--- /dev/null
+From 8583482465c8e95cd4e1780c780f9b2fadb9483c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 15:40:03 -0800
+Subject: Input: i8042 - fix leaking of platform device on module removal
+
+From: Chen Jun <chenjun102@huawei.com>
+
+[ Upstream commit 81cd7e8489278d28794e7b272950c3e00c344e44 ]
+
+Avoid resetting the module-wide i8042_platform_device pointer in
+i8042_probe() or i8042_remove(), so that the device can be properly
+destroyed by i8042_exit() on module unload.
+
+Fixes: 9222ba68c3f4 ("Input: i8042 - add deferred probe support")
+Signed-off-by: Chen Jun <chenjun102@huawei.com>
+Link: https://lore.kernel.org/r/20221109034148.23821-1-chenjun102@huawei.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/serio/i8042.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c
+index 3fc0a89cc785..f132d6dfc25e 100644
+--- a/drivers/input/serio/i8042.c
++++ b/drivers/input/serio/i8042.c
+@@ -1543,8 +1543,6 @@ static int i8042_probe(struct platform_device *dev)
+ {
+ int error;
+
+- i8042_platform_device = dev;
+-
+ if (i8042_reset == I8042_RESET_ALWAYS) {
+ error = i8042_controller_selftest();
+ if (error)
+@@ -1582,7 +1580,6 @@ static int i8042_probe(struct platform_device *dev)
+ i8042_free_aux_ports(); /* in case KBD failed but AUX not */
+ i8042_free_irqs();
+ i8042_controller_reset(false);
+- i8042_platform_device = NULL;
+
+ return error;
+ }
+@@ -1592,7 +1589,6 @@ static int i8042_remove(struct platform_device *dev)
+ i8042_unregister_ports();
+ i8042_free_irqs();
+ i8042_controller_reset(false);
+- i8042_platform_device = NULL;
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 5d219eee02e184a5553ea9ab9fb054ec16a6dd1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 10:15:34 +0900
+Subject: kprobes: Skip clearing aggrprobe's post_handler in kprobe-on-ftrace
+ case
+
+From: Li Huafei <lihuafei1@huawei.com>
+
+[ Upstream commit 5dd7caf0bdc5d0bae7cf9776b4d739fb09bd5ebb ]
+
+In __unregister_kprobe_top(), if the currently unregistered probe has
+post_handler but other child probes of the aggrprobe do not have
+post_handler, the post_handler of the aggrprobe is cleared. If this is
+a ftrace-based probe, there is a problem. In later calls to
+disarm_kprobe(), we will use kprobe_ftrace_ops because post_handler is
+NULL. But we're armed with kprobe_ipmodify_ops. This triggers a WARN in
+__disarm_kprobe_ftrace() and may even cause use-after-free:
+
+ Failed to disarm kprobe-ftrace at kernel_clone+0x0/0x3c0 (error -2)
+ WARNING: CPU: 5 PID: 137 at kernel/kprobes.c:1135 __disarm_kprobe_ftrace.isra.21+0xcf/0xe0
+ Modules linked in: testKprobe_007(-)
+ CPU: 5 PID: 137 Comm: rmmod Not tainted 6.1.0-rc4-dirty #18
+ [...]
+ Call Trace:
+ <TASK>
+ __disable_kprobe+0xcd/0xe0
+ __unregister_kprobe_top+0x12/0x150
+ ? mutex_lock+0xe/0x30
+ unregister_kprobes.part.23+0x31/0xa0
+ unregister_kprobe+0x32/0x40
+ __x64_sys_delete_module+0x15e/0x260
+ ? do_user_addr_fault+0x2cd/0x6b0
+ do_syscall_64+0x3a/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ [...]
+
+For the kprobe-on-ftrace case, we keep the post_handler setting to
+identify this aggrprobe armed with kprobe_ipmodify_ops. This way we
+can disarm it correctly.
+
+Link: https://lore.kernel.org/all/20221112070000.35299-1-lihuafei1@huawei.com/
+
+Fixes: 0bc11ed5ab60 ("kprobes: Allow kprobes coexist with livepatch")
+Reported-by: Zhao Gongyi <zhaogongyi@huawei.com>
+Suggested-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Li Huafei <lihuafei1@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kprobes.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/kprobes.c b/kernel/kprobes.c
+index 55fffb7e6f1c..23af2f8e8563 100644
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1760,7 +1760,13 @@ static int __unregister_kprobe_top(struct kprobe *p)
+ if ((list_p != p) && (list_p->post_handler))
+ goto noclean;
+ }
+- ap->post_handler = NULL;
++ /*
++ * For the kprobe-on-ftrace case, we keep the
++ * post_handler setting to identify this aggrprobe
++ * armed with kprobe_ipmodify_ops.
++ */
++ if (!kprobe_ftrace(ap))
++ ap->post_handler = NULL;
+ }
+ noclean:
+ /*
+--
+2.35.1
+
--- /dev/null
+From 66cc0051914a5ae7ce96f56e9cfda4edb8f8fe3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 20:16:19 +0100
+Subject: l2tp: Serialize access to sk_user_data with sk_callback_lock
+
+From: Jakub Sitnicki <jakub@cloudflare.com>
+
+[ Upstream commit b68777d54fac21fc833ec26ea1a2a84f975ab035 ]
+
+sk->sk_user_data has multiple users, which are not compatible with each
+other. Writers must synchronize by grabbing the sk->sk_callback_lock.
+
+l2tp currently fails to grab the lock when modifying the underlying tunnel
+socket fields. Fix it by adding appropriate locking.
+
+We err on the side of safety and grab the sk_callback_lock also inside the
+sk_destruct callback overridden by l2tp, even though there should be no
+refs allowing access to the sock at the time when sk_destruct gets called.
+
+v4:
+- serialize write to sk_user_data in l2tp sk_destruct
+
+v3:
+- switch from sock lock to sk_callback_lock
+- document write-protection for sk_user_data
+
+v2:
+- update Fixes to point to origin of the bug
+- use real names in Reported/Tested-by tags
+
+Cc: Tom Parkin <tparkin@katalix.com>
+Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
+Reported-by: Haowei Yan <g1042620637@gmail.com>
+Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 2 +-
+ net/l2tp/l2tp_core.c | 19 +++++++++++++------
+ 2 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index e1a303e4f0f7..3e9db5146765 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -323,7 +323,7 @@ struct bpf_local_storage;
+ * @sk_tskey: counter to disambiguate concurrent tstamp requests
+ * @sk_zckey: counter to order MSG_ZEROCOPY notifications
+ * @sk_socket: Identd and reporting IO signals
+- * @sk_user_data: RPC layer private data
++ * @sk_user_data: RPC layer private data. Write-protected by @sk_callback_lock.
+ * @sk_frag: cached page frag
+ * @sk_peek_off: current peek_offset value
+ * @sk_send_head: front of stuff to transmit
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index 93271a2632b8..c77032638a06 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1150,8 +1150,10 @@ static void l2tp_tunnel_destruct(struct sock *sk)
+ }
+
+ /* Remove hooks into tunnel socket */
++ write_lock_bh(&sk->sk_callback_lock);
+ sk->sk_destruct = tunnel->old_sk_destruct;
+ sk->sk_user_data = NULL;
++ write_unlock_bh(&sk->sk_callback_lock);
+
+ /* Call the original destructor */
+ if (sk->sk_destruct)
+@@ -1471,16 +1473,18 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+ sock = sockfd_lookup(tunnel->fd, &ret);
+ if (!sock)
+ goto err;
+-
+- ret = l2tp_validate_socket(sock->sk, net, tunnel->encap);
+- if (ret < 0)
+- goto err_sock;
+ }
+
++ sk = sock->sk;
++ write_lock(&sk->sk_callback_lock);
++
++ ret = l2tp_validate_socket(sk, net, tunnel->encap);
++ if (ret < 0)
++ goto err_sock;
++
+ tunnel->l2tp_net = net;
+ pn = l2tp_pernet(net);
+
+- sk = sock->sk;
+ sock_hold(sk);
+ tunnel->sock = sk;
+
+@@ -1506,7 +1510,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+
+ setup_udp_tunnel_sock(net, sock, &udp_cfg);
+ } else {
+- sk->sk_user_data = tunnel;
++ rcu_assign_sk_user_data(sk, tunnel);
+ }
+
+ tunnel->old_sk_destruct = sk->sk_destruct;
+@@ -1520,6 +1524,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+ if (tunnel->fd >= 0)
+ sockfd_put(sock);
+
++ write_unlock(&sk->sk_callback_lock);
+ return 0;
+
+ err_sock:
+@@ -1527,6 +1532,8 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+ sock_release(sock);
+ else
+ sockfd_put(sock);
++
++ write_unlock(&sk->sk_callback_lock);
+ err:
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From 34f39f88b5e2a8448e622faf3060acd490bcc680 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 22:24:00 +0800
+Subject: net: use struct_group to copy ip/ipv6 header addresses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 58e0be1ef6118c5352b56a4d06e974c5599993a5 ]
+
+kernel test robot reported warnings when build bonding module with
+make W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash drivers/net/bonding/:
+
+ from ../drivers/net/bonding/bond_main.c:35:
+In function ‘fortify_memcpy_chk’,
+ inlined from ‘iph_to_flow_copy_v4addrs’ at ../include/net/ip.h:566:2,
+ inlined from ‘bond_flow_ip’ at ../drivers/net/bonding/bond_main.c:3984:3:
+../include/linux/fortify-string.h:413:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of f
+ield (2nd parameter); maybe use struct_group()? [-Wattribute-warning]
+ 413 | __read_overflow2_field(q_size_field, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In function ‘fortify_memcpy_chk’,
+ inlined from ‘iph_to_flow_copy_v6addrs’ at ../include/net/ipv6.h:900:2,
+ inlined from ‘bond_flow_ip’ at ../drivers/net/bonding/bond_main.c:3994:3:
+../include/linux/fortify-string.h:413:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of f
+ield (2nd parameter); maybe use struct_group()? [-Wattribute-warning]
+ 413 | __read_overflow2_field(q_size_field, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This is because we try to copy the whole ip/ip6 address to the flow_key,
+while we only point the to ip/ip6 saddr. Note that since these are UAPI
+headers, __struct_group() is used to avoid the compiler warnings.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: c3f8324188fa ("net: Add full IPv6 addresses to flow_keys")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://lore.kernel.org/r/20221115142400.1204786-1-liuhangbin@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip.h | 2 +-
+ include/net/ipv6.h | 2 +-
+ include/uapi/linux/ip.h | 6 ++++--
+ include/uapi/linux/ipv6.h | 6 ++++--
+ 4 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/ip.h b/include/net/ip.h
+index 8462ced0c21e..6ae923c55cf4 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -559,7 +559,7 @@ static inline void iph_to_flow_copy_v4addrs(struct flow_keys *flow,
+ BUILD_BUG_ON(offsetof(typeof(flow->addrs), v4addrs.dst) !=
+ offsetof(typeof(flow->addrs), v4addrs.src) +
+ sizeof(flow->addrs.v4addrs.src));
+- memcpy(&flow->addrs.v4addrs, &iph->saddr, sizeof(flow->addrs.v4addrs));
++ memcpy(&flow->addrs.v4addrs, &iph->addrs, sizeof(flow->addrs.v4addrs));
+ flow->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
+ }
+
+diff --git a/include/net/ipv6.h b/include/net/ipv6.h
+index 359540dfc033..a5e18d65c82d 100644
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -843,7 +843,7 @@ static inline void iph_to_flow_copy_v6addrs(struct flow_keys *flow,
+ BUILD_BUG_ON(offsetof(typeof(flow->addrs), v6addrs.dst) !=
+ offsetof(typeof(flow->addrs), v6addrs.src) +
+ sizeof(flow->addrs.v6addrs.src));
+- memcpy(&flow->addrs.v6addrs, &iph->saddr, sizeof(flow->addrs.v6addrs));
++ memcpy(&flow->addrs.v6addrs, &iph->addrs, sizeof(flow->addrs.v6addrs));
+ flow->control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
+ }
+
+diff --git a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
+index e42d13b55cf3..d2f143393780 100644
+--- a/include/uapi/linux/ip.h
++++ b/include/uapi/linux/ip.h
+@@ -100,8 +100,10 @@ struct iphdr {
+ __u8 ttl;
+ __u8 protocol;
+ __sum16 check;
+- __be32 saddr;
+- __be32 daddr;
++ __struct_group(/* no tag */, addrs, /* no attrs */,
++ __be32 saddr;
++ __be32 daddr;
++ );
+ /*The options start here. */
+ };
+
+diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h
+index b243a53fa985..62e5e16ef539 100644
+--- a/include/uapi/linux/ipv6.h
++++ b/include/uapi/linux/ipv6.h
+@@ -130,8 +130,10 @@ struct ipv6hdr {
+ __u8 nexthdr;
+ __u8 hop_limit;
+
+- struct in6_addr saddr;
+- struct in6_addr daddr;
++ __struct_group(/* no tag */, addrs, /* no attrs */,
++ struct in6_addr saddr;
++ struct in6_addr daddr;
++ );
+ };
+
+
+--
+2.35.1
+
--- /dev/null
+From 642f2fb052023b0d51613d682d26ceab3ac1a5f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 10:35:13 +0100
+Subject: perf: Improve missing SIGTRAP checking
+
+From: Marco Elver <elver@google.com>
+
+[ Upstream commit bb88f9695460bec25aa30ba9072595025cf6c8af ]
+
+To catch missing SIGTRAP we employ a WARN in __perf_event_overflow(),
+which fires if pending_sigtrap was already set: returning to user space
+without consuming pending_sigtrap, and then having the event fire again
+would re-enter the kernel and trigger the WARN.
+
+This, however, seemed to miss the case where some events not associated
+with progress in the user space task can fire and the interrupt handler
+runs before the IRQ work meant to consume pending_sigtrap (and generate
+the SIGTRAP).
+
+syzbot gifted us this stack trace:
+
+ | WARNING: CPU: 0 PID: 3607 at kernel/events/core.c:9313 __perf_event_overflow
+ | Modules linked in:
+ | CPU: 0 PID: 3607 Comm: syz-executor100 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d #0
+ | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
+ | RIP: 0010:__perf_event_overflow+0x498/0x540 kernel/events/core.c:9313
+ | <...>
+ | Call Trace:
+ | <TASK>
+ | perf_swevent_hrtimer+0x34f/0x3c0 kernel/events/core.c:10729
+ | __run_hrtimer kernel/time/hrtimer.c:1685 [inline]
+ | __hrtimer_run_queues+0x1c6/0xfb0 kernel/time/hrtimer.c:1749
+ | hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811
+ | local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1096 [inline]
+ | __sysvec_apic_timer_interrupt+0x17c/0x640 arch/x86/kernel/apic/apic.c:1113
+ | sysvec_apic_timer_interrupt+0x40/0xc0 arch/x86/kernel/apic/apic.c:1107
+ | asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649
+ | <...>
+ | </TASK>
+
+In this case, syzbot produced a program with event type
+PERF_TYPE_SOFTWARE and config PERF_COUNT_SW_CPU_CLOCK. The hrtimer
+manages to fire again before the IRQ work got a chance to run, all while
+never having returned to user space.
+
+Improve the WARN to check for real progress in user space: approximate
+this by storing a 32-bit hash of the current IP into pending_sigtrap,
+and if an event fires while pending_sigtrap still matches the previous
+IP, we assume no progress (false negatives are possible given we could
+return to user space and trigger again on the same IP).
+
+Fixes: ca6c21327c6a ("perf: Fix missing SIGTRAPs")
+Reported-by: syzbot+b8ded3e2e2c6adde4990@syzkaller.appspotmail.com
+Signed-off-by: Marco Elver <elver@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20221031093513.3032814-1-elver@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 59654c737168..60cb300fa0d0 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -9323,14 +9323,27 @@ static int __perf_event_overflow(struct perf_event *event,
+ }
+
+ if (event->attr.sigtrap) {
+- /*
+- * Should not be able to return to user space without processing
+- * pending_sigtrap (kernel events can overflow multiple times).
+- */
+- WARN_ON_ONCE(event->pending_sigtrap && event->attr.exclude_kernel);
++ unsigned int pending_id = 1;
++
++ if (regs)
++ pending_id = hash32_ptr((void *)instruction_pointer(regs)) ?: 1;
+ if (!event->pending_sigtrap) {
+- event->pending_sigtrap = 1;
++ event->pending_sigtrap = pending_id;
+ local_inc(&event->ctx->nr_pending);
++ } else if (event->attr.exclude_kernel) {
++ /*
++ * Should not be able to return to user space without
++ * consuming pending_sigtrap; with exceptions:
++ *
++ * 1. Where !exclude_kernel, events can overflow again
++ * in the kernel without returning to user space.
++ *
++ * 2. Events that can overflow again before the IRQ-
++ * work without user space progress (e.g. hrtimer).
++ * To approximate progress (with false negatives),
++ * check 32-bit hash of the current IP.
++ */
++ WARN_ON_ONCE(event->pending_sigtrap != pending_id);
+ }
+ event->pending_addr = data->addr;
+ irq_work_queue(&event->pending_irq);
+--
+2.35.1
+
--- /dev/null
+From c1aaa4422d76f8db97f699d89c63dde8ea5bf700 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 12:30:13 -0400
+Subject: ring-buffer: Include dropped pages in counting dirty patches
+
+From: Steven Rostedt (Google) <rostedt@goodmis.org>
+
+[ Upstream commit 31029a8b2c7e656a0289194ef16415050ae4c4ac ]
+
+The function ring_buffer_nr_dirty_pages() was created to find out how many
+pages are filled in the ring buffer. There's two running counters. One is
+incremented whenever a new page is touched (pages_touched) and the other
+is whenever a page is read (pages_read). The dirty count is the number
+touched minus the number read. This is used to determine if a blocked task
+should be woken up if the percentage of the ring buffer it is waiting for
+is hit.
+
+The problem is that it does not take into account dropped pages (when the
+new writes overwrite pages that were not read). And then the dirty pages
+will always be greater than the percentage.
+
+This makes the "buffer_percent" file inaccurate, as the number of dirty
+pages end up always being larger than the percentage, event when it's not
+and this causes user space to be woken up more than it wants to be.
+
+Add a new counter to keep track of lost pages, and include that in the
+accounting of dirty pages so that it is actually accurate.
+
+Link: https://lkml.kernel.org/r/20221021123013.55fb6055@gandalf.local.home
+
+Fixes: 2c2b0a78b3739 ("ring-buffer: Add percentage of ring buffer full to wake up reader")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/ring_buffer.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
+index 5346405fc4b9..ffc8696e6746 100644
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -510,6 +510,7 @@ struct ring_buffer_per_cpu {
+ local_t committing;
+ local_t commits;
+ local_t pages_touched;
++ local_t pages_lost;
+ local_t pages_read;
+ long last_pages_touch;
+ size_t shortest_full;
+@@ -858,10 +859,18 @@ size_t ring_buffer_nr_pages(struct trace_buffer *buffer, int cpu)
+ size_t ring_buffer_nr_dirty_pages(struct trace_buffer *buffer, int cpu)
+ {
+ size_t read;
++ size_t lost;
+ size_t cnt;
+
+ read = local_read(&buffer->buffers[cpu]->pages_read);
++ lost = local_read(&buffer->buffers[cpu]->pages_lost);
+ cnt = local_read(&buffer->buffers[cpu]->pages_touched);
++
++ if (WARN_ON_ONCE(cnt < lost))
++ return 0;
++
++ cnt -= lost;
++
+ /* The reader can read an empty page, but not more than that */
+ if (cnt < read) {
+ WARN_ON_ONCE(read > cnt + 1);
+@@ -1995,6 +2004,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned long nr_pages)
+ */
+ local_add(page_entries, &cpu_buffer->overrun);
+ local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
++ local_inc(&cpu_buffer->pages_lost);
+ }
+
+ /*
+@@ -2479,6 +2489,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer,
+ */
+ local_add(entries, &cpu_buffer->overrun);
+ local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
++ local_inc(&cpu_buffer->pages_lost);
+
+ /*
+ * The entries will be zeroed out when we move the
+@@ -5223,6 +5234,7 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
+ local_set(&cpu_buffer->committing, 0);
+ local_set(&cpu_buffer->commits, 0);
+ local_set(&cpu_buffer->pages_touched, 0);
++ local_set(&cpu_buffer->pages_lost, 0);
+ local_set(&cpu_buffer->pages_read, 0);
+ cpu_buffer->last_pages_touch = 0;
+ cpu_buffer->shortest_full = 0;
+--
+2.35.1
+
--- /dev/null
+From 9471d628c033bfb072cf97b96f70a391dad92927 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 08:44:21 +0000
+Subject: scsi: scsi_debug: Fix possible UAF in sdebug_add_host_helper()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit e208a1d795a08d1ac0398c79ad9c58106531bcc5 ]
+
+If device_register() fails in sdebug_add_host_helper(), it will goto clean
+and sdbg_host will be freed, but sdbg_host->host_list will not be removed
+from sdebug_host_list, then list traversal may cause UAF. Fix it.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Link: https://lore.kernel.org/r/20221117084421.58918-1-yuancan@huawei.com
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_debug.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
+index 747e1cbb7ec9..2b5e249f5d5b 100644
+--- a/drivers/scsi/scsi_debug.c
++++ b/drivers/scsi/scsi_debug.c
+@@ -7132,8 +7132,12 @@ static int sdebug_add_host_helper(int per_host_idx)
+ dev_set_name(&sdbg_host->dev, "adapter%d", sdebug_num_hosts);
+
+ error = device_register(&sdbg_host->dev);
+- if (error)
++ if (error) {
++ spin_lock(&sdebug_host_list_lock);
++ list_del(&sdbg_host->host_list);
++ spin_unlock(&sdebug_host_list_lock);
+ goto clean;
++ }
+
+ ++sdebug_num_hosts;
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 8b804f56a3a65c22059b4fa2f339188d52e107c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 09:50:42 +0800
+Subject: scsi: target: tcm_loop: Fix possible name leak in
+ tcm_loop_setup_hba_bus()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit bc68e428d4963af0201e92159629ab96948f0893 ]
+
+If device_register() fails in tcm_loop_setup_hba_bus(), the name allocated
+by dev_set_name() need be freed. As comment of device_register() says, it
+should use put_device() to give up the reference in the error path. So fix
+this by calling put_device(), then the name can be freed in kobject_cleanup().
+The 'tl_hba' will be freed in tcm_loop_release_adapter(), so it don't need
+goto error label in this case.
+
+Fixes: 3703b2c5d041 ("[SCSI] tcm_loop: Add multi-fabric Linux/SCSI LLD fabric module")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221115015042.3652261-1-yangyingliang@huawei.com
+Reviewed-by: Mike Christie <michael.chritie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/loopback/tcm_loop.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/target/loopback/tcm_loop.c b/drivers/target/loopback/tcm_loop.c
+index 52db28d868d5..600a4d1ee45f 100644
+--- a/drivers/target/loopback/tcm_loop.c
++++ b/drivers/target/loopback/tcm_loop.c
+@@ -397,6 +397,7 @@ static int tcm_loop_setup_hba_bus(struct tcm_loop_hba *tl_hba, int tcm_loop_host
+ ret = device_register(&tl_hba->dev);
+ if (ret) {
+ pr_err("device_register() failed for tl_hba->dev: %d\n", ret);
++ put_device(&tl_hba->dev);
+ return -ENODEV;
+ }
+
+@@ -1073,7 +1074,7 @@ static struct se_wwn *tcm_loop_make_scsi_hba(
+ */
+ ret = tcm_loop_setup_hba_bus(tl_hba, tcm_loop_hba_no_cnt);
+ if (ret)
+- goto out;
++ return ERR_PTR(ret);
+
+ sh = tl_hba->sh;
+ tcm_loop_hba_no_cnt++;
+--
+2.35.1
+
nvme-restrict-management-ioctls-to-admin.patch
nvme-ensure-subsystem-reset-is-single-threaded.patch
serial-8250_lpss-use-16b-dma-burst-with-elkhart-lake.patch
+perf-improve-missing-sigtrap-checking.patch
+l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch
+ring-buffer-include-dropped-pages-in-counting-dirty-.patch
+tracing-fix-warning-on-variable-struct-trace_array.patch
+net-use-struct_group-to-copy-ip-ipv6-header-addresse.patch
+scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch
+scsi-scsi_debug-fix-possible-uaf-in-sdebug_add_host_.patch
+kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch
+input-i8042-fix-leaking-of-platform-device-on-module.patch
--- /dev/null
+From ef6b60196262189aec7b237ebc3cb9aef6180d8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 21:35:56 +0530
+Subject: tracing: Fix warning on variable 'struct trace_array'
+
+From: Aashish Sharma <shraash@google.com>
+
+[ Upstream commit bedf06833b1f63c2627bd5634602e05592129d7a ]
+
+Move the declaration of 'struct trace_array' out of #ifdef
+CONFIG_TRACING block, to fix the following warning when CONFIG_TRACING
+is not set:
+
+>> include/linux/trace.h:63:45: warning: 'struct trace_array' declared
+inside parameter list will not be visible outside of this definition or
+declaration
+
+Link: https://lkml.kernel.org/r/20221107160556.2139463-1-shraash@google.com
+
+Fixes: 1a77dd1c2bb5 ("scsi: tracing: Fix compile error in trace_array calls when TRACING is disabled")
+Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
+Cc: Arun Easi <aeasi@marvell.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Aashish Sharma <shraash@google.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/trace.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/trace.h b/include/linux/trace.h
+index b5e16e438448..80ffda871749 100644
+--- a/include/linux/trace.h
++++ b/include/linux/trace.h
+@@ -26,13 +26,13 @@ struct trace_export {
+ int flags;
+ };
+
++struct trace_array;
++
+ #ifdef CONFIG_TRACING
+
+ int register_ftrace_export(struct trace_export *export);
+ int unregister_ftrace_export(struct trace_export *export);
+
+-struct trace_array;
+-
+ void trace_printk_init_buffers(void);
+ __printf(3, 4)
+ int trace_array_printk(struct trace_array *tr, unsigned long ip,
+--
+2.35.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
