From: Greg Kroah-Hartman Date: Sun, 29 Jan 2023 13:35:41 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v5.10.166~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5dbeed3023b873c4b768c34ef88ddca60eedaef3;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm-9280-1-mm-fix-warning-on-phys_addr_t-to-void-pointer-assignment.patch edac-device-respect-any-driver-supplied-workqueue-polling-value.patch edac-qcom-do-not-pass-llcc_driv_data-as-edac_device_ctl_info-s-pvt_info.patch kvm-x86-vmx-do-not-skip-segment-attributes-if-unusable-bit-is-set.patch thermal-intel-int340x-protect-trip-temperature-from-concurrent-updates.patch --- diff --git a/queue-5.10/arm-9280-1-mm-fix-warning-on-phys_addr_t-to-void-pointer-assignment.patch b/queue-5.10/arm-9280-1-mm-fix-warning-on-phys_addr_t-to-void-pointer-assignment.patch new file mode 100644 index 00000000000..b24e8decf07 --- /dev/null +++ b/queue-5.10/arm-9280-1-mm-fix-warning-on-phys_addr_t-to-void-pointer-assignment.patch @@ -0,0 +1,34 @@ +From a4e03921c1bb118e6718e0a3b0322a2c13ed172b Mon Sep 17 00:00:00 2001 +From: Giulio Benetti +Date: Tue, 13 Dec 2022 20:24:03 +0100 +Subject: ARM: 9280/1: mm: fix warning on phys_addr_t to void pointer assignment + +From: Giulio Benetti + +commit a4e03921c1bb118e6718e0a3b0322a2c13ed172b upstream. + +zero_page is a void* pointer but memblock_alloc() returns phys_addr_t type +so this generates a warning while using clang and with -Wint-error enabled +that becomes and error. So let's cast the return of memblock_alloc() to +(void *). + +Cc: # 4.14.x + +Fixes: 340a982825f7 ("ARM: 9266/1: mm: fix no-MMU ZERO_PAGE() implementation") +Signed-off-by: Giulio Benetti +Signed-off-by: Russell King (Oracle) +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mm/nommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mm/nommu.c ++++ b/arch/arm/mm/nommu.c +@@ -161,7 +161,7 @@ void __init paging_init(const struct mac + mpu_setup(); + + /* allocate the zero page. */ +- zero_page = memblock_alloc(PAGE_SIZE, PAGE_SIZE); ++ zero_page = (void *)memblock_alloc(PAGE_SIZE, PAGE_SIZE); + if (!zero_page) + panic("%s: Failed to allocate %lu bytes align=0x%lx\n", + __func__, PAGE_SIZE, PAGE_SIZE); diff --git a/queue-5.10/edac-device-respect-any-driver-supplied-workqueue-polling-value.patch b/queue-5.10/edac-device-respect-any-driver-supplied-workqueue-polling-value.patch new file mode 100644 index 00000000000..b4e57de3617 --- /dev/null +++ b/queue-5.10/edac-device-respect-any-driver-supplied-workqueue-polling-value.patch @@ -0,0 +1,79 @@ +From cec669ff716cc83505c77b242aecf6f7baad869d Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Wed, 18 Jan 2023 20:38:48 +0530 +Subject: EDAC/device: Respect any driver-supplied workqueue polling value + +From: Manivannan Sadhasivam + +commit cec669ff716cc83505c77b242aecf6f7baad869d upstream. + +The EDAC drivers may optionally pass the poll_msec value. Use that value +if available, else fall back to 1000ms. + + [ bp: Touchups. ] + +Fixes: e27e3dac6517 ("drivers/edac: add edac_device class") +Reported-by: Luca Weiss +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Borislav Petkov (AMD) +Tested-by: Steev Klimaszewski # Thinkpad X13s +Tested-by: Andrew Halaney # sa8540p-ride +Cc: # 4.9 +Link: https://lore.kernel.org/r/COZYL8MWN97H.MROQ391BGA09@otso +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/edac_device.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/edac/edac_device.c ++++ b/drivers/edac/edac_device.c +@@ -34,6 +34,9 @@ + static DEFINE_MUTEX(device_ctls_mutex); + static LIST_HEAD(edac_device_list); + ++/* Default workqueue processing interval on this instance, in msecs */ ++#define DEFAULT_POLL_INTERVAL 1000 ++ + #ifdef CONFIG_EDAC_DEBUG + static void edac_device_dump_device(struct edac_device_ctl_info *edac_dev) + { +@@ -366,7 +369,7 @@ static void edac_device_workq_function(s + * whole one second to save timers firing all over the period + * between integral seconds + */ +- if (edac_dev->poll_msec == 1000) ++ if (edac_dev->poll_msec == DEFAULT_POLL_INTERVAL) + edac_queue_work(&edac_dev->work, round_jiffies_relative(edac_dev->delay)); + else + edac_queue_work(&edac_dev->work, edac_dev->delay); +@@ -396,7 +399,7 @@ static void edac_device_workq_setup(stru + * timers firing on sub-second basis, while they are happy + * to fire together on the 1 second exactly + */ +- if (edac_dev->poll_msec == 1000) ++ if (edac_dev->poll_msec == DEFAULT_POLL_INTERVAL) + edac_queue_work(&edac_dev->work, round_jiffies_relative(edac_dev->delay)); + else + edac_queue_work(&edac_dev->work, edac_dev->delay); +@@ -430,7 +433,7 @@ void edac_device_reset_delay_period(stru + edac_dev->delay = msecs_to_jiffies(msec); + + /* See comment in edac_device_workq_setup() above */ +- if (edac_dev->poll_msec == 1000) ++ if (edac_dev->poll_msec == DEFAULT_POLL_INTERVAL) + edac_mod_work(&edac_dev->work, round_jiffies_relative(edac_dev->delay)); + else + edac_mod_work(&edac_dev->work, edac_dev->delay); +@@ -472,11 +475,7 @@ int edac_device_add_device(struct edac_d + /* This instance is NOW RUNNING */ + edac_dev->op_state = OP_RUNNING_POLL; + +- /* +- * enable workq processing on this instance, +- * default = 1000 msec +- */ +- edac_device_workq_setup(edac_dev, 1000); ++ edac_device_workq_setup(edac_dev, edac_dev->poll_msec ?: DEFAULT_POLL_INTERVAL); + } else { + edac_dev->op_state = OP_RUNNING_INTERRUPT; + } diff --git a/queue-5.10/edac-qcom-do-not-pass-llcc_driv_data-as-edac_device_ctl_info-s-pvt_info.patch b/queue-5.10/edac-qcom-do-not-pass-llcc_driv_data-as-edac_device_ctl_info-s-pvt_info.patch new file mode 100644 index 00000000000..bf7b5fad9eb --- /dev/null +++ b/queue-5.10/edac-qcom-do-not-pass-llcc_driv_data-as-edac_device_ctl_info-s-pvt_info.patch @@ -0,0 +1,58 @@ +From 977c6ba624f24ae20cf0faee871257a39348d4a9 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Wed, 18 Jan 2023 20:38:50 +0530 +Subject: EDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info's pvt_info + +From: Manivannan Sadhasivam + +commit 977c6ba624f24ae20cf0faee871257a39348d4a9 upstream. + +The memory for llcc_driv_data is allocated by the LLCC driver. But when +it is passed as the private driver info to the EDAC core, it will get freed +during the qcom_edac driver release. So when the qcom_edac driver gets probed +again, it will try to use the freed data leading to the use-after-free bug. + +Hence, do not pass llcc_driv_data as pvt_info but rather reference it +using the platform_data pointer in the qcom_edac driver. + +Fixes: 27450653f1db ("drivers: edac: Add EDAC driver support for QCOM SoCs") +Reported-by: Steev Klimaszewski +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Borislav Petkov (AMD) +Tested-by: Steev Klimaszewski # Thinkpad X13s +Tested-by: Andrew Halaney # sa8540p-ride +Cc: # 4.20 +Link: https://lore.kernel.org/r/20230118150904.26913-4-manivannan.sadhasivam@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/qcom_edac.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/edac/qcom_edac.c ++++ b/drivers/edac/qcom_edac.c +@@ -252,7 +252,7 @@ clear: + static int + dump_syn_reg(struct edac_device_ctl_info *edev_ctl, int err_type, u32 bank) + { +- struct llcc_drv_data *drv = edev_ctl->pvt_info; ++ struct llcc_drv_data *drv = edev_ctl->dev->platform_data; + int ret; + + ret = dump_syn_reg_values(drv, bank, err_type); +@@ -289,7 +289,7 @@ static irqreturn_t + llcc_ecc_irq_handler(int irq, void *edev_ctl) + { + struct edac_device_ctl_info *edac_dev_ctl = edev_ctl; +- struct llcc_drv_data *drv = edac_dev_ctl->pvt_info; ++ struct llcc_drv_data *drv = edac_dev_ctl->dev->platform_data; + irqreturn_t irq_rc = IRQ_NONE; + u32 drp_error, trp_error, i; + int ret; +@@ -358,7 +358,6 @@ static int qcom_llcc_edac_probe(struct p + edev_ctl->dev_name = dev_name(dev); + edev_ctl->ctl_name = "llcc"; + edev_ctl->panic_on_ue = LLCC_ERP_PANIC_ON_UE; +- edev_ctl->pvt_info = llcc_driv_data; + + rc = edac_device_add_device(edev_ctl); + if (rc) diff --git a/queue-5.10/kvm-x86-vmx-do-not-skip-segment-attributes-if-unusable-bit-is-set.patch b/queue-5.10/kvm-x86-vmx-do-not-skip-segment-attributes-if-unusable-bit-is-set.patch new file mode 100644 index 00000000000..3f10168809f --- /dev/null +++ b/queue-5.10/kvm-x86-vmx-do-not-skip-segment-attributes-if-unusable-bit-is-set.patch @@ -0,0 +1,86 @@ +From a44b331614e6f7e63902ed7dff7adc8c85edd8bc Mon Sep 17 00:00:00 2001 +From: Hendrik Borghorst +Date: Mon, 14 Nov 2022 16:48:23 +0000 +Subject: KVM: x86/vmx: Do not skip segment attributes if unusable bit is set + +From: Hendrik Borghorst + +commit a44b331614e6f7e63902ed7dff7adc8c85edd8bc upstream. + +When serializing and deserializing kvm_sregs, attributes of the segment +descriptors are stored by user space. For unusable segments, +vmx_segment_access_rights skips all attributes and sets them to 0. + +This means we zero out the DPL (Descriptor Privilege Level) for unusable +entries. + +Unusable segments are - contrary to their name - usable in 64bit mode and +are used by guests to for example create a linear map through the +NULL selector. + +VMENTER checks if SS.DPL is correct depending on the CS segment type. +For types 9 (Execute Only) and 11 (Execute Read), CS.DPL must be equal to +SS.DPL [1]. + +We have seen real world guests setting CS to a usable segment with DPL=3 +and SS to an unusable segment with DPL=3. Once we go through an sregs +get/set cycle, SS.DPL turns to 0. This causes the virtual machine to crash +reproducibly. + +This commit changes the attribute logic to always preserve attributes for +unusable segments. According to [2] SS.DPL is always saved on VM exits, +regardless of the unusable bit so user space applications should have saved +the information on serialization correctly. + +[3] specifies that besides SS.DPL the rest of the attributes of the +descriptors are undefined after VM entry if unusable bit is set. So, there +should be no harm in setting them all to the previous state. + +[1] Intel SDM Vol 3C 26.3.1.2 Checks on Guest Segment Registers +[2] Intel SDM Vol 3C 27.3.2 Saving Segment Registers and Descriptor-Table +Registers +[3] Intel SDM Vol 3C 26.3.2.2 Loading Guest Segment Registers and +Descriptor-Table Registers + +Cc: Alexander Graf +Cc: stable@vger.kernel.org +Signed-off-by: Hendrik Borghorst +Reviewed-by: Jim Mattson +Reviewed-by: Alexander Graf +Message-Id: <20221114164823.69555-1-hborghor@amazon.de> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx/vmx.c | 21 +++++++++------------ + 1 file changed, 9 insertions(+), 12 deletions(-) + +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -3332,18 +3332,15 @@ static u32 vmx_segment_access_rights(str + { + u32 ar; + +- if (var->unusable || !var->present) +- ar = 1 << 16; +- else { +- ar = var->type & 15; +- ar |= (var->s & 1) << 4; +- ar |= (var->dpl & 3) << 5; +- ar |= (var->present & 1) << 7; +- ar |= (var->avl & 1) << 12; +- ar |= (var->l & 1) << 13; +- ar |= (var->db & 1) << 14; +- ar |= (var->g & 1) << 15; +- } ++ ar = var->type & 15; ++ ar |= (var->s & 1) << 4; ++ ar |= (var->dpl & 3) << 5; ++ ar |= (var->present & 1) << 7; ++ ar |= (var->avl & 1) << 12; ++ ar |= (var->l & 1) << 13; ++ ar |= (var->db & 1) << 14; ++ ar |= (var->g & 1) << 15; ++ ar |= (var->unusable || !var->present) << 16; + + return ar; + } diff --git a/queue-5.10/series b/queue-5.10/series index 0b1355daa1e..e8ec3373ae8 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -104,3 +104,8 @@ tracing-make-sure-trace_printk-can-output-as-soon-as-it-can-be-used.patch trace_events_hist-add-check-for-return-value-of-create_hist_field.patch ftrace-scripts-update-the-instructions-for-ftrace-bisect.sh.patch cifs-fix-oops-due-to-uncleared-server-smbd_conn-in-reconnect.patch +kvm-x86-vmx-do-not-skip-segment-attributes-if-unusable-bit-is-set.patch +thermal-intel-int340x-protect-trip-temperature-from-concurrent-updates.patch +arm-9280-1-mm-fix-warning-on-phys_addr_t-to-void-pointer-assignment.patch +edac-device-respect-any-driver-supplied-workqueue-polling-value.patch +edac-qcom-do-not-pass-llcc_driv_data-as-edac_device_ctl_info-s-pvt_info.patch diff --git a/queue-5.10/thermal-intel-int340x-protect-trip-temperature-from-concurrent-updates.patch b/queue-5.10/thermal-intel-int340x-protect-trip-temperature-from-concurrent-updates.patch new file mode 100644 index 00000000000..8a5a5b9ce4a --- /dev/null +++ b/queue-5.10/thermal-intel-int340x-protect-trip-temperature-from-concurrent-updates.patch @@ -0,0 +1,117 @@ +From 6757a7abe47bcb12cb2d45661067e182424b0ee3 Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada +Date: Mon, 23 Jan 2023 09:21:10 -0800 +Subject: thermal: intel: int340x: Protect trip temperature from concurrent updates + +From: Srinivas Pandruvada + +commit 6757a7abe47bcb12cb2d45661067e182424b0ee3 upstream. + +Trip temperatures are read using ACPI methods and stored in the memory +during zone initializtion and when the firmware sends a notification for +change. This trip temperature is returned when the thermal core calls via +callback get_trip_temp(). + +But it is possible that while updating the memory copy of the trips when +the firmware sends a notification for change, thermal core is reading the +trip temperature via the callback get_trip_temp(). This may return invalid +trip temperature. + +To address this add a mutex to protect the invalid temperature reads in +the callback get_trip_temp() and int340x_thermal_read_trips(). + +Fixes: 5fbf7f27fa3d ("Thermal/int340x: Add common thermal zone handler") +Signed-off-by: Srinivas Pandruvada +Cc: 5.0+ # 5.0+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/intel/int340x_thermal/int340x_thermal_zone.c | 18 +++++++++-- + drivers/thermal/intel/int340x_thermal/int340x_thermal_zone.h | 1 + 2 files changed, 16 insertions(+), 3 deletions(-) + +--- a/drivers/thermal/intel/int340x_thermal/int340x_thermal_zone.c ++++ b/drivers/thermal/intel/int340x_thermal/int340x_thermal_zone.c +@@ -44,11 +44,13 @@ static int int340x_thermal_get_trip_temp + int trip, int *temp) + { + struct int34x_thermal_zone *d = zone->devdata; +- int i; ++ int i, ret = 0; + + if (d->override_ops && d->override_ops->get_trip_temp) + return d->override_ops->get_trip_temp(zone, trip, temp); + ++ mutex_lock(&d->trip_mutex); ++ + if (trip < d->aux_trip_nr) + *temp = d->aux_trips[trip]; + else if (trip == d->crt_trip_id) +@@ -66,10 +68,12 @@ static int int340x_thermal_get_trip_temp + } + } + if (i == INT340X_THERMAL_MAX_ACT_TRIP_COUNT) +- return -EINVAL; ++ ret = -EINVAL; + } + +- return 0; ++ mutex_unlock(&d->trip_mutex); ++ ++ return ret; + } + + static int int340x_thermal_get_trip_type(struct thermal_zone_device *zone, +@@ -174,6 +178,8 @@ int int340x_thermal_read_trips(struct in + int trip_cnt = int34x_zone->aux_trip_nr; + int i; + ++ mutex_lock(&int34x_zone->trip_mutex); ++ + int34x_zone->crt_trip_id = -1; + if (!int340x_thermal_get_trip_config(int34x_zone->adev->handle, "_CRT", + &int34x_zone->crt_temp)) +@@ -201,6 +207,8 @@ int int340x_thermal_read_trips(struct in + int34x_zone->act_trips[i].valid = true; + } + ++ mutex_unlock(&int34x_zone->trip_mutex); ++ + return trip_cnt; + } + EXPORT_SYMBOL_GPL(int340x_thermal_read_trips); +@@ -224,6 +232,8 @@ struct int34x_thermal_zone *int340x_ther + if (!int34x_thermal_zone) + return ERR_PTR(-ENOMEM); + ++ mutex_init(&int34x_thermal_zone->trip_mutex); ++ + int34x_thermal_zone->adev = adev; + int34x_thermal_zone->override_ops = override_ops; + +@@ -275,6 +285,7 @@ err_thermal_zone: + acpi_lpat_free_conversion_table(int34x_thermal_zone->lpat_table); + kfree(int34x_thermal_zone->aux_trips); + err_trip_alloc: ++ mutex_destroy(&int34x_thermal_zone->trip_mutex); + kfree(int34x_thermal_zone); + return ERR_PTR(ret); + } +@@ -286,6 +297,7 @@ void int340x_thermal_zone_remove(struct + thermal_zone_device_unregister(int34x_thermal_zone->zone); + acpi_lpat_free_conversion_table(int34x_thermal_zone->lpat_table); + kfree(int34x_thermal_zone->aux_trips); ++ mutex_destroy(&int34x_thermal_zone->trip_mutex); + kfree(int34x_thermal_zone); + } + EXPORT_SYMBOL_GPL(int340x_thermal_zone_remove); +--- a/drivers/thermal/intel/int340x_thermal/int340x_thermal_zone.h ++++ b/drivers/thermal/intel/int340x_thermal/int340x_thermal_zone.h +@@ -32,6 +32,7 @@ struct int34x_thermal_zone { + struct thermal_zone_device_ops *override_ops; + void *priv_data; + struct acpi_lpat_conversion_table *lpat_table; ++ struct mutex trip_mutex; + }; + + struct int34x_thermal_zone *int340x_thermal_zone_add(struct acpi_device *,