From: Greg Kroah-Hartman
Date: Mon, 20 Mar 2023 12:04:06 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v4.14.311~26
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=992f0810cb300e82c0d6943ee9e57df62eeac452;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
cpuidle-psci-iterate-backwards-over-list-in-psci_pd_remove.patch
fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch
ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch
mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch
mmc-sdhci_am654-lower-power-on-failed-message-severity.patch
x86-mce-make-sure-logged-mces-are-processed-after-sysfs-update.patch
x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch
---
diff --git a/queue-5.10/cpuidle-psci-iterate-backwards-over-list-in-psci_pd_remove.patch b/queue-5.10/cpuidle-psci-iterate-backwards-over-list-in-psci_pd_remove.patch
new file mode 100644
index 00000000000..0b2a6784045
--- /dev/null
+++ b/queue-5.10/cpuidle-psci-iterate-backwards-over-list-in-psci_pd_remove.patch
@@ -0,0 +1,62 @@
+From 6b0313c2fa3d2cf991c9ffef6fae6e7ef592ce6d Mon Sep 17 00:00:00 2001
+From: Shawn Guo
+Date: Sat, 4 Mar 2023 15:41:07 +0800
+Subject: cpuidle: psci: Iterate backwards over list in psci_pd_remove()
+
+From: Shawn Guo
+
+commit 6b0313c2fa3d2cf991c9ffef6fae6e7ef592ce6d upstream.
+
+In case that psci_pd_init_topology() fails for some reason,
+psci_pd_remove() will be responsible for deleting provider and removing
+genpd from psci_pd_providers list. There will be a failure when removing
+the cluster PD, because the cpu (child) PDs haven't been removed.
+
+[ 0.050232] CPUidle PSCI: init PM domain cpu0
+[ 0.050278] CPUidle PSCI: init PM domain cpu1
+[ 0.050329] CPUidle PSCI: init PM domain cpu2
+[ 0.050370] CPUidle PSCI: init PM domain cpu3
+[ 0.050422] CPUidle PSCI: init PM domain cpu-cluster0
+[ 0.050475] PM: genpd_remove: unable to remove cpu-cluster0
+[ 0.051412] PM: genpd_remove: removed cpu3
+[ 0.051449] PM: genpd_remove: removed cpu2
+[ 0.051499] PM: genpd_remove: removed cpu1
+[ 0.051546] PM: genpd_remove: removed cpu0
+
+Fix the problem by iterating the provider list reversely, so that parent
+PD gets removed after child's PDs like below.
+
+[ 0.029052] CPUidle PSCI: init PM domain cpu0
+[ 0.029076] CPUidle PSCI: init PM domain cpu1
+[ 0.029103] CPUidle PSCI: init PM domain cpu2
+[ 0.029124] CPUidle PSCI: init PM domain cpu3
+[ 0.029151] CPUidle PSCI: init PM domain cpu-cluster0
+[ 0.029647] PM: genpd_remove: removed cpu0
+[ 0.029666] PM: genpd_remove: removed cpu1
+[ 0.029690] PM: genpd_remove: removed cpu2
+[ 0.029714] PM: genpd_remove: removed cpu3
+[ 0.029738] PM: genpd_remove: removed cpu-cluster0
+
+Fixes: a65a397f2451 ("cpuidle: psci: Add support for PM domains by using genpd")
+Reviewed-by: Sudeep Holla
+Reviewed-by: Ulf Hansson
+Signed-off-by: Shawn Guo
+Cc: 5.10+ # 5.10+
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/cpuidle/cpuidle-psci-domain.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/cpuidle/cpuidle-psci-domain.c
++++ b/drivers/cpuidle/cpuidle-psci-domain.c
+@@ -182,7 +182,8 @@ static void psci_pd_remove(void)
+ struct psci_pd_provider *pd_provider, *it;
+ struct generic_pm_domain *genpd;
+
+- list_for_each_entry_safe(pd_provider, it, &psci_pd_providers, link) {
++ list_for_each_entry_safe_reverse(pd_provider, it,
++ &psci_pd_providers, link) {
+ of_genpd_del_provider(pd_provider->node);
+
+ genpd = of_genpd_remove_last(pd_provider->node);
diff --git a/queue-5.10/fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch b/queue-5.10/fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch
new file mode 100644
index 00000000000..cd73ec4752d
--- /dev/null
+++ b/queue-5.10/fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch
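Review bot: The reverse walk in psci_pd_remove() (cpuidle-psci-domain.c) depends on the order in which psci_pd_providers was populated, and nothing at the loop records that dependency, so a later cleanup could switch it back to the forward iterator without noticing. A comment above the loop would pin it down, for example `/* Walk backwards so the child (CPU) PDs are removed before their parent cluster PD, which cannot be removed while children remain. */`. The loop body continues outside the hunk, so whether the result of of_genpd_remove_last() is checked cannot be judged from here.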
@@ -0,0 +1,77 @@
+From 203873a535d627c668f293be0cb73e26c30f9cc7 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Thu, 16 Mar 2023 11:38:19 +0100
+Subject: fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks
+
+From: Helge Deller
+
+commit 203873a535d627c668f293be0cb73e26c30f9cc7 upstream.
+
+Find a valid modeline depending on the machine graphic card
+configuration and add the fb_check_var() function to validate
+Xorg provided graphics settings.
+
+Signed-off-by: Helge Deller
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/stifb.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/drivers/video/fbdev/stifb.c
++++ b/drivers/video/fbdev/stifb.c
+@@ -922,6 +922,28 @@ SETUP_HCRX(struct stifb_info *fb)
+ /* ------------------- driver specific functions --------------------------- */
+
+ static int
++stifb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
++{
++ struct stifb_info *fb = container_of(info, struct stifb_info, info);
++
++ if (var->xres != fb->info.var.xres ||
++ var->yres != fb->info.var.yres ||
++ var->bits_per_pixel != fb->info.var.bits_per_pixel)
++ return -EINVAL;
++
++ var->xres_virtual = var->xres;
++ var->yres_virtual = var->yres;
++ var->xoffset = 0;
++ var->yoffset = 0;
++ var->grayscale = fb->info.var.grayscale;
++ var->red.length = fb->info.var.red.length;
++ var->green.length = fb->info.var.green.length;
++ var->blue.length = fb->info.var.blue.length;
++
++ return 0;
++}
++
++static int
+ stifb_setcolreg(u_int regno, u_int red, u_int green,
+ u_int blue, u_int transp, struct fb_info *info)
+ {
+@@ -1145,6 +1167,7 @@ stifb_init_display(struct stifb_info *fb
+
+ static const struct fb_ops stifb_ops = {
+ .owner = THIS_MODULE,
++ .fb_check_var = stifb_check_var,
+ .fb_setcolreg = stifb_setcolreg,
+ .fb_blank = stifb_blank,
+ .fb_fillrect = stifb_fillrect,
+@@ -1164,6 +1187,7 @@ static int __init stifb_init_fb(struct s
+ struct stifb_info *fb;
+ struct fb_info *info;
+ unsigned long sti_rom_address;
++ char modestr[32];
+ char *dev_name;
+ int bpp, xres, yres;
+
+@@ -1342,6 +1366,9 @@ static int __init stifb_init_fb(struct s
+ info->flags = FBINFO_HWACCEL_COPYAREA | FBINFO_HWACCEL_FILLRECT;
+ info->pseudo_palette = &fb->pseudo_palette;
+
++ scnprintf(modestr, sizeof(modestr), "%dx%d-%d", xres, yres, bpp);
++ fb_find_mode(&info->var, info, modestr, NULL, 0, NULL, bpp);
++
+ /* This has to be done !!! */
+ if (fb_alloc_cmap(&info->cmap, NR_PALETTE, 0))
+ goto out_err1;
diff --git a/queue-5.10/ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch b/queue-5.10/ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch
new file mode 100644
index 00000000000..645eb229dce
--- /dev/null
+++ b/queue-5.10/ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch
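Review bot: In stifb_init_fb() (stifb.c) the return value of `fb_find_mode()` is discarded, so a mode string that matches nothing passes silently even though the commit's stated purpose is to end up with a valid modeline. fb_find_mode() returns 0 when it finds no mode, so a check such as `if (!fb_find_mode(&info->var, info, modestr, NULL, 0, NULL, bpp)) pr_warn("stifb: no video mode for %s\n", modestr);` would make that case visible. Separately, stifb_check_var() pins only the resolution, depth, offsets and colour lengths and passes every other caller-supplied field through unchanged; a one-line comment saying this is intentional would help the next reader of a function whose job is validating user-provided settings. stifb_init_fb() starts and ends outside the hunks.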
@@ -0,0 +1,54 @@
+From ee92fa443358f4fc0017c1d0d325c27b37802504 Mon Sep 17 00:00:00 2001
+From: Chen Zhongjin
+Date: Thu, 9 Mar 2023 16:02:30 +0800
+Subject: ftrace: Fix invalid address access in lookup_rec() when index is 0
+
+From: Chen Zhongjin
+
+commit ee92fa443358f4fc0017c1d0d325c27b37802504 upstream.
+
+KASAN reported follow problem:
+
+ BUG: KASAN: use-after-free in lookup_rec
+ Read of size 8 at addr ffff000199270ff0 by task modprobe
+ CPU: 2 Comm: modprobe
+ Call trace:
+ kasan_report
+ __asan_load8
+ lookup_rec
+ ftrace_location
+ arch_check_ftrace_location
+ check_kprobe_address_safe
+ register_kprobe
+
+When checking pg->records[pg->index - 1].ip in lookup_rec(), it can get a
+pg which is newly added to ftrace_pages_start in ftrace_process_locs().
+Before the first pg->index++, index is 0 and accessing pg->records[-1].ip
+will cause this problem.
+
+Don't check the ip when pg->index is 0.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230309080230.36064-1-chenzhongjin@huawei.com
+
+Cc: stable@vger.kernel.org
+Fixes: 9644302e3315 ("ftrace: Speed up search by skipping pages by address")
+Suggested-by: Steven Rostedt (Google)
+Signed-off-by: Chen Zhongjin
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/ftrace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -1538,7 +1538,8 @@ static struct dyn_ftrace *lookup_rec(uns
+ key.flags = end; /* overload flags, as it is unsigned long */
+
+ for (pg = ftrace_pages_start; pg; pg = pg->next) {
+- if (end < pg->records[0].ip ||
++ if (pg->index == 0 ||
++ end < pg->records[0].ip ||
+ start >= (pg->records[pg->index - 1].ip + MCOUNT_INSN_SIZE))
+ continue;
+ rec = bsearch(&key, pg->records, pg->index,
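Review bot: The new `pg->index == 0` test in lookup_rec() carries no comment, and without the commit message it reads like a redundant check that a later cleanup might drop, reopening the out-of-bounds read of `records[-1]`. A line above the condition such as `/* a page just linked by ftrace_process_locs() may hold no records yet */` would keep the reason next to the code. The loop also still reads `pg->index` three times (the guard, `index - 1`, and the bsearch() count); whether a lock excludes ftrace_process_locs() here is not visible in the hunk, and the commit message suggests a lookup can observe a page while it is being filled, so reading the count once into a local may be worth considering. lookup_rec() starts and ends outside the hunk.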
diff --git a/queue-5.10/mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch b/queue-5.10/mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch
new file mode 100644
index 00000000000..078519f51a8
--- /dev/null
+++ b/queue-5.10/mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch
@@ -0,0 +1,223 @@
+From 42b2af2c9b7eede8ef21d0943f84d135e21a32a3 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand
+Date: Thu, 2 Mar 2023 18:54:23 +0100
+Subject: mm/userfaultfd: propagate uffd-wp bit when PTE-mapping the huge zeropage
+
+From: David Hildenbrand
+
+commit 42b2af2c9b7eede8ef21d0943f84d135e21a32a3 upstream.
+
+Currently, we'd lose the userfaultfd-wp marker when PTE-mapping a huge
+zeropage, resulting in the next write faults in the PMD range not
+triggering uffd-wp events.
+
+Various actions (partial MADV_DONTNEED, partial mremap, partial munmap,
+partial mprotect) could trigger this. However, most importantly,
+un-protecting a single sub-page from the userfaultfd-wp handler when
+processing a uffd-wp event will PTE-map the shared huge zeropage and lose
+the uffd-wp bit for the remainder of the PMD.
+
+Let's properly propagate the uffd-wp bit to the PMDs.
+
+ #define _GNU_SOURCE
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ static size_t pagesize;
+ static int uffd;
+ static volatile bool uffd_triggered;
+
+ #define barrier() __asm__ __volatile__("": : :"memory")
+
+ static void uffd_wp_range(char *start, size_t size, bool wp)
+ {
+ struct uffdio_writeprotect uffd_writeprotect;
+
+ uffd_writeprotect.range.start = (unsigned long) start;
+ uffd_writeprotect.range.len = size;
+ if (wp) {
+ uffd_writeprotect.mode = UFFDIO_WRITEPROTECT_MODE_WP;
+ } else {
+ uffd_writeprotect.mode = 0;
+ }
+ if (ioctl(uffd, UFFDIO_WRITEPROTECT, &uffd_writeprotect)) {
+ fprintf(stderr, "UFFDIO_WRITEPROTECT failed: %d\n", errno);
+ exit(1);
+ }
+ }
+
+ static void *uffd_thread_fn(void *arg)
+ {
+ static struct uffd_msg msg;
+ ssize_t nread;
+
+ while (1) {
+ struct pollfd pollfd;
+ int nready;
+
+ pollfd.fd = uffd;
+ pollfd.events = POLLIN;
+ nready = poll(&pollfd, 1, -1);
+ if (nready == -1) {
+ fprintf(stderr, "poll() failed: %d\n", errno);
+ exit(1);
+ }
+
+ nread = read(uffd, &msg, sizeof(msg));
+ if (nread <= 0)
+ continue;
+
+ if (msg.event != UFFD_EVENT_PAGEFAULT ||
+ !(msg.arg.pagefault.flags & UFFD_PAGEFAULT_FLAG_WP)) {
+ printf("FAIL: wrong uffd-wp event fired\n");
+ exit(1);
+ }
+
+ /* un-protect the single page. */
+ uffd_triggered = true;
+ uffd_wp_range((char *)(uintptr_t)msg.arg.pagefault.address,
+ pagesize, false);
+ }
+ return arg;
+ }
+
+ static int setup_uffd(char *map, size_t size)
+ {
+ struct uffdio_api uffdio_api;
+ struct uffdio_register uffdio_register;
+ pthread_t thread;
+
+ uffd = syscall(__NR_userfaultfd,
+ O_CLOEXEC | O_NONBLOCK | UFFD_USER_MODE_ONLY);
+ if (uffd < 0) {
+ fprintf(stderr, "syscall() failed: %d\n", errno);
+ return -errno;
+ }
+
+ uffdio_api.api = UFFD_API;
+ uffdio_api.features = UFFD_FEATURE_PAGEFAULT_FLAG_WP;
+ if (ioctl(uffd, UFFDIO_API, &uffdio_api) < 0) {
+ fprintf(stderr, "UFFDIO_API failed: %d\n", errno);
+ return -errno;
+ }
+
+ if (!(uffdio_api.features & UFFD_FEATURE_PAGEFAULT_FLAG_WP)) {
+ fprintf(stderr, "UFFD_FEATURE_WRITEPROTECT missing\n");
+ return -ENOSYS;
+ }
+
+ uffdio_register.range.start = (unsigned long) map;
+ uffdio_register.range.len = size;
+ uffdio_register.mode = UFFDIO_REGISTER_MODE_WP;
+ if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) < 0) {
+ fprintf(stderr, "UFFDIO_REGISTER failed: %d\n", errno);
+ return -errno;
+ }
+
+ pthread_create(&thread, NULL, uffd_thread_fn, NULL);
+
+ return 0;
+ }
+
+ int main(void)
+ {
+ const size_t size = 4 * 1024 * 1024ull;
+ char *map, *cur;
+
+ pagesize = getpagesize();
+
+ map = mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0);
+ if (map == MAP_FAILED) {
+ fprintf(stderr, "mmap() failed\n");
+ return -errno;
+ }
+
+ if (madvise(map, size, MADV_HUGEPAGE)) {
+ fprintf(stderr, "MADV_HUGEPAGE failed\n");
+ return -errno;
+ }
+
+ if (setup_uffd(map, size))
+ return 1;
+
+ /* Read the whole range, populating zeropages. */
+ madvise(map, size, MADV_POPULATE_READ);
+
+ /* Write-protect the whole range. */
+ uffd_wp_range(map, size, true);
+
+ /* Make sure uffd-wp triggers on each page. */
+ for (cur = map; cur < map + size; cur += pagesize) {
+ uffd_triggered = false;
+
+ barrier();
+ /* Trigger a write fault. */
+ *cur = 1;
+ barrier();
+
+ if (!uffd_triggered) {
+ printf("FAIL: uffd-wp did not trigger\n");
+ return 1;
+ }
+ }
+
+ printf("PASS: uffd-wp triggered\n");
+ return 0;
+ }
+
+Link: https://lkml.kernel.org/r/20230302175423.589164-1-david@redhat.com
+Fixes: e06f1e1dd499 ("userfaultfd: wp: enabled write protection in userfaultfd API")
+Signed-off-by: David Hildenbrand
+Acked-by: Peter Xu
+Cc: Mike Rapoport
+Cc: Andrea Arcangeli
+Cc: Jerome Glisse
+Cc: Shaohua Li
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/huge_memory.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -1994,7 +1994,7 @@ static void __split_huge_zero_page_pmd(s
+ {
+ struct mm_struct *mm = vma->vm_mm;
+ pgtable_t pgtable;
+- pmd_t _pmd;
++ pmd_t _pmd, old_pmd;
+ int i;
+
+ /*
+@@ -2005,7 +2005,7 @@ static void __split_huge_zero_page_pmd(s
+ *
+ * See Documentation/vm/mmu_notifier.rst
+ */
+- pmdp_huge_clear_flush(vma, haddr, pmd);
++ old_pmd = pmdp_huge_clear_flush(vma, haddr, pmd);
+
+ pgtable = pgtable_trans_huge_withdraw(mm, pmd);
+ pmd_populate(mm, &_pmd, pgtable);
+@@ -2014,6 +2014,8 @@ static void __split_huge_zero_page_pmd(s
+ pte_t *pte, entry;
+ entry = pfn_pte(my_zero_pfn(haddr), vma->vm_page_prot);
+ entry = pte_mkspecial(entry);
++ if (pmd_uffd_wp(old_pmd))
++ entry = pte_mkuffd_wp(entry);
+ pte = pte_offset_map(&_pmd, haddr);
+ VM_BUG_ON(!pte_none(*pte));
+ set_pte_at(mm, haddr, pte, entry);
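Review bot: In __split_huge_zero_page_pmd() the added `if (pmd_uffd_wp(old_pmd))` appears to sit inside the per-PTE block, so it is re-evaluated for every entry although old_pmd does not change after pmdp_huge_clear_flush(). Hoisting it (`bool uffd_wp = pmd_uffd_wp(old_pmd);` before the loop, then `if (uffd_wp)`) states the intent more directly. A short comment such as `/* keep userfaultfd write-protection when the huge zeropage is split into PTEs */` would also help, because losing the bit silently stops write-fault notification for the rest of the PMD range. The loop header and the start of the function lie outside the hunks.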
diff --git a/queue-5.10/mmc-sdhci_am654-lower-power-on-failed-message-severity.patch b/queue-5.10/mmc-sdhci_am654-lower-power-on-failed-message-severity.patch
new file mode 100644
index 00000000000..dc0c760dffc
--- /dev/null
+++ b/queue-5.10/mmc-sdhci_am654-lower-power-on-failed-message-severity.patch
@@ -0,0 +1,36 @@
+From 11440da77d6020831ee6f9ce4551b545dea789ee Mon Sep 17 00:00:00 2001
+From: Francesco Dolcini
+Date: Mon, 6 Mar 2023 17:27:51 +0100
+Subject: mmc: sdhci_am654: lower power-on failed message severity
+
+From: Francesco Dolcini
+
+commit 11440da77d6020831ee6f9ce4551b545dea789ee upstream.
+
+Lower the power-on failed message severity from warn to info when the
+controller does not power-up. It's normal to have this situation when
+the SD card slot is empty, therefore we should not warn the user about
+it.
+
+Fixes: 7ca0f166f5b2 ("mmc: sdhci_am654: Add workaround for card detect debounce timer")
+Signed-off-by: Francesco Dolcini
+Acked-by: Adrian Hunter
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230306162751.163369-1-francesco@dolcini.it
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci_am654.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci_am654.c
++++ b/drivers/mmc/host/sdhci_am654.c
+@@ -369,7 +369,7 @@ static void sdhci_am654_write_b(struct s
+ MAX_POWER_ON_TIMEOUT, false, host, val,
+ reg);
+ if (ret)
+- dev_warn(mmc_dev(host->mmc), "Power on failed\n");
++ dev_info(mmc_dev(host->mmc), "Power on failed\n");
+ }
+ }
+
diff --git a/queue-5.10/series b/queue-5.10/series
index 18cedcf5711..96440354924 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -67,3 +67,10 @@ alsa-hda-intel-dsp-config-add-mtl-pci-id.patch
 alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book2-pro.patch
 drm-shmem-helper-remove-another-errant-put-in-error-path.patch
 mptcp-avoid-setting-tcp_close-state-twice.patch
+ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch
+mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch
+mmc-sdhci_am654-lower-power-on-failed-message-severity.patch
+fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch
+cpuidle-psci-iterate-backwards-over-list-in-psci_pd_remove.patch
+x86-mce-make-sure-logged-mces-are-processed-after-sysfs-update.patch
+x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch
diff --git a/queue-5.10/x86-mce-make-sure-logged-mces-are-processed-after-sysfs-update.patch b/queue-5.10/x86-mce-make-sure-logged-mces-are-processed-after-sysfs-update.patch
new file mode 100644
index 00000000000..eb35dc7d1b9
--- /dev/null
+++ b/queue-5.10/x86-mce-make-sure-logged-mces-are-processed-after-sysfs-update.patch
@@ -0,0 +1,44 @@
+From 4783b9cb374af02d49740e00e2da19fd4ed6dec4 Mon Sep 17 00:00:00 2001
+From: Yazen Ghannam
+Date: Wed, 1 Mar 2023 22:14:20 +0000
+Subject: x86/mce: Make sure logged MCEs are processed after sysfs update
+
+From: Yazen Ghannam
+
+commit 4783b9cb374af02d49740e00e2da19fd4ed6dec4 upstream.
+
+A recent change introduced a flag to queue up errors found during
+boot-time polling. These errors will be processed during late init once
+the MCE subsystem is fully set up.
+
+A number of sysfs updates call mce_restart() which goes through a subset
+of the CPU init flow. This includes polling MCA banks and logging any
+errors found. Since the same function is used as boot-time polling,
+errors will be queued. However, the system is now past late init, so the
+errors will remain queued until another error is found and the workqueue
+is triggered.
+
+Call mce_schedule_work() at the end of mce_restart() so that queued
+errors are processed.
+
+Fixes: 3bff147b187d ("x86/mce: Defer processing of early errors")
+Signed-off-by: Yazen Ghannam
+Signed-off-by: Borislav Petkov (AMD)
+Reviewed-by: Tony Luck
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230301221420.2203184-1-yazen.ghannam@amd.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/cpu/mce/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/cpu/mce/core.c
++++ b/arch/x86/kernel/cpu/mce/core.c
+@@ -2309,6 +2309,7 @@ static void mce_restart(void)
+ {
+ mce_timer_delete_all();
+ on_each_cpu(mce_cpu_restart, NULL, 1);
++ mce_schedule_work();
+ }
+
+ /* Toggle features for corrected errors */
diff --git a/queue-5.10/x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch b/queue-5.10/x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch
new file mode 100644
index 00000000000..04ed810e67c
--- /dev/null
+++ b/queue-5.10/x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch
@@ -0,0 +1,40 @@
+From cbebd68f59f03633469f3ecf9bea99cd6cce3854 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich
+Date: Mon, 6 Mar 2023 08:06:56 -0800
+Subject: x86/mm: Fix use of uninitialized buffer in sme_enable()
+
+From: Nikita Zhandarovich
+
+commit cbebd68f59f03633469f3ecf9bea99cd6cce3854 upstream.
+
+cmdline_find_option() may fail before doing any initialization of
+the buffer array. This may lead to unpredictable results when the same
+buffer is used later in calls to strncmp() function. Fix the issue by
+returning early if cmdline_find_option() returns an error.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: aca20d546214 ("x86/mm: Add support to make use of Secure Memory Encryption")
+Signed-off-by: Nikita Zhandarovich
+Signed-off-by: Borislav Petkov (AMD)
+Acked-by: Tom Lendacky
+Cc:
+Link: https://lore.kernel.org/r/20230306160656.14844-1-n.zhandarovich@fintech.ru
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/mm/mem_encrypt_identity.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/mm/mem_encrypt_identity.c
++++ b/arch/x86/mm/mem_encrypt_identity.c
+@@ -586,7 +586,8 @@ void __init sme_enable(struct boot_param
+ cmdline_ptr = (const char *)((u64)bp->hdr.cmd_line_ptr |
+ ((u64)bp->ext_cmd_line_ptr << 32));
+
+- cmdline_find_option(cmdline_ptr, cmdline_arg, buffer, sizeof(buffer));
++ if (cmdline_find_option(cmdline_ptr, cmdline_arg, buffer, sizeof(buffer)) < 0)
++ return;
+
+ if (!strncmp(buffer, cmdline_on, sizeof(buffer)))
+ sme_me_mask = me_mask;
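Review bot: Returning from sme_enable() whenever cmdline_find_option() reports an error also skips everything after the strncmp() chain, and a command line that simply lacks the option named by cmdline_arg is presumably reported the same way as a failure. The rest of the function is outside the hunk, but if it applies a default when neither the "on" nor the "off" string matches (a build-time enabled-by-default setting, for instance), that default is no longer applied on the most common command line, and memory encryption stays off without any message. Keeping the fall-through while making the buffer defined avoids both the uninitialised read and the skipped default: `if (cmdline_find_option(cmdline_ptr, cmdline_arg, buffer, sizeof(buffer)) < 0) buffer[0] = '\0';`.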