From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 18 Feb 2025 15:02:28 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: v6.1.129~38
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ae76bcea19907367c95ea7013f3cd07525305c71;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	iommu-return-right-value-in-iommu_sva_bind_device.patch
	kdb-do-not-assume-write-callback-available.patch
	x86-static-call-remove-early_boot_irqs_disabled-check-to-fix-xen-pvh-dom0.patch
---

diff --git a/queue-6.1/iommu-return-right-value-in-iommu_sva_bind_device.patch b/queue-6.1/iommu-return-right-value-in-iommu_sva_bind_device.patch
new file mode 100644
index 0000000000..735c593edf
--- /dev/null
+++ b/queue-6.1/iommu-return-right-value-in-iommu_sva_bind_device.patch
@@ -0,0 +1,45 @@
+From 89e8a2366e3bce584b6c01549d5019c5cda1205e Mon Sep 17 00:00:00 2001
+From: Lu Baolu <baolu.lu@linux.intel.com>
+Date: Tue, 28 May 2024 12:25:28 +0800
+Subject: iommu: Return right value in iommu_sva_bind_device()
+
+From: Lu Baolu <baolu.lu@linux.intel.com>
+
+commit 89e8a2366e3bce584b6c01549d5019c5cda1205e upstream.
+
+iommu_sva_bind_device() should return either a sva bond handle or an
+ERR_PTR value in error cases. Existing drivers (idxd and uacce) only
+check the return value with IS_ERR(). This could potentially lead to
+a kernel NULL pointer dereference issue if the function returns NULL
+instead of an error pointer.
+
+In reality, this doesn't cause any problems because iommu_sva_bind_device()
+only returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA.
+In this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will
+return an error, and the device drivers won't call iommu_sva_bind_device()
+at all.
+
+Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices")
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Link: https://lore.kernel.org/r/20240528042528.71396-1-baolu.lu@linux.intel.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Bin Lan <lanbincn@qq.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/iommu.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/iommu.h
++++ b/include/linux/iommu.h
+@@ -999,7 +999,7 @@ iommu_dev_disable_feature(struct device
+ static inline struct iommu_sva *
+ iommu_sva_bind_device(struct device *dev, struct mm_struct *mm, void *drvdata)
+ {
+-	return NULL;
++	return ERR_PTR(-ENODEV);
+ }
+ 
+ static inline void iommu_sva_unbind_device(struct iommu_sva *handle)
diff --git a/queue-6.1/kdb-do-not-assume-write-callback-available.patch b/queue-6.1/kdb-do-not-assume-write-callback-available.patch
new file mode 100644
index 0000000000..19e15ced3a
--- /dev/null
+++ b/queue-6.1/kdb-do-not-assume-write-callback-available.patch
@@ -0,0 +1,39 @@
+From 6d3e0d8cc63221dec670d0ee92ac57961581e975 Mon Sep 17 00:00:00 2001
+From: John Ogness <john.ogness@linutronix.de>
+Date: Mon, 17 Jul 2023 21:52:01 +0206
+Subject: kdb: Do not assume write() callback available
+
+From: John Ogness <john.ogness@linutronix.de>
+
+commit 6d3e0d8cc63221dec670d0ee92ac57961581e975 upstream.
+
+It is allowed for consoles to not provide a write() callback. For
+example ttynull does this.
+
+Check if a write() callback is available before using it.
+
+Signed-off-by: John Ogness <john.ogness@linutronix.de>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Link: https://lore.kernel.org/r/20230717194607.145135-2-john.ogness@linutronix.de
+Cc: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/debug/kdb/kdb_io.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -576,6 +576,8 @@ static void kdb_msg_write(const char *ms
+ 			continue;
+ 		if (c == dbg_io_ops->cons)
+ 			continue;
++		if (!c->write)
++			continue;
+ 		/*
+ 		 * Set oops_in_progress to encourage the console drivers to
+ 		 * disregard their internal spin locks: in the current calling
diff --git a/queue-6.1/series b/queue-6.1/series
index dcf99dbe3f..bc439e5a03 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -556,3 +556,6 @@ ipv6-mcast-add-rcu-protection-to-mld_newpack.patch
 drm-tidss-fix-issue-in-irq-handling-causing-irq-flood-issue.patch
 drm-tidss-clear-the-interrupt-status-for-interrupts-being-disabled.patch
 drm-v3d-stop-active-perfmon-if-it-is-being-destroyed.patch
+kdb-do-not-assume-write-callback-available.patch
+x86-static-call-remove-early_boot_irqs_disabled-check-to-fix-xen-pvh-dom0.patch
+iommu-return-right-value-in-iommu_sva_bind_device.patch
diff --git a/queue-6.1/x86-static-call-remove-early_boot_irqs_disabled-check-to-fix-xen-pvh-dom0.patch b/queue-6.1/x86-static-call-remove-early_boot_irqs_disabled-check-to-fix-xen-pvh-dom0.patch
new file mode 100644
index 0000000000..a7b0f60d86
--- /dev/null
+++ b/queue-6.1/x86-static-call-remove-early_boot_irqs_disabled-check-to-fix-xen-pvh-dom0.patch
@@ -0,0 +1,44 @@
+From 5cc2db37124bb33914996d6fdbb2ddb3811f2945 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Sat, 21 Dec 2024 21:10:46 +0000
+Subject: x86/static-call: Remove early_boot_irqs_disabled check to fix Xen PVH dom0
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+
+commit 5cc2db37124bb33914996d6fdbb2ddb3811f2945 upstream.
+
+__static_call_update_early() has a check for early_boot_irqs_disabled, but
+is used before early_boot_irqs_disabled is set up in start_kernel().
+
+Xen PV has always special cased early_boot_irqs_disabled, but Xen PVH does
+not and falls over the BUG when booting as dom0.
+
+It is very suspect that early_boot_irqs_disabled starts as 0, becomes 1 for
+a time, then becomes 0 again, but as this needs backporting to fix a
+breakage in a security fix, dropping the BUG_ON() is the far safer option.
+
+Fixes: 0ef8047b737d ("x86/static-call: provide a way to do very early static-call updates")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219620
+Reported-by: Alex Zenla <alex@edera.dev>
+Suggested-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Alex Zenla <alex@edera.dev>
+Link: https://lore.kernel.org/r/20241221211046.6475-1-andrew.cooper3@citrix.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/static_call.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/x86/kernel/static_call.c
++++ b/arch/x86/kernel/static_call.c
+@@ -173,7 +173,6 @@ EXPORT_SYMBOL_GPL(arch_static_call_trans
+ noinstr void __static_call_update_early(void *tramp, void *func)
+ {
+ 	BUG_ON(system_state != SYSTEM_BOOTING);
+-	BUG_ON(!early_boot_irqs_disabled);
+ 	BUG_ON(static_call_initialized);
+ 	__text_gen_insn(tramp, JMP32_INSN_OPCODE, tramp, func, JMP32_INSN_SIZE);
+ 	sync_core();