From 71553e92a59974b22558814e70109c938e6e70ab Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 21 Nov 2022 12:19:09 +0100
Subject: [PATCH] 4.14-stable patches
added patches:
 alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch
 ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch
 ftrace-fix-the-possible-incorrect-kernel-message.patch
 ftrace-optimize-the-allocation-for-mcount-entries.patch
 ring_buffer-do-not-deactivate-non-existant-pages.patch
---
 ..._bug_on-from-snd_usbmidi_output_open.patch | 41 ++++++++++++++
 ...ointer-dereference-in-ftrace_add_mod.patch | 55 +++++++++++++++++++
 ...he-possible-incorrect-kernel-message.patch | 36 ++++++++++++
 ...ze-the-allocation-for-mcount-entries.patch | 36 ++++++++++++
 ...do-not-deactivate-non-existant-pages.patch | 40 ++++++++++++++
 queue-4.14/series | 5 ++
 6 files changed, 213 insertions(+)
 create mode 100644 queue-4.14/alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch
 create mode 100644 queue-4.14/ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch
 create mode 100644 queue-4.14/ftrace-fix-the-possible-incorrect-kernel-message.patch
 create mode 100644 queue-4.14/ftrace-optimize-the-allocation-for-mcount-entries.patch
 create mode 100644 queue-4.14/ring_buffer-do-not-deactivate-non-existant-pages.patch
diff --git a/queue-4.14/alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch b/queue-4.14/alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch
new file mode 100644
index 00000000000..99604a01ace
--- /dev/null
+++ b/queue-4.14/alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch
@@ -0,0 +1,41 @@
+From ad72c3c3f6eb81d2cb189ec71e888316adada5df Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Sat, 12 Nov 2022 15:12:23 +0100
+Subject: ALSA: usb-audio: Drop snd_BUG_ON() from snd_usbmidi_output_open()
+
+From: Takashi Iwai
+
+commit ad72c3c3f6eb81d2cb189ec71e888316adada5df upstream.
+
+snd_usbmidi_output_open() has a check of the NULL port with
+snd_BUG_ON(). snd_BUG_ON() was used as this shouldn't have happened,
+but in reality, the NULL port may be seen when the device gives an
+invalid endpoint setup at the descriptor, hence the driver skips the
+allocation. That is, the check itself is valid and snd_BUG_ON()
+should be dropped from there. Otherwise it's confusing as if it were
+a real bug, as recently syzbot stumbled on it.
+
+Reported-by: syzbot+9abda841d636d86c41da@syzkaller.appspotmail.com
+Cc:
+Link: https://lore.kernel.org/r/syzbot+9abda841d636d86c41da@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20221112141223.6144-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/midi.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -1148,10 +1148,8 @@ static int snd_usbmidi_output_open(struc
+ port = &umidi->endpoints[i].out->ports[j];
+ break;
+ }
+- if (!port) {
+- snd_BUG();
++ if (!port)
+ return -ENXIO;
+- }
+
+ substream->runtime->private_data = port;
+ port->state = STATE_UNKNOWN;
diff --git a/queue-4.14/ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch b/queue-4.14/ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch
new file mode 100644
index 00000000000..eadf3d55359
--- /dev/null
+++ b/queue-4.14/ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch
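Review bot: In the sound/usb/midi.c hunk carried by alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch, the bare `if (!port) return -ENXIO;` is now the only thing standing between a device-supplied descriptor and the `port->state` write two lines below, and nothing in the code says so. The commit message explains that a NULL port is reachable when the device reports an invalid endpoint setup, so I would record that on the check itself, e.g. `/* port is NULL when the device's descriptors gave an invalid endpoint setup */`. That keeps a later cleanup from reinstating an assertion on a path an attached device can trigger. snd_usbmidi_output_open() starts and ends outside the hunk, so the loop that assigns port is only partly visible.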
@@ -0,0 +1,55 @@
+From 19ba6c8af9382c4c05dc6a0a79af3013b9a35cd0 Mon Sep 17 00:00:00 2001
+From: Xiu Jianfeng
+Date: Wed, 16 Nov 2022 09:52:07 +0800
+Subject: ftrace: Fix null pointer dereference in ftrace_add_mod()
+
+From: Xiu Jianfeng
+
+commit 19ba6c8af9382c4c05dc6a0a79af3013b9a35cd0 upstream.
+
+The @ftrace_mod is allocated by kzalloc(), so both the members {prev,next}
+of @ftrace_mode->list are NULL, it's not a valid state to call list_del().
+If kstrdup() for @ftrace_mod->{func|module} fails, it goes to @out_free
+tag and calls free_ftrace_mod() to destroy @ftrace_mod, then list_del()
+will write prev->next and next->prev, where null pointer dereference
+happens.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000008
+Oops: 0002 [#1] PREEMPT SMP NOPTI
+Call Trace:
+
+ ftrace_mod_callback+0x20d/0x220
+ ? do_filp_open+0xd9/0x140
+ ftrace_process_regex.isra.51+0xbf/0x130
+ ftrace_regex_write.isra.52.part.53+0x6e/0x90
+ vfs_write+0xee/0x3a0
+ ? __audit_filter_op+0xb1/0x100
+ ? auditd_test_task+0x38/0x50
+ ksys_write+0xa5/0xe0
+ do_syscall_64+0x3a/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+Kernel panic - not syncing: Fatal exception
+
+So call INIT_LIST_HEAD() to initialize the list member to fix this issue.
+
+Link: https://lkml.kernel.org/r/20221116015207.30858-1-xiujianfeng@huawei.com
+
+Cc: stable@vger.kernel.org
+Fixes: 673feb9d76ab ("ftrace: Add :mod: caching infrastructure to trace_array")
+Signed-off-by: Xiu Jianfeng
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/ftrace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -1396,6 +1396,7 @@ static int ftrace_add_mod(struct trace_a
+ if (!ftrace_mod)
+ return -ENOMEM;
+
++ INIT_LIST_HEAD(&ftrace_mod->list);
+ ftrace_mod->func = kstrdup(func, GFP_KERNEL);
+ ftrace_mod->module = kstrdup(module, GFP_KERNEL);
+ ftrace_mod->enable = enable;
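Review bot: The added `INIT_LIST_HEAD(&ftrace_mod->list);` in the kernel/trace/ftrace.c hunk has no comment tying it to the error path it protects. Per the commit message, free_ftrace_mod() calls list_del() from the out_free label when either kstrdup() fails, and that label lies outside the hunk, so a reader of this line cannot see why an entry that is not yet on any list needs an initialised head. I would add `/* free_ftrace_mod() does list_del(); keep that safe on the out_free path */` above the call. The two kstrdup() results are not checked in the visible lines; the check presumably follows the hunk, and the quoted call trace shows the path is entered from a write() handler, so it is worth keeping the failure path obviously safe.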
diff --git a/queue-4.14/ftrace-fix-the-possible-incorrect-kernel-message.patch b/queue-4.14/ftrace-fix-the-possible-incorrect-kernel-message.patch
new file mode 100644
index 00000000000..cb8107227f3
--- /dev/null
+++ b/queue-4.14/ftrace-fix-the-possible-incorrect-kernel-message.patch
@@ -0,0 +1,36 @@
+From 08948caebe93482db1adfd2154eba124f66d161d Mon Sep 17 00:00:00 2001
+From: Wang Wensheng
+Date: Wed, 9 Nov 2022 09:44:32 +0000
+Subject: ftrace: Fix the possible incorrect kernel message
+
+From: Wang Wensheng
+
+commit 08948caebe93482db1adfd2154eba124f66d161d upstream.
+
+If the number of mcount entries is an integer multiple of
+ENTRIES_PER_PAGE, the page count showing on the console would be wrong.
+
+Link: https://lkml.kernel.org/r/20221109094434.84046-2-wangwensheng4@huawei.com
+
+Cc:
+Cc:
+Cc: stable@vger.kernel.org
+Fixes: 5821e1b74f0d0 ("function tracing: fix wrong pos computing when read buffer has been fulfilled")
+Signed-off-by: Wang Wensheng
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/ftrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -6015,7 +6015,7 @@ void __init ftrace_init(void)
+ }
+
+ pr_info("ftrace: allocating %ld entries in %ld pages\n",
+- count, count / ENTRIES_PER_PAGE + 1);
++ count, DIV_ROUND_UP(count, ENTRIES_PER_PAGE));
+
+ last_ftrace_enabled = ftrace_enabled = 1;
+
diff --git a/queue-4.14/ftrace-optimize-the-allocation-for-mcount-entries.patch b/queue-4.14/ftrace-optimize-the-allocation-for-mcount-entries.patch
new file mode 100644
index 00000000000..f948650bcb8
--- /dev/null
+++ b/queue-4.14/ftrace-optimize-the-allocation-for-mcount-entries.patch
@@ -0,0 +1,36 @@
+From bcea02b096333dc74af987cb9685a4dbdd820840 Mon Sep 17 00:00:00 2001
+From: Wang Wensheng
+Date: Wed, 9 Nov 2022 09:44:33 +0000
+Subject: ftrace: Optimize the allocation for mcount entries
+
+From: Wang Wensheng
+
+commit bcea02b096333dc74af987cb9685a4dbdd820840 upstream.
+
+If we can't allocate this size, try something smaller with half of the
+size. Its order should be decreased by one instead of divided by two.
+
+Link: https://lkml.kernel.org/r/20221109094434.84046-3-wangwensheng4@huawei.com
+
+Cc:
+Cc:
+Cc: stable@vger.kernel.org
+Fixes: a79008755497d ("ftrace: Allocate the mcount record pages as groups")
+Signed-off-by: Wang Wensheng
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/ftrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3105,7 +3105,7 @@ static int ftrace_allocate_records(struc
+ /* if we can't allocate this size, try something smaller */
+ if (!order)
+ return -ENOMEM;
+- order >>= 1;
++ order--;
+ goto again;
+ }
+
diff --git a/queue-4.14/ring_buffer-do-not-deactivate-non-existant-pages.patch b/queue-4.14/ring_buffer-do-not-deactivate-non-existant-pages.patch
new file mode 100644
index 00000000000..288005f2848
--- /dev/null
+++ b/queue-4.14/ring_buffer-do-not-deactivate-non-existant-pages.patch
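Review bot: The comment kept above the retry in the ftrace_allocate_records() hunk of kernel/trace/ftrace.c still says only "try something smaller" and does not say by how much, which is exactly the detail this fix is about. Since order is an allocation order, I would spell out the step next to `order--;`: `/* if we can't allocate this size, retry with half of it (one order lower) */`. The code that derives the record count from order after a successful allocation lies outside the hunk; it should be confirmed to use the reduced order rather than the one first requested, otherwise the recorded size would exceed what was allocated.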
@@ -0,0 +1,40 @@
+From 56f4ca0a79a9f1af98f26c54b9b89ba1f9bcc6bd Mon Sep 17 00:00:00 2001
+From: Daniil Tatianin
+Date: Mon, 14 Nov 2022 17:31:29 +0300
+Subject: ring_buffer: Do not deactivate non-existant pages
+
+From: Daniil Tatianin
+
+commit 56f4ca0a79a9f1af98f26c54b9b89ba1f9bcc6bd upstream.
+
+rb_head_page_deactivate() expects cpu_buffer to contain a valid list of
+->pages, so verify that the list is actually present before calling it.
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE
+static analysis tool.
+
+Link: https://lkml.kernel.org/r/20221114143129.3534443-1-d-tatianin@yandex-team.ru
+
+Cc: stable@vger.kernel.org
+Fixes: 77ae365eca895 ("ring-buffer: make lockless")
+Signed-off-by: Daniil Tatianin
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/ring_buffer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -1271,9 +1271,9 @@ static void rb_free_cpu_buffer(struct ri
+
+ free_buffer_page(cpu_buffer->reader_page);
+
+- rb_head_page_deactivate(cpu_buffer);
+-
+ if (head) {
++ rb_head_page_deactivate(cpu_buffer);
++
+ list_for_each_entry_safe(bpage, tmp, head, list) {
+ list_del_init(&bpage->list);
+ free_buffer_page(bpage);
diff --git a/queue-4.14/series b/queue-4.14/series
index f8c90321d73..ee5a9900047 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -50,3 +50,8 @@ xen-pcpu-fix-possible-memory-leak-in-register_pcpu.patch
 drbd-use-after-free-in-drbd_create_device.patch
 net-x25-fix-skb-leak-in-x25_lapb_receive_frame.patch
 cifs-fix-wrong-return-value-checking-when-getflags.patch
+ftrace-fix-the-possible-incorrect-kernel-message.patch
+ftrace-optimize-the-allocation-for-mcount-entries.patch
+ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch
+ring_buffer-do-not-deactivate-non-existant-pages.patch
+alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch
-- 
2.47.3
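Review bot: In the rb_free_cpu_buffer() hunk of kernel/trace/ring_buffer.c, `rb_head_page_deactivate(cpu_buffer);` now sits under `if (head)`, but the precondition it depends on is stated only in the commit message. I would add `/* rb_head_page_deactivate() needs a valid ->pages list */` inside the branch so the ordering is not undone by a later tidy-up. The line just above, `free_buffer_page(cpu_buffer->reader_page);`, still runs unconditionally; whether reader_page can also be absent on the path where ->pages is missing is not visible here and is worth confirming. The assignment of head and the end of the function are outside the hunk.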