--- /dev/null
+From b18a456330e1c1ca207b57b45872f10336741388 Mon Sep 17 00:00:00 2001
+From: Emil Flink <emil.flink@gmail.com>
+Date: Tue, 15 Nov 2022 15:45:01 +0100
+Subject: ALSA: hda/realtek: fix speakers for Samsung Galaxy Book Pro
+
+From: Emil Flink <emil.flink@gmail.com>
+
+commit b18a456330e1c1ca207b57b45872f10336741388 upstream.
+
+The Samsung Galaxy Book Pro seems to have the same issue as a few
+other Samsung laptops, detailed in kernel bug report 207423. Sound from
+headphone jack works, but not the built-in speakers.
+
+alsa-info: http://alsa-project.org/db/?f=b40ba609dc6ae28dc84ad404a0d8a4bbcd8bea6d
+
+Signed-off-by: Emil Flink <emil.flink@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20221115144500.7782-1-emil.flink@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9007,6 +9007,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP),
++ SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc740, "Samsung Ativ book 8 (NP870Z5G)", ALC269_FIXUP_ATIV_BOOK_8),
+ SND_PCI_QUIRK(0x144d, 0xc812, "Samsung Notebook Pen S (NT950SBE-X58)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_AMP),
--- /dev/null
+From 1abfd71ee8f3ed99c5d0df5d9843a360541d6808 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 15 Nov 2022 18:02:35 +0100
+Subject: ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 1abfd71ee8f3ed99c5d0df5d9843a360541d6808 upstream.
+
+Samsung Galaxy Book Pro 360 (13" 2021 NP930QBD-ke1US) with codec SSID
+144d:c1a6 requires the same workaround for enabling the speaker amp
+like other Samsung models with ALC298 codec.
+
+Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1205100
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20221115170235.18875-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9008,6 +9008,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP),
++ SND_PCI_QUIRK(0x144d, 0xc1a6, "Samsung Galaxy Book Pro 360 (NP930QBD)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc740, "Samsung Ativ book 8 (NP870Z5G)", ALC269_FIXUP_ATIV_BOOK_8),
+ SND_PCI_QUIRK(0x144d, 0xc812, "Samsung Notebook Pen S (NT950SBE-X58)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_AMP),
--- /dev/null
+From ad72c3c3f6eb81d2cb189ec71e888316adada5df Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sat, 12 Nov 2022 15:12:23 +0100
+Subject: ALSA: usb-audio: Drop snd_BUG_ON() from snd_usbmidi_output_open()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit ad72c3c3f6eb81d2cb189ec71e888316adada5df upstream.
+
+snd_usbmidi_output_open() has a check of the NULL port with
+snd_BUG_ON(). snd_BUG_ON() was used as this shouldn't have happened,
+but in reality, the NULL port may be seen when the device gives an
+invalid endpoint setup at the descriptor, hence the driver skips the
+allocation. That is, the check itself is valid and snd_BUG_ON()
+should be dropped from there. Otherwise it's confusing as if it were
+a real bug, as recently syzbot stumbled on it.
+
+Reported-by: syzbot+9abda841d636d86c41da@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/syzbot+9abda841d636d86c41da@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20221112141223.6144-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/midi.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -1149,10 +1149,8 @@ static int snd_usbmidi_output_open(struc
+ port = &umidi->endpoints[i].out->ports[j];
+ break;
+ }
+- if (!port) {
+- snd_BUG();
++ if (!port)
+ return -ENXIO;
+- }
+
+ substream->runtime->private_data = port;
+ port->state = STATE_UNKNOWN;
--- /dev/null
+From 19ba6c8af9382c4c05dc6a0a79af3013b9a35cd0 Mon Sep 17 00:00:00 2001
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+Date: Wed, 16 Nov 2022 09:52:07 +0800
+Subject: ftrace: Fix null pointer dereference in ftrace_add_mod()
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+commit 19ba6c8af9382c4c05dc6a0a79af3013b9a35cd0 upstream.
+
+The @ftrace_mod is allocated by kzalloc(), so both the members {prev,next}
+of @ftrace_mode->list are NULL, it's not a valid state to call list_del().
+If kstrdup() for @ftrace_mod->{func|module} fails, it goes to @out_free
+tag and calls free_ftrace_mod() to destroy @ftrace_mod, then list_del()
+will write prev->next and next->prev, where null pointer dereference
+happens.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000008
+Oops: 0002 [#1] PREEMPT SMP NOPTI
+Call Trace:
+ <TASK>
+ ftrace_mod_callback+0x20d/0x220
+ ? do_filp_open+0xd9/0x140
+ ftrace_process_regex.isra.51+0xbf/0x130
+ ftrace_regex_write.isra.52.part.53+0x6e/0x90
+ vfs_write+0xee/0x3a0
+ ? __audit_filter_op+0xb1/0x100
+ ? auditd_test_task+0x38/0x50
+ ksys_write+0xa5/0xe0
+ do_syscall_64+0x3a/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+Kernel panic - not syncing: Fatal exception
+
+So call INIT_LIST_HEAD() to initialize the list member to fix this issue.
+
+Link: https://lkml.kernel.org/r/20221116015207.30858-1-xiujianfeng@huawei.com
+
+Cc: stable@vger.kernel.org
+Fixes: 673feb9d76ab ("ftrace: Add :mod: caching infrastructure to trace_array")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ftrace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -1295,6 +1295,7 @@ static int ftrace_add_mod(struct trace_a
+ if (!ftrace_mod)
+ return -ENOMEM;
+
++ INIT_LIST_HEAD(&ftrace_mod->list);
+ ftrace_mod->func = kstrdup(func, GFP_KERNEL);
+ ftrace_mod->module = kstrdup(module, GFP_KERNEL);
+ ftrace_mod->enable = enable;
--- /dev/null
+From 08948caebe93482db1adfd2154eba124f66d161d Mon Sep 17 00:00:00 2001
+From: Wang Wensheng <wangwensheng4@huawei.com>
+Date: Wed, 9 Nov 2022 09:44:32 +0000
+Subject: ftrace: Fix the possible incorrect kernel message
+
+From: Wang Wensheng <wangwensheng4@huawei.com>
+
+commit 08948caebe93482db1adfd2154eba124f66d161d upstream.
+
+If the number of mcount entries is an integer multiple of
+ENTRIES_PER_PAGE, the page count showing on the console would be wrong.
+
+Link: https://lkml.kernel.org/r/20221109094434.84046-2-wangwensheng4@huawei.com
+
+Cc: <mhiramat@kernel.org>
+Cc: <mark.rutland@arm.com>
+Cc: stable@vger.kernel.org
+Fixes: 5821e1b74f0d0 ("function tracing: fix wrong pos computing when read buffer has been fulfilled")
+Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ftrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -6877,7 +6877,7 @@ void __init ftrace_init(void)
+ }
+
+ pr_info("ftrace: allocating %ld entries in %ld pages\n",
+- count, count / ENTRIES_PER_PAGE + 1);
++ count, DIV_ROUND_UP(count, ENTRIES_PER_PAGE));
+
+ last_ftrace_enabled = ftrace_enabled = 1;
+
--- /dev/null
+From bcea02b096333dc74af987cb9685a4dbdd820840 Mon Sep 17 00:00:00 2001
+From: Wang Wensheng <wangwensheng4@huawei.com>
+Date: Wed, 9 Nov 2022 09:44:33 +0000
+Subject: ftrace: Optimize the allocation for mcount entries
+
+From: Wang Wensheng <wangwensheng4@huawei.com>
+
+commit bcea02b096333dc74af987cb9685a4dbdd820840 upstream.
+
+If we can't allocate this size, try something smaller with half of the
+size. Its order should be decreased by one instead of divided by two.
+
+Link: https://lkml.kernel.org/r/20221109094434.84046-3-wangwensheng4@huawei.com
+
+Cc: <mhiramat@kernel.org>
+Cc: <mark.rutland@arm.com>
+Cc: stable@vger.kernel.org
+Fixes: a79008755497d ("ftrace: Allocate the mcount record pages as groups")
+Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ftrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3178,7 +3178,7 @@ static int ftrace_allocate_records(struc
+ /* if we can't allocate this size, try something smaller */
+ if (!order)
+ return -ENOMEM;
+- order >>= 1;
++ order--;
+ goto again;
+ }
+
--- /dev/null
+From 56f4ca0a79a9f1af98f26c54b9b89ba1f9bcc6bd Mon Sep 17 00:00:00 2001
+From: Daniil Tatianin <d-tatianin@yandex-team.ru>
+Date: Mon, 14 Nov 2022 17:31:29 +0300
+Subject: ring_buffer: Do not deactivate non-existant pages
+
+From: Daniil Tatianin <d-tatianin@yandex-team.ru>
+
+commit 56f4ca0a79a9f1af98f26c54b9b89ba1f9bcc6bd upstream.
+
+rb_head_page_deactivate() expects cpu_buffer to contain a valid list of
+->pages, so verify that the list is actually present before calling it.
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE
+static analysis tool.
+
+Link: https://lkml.kernel.org/r/20221114143129.3534443-1-d-tatianin@yandex-team.ru
+
+Cc: stable@vger.kernel.org
+Fixes: 77ae365eca895 ("ring-buffer: make lockless")
+Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ring_buffer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -1635,9 +1635,9 @@ static void rb_free_cpu_buffer(struct ri
+
+ free_buffer_page(cpu_buffer->reader_page);
+
+- rb_head_page_deactivate(cpu_buffer);
+-
+ if (head) {
++ rb_head_page_deactivate(cpu_buffer);
++
+ list_for_each_entry_safe(bpage, tmp, head, list) {
+ list_del_init(&bpage->list);
+ free_buffer_page(bpage);
cifs-fix-wrong-return-value-checking-when-getflags.patch
net-thunderbolt-fix-error-handling-in-tbnet_init.patch
cifs-add-check-for-returning-value-of-smb2_set_info_.patch
+ftrace-fix-the-possible-incorrect-kernel-message.patch
+ftrace-optimize-the-allocation-for-mcount-entries.patch
+ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch
+ring_buffer-do-not-deactivate-non-existant-pages.patch
+tracing-ring-buffer-have-polling-block-on-watermark.patch
+tracing-fix-memory-leak-in-test_gen_synth_cmd-and-test_empty_synth_event.patch
+tracing-fix-wild-memory-access-in-register_synth_event.patch
+tracing-kprobe-fix-potential-null-ptr-deref-on-trace_event_file-in-kprobe_event_gen_test_exit.patch
+tracing-kprobe-fix-potential-null-ptr-deref-on-trace_array-in-kprobe_event_gen_test_exit.patch
+alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch
+alsa-hda-realtek-fix-speakers-for-samsung-galaxy-book-pro.patch
+alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch
--- /dev/null
+From a4527fef9afe5c903c718d0cd24609fe9c754250 Mon Sep 17 00:00:00 2001
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+Date: Thu, 17 Nov 2022 09:23:45 +0800
+Subject: tracing: Fix memory leak in test_gen_synth_cmd() and test_empty_synth_event()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+commit a4527fef9afe5c903c718d0cd24609fe9c754250 upstream.
+
+test_gen_synth_cmd() only free buf in fail path, hence buf will leak
+when there is no failure. Add kfree(buf) to prevent the memleak. The
+same reason and solution in test_empty_synth_event().
+
+unreferenced object 0xffff8881127de000 (size 2048):
+ comm "modprobe", pid 247, jiffies 4294972316 (age 78.756s)
+ hex dump (first 32 bytes):
+ 20 67 65 6e 5f 73 79 6e 74 68 5f 74 65 73 74 20 gen_synth_test
+ 20 70 69 64 5f 74 20 6e 65 78 74 5f 70 69 64 5f pid_t next_pid_
+ backtrace:
+ [<000000004254801a>] kmalloc_trace+0x26/0x100
+ [<0000000039eb1cf5>] 0xffffffffa00083cd
+ [<000000000e8c3bc8>] 0xffffffffa00086ba
+ [<00000000c293d1ea>] do_one_initcall+0xdb/0x480
+ [<00000000aa189e6d>] do_init_module+0x1cf/0x680
+ [<00000000d513222b>] load_module+0x6a50/0x70a0
+ [<000000001fd4d529>] __do_sys_finit_module+0x12f/0x1c0
+ [<00000000b36c4c0f>] do_syscall_64+0x3f/0x90
+ [<00000000bbf20cf3>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+unreferenced object 0xffff8881127df000 (size 2048):
+ comm "modprobe", pid 247, jiffies 4294972324 (age 78.728s)
+ hex dump (first 32 bytes):
+ 20 65 6d 70 74 79 5f 73 79 6e 74 68 5f 74 65 73 empty_synth_tes
+ 74 20 20 70 69 64 5f 74 20 6e 65 78 74 5f 70 69 t pid_t next_pi
+ backtrace:
+ [<000000004254801a>] kmalloc_trace+0x26/0x100
+ [<00000000d4db9a3d>] 0xffffffffa0008071
+ [<00000000c31354a5>] 0xffffffffa00086ce
+ [<00000000c293d1ea>] do_one_initcall+0xdb/0x480
+ [<00000000aa189e6d>] do_init_module+0x1cf/0x680
+ [<00000000d513222b>] load_module+0x6a50/0x70a0
+ [<000000001fd4d529>] __do_sys_finit_module+0x12f/0x1c0
+ [<00000000b36c4c0f>] do_syscall_64+0x3f/0x90
+ [<00000000bbf20cf3>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Link: https://lkml.kernel.org/r/20221117012346.22647-2-shangxiaojing@huawei.com
+
+Cc: <mhiramat@kernel.org>
+Cc: <zanussi@kernel.org>
+Cc: <fengguang.wu@intel.com>
+Cc: stable@vger.kernel.org
+Fixes: 9fe41efaca08 ("tracing: Add synth event generation test module")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/synth_event_gen_test.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+--- a/kernel/trace/synth_event_gen_test.c
++++ b/kernel/trace/synth_event_gen_test.c
+@@ -120,15 +120,13 @@ static int __init test_gen_synth_cmd(voi
+
+ /* Now generate a gen_synth_test event */
+ ret = synth_event_trace_array(gen_synth_test, vals, ARRAY_SIZE(vals));
+- out:
++ free:
++ kfree(buf);
+ return ret;
+ delete:
+ /* We got an error after creating the event, delete it */
+ synth_event_delete("gen_synth_test");
+- free:
+- kfree(buf);
+-
+- goto out;
++ goto free;
+ }
+
+ /*
+@@ -227,15 +225,13 @@ static int __init test_empty_synth_event
+
+ /* Now trace an empty_synth_test event */
+ ret = synth_event_trace_array(empty_synth_test, vals, ARRAY_SIZE(vals));
+- out:
++ free:
++ kfree(buf);
+ return ret;
+ delete:
+ /* We got an error after creating the event, delete it */
+ synth_event_delete("empty_synth_test");
+- free:
+- kfree(buf);
+-
+- goto out;
++ goto free;
+ }
+
+ static struct synth_field_desc create_synth_test_fields[] = {
--- /dev/null
+From 1b5f1c34d3f5a664a57a5a7557a50e4e3cc2505c Mon Sep 17 00:00:00 2001
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+Date: Thu, 17 Nov 2022 09:23:46 +0800
+Subject: tracing: Fix wild-memory-access in register_synth_event()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+commit 1b5f1c34d3f5a664a57a5a7557a50e4e3cc2505c upstream.
+
+In register_synth_event(), if set_synth_event_print_fmt() failed, then
+both trace_remove_event_call() and unregister_trace_event() will be
+called, which means the trace_event_call will call
+__unregister_trace_event() twice. As the result, the second unregister
+will causes the wild-memory-access.
+
+register_synth_event
+ set_synth_event_print_fmt failed
+ trace_remove_event_call
+ event_remove
+ if call->event.funcs then
+ __unregister_trace_event (first call)
+ unregister_trace_event
+ __unregister_trace_event (second call)
+
+Fix the bug by avoiding to call the second __unregister_trace_event() by
+checking if the first one is called.
+
+general protection fault, probably for non-canonical address
+ 0xfbd59c0000000024: 0000 [#1] SMP KASAN PTI
+KASAN: maybe wild-memory-access in range
+[0xdead000000000120-0xdead000000000127]
+CPU: 0 PID: 3807 Comm: modprobe Not tainted
+6.1.0-rc1-00186-g76f33a7eedb4 #299
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
+RIP: 0010:unregister_trace_event+0x6e/0x280
+Code: 00 fc ff df 4c 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 0e 02 00 00 48
+b8 00 00 00 00 00 fc ff df 4c 8b 63 08 4c 89 e2 48 c1 ea 03 <80> 3c 02
+00 0f 85 e2 01 00 00 49 89 2c 24 48 85 ed 74 28 e8 7a 9b
+RSP: 0018:ffff88810413f370 EFLAGS: 00010a06
+RAX: dffffc0000000000 RBX: ffff888105d050b0 RCX: 0000000000000000
+RDX: 1bd5a00000000024 RSI: ffff888119e276e0 RDI: ffffffff835a8b20
+RBP: dead000000000100 R08: 0000000000000000 R09: fffffbfff0913481
+R10: ffffffff8489a407 R11: fffffbfff0913480 R12: dead000000000122
+R13: ffff888105d050b8 R14: 0000000000000000 R15: ffff888105d05028
+FS: 00007f7823e8d540(0000) GS:ffff888119e00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f7823e7ebec CR3: 000000010a058002 CR4: 0000000000330ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ __create_synth_event+0x1e37/0x1eb0
+ create_or_delete_synth_event+0x110/0x250
+ synth_event_run_command+0x2f/0x110
+ test_gen_synth_cmd+0x170/0x2eb [synth_event_gen_test]
+ synth_event_gen_test_init+0x76/0x9bc [synth_event_gen_test]
+ do_one_initcall+0xdb/0x480
+ do_init_module+0x1cf/0x680
+ load_module+0x6a50/0x70a0
+ __do_sys_finit_module+0x12f/0x1c0
+ do_syscall_64+0x3f/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Link: https://lkml.kernel.org/r/20221117012346.22647-3-shangxiaojing@huawei.com
+
+Fixes: 4b147936fa50 ("tracing: Add support for 'synthetic' events")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Cc: stable@vger.kernel.org
+Cc: <mhiramat@kernel.org>
+Cc: <zanussi@kernel.org>
+Cc: <fengguang.wu@intel.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events_synth.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/kernel/trace/trace_events_synth.c
++++ b/kernel/trace/trace_events_synth.c
+@@ -791,10 +791,9 @@ static int register_synth_event(struct s
+ }
+
+ ret = set_synth_event_print_fmt(call);
+- if (ret < 0) {
++ /* unregister_trace_event() will be called inside */
++ if (ret < 0)
+ trace_remove_event_call(call);
+- goto err;
+- }
+ out:
+ return ret;
+ err:
--- /dev/null
+From 22ea4ca9631eb137e64e5ab899e9c89cb6670959 Mon Sep 17 00:00:00 2001
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+Date: Fri, 18 Nov 2022 10:15:34 +0900
+Subject: tracing: kprobe: Fix potential null-ptr-deref on trace_array in kprobe_event_gen_test_exit()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+commit 22ea4ca9631eb137e64e5ab899e9c89cb6670959 upstream.
+
+When test_gen_kprobe_cmd() failed after kprobe_event_gen_cmd_end(), it
+will goto delete, which will call kprobe_event_delete() and release the
+corresponding resource. However, the trace_array in gen_kretprobe_test
+will point to the invalid resource. Set gen_kretprobe_test to NULL
+after called kprobe_event_delete() to prevent null-ptr-deref.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000070
+PGD 0 P4D 0
+Oops: 0000 [#1] SMP PTI
+CPU: 0 PID: 246 Comm: modprobe Tainted: G W
+6.1.0-rc1-00174-g9522dc5c87da-dirty #248
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
+RIP: 0010:__ftrace_set_clr_event_nolock+0x53/0x1b0
+Code: e8 82 26 fc ff 49 8b 1e c7 44 24 0c ea ff ff ff 49 39 de 0f 84 3c
+01 00 00 c7 44 24 18 00 00 00 00 e8 61 26 fc ff 48 8b 6b 10 <44> 8b 65
+70 4c 8b 6d 18 41 f7 c4 00 02 00 00 75 2f
+RSP: 0018:ffffc9000159fe00 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: ffff88810971d268 RCX: 0000000000000000
+RDX: ffff8881080be600 RSI: ffffffff811b48ff RDI: ffff88810971d058
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
+R10: ffffc9000159fe58 R11: 0000000000000001 R12: ffffffffa0001064
+R13: ffffffffa000106c R14: ffff88810971d238 R15: 0000000000000000
+FS: 00007f89eeff6540(0000) GS:ffff88813b600000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000070 CR3: 000000010599e004 CR4: 0000000000330ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ __ftrace_set_clr_event+0x3e/0x60
+ trace_array_set_clr_event+0x35/0x50
+ ? 0xffffffffa0000000
+ kprobe_event_gen_test_exit+0xcd/0x10b [kprobe_event_gen_test]
+ __x64_sys_delete_module+0x206/0x380
+ ? lockdep_hardirqs_on_prepare+0xd8/0x190
+ ? syscall_enter_from_user_mode+0x1c/0x50
+ do_syscall_64+0x3f/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7f89eeb061b7
+
+Link: https://lore.kernel.org/all/20221108015130.28326-3-shangxiaojing@huawei.com/
+
+Fixes: 64836248dda2 ("tracing: Add kprobe event command generation test module")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Cc: stable@vger.kernel.org
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/kprobe_event_gen_test.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/trace/kprobe_event_gen_test.c
++++ b/kernel/trace/kprobe_event_gen_test.c
+@@ -143,6 +143,8 @@ static int __init test_gen_kprobe_cmd(vo
+ kfree(buf);
+ return ret;
+ delete:
++ if (trace_event_file_is_valid(gen_kprobe_test))
++ gen_kprobe_test = NULL;
+ /* We got an error after creating the event, delete it */
+ ret = kprobe_event_delete("gen_kprobe_test");
+ goto out;
+@@ -206,6 +208,8 @@ static int __init test_gen_kretprobe_cmd
+ kfree(buf);
+ return ret;
+ delete:
++ if (trace_event_file_is_valid(gen_kretprobe_test))
++ gen_kretprobe_test = NULL;
+ /* We got an error after creating the event, delete it */
+ ret = kprobe_event_delete("gen_kretprobe_test");
+ goto out;
--- /dev/null
+From e0d75267f59d7084e0468bd68beeb1bf9c71d7c0 Mon Sep 17 00:00:00 2001
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+Date: Fri, 18 Nov 2022 10:15:33 +0900
+Subject: tracing: kprobe: Fix potential null-ptr-deref on trace_event_file in kprobe_event_gen_test_exit()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+commit e0d75267f59d7084e0468bd68beeb1bf9c71d7c0 upstream.
+
+When trace_get_event_file() failed, gen_kretprobe_test will be assigned
+as the error code. If module kprobe_event_gen_test is removed now, the
+null pointer dereference will happen in kprobe_event_gen_test_exit().
+Check if gen_kprobe_test or gen_kretprobe_test is error code or NULL
+before dereference them.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000012
+PGD 0 P4D 0
+Oops: 0000 [#1] SMP PTI
+CPU: 3 PID: 2210 Comm: modprobe Not tainted
+6.1.0-rc1-00171-g2159299a3b74-dirty #217
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
+RIP: 0010:kprobe_event_gen_test_exit+0x1c/0xb5 [kprobe_event_gen_test]
+Code: Unable to access opcode bytes at 0xffffffff9ffffff2.
+RSP: 0018:ffffc900015bfeb8 EFLAGS: 00010246
+RAX: ffffffffffffffea RBX: ffffffffa0002080 RCX: 0000000000000000
+RDX: ffffffffa0001054 RSI: ffffffffa0001064 RDI: ffffffffdfc6349c
+RBP: ffffffffa0000000 R08: 0000000000000004 R09: 00000000001e95c0
+R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000800
+R13: ffffffffa0002420 R14: 0000000000000000 R15: 0000000000000000
+FS: 00007f56b75be540(0000) GS:ffff88813bc00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffff9ffffff2 CR3: 000000010874a006 CR4: 0000000000330ee0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ __x64_sys_delete_module+0x206/0x380
+ ? lockdep_hardirqs_on_prepare+0xd8/0x190
+ ? syscall_enter_from_user_mode+0x1c/0x50
+ do_syscall_64+0x3f/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Link: https://lore.kernel.org/all/20221108015130.28326-2-shangxiaojing@huawei.com/
+
+Fixes: 64836248dda2 ("tracing: Add kprobe event command generation test module")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/kprobe_event_gen_test.c | 44 ++++++++++++++++++++++-------------
+ 1 file changed, 28 insertions(+), 16 deletions(-)
+
+--- a/kernel/trace/kprobe_event_gen_test.c
++++ b/kernel/trace/kprobe_event_gen_test.c
+@@ -73,6 +73,10 @@ static struct trace_event_file *gen_kret
+ #define KPROBE_GEN_TEST_ARG3 NULL
+ #endif
+
++static bool trace_event_file_is_valid(struct trace_event_file *input)
++{
++ return input && !IS_ERR(input);
++}
+
+ /*
+ * Test to make sure we can create a kprobe event, then add more
+@@ -217,10 +221,12 @@ static int __init kprobe_event_gen_test_
+
+ ret = test_gen_kretprobe_cmd();
+ if (ret) {
+- WARN_ON(trace_array_set_clr_event(gen_kretprobe_test->tr,
+- "kprobes",
+- "gen_kretprobe_test", false));
+- trace_put_event_file(gen_kretprobe_test);
++ if (trace_event_file_is_valid(gen_kretprobe_test)) {
++ WARN_ON(trace_array_set_clr_event(gen_kretprobe_test->tr,
++ "kprobes",
++ "gen_kretprobe_test", false));
++ trace_put_event_file(gen_kretprobe_test);
++ }
+ WARN_ON(kprobe_event_delete("gen_kretprobe_test"));
+ }
+
+@@ -229,24 +235,30 @@ static int __init kprobe_event_gen_test_
+
+ static void __exit kprobe_event_gen_test_exit(void)
+ {
+- /* Disable the event or you can't remove it */
+- WARN_ON(trace_array_set_clr_event(gen_kprobe_test->tr,
+- "kprobes",
+- "gen_kprobe_test", false));
++ if (trace_event_file_is_valid(gen_kprobe_test)) {
++ /* Disable the event or you can't remove it */
++ WARN_ON(trace_array_set_clr_event(gen_kprobe_test->tr,
++ "kprobes",
++ "gen_kprobe_test", false));
++
++ /* Now give the file and instance back */
++ trace_put_event_file(gen_kprobe_test);
++ }
+
+- /* Now give the file and instance back */
+- trace_put_event_file(gen_kprobe_test);
+
+ /* Now unregister and free the event */
+ WARN_ON(kprobe_event_delete("gen_kprobe_test"));
+
+- /* Disable the event or you can't remove it */
+- WARN_ON(trace_array_set_clr_event(gen_kretprobe_test->tr,
+- "kprobes",
+- "gen_kretprobe_test", false));
++ if (trace_event_file_is_valid(gen_kretprobe_test)) {
++ /* Disable the event or you can't remove it */
++ WARN_ON(trace_array_set_clr_event(gen_kretprobe_test->tr,
++ "kprobes",
++ "gen_kretprobe_test", false));
++
++ /* Now give the file and instance back */
++ trace_put_event_file(gen_kretprobe_test);
++ }
+
+- /* Now give the file and instance back */
+- trace_put_event_file(gen_kretprobe_test);
+
+ /* Now unregister and free the event */
+ WARN_ON(kprobe_event_delete("gen_kretprobe_test"));
--- /dev/null
+From 42fb0a1e84ff525ebe560e2baf9451ab69127e2b Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
+Date: Thu, 20 Oct 2022 23:14:27 -0400
+Subject: tracing/ring-buffer: Have polling block on watermark
+
+From: Steven Rostedt (Google) <rostedt@goodmis.org>
+
+commit 42fb0a1e84ff525ebe560e2baf9451ab69127e2b upstream.
+
+Currently the way polling works on the ring buffer is broken. It will
+return immediately if there's any data in the ring buffer whereas a read
+will block until the watermark (defined by the tracefs buffer_percent file)
+is hit.
+
+That is, a select() or poll() will return as if there's data available,
+but then the following read will block. This is broken for the way
+select()s and poll()s are supposed to work.
+
+Have the polling on the ring buffer also block the same way reads and
+splice does on the ring buffer.
+
+Link: https://lkml.kernel.org/r/20221020231427.41be3f26@gandalf.local.home
+
+Cc: Linux Trace Kernel <linux-trace-kernel@vger.kernel.org>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Primiano Tucci <primiano@google.com>
+Cc: stable@vger.kernel.org
+Fixes: 1e0d6714aceb7 ("ring-buffer: Do not wake up a splice waiter when page is not full")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/ring_buffer.h | 2 -
+ kernel/trace/ring_buffer.c | 55 ++++++++++++++++++++++++++++----------------
+ kernel/trace/trace.c | 2 -
+ 3 files changed, 38 insertions(+), 21 deletions(-)
+
+--- a/include/linux/ring_buffer.h
++++ b/include/linux/ring_buffer.h
+@@ -99,7 +99,7 @@ __ring_buffer_alloc(unsigned long size,
+
+ int ring_buffer_wait(struct trace_buffer *buffer, int cpu, int full);
+ __poll_t ring_buffer_poll_wait(struct trace_buffer *buffer, int cpu,
+- struct file *filp, poll_table *poll_table);
++ struct file *filp, poll_table *poll_table, int full);
+ void ring_buffer_wake_waiters(struct trace_buffer *buffer, int cpu);
+
+ #define RING_BUFFER_ALL_CPUS -1
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -784,6 +784,21 @@ size_t ring_buffer_nr_dirty_pages(struct
+ return cnt - read;
+ }
+
++static __always_inline bool full_hit(struct trace_buffer *buffer, int cpu, int full)
++{
++ struct ring_buffer_per_cpu *cpu_buffer = buffer->buffers[cpu];
++ size_t nr_pages;
++ size_t dirty;
++
++ nr_pages = cpu_buffer->nr_pages;
++ if (!nr_pages || !full)
++ return true;
++
++ dirty = ring_buffer_nr_dirty_pages(buffer, cpu);
++
++ return (dirty * 100) > (full * nr_pages);
++}
++
+ /*
+ * rb_wake_up_waiters - wake up tasks waiting for ring buffer input
+ *
+@@ -912,22 +927,20 @@ int ring_buffer_wait(struct trace_buffer
+ !ring_buffer_empty_cpu(buffer, cpu)) {
+ unsigned long flags;
+ bool pagebusy;
+- size_t nr_pages;
+- size_t dirty;
++ bool done;
+
+ if (!full)
+ break;
+
+ raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags);
+ pagebusy = cpu_buffer->reader_page == cpu_buffer->commit_page;
+- nr_pages = cpu_buffer->nr_pages;
+- dirty = ring_buffer_nr_dirty_pages(buffer, cpu);
++ done = !pagebusy && full_hit(buffer, cpu, full);
++
+ if (!cpu_buffer->shortest_full ||
+ cpu_buffer->shortest_full > full)
+ cpu_buffer->shortest_full = full;
+ raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags);
+- if (!pagebusy &&
+- (!nr_pages || (dirty * 100) > full * nr_pages))
++ if (done)
+ break;
+ }
+
+@@ -953,6 +966,7 @@ int ring_buffer_wait(struct trace_buffer
+ * @cpu: the cpu buffer to wait on
+ * @filp: the file descriptor
+ * @poll_table: The poll descriptor
++ * @full: wait until the percentage of pages are available, if @cpu != RING_BUFFER_ALL_CPUS
+ *
+ * If @cpu == RING_BUFFER_ALL_CPUS then the task will wake up as soon
+ * as data is added to any of the @buffer's cpu buffers. Otherwise
+@@ -962,14 +976,15 @@ int ring_buffer_wait(struct trace_buffer
+ * zero otherwise.
+ */
+ __poll_t ring_buffer_poll_wait(struct trace_buffer *buffer, int cpu,
+- struct file *filp, poll_table *poll_table)
++ struct file *filp, poll_table *poll_table, int full)
+ {
+ struct ring_buffer_per_cpu *cpu_buffer;
+ struct rb_irq_work *work;
+
+- if (cpu == RING_BUFFER_ALL_CPUS)
++ if (cpu == RING_BUFFER_ALL_CPUS) {
+ work = &buffer->irq_work;
+- else {
++ full = 0;
++ } else {
+ if (!cpumask_test_cpu(cpu, buffer->cpumask))
+ return -EINVAL;
+
+@@ -977,8 +992,14 @@ __poll_t ring_buffer_poll_wait(struct tr
+ work = &cpu_buffer->irq_work;
+ }
+
+- poll_wait(filp, &work->waiters, poll_table);
+- work->waiters_pending = true;
++ if (full) {
++ poll_wait(filp, &work->full_waiters, poll_table);
++ work->full_waiters_pending = true;
++ } else {
++ poll_wait(filp, &work->waiters, poll_table);
++ work->waiters_pending = true;
++ }
++
+ /*
+ * There's a tight race between setting the waiters_pending and
+ * checking if the ring buffer is empty. Once the waiters_pending bit
+@@ -994,6 +1015,9 @@ __poll_t ring_buffer_poll_wait(struct tr
+ */
+ smp_mb();
+
++ if (full)
++ return full_hit(buffer, cpu, full) ? EPOLLIN | EPOLLRDNORM : 0;
++
+ if ((cpu == RING_BUFFER_ALL_CPUS && !ring_buffer_empty(buffer)) ||
+ (cpu != RING_BUFFER_ALL_CPUS && !ring_buffer_empty_cpu(buffer, cpu)))
+ return EPOLLIN | EPOLLRDNORM;
+@@ -3033,10 +3057,6 @@ static void rb_commit(struct ring_buffer
+ static __always_inline void
+ rb_wakeups(struct trace_buffer *buffer, struct ring_buffer_per_cpu *cpu_buffer)
+ {
+- size_t nr_pages;
+- size_t dirty;
+- size_t full;
+-
+ if (buffer->irq_work.waiters_pending) {
+ buffer->irq_work.waiters_pending = false;
+ /* irq_work_queue() supplies it's own memory barriers */
+@@ -3060,10 +3080,7 @@ rb_wakeups(struct trace_buffer *buffer,
+
+ cpu_buffer->last_pages_touch = local_read(&cpu_buffer->pages_touched);
+
+- full = cpu_buffer->shortest_full;
+- nr_pages = cpu_buffer->nr_pages;
+- dirty = ring_buffer_nr_dirty_pages(buffer, cpu_buffer->cpu);
+- if (full && nr_pages && (dirty * 100) <= full * nr_pages)
++ if (!full_hit(buffer, cpu_buffer->cpu, cpu_buffer->shortest_full))
+ return;
+
+ cpu_buffer->irq_work.wakeup_full = true;
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -6263,7 +6263,7 @@ trace_poll(struct trace_iterator *iter,
+ return EPOLLIN | EPOLLRDNORM;
+ else
+ return ring_buffer_poll_wait(iter->array_buffer->buffer, iter->cpu_file,
+- filp, poll_table);
++ filp, poll_table, iter->tr->buffer_percent);
+ }
+
+ static __poll_t
projects / thirdparty / kernel / stable-queue.git / commitdiff
