From: Greg Kroah-Hartman
Date: Mon, 27 Dec 2021 11:38:44 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Tag: v4.4.297~28
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4c3d7783e07fd6a1dddeecbd2645168860e01fd7;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch
alsa-hda-hdmi-disable-silent-stream-on-glk.patch
alsa-hda-realtek-add-new-alc285-hp-amp-init-model.patch
alsa-hda-realtek-amp-init-fixup-for-hp-zbook-15-g6.patch
alsa-hda-realtek-fix-mute-micmute-leds-for-a-hp-probook.patch
alsa-hda-realtek-fix-quirk-for-clevo-nj51cu.patch
alsa-jack-check-the-return-value-of-kstrdup.patch
alsa-rawmidi-fix-the-uninitalized-user_pversion.patch
asoc-meson-aiu-move-aiu_i2s_misc-hold-setting-to-aiu-fifo-i2s.patch
asoc-tegra-add-dapm-switches-for-headphones-and-mic-jack.patch
asoc-tegra-restore-headphones-jack-name-on-nyan-big.patch
input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch
ipmi-bail-out-if-init_srcu_struct-fails.patch
ipmi-fix-initialization-when-workqueue-allocation-fails.patch
ipmi-ssif-initialize-ssif_info-client-early.patch
kvm-nvmx-synthesize-triple_fault-for-l2-if-emulation-is-required.patch
kvm-vmx-always-clear-vmx-fail-on-emulation_required.patch
kvm-vmx-wake-vcpu-when-delivering-posted-irq-even-if-vcpu-this-vcpu.patch
kvm-x86-always-set-kvm_run-if_flag.patch
kvm-x86-mmu-don-t-advance-iterator-after-restart-due-to-yielding.patch
parisc-correct-completer-in-lws-start.patch
parisc-fix-mask-used-to-select-futex-spinlock.patch
platform-x86-amd-pmc-only-use-callbacks-for-suspend.patch
platform-x86-intel_pmc_core-fix-memleak-on-registration-failure.patch
tee-handle-lookup-of-shm-with-reference-count-0.patch
x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch
---
diff --git a/queue-5.15/alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch b/queue-5.15/alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch
new file mode 100644
index 00000000000..e95886458df
--- /dev/null
+++ b/queue-5.15/alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch
@@ -0,0 +1,37 @@
+From 2dee54b289fbc810669a1b2b8a0887fa1c9a14d7 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Sun, 12 Dec 2021 17:20:25 +0000
+Subject: ALSA: drivers: opl3: Fix incorrect use of vp->state
+
+From: Colin Ian King
+
+commit 2dee54b289fbc810669a1b2b8a0887fa1c9a14d7 upstream.
+
+Static analysis with scan-build has found an assignment to vp2 that is
+never used. It seems that the check on vp->state > 0 should be actually
+on vp2->state instead. Fix this.
+
+This dates back to 2002, I found the offending commit from the git
+history git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git,
+commit 91e39521bbf6 ("[PATCH] ALSA patch for 2.5.4")
+
+Signed-off-by: Colin Ian King
+Cc:
+Link: https://lore.kernel.org/r/20211212172025.470367-1-colin.i.king@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/drivers/opl3/opl3_midi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/drivers/opl3/opl3_midi.c
++++ b/sound/drivers/opl3/opl3_midi.c
+@@ -397,7 +397,7 @@ void snd_opl3_note_on(void *p, int note,
+ }
+ if (instr_4op) {
+ vp2 = &opl3->voices[voice + 3];
+- if (vp->state > 0) {
++ if (vp2->state > 0) {
+ opl3_reg = reg_side | (OPL3_REG_KEYON_BLOCK +
+ voice_offset + 3);
+ reg_val = vp->keyon_reg & ~OPL3_KEYON_BIT;
diff --git a/queue-5.15/alsa-hda-hdmi-disable-silent-stream-on-glk.patch b/queue-5.15/alsa-hda-hdmi-disable-silent-stream-on-glk.patch
new file mode 100644
index 00000000000..29faff18129
--- /dev/null
+++ b/queue-5.15/alsa-hda-hdmi-disable-silent-stream-on-glk.patch
@@ -0,0 +1,100 @@ +From b6fd77472dea76b7a2bad3a338ade920152972b8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Wed, 22 Dec 2021 16:53:50 +0200 +Subject: ALSA: hda/hdmi: Disable silent stream on GLK +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit b6fd77472dea76b7a2bad3a338ade920152972b8 upstream. + +The silent stream stuff recurses back into i915 audio +component .get_power() from the .pin_eld_notify() hook. +On GLK this will deadlock as i915 may already be holding +the relevant modeset locks during .pin_eld_notify() and +the GLK audio vs. CDCLK workaround will try to grab the +same locks from .get_power(). + +Until someone comes up with a better fix just disable the +silent stream support on GLK. + +Cc: stable@vger.kernel.org +Cc: Harsha Priya +Cc: Emmanuel Jillela +Cc: Kai Vehmanen +Cc: Takashi Iwai +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/2623 +Fixes: 951894cf30f4 ("ALSA: hda/hdmi: Add Intel silent stream support") +Signed-off-by: Ville Syrjälä +Reviewed-by: Kai Vehmanen +Link: https://lore.kernel.org/r/20211222145350.24342-1-ville.syrjala@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_hdmi.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -2947,7 +2947,8 @@ static int parse_intel_hdmi(struct hda_c + + /* Intel Haswell and onwards; audio component with eld notifier */ + static int intel_hsw_common_init(struct hda_codec *codec, hda_nid_t vendor_nid, +- const int *port_map, int port_num, int dev_num) ++ const int *port_map, int port_num, int dev_num, ++ bool send_silent_stream) + { + struct hdmi_spec *spec; + int err; +@@ -2980,7 +2981,7 @@ static int intel_hsw_common_init(struct + * Enable silent stream feature, if it is enabled via + * module param or Kconfig option + */ +- if 
(enable_silent_stream) ++ if (send_silent_stream) + spec->send_silent_stream = true; + + return parse_intel_hdmi(codec); +@@ -2988,12 +2989,18 @@ static int intel_hsw_common_init(struct + + static int patch_i915_hsw_hdmi(struct hda_codec *codec) + { +- return intel_hsw_common_init(codec, 0x08, NULL, 0, 3); ++ return intel_hsw_common_init(codec, 0x08, NULL, 0, 3, ++ enable_silent_stream); + } + + static int patch_i915_glk_hdmi(struct hda_codec *codec) + { +- return intel_hsw_common_init(codec, 0x0b, NULL, 0, 3); ++ /* ++ * Silent stream calls audio component .get_power() from ++ * .pin_eld_notify(). On GLK this will deadlock in i915 due ++ * to the audio vs. CDCLK workaround. ++ */ ++ return intel_hsw_common_init(codec, 0x0b, NULL, 0, 3, false); + } + + static int patch_i915_icl_hdmi(struct hda_codec *codec) +@@ -3004,7 +3011,8 @@ static int patch_i915_icl_hdmi(struct hd + */ + static const int map[] = {0x0, 0x4, 0x6, 0x8, 0xa, 0xb}; + +- return intel_hsw_common_init(codec, 0x02, map, ARRAY_SIZE(map), 3); ++ return intel_hsw_common_init(codec, 0x02, map, ARRAY_SIZE(map), 3, ++ enable_silent_stream); + } + + static int patch_i915_tgl_hdmi(struct hda_codec *codec) +@@ -3016,7 +3024,8 @@ static int patch_i915_tgl_hdmi(struct hd + static const int map[] = {0x4, 0x6, 0x8, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf}; + int ret; + +- ret = intel_hsw_common_init(codec, 0x02, map, ARRAY_SIZE(map), 4); ++ ret = intel_hsw_common_init(codec, 0x02, map, ARRAY_SIZE(map), 4, ++ enable_silent_stream); + if (!ret) { + struct hdmi_spec *spec = codec->spec; + diff --git a/queue-5.15/alsa-hda-realtek-add-new-alc285-hp-amp-init-model.patch b/queue-5.15/alsa-hda-realtek-add-new-alc285-hp-amp-init-model.patch new file mode 100644 index 00000000000..0275c04bbf1 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-new-alc285-hp-amp-init-model.patch 
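Review bot: patch_i915_glk_hdmi() now passes `false` for send_silent_stream no matter what the `enable_silent_stream` module parameter is set to, and nothing tells the user that their setting is ignored on this platform. The new comment explains the deadlock, but not that the parameter is overridden; a `codec_dbg(codec, "silent stream disabled on GLK\n");` next to the call, or a note in the module parameter's description, would make the override observable when someone wonders why the feature is off. The new `bool` is the sixth positional argument to intel_hsw_common_init(); the remaining body of that function is outside the hunk.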
@@ -0,0 +1,46 @@ +From aa72394667e5cea3547e4c41ddff7ca8c632d764 Mon Sep 17 00:00:00 2001 +From: Bradley Scott +Date: Mon, 13 Dec 2021 11:22:47 -0500 +Subject: ALSA: hda/realtek: Add new alc285-hp-amp-init model + +From: Bradley Scott + +commit aa72394667e5cea3547e4c41ddff7ca8c632d764 upstream. + +Adds a new "alc285-hp-amp-init" model that can be used to apply the ALC285 +HP speaker amplifier initialization fixup to devices that are not already +known by passing "hda_model=alc285-hp-amp-init" to the +snd-sof-intel-hda-common module or "model=alc285-hp-amp-init" to the +snd-hda-intel module, depending on which is being used. + +Signed-off-by: Bradley Scott +Cc: +Link: https://lore.kernel.org/r/20211213162246.506838-1-bscott@teksavvy.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/sound/hd-audio/models.rst | 2 ++ + sound/pci/hda/patch_realtek.c | 1 + + 2 files changed, 3 insertions(+) + +--- a/Documentation/sound/hd-audio/models.rst ++++ b/Documentation/sound/hd-audio/models.rst +@@ -326,6 +326,8 @@ usi-headset + Headset support on USI machines + dual-codecs + Lenovo laptops with dual codecs ++alc285-hp-amp-init ++ HP laptops which require speaker amplifier initialization (ALC285) + + ALC680 + ====== +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9124,6 +9124,7 @@ static const struct hda_model_fixup alc2 + {.id = ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP, .name = "alc287-ideapad-bass-spk-amp"}, + {.id = ALC623_FIXUP_LENOVO_THINKSTATION_P340, .name = "alc623-lenovo-thinkstation-p340"}, + {.id = ALC255_FIXUP_ACER_HEADPHONE_AND_MIC, .name = "alc255-acer-headphone-and-mic"}, ++ {.id = ALC285_FIXUP_HP_GPIO_AMP_INIT, .name = "alc285-hp-amp-init"}, + {} + }; + #define ALC225_STANDARD_PINS \ diff --git a/queue-5.15/alsa-hda-realtek-amp-init-fixup-for-hp-zbook-15-g6.patch b/queue-5.15/alsa-hda-realtek-amp-init-fixup-for-hp-zbook-15-g6.patch new file mode 100644 index 00000000000..8a23491aad0 --- /dev/null 
+++ b/queue-5.15/alsa-hda-realtek-amp-init-fixup-for-hp-zbook-15-g6.patch
@@ -0,0 +1,31 @@
+From d296a74b7b59ff9116236c17edb25f26935dbf70 Mon Sep 17 00:00:00 2001
+From: Bradley Scott
+Date: Mon, 13 Dec 2021 10:49:39 -0500
+Subject: ALSA: hda/realtek: Amp init fixup for HP ZBook 15 G6
+
+From: Bradley Scott
+
+commit d296a74b7b59ff9116236c17edb25f26935dbf70 upstream.
+
+HP ZBook 15 G6 (SSID 103c:860f) needs the same speaker amplifier
+initialization as used on several other HP laptops using ALC285.
+
+Signed-off-by: Bradley Scott
+Cc:
+Link: https://lore.kernel.org/r/20211213154938.503201-1-Bradley.Scott@zebra.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8660,6 +8660,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x84da, "HP OMEN dc0019-ur", ALC295_FIXUP_HP_OMEN),
+ SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+ SND_PCI_QUIRK(0x103c, 0x8519, "HP Spectre x360 15-df0xxx", ALC285_FIXUP_HP_SPECTRE_X360),
++ SND_PCI_QUIRK(0x103c, 0x860f, "HP ZBook 15 G6", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x861f, "HP Elite Dragonfly G1", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO),
diff --git a/queue-5.15/alsa-hda-realtek-fix-mute-micmute-leds-for-a-hp-probook.patch b/queue-5.15/alsa-hda-realtek-fix-mute-micmute-leds-for-a-hp-probook.patch
new file mode 100644
index 00000000000..8431184ff01
--- /dev/null
+++ b/queue-5.15/alsa-hda-realtek-fix-mute-micmute-leds-for-a-hp-probook.patch
@@ -0,0 +1,32 @@
+From f7ac570d0f026cf5475d4cc4d8040bd947980b3a Mon Sep 17 00:00:00 2001
+From: Jeremy Szu
+Date: Wed, 15 Dec 2021 00:41:54 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs for a HP ProBook
+
+From: Jeremy Szu
+
+commit f7ac570d0f026cf5475d4cc4d8040bd947980b3a upstream.
+
+There is a HP ProBook which using ALC236 codec and need the
+ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF quirk to make mute LED and
+micmute LED work.
+
+Signed-off-by: Jeremy Szu
+Cc:
+Link: https://lore.kernel.org/r/20211214164156.49711-1-jeremy.szu@canonical.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8706,6 +8706,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8896, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x8898, "HP EliteBook 845 G8 Notebook PC", ALC285_FIXUP_HP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x103c, 0x88d0, "HP Pavilion 15-eh1xxx (mainboard 88D0)", ALC287_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x89ca, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
+ SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300),
+ SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
diff --git a/queue-5.15/alsa-hda-realtek-fix-quirk-for-clevo-nj51cu.patch b/queue-5.15/alsa-hda-realtek-fix-quirk-for-clevo-nj51cu.patch
new file mode 100644
index 00000000000..f22db63b81c
--- /dev/null
+++ b/queue-5.15/alsa-hda-realtek-fix-quirk-for-clevo-nj51cu.patch
@@ -0,0 +1,86 @@ +From edca7cc4b0accfa69dc032442fe0684e59c691b8 Mon Sep 17 00:00:00 2001 +From: Werner Sembach +Date: Wed, 15 Dec 2021 20:16:46 +0100 +Subject: ALSA: hda/realtek: Fix quirk for Clevo NJ51CU + +From: Werner Sembach + +commit edca7cc4b0accfa69dc032442fe0684e59c691b8 upstream. + +The Clevo NJ51CU comes either with the ALC293 or the ALC256 codec, but uses +the 0x8686 subproduct id in both cases. The ALC256 codec needs a different +quirk for the headset microphone working and and edditional quirk for sound +working after suspend and resume. + +When waking up from s3 suspend the Coef 0x10 is set to 0x0220 instead of +0x0020 on the ALC256 codec. Setting the value manually makes the sound +work again. This patch does this automatically. + +[ minor coding style fix by tiwai ] + +Signed-off-by: Werner Sembach +Fixes: b5acfe152abaa ("ALSA: hda/realtek: Add some Clove SSID in the ALC293(ALC1220)") +Cc: +Link: https://lore.kernel.org/r/20211215191646.844644-1-wse@tuxedocomputers.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 26 +++++++++++++++++++++++++- + 1 file changed, 25 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6546,6 +6546,23 @@ static void alc233_fixup_no_audio_jack(s + alc_process_coef_fw(codec, alc233_fixup_no_audio_jack_coefs); + } + ++static void alc256_fixup_mic_no_presence_and_resume(struct hda_codec *codec, ++ const struct hda_fixup *fix, ++ int action) ++{ ++ /* ++ * The Clevo NJ51CU comes either with the ALC293 or the ALC256 codec, ++ * but uses the 0x8686 subproduct id in both cases. The ALC256 codec ++ * needs an additional quirk for sound working after suspend and resume. 
++ */ ++ if (codec->core.vendor_id == 0x10ec0256) { ++ alc_update_coef_idx(codec, 0x10, 1<<9, 0); ++ snd_hda_codec_set_pincfg(codec, 0x19, 0x04a11120); ++ } else { ++ snd_hda_codec_set_pincfg(codec, 0x1a, 0x04a1113c); ++ } ++} ++ + enum { + ALC269_FIXUP_GPIO2, + ALC269_FIXUP_SONY_VAIO, +@@ -6766,6 +6783,7 @@ enum { + ALC256_FIXUP_SET_COEF_DEFAULTS, + ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE, + ALC233_FIXUP_NO_AUDIO_JACK, ++ ALC256_FIXUP_MIC_NO_PRESENCE_AND_RESUME, + }; + + static const struct hda_fixup alc269_fixups[] = { +@@ -8490,6 +8508,12 @@ static const struct hda_fixup alc269_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc233_fixup_no_audio_jack, + }, ++ [ALC256_FIXUP_MIC_NO_PRESENCE_AND_RESUME] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc256_fixup_mic_no_presence_and_resume, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -8831,7 +8855,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1558, 0x8562, "Clevo NH[57][0-9]RZ[Q]", ALC269_FIXUP_DMIC), + SND_PCI_QUIRK(0x1558, 0x8668, "Clevo NP50B[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x8680, "Clevo NJ50LU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), +- SND_PCI_QUIRK(0x1558, 0x8686, "Clevo NH50[CZ]U", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x8686, "Clevo NH50[CZ]U", ALC256_FIXUP_MIC_NO_PRESENCE_AND_RESUME), + SND_PCI_QUIRK(0x1558, 0x8a20, "Clevo NH55DCQ-Y", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x8a51, "Clevo NH70RCQ-Y", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x8d50, "Clevo NH55RCQ-M", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), diff --git a/queue-5.15/alsa-jack-check-the-return-value-of-kstrdup.patch b/queue-5.15/alsa-jack-check-the-return-value-of-kstrdup.patch new file mode 100644 index 00000000000..678a3a29fc6 --- /dev/null +++ b/queue-5.15/alsa-jack-check-the-return-value-of-kstrdup.patch 
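Review bot: alc256_fixup_mic_no_presence_and_resume() never looks at its `action` argument, so both the pin-config writes and the COEF 0x10 update run on every fixup action the core invokes rather than on the one each needs. The commit message attributes the COEF change to S3 resume, which the HDA_FIXUP_ACT_INIT action already covers, and pin configuration in this driver is conventionally applied only under HDA_FIXUP_ACT_PRE_PROBE; repeating both on every action is presumably harmless but hides which call is the actual resume fix. Gating them, e.g. `if (action == HDA_FIXUP_ACT_PRE_PROBE)` around the two snd_hda_codec_set_pincfg() calls and `if (action == HDA_FIXUP_ACT_INIT)` around alc_update_coef_idx(), would make the intent explicit; confirm against the other fixups in this file, which are outside the hunk. Two nits in the same patch: `1<<9` should read `1 << 9`, and the `.chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC` initializer in the alc269_fixups table lacks the trailing comma every neighbouring entry has.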
@@ -0,0 +1,33 @@
+From c01c1db1dc632edafb0dff32d40daf4f9c1a4e19 Mon Sep 17 00:00:00 2001
+From: Xiaoke Wang
+Date: Mon, 13 Dec 2021 15:39:31 +0800
+Subject: ALSA: jack: Check the return value of kstrdup()
+
+From: Xiaoke Wang
+
+commit c01c1db1dc632edafb0dff32d40daf4f9c1a4e19 upstream.
+
+kstrdup() can return NULL, it is better to check the return value of it.
+
+Signed-off-by: Xiaoke Wang
+Cc:
+Link: https://lore.kernel.org/r/tencent_094816F3522E0DC704056C789352EBBF0606@qq.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/jack.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/core/jack.c
++++ b/sound/core/jack.c
+@@ -509,6 +509,10 @@ int snd_jack_new(struct snd_card *card,
+ return -ENOMEM;
+
+ jack->id = kstrdup(id, GFP_KERNEL);
++ if (jack->id == NULL) {
++ kfree(jack);
++ return -ENOMEM;
++ }
+
+ /* don't creat input device for phantom jack */
+ if (!phantom_jack) {
diff --git a/queue-5.15/alsa-rawmidi-fix-the-uninitalized-user_pversion.patch b/queue-5.15/alsa-rawmidi-fix-the-uninitalized-user_pversion.patch
new file mode 100644
index 00000000000..fbb155cf9fc
--- /dev/null
+++ b/queue-5.15/alsa-rawmidi-fix-the-uninitalized-user_pversion.patch
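Review bot: `if (jack->id == NULL) {` is the only NULL test in this hunk written as an explicit comparison; kernel style (and checkpatch) prefers `if (!jack->id) {`, which also matches the `if (!phantom_jack)` two lines below. Behaviour is identical, so this is style only; the error handling itself (free the just-allocated jack, return -ENOMEM) looks complete for this point in snd_jack_new(), whose body continues outside the hunk.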
@@ -0,0 +1,39 @@
+From 39a8fc4971a00d22536aeb7d446ee4a97810611b Mon Sep 17 00:00:00 2001
+From: Jaroslav Kysela
+Date: Sat, 18 Dec 2021 13:39:25 +0100
+Subject: ALSA: rawmidi - fix the uninitalized user_pversion
+
+From: Jaroslav Kysela
+
+commit 39a8fc4971a00d22536aeb7d446ee4a97810611b upstream.
+
+The user_pversion was uninitialized for the user space file structure
+in the open function, because the file private structure use
+kmalloc for the allocation.
+
+The kernel ALSA sequencer code clears the file structure, so no additional
+fixes are required.
+
+Cc: stable@kernel.org
+Cc: broonie@kernel.org
+BugLink: https://github.com/alsa-project/alsa-lib/issues/178
+Fixes: 09d23174402d ("ALSA: rawmidi: introduce SNDRV_RAWMIDI_IOCTL_USER_PVERSION")
+Reported-by: syzbot+88412ee8811832b00dbe@syzkaller.appspotmail.com
+Signed-off-by: Jaroslav Kysela
+Link: https://lore.kernel.org/r/20211218123925.2583847-1-perex@perex.cz
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/rawmidi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/rawmidi.c
++++ b/sound/core/rawmidi.c
+@@ -447,6 +447,7 @@ static int snd_rawmidi_open(struct inode
+ err = -ENOMEM;
+ goto __error;
+ }
++ rawmidi_file->user_pversion = 0;
+ init_waitqueue_entry(&wait, current);
+ add_wait_queue(&rmidi->open_wait, &wait);
+ while (1) {
diff --git a/queue-5.15/asoc-meson-aiu-move-aiu_i2s_misc-hold-setting-to-aiu-fifo-i2s.patch b/queue-5.15/asoc-meson-aiu-move-aiu_i2s_misc-hold-setting-to-aiu-fifo-i2s.patch
new file mode 100644
index 00000000000..93e1fcbd9e8
--- /dev/null
+++ b/queue-5.15/asoc-meson-aiu-move-aiu_i2s_misc-hold-setting-to-aiu-fifo-i2s.patch
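Review bot: `rawmidi_file->user_pversion = 0;` zeroes one field of a structure the commit message says is obtained with kmalloc(), so any member added to the rawmidi file structure later starts out with the same uninitialized-kernel-memory problem that syzbot reported here. Switching the allocation, which is a few lines above the hunk, to `kzalloc(sizeof(*rawmidi_file), GFP_KERNEL)` would cover every field at once and make the explicit assignment redundant; the message notes the sequencer code already clears its file structure, so this would also bring the two paths in line. snd_rawmidi_open() continues on both sides of the hunk.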
@@ -0,0 +1,144 @@ +From ee907afb0c39a41ee74b862882cfe12820c74b98 Mon Sep 17 00:00:00 2001 +From: Martin Blumenstingl +Date: Mon, 6 Dec 2021 22:08:04 +0100 +Subject: ASoC: meson: aiu: Move AIU_I2S_MISC hold setting to aiu-fifo-i2s + +From: Martin Blumenstingl + +commit ee907afb0c39a41ee74b862882cfe12820c74b98 upstream. + +The out-of-tree vendor driver uses the following approach to set the +AIU_I2S_MISC register: +1) write AIU_MEM_I2S_START_PTR and AIU_MEM_I2S_RD_PTR +2) configure AIU_I2S_MUTE_SWAP[15:0] +3) write AIU_MEM_I2S_END_PTR +4) set AIU_I2S_MISC[2] to 1 (documented as: "put I2S interface in hold + mode") +5) set AIU_I2S_MISC[4] to 1 (depending on the driver revision it always + stays at 1 while for older drivers this bit is unset in step 4) +6) set AIU_I2S_MISC[2] to 0 +7) write AIU_MEM_I2S_MASKS +8) toggle AIU_MEM_I2S_CONTROL[0] +9) toggle AIU_MEM_I2S_BUF_CNTL[0] + +Move setting the AIU_I2S_MISC[2] bit to aiu_fifo_i2s_hw_params() so it +resembles the flow in the vendor kernel more closely. While here also +configure AIU_I2S_MISC[4] (documented as: "force each audio data to +left or right according to the bit attached with the audio data") +similar to how the vendor driver does this. This fixes the infamous and +long-standing "machine gun noise" issue (a buffer underrun issue). 
+ +Fixes: 6ae9ca9ce986bf ("ASoC: meson: aiu: add i2s and spdif support") +Reported-by: Christian Hewitt +Reported-by: Geraldo Nascimento +Tested-by: Christian Hewitt +Tested-by: Geraldo Nascimento +Acked-by: Jerome Brunet +Cc: stable@vger.kernel.org +Signed-off-by: Martin Blumenstingl +Link: https://lore.kernel.org/r/20211206210804.2512999-3-martin.blumenstingl@googlemail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/meson/aiu-encoder-i2s.c | 33 --------------------------------- + sound/soc/meson/aiu-fifo-i2s.c | 19 +++++++++++++++++++ + 2 files changed, 19 insertions(+), 33 deletions(-) + +--- a/sound/soc/meson/aiu-encoder-i2s.c ++++ b/sound/soc/meson/aiu-encoder-i2s.c +@@ -18,7 +18,6 @@ + #define AIU_RST_SOFT_I2S_FAST BIT(0) + + #define AIU_I2S_DAC_CFG_MSB_FIRST BIT(2) +-#define AIU_I2S_MISC_HOLD_EN BIT(2) + #define AIU_CLK_CTRL_I2S_DIV_EN BIT(0) + #define AIU_CLK_CTRL_I2S_DIV GENMASK(3, 2) + #define AIU_CLK_CTRL_AOCLK_INVERT BIT(6) +@@ -36,37 +35,6 @@ static void aiu_encoder_i2s_divider_enab + enable ? AIU_CLK_CTRL_I2S_DIV_EN : 0); + } + +-static void aiu_encoder_i2s_hold(struct snd_soc_component *component, +- bool enable) +-{ +- snd_soc_component_update_bits(component, AIU_I2S_MISC, +- AIU_I2S_MISC_HOLD_EN, +- enable ? 
AIU_I2S_MISC_HOLD_EN : 0); +-} +- +-static int aiu_encoder_i2s_trigger(struct snd_pcm_substream *substream, int cmd, +- struct snd_soc_dai *dai) +-{ +- struct snd_soc_component *component = dai->component; +- +- switch (cmd) { +- case SNDRV_PCM_TRIGGER_START: +- case SNDRV_PCM_TRIGGER_RESUME: +- case SNDRV_PCM_TRIGGER_PAUSE_RELEASE: +- aiu_encoder_i2s_hold(component, false); +- return 0; +- +- case SNDRV_PCM_TRIGGER_STOP: +- case SNDRV_PCM_TRIGGER_SUSPEND: +- case SNDRV_PCM_TRIGGER_PAUSE_PUSH: +- aiu_encoder_i2s_hold(component, true); +- return 0; +- +- default: +- return -EINVAL; +- } +-} +- + static int aiu_encoder_i2s_setup_desc(struct snd_soc_component *component, + struct snd_pcm_hw_params *params) + { +@@ -353,7 +321,6 @@ static void aiu_encoder_i2s_shutdown(str + } + + const struct snd_soc_dai_ops aiu_encoder_i2s_dai_ops = { +- .trigger = aiu_encoder_i2s_trigger, + .hw_params = aiu_encoder_i2s_hw_params, + .hw_free = aiu_encoder_i2s_hw_free, + .set_fmt = aiu_encoder_i2s_set_fmt, +--- a/sound/soc/meson/aiu-fifo-i2s.c ++++ b/sound/soc/meson/aiu-fifo-i2s.c +@@ -20,6 +20,8 @@ + #define AIU_MEM_I2S_CONTROL_MODE_16BIT BIT(6) + #define AIU_MEM_I2S_BUF_CNTL_INIT BIT(0) + #define AIU_RST_SOFT_I2S_FAST BIT(0) ++#define AIU_I2S_MISC_HOLD_EN BIT(2) ++#define AIU_I2S_MISC_FORCE_LEFT_RIGHT BIT(4) + + #define AIU_FIFO_I2S_BLOCK 256 + +@@ -90,6 +92,10 @@ static int aiu_fifo_i2s_hw_params(struct + unsigned int val; + int ret; + ++ snd_soc_component_update_bits(component, AIU_I2S_MISC, ++ AIU_I2S_MISC_HOLD_EN, ++ AIU_I2S_MISC_HOLD_EN); ++ + ret = aiu_fifo_hw_params(substream, params, dai); + if (ret) + return ret; +@@ -117,6 +123,19 @@ static int aiu_fifo_i2s_hw_params(struct + snd_soc_component_update_bits(component, AIU_MEM_I2S_MASKS, + AIU_MEM_I2S_MASKS_IRQ_BLOCK, val); + ++ /* ++ * Most (all?) supported SoCs have this bit set by default. 
The vendor ++ * driver however sets it manually (depending on the version either ++ * while un-setting AIU_I2S_MISC_HOLD_EN or right before that). Follow ++ * the same approach for consistency with the vendor driver. ++ */ ++ snd_soc_component_update_bits(component, AIU_I2S_MISC, ++ AIU_I2S_MISC_FORCE_LEFT_RIGHT, ++ AIU_I2S_MISC_FORCE_LEFT_RIGHT); ++ ++ snd_soc_component_update_bits(component, AIU_I2S_MISC, ++ AIU_I2S_MISC_HOLD_EN, 0); ++ + return 0; + } + diff --git a/queue-5.15/asoc-tegra-add-dapm-switches-for-headphones-and-mic-jack.patch b/queue-5.15/asoc-tegra-add-dapm-switches-for-headphones-and-mic-jack.patch new file mode 100644 index 00000000000..0272323ce57 --- /dev/null +++ b/queue-5.15/asoc-tegra-add-dapm-switches-for-headphones-and-mic-jack.patch 
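Review bot: AIU_I2S_MISC_HOLD_EN is now set at the top of aiu_fifo_i2s_hw_params() before `aiu_fifo_hw_params()` is called, but the `if (ret) return ret;` right after it (and any other early return between the two update_bits calls) leaves the interface in hold mode with nothing clearing the bit until a later hw_params succeeds. If hold mode is not meant to outlive a failed configuration, the error path needs `snd_soc_component_update_bits(component, AIU_I2S_MISC, AIU_I2S_MISC_HOLD_EN, 0);` before returning, or the set should move below the calls that can fail; which is right depends on whether the vendor flow needs hold asserted before the pointer writes, which I cannot tell from the hunk. The middle of the function lies between the two aiu-fifo-i2s.c hunks and is not shown.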
@@ -0,0 +1,36 @@
+From d341b427c3c3fd6a58263ce01e01700d16861c28 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko
+Date: Sun, 12 Dec 2021 02:11:45 +0300
+Subject: ASoC: tegra: Add DAPM switches for headphones and mic jack
+
+From: Dmitry Osipenko
+
+commit d341b427c3c3fd6a58263ce01e01700d16861c28 upstream.
+
+UCM of Acer Chromebook (Nyan) uses DAPM switches of headphones and mic
+jack. These switches were lost by accident during unification of the
+machine drivers, restore them.
+
+Cc:
+Fixes: cc8f70f ("ASoC: tegra: Unify ASoC machine drivers")
+Reported-by: Thomas Graichen # T124 Nyan Big
+Tested-by: Thomas Graichen # T124 Nyan Big
+Signed-off-by: Dmitry Osipenko
+Link: https://lore.kernel.org/r/20211211231146.6137-1-digetx@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/tegra/tegra_asoc_machine.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/soc/tegra/tegra_asoc_machine.c
++++ b/sound/soc/tegra/tegra_asoc_machine.c
+@@ -116,6 +116,8 @@ static const struct snd_kcontrol_new teg
+ SOC_DAPM_PIN_SWITCH("Headset Mic"),
+ SOC_DAPM_PIN_SWITCH("Internal Mic 1"),
+ SOC_DAPM_PIN_SWITCH("Internal Mic 2"),
++ SOC_DAPM_PIN_SWITCH("Headphones"),
++ SOC_DAPM_PIN_SWITCH("Mic Jack"),
+ };
+
+ int tegra_asoc_machine_init(struct snd_soc_pcm_runtime *rtd)
diff --git a/queue-5.15/asoc-tegra-restore-headphones-jack-name-on-nyan-big.patch b/queue-5.15/asoc-tegra-restore-headphones-jack-name-on-nyan-big.patch
new file mode 100644
index 00000000000..8e9532e8a49
--- /dev/null
+++ b/queue-5.15/asoc-tegra-restore-headphones-jack-name-on-nyan-big.patch
@@ -0,0 +1,64 @@ +From db635ba4fadf3ba676d07537f3b3f58166aa7b0e Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Sun, 12 Dec 2021 02:11:46 +0300 +Subject: ASoC: tegra: Restore headphones jack name on Nyan Big + +From: Dmitry Osipenko + +commit db635ba4fadf3ba676d07537f3b3f58166aa7b0e upstream. + +UCM of Acer Chromebook (Nyan) uses a different name for the headphones +jack. The name was changed during unification of the machine drivers and +UCM fails now to load because of that. Restore the old jack name. + +Cc: +Fixes: cc8f70f ("ASoC: tegra: Unify ASoC machine drivers") +Reported-by: Thomas Graichen # T124 Nyan Big +Tested-by: Thomas Graichen # T124 Nyan Big +Signed-off-by: Dmitry Osipenko +Link: https://lore.kernel.org/r/20211211231146.6137-2-digetx@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/tegra/tegra_asoc_machine.c | 9 ++++++++- + sound/soc/tegra/tegra_asoc_machine.h | 1 + + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/sound/soc/tegra/tegra_asoc_machine.c ++++ b/sound/soc/tegra/tegra_asoc_machine.c +@@ -124,10 +124,16 @@ int tegra_asoc_machine_init(struct snd_s + { + struct snd_soc_card *card = rtd->card; + struct tegra_machine *machine = snd_soc_card_get_drvdata(card); ++ const char *jack_name; + int err; + + if (machine->gpiod_hp_det && machine->asoc->add_hp_jack) { +- err = snd_soc_card_jack_new(card, "Headphones Jack", ++ if (machine->asoc->hp_jack_name) ++ jack_name = machine->asoc->hp_jack_name; ++ else ++ jack_name = "Headphones Jack"; ++ ++ err = snd_soc_card_jack_new(card, jack_name, + SND_JACK_HEADPHONE, + &tegra_machine_hp_jack, + tegra_machine_hp_jack_pins, +@@ -660,6 +666,7 @@ static struct snd_soc_card snd_soc_tegra + static const struct tegra_asoc_data tegra_max98090_data = { + .mclk_rate = tegra_machine_mclk_rate_12mhz, + .card = &snd_soc_tegra_max98090, ++ .hp_jack_name = "Headphones", + .add_common_dapm_widgets = true, + .add_common_controls = true, + .add_common_snd_ops = true, 
+--- a/sound/soc/tegra/tegra_asoc_machine.h ++++ b/sound/soc/tegra/tegra_asoc_machine.h +@@ -14,6 +14,7 @@ struct snd_soc_pcm_runtime; + struct tegra_asoc_data { + unsigned int (*mclk_rate)(unsigned int srate); + const char *codec_dev_name; ++ const char *hp_jack_name; + struct snd_soc_card *card; + unsigned int mclk_id; + bool hp_jack_gpio_active_low; diff --git a/queue-5.15/input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch b/queue-5.15/input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch new file mode 100644 index 00000000000..7fce9390f2d --- /dev/null +++ b/queue-5.15/input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch 
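Review bot: The new `hp_jack_name` member of `struct tegra_asoc_data` is undocumented, and its contract (an unset pointer makes tegra_asoc_machine_init() fall back to the "Headphones Jack" name) is only discoverable by reading the .c file. A short comment on the field in tegra_asoc_machine.h would pin it down: `const char *hp_jack_name; /* optional; NULL selects "Headphones Jack" */`. The surrounding struct members carry no comments either, so this adds documentation rather than matching existing style.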
@@ -0,0 +1,39 @@
+From 12f247ab590a08856441efdbd351cf2cc8f60a2d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?=
+Date: Sun, 12 Dec 2021 21:01:49 -0800
+Subject: Input: atmel_mxt_ts - fix double free in mxt_read_info_block
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito
+
+commit 12f247ab590a08856441efdbd351cf2cc8f60a2d upstream.
+
+The "id_buf" buffer is stored in "data->raw_info_block" and freed by
+"mxt_free_object_table" in case of error.
+
+Return instead of jumping to avoid a double free.
+
+Addresses-Coverity-ID: 1474582 ("Double free")
+Fixes: 068bdb67ef74 ("Input: atmel_mxt_ts - fix the firmware update")
+Signed-off-by: José Expósito
+Link: https://lore.kernel.org/r/20211212194257.68879-1-jose.exposito89@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/touchscreen/atmel_mxt_ts.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/atmel_mxt_ts.c
++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
+@@ -1882,7 +1882,7 @@ static int mxt_read_info_block(struct mx
+ if (error) {
+ dev_err(&client->dev, "Error %d parsing object table\n", error);
+ mxt_free_object_table(data);
+- goto err_free_mem;
++ return error;
+ }
+
+ data->object_table = (struct mxt_object *)(id_buf + MXT_OBJECT_START);
diff --git a/queue-5.15/ipmi-bail-out-if-init_srcu_struct-fails.patch b/queue-5.15/ipmi-bail-out-if-init_srcu_struct-fails.patch
new file mode 100644
index 00000000000..581ab2fe1d6
--- /dev/null
+++ b/queue-5.15/ipmi-bail-out-if-init_srcu_struct-fails.patch
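Review bot: The new `return error;` is correct only because mxt_free_object_table() already released `id_buf` through `data->raw_info_block`, a fact stated in the commit message but nowhere in the function, where a reader sees a buffer, an `err_free_mem` label that frees it, and one error path that conspicuously does not jump there. A comment on the changed line would keep the next maintainer from "fixing" it back into the double free: `/* id_buf is owned by data->raw_info_block and was freed by mxt_free_object_table() */`. mxt_read_info_block() continues on both sides of the hunk, so I cannot check whether other error paths after this point have the same ownership hand-off.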
@@ -0,0 +1,37 @@
+From 2b5160b12091285c5aca45980f100a9294af7b04 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo
+Date: Fri, 17 Dec 2021 12:44:09 -0300
+Subject: ipmi: bail out if init_srcu_struct fails
+
+From: Thadeu Lima de Souza Cascardo
+
+commit 2b5160b12091285c5aca45980f100a9294af7b04 upstream.
+
+In case, init_srcu_struct fails (because of memory allocation failure), we
+might proceed with the driver initialization despite srcu_struct not being
+entirely initialized.
+
+Fixes: 913a89f009d9 ("ipmi: Don't initialize anything in the core until something uses it")
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Cc: Corey Minyard
+Cc: stable@vger.kernel.org
+Message-Id: <20211217154410.1228673-1-cascardo@canonical.com>
+Signed-off-by: Corey Minyard
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/ipmi/ipmi_msghandler.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -5148,7 +5148,9 @@ static int ipmi_init_msghandler(void)
+ if (initialized)
+ goto out;
+
+- init_srcu_struct(&ipmi_interfaces_srcu);
++ rv = init_srcu_struct(&ipmi_interfaces_srcu);
++ if (rv)
++ goto out;
+
+ timer_setup(&ipmi_timer, ipmi_timeout, 0);
+ mod_timer(&ipmi_timer, jiffies + IPMI_TIMEOUT_JIFFIES);
diff --git a/queue-5.15/ipmi-fix-initialization-when-workqueue-allocation-fails.patch b/queue-5.15/ipmi-fix-initialization-when-workqueue-allocation-fails.patch
new file mode 100644
index 00000000000..77918f7cb2b
--- /dev/null
+++ b/queue-5.15/ipmi-fix-initialization-when-workqueue-allocation-fails.patch
@@ -0,0 +1,59 @@ +From 75d70d76cb7b927cace2cb34265d68ebb3306b13 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Fri, 17 Dec 2021 12:44:10 -0300 +Subject: ipmi: fix initialization when workqueue allocation fails + +From: Thadeu Lima de Souza Cascardo + +commit 75d70d76cb7b927cace2cb34265d68ebb3306b13 upstream. + +If the workqueue allocation fails, the driver is marked as not initialized, +and timer and panic_notifier will be left registered. + +Instead of removing those when workqueue allocation fails, do the workqueue +initialization before doing it, and cleanup srcu_struct if it fails. + +Fixes: 1d49eb91e86e ("ipmi: Move remove_work to dedicated workqueue") +Signed-off-by: Thadeu Lima de Souza Cascardo +Cc: Corey Minyard +Cc: Ioanna Alifieraki +Cc: stable@vger.kernel.org +Message-Id: <20211217154410.1228673-2-cascardo@canonical.com> +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_msghandler.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -5152,20 +5152,23 @@ static int ipmi_init_msghandler(void) + if (rv) + goto out; + +- timer_setup(&ipmi_timer, ipmi_timeout, 0); +- mod_timer(&ipmi_timer, jiffies + IPMI_TIMEOUT_JIFFIES); +- +- atomic_notifier_chain_register(&panic_notifier_list, &panic_block); +- + remove_work_wq = create_singlethread_workqueue("ipmi-msghandler-remove-wq"); + if (!remove_work_wq) { + pr_err("unable to create ipmi-msghandler-remove-wq workqueue"); + rv = -ENOMEM; +- goto out; ++ goto out_wq; + } + ++ timer_setup(&ipmi_timer, ipmi_timeout, 0); ++ mod_timer(&ipmi_timer, jiffies + IPMI_TIMEOUT_JIFFIES); ++ ++ atomic_notifier_chain_register(&panic_notifier_list, &panic_block); ++ + initialized = true; + ++out_wq: ++ if (rv) ++ cleanup_srcu_struct(&ipmi_interfaces_srcu); + out: + mutex_unlock(&ipmi_interfaces_mutex); + return rv; 
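Review bot: The cleanup under the new `out_wq:` label is conditional (`if (rv) cleanup_srcu_struct(&ipmi_interfaces_srcu);`), so the success path is correct only because rv is exactly zero when `initialized = true;` falls through into the label — a property that depends on assignments outside this hunk. A label whose action is guarded is easy to misread; either a comment such as `/* Only the workqueue failure path arrives here with rv != 0; success falls through. */` or a dedicated label that only the failure branch jumps to would make the intent explicit. Note also that the earlier `if (rv) goto out;` after init_srcu_struct() correctly bypasses the srcu cleanup; that ordering must be preserved if more labels are added. The enclosing ipmi_init_msghandler() begins outside the hunk.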
diff --git a/queue-5.15/ipmi-ssif-initialize-ssif_info-client-early.patch b/queue-5.15/ipmi-ssif-initialize-ssif_info-client-early.patch new file mode 100644 index 00000000000..e8993fda787 --- /dev/null +++ b/queue-5.15/ipmi-ssif-initialize-ssif_info-client-early.patch 
@@ -0,0 +1,71 @@ +From 34f35f8f14bc406efc06ee4ff73202c6fd245d15 Mon Sep 17 00:00:00 2001 +From: Mian Yousaf Kaukab +Date: Wed, 8 Dec 2021 10:32:39 +0100 +Subject: ipmi: ssif: initialize ssif_info->client early + +From: Mian Yousaf Kaukab + +commit 34f35f8f14bc406efc06ee4ff73202c6fd245d15 upstream. + +During probe ssif_info->client is dereferenced in error path. However, +it is set when some of the error checking has already been done. This +causes following kernel crash if an error path is taken: + +[ 30.645593][ T674] ipmi_ssif 0-000e: ipmi_ssif: Not probing, Interface already present +[ 30.657616][ T674] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088 +... +[ 30.657723][ T674] pc : __dev_printk+0x28/0xa0 +[ 30.657732][ T674] lr : _dev_err+0x7c/0xa0 +... +[ 30.657772][ T674] Call trace: +[ 30.657775][ T674] __dev_printk+0x28/0xa0 +[ 30.657778][ T674] _dev_err+0x7c/0xa0 +[ 30.657781][ T674] ssif_probe+0x548/0x900 [ipmi_ssif 62ce4b08badc1458fd896206d9ef69a3c31f3d3e] +[ 30.657791][ T674] i2c_device_probe+0x37c/0x3c0 +... + +Initialize ssif_info->client before any error path can be taken. Clear +i2c_client data in the error path to prevent the dangling pointer from +leaking. 
+ +Fixes: c4436c9149c5 ("ipmi_ssif: avoid registering duplicate ssif interface") +Cc: stable@vger.kernel.org # 5.4.x +Suggested-by: Takashi Iwai +Signed-off-by: Mian Yousaf Kaukab +Message-Id: <20211208093239.4432-1-ykaukab@suse.de> +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_ssif.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -1659,6 +1659,9 @@ static int ssif_probe(struct i2c_client + } + } + ++ ssif_info->client = client; ++ i2c_set_clientdata(client, ssif_info); ++ + rv = ssif_check_and_remove(client, ssif_info); + /* If rv is 0 and addr source is not SI_ACPI, continue probing */ + if (!rv && ssif_info->addr_source == SI_ACPI) { +@@ -1679,9 +1682,6 @@ static int ssif_probe(struct i2c_client + ipmi_addr_src_to_str(ssif_info->addr_source), + client->addr, client->adapter->name, slave_addr); + +- ssif_info->client = client; +- i2c_set_clientdata(client, ssif_info); +- + /* Now check for system interface capabilities */ + msg[0] = IPMI_NETFN_APP_REQUEST << 2; + msg[1] = IPMI_GET_SYSTEM_INTERFACE_CAPABILITIES_CMD; +@@ -1881,6 +1881,7 @@ static int ssif_probe(struct i2c_client + + dev_err(&ssif_info->client->dev, + "Unable to start IPMI SSIF: %d\n", rv); ++ i2c_set_clientdata(client, NULL); + kfree(ssif_info); + } + kfree(resp); diff --git a/queue-5.15/kvm-nvmx-synthesize-triple_fault-for-l2-if-emulation-is-required.patch b/queue-5.15/kvm-nvmx-synthesize-triple_fault-for-l2-if-emulation-is-required.patch new file mode 100644 index 00000000000..c2c80de77f9 --- /dev/null +++ b/queue-5.15/kvm-nvmx-synthesize-triple_fault-for-l2-if-emulation-is-required.patch 
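Review bot: Moving `ssif_info->client = client; i2c_set_clientdata(client, ssif_info);` ahead of ssif_check_and_remove() means the I2C core holds a pointer to ssif_info for the rest of probe, while only the final error exit at the +1884 hunk clears it with `i2c_set_clientdata(client, NULL);` before `kfree(ssif_info);`. Any error return between the first and last hunk that frees ssif_info without passing through that exit would leave a dangling clientdata pointer for a later remove or dev_get_drvdata() user to follow; the middle of ssif_probe() is outside the hunk, so this should be checked. A comment at the new assignment, e.g. `/* Set early: the error exit below prints via ssif_info->client->dev. */`, would record why the ordering matters.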
@@ -0,0 +1,139 @@ +From cd0e615c49e5e5d69885af9ac3b4fa7bb3387f58 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 7 Dec 2021 19:30:04 +0000 +Subject: KVM: nVMX: Synthesize TRIPLE_FAULT for L2 if emulation is required +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +commit cd0e615c49e5e5d69885af9ac3b4fa7bb3387f58 upstream. + +Synthesize a triple fault if L2 guest state is invalid at the time of +VM-Enter, which can happen if L1 modifies SMRAM or if userspace stuffs +guest state via ioctls(), e.g. KVM_SET_SREGS. KVM should never emulate +invalid guest state, since from L1's perspective, it's architecturally +impossible for L2 to have invalid state while L2 is running in hardware. +E.g. attempts to set CR0 or CR4 to unsupported values will either VM-Exit +or #GP. + +Modifying vCPU state via RSM+SMRAM and ioctl() are the only paths that +can trigger this scenario, as nested VM-Enter correctly rejects any +attempt to enter L2 with invalid state. + +RSM is a straightforward case as (a) KVM follows AMD's SMRAM layout and +behavior, and (b) Intel's SDM states that loading reserved CR0/CR4 bits +via RSM results in shutdown, i.e. there is precedent for KVM's behavior. +Following AMD's SMRAM layout is important as AMD's layout saves/restores +the descriptor cache information, including CS.RPL and SS.RPL, and also +defines all the fields relevant to invalid guest state as read-only, i.e. +so long as the vCPU had valid state before the SMI, which is guaranteed +for L2, RSM will generate valid state unless SMRAM was modified. Intel's +layout saves/restores only the selector, which means that scenarios where +the selector and cached RPL don't match, e.g. conforming code segments, +would yield invalid guest state. Intel CPUs fudge around this issued by +stuffing SS.RPL and CS.RPL on RSM. 
Per Intel's SDM on the "Default +Treatment of RSM", paraphrasing for brevity: + + IF internal storage indicates that the [CPU was post-VMXON] + THEN + enter VMX operation (root or non-root); + restore VMX-critical state as defined in Section 34.14.1; + set to their fixed values any bits in CR0 and CR4 whose values must + be fixed in VMX operation [unless coming from an unrestricted guest]; + IF RFLAGS.VM = 0 AND (in VMX root operation OR the + “unrestricted guest” VM-execution control is 0) + THEN + CS.RPL := SS.DPL; + SS.RPL := SS.DPL; + FI; + restore current VMCS pointer; + FI; + +Note that Intel CPUs also overwrite the fixed CR0/CR4 bits, whereas KVM +will sythesize TRIPLE_FAULT in this scenario. KVM's behavior is allowed +as both Intel and AMD define CR0/CR4 SMRAM fields as read-only, i.e. the +only way for CR0 and/or CR4 to have illegal values is if they were +modified by the L1 SMM handler, and Intel's SDM "SMRAM State Save Map" +section states "modifying these registers will result in unpredictable +behavior". + +KVM's ioctl() behavior is less straightforward. Because KVM allows +ioctls() to be executed in any order, rejecting an ioctl() if it would +result in invalid L2 guest state is not an option as KVM cannot know if +a future ioctl() would resolve the invalid state, e.g. KVM_SET_SREGS, or +drop the vCPU out of L2, e.g. KVM_SET_NESTED_STATE. Ideally, KVM would +reject KVM_RUN if L2 contained invalid guest state, but that carries the +risk of a false positive, e.g. if RSM loaded invalid guest state and KVM +exited to userspace. Setting a flag/request to detect such a scenario is +undesirable because (a) it's extremely unlikely to add value to KVM as a +whole, and (b) KVM would need to consider ioctl() interactions with such +a flag, e.g. if userspace migrated the vCPU while the flag were set. 
+ +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-Id: <20211207193006.120997-3-seanjc@google.com> +Reviewed-by: Maxim Levitsky +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx/vmx.c | 32 ++++++++++++++++++++++++-------- + 1 file changed, 24 insertions(+), 8 deletions(-) + +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -5866,18 +5866,14 @@ static int __vmx_handle_exit(struct kvm_ + vmx_flush_pml_buffer(vcpu); + + /* +- * We should never reach this point with a pending nested VM-Enter, and +- * more specifically emulation of L2 due to invalid guest state (see +- * below) should never happen as that means we incorrectly allowed a +- * nested VM-Enter with an invalid vmcs12. ++ * KVM should never reach this point with a pending nested VM-Enter. ++ * More specifically, short-circuiting VM-Entry to emulate L2 due to ++ * invalid guest state should never happen as that means KVM knowingly ++ * allowed a nested VM-Enter with an invalid vmcs12. More below. + */ + if (KVM_BUG_ON(vmx->nested.nested_run_pending, vcpu->kvm)) + return -EIO; + +- /* If guest state is invalid, start emulating */ +- if (vmx->emulation_required) +- return handle_invalid_guest_state(vcpu); +- + if (is_guest_mode(vcpu)) { + /* + * PML is never enabled when running L2, bail immediately if a +@@ -5899,10 +5895,30 @@ static int __vmx_handle_exit(struct kvm_ + */ + nested_mark_vmcs12_pages_dirty(vcpu); + ++ /* ++ * Synthesize a triple fault if L2 state is invalid. In normal ++ * operation, nested VM-Enter rejects any attempt to enter L2 ++ * with invalid state. However, those checks are skipped if ++ * state is being stuffed via RSM or KVM_SET_NESTED_STATE. If ++ * L2 state is invalid, it means either L1 modified SMRAM state ++ * or userspace provided bad state. 
Synthesize TRIPLE_FAULT as ++ * doing so is architecturally allowed in the RSM case, and is ++ * the least awful solution for the userspace case without ++ * risking false positives. ++ */ ++ if (vmx->emulation_required) { ++ nested_vmx_vmexit(vcpu, EXIT_REASON_TRIPLE_FAULT, 0, 0); ++ return 1; ++ } ++ + if (nested_vmx_reflect_vmexit(vcpu)) + return 1; + } + ++ /* If guest state is invalid, start emulating. L2 is handled above. */ ++ if (vmx->emulation_required) ++ return handle_invalid_guest_state(vcpu); ++ + if (exit_reason.failed_vmentry) { + dump_vmcs(vcpu); + vcpu->run->exit_reason = KVM_EXIT_FAIL_ENTRY; diff --git a/queue-5.15/kvm-vmx-always-clear-vmx-fail-on-emulation_required.patch b/queue-5.15/kvm-vmx-always-clear-vmx-fail-on-emulation_required.patch new file mode 100644 index 00000000000..7880fb55b8f --- /dev/null +++ b/queue-5.15/kvm-vmx-always-clear-vmx-fail-on-emulation_required.patch 
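Review bot: The synthesized exit `nested_vmx_vmexit(vcpu, EXIT_REASON_TRIPLE_FAULT, 0, 0);` passes zero for both the exit qualification and the interruption info without saying why; as far as I know neither field carries information for a triple fault, but a reader checking the call against the other nested_vmx_vmexit() sites will have to look that up. A short comment on the call, e.g. `/* No exit qualification or interruption info is defined for TRIPLE_FAULT. */`, would close that gap. The block comment above it is otherwise thorough; __vmx_handle_exit() starts and ends outside the hunk.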
@@ -0,0 +1,85 @@ +From a80dfc025924024d2c61a4c1b8ef62b2fce76a04 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 7 Dec 2021 19:30:03 +0000 +Subject: KVM: VMX: Always clear vmx->fail on emulation_required + +From: Sean Christopherson + +commit a80dfc025924024d2c61a4c1b8ef62b2fce76a04 upstream. + +Revert a relatively recent change that set vmx->fail if the vCPU is in L2 +and emulation_required is true, as that behavior is completely bogus. +Setting vmx->fail and synthesizing a VM-Exit is contradictory and wrong: + + (a) it's impossible to have both a VM-Fail and VM-Exit + (b) vmcs.EXIT_REASON is not modified on VM-Fail + (c) emulation_required refers to guest state and guest state checks are + always VM-Exits, not VM-Fails. + +For KVM specifically, emulation_required is handled before nested exits +in __vmx_handle_exit(), thus setting vmx->fail has no immediate effect, +i.e. KVM calls into handle_invalid_guest_state() and vmx->fail is ignored. +Setting vmx->fail can ultimately result in a WARN in nested_vmx_vmexit() +firing when tearing down the VM as KVM never expects vmx->fail to be set +when L2 is active, KVM always reflects those errors into L1. 
+ + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 21158 at arch/x86/kvm/vmx/nested.c:4548 + nested_vmx_vmexit+0x16bd/0x17e0 + arch/x86/kvm/vmx/nested.c:4547 + Modules linked in: + CPU: 0 PID: 21158 Comm: syz-executor.1 Not tainted 5.16.0-rc3-syzkaller #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + RIP: 0010:nested_vmx_vmexit+0x16bd/0x17e0 arch/x86/kvm/vmx/nested.c:4547 + Code: <0f> 0b e9 2e f8 ff ff e8 57 b3 5d 00 0f 0b e9 00 f1 ff ff 89 e9 80 + Call Trace: + vmx_leave_nested arch/x86/kvm/vmx/nested.c:6220 [inline] + nested_vmx_free_vcpu+0x83/0xc0 arch/x86/kvm/vmx/nested.c:330 + vmx_free_vcpu+0x11f/0x2a0 arch/x86/kvm/vmx/vmx.c:6799 + kvm_arch_vcpu_destroy+0x6b/0x240 arch/x86/kvm/x86.c:10989 + kvm_vcpu_destroy+0x29/0x90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 + kvm_free_vcpus arch/x86/kvm/x86.c:11426 [inline] + kvm_arch_destroy_vm+0x3ef/0x6b0 arch/x86/kvm/x86.c:11545 + kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1189 [inline] + kvm_put_kvm+0x751/0xe40 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1220 + kvm_vcpu_release+0x53/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3489 + __fput+0x3fc/0x870 fs/file_table.c:280 + task_work_run+0x146/0x1c0 kernel/task_work.c:164 + exit_task_work include/linux/task_work.h:32 [inline] + do_exit+0x705/0x24f0 kernel/exit.c:832 + do_group_exit+0x168/0x2d0 kernel/exit.c:929 + get_signal+0x1740/0x2120 kernel/signal.c:2852 + arch_do_signal_or_restart+0x9c/0x730 arch/x86/kernel/signal.c:868 + handle_signal_work kernel/entry/common.c:148 [inline] + exit_to_user_mode_loop kernel/entry/common.c:172 [inline] + exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:207 + __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] + syscall_exit_to_user_mode+0x2e/0x70 kernel/entry/common.c:300 + do_syscall_64+0x53/0xd0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: c8607e4a086f ("KVM: x86: nVMX: don't fail nested VM 
entry on invalid guest state if !from_vmentry") +Reported-by: syzbot+f1d2136db9c80d4733e8@syzkaller.appspotmail.com +Reviewed-by: Maxim Levitsky +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-Id: <20211207193006.120997-2-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx/vmx.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -6612,9 +6612,7 @@ static fastpath_t vmx_vcpu_run(struct kv + * consistency check VM-Exit due to invalid guest state and bail. + */ + if (unlikely(vmx->emulation_required)) { +- +- /* We don't emulate invalid state of a nested guest */ +- vmx->fail = is_guest_mode(vcpu); ++ vmx->fail = 0; + + vmx->exit_reason.full = EXIT_REASON_INVALID_STATE; + vmx->exit_reason.failed_vmentry = 1; diff --git a/queue-5.15/kvm-vmx-wake-vcpu-when-delivering-posted-irq-even-if-vcpu-this-vcpu.patch b/queue-5.15/kvm-vmx-wake-vcpu-when-delivering-posted-irq-even-if-vcpu-this-vcpu.patch new file mode 100644 index 00000000000..69145785b32 --- /dev/null +++ b/queue-5.15/kvm-vmx-wake-vcpu-when-delivering-posted-irq-even-if-vcpu-this-vcpu.patch 
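Review bot: The removed comment ("We don't emulate invalid state of a nested guest") is not replaced, so the unconditional `vmx->fail = 0;` now sits in the block with no explanation of why the L2 case no longer differs; the reasoning is only in the commit message. A one-line comment such as `/* Invalid guest state is a VM-Exit, never a VM-Fail, even for L2. */` above the assignment would preserve that for the next reader. The surrounding vmx_vcpu_run() is outside the hunk.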
@@ -0,0 +1,66 @@ +From fdba608f15e2427419997b0898750a49a735afcb Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 21 Dec 2021 10:37:00 -0500 +Subject: KVM: VMX: Wake vCPU when delivering posted IRQ even if vCPU == this vCPU + +From: Sean Christopherson + +commit fdba608f15e2427419997b0898750a49a735afcb upstream. + +Drop a check that guards triggering a posted interrupt on the currently +running vCPU, and more importantly guards waking the target vCPU if +triggering a posted interrupt fails because the vCPU isn't IN_GUEST_MODE. +If a vIRQ is delivered from asynchronous context, the target vCPU can be +the currently running vCPU and can also be blocking, in which case +skipping kvm_vcpu_wake_up() is effectively dropping what is supposed to +be a wake event for the vCPU. + +The "do nothing" logic when "vcpu == running_vcpu" mostly works only +because the majority of calls to ->deliver_posted_interrupt(), especially +when using posted interrupts, come from synchronous KVM context. But if +a device is exposed to the guest using vfio-pci passthrough, the VFIO IRQ +and vCPU are bound to the same pCPU, and the IRQ is _not_ configured to +use posted interrupts, wake events from the device will be delivered to +KVM from IRQ context, e.g. + + vfio_msihandler() + | + |-> eventfd_signal() + | + |-> ... + | + |-> irqfd_wakeup() + | + |->kvm_arch_set_irq_inatomic() + | + |-> kvm_irq_delivery_to_apic_fast() + | + |-> kvm_apic_set_irq() + +This also aligns the non-nested and nested usage of triggering posted +interrupts, and will allow for additional cleanups. 
+ +Fixes: 379a3c8ee444 ("KVM: VMX: Optimize posted-interrupt delivery for timer fastpath") +Cc: stable@vger.kernel.org +Reported-by: Longpeng (Mike) +Signed-off-by: Sean Christopherson +Reviewed-by: Maxim Levitsky +Message-Id: <20211208015236.1616697-18-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx/vmx.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -3971,8 +3971,7 @@ static int vmx_deliver_posted_interrupt( + if (pi_test_and_set_on(&vmx->pi_desc)) + return 0; + +- if (vcpu != kvm_get_running_vcpu() && +- !kvm_vcpu_trigger_posted_interrupt(vcpu, false)) ++ if (!kvm_vcpu_trigger_posted_interrupt(vcpu, false)) + kvm_vcpu_kick(vcpu); + + return 0; diff --git a/queue-5.15/kvm-x86-always-set-kvm_run-if_flag.patch b/queue-5.15/kvm-x86-always-set-kvm_run-if_flag.patch new file mode 100644 index 00000000000..3d50d4cd78e --- /dev/null +++ b/queue-5.15/kvm-x86-always-set-kvm_run-if_flag.patch 
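Review bot: With the `vcpu != kvm_get_running_vcpu()` guard removed, kvm_vcpu_kick() can now be called on the currently running vCPU from this path, so the change relies on kvm_vcpu_kick() tolerating a self-kick (waking a blocking vCPU without sending an IPI to the local CPU); that behaviour is not visible in the hunk and should be confirmed for the 5.15 tree this is backported to. A comment on the remaining call, e.g. `/* The target may be this vCPU; it still needs waking if it is blocking. */`, would keep the old "skip self" optimization from being reintroduced. vmx_deliver_posted_interrupt() begins outside the hunk.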
@@ -0,0 +1,141 @@ +From c5063551bfcae4e48fec890b7bf369598b77526b Mon Sep 17 00:00:00 2001 +From: Marc Orr +Date: Thu, 9 Dec 2021 07:52:57 -0800 +Subject: KVM: x86: Always set kvm_run->if_flag + +From: Marc Orr + +commit c5063551bfcae4e48fec890b7bf369598b77526b upstream. + +The kvm_run struct's if_flag is a part of the userspace/kernel API. The +SEV-ES patches failed to set this flag because it's no longer needed by +QEMU (according to the comment in the source code). However, other +hypervisors may make use of this flag. Therefore, set the flag for +guests with encrypted registers (i.e., with guest_state_protected set). + +Fixes: f1c6366e3043 ("KVM: SVM: Add required changes to support intercepts under SEV-ES") +Signed-off-by: Marc Orr +Message-Id: <20211209155257.128747-1-marcorr@google.com> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Reviewed-by: Maxim Levitsky +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/kvm-x86-ops.h | 1 + + arch/x86/include/asm/kvm_host.h | 1 + + arch/x86/kvm/svm/svm.c | 21 ++++++++++++--------- + arch/x86/kvm/vmx/vmx.c | 6 ++++++ + arch/x86/kvm/x86.c | 9 +-------- + 5 files changed, 21 insertions(+), 17 deletions(-) + +--- a/arch/x86/include/asm/kvm-x86-ops.h ++++ b/arch/x86/include/asm/kvm-x86-ops.h +@@ -47,6 +47,7 @@ KVM_X86_OP(set_dr7) + KVM_X86_OP(cache_reg) + KVM_X86_OP(get_rflags) + KVM_X86_OP(set_rflags) ++KVM_X86_OP(get_if_flag) + KVM_X86_OP(tlb_flush_all) + KVM_X86_OP(tlb_flush_current) + KVM_X86_OP_NULL(tlb_remote_flush) +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1341,6 +1341,7 @@ struct kvm_x86_ops { + void (*cache_reg)(struct kvm_vcpu *vcpu, enum kvm_reg reg); + unsigned long (*get_rflags)(struct kvm_vcpu *vcpu); + void (*set_rflags)(struct kvm_vcpu *vcpu, unsigned long rflags); ++ bool (*get_if_flag)(struct kvm_vcpu *vcpu); + + void (*tlb_flush_all)(struct kvm_vcpu *vcpu); + void (*tlb_flush_current)(struct kvm_vcpu *vcpu); +--- a/arch/x86/kvm/svm/svm.c ++++ 
b/arch/x86/kvm/svm/svm.c +@@ -1517,6 +1517,15 @@ static void svm_set_rflags(struct kvm_vc + to_svm(vcpu)->vmcb->save.rflags = rflags; + } + ++static bool svm_get_if_flag(struct kvm_vcpu *vcpu) ++{ ++ struct vmcb *vmcb = to_svm(vcpu)->vmcb; ++ ++ return sev_es_guest(vcpu->kvm) ++ ? vmcb->control.int_state & SVM_GUEST_INTERRUPT_MASK ++ : kvm_get_rflags(vcpu) & X86_EFLAGS_IF; ++} ++ + static void svm_cache_reg(struct kvm_vcpu *vcpu, enum kvm_reg reg) + { + switch (reg) { +@@ -3485,14 +3494,7 @@ bool svm_interrupt_blocked(struct kvm_vc + if (!gif_set(svm)) + return true; + +- if (sev_es_guest(vcpu->kvm)) { +- /* +- * SEV-ES guests to not expose RFLAGS. Use the VMCB interrupt mask +- * bit to determine the state of the IF flag. +- */ +- if (!(vmcb->control.int_state & SVM_GUEST_INTERRUPT_MASK)) +- return true; +- } else if (is_guest_mode(vcpu)) { ++ if (is_guest_mode(vcpu)) { + /* As long as interrupts are being delivered... */ + if ((svm->nested.ctl.int_ctl & V_INTR_MASKING_MASK) + ? !(svm->vmcb01.ptr->save.rflags & X86_EFLAGS_IF) +@@ -3503,7 +3505,7 @@ bool svm_interrupt_blocked(struct kvm_vc + if (nested_exit_on_intr(svm)) + return false; + } else { +- if (!(kvm_get_rflags(vcpu) & X86_EFLAGS_IF)) ++ if (!svm_get_if_flag(vcpu)) + return true; + } + +@@ -4562,6 +4564,7 @@ static struct kvm_x86_ops svm_x86_ops __ + .cache_reg = svm_cache_reg, + .get_rflags = svm_get_rflags, + .set_rflags = svm_set_rflags, ++ .get_if_flag = svm_get_if_flag, + + .tlb_flush_all = svm_flush_tlb, + .tlb_flush_current = svm_flush_tlb, +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -1359,6 +1359,11 @@ void vmx_set_rflags(struct kvm_vcpu *vcp + vmx->emulation_required = vmx_emulation_required(vcpu); + } + ++static bool vmx_get_if_flag(struct kvm_vcpu *vcpu) ++{ ++ return vmx_get_rflags(vcpu) & X86_EFLAGS_IF; ++} ++ + u32 vmx_get_interrupt_shadow(struct kvm_vcpu *vcpu) + { + u32 interruptibility = vmcs_read32(GUEST_INTERRUPTIBILITY_INFO); +@@ -7573,6 +7578,7 @@ static struct 
kvm_x86_ops vmx_x86_ops __ + .cache_reg = vmx_cache_reg, + .get_rflags = vmx_get_rflags, + .set_rflags = vmx_set_rflags, ++ .get_if_flag = vmx_get_if_flag, + + .tlb_flush_all = vmx_flush_tlb_all, + .tlb_flush_current = vmx_flush_tlb_current, +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -8880,14 +8880,7 @@ static void post_kvm_run_save(struct kvm + { + struct kvm_run *kvm_run = vcpu->run; + +- /* +- * if_flag is obsolete and useless, so do not bother +- * setting it for SEV-ES guests. Userspace can just +- * use kvm_run->ready_for_interrupt_injection. +- */ +- kvm_run->if_flag = !vcpu->arch.guest_state_protected +- && (kvm_get_rflags(vcpu) & X86_EFLAGS_IF) != 0; +- ++ kvm_run->if_flag = static_call(kvm_x86_get_if_flag)(vcpu); + kvm_run->cr8 = kvm_get_cr8(vcpu); + kvm_run->apic_base = kvm_get_apic_base(vcpu); + diff --git a/queue-5.15/kvm-x86-mmu-don-t-advance-iterator-after-restart-due-to-yielding.patch b/queue-5.15/kvm-x86-mmu-don-t-advance-iterator-after-restart-due-to-yielding.patch new file mode 100644 index 00000000000..7a1d8dff075 --- /dev/null +++ b/queue-5.15/kvm-x86-mmu-don-t-advance-iterator-after-restart-due-to-yielding.patch 
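Review bot: In svm_interrupt_blocked() the SEV-ES case was folded into the final `else` via svm_get_if_flag(), so an SEV-ES guest that is also in guest mode would now take the `is_guest_mode()` branch and read `svm->vmcb01.ptr->save.rflags` and the nested int_ctl instead of `vmcb->control.int_state`, which the removed comment identified as the only valid IF source for SEV-ES. That is safe only if nested virtualization can never be active for an SEV-ES guest; the hunk does not show that restriction, so it should be confirmed for 5.15. A comment on the new helper, e.g. `/* SEV-ES guests do not expose RFLAGS; use the VMCB interrupt mask bit instead. */`, would carry the removed explanation over. The vmx side (`vmx_get_if_flag` returning `vmx_get_rflags(vcpu) & X86_EFLAGS_IF`) raises no concern.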
@@ -0,0 +1,216 @@ +From 3a0f64de479cae75effb630a2e0a237ca0d0623c Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 14 Dec 2021 03:35:28 +0000 +Subject: KVM: x86/mmu: Don't advance iterator after restart due to yielding + +From: Sean Christopherson + +commit 3a0f64de479cae75effb630a2e0a237ca0d0623c upstream. + +After dropping mmu_lock in the TDP MMU, restart the iterator during +tdp_iter_next() and do not advance the iterator. Advancing the iterator +results in skipping the top-level SPTE and all its children, which is +fatal if any of the skipped SPTEs were not visited before yielding. + +When zapping all SPTEs, i.e. when min_level == root_level, restarting the +iter and then invoking tdp_iter_next() is always fatal if the current gfn +has as a valid SPTE, as advancing the iterator results in try_step_side() +skipping the current gfn, which wasn't visited before yielding. + +Sprinkle WARNs on iter->yielded being true in various helpers that are +often used in conjunction with yielding, and tag the helper with +__must_check to reduce the probabily of improper usage. + +Failing to zap a top-level SPTE manifests in one of two ways. If a valid +SPTE is skipped by both kvm_tdp_mmu_zap_all() and kvm_tdp_mmu_put_root(), +the shadow page will be leaked and KVM will WARN accordingly. + + WARNING: CPU: 1 PID: 3509 at arch/x86/kvm/mmu/tdp_mmu.c:46 [kvm] + RIP: 0010:kvm_mmu_uninit_tdp_mmu+0x3e/0x50 [kvm] + Call Trace: + + kvm_arch_destroy_vm+0x130/0x1b0 [kvm] + kvm_destroy_vm+0x162/0x2a0 [kvm] + kvm_vcpu_release+0x34/0x60 [kvm] + __fput+0x82/0x240 + task_work_run+0x5c/0x90 + do_exit+0x364/0xa10 + ? 
futex_unqueue+0x38/0x60 + do_group_exit+0x33/0xa0 + get_signal+0x155/0x850 + arch_do_signal_or_restart+0xed/0x750 + exit_to_user_mode_prepare+0xc5/0x120 + syscall_exit_to_user_mode+0x1d/0x40 + do_syscall_64+0x48/0xc0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +If kvm_tdp_mmu_zap_all() skips a gfn/SPTE but that SPTE is then zapped by +kvm_tdp_mmu_put_root(), KVM triggers a use-after-free in the form of +marking a struct page as dirty/accessed after it has been put back on the +free list. This directly triggers a WARN due to encountering a page with +page_count() == 0, but it can also lead to data corruption and additional +errors in the kernel. + + WARNING: CPU: 7 PID: 1995658 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:171 + RIP: 0010:kvm_is_zone_device_pfn.part.0+0x9e/0xd0 [kvm] + Call Trace: + + kvm_set_pfn_dirty+0x120/0x1d0 [kvm] + __handle_changed_spte+0x92e/0xca0 [kvm] + __handle_changed_spte+0x63c/0xca0 [kvm] + __handle_changed_spte+0x63c/0xca0 [kvm] + __handle_changed_spte+0x63c/0xca0 [kvm] + zap_gfn_range+0x549/0x620 [kvm] + kvm_tdp_mmu_put_root+0x1b6/0x270 [kvm] + mmu_free_root_page+0x219/0x2c0 [kvm] + kvm_mmu_free_roots+0x1b4/0x4e0 [kvm] + kvm_mmu_unload+0x1c/0xa0 [kvm] + kvm_arch_destroy_vm+0x1f2/0x5c0 [kvm] + kvm_put_kvm+0x3b1/0x8b0 [kvm] + kvm_vcpu_release+0x4e/0x70 [kvm] + __fput+0x1f7/0x8c0 + task_work_run+0xf8/0x1a0 + do_exit+0x97b/0x2230 + do_group_exit+0xda/0x2a0 + get_signal+0x3be/0x1e50 + arch_do_signal_or_restart+0x244/0x17f0 + exit_to_user_mode_prepare+0xcb/0x120 + syscall_exit_to_user_mode+0x1d/0x40 + do_syscall_64+0x4d/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Note, the underlying bug existed even before commit 1af4a96025b3 ("KVM: +x86/mmu: Yield in TDU MMU iter even if no SPTES changed") moved calls to +tdp_mmu_iter_cond_resched() to the beginning of loops, as KVM could still +incorrectly advance past a top-level entry when yielding on a lower-level +entry. 
But with respect to leaking shadow pages, the bug was introduced +by yielding before processing the current gfn. + +Alternatively, tdp_mmu_iter_cond_resched() could simply fall through, or +callers could jump to their "retry" label. The downside of that approach +is that tdp_mmu_iter_cond_resched() _must_ be called before anything else +in the loop, and there's no easy way to enfornce that requirement. + +Ideally, KVM would handling the cond_resched() fully within the iterator +macro (the code is actually quite clean) and avoid this entire class of +bugs, but that is extremely difficult do while also supporting yielding +after tdp_mmu_set_spte_atomic() fails. Yielding after failing to set a +SPTE is very desirable as the "owner" of the REMOVED_SPTE isn't strictly +bounded, e.g. if it's zapping a high-level shadow page, the REMOVED_SPTE +may block operations on the SPTE for a significant amount of time. + +Fixes: faaf05b00aec ("kvm: x86/mmu: Support zapping SPTEs in the TDP MMU") +Fixes: 1af4a96025b3 ("KVM: x86/mmu: Yield in TDU MMU iter even if no SPTES changed") +Reported-by: Ignat Korchagin +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-Id: <20211214033528.123268-1-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu/tdp_iter.c | 6 ++++++ + arch/x86/kvm/mmu/tdp_iter.h | 6 ++++++ + arch/x86/kvm/mmu/tdp_mmu.c | 29 ++++++++++++++++------------- + 3 files changed, 28 insertions(+), 13 deletions(-) + +--- a/arch/x86/kvm/mmu/tdp_iter.c ++++ b/arch/x86/kvm/mmu/tdp_iter.c +@@ -26,6 +26,7 @@ static gfn_t round_gfn_for_level(gfn_t g + */ + void tdp_iter_restart(struct tdp_iter *iter) + { ++ iter->yielded = false; + iter->yielded_gfn = iter->next_last_level_gfn; + iter->level = iter->root_level; + +@@ -160,6 +161,11 @@ static bool try_step_up(struct tdp_iter + */ + void tdp_iter_next(struct tdp_iter *iter) + { ++ if (iter->yielded) { ++ tdp_iter_restart(iter); ++ return; ++ } ++ + if 
(try_step_down(iter)) + return; + +--- a/arch/x86/kvm/mmu/tdp_iter.h ++++ b/arch/x86/kvm/mmu/tdp_iter.h +@@ -45,6 +45,12 @@ struct tdp_iter { + * iterator walks off the end of the paging structure. + */ + bool valid; ++ /* ++ * True if KVM dropped mmu_lock and yielded in the middle of a walk, in ++ * which case tdp_iter_next() needs to restart the walk at the root ++ * level instead of advancing to the next entry. ++ */ ++ bool yielded; + }; + + /* +--- a/arch/x86/kvm/mmu/tdp_mmu.c ++++ b/arch/x86/kvm/mmu/tdp_mmu.c +@@ -501,6 +501,8 @@ static inline bool tdp_mmu_set_spte_atom + struct tdp_iter *iter, + u64 new_spte) + { ++ WARN_ON_ONCE(iter->yielded); ++ + lockdep_assert_held_read(&kvm->mmu_lock); + + /* +@@ -611,6 +613,8 @@ static inline void __tdp_mmu_set_spte(st + u64 new_spte, bool record_acc_track, + bool record_dirty_log) + { ++ WARN_ON_ONCE(iter->yielded); ++ + lockdep_assert_held_write(&kvm->mmu_lock); + + /* +@@ -676,18 +680,19 @@ static inline void tdp_mmu_set_spte_no_d + * If this function should yield and flush is set, it will perform a remote + * TLB flush before yielding. + * +- * If this function yields, it will also reset the tdp_iter's walk over the +- * paging structure and the calling function should skip to the next +- * iteration to allow the iterator to continue its traversal from the +- * paging structure root. ++ * If this function yields, iter->yielded is set and the caller must skip to ++ * the next iteration, where tdp_iter_next() will reset the tdp_iter's walk ++ * over the paging structures to allow the iterator to continue its traversal ++ * from the paging structure root. + * +- * Return true if this function yielded and the iterator's traversal was reset. +- * Return false if a yield was not needed. ++ * Returns true if this function yielded. 
+ */ +-static inline bool tdp_mmu_iter_cond_resched(struct kvm *kvm, +- struct tdp_iter *iter, bool flush, +- bool shared) ++static inline bool __must_check tdp_mmu_iter_cond_resched(struct kvm *kvm, ++ struct tdp_iter *iter, ++ bool flush, bool shared) + { ++ WARN_ON(iter->yielded); ++ + /* Ensure forward progress has been made before yielding. */ + if (iter->next_last_level_gfn == iter->yielded_gfn) + return false; +@@ -707,12 +712,10 @@ static inline bool tdp_mmu_iter_cond_res + + WARN_ON(iter->gfn > iter->next_last_level_gfn); + +- tdp_iter_restart(iter); +- +- return true; ++ iter->yielded = true; + } + +- return false; ++ return iter->yielded; + } + + /* diff --git a/queue-5.15/parisc-correct-completer-in-lws-start.patch b/queue-5.15/parisc-correct-completer-in-lws-start.patch new file mode 100644 index 00000000000..de6bdde7309 --- /dev/null +++ b/queue-5.15/parisc-correct-completer-in-lws-start.patch 
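Review bot: The new guard in tdp_mmu_iter_cond_resched() is `WARN_ON(iter->yielded);` while the two added to tdp_mmu_set_spte_atomic() and __tdp_mmu_set_spte() are `WARN_ON_ONCE(iter->yielded);`; a misuse that trips one will typically trip it on every iteration, so the unrated variant can flood the log. Using `WARN_ON_ONCE(iter->yielded);` in all three keeps the checks consistent. The contract that callers must skip to the next iteration after a true return is enforced only through `__must_check` on the return value; a sentence in the kerneldoc block stating that iter->gfn and iter->level are not valid after a true return until tdp_iter_next() has run would make the rule explicit. The callers in tdp_mmu.c are outside the hunk.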
@@ -0,0 +1,37 @@ +From 8f66fce0f46560b9e910787ff7ad0974441c4f9c Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Tue, 21 Dec 2021 13:21:22 -0500 +Subject: parisc: Correct completer in lws start + +From: John David Anglin + +commit 8f66fce0f46560b9e910787ff7ad0974441c4f9c upstream. + +The completer in the "or,ev %r1,%r30,%r30" instruction is reversed, so we are +not clipping the LWS number when we are called from a 32-bit process (W=0). +We need to nulify the following depdi instruction when the least-significant +bit of %r30 is 1. + +If the %r20 register is not clipped, a user process could perform a LWS call +that would branch to an undefined location in the kernel and potentially crash +the machine. + +Signed-off-by: John David Anglin +Cc: stable@vger.kernel.org # 4.19+ +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/syscall.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/kernel/syscall.S ++++ b/arch/parisc/kernel/syscall.S +@@ -478,7 +478,7 @@ lws_start: + extrd,u %r1,PSW_W_BIT,1,%r1 + /* sp must be aligned on 4, so deposit the W bit setting into + * the bottom of sp temporarily */ +- or,ev %r1,%r30,%r30 ++ or,od %r1,%r30,%r30 + + /* Clip LWS number to a 32-bit value for 32-bit processes */ + depdi 0, 31, 32, %r20 diff --git a/queue-5.15/parisc-fix-mask-used-to-select-futex-spinlock.patch b/queue-5.15/parisc-fix-mask-used-to-select-futex-spinlock.patch new file mode 100644 index 00000000000..ae7fd099ed4 --- /dev/null +++ b/queue-5.15/parisc-fix-mask-used-to-select-futex-spinlock.patch 
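Review bot: The completer is the entire fix, and its direction is exactly what was misread since 2002, yet the only comment nearby still explains why the W bit is deposited into sp; I would add directly above `or,od %r1,%r30,%r30` the line `/* or,od nullifies the following depdi when bit 0 of sp (the W bit) is 1, i.e. for 64-bit processes; W=0 (32-bit) processes fall through and get %r20 clipped */` so the next reader can check it without the PA-RISC manual. Note that `depdi 0, 31, 32, %r20` only clears the upper 32 bits of the LWS number; whatever range check keeps %r20 inside the LWS dispatch table is not in this hunk, so it cannot be confirmed from here that a 32-bit value alone is enough to prevent the out-of-table branch the commit message describes. lws_start continues outside the hunk.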
@@ -0,0 +1,44 @@ +From d3a5a68cff47f6eead84504c3c28376b85053242 Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Tue, 21 Dec 2021 13:33:16 -0500 +Subject: parisc: Fix mask used to select futex spinlock + +From: John David Anglin + +commit d3a5a68cff47f6eead84504c3c28376b85053242 upstream. + +The address bits used to select the futex spinlock need to match those used in +the LWS code in syscall.S. The mask 0x3f8 only selects 7 bits. It should +select 8 bits. + +This change fixes the glibc nptl/tst-cond24 and nptl/tst-cond25 tests. + +Signed-off-by: John David Anglin +Fixes: 53a42b6324b8 ("parisc: Switch to more fine grained lws locks") +Cc: stable@vger.kernel.org # 5.10+ +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/futex.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/parisc/include/asm/futex.h ++++ b/arch/parisc/include/asm/futex.h +@@ -16,7 +16,7 @@ static inline void + _futex_spin_lock_irqsave(u32 __user *uaddr, unsigned long int *flags) + { + extern u32 lws_lock_start[]; +- long index = ((long)uaddr & 0x3f8) >> 1; ++ long index = ((long)uaddr & 0x7f8) >> 1; + arch_spinlock_t *s = (arch_spinlock_t *)&lws_lock_start[index]; + local_irq_save(*flags); + arch_spin_lock(s); +@@ -26,7 +26,7 @@ static inline void + _futex_spin_unlock_irqrestore(u32 __user *uaddr, unsigned long int *flags) + { + extern u32 lws_lock_start[]; +- long index = ((long)uaddr & 0x3f8) >> 1; ++ long index = ((long)uaddr & 0x7f8) >> 1; + arch_spinlock_t *s = (arch_spinlock_t *)&lws_lock_start[index]; + arch_spin_unlock(s); + local_irq_restore(*flags); diff --git a/queue-5.15/platform-x86-amd-pmc-only-use-callbacks-for-suspend.patch b/queue-5.15/platform-x86-amd-pmc-only-use-callbacks-for-suspend.patch new file mode 100644 index 00000000000..d76139440d1 --- /dev/null +++ b/queue-5.15/platform-x86-amd-pmc-only-use-callbacks-for-suspend.patch 
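Review bot: The mask `0x7f8` and the `>> 1` now appear twice in this header and, per the commit message, a third time in syscall.S, with nothing tying the three together, and the bug being fixed is precisely such a drift; I would factor the index into one helper used by both functions, `static inline long lws_lock_index(u32 __user *uaddr) { return ((long)uaddr & 0x7f8) >> 1; }`, and derive the constant from a macro the assembly can include. Separately, the wider mask raises the largest index to 0x3fc, so `lws_lock_start[]` must be sized for it; its definition is outside this hunk and this can only be confirmed against syscall.S.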
@@ -0,0 +1,35 @@ +From 09fc14061f3ed28899c23b8714c066946fdbd43e Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Fri, 10 Dec 2021 08:35:29 -0600 +Subject: platform/x86: amd-pmc: only use callbacks for suspend + +From: Mario Limonciello + +commit 09fc14061f3ed28899c23b8714c066946fdbd43e upstream. + +This driver is intended to be used exclusively for suspend to idle +so callbacks to send OS_HINT during hibernate and S5 will set OS_HINT +at the wrong time leading to an undefined behavior. + +Cc: stable@vger.kernel.org +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20211210143529.10594-1-mario.limonciello@amd.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/amd-pmc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/platform/x86/amd-pmc.c ++++ b/drivers/platform/x86/amd-pmc.c +@@ -375,7 +375,8 @@ static int __maybe_unused amd_pmc_resume + } + + static const struct dev_pm_ops amd_pmc_pm_ops = { +- SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(amd_pmc_suspend, amd_pmc_resume) ++ .suspend_noirq = amd_pmc_suspend, ++ .resume_noirq = amd_pmc_resume, + }; + + static const struct pci_device_id pmc_pci_ids[] = { diff --git a/queue-5.15/platform-x86-intel_pmc_core-fix-memleak-on-registration-failure.patch b/queue-5.15/platform-x86-intel_pmc_core-fix-memleak-on-registration-failure.patch new file mode 100644 index 00000000000..943e3a13f48 --- /dev/null +++ b/queue-5.15/platform-x86-intel_pmc_core-fix-memleak-on-registration-failure.patch 
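Review bot: Nothing at the `amd_pmc_pm_ops` definition says why the `SET_NOIRQ_SYSTEM_SLEEP_PM_OPS()` helper is avoided, so the next cleanup is likely to put it back and reintroduce the hibernate/S5 OS_HINT problem the commit message describes; I would add above the struct `/* Deliberately not SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(): that would also install freeze/poweroff callbacks, and OS_HINT must only be sent for suspend-to-idle. */`. A side effect worth stating is that the callbacks are now installed unconditionally, whereas the macro expanded to nothing without CONFIG_PM_SLEEP; the `__maybe_unused` on `amd_pmc_resume` visible in the context suggests that configuration was tolerated, though the callbacks are presumably never invoked there. The callback bodies are outside this hunk.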
@@ -0,0 +1,35 @@ +From 26a8b09437804fabfb1db080d676b96c0de68e7c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 22 Dec 2021 11:50:23 +0100 +Subject: platform/x86: intel_pmc_core: fix memleak on registration failure + +From: Johan Hovold + +commit 26a8b09437804fabfb1db080d676b96c0de68e7c upstream. + +In case device registration fails during module initialisation, the +platform device structure needs to be freed using platform_device_put() +to properly free all resources (e.g. the device name). + +Fixes: 938835aa903a ("platform/x86: intel_pmc_core: do not create a static struct device") +Cc: stable@vger.kernel.org # 5.9 +Signed-off-by: Johan Hovold +Reviewed-by: Greg Kroah-Hartman +Link: https://lore.kernel.org/r/20211222105023.6205-1-johan@kernel.org +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/intel/pmc/pltdrv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/platform/x86/intel/pmc/pltdrv.c ++++ b/drivers/platform/x86/intel/pmc/pltdrv.c +@@ -65,7 +65,7 @@ static int __init pmc_core_platform_init + + retval = platform_device_register(pmc_core_device); + if (retval) +- kfree(pmc_core_device); ++ platform_device_put(pmc_core_device); + + return retval; + } diff --git a/queue-5.15/series b/queue-5.15/series index a1603425063..f126ecf3b0b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -62,3 +62,29 @@ platform-x86-intel-remove-x86_platform_drivers_intel.patch
 kernel-crash_core-suppress-unknown-crashkernel-param.patch
 revert-x86-boot-pull-up-cmdline-preparation-and-early-param-parsing.patch
 x86-boot-move-efi-range-reservation-after-cmdline-parsing.patch
+alsa-jack-check-the-return-value-of-kstrdup.patch
+alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch
+alsa-rawmidi-fix-the-uninitalized-user_pversion.patch
+alsa-hda-hdmi-disable-silent-stream-on-glk.patch
+alsa-hda-realtek-amp-init-fixup-for-hp-zbook-15-g6.patch
+alsa-hda-realtek-add-new-alc285-hp-amp-init-model.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-a-hp-probook.patch
+alsa-hda-realtek-fix-quirk-for-clevo-nj51cu.patch
+asoc-meson-aiu-move-aiu_i2s_misc-hold-setting-to-aiu-fifo-i2s.patch
+asoc-tegra-add-dapm-switches-for-headphones-and-mic-jack.patch
+asoc-tegra-restore-headphones-jack-name-on-nyan-big.patch
+input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch
+ipmi-bail-out-if-init_srcu_struct-fails.patch
+ipmi-ssif-initialize-ssif_info-client-early.patch
+ipmi-fix-initialization-when-workqueue-allocation-fails.patch
+parisc-correct-completer-in-lws-start.patch
+parisc-fix-mask-used-to-select-futex-spinlock.patch
+tee-handle-lookup-of-shm-with-reference-count-0.patch
+x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch
+platform-x86-amd-pmc-only-use-callbacks-for-suspend.patch
+platform-x86-intel_pmc_core-fix-memleak-on-registration-failure.patch
+kvm-x86-always-set-kvm_run-if_flag.patch
+kvm-x86-mmu-don-t-advance-iterator-after-restart-due-to-yielding.patch
+kvm-nvmx-synthesize-triple_fault-for-l2-if-emulation-is-required.patch
+kvm-vmx-always-clear-vmx-fail-on-emulation_required.patch
+kvm-vmx-wake-vcpu-when-delivering-posted-irq-even-if-vcpu-this-vcpu.patch
diff --git a/queue-5.15/tee-handle-lookup-of-shm-with-reference-count-0.patch b/queue-5.15/tee-handle-lookup-of-shm-with-reference-count-0.patch
new file mode 100644
index 00000000000..8a7fa80501a
--- /dev/null
+++ b/queue-5.15/tee-handle-lookup-of-shm-with-reference-count-0.patch
@@ -0,0 +1,336 @@ +From dfd0743f1d9ea76931510ed150334d571fbab49d Mon Sep 17 00:00:00 2001 +From: Jens Wiklander +Date: Thu, 9 Dec 2021 15:59:37 +0100 +Subject: tee: handle lookup of shm with reference count 0 + +From: Jens Wiklander + +commit dfd0743f1d9ea76931510ed150334d571fbab49d upstream. + +Since the tee subsystem does not keep a strong reference to its idle +shared memory buffers, it races with other threads that try to destroy a +shared memory through a close of its dma-buf fd or by unmapping the +memory. + +In tee_shm_get_from_id() when a lookup in teedev->idr has been +successful, it is possible that the tee_shm is in the dma-buf teardown +path, but that path is blocked by the teedev mutex. Since we don't have +an API to tell if the tee_shm is in the dma-buf teardown path or not we +must find another way of detecting this condition. + +Fix this by doing the reference counting directly on the tee_shm using a +new refcount_t refcount field. dma-buf is replaced by using +anon_inode_getfd() instead, this separates the life-cycle of the +underlying file from the tee_shm. tee_shm_put() is updated to hold the +mutex when decreasing the refcount to 0 and then remove the tee_shm from +teedev->idr before releasing the mutex. This means that the tee_shm can +never be found unless it has a refcount larger than 0. 
+ +Fixes: 967c9cca2cc5 ("tee: generic TEE subsystem") +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kroah-Hartman +Reviewed-by: Lars Persson +Reviewed-by: Sumit Garg +Reported-by: Patrik Lantz +Signed-off-by: Jens Wiklander +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tee/tee_shm.c | 171 ++++++++++++++++++------------------------------ + include/linux/tee_drv.h | 4 - + 2 files changed, 68 insertions(+), 107 deletions(-) + +--- a/drivers/tee/tee_shm.c ++++ b/drivers/tee/tee_shm.c +@@ -1,11 +1,11 @@ + // SPDX-License-Identifier: GPL-2.0-only + /* +- * Copyright (c) 2015-2016, Linaro Limited ++ * Copyright (c) 2015-2017, 2019-2021 Linaro Limited + */ ++#include + #include +-#include +-#include + #include ++#include + #include + #include + #include +@@ -28,16 +28,8 @@ static void release_registered_pages(str + } + } + +-static void tee_shm_release(struct tee_shm *shm) ++static void tee_shm_release(struct tee_device *teedev, struct tee_shm *shm) + { +- struct tee_device *teedev = shm->ctx->teedev; +- +- if (shm->flags & TEE_SHM_DMA_BUF) { +- mutex_lock(&teedev->mutex); +- idr_remove(&teedev->idr, shm->id); +- mutex_unlock(&teedev->mutex); +- } +- + if (shm->flags & TEE_SHM_POOL) { + struct tee_shm_pool_mgr *poolm; + +@@ -64,45 +56,6 @@ static void tee_shm_release(struct tee_s + tee_device_put(teedev); + } + +-static struct sg_table *tee_shm_op_map_dma_buf(struct dma_buf_attachment +- *attach, enum dma_data_direction dir) +-{ +- return NULL; +-} +- +-static void tee_shm_op_unmap_dma_buf(struct dma_buf_attachment *attach, +- struct sg_table *table, +- enum dma_data_direction dir) +-{ +-} +- +-static void tee_shm_op_release(struct dma_buf *dmabuf) +-{ +- struct tee_shm *shm = dmabuf->priv; +- +- tee_shm_release(shm); +-} +- +-static int tee_shm_op_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma) +-{ +- struct tee_shm *shm = dmabuf->priv; +- size_t size = vma->vm_end - vma->vm_start; +- +- /* Refuse sharing shared memory provided by application */ +- if 
(shm->flags & TEE_SHM_USER_MAPPED) +- return -EINVAL; +- +- return remap_pfn_range(vma, vma->vm_start, shm->paddr >> PAGE_SHIFT, +- size, vma->vm_page_prot); +-} +- +-static const struct dma_buf_ops tee_shm_dma_buf_ops = { +- .map_dma_buf = tee_shm_op_map_dma_buf, +- .unmap_dma_buf = tee_shm_op_unmap_dma_buf, +- .release = tee_shm_op_release, +- .mmap = tee_shm_op_mmap, +-}; +- + struct tee_shm *tee_shm_alloc(struct tee_context *ctx, size_t size, u32 flags) + { + struct tee_device *teedev = ctx->teedev; +@@ -137,6 +90,7 @@ struct tee_shm *tee_shm_alloc(struct tee + goto err_dev_put; + } + ++ refcount_set(&shm->refcount, 1); + shm->flags = flags | TEE_SHM_POOL; + shm->ctx = ctx; + if (flags & TEE_SHM_DMA_BUF) +@@ -150,10 +104,7 @@ struct tee_shm *tee_shm_alloc(struct tee + goto err_kfree; + } + +- + if (flags & TEE_SHM_DMA_BUF) { +- DEFINE_DMA_BUF_EXPORT_INFO(exp_info); +- + mutex_lock(&teedev->mutex); + shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL); + mutex_unlock(&teedev->mutex); +@@ -161,28 +112,11 @@ struct tee_shm *tee_shm_alloc(struct tee + ret = ERR_PTR(shm->id); + goto err_pool_free; + } +- +- exp_info.ops = &tee_shm_dma_buf_ops; +- exp_info.size = shm->size; +- exp_info.flags = O_RDWR; +- exp_info.priv = shm; +- +- shm->dmabuf = dma_buf_export(&exp_info); +- if (IS_ERR(shm->dmabuf)) { +- ret = ERR_CAST(shm->dmabuf); +- goto err_rem; +- } + } + + teedev_ctx_get(ctx); + + return shm; +-err_rem: +- if (flags & TEE_SHM_DMA_BUF) { +- mutex_lock(&teedev->mutex); +- idr_remove(&teedev->idr, shm->id); +- mutex_unlock(&teedev->mutex); +- } + err_pool_free: + poolm->ops->free(poolm, shm); + err_kfree: +@@ -243,6 +177,7 @@ struct tee_shm *tee_shm_register(struct + goto err; + } + ++ refcount_set(&shm->refcount, 1); + shm->flags = flags | TEE_SHM_REGISTER; + shm->ctx = ctx; + shm->id = -1; +@@ -303,22 +238,6 @@ struct tee_shm *tee_shm_register(struct + goto err; + } + +- if (flags & TEE_SHM_DMA_BUF) { +- DEFINE_DMA_BUF_EXPORT_INFO(exp_info); +- +- 
exp_info.ops = &tee_shm_dma_buf_ops; +- exp_info.size = shm->size; +- exp_info.flags = O_RDWR; +- exp_info.priv = shm; +- +- shm->dmabuf = dma_buf_export(&exp_info); +- if (IS_ERR(shm->dmabuf)) { +- ret = ERR_CAST(shm->dmabuf); +- teedev->desc->ops->shm_unregister(ctx, shm); +- goto err; +- } +- } +- + return shm; + err: + if (shm) { +@@ -336,6 +255,35 @@ err: + } + EXPORT_SYMBOL_GPL(tee_shm_register); + ++static int tee_shm_fop_release(struct inode *inode, struct file *filp) ++{ ++ tee_shm_put(filp->private_data); ++ return 0; ++} ++ ++static int tee_shm_fop_mmap(struct file *filp, struct vm_area_struct *vma) ++{ ++ struct tee_shm *shm = filp->private_data; ++ size_t size = vma->vm_end - vma->vm_start; ++ ++ /* Refuse sharing shared memory provided by application */ ++ if (shm->flags & TEE_SHM_USER_MAPPED) ++ return -EINVAL; ++ ++ /* check for overflowing the buffer's size */ ++ if (vma->vm_pgoff + vma_pages(vma) > shm->size >> PAGE_SHIFT) ++ return -EINVAL; ++ ++ return remap_pfn_range(vma, vma->vm_start, shm->paddr >> PAGE_SHIFT, ++ size, vma->vm_page_prot); ++} ++ ++static const struct file_operations tee_shm_fops = { ++ .owner = THIS_MODULE, ++ .release = tee_shm_fop_release, ++ .mmap = tee_shm_fop_mmap, ++}; ++ + /** + * tee_shm_get_fd() - Increase reference count and return file descriptor + * @shm: Shared memory handle +@@ -348,10 +296,11 @@ int tee_shm_get_fd(struct tee_shm *shm) + if (!(shm->flags & TEE_SHM_DMA_BUF)) + return -EINVAL; + +- get_dma_buf(shm->dmabuf); +- fd = dma_buf_fd(shm->dmabuf, O_CLOEXEC); ++ /* matched by tee_shm_put() in tee_shm_op_release() */ ++ refcount_inc(&shm->refcount); ++ fd = anon_inode_getfd("tee_shm", &tee_shm_fops, shm, O_RDWR); + if (fd < 0) +- dma_buf_put(shm->dmabuf); ++ tee_shm_put(shm); + return fd; + } + +@@ -361,17 +310,7 @@ int tee_shm_get_fd(struct tee_shm *shm) + */ + void tee_shm_free(struct tee_shm *shm) + { +- /* +- * dma_buf_put() decreases the dmabuf reference counter and will +- * call tee_shm_release() 
when the last reference is gone. +- * +- * In the case of driver private memory we call tee_shm_release +- * directly instead as it doesn't have a reference counter. +- */ +- if (shm->flags & TEE_SHM_DMA_BUF) +- dma_buf_put(shm->dmabuf); +- else +- tee_shm_release(shm); ++ tee_shm_put(shm); + } + EXPORT_SYMBOL_GPL(tee_shm_free); + +@@ -478,10 +417,15 @@ struct tee_shm *tee_shm_get_from_id(stru + teedev = ctx->teedev; + mutex_lock(&teedev->mutex); + shm = idr_find(&teedev->idr, id); ++ /* ++ * If the tee_shm was found in the IDR it must have a refcount ++ * larger than 0 due to the guarantee in tee_shm_put() below. So ++ * it's safe to use refcount_inc(). ++ */ + if (!shm || shm->ctx != ctx) + shm = ERR_PTR(-EINVAL); +- else if (shm->flags & TEE_SHM_DMA_BUF) +- get_dma_buf(shm->dmabuf); ++ else ++ refcount_inc(&shm->refcount); + mutex_unlock(&teedev->mutex); + return shm; + } +@@ -493,7 +437,24 @@ EXPORT_SYMBOL_GPL(tee_shm_get_from_id); + */ + void tee_shm_put(struct tee_shm *shm) + { +- if (shm->flags & TEE_SHM_DMA_BUF) +- dma_buf_put(shm->dmabuf); ++ struct tee_device *teedev = shm->ctx->teedev; ++ bool do_release = false; ++ ++ mutex_lock(&teedev->mutex); ++ if (refcount_dec_and_test(&shm->refcount)) { ++ /* ++ * refcount has reached 0, we must now remove it from the ++ * IDR before releasing the mutex. This will guarantee that ++ * the refcount_inc() in tee_shm_get_from_id() never starts ++ * from 0. 
++ */ ++ if (shm->flags & TEE_SHM_DMA_BUF) ++ idr_remove(&teedev->idr, shm->id); ++ do_release = true; ++ } ++ mutex_unlock(&teedev->mutex); ++ ++ if (do_release) ++ tee_shm_release(teedev, shm); + } + EXPORT_SYMBOL_GPL(tee_shm_put); +--- a/include/linux/tee_drv.h ++++ b/include/linux/tee_drv.h +@@ -195,7 +195,7 @@ int tee_session_calc_client_uuid(uuid_t + * @offset: offset of buffer in user space + * @pages: locked pages from userspace + * @num_pages: number of locked pages +- * @dmabuf: dmabuf used to for exporting to user space ++ * @refcount: reference counter + * @flags: defined by TEE_SHM_* in tee_drv.h + * @id: unique id of a shared memory object on this device + * +@@ -210,7 +210,7 @@ struct tee_shm { + unsigned int offset; + struct page **pages; + size_t num_pages; +- struct dma_buf *dmabuf; ++ refcount_t refcount; + u32 flags; + int id; + }; diff --git a/queue-5.15/x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch b/queue-5.15/x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch new file mode 100644 index 00000000000..1ce7b692519 --- /dev/null +++ b/queue-5.15/x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch 
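Review bot: In the new `tee_shm_fop_mmap()` the bounds check includes `vma->vm_pgoff`, but the `remap_pfn_range()` call two lines below maps from `shm->paddr >> PAGE_SHIFT` regardless of the offset, so a mapping with a non-zero pgoff is validated for [pgoff, pgoff+len) and then handed bytes [0, len); that is not out of bounds (pgoff+len <= size implies len <= size) but the check and the mapping disagree about what is being exposed. Either honor the offset, `(shm->paddr >> PAGE_SHIFT) + vma->vm_pgoff`, or reject it up front, `if (vma->vm_pgoff) return -EINVAL;`, so what is mapped is what was checked. The comment in `tee_shm_get_fd()` still names the deleted dma-buf callback and should read `/* matched by tee_shm_put() in tee_shm_fop_release() */`. Several of the touched functions (tee_shm_alloc, tee_shm_register, tee_shm_get_from_id) begin or end outside the visible hunk lines.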
@@ -0,0 +1,52 @@ +From 57690554abe135fee81d6ac33cc94d75a7e224bb Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Thu, 16 Dec 2021 00:08:56 +0000 +Subject: x86/pkey: Fix undefined behaviour with PKRU_WD_BIT + +From: Andrew Cooper + +commit 57690554abe135fee81d6ac33cc94d75a7e224bb upstream. + +Both __pkru_allows_write() and arch_set_user_pkey_access() shift +PKRU_WD_BIT (a signed constant) by up to 30 bits, hitting the +sign bit. + +Use unsigned constants instead. + +Clearly pkey 15 has not been used in combination with UBSAN yet. + +Noticed by code inspection only. I can't actually provoke the +compiler into generating incorrect logic as far as this shift is +concerned. + +[ + dhansen: add stable@ tag, plus minor changelog massaging, + + For anyone doing backports, these #defines were in + arch/x86/include/asm/pgtable.h before 784a46618f6. +] + +Fixes: 33a709b25a76 ("mm/gup, x86/mm/pkeys: Check VMAs and PTEs for protection keys") +Signed-off-by: Andrew Cooper +Signed-off-by: Dave Hansen +Signed-off-by: Borislav Petkov +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20211216000856.4480-1-andrew.cooper3@citrix.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/pkru.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/include/asm/pkru.h ++++ b/arch/x86/include/asm/pkru.h +@@ -4,8 +4,8 @@ + + #include + +-#define PKRU_AD_BIT 0x1 +-#define PKRU_WD_BIT 0x2 ++#define PKRU_AD_BIT 0x1u ++#define PKRU_WD_BIT 0x2u + #define PKRU_BITS_PER_PKEY 2 + + #ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
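Review bot: The reason for the `u` suffix lives only in the commit message; in the header a reader sees two small masks that look arbitrary and may well "normalize" them back to `0x1`/`0x2`. I would record it in place with one line above the defines, `/* Unsigned: shifted left by up to 30 bits (pkey 15), which would reach the sign bit of a signed int. */`. The `#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS` block that uses these masks opens on the last line of the hunk and continues outside it.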