- update Fixes to point to origin of the bug +- use real names in Reported/Tested-by tags + +Cc: Tom Parkin +Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") +Reported-by: Haowei Yan +Signed-off-by: Jakub Sitnicki +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 2 +- + net/l2tp/l2tp_core.c | 19 +++++++++++++------ + 2 files changed, 14 insertions(+), 7 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index f6e6838c82df..03a4ebe3ccc8 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -323,7 +323,7 @@ struct sk_filter; + * @sk_tskey: counter to disambiguate concurrent tstamp requests + * @sk_zckey: counter to order MSG_ZEROCOPY notifications + * @sk_socket: Identd and reporting IO signals +- * @sk_user_data: RPC layer private data ++ * @sk_user_data: RPC layer private data. Write-protected by @sk_callback_lock. + * @sk_frag: cached page frag + * @sk_peek_off: current peek_offset value + * @sk_send_head: front of stuff to transmit +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 7499c51b1850..754fdda8a5f5 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1150,8 +1150,10 @@ static void l2tp_tunnel_destruct(struct sock *sk) + } + + /* Remove hooks into tunnel socket */ ++ write_lock_bh(&sk->sk_callback_lock); + sk->sk_destruct = tunnel->old_sk_destruct; + sk->sk_user_data = NULL; ++ write_unlock_bh(&sk->sk_callback_lock); + + /* Call the original destructor */ + if (sk->sk_destruct) +@@ -1469,16 +1471,18 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + sock = sockfd_lookup(tunnel->fd, &ret); + if (!sock) + goto err; +- +- ret = l2tp_validate_socket(sock->sk, net, tunnel->encap); +- if (ret < 0) +- goto err_sock; + } + ++ sk = sock->sk; ++ write_lock(&sk->sk_callback_lock); ++ ++ ret = l2tp_validate_socket(sk, net, tunnel->encap); ++ if (ret < 0) ++ goto err_sock; ++ + tunnel->l2tp_net = net; + pn = l2tp_pernet(net); + +- sk = sock->sk; + sock_hold(sk); + tunnel->sock = sk; + +@@ -1504,7 +1508,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + + setup_udp_tunnel_sock(net, sock, &udp_cfg); + } else { +- sk->sk_user_data = tunnel; ++ rcu_assign_sk_user_data(sk, tunnel); + } + + tunnel->old_sk_destruct = sk->sk_destruct; +@@ -1518,6 +1522,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + if (tunnel->fd >= 0) + sockfd_put(sock); + ++ write_unlock(&sk->sk_callback_lock); + return 0; + + err_sock: +@@ -1525,6 +1530,8 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + sock_release(sock); + else + sockfd_put(sock); ++ ++ write_unlock(&sk->sk_callback_lock); + err: + return ret; + } +-- +2.35.1 + diff --git a/queue-6.0/net-usb-smsc95xx-fix-external-phy-reset.patch b/queue-6.0/net-usb-smsc95xx-fix-external-phy-reset.patch new file mode 100644 index 00000000000..965ad8a8534 --- /dev/null +++ b/queue-6.0/net-usb-smsc95xx-fix-external-phy-reset.patch @@ -0,0 +1,120 @@ +From 4d6ea530dd3cb2ac584f8e3a68c865cffd7fb966 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 13:44:34 +0200 +Subject: net: usb: smsc95xx: fix external PHY reset + +From: Alexandru Tachici + +[ Upstream commit 809ff97a677ff85dfb7ce2b63be261d1633dcf29 ] + +An external PHY needs settling time after power up or reset. +In the bind() function an mdio bus is registered. If at this point +the external PHY is still initialising, no valid PHY ID will be +read and on phy_find_first() the bind() function will fail. + +If an external PHY is present, wait the maximum time specified +in 802.3 45.2.7.1.1. + +Fixes: 05b35e7eb9a1 ("smsc95xx: add phylib support") +Signed-off-by: Alexandru Tachici +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20221115114434.9991-2-alexandru.tachici@analog.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc95xx.c | 46 ++++++++++++++++++++++++++++++++++---- + 1 file changed, 42 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index bfb58c91db04..32d2c60d334d 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -66,6 +66,7 @@ struct smsc95xx_priv { + spinlock_t mac_cr_lock; + u8 features; + u8 suspend_flags; ++ bool is_internal_phy; + struct irq_chip irqchip; + struct irq_domain *irqdomain; + struct fwnode_handle *irqfwnode; +@@ -252,6 +253,43 @@ static void smsc95xx_mdio_write(struct usbnet *dev, int phy_id, int idx, + mutex_unlock(&dev->phy_mutex); + } + ++static int smsc95xx_mdiobus_reset(struct mii_bus *bus) ++{ ++ struct smsc95xx_priv *pdata; ++ struct usbnet *dev; ++ u32 val; ++ int ret; ++ ++ dev = bus->priv; ++ pdata = dev->driver_priv; ++ ++ if (pdata->is_internal_phy) ++ return 0; ++ ++ mutex_lock(&dev->phy_mutex); ++ ++ ret = smsc95xx_read_reg(dev, PM_CTRL, &val); ++ if (ret < 0) ++ goto reset_out; ++ ++ val |= PM_CTL_PHY_RST_; ++ ++ ret = smsc95xx_write_reg(dev, PM_CTRL, val); ++ if (ret < 0) ++ goto reset_out; ++ ++ /* Driver has no knowledge at this point about the external PHY. ++ * The 802.3 specifies that the reset process shall ++ * be completed within 0.5 s. ++ */ ++ fsleep(500000); ++ ++reset_out: ++ mutex_unlock(&dev->phy_mutex); ++ ++ return 0; ++} ++ + static int smsc95xx_mdiobus_read(struct mii_bus *bus, int phy_id, int idx) + { + struct usbnet *dev = bus->priv; +@@ -1052,7 +1090,6 @@ static void smsc95xx_handle_link_change(struct net_device *net) + static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf) + { + struct smsc95xx_priv *pdata; +- bool is_internal_phy; + char usb_path[64]; + int ret, phy_irq; + u32 val; +@@ -1133,13 +1170,14 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf) + if (ret < 0) + goto free_mdio; + +- is_internal_phy = !(val & HW_CFG_PSEL_); +- if (is_internal_phy) ++ pdata->is_internal_phy = !(val & HW_CFG_PSEL_); ++ if (pdata->is_internal_phy) + pdata->mdiobus->phy_mask = ~(1u << SMSC95XX_INTERNAL_PHY_ID); + + pdata->mdiobus->priv = dev; + pdata->mdiobus->read = smsc95xx_mdiobus_read; + pdata->mdiobus->write = smsc95xx_mdiobus_write; ++ pdata->mdiobus->reset = smsc95xx_mdiobus_reset; + pdata->mdiobus->name = "smsc95xx-mdiobus"; + pdata->mdiobus->parent = &dev->udev->dev; + +@@ -1160,7 +1198,7 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf) + } + + pdata->phydev->irq = phy_irq; +- pdata->phydev->is_internal = is_internal_phy; ++ pdata->phydev->is_internal = pdata->is_internal_phy; + + /* detect device revision as different features may be available */ + ret = smsc95xx_read_reg(dev, ID_REV, &val); +-- +2.35.1 + diff --git a/queue-6.0/net-use-struct_group-to-copy-ip-ipv6-header-addresse.patch b/queue-6.0/net-use-struct_group-to-copy-ip-ipv6-header-addresse.patch new file mode 100644 index 00000000000..98d719ae825 --- /dev/null +++ b/queue-6.0/net-use-struct_group-to-copy-ip-ipv6-header-addresse.patch @@ -0,0 +1,111 @@ +From 7d9b3afd0bda689591bc6f2ddf885c705148216c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 22:24:00 +0800 +Subject: net: use struct_group to copy ip/ipv6 header addresses +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hangbin Liu + +[ Upstream commit 58e0be1ef6118c5352b56a4d06e974c5599993a5 ] + +kernel test robot reported warnings when build bonding module with +make W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash drivers/net/bonding/: + + from ../drivers/net/bonding/bond_main.c:35: +In function ‘fortify_memcpy_chk’, + inlined from ‘iph_to_flow_copy_v4addrs’ at ../include/net/ip.h:566:2, + inlined from ‘bond_flow_ip’ at ../drivers/net/bonding/bond_main.c:3984:3: +../include/linux/fortify-string.h:413:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of f +ield (2nd parameter); maybe use struct_group()? [-Wattribute-warning] + 413 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In function ‘fortify_memcpy_chk’, + inlined from ‘iph_to_flow_copy_v6addrs’ at ../include/net/ipv6.h:900:2, + inlined from ‘bond_flow_ip’ at ../drivers/net/bonding/bond_main.c:3994:3: +../include/linux/fortify-string.h:413:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of f +ield (2nd parameter); maybe use struct_group()? [-Wattribute-warning] + 413 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This is because we try to copy the whole ip/ip6 address to the flow_key, +while we only point the to ip/ip6 saddr. Note that since these are UAPI +headers, __struct_group() is used to avoid the compiler warnings. + +Reported-by: kernel test robot +Fixes: c3f8324188fa ("net: Add full IPv6 addresses to flow_keys") +Signed-off-by: Hangbin Liu +Link: https://lore.kernel.org/r/20221115142400.1204786-1-liuhangbin@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/ip.h | 2 +- + include/net/ipv6.h | 2 +- + include/uapi/linux/ip.h | 6 ++++-- + include/uapi/linux/ipv6.h | 6 ++++-- + 4 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/include/net/ip.h b/include/net/ip.h +index 1c979fd1904c..1eca38ac6c67 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -563,7 +563,7 @@ static inline void iph_to_flow_copy_v4addrs(struct flow_keys *flow, + BUILD_BUG_ON(offsetof(typeof(flow->addrs), v4addrs.dst) != + offsetof(typeof(flow->addrs), v4addrs.src) + + sizeof(flow->addrs.v4addrs.src)); +- memcpy(&flow->addrs.v4addrs, &iph->saddr, sizeof(flow->addrs.v4addrs)); ++ memcpy(&flow->addrs.v4addrs, &iph->addrs, sizeof(flow->addrs.v4addrs)); + flow->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS; + } + +diff --git a/include/net/ipv6.h b/include/net/ipv6.h +index de9dcc5652c4..59125562c1a4 100644 +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -897,7 +897,7 @@ static inline void iph_to_flow_copy_v6addrs(struct flow_keys *flow, + BUILD_BUG_ON(offsetof(typeof(flow->addrs), v6addrs.dst) != + offsetof(typeof(flow->addrs), v6addrs.src) + + sizeof(flow->addrs.v6addrs.src)); +- memcpy(&flow->addrs.v6addrs, &iph->saddr, sizeof(flow->addrs.v6addrs)); ++ memcpy(&flow->addrs.v6addrs, &iph->addrs, sizeof(flow->addrs.v6addrs)); + flow->control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS; + } + +diff --git a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h +index 961ec16a26b8..874a92349bf5 100644 +--- a/include/uapi/linux/ip.h ++++ b/include/uapi/linux/ip.h +@@ -100,8 +100,10 @@ struct iphdr { + __u8 ttl; + __u8 protocol; + __sum16 check; +- __be32 saddr; +- __be32 daddr; ++ __struct_group(/* no tag */, addrs, /* no attrs */, ++ __be32 saddr; ++ __be32 daddr; ++ ); + /*The options start here. */ + }; + +diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h +index 03cdbe798fe3..81f4243bebb1 100644 +--- a/include/uapi/linux/ipv6.h ++++ b/include/uapi/linux/ipv6.h +@@ -130,8 +130,10 @@ struct ipv6hdr { + __u8 nexthdr; + __u8 hop_limit; + +- struct in6_addr saddr; +- struct in6_addr daddr; ++ __struct_group(/* no tag */, addrs, /* no attrs */, ++ struct in6_addr saddr; ++ struct in6_addr daddr; ++ ); + }; + + +-- +2.35.1 + diff --git a/queue-6.0/perf-improve-missing-sigtrap-checking.patch b/queue-6.0/perf-improve-missing-sigtrap-checking.patch new file mode 100644 index 00000000000..6e9a948be2f --- /dev/null +++ b/queue-6.0/perf-improve-missing-sigtrap-checking.patch @@ -0,0 +1,102 @@ +From bea7b9eef5fb7e1dfd577c968382ea7189bece94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 10:35:13 +0100 +Subject: perf: Improve missing SIGTRAP checking + +From: Marco Elver + +[ Upstream commit bb88f9695460bec25aa30ba9072595025cf6c8af ] + +To catch missing SIGTRAP we employ a WARN in __perf_event_overflow(), +which fires if pending_sigtrap was already set: returning to user space +without consuming pending_sigtrap, and then having the event fire again +would re-enter the kernel and trigger the WARN. + +This, however, seemed to miss the case where some events not associated +with progress in the user space task can fire and the interrupt handler +runs before the IRQ work meant to consume pending_sigtrap (and generate +the SIGTRAP). + +syzbot gifted us this stack trace: + + | WARNING: CPU: 0 PID: 3607 at kernel/events/core.c:9313 __perf_event_overflow + | Modules linked in: + | CPU: 0 PID: 3607 Comm: syz-executor100 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d #0 + | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 + | RIP: 0010:__perf_event_overflow+0x498/0x540 kernel/events/core.c:9313 + | <...> + | Call Trace: + | + | perf_swevent_hrtimer+0x34f/0x3c0 kernel/events/core.c:10729 + | __run_hrtimer kernel/time/hrtimer.c:1685 [inline] + | __hrtimer_run_queues+0x1c6/0xfb0 kernel/time/hrtimer.c:1749 + | hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811 + | local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1096 [inline] + | __sysvec_apic_timer_interrupt+0x17c/0x640 arch/x86/kernel/apic/apic.c:1113 + | sysvec_apic_timer_interrupt+0x40/0xc0 arch/x86/kernel/apic/apic.c:1107 + | asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649 + | <...> + | + +In this case, syzbot produced a program with event type +PERF_TYPE_SOFTWARE and config PERF_COUNT_SW_CPU_CLOCK. The hrtimer +manages to fire again before the IRQ work got a chance to run, all while +never having returned to user space. + +Improve the WARN to check for real progress in user space: approximate +this by storing a 32-bit hash of the current IP into pending_sigtrap, +and if an event fires while pending_sigtrap still matches the previous +IP, we assume no progress (false negatives are possible given we could +return to user space and trigger again on the same IP). + +Fixes: ca6c21327c6a ("perf: Fix missing SIGTRAPs") +Reported-by: syzbot+b8ded3e2e2c6adde4990@syzkaller.appspotmail.com +Signed-off-by: Marco Elver +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20221031093513.3032814-1-elver@google.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 072ab26269c0..bec18d81b116 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -9282,14 +9282,27 @@ static int __perf_event_overflow(struct perf_event *event, + } + + if (event->attr.sigtrap) { +- /* +- * Should not be able to return to user space without processing +- * pending_sigtrap (kernel events can overflow multiple times). +- */ +- WARN_ON_ONCE(event->pending_sigtrap && event->attr.exclude_kernel); ++ unsigned int pending_id = 1; ++ ++ if (regs) ++ pending_id = hash32_ptr((void *)instruction_pointer(regs)) ?: 1; + if (!event->pending_sigtrap) { +- event->pending_sigtrap = 1; ++ event->pending_sigtrap = pending_id; + local_inc(&event->ctx->nr_pending); ++ } else if (event->attr.exclude_kernel) { ++ /* ++ * Should not be able to return to user space without ++ * consuming pending_sigtrap; with exceptions: ++ * ++ * 1. Where !exclude_kernel, events can overflow again ++ * in the kernel without returning to user space. ++ * ++ * 2. Events that can overflow again before the IRQ- ++ * work without user space progress (e.g. hrtimer). ++ * To approximate progress (with false negatives), ++ * check 32-bit hash of the current IP. ++ */ ++ WARN_ON_ONCE(event->pending_sigtrap != pending_id); + } + event->pending_addr = data->addr; + irq_work_queue(&event->pending_irq); +-- +2.35.1 + diff --git a/queue-6.0/perf-x86-amd-fix-crash-due-to-race-between-amd_pmu_e.patch b/queue-6.0/perf-x86-amd-fix-crash-due-to-race-between-amd_pmu_e.patch new file mode 100644 index 00000000000..74fe6011779 --- /dev/null +++ b/queue-6.0/perf-x86-amd-fix-crash-due-to-race-between-amd_pmu_e.patch @@ -0,0 +1,90 @@ +From d9d9ea383fd81ec7c6c99102c6253a102c83a146 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 10:10:29 +0530 +Subject: perf/x86/amd: Fix crash due to race between amd_pmu_enable_all, perf + NMI and throttling + +From: Ravi Bangoria + +[ Upstream commit baa014b9543c8e5e94f5d15b66abfe60750b8284 ] + +amd_pmu_enable_all() does: + + if (!test_bit(idx, cpuc->active_mask)) + continue; + + amd_pmu_enable_event(cpuc->events[idx]); + +A perf NMI of another event can come between these two steps. Perf NMI +handler internally disables and enables _all_ events, including the one +which nmi-intercepted amd_pmu_enable_all() was in process of enabling. +If that unintentionally enabled event has very low sampling period and +causes immediate successive NMI, causing the event to be throttled, +cpuc->events[idx] and cpuc->active_mask gets cleared by x86_pmu_stop(). +This will result in amd_pmu_enable_event() getting called with event=NULL +when amd_pmu_enable_all() resumes after handling the NMIs. This causes a +kernel crash: + + BUG: kernel NULL pointer dereference, address: 0000000000000198 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + [...] + Call Trace: + + amd_pmu_enable_all+0x68/0xb0 + ctx_resched+0xd9/0x150 + event_function+0xb8/0x130 + ? hrtimer_start_range_ns+0x141/0x4a0 + ? perf_duration_warn+0x30/0x30 + remote_function+0x4d/0x60 + __flush_smp_call_function_queue+0xc4/0x500 + flush_smp_call_function_queue+0x11d/0x1b0 + do_idle+0x18f/0x2d0 + cpu_startup_entry+0x19/0x20 + start_secondary+0x121/0x160 + secondary_startup_64_no_verify+0xe5/0xeb + + +amd_pmu_disable_all()/amd_pmu_enable_all() calls inside perf NMI handler +were recently added as part of BRS enablement but I'm not sure whether +we really need them. We can just disable BRS in the beginning and enable +it back while returning from NMI. This will solve the issue by not +enabling those events whose active_masks are set but are not yet enabled +in hw pmu. + +Fixes: ada543459cab ("perf/x86/amd: Add AMD Fam19h Branch Sampling support") +Reported-by: Linux Kernel Functional Testing +Signed-off-by: Ravi Bangoria +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20221114044029.373-1-ravi.bangoria@amd.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c +index 9ac3718410ce..7e39c47d7759 100644 +--- a/arch/x86/events/amd/core.c ++++ b/arch/x86/events/amd/core.c +@@ -896,8 +896,7 @@ static int amd_pmu_handle_irq(struct pt_regs *regs) + pmu_enabled = cpuc->enabled; + cpuc->enabled = 0; + +- /* stop everything (includes BRS) */ +- amd_pmu_disable_all(); ++ amd_brs_disable_all(); + + /* Drain BRS is in use (could be inactive) */ + if (cpuc->lbr_users) +@@ -908,7 +907,7 @@ static int amd_pmu_handle_irq(struct pt_regs *regs) + + cpuc->enabled = pmu_enabled; + if (pmu_enabled) +- amd_pmu_enable_all(0); ++ amd_brs_enable_all(); + + return amd_pmu_adjust_nmi_window(handled); + } +-- +2.35.1 + diff --git a/queue-6.0/ring-buffer-include-dropped-pages-in-counting-dirty-.patch b/queue-6.0/ring-buffer-include-dropped-pages-in-counting-dirty-.patch new file mode 100644 index 00000000000..5d0e2ec346d --- /dev/null +++ b/queue-6.0/ring-buffer-include-dropped-pages-in-counting-dirty-.patch @@ -0,0 +1,95 @@ +From 128a0f81a4f301ed6ca352a12bbd4124c4b6061b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Oct 2022 12:30:13 -0400 +Subject: ring-buffer: Include dropped pages in counting dirty patches + +From: Steven Rostedt (Google) + +[ Upstream commit 31029a8b2c7e656a0289194ef16415050ae4c4ac ] + +The function ring_buffer_nr_dirty_pages() was created to find out how many +pages are filled in the ring buffer. There's two running counters. One is +incremented whenever a new page is touched (pages_touched) and the other +is whenever a page is read (pages_read). The dirty count is the number +touched minus the number read. This is used to determine if a blocked task +should be woken up if the percentage of the ring buffer it is waiting for +is hit. + +The problem is that it does not take into account dropped pages (when the +new writes overwrite pages that were not read). And then the dirty pages +will always be greater than the percentage. + +This makes the "buffer_percent" file inaccurate, as the number of dirty +pages end up always being larger than the percentage, event when it's not +and this causes user space to be woken up more than it wants to be. + +Add a new counter to keep track of lost pages, and include that in the +accounting of dirty pages so that it is actually accurate. + +Link: https://lkml.kernel.org/r/20221021123013.55fb6055@gandalf.local.home + +Fixes: 2c2b0a78b3739 ("ring-buffer: Add percentage of ring buffer full to wake up reader") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/ring_buffer.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index c7e17f9f4935..0b93dc17457d 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -519,6 +519,7 @@ struct ring_buffer_per_cpu { + local_t committing; + local_t commits; + local_t pages_touched; ++ local_t pages_lost; + local_t pages_read; + long last_pages_touch; + size_t shortest_full; +@@ -894,10 +895,18 @@ size_t ring_buffer_nr_pages(struct trace_buffer *buffer, int cpu) + size_t ring_buffer_nr_dirty_pages(struct trace_buffer *buffer, int cpu) + { + size_t read; ++ size_t lost; + size_t cnt; + + read = local_read(&buffer->buffers[cpu]->pages_read); ++ lost = local_read(&buffer->buffers[cpu]->pages_lost); + cnt = local_read(&buffer->buffers[cpu]->pages_touched); ++ ++ if (WARN_ON_ONCE(cnt < lost)) ++ return 0; ++ ++ cnt -= lost; ++ + /* The reader can read an empty page, but not more than that */ + if (cnt < read) { + WARN_ON_ONCE(read > cnt + 1); +@@ -2031,6 +2040,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned long nr_pages) + */ + local_add(page_entries, &cpu_buffer->overrun); + local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes); ++ local_inc(&cpu_buffer->pages_lost); + } + + /* +@@ -2515,6 +2525,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer, + */ + local_add(entries, &cpu_buffer->overrun); + local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes); ++ local_inc(&cpu_buffer->pages_lost); + + /* + * The entries will be zeroed out when we move the +@@ -5265,6 +5276,7 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) + local_set(&cpu_buffer->committing, 0); + local_set(&cpu_buffer->commits, 0); + local_set(&cpu_buffer->pages_touched, 0); ++ local_set(&cpu_buffer->pages_lost, 0); + local_set(&cpu_buffer->pages_read, 0); + cpu_buffer->last_pages_touch = 0; + cpu_buffer->shortest_full = 0; +-- +2.35.1 + diff --git a/queue-6.0/scsi-scsi_debug-fix-possible-uaf-in-sdebug_add_host_.patch b/queue-6.0/scsi-scsi_debug-fix-possible-uaf-in-sdebug_add_host_.patch new file mode 100644 index 00000000000..e6383da8ac1 --- /dev/null +++ b/queue-6.0/scsi-scsi_debug-fix-possible-uaf-in-sdebug_add_host_.patch @@ -0,0 +1,44 @@ +From b5b714e455d4ee595ce24b917f990c3a0d2c265b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 08:44:21 +0000 +Subject: scsi: scsi_debug: Fix possible UAF in sdebug_add_host_helper() + +From: Yuan Can + +[ Upstream commit e208a1d795a08d1ac0398c79ad9c58106531bcc5 ] + +If device_register() fails in sdebug_add_host_helper(), it will goto clean +and sdbg_host will be freed, but sdbg_host->host_list will not be removed +from sdebug_host_list, then list traversal may cause UAF. Fix it. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yuan Can +Link: https://lore.kernel.org/r/20221117084421.58918-1-yuancan@huawei.com +Acked-by: Douglas Gilbert +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_debug.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c +index b8a76b89f85a..95f940f5c996 100644 +--- a/drivers/scsi/scsi_debug.c ++++ b/drivers/scsi/scsi_debug.c +@@ -7316,8 +7316,12 @@ static int sdebug_add_host_helper(int per_host_idx) + dev_set_name(&sdbg_host->dev, "adapter%d", sdebug_num_hosts); + + error = device_register(&sdbg_host->dev); +- if (error) ++ if (error) { ++ spin_lock(&sdebug_host_list_lock); ++ list_del(&sdbg_host->host_list); ++ spin_unlock(&sdebug_host_list_lock); + goto clean; ++ } + + ++sdebug_num_hosts; + return 0; +-- +2.35.1 + diff --git a/queue-6.0/scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch b/queue-6.0/scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch new file mode 100644 index 00000000000..c7a3d92b882 --- /dev/null +++ b/queue-6.0/scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch @@ -0,0 +1,51 @@ +From 8b9944c87d5b0750a8c85e0af2d464bf4c23eddf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 09:50:42 +0800 +Subject: scsi: target: tcm_loop: Fix possible name leak in + tcm_loop_setup_hba_bus() + +From: Yang Yingliang + +[ Upstream commit bc68e428d4963af0201e92159629ab96948f0893 ] + +If device_register() fails in tcm_loop_setup_hba_bus(), the name allocated +by dev_set_name() need be freed. As comment of device_register() says, it +should use put_device() to give up the reference in the error path. So fix +this by calling put_device(), then the name can be freed in kobject_cleanup(). +The 'tl_hba' will be freed in tcm_loop_release_adapter(), so it don't need +goto error label in this case. + +Fixes: 3703b2c5d041 ("[SCSI] tcm_loop: Add multi-fabric Linux/SCSI LLD fabric module") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221115015042.3652261-1-yangyingliang@huawei.com +Reviewed-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/loopback/tcm_loop.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/loopback/tcm_loop.c b/drivers/target/loopback/tcm_loop.c +index 4407b56aa6d1..139031ccb700 100644 +--- a/drivers/target/loopback/tcm_loop.c ++++ b/drivers/target/loopback/tcm_loop.c +@@ -397,6 +397,7 @@ static int tcm_loop_setup_hba_bus(struct tcm_loop_hba *tl_hba, int tcm_loop_host + ret = device_register(&tl_hba->dev); + if (ret) { + pr_err("device_register() failed for tl_hba->dev: %d\n", ret); ++ put_device(&tl_hba->dev); + return -ENODEV; + } + +@@ -1073,7 +1074,7 @@ static struct se_wwn *tcm_loop_make_scsi_hba( + */ + ret = tcm_loop_setup_hba_bus(tl_hba, tcm_loop_hba_no_cnt); + if (ret) +- goto out; ++ return ERR_PTR(ret); + + sh = tl_hba->sh; + tcm_loop_hba_no_cnt++; +-- +2.35.1 + diff --git a/queue-6.0/series b/queue-6.0/series index 6b2db914c8c..f5f1295b212 100644 --- a/queue-6.0/series +++ b/queue-6.0/series @@ -280,3 +280,19 @@ perf-x86-amd-uncore-fix-memory-leak-for-events-array.patch perf-x86-intel-pt-fix-sampling-using-single-range-output.patch nvme-restrict-management-ioctls-to-admin.patch nvme-ensure-subsystem-reset-is-single-threaded.patch +asoc-sof-topology-no-need-to-assign-core-id-if-token.patch +perf-improve-missing-sigtrap-checking.patch +vfio-rename-vfio_ioctl_check_extension.patch +vfio-split-the-register_device-ops-call-into-functio.patch +perf-x86-amd-fix-crash-due-to-race-between-amd_pmu_e.patch +l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch +ring-buffer-include-dropped-pages-in-counting-dirty-.patch +tracing-fix-warning-on-variable-struct-trace_array.patch +net-usb-smsc95xx-fix-external-phy-reset.patch +net-use-struct_group-to-copy-ip-ipv6-header-addresse.patch +scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch +scsi-scsi_debug-fix-possible-uaf-in-sdebug_add_host_.patch +kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch +tracing-fix-potential-null-pointer-access-of-entry-i.patch +arm64-mm-fix-incorrect-file_map_count-for-non-leaf-p.patch +input-i8042-fix-leaking-of-platform-device-on-module.patch diff --git a/queue-6.0/tracing-fix-potential-null-pointer-access-of-entry-i.patch b/queue-6.0/tracing-fix-potential-null-pointer-access-of-entry-i.patch new file mode 100644 index 00000000000..d79f1dd18c7 --- /dev/null +++ b/queue-6.0/tracing-fix-potential-null-pointer-access-of-entry-i.patch @@ -0,0 +1,69 @@ +From b679f6ae7c244262ea01122ef5549c8d6859feeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 18:46:32 +0800 +Subject: tracing: Fix potential null-pointer-access of entry in list + 'tr->err_log' + +From: Zheng Yejian + +[ Upstream commit 067df9e0ad48a97382ab2179bbe773a13a846028 ] + +Entries in list 'tr->err_log' will be reused after entry number +exceed TRACING_LOG_ERRS_MAX. + +The cmd string of the to be reused entry will be freed first then +allocated a new one. If the allocation failed, then the entry will +still be in list 'tr->err_log' but its 'cmd' field is set to be NULL, +later access of 'cmd' is risky. + +Currently above problem can cause the loss of 'cmd' information of first +entry in 'tr->err_log'. When execute `cat /sys/kernel/tracing/error_log`, +reproduce logs like: + [ 37.495100] trace_kprobe: error: Maxactive is not for kprobe(null) ^ + [ 38.412517] trace_kprobe: error: Maxactive is not for kprobe + Command: p4:myprobe2 do_sys_openat2 + ^ + +Link: https://lore.kernel.org/linux-trace-kernel/20221114104632.3547266-1-zhengyejian1@huawei.com + +Fixes: 1581a884b7ca ("tracing: Remove size restriction on tracing_log_err cmd strings") +Signed-off-by: Zheng Yejian +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 87d2f04152f9..7132e21e90d6 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -7803,6 +7803,7 @@ static struct tracing_log_err *get_tracing_log_err(struct trace_array *tr, + int len) + { + struct tracing_log_err *err; ++ char *cmd; + + if (tr->n_err_log_entries < TRACING_LOG_ERRS_MAX) { + err = alloc_tracing_log_err(len); +@@ -7811,12 +7812,12 @@ static struct tracing_log_err *get_tracing_log_err(struct trace_array *tr, + + return err; + } +- ++ cmd = kzalloc(len, GFP_KERNEL); ++ if (!cmd) ++ return ERR_PTR(-ENOMEM); + err = list_first_entry(&tr->err_log, struct tracing_log_err, list); + kfree(err->cmd); +- err->cmd = kzalloc(len, GFP_KERNEL); +- if (!err->cmd) +- return ERR_PTR(-ENOMEM); ++ err->cmd = cmd; + list_del(&err->list); + + return err; +-- +2.35.1 + diff --git a/queue-6.0/tracing-fix-warning-on-variable-struct-trace_array.patch b/queue-6.0/tracing-fix-warning-on-variable-struct-trace_array.patch new file mode 100644 index 00000000000..b9fa35c4b9d --- /dev/null +++ b/queue-6.0/tracing-fix-warning-on-variable-struct-trace_array.patch @@ -0,0 +1,54 @@ +From ac5cfa5b6327ef2b727476193747490e2856f224 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 21:35:56 +0530 +Subject: tracing: Fix warning on variable 'struct trace_array' + +From: Aashish Sharma + +[ Upstream commit bedf06833b1f63c2627bd5634602e05592129d7a ] + +Move the declaration of 'struct trace_array' out of #ifdef +CONFIG_TRACING block, to fix the following warning when CONFIG_TRACING +is not set: + +>> include/linux/trace.h:63:45: warning: 'struct trace_array' declared +inside parameter list will not be visible outside of this definition or +declaration + +Link: https://lkml.kernel.org/r/20221107160556.2139463-1-shraash@google.com + +Fixes: 1a77dd1c2bb5 ("scsi: tracing: Fix compile error in trace_array calls when TRACING is disabled") +Cc: "Martin K. Petersen" +Cc: Arun Easi +Acked-by: Masami Hiramatsu (Google) +Reviewed-by: Guenter Roeck +Signed-off-by: Aashish Sharma +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + include/linux/trace.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/trace.h b/include/linux/trace.h +index b5e16e438448..80ffda871749 100644 +--- a/include/linux/trace.h ++++ b/include/linux/trace.h +@@ -26,13 +26,13 @@ struct trace_export { + int flags; + }; + ++struct trace_array; ++ + #ifdef CONFIG_TRACING + + int register_ftrace_export(struct trace_export *export); + int unregister_ftrace_export(struct trace_export *export); + +-struct trace_array; +- + void trace_printk_init_buffers(void); + __printf(3, 4) + int trace_array_printk(struct trace_array *tr, unsigned long ip, +-- +2.35.1 + diff --git a/queue-6.0/vfio-rename-vfio_ioctl_check_extension.patch b/queue-6.0/vfio-rename-vfio_ioctl_check_extension.patch new file mode 100644 index 00000000000..a34492a3a63 --- /dev/null +++ b/queue-6.0/vfio-rename-vfio_ioctl_check_extension.patch @@ -0,0 +1,63 @@ +From 90308f9e61d67966cf039b10e2c63e5f2aa31d64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 16:20:24 -0300 +Subject: vfio: Rename vfio_ioctl_check_extension() + +From: Jason Gunthorpe + +[ Upstream commit 1408640d578887d7860737221043d91fc6d5a723 ] + +To vfio_container_ioctl_check_extension(). + +A following patch will turn this into a non-static function, make it clear +it is related to the container. + +Reviewed-by: Kevin Tian +Signed-off-by: Jason Gunthorpe +Link: https://lore.kernel.org/r/6-v3-297af71838d2+b9-vfio_container_split_jgg@nvidia.com +Signed-off-by: Alex Williamson +Stable-dep-of: 7fdba0011157 ("vfio: Fix container device registration life cycle") +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio_main.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/vfio/vfio_main.c b/drivers/vfio/vfio_main.c +index 7cb56c382c97..c555d497e9e8 100644 +--- a/drivers/vfio/vfio_main.c ++++ b/drivers/vfio/vfio_main.c +@@ -710,8 +710,9 @@ EXPORT_SYMBOL_GPL(vfio_unregister_group_dev); + /* + * VFIO base fd, /dev/vfio/vfio + */ +-static long vfio_ioctl_check_extension(struct vfio_container *container, +- unsigned long arg) ++static long ++vfio_container_ioctl_check_extension(struct vfio_container *container, ++ unsigned long arg) + { + struct vfio_iommu_driver *driver; + long ret = 0; +@@ -868,7 +869,7 @@ static long vfio_fops_unl_ioctl(struct file *filep, + ret = VFIO_API_VERSION; + break; + case VFIO_CHECK_EXTENSION: +- ret = vfio_ioctl_check_extension(container, arg); ++ ret = vfio_container_ioctl_check_extension(container, arg); + break; + case VFIO_SET_IOMMU: + ret = vfio_ioctl_set_iommu(container, arg); +@@ -1763,8 +1764,8 @@ bool vfio_file_enforced_coherent(struct file *file) + + down_read(&group->group_rwsem); + if (group->container) { +- ret = vfio_ioctl_check_extension(group->container, +- VFIO_DMA_CC_IOMMU); ++ ret = vfio_container_ioctl_check_extension(group->container, ++ VFIO_DMA_CC_IOMMU); + } else { + /* + * Since the coherency state is determined only once a container +-- +2.35.1 + diff --git a/queue-6.0/vfio-split-the-register_device-ops-call-into-functio.patch b/queue-6.0/vfio-split-the-register_device-ops-call-into-functio.patch new file mode 100644 index 00000000000..44f2e9d77a7 --- /dev/null +++ b/queue-6.0/vfio-split-the-register_device-ops-call-into-functio.patch @@ -0,0 +1,107 @@ +From 1c3b4f3d8e581e587322e2fb950294ee21f615a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 16:20:25 -0300 +Subject: vfio: Split the register_device ops call into functions + +From: Jason Gunthorpe + +[ Upstream commit 9446162e740aefff95c324ac0887f0b68c739695 ] + +This is a container item. + +A following patch will move the vfio_container functions to their own .c +file. + +Reviewed-by: Kevin Tian +Signed-off-by: Jason Gunthorpe +Link: https://lore.kernel.org/r/7-v3-297af71838d2+b9-vfio_container_split_jgg@nvidia.com +Signed-off-by: Alex Williamson +Stable-dep-of: 7fdba0011157 ("vfio: Fix container device registration life cycle") +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio_main.c | 39 +++++++++++++++++++++++---------------- + 1 file changed, 23 insertions(+), 16 deletions(-) + +diff --git a/drivers/vfio/vfio_main.c b/drivers/vfio/vfio_main.c +index c555d497e9e8..48ceca04d9b8 100644 +--- a/drivers/vfio/vfio_main.c ++++ b/drivers/vfio/vfio_main.c +@@ -1086,9 +1086,28 @@ static void vfio_device_unassign_container(struct vfio_device *device) + up_write(&device->group->group_rwsem); + } + ++static void vfio_device_container_register(struct vfio_device *device) ++{ ++ struct vfio_iommu_driver *iommu_driver = ++ device->group->container->iommu_driver; ++ ++ if (iommu_driver && iommu_driver->ops->register_device) ++ iommu_driver->ops->register_device( ++ device->group->container->iommu_data, device); ++} ++ ++static void vfio_device_container_unregister(struct vfio_device *device) ++{ ++ struct vfio_iommu_driver *iommu_driver = ++ device->group->container->iommu_driver; ++ ++ if (iommu_driver && iommu_driver->ops->unregister_device) ++ iommu_driver->ops->unregister_device( ++ device->group->container->iommu_data, device); ++} ++ + static struct file *vfio_device_open(struct vfio_device *device) + { +- struct vfio_iommu_driver *iommu_driver; + struct file *filep; + int ret; + +@@ -1119,12 +1138,7 @@ static struct file *vfio_device_open(struct vfio_device *device) + if (ret) + goto err_undo_count; + } +- +- iommu_driver = device->group->container->iommu_driver; +- if (iommu_driver && iommu_driver->ops->register_device) +- iommu_driver->ops->register_device( +- device->group->container->iommu_data, device); +- ++ vfio_device_container_register(device); + up_read(&device->group->group_rwsem); + } + mutex_unlock(&device->dev_set->lock); +@@ -1162,10 +1176,7 @@ static struct file *vfio_device_open(struct vfio_device *device) + if (device->open_count == 1 && device->ops->close_device) { + device->ops->close_device(device); + +- iommu_driver = device->group->container->iommu_driver; +- if (iommu_driver && iommu_driver->ops->unregister_device) +- iommu_driver->ops->unregister_device( +- device->group->container->iommu_data, device); ++ vfio_device_container_unregister(device); + } + err_undo_count: + up_read(&device->group->group_rwsem); +@@ -1361,7 +1372,6 @@ static const struct file_operations vfio_group_fops = { + static int vfio_device_fops_release(struct inode *inode, struct file *filep) + { + struct vfio_device *device = filep->private_data; +- struct vfio_iommu_driver *iommu_driver; + + mutex_lock(&device->dev_set->lock); + vfio_assert_device_open(device); +@@ -1369,10 +1379,7 @@ static int vfio_device_fops_release(struct inode *inode, struct file *filep) + if (device->open_count == 1 && device->ops->close_device) + device->ops->close_device(device); + +- iommu_driver = device->group->container->iommu_driver; +- if (iommu_driver && iommu_driver->ops->unregister_device) +- iommu_driver->ops->unregister_device( +- device->group->container->iommu_data, device); ++ vfio_device_container_unregister(device); + up_read(&device->group->group_rwsem); + device->open_count--; + if (device->open_count == 0) +-- +2.35.1 + -- 2.47.3