From 01c1576fa16c2de99061b9a2a91319f744fb6f31 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 21 Nov 2022 12:29:41 +0100 Subject: [PATCH] 5.15-stable patches added patches: alsa-hda-realtek-fix-speakers-for-samsung-galaxy-book-pro.patch alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch drm-amd-display-add-hubp-surface-flip-interrupt-handler.patch ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch ftrace-fix-the-possible-incorrect-kernel-message.patch ftrace-optimize-the-allocation-for-mcount-entries.patch revert-usb-dwc3-disable-usb-core-phy-management.patch ring_buffer-do-not-deactivate-non-existant-pages.patch tracing-fix-memory-leak-in-test_gen_synth_cmd-and-test_empty_synth_event.patch tracing-fix-memory-leak-in-tracing_read_pipe.patch tracing-fix-race-where-eprobes-can-be-called-before-the-event.patch tracing-fix-wild-memory-access-in-register_synth_event.patch tracing-kprobe-fix-potential-null-ptr-deref-on-trace_array-in-kprobe_event_gen_test_exit.patch tracing-kprobe-fix-potential-null-ptr-deref-on-trace_event_file-in-kprobe_event_gen_test_exit.patch tracing-ring-buffer-have-polling-block-on-watermark.patch --- ...speakers-for-samsung-galaxy-book-pro.patch | 34 ++++ ...utput-on-samsung-galaxy-book-pro-360.patch | 32 +++ ..._bug_on-from-snd_usbmidi_output_open.patch | 41 ++++ ...-hubp-surface-flip-interrupt-handler.patch | 50 +++++ ...ointer-dereference-in-ftrace_add_mod.patch | 55 ++++++ ...he-possible-incorrect-kernel-message.patch | 36 ++++ ...ze-the-allocation-for-mcount-entries.patch | 36 ++++ ...dwc3-disable-usb-core-phy-management.patch | 71 +++++++ ...do-not-deactivate-non-existant-pages.patch | 40 ++++ queue-5.15/series | 16 ++ ...synth_cmd-and-test_empty_synth_event.patch | 98 +++++++++ ...fix-memory-leak-in-tracing_read_pipe.patch | 56 ++++++ ...robes-can-be-called-before-the-event.patch | 45 +++++ ...emory-access-in-register_synth_event.patch | 94 +++++++++ ..._array-in-kprobe_event_gen_test_exit.patch | 
83 ++++++++ ...t_file-in-kprobe_event_gen_test_exit.patch | 129 ++++++++++++ ...ffer-have-polling-block-on-watermark.patch | 187 ++++++++++++++++++ 17 files changed, 1103 insertions(+) create mode 100644 queue-5.15/alsa-hda-realtek-fix-speakers-for-samsung-galaxy-book-pro.patch create mode 100644 queue-5.15/alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch create mode 100644 queue-5.15/alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch create mode 100644 queue-5.15/drm-amd-display-add-hubp-surface-flip-interrupt-handler.patch create mode 100644 queue-5.15/ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch create mode 100644 queue-5.15/ftrace-fix-the-possible-incorrect-kernel-message.patch create mode 100644 queue-5.15/ftrace-optimize-the-allocation-for-mcount-entries.patch create mode 100644 queue-5.15/revert-usb-dwc3-disable-usb-core-phy-management.patch create mode 100644 queue-5.15/ring_buffer-do-not-deactivate-non-existant-pages.patch create mode 100644 queue-5.15/tracing-fix-memory-leak-in-test_gen_synth_cmd-and-test_empty_synth_event.patch create mode 100644 queue-5.15/tracing-fix-memory-leak-in-tracing_read_pipe.patch create mode 100644 queue-5.15/tracing-fix-race-where-eprobes-can-be-called-before-the-event.patch create mode 100644 queue-5.15/tracing-fix-wild-memory-access-in-register_synth_event.patch create mode 100644 queue-5.15/tracing-kprobe-fix-potential-null-ptr-deref-on-trace_array-in-kprobe_event_gen_test_exit.patch create mode 100644 queue-5.15/tracing-kprobe-fix-potential-null-ptr-deref-on-trace_event_file-in-kprobe_event_gen_test_exit.patch create mode 100644 queue-5.15/tracing-ring-buffer-have-polling-block-on-watermark.patch diff --git a/queue-5.15/alsa-hda-realtek-fix-speakers-for-samsung-galaxy-book-pro.patch b/queue-5.15/alsa-hda-realtek-fix-speakers-for-samsung-galaxy-book-pro.patch new file mode 100644 index 00000000000..d0c785f42da --- /dev/null 
+++ b/queue-5.15/alsa-hda-realtek-fix-speakers-for-samsung-galaxy-book-pro.patch @@ -0,0 +1,34 @@ +From b18a456330e1c1ca207b57b45872f10336741388 Mon Sep 17 00:00:00 2001 +From: Emil Flink +Date: Tue, 15 Nov 2022 15:45:01 +0100 +Subject: ALSA: hda/realtek: fix speakers for Samsung Galaxy Book Pro + +From: Emil Flink + +commit b18a456330e1c1ca207b57b45872f10336741388 upstream. + +The Samsung Galaxy Book Pro seems to have the same issue as a few +other Samsung laptops, detailed in kernel bug report 207423. Sound from +headphone jack works, but not the built-in speakers. + +alsa-info: http://alsa-project.org/db/?f=b40ba609dc6ae28dc84ad404a0d8a4bbcd8bea6d + +Signed-off-by: Emil Flink +Cc: +Link: https://lore.kernel.org/r/20221115144500.7782-1-emil.flink@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9078,6 +9078,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc740, "Samsung Ativ book 8 (NP870Z5G)", ALC269_FIXUP_ATIV_BOOK_8), + SND_PCI_QUIRK(0x144d, 0xc812, "Samsung Notebook Pen S (NT950SBE-X58)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_AMP), diff --git a/queue-5.15/alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch b/queue-5.15/alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch new file mode 100644 index 00000000000..17b9416b27c 
--- /dev/null +++ b/queue-5.15/alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch @@ -0,0 +1,32 @@ +From 1abfd71ee8f3ed99c5d0df5d9843a360541d6808 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 15 Nov 2022 18:02:35 +0100 +Subject: ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 + +From: Takashi Iwai + +commit 1abfd71ee8f3ed99c5d0df5d9843a360541d6808 upstream. + +Samsung Galaxy Book Pro 360 (13" 2021 NP930QBD-ke1US) with codec SSID +144d:c1a6 requires the same workaround for enabling the speaker amp +like other Samsung models with ALC298 codec. + +Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1205100 +Cc: +Link: https://lore.kernel.org/r/20221115170235.18875-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9079,6 +9079,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc1a6, "Samsung Galaxy Book Pro 360 (NP930QBD)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc740, "Samsung Ativ book 8 (NP870Z5G)", ALC269_FIXUP_ATIV_BOOK_8), + SND_PCI_QUIRK(0x144d, 0xc812, "Samsung Notebook Pen S (NT950SBE-X58)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_AMP), diff --git a/queue-5.15/alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch b/queue-5.15/alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch new file mode 100644 index 00000000000..fdd90f8b25c --- /dev/null 
+++ b/queue-5.15/alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch @@ -0,0 +1,41 @@ +From ad72c3c3f6eb81d2cb189ec71e888316adada5df Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sat, 12 Nov 2022 15:12:23 +0100 +Subject: ALSA: usb-audio: Drop snd_BUG_ON() from snd_usbmidi_output_open() + +From: Takashi Iwai + +commit ad72c3c3f6eb81d2cb189ec71e888316adada5df upstream. + +snd_usbmidi_output_open() has a check of the NULL port with +snd_BUG_ON(). snd_BUG_ON() was used as this shouldn't have happened, +but in reality, the NULL port may be seen when the device gives an +invalid endpoint setup at the descriptor, hence the driver skips the +allocation. That is, the check itself is valid and snd_BUG_ON() +should be dropped from there. Otherwise it's confusing as if it were +a real bug, as recently syzbot stumbled on it. + +Reported-by: syzbot+9abda841d636d86c41da@syzkaller.appspotmail.com +Cc: +Link: https://lore.kernel.org/r/syzbot+9abda841d636d86c41da@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20221112141223.6144-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/midi.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/sound/usb/midi.c ++++ b/sound/usb/midi.c +@@ -1133,10 +1133,8 @@ static int snd_usbmidi_output_open(struc + port = &umidi->endpoints[i].out->ports[j]; + break; + } +- if (!port) { +- snd_BUG(); ++ if (!port) + return -ENXIO; +- } + + substream->runtime->private_data = port; + port->state = STATE_UNKNOWN; diff --git a/queue-5.15/drm-amd-display-add-hubp-surface-flip-interrupt-handler.patch b/queue-5.15/drm-amd-display-add-hubp-surface-flip-interrupt-handler.patch new file mode 100644 index 00000000000..b5094186754 --- /dev/null +++ b/queue-5.15/drm-amd-display-add-hubp-surface-flip-interrupt-handler.patch 
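Review bot: The surviving `if (!port) return -ENXIO;` in snd_usbmidi_output_open() now carries no hint of why a NULL port is expected, so a later cleanup could easily reinstate a BUG_ON or WARN there. The commit message explains it (a device-supplied descriptor with an invalid endpoint setup makes the driver skip the port allocation) but nothing in the code does, and this is device-controlled input rather than a driver invariant. Add a one-line comment above the check such as `/* port is NULL when the device's endpoint descriptor was invalid and the port was never allocated: reject quietly, this is not a driver bug */`. The enclosing function starts and ends outside the hunk.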
@@ -0,0 +1,50 @@ +From 7af87fc1ba136143314c870059b8f60180247cbd Mon Sep 17 00:00:00 2001 +From: Rodrigo Siqueira +Date: Mon, 31 Oct 2022 14:58:12 -0400 +Subject: drm/amd/display: Add HUBP surface flip interrupt handler + +From: Rodrigo Siqueira + +commit 7af87fc1ba136143314c870059b8f60180247cbd upstream. + +On IGT, there is a test named amd_hotplug, and when the subtest basic is +executed on DCN31, we get the following error: + +[drm] *ERROR* [CRTC:71:crtc-0] flip_done timed out +[drm] *ERROR* flip_done timed out +[drm] *ERROR* [CRTC:71:crtc-0] commit wait timed out +[drm] *ERROR* flip_done timed out +[drm] *ERROR* [CONNECTOR:88:DP-1] commit wait timed out +[drm] *ERROR* flip_done timed out +[drm] *ERROR* [PLANE:59:plane-3] commit wait timed out + +After enable the page flip log with the below command: + + echo -n 'format "[PFLIP]" +p' > /sys/kernel/debug/dynamic_debug/control + +It is possible to see that the flip was submitted, but DC never replied +back, which generates time-out issues. This is an indication that the +HUBP surface flip is missing. This commit fixes this issue by adding +hubp1_set_flip_int to DCN31. + +Reviewed-by: Nicholas Kazlauskas +Acked-by: Tom Chung +Signed-off-by: Rodrigo Siqueira +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c +@@ -79,6 +79,7 @@ static struct hubp_funcs dcn31_hubp_func + .hubp_init = hubp3_init, + .set_unbounded_requesting = hubp31_set_unbounded_requesting, + .hubp_soft_reset = hubp31_soft_reset, ++ .hubp_set_flip_int = hubp1_set_flip_int, + .hubp_in_blank = hubp1_in_blank, + }; + 
diff --git a/queue-5.15/ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch b/queue-5.15/ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch new file mode 100644 index 00000000000..89fd719d539 --- /dev/null +++ b/queue-5.15/ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch 
@@ -0,0 +1,55 @@ +From 19ba6c8af9382c4c05dc6a0a79af3013b9a35cd0 Mon Sep 17 00:00:00 2001 +From: Xiu Jianfeng +Date: Wed, 16 Nov 2022 09:52:07 +0800 +Subject: ftrace: Fix null pointer dereference in ftrace_add_mod() + +From: Xiu Jianfeng + +commit 19ba6c8af9382c4c05dc6a0a79af3013b9a35cd0 upstream. + +The @ftrace_mod is allocated by kzalloc(), so both the members {prev,next} +of @ftrace_mode->list are NULL, it's not a valid state to call list_del(). +If kstrdup() for @ftrace_mod->{func|module} fails, it goes to @out_free +tag and calls free_ftrace_mod() to destroy @ftrace_mod, then list_del() +will write prev->next and next->prev, where null pointer dereference +happens. + +BUG: kernel NULL pointer dereference, address: 0000000000000008 +Oops: 0002 [#1] PREEMPT SMP NOPTI +Call Trace: + + ftrace_mod_callback+0x20d/0x220 + ? do_filp_open+0xd9/0x140 + ftrace_process_regex.isra.51+0xbf/0x130 + ftrace_regex_write.isra.52.part.53+0x6e/0x90 + vfs_write+0xee/0x3a0 + ? __audit_filter_op+0xb1/0x100 + ? auditd_test_task+0x38/0x50 + ksys_write+0xa5/0xe0 + do_syscall_64+0x3a/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +Kernel panic - not syncing: Fatal exception + +So call INIT_LIST_HEAD() to initialize the list member to fix this issue. + +Link: https://lkml.kernel.org/r/20221116015207.30858-1-xiujianfeng@huawei.com + +Cc: stable@vger.kernel.org +Fixes: 673feb9d76ab ("ftrace: Add :mod: caching infrastructure to trace_array") +Signed-off-by: Xiu Jianfeng +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -1295,6 +1295,7 @@ static int ftrace_add_mod(struct trace_a + if (!ftrace_mod) + return -ENOMEM; + ++ INIT_LIST_HEAD(&ftrace_mod->list); + ftrace_mod->func = kstrdup(func, GFP_KERNEL); + ftrace_mod->module = kstrdup(module, GFP_KERNEL); + ftrace_mod->enable = enable; 
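Review bot: The added `INIT_LIST_HEAD(&ftrace_mod->list);` is the only thing standing between the kstrdup() failure path and a list_del() on NULL prev/next, but nothing at the call site says so, and the kzalloc() that leaves the fields NULL is outside the hunk. Suggest `/* Must be initialised before any out_free path: free_ftrace_mod() does list_del() on this head. */` directly above it so the line is not dropped in a later refactor. The kstrdup() failure checks and the out_free label are outside the hunk, so I could not confirm that both allocations are checked before the head is ever used.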
diff --git a/queue-5.15/ftrace-fix-the-possible-incorrect-kernel-message.patch b/queue-5.15/ftrace-fix-the-possible-incorrect-kernel-message.patch new file mode 100644 index 00000000000..95f27b929fa --- /dev/null +++ b/queue-5.15/ftrace-fix-the-possible-incorrect-kernel-message.patch @@ -0,0 +1,36 @@ +From 08948caebe93482db1adfd2154eba124f66d161d Mon Sep 17 00:00:00 2001 +From: Wang Wensheng +Date: Wed, 9 Nov 2022 09:44:32 +0000 +Subject: ftrace: Fix the possible incorrect kernel message + +From: Wang Wensheng + +commit 08948caebe93482db1adfd2154eba124f66d161d upstream. + +If the number of mcount entries is an integer multiple of +ENTRIES_PER_PAGE, the page count showing on the console would be wrong. + +Link: https://lkml.kernel.org/r/20221109094434.84046-2-wangwensheng4@huawei.com + +Cc: +Cc: +Cc: stable@vger.kernel.org +Fixes: 5821e1b74f0d0 ("function tracing: fix wrong pos computing when read buffer has been fulfilled") +Signed-off-by: Wang Wensheng +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -6870,7 +6870,7 @@ void __init ftrace_init(void) + } + + pr_info("ftrace: allocating %ld entries in %ld pages\n", +- count, count / ENTRIES_PER_PAGE + 1); ++ count, DIV_ROUND_UP(count, ENTRIES_PER_PAGE)); + + last_ftrace_enabled = ftrace_enabled = 1; + diff --git a/queue-5.15/ftrace-optimize-the-allocation-for-mcount-entries.patch b/queue-5.15/ftrace-optimize-the-allocation-for-mcount-entries.patch new file mode 100644 index 00000000000..b8f78edb896 --- /dev/null +++ b/queue-5.15/ftrace-optimize-the-allocation-for-mcount-entries.patch 
@@ -0,0 +1,36 @@ +From bcea02b096333dc74af987cb9685a4dbdd820840 Mon Sep 17 00:00:00 2001 +From: Wang Wensheng +Date: Wed, 9 Nov 2022 09:44:33 +0000 +Subject: ftrace: Optimize the allocation for mcount entries + +From: Wang Wensheng + +commit bcea02b096333dc74af987cb9685a4dbdd820840 upstream. + +If we can't allocate this size, try something smaller with half of the +size. Its order should be decreased by one instead of divided by two. + +Link: https://lkml.kernel.org/r/20221109094434.84046-3-wangwensheng4@huawei.com + +Cc: +Cc: +Cc: stable@vger.kernel.org +Fixes: a79008755497d ("ftrace: Allocate the mcount record pages as groups") +Signed-off-by: Wang Wensheng +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -3174,7 +3174,7 @@ static int ftrace_allocate_records(struc + /* if we can't allocate this size, try something smaller */ + if (!order) + return -ENOMEM; +- order >>= 1; ++ order--; + goto again; + } + diff --git a/queue-5.15/revert-usb-dwc3-disable-usb-core-phy-management.patch b/queue-5.15/revert-usb-dwc3-disable-usb-core-phy-management.patch new file mode 100644 index 00000000000..3bf391ed555 --- /dev/null +++ b/queue-5.15/revert-usb-dwc3-disable-usb-core-phy-management.patch 
@@ -0,0 +1,71 @@ +From 5c294de36e7fb3e0cba0c4e1ef9a5f57bc080d0f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 3 Nov 2022 15:46:48 +0100 +Subject: Revert "usb: dwc3: disable USB core PHY management" + +From: Johan Hovold + +commit 5c294de36e7fb3e0cba0c4e1ef9a5f57bc080d0f upstream. + +This reverts commit 6000b8d900cd5f52fbcd0776d0cc396e88c8c2ea. + +The offending commit disabled the USB core PHY management as the dwc3 +already manages the PHYs in question. + +Unfortunately some platforms have started relying on having USB core +also controlling the PHY and this is specifically currently needed on +some Exynos platforms for PHY calibration or connected device may fail +to enumerate. + +The PHY calibration was previously handled in the dwc3 driver, but to +work around some issues related to how the dwc3 driver interacts with +xhci (e.g. using multiple drivers) this was moved to USB core by commits +34c7ed72f4f0 ("usb: core: phy: add support for PHY calibration") and +a0a465569b45 ("usb: dwc3: remove generic PHY calibrate() calls"). + +The same PHY obviously should not be controlled from two different +places, which for example do no agree on the PHY mode or power state +during suspend, but as the offending patch was backported to stable, +let's revert it for now. 
+ +Reported-by: Stefan Agner +Link: https://lore.kernel.org/lkml/808bdba846bb60456adf10a3016911ee@agner.ch/ +Fixes: 6000b8d900cd ("usb: dwc3: disable USB core PHY management") +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Tested-by: Marek Szyprowski +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20221103144648.14197-1-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/host.c | 10 ---------- + 1 file changed, 10 deletions(-) + +--- a/drivers/usb/dwc3/host.c ++++ b/drivers/usb/dwc3/host.c +@@ -10,13 +10,8 @@ + #include + #include + +-#include "../host/xhci-plat.h" + #include "core.h" + +-static const struct xhci_plat_priv dwc3_xhci_plat_priv = { +- .quirks = XHCI_SKIP_PHY_INIT, +-}; +- + static int dwc3_host_get_irq(struct dwc3 *dwc) + { + struct platform_device *dwc3_pdev = to_platform_device(dwc->dev); +@@ -92,11 +87,6 @@ int dwc3_host_init(struct dwc3 *dwc) + goto err; + } + +- ret = platform_device_add_data(xhci, &dwc3_xhci_plat_priv, +- sizeof(dwc3_xhci_plat_priv)); +- if (ret) +- goto err; +- + memset(props, 0, sizeof(struct property_entry) * ARRAY_SIZE(props)); + + if (dwc->usb3_lpm_capable) diff --git a/queue-5.15/ring_buffer-do-not-deactivate-non-existant-pages.patch b/queue-5.15/ring_buffer-do-not-deactivate-non-existant-pages.patch new file mode 100644 index 00000000000..b6e1c7df9d9 --- /dev/null +++ b/queue-5.15/ring_buffer-do-not-deactivate-non-existant-pages.patch 
@@ -0,0 +1,40 @@ +From 56f4ca0a79a9f1af98f26c54b9b89ba1f9bcc6bd Mon Sep 17 00:00:00 2001 +From: Daniil Tatianin +Date: Mon, 14 Nov 2022 17:31:29 +0300 +Subject: ring_buffer: Do not deactivate non-existant pages + +From: Daniil Tatianin + +commit 56f4ca0a79a9f1af98f26c54b9b89ba1f9bcc6bd upstream. + +rb_head_page_deactivate() expects cpu_buffer to contain a valid list of +->pages, so verify that the list is actually present before calling it. + +Found by Linux Verification Center (linuxtesting.org) with the SVACE +static analysis tool. + +Link: https://lkml.kernel.org/r/20221114143129.3534443-1-d-tatianin@yandex-team.ru + +Cc: stable@vger.kernel.org +Fixes: 77ae365eca895 ("ring-buffer: make lockless") +Signed-off-by: Daniil Tatianin +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ring_buffer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -1733,9 +1733,9 @@ static void rb_free_cpu_buffer(struct ri + + free_buffer_page(cpu_buffer->reader_page); + +- rb_head_page_deactivate(cpu_buffer); +- + if (head) { ++ rb_head_page_deactivate(cpu_buffer); ++ + list_for_each_entry_safe(bpage, tmp, head, list) { + list_del_init(&bpage->list); + free_buffer_page(bpage); diff --git a/queue-5.15/series b/queue-5.15/series index 4a5f2bdf27f..44fd11e0091 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
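Review bot: Moving `rb_head_page_deactivate(cpu_buffer)` under `if (head)` fixes this caller, but the callee presumably still walks cpu_buffer->pages unconditionally, so any other caller reached with an unallocated page list keeps the same problem; whether such callers exist is not visible here. Consider also making rb_head_page_deactivate() return early on a NULL `cpu_buffer->pages`, e.g. `if (!cpu_buffer->pages) return;` at its top, and keep this caller-side hoist as it is. The start of rb_free_cpu_buffer(), where `head` is taken from the page list, is outside the hunk.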
@@ -104,3 +104,19 @@ net-microchip-sparx5-fix-potential-null-ptr-deref-in.patch net-thunderbolt-fix-error-handling-in-tbnet_init.patch l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch cifs-add-check-for-returning-value-of-smb2_set_info_.patch +ftrace-fix-the-possible-incorrect-kernel-message.patch +ftrace-optimize-the-allocation-for-mcount-entries.patch +ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch +ring_buffer-do-not-deactivate-non-existant-pages.patch +tracing-fix-memory-leak-in-tracing_read_pipe.patch +tracing-ring-buffer-have-polling-block-on-watermark.patch +tracing-fix-memory-leak-in-test_gen_synth_cmd-and-test_empty_synth_event.patch +tracing-fix-wild-memory-access-in-register_synth_event.patch +tracing-fix-race-where-eprobes-can-be-called-before-the-event.patch +tracing-kprobe-fix-potential-null-ptr-deref-on-trace_event_file-in-kprobe_event_gen_test_exit.patch +tracing-kprobe-fix-potential-null-ptr-deref-on-trace_array-in-kprobe_event_gen_test_exit.patch +drm-amd-display-add-hubp-surface-flip-interrupt-handler.patch +alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch +alsa-hda-realtek-fix-speakers-for-samsung-galaxy-book-pro.patch +alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch +revert-usb-dwc3-disable-usb-core-phy-management.patch diff --git a/queue-5.15/tracing-fix-memory-leak-in-test_gen_synth_cmd-and-test_empty_synth_event.patch b/queue-5.15/tracing-fix-memory-leak-in-test_gen_synth_cmd-and-test_empty_synth_event.patch new file mode 100644 index 00000000000..6e0c39c78c1 --- /dev/null +++ b/queue-5.15/tracing-fix-memory-leak-in-test_gen_synth_cmd-and-test_empty_synth_event.patch 
@@ -0,0 +1,98 @@ +From a4527fef9afe5c903c718d0cd24609fe9c754250 Mon Sep 17 00:00:00 2001 +From: Shang XiaoJing +Date: Thu, 17 Nov 2022 09:23:45 +0800 +Subject: tracing: Fix memory leak in test_gen_synth_cmd() and test_empty_synth_event() + +From: Shang XiaoJing + +commit a4527fef9afe5c903c718d0cd24609fe9c754250 upstream. + +test_gen_synth_cmd() only free buf in fail path, hence buf will leak +when there is no failure. Add kfree(buf) to prevent the memleak. The +same reason and solution in test_empty_synth_event(). + +unreferenced object 0xffff8881127de000 (size 2048): + comm "modprobe", pid 247, jiffies 4294972316 (age 78.756s) + hex dump (first 32 bytes): + 20 67 65 6e 5f 73 79 6e 74 68 5f 74 65 73 74 20 gen_synth_test + 20 70 69 64 5f 74 20 6e 65 78 74 5f 70 69 64 5f pid_t next_pid_ + backtrace: + [<000000004254801a>] kmalloc_trace+0x26/0x100 + [<0000000039eb1cf5>] 0xffffffffa00083cd + [<000000000e8c3bc8>] 0xffffffffa00086ba + [<00000000c293d1ea>] do_one_initcall+0xdb/0x480 + [<00000000aa189e6d>] do_init_module+0x1cf/0x680 + [<00000000d513222b>] load_module+0x6a50/0x70a0 + [<000000001fd4d529>] __do_sys_finit_module+0x12f/0x1c0 + [<00000000b36c4c0f>] do_syscall_64+0x3f/0x90 + [<00000000bbf20cf3>] entry_SYSCALL_64_after_hwframe+0x63/0xcd +unreferenced object 0xffff8881127df000 (size 2048): + comm "modprobe", pid 247, jiffies 4294972324 (age 78.728s) + hex dump (first 32 bytes): + 20 65 6d 70 74 79 5f 73 79 6e 74 68 5f 74 65 73 empty_synth_tes + 74 20 20 70 69 64 5f 74 20 6e 65 78 74 5f 70 69 t pid_t next_pi + backtrace: + [<000000004254801a>] kmalloc_trace+0x26/0x100 + [<00000000d4db9a3d>] 0xffffffffa0008071 + [<00000000c31354a5>] 0xffffffffa00086ce + [<00000000c293d1ea>] do_one_initcall+0xdb/0x480 + [<00000000aa189e6d>] do_init_module+0x1cf/0x680 + [<00000000d513222b>] load_module+0x6a50/0x70a0 + [<000000001fd4d529>] __do_sys_finit_module+0x12f/0x1c0 + [<00000000b36c4c0f>] do_syscall_64+0x3f/0x90 + [<00000000bbf20cf3>] entry_SYSCALL_64_after_hwframe+0x63/0xcd + 
+Link: https://lkml.kernel.org/r/20221117012346.22647-2-shangxiaojing@huawei.com + +Cc: +Cc: +Cc: +Cc: stable@vger.kernel.org +Fixes: 9fe41efaca08 ("tracing: Add synth event generation test module") +Signed-off-by: Shang XiaoJing +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/synth_event_gen_test.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +--- a/kernel/trace/synth_event_gen_test.c ++++ b/kernel/trace/synth_event_gen_test.c +@@ -120,15 +120,13 @@ static int __init test_gen_synth_cmd(voi + + /* Now generate a gen_synth_test event */ + ret = synth_event_trace_array(gen_synth_test, vals, ARRAY_SIZE(vals)); +- out: ++ free: ++ kfree(buf); + return ret; + delete: + /* We got an error after creating the event, delete it */ + synth_event_delete("gen_synth_test"); +- free: +- kfree(buf); +- +- goto out; ++ goto free; + } + + /* +@@ -227,15 +225,13 @@ static int __init test_empty_synth_event + + /* Now trace an empty_synth_test event */ + ret = synth_event_trace_array(empty_synth_test, vals, ARRAY_SIZE(vals)); +- out: ++ free: ++ kfree(buf); + return ret; + delete: + /* We got an error after creating the event, delete it */ + synth_event_delete("empty_synth_test"); +- free: +- kfree(buf); +- +- goto out; ++ goto free; + } + + static struct synth_field_desc create_synth_test_fields[] = { diff --git a/queue-5.15/tracing-fix-memory-leak-in-tracing_read_pipe.patch b/queue-5.15/tracing-fix-memory-leak-in-tracing_read_pipe.patch new file mode 100644 index 00000000000..1f9b85a38d8 --- /dev/null +++ b/queue-5.15/tracing-fix-memory-leak-in-tracing_read_pipe.patch 
@@ -0,0 +1,56 @@ +From 649e72070cbbb8600eb823833e4748f5a0815116 Mon Sep 17 00:00:00 2001 +From: Wang Yufen +Date: Mon, 7 Nov 2022 19:04:50 +0800 +Subject: tracing: Fix memory leak in tracing_read_pipe() + +From: Wang Yufen + +commit 649e72070cbbb8600eb823833e4748f5a0815116 upstream. + +kmemleak reports this issue: + +unreferenced object 0xffff888105a18900 (size 128): + comm "test_progs", pid 18933, jiffies 4336275356 (age 22801.766s) + hex dump (first 32 bytes): + 25 73 00 90 81 88 ff ff 26 05 00 00 42 01 58 04 %s......&...B.X. + 03 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000560143a1>] __kmalloc_node_track_caller+0x4a/0x140 + [<000000006af00822>] krealloc+0x8d/0xf0 + [<00000000c309be6a>] trace_iter_expand_format+0x99/0x150 + [<000000005a53bdb6>] trace_check_vprintf+0x1e0/0x11d0 + [<0000000065629d9d>] trace_event_printf+0xb6/0xf0 + [<000000009a690dc7>] trace_raw_output_bpf_trace_printk+0x89/0xc0 + [<00000000d22db172>] print_trace_line+0x73c/0x1480 + [<00000000cdba76ba>] tracing_read_pipe+0x45c/0x9f0 + [<0000000015b58459>] vfs_read+0x17b/0x7c0 + [<000000004aeee8ed>] ksys_read+0xed/0x1c0 + [<0000000063d3d898>] do_syscall_64+0x3b/0x90 + [<00000000a06dda7f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +iter->fmt alloced in + tracing_read_pipe() -> .. 
->trace_iter_expand_format(), but not +freed, to fix, add free in tracing_release_pipe() + +Link: https://lkml.kernel.org/r/1667819090-4643-1-git-send-email-wangyufen@huawei.com + +Cc: stable@vger.kernel.org +Fixes: efbbdaa22bb7 ("tracing: Show real address for trace event arguments") +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Wang Yufen +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -6630,6 +6630,7 @@ static int tracing_release_pipe(struct i + mutex_unlock(&trace_types_lock); + + free_cpumask_var(iter->started); ++ kfree(iter->fmt); + mutex_destroy(&iter->mutex); + kfree(iter); + diff --git a/queue-5.15/tracing-fix-race-where-eprobes-can-be-called-before-the-event.patch b/queue-5.15/tracing-fix-race-where-eprobes-can-be-called-before-the-event.patch new file mode 100644 index 00000000000..ce6304ac11c --- /dev/null +++ b/queue-5.15/tracing-fix-race-where-eprobes-can-be-called-before-the-event.patch 
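Review bot: `kfree(iter->fmt)` in tracing_release_pipe() is only safe if `iter->fmt` is NULL for a pipe that was never printed through trace_iter_expand_format(); that depends on tracing_open_pipe() zero-allocating the iterator, which is outside the hunk and not visible here. Worth confirming, and worth a comment on the new line: `/* fmt is lazily grown by trace_iter_expand_format(); NULL if never used */`. If the iterator is not kzalloc'd, this becomes a free of an uninitialised pointer on the close path of an otherwise idle pipe, which is worse than the leak it replaces.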
@@ -0,0 +1,45 @@ +From 94eedf3dded5fb472ce97bfaf3ac1c6c29c35d26 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Google)" +Date: Thu, 17 Nov 2022 21:42:49 -0500 +Subject: tracing: Fix race where eprobes can be called before the event + +From: Steven Rostedt (Google) + +commit 94eedf3dded5fb472ce97bfaf3ac1c6c29c35d26 upstream. + +The flag that tells the event to call its triggers after reading the event +is set for eprobes after the eprobe is enabled. This leads to a race where +the eprobe may be triggered at the beginning of the event where the record +information is NULL. The eprobe then dereferences the NULL record causing +a NULL kernel pointer bug. + +Test for a NULL record to keep this from happening. + +Link: https://lore.kernel.org/linux-trace-kernel/20221116192552.1066630-1-rafaelmendsr@gmail.com/ +Link: https://lore.kernel.org/linux-trace-kernel/20221117214249.2addbe10@gandalf.local.home + +Cc: Linux Trace Kernel +Cc: Tzvetomir Stoyanov +Cc: Tom Zanussi +Cc: stable@vger.kernel.org +Fixes: 7491e2c442781 ("tracing: Add a probe that attaches to trace events") +Acked-by: Masami Hiramatsu (Google) +Reported-by: Rafael Mendonca +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_eprobe.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/trace/trace_eprobe.c ++++ b/kernel/trace/trace_eprobe.c +@@ -567,6 +567,9 @@ static void eprobe_trigger_func(struct e + { + struct eprobe_data *edata = data->private_data; + ++ if (unlikely(!rec)) ++ return; ++ + __eprobe_trace_func(edata, rec); + } + diff --git a/queue-5.15/tracing-fix-wild-memory-access-in-register_synth_event.patch b/queue-5.15/tracing-fix-wild-memory-access-in-register_synth_event.patch new file mode 100644 index 00000000000..0630bd20f79 --- /dev/null +++ b/queue-5.15/tracing-fix-wild-memory-access-in-register_synth_event.patch 
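Review bot: The new `if (unlikely(!rec)) return;` in eprobe_trigger_func() drops the event with no explanation in the code of why a NULL record is legitimate, so the check reads as dead defensiveness and risks being removed. The commit message has the reason (the post-read trigger flag is set after the eprobe is enabled, so the trigger can fire before a record exists); put that above the check, e.g. `/* May be called before the event has a record: the trigger flag is set after the eprobe is enabled. */`. The ordering that causes the race is left in place and only its consequence is guarded, which is acceptable for stable but should be said in the comment as well.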
@@ -0,0 +1,94 @@ +From 1b5f1c34d3f5a664a57a5a7557a50e4e3cc2505c Mon Sep 17 00:00:00 2001 +From: Shang XiaoJing +Date: Thu, 17 Nov 2022 09:23:46 +0800 +Subject: tracing: Fix wild-memory-access in register_synth_event() + +From: Shang XiaoJing + +commit 1b5f1c34d3f5a664a57a5a7557a50e4e3cc2505c upstream. + +In register_synth_event(), if set_synth_event_print_fmt() failed, then +both trace_remove_event_call() and unregister_trace_event() will be +called, which means the trace_event_call will call +__unregister_trace_event() twice. As the result, the second unregister +will causes the wild-memory-access. + +register_synth_event + set_synth_event_print_fmt failed + trace_remove_event_call + event_remove + if call->event.funcs then + __unregister_trace_event (first call) + unregister_trace_event + __unregister_trace_event (second call) + +Fix the bug by avoiding to call the second __unregister_trace_event() by +checking if the first one is called. + +general protection fault, probably for non-canonical address + 0xfbd59c0000000024: 0000 [#1] SMP KASAN PTI +KASAN: maybe wild-memory-access in range +[0xdead000000000120-0xdead000000000127] +CPU: 0 PID: 3807 Comm: modprobe Not tainted +6.1.0-rc1-00186-g76f33a7eedb4 #299 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 +RIP: 0010:unregister_trace_event+0x6e/0x280 +Code: 00 fc ff df 4c 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 0e 02 00 00 48 +b8 00 00 00 00 00 fc ff df 4c 8b 63 08 4c 89 e2 48 c1 ea 03 <80> 3c 02 +00 0f 85 e2 01 00 00 49 89 2c 24 48 85 ed 74 28 e8 7a 9b +RSP: 0018:ffff88810413f370 EFLAGS: 00010a06 +RAX: dffffc0000000000 RBX: ffff888105d050b0 RCX: 0000000000000000 +RDX: 1bd5a00000000024 RSI: ffff888119e276e0 RDI: ffffffff835a8b20 +RBP: dead000000000100 R08: 0000000000000000 R09: fffffbfff0913481 +R10: ffffffff8489a407 R11: fffffbfff0913480 R12: dead000000000122 +R13: ffff888105d050b8 R14: 0000000000000000 R15: ffff888105d05028 +FS: 
00007f7823e8d540(0000) GS:ffff888119e00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7823e7ebec CR3: 000000010a058002 CR4: 0000000000330ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __create_synth_event+0x1e37/0x1eb0 + create_or_delete_synth_event+0x110/0x250 + synth_event_run_command+0x2f/0x110 + test_gen_synth_cmd+0x170/0x2eb [synth_event_gen_test] + synth_event_gen_test_init+0x76/0x9bc [synth_event_gen_test] + do_one_initcall+0xdb/0x480 + do_init_module+0x1cf/0x680 + load_module+0x6a50/0x70a0 + __do_sys_finit_module+0x12f/0x1c0 + do_syscall_64+0x3f/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Link: https://lkml.kernel.org/r/20221117012346.22647-3-shangxiaojing@huawei.com + +Fixes: 4b147936fa50 ("tracing: Add support for 'synthetic' events") +Signed-off-by: Shang XiaoJing +Cc: stable@vger.kernel.org +Cc: +Cc: +Cc: +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_synth.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/kernel/trace/trace_events_synth.c ++++ b/kernel/trace/trace_events_synth.c +@@ -820,10 +820,9 @@ static int register_synth_event(struct s + } + + ret = set_synth_event_print_fmt(call); +- if (ret < 0) { ++ /* unregister_trace_event() will be called inside */ ++ if (ret < 0) + trace_remove_event_call(call); +- goto err; +- } + out: + return ret; + err: diff --git a/queue-5.15/tracing-kprobe-fix-potential-null-ptr-deref-on-trace_array-in-kprobe_event_gen_test_exit.patch b/queue-5.15/tracing-kprobe-fix-potential-null-ptr-deref-on-trace_array-in-kprobe_event_gen_test_exit.patch new file mode 100644 index 00000000000..159d6e691ab --- /dev/null +++ b/queue-5.15/tracing-kprobe-fix-potential-null-ptr-deref-on-trace_array-in-kprobe_event_gen_test_exit.patch 
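Review bot: The return value of `trace_remove_event_call(call)` on the new failure path is ignored; it returns an int and can fail (for example -EBUSY when a trace_event_file for the call is enabled or referenced), in which case the call stays registered while register_synth_event() returns the print-format error and the caller presumably frees the synth event underneath a still-registered call. I would at least make that visible, `WARN_ON_ONCE(trace_remove_event_call(call));`, or propagate a non-zero result into `ret`. The added comment `/* unregister_trace_event() will be called inside */` is too terse for the subtle point the patch makes; I'd write `/* trace_remove_event_call() also unregisters the trace event, so do not fall through to err: (it would unregister twice) */`. The `err:` label body is outside the hunk.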
@@ -0,0 +1,83 @@ +From 22ea4ca9631eb137e64e5ab899e9c89cb6670959 Mon Sep 17 00:00:00 2001 +From: Shang XiaoJing +Date: Fri, 18 Nov 2022 10:15:34 +0900 +Subject: tracing: kprobe: Fix potential null-ptr-deref on trace_array in kprobe_event_gen_test_exit() + +From: Shang XiaoJing + +commit 22ea4ca9631eb137e64e5ab899e9c89cb6670959 upstream. + +When test_gen_kprobe_cmd() failed after kprobe_event_gen_cmd_end(), it +will goto delete, which will call kprobe_event_delete() and release the +corresponding resource. However, the trace_array in gen_kretprobe_test +will point to the invalid resource. Set gen_kretprobe_test to NULL +after called kprobe_event_delete() to prevent null-ptr-deref. + +BUG: kernel NULL pointer dereference, address: 0000000000000070 +PGD 0 P4D 0 +Oops: 0000 [#1] SMP PTI +CPU: 0 PID: 246 Comm: modprobe Tainted: G W +6.1.0-rc1-00174-g9522dc5c87da-dirty #248 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 +RIP: 0010:__ftrace_set_clr_event_nolock+0x53/0x1b0 +Code: e8 82 26 fc ff 49 8b 1e c7 44 24 0c ea ff ff ff 49 39 de 0f 84 3c +01 00 00 c7 44 24 18 00 00 00 00 e8 61 26 fc ff 48 8b 6b 10 <44> 8b 65 +70 4c 8b 6d 18 41 f7 c4 00 02 00 00 75 2f +RSP: 0018:ffffc9000159fe00 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffff88810971d268 RCX: 0000000000000000 +RDX: ffff8881080be600 RSI: ffffffff811b48ff RDI: ffff88810971d058 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001 +R10: ffffc9000159fe58 R11: 0000000000000001 R12: ffffffffa0001064 +R13: ffffffffa000106c R14: ffff88810971d238 R15: 0000000000000000 +FS: 00007f89eeff6540(0000) GS:ffff88813b600000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000070 CR3: 000000010599e004 CR4: 0000000000330ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __ftrace_set_clr_event+0x3e/0x60 + 
trace_array_set_clr_event+0x35/0x50 + ? 0xffffffffa0000000 + kprobe_event_gen_test_exit+0xcd/0x10b [kprobe_event_gen_test] + __x64_sys_delete_module+0x206/0x380 + ? lockdep_hardirqs_on_prepare+0xd8/0x190 + ? syscall_enter_from_user_mode+0x1c/0x50 + do_syscall_64+0x3f/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f89eeb061b7 + +Link: https://lore.kernel.org/all/20221108015130.28326-3-shangxiaojing@huawei.com/ + +Fixes: 64836248dda2 ("tracing: Add kprobe event command generation test module") +Signed-off-by: Shang XiaoJing +Cc: stable@vger.kernel.org +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/kprobe_event_gen_test.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/trace/kprobe_event_gen_test.c ++++ b/kernel/trace/kprobe_event_gen_test.c +@@ -143,6 +143,8 @@ static int __init test_gen_kprobe_cmd(vo + kfree(buf); + return ret; + delete: ++ if (trace_event_file_is_valid(gen_kprobe_test)) ++ gen_kprobe_test = NULL; + /* We got an error after creating the event, delete it */ + ret = kprobe_event_delete("gen_kprobe_test"); + goto out; +@@ -206,6 +208,8 @@ static int __init test_gen_kretprobe_cmd + kfree(buf); + return ret; + delete: ++ if (trace_event_file_is_valid(gen_kretprobe_test)) ++ gen_kretprobe_test = NULL; + /* We got an error after creating the event, delete it */ + ret = kprobe_event_delete("gen_kretprobe_test"); + goto out; diff --git a/queue-5.15/tracing-kprobe-fix-potential-null-ptr-deref-on-trace_event_file-in-kprobe_event_gen_test_exit.patch b/queue-5.15/tracing-kprobe-fix-potential-null-ptr-deref-on-trace_event_file-in-kprobe_event_gen_test_exit.patch new file mode 100644 index 00000000000..06e9bf388e7 --- /dev/null +++ b/queue-5.15/tracing-kprobe-fix-potential-null-ptr-deref-on-trace_event_file-in-kprobe_event_gen_test_exit.patch 
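Review bot: The `delete:` path visible here still does `ret = kprobe_event_delete("gen_kprobe_test");`, which overwrites the error that brought us to `delete` with the delete's own result, 0 on success, so test_gen_kprobe_cmd() (and test_gen_kretprobe_cmd(), same shape below) reports success after a failure and module init completes with a torn-down event; that is presumably how kprobe_event_gen_test_exit() ends up looking at a stale pointer at all, and NULLing the pointer only treats the symptom. I would keep the original error, `WARN_ON(kprobe_event_delete("gen_kprobe_test"));` leaving `ret` untouched, so init fails, the module does not load and exit never runs. The `if (trace_event_file_is_valid(...))` guard around the assignment is also unnecessary: the is_valid() checks in the exit path treat an ERR_PTR and NULL the same way, so an unconditional `gen_kprobe_test = NULL; /* the event is deleted below; exit must not touch it */` is simpler and says why. Both functions continue outside the hunk.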
@@ -0,0 +1,129 @@ +From e0d75267f59d7084e0468bd68beeb1bf9c71d7c0 Mon Sep 17 00:00:00 2001 +From: Shang XiaoJing +Date: Fri, 18 Nov 2022 10:15:33 +0900 +Subject: tracing: kprobe: Fix potential null-ptr-deref on trace_event_file in kprobe_event_gen_test_exit() + +From: Shang XiaoJing + +commit e0d75267f59d7084e0468bd68beeb1bf9c71d7c0 upstream. + +When trace_get_event_file() failed, gen_kretprobe_test will be assigned +as the error code. If module kprobe_event_gen_test is removed now, the +null pointer dereference will happen in kprobe_event_gen_test_exit(). +Check if gen_kprobe_test or gen_kretprobe_test is error code or NULL +before dereference them. + +BUG: kernel NULL pointer dereference, address: 0000000000000012 +PGD 0 P4D 0 +Oops: 0000 [#1] SMP PTI +CPU: 3 PID: 2210 Comm: modprobe Not tainted +6.1.0-rc1-00171-g2159299a3b74-dirty #217 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 +RIP: 0010:kprobe_event_gen_test_exit+0x1c/0xb5 [kprobe_event_gen_test] +Code: Unable to access opcode bytes at 0xffffffff9ffffff2. +RSP: 0018:ffffc900015bfeb8 EFLAGS: 00010246 +RAX: ffffffffffffffea RBX: ffffffffa0002080 RCX: 0000000000000000 +RDX: ffffffffa0001054 RSI: ffffffffa0001064 RDI: ffffffffdfc6349c +RBP: ffffffffa0000000 R08: 0000000000000004 R09: 00000000001e95c0 +R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000800 +R13: ffffffffa0002420 R14: 0000000000000000 R15: 0000000000000000 +FS: 00007f56b75be540(0000) GS:ffff88813bc00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffff9ffffff2 CR3: 000000010874a006 CR4: 0000000000330ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __x64_sys_delete_module+0x206/0x380 + ? lockdep_hardirqs_on_prepare+0xd8/0x190 + ? 
syscall_enter_from_user_mode+0x1c/0x50 + do_syscall_64+0x3f/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Link: https://lore.kernel.org/all/20221108015130.28326-2-shangxiaojing@huawei.com/ + +Fixes: 64836248dda2 ("tracing: Add kprobe event command generation test module") +Signed-off-by: Shang XiaoJing +Acked-by: Masami Hiramatsu (Google) +Cc: stable@vger.kernel.org +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/kprobe_event_gen_test.c | 44 ++++++++++++++++++++++------------- + 1 file changed, 28 insertions(+), 16 deletions(-) + +--- a/kernel/trace/kprobe_event_gen_test.c ++++ b/kernel/trace/kprobe_event_gen_test.c +@@ -73,6 +73,10 @@ static struct trace_event_file *gen_kret + #define KPROBE_GEN_TEST_ARG3 NULL + #endif + ++static bool trace_event_file_is_valid(struct trace_event_file *input) ++{ ++ return input && !IS_ERR(input); ++} + + /* + * Test to make sure we can create a kprobe event, then add more +@@ -217,10 +221,12 @@ static int __init kprobe_event_gen_test_ + + ret = test_gen_kretprobe_cmd(); + if (ret) { +- WARN_ON(trace_array_set_clr_event(gen_kretprobe_test->tr, +- "kprobes", +- "gen_kretprobe_test", false)); +- trace_put_event_file(gen_kretprobe_test); ++ if (trace_event_file_is_valid(gen_kretprobe_test)) { ++ WARN_ON(trace_array_set_clr_event(gen_kretprobe_test->tr, ++ "kprobes", ++ "gen_kretprobe_test", false)); ++ trace_put_event_file(gen_kretprobe_test); ++ } + WARN_ON(kprobe_event_delete("gen_kretprobe_test")); + } + +@@ -229,24 +235,30 @@ static int __init kprobe_event_gen_test_ + + static void __exit kprobe_event_gen_test_exit(void) + { +- /* Disable the event or you can't remove it */ +- WARN_ON(trace_array_set_clr_event(gen_kprobe_test->tr, +- "kprobes", +- "gen_kprobe_test", false)); ++ if (trace_event_file_is_valid(gen_kprobe_test)) { ++ /* Disable the event or you can't remove it */ ++ WARN_ON(trace_array_set_clr_event(gen_kprobe_test->tr, ++ "kprobes", ++ "gen_kprobe_test", false)); 
++ ++ /* Now give the file and instance back */ ++ trace_put_event_file(gen_kprobe_test); ++ } + +- /* Now give the file and instance back */ +- trace_put_event_file(gen_kprobe_test); + + /* Now unregister and free the event */ + WARN_ON(kprobe_event_delete("gen_kprobe_test")); + +- /* Disable the event or you can't remove it */ +- WARN_ON(trace_array_set_clr_event(gen_kretprobe_test->tr, +- "kprobes", +- "gen_kretprobe_test", false)); ++ if (trace_event_file_is_valid(gen_kretprobe_test)) { ++ /* Disable the event or you can't remove it */ ++ WARN_ON(trace_array_set_clr_event(gen_kretprobe_test->tr, ++ "kprobes", ++ "gen_kretprobe_test", false)); ++ ++ /* Now give the file and instance back */ ++ trace_put_event_file(gen_kretprobe_test); ++ } + +- /* Now give the file and instance back */ +- trace_put_event_file(gen_kretprobe_test); + + /* Now unregister and free the event */ + WARN_ON(kprobe_event_delete("gen_kretprobe_test")); diff --git a/queue-5.15/tracing-ring-buffer-have-polling-block-on-watermark.patch b/queue-5.15/tracing-ring-buffer-have-polling-block-on-watermark.patch new file mode 100644 index 00000000000..a7770c727d1 --- /dev/null +++ b/queue-5.15/tracing-ring-buffer-have-polling-block-on-watermark.patch 
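Review bot: In kprobe_event_gen_test_exit() the `WARN_ON(kprobe_event_delete("gen_kprobe_test"))` (and its kretprobe twin) still runs unconditionally after the new `trace_event_file_is_valid()` guard, yet as far as I can see the only way the file is NULL or an ERR_PTR at exit is that the init-time `delete:` path already ran, and that path has already deleted the event, so the unconditional delete will fail and WARN on every unload in exactly the case this patch is meant to handle. I would move the delete inside the guard, `if (trace_event_file_is_valid(gen_kprobe_test)) { ...disable, put...; WARN_ON(kprobe_event_delete("gen_kprobe_test")); }`, or at least drop the WARN_ON when the file was never valid. The new helper also deserves a one-line comment: `/* Usable only if neither NULL (never fetched) nor an ERR_PTR from trace_get_event_file(). */`. The `delete:` label lives in test_gen_kprobe_cmd(), outside this hunk.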
@@ -0,0 +1,187 @@ +From 42fb0a1e84ff525ebe560e2baf9451ab69127e2b Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Google)" +Date: Thu, 20 Oct 2022 23:14:27 -0400 +Subject: tracing/ring-buffer: Have polling block on watermark + +From: Steven Rostedt (Google) + +commit 42fb0a1e84ff525ebe560e2baf9451ab69127e2b upstream. + +Currently the way polling works on the ring buffer is broken. It will +return immediately if there's any data in the ring buffer whereas a read +will block until the watermark (defined by the tracefs buffer_percent file) +is hit. + +That is, a select() or poll() will return as if there's data available, +but then the following read will block. This is broken for the way +select()s and poll()s are supposed to work. + +Have the polling on the ring buffer also block the same way reads and +splice does on the ring buffer. + +Link: https://lkml.kernel.org/r/20221020231427.41be3f26@gandalf.local.home + +Cc: Linux Trace Kernel +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Primiano Tucci +Cc: stable@vger.kernel.org +Fixes: 1e0d6714aceb7 ("ring-buffer: Do not wake up a splice waiter when page is not full") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/ring_buffer.h | 2 - + kernel/trace/ring_buffer.c | 55 ++++++++++++++++++++++++++++---------------- + kernel/trace/trace.c | 2 - + 3 files changed, 38 insertions(+), 21 deletions(-) + +--- a/include/linux/ring_buffer.h ++++ b/include/linux/ring_buffer.h +@@ -100,7 +100,7 @@ __ring_buffer_alloc(unsigned long size, + + int ring_buffer_wait(struct trace_buffer *buffer, int cpu, int full); + __poll_t ring_buffer_poll_wait(struct trace_buffer *buffer, int cpu, +- struct file *filp, poll_table *poll_table); ++ struct file *filp, poll_table *poll_table, int full); + void ring_buffer_wake_waiters(struct trace_buffer *buffer, int cpu); + + #define RING_BUFFER_ALL_CPUS -1 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -871,6 +871,21 @@ size_t 
ring_buffer_nr_dirty_pages(struct + return cnt - read; + } + ++static __always_inline bool full_hit(struct trace_buffer *buffer, int cpu, int full) ++{ ++ struct ring_buffer_per_cpu *cpu_buffer = buffer->buffers[cpu]; ++ size_t nr_pages; ++ size_t dirty; ++ ++ nr_pages = cpu_buffer->nr_pages; ++ if (!nr_pages || !full) ++ return true; ++ ++ dirty = ring_buffer_nr_dirty_pages(buffer, cpu); ++ ++ return (dirty * 100) > (full * nr_pages); ++} ++ + /* + * rb_wake_up_waiters - wake up tasks waiting for ring buffer input + * +@@ -1010,22 +1025,20 @@ int ring_buffer_wait(struct trace_buffer + !ring_buffer_empty_cpu(buffer, cpu)) { + unsigned long flags; + bool pagebusy; +- size_t nr_pages; +- size_t dirty; ++ bool done; + + if (!full) + break; + + raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags); + pagebusy = cpu_buffer->reader_page == cpu_buffer->commit_page; +- nr_pages = cpu_buffer->nr_pages; +- dirty = ring_buffer_nr_dirty_pages(buffer, cpu); ++ done = !pagebusy && full_hit(buffer, cpu, full); ++ + if (!cpu_buffer->shortest_full || + cpu_buffer->shortest_full > full) + cpu_buffer->shortest_full = full; + raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags); +- if (!pagebusy && +- (!nr_pages || (dirty * 100) > full * nr_pages)) ++ if (done) + break; + } + +@@ -1051,6 +1064,7 @@ int ring_buffer_wait(struct trace_buffer + * @cpu: the cpu buffer to wait on + * @filp: the file descriptor + * @poll_table: The poll descriptor ++ * @full: wait until the percentage of pages are available, if @cpu != RING_BUFFER_ALL_CPUS + * + * If @cpu == RING_BUFFER_ALL_CPUS then the task will wake up as soon + * as data is added to any of the @buffer's cpu buffers. Otherwise +@@ -1060,14 +1074,15 @@ int ring_buffer_wait(struct trace_buffer + * zero otherwise. 
+ */ + __poll_t ring_buffer_poll_wait(struct trace_buffer *buffer, int cpu, +- struct file *filp, poll_table *poll_table) ++ struct file *filp, poll_table *poll_table, int full) + { + struct ring_buffer_per_cpu *cpu_buffer; + struct rb_irq_work *work; + +- if (cpu == RING_BUFFER_ALL_CPUS) ++ if (cpu == RING_BUFFER_ALL_CPUS) { + work = &buffer->irq_work; +- else { ++ full = 0; ++ } else { + if (!cpumask_test_cpu(cpu, buffer->cpumask)) + return -EINVAL; + +@@ -1075,8 +1090,14 @@ __poll_t ring_buffer_poll_wait(struct tr + work = &cpu_buffer->irq_work; + } + +- poll_wait(filp, &work->waiters, poll_table); +- work->waiters_pending = true; ++ if (full) { ++ poll_wait(filp, &work->full_waiters, poll_table); ++ work->full_waiters_pending = true; ++ } else { ++ poll_wait(filp, &work->waiters, poll_table); ++ work->waiters_pending = true; ++ } ++ + /* + * There's a tight race between setting the waiters_pending and + * checking if the ring buffer is empty. Once the waiters_pending bit +@@ -1092,6 +1113,9 @@ __poll_t ring_buffer_poll_wait(struct tr + */ + smp_mb(); + ++ if (full) ++ return full_hit(buffer, cpu, full) ? 
EPOLLIN | EPOLLRDNORM : 0; ++ + if ((cpu == RING_BUFFER_ALL_CPUS && !ring_buffer_empty(buffer)) || + (cpu != RING_BUFFER_ALL_CPUS && !ring_buffer_empty_cpu(buffer, cpu))) + return EPOLLIN | EPOLLRDNORM; +@@ -3112,10 +3136,6 @@ static void rb_commit(struct ring_buffer + static __always_inline void + rb_wakeups(struct trace_buffer *buffer, struct ring_buffer_per_cpu *cpu_buffer) + { +- size_t nr_pages; +- size_t dirty; +- size_t full; +- + if (buffer->irq_work.waiters_pending) { + buffer->irq_work.waiters_pending = false; + /* irq_work_queue() supplies it's own memory barriers */ +@@ -3139,10 +3159,7 @@ rb_wakeups(struct trace_buffer *buffer, + + cpu_buffer->last_pages_touch = local_read(&cpu_buffer->pages_touched); + +- full = cpu_buffer->shortest_full; +- nr_pages = cpu_buffer->nr_pages; +- dirty = ring_buffer_nr_dirty_pages(buffer, cpu_buffer->cpu); +- if (full && nr_pages && (dirty * 100) <= full * nr_pages) ++ if (!full_hit(buffer, cpu_buffer->cpu, cpu_buffer->shortest_full)) + return; + + cpu_buffer->irq_work.wakeup_full = true; +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -6655,7 +6655,7 @@ trace_poll(struct trace_iterator *iter, + return EPOLLIN | EPOLLRDNORM; + else + return ring_buffer_poll_wait(iter->array_buffer->buffer, iter->cpu_file, +- filp, poll_table); ++ filp, poll_table, iter->tr->buffer_percent); + } + + static __poll_t -- 2.47.3
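Review bot: ring_buffer_poll_wait()'s new `full` branch never records its threshold in `cpu_buffer->shortest_full`, whereas ring_buffer_wait() earlier in this patch does so under `reader_lock`; since rb_wakeups() only queues a full_waiters wakeup once `full_hit(buffer, cpu, cpu_buffer->shortest_full)` is true, a poller whose `full` is lower than a value left behind by an earlier reader is only woken when that larger percentage is reached, and with shortest_full still 0 every touched page queues a wakeup the poller then throws away. I would set shortest_full in the poll path too, mirroring ring_buffer_wait(), as below. The `full_hit()` check before returning is also done without `reader_lock` and without the `pagebusy` test ring_buffer_wait() applies, which deserves a comment if intentional, and `full_hit()` itself could carry `/* True when more than @full percent of @cpu's pages are dirty; @full == 0 means any data counts */`. `cpu_buffer` is assigned in the per-cpu branch above (partly outside the hunk), and each touched function runs past its hunk.
```c
	if (full) {
		unsigned long flags;

		poll_wait(filp, &work->full_waiters, poll_table);
		work->full_waiters_pending = true;

		/*
		 * Record this waiter's watermark so rb_wakeups() kicks
		 * full_waiters when our percentage is hit, not only a
		 * larger one left behind by an earlier reader.
		 */
		raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags);
		if (!cpu_buffer->shortest_full ||
		    cpu_buffer->shortest_full > full)
			cpu_buffer->shortest_full = full;
		raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags);
	} else {
		/* … unchanged: poll_wait on work->waiters … */
	}
```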