From 96e2499e3ea82f3128864443ad9f91bc913bb4be Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 21 Apr 2025 16:18:39 +0200 Subject: [PATCH] 5.15-stable patches added patches: btrfs-correctly-escape-subvol-in-btrfs_show_options.patch crypto-caam-qi-fix-drv_ctx-refcount-bug.patch hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch i2c-cros-ec-tunnel-defer-probe-if-parent-ec-is-not-present.patch isofs-prevent-the-use-of-too-small-fid.patch loop-loop_set_fd-send-uevents-for-partitions.patch loop-properly-send-kobj_changed-uevent-for-disk-device.patch mm-gup-fix-wrongly-calculated-returned-value-in-fault_in_safe_writeable.patch perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-icx.patch perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-spr.patch riscv-avoid-fortify-warning-in-syscall_get_arguments.patch tracing-fix-filter-string-testing.patch virtiofs-add-filesystem-context-source-name-check.patch --- ...-escape-subvol-in-btrfs_show_options.patch | 41 +++++++ ...pto-caam-qi-fix-drv_ctx-refcount-bug.patch | 45 ++++++++ ...-out-of-bounds-in-hfs_bnode_read_key.patch | 89 +++++++++++++++ ...er-probe-if-parent-ec-is-not-present.patch | 106 ++++++++++++++++++ ...ofs-prevent-the-use-of-too-small-fid.patch | 95 ++++++++++++++++ ...p_set_fd-send-uevents-for-partitions.patch | 54 +++++++++ ...-kobj_changed-uevent-for-disk-device.patch | 59 ++++++++++ ...ned-value-in-fault_in_safe_writeable.patch | 51 +++++++++ ...te-user-space-gprs-from-pebs-records.patch | 78 +++++++++++++ ...-of-iio-free-running-counters-on-icx.patch | 76 +++++++++++++ ...-of-iio-free-running-counters-on-snr.patch | 71 ++++++++++++ ...-of-iio-free-running-counters-on-spr.patch | 101 +++++++++++++++++ ...ify-warning-in-syscall_get_arguments.patch | 67 +++++++++++ queue-5.15/series | 15 +++ .../tracing-fix-filter-string-testing.patch | 62 ++++++++++ 
...filesystem-context-source-name-check.patch | 35 ++++++ 16 files changed, 1045 insertions(+) create mode 100644 queue-5.15/btrfs-correctly-escape-subvol-in-btrfs_show_options.patch create mode 100644 queue-5.15/crypto-caam-qi-fix-drv_ctx-refcount-bug.patch create mode 100644 queue-5.15/hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch create mode 100644 queue-5.15/i2c-cros-ec-tunnel-defer-probe-if-parent-ec-is-not-present.patch create mode 100644 queue-5.15/isofs-prevent-the-use-of-too-small-fid.patch create mode 100644 queue-5.15/loop-loop_set_fd-send-uevents-for-partitions.patch create mode 100644 queue-5.15/loop-properly-send-kobj_changed-uevent-for-disk-device.patch create mode 100644 queue-5.15/mm-gup-fix-wrongly-calculated-returned-value-in-fault_in_safe_writeable.patch create mode 100644 queue-5.15/perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch create mode 100644 queue-5.15/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-icx.patch create mode 100644 queue-5.15/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch create mode 100644 queue-5.15/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-spr.patch create mode 100644 queue-5.15/riscv-avoid-fortify-warning-in-syscall_get_arguments.patch create mode 100644 queue-5.15/tracing-fix-filter-string-testing.patch create mode 100644 queue-5.15/virtiofs-add-filesystem-context-source-name-check.patch diff --git a/queue-5.15/btrfs-correctly-escape-subvol-in-btrfs_show_options.patch b/queue-5.15/btrfs-correctly-escape-subvol-in-btrfs_show_options.patch new file mode 100644 index 0000000000..339899b962 --- /dev/null +++ b/queue-5.15/btrfs-correctly-escape-subvol-in-btrfs_show_options.patch 
@@ -0,0 +1,41 @@
+From dc08c58696f8555e4a802f1f23c894a330d80ab7 Mon Sep 17 00:00:00 2001
+From: Johannes Kimmel
+Date: Wed, 19 Mar 2025 22:49:00 +0100
+Subject: btrfs: correctly escape subvol in btrfs_show_options()
+
+From: Johannes Kimmel
+
+commit dc08c58696f8555e4a802f1f23c894a330d80ab7 upstream.
+
+Currently, displaying the btrfs subvol mount option doesn't escape ','.
+This makes parsing /proc/self/mounts and /proc/self/mountinfo
+ambiguous for subvolume names that contain commas. The text after the
+comma could be mistaken for another option (think "subvol=foo,ro", where
+ro is actually part of the subvolumes name).
+
+Replace the manual escape characters list with a call to
+seq_show_option(). Thanks to Calvin Walton for suggesting this approach.
+
+Fixes: c8d3fe028f64 ("Btrfs: show subvol= and subvolid= in /proc/mounts")
+CC: stable@vger.kernel.org # 5.4+
+Suggested-by: Calvin Walton
+Signed-off-by: Johannes Kimmel
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/super.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1559,8 +1559,7 @@ static int btrfs_show_options(struct seq
+ subvol_name = btrfs_get_subvol_name_from_objectid(info,
+ BTRFS_I(d_inode(dentry))->root->root_key.objectid);
+ if (!IS_ERR(subvol_name)) {
+- seq_puts(seq, ",subvol=");
+- seq_escape(seq, subvol_name, " \t\n\\");
++ seq_show_option(seq, "subvol", subvol_name);
+ kfree(subvol_name);
+ }
+ return 0;
diff --git a/queue-5.15/crypto-caam-qi-fix-drv_ctx-refcount-bug.patch b/queue-5.15/crypto-caam-qi-fix-drv_ctx-refcount-bug.patch
new file mode 100644
index 0000000000..b47c455268
--- /dev/null
+++ b/queue-5.15/crypto-caam-qi-fix-drv_ctx-refcount-bug.patch
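Review bot: The new `seq_show_option(seq, "subvol", subvol_name);` line in the fs/btrfs/super.c hunk has no comment saying why the generic helper is used, and the explicit escape list that documented the intent is removed. A one-line comment such as `/* seq_show_option() also escapes ',' so the name cannot read as a further mount option */` would keep the reason next to the code. Consumers that split /proc/self/mounts options on ',' will now see the escaped form for such names. btrfs_show_options() starts above the hunk.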
@@ -0,0 +1,45 @@
+From b7b39df7e710b0068356e4c696af07aa10e2cd3d Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Tue, 8 Apr 2025 13:17:20 +0800
+Subject: crypto: caam/qi - Fix drv_ctx refcount bug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Herbert Xu
+
+commit b7b39df7e710b0068356e4c696af07aa10e2cd3d upstream.
+
+Ensure refcount is raised before request is enqueued since it could
+be dequeued before the call returns.
+
+Reported-by: Sean Anderson
+Cc:
+Fixes: 11144416a755 ("crypto: caam/qi - optimize frame queue cleanup")
+Signed-off-by: Herbert Xu
+Reviewed-by: Horia Geantă
+Tested-by: Sean Anderson
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/caam/qi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/crypto/caam/qi.c
++++ b/drivers/crypto/caam/qi.c
+@@ -115,12 +115,12 @@ int caam_qi_enqueue(struct device *qidev
+ qm_fd_addr_set64(&fd, addr);
+
+ do {
++ refcount_inc(&req->drv_ctx->refcnt);
+ ret = qman_enqueue(req->drv_ctx->req_fq, &fd);
+- if (likely(!ret)) {
+- refcount_inc(&req->drv_ctx->refcnt);
++ if (likely(!ret))
+ return 0;
+- }
+
++ refcount_dec(&req->drv_ctx->refcnt);
+ if (ret != -EBUSY)
+ break;
+ num_retries++;
diff --git a/queue-5.15/hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch b/queue-5.15/hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch
new file mode 100644
index 0000000000..d96f9d0b9b
--- /dev/null
+++ b/queue-5.15/hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch
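Review bot: The failure-path `refcount_dec(&req->drv_ctx->refcnt);` added to the retry loop of caam_qi_enqueue() is only safe if another reference on drv_ctx is still held at that point, since refcount_dec() warns when the count reaches zero; the hunk does not show who holds it. A comment above the increment such as `/* caller holds a base reference; this one is owned by the in-flight request */` would state the assumption, if it is what the driver guarantees. The inc/dec pair also runs on every -EBUSY retry; taking the reference once before the `do` and dropping it once after the loop on the failure exit looks equivalent and keeps the atomics out of the busy path. The loop's tail is outside the hunk.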
@@ -0,0 +1,89 @@ +From bb5e07cb927724e0b47be371fa081141cfb14414 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kovalev +Date: Sat, 19 Oct 2024 22:13:03 +0300 +Subject: hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key + +From: Vasiliy Kovalev + +commit bb5e07cb927724e0b47be371fa081141cfb14414 upstream. + +Syzbot reported an issue in hfs subsystem: + +BUG: KASAN: slab-out-of-bounds in memcpy_from_page include/linux/highmem.h:423 [inline] +BUG: KASAN: slab-out-of-bounds in hfs_bnode_read fs/hfs/bnode.c:35 [inline] +BUG: KASAN: slab-out-of-bounds in hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70 +Write of size 94 at addr ffff8880123cd100 by task syz-executor237/5102 + +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0x169/0x550 mm/kasan/report.c:488 + kasan_report+0x143/0x180 mm/kasan/report.c:601 + kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 + __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 + memcpy_from_page include/linux/highmem.h:423 [inline] + hfs_bnode_read fs/hfs/bnode.c:35 [inline] + hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70 + hfs_brec_insert+0x7f3/0xbd0 fs/hfs/brec.c:159 + hfs_cat_create+0x41d/0xa50 fs/hfs/catalog.c:118 + hfs_mkdir+0x6c/0xe0 fs/hfs/dir.c:232 + vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257 + do_mkdirat+0x264/0x3a0 fs/namei.c:4280 + __do_sys_mkdir fs/namei.c:4300 [inline] + __se_sys_mkdir fs/namei.c:4298 [inline] + __x64_sys_mkdir+0x6c/0x80 fs/namei.c:4298 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fbdd6057a99 + +Add a check for key length in hfs_bnode_read_key to prevent +out-of-bounds memory access. If the key length is invalid, the +key buffer is cleared, improving stability and reliability. 
+ +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+5f3a973ed3dfb85a6683@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=5f3a973ed3dfb85a6683 +Cc: stable@vger.kernel.org +Signed-off-by: Vasiliy Kovalev +Link: https://lore.kernel.org/20241019191303.24048-1-kovalev@altlinux.org +Reviewed-by: Cengiz Can +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/hfs/bnode.c | 6 ++++++ + fs/hfsplus/bnode.c | 6 ++++++ + 2 files changed, 12 insertions(+) + +--- a/fs/hfs/bnode.c ++++ b/fs/hfs/bnode.c +@@ -70,6 +70,12 @@ void hfs_bnode_read_key(struct hfs_bnode + else + key_len = tree->max_key_len + 1; + ++ if (key_len > sizeof(hfs_btree_key) || key_len < 1) { ++ memset(key, 0, sizeof(hfs_btree_key)); ++ pr_err("hfs: Invalid key length: %d\n", key_len); ++ return; ++ } ++ + hfs_bnode_read(node, key, off, key_len); + } + +--- a/fs/hfsplus/bnode.c ++++ b/fs/hfsplus/bnode.c +@@ -69,6 +69,12 @@ void hfs_bnode_read_key(struct hfs_bnode + else + key_len = tree->max_key_len + 2; + ++ if (key_len > sizeof(hfsplus_btree_key) || key_len < 1) { ++ memset(key, 0, sizeof(hfsplus_btree_key)); ++ pr_err("hfsplus: Invalid key length: %d\n", key_len); ++ return; ++ } ++ + hfs_bnode_read(node, key, off, key_len); + } + diff --git a/queue-5.15/i2c-cros-ec-tunnel-defer-probe-if-parent-ec-is-not-present.patch b/queue-5.15/i2c-cros-ec-tunnel-defer-probe-if-parent-ec-is-not-present.patch new file mode 100644 index 0000000000..2e2533e809 --- /dev/null +++ b/queue-5.15/i2c-cros-ec-tunnel-defer-probe-if-parent-ec-is-not-present.patch 
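Review bot: The added `memset(key, 0, sizeof(hfs_btree_key));` in fs/hfs/bnode.c, and the matching `sizeof(hfsplus_btree_key)` line in fs/hfsplus/bnode.c, assume the caller's buffer behind `key` is at least as large as the full key union, which neither hunk shows; if callers size that buffer from `tree->max_key_len`, both the clear and the upper bound of the check should use that size instead. The `pr_err()` is reachable from on-disk data, so `pr_err_ratelimited("hfs: Invalid key length: %d\n", key_len);` would keep a corrupted image from flooding the log. Because the function returns void, callers carry on with a zeroed key, and a comment saying so would help the next reader. hfs_bnode_read_key() starts above both hunks.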
@@ -0,0 +1,106 @@ +From 424eafe65647a8d6c690284536e711977153195a Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Mon, 7 Apr 2025 17:33:34 -0300 +Subject: i2c: cros-ec-tunnel: defer probe if parent EC is not present + +From: Thadeu Lima de Souza Cascardo + +commit 424eafe65647a8d6c690284536e711977153195a upstream. + +When i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent +device will not be found, leading to NULL pointer dereference. + +That can also be reproduced by unbinding the controller driver and then +loading i2c-cros-ec-tunnel module (or binding the device). + +[ 271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058 +[ 271.998215] #PF: supervisor read access in kernel mode +[ 272.003351] #PF: error_code(0x0000) - not-present page +[ 272.008485] PGD 0 P4D 0 +[ 272.011022] Oops: Oops: 0000 [#1] SMP NOPTI +[ 272.015207] CPU: 0 UID: 0 PID: 3859 Comm: insmod Tainted: G S 6.15.0-rc1-00004-g44722359ed83 #30 PREEMPT(full) 3c7fb39a552e7d949de2ad921a7d6588d3a4fdc5 +[ 272.030312] Tainted: [S]=CPU_OUT_OF_SPEC +[ 272.034233] Hardware name: HP Berknip/Berknip, BIOS Google_Berknip.13434.356.0 05/17/2021 +[ 272.042400] RIP: 0010:ec_i2c_probe+0x2b/0x1c0 [i2c_cros_ec_tunnel] +[ 272.048577] Code: 1f 44 00 00 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 05 06 a0 6c e7 48 89 44 24 08 4c 8d 7f 10 48 8b 47 50 4c 8b 60 78 <49> 83 7c 24 58 00 0f 84 2f 01 00 00 48 89 fb be 30 06 00 00 4c 9 +[ 272.067317] RSP: 0018:ffffa32082a03940 EFLAGS: 00010282 +[ 272.072541] RAX: ffff969580b6a810 RBX: ffff969580b68c10 RCX: 0000000000000000 +[ 272.079672] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff969580b68c00 +[ 272.086804] RBP: 00000000fffffdfb R08: 0000000000000000 R09: 0000000000000000 +[ 272.093936] R10: 0000000000000000 R11: ffffffffc0600000 R12: 0000000000000000 +[ 272.101067] R13: ffffffffa666fbb8 R14: ffffffffc05b5528 R15: ffff969580b68c10 +[ 272.108198] FS: 00007b930906fc40(0000) GS:ffff969603149000(0000) 
knlGS:0000000000000000 +[ 272.116282] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 272.122024] CR2: 0000000000000058 CR3: 000000012631c000 CR4: 00000000003506f0 +[ 272.129155] Call Trace: +[ 272.131606] +[ 272.133709] ? acpi_dev_pm_attach+0xdd/0x110 +[ 272.137985] platform_probe+0x69/0xa0 +[ 272.141652] really_probe+0x152/0x310 +[ 272.145318] __driver_probe_device+0x77/0x110 +[ 272.149678] driver_probe_device+0x1e/0x190 +[ 272.153864] __driver_attach+0x10b/0x1e0 +[ 272.157790] ? driver_attach+0x20/0x20 +[ 272.161542] bus_for_each_dev+0x107/0x150 +[ 272.165553] bus_add_driver+0x15d/0x270 +[ 272.169392] driver_register+0x65/0x110 +[ 272.173232] ? cleanup_module+0xa80/0xa80 [i2c_cros_ec_tunnel 3a00532f3f4af4a9eade753f86b0f8dd4e4e5698] +[ 272.182617] do_one_initcall+0x110/0x350 +[ 272.186543] ? security_kernfs_init_security+0x49/0xd0 +[ 272.191682] ? __kernfs_new_node+0x1b9/0x240 +[ 272.195954] ? security_kernfs_init_security+0x49/0xd0 +[ 272.201093] ? __kernfs_new_node+0x1b9/0x240 +[ 272.205365] ? kernfs_link_sibling+0x105/0x130 +[ 272.209810] ? kernfs_next_descendant_post+0x1c/0xa0 +[ 272.214773] ? kernfs_activate+0x57/0x70 +[ 272.218699] ? kernfs_add_one+0x118/0x160 +[ 272.222710] ? __kernfs_create_file+0x71/0xa0 +[ 272.227069] ? sysfs_add_bin_file_mode_ns+0xd6/0x110 +[ 272.232033] ? internal_create_group+0x453/0x4a0 +[ 272.236651] ? __vunmap_range_noflush+0x214/0x2d0 +[ 272.241355] ? __free_frozen_pages+0x1dc/0x420 +[ 272.245799] ? free_vmap_area_noflush+0x10a/0x1c0 +[ 272.250505] ? load_module+0x1509/0x16f0 +[ 272.254431] do_init_module+0x60/0x230 +[ 272.258181] __se_sys_finit_module+0x27a/0x370 +[ 272.262627] do_syscall_64+0x6a/0xf0 +[ 272.266206] ? do_syscall_64+0x76/0xf0 +[ 272.269956] ? 
irqentry_exit_to_user_mode+0x79/0x90 +[ 272.274836] entry_SYSCALL_64_after_hwframe+0x55/0x5d +[ 272.279887] RIP: 0033:0x7b9309168d39 +[ 272.283466] Code: 5b 41 5c 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d af 40 0c 00 f7 d8 64 89 01 8 +[ 272.302210] RSP: 002b:00007fff50f1a288 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +[ 272.309774] RAX: ffffffffffffffda RBX: 000058bf9b50f6d0 RCX: 00007b9309168d39 +[ 272.316905] RDX: 0000000000000000 RSI: 000058bf6c103a77 RDI: 0000000000000003 +[ 272.324036] RBP: 00007fff50f1a2e0 R08: 00007fff50f19218 R09: 0000000021ec4150 +[ 272.331166] R10: 000058bf9b50f7f0 R11: 0000000000000246 R12: 0000000000000000 +[ 272.338296] R13: 00000000fffffffe R14: 0000000000000000 R15: 000058bf6c103a77 +[ 272.345428] +[ 272.347617] Modules linked in: i2c_cros_ec_tunnel(+) +[ 272.364585] gsmi: Log Shutdown Reason 0x03 + +Returning -EPROBE_DEFER will allow the device to be bound once the +controller is bound, in the case of built-in drivers. + +Fixes: 9d230c9e4f4e ("i2c: ChromeOS EC tunnel driver") +Signed-off-by: Thadeu Lima de Souza Cascardo +Cc: # v3.16+ +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20250407-null-ec-parent-v1-1-f7dda62d3110@igalia.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/i2c/busses/i2c-cros-ec-tunnel.c ++++ b/drivers/i2c/busses/i2c-cros-ec-tunnel.c +@@ -247,6 +247,9 @@ static int ec_i2c_probe(struct platform_ + u32 remote_bus; + int err; + ++ if (!ec) ++ return dev_err_probe(dev, -EPROBE_DEFER, "couldn't find parent EC device\n"); ++ + if (!ec->cmd_xfer) { + dev_err(dev, "Missing sendrecv\n"); + return -EINVAL; diff --git a/queue-5.15/isofs-prevent-the-use-of-too-small-fid.patch b/queue-5.15/isofs-prevent-the-use-of-too-small-fid.patch new file mode 100644 index 0000000000..039485a101 --- /dev/null 
+++ b/queue-5.15/isofs-prevent-the-use-of-too-small-fid.patch 
@@ -0,0 +1,95 @@ +From 0405d4b63d082861f4eaff9d39c78ee9dc34f845 Mon Sep 17 00:00:00 2001 +From: Edward Adam Davis +Date: Fri, 4 Apr 2025 13:31:29 +0800 +Subject: isofs: Prevent the use of too small fid + +From: Edward Adam Davis + +commit 0405d4b63d082861f4eaff9d39c78ee9dc34f845 upstream. + +syzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1] + +The handle_bytes value passed in by the reproducing program is equal to 12. +In handle_to_path(), only 12 bytes of memory are allocated for the structure +file_handle->f_handle member, which causes an out-of-bounds access when +accessing the member parent_block of the structure isofs_fid in isofs, +because accessing parent_block requires at least 16 bytes of f_handle. +Here, fh_len is used to indirectly confirm that the value of handle_bytes +is greater than 3 before accessing parent_block. + +[1] +BUG: KASAN: slab-out-of-bounds in isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183 +Read of size 4 at addr ffff0000cc030d94 by task syz-executor215/6466 +CPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 +Call trace: + show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C) + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:408 [inline] + print_report+0x198/0x550 mm/kasan/report.c:521 + kasan_report+0xd8/0x138 mm/kasan/report.c:634 + __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380 + isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183 + exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523 + do_handle_to_path+0xa0/0x198 fs/fhandle.c:257 + handle_to_path fs/fhandle.c:385 [inline] + do_handle_open+0x8cc/0xb8c fs/fhandle.c:403 + __do_sys_open_by_handle_at fs/fhandle.c:443 [inline] + __se_sys_open_by_handle_at fs/fhandle.c:434 [inline] + 
__arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434 + __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] + invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 + el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 + do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 + el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 + el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 + el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 + +Allocated by task 6466: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x40/0x78 mm/kasan/common.c:68 + kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562 + poison_kmalloc_redzone mm/kasan/common.c:377 [inline] + __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __do_kmalloc_node mm/slub.c:4294 [inline] + __kmalloc_noprof+0x32c/0x54c mm/slub.c:4306 + kmalloc_noprof include/linux/slab.h:905 [inline] + handle_to_path fs/fhandle.c:357 [inline] + do_handle_open+0x5a4/0xb8c fs/fhandle.c:403 + __do_sys_open_by_handle_at fs/fhandle.c:443 [inline] + __se_sys_open_by_handle_at fs/fhandle.c:434 [inline] + __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434 + __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] + invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 + el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 + do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 + el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 + el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 + el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 + +Reported-by: syzbot+4d7cd7dd0ce1aa8d5c65@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=4d7cd7dd0ce1aa8d5c65 +Tested-by: syzbot+4d7cd7dd0ce1aa8d5c65@syzkaller.appspotmail.com +CC: stable@vger.kernel.org +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Edward Adam Davis +Signed-off-by: Jan Kara +Link: 
https://patch.msgid.link/tencent_9C8CB8A7E7C6C512C7065DC98B6EDF6EC606@qq.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/isofs/export.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/isofs/export.c ++++ b/fs/isofs/export.c +@@ -180,7 +180,7 @@ static struct dentry *isofs_fh_to_parent + return NULL; + + return isofs_export_iget(sb, +- fh_len > 2 ? ifid->parent_block : 0, ++ fh_len > 3 ? ifid->parent_block : 0, + ifid->parent_offset, + fh_len > 4 ? ifid->parent_generation : 0); + } diff --git a/queue-5.15/loop-loop_set_fd-send-uevents-for-partitions.patch b/queue-5.15/loop-loop_set_fd-send-uevents-for-partitions.patch new file mode 100644 index 0000000000..d5bd9c1e84 --- /dev/null +++ b/queue-5.15/loop-loop_set_fd-send-uevents-for-partitions.patch 
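Review bot: The bounds in isofs_fh_to_parent() stay bare numbers (`fh_len > 3`, `fh_len > 4`), which is how the off-by-one fixed here went unnoticed; nothing in the hunk ties them to the layout of struct isofs_fid. Going by the commit message (parent_block needs at least 16 bytes of f_handle), a comment such as `/* fh_len counts 32-bit words; parent_block is word 3, parent_generation word 4 */` would document the relation. `ifid->parent_offset` is still read without a length test of its own, so it relies on the earlier check that ends in the `return NULL;` shown as context; the condition of that check is outside the hunk and worth confirming.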
@@ -0,0 +1,54 @@
+From 0dba7a05b9e47d8b546399117b0ddf2426dc6042 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?=
+Date: Tue, 15 Apr 2025 16:55:06 +0200
+Subject: loop: LOOP_SET_FD: send uevents for partitions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh
+
+commit 0dba7a05b9e47d8b546399117b0ddf2426dc6042 upstream.
+
+Remove the suppression of the uevents before scanning for partitions.
+The partitions inherit their suppression settings from their parent device,
+which lead to the uevents being dropped.
+
+This is similar to the same changes for LOOP_CONFIGURE done in
+commit bb430b694226 ("loop: LOOP_CONFIGURE: send uevents for partitions").
+
+Fixes: 498ef5c777d9 ("loop: suppress uevents while reconfiguring the device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Weißschuh
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20250415-loop-uevent-changed-v3-1-60ff69ac6088@linutronix.de
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/block/loop.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -792,12 +792,12 @@ static int loop_change_fd(struct loop_de
+ * dependency.
+ */
+ fput(old_file);
++ dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0);
+ if (partscan)
+ loop_reread_partitions(lo);
+
+ error = 0;
+ done:
+- dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0);
+ kobject_uevent(&disk_to_dev(lo->lo_disk)->kobj, KOBJ_CHANGE);
+ return error;
+
+@@ -805,6 +805,7 @@ out_err:
+ loop_global_unlock(lo, is_loop);
+ out_putf:
+ fput(file);
++ dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0);
+ goto done;
+ }
+
diff --git a/queue-5.15/loop-properly-send-kobj_changed-uevent-for-disk-device.patch b/queue-5.15/loop-properly-send-kobj_changed-uevent-for-disk-device.patch
new file mode 100644
index 0000000000..44bea9780e
--- /dev/null
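Review bot: After this change the un-suppress call in loop_change_fd() lives in two places, the success path and `out_putf:`, so any other exit that reaches `done:` has to remember it or the disk stays with uevents suppressed; the hunk does not show whether such an exit exists. A comment at `done:` such as `/* every path reaching here must already have cleared uevent suppression */` would record the invariant. The error path also still falls through to the `kobject_uevent(..., KOBJ_CHANGE)` at `done:`, so userspace is told of a change after a failed call; if that is intended it deserves a word in the same comment. The start of loop_change_fd() is outside the hunk.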
+++ b/queue-5.15/loop-properly-send-kobj_changed-uevent-for-disk-device.patch 
@@ -0,0 +1,59 @@
+From e7bc0010ceb403d025100698586c8e760921d471 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?=
+Date: Tue, 15 Apr 2025 10:51:47 +0200
+Subject: loop: properly send KOBJ_CHANGED uevent for disk device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh
+
+commit e7bc0010ceb403d025100698586c8e760921d471 upstream.
+
+The original commit message and the wording "uncork" in the code comment
+indicate that it is expected that the suppressed event instances are
+automatically sent after unsuppressing.
+This is not the case, instead they are discarded.
+In effect this means that no "changed" events are emitted on the device
+itself by default.
+While each discovered partition does trigger a changed event on the
+device, devices without partitions don't have any event emitted.
+
+This makes udev miss the device creation and prompted workarounds in
+userspace. See the linked util-linux/losetup bug.
+
+Explicitly emit the events and drop the confusingly worded comments.
+
+Link: https://github.com/util-linux/util-linux/issues/2434
+Fixes: 498ef5c777d9 ("loop: suppress uevents while reconfiguring the device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Weißschuh
+Link: https://lore.kernel.org/r/20250415-loop-uevent-changed-v2-1-0c4e6a923b2a@linutronix.de
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/block/loop.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -797,8 +797,8 @@ static int loop_change_fd(struct loop_de
+
+ error = 0;
+ done:
+- /* enable and uncork uevent now that we are done */
+ dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0);
++ kobject_uevent(&disk_to_dev(lo->lo_disk)->kobj, KOBJ_CHANGE);
+ return error;
+
+ out_err:
+@@ -1316,8 +1316,8 @@ static int loop_configure(struct loop_de
+ if (partscan)
+ lo->lo_disk->flags &= ~GENHD_FL_NO_PART;
+
+- /* enable and uncork uevent now that we are done */
+ dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0);
++ kobject_uevent(&disk_to_dev(lo->lo_disk)->kobj, KOBJ_CHANGE);
+
+ loop_global_unlock(lo, is_loop);
+ if (partscan)
diff --git a/queue-5.15/mm-gup-fix-wrongly-calculated-returned-value-in-fault_in_safe_writeable.patch b/queue-5.15/mm-gup-fix-wrongly-calculated-returned-value-in-fault_in_safe_writeable.patch
new file mode 100644
index 0000000000..332b657527
--- /dev/null
+++ b/queue-5.15/mm-gup-fix-wrongly-calculated-returned-value-in-fault_in_safe_writeable.patch
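Review bot: Both hunks in drivers/block/loop.c delete the misleading "uncork" comment but leave the new `kobject_uevent(..., KOBJ_CHANGE)` calls unexplained, so the reason they exist is only in the commit message. A replacement comment at each site, for example `/* suppressed uevents are discarded, not queued: emit the change event explicitly */`, would stop a later cleanup from removing the call as redundant. The return value of kobject_uevent() is ignored in both places, which is fine if a lost event is acceptable here. Both enclosing functions extend beyond their hunks.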
@@ -0,0 +1,51 @@
+From 8c03ebd7cdc06bd0d2fecb4d1a609ef1dbb7d0aa Mon Sep 17 00:00:00 2001
+From: Baoquan He
+Date: Thu, 10 Apr 2025 11:57:14 +0800
+Subject: mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable()
+
+From: Baoquan He
+
+commit 8c03ebd7cdc06bd0d2fecb4d1a609ef1dbb7d0aa upstream.
+
+Not like fault_in_readable() or fault_in_writeable(), in
+fault_in_safe_writeable() local variable 'start' is increased page by page
+to loop till the whole address range is handled. However, it mistakenly
+calculates the size of the handled range with 'uaddr - start'.
+
+Fix it here.
+
+Andreas said:
+
+: In gfs2, fault_in_iov_iter_writeable() is used in
+: gfs2_file_direct_read() and gfs2_file_read_iter(), so this potentially
+: affects buffered as well as direct reads. This bug could cause those
+: gfs2 functions to spin in a loop.
+
+Link: https://lkml.kernel.org/r/20250410035717.473207-1-bhe@redhat.com
+Link: https://lkml.kernel.org/r/20250410035717.473207-2-bhe@redhat.com
+Signed-off-by: Baoquan He
+Fixes: fe673d3f5bf1 ("mm: gup: make fault_in_safe_writeable() use fixup_user_fault()")
+Reviewed-by: Oscar Salvador
+Acked-by: David Hildenbrand
+Cc: Andreas Gruenbacher
+Cc: Yanjun.Zhu
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/gup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -1768,8 +1768,8 @@ size_t fault_in_safe_writeable(const cha
+ } while (start != end);
+ mmap_read_unlock(mm);
+
+- if (size > (unsigned long)uaddr - start)
+- return size - ((unsigned long)uaddr - start);
++ if (size > start - (unsigned long)uaddr)
++ return size - (start - (unsigned long)uaddr);
+ return 0;
+ }
+ EXPORT_SYMBOL(fault_in_safe_writeable);
diff --git a/queue-5.15/perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch b/queue-5.15/perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch
new file mode 100644
index 0000000000..61d7655450
--- /dev/null
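Review bot: The corrected expression `start - (unsigned long)uaddr` is written out twice in the new lines of fault_in_safe_writeable(), which is the duplication that let the operands be swapped in both places originally. Naming it once, `unsigned long faulted = start - (unsigned long)uaddr;` followed by `if (size > faulted) return size - faulted;`, makes the intent explicit. The subtraction is unsigned, so the result is only meaningful while `start` has not moved below `uaddr`; the loop that advances `start` is outside the hunk, and a comment on the case where the range ends at the top of the address space would be worth adding if that case can occur.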
+++ b/queue-5.15/perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch 
@@ -0,0 +1,78 @@ +From 71dcc11c2cd9e434c34a63154ecadca21c135ddd Mon Sep 17 00:00:00 2001 +From: Dapeng Mi +Date: Tue, 15 Apr 2025 10:41:35 +0000 +Subject: perf/x86/intel: Allow to update user space GPRs from PEBS records + +From: Dapeng Mi + +commit 71dcc11c2cd9e434c34a63154ecadca21c135ddd upstream. + +Currently when a user samples user space GPRs (--user-regs option) with +PEBS, the user space GPRs actually always come from software PMI +instead of from PEBS hardware. This leads to the sampled GPRs to +possibly be inaccurate for single PEBS record case because of the +skid between counter overflow and GPRs sampling on PMI. + +For the large PEBS case, it is even worse. If user sets the +exclude_kernel attribute, large PEBS would be used to sample user space +GPRs, but since PEBS GPRs group is not really enabled, it leads to all +samples in the large PEBS record to share the same piece of user space +GPRs, like this reproducer shows: + + $ perf record -e branches:pu --user-regs=ip,ax -c 100000 ./foo + $ perf report -D | grep "AX" + + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + +So enable GPRs group for user space GPRs sampling and prioritize reading +GPRs from PEBS. If the PEBS sampled GPRs is not user space GPRs (single +PEBS record case), perf_sample_regs_user() modifies them to user space +GPRs. + +[ mingo: Clarified the changelog. 
] + +Fixes: c22497f5838c ("perf/x86/intel: Support adaptive PEBS v4") +Signed-off-by: Dapeng Mi +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Ingo Molnar +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250415104135.318169-2-dapeng1.mi@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/ds.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -1101,8 +1101,10 @@ static u64 pebs_update_adaptive_cfg(stru + * + precise_ip < 2 for the non event IP + * + For RTM TSX weight we need GPRs for the abort code. + */ +- gprs = (sample_type & PERF_SAMPLE_REGS_INTR) && +- (attr->sample_regs_intr & PEBS_GP_REGS); ++ gprs = ((sample_type & PERF_SAMPLE_REGS_INTR) && ++ (attr->sample_regs_intr & PEBS_GP_REGS)) || ++ ((sample_type & PERF_SAMPLE_REGS_USER) && ++ (attr->sample_regs_user & PEBS_GP_REGS)); + + tsx_weight = (sample_type & PERF_SAMPLE_WEIGHT_TYPE) && + ((attr->config & INTEL_ARCH_EVENT_MASK) == +@@ -1701,7 +1703,7 @@ static void setup_pebs_adaptive_sample_d + regs->flags &= ~PERF_EFLAGS_EXACT; + } + +- if (sample_type & PERF_SAMPLE_REGS_INTR) ++ if (sample_type & (PERF_SAMPLE_REGS_INTR | PERF_SAMPLE_REGS_USER)) + adaptive_pebs_save_regs(regs, gprs); + } + diff --git a/queue-5.15/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-icx.patch b/queue-5.15/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-icx.patch new file mode 100644 index 0000000000..1767514f8f --- /dev/null +++ b/queue-5.15/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-icx.patch 
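Review bot: The block comment above `gprs =` in pebs_update_adaptive_cfg() still lists only the old reasons for enabling the GPR group, while the new condition also enables it for PERF_SAMPLE_REGS_USER. Adding a line such as ` * + PERF_SAMPLE_REGS_USER with a GP register in sample_regs_user` keeps the list in step with the code. In setup_pebs_adaptive_sample_data() the PEBS register values are now saved for user-register sampling as well, and per the commit message they are replaced by user-space values later in perf_sample_regs_user() when the record was not taken in user mode; a short comment at the `adaptive_pebs_save_regs()` call stating that dependency would help, since the registers saved here can come from kernel context. Both functions extend beyond their hunks.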
@@ -0,0 +1,76 @@ +From 32c7f1150225694d95a51110a93be25db03bb5db Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Wed, 16 Apr 2025 07:24:25 -0700 +Subject: perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX + +From: Kan Liang + +commit 32c7f1150225694d95a51110a93be25db03bb5db upstream. + +There was a mistake in the ICX uncore spec too. The counter increments +for every 32 bytes rather than 4 bytes. + +The same as SNR, there are 1 ioclk and 8 IIO bandwidth in free running +counters. Reuse the snr_uncore_iio_freerunning_events(). + +Fixes: 2b3b76b5ec67 ("perf/x86/intel/uncore: Add Ice Lake server uncore support") +Reported-by: Tang Jun +Signed-off-by: Kan Liang +Signed-off-by: Ingo Molnar +Acked-by: Peter Zijlstra +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250416142426.3933977-2-kan.liang@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/uncore_snbep.c | 33 +-------------------------------- + 1 file changed, 1 insertion(+), 32 deletions(-) + +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -5250,37 +5250,6 @@ static struct freerunning_counters icx_i + [ICX_IIO_MSR_BW_IN] = { 0xaa0, 0x1, 0x10, 8, 48, icx_iio_bw_freerunning_box_offsets }, + }; + +-static struct uncore_event_desc icx_uncore_iio_freerunning_events[] = { +- /* Free-Running IIO CLOCKS Counter */ +- INTEL_UNCORE_EVENT_DESC(ioclk, "event=0xff,umask=0x10"), +- /* Free-Running IIO BANDWIDTH IN Counters */ +- INTEL_UNCORE_EVENT_DESC(bw_in_port0, "event=0xff,umask=0x20"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port0.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port1, "event=0xff,umask=0x21"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port1.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port2, "event=0xff,umask=0x22"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.814697266e-6"), +- 
INTEL_UNCORE_EVENT_DESC(bw_in_port2.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port3, "event=0xff,umask=0x23"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port3.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port4, "event=0xff,umask=0x24"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port4.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port5, "event=0xff,umask=0x25"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port5.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port6, "event=0xff,umask=0x26"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port6.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port7, "event=0xff,umask=0x27"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port7.unit, "MiB"), +- { /* end: all zeroes */ }, +-}; +- + static struct intel_uncore_type icx_uncore_iio_free_running = { + .name = "iio_free_running", + .num_counters = 9, +@@ -5288,7 +5257,7 @@ static struct intel_uncore_type icx_unco + .num_freerunning_types = ICX_IIO_FREERUNNING_TYPE_MAX, + .freerunning = icx_iio_freerunning, + .ops = &skx_uncore_iio_freerunning_ops, +- .event_descs = icx_uncore_iio_freerunning_events, ++ .event_descs = snr_uncore_iio_freerunning_events, + .format_group = &skx_uncore_iio_freerunning_format_group, + }; + diff --git a/queue-5.15/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch b/queue-5.15/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch new file mode 100644 index 0000000000..17f3d4256e --- /dev/null +++ b/queue-5.15/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch 
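Review bot: `.event_descs = snr_uncore_iio_freerunning_events` in icx_uncore_iio_free_running makes the ICX scale depend on the SNR table without saying so. The 32-byte scale is only correct here once the SNR patch from this same queue is applied, and the series file does list it first. A later edit to the SNR table would also change ICX silently. A comment on the assignment would record the coupling: `/* ICX shares the SNR layout: 1 ioclk + 8 bw_in, 32 bytes per increment */`. The SPR patch further down makes the same substitution.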
@@ -0,0 +1,71 @@ +From 96a720db59ab330c8562b2437153faa45dac705f Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Wed, 16 Apr 2025 07:24:24 -0700 +Subject: perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR + +From: Kan Liang + +commit 96a720db59ab330c8562b2437153faa45dac705f upstream. + +There was a mistake in the SNR uncore spec. The counter increments for +every 32 bytes of data sent from the IO agent to the SOC, not 4 bytes +which was documented in the spec. + +The event list has been updated: + + "EventName": "UNC_IIO_BANDWIDTH_IN.PART0_FREERUN", + "BriefDescription": "Free running counter that increments for every 32 + bytes of data sent from the IO agent to the SOC", + +Update the scale of the IIO bandwidth in free running counters as well. + +Fixes: 210cc5f9db7a ("perf/x86/intel/uncore: Add uncore support for Snow Ridge server") +Signed-off-by: Kan Liang +Signed-off-by: Ingo Molnar +Acked-by: Peter Zijlstra +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250416142426.3933977-1-kan.liang@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/uncore_snbep.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -4656,28 +4656,28 @@ static struct uncore_event_desc snr_unco + INTEL_UNCORE_EVENT_DESC(ioclk, "event=0xff,umask=0x10"), + /* Free-Running IIO BANDWIDTH IN Counters */ + INTEL_UNCORE_EVENT_DESC(bw_in_port0, "event=0xff,umask=0x20"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.0517578125e-5"), + INTEL_UNCORE_EVENT_DESC(bw_in_port0.unit, "MiB"), + INTEL_UNCORE_EVENT_DESC(bw_in_port1, "event=0xff,umask=0x21"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.0517578125e-5"), + INTEL_UNCORE_EVENT_DESC(bw_in_port1.unit, "MiB"), + 
INTEL_UNCORE_EVENT_DESC(bw_in_port2, "event=0xff,umask=0x22"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.0517578125e-5"), + INTEL_UNCORE_EVENT_DESC(bw_in_port2.unit, "MiB"), + INTEL_UNCORE_EVENT_DESC(bw_in_port3, "event=0xff,umask=0x23"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.0517578125e-5"), + INTEL_UNCORE_EVENT_DESC(bw_in_port3.unit, "MiB"), + INTEL_UNCORE_EVENT_DESC(bw_in_port4, "event=0xff,umask=0x24"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.0517578125e-5"), + INTEL_UNCORE_EVENT_DESC(bw_in_port4.unit, "MiB"), + INTEL_UNCORE_EVENT_DESC(bw_in_port5, "event=0xff,umask=0x25"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.0517578125e-5"), + INTEL_UNCORE_EVENT_DESC(bw_in_port5.unit, "MiB"), + INTEL_UNCORE_EVENT_DESC(bw_in_port6, "event=0xff,umask=0x26"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.0517578125e-5"), + INTEL_UNCORE_EVENT_DESC(bw_in_port6.unit, "MiB"), + INTEL_UNCORE_EVENT_DESC(bw_in_port7, "event=0xff,umask=0x27"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.0517578125e-5"), + INTEL_UNCORE_EVENT_DESC(bw_in_port7.unit, "MiB"), + { /* end: all zeroes */ }, + }; diff --git a/queue-5.15/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-spr.patch b/queue-5.15/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-spr.patch new file mode 100644 index 0000000000..c310d578c9 --- /dev/null +++ b/queue-5.15/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-spr.patch 
@@ -0,0 +1,101 @@ +From 506f981ab40f0b03a11a640cfd77f48b09aff330 Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Wed, 16 Apr 2025 07:24:26 -0700 +Subject: perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR + +From: Kan Liang + +commit 506f981ab40f0b03a11a640cfd77f48b09aff330 upstream. + +The scale of IIO bandwidth in free running counters is inherited from +the ICX. The counter increments for every 32 bytes rather than 4 bytes. + +The IIO bandwidth out free running counters don't increment with a +consistent size. The increment depends on the requested size. It's +impossible to find a fixed increment. Remove it from the event_descs. + +Fixes: 0378c93a92e2 ("perf/x86/intel/uncore: Support IIO free-running counters on Sapphire Rapids server") +Reported-by: Tang Jun +Signed-off-by: Kan Liang +Signed-off-by: Ingo Molnar +Acked-by: Peter Zijlstra +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250416142426.3933977-3-kan.liang@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/uncore_snbep.c | 58 ----------------------------------- + 1 file changed, 1 insertion(+), 57 deletions(-) + +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -5826,69 +5826,13 @@ static struct freerunning_counters spr_i + [SPR_IIO_MSR_BW_OUT] = { 0x3808, 0x1, 0x10, 8, 48 }, + }; + +-static struct uncore_event_desc spr_uncore_iio_freerunning_events[] = { +- /* Free-Running IIO CLOCKS Counter */ +- INTEL_UNCORE_EVENT_DESC(ioclk, "event=0xff,umask=0x10"), +- /* Free-Running IIO BANDWIDTH IN Counters */ +- INTEL_UNCORE_EVENT_DESC(bw_in_port0, "event=0xff,umask=0x20"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port0.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port1, "event=0xff,umask=0x21"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port1.unit, "MiB"), +- 
INTEL_UNCORE_EVENT_DESC(bw_in_port2, "event=0xff,umask=0x22"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port2.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port3, "event=0xff,umask=0x23"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port3.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port4, "event=0xff,umask=0x24"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port4.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port5, "event=0xff,umask=0x25"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port5.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port6, "event=0xff,umask=0x26"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port6.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port7, "event=0xff,umask=0x27"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port7.unit, "MiB"), +- /* Free-Running IIO BANDWIDTH OUT Counters */ +- INTEL_UNCORE_EVENT_DESC(bw_out_port0, "event=0xff,umask=0x30"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port0.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port0.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port1, "event=0xff,umask=0x31"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port1.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port1.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port2, "event=0xff,umask=0x32"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port2.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port2.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port3, "event=0xff,umask=0x33"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port3.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port3.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port4, "event=0xff,umask=0x34"), +- 
INTEL_UNCORE_EVENT_DESC(bw_out_port4.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port4.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port5, "event=0xff,umask=0x35"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port5.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port5.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port6, "event=0xff,umask=0x36"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port6.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port6.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port7, "event=0xff,umask=0x37"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port7.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port7.unit, "MiB"), +- { /* end: all zeroes */ }, +-}; +- + static struct intel_uncore_type spr_uncore_iio_free_running = { + .name = "iio_free_running", + .num_counters = 17, + .num_freerunning_types = SPR_IIO_FREERUNNING_TYPE_MAX, + .freerunning = spr_iio_freerunning, + .ops = &skx_uncore_iio_freerunning_ops, +- .event_descs = spr_uncore_iio_freerunning_events, ++ .event_descs = snr_uncore_iio_freerunning_events, + .format_group = &skx_uncore_iio_freerunning_format_group, + }; + diff --git a/queue-5.15/riscv-avoid-fortify-warning-in-syscall_get_arguments.patch b/queue-5.15/riscv-avoid-fortify-warning-in-syscall_get_arguments.patch new file mode 100644 index 0000000000..5bdfb88d2e --- /dev/null +++ b/queue-5.15/riscv-avoid-fortify-warning-in-syscall_get_arguments.patch 
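Review bot: spr_uncore_iio_free_running keeps `.num_counters = 17`, and the context line `[SPR_IIO_MSR_BW_OUT] = { 0x3808, 0x1, 0x10, 8, 48 }` stays, while `.event_descs` now points at a table that, per the ICX commit message, describes only the ioclk and eight bandwidth-in counters. The commit message explains the gap (bandwidth-out has no fixed increment), but the code does not. A later reader may take the mismatch for an oversight and re-add scaled bw_out descriptors. I would add next to the assignment: `/* bw_out counters intentionally have no event_descs: their increment size varies, so no fixed scale exists */`.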
@@ -0,0 +1,67 @@ +From adf53771a3123df99ca26e38818760fbcf5c05d0 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 9 Apr 2025 14:24:46 -0700 +Subject: riscv: Avoid fortify warning in syscall_get_arguments() + +From: Nathan Chancellor + +commit adf53771a3123df99ca26e38818760fbcf5c05d0 upstream. + +When building with CONFIG_FORTIFY_SOURCE=y and W=1, there is a warning +because of the memcpy() in syscall_get_arguments(): + + In file included from include/linux/string.h:392, + from include/linux/bitmap.h:13, + from include/linux/cpumask.h:12, + from arch/riscv/include/asm/processor.h:55, + from include/linux/sched.h:13, + from kernel/ptrace.c:13: + In function 'fortify_memcpy_chk', + inlined from 'syscall_get_arguments.isra' at arch/riscv/include/asm/syscall.h:66:2: + include/linux/fortify-string.h:580:25: error: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning] + 580 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + cc1: all warnings being treated as errors + +The fortified memcpy() routine enforces that the source is not overread +and the destination is not overwritten if the size of either field and +the size of the copy are known at compile time. The memcpy() in +syscall_get_arguments() intentionally overreads from a1 to a5 in +'struct pt_regs' but this is bigger than the size of a1. + +Normally, this could be solved by wrapping a1 through a5 with +struct_group() but there was already a struct_group() applied to these +members in commit bba547810c66 ("riscv: tracing: Fix +__write_overflow_field in ftrace_partial_regs()"). + +Just avoid memcpy() altogether and write the copying of args from regs +manually, which clears up the warning at the expense of three extra +lines of code. + +Signed-off-by: Nathan Chancellor +Reviewed-by: Dmitry V. 
Levin +Fixes: e2c0cdfba7f6 ("RISC-V: User-facing API") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250409-riscv-avoid-fortify-warning-syscall_get_arguments-v1-1-7853436d4755@kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/syscall.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/riscv/include/asm/syscall.h ++++ b/arch/riscv/include/asm/syscall.h +@@ -60,8 +60,11 @@ static inline void syscall_get_arguments + unsigned long *args) + { + args[0] = regs->orig_a0; +- args++; +- memcpy(args, ®s->a1, 5 * sizeof(args[0])); ++ args[1] = regs->a1; ++ args[2] = regs->a2; ++ args[3] = regs->a3; ++ args[4] = regs->a4; ++ args[5] = regs->a5; + } + + static inline void syscall_set_arguments(struct task_struct *task, diff --git a/queue-5.15/series b/queue-5.15/series index d23139c820..8f011e8167 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
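Review bot: syscall_get_arguments() now stores to `args[0]` through `args[5]` unconditionally, and nothing in the visible lines states that callers must pass a buffer of six entries. A one-line comment would record the contract: `/* args must have room for six entries: orig_a0, a1..a5 */`. syscall_set_arguments() begins right after the hunk and its body is not shown. If it still copies into `regs->a1` with a five-word memcpy(), it would presumably trip the matching fortify write-overflow check and deserve the same rewrite. The signature of syscall_get_arguments() also starts outside the hunk.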
@@ -159,3 +159,18 @@ asus-laptop-fix-an-uninitialized-variable.patch nfs-move-nfs_fhandle_hash-to-common-include-file.patch nfs-add-missing-selections-of-config_crc32.patch nfsd-decrease-sc_count-directly-if-fail-to-queue-dl_.patch +btrfs-correctly-escape-subvol-in-btrfs_show_options.patch +crypto-caam-qi-fix-drv_ctx-refcount-bug.patch +hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch +i2c-cros-ec-tunnel-defer-probe-if-parent-ec-is-not-present.patch +isofs-prevent-the-use-of-too-small-fid.patch +loop-properly-send-kobj_changed-uevent-for-disk-device.patch +loop-loop_set_fd-send-uevents-for-partitions.patch +mm-gup-fix-wrongly-calculated-returned-value-in-fault_in_safe_writeable.patch +riscv-avoid-fortify-warning-in-syscall_get_arguments.patch +tracing-fix-filter-string-testing.patch +virtiofs-add-filesystem-context-source-name-check.patch +perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch +perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch +perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-icx.patch +perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-spr.patch diff --git a/queue-5.15/tracing-fix-filter-string-testing.patch b/queue-5.15/tracing-fix-filter-string-testing.patch new file mode 100644 index 0000000000..6176b59601 --- /dev/null +++ b/queue-5.15/tracing-fix-filter-string-testing.patch 
@@ -0,0 +1,62 @@ +From a8c5b0ed89a3f2c81c6ae0b041394e6eea0e7024 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Thu, 17 Apr 2025 18:30:03 -0400 +Subject: tracing: Fix filter string testing + +From: Steven Rostedt + +commit a8c5b0ed89a3f2c81c6ae0b041394e6eea0e7024 upstream. + +The filter string testing uses strncpy_from_kernel/user_nofault() to +retrieve the string to test the filter against. The if() statement was +incorrect as it considered 0 as a fault, when it is only negative that it +faulted. + +Running the following commands: + + # cd /sys/kernel/tracing + # echo "filename.ustring ~ \"/proc*\"" > events/syscalls/sys_enter_openat/filter + # echo 1 > events/syscalls/sys_enter_openat/enable + # ls /proc/$$/maps + # cat trace + +Would produce nothing, but with the fix it will produce something like: + + ls-1192 [007] ..... 8169.828333: sys_openat(dfd: ffffffffffffff9c, filename: 7efc18359904, flags: 80000, mode: 0) + +Link: https://lore.kernel.org/all/CAEf4BzbVPQ=BjWztmEwBPRKHUwNfKBkS3kce-Rzka6zvbQeVpg@mail.gmail.com/ + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Andrew Morton +Link: https://lore.kernel.org/20250417183003.505835fb@gandalf.local.home +Fixes: 77360f9bbc7e5 ("tracing: Add test for user space strings when filtering on string pointers") +Reported-by: Andrii Nakryiko +Reported-by: Mykyta Yatsenko +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_filter.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/trace/trace_events_filter.c ++++ b/kernel/trace/trace_events_filter.c +@@ -676,7 +676,7 @@ static __always_inline char *test_string + kstr = ubuf->buffer; + + /* For safety, do not trust the string pointer */ +- if (!strncpy_from_kernel_nofault(kstr, str, USTRING_BUF_SIZE)) ++ if (strncpy_from_kernel_nofault(kstr, str, USTRING_BUF_SIZE) < 0) + return NULL; + return kstr; + } +@@ -695,7 +695,7 @@ static __always_inline char 
*test_ustrin + + /* user space address? */ + ustr = (char __user *)str; +- if (!strncpy_from_user_nofault(kstr, ustr, USTRING_BUF_SIZE)) ++ if (strncpy_from_user_nofault(kstr, ustr, USTRING_BUF_SIZE) < 0) + return NULL; + + return kstr; diff --git a/queue-5.15/virtiofs-add-filesystem-context-source-name-check.patch b/queue-5.15/virtiofs-add-filesystem-context-source-name-check.patch new file mode 100644 index 0000000000..1100638adc --- /dev/null +++ b/queue-5.15/virtiofs-add-filesystem-context-source-name-check.patch @@ -0,0 +1,35 @@ +From a94fd938df2b1628da66b498aa0eeb89593bc7a2 Mon Sep 17 00:00:00 2001 +From: Xiangsheng Hou +Date: Mon, 7 Apr 2025 19:50:49 +0800 +Subject: virtiofs: add filesystem context source name check + +From: Xiangsheng Hou + +commit a94fd938df2b1628da66b498aa0eeb89593bc7a2 upstream. + +In certain scenarios, for example, during fuzz testing, the source +name may be NULL, which could lead to a kernel panic. Therefore, an +extra check for the source name should be added. + +Fixes: a62a8ef9d97d ("virtio-fs: add virtiofs filesystem") +Cc: # all LTS kernels +Signed-off-by: Xiangsheng Hou +Link: https://lore.kernel.org/20250407115111.25535-1-xiangsheng.hou@mediatek.com +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/virtio_fs.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/fuse/virtio_fs.c ++++ b/fs/fuse/virtio_fs.c +@@ -1431,6 +1431,9 @@ static int virtio_fs_get_tree(struct fs_ + unsigned int virtqueue_size; + int err = -EIO; + ++ if (!fsc->source) ++ return invalf(fsc, "No source specified"); ++ + /* This gets a reference on virtio_fs object. This ptr gets installed + * in fc->iq->priv. Once fuse_conn is going away, it calls ->put() + * to drop the reference to this object. -- 2.47.3
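Review bot: Both corrected checks, `strncpy_from_kernel_nofault(kstr, str, USTRING_BUF_SIZE) < 0` and the `strncpy_from_user_nofault()` equivalent, rely on a return convention that the old `!` test got wrong, and nothing at either site documents it. A short comment at the first site would guard against a regression: `/* only a negative return is a fault; 0 is not an error */`. Neither site looks at a result that fills USTRING_BUF_SIZE, so a longer string is presumably matched in truncated form; if that is intended, the existing "do not trust the string pointer" comment is a good place to say so. Both functions start outside the hunks.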
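Review bot: The new `if (!fsc->source)` guard in virtio_fs_get_tree() has no comment saying how the source can be absent, and the commit message mentions only fuzz testing. Presumably a filesystem context can reach get_tree without a source string ever being set, which would make this reachable by any caller able to create such a context rather than a fuzzer-only condition. A comment would record that: `/* source may be unset in the fs_context; reject early instead of dereferencing NULL below */`. The use of `fsc->source` that the check protects lies beyond the hunk, so it cannot be confirmed from the visible lines.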