From: Greg Kroah-Hartman
Date: Mon, 17 Apr 2023 07:07:03 +0000 (+0200)
Subject: 6.2-stable patches
X-Git-Tag: v4.14.313~34
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=af8682b1524f31a90125775cd97b4268b21553fe;p=thirdparty%2Fkernel%2Fstable-queue.git

6.2-stable patches

added patches:
hid-intel-ish-hid-fix-kernel-panic-during-warm-reset.patch
ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
net-phy-nxp-c45-tja11xx-add-remove-callback.patch
net-phy-nxp-c45-tja11xx-fix-unsigned-long-multiplication-overflow.patch
net-sfp-initialize-sfp-i2c_block_size-at-sfp-allocation.patch
riscv-add-icache-flush-for-nommu-sigreturn-trampoline.patch
riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch
riscv-move-early-dtb-mapping-into-the-fixmap-region.patch
riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch
---
diff --git a/queue-6.2/hid-intel-ish-hid-fix-kernel-panic-during-warm-reset.patch b/queue-6.2/hid-intel-ish-hid-fix-kernel-panic-during-warm-reset.patch
new file mode 100644
index 00000000000..529597ab30f
--- /dev/null
+++ b/queue-6.2/hid-intel-ish-hid-fix-kernel-panic-during-warm-reset.patch
@@ -0,0 +1,59 @@
+From 38518593ec55e897abda4b4be77b2ec8ec4447d1 Mon Sep 17 00:00:00 2001
+From: Tanu Malhotra
+Date: Mon, 27 Mar 2023 11:58:38 -0700
+Subject: HID: intel-ish-hid: Fix kernel panic during warm reset
+
+From: Tanu Malhotra
+
+commit 38518593ec55e897abda4b4be77b2ec8ec4447d1 upstream.
+
+During warm reset device->fw_client is set to NULL. If a bus driver is
+registered after this NULL setting and before new firmware clients are
+enumerated by ISHTP, kernel panic will result in the function
+ishtp_cl_bus_match(). This is because of reference to
+device->fw_client->props.protocol_name.
+
+ISH firmware after getting successfully loaded, sends a warm reset
+notification to remove all clients from the bus and sets
+device->fw_client to NULL. Until kernel v5.15, all enabled ISHTP kernel
+module drivers were loaded right after any of the first ISHTP device was
+registered, regardless of whether it was a matched or an unmatched
+device. This resulted in all drivers getting registered much before the
+warm reset notification from ISH.
+
+Starting kernel v5.16, this issue got exposed after the change was
+introduced to load only bus drivers for the respective matching devices.
+In this scenario, cros_ec_ishtp device and cros_ec_ishtp driver are
+registered after the warm reset device fw_client NULL setting.
+cros_ec_ishtp driver_register() triggers the callback to
+ishtp_cl_bus_match() to match ISHTP driver to the device and causes kernel
+panic in guid_equal() when dereferencing fw_client NULL pointer to get
+protocol_name.
+
+Fixes: f155dfeaa4ee ("platform/x86: isthp_eclite: only load for matching devices")
+Fixes: facfe0a4fdce ("platform/chrome: chros_ec_ishtp: only load for matching devices")
+Fixes: 0d0cccc0fd83 ("HID: intel-ish-hid: hid-client: only load for matching devices")
+Fixes: 44e2a58cb880 ("HID: intel-ish-hid: fw-loader: only load for matching devices")
+Cc: # 5.16+
+Signed-off-by: Tanu Malhotra
+Tested-by: Shaunak Saha
+Acked-by: Srinivas Pandruvada
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/intel-ish-hid/ishtp/bus.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/intel-ish-hid/ishtp/bus.c
++++ b/drivers/hid/intel-ish-hid/ishtp/bus.c
+@@ -241,8 +241,8 @@ static int ishtp_cl_bus_match(struct dev
+ struct ishtp_cl_device *device = to_ishtp_cl_device(dev);
+ struct ishtp_cl_driver *driver = to_ishtp_cl_driver(drv);
+
+- return guid_equal(&driver->id[0].guid,
+- &device->fw_client->props.protocol_name);
++ return(device->fw_client ? guid_equal(&driver->id[0].guid,
++ &device->fw_client->props.protocol_name) : 0);
+ }
+
+ /**
diff --git a/queue-6.2/ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch b/queue-6.2/ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
new file mode 100644
index 00000000000..475cdb77b42
--- /dev/null
+++ b/queue-6.2/ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
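Review bot: In ishtp_cl_bus_match() (hid-intel-ish-hid patch) the new ternary loads `device->fw_client` twice, once for the NULL test and again for `->props.protocol_name`, so the guard only holds if nothing can clear the pointer between the two loads. The commit message says warm reset sets it to NULL and no lock is visible in this hunk, so it is worth confirming that the bus match path is serialised against that reset; if it is not, a single load such as `fw_client = READ_ONCE(device->fw_client);` followed by `return fw_client ? guid_equal(&driver->id[0].guid, &fw_client->props.protocol_name) : 0;` removes the double fetch, though it does not by itself address the object's lifetime. Separately, `return(...)` written like a function call is not kernel coding style; an early `if (!device->fw_client) return 0;` reads more clearly.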
@@ -0,0 +1,68 @@
+From e7067a446264a7514fa1cfaa4052cdb6803bc6a2 Mon Sep 17 00:00:00 2001
+From: David Disseldorp
+Date: Thu, 13 Apr 2023 23:49:57 +0900
+Subject: ksmbd: avoid out of bounds access in decode_preauth_ctxt()
+
+From: David Disseldorp
+
+commit e7067a446264a7514fa1cfaa4052cdb6803bc6a2 upstream.
+
+Confirm that the accessed pneg_ctxt->HashAlgorithms address sits within
+the SMB request boundary; deassemble_neg_contexts() only checks that the
+eight byte smb2_neg_context header + (client controlled) DataLength are
+within the packet boundary, which is insufficient.
+
+Checking for sizeof(struct smb2_preauth_neg_context) is overkill given
+that the type currently assumes SMB311_SALT_SIZE bytes of trailing Salt.
+
+Signed-off-by: David Disseldorp
+Acked-by: Namjae Jeon
+Cc:
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ksmbd/smb2pdu.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -872,17 +872,21 @@ static void assemble_neg_contexts(struct
+ }
+
+ static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn,
+- struct smb2_preauth_neg_context *pneg_ctxt)
++ struct smb2_preauth_neg_context *pneg_ctxt,
++ int len_of_ctxts)
+ {
+- __le32 err = STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
++ /*
++ * sizeof(smb2_preauth_neg_context) assumes SMB311_SALT_SIZE Salt,
++ * which may not be present. Only check for used HashAlgorithms[1].
++ */
++ if (len_of_ctxts < MIN_PREAUTH_CTXT_DATA_LEN)
++ return STATUS_INVALID_PARAMETER;
+
+- if (pneg_ctxt->HashAlgorithms == SMB2_PREAUTH_INTEGRITY_SHA512) {
+- conn->preauth_info->Preauth_HashId =
+- SMB2_PREAUTH_INTEGRITY_SHA512;
+- err = STATUS_SUCCESS;
+- }
++ if (pneg_ctxt->HashAlgorithms != SMB2_PREAUTH_INTEGRITY_SHA512)
++ return STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
+
+- return err;
++ conn->preauth_info->Preauth_HashId = SMB2_PREAUTH_INTEGRITY_SHA512;
++ return STATUS_SUCCESS;
+ }
+
+ static void decode_encrypt_ctxt(struct ksmbd_conn *conn,
+@@ -1010,7 +1014,8 @@ static __le32 deassemble_neg_contexts(st
+ break;
+
+ status = decode_preauth_ctxt(conn,
+- (struct smb2_preauth_neg_context *)pctx);
++ (struct smb2_preauth_neg_context *)pctx,
++ len_of_ctxts);
+ if (status != STATUS_SUCCESS)
+ break;
+ } else if (pctx->ContextType == SMB2_ENCRYPTION_CAPABILITIES) {
diff --git a/queue-6.2/net-phy-nxp-c45-tja11xx-add-remove-callback.patch b/queue-6.2/net-phy-nxp-c45-tja11xx-add-remove-callback.patch
new file mode 100644
index 00000000000..d982c89d36c
--- /dev/null
+++ b/queue-6.2/net-phy-nxp-c45-tja11xx-add-remove-callback.patch
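Review bot: The new bound in decode_preauth_ctxt() (ksmbd patch), `if (len_of_ctxts < MIN_PREAUTH_CTXT_DATA_LEN)`, compares the bytes remaining in the negotiate-context area with a constant whose name suggests a data length, so it may still be short by the size of the context header. MIN_PREAUTH_CTXT_DATA_LEN is defined outside this patch; if it counts only the bytes after the eight-byte smb2_neg_context header named in the commit message, while len_of_ctxts is measured from the start of that header, a remaining length between the two values passes the check although HashAlgorithms lies beyond the request. In that case the guard should read `if (len_of_ctxts < (int)sizeof(struct smb2_neg_context) + MIN_PREAUTH_CTXT_DATA_LEN)`. The check also ignores the context's own client-supplied DataLength, so a context declaring less data than the field needs is still parsed; whether that matters depends on the part of deassemble_neg_contexts() outside the hunk.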
@@ -0,0 +1,51 @@
+From a4506722dc39ca840593f14e3faa4c9ba9408211 Mon Sep 17 00:00:00 2001
+From: "Radu Pirea (OSS)"
+Date: Thu, 6 Apr 2023 12:59:04 +0300
+Subject: net: phy: nxp-c45-tja11xx: add remove callback
+
+From: Radu Pirea (OSS)
+
+commit a4506722dc39ca840593f14e3faa4c9ba9408211 upstream.
+
+Unregister PTP clock when the driver is removed.
+Purge the RX and TX skb queues.
+
+Fixes: 514def5dd339 ("phy: nxp-c45-tja11xx: add timestamping support")
+CC: stable@vger.kernel.org # 5.15+
+Signed-off-by: Radu Pirea (OSS)
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/20230406095904.75456-1-radu-nicolae.pirea@oss.nxp.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/nxp-c45-tja11xx.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/net/phy/nxp-c45-tja11xx.c
++++ b/drivers/net/phy/nxp-c45-tja11xx.c
+@@ -1337,6 +1337,17 @@ no_ptp_support:
+ return ret;
+ }
+
++static void nxp_c45_remove(struct phy_device *phydev)
++{
++ struct nxp_c45_phy *priv = phydev->priv;
++
++ if (priv->ptp_clock)
++ ptp_clock_unregister(priv->ptp_clock);
++
++ skb_queue_purge(&priv->tx_queue);
++ skb_queue_purge(&priv->rx_queue);
++}
++
+ static struct phy_driver nxp_c45_driver[] = {
+ {
+ PHY_ID_MATCH_MODEL(PHY_ID_TJA_1103),
+@@ -1359,6 +1370,7 @@ static struct phy_driver nxp_c45_driver[
+ .set_loopback = genphy_c45_loopback,
+ .get_sqi = nxp_c45_get_sqi,
+ .get_sqi_max = nxp_c45_get_sqi_max,
++ .remove = nxp_c45_remove,
+ },
+ };
+
diff --git a/queue-6.2/net-phy-nxp-c45-tja11xx-fix-unsigned-long-multiplication-overflow.patch b/queue-6.2/net-phy-nxp-c45-tja11xx-fix-unsigned-long-multiplication-overflow.patch
new file mode 100644
index 00000000000..bb0d734e95f
--- /dev/null
+++ b/queue-6.2/net-phy-nxp-c45-tja11xx-fix-unsigned-long-multiplication-overflow.patch
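Review bot: nxp_c45_remove() (add-remove-callback patch) depends on an ordering it does not document: the PTP clock is unregistered before the tx and rx queues are purged, presumably so that no clock-related work touches the queues afterwards. A comment such as `/* Unregister the clock first so no PTP work runs against the queues being purged. */` would keep a later reorder from opening a use-after-free window; confirm this against the worker set up in the probe path, which is outside the hunk. The purge also runs unconditionally, so it is worth checking that both queues are initialised before probe can reach the `no_ptp_support` label visible in the hunk context.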
@@ -0,0 +1,38 @@
+From bdaaecc127d471c422ee9e994978617c8aa79e1e Mon Sep 17 00:00:00 2001
+From: "Radu Pirea (OSS)"
+Date: Thu, 6 Apr 2023 12:59:53 +0300
+Subject: net: phy: nxp-c45-tja11xx: fix unsigned long multiplication overflow
+
+From: Radu Pirea (OSS)
+
+commit bdaaecc127d471c422ee9e994978617c8aa79e1e upstream.
+
+Any multiplication between GENMASK(31, 0) and a number bigger than 1
+will be truncated because of the overflow, if the size of unsigned long
+is 32 bits.
+
+Replaced GENMASK with GENMASK_ULL to make sure that multiplication will
+be between 64 bits values.
+
+Cc: # 5.15+
+Fixes: 514def5dd339 ("phy: nxp-c45-tja11xx: add timestamping support")
+Signed-off-by: Radu Pirea (OSS)
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/20230406095953.75622-1-radu-nicolae.pirea@oss.nxp.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/nxp-c45-tja11xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/nxp-c45-tja11xx.c
++++ b/drivers/net/phy/nxp-c45-tja11xx.c
+@@ -191,7 +191,7 @@
+ #define MAX_ID_PS 2260U
+ #define DEFAULT_ID_PS 2000U
+
+-#define PPM_TO_SUBNS_INC(ppb) div_u64(GENMASK(31, 0) * (ppb) * \
++#define PPM_TO_SUBNS_INC(ppb) div_u64(GENMASK_ULL(31, 0) * (ppb) * \
+ PTP_CLK_PERIOD_100BT1, NSEC_PER_SEC)
+
+ #define NXP_C45_SKB_CB(skb) ((struct nxp_c45_skb_cb *)(skb)->cb)
diff --git a/queue-6.2/net-sfp-initialize-sfp-i2c_block_size-at-sfp-allocation.patch b/queue-6.2/net-sfp-initialize-sfp-i2c_block_size-at-sfp-allocation.patch
new file mode 100644
index 00000000000..05dbaa9e03c
--- /dev/null
+++ b/queue-6.2/net-sfp-initialize-sfp-i2c_block_size-at-sfp-allocation.patch
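Review bot: PPM_TO_SUBNS_INC(ppb) (multiplication-overflow patch) now multiplies in unsigned 64-bit, so a signed negative `ppb` argument is converted to a very large unsigned value before div_u64() instead of producing a negative result. The callers are outside this hunk; if they already pass a magnitude this is fine, but the macro should state the requirement, e.g. `/* ppb must be non-negative; callers handle the sign separately. */`. The macro name says PPM while its parameter is `ppb`, which is easy to misread when checking the range of the 64-bit product.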
@@ -0,0 +1,78 @@
+From 813c2dd78618f108fdcf9cd726ea90f081ee2881 Mon Sep 17 00:00:00 2001
+From: Ivan Bornyakov
+Date: Thu, 6 Apr 2023 16:08:32 +0300
+Subject: net: sfp: initialize sfp->i2c_block_size at sfp allocation
+
+From: Ivan Bornyakov
+
+commit 813c2dd78618f108fdcf9cd726ea90f081ee2881 upstream.
+
+sfp->i2c_block_size is initialized at SFP module insertion in
+sfp_sm_mod_probe(). Because of that, if SFP module was never inserted
+since boot, sfp_read() call will lead to zero-length I2C read attempt,
+and not all I2C controllers are happy with zero-length reads.
+
+One way to issue sfp_read() on empty SFP cage is to execute ethtool -m.
+If SFP module was never plugged since boot, there will be a zero-length
+I2C read attempt.
+
+ # ethtool -m xge0
+ i2c i2c-3: adapter quirk: no zero length (addr 0x0050, size 0, read)
+ Cannot get Module EEPROM data: Operation not supported
+
+If SFP module was plugged then removed at least once,
+sfp->i2c_block_size will be initialized and ethtool -m will fail with
+different exit code and without I2C error
+
+ # ethtool -m xge0
+ Cannot get Module EEPROM data: Remote I/O error
+
+Fix this by initializing sfp->i2_block_size at struct sfp allocation
+stage so no wild sfp_read() could issue zero-length I2C read.
+
+Signed-off-by: Ivan Bornyakov
+Fixes: 0d035bed2a4a ("net: sfp: VSOL V2801F / CarlitoxxPro CPGOS03-0490 v2.0 workaround")
+Cc: stable@vger.kernel.org
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/sfp.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/phy/sfp.c
++++ b/drivers/net/phy/sfp.c
+@@ -212,6 +212,12 @@ static const enum gpiod_flags gpio_flags
+ #define SFP_PHY_ADDR 22
+ #define SFP_PHY_ADDR_ROLLBALL 17
+
++/* SFP_EEPROM_BLOCK_SIZE is the size of data chunk to read the EEPROM
++ * at a time. Some SFP modules and also some Linux I2C drivers do not like
++ * reads longer than 16 bytes.
++ */
++#define SFP_EEPROM_BLOCK_SIZE 16
++
+ struct sff_data {
+ unsigned int gpios;
+ bool (*module_supported)(const struct sfp_eeprom_id *id);
+@@ -1927,11 +1933,7 @@ static int sfp_sm_mod_probe(struct sfp *
+ u8 check;
+ int ret;
+
+- /* Some SFP modules and also some Linux I2C drivers do not like reads
+- * longer than 16 bytes, so read the EEPROM in chunks of 16 bytes at
+- * a time.
+- */
+- sfp->i2c_block_size = 16;
++ sfp->i2c_block_size = SFP_EEPROM_BLOCK_SIZE;
+
+ ret = sfp_read(sfp, false, 0, &id.base, sizeof(id.base));
+ if (ret < 0) {
+@@ -2614,6 +2616,7 @@ static struct sfp *sfp_alloc(struct devi
+ return ERR_PTR(-ENOMEM);
+
+ sfp->dev = dev;
++ sfp->i2c_block_size = SFP_EEPROM_BLOCK_SIZE;
+
+ mutex_init(&sfp->sm_mutex);
+ mutex_init(&sfp->st_mutex);
diff --git a/queue-6.2/riscv-add-icache-flush-for-nommu-sigreturn-trampoline.patch b/queue-6.2/riscv-add-icache-flush-for-nommu-sigreturn-trampoline.patch
new file mode 100644
index 00000000000..0258cd6f2cc
--- /dev/null
+++ b/queue-6.2/riscv-add-icache-flush-for-nommu-sigreturn-trampoline.patch
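Review bot: In sfp_sm_mod_probe() (net-sfp patch) the assignment `sfp->i2c_block_size = SFP_EEPROM_BLOCK_SIZE;` now looks redundant with the new initialisation in sfp_alloc(), and the comment that explained it has moved to the #define. If the line is kept because a per-module workaround can lower the block size for a previously inserted module (the Fixes tag names such a workaround, but its code is outside these hunks), say so at the assignment: `/* Reset to the default; a quirk for an earlier module may have changed it. */`. Without that, a later cleanup may remove the line as dead code.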
@@ -0,0 +1,58 @@
+From 8d736482749f6d350892ef83a7a11d43cd49981e Mon Sep 17 00:00:00 2001
+From: Mathis Salmen
+Date: Thu, 6 Apr 2023 12:11:31 +0200
+Subject: riscv: add icache flush for nommu sigreturn trampoline
+
+From: Mathis Salmen
+
+commit 8d736482749f6d350892ef83a7a11d43cd49981e upstream.
+
+In a NOMMU kernel, sigreturn trampolines are generated on the user
+stack by setup_rt_frame. Currently, these trampolines are not instruction
+fenced, thus their visibility to ifetch is not guaranteed.
+
+This patch adds a flush_icache_range in setup_rt_frame to fix this
+problem.
+
+Signed-off-by: Mathis Salmen
+Fixes: 6bd33e1ece52 ("riscv: add nommu support")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230406101130.82304-1-mathis.salmen@matsal.de
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/riscv/kernel/signal.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/riscv/kernel/signal.c
++++ b/arch/riscv/kernel/signal.c
+@@ -19,6 +19,7 @@
+ #include
+ #include
+ #include
++#include
+
+ extern u32 __user_rt_sigreturn[2];
+
+@@ -181,6 +182,7 @@ static int setup_rt_frame(struct ksignal
+ {
+ struct rt_sigframe __user *frame;
+ long err = 0;
++ unsigned long __maybe_unused addr;
+
+ frame = get_sigframe(ksig, regs, sizeof(*frame));
+ if (!access_ok(frame, sizeof(*frame)))
+@@ -209,7 +211,12 @@ static int setup_rt_frame(struct ksignal
+ if (copy_to_user(&frame->sigreturn_code, __user_rt_sigreturn,
+ sizeof(frame->sigreturn_code)))
+ return -EFAULT;
+- regs->ra = (unsigned long)&frame->sigreturn_code;
++
++ addr = (unsigned long)&frame->sigreturn_code;
++ /* Make sure the two instructions are pushed to icache. */
++ flush_icache_range(addr, addr + sizeof(frame->sigreturn_code));
++
++ regs->ra = addr;
+ #endif /* CONFIG_MMU */
+
+ /*
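Review bot: The comment added in setup_rt_frame() (riscv icache-flush patch), `/* Make sure the two instructions are pushed to icache. */`, describes the reverse of what flush_icache_range() is for: nothing is pushed into the instruction cache, stale contents are discarded so the next fetch sees the trampoline that copy_to_user() just wrote. Suggested wording: `/* Make the two trampoline instructions just written to the user stack visible to instruction fetch. */`. `addr` is declared `__maybe_unused` at function scope because its only uses sit inside the conditional block closed by `#endif /* CONFIG_MMU */`; a short comment on the declaration would explain the annotation. The function body starts and ends outside these hunks.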
diff --git a/queue-6.2/riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch b/queue-6.2/riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch
new file mode 100644
index 00000000000..18cc4698545
--- /dev/null
+++ b/queue-6.2/riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch
@@ -0,0 +1,36 @@
+From f1581626071c8e37c58c5e8f0b4126b17172a211 Mon Sep 17 00:00:00 2001
+From: Alexandre Ghiti
+Date: Wed, 29 Mar 2023 10:19:31 +0200
+Subject: riscv: Do not set initial_boot_params to the linear address of the dtb
+
+From: Alexandre Ghiti
+
+commit f1581626071c8e37c58c5e8f0b4126b17172a211 upstream.
+
+early_init_dt_verify() is already called in parse_dtb() and since the dtb
+address does not change anymore (it is now in the fixmap region), no need
+to reset initial_boot_params by calling early_init_dt_verify() again.
+
+Signed-off-by: Alexandre Ghiti
+Link: https://lore.kernel.org/r/20230329081932.79831-3-alexghiti@rivosinc.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/riscv/kernel/setup.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/arch/riscv/kernel/setup.c
++++ b/arch/riscv/kernel/setup.c
+@@ -278,10 +278,7 @@ void __init setup_arch(char **cmdline_p)
+ #if IS_ENABLED(CONFIG_BUILTIN_DTB)
+ unflatten_and_copy_device_tree();
+ #else
+- if (early_init_dt_verify(__va(XIP_FIXUP(dtb_early_pa))))
+- unflatten_device_tree();
+- else
+- pr_err("No DTB found in kernel mappings\n");
++ unflatten_device_tree();
+ #endif
+ early_init_fdt_scan_reserved_mem();
+ misc_mem_init();
diff --git a/queue-6.2/riscv-move-early-dtb-mapping-into-the-fixmap-region.patch b/queue-6.2/riscv-move-early-dtb-mapping-into-the-fixmap-region.patch
new file mode 100644
index 00000000000..d029ddb8491
--- /dev/null
+++ b/queue-6.2/riscv-move-early-dtb-mapping-into-the-fixmap-region.patch
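Review bot: With the `early_init_dt_verify()` call removed from setup_arch() (riscv do-not-set-initial_boot_params patch), the `pr_err("No DTB found in kernel mappings\n")` diagnostic is gone and `unflatten_device_tree()` runs unconditionally in the non-builtin branch. The commit message relies on parse_dtb() having verified the blob earlier, which is outside this hunk; a comment at the call, for example `/* DTB was already verified in parse_dtb(); initial_boot_params is still valid here. */`, would record that dependency. It is also worth confirming that a failed verification in parse_dtb() is still reported somewhere, so that a missing or corrupt DTB does not turn into a silent boot with an empty tree.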
@@ -0,0 +1,251 @@
+From ef69d2559fe91f23d27a3d6fd640b5641787d22e Mon Sep 17 00:00:00 2001
+From: Alexandre Ghiti
+Date: Wed, 29 Mar 2023 10:19:30 +0200
+Subject: riscv: Move early dtb mapping into the fixmap region
+
+From: Alexandre Ghiti
+
+commit ef69d2559fe91f23d27a3d6fd640b5641787d22e upstream.
+
+riscv establishes 2 virtual mappings:
+
+- early_pg_dir maps the kernel which allows to discover the system
+ memory
+- swapper_pg_dir installs the final mapping (linear mapping included)
+
+We used to map the dtb in early_pg_dir using DTB_EARLY_BASE_VA, and this
+mapping was not carried over in swapper_pg_dir. It happens that
+early_init_fdt_scan_reserved_mem() must be called before swapper_pg_dir is
+setup otherwise we could allocate reserved memory defined in the dtb.
+And this function initializes reserved_mem variable with addresses that
+lie in the early_pg_dir dtb mapping: when those addresses are reused
+with swapper_pg_dir, this mapping does not exist and then we trap.
+
+The previous "fix" was incorrect as early_init_fdt_scan_reserved_mem()
+must be called before swapper_pg_dir is set up otherwise we could
+allocate in reserved memory defined in the dtb.
+
+So move the dtb mapping in the fixmap region which is established in
+early_pg_dir and handed over to swapper_pg_dir.
+
+Fixes: 922b0375fc93 ("riscv: Fix memblock reservation for device tree blob")
+Fixes: 8f3a2b4a96dc ("RISC-V: Move DT mapping outof fixmap")
+Fixes: 50e63dd8ed92 ("riscv: fix reserved memory setup")
+Reported-by: Conor Dooley
+Link: https://lore.kernel.org/all/f8e67f82-103d-156c-deb0-d6d6e2756f5e@microchip.com/
+Signed-off-by: Alexandre Ghiti
+Reviewed-by: Conor Dooley
+Tested-by: Conor Dooley
+Link: https://lore.kernel.org/r/20230329081932.79831-2-alexghiti@rivosinc.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/riscv/vm-layout.rst | 6 +--
+ arch/riscv/include/asm/fixmap.h | 8 ++++
+ arch/riscv/include/asm/pgtable.h | 8 +++-
+ arch/riscv/kernel/setup.c | 1
+ arch/riscv/mm/init.c | 61 +++++++++++++++++++++-----------------
+ 5 files changed, 51 insertions(+), 33 deletions(-)
+
+--- a/Documentation/riscv/vm-layout.rst
++++ b/Documentation/riscv/vm-layout.rst
+@@ -47,7 +47,7 @@ RISC-V Linux Kernel SV39
+ | Kernel-space virtual memory, shared between all processes:
+ ____________________________________________________________|___________________________________________________________
+ | | | |
+- ffffffc6fee00000 | -228 GB | ffffffc6feffffff | 2 MB | fixmap
++ ffffffc6fea00000 | -228 GB | ffffffc6feffffff | 6 MB | fixmap
+ ffffffc6ff000000 | -228 GB | ffffffc6ffffffff | 16 MB | PCI io
+ ffffffc700000000 | -228 GB | ffffffc7ffffffff | 4 GB | vmemmap
+ ffffffc800000000 | -224 GB | ffffffd7ffffffff | 64 GB | vmalloc/ioremap space
+@@ -83,7 +83,7 @@ RISC-V Linux Kernel SV48
+ | Kernel-space virtual memory, shared between all processes:
+ ____________________________________________________________|___________________________________________________________
+ | | | |
+- ffff8d7ffee00000 | -114.5 TB | ffff8d7ffeffffff | 2 MB | fixmap
++ ffff8d7ffea00000 | -114.5 TB | ffff8d7ffeffffff | 6 MB | fixmap
+ ffff8d7fff000000 | -114.5 TB | ffff8d7fffffffff | 16 MB | PCI io
+ ffff8d8000000000 | -114.5 TB | ffff8f7fffffffff | 2 TB | vmemmap
+ ffff8f8000000000 | -112.5 TB | ffffaf7fffffffff | 32 TB | vmalloc/ioremap space
+@@ -119,7 +119,7 @@ RISC-V Linux Kernel SV57
+ | Kernel-space virtual memory, shared between all processes:
+ ____________________________________________________________|___________________________________________________________
+ | | | |
+- ff1bfffffee00000 | -57 PB | ff1bfffffeffffff | 2 MB | fixmap
++ ff1bfffffea00000 | -57 PB | ff1bfffffeffffff | 6 MB | fixmap
+ ff1bffffff000000 | -57 PB | ff1bffffffffffff | 16 MB | PCI io
+ ff1c000000000000 | -57 PB | ff1fffffffffffff | 1 PB | vmemmap
+ ff20000000000000 | -56 PB | ff5fffffffffffff | 16 PB | vmalloc/ioremap space
+--- a/arch/riscv/include/asm/fixmap.h
++++ b/arch/riscv/include/asm/fixmap.h
+@@ -22,6 +22,14 @@
+ */
+ enum fixed_addresses {
+ FIX_HOLE,
++ /*
++ * The fdt fixmap mapping must be PMD aligned and will be mapped
++ * using PMD entries in fixmap_pmd in 64-bit and a PGD entry in 32-bit.
++ */
++ FIX_FDT_END,
++ FIX_FDT = FIX_FDT_END + FIX_FDT_SIZE / PAGE_SIZE - 1,
++
++ /* Below fixmaps will be mapped using fixmap_pte */
+ FIX_PTE,
+ FIX_PMD,
+ FIX_PUD,
+--- a/arch/riscv/include/asm/pgtable.h
++++ b/arch/riscv/include/asm/pgtable.h
+@@ -87,9 +87,13 @@
+
+ #define FIXADDR_TOP PCI_IO_START
+ #ifdef CONFIG_64BIT
+-#define FIXADDR_SIZE PMD_SIZE
++#define MAX_FDT_SIZE PMD_SIZE
++#define FIX_FDT_SIZE (MAX_FDT_SIZE + SZ_2M)
++#define FIXADDR_SIZE (PMD_SIZE + FIX_FDT_SIZE)
+ #else
+-#define FIXADDR_SIZE PGDIR_SIZE
++#define MAX_FDT_SIZE PGDIR_SIZE
++#define FIX_FDT_SIZE MAX_FDT_SIZE
++#define FIXADDR_SIZE (PGDIR_SIZE + FIX_FDT_SIZE)
+ #endif
+ #define FIXADDR_START (FIXADDR_TOP - FIXADDR_SIZE)
+
+--- a/arch/riscv/kernel/setup.c
++++ b/arch/riscv/kernel/setup.c
+@@ -280,7 +280,6 @@ void __init setup_arch(char **cmdline_p)
+ #else
+ unflatten_device_tree();
+ #endif
+- early_init_fdt_scan_reserved_mem();
+ misc_mem_init();
+
+ init_resources();
+--- a/arch/riscv/mm/init.c
++++ b/arch/riscv/mm/init.c
+@@ -57,7 +57,6 @@ unsigned long empty_zero_page[PAGE_SIZE
+ EXPORT_SYMBOL(empty_zero_page);
+
+ extern char _start[];
+-#define DTB_EARLY_BASE_VA PGDIR_SIZE
+ void *_dtb_early_va __initdata;
+ uintptr_t _dtb_early_pa __initdata;
+
+@@ -236,6 +235,14 @@ static void __init setup_bootmem(void)
+ set_max_mapnr(max_low_pfn - ARCH_PFN_OFFSET);
+
+ reserve_initrd_mem();
++
++ /*
++ * No allocation should be done before reserving the memory as defined
++ * in the device tree, otherwise the allocation could end up in a
++ * reserved region.
++ */
++ early_init_fdt_scan_reserved_mem();
++
+ /*
+ * If DTB is built in, no need to reserve its memblock.
+ * Otherwise, do reserve it but avoid using
+@@ -262,9 +269,6 @@ pgd_t trampoline_pg_dir[PTRS_PER_PGD] __
+ static pte_t fixmap_pte[PTRS_PER_PTE] __page_aligned_bss;
+
+ pgd_t early_pg_dir[PTRS_PER_PGD] __initdata __aligned(PAGE_SIZE);
+-static p4d_t __maybe_unused early_dtb_p4d[PTRS_PER_P4D] __initdata __aligned(PAGE_SIZE);
+-static pud_t __maybe_unused early_dtb_pud[PTRS_PER_PUD] __initdata __aligned(PAGE_SIZE);
+-static pmd_t __maybe_unused early_dtb_pmd[PTRS_PER_PMD] __initdata __aligned(PAGE_SIZE);
+
+ #ifdef CONFIG_XIP_KERNEL
+ #define pt_ops (*(struct pt_alloc_ops *)XIP_FIXUP(&pt_ops))
+@@ -609,9 +613,6 @@ static void __init create_p4d_mapping(p4
+ #define trampoline_pgd_next (pgtable_l5_enabled ? \
+ (uintptr_t)trampoline_p4d : (pgtable_l4_enabled ? \
+ (uintptr_t)trampoline_pud : (uintptr_t)trampoline_pmd))
+-#define early_dtb_pgd_next (pgtable_l5_enabled ? \
+- (uintptr_t)early_dtb_p4d : (pgtable_l4_enabled ? \
+- (uintptr_t)early_dtb_pud : (uintptr_t)early_dtb_pmd))
+ #else
+ #define pgd_next_t pte_t
+ #define alloc_pgd_next(__va) pt_ops.alloc_pte(__va)
+@@ -619,7 +620,6 @@ static void __init create_p4d_mapping(p4
+ #define create_pgd_next_mapping(__nextp, __va, __pa, __sz, __prot) \
+ create_pte_mapping(__nextp, __va, __pa, __sz, __prot)
+ #define fixmap_pgd_next ((uintptr_t)fixmap_pte)
+-#define early_dtb_pgd_next ((uintptr_t)early_dtb_pmd)
+ #define create_p4d_mapping(__pmdp, __va, __pa, __sz, __prot) do {} while(0)
+ #define create_pud_mapping(__pmdp, __va, __pa, __sz, __prot) do {} while(0)
+ #define create_pmd_mapping(__pmdp, __va, __pa, __sz, __prot) do {} while(0)
+@@ -843,32 +843,28 @@ static void __init create_kernel_page_ta
+ * this means 2 PMD entries whereas for 32-bit kernel, this is only 1 PGDIR
+ * entry.
+ */
+-static void __init create_fdt_early_page_table(pgd_t *pgdir, uintptr_t dtb_pa)
++static void __init create_fdt_early_page_table(pgd_t *pgdir,
++ uintptr_t fix_fdt_va,
++ uintptr_t dtb_pa)
+ {
+-#ifndef CONFIG_BUILTIN_DTB
+ uintptr_t pa = dtb_pa & ~(PMD_SIZE - 1);
+
+- create_pgd_mapping(early_pg_dir, DTB_EARLY_BASE_VA,
+- IS_ENABLED(CONFIG_64BIT) ? early_dtb_pgd_next : pa,
+- PGDIR_SIZE,
+- IS_ENABLED(CONFIG_64BIT) ? PAGE_TABLE : PAGE_KERNEL);
+-
+- if (pgtable_l5_enabled)
+- create_p4d_mapping(early_dtb_p4d, DTB_EARLY_BASE_VA,
+- (uintptr_t)early_dtb_pud, P4D_SIZE, PAGE_TABLE);
+-
+- if (pgtable_l4_enabled)
+- create_pud_mapping(early_dtb_pud, DTB_EARLY_BASE_VA,
+- (uintptr_t)early_dtb_pmd, PUD_SIZE, PAGE_TABLE);
++#ifndef CONFIG_BUILTIN_DTB
++ /* Make sure the fdt fixmap address is always aligned on PMD size */
++ BUILD_BUG_ON(FIX_FDT % (PMD_SIZE / PAGE_SIZE));
+
+- if (IS_ENABLED(CONFIG_64BIT)) {
+- create_pmd_mapping(early_dtb_pmd, DTB_EARLY_BASE_VA,
++ /* In 32-bit only, the fdt lies in its own PGD */
++ if (!IS_ENABLED(CONFIG_64BIT)) {
++ create_pgd_mapping(early_pg_dir, fix_fdt_va,
++ pa, MAX_FDT_SIZE, PAGE_KERNEL);
++ } else {
++ create_pmd_mapping(fixmap_pmd, fix_fdt_va,
+ pa, PMD_SIZE, PAGE_KERNEL);
+- create_pmd_mapping(early_dtb_pmd, DTB_EARLY_BASE_VA + PMD_SIZE,
++ create_pmd_mapping(fixmap_pmd, fix_fdt_va + PMD_SIZE,
+ pa + PMD_SIZE, PMD_SIZE, PAGE_KERNEL);
+ }
+
+- dtb_early_va = (void *)DTB_EARLY_BASE_VA + (dtb_pa & (PMD_SIZE - 1));
++ dtb_early_va = (void *)fix_fdt_va + (dtb_pa & (PMD_SIZE - 1));
+ #else
+ /*
+ * For 64-bit kernel, __va can't be used since it would return a linear
+@@ -1038,7 +1034,8 @@ asmlinkage void __init setup_vm(uintptr_
+ create_kernel_page_table(early_pg_dir, true);
+
+ /* Setup early mapping for FDT early scan */
+- create_fdt_early_page_table(early_pg_dir, dtb_pa);
++ create_fdt_early_page_table(early_pg_dir,
++ __fix_to_virt(FIX_FDT), dtb_pa);
+
+ /*
+ * Bootime fixmap only can handle PMD_SIZE mapping. Thus, boot-ioremap
+@@ -1080,6 +1077,16 @@ static void __init setup_vm_final(void)
+ u64 i;
+
+ /* Setup swapper PGD for fixmap */
++#if !defined(CONFIG_64BIT)
++ /*
++ * In 32-bit, the device tree lies in a pgd entry, so it must be copied
++ * directly in swapper_pg_dir in addition to the pgd entry that points
++ * to fixmap_pte.
++ */
++ unsigned long idx = pgd_index(__fix_to_virt(FIX_FDT));
++
++ set_pgd(&swapper_pg_dir[idx], early_pg_dir[idx]);
++#endif
+ create_pgd_mapping(swapper_pg_dir, FIXADDR_START,
+ __pa_symbol(fixmap_pgd_next),
+ PGDIR_SIZE, PAGE_TABLE);
diff --git a/queue-6.2/riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch b/queue-6.2/riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch
new file mode 100644
index 00000000000..e830e2bad24
--- /dev/null
+++ b/queue-6.2/riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch
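Review bot: MAX_FDT_SIZE is introduced in pgtable.h (riscv move-early-dtb-mapping patch), but none of the visible hunks compares the blob's declared size with it; create_fdt_early_page_table() maps a fixed window (two PMD entries on 64-bit, one PGD entry on 32-bit) whatever the FDT header says. If the size is not bounded elsewhere, a blob whose header declares more than the window would have later readers walk past the mapping, so checking the header's total size against MAX_FDT_SIZE once dtb_early_va is set, and failing early, would be a cheap guard. Two smaller points in the same function: the `pgdir` parameter is unused, since the 32-bit branch writes `early_pg_dir` directly, and `pa` is now declared above `#ifndef CONFIG_BUILTIN_DTB`, which may leave it unused in builtin-DTB builds if the `#else` branch, cut off by the hunk, does not read it.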
@@ -0,0 +1,58 @@
+From 1b50f956c8fe9082bdee4a9cfd798149c52f7043 Mon Sep 17 00:00:00 2001
+From: Alexandre Ghiti
+Date: Wed, 29 Mar 2023 10:19:32 +0200
+Subject: riscv: No need to relocate the dtb as it lies in the fixmap region
+
+From: Alexandre Ghiti
+
+commit 1b50f956c8fe9082bdee4a9cfd798149c52f7043 upstream.
+
+We used to access the dtb via its linear mapping address but now that the
+dtb early mapping was moved in the fixmap region, we can keep using this
+address since it is present in swapper_pg_dir, and remove the dtb
+relocation.
+
+Note that the relocation was wrong anyway since early_memremap() is
+restricted to 256K whereas the maximum fdt size is 2MB.
+
+Signed-off-by: Alexandre Ghiti
+Reviewed-by: Conor Dooley
+Tested-by: Conor Dooley
+Link: https://lore.kernel.org/r/20230329081932.79831-4-alexghiti@rivosinc.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/riscv/mm/init.c | 21 ++-------------------
+ 1 file changed, 2 insertions(+), 19 deletions(-)
+
+--- a/arch/riscv/mm/init.c
++++ b/arch/riscv/mm/init.c
+@@ -242,25 +242,8 @@ static void __init setup_bootmem(void)
+ * early_init_fdt_reserve_self() since __pa() does
+ * not work for DTB pointers that are fixmap addresses
+ */
+- if (!IS_ENABLED(CONFIG_BUILTIN_DTB)) {
+- /*
+- * In case the DTB is not located in a memory region we won't
+- * be able to locate it later on via the linear mapping and
+- * get a segfault when accessing it via __va(dtb_early_pa).
+- * To avoid this situation copy DTB to a memory region.
+- * Note that memblock_phys_alloc will also reserve DTB region.
+- */
+- if (!memblock_is_memory(dtb_early_pa)) {
+- size_t fdt_size = fdt_totalsize(dtb_early_va);
+- phys_addr_t new_dtb_early_pa = memblock_phys_alloc(fdt_size, PAGE_SIZE);
+- void *new_dtb_early_va = early_memremap(new_dtb_early_pa, fdt_size);
+-
+- memcpy(new_dtb_early_va, dtb_early_va, fdt_size);
+- early_memunmap(new_dtb_early_va, fdt_size);
+- _dtb_early_pa = new_dtb_early_pa;
+- } else
+- memblock_reserve(dtb_early_pa, fdt_totalsize(dtb_early_va));
+- }
++ if (!IS_ENABLED(CONFIG_BUILTIN_DTB))
++ memblock_reserve(dtb_early_pa, fdt_totalsize(dtb_early_va));
+
+ dma_contiguous_reserve(dma32_phys_limit);
+ if (IS_ENABLED(CONFIG_64BIT))
diff --git a/queue-6.2/series b/queue-6.2/series
index cd19a4ae336..c70b1a2e5ec 100644
--- a/queue-6.2/series
+++ b/queue-6.2/series
@@ -100,3 +100,12 @@ acpi-resource-add-medion-s17413-to-irq-override-quir.patch
 tracing-add-trace_array_puts-to-write-into-instance.patch
 tracing-have-tracing_snapshot_instance_cond-write-er.patch
 maple_tree-fix-write-memory-barrier-of-nodes-once-de.patch
+ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
+riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch
+riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch
+riscv-move-early-dtb-mapping-into-the-fixmap-region.patch
+riscv-add-icache-flush-for-nommu-sigreturn-trampoline.patch
+hid-intel-ish-hid-fix-kernel-panic-during-warm-reset.patch
+net-sfp-initialize-sfp-i2c_block_size-at-sfp-allocation.patch
+net-phy-nxp-c45-tja11xx-add-remove-callback.patch
+net-phy-nxp-c45-tja11xx-fix-unsigned-long-multiplication-overflow.patch
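Review bot: The three riscv DTB patches are appended to queue-6.2/series in a different order from the upstream numbering in their Link trailers: `riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch` (79831-3) and `riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch` (79831-4) come before `riscv-move-early-dtb-mapping-into-the-fixmap-region.patch` (79831-2), which both of their commit messages treat as already done. The hunk contexts appear to have been refreshed for this order, so the queue applies, but the tree between those steps removes the verification and relocation paths before the fixmap mapping exists, which matters for anyone bisecting or cherry-picking a subset. Listing the move patch first would match upstream.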