From: Greg Kroah-Hartman Date: Tue, 7 Mar 2023 16:40:48 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v6.2.3~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=83100530023d8261fbc1370d37e7608ba090ac6d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: drm-i915-quirks-add-inverted-backlight-quirk-for-hp-14-r206nv.patch drm-radeon-fix-edp-for-single-display-imac11-2.patch pci-avoid-flr-for-amd-fch-ahci-adapters.patch pci-hotplug-allow-marking-devices-as-disconnected-during-bind-unbind.patch pci-pm-observe-reset-delay-irrespective-of-bridge_d3.patch riscv-jump_label-fixup-unaligned-arch_static_branch-function.patch scsi-ses-don-t-attach-if-enclosure-has-no-components.patch scsi-ses-fix-possible-addl_desc_ptr-out-of-bounds-accesses.patch scsi-ses-fix-possible-desc_ptr-out-of-bounds-accesses.patch scsi-ses-fix-slab-out-of-bounds-in-ses_enclosure_data_process.patch scsi-ses-fix-slab-out-of-bounds-in-ses_intf_remove.patch vfio-type1-prevent-underflow-of-locked_vm-via-exec.patch --- diff --git a/queue-5.10/drm-i915-quirks-add-inverted-backlight-quirk-for-hp-14-r206nv.patch b/queue-5.10/drm-i915-quirks-add-inverted-backlight-quirk-for-hp-14-r206nv.patch new file mode 100644 index 00000000000..50fff9dbb9b --- /dev/null +++ b/queue-5.10/drm-i915-quirks-add-inverted-backlight-quirk-for-hp-14-r206nv.patch 
@@ -0,0 +1,36 @@ +From 5e438bf7f9a1705ebcae5fa89cdbfbc6932a7871 Mon Sep 17 00:00:00 2001 +From: Mavroudis Chatzilaridis +Date: Wed, 1 Feb 2023 18:51:25 +0000 +Subject: drm/i915/quirks: Add inverted backlight quirk for HP 14-r206nv + +From: Mavroudis Chatzilaridis + +commit 5e438bf7f9a1705ebcae5fa89cdbfbc6932a7871 upstream. + +This laptop uses inverted backlight PWM. Thus, without this quirk, +backlight brightness decreases as the brightness value increases and +vice versa. + +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/8013 +Cc: stable@vger.kernel.org +Signed-off-by: Mavroudis Chatzilaridis +Reviewed-by: Jani Nikula +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20230201184947.8835-1-mavchatz@protonmail.com +(cherry picked from commit 83e7d6fd330d413cb2064e680ffea91b0512a520) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/i915/display/intel_quirks.c ++++ b/drivers/gpu/drm/i915/display/intel_quirks.c +@@ -159,6 +159,8 @@ static struct intel_quirk intel_quirks[] + /* ECS Liva Q2 */ + { 0x3185, 0x1019, 0xa94d, quirk_increase_ddi_disabled_time }, + { 0x3184, 0x1019, 0xa94d, quirk_increase_ddi_disabled_time }, ++ /* HP Notebook - 14-r206nv */ ++ { 0x0f31, 0x103c, 0x220f, quirk_invert_brightness }, + }; + + void intel_init_quirks(struct drm_i915_private *i915) diff --git a/queue-5.10/drm-radeon-fix-edp-for-single-display-imac11-2.patch b/queue-5.10/drm-radeon-fix-edp-for-single-display-imac11-2.patch new file mode 100644 index 00000000000..7044b9e4206 --- /dev/null +++ b/queue-5.10/drm-radeon-fix-edp-for-single-display-imac11-2.patch 
@@ -0,0 +1,46 @@ +From 05eacc198c68cbb35a7281ce4011f8899ee1cfb8 Mon Sep 17 00:00:00 2001 +From: Mark Hawrylak +Date: Sun, 19 Feb 2023 16:02:00 +1100 +Subject: drm/radeon: Fix eDP for single-display iMac11,2 + +From: Mark Hawrylak + +commit 05eacc198c68cbb35a7281ce4011f8899ee1cfb8 upstream. + +Apple iMac11,2 (mid 2010) also with Radeon HD-4670 that has the same +issue as iMac10,1 (late 2009) where the internal eDP panel stays dark on +driver load. This patch treats iMac11,2 the same as iMac10,1, +so the eDP panel stays active. + +Additional steps: +Kernel boot parameter radeon.nomodeset=0 required to keep the eDP +panel active. + +This patch is an extension of +commit 564d8a2cf3ab ("drm/radeon: Fix eDP for single-display iMac10,1 (v2)") +Link: https://lore.kernel.org/all/lsq.1507553064.833262317@decadent.org.uk/ +Signed-off-by: Mark Hawrylak +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/radeon/atombios_encoders.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/radeon/atombios_encoders.c ++++ b/drivers/gpu/drm/radeon/atombios_encoders.c +@@ -2191,11 +2191,12 @@ int radeon_atom_pick_dig_encoder(struct + + /* + * On DCE32 any encoder can drive any block so usually just use crtc id, +- * but Apple thinks different at least on iMac10,1, so there use linkb, ++ * but Apple thinks different at least on iMac10,1 and iMac11,2, so there use linkb, + * otherwise the internal eDP panel will stay dark. + */ + if (ASIC_IS_DCE32(rdev)) { +- if (dmi_match(DMI_PRODUCT_NAME, "iMac10,1")) ++ if (dmi_match(DMI_PRODUCT_NAME, "iMac10,1") || ++ dmi_match(DMI_PRODUCT_NAME, "iMac11,2")) + enc_idx = (dig->linkb) ? 1 : 0; + else + enc_idx = radeon_crtc->crtc_id; diff --git a/queue-5.10/pci-avoid-flr-for-amd-fch-ahci-adapters.patch b/queue-5.10/pci-avoid-flr-for-amd-fch-ahci-adapters.patch new file mode 100644 index 00000000000..6ded6866689 --- /dev/null 
+++ b/queue-5.10/pci-avoid-flr-for-amd-fch-ahci-adapters.patch @@ -0,0 +1,48 @@ +From 63ba51db24ed1b8f8088a897290eb6c036c5435d Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Sat, 28 Jan 2023 10:39:51 +0900 +Subject: PCI: Avoid FLR for AMD FCH AHCI adapters + +From: Damien Le Moal + +commit 63ba51db24ed1b8f8088a897290eb6c036c5435d upstream. + +PCI passthrough to VMs does not work with AMD FCH AHCI adapters: the guest +OS fails to correctly probe devices attached to the controller due to FIS +communication failures: + + ata4: softreset failed (1st FIS failed) + ... + ata4.00: qc timeout after 5000 msecs (cmd 0xec) + ata4.00: failed to IDENTIFY (I/O error, err_mask=0x4) + +Forcing the "bus" reset method before unbinding & binding the adapter to +the vfio-pci driver solves this issue, e.g.: + + echo "bus" > /sys/bus/pci/devices//reset_method + +gives a working guest OS, indicating that the default FLR reset method +doesn't work correctly. + +Apply quirk_no_flr() to AMD FCH AHCI devices to work around this issue. + +Link: https://lore.kernel.org/r/20230128013951.523247-1-damien.lemoal@opensource.wdc.com +Reported-by: Niklas Cassel +Signed-off-by: Damien Le Moal +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -5302,6 +5302,7 @@ static void quirk_no_flr(struct pci_dev + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_AMD, 0x1487, quirk_no_flr); + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_AMD, 0x148c, quirk_no_flr); + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_AMD, 0x149c, quirk_no_flr); ++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_AMD, 0x7901, quirk_no_flr); + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x1502, quirk_no_flr); + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x1503, quirk_no_flr); + 
diff --git a/queue-5.10/pci-hotplug-allow-marking-devices-as-disconnected-during-bind-unbind.patch b/queue-5.10/pci-hotplug-allow-marking-devices-as-disconnected-during-bind-unbind.patch new file mode 100644 index 00000000000..9a3909c67e1 --- /dev/null +++ b/queue-5.10/pci-hotplug-allow-marking-devices-as-disconnected-during-bind-unbind.patch 
@@ -0,0 +1,136 @@ +From 74ff8864cc842be994853095dba6db48e716400a Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Fri, 20 Jan 2023 10:19:02 +0100 +Subject: PCI: hotplug: Allow marking devices as disconnected during bind/unbind + +From: Lukas Wunner + +commit 74ff8864cc842be994853095dba6db48e716400a upstream. + +On surprise removal, pciehp_unconfigure_device() and acpiphp's +trim_stale_devices() call pci_dev_set_disconnected() to mark removed +devices as permanently offline. Thereby, the PCI core and drivers know +to skip device accesses. + +However pci_dev_set_disconnected() takes the device_lock and thus waits for +a concurrent driver bind or unbind to complete. As a result, the driver's +->probe and ->remove hooks have no chance to learn that the device is gone. + +That doesn't make any sense, so drop the device_lock and instead use atomic +xchg() and cmpxchg() operations to update the device state. + +As a byproduct, an AB-BA deadlock reported by Anatoli is fixed which occurs +on surprise removal with AER concurrently performing a bus reset. + +AER bus reset: + + INFO: task irq/26-aerdrv:95 blocked for more than 120 seconds. + Tainted: G W 6.2.0-rc3-custom-norework-jan11+ + schedule + rwsem_down_write_slowpath + down_write_nested + pciehp_reset_slot # acquires reset_lock + pci_reset_hotplug_slot + pci_slot_reset # acquires device_lock + pci_bus_error_reset + aer_root_reset + pcie_do_recovery + aer_process_err_devices + aer_isr + +pciehp surprise removal: + + INFO: task irq/26-pciehp:96 blocked for more than 120 seconds. 
+ Tainted: G W 6.2.0-rc3-custom-norework-jan11+ + schedule_preempt_disabled + __mutex_lock + mutex_lock_nested + pci_dev_set_disconnected # acquires device_lock + pci_walk_bus + pciehp_unconfigure_device + pciehp_disable_slot + pciehp_handle_presence_or_link_change + pciehp_ist # acquires reset_lock + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215590 +Fixes: a6bd101b8f84 ("PCI: Unify device inaccessible") +Link: https://lore.kernel.org/r/3dc88ea82bdc0e37d9000e413d5ebce481cbd629.1674205689.git.lukas@wunner.de +Reported-by: Anatoli Antonovitch +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org # v4.20+ +Cc: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci.h | 43 +++++++++++++------------------------------ + 1 file changed, 13 insertions(+), 30 deletions(-) + +--- a/drivers/pci/pci.h ++++ b/drivers/pci/pci.h +@@ -351,53 +351,36 @@ struct pci_sriov { + * @dev - pci device to set new error_state + * @new - the state we want dev to be in + * +- * Must be called with device_lock held. ++ * If the device is experiencing perm_failure, it has to remain in that state. ++ * Any other transition is allowed. + * + * Returns true if state has been changed to the requested state. 
+ */ + static inline bool pci_dev_set_io_state(struct pci_dev *dev, + pci_channel_state_t new) + { +- bool changed = false; ++ pci_channel_state_t old; + +- device_lock_assert(&dev->dev); + switch (new) { + case pci_channel_io_perm_failure: +- switch (dev->error_state) { +- case pci_channel_io_frozen: +- case pci_channel_io_normal: +- case pci_channel_io_perm_failure: +- changed = true; +- break; +- } +- break; ++ xchg(&dev->error_state, pci_channel_io_perm_failure); ++ return true; + case pci_channel_io_frozen: +- switch (dev->error_state) { +- case pci_channel_io_frozen: +- case pci_channel_io_normal: +- changed = true; +- break; +- } +- break; ++ old = cmpxchg(&dev->error_state, pci_channel_io_normal, ++ pci_channel_io_frozen); ++ return old != pci_channel_io_perm_failure; + case pci_channel_io_normal: +- switch (dev->error_state) { +- case pci_channel_io_frozen: +- case pci_channel_io_normal: +- changed = true; +- break; +- } +- break; ++ old = cmpxchg(&dev->error_state, pci_channel_io_frozen, ++ pci_channel_io_normal); ++ return old != pci_channel_io_perm_failure; ++ default: ++ return false; + } +- if (changed) +- dev->error_state = new; +- return changed; + } + + static inline int pci_dev_set_disconnected(struct pci_dev *dev, void *unused) + { +- device_lock(&dev->dev); + pci_dev_set_io_state(dev, pci_channel_io_perm_failure); +- device_unlock(&dev->dev); + + return 0; + } diff --git a/queue-5.10/pci-pm-observe-reset-delay-irrespective-of-bridge_d3.patch b/queue-5.10/pci-pm-observe-reset-delay-irrespective-of-bridge_d3.patch new file mode 100644 index 00000000000..0af586753d2 --- /dev/null +++ b/queue-5.10/pci-pm-observe-reset-delay-irrespective-of-bridge_d3.patch 
@@ -0,0 +1,57 @@ +From 8ef0217227b42e2c34a18de316cee3da16c9bf1e Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Sun, 15 Jan 2023 09:20:31 +0100 +Subject: PCI/PM: Observe reset delay irrespective of bridge_d3 + +From: Lukas Wunner + +commit 8ef0217227b42e2c34a18de316cee3da16c9bf1e upstream. + +If a PCI bridge is suspended to D3cold upon entering system sleep, +resuming it entails a Fundamental Reset per PCIe r6.0 sec 5.8. + +The delay prescribed after a Fundamental Reset in PCIe r6.0 sec 6.6.1 +is sought to be observed by: + + pci_pm_resume_noirq() + pci_pm_bridge_power_up_actions() + pci_bridge_wait_for_secondary_bus() + +However, pci_bridge_wait_for_secondary_bus() bails out if the bridge_d3 +flag is not set. That flag indicates whether a bridge is allowed to +suspend to D3cold at *runtime*. + +Hence *no* delay is observed on resume from system sleep if runtime +D3cold is forbidden. That doesn't make any sense, so drop the bridge_d3 +check from pci_bridge_wait_for_secondary_bus(). + +The purpose of the bridge_d3 check was probably to avoid delays if a +bridge remained in D0 during suspend. However the sole caller of +pci_bridge_wait_for_secondary_bus(), pci_pm_bridge_power_up_actions(), +is only invoked if the previous power state was D3cold. Hence the +additional bridge_d3 check seems superfluous. 
+ +Fixes: ad9001f2f411 ("PCI/PM: Add missing link delays required by the PCIe spec") +Link: https://lore.kernel.org/r/eb37fa345285ec8bacabbf06b020b803f77bdd3d.1673769517.git.lukas@wunner.de +Tested-by: Ravi Kishore Koppuravuri +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Reviewed-by: Mika Westerberg +Reviewed-by: Kuppuswamy Sathyanarayanan +Cc: stable@vger.kernel.org # v5.5+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -4808,7 +4808,7 @@ void pci_bridge_wait_for_secondary_bus(s + if (pci_dev_is_disconnected(dev)) + return; + +- if (!pci_is_bridge(dev) || !dev->bridge_d3) ++ if (!pci_is_bridge(dev)) + return; + + down_read(&pci_bus_sem); diff --git a/queue-5.10/riscv-jump_label-fixup-unaligned-arch_static_branch-function.patch b/queue-5.10/riscv-jump_label-fixup-unaligned-arch_static_branch-function.patch new file mode 100644 index 00000000000..4b2e60bca9e --- /dev/null +++ b/queue-5.10/riscv-jump_label-fixup-unaligned-arch_static_branch-function.patch 
@@ -0,0 +1,61 @@ +From 9ddfc3cd806081ce1f6c9c2f988cbb031f35d28f Mon Sep 17 00:00:00 2001 +From: Andy Chiu +Date: Mon, 6 Feb 2023 04:04:40 -0500 +Subject: riscv: jump_label: Fixup unaligned arch_static_branch function + +From: Andy Chiu + +commit 9ddfc3cd806081ce1f6c9c2f988cbb031f35d28f upstream. + +Runtime code patching must be done at a naturally aligned address, or we +may execute on a partial instruction. + +We have encountered problems traced back to static jump functions during +the test. We switched the tracer randomly for every 1~5 seconds on a +dual-core QEMU setup and found the kernel sucking at a static branch +where it jumps to itself. + +The reason is that the static branch was 2-byte but not 4-byte aligned. +Then, the kernel would patch the instruction, either J or NOP, with two +half-word stores if the machine does not have efficient unaligned +accesses. Thus, moments exist where half of the NOP mixes with the other +half of the J when transitioning the branch. In our particular case, on +a little-endian machine, the upper half of the NOP was mixed with the +lower part of the J when enabling the branch, resulting in a jump that +jumped to itself. Conversely, it would result in a HINT instruction when +disabling the branch, but it might not be observable. + +ARM64 does not have this problem since all instructions must be 4-byte +aligned. 
+ +Fixes: ebc00dde8a97 ("riscv: Add jump-label implementation") +Link: https://lore.kernel.org/linux-riscv/20220913094252.3555240-6-andy.chiu@sifive.com/ +Reviewed-by: Greentime Hu +Signed-off-by: Andy Chiu +Signed-off-by: Guo Ren +Link: https://lore.kernel.org/r/20230206090440.1255001-1-guoren@kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/jump_label.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/riscv/include/asm/jump_label.h ++++ b/arch/riscv/include/asm/jump_label.h +@@ -18,6 +18,7 @@ static __always_inline bool arch_static_ + bool branch) + { + asm_volatile_goto( ++ " .align 2 \n\t" + " .option push \n\t" + " .option norelax \n\t" + " .option norvc \n\t" +@@ -39,6 +40,7 @@ static __always_inline bool arch_static_ + bool branch) + { + asm_volatile_goto( ++ " .align 2 \n\t" + " .option push \n\t" + " .option norelax \n\t" + " .option norvc \n\t" diff --git a/queue-5.10/scsi-ses-don-t-attach-if-enclosure-has-no-components.patch b/queue-5.10/scsi-ses-don-t-attach-if-enclosure-has-no-components.patch new file mode 100644 index 00000000000..2d1c56fb199 --- /dev/null +++ b/queue-5.10/scsi-ses-don-t-attach-if-enclosure-has-no-components.patch 
@@ -0,0 +1,41 @@ +From 3fe97ff3d94934649abb0652028dd7296170c8d0 Mon Sep 17 00:00:00 2001 +From: James Bottomley +Date: Sat, 28 Nov 2020 15:27:21 -0800 +Subject: scsi: ses: Don't attach if enclosure has no components + +From: James Bottomley + +commit 3fe97ff3d94934649abb0652028dd7296170c8d0 upstream. + +An enclosure with no components can't usefully be operated by the driver +(since effectively it has nothing to manage), so report the problem and +don't attach. Not attaching also fixes an oops which could occur if the +driver tries to manage a zero component enclosure. + +[mkp: Switched to KERN_WARNING since this scenario is common] + +Link: https://lore.kernel.org/r/c5deac044ac409e32d9ad9968ce0dcbc996bfc7a.camel@linux.ibm.com +Cc: stable@vger.kernel.org +Reported-by: Ding Hui +Signed-off-by: James Bottomley +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ses.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/scsi/ses.c ++++ b/drivers/scsi/ses.c +@@ -704,6 +704,12 @@ static int ses_intf_add(struct device *c + type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE) + components += type_ptr[1]; + } ++ ++ if (components == 0) { ++ sdev_printk(KERN_WARNING, sdev, "enclosure has no enumerated components\n"); ++ goto err_free; ++ } ++ + ses_dev->page1 = buf; + ses_dev->page1_len = len; + buf = NULL; diff --git a/queue-5.10/scsi-ses-fix-possible-addl_desc_ptr-out-of-bounds-accesses.patch b/queue-5.10/scsi-ses-fix-possible-addl_desc_ptr-out-of-bounds-accesses.patch new file mode 100644 index 00000000000..2f96d15cf65 --- /dev/null +++ b/queue-5.10/scsi-ses-fix-possible-addl_desc_ptr-out-of-bounds-accesses.patch 
@@ -0,0 +1,114 @@ +From db95d4df71cb55506425b6e4a5f8d68e3a765b63 Mon Sep 17 00:00:00 2001 +From: Tomas Henzl +Date: Thu, 2 Feb 2023 17:24:49 +0100 +Subject: scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses + +From: Tomas Henzl + +commit db95d4df71cb55506425b6e4a5f8d68e3a765b63 upstream. + +Sanitize possible addl_desc_ptr out-of-bounds accesses in +ses_enclosure_data_process(). + +Link: https://lore.kernel.org/r/20230202162451.15346-3-thenzl@redhat.com +Cc: stable@vger.kernel.org +Signed-off-by: Tomas Henzl +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ses.c | 35 ++++++++++++++++++++++++++--------- + 1 file changed, 26 insertions(+), 9 deletions(-) + +--- a/drivers/scsi/ses.c ++++ b/drivers/scsi/ses.c +@@ -433,8 +433,8 @@ int ses_match_host(struct enclosure_devi + } + #endif /* 0 */ + +-static void ses_process_descriptor(struct enclosure_component *ecomp, +- unsigned char *desc) ++static int ses_process_descriptor(struct enclosure_component *ecomp, ++ unsigned char *desc, int max_desc_len) + { + int eip = desc[0] & 0x10; + int invalid = desc[0] & 0x80; +@@ -445,22 +445,32 @@ static void ses_process_descriptor(struc + unsigned char *d; + + if (invalid) +- return; ++ return 0; + + switch (proto) { + case SCSI_PROTOCOL_FCP: + if (eip) { ++ if (max_desc_len <= 7) ++ return 1; + d = desc + 4; + slot = d[3]; + } + break; + case SCSI_PROTOCOL_SAS: ++ + if (eip) { ++ if (max_desc_len <= 27) ++ return 1; + d = desc + 4; + slot = d[3]; + d = desc + 8; +- } else ++ } else { ++ if (max_desc_len <= 23) ++ return 1; + d = desc + 4; ++ } ++ ++ + /* only take the phy0 addr */ + addr = (u64)d[12] << 56 | + (u64)d[13] << 48 | +@@ -477,6 +487,8 @@ static void ses_process_descriptor(struc + } + ecomp->slot = slot; + scomp->addr = addr; ++ ++ return 0; + } + + struct efd { +@@ -549,7 +561,7 @@ static void ses_enclosure_data_process(s + /* skip past overall descriptor */ + desc_ptr += len + 4; + } +- if (ses_dev->page10) ++ if 
(ses_dev->page10 && ses_dev->page10_len > 9) + addl_desc_ptr = ses_dev->page10 + 8; + type_ptr = ses_dev->page1_types; + components = 0; +@@ -557,6 +569,7 @@ static void ses_enclosure_data_process(s + for (j = 0; j < type_ptr[1]; j++) { + char *name = NULL; + struct enclosure_component *ecomp; ++ int max_desc_len; + + if (desc_ptr) { + if (desc_ptr >= buf + page7_len) { +@@ -583,10 +596,14 @@ static void ses_enclosure_data_process(s + ecomp = &edev->component[components++]; + + if (!IS_ERR(ecomp)) { +- if (addl_desc_ptr) +- ses_process_descriptor( +- ecomp, +- addl_desc_ptr); ++ if (addl_desc_ptr) { ++ max_desc_len = ses_dev->page10_len - ++ (addl_desc_ptr - ses_dev->page10); ++ if (ses_process_descriptor(ecomp, ++ addl_desc_ptr, ++ max_desc_len)) ++ addl_desc_ptr = NULL; ++ } + if (create) + enclosure_component_register( + ecomp); diff --git a/queue-5.10/scsi-ses-fix-possible-desc_ptr-out-of-bounds-accesses.patch b/queue-5.10/scsi-ses-fix-possible-desc_ptr-out-of-bounds-accesses.patch new file mode 100644 index 00000000000..986e20ad165 --- /dev/null +++ b/queue-5.10/scsi-ses-fix-possible-desc_ptr-out-of-bounds-accesses.patch 
@@ -0,0 +1,48 @@ +From 801ab13d50cf3d26170ee073ea8bb4eececb76ab Mon Sep 17 00:00:00 2001 +From: Tomas Henzl +Date: Thu, 2 Feb 2023 17:24:50 +0100 +Subject: scsi: ses: Fix possible desc_ptr out-of-bounds accesses + +From: Tomas Henzl + +commit 801ab13d50cf3d26170ee073ea8bb4eececb76ab upstream. + +Sanitize possible desc_ptr out-of-bounds accesses in +ses_enclosure_data_process(). + +Link: https://lore.kernel.org/r/20230202162451.15346-4-thenzl@redhat.com +Cc: stable@vger.kernel.org +Signed-off-by: Tomas Henzl +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ses.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/scsi/ses.c ++++ b/drivers/scsi/ses.c +@@ -572,15 +572,19 @@ static void ses_enclosure_data_process(s + int max_desc_len; + + if (desc_ptr) { +- if (desc_ptr >= buf + page7_len) { ++ if (desc_ptr + 3 >= buf + page7_len) { + desc_ptr = NULL; + } else { + len = (desc_ptr[2] << 8) + desc_ptr[3]; + desc_ptr += 4; +- /* Add trailing zero - pushes into +- * reserved space */ +- desc_ptr[len] = '\0'; +- name = desc_ptr; ++ if (desc_ptr + len > buf + page7_len) ++ desc_ptr = NULL; ++ else { ++ /* Add trailing zero - pushes into ++ * reserved space */ ++ desc_ptr[len] = '\0'; ++ name = desc_ptr; ++ } + } + } + if (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE || diff --git a/queue-5.10/scsi-ses-fix-slab-out-of-bounds-in-ses_enclosure_data_process.patch b/queue-5.10/scsi-ses-fix-slab-out-of-bounds-in-ses_enclosure_data_process.patch new file mode 100644 index 00000000000..d4cf236032d --- /dev/null +++ b/queue-5.10/scsi-ses-fix-slab-out-of-bounds-in-ses_enclosure_data_process.patch 
@@ -0,0 +1,43 @@ +From 9b4f5028e493cb353a5c8f5c45073eeea0303abd Mon Sep 17 00:00:00 2001 +From: Tomas Henzl +Date: Thu, 2 Feb 2023 17:24:48 +0100 +Subject: scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process() + +From: Tomas Henzl + +commit 9b4f5028e493cb353a5c8f5c45073eeea0303abd upstream. + +A fix for: + +BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x949/0xe30 [ses] +Read of size 1 at addr ffff88a1b043a451 by task systemd-udevd/3271 + +Checking after (and before in next loop) addl_desc_ptr[1] is sufficient, we +expect the size to be sanitized before first access to addl_desc_ptr[1]. +Make sure we don't walk beyond end of page. + +Link: https://lore.kernel.org/r/20230202162451.15346-2-thenzl@redhat.com +Cc: stable@vger.kernel.org +Signed-off-by: Tomas Henzl +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ses.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/ses.c ++++ b/drivers/scsi/ses.c +@@ -603,9 +603,11 @@ static void ses_enclosure_data_process(s + /* these elements are optional */ + type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT || + type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT || +- type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS)) ++ type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS)) { + addl_desc_ptr += addl_desc_ptr[1] + 2; +- ++ if (addl_desc_ptr + 1 >= ses_dev->page10 + ses_dev->page10_len) ++ addl_desc_ptr = NULL; ++ } + } + } + kfree(buf); diff --git a/queue-5.10/scsi-ses-fix-slab-out-of-bounds-in-ses_intf_remove.patch b/queue-5.10/scsi-ses-fix-slab-out-of-bounds-in-ses_intf_remove.patch new file mode 100644 index 00000000000..9d22b329dcf --- /dev/null +++ b/queue-5.10/scsi-ses-fix-slab-out-of-bounds-in-ses_intf_remove.patch 
@@ -0,0 +1,38 @@ +From 578797f0c8cbc2e3ec5fc0dab87087b4c7073686 Mon Sep 17 00:00:00 2001 +From: Tomas Henzl +Date: Thu, 2 Feb 2023 17:24:51 +0100 +Subject: scsi: ses: Fix slab-out-of-bounds in ses_intf_remove() + +From: Tomas Henzl + +commit 578797f0c8cbc2e3ec5fc0dab87087b4c7073686 upstream. + +A fix for: + +BUG: KASAN: slab-out-of-bounds in ses_intf_remove+0x23f/0x270 [ses] +Read of size 8 at addr ffff88a10d32e5d8 by task rmmod/12013 + +When edev->components is zero, accessing edev->component[0] members is +wrong. + +Link: https://lore.kernel.org/r/20230202162451.15346-5-thenzl@redhat.com +Cc: stable@vger.kernel.org +Signed-off-by: Tomas Henzl +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ses.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/ses.c ++++ b/drivers/scsi/ses.c +@@ -856,7 +856,8 @@ static void ses_intf_remove_enclosure(st + kfree(ses_dev->page2); + kfree(ses_dev); + +- kfree(edev->component[0].scratch); ++ if (edev->components) ++ kfree(edev->component[0].scratch); + + put_device(&edev->edev); + enclosure_unregister(edev); diff --git a/queue-5.10/series b/queue-5.10/series index 75770f12c8b..5ca8dc22089 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -414,3 +414,15 @@ scsi-core-remove-the-proc-scsi-proc_name-directory-earlier.patch scsi-qla2xxx-fix-link-failure-in-npiv-environment.patch scsi-qla2xxx-fix-dma-api-call-trace-on-nvme-ls-requests.patch scsi-qla2xxx-fix-erroneous-link-down.patch +scsi-ses-don-t-attach-if-enclosure-has-no-components.patch +scsi-ses-fix-slab-out-of-bounds-in-ses_enclosure_data_process.patch +scsi-ses-fix-possible-addl_desc_ptr-out-of-bounds-accesses.patch +scsi-ses-fix-possible-desc_ptr-out-of-bounds-accesses.patch +scsi-ses-fix-slab-out-of-bounds-in-ses_intf_remove.patch +riscv-jump_label-fixup-unaligned-arch_static_branch-function.patch +pci-pm-observe-reset-delay-irrespective-of-bridge_d3.patch +pci-hotplug-allow-marking-devices-as-disconnected-during-bind-unbind.patch +pci-avoid-flr-for-amd-fch-ahci-adapters.patch +vfio-type1-prevent-underflow-of-locked_vm-via-exec.patch +drm-i915-quirks-add-inverted-backlight-quirk-for-hp-14-r206nv.patch +drm-radeon-fix-edp-for-single-display-imac11-2.patch diff --git a/queue-5.10/vfio-type1-prevent-underflow-of-locked_vm-via-exec.patch b/queue-5.10/vfio-type1-prevent-underflow-of-locked_vm-via-exec.patch new file mode 100644 index 00000000000..f0b3bd25c5b --- /dev/null +++ b/queue-5.10/vfio-type1-prevent-underflow-of-locked_vm-via-exec.patch 
@@ -0,0 +1,129 @@ +From 046eca5018f8a5dd1dc2cedf87fb5843b9ea3026 Mon Sep 17 00:00:00 2001 +From: Steve Sistare +Date: Tue, 31 Jan 2023 08:58:04 -0800 +Subject: vfio/type1: prevent underflow of locked_vm via exec() + +From: Steve Sistare + +commit 046eca5018f8a5dd1dc2cedf87fb5843b9ea3026 upstream. + +When a vfio container is preserved across exec, the task does not change, +but it gets a new mm with locked_vm=0, and loses the count from existing +dma mappings. If the user later unmaps a dma mapping, locked_vm underflows +to a large unsigned value, and a subsequent dma map request fails with +ENOMEM in __account_locked_vm. + +To avoid underflow, grab and save the mm at the time a dma is mapped. +Use that mm when adjusting locked_vm, rather than re-acquiring the saved +task's mm, which may have changed. If the saved mm is dead, do nothing. + +locked_vm is incremented for existing mappings in a subsequent patch. + +Fixes: 73fa0d10d077 ("vfio: Type1 IOMMU implementation") +Cc: stable@vger.kernel.org +Signed-off-by: Steve Sistare +Reviewed-by: Kevin Tian +Reviewed-by: Jason Gunthorpe +Link: https://lore.kernel.org/r/1675184289-267876-3-git-send-email-steven.sistare@oracle.com +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vfio/vfio_iommu_type1.c | 41 +++++++++++++--------------------------- + 1 file changed, 14 insertions(+), 27 deletions(-) + +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -96,6 +96,7 @@ struct vfio_dma { + struct task_struct *task; + struct rb_root pfn_list; /* Ex-user pinned pfn list */ + unsigned long *bitmap; ++ struct mm_struct *mm; + }; + + struct vfio_batch { +@@ -391,8 +392,8 @@ static int vfio_lock_acct(struct vfio_dm + if (!npage) + return 0; + +- mm = async ? 
get_task_mm(dma->task) : dma->task->mm; +- if (!mm) ++ mm = dma->mm; ++ if (async && !mmget_not_zero(mm)) + return -ESRCH; /* process exited */ + + ret = mmap_write_lock_killable(mm); +@@ -666,8 +667,8 @@ static int vfio_pin_page_external(struct + struct mm_struct *mm; + int ret; + +- mm = get_task_mm(dma->task); +- if (!mm) ++ mm = dma->mm; ++ if (!mmget_not_zero(mm)) + return -ENODEV; + + ret = vaddr_get_pfns(mm, vaddr, 1, dma->prot, pfn_base, pages); +@@ -677,7 +678,7 @@ static int vfio_pin_page_external(struct + ret = 0; + + if (do_accounting && !is_invalid_reserved_pfn(*pfn_base)) { +- ret = vfio_lock_acct(dma, 1, true); ++ ret = vfio_lock_acct(dma, 1, false); + if (ret) { + put_pfn(*pfn_base, dma->prot); + if (ret == -ENOMEM) +@@ -1031,6 +1032,7 @@ static void vfio_remove_dma(struct vfio_ + vfio_unmap_unpin(iommu, dma, true); + vfio_unlink_dma(iommu, dma); + put_task_struct(dma->task); ++ mmdrop(dma->mm); + vfio_dma_bitmap_free(dma); + kfree(dma); + iommu->dma_avail++; +@@ -1452,29 +1454,15 @@ static int vfio_dma_do_map(struct vfio_i + * against the locked memory limit and we need to be able to do both + * outside of this call path as pinning can be asynchronous via the + * external interfaces for mdev devices. RLIMIT_MEMLOCK requires a +- * task_struct and VM locked pages requires an mm_struct, however +- * holding an indefinite mm reference is not recommended, therefore we +- * only hold a reference to a task. We could hold a reference to +- * current, however QEMU uses this call path through vCPU threads, +- * which can be killed resulting in a NULL mm and failure in the unmap +- * path when called via a different thread. Avoid this problem by +- * using the group_leader as threads within the same group require +- * both CLONE_THREAD and CLONE_VM and will therefore use the same +- * mm_struct. 
+- * +- * Previously we also used the task for testing CAP_IPC_LOCK at the +- * time of pinning and accounting, however has_capability() makes use +- * of real_cred, a copy-on-write field, so we can't guarantee that it +- * matches group_leader, or in fact that it might not change by the +- * time it's evaluated. If a process were to call MAP_DMA with +- * CAP_IPC_LOCK but later drop it, it doesn't make sense that they +- * possibly see different results for an iommu_mapped vfio_dma vs +- * externally mapped. Therefore track CAP_IPC_LOCK in vfio_dma at the +- * time of calling MAP_DMA. ++ * task_struct. Save the group_leader so that all DMA tracking uses ++ * the same task, to make debugging easier. VM locked pages requires ++ * an mm_struct, so grab the mm in case the task dies. + */ + get_task_struct(current->group_leader); + dma->task = current->group_leader; + dma->lock_cap = capable(CAP_IPC_LOCK); ++ dma->mm = current->mm; ++ mmgrab(dma->mm); + + dma->pfn_list = RB_ROOT; + +@@ -2998,9 +2986,8 @@ static int vfio_iommu_type1_dma_rw_chunk + !(dma->prot & IOMMU_READ)) + return -EPERM; + +- mm = get_task_mm(dma->task); +- +- if (!mm) ++ mm = dma->mm; ++ if (!mmget_not_zero(mm)) + return -EPERM; + + if (kthread)
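Review bot: in the radeon atombios_encoders.c hunk, the rewritten comment line "but Apple thinks different at least on iMac10,1 and iMac11,2, so there use linkb," runs past 80 columns; wrap it so the block comment stays within the file's existing width. The code change itself (the added dmi_match() for "iMac11,2" OR-ed with the existing one) is the minimal extension of the iMac10,1 special case and keeps the else branch unchanged.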
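Review bot: in the drivers/pci/quirks.c hunk, the new DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_AMD, 0x7901, quirk_no_flr) line follows the existing AMD entries and only depends on quirk_no_flr(), which the context lines show already exists on this branch, so the backport is self-contained. Two points for the commit message: the example path "/sys/bus/pci/devices//reset_method" has an empty device component, and before citing that workaround for 5.10 confirm that the reset_method sysfs attribute actually exists on this branch. Operationally, removing FLR from the device's reset options means the fallback reset described in the message affects every function behind the same bus, which is worth a sentence for people running this adapter in passthrough.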
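Review bot: in the drivers/pci/pci.h hunk, the xchg()/cmpxchg() rewrite of pci_dev_set_io_state() preserves the old transition table (perm_failure is sticky and always returns true; frozen and normal each return false only when the current state is perm_failure, so frozen->frozen and normal->normal still return true as before), and the new default case keeps the "unknown state returns false" behaviour. Since pci_dev_set_disconnected() now intentionally runs without device_lock and can interleave with a driver's ->probe or ->remove, add a one-line comment at that function saying the lock is deliberately not taken, otherwise the next person touching it is likely to put the device_lock() back; the removed "Must be called with device_lock held" sentence is the only place this was documented. The pci_channel_state_t field must stay a word-sized type for cmpxchg() to be valid on every architecture 5.10 supports.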
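Review bot: in the drivers/pci/pci.c hunk, dropping "|| !dev->bridge_d3" is justified in the commit message by pci_pm_bridge_power_up_actions() being the sole caller of pci_bridge_wait_for_secondary_bus() and only running after D3cold. That reasoning is about the upstream tree; for the 5.10 backport, verify that no other caller of pci_bridge_wait_for_secondary_bus() exists on this branch, since any such caller would now take the delay path for bridges that were never in D3cold.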
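Review bot: in the arch/riscv/include/asm/jump_label.h hunks, note for readers that ".align 2" on RISC-V is a power-of-two directive, so it yields the 4-byte alignment the commit message requires (equivalent to .p2align 2), not 2-byte alignment as on some other targets. Placing it before ".option push" is correct because the .option lines emit no code, so the patched instruction that follows is the thing being aligned. The two asm_volatile_goto() blocks are now identical in their prologue; a shared macro for the prologue would keep them from drifting apart in future fixes.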
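Review bot: in the ses_intf_add() hunk, the new "goto err_free" on components == 0 happens before "ses_dev->page1 = buf;", so buf has not yet been handed to ses_dev at that point; confirm that the err_free label frees buf (and anything else allocated since page 1 was read), otherwise this early exit leaks the page buffer. The KERN_WARNING level is appropriate given the message says this is a common scenario, but a zero-component enclosure is also exactly the input that the later ses_intf_remove() fix in this series guards against, so keep both checks.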
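Review bot: in the ses_process_descriptor() hunk, the thresholds 7, 27 and 23 are the highest byte offsets actually read in each branch (desc[7] for the FCP slot; desc[20..27] for the SAS phy0 address when eip is set; desc[16..23] when it is not), which is correct, but they are bare magic numbers; a short comment per check, or named constants, would let the next reader verify them without redoing the arithmetic. The two stray blank lines added after "case SCSI_PROTOCOL_SAS:" and before "/* only take the phy0 addr */" should go. When the function returns 1 the caller sets addl_desc_ptr to NULL and silently drops additional-descriptor processing for every remaining component; a single sdev_printk() at that point would make a truncated or malformed page 10 visible in the logs instead of showing up only as missing SAS addresses. Also note that desc[0] is read before any length check; that is safe only because the earlier ses_enclosure_data_process() patch in this series NULLs addl_desc_ptr when addl_desc_ptr + 1 reaches the end of page 10, and the page10_len > 9 guard covers the first descriptor, so the series order must be kept.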
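Review bot: in the desc_ptr hunk of ses_enclosure_data_process(), the new check "if (desc_ptr + len > buf + page7_len)" still allows the write "desc_ptr[len] = '\0'" when desc_ptr + len equals buf + page7_len, i.e. one byte past the parsed page length. The comment "pushes into reserved space" says this is intentional, so confirm that buf is allocated at least one byte larger than page7_len; if it is allocated to exactly page7_len the comparison must be ">=". The "desc_ptr + 3 >= buf + page7_len" check before reading desc_ptr[2] and desc_ptr[3] is correct.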
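Review bot: in the vfio_lock_acct() hunk, the "do nothing if the saved mm is dead" behaviour from the commit message is only implemented for the async path ("if (async && !mmget_not_zero(mm))"); the synchronous path uses dma->mm unconditionally, which after an exec() that preserved the container may be an mm whose users count is already zero. That is safe only because mmgrab() in vfio_dma_do_map() keeps the struct allocated, so add a comment here stating that assumption. In the vfio_pin_page_external() hunk, changing vfio_lock_acct(dma, 1, true) to false is correct because the caller now holds its own mmget_not_zero() reference, but make sure the matching mmput() in the surrounding context (not shown in the hunk) is still reached on every path.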
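Review bot: in the vfio_dma_do_map() hunk, "dma->mm = current->mm; mmgrab(dma->mm);" is paired with the mmdrop() added in vfio_remove_dma(), so every error path after this point in vfio_dma_do_map() must release dma through vfio_remove_dma() rather than a bare kfree(dma), or the mm reference leaks; please check the paths below the hunk. The rewritten comment drops the CAP_IPC_LOCK paragraph while dma->lock_cap = capable(CAP_IPC_LOCK) is kept, so a one-sentence reason for tracking lock_cap at MAP_DMA time should survive somewhere. Finally, the commit message says locked_vm for pre-existing mappings is restored in a subsequent patch; confirm that follow-up is queued for 5.10 as well, since with only this patch an exec()'d task's new mm starts with locked_vm = 0 while older mappings remain accounted against the saved mm.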