From: Greg Kroah-Hartman Date: Mon, 6 Dec 2021 09:18:52 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.294~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=00110170a71c381f9d1bef1f24d8532a80641abe;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: parisc-fix-kbuild_image-for-self-extracting-kernel.patch parisc-fix-make-install-on-newer-debian-releases.patch serial-core-fix-transmit-buffer-reset-and-memleak.patch serial-pl011-add-acpi-sbsa-uart-match-id.patch tty-serial-msm_serial-deactivate-rx-dma-for-polling-support.patch usb-typec-tcpm-wait-in-snk_debounced-until-disconnect.patch vgacon-propagate-console-boot-parameters-before-calling-vc_resize.patch x86-64-mm-map-all-kernel-memory-into-trampoline_pgd.patch xhci-fix-commad-ring-abort-write-all-64-bits-to-crcr-register.patch
---
diff --git a/queue-4.14/parisc-fix-kbuild_image-for-self-extracting-kernel.patch b/queue-4.14/parisc-fix-kbuild_image-for-self-extracting-kernel.patch
new file mode 100644
index 00000000000..f1881c78ada
--- /dev/null
+++ b/queue-4.14/parisc-fix-kbuild_image-for-self-extracting-kernel.patch
@@ -0,0 +1,35 @@
+From 1d7c29b77725d05faff6754d2f5e7c147aedcf93 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Fri, 26 Nov 2021 22:35:45 +0100
+Subject: parisc: Fix KBUILD_IMAGE for self-extracting kernel
+
+From: Helge Deller
+
+commit 1d7c29b77725d05faff6754d2f5e7c147aedcf93 upstream.
+
+Default KBUILD_IMAGE to $(boot)/bzImage if a self-extracting
+(CONFIG_PARISC_SELF_EXTRACT=y) kernel is to be built.
+This fixes the bindeb-pkg make target.
+
+Signed-off-by: Helge Deller
+Cc: # v4.14+
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/Makefile | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/parisc/Makefile
++++ b/arch/parisc/Makefile
+@@ -17,7 +17,12 @@
+ # Mike Shaver, Helge Deller and Martin K. Petersen
+ #
+
++ifdef CONFIG_PARISC_SELF_EXTRACT
++boot := arch/parisc/boot
++KBUILD_IMAGE := $(boot)/bzImage
++else
+ KBUILD_IMAGE := vmlinuz
++endif
+
+ KBUILD_DEFCONFIG := default_defconfig
+
diff --git a/queue-4.14/parisc-fix-make-install-on-newer-debian-releases.patch b/queue-4.14/parisc-fix-make-install-on-newer-debian-releases.patch
new file mode 100644
index 00000000000..2d5d020482e
--- /dev/null
+++ b/queue-4.14/parisc-fix-make-install-on-newer-debian-releases.patch
@@ -0,0 +1,30 @@
+From 0f9fee4cdebfbe695c297e5b603a275e2557c1cc Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Sat, 4 Dec 2021 21:14:40 +0100
+Subject: parisc: Fix "make install" on newer debian releases
+
+From: Helge Deller
+
+commit 0f9fee4cdebfbe695c297e5b603a275e2557c1cc upstream.
+
+On newer debian releases the debian-provided "installkernel" script is
+installed in /usr/sbin. Fix the kernel install.sh script to look for the
+script in this directory as well.
+
+Signed-off-by: Helge Deller
+Cc: # v3.13+
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/install.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/parisc/install.sh
++++ b/arch/parisc/install.sh
+@@ -39,6 +39,7 @@ verify "$3"
+ if [ -n "${INSTALLKERNEL}" ]; then
+ if [ -x ~/bin/${INSTALLKERNEL} ]; then exec ~/bin/${INSTALLKERNEL} "$@"; fi
+ if [ -x /sbin/${INSTALLKERNEL} ]; then exec /sbin/${INSTALLKERNEL} "$@"; fi
++ if [ -x /usr/sbin/${INSTALLKERNEL} ]; then exec /usr/sbin/${INSTALLKERNEL} "$@"; fi
+ fi
+
+ # Default install
diff --git a/queue-4.14/serial-core-fix-transmit-buffer-reset-and-memleak.patch b/queue-4.14/serial-core-fix-transmit-buffer-reset-and-memleak.patch
new file mode 100644
index 00000000000..07b39d23b42
--- /dev/null
+++ b/queue-4.14/serial-core-fix-transmit-buffer-reset-and-memleak.patch
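Review bot: The added `/usr/sbin` probe leaves `${INSTALLKERNEL}` unquoted in both the `-x` test and the `exec`, so a value containing whitespace or glob characters is word-split and globbed before the path is even checked. The two lines it mirrors have the same weakness, so if it is tightened it should be tightened for all three, e.g. `if [ -x "/usr/sbin/${INSTALLKERNEL}" ]; then exec "/usr/sbin/${INSTALLKERNEL}" "$@"; fi`. The value comes from the caller's environment, which is why quoting rather than trusting its shape is the safer default here.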
@@ -0,0 +1,74 @@
+From 00de977f9e0aa9760d9a79d1e41ff780f74e3424 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 8 Nov 2021 09:54:31 +0100
+Subject: serial: core: fix transmit-buffer reset and memleak
+
+From: Johan Hovold
+
+commit 00de977f9e0aa9760d9a79d1e41ff780f74e3424 upstream.
+
+Commit 761ed4a94582 ("tty: serial_core: convert uart_close to use
+tty_port_close") converted serial core to use tty_port_close() but
+failed to notice that the transmit buffer still needs to be freed on
+final close.
+
+Not freeing the transmit buffer means that the buffer is no longer
+cleared on next open so that any ioctl() waiting for the buffer to drain
+might wait indefinitely (e.g. on termios changes) or that stale data can
+end up being transmitted in case tx is restarted.
+
+Furthermore, the buffer of any port that has been opened would leak on
+driver unbind.
+
+Note that the port lock is held when clearing the buffer pointer due to
+the ldisc race worked around by commit a5ba1d95e46e ("uart: fix race
+between uart_put_char() and uart_shutdown()").
+
+Also note that the tty-port shutdown() callback is not called for
+console ports so it is not strictly necessary to free the buffer page
+after releasing the lock (cf. d72402145ace ("tty/serial: do not free
+trasnmit buffer page under port lock")).
+
+Link: https://lore.kernel.org/r/319321886d97c456203d5c6a576a5480d07c3478.1635781688.git.baruch@tkos.co.il
+Fixes: 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close")
+Cc: stable@vger.kernel.org # 4.9
+Cc: Rob Herring
+Reported-by: Baruch Siach
+Tested-by: Baruch Siach
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211108085431.12637-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/serial_core.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -1541,6 +1541,7 @@ static void uart_tty_port_shutdown(struc
+ {
+ struct uart_state *state = container_of(port, struct uart_state, port);
+ struct uart_port *uport = uart_port_check(state);
++ char *buf;
+
+ /*
+ * At this point, we stop accepting input. To do this, we
+@@ -1562,8 +1563,18 @@ static void uart_tty_port_shutdown(struc
+ */
+ tty_port_set_suspended(port, 0);
+
+- uart_change_pm(state, UART_PM_STATE_OFF);
++ /*
++ * Free the transmit buffer.
++ */
++ spin_lock_irq(&uport->lock);
++ buf = state->xmit.buf;
++ state->xmit.buf = NULL;
++ spin_unlock_irq(&uport->lock);
++
++ if (buf)
++ free_page((unsigned long)buf);
+
++ uart_change_pm(state, UART_PM_STATE_OFF);
+ }
+
+ static void uart_wait_until_sent(struct tty_struct *tty, int timeout)
diff --git a/queue-4.14/serial-pl011-add-acpi-sbsa-uart-match-id.patch b/queue-4.14/serial-pl011-add-acpi-sbsa-uart-match-id.patch
new file mode 100644
index 00000000000..65a92d913f9
--- /dev/null
+++ b/queue-4.14/serial-pl011-add-acpi-sbsa-uart-match-id.patch
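Review bot: The new `/* Free the transmit buffer. */` comment in uart_tty_port_shutdown() does not say why the pointer is cleared under `uport->lock` while the page is freed only after the lock is dropped, although the commit message explains both (the uart_put_char() race, and the rule against freeing the page under the port lock); suggest `/* Clear xmit.buf under the port lock (uart_put_char() can race with shutdown), but free the page only after dropping it. */`. The added `spin_lock_irq(&uport->lock)` also relies on `uport` from `uart_port_check()` being non-NULL; the lines between the two hunks are not visible here, so if a NULL check is not already made there, one is needed before this point. uart_tty_port_shutdown() spans both hunks and its middle lies outside them.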
@@ -0,0 +1,40 @@
+From ac442a077acf9a6bf1db4320ec0c3f303be092b3 Mon Sep 17 00:00:00 2001
+From: Pierre Gondois
+Date: Tue, 9 Nov 2021 17:22:48 +0000
+Subject: serial: pl011: Add ACPI SBSA UART match id
+
+From: Pierre Gondois
+
+commit ac442a077acf9a6bf1db4320ec0c3f303be092b3 upstream.
+
+The document 'ACPI for Arm Components 1.0' defines the following
+_HID mappings:
+-'Prime cell UART (PL011)': ARMH0011
+-'SBSA UART': ARMHB000
+
+Use the sbsa-uart driver when a device is described with
+the 'ARMHB000' _HID.
+
+Note:
+PL011 devices currently use the sbsa-uart driver instead of the
+uart-pl011 driver. Indeed, PL011 devices are not bound to a clock
+in ACPI. It is not possible to change their baudrate.
+
+Cc:
+Signed-off-by: Pierre Gondois
+Link: https://lore.kernel.org/r/20211109172248.19061-1-Pierre.Gondois@arm.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/amba-pl011.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -2790,6 +2790,7 @@ MODULE_DEVICE_TABLE(of, sbsa_uart_of_mat
+
+ static const struct acpi_device_id sbsa_uart_acpi_match[] = {
+ { "ARMH0011", 0 },
++ { "ARMHB000", 0 },
+ {},
+ };
+ MODULE_DEVICE_TABLE(acpi, sbsa_uart_acpi_match);
diff --git a/queue-4.14/series b/queue-4.14/series
index 04cba80341c..64e5a61709c 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -94,3 +94,12 @@ net-mlx4_en-fix-an-use-after-free-bug-in-mlx4_en_try_alloc_resources.patch
 net-usb-lan78xx-lan78xx_phy_init-use-phy_poll-instead-of-0-if-no-irq-is-available.patch
 net-rds-correct-socket-tunable-error-in-rds_tcp_tune.patch
 net-smc-keep-smc_close_final-rc-during-active-close.patch
+parisc-fix-kbuild_image-for-self-extracting-kernel.patch
+parisc-fix-make-install-on-newer-debian-releases.patch
+vgacon-propagate-console-boot-parameters-before-calling-vc_resize.patch
+xhci-fix-commad-ring-abort-write-all-64-bits-to-crcr-register.patch
+usb-typec-tcpm-wait-in-snk_debounced-until-disconnect.patch
+x86-64-mm-map-all-kernel-memory-into-trampoline_pgd.patch
+tty-serial-msm_serial-deactivate-rx-dma-for-polling-support.patch
+serial-pl011-add-acpi-sbsa-uart-match-id.patch
+serial-core-fix-transmit-buffer-reset-and-memleak.patch
diff --git a/queue-4.14/tty-serial-msm_serial-deactivate-rx-dma-for-polling-support.patch b/queue-4.14/tty-serial-msm_serial-deactivate-rx-dma-for-polling-support.patch
new file mode 100644
index 00000000000..49bade0f9db
--- /dev/null
+++ b/queue-4.14/tty-serial-msm_serial-deactivate-rx-dma-for-polling-support.patch
@@ -0,0 +1,55 @@
+From 7492ffc90fa126afb67d4392d56cb4134780194a Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Sat, 13 Nov 2021 13:10:50 +0100
+Subject: tty: serial: msm_serial: Deactivate RX DMA for polling support
+
+From: Sven Eckelmann
+
+commit 7492ffc90fa126afb67d4392d56cb4134780194a upstream.
+
+The CONSOLE_POLLING mode is used for tools like k(g)db. In this kind of
+setup, it is often sharing a serial device with the normal system console.
+This is usually no problem because the polling helpers can consume input
+values directly (when in kgdb context) and the normal Linux handlers can
+only consume new input values after kgdb switched back.
+
+This is not true anymore when RX DMA is enabled for UARTDM controllers.
+Single input values can no longer be received correctly. Instead following
+seems to happen:
+
+* on 1. input, some old input is read (continuously)
+* on 2. input, two old inputs are read (continuously)
+* on 3. input, three old input values are read (continuously)
+* on 4. input, 4 previous inputs are received
+
+This repeats then for each group of 4 input values.
+
+This behavior changes slightly depending on what state the controller was
+when the first input was received. But this makes working with kgdb
+basically impossible because control messages are always corrupted when
+kgdboc tries to parse them.
+
+RX DMA should therefore be off when CONSOLE_POLLING is enabled to avoid
+these kind of problems. No such problem was noticed for TX DMA.
+
+Fixes: 99693945013a ("tty: serial: msm: Add RX DMA support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sven Eckelmann
+Link: https://lore.kernel.org/r/20211113121050.7266-1-sven@narfation.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/msm_serial.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -611,6 +611,9 @@ static void msm_start_rx_dma(struct msm_
+ u32 val;
+ int ret;
+
++ if (IS_ENABLED(CONFIG_CONSOLE_POLL))
++ return;
++
+ if (!dma->chan)
+ return;
+
diff --git a/queue-4.14/usb-typec-tcpm-wait-in-snk_debounced-until-disconnect.patch b/queue-4.14/usb-typec-tcpm-wait-in-snk_debounced-until-disconnect.patch
new file mode 100644
index 00000000000..b64593d8061
--- /dev/null
+++ b/queue-4.14/usb-typec-tcpm-wait-in-snk_debounced-until-disconnect.patch
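Review bot: The early return on `IS_ENABLED(CONFIG_CONSOLE_POLL)` at the top of msm_start_rx_dma() switches RX DMA off for every msm port whenever console polling is compiled in, not only for the port kgdboc is attached to, and nothing in the code says why; suggest a comment above it, `/* RX DMA corrupts input consumed through the poll helpers (kgdboc); keep it off whenever console polling is built in. */`. A per-port runtime check would be narrower, but whether the driver can tell which port is being polled cannot be judged from this hunk. msm_start_rx_dma() begins before the hunk (its signature is only in the hunk header) and continues after it.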
@@ -0,0 +1,82 @@
+From fbcd13df1e78eb2ba83a3c160eefe2d6f574beaf Mon Sep 17 00:00:00 2001
+From: Badhri Jagan Sridharan
+Date: Mon, 29 Nov 2021 16:18:25 -0800
+Subject: usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect
+
+From: Badhri Jagan Sridharan
+
+commit fbcd13df1e78eb2ba83a3c160eefe2d6f574beaf upstream.
+
+Stub from the spec:
+"4.5.2.2.4.2 Exiting from AttachWait.SNK State
+A Sink shall transition to Unattached.SNK when the state of both
+the CC1 and CC2 pins is SNK.Open for at least tPDDebounce.
+A DRP shall transition to Unattached.SRC when the state of both
+the CC1 and CC2 pins is SNK.Open for at least tPDDebounce."
+
+This change makes TCPM to wait in SNK_DEBOUNCED state until
+CC1 and CC2 pins is SNK.Open for at least tPDDebounce. Previously,
+TCPM resets the port if vbus is not present in PD_T_PS_SOURCE_ON.
+This causes TCPM to loop continuously when connected to a
+faulty power source that does not present vbus. Waiting in
+SNK_DEBOUNCED also ensures that TCPM is adherant to
+"4.5.2.2.4.2 Exiting from AttachWait.SNK State" requirements.
+
+[ 6169.280751] CC1: 0 -> 0, CC2: 0 -> 5 [state TOGGLING, polarity 0, connected]
+[ 6169.280759] state change TOGGLING -> SNK_ATTACH_WAIT [rev2 NONE_AMS]
+[ 6169.280771] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev2 NONE_AMS]
+[ 6169.282427] CC1: 0 -> 0, CC2: 5 -> 5 [state SNK_ATTACH_WAIT, polarity 0, connected]
+[ 6169.450825] state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED [delayed 170 ms]
+[ 6169.450834] pending state change SNK_DEBOUNCED -> PORT_RESET @ 480 ms [rev2 NONE_AMS]
+[ 6169.930892] state change SNK_DEBOUNCED -> PORT_RESET [delayed 480 ms]
+[ 6169.931296] disable vbus discharge ret:0
+[ 6169.931301] Setting usb_comm capable false
+[ 6169.932783] Setting voltage/current limit 0 mV 0 mA
+[ 6169.932802] polarity 0
+[ 6169.933706] Requesting mux state 0, usb-role 0, orientation 0
+[ 6169.936689] cc:=0
+[ 6169.936812] pending state change PORT_RESET -> PORT_RESET_WAIT_OFF @ 100 ms [rev2 NONE_AMS]
+[ 6169.937157] CC1: 0 -> 0, CC2: 5 -> 0 [state PORT_RESET, polarity 0, disconnected]
+[ 6170.036880] state change PORT_RESET -> PORT_RESET_WAIT_OFF [delayed 100 ms]
+[ 6170.036890] state change PORT_RESET_WAIT_OFF -> SNK_UNATTACHED [rev2 NONE_AMS]
+[ 6170.036896] Start toggling
+[ 6170.041412] CC1: 0 -> 0, CC2: 0 -> 0 [state TOGGLING, polarity 0, disconnected]
+[ 6170.042973] CC1: 0 -> 0, CC2: 0 -> 5 [state TOGGLING, polarity 0, connected]
+[ 6170.042976] state change TOGGLING -> SNK_ATTACH_WAIT [rev2 NONE_AMS]
+[ 6170.042981] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev2 NONE_AMS]
+[ 6170.213014] state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED [delayed 170 ms]
+[ 6170.213019] pending state change SNK_DEBOUNCED -> PORT_RESET @ 480 ms [rev2 NONE_AMS]
+[ 6170.693068] state change SNK_DEBOUNCED -> PORT_RESET [delayed 480 ms]
+[ 6170.693304] disable vbus discharge ret:0
+[ 6170.693308] Setting usb_comm capable false
+[ 6170.695193] Setting voltage/current limit 0 mV 0 mA
+[ 6170.695210] polarity 0
+[ 6170.695990] Requesting mux state 0, usb-role 0, orientation 0
+[ 6170.701896] cc:=0
+[ 6170.702181] pending state change PORT_RESET -> PORT_RESET_WAIT_OFF @ 100 ms [rev2 NONE_AMS]
+[ 6170.703343] CC1: 0 -> 0, CC2: 5 -> 0 [state PORT_RESET, polarity 0, disconnected]
+
+Fixes: f0690a25a140b8 ("staging: typec: USB Type-C Port Manager (tcpm)")
+Cc: stable@vger.kernel.org
+Acked-by: Heikki Krogerus
+Signed-off-by: Badhri Jagan Sridharan
+Link: https://lore.kernel.org/r/20211130001825.3142830-1-badhri@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/typec/tcpm.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/staging/typec/tcpm.c
++++ b/drivers/staging/typec/tcpm.c
+@@ -2386,11 +2386,7 @@ static void run_state_machine(struct tcp
+ tcpm_try_src(port) ? SRC_TRY
+ : SNK_ATTACHED,
+ 0);
+- else
+- /* Wait for VBUS, but not forever */
+- tcpm_set_state(port, PORT_RESET, PD_T_PS_SOURCE_ON);
+ break;
+-
+ case SRC_TRY:
+ port->try_src_count++;
+ tcpm_set_cc(port, tcpm_rp_cc(port));
diff --git a/queue-4.14/vgacon-propagate-console-boot-parameters-before-calling-vc_resize.patch b/queue-4.14/vgacon-propagate-console-boot-parameters-before-calling-vc_resize.patch
new file mode 100644
index 00000000000..f795edbeaac
--- /dev/null
+++ b/queue-4.14/vgacon-propagate-console-boot-parameters-before-calling-vc_resize.patch
@@ -0,0 +1,94 @@
+From 3dfac26e2ef29ff2abc2a75aa4cd48fce25a2c4b Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki"
+Date: Tue, 26 Oct 2021 00:26:22 +0200
+Subject: vgacon: Propagate console boot parameters before calling `vc_resize'
+
+From: Maciej W. Rozycki
+
+commit 3dfac26e2ef29ff2abc2a75aa4cd48fce25a2c4b upstream.
+
+Fix a division by zero in `vgacon_resize' with a backtrace like:
+
+vgacon_resize
+vc_do_resize
+vgacon_init
+do_bind_con_driver
+do_unbind_con_driver
+fbcon_fb_unbind
+do_unregister_framebuffer
+do_register_framebuffer
+register_framebuffer
+__drm_fb_helper_initial_config_and_unlock
+drm_helper_hpd_irq_event
+dw_hdmi_irq
+irq_thread
+kthread
+
+caused by `c->vc_cell_height' not having been initialized. This has
+only started to trigger with commit 860dafa90259 ("vt: Fix character
+height handling with VT_RESIZEX"), however the ultimate offender is
+commit 50ec42edd978 ("[PATCH] Detaching fbcon: fix vgacon to allow
+retaking of the console").
+
+Said commit has added a call to `vc_resize' whenever `vgacon_init' is
+called with the `init' argument set to 0, which did not happen before.
+And the call is made before a key vgacon boot parameter retrieved in
+`vgacon_startup' has been propagated in `vgacon_init' for `vc_resize' to
+use to the console structure being worked on. Previously the parameter
+was `c->vc_font.height' and now it is `c->vc_cell_height'.
+
+In this particular scenario the registration of fbcon has failed and vt
+resorts to vgacon. Now fbcon does have initialized `c->vc_font.height'
+somehow, unlike `c->vc_cell_height', which is why this code did not
+crash before, but either way the boot parameters should have been copied
+to the console structure ahead of the call to `vc_resize' rather than
+afterwards, so that first the call has a chance to use them and second
+they do not change the console structure to something possibly different
+from what was used by `vc_resize'.
+
+Move the propagation of the vgacon boot parameters ahead of the call to
+`vc_resize' then. Adjust the comment accordingly.
+
+Fixes: 50ec42edd978 ("[PATCH] Detaching fbcon: fix vgacon to allow retaking of the console")
+Cc: stable@vger.kernel.org # v2.6.18+
+Reported-by: Wim Osterholt
+Reported-by: Pavel V. Panteleev
+Signed-off-by: Maciej W. Rozycki
+Link: https://lore.kernel.org/r/alpine.DEB.2.21.2110252317110.58149@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/console/vgacon.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/video/console/vgacon.c
++++ b/drivers/video/console/vgacon.c
+@@ -365,11 +365,17 @@ static void vgacon_init(struct vc_data *
+ struct uni_pagedir *p;
+
+ /*
+- * We cannot be loaded as a module, therefore init is always 1,
+- * but vgacon_init can be called more than once, and init will
+- * not be 1.
++ * We cannot be loaded as a module, therefore init will be 1
++ * if we are the default console, however if we are a fallback
++ * console, for example if fbcon has failed registration, then
++ * init will be 0, so we need to make sure our boot parameters
++ * have been copied to the console structure for vgacon_resize
++ * ultimately called by vc_resize. Any subsequent calls to
++ * vgacon_init init will have init set to 0 too.
+ */
+ c->vc_can_do_color = vga_can_do_color;
++ c->vc_scan_lines = vga_scan_lines;
++ c->vc_font.height = c->vc_cell_height = vga_video_font_height;
+
+ /* set dimensions manually if init != 0 since vc_resize() will fail */
+ if (init) {
+@@ -378,8 +384,6 @@ static void vgacon_init(struct vc_data *
+ } else
+ vc_resize(c, vga_video_num_columns, vga_video_num_lines);
+
+- c->vc_scan_lines = vga_scan_lines;
+- c->vc_font.height = c->vc_cell_height = vga_video_font_height;
+ c->vc_complement_mask = 0x7700;
+ if (vga_512_chars)
+ c->vc_hi_font_mask = 0x0800;
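Review bot: The last sentence of the rewritten comment in vgacon_init() reads `* vgacon_init init will have init set to 0 too.` — the first `init` is a stray repeat, and `* vgacon_init will have init set to 0 too.` is what was meant. Moving `c->vc_scan_lines` and `c->vc_font.height = c->vc_cell_height = vga_video_font_height` ahead of the `vc_resize()` call is exactly what the division-by-zero fix needs, and the second hunk removes the old assignments consistently. vgacon_init() continues outside both hunks.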
diff --git a/queue-4.14/x86-64-mm-map-all-kernel-memory-into-trampoline_pgd.patch b/queue-4.14/x86-64-mm-map-all-kernel-memory-into-trampoline_pgd.patch
new file mode 100644
index 00000000000..6f6dc5e697a
--- /dev/null
+++ b/queue-4.14/x86-64-mm-map-all-kernel-memory-into-trampoline_pgd.patch
@@ -0,0 +1,93 @@
+From 51523ed1c26758de1af7e58730a656875f72f783 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel
+Date: Thu, 2 Dec 2021 16:32:26 +0100
+Subject: x86/64/mm: Map all kernel memory into trampoline_pgd
+
+From: Joerg Roedel
+
+commit 51523ed1c26758de1af7e58730a656875f72f783 upstream.
+
+The trampoline_pgd only maps the 0xfffffff000000000-0xffffffffffffffff
+range of kernel memory (with 4-level paging). This range contains the
+kernel's text+data+bss mappings and the module mapping space but not the
+direct mapping and the vmalloc area.
+
+This is enough to get the application processors out of real-mode, but
+for code that switches back to real-mode the trampoline_pgd is missing
+important parts of the address space. For example, consider this code
+from arch/x86/kernel/reboot.c, function machine_real_restart() for a
+64-bit kernel:
+
+ #ifdef CONFIG_X86_32
+ load_cr3(initial_page_table);
+ #else
+ write_cr3(real_mode_header->trampoline_pgd);
+
+ /* Exiting long mode will fail if CR4.PCIDE is set. */
+ if (boot_cpu_has(X86_FEATURE_PCID))
+ cr4_clear_bits(X86_CR4_PCIDE);
+ #endif
+
+ /* Jump to the identity-mapped low memory code */
+ #ifdef CONFIG_X86_32
+ asm volatile("jmpl *%0" : :
+ "rm" (real_mode_header->machine_real_restart_asm),
+ "a" (type));
+ #else
+ asm volatile("ljmpl *%0" : :
+ "m" (real_mode_header->machine_real_restart_asm),
+ "D" (type));
+ #endif
+
+The code switches to the trampoline_pgd, which unmaps the direct mapping
+and also the kernel stack. The call to cr4_clear_bits() will find no
+stack and crash the machine. The real_mode_header pointer below points
+into the direct mapping, and dereferencing it also causes a crash.
+
+The reason this does not crash always is only that kernel mappings are
+global and the CR3 switch does not flush those mappings. But if theses
+mappings are not in the TLB already, the above code will crash before it
+can jump to the real-mode stub.
+
+Extend the trampoline_pgd to contain all kernel mappings to prevent
+these crashes and to make code which runs on this page-table more
+robust.
+
+Signed-off-by: Joerg Roedel
+Signed-off-by: Borislav Petkov
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20211202153226.22946-5-joro@8bytes.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/realmode/init.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/realmode/init.c
++++ b/arch/x86/realmode/init.c
+@@ -57,6 +57,7 @@ static void __init setup_real_mode(void)
+ #ifdef CONFIG_X86_64
+ u64 *trampoline_pgd;
+ u64 efer;
++ int i;
+ #endif
+
+ base = (unsigned char *)real_mode_header;
+@@ -114,8 +115,17 @@ static void __init setup_real_mode(void)
+ trampoline_header->flags |= TH_FLAGS_SME_ACTIVE;
+
+ trampoline_pgd = (u64 *) __va(real_mode_header->trampoline_pgd);
++
++ /* Map the real mode stub as virtual == physical */
+ trampoline_pgd[0] = trampoline_pgd_entry.pgd;
+- trampoline_pgd[511] = init_top_pgt[511].pgd;
++
++ /*
++ * Include the entirety of the kernel mapping into the trampoline
++ * PGD. This way, all mappings present in the normal kernel page
++ * tables are usable while running on trampoline_pgd.
++ */
++ for (i = pgd_index(__PAGE_OFFSET); i < PTRS_PER_PGD; i++)
++ trampoline_pgd[i] = init_top_pgt[i].pgd;
+ #endif
+ }
+
diff --git a/queue-4.14/xhci-fix-commad-ring-abort-write-all-64-bits-to-crcr-register.patch b/queue-4.14/xhci-fix-commad-ring-abort-write-all-64-bits-to-crcr-register.patch
new file mode 100644
index 00000000000..164b1df794e
--- /dev/null
+++ b/queue-4.14/xhci-fix-commad-ring-abort-write-all-64-bits-to-crcr-register.patch
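Review bot: The loop copying `init_top_pgt[i].pgd` into `trampoline_pgd` is a one-time snapshot taken in setup_real_mode(), so any top-level PGD entry that the kernel's own page tables acquire later would not appear on trampoline_pgd, and the new block comment ("all mappings present in the normal kernel page tables are usable") reads as if the two stay in sync. If that is acceptable because every PGD entry in the copied range is already populated by this point, a note saying so would prevent a reader from relying on later entries; if it is not, code that later runs on trampoline_pgd could still fault on a missing upper-level entry. Whether later population can happen in this configuration cannot be judged from the hunk, so I would add `/* Snapshot: PGD entries populated after this point are not reflected here. */` under the existing comment and confirm the assumption. setup_real_mode() continues outside both hunks.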
@@ -0,0 +1,70 @@
+From 09f736aa95476631227d2dc0e6b9aeee1ad7ed58 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Fri, 26 Nov 2021 14:23:40 +0200
+Subject: xhci: Fix commad ring abort, write all 64 bits to CRCR register.
+
+From: Mathias Nyman
+
+commit 09f736aa95476631227d2dc0e6b9aeee1ad7ed58 upstream.
+
+Turns out some xHC controllers require all 64 bits in the CRCR register
+to be written to execute a command abort.
+
+The lower 32 bits containing the command abort bit is written first.
+In case the command ring stops before we write the upper 32 bits then
+hardware may use these upper bits to set the commnd ring dequeue pointer.
+
+Solve this by making sure the upper 32 bits contain a valid command
+ring dequeue pointer.
+
+The original patch that only wrote the first 32 to stop the ring went
+to stable, so this fix should go there as well.
+
+Fixes: ff0e50d3564f ("xhci: Fix command ring pointer corruption while aborting a command")
+Cc: stable@vger.kernel.org
+Tested-by: Pavankumar Kondeti
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20211126122340.1193239-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-ring.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -350,7 +350,9 @@ static void xhci_handle_stopped_cmd_ring
+ /* Must be called with xhci->lock held, releases and aquires lock back */
+ static int xhci_abort_cmd_ring(struct xhci_hcd *xhci, unsigned long flags)
+ {
+- u32 temp_32;
++ struct xhci_segment *new_seg = xhci->cmd_ring->deq_seg;
++ union xhci_trb *new_deq = xhci->cmd_ring->dequeue;
++ u64 crcr;
+ int ret;
+
+ xhci_dbg(xhci, "Abort command ring\n");
+@@ -359,13 +361,18 @@ static int xhci_abort_cmd_ring(struct xh
+
+ /*
+ * The control bits like command stop, abort are located in lower
+- * dword of the command ring control register. Limit the write
+- * to the lower dword to avoid corrupting the command ring pointer
+- * in case if the command ring is stopped by the time upper dword
+- * is written.
++ * dword of the command ring control register.
++ * Some controllers require all 64 bits to be written to abort the ring.
++ * Make sure the upper dword is valid, pointing to the next command,
++ * avoiding corrupting the command ring pointer in case the command ring
++ * is stopped by the time the upper dword is written.
+ */
+- temp_32 = readl(&xhci->op_regs->cmd_ring);
+- writel(temp_32 | CMD_RING_ABORT, &xhci->op_regs->cmd_ring);
++ next_trb(xhci, NULL, &new_seg, &new_deq);
++ if (trb_is_link(new_deq))
++ next_trb(xhci, NULL, &new_seg, &new_deq);
++
++ crcr = xhci_trb_virt_to_dma(new_seg, new_deq);
++ xhci_write_64(xhci, crcr | CMD_RING_ABORT, &xhci->op_regs->cmd_ring);
+
+ /* Section 4.6.1.2 of xHCI 1.0 spec says software should also time the
+ * completion of the Command Abort operation. If CRR is not negated in 5