From: Greg Kroah-Hartman Date: Tue, 18 Jan 2022 08:22:25 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v5.16.2~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2528d7fc93889c0ef33b032d55347d59f429a6ef;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: 9p-only-copy-valid-iattrs-in-9p2000.l-setattr-implementation.patch kvm-s390-clarify-sigp-orders-versus-stop-restart.patch kvm-x86-don-t-print-when-fail-to-read-write-pv-eoi-memory.patch kvm-x86-register-perf-callbacks-after-calling-vendor-s-hardware_setup.patch kvm-x86-register-processor-trace-interrupt-hook-iff-pt-enabled-in-guest.patch media-uvcvideo-fix-division-by-zero-at-stream-start.patch orangefs-fix-the-size-of-a-memory-allocation-in-orangefs_bufmap_alloc.patch perf-protect-perf_guest_cbs-with-rcu.patch remoteproc-qcom-pas-add-missing-power-domain-mxc-for-cdsp.patch remoteproc-qcom-pil_info-don-t-memcpy_toio-more-than-is-provided.patch rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch vfs-fs_context-fix-up-param-length-parsing-in-legacy_parse_param.patch video-vga16fb-only-probe-for-ega-and-vga-16-color-graphic-cards.patch --- diff --git a/queue-5.15/9p-only-copy-valid-iattrs-in-9p2000.l-setattr-implementation.patch b/queue-5.15/9p-only-copy-valid-iattrs-in-9p2000.l-setattr-implementation.patch new file mode 100644 index 00000000000..99a6ecf6329 --- /dev/null +++ b/queue-5.15/9p-only-copy-valid-iattrs-in-9p2000.l-setattr-implementation.patch 
@@ -0,0 +1,79 @@ +From 3cb6ee991496b67ee284c6895a0ba007e2d7bac3 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Mon, 29 Nov 2021 12:44:34 +0100 +Subject: 9p: only copy valid iattrs in 9P2000.L setattr implementation + +From: Christian Brauner + +commit 3cb6ee991496b67ee284c6895a0ba007e2d7bac3 upstream. + +The 9P2000.L setattr method v9fs_vfs_setattr_dotl() copies struct iattr +values without checking whether they are valid causing unitialized +values to be copied. The 9P2000 setattr method v9fs_vfs_setattr() method +gets this right. Check whether struct iattr fields are valid first +before copying in v9fs_vfs_setattr_dotl() too and make sure that all +other fields are set to 0 apart from {g,u}id which should be set to +INVALID_{G,U}ID. This ensure that they can be safely sent over the wire +or printed for debugging later on. + +Link: https://lkml.kernel.org/r/20211129114434.3637938-1-brauner@kernel.org +Link: https://lkml.kernel.org/r/000000000000a0d53f05d1c72a4c%40google.com +Cc: Eric Van Hensbergen +Cc: Latchesar Ionkov +Cc: Dominique Martinet +Cc: stable@kernel.org +Cc: v9fs-developer@lists.sourceforge.net +Reported-by: syzbot+dfac92a50024b54acaa4@syzkaller.appspotmail.com +Signed-off-by: Christian Brauner +[Dominique: do not set a/mtime with just ATTR_A/MTIME as discussed] +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman +--- + fs/9p/vfs_inode_dotl.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +--- a/fs/9p/vfs_inode_dotl.c ++++ b/fs/9p/vfs_inode_dotl.c +@@ -553,7 +553,10 @@ int v9fs_vfs_setattr_dotl(struct user_na + { + int retval, use_dentry = 0; + struct p9_fid *fid = NULL; +- struct p9_iattr_dotl p9attr; ++ struct p9_iattr_dotl p9attr = { ++ .uid = INVALID_UID, ++ .gid = INVALID_GID, ++ }; + struct inode *inode = d_inode(dentry); + + p9_debug(P9_DEBUG_VFS, "\n"); +@@ -563,14 +566,22 @@ int v9fs_vfs_setattr_dotl(struct user_na + return retval; + + p9attr.valid = 
v9fs_mapped_iattr_valid(iattr->ia_valid); +- p9attr.mode = iattr->ia_mode; +- p9attr.uid = iattr->ia_uid; +- p9attr.gid = iattr->ia_gid; +- p9attr.size = iattr->ia_size; +- p9attr.atime_sec = iattr->ia_atime.tv_sec; +- p9attr.atime_nsec = iattr->ia_atime.tv_nsec; +- p9attr.mtime_sec = iattr->ia_mtime.tv_sec; +- p9attr.mtime_nsec = iattr->ia_mtime.tv_nsec; ++ if (iattr->ia_valid & ATTR_MODE) ++ p9attr.mode = iattr->ia_mode; ++ if (iattr->ia_valid & ATTR_UID) ++ p9attr.uid = iattr->ia_uid; ++ if (iattr->ia_valid & ATTR_GID) ++ p9attr.gid = iattr->ia_gid; ++ if (iattr->ia_valid & ATTR_SIZE) ++ p9attr.size = iattr->ia_size; ++ if (iattr->ia_valid & ATTR_ATIME_SET) { ++ p9attr.atime_sec = iattr->ia_atime.tv_sec; ++ p9attr.atime_nsec = iattr->ia_atime.tv_nsec; ++ } ++ if (iattr->ia_valid & ATTR_MTIME_SET) { ++ p9attr.mtime_sec = iattr->ia_mtime.tv_sec; ++ p9attr.mtime_nsec = iattr->ia_mtime.tv_nsec; ++ } + + if (iattr->ia_valid & ATTR_FILE) { + fid = iattr->ia_file->private_data; diff --git a/queue-5.15/kvm-s390-clarify-sigp-orders-versus-stop-restart.patch b/queue-5.15/kvm-s390-clarify-sigp-orders-versus-stop-restart.patch new file mode 100644 index 00000000000..46d7f548f6d --- /dev/null +++ b/queue-5.15/kvm-s390-clarify-sigp-orders-versus-stop-restart.patch 
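Review bot: The guarded copies on the new side leave atime_sec/atime_nsec and mtime_sec/mtime_nsec at zero when only ATTR_ATIME or ATTR_MTIME is set, while `p9attr.valid` is still derived from the full `iattr->ia_valid`; the bracketed note in the commit message says this is deliberate, but nothing in the code records it. A comment above the `ATTR_ATIME_SET` check, e.g. `/* a/mtime values are only copied with ATTR_[AM]TIME_SET; with plain ATTR_[AM]TIME the zeroed fields are intentionally left as-is (see commit message) */`, would keep a later cleanup from reverting it. v9fs_vfs_setattr_dotl continues past the end of the hunk, so the point where p9attr is sent is not visible here.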
@@ -0,0 +1,121 @@ +From 812de04661c4daa7ac385c0dfd62594540538034 Mon Sep 17 00:00:00 2001 +From: Eric Farman +Date: Mon, 13 Dec 2021 22:05:50 +0100 +Subject: KVM: s390: Clarify SIGP orders versus STOP/RESTART + +From: Eric Farman + +commit 812de04661c4daa7ac385c0dfd62594540538034 upstream. + +With KVM_CAP_S390_USER_SIGP, there are only five Signal Processor +orders (CONDITIONAL EMERGENCY SIGNAL, EMERGENCY SIGNAL, EXTERNAL CALL, +SENSE, and SENSE RUNNING STATUS) which are intended for frequent use +and thus are processed in-kernel. The remainder are sent to userspace +with the KVM_CAP_S390_USER_SIGP capability. Of those, three orders +(RESTART, STOP, and STOP AND STORE STATUS) have the potential to +inject work back into the kernel, and thus are asynchronous. + +Let's look for those pending IRQs when processing one of the in-kernel +SIGP orders, and return BUSY (CC2) if one is in process. This is in +agreement with the Principles of Operation, which states that only one +order can be "active" on a CPU at a time. 
+ +Cc: stable@vger.kernel.org +Suggested-by: David Hildenbrand +Signed-off-by: Eric Farman +Reviewed-by: Christian Borntraeger +Acked-by: David Hildenbrand +Link: https://lore.kernel.org/r/20211213210550.856213-2-farman@linux.ibm.com +[borntraeger@linux.ibm.com: add stable tag] +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kvm/interrupt.c | 7 +++++++ + arch/s390/kvm/kvm-s390.c | 9 +++++++-- + arch/s390/kvm/kvm-s390.h | 1 + + arch/s390/kvm/sigp.c | 28 ++++++++++++++++++++++++++++ + 4 files changed, 43 insertions(+), 2 deletions(-) + +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -2115,6 +2115,13 @@ int kvm_s390_is_stop_irq_pending(struct + return test_bit(IRQ_PEND_SIGP_STOP, &li->pending_irqs); + } + ++int kvm_s390_is_restart_irq_pending(struct kvm_vcpu *vcpu) ++{ ++ struct kvm_s390_local_interrupt *li = &vcpu->arch.local_int; ++ ++ return test_bit(IRQ_PEND_RESTART, &li->pending_irqs); ++} ++ + void kvm_s390_clear_stop_irq(struct kvm_vcpu *vcpu) + { + struct kvm_s390_local_interrupt *li = &vcpu->arch.local_int; +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -4642,10 +4642,15 @@ int kvm_s390_vcpu_stop(struct kvm_vcpu * + } + } + +- /* SIGP STOP and SIGP STOP AND STORE STATUS has been fully processed */ ++ /* ++ * Set the VCPU to STOPPED and THEN clear the interrupt flag, ++ * now that the SIGP STOP and SIGP STOP AND STORE STATUS orders ++ * have been fully processed. This will ensure that the VCPU ++ * is kept BUSY if another VCPU is inquiring with SIGP SENSE. 
++ */ ++ kvm_s390_set_cpuflags(vcpu, CPUSTAT_STOPPED); + kvm_s390_clear_stop_irq(vcpu); + +- kvm_s390_set_cpuflags(vcpu, CPUSTAT_STOPPED); + __disable_ibs_on_vcpu(vcpu); + + for (i = 0; i < online_vcpus; i++) { +--- a/arch/s390/kvm/kvm-s390.h ++++ b/arch/s390/kvm/kvm-s390.h +@@ -418,6 +418,7 @@ void kvm_s390_destroy_adapters(struct kv + int kvm_s390_ext_call_pending(struct kvm_vcpu *vcpu); + extern struct kvm_device_ops kvm_flic_ops; + int kvm_s390_is_stop_irq_pending(struct kvm_vcpu *vcpu); ++int kvm_s390_is_restart_irq_pending(struct kvm_vcpu *vcpu); + void kvm_s390_clear_stop_irq(struct kvm_vcpu *vcpu); + int kvm_s390_set_irq_state(struct kvm_vcpu *vcpu, + void __user *buf, int len); +--- a/arch/s390/kvm/sigp.c ++++ b/arch/s390/kvm/sigp.c +@@ -288,6 +288,34 @@ static int handle_sigp_dst(struct kvm_vc + if (!dst_vcpu) + return SIGP_CC_NOT_OPERATIONAL; + ++ /* ++ * SIGP RESTART, SIGP STOP, and SIGP STOP AND STORE STATUS orders ++ * are processed asynchronously. Until the affected VCPU finishes ++ * its work and calls back into KVM to clear the (RESTART or STOP) ++ * interrupt, we need to return any new non-reset orders "busy". ++ * ++ * This is important because a single VCPU could issue: ++ * 1) SIGP STOP $DESTINATION ++ * 2) SIGP SENSE $DESTINATION ++ * ++ * If the SIGP SENSE would not be rejected as "busy", it could ++ * return an incorrect answer as to whether the VCPU is STOPPED ++ * or OPERATING. ++ */ ++ if (order_code != SIGP_INITIAL_CPU_RESET && ++ order_code != SIGP_CPU_RESET) { ++ /* ++ * Lockless check. Both SIGP STOP and SIGP (RE)START ++ * properly synchronize everything while processing ++ * their orders, while the guest cannot observe a ++ * difference when issuing other orders from two ++ * different VCPUs. ++ */ ++ if (kvm_s390_is_stop_irq_pending(dst_vcpu) || ++ kvm_s390_is_restart_irq_pending(dst_vcpu)) ++ return SIGP_CC_BUSY; ++ } ++ + switch (order_code) { + case SIGP_SENSE: + vcpu->stat.instruction_sigp_sense++; 
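Review bot: `kvm_s390_is_restart_irq_pending` in interrupt.c is a verbatim copy of the existing `kvm_s390_is_stop_irq_pending` with only the bit changed; a single file-local helper, `static int sigp_irq_pending(struct kvm_vcpu *vcpu, int irq) { return test_bit(irq, &vcpu->arch.local_int.pending_irqs); }`, with both exported functions calling it, keeps the two in step. The busy check added to handle_sigp_dst also rejects a further SIGP STOP or RESTART while one is still pending, which matches the one-active-order rule the commit message cites but could be stated explicitly in the block comment. handle_sigp_dst starts before the hunk and its switch continues past it.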
diff --git a/queue-5.15/kvm-x86-don-t-print-when-fail-to-read-write-pv-eoi-memory.patch b/queue-5.15/kvm-x86-don-t-print-when-fail-to-read-write-pv-eoi-memory.patch new file mode 100644 index 00000000000..5e7d7d761d8 --- /dev/null +++ b/queue-5.15/kvm-x86-don-t-print-when-fail-to-read-write-pv-eoi-memory.patch 
@@ -0,0 +1,64 @@ +From ce5977b181c1613072eafbc7546bcb6c463ea68c Mon Sep 17 00:00:00 2001 +From: Li RongQing +Date: Thu, 4 Nov 2021 19:56:13 +0800 +Subject: KVM: x86: don't print when fail to read/write pv eoi memory + +From: Li RongQing + +commit ce5977b181c1613072eafbc7546bcb6c463ea68c upstream. + +If guest gives MSR_KVM_PV_EOI_EN a wrong value, this printk() will +be trigged, and kernel log is spammed with the useless message + +Fixes: 0d88800d5472 ("kvm: x86: ioapic and apic debug macros cleanup") +Reported-by: Vitaly Kuznetsov +Reviewed-by: Vitaly Kuznetsov +Signed-off-by: Li RongQing +Cc: stable@kernel.org +Message-Id: <1636026974-50555-1-git-send-email-lirongqing@baidu.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/lapic.c | 18 ++++++------------ + 1 file changed, 6 insertions(+), 12 deletions(-) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -676,31 +676,25 @@ static inline bool pv_eoi_enabled(struct + static bool pv_eoi_get_pending(struct kvm_vcpu *vcpu) + { + u8 val; +- if (pv_eoi_get_user(vcpu, &val) < 0) { +- printk(KERN_WARNING "Can't read EOI MSR value: 0x%llx\n", +- (unsigned long long)vcpu->arch.pv_eoi.msr_val); ++ if (pv_eoi_get_user(vcpu, &val) < 0) + return false; +- } ++ + return val & KVM_PV_EOI_ENABLED; + } + + static void pv_eoi_set_pending(struct kvm_vcpu *vcpu) + { +- if (pv_eoi_put_user(vcpu, KVM_PV_EOI_ENABLED) < 0) { +- printk(KERN_WARNING "Can't set EOI MSR value: 0x%llx\n", +- (unsigned long long)vcpu->arch.pv_eoi.msr_val); ++ if (pv_eoi_put_user(vcpu, KVM_PV_EOI_ENABLED) < 0) + return; +- } ++ + __set_bit(KVM_APIC_PV_EOI_PENDING, &vcpu->arch.apic_attention); + } + + static void pv_eoi_clr_pending(struct kvm_vcpu *vcpu) + { +- if (pv_eoi_put_user(vcpu, KVM_PV_EOI_DISABLED) < 0) { +- printk(KERN_WARNING "Can't clear EOI MSR value: 0x%llx\n", +- (unsigned long long)vcpu->arch.pv_eoi.msr_val); ++ if (pv_eoi_put_user(vcpu, KVM_PV_EOI_DISABLED) < 0) + return; +- } ++ + 
__clear_bit(KVM_APIC_PV_EOI_PENDING, &vcpu->arch.apic_attention); + } + diff --git a/queue-5.15/kvm-x86-register-perf-callbacks-after-calling-vendor-s-hardware_setup.patch b/queue-5.15/kvm-x86-register-perf-callbacks-after-calling-vendor-s-hardware_setup.patch new file mode 100644 index 00000000000..d6514b1fd77 --- /dev/null +++ b/queue-5.15/kvm-x86-register-perf-callbacks-after-calling-vendor-s-hardware_setup.patch 
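Review bot: With the printk gone, a failing pv_eoi_get_user()/pv_eoi_put_user() is now completely silent, and nothing in the code records that this is intentional because the MSR value is guest-controlled and the message was guest-triggerable log spam. A one-line comment on the early return in pv_eoi_get_pending, e.g. `/* Guest-controlled MSR; failures are expected and deliberately not logged. */`, preserves that rationale for the next reader, and a tracepoint would be the usual way to keep the event observable without letting a guest flood the host log. The `return false` path still treats a read failure as "EOI not pending", which this patch does not change.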
@@ -0,0 +1,66 @@ +From 5c7df80e2ce4c954c80eb4ecf5fa002a5ff5d2d6 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 11 Nov 2021 02:07:23 +0000 +Subject: KVM: x86: Register perf callbacks after calling vendor's hardware_setup() + +From: Sean Christopherson + +commit 5c7df80e2ce4c954c80eb4ecf5fa002a5ff5d2d6 upstream. + +Wait to register perf callbacks until after doing vendor hardaware setup. +VMX's hardware_setup() configures Intel Processor Trace (PT) mode, and a +future fix to register the Intel PT guest interrupt hook if and only if +Intel PT is exposed to the guest will consume the configured PT mode. + +Delaying registration to hardware setup is effectively a nop as KVM's perf +hooks all pivot on the per-CPU current_vcpu, which is non-NULL only when +KVM is handling an IRQ/NMI in a VM-Exit path. I.e. current_vcpu will be +NULL throughout both kvm_arch_init() and kvm_arch_hardware_setup(). + +Signed-off-by: Sean Christopherson +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Paolo Bonzini +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211111020738.2512932-3-seanjc@google.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -8551,8 +8551,6 @@ int kvm_arch_init(void *opaque) + + kvm_timer_init(); + +- perf_register_guest_info_callbacks(&kvm_guest_cbs); +- + if (boot_cpu_has(X86_FEATURE_XSAVE)) { + host_xcr0 = xgetbv(XCR_XFEATURE_ENABLED_MASK); + supported_xcr0 = host_xcr0 & KVM_SUPPORTED_XCR0; +@@ -8586,7 +8584,6 @@ void kvm_arch_exit(void) + clear_hv_tscchange_cb(); + #endif + kvm_lapic_exit(); +- perf_unregister_guest_info_callbacks(&kvm_guest_cbs); + + if (!boot_cpu_has(X86_FEATURE_CONSTANT_TSC)) + cpufreq_unregister_notifier(&kvmclock_cpufreq_notifier_block, +@@ -11186,6 +11183,8 @@ int kvm_arch_hardware_setup(void *opaque + memcpy(&kvm_x86_ops, ops->runtime_ops, sizeof(kvm_x86_ops)); + 
kvm_ops_static_call_update(); + ++ perf_register_guest_info_callbacks(&kvm_guest_cbs); ++ + if (!kvm_cpu_cap_has(X86_FEATURE_XSAVES)) + supported_xss = 0; + +@@ -11213,6 +11212,8 @@ int kvm_arch_hardware_setup(void *opaque + + void kvm_arch_hardware_unsetup(void) + { ++ perf_unregister_guest_info_callbacks(&kvm_guest_cbs); ++ + static_call(kvm_x86_hardware_unsetup)(); + } + diff --git a/queue-5.15/kvm-x86-register-processor-trace-interrupt-hook-iff-pt-enabled-in-guest.patch b/queue-5.15/kvm-x86-register-processor-trace-interrupt-hook-iff-pt-enabled-in-guest.patch new file mode 100644 index 00000000000..9e199afb015 --- /dev/null +++ b/queue-5.15/kvm-x86-register-processor-trace-interrupt-hook-iff-pt-enabled-in-guest.patch 
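Review bot: After the move, perf_register_guest_info_callbacks() in kvm_arch_hardware_setup() is undone only in kvm_arch_hardware_unsetup(); if any code later in kvm_arch_hardware_setup() returns an error (the function continues past the hunk, so I cannot see whether it does), the callbacks would stay registered against a module about to be unloaded. Worth confirming there is no such path, or adding `perf_unregister_guest_info_callbacks(&kvm_guest_cbs);` on it. The commit message's point that current_vcpu is NULL during setup covers the ordering of registration but not that failure case.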
@@ -0,0 +1,77 @@ +From f4b027c5c8199abd4fb6f00d67d380548dbfdfa8 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 11 Nov 2021 02:07:24 +0000 +Subject: KVM: x86: Register Processor Trace interrupt hook iff PT enabled in guest + +From: Sean Christopherson + +commit f4b027c5c8199abd4fb6f00d67d380548dbfdfa8 upstream. + +Override the Processor Trace (PT) interrupt handler for guest mode if and +only if PT is configured for host+guest mode, i.e. is being used +independently by both host and guest. If PT is configured for system +mode, the host fully controls PT and must handle all events. + +Fixes: 8479e04e7d6b ("KVM: x86: Inject PMI for KVM guest") +Reported-by: Alexander Shishkin +Reported-by: Artem Kashkanov +Signed-off-by: Sean Christopherson +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Paolo Bonzini +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211111020738.2512932-4-seanjc@google.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/kvm_host.h | 1 + + arch/x86/kvm/vmx/vmx.c | 1 + + arch/x86/kvm/x86.c | 5 ++++- + 3 files changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1509,6 +1509,7 @@ struct kvm_x86_init_ops { + int (*disabled_by_bios)(void); + int (*check_processor_compatibility)(void); + int (*hardware_setup)(void); ++ bool (*intel_pt_intr_in_guest)(void); + + struct kvm_x86_ops *runtime_ops; + }; +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -7899,6 +7899,7 @@ static struct kvm_x86_init_ops vmx_init_ + .disabled_by_bios = vmx_disabled_by_bios, + .check_processor_compatibility = vmx_check_processor_compat, + .hardware_setup = hardware_setup, ++ .intel_pt_intr_in_guest = vmx_pt_mode_is_host_guest, + + .runtime_ops = &vmx_x86_ops, + }; +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -8430,7 +8430,7 @@ static struct perf_guest_info_callbacks + .is_in_guest = kvm_is_in_guest, + .is_user_mode = kvm_is_user_mode, + 
.get_guest_ip = kvm_get_guest_ip, +- .handle_intel_pt_intr = kvm_handle_intel_pt_intr, ++ .handle_intel_pt_intr = NULL, + }; + + #ifdef CONFIG_X86_64 +@@ -11183,6 +11183,8 @@ int kvm_arch_hardware_setup(void *opaque + memcpy(&kvm_x86_ops, ops->runtime_ops, sizeof(kvm_x86_ops)); + kvm_ops_static_call_update(); + ++ if (ops->intel_pt_intr_in_guest && ops->intel_pt_intr_in_guest()) ++ kvm_guest_cbs.handle_intel_pt_intr = kvm_handle_intel_pt_intr; + perf_register_guest_info_callbacks(&kvm_guest_cbs); + + if (!kvm_cpu_cap_has(X86_FEATURE_XSAVES)) +@@ -11213,6 +11215,7 @@ int kvm_arch_hardware_setup(void *opaque + void kvm_arch_hardware_unsetup(void) + { + perf_unregister_guest_info_callbacks(&kvm_guest_cbs); ++ kvm_guest_cbs.handle_intel_pt_intr = NULL; + + static_call(kvm_x86_hardware_unsetup)(); + } diff --git a/queue-5.15/media-uvcvideo-fix-division-by-zero-at-stream-start.patch b/queue-5.15/media-uvcvideo-fix-division-by-zero-at-stream-start.patch new file mode 100644 index 00000000000..6309438658e --- /dev/null +++ b/queue-5.15/media-uvcvideo-fix-division-by-zero-at-stream-start.patch 
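Review bot: The new `intel_pt_intr_in_guest` member in kvm_x86_init_ops has no comment; its contract is only in the commit message, so `/* true when PT runs in host+guest mode and the guest owns its PT interrupts */` above the declaration would carry it into the header. The NULL check before calling it in kvm_arch_hardware_setup() covers any vendor init_ops that leaves the member unset, and clearing handle_intel_pt_intr only after perf_unregister_guest_info_callbacks() in kvm_arch_hardware_unsetup() is the right order given the callbacks are read by perf.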
@@ -0,0 +1,43 @@ +From 8aa637bf6d70d2fb2ad4d708d8b9dd02b1c095df Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 26 Oct 2021 11:55:11 +0200 +Subject: media: uvcvideo: fix division by zero at stream start + +From: Johan Hovold + +commit 8aa637bf6d70d2fb2ad4d708d8b9dd02b1c095df upstream. + +Add the missing bulk-endpoint max-packet sanity check to +uvc_video_start_transfer() to avoid division by zero in +uvc_alloc_urb_buffers() in case a malicious device has broken +descriptors (or when doing descriptor fuzz testing). + +Note that USB core will reject URBs submitted for endpoints with zero +wMaxPacketSize but that drivers doing packet-size calculations still +need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip +endpoint descriptors with maxpacket=0")). + +Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") +Cc: stable@vger.kernel.org # 2.6.26 +Signed-off-by: Johan Hovold +Reviewed-by: Kieran Bingham +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_video.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -1963,6 +1963,10 @@ static int uvc_video_start_transfer(stru + if (ep == NULL) + return -EIO; + ++ /* Reject broken descriptors. */ ++ if (usb_endpoint_maxp(&ep->desc) == 0) ++ return -EIO; ++ + ret = uvc_init_video_bulk(stream, ep, gfp_flags); + } + diff --git a/queue-5.15/orangefs-fix-the-size-of-a-memory-allocation-in-orangefs_bufmap_alloc.patch b/queue-5.15/orangefs-fix-the-size-of-a-memory-allocation-in-orangefs_bufmap_alloc.patch new file mode 100644 index 00000000000..b86554429c3 --- /dev/null +++ b/queue-5.15/orangefs-fix-the-size-of-a-memory-allocation-in-orangefs_bufmap_alloc.patch 
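Review bot: `/* Reject broken descriptors. */` on the new check says what but not why; the reason, that usb_endpoint_maxp() becomes a divisor in uvc_alloc_urb_buffers(), lives only in the commit message. Suggest `/* A zero wMaxPacketSize would be a divisor in uvc_alloc_urb_buffers(); reject such descriptors. */` so the guard is not removed as redundant with USB core's own URB rejection. The commit message calls this the bulk-endpoint check, so the isochronous path presumably has its own guard, which this hunk does not show. uvc_video_start_transfer starts before and ends after the hunk.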
@@ -0,0 +1,61 @@ +From 40a74870b2d1d3d44e13b3b73c6571dd34f5614d Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Mon, 27 Dec 2021 19:09:18 +0100 +Subject: orangefs: Fix the size of a memory allocation in orangefs_bufmap_alloc() + +From: Christophe JAILLET + +commit 40a74870b2d1d3d44e13b3b73c6571dd34f5614d upstream. + +'buffer_index_array' really looks like a bitmap. So it should be allocated +as such. +When kzalloc is called, a number of bytes is expected, but a number of +longs is passed instead. + +In get(), if not enough memory is allocated, un-allocated memory may be +read or written. + +So use bitmap_zalloc() to safely allocate the correct memory size and +avoid un-expected behavior. + +While at it, change the corresponding kfree() into bitmap_free() to keep +the semantic. + +Fixes: ea2c9c9f6574 ("orangefs: bufmap rewrite") +Signed-off-by: Christophe JAILLET +Signed-off-by: Mike Marshall +Signed-off-by: Greg Kroah-Hartman +--- + fs/orangefs/orangefs-bufmap.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/fs/orangefs/orangefs-bufmap.c ++++ b/fs/orangefs/orangefs-bufmap.c +@@ -176,7 +176,7 @@ orangefs_bufmap_free(struct orangefs_buf + { + kfree(bufmap->page_array); + kfree(bufmap->desc_array); +- kfree(bufmap->buffer_index_array); ++ bitmap_free(bufmap->buffer_index_array); + kfree(bufmap); + } + +@@ -226,8 +226,7 @@ orangefs_bufmap_alloc(struct ORANGEFS_de + bufmap->desc_size = user_desc->size; + bufmap->desc_shift = ilog2(bufmap->desc_size); + +- bufmap->buffer_index_array = +- kzalloc(DIV_ROUND_UP(bufmap->desc_count, BITS_PER_LONG), GFP_KERNEL); ++ bufmap->buffer_index_array = bitmap_zalloc(bufmap->desc_count, GFP_KERNEL); + if (!bufmap->buffer_index_array) + goto out_free_bufmap; + +@@ -250,7 +249,7 @@ orangefs_bufmap_alloc(struct ORANGEFS_de + out_free_desc_array: + kfree(bufmap->desc_array); + out_free_index_array: +- kfree(bufmap->buffer_index_array); ++ bitmap_free(bufmap->buffer_index_array); + out_free_bufmap: + 
kfree(bufmap); + out: diff --git a/queue-5.15/perf-protect-perf_guest_cbs-with-rcu.patch b/queue-5.15/perf-protect-perf_guest_cbs-with-rcu.patch new file mode 100644 index 00000000000..b3ccd170921 --- /dev/null +++ b/queue-5.15/perf-protect-perf_guest_cbs-with-rcu.patch 
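Review bot: `bitmap_zalloc(bufmap->desc_count, GFP_KERNEL)` now sizes the allocation from desc_count, which, like desc_size on the line above it, comes from the user_desc passed into orangefs_bufmap_alloc(); the hunk does not show where desc_count is bounded, and bitmap_zalloc takes an unsigned int nbits, so it is worth confirming the caller validates count before it reaches this allocation (an unchecked large value would previously have produced a small kzalloc and now a proportionally large bitmap). orangefs_bufmap_alloc starts before the hunk. Both bitmap_free() changes are consistent with the new allocator.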
@@ -0,0 +1,432 @@ +From ff083a2d972f56bebfd82409ca62e5dfce950961 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 11 Nov 2021 02:07:22 +0000 +Subject: perf: Protect perf_guest_cbs with RCU + +From: Sean Christopherson + +commit ff083a2d972f56bebfd82409ca62e5dfce950961 upstream. + +Protect perf_guest_cbs with RCU to fix multiple possible errors. Luckily, +all paths that read perf_guest_cbs already require RCU protection, e.g. to +protect the callback chains, so only the direct perf_guest_cbs touchpoints +need to be modified. + +Bug #1 is a simple lack of WRITE_ONCE/READ_ONCE behavior to ensure +perf_guest_cbs isn't reloaded between a !NULL check and a dereference. +Fixed via the READ_ONCE() in rcu_dereference(). + +Bug #2 is that on weakly-ordered architectures, updates to the callbacks +themselves are not guaranteed to be visible before the pointer is made +visible to readers. Fixed by the smp_store_release() in +rcu_assign_pointer() when the new pointer is non-NULL. + +Bug #3 is that, because the callbacks are global, it's possible for +readers to run in parallel with an unregisters, and thus a module +implementing the callbacks can be unloaded while readers are in flight, +resulting in a use-after-free. Fixed by a synchronize_rcu() call when +unregistering callbacks. + +Bug #1 escaped notice because it's extremely unlikely a compiler will +reload perf_guest_cbs in this sequence. perf_guest_cbs does get reloaded +for future derefs, e.g. for ->is_user_mode(), but the ->is_in_guest() +guard all but guarantees the consumer will win the race, e.g. to nullify +perf_guest_cbs, KVM has to completely exit the guest and teardown down +all VMs before KVM start its module unload / unregister sequence. This +also makes it all but impossible to encounter bug #3. + +Bug #2 has not been a problem because all architectures that register +callbacks are strongly ordered and/or have a static set of callbacks. 
+ +But with help, unloading kvm_intel can trigger bug #1 e.g. wrapping +perf_guest_cbs with READ_ONCE in perf_misc_flags() while spamming +kvm_intel module load/unload leads to: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] PREEMPT SMP + CPU: 6 PID: 1825 Comm: stress Not tainted 5.14.0-rc2+ #459 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + RIP: 0010:perf_misc_flags+0x1c/0x70 + Call Trace: + perf_prepare_sample+0x53/0x6b0 + perf_event_output_forward+0x67/0x160 + __perf_event_overflow+0x52/0xf0 + handle_pmi_common+0x207/0x300 + intel_pmu_handle_irq+0xcf/0x410 + perf_event_nmi_handler+0x28/0x50 + nmi_handle+0xc7/0x260 + default_do_nmi+0x6b/0x170 + exc_nmi+0x103/0x130 + asm_exc_nmi+0x76/0xbf + +Fixes: 39447b386c84 ("perf: Enhance perf to allow for guest statistic collection from host") +Signed-off-by: Sean Christopherson +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Paolo Bonzini +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211111020738.2512932-2-seanjc@google.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/kernel/perf_callchain.c | 17 +++++++++++------ + arch/arm64/kernel/perf_callchain.c | 18 ++++++++++++------ + arch/csky/kernel/perf_callchain.c | 6 ++++-- + arch/nds32/kernel/perf_event_cpu.c | 17 +++++++++++------ + arch/riscv/kernel/perf_callchain.c | 7 +++++-- + arch/x86/events/core.c | 17 +++++++++++------ + arch/x86/events/intel/core.c | 9 ++++++--- + include/linux/perf_event.h | 13 ++++++++++++- + kernel/events/core.c | 13 ++++++++++--- + 9 files changed, 82 insertions(+), 35 deletions(-) + +--- a/arch/arm/kernel/perf_callchain.c ++++ b/arch/arm/kernel/perf_callchain.c +@@ -62,9 +62,10 @@ user_backtrace(struct frame_tail __user + void + perf_callchain_user(struct perf_callchain_entry_ctx *entry, struct pt_regs *regs) + { ++ struct 
perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs(); + struct frame_tail __user *tail; + +- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) { ++ if (guest_cbs && guest_cbs->is_in_guest()) { + /* We don't support guest os callchain now */ + return; + } +@@ -98,9 +99,10 @@ callchain_trace(struct stackframe *fr, + void + perf_callchain_kernel(struct perf_callchain_entry_ctx *entry, struct pt_regs *regs) + { ++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs(); + struct stackframe fr; + +- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) { ++ if (guest_cbs && guest_cbs->is_in_guest()) { + /* We don't support guest os callchain now */ + return; + } +@@ -111,18 +113,21 @@ perf_callchain_kernel(struct perf_callch + + unsigned long perf_instruction_pointer(struct pt_regs *regs) + { +- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) +- return perf_guest_cbs->get_guest_ip(); ++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs(); ++ ++ if (guest_cbs && guest_cbs->is_in_guest()) ++ return guest_cbs->get_guest_ip(); + + return instruction_pointer(regs); + } + + unsigned long perf_misc_flags(struct pt_regs *regs) + { ++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs(); + int misc = 0; + +- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) { +- if (perf_guest_cbs->is_user_mode()) ++ if (guest_cbs && guest_cbs->is_in_guest()) { ++ if (guest_cbs->is_user_mode()) + misc |= PERF_RECORD_MISC_GUEST_USER; + else + misc |= PERF_RECORD_MISC_GUEST_KERNEL; +--- a/arch/arm64/kernel/perf_callchain.c ++++ b/arch/arm64/kernel/perf_callchain.c +@@ -102,7 +102,9 @@ compat_user_backtrace(struct compat_fram + void perf_callchain_user(struct perf_callchain_entry_ctx *entry, + struct pt_regs *regs) + { +- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) { ++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs(); ++ ++ if (guest_cbs && guest_cbs->is_in_guest()) { + /* We don't support guest os callchain now */ 
+ return; + } +@@ -147,9 +149,10 @@ static bool callchain_trace(void *data, + void perf_callchain_kernel(struct perf_callchain_entry_ctx *entry, + struct pt_regs *regs) + { ++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs(); + struct stackframe frame; + +- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) { ++ if (guest_cbs && guest_cbs->is_in_guest()) { + /* We don't support guest os callchain now */ + return; + } +@@ -160,18 +163,21 @@ void perf_callchain_kernel(struct perf_c + + unsigned long perf_instruction_pointer(struct pt_regs *regs) + { +- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) +- return perf_guest_cbs->get_guest_ip(); ++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs(); ++ ++ if (guest_cbs && guest_cbs->is_in_guest()) ++ return guest_cbs->get_guest_ip(); + + return instruction_pointer(regs); + } + + unsigned long perf_misc_flags(struct pt_regs *regs) + { ++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs(); + int misc = 0; + +- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) { +- if (perf_guest_cbs->is_user_mode()) ++ if (guest_cbs && guest_cbs->is_in_guest()) { ++ if (guest_cbs->is_user_mode()) + misc |= PERF_RECORD_MISC_GUEST_USER; + else + misc |= PERF_RECORD_MISC_GUEST_KERNEL; +--- a/arch/csky/kernel/perf_callchain.c ++++ b/arch/csky/kernel/perf_callchain.c +@@ -86,10 +86,11 @@ static unsigned long user_backtrace(stru + void perf_callchain_user(struct perf_callchain_entry_ctx *entry, + struct pt_regs *regs) + { ++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs(); + unsigned long fp = 0; + + /* C-SKY does not support virtualization. 
*/ +- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) ++ if (guest_cbs && guest_cbs->is_in_guest()) + return; + + fp = regs->regs[4]; +@@ -110,10 +111,11 @@ void perf_callchain_user(struct perf_cal + void perf_callchain_kernel(struct perf_callchain_entry_ctx *entry, + struct pt_regs *regs) + { ++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs(); + struct stackframe fr; + + /* C-SKY does not support virtualization. */ +- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) { ++ if (guest_cbs && guest_cbs->is_in_guest()) { + pr_warn("C-SKY does not support perf in guest mode!"); + return; + } +--- a/arch/nds32/kernel/perf_event_cpu.c ++++ b/arch/nds32/kernel/perf_event_cpu.c +@@ -1363,6 +1363,7 @@ void + perf_callchain_user(struct perf_callchain_entry_ctx *entry, + struct pt_regs *regs) + { ++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs(); + unsigned long fp = 0; + unsigned long gp = 0; + unsigned long lp = 0; +@@ -1371,7 +1372,7 @@ perf_callchain_user(struct perf_callchai + + leaf_fp = 0; + +- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) { ++ if (guest_cbs && guest_cbs->is_in_guest()) { + /* We don't support guest os callchain now */ + return; + } +@@ -1479,9 +1480,10 @@ void + perf_callchain_kernel(struct perf_callchain_entry_ctx *entry, + struct pt_regs *regs) + { ++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs(); + struct stackframe fr; + +- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) { ++ if (guest_cbs && guest_cbs->is_in_guest()) { + /* We don't support guest os callchain now */ + return; + } +@@ -1493,20 +1495,23 @@ perf_callchain_kernel(struct perf_callch + + unsigned long perf_instruction_pointer(struct pt_regs *regs) + { ++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs(); ++ + /* However, NDS32 does not support virtualization */ +- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) +- return perf_guest_cbs->get_guest_ip(); ++ if (guest_cbs && 
guest_cbs->is_in_guest()) ++ return guest_cbs->get_guest_ip(); + + return instruction_pointer(regs); + } + + unsigned long perf_misc_flags(struct pt_regs *regs) + { ++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs(); + int misc = 0; + + /* However, NDS32 does not support virtualization */ +- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) { +- if (perf_guest_cbs->is_user_mode()) ++ if (guest_cbs && guest_cbs->is_in_guest()) { ++ if (guest_cbs->is_user_mode()) + misc |= PERF_RECORD_MISC_GUEST_USER; + else + misc |= PERF_RECORD_MISC_GUEST_KERNEL; +--- a/arch/riscv/kernel/perf_callchain.c ++++ b/arch/riscv/kernel/perf_callchain.c +@@ -56,10 +56,11 @@ static unsigned long user_backtrace(stru + void perf_callchain_user(struct perf_callchain_entry_ctx *entry, + struct pt_regs *regs) + { ++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs(); + unsigned long fp = 0; + + /* RISC-V does not support perf in guest mode. */ +- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) ++ if (guest_cbs && guest_cbs->is_in_guest()) + return; + + fp = regs->s0; +@@ -78,8 +79,10 @@ static bool fill_callchain(void *entry, + void perf_callchain_kernel(struct perf_callchain_entry_ctx *entry, + struct pt_regs *regs) + { ++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs(); ++ + /* RISC-V does not support perf in guest mode. 
*/
+- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) {
++ if (guest_cbs && guest_cbs->is_in_guest()) {
+ pr_warn("RISC-V does not support perf in guest mode!");
+ return;
+ }
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -2762,10 +2762,11 @@ static bool perf_hw_regs(struct pt_regs
+ void
+ perf_callchain_kernel(struct perf_callchain_entry_ctx *entry, struct pt_regs *regs)
+ {
++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs();
+ struct unwind_state state;
+ unsigned long addr;
+
+- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) {
++ if (guest_cbs && guest_cbs->is_in_guest()) {
+ /* TODO: We don't support guest os callchain now */
+ return;
+ }
+@@ -2865,10 +2866,11 @@ perf_callchain_user32(struct pt_regs *re
+ void
+ perf_callchain_user(struct perf_callchain_entry_ctx *entry, struct pt_regs *regs)
+ {
++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs();
+ struct stack_frame frame;
+ const struct stack_frame __user *fp;
+
+- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) {
++ if (guest_cbs && guest_cbs->is_in_guest()) {
+ /* TODO: We don't support guest os callchain now */
+ return;
+ }
+@@ -2945,18 +2947,21 @@ static unsigned long code_segment_base(s
+
+ unsigned long perf_instruction_pointer(struct pt_regs *regs)
+ {
+- if (perf_guest_cbs && perf_guest_cbs->is_in_guest())
+- return perf_guest_cbs->get_guest_ip();
++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs();
++
++ if (guest_cbs && guest_cbs->is_in_guest())
++ return guest_cbs->get_guest_ip();
+
+ return regs->ip + code_segment_base(regs);
+ }
+
+ unsigned long perf_misc_flags(struct pt_regs *regs)
+ {
++ struct perf_guest_info_callbacks *guest_cbs = perf_get_guest_cbs();
+ int misc = 0;
+
+- if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) {
+- if (perf_guest_cbs->is_user_mode())
++ if (guest_cbs && guest_cbs->is_in_guest()) {
++ if (guest_cbs->is_user_mode())
+ misc |= PERF_RECORD_MISC_GUEST_USER;
+ else
+ misc
|= PERF_RECORD_MISC_GUEST_KERNEL;
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -2788,6 +2788,7 @@ static int handle_pmi_common(struct pt_r
+ {
+ struct perf_sample_data data;
+ struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events);
++ struct perf_guest_info_callbacks *guest_cbs;
+ int bit;
+ int handled = 0;
+ u64 intel_ctrl = hybrid(cpuc->pmu, intel_ctrl);
+@@ -2854,9 +2855,11 @@ static int handle_pmi_common(struct pt_r
+ */
+ if (__test_and_clear_bit(GLOBAL_STATUS_TRACE_TOPAPMI_BIT, (unsigned long *)&status)) {
+ handled++;
+- if (unlikely(perf_guest_cbs && perf_guest_cbs->is_in_guest() &&
+- perf_guest_cbs->handle_intel_pt_intr))
+- perf_guest_cbs->handle_intel_pt_intr();
++
++ guest_cbs = perf_get_guest_cbs();
++ if (unlikely(guest_cbs && guest_cbs->is_in_guest() &&
++ guest_cbs->handle_intel_pt_intr))
++ guest_cbs->handle_intel_pt_intr();
+ else
+ intel_pt_interrupt();
+ }
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -1239,7 +1239,18 @@ extern void perf_event_bpf_event(struct
+ enum perf_bpf_event_type type,
+ u16 flags);
+
+-extern struct perf_guest_info_callbacks *perf_guest_cbs;
++extern struct perf_guest_info_callbacks __rcu *perf_guest_cbs;
++static inline struct perf_guest_info_callbacks *perf_get_guest_cbs(void)
++{
++ /*
++ * Callbacks are RCU-protected and must be READ_ONCE to avoid reloading
++ * the callbacks between a !NULL check and dereferences, to ensure
++ * pending stores/changes to the callback pointers are visible before a
++ * non-NULL perf_guest_cbs is visible to readers, and to prevent a
++ * module from unloading callbacks while readers are active.
++ */
++ return rcu_dereference(perf_guest_cbs);
++}
+ extern int perf_register_guest_info_callbacks(struct perf_guest_info_callbacks *callbacks);
+ extern int perf_unregister_guest_info_callbacks(struct perf_guest_info_callbacks *callbacks);
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -6526,18 +6526,25 @@ static void perf_pending_event(struct ir
+ * Later on, we might change it to a list if there is
+ * another virtualization implementation supporting the callbacks.
+ */
+-struct perf_guest_info_callbacks *perf_guest_cbs;
++struct perf_guest_info_callbacks __rcu *perf_guest_cbs;
+
+ int perf_register_guest_info_callbacks(struct perf_guest_info_callbacks *cbs)
+ {
+- perf_guest_cbs = cbs;
++ if (WARN_ON_ONCE(rcu_access_pointer(perf_guest_cbs)))
++ return -EBUSY;
++
++ rcu_assign_pointer(perf_guest_cbs, cbs);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(perf_register_guest_info_callbacks);
+
+ int perf_unregister_guest_info_callbacks(struct perf_guest_info_callbacks *cbs)
+ {
+- perf_guest_cbs = NULL;
++ if (WARN_ON_ONCE(rcu_access_pointer(perf_guest_cbs) != cbs))
++ return -EINVAL;
++
++ rcu_assign_pointer(perf_guest_cbs, NULL);
++ synchronize_rcu();
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(perf_unregister_guest_info_callbacks);
diff --git a/queue-5.15/remoteproc-qcom-pas-add-missing-power-domain-mxc-for-cdsp.patch b/queue-5.15/remoteproc-qcom-pas-add-missing-power-domain-mxc-for-cdsp.patch
new file mode 100644
index 00000000000..efdbaf73a2a
--- /dev/null
+++ b/queue-5.15/remoteproc-qcom-pas-add-missing-power-domain-mxc-for-cdsp.patch
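Review bot: perf_get_guest_cbs() is built on rcu_dereference(), so every caller must already be inside an RCU read-side critical section (CONFIG_PROVE_RCU will complain otherwise), yet the helper's comment explains only the READ_ONCE/ordering motivation and not that precondition. The visible callers are the arch perf callchain/IP/misc-flags paths and handle_pmi_common(), which appear to already run under RCU protection in NMI/IRQ context, but the helper is a public inline in perf_event.h and a later caller from process context would misuse it silently. I'd append to the comment: ` * Callers must be in an RCU read-side section (implicit for the NMI/IRQ paths that use this today); the matching synchronize_rcu() is in perf_unregister_guest_info_callbacks().`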
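Review bot: perf_register_guest_info_callbacks() checks with rcu_access_pointer() and then stores with rcu_assign_pointer(), so two concurrent registrants can both pass the WARN_ON_ONCE() and the second silently overwrites the first; the unregister side has the same check-then-store shape and additionally sleeps in the new synchronize_rcu(), which rules out atomic-context callers. Both constraints are only implied by the "single implementation" comment above the variable, and the new -EBUSY/-EINVAL returns only help if callers (outside this patch) check them. I'd record the contract above the register function: `/* Register/unregister are not serialized here: callers must not race them, and unregister may sleep (synchronize_rcu()). */`, or close the register window with an atomic compare-and-swap on the pointer if more than one registrant is ever expected.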
@@ -0,0 +1,33 @@
+From dd585d9bfbf06fd08a6326c82978be1f06e7d1bd Mon Sep 17 00:00:00 2001
+From: Sibi Sankar
+Date: Fri, 25 Jun 2021 00:03:25 +0530
+Subject: remoteproc: qcom: pas: Add missing power-domain "mxc" for CDSP
+
+From: Sibi Sankar
+
+commit dd585d9bfbf06fd08a6326c82978be1f06e7d1bd upstream.
+
+Add missing power-domain "mxc" required by CDSP PAS remoteproc on SM8350
+SoC.
+
+Fixes: e8b4e9a21af7 ("remoteproc: qcom: pas: Add SM8350 PAS remoteprocs")
+Signed-off-by: Sibi Sankar
+Cc: stable@vger.kernel.org
+Tested-by: Bjorn Andersson
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/1624559605-29847-1-git-send-email-sibis@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/remoteproc/qcom_q6v5_pas.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/remoteproc/qcom_q6v5_pas.c
++++ b/drivers/remoteproc/qcom_q6v5_pas.c
+@@ -661,6 +661,7 @@ static const struct adsp_data sm8350_cds
+ },
+ .proxy_pd_names = (char*[]){
+ "cx",
++ "mxc",
+ NULL
+ },
+ .ssr_name = "cdsp",
diff --git a/queue-5.15/remoteproc-qcom-pil_info-don-t-memcpy_toio-more-than-is-provided.patch b/queue-5.15/remoteproc-qcom-pil_info-don-t-memcpy_toio-more-than-is-provided.patch
new file mode 100644
index 00000000000..6981542f6b3
--- /dev/null
+++ b/queue-5.15/remoteproc-qcom-pil_info-don-t-memcpy_toio-more-than-is-provided.patch
@@ -0,0 +1,80 @@ +From fdc12231d885119cc2e2b4f3e0fbba3155f37a56 Mon Sep 17 00:00:00 2001 +From: Stephen Boyd +Date: Tue, 16 Nov 2021 22:54:54 -0800 +Subject: remoteproc: qcom: pil_info: Don't memcpy_toio more than is provided + +From: Stephen Boyd + +commit fdc12231d885119cc2e2b4f3e0fbba3155f37a56 upstream. + +If the string passed into qcom_pil_info_store() isn't as long as +PIL_RELOC_NAME_LEN we'll try to copy the string assuming the length is +PIL_RELOC_NAME_LEN to the io space and go beyond the bounds of the +string. Let's only copy as many byes as the string is long, ignoring the +NUL terminator. + +This fixes the following KASAN error: + + BUG: KASAN: global-out-of-bounds in __memcpy_toio+0x124/0x140 + Read of size 1 at addr ffffffd35086e386 by task rmtfs/2392 + + CPU: 2 PID: 2392 Comm: rmtfs Tainted: G W 5.16.0-rc1-lockdep+ #10 + Hardware name: Google Lazor (rev3+) with KB Backlight (DT) + Call trace: + dump_backtrace+0x0/0x410 + show_stack+0x24/0x30 + dump_stack_lvl+0x7c/0xa0 + print_address_description+0x78/0x2bc + kasan_report+0x160/0x1a0 + __asan_report_load1_noabort+0x44/0x50 + __memcpy_toio+0x124/0x140 + qcom_pil_info_store+0x298/0x358 [qcom_pil_info] + q6v5_start+0xdf0/0x12e0 [qcom_q6v5_mss] + rproc_start+0x178/0x3a0 + rproc_boot+0x5f0/0xb90 + state_store+0x78/0x1bc + dev_attr_store+0x70/0x90 + sysfs_kf_write+0xf4/0x118 + kernfs_fop_write_iter+0x208/0x300 + vfs_write+0x55c/0x804 + ksys_pwrite64+0xc8/0x134 + __arm64_compat_sys_aarch32_pwrite64+0xc4/0xdc + invoke_syscall+0x78/0x20c + el0_svc_common+0x11c/0x1f0 + do_el0_svc_compat+0x50/0x60 + el0_svc_compat+0x5c/0xec + el0t_32_sync_handler+0xc0/0xf0 + el0t_32_sync+0x1a4/0x1a8 + + The buggy address belongs to the variable: + .str.59+0x6/0xffffffffffffec80 [qcom_q6v5_mss] + + Memory state around the buggy address: + ffffffd35086e280: 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 + ffffffd35086e300: 00 02 f9 f9 f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9 + >ffffffd35086e380: 06 f9 f9 f9 05 f9 f9 f9 00 00 00 00 00 
06 f9 f9
+ ^
+ ffffffd35086e400: f9 f9 f9 f9 01 f9 f9 f9 04 f9 f9 f9 00 00 01 f9
+ ffffffd35086e480: f9 f9 f9 f9 00 00 00 00 00 00 00 01 f9 f9 f9 f9
+
+Fixes: 549b67da660d ("remoteproc: qcom: Introduce helper to store pil info in IMEM")
+Signed-off-by: Stephen Boyd
+Reviewed-by: Bjorn Andersson
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20211117065454.4142936-1-swboyd@chromium.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/remoteproc/qcom_pil_info.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/remoteproc/qcom_pil_info.c
++++ b/drivers/remoteproc/qcom_pil_info.c
+@@ -104,7 +104,7 @@ int qcom_pil_info_store(const char *imag
+ return -ENOMEM;
+
+ found_unused:
+- memcpy_toio(entry, image, PIL_RELOC_NAME_LEN);
++ memcpy_toio(entry, image, strnlen(image, PIL_RELOC_NAME_LEN));
+ found_existing:
+ /* Use two writel() as base is only aligned to 4 bytes on odd entries */
+ writel(base, entry + PIL_RELOC_NAME_LEN);
diff --git a/queue-5.15/rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch b/queue-5.15/rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch
new file mode 100644
index 00000000000..4cabdafda79
--- /dev/null
+++ b/queue-5.15/rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch
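Review bot: memcpy_toio() now writes only strnlen(image, PIL_RELOC_NAME_LEN) bytes, so for a name shorter than the field the tail of the IMEM name slot is left as it was; the record is only well-formed and NUL-terminated if that slot is known to be zero-filled (presumably at init, which is outside this hunk), otherwise stale bytes after the name could make a later lookup of the same image miss and consume a second slot. Worth pinning that assumption next to the call: `/* Copy just the name; the slot is zeroed at init so the unwritten tail stays NUL. */` — to be confirmed against the init path. A name of exactly PIL_RELOC_NAME_LEN bytes is still stored without a terminator, unchanged from before. qcom_pil_info_store() begins before and continues after the hunk.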
@@ -0,0 +1,45 @@
+From 8b144dedb928e4e2f433a328d58f44c3c098d63e Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Wed, 15 Dec 2021 11:11:05 -0600
+Subject: rtlwifi: rtl8192cu: Fix WARNING when calling local_irq_restore() with interrupts enabled
+
+From: Larry Finger
+
+commit 8b144dedb928e4e2f433a328d58f44c3c098d63e upstream.
+
+Syzbot reports the following WARNING:
+
+[200~raw_local_irq_restore() called with IRQs enabled
+WARNING: CPU: 1 PID: 1206 at kernel/locking/irqflag-debug.c:10
+ warn_bogus_irq_restore+0x1d/0x20 kernel/locking/irqflag-debug.c:10
+
+Hardware initialization for the rtl8188cu can run for as long as 350 ms,
+and the routine may be called with interrupts disabled. To avoid locking
+the machine for this long, the current routine saves the interrupt flags
+and enables local interrupts. The problem is that it restores the flags
+at the end without disabling local interrupts first.
+
+This patch fixes commit a53268be0cb9 ("rtlwifi: rtl8192cu: Fix too long
+disable of IRQs").
+
+Reported-by: syzbot+cce1ee31614c171f5595@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Fixes: a53268be0cb9 ("rtlwifi: rtl8192cu: Fix too long disable of IRQs")
+Signed-off-by: Larry Finger
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20211215171105.20623-1-Larry.Finger@lwfinger.net
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c
+@@ -1000,6 +1000,7 @@ int rtl92cu_hw_init(struct ieee80211_hw
+ _initpabias(hw);
+ rtl92c_dm_init(hw);
+ exit:
++ local_irq_disable();
+ local_irq_restore(flags);
+ return err;
+ }
diff --git a/queue-5.15/series b/queue-5.15/series
index 440987ade44..afe50772cc8 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
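Review bot: The added local_irq_disable() before local_irq_restore(flags) is correct, but nothing at `exit:` says why it is needed — the local_irq_save()/local_irq_enable() pair that makes it necessary sits earlier in rtl92cu_hw_init(), outside this hunk — so a later reader could drop it as redundant and reintroduce the warning; a comment such as `/* irqs were enabled after local_irq_save() above; restore expects them off */` would anchor it. The pattern the commit message describes (enabling interrupts for up to ~350 ms inside a routine that may be entered with them disabled) also means a caller's interrupt-off critical section is broken for that window, which this fix does not address and is worth tracking separately.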
@@ -1,2 +1,15 @@
 devtmpfs-regression-fix-reconfigure-on-each-mount.patch
 drm-amd-display-explicitly-set-is_dsc_supported-to-false-before-use.patch
+orangefs-fix-the-size-of-a-memory-allocation-in-orangefs_bufmap_alloc.patch
+remoteproc-qcom-pil_info-don-t-memcpy_toio-more-than-is-provided.patch
+vfs-fs_context-fix-up-param-length-parsing-in-legacy_parse_param.patch
+perf-protect-perf_guest_cbs-with-rcu.patch
+kvm-x86-register-perf-callbacks-after-calling-vendor-s-hardware_setup.patch
+kvm-x86-register-processor-trace-interrupt-hook-iff-pt-enabled-in-guest.patch
+kvm-x86-don-t-print-when-fail-to-read-write-pv-eoi-memory.patch
+kvm-s390-clarify-sigp-orders-versus-stop-restart.patch
+remoteproc-qcom-pas-add-missing-power-domain-mxc-for-cdsp.patch
+9p-only-copy-valid-iattrs-in-9p2000.l-setattr-implementation.patch
+video-vga16fb-only-probe-for-ega-and-vga-16-color-graphic-cards.patch
+media-uvcvideo-fix-division-by-zero-at-stream-start.patch
+rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch
diff --git a/queue-5.15/vfs-fs_context-fix-up-param-length-parsing-in-legacy_parse_param.patch b/queue-5.15/vfs-fs_context-fix-up-param-length-parsing-in-legacy_parse_param.patch
new file mode 100644
index 00000000000..3fdaec4b7f4
--- /dev/null
+++ b/queue-5.15/vfs-fs_context-fix-up-param-length-parsing-in-legacy_parse_param.patch
@@ -0,0 +1,37 @@
+From 722d94847de29310e8aa03fcbdb41fc92c521756 Mon Sep 17 00:00:00 2001
+From: Jamie Hill-Daniel
+Date: Tue, 18 Jan 2022 08:06:04 +0100
+Subject: vfs: fs_context: fix up param length parsing in legacy_parse_param
+
+From: Jamie Hill-Daniel
+
+commit 722d94847de29310e8aa03fcbdb41fc92c521756 upstream.
+
+The "PAGE_SIZE - 2 - size" calculation in legacy_parse_param() is an
+unsigned type so a large value of "size" results in a high positive
+value instead of a negative value as expected. Fix this by getting rid
+of the subtraction.
+
+Signed-off-by: Jamie Hill-Daniel
+Signed-off-by: William Liu
+Tested-by: Salvatore Bonaccorso
+Tested-by: Thadeu Lima de Souza Cascardo
+Acked-by: Dan Carpenter
+Acked-by: Al Viro
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fs_context.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fs_context.c
++++ b/fs/fs_context.c
+@@ -548,7 +548,7 @@ static int legacy_parse_param(struct fs_
+ param->key);
+ }
+
+- if (len > PAGE_SIZE - 2 - size)
++ if (size + len + 2 > PAGE_SIZE)
+ return invalf(fc, "VFS: Legacy: Cumulative options too large");
+ if (strchr(param->key, ',') ||
+ (param->type == fs_value_is_string &&
diff --git a/queue-5.15/video-vga16fb-only-probe-for-ega-and-vga-16-color-graphic-cards.patch b/queue-5.15/video-vga16fb-only-probe-for-ega-and-vga-16-color-graphic-cards.patch
new file mode 100644
index 00000000000..cda2f35f23a
--- /dev/null
+++ b/queue-5.15/video-vga16fb-only-probe-for-ega-and-vga-16-color-graphic-cards.patch
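Review bot: `size + len + 2 > PAGE_SIZE` is only sound because neither operand can get anywhere near wrapping; `size` and `len` are declared outside the hunk, so the bound holds as long as they stay small relative to their types, which the old subtraction form violated once `size` passed PAGE_SIZE - 2 and the check silently stopped limiting the cumulative options. That reasoning lives only in the commit message, so I'd put it on the line to stop a later "simplification" back to the subtraction: `/* written as an addition: PAGE_SIZE - 2 - size underflows when size > PAGE_SIZE - 2 */`. legacy_parse_param() continues on both sides of the hunk.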
@@ -0,0 +1,77 @@
+From 0499f419b76f94ede08304aad5851144813ac55c Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Mon, 10 Jan 2022 10:56:25 +0100
+Subject: video: vga16fb: Only probe for EGA and VGA 16 color graphic cards
+
+From: Javier Martinez Canillas
+
+commit 0499f419b76f94ede08304aad5851144813ac55c upstream.
+
+The vga16fb framebuffer driver only supports Enhanced Graphics Adapter
+(EGA) and Video Graphics Array (VGA) 16 color graphic cards.
+
+But it doesn't check if the adapter is one of those or if a VGA16 mode
+is used. This means that the driver will be probed even if a VESA BIOS
+Extensions (VBE) or Graphics Output Protocol (GOP) interface is used.
+
+This issue has been present for a long time but it was only exposed by
+commit d391c5827107 ("drivers/firmware: move x86 Generic System
+Framebuffers support") since the platform device registration to match
+the {vesa,efi}fb drivers is done later as a consequence of that change.
+
+All non-x86 architectures though treat orig_video_isVGA as a boolean so
+only do the supported video mode check for x86 and not for other arches.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215001
+Fixes: d391c5827107 ("drivers/firmware: move x86 Generic System Framebuffers support")
+Reported-by: Kris Karas
+Cc: # 5.15.x
+Signed-off-by: Javier Martinez Canillas
+Tested-by: Kris Karas
+Acked-by: Maxime Ripard
+Link: https://patchwork.freedesktop.org/patch/msgid/20220110095625.278836-3-javierm@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/vga16fb.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/video/fbdev/vga16fb.c
++++ b/drivers/video/fbdev/vga16fb.c
+@@ -184,6 +184,25 @@ static inline void setindex(int index)
+ vga_io_w(VGA_GFX_I, index);
+ }
+
++/* Check if the video mode is supported by the driver */
++static inline int check_mode_supported(void)
++{
++ /* non-x86 architectures treat orig_video_isVGA as a boolean flag */
++#if defined(CONFIG_X86)
++ /* only EGA and VGA in 16 color graphic mode are supported */
++ if (screen_info.orig_video_isVGA != VIDEO_TYPE_EGAC &&
++ screen_info.orig_video_isVGA != VIDEO_TYPE_VGAC)
++ return -ENODEV;
++
++ if (screen_info.orig_video_mode != 0x0D && /* 320x200/4 (EGA) */
++ screen_info.orig_video_mode != 0x0E && /* 640x200/4 (EGA) */
++ screen_info.orig_video_mode != 0x10 && /* 640x350/4 (EGA) */
++ screen_info.orig_video_mode != 0x12) /* 640x480/4 (VGA) */
++ return -ENODEV;
++#endif
++ return 0;
++}
++
+ static void vga16fb_pan_var(struct fb_info *info,
+ struct fb_var_screeninfo *var)
+ {
+@@ -1422,6 +1441,11 @@ static int __init vga16fb_init(void)
+
+ vga16fb_setup(option);
+ #endif
++
++ ret = check_mode_supported();
++ if (ret)
++ return ret;
++
+ ret = platform_driver_register(&vga16fb_driver);
+
+ if (!ret) {
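Review bot: check_mode_supported() wraps the x86 fields in `#if defined(CONFIG_X86)`, so its body is never even type-checked on other architectures; `if (IS_ENABLED(CONFIG_X86)) { ... }` would keep it compiled everywhere and still fold to `return 0` elsewhere, provided screen_info's orig_video_isVGA/orig_video_mode and the VIDEO_TYPE_* constants are visible on all arches — I believe they come from the shared uapi header but have not verified that here. The `static inline` on a helper with a single __init caller is unnecessary; `static int __init` would let it be discarded with its caller. In the second hunk the early return precedes platform_driver_register(), so nothing needs unwinding; vga16fb_init() starts outside the hunk.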