From: Greg Kroah-Hartman Date: Mon, 21 Nov 2022 11:23:42 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.19.266~39 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9df2bc73434fdec9f25a240f6a416d7b6527e6f7;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: alsa-hda-realtek-fix-speakers-for-samsung-galaxy-book-pro.patch alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch ftrace-fix-the-possible-incorrect-kernel-message.patch ftrace-optimize-the-allocation-for-mcount-entries.patch ring_buffer-do-not-deactivate-non-existant-pages.patch tracing-fix-memory-leak-in-test_gen_synth_cmd-and-test_empty_synth_event.patch tracing-fix-wild-memory-access-in-register_synth_event.patch tracing-kprobe-fix-potential-null-ptr-deref-on-trace_array-in-kprobe_event_gen_test_exit.patch tracing-kprobe-fix-potential-null-ptr-deref-on-trace_event_file-in-kprobe_event_gen_test_exit.patch tracing-ring-buffer-have-polling-block-on-watermark.patch --- diff --git a/queue-5.10/alsa-hda-realtek-fix-speakers-for-samsung-galaxy-book-pro.patch b/queue-5.10/alsa-hda-realtek-fix-speakers-for-samsung-galaxy-book-pro.patch new file mode 100644 index 00000000000..1bf12d7b6fb --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-fix-speakers-for-samsung-galaxy-book-pro.patch @@ -0,0 +1,34 @@ +From b18a456330e1c1ca207b57b45872f10336741388 Mon Sep 17 00:00:00 2001 +From: Emil Flink +Date: Tue, 15 Nov 2022 15:45:01 +0100 +Subject: ALSA: hda/realtek: fix speakers for Samsung Galaxy Book Pro + +From: Emil Flink + +commit b18a456330e1c1ca207b57b45872f10336741388 upstream. + +The Samsung Galaxy Book Pro seems to have the same issue as a few +other Samsung laptops, detailed in kernel bug report 207423. Sound from +headphone jack works, but not the built-in speakers. + +alsa-info: http://alsa-project.org/db/?f=b40ba609dc6ae28dc84ad404a0d8a4bbcd8bea6d + +Signed-off-by: Emil Flink +Cc: +Link: https://lore.kernel.org/r/20221115144500.7782-1-emil.flink@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9007,6 +9007,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc740, "Samsung Ativ book 8 (NP870Z5G)", ALC269_FIXUP_ATIV_BOOK_8), + SND_PCI_QUIRK(0x144d, 0xc812, "Samsung Notebook Pen S (NT950SBE-X58)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_AMP), diff --git a/queue-5.10/alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch b/queue-5.10/alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch new file mode 100644 index 00000000000..e00bfb8b8ec --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch @@ -0,0 +1,32 @@ +From 1abfd71ee8f3ed99c5d0df5d9843a360541d6808 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 15 Nov 2022 18:02:35 +0100 +Subject: ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 + +From: Takashi Iwai + +commit 1abfd71ee8f3ed99c5d0df5d9843a360541d6808 upstream. + +Samsung Galaxy Book Pro 360 (13" 2021 NP930QBD-ke1US) with codec SSID +144d:c1a6 requires the same workaround for enabling the speaker amp +like other Samsung models with ALC298 codec. + +Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1205100 +Cc: +Link: https://lore.kernel.org/r/20221115170235.18875-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9008,6 +9008,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc1a6, "Samsung Galaxy Book Pro 360 (NP930QBD)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc740, "Samsung Ativ book 8 (NP870Z5G)", ALC269_FIXUP_ATIV_BOOK_8), + SND_PCI_QUIRK(0x144d, 0xc812, "Samsung Notebook Pen S (NT950SBE-X58)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_AMP), diff --git a/queue-5.10/alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch b/queue-5.10/alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch new file mode 100644 index 00000000000..0c21ca9037e --- /dev/null +++ b/queue-5.10/alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch @@ -0,0 +1,41 @@ +From ad72c3c3f6eb81d2cb189ec71e888316adada5df Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sat, 12 Nov 2022 15:12:23 +0100 +Subject: ALSA: usb-audio: Drop snd_BUG_ON() from snd_usbmidi_output_open() + +From: Takashi Iwai + +commit ad72c3c3f6eb81d2cb189ec71e888316adada5df upstream. + +snd_usbmidi_output_open() has a check of the NULL port with +snd_BUG_ON(). snd_BUG_ON() was used as this shouldn't have happened, +but in reality, the NULL port may be seen when the device gives an +invalid endpoint setup at the descriptor, hence the driver skips the +allocation. That is, the check itself is valid and snd_BUG_ON() +should be dropped from there. Otherwise it's confusing as if it were +a real bug, as recently syzbot stumbled on it. + +Reported-by: syzbot+9abda841d636d86c41da@syzkaller.appspotmail.com +Cc: +Link: https://lore.kernel.org/r/syzbot+9abda841d636d86c41da@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20221112141223.6144-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/midi.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/sound/usb/midi.c ++++ b/sound/usb/midi.c +@@ -1149,10 +1149,8 @@ static int snd_usbmidi_output_open(struc + port = &umidi->endpoints[i].out->ports[j]; + break; + } +- if (!port) { +- snd_BUG(); ++ if (!port) + return -ENXIO; +- } + + substream->runtime->private_data = port; + port->state = STATE_UNKNOWN; diff --git a/queue-5.10/ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch b/queue-5.10/ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch new file mode 100644 index 00000000000..89fd719d539 --- /dev/null +++ b/queue-5.10/ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch @@ -0,0 +1,55 @@ +From 19ba6c8af9382c4c05dc6a0a79af3013b9a35cd0 Mon Sep 17 00:00:00 2001 +From: Xiu Jianfeng +Date: Wed, 16 Nov 2022 09:52:07 +0800 +Subject: ftrace: Fix null pointer dereference in ftrace_add_mod() + +From: Xiu Jianfeng + +commit 19ba6c8af9382c4c05dc6a0a79af3013b9a35cd0 upstream. + +The @ftrace_mod is allocated by kzalloc(), so both the members {prev,next} +of @ftrace_mode->list are NULL, it's not a valid state to call list_del(). +If kstrdup() for @ftrace_mod->{func|module} fails, it goes to @out_free +tag and calls free_ftrace_mod() to destroy @ftrace_mod, then list_del() +will write prev->next and next->prev, where null pointer dereference +happens. + +BUG: kernel NULL pointer dereference, address: 0000000000000008 +Oops: 0002 [#1] PREEMPT SMP NOPTI +Call Trace: + + ftrace_mod_callback+0x20d/0x220 + ? do_filp_open+0xd9/0x140 + ftrace_process_regex.isra.51+0xbf/0x130 + ftrace_regex_write.isra.52.part.53+0x6e/0x90 + vfs_write+0xee/0x3a0 + ? __audit_filter_op+0xb1/0x100 + ? auditd_test_task+0x38/0x50 + ksys_write+0xa5/0xe0 + do_syscall_64+0x3a/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +Kernel panic - not syncing: Fatal exception + +So call INIT_LIST_HEAD() to initialize the list member to fix this issue. + +Link: https://lkml.kernel.org/r/20221116015207.30858-1-xiujianfeng@huawei.com + +Cc: stable@vger.kernel.org +Fixes: 673feb9d76ab ("ftrace: Add :mod: caching infrastructure to trace_array") +Signed-off-by: Xiu Jianfeng +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -1295,6 +1295,7 @@ static int ftrace_add_mod(struct trace_a + if (!ftrace_mod) + return -ENOMEM; + ++ INIT_LIST_HEAD(&ftrace_mod->list); + ftrace_mod->func = kstrdup(func, GFP_KERNEL); + ftrace_mod->module = kstrdup(module, GFP_KERNEL); + ftrace_mod->enable = enable; diff --git a/queue-5.10/ftrace-fix-the-possible-incorrect-kernel-message.patch b/queue-5.10/ftrace-fix-the-possible-incorrect-kernel-message.patch new file mode 100644 index 00000000000..98095850770 --- /dev/null +++ b/queue-5.10/ftrace-fix-the-possible-incorrect-kernel-message.patch @@ -0,0 +1,36 @@ +From 08948caebe93482db1adfd2154eba124f66d161d Mon Sep 17 00:00:00 2001 +From: Wang Wensheng +Date: Wed, 9 Nov 2022 09:44:32 +0000 +Subject: ftrace: Fix the possible incorrect kernel message + +From: Wang Wensheng + +commit 08948caebe93482db1adfd2154eba124f66d161d upstream. + +If the number of mcount entries is an integer multiple of +ENTRIES_PER_PAGE, the page count showing on the console would be wrong. + +Link: https://lkml.kernel.org/r/20221109094434.84046-2-wangwensheng4@huawei.com + +Cc: +Cc: +Cc: stable@vger.kernel.org +Fixes: 5821e1b74f0d0 ("function tracing: fix wrong pos computing when read buffer has been fulfilled") +Signed-off-by: Wang Wensheng +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -6877,7 +6877,7 @@ void __init ftrace_init(void) + } + + pr_info("ftrace: allocating %ld entries in %ld pages\n", +- count, count / ENTRIES_PER_PAGE + 1); ++ count, DIV_ROUND_UP(count, ENTRIES_PER_PAGE)); + + last_ftrace_enabled = ftrace_enabled = 1; + diff --git a/queue-5.10/ftrace-optimize-the-allocation-for-mcount-entries.patch b/queue-5.10/ftrace-optimize-the-allocation-for-mcount-entries.patch new file mode 100644 index 00000000000..fd18634ce4e --- /dev/null +++ b/queue-5.10/ftrace-optimize-the-allocation-for-mcount-entries.patch @@ -0,0 +1,36 @@ +From bcea02b096333dc74af987cb9685a4dbdd820840 Mon Sep 17 00:00:00 2001 +From: Wang Wensheng +Date: Wed, 9 Nov 2022 09:44:33 +0000 +Subject: ftrace: Optimize the allocation for mcount entries + +From: Wang Wensheng + +commit bcea02b096333dc74af987cb9685a4dbdd820840 upstream. + +If we can't allocate this size, try something smaller with half of the +size. Its order should be decreased by one instead of divided by two. + +Link: https://lkml.kernel.org/r/20221109094434.84046-3-wangwensheng4@huawei.com + +Cc: +Cc: +Cc: stable@vger.kernel.org +Fixes: a79008755497d ("ftrace: Allocate the mcount record pages as groups") +Signed-off-by: Wang Wensheng +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -3178,7 +3178,7 @@ static int ftrace_allocate_records(struc + /* if we can't allocate this size, try something smaller */ + if (!order) + return -ENOMEM; +- order >>= 1; ++ order--; + goto again; + } + diff --git a/queue-5.10/ring_buffer-do-not-deactivate-non-existant-pages.patch b/queue-5.10/ring_buffer-do-not-deactivate-non-existant-pages.patch new file mode 100644 index 00000000000..0c52eed053a --- /dev/null +++ b/queue-5.10/ring_buffer-do-not-deactivate-non-existant-pages.patch @@ -0,0 +1,40 @@ +From 56f4ca0a79a9f1af98f26c54b9b89ba1f9bcc6bd Mon Sep 17 00:00:00 2001 +From: Daniil Tatianin +Date: Mon, 14 Nov 2022 17:31:29 +0300 +Subject: ring_buffer: Do not deactivate non-existant pages + +From: Daniil Tatianin + +commit 56f4ca0a79a9f1af98f26c54b9b89ba1f9bcc6bd upstream. + +rb_head_page_deactivate() expects cpu_buffer to contain a valid list of +->pages, so verify that the list is actually present before calling it. + +Found by Linux Verification Center (linuxtesting.org) with the SVACE +static analysis tool. + +Link: https://lkml.kernel.org/r/20221114143129.3534443-1-d-tatianin@yandex-team.ru + +Cc: stable@vger.kernel.org +Fixes: 77ae365eca895 ("ring-buffer: make lockless") +Signed-off-by: Daniil Tatianin +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ring_buffer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -1635,9 +1635,9 @@ static void rb_free_cpu_buffer(struct ri + + free_buffer_page(cpu_buffer->reader_page); + +- rb_head_page_deactivate(cpu_buffer); +- + if (head) { ++ rb_head_page_deactivate(cpu_buffer); ++ + list_for_each_entry_safe(bpage, tmp, head, list) { + list_del_init(&bpage->list); + free_buffer_page(bpage); diff --git a/queue-5.10/series b/queue-5.10/series index f6939884b81..ac37295a60b 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -79,3 +79,15 @@ net-x25-fix-skb-leak-in-x25_lapb_receive_frame.patch cifs-fix-wrong-return-value-checking-when-getflags.patch net-thunderbolt-fix-error-handling-in-tbnet_init.patch cifs-add-check-for-returning-value-of-smb2_set_info_.patch +ftrace-fix-the-possible-incorrect-kernel-message.patch +ftrace-optimize-the-allocation-for-mcount-entries.patch +ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch +ring_buffer-do-not-deactivate-non-existant-pages.patch +tracing-ring-buffer-have-polling-block-on-watermark.patch +tracing-fix-memory-leak-in-test_gen_synth_cmd-and-test_empty_synth_event.patch +tracing-fix-wild-memory-access-in-register_synth_event.patch +tracing-kprobe-fix-potential-null-ptr-deref-on-trace_event_file-in-kprobe_event_gen_test_exit.patch +tracing-kprobe-fix-potential-null-ptr-deref-on-trace_array-in-kprobe_event_gen_test_exit.patch +alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch +alsa-hda-realtek-fix-speakers-for-samsung-galaxy-book-pro.patch +alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch diff --git a/queue-5.10/tracing-fix-memory-leak-in-test_gen_synth_cmd-and-test_empty_synth_event.patch b/queue-5.10/tracing-fix-memory-leak-in-test_gen_synth_cmd-and-test_empty_synth_event.patch new file mode 100644 index 00000000000..6e0c39c78c1 --- /dev/null +++ b/queue-5.10/tracing-fix-memory-leak-in-test_gen_synth_cmd-and-test_empty_synth_event.patch @@ -0,0 +1,98 @@ +From a4527fef9afe5c903c718d0cd24609fe9c754250 Mon Sep 17 00:00:00 2001 +From: Shang XiaoJing +Date: Thu, 17 Nov 2022 09:23:45 +0800 +Subject: tracing: Fix memory leak in test_gen_synth_cmd() and test_empty_synth_event() + +From: Shang XiaoJing + +commit a4527fef9afe5c903c718d0cd24609fe9c754250 upstream. + +test_gen_synth_cmd() only free buf in fail path, hence buf will leak +when there is no failure. Add kfree(buf) to prevent the memleak. The +same reason and solution in test_empty_synth_event(). + +unreferenced object 0xffff8881127de000 (size 2048): + comm "modprobe", pid 247, jiffies 4294972316 (age 78.756s) + hex dump (first 32 bytes): + 20 67 65 6e 5f 73 79 6e 74 68 5f 74 65 73 74 20 gen_synth_test + 20 70 69 64 5f 74 20 6e 65 78 74 5f 70 69 64 5f pid_t next_pid_ + backtrace: + [<000000004254801a>] kmalloc_trace+0x26/0x100 + [<0000000039eb1cf5>] 0xffffffffa00083cd + [<000000000e8c3bc8>] 0xffffffffa00086ba + [<00000000c293d1ea>] do_one_initcall+0xdb/0x480 + [<00000000aa189e6d>] do_init_module+0x1cf/0x680 + [<00000000d513222b>] load_module+0x6a50/0x70a0 + [<000000001fd4d529>] __do_sys_finit_module+0x12f/0x1c0 + [<00000000b36c4c0f>] do_syscall_64+0x3f/0x90 + [<00000000bbf20cf3>] entry_SYSCALL_64_after_hwframe+0x63/0xcd +unreferenced object 0xffff8881127df000 (size 2048): + comm "modprobe", pid 247, jiffies 4294972324 (age 78.728s) + hex dump (first 32 bytes): + 20 65 6d 70 74 79 5f 73 79 6e 74 68 5f 74 65 73 empty_synth_tes + 74 20 20 70 69 64 5f 74 20 6e 65 78 74 5f 70 69 t pid_t next_pi + backtrace: + [<000000004254801a>] kmalloc_trace+0x26/0x100 + [<00000000d4db9a3d>] 0xffffffffa0008071 + [<00000000c31354a5>] 0xffffffffa00086ce + [<00000000c293d1ea>] do_one_initcall+0xdb/0x480 + [<00000000aa189e6d>] do_init_module+0x1cf/0x680 + [<00000000d513222b>] load_module+0x6a50/0x70a0 + [<000000001fd4d529>] __do_sys_finit_module+0x12f/0x1c0 + [<00000000b36c4c0f>] do_syscall_64+0x3f/0x90 + [<00000000bbf20cf3>] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Link: https://lkml.kernel.org/r/20221117012346.22647-2-shangxiaojing@huawei.com + +Cc: +Cc: +Cc: +Cc: stable@vger.kernel.org +Fixes: 9fe41efaca08 ("tracing: Add synth event generation test module") +Signed-off-by: Shang XiaoJing +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/synth_event_gen_test.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +--- a/kernel/trace/synth_event_gen_test.c ++++ b/kernel/trace/synth_event_gen_test.c +@@ -120,15 +120,13 @@ static int __init test_gen_synth_cmd(voi + + /* Now generate a gen_synth_test event */ + ret = synth_event_trace_array(gen_synth_test, vals, ARRAY_SIZE(vals)); +- out: ++ free: ++ kfree(buf); + return ret; + delete: + /* We got an error after creating the event, delete it */ + synth_event_delete("gen_synth_test"); +- free: +- kfree(buf); +- +- goto out; ++ goto free; + } + + /* +@@ -227,15 +225,13 @@ static int __init test_empty_synth_event + + /* Now trace an empty_synth_test event */ + ret = synth_event_trace_array(empty_synth_test, vals, ARRAY_SIZE(vals)); +- out: ++ free: ++ kfree(buf); + return ret; + delete: + /* We got an error after creating the event, delete it */ + synth_event_delete("empty_synth_test"); +- free: +- kfree(buf); +- +- goto out; ++ goto free; + } + + static struct synth_field_desc create_synth_test_fields[] = { diff --git a/queue-5.10/tracing-fix-wild-memory-access-in-register_synth_event.patch b/queue-5.10/tracing-fix-wild-memory-access-in-register_synth_event.patch new file mode 100644 index 00000000000..b14ee4ca51e --- /dev/null +++ b/queue-5.10/tracing-fix-wild-memory-access-in-register_synth_event.patch @@ -0,0 +1,94 @@ +From 1b5f1c34d3f5a664a57a5a7557a50e4e3cc2505c Mon Sep 17 00:00:00 2001 +From: Shang XiaoJing +Date: Thu, 17 Nov 2022 09:23:46 +0800 +Subject: tracing: Fix wild-memory-access in register_synth_event() + +From: Shang XiaoJing + +commit 1b5f1c34d3f5a664a57a5a7557a50e4e3cc2505c upstream. + +In register_synth_event(), if set_synth_event_print_fmt() failed, then +both trace_remove_event_call() and unregister_trace_event() will be +called, which means the trace_event_call will call +__unregister_trace_event() twice. As the result, the second unregister +will causes the wild-memory-access. + +register_synth_event + set_synth_event_print_fmt failed + trace_remove_event_call + event_remove + if call->event.funcs then + __unregister_trace_event (first call) + unregister_trace_event + __unregister_trace_event (second call) + +Fix the bug by avoiding to call the second __unregister_trace_event() by +checking if the first one is called. + +general protection fault, probably for non-canonical address + 0xfbd59c0000000024: 0000 [#1] SMP KASAN PTI +KASAN: maybe wild-memory-access in range +[0xdead000000000120-0xdead000000000127] +CPU: 0 PID: 3807 Comm: modprobe Not tainted +6.1.0-rc1-00186-g76f33a7eedb4 #299 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 +RIP: 0010:unregister_trace_event+0x6e/0x280 +Code: 00 fc ff df 4c 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 0e 02 00 00 48 +b8 00 00 00 00 00 fc ff df 4c 8b 63 08 4c 89 e2 48 c1 ea 03 <80> 3c 02 +00 0f 85 e2 01 00 00 49 89 2c 24 48 85 ed 74 28 e8 7a 9b +RSP: 0018:ffff88810413f370 EFLAGS: 00010a06 +RAX: dffffc0000000000 RBX: ffff888105d050b0 RCX: 0000000000000000 +RDX: 1bd5a00000000024 RSI: ffff888119e276e0 RDI: ffffffff835a8b20 +RBP: dead000000000100 R08: 0000000000000000 R09: fffffbfff0913481 +R10: ffffffff8489a407 R11: fffffbfff0913480 R12: dead000000000122 +R13: ffff888105d050b8 R14: 0000000000000000 R15: ffff888105d05028 +FS: 00007f7823e8d540(0000) GS:ffff888119e00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7823e7ebec CR3: 000000010a058002 CR4: 0000000000330ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __create_synth_event+0x1e37/0x1eb0 + create_or_delete_synth_event+0x110/0x250 + synth_event_run_command+0x2f/0x110 + test_gen_synth_cmd+0x170/0x2eb [synth_event_gen_test] + synth_event_gen_test_init+0x76/0x9bc [synth_event_gen_test] + do_one_initcall+0xdb/0x480 + do_init_module+0x1cf/0x680 + load_module+0x6a50/0x70a0 + __do_sys_finit_module+0x12f/0x1c0 + do_syscall_64+0x3f/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Link: https://lkml.kernel.org/r/20221117012346.22647-3-shangxiaojing@huawei.com + +Fixes: 4b147936fa50 ("tracing: Add support for 'synthetic' events") +Signed-off-by: Shang XiaoJing +Cc: stable@vger.kernel.org +Cc: +Cc: +Cc: +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_synth.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/kernel/trace/trace_events_synth.c ++++ b/kernel/trace/trace_events_synth.c +@@ -791,10 +791,9 @@ static int register_synth_event(struct s + } + + ret = set_synth_event_print_fmt(call); +- if (ret < 0) { ++ /* unregister_trace_event() will be called inside */ ++ if (ret < 0) + trace_remove_event_call(call); +- goto err; +- } + out: + return ret; + err: diff --git a/queue-5.10/tracing-kprobe-fix-potential-null-ptr-deref-on-trace_array-in-kprobe_event_gen_test_exit.patch b/queue-5.10/tracing-kprobe-fix-potential-null-ptr-deref-on-trace_array-in-kprobe_event_gen_test_exit.patch new file mode 100644 index 00000000000..159d6e691ab --- /dev/null +++ b/queue-5.10/tracing-kprobe-fix-potential-null-ptr-deref-on-trace_array-in-kprobe_event_gen_test_exit.patch @@ -0,0 +1,83 @@ +From 22ea4ca9631eb137e64e5ab899e9c89cb6670959 Mon Sep 17 00:00:00 2001 +From: Shang XiaoJing +Date: Fri, 18 Nov 2022 10:15:34 +0900 +Subject: tracing: kprobe: Fix potential null-ptr-deref on trace_array in kprobe_event_gen_test_exit() + +From: Shang XiaoJing + +commit 22ea4ca9631eb137e64e5ab899e9c89cb6670959 upstream. + +When test_gen_kprobe_cmd() failed after kprobe_event_gen_cmd_end(), it +will goto delete, which will call kprobe_event_delete() and release the +corresponding resource. However, the trace_array in gen_kretprobe_test +will point to the invalid resource. Set gen_kretprobe_test to NULL +after called kprobe_event_delete() to prevent null-ptr-deref. + +BUG: kernel NULL pointer dereference, address: 0000000000000070 +PGD 0 P4D 0 +Oops: 0000 [#1] SMP PTI +CPU: 0 PID: 246 Comm: modprobe Tainted: G W +6.1.0-rc1-00174-g9522dc5c87da-dirty #248 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 +RIP: 0010:__ftrace_set_clr_event_nolock+0x53/0x1b0 +Code: e8 82 26 fc ff 49 8b 1e c7 44 24 0c ea ff ff ff 49 39 de 0f 84 3c +01 00 00 c7 44 24 18 00 00 00 00 e8 61 26 fc ff 48 8b 6b 10 <44> 8b 65 +70 4c 8b 6d 18 41 f7 c4 00 02 00 00 75 2f +RSP: 0018:ffffc9000159fe00 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffff88810971d268 RCX: 0000000000000000 +RDX: ffff8881080be600 RSI: ffffffff811b48ff RDI: ffff88810971d058 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001 +R10: ffffc9000159fe58 R11: 0000000000000001 R12: ffffffffa0001064 +R13: ffffffffa000106c R14: ffff88810971d238 R15: 0000000000000000 +FS: 00007f89eeff6540(0000) GS:ffff88813b600000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000070 CR3: 000000010599e004 CR4: 0000000000330ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __ftrace_set_clr_event+0x3e/0x60 + trace_array_set_clr_event+0x35/0x50 + ? 0xffffffffa0000000 + kprobe_event_gen_test_exit+0xcd/0x10b [kprobe_event_gen_test] + __x64_sys_delete_module+0x206/0x380 + ? lockdep_hardirqs_on_prepare+0xd8/0x190 + ? syscall_enter_from_user_mode+0x1c/0x50 + do_syscall_64+0x3f/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f89eeb061b7 + +Link: https://lore.kernel.org/all/20221108015130.28326-3-shangxiaojing@huawei.com/ + +Fixes: 64836248dda2 ("tracing: Add kprobe event command generation test module") +Signed-off-by: Shang XiaoJing +Cc: stable@vger.kernel.org +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/kprobe_event_gen_test.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/trace/kprobe_event_gen_test.c ++++ b/kernel/trace/kprobe_event_gen_test.c +@@ -143,6 +143,8 @@ static int __init test_gen_kprobe_cmd(vo + kfree(buf); + return ret; + delete: ++ if (trace_event_file_is_valid(gen_kprobe_test)) ++ gen_kprobe_test = NULL; + /* We got an error after creating the event, delete it */ + ret = kprobe_event_delete("gen_kprobe_test"); + goto out; +@@ -206,6 +208,8 @@ static int __init test_gen_kretprobe_cmd + kfree(buf); + return ret; + delete: ++ if (trace_event_file_is_valid(gen_kretprobe_test)) ++ gen_kretprobe_test = NULL; + /* We got an error after creating the event, delete it */ + ret = kprobe_event_delete("gen_kretprobe_test"); + goto out; diff --git a/queue-5.10/tracing-kprobe-fix-potential-null-ptr-deref-on-trace_event_file-in-kprobe_event_gen_test_exit.patch b/queue-5.10/tracing-kprobe-fix-potential-null-ptr-deref-on-trace_event_file-in-kprobe_event_gen_test_exit.patch new file mode 100644 index 00000000000..06e9bf388e7 --- /dev/null +++ b/queue-5.10/tracing-kprobe-fix-potential-null-ptr-deref-on-trace_event_file-in-kprobe_event_gen_test_exit.patch @@ -0,0 +1,129 @@ +From e0d75267f59d7084e0468bd68beeb1bf9c71d7c0 Mon Sep 17 00:00:00 2001 +From: Shang XiaoJing +Date: Fri, 18 Nov 2022 10:15:33 +0900 +Subject: tracing: kprobe: Fix potential null-ptr-deref on trace_event_file in kprobe_event_gen_test_exit() + +From: Shang XiaoJing + +commit e0d75267f59d7084e0468bd68beeb1bf9c71d7c0 upstream. + +When trace_get_event_file() failed, gen_kretprobe_test will be assigned +as the error code. If module kprobe_event_gen_test is removed now, the +null pointer dereference will happen in kprobe_event_gen_test_exit(). +Check if gen_kprobe_test or gen_kretprobe_test is error code or NULL +before dereference them. + +BUG: kernel NULL pointer dereference, address: 0000000000000012 +PGD 0 P4D 0 +Oops: 0000 [#1] SMP PTI +CPU: 3 PID: 2210 Comm: modprobe Not tainted +6.1.0-rc1-00171-g2159299a3b74-dirty #217 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 +RIP: 0010:kprobe_event_gen_test_exit+0x1c/0xb5 [kprobe_event_gen_test] +Code: Unable to access opcode bytes at 0xffffffff9ffffff2. +RSP: 0018:ffffc900015bfeb8 EFLAGS: 00010246 +RAX: ffffffffffffffea RBX: ffffffffa0002080 RCX: 0000000000000000 +RDX: ffffffffa0001054 RSI: ffffffffa0001064 RDI: ffffffffdfc6349c +RBP: ffffffffa0000000 R08: 0000000000000004 R09: 00000000001e95c0 +R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000800 +R13: ffffffffa0002420 R14: 0000000000000000 R15: 0000000000000000 +FS: 00007f56b75be540(0000) GS:ffff88813bc00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffff9ffffff2 CR3: 000000010874a006 CR4: 0000000000330ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __x64_sys_delete_module+0x206/0x380 + ? lockdep_hardirqs_on_prepare+0xd8/0x190 + ? syscall_enter_from_user_mode+0x1c/0x50 + do_syscall_64+0x3f/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Link: https://lore.kernel.org/all/20221108015130.28326-2-shangxiaojing@huawei.com/ + +Fixes: 64836248dda2 ("tracing: Add kprobe event command generation test module") +Signed-off-by: Shang XiaoJing +Acked-by: Masami Hiramatsu (Google) +Cc: stable@vger.kernel.org +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/kprobe_event_gen_test.c | 44 ++++++++++++++++++++++------------- + 1 file changed, 28 insertions(+), 16 deletions(-) + +--- a/kernel/trace/kprobe_event_gen_test.c ++++ b/kernel/trace/kprobe_event_gen_test.c +@@ -73,6 +73,10 @@ static struct trace_event_file *gen_kret + #define KPROBE_GEN_TEST_ARG3 NULL + #endif + ++static bool trace_event_file_is_valid(struct trace_event_file *input) ++{ ++ return input && !IS_ERR(input); ++} + + /* + * Test to make sure we can create a kprobe event, then add more +@@ -217,10 +221,12 @@ static int __init kprobe_event_gen_test_ + + ret = test_gen_kretprobe_cmd(); + if (ret) { +- WARN_ON(trace_array_set_clr_event(gen_kretprobe_test->tr, +- "kprobes", +- "gen_kretprobe_test", false)); +- trace_put_event_file(gen_kretprobe_test); ++ if (trace_event_file_is_valid(gen_kretprobe_test)) { ++ WARN_ON(trace_array_set_clr_event(gen_kretprobe_test->tr, ++ "kprobes", ++ "gen_kretprobe_test", false)); ++ trace_put_event_file(gen_kretprobe_test); ++ } + WARN_ON(kprobe_event_delete("gen_kretprobe_test")); + } + +@@ -229,24 +235,30 @@ static int __init kprobe_event_gen_test_ + + static void __exit kprobe_event_gen_test_exit(void) + { +- /* Disable the event or you can't remove it */ +- WARN_ON(trace_array_set_clr_event(gen_kprobe_test->tr, +- "kprobes", +- "gen_kprobe_test", false)); ++ if (trace_event_file_is_valid(gen_kprobe_test)) { ++ /* Disable the event or you can't remove it */ ++ WARN_ON(trace_array_set_clr_event(gen_kprobe_test->tr, ++ "kprobes", ++ "gen_kprobe_test", false)); ++ ++ /* Now give the file and instance back */ ++ trace_put_event_file(gen_kprobe_test); ++ } + +- /* Now give the file and instance back */ +- trace_put_event_file(gen_kprobe_test); + + /* Now unregister and free the event */ + WARN_ON(kprobe_event_delete("gen_kprobe_test")); + +- /* Disable the event or you can't remove it */ +- WARN_ON(trace_array_set_clr_event(gen_kretprobe_test->tr, +- "kprobes", +- "gen_kretprobe_test", false)); ++ if (trace_event_file_is_valid(gen_kretprobe_test)) { ++ /* Disable the event or you can't remove it */ ++ WARN_ON(trace_array_set_clr_event(gen_kretprobe_test->tr, ++ "kprobes", ++ "gen_kretprobe_test", false)); ++ ++ /* Now give the file and instance back */ ++ trace_put_event_file(gen_kretprobe_test); ++ } + +- /* Now give the file and instance back */ +- trace_put_event_file(gen_kretprobe_test); + + /* Now unregister and free the event */ + WARN_ON(kprobe_event_delete("gen_kretprobe_test")); diff --git a/queue-5.10/tracing-ring-buffer-have-polling-block-on-watermark.patch b/queue-5.10/tracing-ring-buffer-have-polling-block-on-watermark.patch new file mode 100644 index 00000000000..d45e7f9e599 --- /dev/null +++ b/queue-5.10/tracing-ring-buffer-have-polling-block-on-watermark.patch @@ -0,0 +1,187 @@ +From 42fb0a1e84ff525ebe560e2baf9451ab69127e2b Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Google)" +Date: Thu, 20 Oct 2022 23:14:27 -0400 +Subject: tracing/ring-buffer: Have polling block on watermark + +From: Steven Rostedt (Google) + +commit 42fb0a1e84ff525ebe560e2baf9451ab69127e2b upstream. + +Currently the way polling works on the ring buffer is broken. It will +return immediately if there's any data in the ring buffer whereas a read +will block until the watermark (defined by the tracefs buffer_percent file) +is hit. + +That is, a select() or poll() will return as if there's data available, +but then the following read will block. This is broken for the way +select()s and poll()s are supposed to work. + +Have the polling on the ring buffer also block the same way reads and +splice does on the ring buffer. + +Link: https://lkml.kernel.org/r/20221020231427.41be3f26@gandalf.local.home + +Cc: Linux Trace Kernel +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Primiano Tucci +Cc: stable@vger.kernel.org +Fixes: 1e0d6714aceb7 ("ring-buffer: Do not wake up a splice waiter when page is not full") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/ring_buffer.h | 2 - + kernel/trace/ring_buffer.c | 55 ++++++++++++++++++++++++++++---------------- + kernel/trace/trace.c | 2 - + 3 files changed, 38 insertions(+), 21 deletions(-) + +--- a/include/linux/ring_buffer.h ++++ b/include/linux/ring_buffer.h +@@ -99,7 +99,7 @@ __ring_buffer_alloc(unsigned long size, + + int ring_buffer_wait(struct trace_buffer *buffer, int cpu, int full); + __poll_t ring_buffer_poll_wait(struct trace_buffer *buffer, int cpu, +- struct file *filp, poll_table *poll_table); ++ struct file *filp, poll_table *poll_table, int full); + void ring_buffer_wake_waiters(struct trace_buffer *buffer, int cpu); + + #define RING_BUFFER_ALL_CPUS -1 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -784,6 +784,21 @@ size_t ring_buffer_nr_dirty_pages(struct + return cnt - read; + } + ++static __always_inline bool full_hit(struct trace_buffer *buffer, int cpu, int full) ++{ ++ struct ring_buffer_per_cpu *cpu_buffer = buffer->buffers[cpu]; ++ size_t nr_pages; ++ size_t dirty; ++ ++ nr_pages = cpu_buffer->nr_pages; ++ if (!nr_pages || !full) ++ return true; ++ ++ dirty = ring_buffer_nr_dirty_pages(buffer, cpu); ++ ++ return (dirty * 100) > (full * nr_pages); ++} ++ + /* + * rb_wake_up_waiters - wake up tasks waiting for ring buffer input + * +@@ -912,22 +927,20 @@ int ring_buffer_wait(struct trace_buffer + !ring_buffer_empty_cpu(buffer, cpu)) { + unsigned long flags; + bool pagebusy; +- size_t nr_pages; +- size_t dirty; ++ bool done; + + if (!full) + break; + + raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags); + pagebusy = cpu_buffer->reader_page == cpu_buffer->commit_page; +- nr_pages = cpu_buffer->nr_pages; +- dirty = ring_buffer_nr_dirty_pages(buffer, cpu); ++ done = !pagebusy && full_hit(buffer, cpu, full); ++ + if (!cpu_buffer->shortest_full || + cpu_buffer->shortest_full > full) + cpu_buffer->shortest_full = full; + raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags); +- if (!pagebusy && +- (!nr_pages || (dirty * 100) > full * nr_pages)) ++ if (done) + break; + } + +@@ -953,6 +966,7 @@ int ring_buffer_wait(struct trace_buffer + * @cpu: the cpu buffer to wait on + * @filp: the file descriptor + * @poll_table: The poll descriptor ++ * @full: wait until the percentage of pages are available, if @cpu != RING_BUFFER_ALL_CPUS + * + * If @cpu == RING_BUFFER_ALL_CPUS then the task will wake up as soon + * as data is added to any of the @buffer's cpu buffers. Otherwise +@@ -962,14 +976,15 @@ int ring_buffer_wait(struct trace_buffer + * zero otherwise. + */ + __poll_t ring_buffer_poll_wait(struct trace_buffer *buffer, int cpu, +- struct file *filp, poll_table *poll_table) ++ struct file *filp, poll_table *poll_table, int full) + { + struct ring_buffer_per_cpu *cpu_buffer; + struct rb_irq_work *work; + +- if (cpu == RING_BUFFER_ALL_CPUS) ++ if (cpu == RING_BUFFER_ALL_CPUS) { + work = &buffer->irq_work; +- else { ++ full = 0; ++ } else { + if (!cpumask_test_cpu(cpu, buffer->cpumask)) + return -EINVAL; + +@@ -977,8 +992,14 @@ __poll_t ring_buffer_poll_wait(struct tr + work = &cpu_buffer->irq_work; + } + +- poll_wait(filp, &work->waiters, poll_table); +- work->waiters_pending = true; ++ if (full) { ++ poll_wait(filp, &work->full_waiters, poll_table); ++ work->full_waiters_pending = true; ++ } else { ++ poll_wait(filp, &work->waiters, poll_table); ++ work->waiters_pending = true; ++ } ++ + /* + * There's a tight race between setting the waiters_pending and + * checking if the ring buffer is empty. Once the waiters_pending bit +@@ -994,6 +1015,9 @@ __poll_t ring_buffer_poll_wait(struct tr + */ + smp_mb(); + ++ if (full) ++ return full_hit(buffer, cpu, full) ? EPOLLIN | EPOLLRDNORM : 0; ++ + if ((cpu == RING_BUFFER_ALL_CPUS && !ring_buffer_empty(buffer)) || + (cpu != RING_BUFFER_ALL_CPUS && !ring_buffer_empty_cpu(buffer, cpu))) + return EPOLLIN | EPOLLRDNORM; +@@ -3033,10 +3057,6 @@ static void rb_commit(struct ring_buffer + static __always_inline void + rb_wakeups(struct trace_buffer *buffer, struct ring_buffer_per_cpu *cpu_buffer) + { +- size_t nr_pages; +- size_t dirty; +- size_t full; +- + if (buffer->irq_work.waiters_pending) { + buffer->irq_work.waiters_pending = false; + /* irq_work_queue() supplies it's own memory barriers */ +@@ -3060,10 +3080,7 @@ rb_wakeups(struct trace_buffer *buffer, + + cpu_buffer->last_pages_touch = local_read(&cpu_buffer->pages_touched); + +- full = cpu_buffer->shortest_full; +- nr_pages = cpu_buffer->nr_pages; +- dirty = ring_buffer_nr_dirty_pages(buffer, cpu_buffer->cpu); +- if (full && nr_pages && (dirty * 100) <= full * nr_pages) ++ if (!full_hit(buffer, cpu_buffer->cpu, cpu_buffer->shortest_full)) + return; + + cpu_buffer->irq_work.wakeup_full = true; +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -6263,7 +6263,7 @@ trace_poll(struct trace_iterator *iter, + return EPOLLIN | EPOLLRDNORM; + else + return ring_buffer_poll_wait(iter->array_buffer->buffer, iter->cpu_file, +- filp, poll_table); ++ filp, poll_table, iter->tr->buffer_percent); + } + + static __poll_t