From: Sasha Levin Date: Tue, 22 Nov 2022 15:18:00 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v4.19.266~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d722a364c36eb5374391c6b76e511a6a8b6fc535;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/input-i8042-fix-leaking-of-platform-device-on-module.patch b/queue-5.4/input-i8042-fix-leaking-of-platform-device-on-module.patch new file mode 100644 index 00000000000..6f07f400e83 --- /dev/null +++ b/queue-5.4/input-i8042-fix-leaking-of-platform-device-on-module.patch 
@@ -0,0 +1,54 @@ +From 66cf7633bc242f88113816ddb1682dd6e6b6f7e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 15:40:03 -0800 +Subject: Input: i8042 - fix leaking of platform device on module removal + +From: Chen Jun + +[ Upstream commit 81cd7e8489278d28794e7b272950c3e00c344e44 ] + +Avoid resetting the module-wide i8042_platform_device pointer in +i8042_probe() or i8042_remove(), so that the device can be properly +destroyed by i8042_exit() on module unload. + +Fixes: 9222ba68c3f4 ("Input: i8042 - add deferred probe support") +Signed-off-by: Chen Jun +Link: https://lore.kernel.org/r/20221109034148.23821-1-chenjun102@huawei.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/i8042.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c +index bb76ff2f6b1d..dc40f6099dcf 100644 +--- a/drivers/input/serio/i8042.c ++++ b/drivers/input/serio/i8042.c +@@ -1540,8 +1540,6 @@ static int i8042_probe(struct platform_device *dev) + { + int error; + +- i8042_platform_device = dev; +- + if (i8042_reset == I8042_RESET_ALWAYS) { + error = i8042_controller_selftest(); + if (error) +@@ -1579,7 +1577,6 @@ static int i8042_probe(struct platform_device *dev) + i8042_free_aux_ports(); /* in case KBD failed but AUX not */ + i8042_free_irqs(); + i8042_controller_reset(false); +- i8042_platform_device = NULL; + + return error; + } +@@ -1589,7 +1586,6 @@ static int i8042_remove(struct platform_device *dev) + i8042_unregister_ports(); + i8042_free_irqs(); + i8042_controller_reset(false); +- i8042_platform_device = NULL; + + return 0; + } +-- +2.35.1 + diff --git a/queue-5.4/kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch b/queue-5.4/kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch new file mode 100644 index 00000000000..ef9718da6e4 --- /dev/null +++ b/queue-5.4/kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch 
@@ -0,0 +1,75 @@ +From e81fbce4b78da31a10781c28a8e337589ae31404 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 10:15:34 +0900 +Subject: kprobes: Skip clearing aggrprobe's post_handler in kprobe-on-ftrace + case + +From: Li Huafei + +[ Upstream commit 5dd7caf0bdc5d0bae7cf9776b4d739fb09bd5ebb ] + +In __unregister_kprobe_top(), if the currently unregistered probe has +post_handler but other child probes of the aggrprobe do not have +post_handler, the post_handler of the aggrprobe is cleared. If this is +a ftrace-based probe, there is a problem. In later calls to +disarm_kprobe(), we will use kprobe_ftrace_ops because post_handler is +NULL. But we're armed with kprobe_ipmodify_ops. This triggers a WARN in +__disarm_kprobe_ftrace() and may even cause use-after-free: + + Failed to disarm kprobe-ftrace at kernel_clone+0x0/0x3c0 (error -2) + WARNING: CPU: 5 PID: 137 at kernel/kprobes.c:1135 __disarm_kprobe_ftrace.isra.21+0xcf/0xe0 + Modules linked in: testKprobe_007(-) + CPU: 5 PID: 137 Comm: rmmod Not tainted 6.1.0-rc4-dirty #18 + [...] + Call Trace: + + __disable_kprobe+0xcd/0xe0 + __unregister_kprobe_top+0x12/0x150 + ? mutex_lock+0xe/0x30 + unregister_kprobes.part.23+0x31/0xa0 + unregister_kprobe+0x32/0x40 + __x64_sys_delete_module+0x15e/0x260 + ? do_user_addr_fault+0x2cd/0x6b0 + do_syscall_64+0x3a/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + [...] + +For the kprobe-on-ftrace case, we keep the post_handler setting to +identify this aggrprobe armed with kprobe_ipmodify_ops. This way we +can disarm it correctly. 
+ +Link: https://lore.kernel.org/all/20221112070000.35299-1-lihuafei1@huawei.com/ + +Fixes: 0bc11ed5ab60 ("kprobes: Allow kprobes coexist with livepatch") +Reported-by: Zhao Gongyi +Suggested-by: Masami Hiramatsu (Google) +Signed-off-by: Li Huafei +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/kprobes.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index f8ea8cf694c6..3de56ca28017 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -1792,7 +1792,13 @@ static int __unregister_kprobe_top(struct kprobe *p) + if ((list_p != p) && (list_p->post_handler)) + goto noclean; + } +- ap->post_handler = NULL; ++ /* ++ * For the kprobe-on-ftrace case, we keep the ++ * post_handler setting to identify this aggrprobe ++ * armed with kprobe_ipmodify_ops. ++ */ ++ if (!kprobe_ftrace(ap)) ++ ap->post_handler = NULL; + } + noclean: + /* +-- +2.35.1 + diff --git a/queue-5.4/ring-buffer-include-dropped-pages-in-counting-dirty-.patch b/queue-5.4/ring-buffer-include-dropped-pages-in-counting-dirty-.patch new file mode 100644 index 00000000000..2040e99037f --- /dev/null +++ b/queue-5.4/ring-buffer-include-dropped-pages-in-counting-dirty-.patch 
@@ -0,0 +1,95 @@ +From 50164e4d5f8064d97c63971c92186ef2c56ec336 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Oct 2022 12:30:13 -0400 +Subject: ring-buffer: Include dropped pages in counting dirty patches + +From: Steven Rostedt (Google) + +[ Upstream commit 31029a8b2c7e656a0289194ef16415050ae4c4ac ] + +The function ring_buffer_nr_dirty_pages() was created to find out how many +pages are filled in the ring buffer. There's two running counters. One is +incremented whenever a new page is touched (pages_touched) and the other +is whenever a page is read (pages_read). The dirty count is the number +touched minus the number read. This is used to determine if a blocked task +should be woken up if the percentage of the ring buffer it is waiting for +is hit. + +The problem is that it does not take into account dropped pages (when the +new writes overwrite pages that were not read). And then the dirty pages +will always be greater than the percentage. + +This makes the "buffer_percent" file inaccurate, as the number of dirty +pages end up always being larger than the percentage, event when it's not +and this causes user space to be woken up more than it wants to be. + +Add a new counter to keep track of lost pages, and include that in the +accounting of dirty pages so that it is actually accurate. 
+ +Link: https://lkml.kernel.org/r/20221021123013.55fb6055@gandalf.local.home + +Fixes: 2c2b0a78b3739 ("ring-buffer: Add percentage of ring buffer full to wake up reader") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/ring_buffer.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index f1dd405b98a5..c4234430afea 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -477,6 +477,7 @@ struct ring_buffer_per_cpu { + local_t committing; + local_t commits; + local_t pages_touched; ++ local_t pages_lost; + local_t pages_read; + long last_pages_touch; + size_t shortest_full; +@@ -544,10 +545,18 @@ size_t ring_buffer_nr_pages(struct ring_buffer *buffer, int cpu) + size_t ring_buffer_nr_dirty_pages(struct ring_buffer *buffer, int cpu) + { + size_t read; ++ size_t lost; + size_t cnt; + + read = local_read(&buffer->buffers[cpu]->pages_read); ++ lost = local_read(&buffer->buffers[cpu]->pages_lost); + cnt = local_read(&buffer->buffers[cpu]->pages_touched); ++ ++ if (WARN_ON_ONCE(cnt < lost)) ++ return 0; ++ ++ cnt -= lost; ++ + /* The reader can read an empty page, but not more than that */ + if (cnt < read) { + WARN_ON_ONCE(read > cnt + 1); +@@ -1599,6 +1608,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned long nr_pages) + */ + local_add(page_entries, &cpu_buffer->overrun); + local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes); ++ local_inc(&cpu_buffer->pages_lost); + } + + /* +@@ -2023,6 +2033,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer, + */ + local_add(entries, &cpu_buffer->overrun); + local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes); ++ local_inc(&cpu_buffer->pages_lost); + + /* + * The entries will be zeroed out when we move the +@@ -4475,6 +4486,7 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) + local_set(&cpu_buffer->committing, 0); + local_set(&cpu_buffer->commits, 0); + 
local_set(&cpu_buffer->pages_touched, 0); ++ local_set(&cpu_buffer->pages_lost, 0); + local_set(&cpu_buffer->pages_read, 0); + cpu_buffer->last_pages_touch = 0; + cpu_buffer->shortest_full = 0; +-- +2.35.1 + diff --git a/queue-5.4/scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch b/queue-5.4/scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch new file mode 100644 index 00000000000..d61b7da5828 --- /dev/null +++ b/queue-5.4/scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch 
@@ -0,0 +1,51 @@ +From b0fcefbeacb1e346e1f5eadfdf5611c6bf366492 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 09:50:42 +0800 +Subject: scsi: target: tcm_loop: Fix possible name leak in + tcm_loop_setup_hba_bus() + +From: Yang Yingliang + +[ Upstream commit bc68e428d4963af0201e92159629ab96948f0893 ] + +If device_register() fails in tcm_loop_setup_hba_bus(), the name allocated +by dev_set_name() need be freed. As comment of device_register() says, it +should use put_device() to give up the reference in the error path. So fix +this by calling put_device(), then the name can be freed in kobject_cleanup(). +The 'tl_hba' will be freed in tcm_loop_release_adapter(), so it don't need +goto error label in this case. + +Fixes: 3703b2c5d041 ("[SCSI] tcm_loop: Add multi-fabric Linux/SCSI LLD fabric module") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221115015042.3652261-1-yangyingliang@huawei.com +Reviewed-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/loopback/tcm_loop.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/loopback/tcm_loop.c b/drivers/target/loopback/tcm_loop.c +index 16d5a4e117a2..5ae5d94c5b93 100644 +--- a/drivers/target/loopback/tcm_loop.c ++++ b/drivers/target/loopback/tcm_loop.c +@@ -394,6 +394,7 @@ static int tcm_loop_setup_hba_bus(struct tcm_loop_hba *tl_hba, int tcm_loop_host + ret = device_register(&tl_hba->dev); + if (ret) { + pr_err("device_register() failed for tl_hba->dev: %d\n", ret); ++ put_device(&tl_hba->dev); + return -ENODEV; + } + +@@ -1072,7 +1073,7 @@ static struct se_wwn *tcm_loop_make_scsi_hba( + */ + ret = tcm_loop_setup_hba_bus(tl_hba, tcm_loop_hba_no_cnt); + if (ret) +- goto out; ++ return ERR_PTR(ret); + + sh = tl_hba->sh; + tcm_loop_hba_no_cnt++; +-- +2.35.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 161c965e048..0309c224cb7 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -137,3 +137,7 @@ mmc-sdhci-pci-fix-possible-memory-leak-caused-by-missing-pci_dev_put.patch docs-update-mediator-contact-information-in-coc-doc.patch misc-vmw_vmci-fix-an-infoleak-in-vmci_host_do_receive_datagram.patch serial-8250-flush-dma-rx-on-rlsi.patch +ring-buffer-include-dropped-pages-in-counting-dirty-.patch +scsi-target-tcm_loop-fix-possible-name-leak-in-tcm_l.patch +kprobes-skip-clearing-aggrprobe-s-post_handler-in-kp.patch +input-i8042-fix-leaking-of-platform-device-on-module.patch
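Review bot: in queue-5.4/input-i8042-fix-leaking-of-platform-device-on-module.patch, the first hunk of drivers/input/serio/i8042.c removes `i8042_platform_device = dev;` from the top of i8042_probe(), and no visible hunk adds an assignment elsewhere, so for this 5.4 backport it needs confirming that the pointer is already set before probe runs. The Fixes: tag names 9222ba68c3f4 ("Input: i8042 - add deferred probe support"); if that commit is not present in the 5.4 tree, code reached from i8042_probe() that reads i8042_platform_device would find it unset. Suggest checking 5.4.y for the Fixes: commit and dropping this patch from the queue if it is absent.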
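Review bot: in the kernel/kprobes.c hunk at __unregister_kprobe_top(), the new `if (!kprobe_ftrace(ap))` guard leaves ap->post_handler set even after the loop above found no remaining child probe with a post_handler, so the field now doubles as a record of which ftrace ops the aggrprobe was armed with. The added comment explains why the value is kept but not that the handler pointer stays callable with no child asking for it. Suggest extending the comment to say why that is harmless, or recording the armed ops in a dedicated flag rather than overloading post_handler.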
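Review bot: in the kernel/trace/ring_buffer.c hunk at ring_buffer_nr_dirty_pages(), the new `if (WARN_ON_ONCE(cnt < lost)) return 0;` check depends on pages_read, pages_lost and pages_touched being sampled by three separate local_read() calls with no lock, and the code does not say what keeps `cnt >= lost` while a writer is incrementing both counters. The hunk reads pages_lost before pages_touched, which looks like the order that preserves the invariant; suggest a one-line comment stating that the order is intentional so a later cleanup does not reorder the reads and start tripping the warning. Returning 0 on the warning path also means a waiter on buffer_percent is told there are no dirty pages, which is worth noting in the comment as the chosen fallback.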
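Review bot: in the drivers/target/loopback/tcm_loop.c hunk at tcm_loop_make_scsi_hba(), replacing `goto out;` with `return ERR_PTR(ret);` is only correct if every non-zero return from tcm_loop_setup_hba_bus() has already dropped the device reference, because the caller no longer frees tl_hba itself. The first hunk shows that for the device_register() failure, where `put_device(&tl_hba->dev);` is added; suggest confirming there is no other failure return in tcm_loop_setup_hba_bus() and adding a short comment at the call site that tl_hba is released through the device release callback on error. Separately, the device_register() error path still returns -ENODEV rather than ret, so the real error code is visible only in the pr_err() line.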