From: Greg Kroah-Hartman Date: Fri, 25 Feb 2022 11:41:15 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.9.304~66 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=27d85b5fa72407af77cf0dbb48383d2fd97de2c6;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: clk-jz4725b-fix-mmc0-clock-gating.patch drm-amd-display-protect-update_bw_bounding_box-fpu-code.patch drm-amd-pm-fix-some-oem-sku-specific-stability-issues.patch io_uring-disallow-modification-of-rsrc_data-during-quiesce.patch io_uring-don-t-convert-to-jiffies-for-waiting-on-timeouts.patch kvm-x86-mmu-make-apf-token-non-zero-to-fix-bug.patch parisc-unaligned-fix-fldd-and-fstd-unaligned-handlers-on-32-bit-kernel.patch parisc-unaligned-fix-ldw-and-stw-unalignment-handlers.patch selinux-fix-misuse-of-mutex_is_locked.patch vhost-vsock-don-t-check-owner-in-vhost_vsock_stop-while-releasing.patch --- diff --git a/queue-5.15/clk-jz4725b-fix-mmc0-clock-gating.patch b/queue-5.15/clk-jz4725b-fix-mmc0-clock-gating.patch new file mode 100644 index 00000000000..aed61af4322 --- /dev/null +++ b/queue-5.15/clk-jz4725b-fix-mmc0-clock-gating.patch @@ -0,0 +1,43 @@ +From 2f0754f27a230fee6e6d753f07585cee03bedfe3 Mon Sep 17 00:00:00 2001 +From: Siarhei Volkau +Date: Sat, 5 Feb 2022 20:18:49 +0300 +Subject: clk: jz4725b: fix mmc0 clock gating + +From: Siarhei Volkau + +commit 2f0754f27a230fee6e6d753f07585cee03bedfe3 upstream. + +The mmc0 clock gate bit was mistakenly assigned to "i2s" clock. +You can find that the same bit is assigned to "mmc0" too. +It leads to mmc0 hang for a long time after any sound activity +also it prevented PM_SLEEP to work properly. +I guess it was introduced by copy-paste from jz4740 driver +where it is really controls I2S clock gate. + +Fixes: 226dfa4726eb ("clk: Add Ingenic jz4725b CGU driver") +Signed-off-by: Siarhei Volkau +Tested-by: Siarhei Volkau +Reviewed-by: Paul Cercueil +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220205171849.687805-2-lis8215@gmail.com +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/ingenic/jz4725b-cgu.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/clk/ingenic/jz4725b-cgu.c ++++ b/drivers/clk/ingenic/jz4725b-cgu.c +@@ -139,11 +139,10 @@ static const struct ingenic_cgu_clk_info + }, + + [JZ4725B_CLK_I2S] = { +- "i2s", CGU_CLK_MUX | CGU_CLK_DIV | CGU_CLK_GATE, ++ "i2s", CGU_CLK_MUX | CGU_CLK_DIV, + .parents = { JZ4725B_CLK_EXT, JZ4725B_CLK_PLL_HALF, -1, -1 }, + .mux = { CGU_REG_CPCCR, 31, 1 }, + .div = { CGU_REG_I2SCDR, 0, 1, 9, -1, -1, -1 }, +- .gate = { CGU_REG_CLKGR, 6 }, + }, + + [JZ4725B_CLK_SPI] = { diff --git a/queue-5.15/drm-amd-display-protect-update_bw_bounding_box-fpu-code.patch b/queue-5.15/drm-amd-display-protect-update_bw_bounding_box-fpu-code.patch new file mode 100644 index 00000000000..142e6cb66af --- /dev/null +++ b/queue-5.15/drm-amd-display-protect-update_bw_bounding_box-fpu-code.patch @@ -0,0 +1,53 @@ +From 1432108d00e42ffa383240bcac8d58f89ae19104 Mon Sep 17 00:00:00 2001 +From: Bas Nieuwenhuizen +Date: Sat, 12 Feb 2022 16:40:00 +0100 +Subject: drm/amd/display: Protect update_bw_bounding_box FPU code. + +From: Bas Nieuwenhuizen + +commit 1432108d00e42ffa383240bcac8d58f89ae19104 upstream. + +For DCN3/3.01/3.02 at least these use the fpu. + +v2: squash in build fix for when DCN is not enabled (Leo) + +Signed-off-by: Bas Nieuwenhuizen +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c | 2 ++ + drivers/gpu/drm/amd/display/dc/core/dc.c | 7 +++++-- + 2 files changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c +@@ -437,8 +437,10 @@ static void dcn3_get_memclk_states_from_ + clk_mgr_base->bw_params->clk_table.num_entries = num_levels ? num_levels : 1; + + /* Refresh bounding box */ ++ DC_FP_START(); + clk_mgr_base->ctx->dc->res_pool->funcs->update_bw_bounding_box( + clk_mgr->base.ctx->dc, clk_mgr_base->bw_params); ++ DC_FP_END(); + } + + static bool dcn3_is_smu_present(struct clk_mgr *clk_mgr_base) +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -891,10 +891,13 @@ static bool dc_construct(struct dc *dc, + goto fail; + #ifdef CONFIG_DRM_AMD_DC_DCN + dc->clk_mgr->force_smu_not_present = init_params->force_smu_not_present; +-#endif + +- if (dc->res_pool->funcs->update_bw_bounding_box) ++ if (dc->res_pool->funcs->update_bw_bounding_box) { ++ DC_FP_START(); + dc->res_pool->funcs->update_bw_bounding_box(dc, dc->clk_mgr->bw_params); ++ DC_FP_END(); ++ } ++#endif + + /* Creation of current_state must occur after dc->dml + * is initialized in dc_create_resource_pool because diff --git a/queue-5.15/drm-amd-pm-fix-some-oem-sku-specific-stability-issues.patch b/queue-5.15/drm-amd-pm-fix-some-oem-sku-specific-stability-issues.patch new file mode 100644 index 00000000000..5fdfcc39356 --- /dev/null +++ b/queue-5.15/drm-amd-pm-fix-some-oem-sku-specific-stability-issues.patch @@ -0,0 +1,69 @@ +From e3f3824874da78db5775a5cb9c0970cd1c6978bc Mon Sep 17 00:00:00 2001 +From: Evan Quan +Date: Thu, 20 Jan 2022 19:16:19 +0800 +Subject: drm/amd/pm: fix some OEM SKU specific stability issues + +From: Evan Quan + +commit e3f3824874da78db5775a5cb9c0970cd1c6978bc upstream. + +Add a quirk in sienna_cichlid_ppt.c to fix some OEM SKU +specific stability issues. + +Signed-off-by: Evan Quan +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 32 +++++++++++++++- + 1 file changed, 31 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c +@@ -418,6 +418,36 @@ static int sienna_cichlid_store_powerpla + return 0; + } + ++static int sienna_cichlid_patch_pptable_quirk(struct smu_context *smu) ++{ ++ struct amdgpu_device *adev = smu->adev; ++ uint32_t *board_reserved; ++ uint16_t *freq_table_gfx; ++ uint32_t i; ++ ++ /* Fix some OEM SKU specific stability issues */ ++ GET_PPTABLE_MEMBER(BoardReserved, &board_reserved); ++ if ((adev->pdev->device == 0x73DF) && ++ (adev->pdev->revision == 0XC3) && ++ (adev->pdev->subsystem_device == 0x16C2) && ++ (adev->pdev->subsystem_vendor == 0x1043)) ++ board_reserved[0] = 1387; ++ ++ GET_PPTABLE_MEMBER(FreqTableGfx, &freq_table_gfx); ++ if ((adev->pdev->device == 0x73DF) && ++ (adev->pdev->revision == 0XC3) && ++ ((adev->pdev->subsystem_device == 0x16C2) || ++ (adev->pdev->subsystem_device == 0x133C)) && ++ (adev->pdev->subsystem_vendor == 0x1043)) { ++ for (i = 0; i < NUM_GFXCLK_DPM_LEVELS; i++) { ++ if (freq_table_gfx[i] > 2500) ++ freq_table_gfx[i] = 2500; ++ } ++ } ++ ++ return 0; ++} ++ + static int sienna_cichlid_setup_pptable(struct smu_context *smu) + { + int ret = 0; +@@ -438,7 +468,7 @@ static int sienna_cichlid_setup_pptable( + if (ret) + return ret; + +- return ret; ++ return sienna_cichlid_patch_pptable_quirk(smu); + } + + static int sienna_cichlid_tables_init(struct smu_context *smu) diff --git a/queue-5.15/io_uring-disallow-modification-of-rsrc_data-during-quiesce.patch b/queue-5.15/io_uring-disallow-modification-of-rsrc_data-during-quiesce.patch new file mode 100644 index 00000000000..4d695080281 --- /dev/null +++ b/queue-5.15/io_uring-disallow-modification-of-rsrc_data-during-quiesce.patch @@ -0,0 +1,49 @@ +From 80912cef18f16f8fe59d1fb9548d4364342be360 Mon Sep 17 00:00:00 2001 +From: Dylan Yudaken +Date: Tue, 22 Feb 2022 08:17:51 -0800 +Subject: io_uring: disallow modification of rsrc_data during quiesce + +From: Dylan Yudaken + +commit 80912cef18f16f8fe59d1fb9548d4364342be360 upstream. + +io_rsrc_ref_quiesce will unlock the uring while it waits for references to +the io_rsrc_data to be killed. +There are other places to the data that might add references to data via +calls to io_rsrc_node_switch. +There is a race condition where this reference can be added after the +completion has been signalled. At this point the io_rsrc_ref_quiesce call +will wake up and relock the uring, assuming the data is unused and can be +freed - although it is actually being used. + +To fix this check in io_rsrc_ref_quiesce if a resource has been revived. + +Reported-by: syzbot+ca8bf833622a1662745b@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Dylan Yudaken +Link: https://lore.kernel.org/r/20220222161751.995746-1-dylany@fb.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -7818,7 +7818,15 @@ static int io_rsrc_ref_quiesce(struct io + ret = wait_for_completion_interruptible(&data->done); + if (!ret) { + mutex_lock(&ctx->uring_lock); +- break; ++ if (atomic_read(&data->refs) > 0) { ++ /* ++ * it has been revived by another thread while ++ * we were unlocked ++ */ ++ mutex_unlock(&ctx->uring_lock); ++ } else { ++ break; ++ } + } + + atomic_inc(&data->refs); diff --git a/queue-5.15/io_uring-don-t-convert-to-jiffies-for-waiting-on-timeouts.patch b/queue-5.15/io_uring-don-t-convert-to-jiffies-for-waiting-on-timeouts.patch new file mode 100644 index 00000000000..5913798874c --- /dev/null +++ b/queue-5.15/io_uring-don-t-convert-to-jiffies-for-waiting-on-timeouts.patch @@ -0,0 +1,77 @@ +From 228339662b398a59b3560cd571deb8b25b253c7e Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Mon, 21 Feb 2022 05:49:30 -0700 +Subject: io_uring: don't convert to jiffies for waiting on timeouts + +From: Jens Axboe + +commit 228339662b398a59b3560cd571deb8b25b253c7e upstream. + +If an application calls io_uring_enter(2) with a timespec passed in, +convert that timespec to ktime_t rather than jiffies. The latter does +not provide the granularity the application may expect, and may in +fact provided different granularity on different systems, depending +on what the HZ value is configured at. + +Turn the timespec into an absolute ktime_t, and use that with +schedule_hrtimeout() instead. + +Link: https://github.com/axboe/liburing/issues/531 +Cc: stable@vger.kernel.org +Reported-by: Bob Chen +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -7590,7 +7590,7 @@ static int io_run_task_work_sig(void) + /* when returns >0, the caller should retry */ + static inline int io_cqring_wait_schedule(struct io_ring_ctx *ctx, + struct io_wait_queue *iowq, +- signed long *timeout) ++ ktime_t timeout) + { + int ret; + +@@ -7602,8 +7602,9 @@ static inline int io_cqring_wait_schedul + if (test_bit(0, &ctx->check_cq_overflow)) + return 1; + +- *timeout = schedule_timeout(*timeout); +- return !*timeout ? -ETIME : 1; ++ if (!schedule_hrtimeout(&timeout, HRTIMER_MODE_ABS)) ++ return -ETIME; ++ return 1; + } + + /* +@@ -7616,7 +7617,7 @@ static int io_cqring_wait(struct io_ring + { + struct io_wait_queue iowq; + struct io_rings *rings = ctx->rings; +- signed long timeout = MAX_SCHEDULE_TIMEOUT; ++ ktime_t timeout = KTIME_MAX; + int ret; + + do { +@@ -7632,7 +7633,7 @@ static int io_cqring_wait(struct io_ring + + if (get_timespec64(&ts, uts)) + return -EFAULT; +- timeout = timespec64_to_jiffies(&ts); ++ timeout = ktime_add_ns(timespec64_to_ktime(ts), ktime_get_ns()); + } + + if (sig) { +@@ -7664,7 +7665,7 @@ static int io_cqring_wait(struct io_ring + } + prepare_to_wait_exclusive(&ctx->cq_wait, &iowq.wq, + TASK_INTERRUPTIBLE); +- ret = io_cqring_wait_schedule(ctx, &iowq, &timeout); ++ ret = io_cqring_wait_schedule(ctx, &iowq, timeout); + finish_wait(&ctx->cq_wait, &iowq.wq); + cond_resched(); + } while (ret > 0); diff --git a/queue-5.15/kvm-x86-mmu-make-apf-token-non-zero-to-fix-bug.patch b/queue-5.15/kvm-x86-mmu-make-apf-token-non-zero-to-fix-bug.patch new file mode 100644 index 00000000000..ced44c84aae --- /dev/null +++ b/queue-5.15/kvm-x86-mmu-make-apf-token-non-zero-to-fix-bug.patch @@ -0,0 +1,79 @@ +From 6f3c1fc53d86d580d8d6d749c4af23705e4f6f79 Mon Sep 17 00:00:00 2001 +From: Liang Zhang +Date: Tue, 22 Feb 2022 11:12:39 +0800 +Subject: KVM: x86/mmu: make apf token non-zero to fix bug + +From: Liang Zhang + +commit 6f3c1fc53d86d580d8d6d749c4af23705e4f6f79 upstream. + +In current async pagefault logic, when a page is ready, KVM relies on +kvm_arch_can_dequeue_async_page_present() to determine whether to deliver +a READY event to the Guest. This function test token value of struct +kvm_vcpu_pv_apf_data, which must be reset to zero by Guest kernel when a +READY event is finished by Guest. If value is zero meaning that a READY +event is done, so the KVM can deliver another. +But the kvm_arch_setup_async_pf() may produce a valid token with zero +value, which is confused with previous mention and may lead the loss of +this READY event. + +This bug may cause task blocked forever in Guest: + INFO: task stress:7532 blocked for more than 1254 seconds. + Not tainted 5.10.0 #16 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + task:stress state:D stack: 0 pid: 7532 ppid: 1409 + flags:0x00000080 + Call Trace: + __schedule+0x1e7/0x650 + schedule+0x46/0xb0 + kvm_async_pf_task_wait_schedule+0xad/0xe0 + ? exit_to_user_mode_prepare+0x60/0x70 + __kvm_handle_async_pf+0x4f/0xb0 + ? asm_exc_page_fault+0x8/0x30 + exc_page_fault+0x6f/0x110 + ? asm_exc_page_fault+0x8/0x30 + asm_exc_page_fault+0x1e/0x30 + RIP: 0033:0x402d00 + RSP: 002b:00007ffd31912500 EFLAGS: 00010206 + RAX: 0000000000071000 RBX: ffffffffffffffff RCX: 00000000021a32b0 + RDX: 000000000007d011 RSI: 000000000007d000 RDI: 00000000021262b0 + RBP: 00000000021262b0 R08: 0000000000000003 R09: 0000000000000086 + R10: 00000000000000eb R11: 00007fefbdf2baa0 R12: 0000000000000000 + R13: 0000000000000002 R14: 000000000007d000 R15: 0000000000001000 + +Signed-off-by: Liang Zhang +Message-Id: <20220222031239.1076682-1-zhangliang5@huawei.com> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu/mmu.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/mmu/mmu.c ++++ b/arch/x86/kvm/mmu/mmu.c +@@ -3889,12 +3889,23 @@ static void shadow_page_table_clear_floo + walk_shadow_page_lockless_end(vcpu); + } + ++static u32 alloc_apf_token(struct kvm_vcpu *vcpu) ++{ ++ /* make sure the token value is not 0 */ ++ u32 id = vcpu->arch.apf.id; ++ ++ if (id << 12 == 0) ++ vcpu->arch.apf.id = 1; ++ ++ return (vcpu->arch.apf.id++ << 12) | vcpu->vcpu_id; ++} ++ + static bool kvm_arch_setup_async_pf(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, + gfn_t gfn) + { + struct kvm_arch_async_pf arch; + +- arch.token = (vcpu->arch.apf.id++ << 12) | vcpu->vcpu_id; ++ arch.token = alloc_apf_token(vcpu); + arch.gfn = gfn; + arch.direct_map = vcpu->arch.mmu->direct_map; + arch.cr3 = vcpu->arch.mmu->get_guest_pgd(vcpu); diff --git a/queue-5.15/parisc-unaligned-fix-fldd-and-fstd-unaligned-handlers-on-32-bit-kernel.patch b/queue-5.15/parisc-unaligned-fix-fldd-and-fstd-unaligned-handlers-on-32-bit-kernel.patch new file mode 100644 index 00000000000..3676a1f860e --- /dev/null +++ b/queue-5.15/parisc-unaligned-fix-fldd-and-fstd-unaligned-handlers-on-32-bit-kernel.patch @@ -0,0 +1,80 @@ +From dd2288f4a020d693360e3e8d72f8b9d9c25f5ef6 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Fri, 18 Feb 2022 09:25:20 +0100 +Subject: parisc/unaligned: Fix fldd and fstd unaligned handlers on 32-bit kernel + +From: Helge Deller + +commit dd2288f4a020d693360e3e8d72f8b9d9c25f5ef6 upstream. + +Usually the kernel provides fixup routines to emulate the fldd and fstd +floating-point instructions if they load or store 8-byte from/to a not +natuarally aligned memory location. + +On a 32-bit kernel I noticed that those unaligned handlers didn't worked and +instead the application got a SEGV. +While checking the code I found two problems: + +First, the OPCODE_FLDD_L and OPCODE_FSTD_L cases were ifdef'ed out by the +CONFIG_PA20 option, and as such those weren't built on a pure 32-bit kernel. +This is now fixed by moving the CONFIG_PA20 #ifdef to prevent the compilation +of OPCODE_LDD_L and OPCODE_FSTD_L only, and handling the fldd and fstd +instructions. + +The second problem are two bugs in the 32-bit inline assembly code, where the +wrong registers where used. The calculation of the natural alignment used %2 +(vall) instead of %3 (ior), and the first word was stored back to address %1 +(valh) instead of %3 (ior). + +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/unaligned.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/parisc/kernel/unaligned.c ++++ b/arch/parisc/kernel/unaligned.c +@@ -397,7 +397,7 @@ static int emulate_std(struct pt_regs *r + __asm__ __volatile__ ( + " mtsp %4, %%sr1\n" + " zdep %2, 29, 2, %%r19\n" +-" dep %%r0, 31, 2, %2\n" ++" dep %%r0, 31, 2, %3\n" + " mtsar %%r19\n" + " zvdepi -2, 32, %%r19\n" + "1: ldw 0(%%sr1,%3),%%r20\n" +@@ -409,7 +409,7 @@ static int emulate_std(struct pt_regs *r + " andcm %%r21, %%r19, %%r21\n" + " or %1, %%r20, %1\n" + " or %2, %%r21, %2\n" +-"3: stw %1,0(%%sr1,%1)\n" ++"3: stw %1,0(%%sr1,%3)\n" + "4: stw %%r1,4(%%sr1,%3)\n" + "5: stw %2,8(%%sr1,%3)\n" + " copy %%r0, %0\n" +@@ -596,7 +596,6 @@ void handle_unaligned(struct pt_regs *re + ret = ERR_NOTHANDLED; /* "undefined", but lets kill them. */ + break; + } +-#ifdef CONFIG_PA20 + switch (regs->iir & OPCODE2_MASK) + { + case OPCODE_FLDD_L: +@@ -607,14 +606,15 @@ void handle_unaligned(struct pt_regs *re + flop=1; + ret = emulate_std(regs, R2(regs->iir),1); + break; ++#ifdef CONFIG_PA20 + case OPCODE_LDD_L: + ret = emulate_ldd(regs, R2(regs->iir),0); + break; + case OPCODE_STD_L: + ret = emulate_std(regs, R2(regs->iir),0); + break; +- } + #endif ++ } + switch (regs->iir & OPCODE3_MASK) + { + case OPCODE_FLDW_L: diff --git a/queue-5.15/parisc-unaligned-fix-ldw-and-stw-unalignment-handlers.patch b/queue-5.15/parisc-unaligned-fix-ldw-and-stw-unalignment-handlers.patch new file mode 100644 index 00000000000..2681d446ec4 --- /dev/null +++ b/queue-5.15/parisc-unaligned-fix-ldw-and-stw-unalignment-handlers.patch @@ -0,0 +1,49 @@ +From a97279836867b1cb50a3d4f0b1bf60e0abe6d46c Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Fri, 18 Feb 2022 23:40:14 +0100 +Subject: parisc/unaligned: Fix ldw() and stw() unalignment handlers + +From: Helge Deller + +commit a97279836867b1cb50a3d4f0b1bf60e0abe6d46c upstream. + +Fix 3 bugs: + +a) emulate_stw() doesn't return the error code value, so faulting +instructions are not reported and aborted. + +b) Tell emulate_ldw() to handle fldw_l as floating point instruction + +c) Tell emulate_ldw() to handle ldw_m as integer instruction + +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/unaligned.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/parisc/kernel/unaligned.c ++++ b/arch/parisc/kernel/unaligned.c +@@ -340,7 +340,7 @@ static int emulate_stw(struct pt_regs *r + : "r" (val), "r" (regs->ior), "r" (regs->isr) + : "r19", "r20", "r21", "r22", "r1", FIXUP_BRANCH_CLOBBER ); + +- return 0; ++ return ret; + } + static int emulate_std(struct pt_regs *regs, int frreg, int flop) + { +@@ -619,10 +619,10 @@ void handle_unaligned(struct pt_regs *re + { + case OPCODE_FLDW_L: + flop=1; +- ret = emulate_ldw(regs, R2(regs->iir),0); ++ ret = emulate_ldw(regs, R2(regs->iir), 1); + break; + case OPCODE_LDW_M: +- ret = emulate_ldw(regs, R2(regs->iir),1); ++ ret = emulate_ldw(regs, R2(regs->iir), 0); + break; + + case OPCODE_FSTW_L: diff --git a/queue-5.15/selinux-fix-misuse-of-mutex_is_locked.patch b/queue-5.15/selinux-fix-misuse-of-mutex_is_locked.patch new file mode 100644 index 00000000000..1e770b49f5b --- /dev/null +++ b/queue-5.15/selinux-fix-misuse-of-mutex_is_locked.patch @@ -0,0 +1,44 @@ +From ce2fc710c9d2b25afc710f49bb2065b4439a62bc Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Mon, 21 Feb 2022 15:06:49 +0100 +Subject: selinux: fix misuse of mutex_is_locked() + +From: Ondrej Mosnacek + +commit ce2fc710c9d2b25afc710f49bb2065b4439a62bc upstream. + +mutex_is_locked() tests whether the mutex is locked *by any task*, while +here we want to test if it is held *by the current task*. To avoid +false/missed WARNINGs, use lockdep_assert_is_held() and +lockdep_assert_is_not_held() instead, which do the right thing (though +they are a no-op if CONFIG_LOCKDEP=n). + +Cc: stable@vger.kernel.org +Fixes: 2554a48f4437 ("selinux: measure state and policy capabilities") +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/ima.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/security/selinux/ima.c ++++ b/security/selinux/ima.c +@@ -77,7 +77,7 @@ void selinux_ima_measure_state_locked(st + size_t policy_len; + int rc = 0; + +- WARN_ON(!mutex_is_locked(&state->policy_mutex)); ++ lockdep_assert_held(&state->policy_mutex); + + state_str = selinux_ima_collect_state(state); + if (!state_str) { +@@ -117,7 +117,7 @@ void selinux_ima_measure_state_locked(st + */ + void selinux_ima_measure_state(struct selinux_state *state) + { +- WARN_ON(mutex_is_locked(&state->policy_mutex)); ++ lockdep_assert_not_held(&state->policy_mutex); + + mutex_lock(&state->policy_mutex); + selinux_ima_measure_state_locked(state); diff --git a/queue-5.15/series b/queue-5.15/series index 31df633a32a..b892ae89519 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -4,3 +4,13 @@ cgroup-v1-correct-privileges-check-in-release_agent-writes.patch x86-ptrace-fix-xfpregs_set-s-incorrect-xmm-clearing.patch btrfs-tree-checker-check-item_size-for-inode_item.patch btrfs-tree-checker-check-item_size-for-dev_item.patch +clk-jz4725b-fix-mmc0-clock-gating.patch +io_uring-don-t-convert-to-jiffies-for-waiting-on-timeouts.patch +io_uring-disallow-modification-of-rsrc_data-during-quiesce.patch +selinux-fix-misuse-of-mutex_is_locked.patch +vhost-vsock-don-t-check-owner-in-vhost_vsock_stop-while-releasing.patch +parisc-unaligned-fix-fldd-and-fstd-unaligned-handlers-on-32-bit-kernel.patch +parisc-unaligned-fix-ldw-and-stw-unalignment-handlers.patch +kvm-x86-mmu-make-apf-token-non-zero-to-fix-bug.patch +drm-amd-display-protect-update_bw_bounding_box-fpu-code.patch +drm-amd-pm-fix-some-oem-sku-specific-stability-issues.patch diff --git a/queue-5.15/vhost-vsock-don-t-check-owner-in-vhost_vsock_stop-while-releasing.patch b/queue-5.15/vhost-vsock-don-t-check-owner-in-vhost_vsock_stop-while-releasing.patch new file mode 100644 index 00000000000..3cf8c5a79c1 --- /dev/null +++ b/queue-5.15/vhost-vsock-don-t-check-owner-in-vhost_vsock_stop-while-releasing.patch @@ -0,0 +1,85 @@ +From a58da53ffd70294ebea8ecd0eb45fd0d74add9f9 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Tue, 22 Feb 2022 10:47:42 +0100 +Subject: vhost/vsock: don't check owner in vhost_vsock_stop() while releasing + +From: Stefano Garzarella + +commit a58da53ffd70294ebea8ecd0eb45fd0d74add9f9 upstream. + +vhost_vsock_stop() calls vhost_dev_check_owner() to check the device +ownership. It expects current->mm to be valid. + +vhost_vsock_stop() is also called by vhost_vsock_dev_release() when +the user has not done close(), so when we are in do_exit(). In this +case current->mm is invalid and we're releasing the device, so we +should clean it anyway. + +Let's check the owner only when vhost_vsock_stop() is called +by an ioctl. + +When invoked from release we can not fail so we don't check return +code of vhost_vsock_stop(). We need to stop vsock even if it's not +the owner. + +Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko") +Cc: stable@vger.kernel.org +Reported-by: syzbot+1e3ea63db39f2b4440e0@syzkaller.appspotmail.com +Reported-and-tested-by: syzbot+3140b17cb44a7b174008@syzkaller.appspotmail.com +Signed-off-by: Stefano Garzarella +Acked-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vsock.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/drivers/vhost/vsock.c ++++ b/drivers/vhost/vsock.c +@@ -633,16 +633,18 @@ err: + return ret; + } + +-static int vhost_vsock_stop(struct vhost_vsock *vsock) ++static int vhost_vsock_stop(struct vhost_vsock *vsock, bool check_owner) + { + size_t i; +- int ret; ++ int ret = 0; + + mutex_lock(&vsock->dev.mutex); + +- ret = vhost_dev_check_owner(&vsock->dev); +- if (ret) +- goto err; ++ if (check_owner) { ++ ret = vhost_dev_check_owner(&vsock->dev); ++ if (ret) ++ goto err; ++ } + + for (i = 0; i < ARRAY_SIZE(vsock->vqs); i++) { + struct vhost_virtqueue *vq = &vsock->vqs[i]; +@@ -757,7 +759,12 @@ static int vhost_vsock_dev_release(struc + * inefficient. Room for improvement here. */ + vsock_for_each_connected_socket(vhost_vsock_reset_orphans); + +- vhost_vsock_stop(vsock); ++ /* Don't check the owner, because we are in the release path, so we ++ * need to stop the vsock device in any case. ++ * vhost_vsock_stop() can not fail in this case, so we don't need to ++ * check the return code. ++ */ ++ vhost_vsock_stop(vsock, false); + vhost_vsock_flush(vsock); + vhost_dev_stop(&vsock->dev); + +@@ -872,7 +879,7 @@ static long vhost_vsock_dev_ioctl(struct + if (start) + return vhost_vsock_start(vsock); + else +- return vhost_vsock_stop(vsock); ++ return vhost_vsock_stop(vsock, true); + case VHOST_GET_FEATURES: + features = VHOST_VSOCK_FEATURES; + if (copy_to_user(argp, &features, sizeof(features)))