Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Tue, 22 Nov 2022 15:18:00 +0000 (10:18 -0500)
committerSasha Levin <sashal@kernel.org>
Tue, 22 Nov 2022 15:18:00 +0000 (10:18 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.4/input-i8042-fix-leaking-of-platform-device-on-module.patch [new file with mode: 0644]
queue-5.4/kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch [new file with mode: 0644]
queue-5.4/ring-buffer-include-dropped-pages-in-counting-dirty-.patch [new file with mode: 0644]
queue-5.4/scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/input-i8042-fix-leaking-of-platform-device-on-module.patch b/queue-5.4/input-i8042-fix-leaking-of-platform-device-on-module.patch
new file mode 100644 (file)
index 0000000..6f07f40
--- /dev/null
@@ -0,0 +1,54 @@
+From 66cf7633bc242f88113816ddb1682dd6e6b6f7e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 15:40:03 -0800
+Subject: Input: i8042 - fix leaking of platform device on module removal
+
+From: Chen Jun <chenjun102@huawei.com>
+
+[ Upstream commit 81cd7e8489278d28794e7b272950c3e00c344e44 ]
+
+Avoid resetting the module-wide i8042_platform_device pointer in
+i8042_probe() or i8042_remove(), so that the device can be properly
+destroyed by i8042_exit() on module unload.
+
+Fixes: 9222ba68c3f4 ("Input: i8042 - add deferred probe support")
+Signed-off-by: Chen Jun <chenjun102@huawei.com>
+Link: https://lore.kernel.org/r/20221109034148.23821-1-chenjun102@huawei.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/serio/i8042.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c
+index bb76ff2f6b1d..dc40f6099dcf 100644
+--- a/drivers/input/serio/i8042.c
++++ b/drivers/input/serio/i8042.c
+@@ -1540,8 +1540,6 @@ static int i8042_probe(struct platform_device *dev)
+ {
+       int error;
+-      i8042_platform_device = dev;
+-
+       if (i8042_reset == I8042_RESET_ALWAYS) {
+               error = i8042_controller_selftest();
+               if (error)
+@@ -1579,7 +1577,6 @@ static int i8042_probe(struct platform_device *dev)
+       i8042_free_aux_ports(); /* in case KBD failed but AUX not */
+       i8042_free_irqs();
+       i8042_controller_reset(false);
+-      i8042_platform_device = NULL;
+       return error;
+ }
+@@ -1589,7 +1586,6 @@ static int i8042_remove(struct platform_device *dev)
+       i8042_unregister_ports();
+       i8042_free_irqs();
+       i8042_controller_reset(false);
+-      i8042_platform_device = NULL;
+       return 0;
+ }
+-- 
+2.35.1
+
diff --git a/queue-5.4/kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch b/queue-5.4/kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch
new file mode 100644 (file)
index 0000000..ef9718d
--- /dev/null
@@ -0,0 +1,75 @@
+From e81fbce4b78da31a10781c28a8e337589ae31404 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 10:15:34 +0900
+Subject: kprobes: Skip clearing aggrprobe's post_handler in kprobe-on-ftrace
+ case
+
+From: Li Huafei <lihuafei1@huawei.com>
+
+[ Upstream commit 5dd7caf0bdc5d0bae7cf9776b4d739fb09bd5ebb ]
+
+In __unregister_kprobe_top(), if the currently unregistered probe has
+post_handler but other child probes of the aggrprobe do not have
+post_handler, the post_handler of the aggrprobe is cleared. If this is
+a ftrace-based probe, there is a problem. In later calls to
+disarm_kprobe(), we will use kprobe_ftrace_ops because post_handler is
+NULL. But we're armed with kprobe_ipmodify_ops. This triggers a WARN in
+__disarm_kprobe_ftrace() and may even cause use-after-free:
+
+  Failed to disarm kprobe-ftrace at kernel_clone+0x0/0x3c0 (error -2)
+  WARNING: CPU: 5 PID: 137 at kernel/kprobes.c:1135 __disarm_kprobe_ftrace.isra.21+0xcf/0xe0
+  Modules linked in: testKprobe_007(-)
+  CPU: 5 PID: 137 Comm: rmmod Not tainted 6.1.0-rc4-dirty #18
+  [...]
+  Call Trace:
+   <TASK>
+   __disable_kprobe+0xcd/0xe0
+   __unregister_kprobe_top+0x12/0x150
+   ? mutex_lock+0xe/0x30
+   unregister_kprobes.part.23+0x31/0xa0
+   unregister_kprobe+0x32/0x40
+   __x64_sys_delete_module+0x15e/0x260
+   ? do_user_addr_fault+0x2cd/0x6b0
+   do_syscall_64+0x3a/0x90
+   entry_SYSCALL_64_after_hwframe+0x63/0xcd
+   [...]
+
+For the kprobe-on-ftrace case, we keep the post_handler setting to
+identify this aggrprobe armed with kprobe_ipmodify_ops. This way we
+can disarm it correctly.
+
+Link: https://lore.kernel.org/all/20221112070000.35299-1-lihuafei1@huawei.com/
+
+Fixes: 0bc11ed5ab60 ("kprobes: Allow kprobes coexist with livepatch")
+Reported-by: Zhao Gongyi <zhaogongyi@huawei.com>
+Suggested-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Li Huafei <lihuafei1@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kprobes.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/kprobes.c b/kernel/kprobes.c
+index f8ea8cf694c6..3de56ca28017 100644
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1792,7 +1792,13 @@ static int __unregister_kprobe_top(struct kprobe *p)
+                               if ((list_p != p) && (list_p->post_handler))
+                                       goto noclean;
+                       }
+-                      ap->post_handler = NULL;
++                      /*
++                       * For the kprobe-on-ftrace case, we keep the
++                       * post_handler setting to identify this aggrprobe
++                       * armed with kprobe_ipmodify_ops.
++                       */
++                      if (!kprobe_ftrace(ap))
++                              ap->post_handler = NULL;
+               }
+ noclean:
+               /*
+-- 
+2.35.1
+
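Review bot: The comment added above `if (!kprobe_ftrace(ap))` in __unregister_kprobe_top() says post_handler is kept "to identify" the ops, but not what breaks if someone later clears it, and per the commit message that is a failed disarm that may end in a use-after-free. I would state the coupling explicitly, e.g. `/* disarm_kprobe() chooses kprobe_ipmodify_ops vs kprobe_ftrace_ops from ap->post_handler; clearing it here makes the later disarm fail */`. The function starts and ends outside the hunk, so it cannot be confirmed from here that the retained handler is safe to invoke once no child probe has a post_handler; that is worth checking against the 5.4 tree before this is released.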
diff --git a/queue-5.4/ring-buffer-include-dropped-pages-in-counting-dirty-.patch b/queue-5.4/ring-buffer-include-dropped-pages-in-counting-dirty-.patch
new file mode 100644 (file)
index 0000000..2040e99
--- /dev/null
@@ -0,0 +1,95 @@
+From 50164e4d5f8064d97c63971c92186ef2c56ec336 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 12:30:13 -0400
+Subject: ring-buffer: Include dropped pages in counting dirty patches
+
+From: Steven Rostedt (Google) <rostedt@goodmis.org>
+
+[ Upstream commit 31029a8b2c7e656a0289194ef16415050ae4c4ac ]
+
+The function ring_buffer_nr_dirty_pages() was created to find out how many
+pages are filled in the ring buffer. There's two running counters. One is
+incremented whenever a new page is touched (pages_touched) and the other
+is whenever a page is read (pages_read). The dirty count is the number
+touched minus the number read. This is used to determine if a blocked task
+should be woken up if the percentage of the ring buffer it is waiting for
+is hit.
+
+The problem is that it does not take into account dropped pages (when the
+new writes overwrite pages that were not read). And then the dirty pages
+will always be greater than the percentage.
+
+This makes the "buffer_percent" file inaccurate, as the number of dirty
+pages end up always being larger than the percentage, event when it's not
+and this causes user space to be woken up more than it wants to be.
+
+Add a new counter to keep track of lost pages, and include that in the
+accounting of dirty pages so that it is actually accurate.
+
+Link: https://lkml.kernel.org/r/20221021123013.55fb6055@gandalf.local.home
+
+Fixes: 2c2b0a78b3739 ("ring-buffer: Add percentage of ring buffer full to wake up reader")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/ring_buffer.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
+index f1dd405b98a5..c4234430afea 100644
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -477,6 +477,7 @@ struct ring_buffer_per_cpu {
+       local_t                         committing;
+       local_t                         commits;
+       local_t                         pages_touched;
++      local_t                         pages_lost;
+       local_t                         pages_read;
+       long                            last_pages_touch;
+       size_t                          shortest_full;
+@@ -544,10 +545,18 @@ size_t ring_buffer_nr_pages(struct ring_buffer *buffer, int cpu)
+ size_t ring_buffer_nr_dirty_pages(struct ring_buffer *buffer, int cpu)
+ {
+       size_t read;
++      size_t lost;
+       size_t cnt;
+       read = local_read(&buffer->buffers[cpu]->pages_read);
++      lost = local_read(&buffer->buffers[cpu]->pages_lost);
+       cnt = local_read(&buffer->buffers[cpu]->pages_touched);
++
++      if (WARN_ON_ONCE(cnt < lost))
++              return 0;
++
++      cnt -= lost;
++
+       /* The reader can read an empty page, but not more than that */
+       if (cnt < read) {
+               WARN_ON_ONCE(read > cnt + 1);
+@@ -1599,6 +1608,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned long nr_pages)
+                        */
+                       local_add(page_entries, &cpu_buffer->overrun);
+                       local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
++                      local_inc(&cpu_buffer->pages_lost);
+               }
+               /*
+@@ -2023,6 +2033,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer,
+                */
+               local_add(entries, &cpu_buffer->overrun);
+               local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
++              local_inc(&cpu_buffer->pages_lost);
+               /*
+                * The entries will be zeroed out when we move the
+@@ -4475,6 +4486,7 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
+       local_set(&cpu_buffer->committing, 0);
+       local_set(&cpu_buffer->commits, 0);
+       local_set(&cpu_buffer->pages_touched, 0);
++      local_set(&cpu_buffer->pages_lost, 0);
+       local_set(&cpu_buffer->pages_read, 0);
+       cpu_buffer->last_pages_touch = 0;
+       cpu_buffer->shortest_full = 0;
+-- 
+2.35.1
+
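Review bot: The new `WARN_ON_ONCE(cnt < lost)` guard in ring_buffer_nr_dirty_pages() assumes the three counters form a consistent snapshot, but they are sampled with three separate `local_read()` calls and nothing visible in the hunk stops a writer from advancing between them. Reading pages_lost before pages_touched looks like it keeps the check conservative, so if that order is deliberate it deserves a comment such as `/* read pages_lost before pages_touched so a concurrent overwrite cannot make lost exceed touched */`. On hosts that run with panic_on_warn a spurious hit is a crash rather than a log line, so it is worth confirming that the ordering also holds when the reader runs on a different CPU. The early `return 0` also reports "no dirty pages" to the waiter logic in that state, which seems acceptable but should be a conscious choice; the rest of the function lies outside the hunk.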
diff --git a/queue-5.4/scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch b/queue-5.4/scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch
new file mode 100644 (file)
index 0000000..d61b7da
--- /dev/null
@@ -0,0 +1,51 @@
+From b0fcefbeacb1e346e1f5eadfdf5611c6bf366492 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 09:50:42 +0800
+Subject: scsi: target: tcm_loop: Fix possible name leak in
+ tcm_loop_setup_hba_bus()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit bc68e428d4963af0201e92159629ab96948f0893 ]
+
+If device_register() fails in tcm_loop_setup_hba_bus(), the name allocated
+by dev_set_name() need be freed. As comment of device_register() says, it
+should use put_device() to give up the reference in the error path. So fix
+this by calling put_device(), then the name can be freed in kobject_cleanup().
+The 'tl_hba' will be freed in tcm_loop_release_adapter(), so it don't need
+goto error label in this case.
+
+Fixes: 3703b2c5d041 ("[SCSI] tcm_loop: Add multi-fabric Linux/SCSI LLD fabric module")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221115015042.3652261-1-yangyingliang@huawei.com
+Reviewed-by: Mike Christie <michael.chritie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/loopback/tcm_loop.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/target/loopback/tcm_loop.c b/drivers/target/loopback/tcm_loop.c
+index 16d5a4e117a2..5ae5d94c5b93 100644
+--- a/drivers/target/loopback/tcm_loop.c
++++ b/drivers/target/loopback/tcm_loop.c
+@@ -394,6 +394,7 @@ static int tcm_loop_setup_hba_bus(struct tcm_loop_hba *tl_hba, int tcm_loop_host
+       ret = device_register(&tl_hba->dev);
+       if (ret) {
+               pr_err("device_register() failed for tl_hba->dev: %d\n", ret);
++              put_device(&tl_hba->dev);
+               return -ENODEV;
+       }
+@@ -1072,7 +1073,7 @@ static struct se_wwn *tcm_loop_make_scsi_hba(
+        */
+       ret = tcm_loop_setup_hba_bus(tl_hba, tcm_loop_hba_no_cnt);
+       if (ret)
+-              goto out;
++              return ERR_PTR(ret);
+       sh = tl_hba->sh;
+       tcm_loop_hba_no_cnt++;
+-- 
+2.35.1
+
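Review bot: The switch from `goto out` to `return ERR_PTR(ret)` in tcm_loop_make_scsi_hba() is what prevents a double free of tl_hba after the new `put_device()`, but nothing at the call site says so, and the two hunks are about 700 lines apart. I would add a comment on the new return, e.g. `/* tl_hba was released by put_device() in tcm_loop_setup_hba_bus(); do not fall through to the kfree at out: */`. Only the device_register() failure path of tcm_loop_setup_hba_bus() is visible here; if the 5.4 version of that function has any other error return that does not drop the reference, the direct return would leak tl_hba instead, so that is worth checking on the backport.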
index 161c965e0480b8be135d821ecb8085a8b8ce7e0f..0309c224cb70a1fe6e60cf6d3b3073c30dd704d8 100644 (file)
@@ -137,3 +137,7 @@ mmc-sdhci-pci-fix-possible-memory-leak-caused-by-missing-pci_dev_put.patch
 docs-update-mediator-contact-information-in-coc-doc.patch
 misc-vmw_vmci-fix-an-infoleak-in-vmci_host_do_receive_datagram.patch
 serial-8250-flush-dma-rx-on-rlsi.patch
+ring-buffer-include-dropped-pages-in-counting-dirty-.patch
+scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch
+kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch
+input-i8042-fix-leaking-of-platform-device-on-module.patch