From 5ce34e0814ff8d018b4d7dcb7d5c2e2c587714c8 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 9 Sep 2022 20:38:19 +0200 Subject: [PATCH] 5.19-stable patches added patches: alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch alsa-hda-once-again-fix-regression-of-page-allocations-with-iommu.patch alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch alsa-usb-audio-clear-fixed-clock-rate-at-closing-ep.patch alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch alsa-usb-audio-split-endpoint-setups-for-hw_params-and-prepare.patch btrfs-zoned-fix-api-misuse-of-zone-finish-waiting.patch btrfs-zoned-set-pseudo-max-append-zone-limit-in-zone-emulation-mode.patch kprobes-prohibit-probes-in-gate-area.patch perf-risc-v-fix-access-beyond-allocated-array.patch tracefs-only-clobber-mode-uid-gid-on-remount-if-asked.patch tracing-fix-to-check-event_mutex-is-held-while-accessing-trigger-list.patch tracing-hold-caller_addr-to-hardirq_-enable-disable-_ip.patch vfio-type1-unpin-zero-pages.patch --- ...apture-data-when-using-jiffies-timer.patch | 49 +++++ ...ess-in-snd_emu10k1_pcm_channel_alloc.patch | 66 ++++++ ...ssion-of-page-allocations-with-iommu.patch | 81 ++++++++ ...-pcm-oss-fix-race-at-sndctl_dsp_sync.patch | 51 +++++ ...clear-fixed-clock-rate-at-closing-ep.patch | 50 +++++ ...g-in-__snd_usb_parse_audio_interface.patch | 34 +++ ...int-setups-for-hw_params-and-prepare.patch | 193 ++++++++++++++++++ ...ix-api-misuse-of-zone-finish-waiting.patch | 80 ++++++++ ...nd-zone-limit-in-zone-emulation-mode.patch | 58 ++++++ ...kprobes-prohibit-probes-in-gate-area.patch | 117 +++++++++++ ...-v-fix-access-beyond-allocated-array.patch | 39 ++++ queue-5.19/series | 15 ++ ...ber-mode-uid-gid-on-remount-if-asked.patch | 138 +++++++++++++ ...is-held-while-accessing-trigger-list.patch | 51 +++++ ..._addr-to-hardirq_-enable-disable-_ip.patch | 53 +++++ queue-5.19/vfio-type1-unpin-zero-pages.patch | 53 +++++ 16 files changed, 1128 insertions(+) create mode 100644 queue-5.19/alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch create mode 100644 queue-5.19/alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch create mode 100644 queue-5.19/alsa-hda-once-again-fix-regression-of-page-allocations-with-iommu.patch create mode 100644 queue-5.19/alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch create mode 100644 queue-5.19/alsa-usb-audio-clear-fixed-clock-rate-at-closing-ep.patch create mode 100644 queue-5.19/alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch create mode 100644 queue-5.19/alsa-usb-audio-split-endpoint-setups-for-hw_params-and-prepare.patch create mode 100644 queue-5.19/btrfs-zoned-fix-api-misuse-of-zone-finish-waiting.patch create mode 100644 queue-5.19/btrfs-zoned-set-pseudo-max-append-zone-limit-in-zone-emulation-mode.patch create mode 100644 queue-5.19/kprobes-prohibit-probes-in-gate-area.patch create mode 100644 queue-5.19/perf-risc-v-fix-access-beyond-allocated-array.patch create mode 100644 queue-5.19/tracefs-only-clobber-mode-uid-gid-on-remount-if-asked.patch create mode 100644 queue-5.19/tracing-fix-to-check-event_mutex-is-held-while-accessing-trigger-list.patch create mode 100644 queue-5.19/tracing-hold-caller_addr-to-hardirq_-enable-disable-_ip.patch create mode 100644 queue-5.19/vfio-type1-unpin-zero-pages.patch diff --git a/queue-5.19/alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch b/queue-5.19/alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch new file mode 100644 index 00000000000..1dfcaa24398 --- /dev/null +++ b/queue-5.19/alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch @@ -0,0 +1,49 @@ +From 3e48940abee88b8dbbeeaf8a07e7b2b6be1271b3 Mon Sep 17 00:00:00 2001 +From: Pattara Teerapong +Date: Thu, 1 Sep 2022 14:40:36 +0000 +Subject: ALSA: aloop: Fix random zeros in capture data when using jiffies timer + +From: Pattara Teerapong + +commit 3e48940abee88b8dbbeeaf8a07e7b2b6be1271b3 upstream. + +In loopback_jiffies_timer_pos_update(), we are getting jiffies twice. +First time for playback, second time for capture. Jiffies can be updated +between these two calls and if the capture jiffies is larger, extra zeros +will be filled in the capture buffer. + +Change to get jiffies once and use it for both playback and capture. + +Signed-off-by: Pattara Teerapong +Cc: +Link: https://lore.kernel.org/r/20220901144036.4049060-1-pteerapong@chromium.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/drivers/aloop.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/sound/drivers/aloop.c ++++ b/sound/drivers/aloop.c +@@ -605,17 +605,18 @@ static unsigned int loopback_jiffies_tim + cable->streams[SNDRV_PCM_STREAM_PLAYBACK]; + struct loopback_pcm *dpcm_capt = + cable->streams[SNDRV_PCM_STREAM_CAPTURE]; +- unsigned long delta_play = 0, delta_capt = 0; ++ unsigned long delta_play = 0, delta_capt = 0, cur_jiffies; + unsigned int running, count1, count2; + ++ cur_jiffies = jiffies; + running = cable->running ^ cable->pause; + if (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) { +- delta_play = jiffies - dpcm_play->last_jiffies; ++ delta_play = cur_jiffies - dpcm_play->last_jiffies; + dpcm_play->last_jiffies += delta_play; + } + + if (running & (1 << SNDRV_PCM_STREAM_CAPTURE)) { +- delta_capt = jiffies - dpcm_capt->last_jiffies; ++ delta_capt = cur_jiffies - dpcm_capt->last_jiffies; + dpcm_capt->last_jiffies += delta_capt; + } + diff --git a/queue-5.19/alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch b/queue-5.19/alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch new file mode 100644 index 00000000000..7e54326b384 --- /dev/null +++ b/queue-5.19/alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch @@ -0,0 +1,66 @@ +From d29f59051d3a07b81281b2df2b8c9dfe4716067f Mon Sep 17 00:00:00 2001 +From: Tasos Sahanidis +Date: Wed, 7 Sep 2022 04:18:00 +0300 +Subject: ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() + +From: Tasos Sahanidis + +commit d29f59051d3a07b81281b2df2b8c9dfe4716067f upstream. + +The voice allocator sometimes begins allocating from near the end of the +array and then wraps around, however snd_emu10k1_pcm_channel_alloc() +accesses the newly allocated voices as if it never wrapped around. + +This results in out of bounds access if the first voice has a high enough +index so that first_voice + requested_voice_count > NUM_G (64). +The more voices are requested, the more likely it is for this to occur. + +This was initially discovered using PipeWire, however it can be reproduced +by calling aplay multiple times with 16 channels: +aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero + +UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40 +index 65 is out of range for type 'snd_emu10k1_voice [64]' +CPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7 +Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010 +Call Trace: + +dump_stack_lvl+0x49/0x63 +dump_stack+0x10/0x16 +ubsan_epilogue+0x9/0x3f +__ubsan_handle_out_of_bounds.cold+0x44/0x49 +snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1] +snd_pcm_hw_params+0x29f/0x600 [snd_pcm] +snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm] +? exit_to_user_mode_prepare+0x35/0x170 +? do_syscall_64+0x69/0x90 +? syscall_exit_to_user_mode+0x26/0x50 +? do_syscall_64+0x69/0x90 +? exit_to_user_mode_prepare+0x35/0x170 +snd_pcm_ioctl+0x27/0x40 [snd_pcm] +__x64_sys_ioctl+0x95/0xd0 +do_syscall_64+0x5c/0x90 +? do_syscall_64+0x69/0x90 +? do_syscall_64+0x69/0x90 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Signed-off-by: Tasos Sahanidis +Cc: +Link: https://lore.kernel.org/r/3707dcab-320a-62ff-63c0-73fc201ef756@tasossah.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/emu10k1/emupcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/emu10k1/emupcm.c ++++ b/sound/pci/emu10k1/emupcm.c +@@ -124,7 +124,7 @@ static int snd_emu10k1_pcm_channel_alloc + epcm->voices[0]->epcm = epcm; + if (voices > 1) { + for (i = 1; i < voices; i++) { +- epcm->voices[i] = &epcm->emu->voices[epcm->voices[0]->number + i]; ++ epcm->voices[i] = &epcm->emu->voices[(epcm->voices[0]->number + i) % NUM_G]; + epcm->voices[i]->epcm = epcm; + } + } diff --git a/queue-5.19/alsa-hda-once-again-fix-regression-of-page-allocations-with-iommu.patch b/queue-5.19/alsa-hda-once-again-fix-regression-of-page-allocations-with-iommu.patch new file mode 100644 index 00000000000..9dc8327887f --- /dev/null +++ b/queue-5.19/alsa-hda-once-again-fix-regression-of-page-allocations-with-iommu.patch @@ -0,0 +1,81 @@ +From 37137ec26c2c03039d8064c00f6eae176841ee0d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 6 Sep 2022 11:03:19 +0200 +Subject: ALSA: hda: Once again fix regression of page allocations with IOMMU + +From: Takashi Iwai + +commit 37137ec26c2c03039d8064c00f6eae176841ee0d upstream. + +The last fix for trying to recover the regression on AMD platforms, +unfortunately, leaded to yet another regression: it turned out that +IOMMUs don't like the usage of raw page allocations. + +This is yet another attempt for addressing the log saga; at this time, +we re-use the existing buffer allocation mechanism with SG-pages +although we require only single pages. The SG buffer allocation +itself was confirmed to work for stream buffers, so it's relatively +easy to adapt for other places. + +The only problem is: although the HD-audio code is accessing the +address directly via dmab->address field, SG-pages don't set up it. +For the ease of adaption, we now set up the dmab->addr field from the +address of the first page as default, so that it can run with the +HD-audio driver code as-is without the excessive call of +snd_sgbuf_get_addr() multiple times; that's the only change in the +memalloc helper side. The rest is nothing but a flip of the dma_type +field in the HD-audio side. + +Fixes: a8d302a0b770 ("ALSA: memalloc: Revive x86-specific WC page allocations again") +Reported-by: Mikhail Gavrilov +Tested-by: Mikhail Gavrilov +Cc: +Link: https://lore.kernel.org/r/CABXGCsO+kB2t5QyHY-rUe76npr1m0-5JOtt8g8SiHUo34ur7Ww@mail.gmail.com +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216112 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216363 +Link: https://lore.kernel.org/r/20220906090319.23358-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/memalloc.c | 9 +++++++-- + sound/pci/hda/hda_intel.c | 2 +- + 2 files changed, 8 insertions(+), 3 deletions(-) + +--- a/sound/core/memalloc.c ++++ b/sound/core/memalloc.c +@@ -535,10 +535,13 @@ static void *snd_dma_noncontig_alloc(str + dmab->dev.need_sync = dma_need_sync(dmab->dev.dev, + sg_dma_address(sgt->sgl)); + p = dma_vmap_noncontiguous(dmab->dev.dev, size, sgt); +- if (p) ++ if (p) { + dmab->private_data = sgt; +- else ++ /* store the first page address for convenience */ ++ dmab->addr = snd_sgbuf_get_addr(dmab, 0); ++ } else { + dma_free_noncontiguous(dmab->dev.dev, size, sgt, dmab->dev.dir); ++ } + return p; + } + +@@ -772,6 +775,8 @@ static void *snd_dma_sg_fallback_alloc(s + if (!p) + goto error; + dmab->private_data = sgbuf; ++ /* store the first page address for convenience */ ++ dmab->addr = snd_sgbuf_get_addr(dmab, 0); + return p; + + error: +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -1817,7 +1817,7 @@ static int azx_create(struct snd_card *c + + /* use the non-cached pages in non-snoop mode */ + if (!azx_snoop(chip)) +- azx_bus(chip)->dma_type = SNDRV_DMA_TYPE_DEV_WC; ++ azx_bus(chip)->dma_type = SNDRV_DMA_TYPE_DEV_WC_SG; + + if (chip->driver_type == AZX_DRIVER_NVIDIA) { + dev_dbg(chip->card->dev, "Enable delay in RIRB handling\n"); diff --git a/queue-5.19/alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch b/queue-5.19/alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch new file mode 100644 index 00000000000..19481263d3d --- /dev/null +++ b/queue-5.19/alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch @@ -0,0 +1,51 @@ +From 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 5 Sep 2022 08:07:14 +0200 +Subject: ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC + +From: Takashi Iwai + +commit 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d upstream. + +There is a small race window at snd_pcm_oss_sync() that is called from +OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls +snd_pcm_oss_make_ready() at first, then takes the params_lock mutex +for the rest. When the stream is set up again by another thread +between them, it leads to inconsistency, and may result in unexpected +results such as NULL dereference of OSS buffer as a fuzzer spotted +recently. + +The fix is simply to cover snd_pcm_oss_make_ready() call into the same +params_lock mutex with snd_pcm_oss_make_ready_locked() variant. + +Reported-and-tested-by: butt3rflyh4ck +Reviewed-by: Jaroslav Kysela +Cc: +Link: https://lore.kernel.org/r/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com +Link: https://lore.kernel.org/r/20220905060714.22549-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/oss/pcm_oss.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -1672,14 +1672,14 @@ static int snd_pcm_oss_sync(struct snd_p + runtime = substream->runtime; + if (atomic_read(&substream->mmap_count)) + goto __direct; +- err = snd_pcm_oss_make_ready(substream); +- if (err < 0) +- return err; + atomic_inc(&runtime->oss.rw_ref); + if (mutex_lock_interruptible(&runtime->oss.params_lock)) { + atomic_dec(&runtime->oss.rw_ref); + return -ERESTARTSYS; + } ++ err = snd_pcm_oss_make_ready_locked(substream); ++ if (err < 0) ++ goto unlock; + format = snd_pcm_oss_format_from(runtime->oss.format); + width = snd_pcm_format_physical_width(format); + if (runtime->oss.buffer_used > 0) { diff --git a/queue-5.19/alsa-usb-audio-clear-fixed-clock-rate-at-closing-ep.patch b/queue-5.19/alsa-usb-audio-clear-fixed-clock-rate-at-closing-ep.patch new file mode 100644 index 00000000000..6e411b663ce --- /dev/null +++ b/queue-5.19/alsa-usb-audio-clear-fixed-clock-rate-at-closing-ep.patch @@ -0,0 +1,50 @@ +From 809f44a0cc5ad4b1209467a6287f8ac0eb49d393 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 7 Sep 2022 12:04:21 +0200 +Subject: ALSA: usb-audio: Clear fixed clock rate at closing EP + +From: Takashi Iwai + +commit 809f44a0cc5ad4b1209467a6287f8ac0eb49d393 upstream. + +The recent commit c11117b634f4 ("ALSA: usb-audio: Refcount multiple +accesses on the single clock") tries to manage the clock rate shared +by several endpoints. This was intended for avoiding the unmatched +rate by a different endpoint, but unfortunately, it introduced a +regression for PulseAudio and pipewire, too; those applications try to +probe the multiple possible rates (44.1k and 48kHz) and setting up the +normal rate fails but only the last rate is applied. + +The cause is that the last sample rate is still left to the clock +reference even after closing the endpoint, and this value is still +used at the next open. It happens only when applications set up via +PCM prepare but don't start/stop the stream; the rate is reset when +the stream is stopped, but it's not cleared at close. + +This patch addresses the issue above, simply by clearing the rate set +in the clock reference at the last close of each endpoint. + +Fixes: c11117b634f4 ("ALSA: usb-audio: Refcount multiple accesses on the single clock") +Reported-by: Jason A. Donenfeld +Tested-by: Jason A. Donenfeld +Cc: +Link: https://lore.kernel.org/all/YxXIWv8dYmg1tnXP@zx2c4.com/ +Link: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/2620 +Link: https://lore.kernel.org/r/20220907100421.6443-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/endpoint.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -925,6 +925,8 @@ void snd_usb_endpoint_close(struct snd_u + endpoint_set_interface(chip, ep, false); + + if (!--ep->opened) { ++ if (ep->clock_ref && !atomic_read(&ep->clock_ref->locked)) ++ ep->clock_ref->rate = 0; + ep->iface = 0; + ep->altsetting = 0; + ep->cur_audiofmt = NULL; diff --git a/queue-5.19/alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch b/queue-5.19/alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch new file mode 100644 index 00000000000..2dbc7daf43e --- /dev/null +++ b/queue-5.19/alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch @@ -0,0 +1,34 @@ +From e53f47f6c1a56d2af728909f1cb894da6b43d9bf Mon Sep 17 00:00:00 2001 +From: Dongxiang Ke +Date: Tue, 6 Sep 2022 10:49:28 +0800 +Subject: ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() + +From: Dongxiang Ke + +commit e53f47f6c1a56d2af728909f1cb894da6b43d9bf upstream. + +There may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and +the number of it's interfaces less than 4, an out-of-bounds read bug occurs +when parsing the interface descriptor for this device. + +Fix this by checking the number of interfaces. + +Signed-off-by: Dongxiang Ke +Link: https://lore.kernel.org/r/20220906024928.10951-1-kdx.glider@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/stream.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -1105,7 +1105,7 @@ static int __snd_usb_parse_audio_interfa + * Dallas DS4201 workaround: It presents 5 altsettings, but the last + * one misses syncpipe, and does not produce any sound. + */ +- if (chip->usb_id == USB_ID(0x04fa, 0x4201)) ++ if (chip->usb_id == USB_ID(0x04fa, 0x4201) && num >= 4) + num = 4; + + for (i = 0; i < num; i++) { diff --git a/queue-5.19/alsa-usb-audio-split-endpoint-setups-for-hw_params-and-prepare.patch b/queue-5.19/alsa-usb-audio-split-endpoint-setups-for-hw_params-and-prepare.patch new file mode 100644 index 00000000000..b7007fc7f43 --- /dev/null +++ b/queue-5.19/alsa-usb-audio-split-endpoint-setups-for-hw_params-and-prepare.patch @@ -0,0 +1,193 @@ +From ff878b408a03bef5d610b7e2302702e16a53636e Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 1 Sep 2022 14:41:36 +0200 +Subject: ALSA: usb-audio: Split endpoint setups for hw_params and prepare + +From: Takashi Iwai + +commit ff878b408a03bef5d610b7e2302702e16a53636e upstream. + +One of the former changes for the endpoint management was the more +consistent setup of endpoints at hw_params. +snd_usb_endpoint_configure() is a single function that does the full +setup, and it's called from both PCM hw_params and prepare callbacks. +Although the EP setup at the prepare phase is usually skipped (by +checking need_setup flag), it may be still effective in some cases +like suspend/resume that requires the interface setup again. + +As it's a full and single setup, the invocation of +snd_usb_endpoint_configure() includes not only the USB interface setup +but also the buffer release and allocation. OTOH, doing the buffer +release and re-allocation at PCM prepare phase is rather superfluous, +and better to be done only in the hw_params phase. + +For those optimizations, this patch splits the endpoint setup to two +phases: snd_usb_endpoint_set_params() and snd_usb_endpoint_prepare(), +to be called from hw_params and from prepare, respectively. + +Note that this patch changes the driver operation slightly, +effectively moving the USB interface setup again to PCM prepare stage +instead of hw_params stage, while the buffer allocation and such +initializations are still done at hw_params stage. + +And, the change of the USB interface setup timing (moving to prepare) +gave an interesting "fix", too: it was reported that the recent +kernels caused silent output at the beginning on playbacks on some +devices on Android, and this change casually fixed the regression. +It seems that those devices are picky about the sample rate change (or +the interface change?), and don't follow the too immediate rate +changes. + +Meanwhile, Android operates the PCM in the following order: +- open, then hw_params with the possibly highest sample rate +- close without prepare +- re-open, hw_params with the normal sample rate +- prepare, and start streaming +This procedure ended up the hw_params twice with different rates, and +because the recent kernel did set up the sample rate twice one and +after, it screwed up the device. OTOH, the earlier kernels didn't set +up the USB interface at hw_params, hence this problem didn't appear. + +Now, with this patch, the USB interface setup is again back to the +prepare phase, and it works around the problem automagically. +Although we should address the sample rate problem in a more solid +way in future, let's keep things working as before for now. + +Fixes: bf6313a0ff76 ("ALSA: usb-audio: Refactor endpoint management") +Cc: +Reported-by: chihhao chen +Link: https://lore.kernel.org/r/87e6d6ae69d68dc588ac9acc8c0f24d6188375c3.camel@mediatek.com +Link: https://lore.kernel.org/r/20220901124136.4984-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/endpoint.c | 23 +++++++++-------------- + sound/usb/endpoint.h | 6 ++++-- + sound/usb/pcm.c | 14 ++++++++++---- + 3 files changed, 23 insertions(+), 20 deletions(-) + +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -758,7 +758,8 @@ bool snd_usb_endpoint_compatible(struct + * The endpoint needs to be closed via snd_usb_endpoint_close() later. + * + * Note that this function doesn't configure the endpoint. The substream +- * needs to set it up later via snd_usb_endpoint_configure(). ++ * needs to set it up later via snd_usb_endpoint_set_params() and ++ * snd_usb_endpoint_prepare(). + */ + struct snd_usb_endpoint * + snd_usb_endpoint_open(struct snd_usb_audio *chip, +@@ -1290,12 +1291,13 @@ out_of_memory: + /* + * snd_usb_endpoint_set_params: configure an snd_usb_endpoint + * ++ * It's called either from hw_params callback. + * Determine the number of URBs to be used on this endpoint. + * An endpoint must be configured before it can be started. + * An endpoint that is already running can not be reconfigured. + */ +-static int snd_usb_endpoint_set_params(struct snd_usb_audio *chip, +- struct snd_usb_endpoint *ep) ++int snd_usb_endpoint_set_params(struct snd_usb_audio *chip, ++ struct snd_usb_endpoint *ep) + { + const struct audioformat *fmt = ep->cur_audiofmt; + int err; +@@ -1378,18 +1380,18 @@ static int init_sample_rate(struct snd_u + } + + /* +- * snd_usb_endpoint_configure: Configure the endpoint ++ * snd_usb_endpoint_prepare: Prepare the endpoint + * + * This function sets up the EP to be fully usable state. +- * It's called either from hw_params or prepare callback. ++ * It's called either from prepare callback. + * The function checks need_setup flag, and performs nothing unless needed, + * so it's safe to call this multiple times. + * + * This returns zero if unchanged, 1 if the configuration has changed, + * or a negative error code. + */ +-int snd_usb_endpoint_configure(struct snd_usb_audio *chip, +- struct snd_usb_endpoint *ep) ++int snd_usb_endpoint_prepare(struct snd_usb_audio *chip, ++ struct snd_usb_endpoint *ep) + { + bool iface_first; + int err = 0; +@@ -1410,9 +1412,6 @@ int snd_usb_endpoint_configure(struct sn + if (err < 0) + goto unlock; + } +- err = snd_usb_endpoint_set_params(chip, ep); +- if (err < 0) +- goto unlock; + goto done; + } + +@@ -1440,10 +1439,6 @@ int snd_usb_endpoint_configure(struct sn + if (err < 0) + goto unlock; + +- err = snd_usb_endpoint_set_params(chip, ep); +- if (err < 0) +- goto unlock; +- + err = snd_usb_select_mode_quirk(chip, ep->cur_audiofmt); + if (err < 0) + goto unlock; +--- a/sound/usb/endpoint.h ++++ b/sound/usb/endpoint.h +@@ -17,8 +17,10 @@ snd_usb_endpoint_open(struct snd_usb_aud + bool is_sync_ep); + void snd_usb_endpoint_close(struct snd_usb_audio *chip, + struct snd_usb_endpoint *ep); +-int snd_usb_endpoint_configure(struct snd_usb_audio *chip, +- struct snd_usb_endpoint *ep); ++int snd_usb_endpoint_set_params(struct snd_usb_audio *chip, ++ struct snd_usb_endpoint *ep); ++int snd_usb_endpoint_prepare(struct snd_usb_audio *chip, ++ struct snd_usb_endpoint *ep); + int snd_usb_endpoint_get_clock_rate(struct snd_usb_audio *chip, int clock); + + bool snd_usb_endpoint_compatible(struct snd_usb_audio *chip, +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -443,17 +443,17 @@ static int configure_endpoints(struct sn + if (stop_endpoints(subs, false)) + sync_pending_stops(subs); + if (subs->sync_endpoint) { +- err = snd_usb_endpoint_configure(chip, subs->sync_endpoint); ++ err = snd_usb_endpoint_prepare(chip, subs->sync_endpoint); + if (err < 0) + return err; + } +- err = snd_usb_endpoint_configure(chip, subs->data_endpoint); ++ err = snd_usb_endpoint_prepare(chip, subs->data_endpoint); + if (err < 0) + return err; + snd_usb_set_format_quirk(subs, subs->cur_audiofmt); + } else { + if (subs->sync_endpoint) { +- err = snd_usb_endpoint_configure(chip, subs->sync_endpoint); ++ err = snd_usb_endpoint_prepare(chip, subs->sync_endpoint); + if (err < 0) + return err; + } +@@ -551,7 +551,13 @@ static int snd_usb_hw_params(struct snd_ + subs->cur_audiofmt = fmt; + mutex_unlock(&chip->mutex); + +- ret = configure_endpoints(chip, subs); ++ if (subs->sync_endpoint) { ++ ret = snd_usb_endpoint_set_params(chip, subs->sync_endpoint); ++ if (ret < 0) ++ goto unlock; ++ } ++ ++ ret = snd_usb_endpoint_set_params(chip, subs->data_endpoint); + + unlock: + if (ret < 0) diff --git a/queue-5.19/btrfs-zoned-fix-api-misuse-of-zone-finish-waiting.patch b/queue-5.19/btrfs-zoned-fix-api-misuse-of-zone-finish-waiting.patch new file mode 100644 index 00000000000..d0a22aec971 --- /dev/null +++ b/queue-5.19/btrfs-zoned-fix-api-misuse-of-zone-finish-waiting.patch @@ -0,0 +1,80 @@ +From d5b81ced74afded85619ffbbe9c32ba9d82c9b1e Mon Sep 17 00:00:00 2001 +From: Naohiro Aota +Date: Wed, 31 Aug 2022 13:55:48 +0900 +Subject: btrfs: zoned: fix API misuse of zone finish waiting + +From: Naohiro Aota + +commit d5b81ced74afded85619ffbbe9c32ba9d82c9b1e upstream. + +The commit 2ce543f47843 ("btrfs: zoned: wait until zone is finished when +allocation didn't progress") implemented a zone finish waiting mechanism +to the write path of zoned mode. However, using +wait_var_event()/wake_up_all() on fs_info->zone_finish_wait is wrong and +wait_var_event() just hangs because no one ever wakes it up once it goes +into sleep. + +Instead, we can simply use wait_on_bit_io() and clear_and_wake_up_bit() +on fs_info->flags with a proper barrier installed. + +Fixes: 2ce543f47843 ("btrfs: zoned: wait until zone is finished when allocation didn't progress") +CC: stable@vger.kernel.org # 5.16+ +Signed-off-by: Naohiro Aota +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ctree.h | 2 -- + fs/btrfs/disk-io.c | 1 - + fs/btrfs/inode.c | 7 +++---- + fs/btrfs/zoned.c | 3 +-- + 4 files changed, 4 insertions(+), 9 deletions(-) + +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -1065,8 +1065,6 @@ struct btrfs_fs_info { + + spinlock_t zone_active_bgs_lock; + struct list_head zone_active_bgs; +- /* Waiters when BTRFS_FS_NEED_ZONE_FINISH is set */ +- wait_queue_head_t zone_finish_wait; + + #ifdef CONFIG_BTRFS_FS_REF_VERIFY + spinlock_t ref_verify_lock; +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -3173,7 +3173,6 @@ void btrfs_init_fs_info(struct btrfs_fs_ + init_waitqueue_head(&fs_info->transaction_blocked_wait); + init_waitqueue_head(&fs_info->async_submit_wait); + init_waitqueue_head(&fs_info->delayed_iputs_wait); +- init_waitqueue_head(&fs_info->zone_finish_wait); + + /* Usable values until the real ones are cached from the superblock */ + fs_info->nodesize = 4096; +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -1643,10 +1643,9 @@ static noinline int run_delalloc_zoned(s + done_offset = end; + + if (done_offset == start) { +- struct btrfs_fs_info *info = inode->root->fs_info; +- +- wait_var_event(&info->zone_finish_wait, +- !test_bit(BTRFS_FS_NEED_ZONE_FINISH, &info->flags)); ++ wait_on_bit_io(&inode->root->fs_info->flags, ++ BTRFS_FS_NEED_ZONE_FINISH, ++ TASK_UNINTERRUPTIBLE); + continue; + } + +--- a/fs/btrfs/zoned.c ++++ b/fs/btrfs/zoned.c +@@ -2016,8 +2016,7 @@ static int do_zone_finish(struct btrfs_b + /* For active_bg_list */ + btrfs_put_block_group(block_group); + +- clear_bit(BTRFS_FS_NEED_ZONE_FINISH, &fs_info->flags); +- wake_up_all(&fs_info->zone_finish_wait); ++ clear_and_wake_up_bit(BTRFS_FS_NEED_ZONE_FINISH, &fs_info->flags); + + return 0; + } diff --git a/queue-5.19/btrfs-zoned-set-pseudo-max-append-zone-limit-in-zone-emulation-mode.patch b/queue-5.19/btrfs-zoned-set-pseudo-max-append-zone-limit-in-zone-emulation-mode.patch new file mode 100644 index 00000000000..2477212ccf6 --- /dev/null +++ b/queue-5.19/btrfs-zoned-set-pseudo-max-append-zone-limit-in-zone-emulation-mode.patch @@ -0,0 +1,58 @@ +From cac5c44c48c9fb9cc31bea15ebd9ef0c6462314f Mon Sep 17 00:00:00 2001 +From: Shin'ichiro Kawasaki +Date: Fri, 26 Aug 2022 16:42:15 +0900 +Subject: btrfs: zoned: set pseudo max append zone limit in zone emulation mode + +From: Shin'ichiro Kawasaki + +commit cac5c44c48c9fb9cc31bea15ebd9ef0c6462314f upstream. + +The commit 7d7672bc5d10 ("btrfs: convert count_max_extents() to use +fs_info->max_extent_size") introduced a division by +fs_info->max_extent_size. This max_extent_size is initialized with max +zone append limit size of the device btrfs runs on. However, in zone +emulation mode, the device is not zoned then its zone append limit is +zero. This resulted in zero value of fs_info->max_extent_size and caused +zero division error. + +Fix the error by setting non-zero pseudo value to max append zone limit +in zone emulation mode. Set the pseudo value based on max_segments as +suggested in the commit c2ae7b772ef4 ("btrfs: zoned: revive +max_zone_append_bytes"). + +Fixes: 7d7672bc5d10 ("btrfs: convert count_max_extents() to use fs_info->max_extent_size") +CC: stable@vger.kernel.org # 5.12+ +Reviewed-by: Johannes Thumshirn +Reviewed-by: Naohiro Aota +Signed-off-by: Shin'ichiro Kawasaki +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/zoned.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/zoned.c ++++ b/fs/btrfs/zoned.c +@@ -421,10 +421,19 @@ int btrfs_get_dev_zone_info(struct btrfs + * since btrfs adds the pages one by one to a bio, and btrfs cannot + * increase the metadata reservation even if it increases the number of + * extents, it is safe to stick with the limit. ++ * ++ * With the zoned emulation, we can have non-zoned device on the zoned ++ * mode. In this case, we don't have a valid max zone append size. So, ++ * use max_segments * PAGE_SIZE as the pseudo max_zone_append_size. + */ +- zone_info->max_zone_append_size = +- min_t(u64, (u64)bdev_max_zone_append_sectors(bdev) << SECTOR_SHIFT, +- (u64)bdev_max_segments(bdev) << PAGE_SHIFT); ++ if (bdev_is_zoned(bdev)) { ++ zone_info->max_zone_append_size = min_t(u64, ++ (u64)bdev_max_zone_append_sectors(bdev) << SECTOR_SHIFT, ++ (u64)bdev_max_segments(bdev) << PAGE_SHIFT); ++ } else { ++ zone_info->max_zone_append_size = ++ (u64)bdev_max_segments(bdev) << PAGE_SHIFT; ++ } + if (!IS_ALIGNED(nr_sectors, zone_sectors)) + zone_info->nr_zones++; + diff --git a/queue-5.19/kprobes-prohibit-probes-in-gate-area.patch b/queue-5.19/kprobes-prohibit-probes-in-gate-area.patch new file mode 100644 index 00000000000..366d87622db --- /dev/null +++ b/queue-5.19/kprobes-prohibit-probes-in-gate-area.patch @@ -0,0 +1,117 @@ +From 1efda38d6f9ba26ac88b359c6277f1172db03f1e Mon Sep 17 00:00:00 2001 +From: "Christian A. Ehrhardt" +Date: Wed, 7 Sep 2022 22:09:17 +0200 +Subject: kprobes: Prohibit probes in gate area + +From: Christian A. Ehrhardt + +commit 1efda38d6f9ba26ac88b359c6277f1172db03f1e upstream. + +The system call gate area counts as kernel text but trying +to install a kprobe in this area fails with an Oops later on. +To fix this explicitly disallow the gate area for kprobes. + +Found by syzkaller with the following reproducer: +perf_event_open$cgroup(&(0x7f00000001c0)={0x6, 0x80, 0x0, 0x0, 0x0, 0x0, 0x80ffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext={0x0, 0xffffffffff600000}}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) + +Sample report: +BUG: unable to handle page fault for address: fffffbfff3ac6000 +PGD 6dfcb067 P4D 6dfcb067 PUD 6df8f067 PMD 6de4d067 PTE 0 +Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI +CPU: 0 PID: 21978 Comm: syz-executor.2 Not tainted 6.0.0-rc3-00363-g7726d4c3e60b-dirty #6 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:__insn_get_emulate_prefix arch/x86/lib/insn.c:91 [inline] +RIP: 0010:insn_get_emulate_prefix arch/x86/lib/insn.c:106 [inline] +RIP: 0010:insn_get_prefixes.part.0+0xa8/0x1110 arch/x86/lib/insn.c:134 +Code: 49 be 00 00 00 00 00 fc ff df 48 8b 40 60 48 89 44 24 08 e9 81 00 00 00 e8 e5 4b 39 ff 4c 89 fa 4c 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 32 38 ca 7f 08 84 d2 0f 85 06 10 00 00 48 89 d8 48 89 +RSP: 0018:ffffc900088bf860 EFLAGS: 00010246 +RAX: 0000000000040000 RBX: ffffffff9b9bebc0 RCX: 0000000000000000 +RDX: 1ffffffff3ac6000 RSI: ffffc90002d82000 RDI: ffffc900088bf9e8 +RBP: ffffffff9d630001 R08: 0000000000000000 R09: ffffc900088bf9e8 +R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001 +R13: ffffffff9d630000 R14: dffffc0000000000 R15: ffffffff9d630000 +FS: 00007f63eef63640(0000) GS:ffff88806d000000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: fffffbfff3ac6000 CR3: 0000000029d90005 CR4: 0000000000770ef0 +PKRU: 55555554 +Call Trace: + + insn_get_prefixes arch/x86/lib/insn.c:131 [inline] + insn_get_opcode arch/x86/lib/insn.c:272 [inline] + insn_get_modrm+0x64a/0x7b0 arch/x86/lib/insn.c:343 + insn_get_sib+0x29a/0x330 arch/x86/lib/insn.c:421 + insn_get_displacement+0x350/0x6b0 arch/x86/lib/insn.c:464 + insn_get_immediate arch/x86/lib/insn.c:632 [inline] + insn_get_length arch/x86/lib/insn.c:707 [inline] + insn_decode+0x43a/0x490 arch/x86/lib/insn.c:747 + can_probe+0xfc/0x1d0 arch/x86/kernel/kprobes/core.c:282 + arch_prepare_kprobe+0x79/0x1c0 arch/x86/kernel/kprobes/core.c:739 + prepare_kprobe kernel/kprobes.c:1160 [inline] + register_kprobe kernel/kprobes.c:1641 [inline] + register_kprobe+0xb6e/0x1690 kernel/kprobes.c:1603 + __register_trace_kprobe kernel/trace/trace_kprobe.c:509 [inline] + __register_trace_kprobe+0x26a/0x2d0 kernel/trace/trace_kprobe.c:477 + create_local_trace_kprobe+0x1f7/0x350 kernel/trace/trace_kprobe.c:1833 + perf_kprobe_init+0x18c/0x280 kernel/trace/trace_event_perf.c:271 + perf_kprobe_event_init+0xf8/0x1c0 kernel/events/core.c:9888 + perf_try_init_event+0x12d/0x570 kernel/events/core.c:11261 + perf_init_event kernel/events/core.c:11325 [inline] + perf_event_alloc.part.0+0xf7f/0x36a0 kernel/events/core.c:11619 + perf_event_alloc kernel/events/core.c:12059 [inline] + __do_sys_perf_event_open+0x4a8/0x2a00 kernel/events/core.c:12157 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f63ef7efaed +Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f63eef63028 EFLAGS: 00000246 ORIG_RAX: 000000000000012a +RAX: ffffffffffffffda RBX: 00007f63ef90ff80 RCX: 00007f63ef7efaed +RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 00000000200001c0 +RBP: 00007f63ef86019c R08: 0000000000000000 R09: 0000000000000000 +R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000002 R14: 00007f63ef90ff80 R15: 00007f63eef43000 + +Modules linked in: +CR2: fffffbfff3ac6000 +---[ end trace 0000000000000000 ]--- +RIP: 0010:__insn_get_emulate_prefix arch/x86/lib/insn.c:91 [inline] +RIP: 0010:insn_get_emulate_prefix arch/x86/lib/insn.c:106 [inline] +RIP: 0010:insn_get_prefixes.part.0+0xa8/0x1110 arch/x86/lib/insn.c:134 +Code: 49 be 00 00 00 00 00 fc ff df 48 8b 40 60 48 89 44 24 08 e9 81 00 00 00 e8 e5 4b 39 ff 4c 89 fa 4c 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 32 38 ca 7f 08 84 d2 0f 85 06 10 00 00 48 89 d8 48 89 +RSP: 0018:ffffc900088bf860 EFLAGS: 00010246 +RAX: 0000000000040000 RBX: ffffffff9b9bebc0 RCX: 0000000000000000 +RDX: 1ffffffff3ac6000 RSI: ffffc90002d82000 RDI: ffffc900088bf9e8 +RBP: ffffffff9d630001 R08: 0000000000000000 R09: ffffc900088bf9e8 +R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001 +R13: ffffffff9d630000 R14: dffffc0000000000 R15: ffffffff9d630000 +FS: 00007f63eef63640(0000) GS:ffff88806d000000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: fffffbfff3ac6000 CR3: 0000000029d90005 CR4: 0000000000770ef0 +PKRU: 55555554 +================================================================== + +Link: https://lkml.kernel.org/r/20220907200917.654103-1-lk@c--e.de + +cc: "Naveen N. Rao" +cc: Anil S Keshavamurthy +cc: "David S. Miller" +Cc: stable@vger.kernel.org +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Christian A. Ehrhardt +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kprobes.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -1562,6 +1562,7 @@ static int check_kprobe_address_safe(str + /* Ensure it is not in reserved area nor out of text */ + if (!(core_kernel_text((unsigned long) p->addr) || + is_module_text_address((unsigned long) p->addr)) || ++ in_gate_area_no_mm((unsigned long) p->addr) || + within_kprobe_blacklist((unsigned long) p->addr) || + jump_label_text_reserved(p->addr, p->addr) || + static_call_text_reserved(p->addr, p->addr) || diff --git a/queue-5.19/perf-risc-v-fix-access-beyond-allocated-array.patch b/queue-5.19/perf-risc-v-fix-access-beyond-allocated-array.patch new file mode 100644 index 00000000000..9ec8296166a --- /dev/null +++ b/queue-5.19/perf-risc-v-fix-access-beyond-allocated-array.patch @@ -0,0 +1,39 @@ +From 20e0fbab16003ae23a9e86a64bcb93e3121587ca Mon Sep 17 00:00:00 2001 +From: Sergey Matyukevich +Date: Tue, 30 Aug 2022 18:53:04 +0300 +Subject: perf: RISC-V: fix access beyond allocated array + +From: Sergey Matyukevich + +commit 20e0fbab16003ae23a9e86a64bcb93e3121587ca upstream. + +SBI firmware should report total number of firmware and hardware counters +including unused ones or special ones. In this case the kernel doesn't need +to make any assumptions about gaps in reported counters, e.g. excluded timer +counter. That was fixed in OpenSBI v1.1 by commit 3f66465fb6bf ("lib: pmu: +allow to use the highest available counter"). This kernel patch has no effect +if SBI firmware behaves correctly. However it eliminates access beyond the +allocated pmu_ctr_list if the kernel is used with OpenSBI older than v1.1. + +Fixes: e9991434596f ("RISC-V: Add perf platform driver based on SBI PMU extension") +Signed-off-by: Sergey Matyukevich +Reviewed-by: Atish Patra +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220830155306.301714-2-geomatsi@gmail.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + drivers/perf/riscv_pmu_sbi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/perf/riscv_pmu_sbi.c ++++ b/drivers/perf/riscv_pmu_sbi.c +@@ -467,7 +467,7 @@ static int pmu_sbi_get_ctrinfo(int nctr) + if (!pmu_ctr_list) + return -ENOMEM; + +- for (i = 0; i <= nctr; i++) { ++ for (i = 0; i < nctr; i++) { + ret = sbi_ecall(SBI_EXT_PMU, SBI_EXT_PMU_COUNTER_GET_INFO, i, 0, 0, 0, 0, 0); + if (ret.error) + /* The logical counter ids are not expected to be contiguous */ diff --git a/queue-5.19/series b/queue-5.19/series index 19d05f034e9..6e629176284 100644 --- a/queue-5.19/series +++ b/queue-5.19/series @@ -32,3 +32,18 @@ fbdev-chipsfb-add-missing-pci_disable_device-in-chip.patch x86-sev-mark-snp_abort-noreturn.patch drm-amdgpu-add-sdma-instance-check-for-gfx11-cgcg.patch drm-amdgpu-mmvm_l2_cntl3-register-not-initialized-co.patch +alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch +alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch +alsa-hda-once-again-fix-regression-of-page-allocations-with-iommu.patch +alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch +alsa-usb-audio-split-endpoint-setups-for-hw_params-and-prepare.patch +alsa-usb-audio-clear-fixed-clock-rate-at-closing-ep.patch +alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch +tracefs-only-clobber-mode-uid-gid-on-remount-if-asked.patch +tracing-hold-caller_addr-to-hardirq_-enable-disable-_ip.patch +tracing-fix-to-check-event_mutex-is-held-while-accessing-trigger-list.patch +btrfs-zoned-set-pseudo-max-append-zone-limit-in-zone-emulation-mode.patch +btrfs-zoned-fix-api-misuse-of-zone-finish-waiting.patch +vfio-type1-unpin-zero-pages.patch +kprobes-prohibit-probes-in-gate-area.patch +perf-risc-v-fix-access-beyond-allocated-array.patch diff --git a/queue-5.19/tracefs-only-clobber-mode-uid-gid-on-remount-if-asked.patch b/queue-5.19/tracefs-only-clobber-mode-uid-gid-on-remount-if-asked.patch new file mode 100644 index 00000000000..de4e133f3c6 --- /dev/null +++ b/queue-5.19/tracefs-only-clobber-mode-uid-gid-on-remount-if-asked.patch @@ -0,0 +1,138 @@ +From 47311db8e8f33011d90dee76b39c8886120cdda4 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Fri, 26 Aug 2022 17:44:17 -0700 +Subject: tracefs: Only clobber mode/uid/gid on remount if asked + +From: Brian Norris + +commit 47311db8e8f33011d90dee76b39c8886120cdda4 upstream. + +Users may have explicitly configured their tracefs permissions; we +shouldn't overwrite those just because a second mount appeared. + +Only clobber if the options were provided at mount time. + +Note: the previous behavior was especially surprising in the presence of +automounted /sys/kernel/debug/tracing/. + +Existing behavior: + + ## Pre-existing status: tracefs is 0755. + # stat -c '%A' /sys/kernel/tracing/ + drwxr-xr-x + + ## (Re)trigger the automount. + # umount /sys/kernel/debug/tracing + # stat -c '%A' /sys/kernel/debug/tracing/. + drwx------ + + ## Unexpected: the automount changed mode for other mount instances. + # stat -c '%A' /sys/kernel/tracing/ + drwx------ + +New behavior (after this change): + + ## Pre-existing status: tracefs is 0755. + # stat -c '%A' /sys/kernel/tracing/ + drwxr-xr-x + + ## (Re)trigger the automount. + # umount /sys/kernel/debug/tracing + # stat -c '%A' /sys/kernel/debug/tracing/. + drwxr-xr-x + + ## Expected: the automount does not change other mount instances. + # stat -c '%A' /sys/kernel/tracing/ + drwxr-xr-x + +Link: https://lkml.kernel.org/r/20220826174353.2.Iab6e5ea57963d6deca5311b27fb7226790d44406@changeid + +Cc: stable@vger.kernel.org +Fixes: 4282d60689d4f ("tracefs: Add new tracefs file system") +Signed-off-by: Brian Norris +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + fs/tracefs/inode.c | 31 +++++++++++++++++++++++-------- + 1 file changed, 23 insertions(+), 8 deletions(-) + +--- a/fs/tracefs/inode.c ++++ b/fs/tracefs/inode.c +@@ -141,6 +141,8 @@ struct tracefs_mount_opts { + kuid_t uid; + kgid_t gid; + umode_t mode; ++ /* Opt_* bitfield. */ ++ unsigned int opts; + }; + + enum { +@@ -241,6 +243,7 @@ static int tracefs_parse_options(char *d + kgid_t gid; + char *p; + ++ opts->opts = 0; + opts->mode = TRACEFS_DEFAULT_MODE; + + while ((p = strsep(&data, ",")) != NULL) { +@@ -275,24 +278,36 @@ static int tracefs_parse_options(char *d + * but traditionally tracefs has ignored all mount options + */ + } ++ ++ opts->opts |= BIT(token); + } + + return 0; + } + +-static int tracefs_apply_options(struct super_block *sb) ++static int tracefs_apply_options(struct super_block *sb, bool remount) + { + struct tracefs_fs_info *fsi = sb->s_fs_info; + struct inode *inode = d_inode(sb->s_root); + struct tracefs_mount_opts *opts = &fsi->mount_opts; + +- inode->i_mode &= ~S_IALLUGO; +- inode->i_mode |= opts->mode; ++ /* ++ * On remount, only reset mode/uid/gid if they were provided as mount ++ * options. ++ */ ++ ++ if (!remount || opts->opts & BIT(Opt_mode)) { ++ inode->i_mode &= ~S_IALLUGO; ++ inode->i_mode |= opts->mode; ++ } + +- inode->i_uid = opts->uid; ++ if (!remount || opts->opts & BIT(Opt_uid)) ++ inode->i_uid = opts->uid; + +- /* Set all the group ids to the mount option */ +- set_gid(sb->s_root, opts->gid); ++ if (!remount || opts->opts & BIT(Opt_gid)) { ++ /* Set all the group ids to the mount option */ ++ set_gid(sb->s_root, opts->gid); ++ } + + return 0; + } +@@ -307,7 +322,7 @@ static int tracefs_remount(struct super_ + if (err) + goto fail; + +- tracefs_apply_options(sb); ++ tracefs_apply_options(sb, true); + + fail: + return err; +@@ -359,7 +374,7 @@ static int trace_fill_super(struct super + + sb->s_op = &tracefs_super_operations; + +- tracefs_apply_options(sb); ++ tracefs_apply_options(sb, false); + + return 0; + diff --git a/queue-5.19/tracing-fix-to-check-event_mutex-is-held-while-accessing-trigger-list.patch b/queue-5.19/tracing-fix-to-check-event_mutex-is-held-while-accessing-trigger-list.patch new file mode 100644 index 00000000000..5280b9029c6 --- /dev/null +++ b/queue-5.19/tracing-fix-to-check-event_mutex-is-held-while-accessing-trigger-list.patch @@ -0,0 +1,51 @@ +From cecf8e128ec69149fe53c9a7bafa505a4bee25d9 Mon Sep 17 00:00:00 2001 +From: "Masami Hiramatsu (Google)" +Date: Sun, 4 Sep 2022 13:12:29 +0900 +Subject: tracing: Fix to check event_mutex is held while accessing trigger list + +From: Masami Hiramatsu (Google) + +commit cecf8e128ec69149fe53c9a7bafa505a4bee25d9 upstream. + +Since the check_user_trigger() is called outside of RCU +read lock, this list_for_each_entry_rcu() caused a suspicious +RCU usage warning. + + # echo hist:keys=pid > events/sched/sched_stat_runtime/trigger + # cat events/sched/sched_stat_runtime/trigger +[ 43.167032] +[ 43.167418] ============================= +[ 43.167992] WARNING: suspicious RCU usage +[ 43.168567] 5.19.0-rc5-00029-g19ebe4651abf #59 Not tainted +[ 43.169283] ----------------------------- +[ 43.169863] kernel/trace/trace_events_trigger.c:145 RCU-list traversed in non-reader section!! +... + +However, this file->triggers list is safe when it is accessed +under event_mutex is held. +To fix this warning, adds a lockdep_is_held check to the +list_for_each_entry_rcu(). + +Link: https://lkml.kernel.org/r/166226474977.223837.1992182913048377113.stgit@devnote2 + +Cc: stable@vger.kernel.org +Fixes: 7491e2c44278 ("tracing: Add a probe that attaches to trace events") +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_trigger.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -142,7 +142,8 @@ static bool check_user_trigger(struct tr + { + struct event_trigger_data *data; + +- list_for_each_entry_rcu(data, &file->triggers, list) { ++ list_for_each_entry_rcu(data, &file->triggers, list, ++ lockdep_is_held(&event_mutex)) { + if (data->flags & EVENT_TRIGGER_FL_PROBE) + continue; + return true; diff --git a/queue-5.19/tracing-hold-caller_addr-to-hardirq_-enable-disable-_ip.patch b/queue-5.19/tracing-hold-caller_addr-to-hardirq_-enable-disable-_ip.patch new file mode 100644 index 00000000000..e7ffb2782a7 --- /dev/null +++ b/queue-5.19/tracing-hold-caller_addr-to-hardirq_-enable-disable-_ip.patch @@ -0,0 +1,53 @@ +From 54c3931957f6a6194d5972eccc36d052964b2abe Mon Sep 17 00:00:00 2001 +From: Yipeng Zou +Date: Thu, 1 Sep 2022 18:45:14 +0800 +Subject: tracing: hold caller_addr to hardirq_{enable,disable}_ip + +From: Yipeng Zou + +commit 54c3931957f6a6194d5972eccc36d052964b2abe upstream. + +Currently, The arguments passing to lockdep_hardirqs_{on,off} was fixed +in CALLER_ADDR0. +The function trace_hardirqs_on_caller should have been intended to use +caller_addr to represent the address that caller wants to be traced. + +For example, lockdep log in riscv showing the last {enabled,disabled} at +__trace_hardirqs_{on,off} all the time(if called by): +[ 57.853175] hardirqs last enabled at (2519): __trace_hardirqs_on+0xc/0x14 +[ 57.853848] hardirqs last disabled at (2520): __trace_hardirqs_off+0xc/0x14 + +After use trace_hardirqs_xx_caller, we can get more effective information: +[ 53.781428] hardirqs last enabled at (2595): restore_all+0xe/0x66 +[ 53.782185] hardirqs last disabled at (2596): ret_from_exception+0xa/0x10 + +Link: https://lkml.kernel.org/r/20220901104515.135162-2-zouyipeng@huawei.com + +Cc: stable@vger.kernel.org +Fixes: c3bc8fd637a96 ("tracing: Centralize preemptirq tracepoints and unify their usage") +Signed-off-by: Yipeng Zou +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_preemptirq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/trace/trace_preemptirq.c ++++ b/kernel/trace/trace_preemptirq.c +@@ -95,14 +95,14 @@ __visible void trace_hardirqs_on_caller( + } + + lockdep_hardirqs_on_prepare(); +- lockdep_hardirqs_on(CALLER_ADDR0); ++ lockdep_hardirqs_on(caller_addr); + } + EXPORT_SYMBOL(trace_hardirqs_on_caller); + NOKPROBE_SYMBOL(trace_hardirqs_on_caller); + + __visible void trace_hardirqs_off_caller(unsigned long caller_addr) + { +- lockdep_hardirqs_off(CALLER_ADDR0); ++ lockdep_hardirqs_off(caller_addr); + + if (!this_cpu_read(tracing_irq_cpu)) { + this_cpu_write(tracing_irq_cpu, 1); diff --git a/queue-5.19/vfio-type1-unpin-zero-pages.patch b/queue-5.19/vfio-type1-unpin-zero-pages.patch new file mode 100644 index 00000000000..6ae83dee00f --- /dev/null +++ b/queue-5.19/vfio-type1-unpin-zero-pages.patch @@ -0,0 +1,53 @@ +From 873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4 Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Mon, 29 Aug 2022 21:05:40 -0600 +Subject: vfio/type1: Unpin zero pages + +From: Alex Williamson + +commit 873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4 upstream. + +There's currently a reference count leak on the zero page. We increment +the reference via pin_user_pages_remote(), but the page is later handled +as an invalid/reserved page, therefore it's not accounted against the +user and not unpinned by our put_pfn(). + +Introducing special zero page handling in put_pfn() would resolve the +leak, but without accounting of the zero page, a single user could +still create enough mappings to generate a reference count overflow. + +The zero page is always resident, so for our purposes there's no reason +to keep it pinned. Therefore, add a loop to walk pages returned from +pin_user_pages_remote() and unpin any zero pages. + +Cc: stable@vger.kernel.org +Reported-by: Luboslav Pivarc +Reviewed-by: David Hildenbrand +Link: https://lore.kernel.org/r/166182871735.3518559.8884121293045337358.stgit@omen +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vfio/vfio_iommu_type1.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -557,6 +557,18 @@ static int vaddr_get_pfns(struct mm_stru + ret = pin_user_pages_remote(mm, vaddr, npages, flags | FOLL_LONGTERM, + pages, NULL, NULL); + if (ret > 0) { ++ int i; ++ ++ /* ++ * The zero page is always resident, we don't need to pin it ++ * and it falls into our invalid/reserved test so we don't ++ * unpin in put_pfn(). Unpin all zero pages in the batch here. ++ */ ++ for (i = 0 ; i < ret; i++) { ++ if (unlikely(is_zero_pfn(page_to_pfn(pages[i])))) ++ unpin_user_page(pages[i]); ++ } ++ + *pfn = page_to_pfn(pages[0]); + goto done; + } -- 2.47.3