From: Greg Kroah-Hartman Date: Mon, 25 Apr 2022 10:38:17 +0000 (+0200) Subject: 5.17-stable patches X-Git-Tag: v4.9.312~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2b99f6057a5c5aeb96a0d619534bdb292cd6315f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.17-stable patches added patches: arc-entry-fix-syscall_trace_exit-argument.patch asoc-rt5682-fix-an-incorrect-null-check-on-list-iterator.patch asoc-soc-dapm-fix-two-incorrect-uses-of-list-iterator.patch cifs-fix-null-ptr-dereference-in-refresh_mounts.patch cifs-use-correct-lock-type-in-cifs_reconnect.patch codecs-rt5682s-fix-an-incorrect-null-check-on-list-iterator.patch drm-vmwgfx-fix-gem-refcounting-and-memory-evictions.patch e1000e-fix-possible-overflow-in-ltr-decoding.patch fs-fix-acl-translation.patch gpio-request-interrupts-after-irq-is-initialized.patch openvswitch-fix-oob-access-in-reserve_sfa_size.patch xtensa-fix-a7-clobbering-in-coprocessor-context-load-store.patch xtensa-patch_text-fixup-last-cpu-should-be-master.patch --- diff --git a/queue-5.17/arc-entry-fix-syscall_trace_exit-argument.patch b/queue-5.17/arc-entry-fix-syscall_trace_exit-argument.patch new file mode 100644 index 00000000000..c23458d848e --- /dev/null +++ b/queue-5.17/arc-entry-fix-syscall_trace_exit-argument.patch 
@@ -0,0 +1,31 @@
+From b1c6ecfdd06907554518ec384ce8e99889d15193 Mon Sep 17 00:00:00 2001
+From: Sergey Matyukevich
+Date: Thu, 14 Apr 2022 11:17:22 +0300
+Subject: ARC: entry: fix syscall_trace_exit argument
+
+From: Sergey Matyukevich
+
+commit b1c6ecfdd06907554518ec384ce8e99889d15193 upstream.
+
+Function syscall_trace_exit expects pointer to pt_regs. However
+r0 is also used to keep syscall return value. Restore pointer
+to pt_regs before calling syscall_trace_exit.
+
+Cc:
+Signed-off-by: Sergey Matyukevich
+Signed-off-by: Vineet Gupta
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arc/kernel/entry.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arc/kernel/entry.S
++++ b/arch/arc/kernel/entry.S
+@@ -196,6 +196,7 @@ tracesys_exit:
+ st r0, [sp, PT_r0] ; sys call return value in pt_regs
+
+ ;POST Sys Call Ptrace Hook
++ mov r0, sp ; pt_regs needed
+ bl @syscall_trace_exit
+ b ret_from_exception ; NOT ret_from_system_call at is saves r0 which
+ ; we'd done before calling post hook above
diff --git a/queue-5.17/asoc-rt5682-fix-an-incorrect-null-check-on-list-iterator.patch b/queue-5.17/asoc-rt5682-fix-an-incorrect-null-check-on-list-iterator.patch
new file mode 100644
index 00000000000..90b5b3347d4
--- /dev/null
+++ b/queue-5.17/asoc-rt5682-fix-an-incorrect-null-check-on-list-iterator.patch
@@ -0,0 +1,55 @@
+From c8618d65007ba68d7891130642d73e89372101e8 Mon Sep 17 00:00:00 2001
+From: Xiaomeng Tong
+Date: Sun, 27 Mar 2022 16:10:02 +0800
+Subject: ASoC: rt5682: fix an incorrect NULL check on list iterator
+
+From: Xiaomeng Tong
+
+commit c8618d65007ba68d7891130642d73e89372101e8 upstream.
+
+The bug is here:
+ if (!dai) {
+
+The list iterator value 'dai' will *always* be set and non-NULL
+by for_each_component_dais(), so it is incorrect to assume that
+the iterator value will be NULL if the list is empty or no element
+is found (In fact, it will be a bogus pointer to an invalid struct
+object containing the HEAD). Otherwise it will bypass the check
+'if (!dai) {' (never call dev_err() and never return -ENODEV;)
+and lead to invalid memory access lately when calling
+'rt5682_set_bclk1_ratio(dai, factor);'.
+
+To fix the bug, just return rt5682_set_bclk1_ratio(dai, factor);
+when found the 'dai', otherwise dev_err() and return -ENODEV;
+
+Cc: stable@vger.kernel.org
+Fixes: ebbfabc16d23d ("ASoC: rt5682: Add CCF usage for providing I2S clks")
+Signed-off-by: Xiaomeng Tong
+Link: https://lore.kernel.org/r/20220327081002.12684-1-xiam0nd.tong@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/codecs/rt5682.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/sound/soc/codecs/rt5682.c
++++ b/sound/soc/codecs/rt5682.c
+@@ -2822,14 +2822,11 @@ static int rt5682_bclk_set_rate(struct c
+
+ for_each_component_dais(component, dai)
+ if (dai->id == RT5682_AIF1)
+- break;
+- if (!dai) {
+- dev_err(rt5682->i2c_dev, "dai %d not found in component\n",
+- RT5682_AIF1);
+- return -ENODEV;
+- }
++ return rt5682_set_bclk1_ratio(dai, factor);
+
+- return rt5682_set_bclk1_ratio(dai, factor);
++ dev_err(rt5682->i2c_dev, "dai %d not found in component\n",
++ RT5682_AIF1);
++ return -ENODEV;
+ }
+
+ static const struct clk_ops rt5682_dai_clk_ops[RT5682_DAI_NUM_CLKS] = {
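Review bot: The rewritten `for_each_component_dais()` loop in rt5682_bclk_set_rate() now has a two-line body (an `if` carrying a `return`) but no braces, which kernel coding style asks for once a loop body is more than a single simple statement. Writing it as `for_each_component_dais(component, dai) {` … `}` around `if (dai->id == RT5682_AIF1) return rt5682_set_bclk1_ratio(dai, factor);` makes it plain that the `dev_err()`/`-ENODEV` path below is the not-found case and not part of the loop. The identical loop in the rt5682s patch of this series has the same shape. The function begins outside the hunk.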
diff --git a/queue-5.17/asoc-soc-dapm-fix-two-incorrect-uses-of-list-iterator.patch b/queue-5.17/asoc-soc-dapm-fix-two-incorrect-uses-of-list-iterator.patch
new file mode 100644
index 00000000000..c893c11d431
--- /dev/null
+++ b/queue-5.17/asoc-soc-dapm-fix-two-incorrect-uses-of-list-iterator.patch
@@ -0,0 +1,59 @@
+From f730a46b931d894816af34a0ff8e4ad51565b39f Mon Sep 17 00:00:00 2001
+From: Xiaomeng Tong
+Date: Tue, 29 Mar 2022 09:21:34 +0800
+Subject: ASoC: soc-dapm: fix two incorrect uses of list iterator
+
+From: Xiaomeng Tong
+
+commit f730a46b931d894816af34a0ff8e4ad51565b39f upstream.
+
+These two bug are here:
+ list_for_each_entry_safe_continue(w, n, list,
+ power_list);
+ list_for_each_entry_safe_continue(w, n, list,
+ power_list);
+
+After the list_for_each_entry_safe_continue() exits, the list iterator
+will always be a bogus pointer which point to an invalid struct objdect
+containing HEAD member. The funciton poniter 'w->event' will be a
+invalid value which can lead to a control-flow hijack if the 'w' can be
+controlled.
+
+The original intention was to continue the outer list_for_each_entry_safe()
+loop with the same entry if w->event is NULL, but misunderstanding the
+meaning of list_for_each_entry_safe_continue().
+
+So just add a 'continue;' to fix the bug.
+
+Cc: stable@vger.kernel.org
+Fixes: 163cac061c973 ("ASoC: Factor out DAPM sequence execution")
+Signed-off-by: Xiaomeng Tong
+Link: https://lore.kernel.org/r/20220329012134.9375-1-xiam0nd.tong@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/soc-dapm.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -1687,8 +1687,7 @@ static void dapm_seq_run(struct snd_soc_
+ switch (w->id) {
+ case snd_soc_dapm_pre:
+ if (!w->event)
+- list_for_each_entry_safe_continue(w, n, list,
+- power_list);
++ continue;
+
+ if (event == SND_SOC_DAPM_STREAM_START)
+ ret = w->event(w,
+@@ -1700,8 +1699,7 @@ static void dapm_seq_run(struct snd_soc_
+
+ case snd_soc_dapm_post:
+ if (!w->event)
+- list_for_each_entry_safe_continue(w, n, list,
+- power_list);
++ continue;
+
+ if (event == SND_SOC_DAPM_STREAM_START)
+ ret = w->event(w,
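Review bot: The two new `continue;` statements in dapm_seq_run() sit inside a `switch`, so they end the current iteration of the enclosing list walk rather than the `case`, and whatever follows the `switch` is skipped for that widget; that is easy to misread as a `break`. A short comment on each, for example `/* no event callback: move on to the next widget in the outer loop */`, would record the intent the commit message describes. The loop header and the code after the `switch` are outside the hunk, so what exactly is skipped cannot be checked from here.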
diff --git a/queue-5.17/cifs-fix-null-ptr-dereference-in-refresh_mounts.patch b/queue-5.17/cifs-fix-null-ptr-dereference-in-refresh_mounts.patch
new file mode 100644
index 00000000000..5448fdd54ba
--- /dev/null
+++ b/queue-5.17/cifs-fix-null-ptr-dereference-in-refresh_mounts.patch
@@ -0,0 +1,129 @@ +From 41f10081a92a0ed280008218a8ec18ad8ba0fceb Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Wed, 20 Apr 2022 21:05:45 -0300 +Subject: cifs: fix NULL ptr dereference in refresh_mounts() + +From: Paulo Alcantara + +commit 41f10081a92a0ed280008218a8ec18ad8ba0fceb upstream. + +Either mount(2) or automount might not have server->origin_fullpath +set yet while refresh_cache_worker() is attempting to refresh DFS +referrals. Add missing NULL check and locking around it. + +This fixes bellow crash: + +[ 1070.276835] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI +[ 1070.277676] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +[ 1070.278219] CPU: 1 PID: 8506 Comm: kworker/u8:1 Not tainted 5.18.0-rc3 #10 +[ 1070.278701] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 +[ 1070.279495] Workqueue: cifs-dfscache refresh_cache_worker [cifs] +[ 1070.280044] RIP: 0010:strcasecmp+0x34/0x150 +[ 1070.280359] Code: 00 00 00 fc ff df 41 54 55 48 89 fd 53 48 83 ec 10 eb 03 4c 89 fe 48 89 ef 48 83 c5 01 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 08 84 c0 0f 85 bc 00 00 00 0f b6 45 ff 44 +[ 1070.281729] RSP: 0018:ffffc90008367958 EFLAGS: 00010246 +[ 1070.282114] RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000 +[ 1070.282691] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 1070.283273] RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffff873eda27 +[ 1070.283857] R10: ffffc900083679a0 R11: 0000000000000001 R12: ffff88812624c000 +[ 1070.284436] R13: dffffc0000000000 R14: ffff88810e6e9a88 R15: ffff888119bb9000 +[ 1070.284990] FS: 0000000000000000(0000) GS:ffff888151200000(0000) knlGS:0000000000000000 +[ 1070.285625] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1070.286100] CR2: 0000561a4d922418 CR3: 000000010aecc000 CR4: 0000000000350ee0 +[ 
1070.286683] Call Trace: +[ 1070.286890] +[ 1070.287070] refresh_cache_worker+0x895/0xd20 [cifs] +[ 1070.287475] ? __refresh_tcon.isra.0+0xfb0/0xfb0 [cifs] +[ 1070.287905] ? __lock_acquire+0xcd1/0x6960 +[ 1070.288247] ? is_dynamic_key+0x1a0/0x1a0 +[ 1070.288591] ? lockdep_hardirqs_on_prepare+0x410/0x410 +[ 1070.289012] ? lock_downgrade+0x6f0/0x6f0 +[ 1070.289318] process_one_work+0x7bd/0x12d0 +[ 1070.289637] ? worker_thread+0x160/0xec0 +[ 1070.289970] ? pwq_dec_nr_in_flight+0x230/0x230 +[ 1070.290318] ? _raw_spin_lock_irq+0x5e/0x90 +[ 1070.290619] worker_thread+0x5ac/0xec0 +[ 1070.290891] ? process_one_work+0x12d0/0x12d0 +[ 1070.291199] kthread+0x2a5/0x350 +[ 1070.291430] ? kthread_complete_and_exit+0x20/0x20 +[ 1070.291770] ret_from_fork+0x22/0x30 +[ 1070.292050] +[ 1070.292223] Modules linked in: bpfilter cifs cifs_arc4 cifs_md4 +[ 1070.292765] ---[ end trace 0000000000000000 ]--- +[ 1070.293108] RIP: 0010:strcasecmp+0x34/0x150 +[ 1070.293471] Code: 00 00 00 fc ff df 41 54 55 48 89 fd 53 48 83 ec 10 eb 03 4c 89 fe 48 89 ef 48 83 c5 01 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 08 84 c0 0f 85 bc 00 00 00 0f b6 45 ff 44 +[ 1070.297718] RSP: 0018:ffffc90008367958 EFLAGS: 00010246 +[ 1070.298622] RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000 +[ 1070.299428] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 1070.300296] RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffff873eda27 +[ 1070.301204] R10: ffffc900083679a0 R11: 0000000000000001 R12: ffff88812624c000 +[ 1070.301932] R13: dffffc0000000000 R14: ffff88810e6e9a88 R15: ffff888119bb9000 +[ 1070.302645] FS: 0000000000000000(0000) GS:ffff888151200000(0000) knlGS:0000000000000000 +[ 1070.303462] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1070.304131] CR2: 0000561a4d922418 CR3: 000000010aecc000 CR4: 0000000000350ee0 +[ 1070.305004] Kernel panic - not syncing: Fatal exception +[ 1070.305711] Kernel Offset: disabled +[ 1070.305971] ---[ end 
Kernel panic - not syncing: Fatal exception ]--- + +Signed-off-by: Paulo Alcantara (SUSE) +Cc: stable@vger.kernel.org +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/connect.c | 2 ++ + fs/cifs/dfs_cache.c | 19 ++++++++++++------- + 2 files changed, 14 insertions(+), 7 deletions(-) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -3675,9 +3675,11 @@ static void setup_server_referral_paths( + { + struct TCP_Server_Info *server = mnt_ctx->server; + ++ mutex_lock(&server->refpath_lock); + server->origin_fullpath = mnt_ctx->origin_fullpath; + server->leaf_fullpath = mnt_ctx->leaf_fullpath; + server->current_fullpath = mnt_ctx->leaf_fullpath; ++ mutex_unlock(&server->refpath_lock); + mnt_ctx->origin_fullpath = mnt_ctx->leaf_fullpath = NULL; + } + +--- a/fs/cifs/dfs_cache.c ++++ b/fs/cifs/dfs_cache.c +@@ -1422,12 +1422,14 @@ static int refresh_tcon(struct cifs_ses + struct TCP_Server_Info *server = tcon->ses->server; + + mutex_lock(&server->refpath_lock); +- if (strcasecmp(server->leaf_fullpath, server->origin_fullpath)) +- __refresh_tcon(server->leaf_fullpath + 1, sessions, tcon, force_refresh); ++ if (server->origin_fullpath) { ++ if (server->leaf_fullpath && strcasecmp(server->leaf_fullpath, ++ server->origin_fullpath)) ++ __refresh_tcon(server->leaf_fullpath + 1, sessions, tcon, force_refresh); ++ __refresh_tcon(server->origin_fullpath + 1, sessions, tcon, force_refresh); ++ } + mutex_unlock(&server->refpath_lock); + +- __refresh_tcon(server->origin_fullpath + 1, sessions, tcon, force_refresh); +- + return 0; + } + +@@ -1530,11 +1532,14 @@ static void refresh_mounts(struct cifs_s + list_del_init(&tcon->ulist); + + mutex_lock(&server->refpath_lock); +- if (strcasecmp(server->leaf_fullpath, server->origin_fullpath)) +- __refresh_tcon(server->leaf_fullpath + 1, sessions, tcon, false); ++ if (server->origin_fullpath) { ++ if (server->leaf_fullpath && strcasecmp(server->leaf_fullpath, ++ 
server->origin_fullpath)) ++ __refresh_tcon(server->leaf_fullpath + 1, sessions, tcon, false); ++ __refresh_tcon(server->origin_fullpath + 1, sessions, tcon, false); ++ } + mutex_unlock(&server->refpath_lock); + +- __refresh_tcon(server->origin_fullpath + 1, sessions, tcon, false); + cifs_put_tcon(tcon); + } + } diff --git a/queue-5.17/cifs-use-correct-lock-type-in-cifs_reconnect.patch b/queue-5.17/cifs-use-correct-lock-type-in-cifs_reconnect.patch new file mode 100644 index 00000000000..79a9dc43c68 --- /dev/null +++ b/queue-5.17/cifs-use-correct-lock-type-in-cifs_reconnect.patch 
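Review bot: In refresh_tcon() and refresh_mounts() the `__refresh_tcon(server->origin_fullpath + 1, ...)` call used to run after `mutex_unlock(&server->refpath_lock)` and now runs with the mutex held. That is what makes the new NULL check meaningful, but it lengthens the critical section around a call whose body is not shown; if that call can block on the network, cifs_reconnect(), which takes the same mutex in the next patch of this series, would wait behind it. A comment above the block such as `/* refpath_lock is held across __refresh_tcon(): the paths must not change while in use */` would make the choice explicit. The same guarded block is duplicated in both functions and could become one static helper.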
@@ -0,0 +1,45 @@
+From cd70a3e8988a999c42d307d2616a5e7b6a33c7c8 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara
+Date: Wed, 20 Apr 2022 21:05:46 -0300
+Subject: cifs: use correct lock type in cifs_reconnect()
+
+From: Paulo Alcantara
+
+commit cd70a3e8988a999c42d307d2616a5e7b6a33c7c8 upstream.
+
+TCP_Server_Info::origin_fullpath and TCP_Server_Info::leaf_fullpath
+are protected by refpath_lock mutex and not cifs_tcp_ses_lock
+spinlock.
+
+Signed-off-by: Paulo Alcantara (SUSE)
+Cc: stable@vger.kernel.org
+Reviewed-by: Ronnie Sahlberg
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/connect.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -534,12 +534,19 @@ int cifs_reconnect(struct TCP_Server_Inf
+ {
+ /* If tcp session is not an dfs connection, then reconnect to last target server */
+ spin_lock(&cifs_tcp_ses_lock);
+- if (!server->is_dfs_conn || !server->origin_fullpath || !server->leaf_fullpath) {
++ if (!server->is_dfs_conn) {
+ spin_unlock(&cifs_tcp_ses_lock);
+ return __cifs_reconnect(server, mark_smb_session);
+ }
+ spin_unlock(&cifs_tcp_ses_lock);
+
++ mutex_lock(&server->refpath_lock);
++ if (!server->origin_fullpath || !server->leaf_fullpath) {
++ mutex_unlock(&server->refpath_lock);
++ return __cifs_reconnect(server, mark_smb_session);
++ }
++ mutex_unlock(&server->refpath_lock);
++
+ return reconnect_dfs_server(server);
+ }
+ #else
diff --git a/queue-5.17/codecs-rt5682s-fix-an-incorrect-null-check-on-list-iterator.patch b/queue-5.17/codecs-rt5682s-fix-an-incorrect-null-check-on-list-iterator.patch
new file mode 100644
index 00000000000..5096097445f
--- /dev/null
+++ b/queue-5.17/codecs-rt5682s-fix-an-incorrect-null-check-on-list-iterator.patch
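Review bot: The new check of `server->origin_fullpath` and `server->leaf_fullpath` in cifs_reconnect() releases `refpath_lock` before `reconnect_dfs_server(server)` runs, so it is only a snapshot of the two pointers. If either can be cleared or replaced after the unlock (not visible in this hunk), reconnect_dfs_server() has to take the mutex and re-check before dereferencing them, otherwise the NULL dereference fixed elsewhere in this series stays reachable on this path. If that re-check exists, a comment at the unlock such as `/* snapshot only: reconnect_dfs_server() re-validates under refpath_lock */` would state the contract; if it does not, the lock should be held across the use.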
@@ -0,0 +1,55 @@
+From acc72863e0f11cd0bedc888b663700229f9ba5ff Mon Sep 17 00:00:00 2001
+From: Xiaomeng Tong
+Date: Sun, 27 Mar 2022 16:13:00 +0800
+Subject: codecs: rt5682s: fix an incorrect NULL check on list iterator
+
+From: Xiaomeng Tong
+
+commit acc72863e0f11cd0bedc888b663700229f9ba5ff upstream.
+
+The bug is here:
+ if (!dai) {
+
+The list iterator value 'dai' will *always* be set and non-NULL
+by for_each_component_dais(), so it is incorrect to assume that
+the iterator value will be NULL if the list is empty or no element
+is found (In fact, it will be a bogus pointer to an invalid struct
+object containing the HEAD). Otherwise it will bypass the check
+'if (!dai) {' (never call dev_err() and never return -ENODEV;)
+and lead to invalid memory access lately when calling
+'rt5682s_set_bclk1_ratio(dai, factor);'.
+
+To fix the bug, just return rt5682s_set_bclk1_ratio(dai, factor);
+when found the 'dai', otherwise dev_err() and return -ENODEV;
+
+Cc: stable@vger.kernel.org
+Fixes: bdd229ab26be9 ("ASoC: rt5682s: Add driver for ALC5682I-VS codec")
+Signed-off-by: Xiaomeng Tong
+Link: https://lore.kernel.org/r/20220327081300.12962-1-xiam0nd.tong@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/codecs/rt5682s.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/sound/soc/codecs/rt5682s.c
++++ b/sound/soc/codecs/rt5682s.c
+@@ -2679,14 +2679,11 @@ static int rt5682s_bclk_set_rate(struct
+
+ for_each_component_dais(component, dai)
+ if (dai->id == RT5682S_AIF1)
+- break;
+- if (!dai) {
+- dev_err(component->dev, "dai %d not found in component\n",
+- RT5682S_AIF1);
+- return -ENODEV;
+- }
++ return rt5682s_set_bclk1_ratio(dai, factor);
+
+- return rt5682s_set_bclk1_ratio(dai, factor);
++ dev_err(component->dev, "dai %d not found in component\n",
++ RT5682S_AIF1);
++ return -ENODEV;
+ }
+
+ static const struct clk_ops rt5682s_dai_clk_ops[RT5682S_DAI_NUM_CLKS] = {
diff --git a/queue-5.17/drm-vmwgfx-fix-gem-refcounting-and-memory-evictions.patch b/queue-5.17/drm-vmwgfx-fix-gem-refcounting-and-memory-evictions.patch
new file mode 100644
index 00000000000..13af1cdd9ea
--- /dev/null
+++ b/queue-5.17/drm-vmwgfx-fix-gem-refcounting-and-memory-evictions.patch
@@ -0,0 +1,189 @@ +From 298799a28264ce400d9ff95c51b7adcb123d866e Mon Sep 17 00:00:00 2001 +From: Zack Rusin +Date: Wed, 20 Apr 2022 00:03:28 -0400 +Subject: drm/vmwgfx: Fix gem refcounting and memory evictions + +From: Zack Rusin + +commit 298799a28264ce400d9ff95c51b7adcb123d866e upstream. + +v2: Add the last part of the ref count fix which was spotted by +Philipp Sieweck where the ref count of cpu writers is off due to +ERESTARTSYS or EBUSY during bo waits. + +The initial GEM port broke refcounting on shareable (prime) surfaces and +memory evictions. The prime surfaces broke because the parent surfaces +weren't increasing the ref count on GEM surfaces, which meant that +the memory backing textures could have been deleted while the texture +was still accessible. The evictions broke due to a typo, the code was +supposed to exit if the passed buffers were not vmw_buffer_object +not if they were. They're tied because the evictions depend on having +memory to actually evict. + +This fixes crashes with XA state tracker which is used for xrender +acceleration on xf86-video-vmware, apps/tests which use a lot of +memory (a good test being the piglit's streaming-texture-leak) and +desktops. 
+ +Signed-off-by: Zack Rusin +Fixes: 8afa13a0583f ("drm/vmwgfx: Implement DRIVER_GEM") +Reported-by: Philipp Sieweck +Cc: # v5.17+ +Reviewed-by: Maaz Mombasawala +Reviewed-by: Martin Krastev +Link: https://patchwork.freedesktop.org/patch/msgid/20220420040328.1007409-1-zack@kde.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 43 ++++++++++++++------------------ + drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 8 +---- + drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 7 ++++- + 3 files changed, 28 insertions(+), 30 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c +@@ -46,6 +46,21 @@ vmw_buffer_object(struct ttm_buffer_obje + return container_of(bo, struct vmw_buffer_object, base); + } + ++/** ++ * bo_is_vmw - check if the buffer object is a &vmw_buffer_object ++ * @bo: ttm buffer object to be checked ++ * ++ * Uses destroy function associated with the object to determine if this is ++ * a &vmw_buffer_object. ++ * ++ * Returns: ++ * true if the object is of &vmw_buffer_object type, false if not. ++ */ ++static bool bo_is_vmw(struct ttm_buffer_object *bo) ++{ ++ return bo->destroy == &vmw_bo_bo_free || ++ bo->destroy == &vmw_gem_destroy; ++} + + /** + * vmw_bo_pin_in_placement - Validate a buffer to placement. +@@ -615,8 +630,9 @@ int vmw_user_bo_synccpu_ioctl(struct drm + + ret = vmw_user_bo_synccpu_grab(vbo, arg->flags); + vmw_bo_unreference(&vbo); +- if (unlikely(ret != 0 && ret != -ERESTARTSYS && +- ret != -EBUSY)) { ++ if (unlikely(ret != 0)) { ++ if (ret == -ERESTARTSYS || ret == -EBUSY) ++ return -EBUSY; + DRM_ERROR("Failed synccpu grab on handle 0x%08x.\n", + (unsigned int) arg->handle); + return ret; +@@ -798,7 +814,7 @@ int vmw_dumb_create(struct drm_file *fil + void vmw_bo_swap_notify(struct ttm_buffer_object *bo) + { + /* Is @bo embedded in a struct vmw_buffer_object? 
*/ +- if (vmw_bo_is_vmw_bo(bo)) ++ if (!bo_is_vmw(bo)) + return; + + /* Kill any cached kernel maps before swapout */ +@@ -822,7 +838,7 @@ void vmw_bo_move_notify(struct ttm_buffe + struct vmw_buffer_object *vbo; + + /* Make sure @bo is embedded in a struct vmw_buffer_object? */ +- if (vmw_bo_is_vmw_bo(bo)) ++ if (!bo_is_vmw(bo)) + return; + + vbo = container_of(bo, struct vmw_buffer_object, base); +@@ -843,22 +859,3 @@ void vmw_bo_move_notify(struct ttm_buffe + if (mem->mem_type != VMW_PL_MOB && bo->resource->mem_type == VMW_PL_MOB) + vmw_resource_unbind_list(vbo); + } +- +-/** +- * vmw_bo_is_vmw_bo - check if the buffer object is a &vmw_buffer_object +- * @bo: buffer object to be checked +- * +- * Uses destroy function associated with the object to determine if this is +- * a &vmw_buffer_object. +- * +- * Returns: +- * true if the object is of &vmw_buffer_object type, false if not. +- */ +-bool vmw_bo_is_vmw_bo(struct ttm_buffer_object *bo) +-{ +- if (bo->destroy == &vmw_bo_bo_free || +- bo->destroy == &vmw_gem_destroy) +- return true; +- +- return false; +-} +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +@@ -997,13 +997,10 @@ static int vmw_driver_load(struct vmw_pr + goto out_no_fman; + } + +- drm_vma_offset_manager_init(&dev_priv->vma_manager, +- DRM_FILE_PAGE_OFFSET_START, +- DRM_FILE_PAGE_OFFSET_SIZE); + ret = ttm_device_init(&dev_priv->bdev, &vmw_bo_driver, + dev_priv->drm.dev, + dev_priv->drm.anon_inode->i_mapping, +- &dev_priv->vma_manager, ++ dev_priv->drm.vma_offset_manager, + dev_priv->map_mode == vmw_dma_alloc_coherent, + false); + if (unlikely(ret != 0)) { +@@ -1173,7 +1170,6 @@ static void vmw_driver_unload(struct drm + vmw_devcaps_destroy(dev_priv); + vmw_vram_manager_fini(dev_priv); + ttm_device_fini(&dev_priv->bdev); +- drm_vma_offset_manager_destroy(&dev_priv->vma_manager); + vmw_release_device_late(dev_priv); + vmw_fence_manager_takedown(dev_priv->fman); + if (dev_priv->capabilities & SVGA_CAP_IRQMASK) 
+@@ -1397,7 +1393,7 @@ vmw_get_unmapped_area(struct file *file, + struct vmw_private *dev_priv = vmw_priv(file_priv->minor->dev); + + return drm_get_unmapped_area(file, uaddr, len, pgoff, flags, +- &dev_priv->vma_manager); ++ dev_priv->drm.vma_offset_manager); + } + + static int vmwgfx_pm_notifier(struct notifier_block *nb, unsigned long val, +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +@@ -683,6 +683,9 @@ static void vmw_user_surface_base_releas + container_of(base, struct vmw_user_surface, prime.base); + struct vmw_resource *res = &user_srf->srf.res; + ++ if (base->shareable && res && res->backup) ++ drm_gem_object_put(&res->backup->base.base); ++ + *p_base = NULL; + vmw_resource_unreference(&res); + } +@@ -857,6 +860,7 @@ int vmw_surface_define_ioctl(struct drm_ + goto out_unlock; + } + vmw_bo_reference(res->backup); ++ drm_gem_object_get(&res->backup->base.base); + } + + tmp = vmw_resource_reference(&srf->res); +@@ -1513,7 +1517,6 @@ vmw_gb_surface_define_internal(struct dr + &res->backup); + if (ret == 0) + vmw_bo_reference(res->backup); +- + } + + if (unlikely(ret != 0)) { +@@ -1561,6 +1564,8 @@ vmw_gb_surface_define_internal(struct dr + drm_vma_node_offset_addr(&res->backup->base.base.vma_node); + rep->buffer_size = res->backup->base.base.size; + rep->buffer_handle = backup_handle; ++ if (user_srf->prime.base.shareable) ++ drm_gem_object_get(&res->backup->base.base); + } else { + rep->buffer_map_handle = 0; + rep->buffer_size = 0; diff --git a/queue-5.17/e1000e-fix-possible-overflow-in-ltr-decoding.patch b/queue-5.17/e1000e-fix-possible-overflow-in-ltr-decoding.patch new file mode 100644 index 00000000000..634a2c8ade6 --- /dev/null +++ b/queue-5.17/e1000e-fix-possible-overflow-in-ltr-decoding.patch 
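Review bot: The reference pairing added in vmwgfx_surface.c is not symmetric in the visible lines: the `drm_gem_object_put()` in vmw_user_surface_base_release() is gated on `base->shareable`, and so is the `drm_gem_object_get()` added in vmw_gb_surface_define_internal(), but the `drm_gem_object_get()` added in vmw_surface_define_ioctl() carries no such test. If the enclosing condition there, which is outside the hunk, does not imply a shareable surface, that reference is never dropped. A one-line comment at each get naming the matching put would make the invariant checkable. Separately, the guard `if (base->shareable && res && res->backup)` tests `res`, which is `&user_srf->srf.res` and so never NULL; `if (base->shareable && res->backup)` says the same thing.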
@@ -0,0 +1,52 @@
+From 04ebaa1cfddae5f240cc7404f009133bb0389a47 Mon Sep 17 00:00:00 2001
+From: Sasha Neftin
+Date: Tue, 5 Apr 2022 18:56:01 +0300
+Subject: e1000e: Fix possible overflow in LTR decoding
+
+From: Sasha Neftin
+
+commit 04ebaa1cfddae5f240cc7404f009133bb0389a47 upstream.
+
+When we decode the latency and the max_latency, u16 value may not fit
+the required size and could lead to the wrong LTR representation.
+
+Scaling is represented as:
+scale 0 - 1 (2^(5*0)) = 2^0
+scale 1 - 32 (2^(5 *1))= 2^5
+scale 2 - 1024 (2^(5 *2)) =2^10
+scale 3 - 32768 (2^(5 *3)) =2^15
+scale 4 - 1048576 (2^(5 *4)) = 2^20
+scale 5 - 33554432 (2^(5 *4)) = 2^25
+scale 4 and scale 5 required 20 and 25 bits respectively.
+scale 6 reserved.
+
+Replace the u16 type with the u32 type and allow corrected LTR
+representation.
+
+Cc: stable@vger.kernel.org
+Fixes: 44a13a5d99c7 ("e1000e: Fix the max snoop/no-snoop latency for 10M")
+Reported-by: James Hutchinson
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215689
+Suggested-by: Dima Ruinskiy
+Signed-off-by: Sasha Neftin
+Tested-by: Naama Meir
+Tested-by: James Hutchinson
+Signed-off-by: Tony Nguyen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/e1000e/ich8lan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+@@ -1009,8 +1009,8 @@ static s32 e1000_platform_pm_pch_lpt(str
+ {
+ u32 reg = link << (E1000_LTRV_REQ_SHIFT + E1000_LTRV_NOSNOOP_SHIFT) |
+ link << E1000_LTRV_REQ_SHIFT | E1000_LTRV_SEND;
+- u16 max_ltr_enc_d = 0; /* maximum LTR decoded by platform */
+- u16 lat_enc_d = 0; /* latency decoded */
++ u32 max_ltr_enc_d = 0; /* maximum LTR decoded by platform */
++ u32 lat_enc_d = 0; /* latency decoded */
+ u16 lat_enc = 0; /* latency encoded */
+
+ if (link) {
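Review bot: Widening `max_ltr_enc_d` and `lat_enc_d` to `u32` in e1000_platform_pm_pch_lpt() covers the 2^25 scale factor on its own, but the decoded latency is value × scale, and that multiplication is outside this hunk. If the value field is the 10-bit LTR latency value, the largest product at scale 5 is 1023 × 2^25, which needs 35 bits and would still wrap in a `u32`. Either declare both as `u64`, e.g. `u64 lat_enc_d = 0; /* latency decoded */`, or add a comment next to the declarations explaining why the value/scale pairs that reach this function keep the product below 2^32.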
diff --git a/queue-5.17/fs-fix-acl-translation.patch b/queue-5.17/fs-fix-acl-translation.patch
new file mode 100644
index 00000000000..85cc4c3a27a
--- /dev/null
+++ b/queue-5.17/fs-fix-acl-translation.patch
@@ -0,0 +1,123 @@ +From 705191b03d507744c7e097f78d583621c14988ac Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Tue, 19 Apr 2022 15:14:23 +0200 +Subject: fs: fix acl translation + +From: Christian Brauner + +commit 705191b03d507744c7e097f78d583621c14988ac upstream. + +Last cycle we extended the idmapped mounts infrastructure to support +idmapped mounts of idmapped filesystems (No such filesystem yet exist.). +Since then, the meaning of an idmapped mount is a mount whose idmapping +is different from the filesystems idmapping. + +While doing that work we missed to adapt the acl translation helpers. +They still assume that checking for the identity mapping is enough. But +they need to use the no_idmapping() helper instead. + +Note, POSIX ACLs are always translated right at the userspace-kernel +boundary using the caller's current idmapping and the initial idmapping. +The order depends on whether we're coming from or going to userspace. +The filesystem's idmapping doesn't matter at the border. + +Consequently, if a non-idmapped mount is passed we need to make sure to +always pass the initial idmapping as the mount's idmapping and not the +filesystem idmapping. Since it's irrelevant here it would yield invalid +ids and prevent setting acls for filesystems that are mountable in a +userns and support posix acls (tmpfs and fuse). + +I verified the regression reported in [1] and verified that this patch +fixes it. A regression test will be added to xfstests in parallel. 
+ +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215849 [1] +Fixes: bd303368b776 ("fs: support mapped mounts of mapped filesystems") +Cc: Seth Forshee +Cc: Christoph Hellwig +Cc: # 5.17 +Cc: +Signed-off-by: Christian Brauner (Microsoft) +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/posix_acl.c | 10 ++++++++++ + fs/xattr.c | 6 ++++-- + include/linux/posix_acl_xattr.h | 4 ++++ + 3 files changed, 18 insertions(+), 2 deletions(-) + +--- a/fs/posix_acl.c ++++ b/fs/posix_acl.c +@@ -759,9 +759,14 @@ static void posix_acl_fix_xattr_userns( + } + + void posix_acl_fix_xattr_from_user(struct user_namespace *mnt_userns, ++ struct inode *inode, + void *value, size_t size) + { + struct user_namespace *user_ns = current_user_ns(); ++ ++ /* Leave ids untouched on non-idmapped mounts. */ ++ if (no_idmapping(mnt_userns, i_user_ns(inode))) ++ mnt_userns = &init_user_ns; + if ((user_ns == &init_user_ns) && (mnt_userns == &init_user_ns)) + return; + posix_acl_fix_xattr_userns(&init_user_ns, user_ns, mnt_userns, value, +@@ -769,9 +774,14 @@ void posix_acl_fix_xattr_from_user(struc + } + + void posix_acl_fix_xattr_to_user(struct user_namespace *mnt_userns, ++ struct inode *inode, + void *value, size_t size) + { + struct user_namespace *user_ns = current_user_ns(); ++ ++ /* Leave ids untouched on non-idmapped mounts. 
*/ ++ if (no_idmapping(mnt_userns, i_user_ns(inode))) ++ mnt_userns = &init_user_ns; + if ((user_ns == &init_user_ns) && (mnt_userns == &init_user_ns)) + return; + posix_acl_fix_xattr_userns(user_ns, &init_user_ns, mnt_userns, value, +--- a/fs/xattr.c ++++ b/fs/xattr.c +@@ -569,7 +569,8 @@ setxattr(struct user_namespace *mnt_user + } + if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) || + (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0)) +- posix_acl_fix_xattr_from_user(mnt_userns, kvalue, size); ++ posix_acl_fix_xattr_from_user(mnt_userns, d_inode(d), ++ kvalue, size); + } + + error = vfs_setxattr(mnt_userns, d, kname, kvalue, size, flags); +@@ -667,7 +668,8 @@ getxattr(struct user_namespace *mnt_user + if (error > 0) { + if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) || + (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0)) +- posix_acl_fix_xattr_to_user(mnt_userns, kvalue, error); ++ posix_acl_fix_xattr_to_user(mnt_userns, d_inode(d), ++ kvalue, error); + if (size && copy_to_user(value, kvalue, error)) + error = -EFAULT; + } else if (error == -ERANGE && size >= XATTR_SIZE_MAX) { +--- a/include/linux/posix_acl_xattr.h ++++ b/include/linux/posix_acl_xattr.h +@@ -34,15 +34,19 @@ posix_acl_xattr_count(size_t size) + + #ifdef CONFIG_FS_POSIX_ACL + void posix_acl_fix_xattr_from_user(struct user_namespace *mnt_userns, ++ struct inode *inode, + void *value, size_t size); + void posix_acl_fix_xattr_to_user(struct user_namespace *mnt_userns, ++ struct inode *inode, + void *value, size_t size); + #else + static inline void posix_acl_fix_xattr_from_user(struct user_namespace *mnt_userns, ++ struct inode *inode, + void *value, size_t size) + { + } + static inline void posix_acl_fix_xattr_to_user(struct user_namespace *mnt_userns, ++ struct inode *inode, + void *value, size_t size) + { + } 
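Review bot: Both posix_acl_fix_xattr_from_user() and posix_acl_fix_xattr_to_user() now dereference the new `inode` argument through `i_user_ns(inode)` before any other check, and neither carries a comment saying it must be non-NULL. The two callers changed in fs/xattr.c pass `d_inode(d)`; whether `d` is always a positive dentry at those points is not visible in these hunks. I would add a kernel-doc block to each function describing `@mnt_userns`, `@inode`, `@value` and `@size`, stating that `inode` must be valid and that `mnt_userns` is replaced by `&init_user_ns` when `no_idmapping()` reports a non-idmapped mount.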
diff --git a/queue-5.17/gpio-request-interrupts-after-irq-is-initialized.patch b/queue-5.17/gpio-request-interrupts-after-irq-is-initialized.patch
new file mode 100644
index 00000000000..32c7809d9b9
--- /dev/null
+++ b/queue-5.17/gpio-request-interrupts-after-irq-is-initialized.patch
@@ -0,0 +1,73 @@
+From 06fb4ecfeac7e00d6704fa5ed19299f2fefb3cc9 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Fri, 22 Apr 2022 08:14:52 -0500
+Subject: gpio: Request interrupts after IRQ is initialized
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Limonciello
+
+commit 06fb4ecfeac7e00d6704fa5ed19299f2fefb3cc9 upstream.
+
+Commit 5467801f1fcb ("gpio: Restrict usage of GPIO chip irq members
+before initialization") attempted to fix a race condition that lead to a
+NULL pointer, but in the process caused a regression for _AEI/_EVT
+declared GPIOs.
+
+This manifests in messages showing deferred probing while trying to
+allocate IRQs like so:
+
+ amd_gpio AMDI0030:00: Failed to translate GPIO pin 0x0000 to IRQ, err -517
+ amd_gpio AMDI0030:00: Failed to translate GPIO pin 0x002C to IRQ, err -517
+ amd_gpio AMDI0030:00: Failed to translate GPIO pin 0x003D to IRQ, err -517
+ [ .. more of the same .. ]
+
+The code for walking _AEI doesn't handle deferred probing and so this
+leads to non-functional GPIO interrupts.
+
+Fix this issue by moving the call to `acpi_gpiochip_request_interrupts`
+to occur after gc->irc.initialized is set.
+
+Fixes: 5467801f1fcb ("gpio: Restrict usage of GPIO chip irq members before initialization")
+Link: https://lore.kernel.org/linux-gpio/BL1PR12MB51577A77F000A008AA694675E2EF9@BL1PR12MB5157.namprd12.prod.outlook.com/
+Link: https://bugzilla.suse.com/show_bug.cgi?id=1198697
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215850
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1979
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1976
+Reported-by: Mario Limonciello
+Signed-off-by: Mario Limonciello
+Reviewed-by: Shreeya Patel
+Tested-By: Samuel Čavoj
+Tested-By: lukeluk498@gmail.com Link:
+Reviewed-by: Andy Shevchenko
+Acked-by: Linus Walleij
+Reviewed-and-tested-by: Takashi Iwai
+Cc: Shreeya Patel
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpio/gpiolib.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1601,8 +1601,6 @@ static int gpiochip_add_irqchip(struct g
+
+ gpiochip_set_irq_hooks(gc);
+
+- acpi_gpiochip_request_interrupts(gc);
+-
+ /*
+ * Using barrier() here to prevent compiler from reordering
+ * gc->irq.initialized before initialization of above
+@@ -1612,6 +1610,8 @@ static int gpiochip_add_irqchip(struct g
+
+ gc->irq.initialized = true;
+
++ acpi_gpiochip_request_interrupts(gc);
++
+ return 0;
+ }
+
diff --git a/queue-5.17/openvswitch-fix-oob-access-in-reserve_sfa_size.patch b/queue-5.17/openvswitch-fix-oob-access-in-reserve_sfa_size.patch
new file mode 100644
index 00000000000..fdcb56120be
--- /dev/null
+++ b/queue-5.17/openvswitch-fix-oob-access-in-reserve_sfa_size.patch
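Review bot: The relocated `acpi_gpiochip_request_interrupts(gc);` at the end of `gpiochip_add_irqchip()` has no comment recording that its position after `gc->irq.initialized = true;` is required. The existing comment above `barrier()` only covers compiler reordering of the flag store, while the commit message says the _AEI walk does not handle deferred probing (the `err -517` lines), so a later cleanup that moves the call back up would bring the non-functional GPIO interrupts back without any warning. I would add `/* Must run after gc->irq.initialized is set: the _AEI walk cannot handle -EPROBE_DEFER. */` directly above the call. The function body starts outside the hunk, so the code between `barrier()` and the flag store is not visible here.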
@@ -0,0 +1,83 @@
+From cefa91b2332d7009bc0be5d951d6cbbf349f90f8 Mon Sep 17 00:00:00 2001
+From: Paolo Valerio
+Date: Fri, 15 Apr 2022 10:08:41 +0200
+Subject: openvswitch: fix OOB access in reserve_sfa_size()
+
+From: Paolo Valerio
+
+commit cefa91b2332d7009bc0be5d951d6cbbf349f90f8 upstream.
+
+Given a sufficiently large number of actions, while copying and
+reserving memory for a new action of a new flow, if next_offset is
+greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does
+not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE
+bytes increasing actions_len by req_size. This can then lead to an OOB
+write access, especially when further actions need to be copied.
+
+Fix it by rearranging the flow action size check.
+
+KASAN splat below:
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in reserve_sfa_size+0x1ba/0x380 [openvswitch]
+Write of size 65360 at addr ffff888147e4001c by task handler15/836
+
+CPU: 1 PID: 836 Comm: handler15 Not tainted 5.18.0-rc1+ #27
+...
+Call Trace:
+
+ dump_stack_lvl+0x45/0x5a
+ print_report.cold+0x5e/0x5db
+ ? __lock_text_start+0x8/0x8
+ ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
+ kasan_report+0xb5/0x130
+ ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
+ kasan_check_range+0xf5/0x1d0
+ memcpy+0x39/0x60
+ reserve_sfa_size+0x1ba/0x380 [openvswitch]
+ __add_action+0x24/0x120 [openvswitch]
+ ovs_nla_add_action+0xe/0x20 [openvswitch]
+ ovs_ct_copy_action+0x29d/0x1130 [openvswitch]
+ ? __kernel_text_address+0xe/0x30
+ ? unwind_get_return_address+0x56/0xa0
+ ? create_prof_cpu_mask+0x20/0x20
+ ? ovs_ct_verify+0xf0/0xf0 [openvswitch]
+ ? prep_compound_page+0x198/0x2a0
+ ? __kasan_check_byte+0x10/0x40
+ ? kasan_unpoison+0x40/0x70
+ ? ksize+0x44/0x60
+ ? reserve_sfa_size+0x75/0x380 [openvswitch]
+ __ovs_nla_copy_actions+0xc26/0x2070 [openvswitch]
+ ? __zone_watermark_ok+0x420/0x420
+ ? validate_set.constprop.0+0xc90/0xc90 [openvswitch]
+ ? __alloc_pages+0x1a9/0x3e0
+ ? __alloc_pages_slowpath.constprop.0+0x1da0/0x1da0
+ ? unwind_next_frame+0x991/0x1e40
+ ? __mod_node_page_state+0x99/0x120
+ ? __mod_lruvec_page_state+0x2e3/0x470
+ ? __kasan_kmalloc_large+0x90/0xe0
+ ovs_nla_copy_actions+0x1b4/0x2c0 [openvswitch]
+ ovs_flow_cmd_new+0x3cd/0xb10 [openvswitch]
+ ...
+
+Cc: stable@vger.kernel.org
+Fixes: f28cd2af22a0 ("openvswitch: fix flow actions reallocation")
+Signed-off-by: Paolo Valerio
+Acked-by: Eelco Chaudron
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/openvswitch/flow_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -2436,7 +2436,7 @@ static struct nlattr *reserve_sfa_size(s
+ new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
+
+ if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
+- if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
++ if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) {
+ OVS_NLERR(log, "Flow action size exceeds max %u",
+ MAX_ACTIONS_BUFSIZE);
+ return ERR_PTR(-EMSGSIZE);
diff --git a/queue-5.17/series b/queue-5.17/series
index d1a2c344c1f..616beead70a 100644
--- a/queue-5.17/series
+++ b/queue-5.17/series
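Review bot: The corrected bound check `if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE)` in `reserve_sfa_size()` has no comment saying why the sum is compared instead of the remaining space, and the subtraction form it replaces looks equivalent at a glance. The commit message states that the old expression failed to return -EMSGSIZE once next_offset was already above the limit, which is what produced the slab-out-of-bounds write in the KASAN report, so a later refactor could easily revert it. I would add `/* Compare the sum: MAX_ACTIONS_BUFSIZE - next_offset is not a valid remaining size once next_offset exceeds the limit. */` above the check. The same sum is already computed two lines up inside `max()`, and the declarations of `next_offset` and `req_size` lie outside the hunk, so their types and whether the addition can wrap should be confirmed there.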
@@ -111,3 +111,16 @@ powerpc-perf-fix-power10-event-alternatives.patch
 arm-xen-fix-some-refcount-leaks.patch
 perf-script-always-allow-field-data_src-for-auxtrace.patch
 perf-report-set-perf_sample_data_src-bit-for-arm-spe.patch
+fs-fix-acl-translation.patch
+cifs-fix-null-ptr-dereference-in-refresh_mounts.patch
+cifs-use-correct-lock-type-in-cifs_reconnect.patch
+xtensa-patch_text-fixup-last-cpu-should-be-master.patch
+xtensa-fix-a7-clobbering-in-coprocessor-context-load-store.patch
+openvswitch-fix-oob-access-in-reserve_sfa_size.patch
+gpio-request-interrupts-after-irq-is-initialized.patch
+asoc-rt5682-fix-an-incorrect-null-check-on-list-iterator.patch
+asoc-soc-dapm-fix-two-incorrect-uses-of-list-iterator.patch
+e1000e-fix-possible-overflow-in-ltr-decoding.patch
+codecs-rt5682s-fix-an-incorrect-null-check-on-list-iterator.patch
+arc-entry-fix-syscall_trace_exit-argument.patch
+drm-vmwgfx-fix-gem-refcounting-and-memory-evictions.patch
diff --git a/queue-5.17/xtensa-fix-a7-clobbering-in-coprocessor-context-load-store.patch b/queue-5.17/xtensa-fix-a7-clobbering-in-coprocessor-context-load-store.patch
new file mode 100644
index 00000000000..9b1fc8af72a
--- /dev/null
+++ b/queue-5.17/xtensa-fix-a7-clobbering-in-coprocessor-context-load-store.patch
@@ -0,0 +1,43 @@
+From 839769c35477d4acc2369e45000ca7b0b6af39a7 Mon Sep 17 00:00:00 2001
+From: Max Filippov
+Date: Wed, 13 Apr 2022 22:44:36 -0700
+Subject: xtensa: fix a7 clobbering in coprocessor context load/store
+
+From: Max Filippov
+
+commit 839769c35477d4acc2369e45000ca7b0b6af39a7 upstream.
+
+Fast coprocessor exception handler saves a3..a6, but coprocessor context
+load/store code uses a4..a7 as temporaries, potentially clobbering a7.
+'Potentially' because coprocessor state load/store macros may not use
+all four temporary registers (and neither FPU nor HiFi macros do).
+Use a3..a6 as intended.
+
+Cc: stable@vger.kernel.org
+Fixes: c658eac628aa ("[XTENSA] Add support for configurable registers and coprocessors")
+Signed-off-by: Max Filippov
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/xtensa/kernel/coprocessor.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/xtensa/kernel/coprocessor.S
++++ b/arch/xtensa/kernel/coprocessor.S
+@@ -29,7 +29,7 @@
+ .if XTENSA_HAVE_COPROCESSOR(x); \
+ .align 4; \
+ .Lsave_cp_regs_cp##x: \
+- xchal_cp##x##_store a2 a4 a5 a6 a7; \
++ xchal_cp##x##_store a2 a3 a4 a5 a6; \
+ jx a0; \
+ .endif
+
+@@ -46,7 +46,7 @@
+ .if XTENSA_HAVE_COPROCESSOR(x); \
+ .align 4; \
+ .Lload_cp_regs_cp##x: \
+- xchal_cp##x##_load a2 a4 a5 a6 a7; \
++ xchal_cp##x##_load a2 a3 a4 a5 a6; \
+ jx a0; \
+ .endif
+
diff --git a/queue-5.17/xtensa-patch_text-fixup-last-cpu-should-be-master.patch b/queue-5.17/xtensa-patch_text-fixup-last-cpu-should-be-master.patch
new file mode 100644
index 00000000000..64d28111def
--- /dev/null
+++ b/queue-5.17/xtensa-patch_text-fixup-last-cpu-should-be-master.patch
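Review bot: Neither `xchal_cp##x##_store a2 a3 a4 a5 a6` nor `xchal_cp##x##_load a2 a3 a4 a5 a6` says which registers are allowed as temporaries, and that missing constraint is what let a7 be passed for so long. According to the commit message the fast coprocessor exception handler saves only a3..a6, and that code lives in another part of the file. I would add `/* Temporaries must be a3..a6: the fast coprocessor exception handler saves only those. */` ahead of each macro definition. Both definitions start outside their hunks, and the comment has to sit before the macro, not between its backslash-continued lines.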
@@ -0,0 +1,40 @@
+From ee69d4be8fd064cd08270b4808d2dfece3614ee0 Mon Sep 17 00:00:00 2001
+From: Guo Ren
+Date: Thu, 7 Apr 2022 15:33:22 +0800
+Subject: xtensa: patch_text: Fixup last cpu should be master
+
+From: Guo Ren
+
+commit ee69d4be8fd064cd08270b4808d2dfece3614ee0 upstream.
+
+These patch_text implementations are using stop_machine_cpuslocked
+infrastructure with atomic cpu_count. The original idea: When the
+master CPU patch_text, the others should wait for it. But current
+implementation is using the first CPU as master, which couldn't
+guarantee the remaining CPUs are waiting. This patch changes the
+last CPU as the master to solve the potential risk.
+
+Fixes: 64711f9a47d4 ("xtensa: implement jump_label support")
+Signed-off-by: Guo Ren
+Signed-off-by: Guo Ren
+Reviewed-by: Max Filippov
+Reviewed-by: Masami Hiramatsu
+Cc:
+Message-Id: <20220407073323.743224-4-guoren@kernel.org>
+Signed-off-by: Max Filippov
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/xtensa/kernel/jump_label.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/xtensa/kernel/jump_label.c
++++ b/arch/xtensa/kernel/jump_label.c
+@@ -40,7 +40,7 @@ static int patch_text_stop_machine(void
+ {
+ struct patch *patch = data;
+
+- if (atomic_inc_return(&patch->cpu_count) == 1) {
++ if (atomic_inc_return(&patch->cpu_count) == num_online_cpus()) {
+ local_patch_text(patch->addr, patch->data, patch->sz);
+ atomic_inc(&patch->cpu_count);
+ } else {
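Review bot: The new election test `atomic_inc_return(&patch->cpu_count) == num_online_cpus()` in `patch_text_stop_machine()` only picks a patcher if every online CPU enters this callback, and nothing in the code states that assumption. The commit message gives the reason (the last CPU to arrive patches, so the others are already waiting), but a reader of the function sees only a counter compared with a CPU count. I would add `/* The last CPU to arrive patches; all other CPUs are already in the wait loop. */` above the `if`. The `else` branch continues outside the hunk, so the wait condition there should be checked against the counter value reached after the patcher's extra `atomic_inc(&patch->cpu_count)`.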