From: Greg Kroah-Hartman Date: Sat, 5 Mar 2022 11:26:52 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.9.305~85 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bde255d8af4c90e78e40bd9a6a9f5323628c71bd;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: alsa-intel_hdmi-fix-reference-to-pcm-buffer-address.patch asoc-ops-shift-tested-values-in-snd_soc_put_volsw-by-min.patch drm-i915-s-jsp2-icp2-pch.patch iommu-amd-recover-from-event-log-overflow.patch ntb-intel-fix-port-config-status-offset-for-spr.patch riscv-efi_stub-fix-get_boot_hartid_from_fdt-return-value.patch riscv-fix-config-kasan-debug_virtual.patch riscv-fix-config-kasan-sparsemem-sparse_vmemmap.patch thermal-core-fix-tz_get_trip-null-pointer-dereference.patch xen-netfront-destroy-queues-before-real_num_tx_queues-is-zeroed.patch --- diff --git a/queue-5.10/alsa-intel_hdmi-fix-reference-to-pcm-buffer-address.patch b/queue-5.10/alsa-intel_hdmi-fix-reference-to-pcm-buffer-address.patch new file mode 100644 index 00000000000..29616ec5a3f --- /dev/null +++ b/queue-5.10/alsa-intel_hdmi-fix-reference-to-pcm-buffer-address.patch @@ -0,0 +1,35 @@ +From 0aa6b294b312d9710804679abd2c0c8ca52cc2bc Mon Sep 17 00:00:00 2001 +From: Zhen Ni +Date: Wed, 2 Mar 2022 15:42:41 +0800 +Subject: ALSA: intel_hdmi: Fix reference to PCM buffer address + +From: Zhen Ni + +commit 0aa6b294b312d9710804679abd2c0c8ca52cc2bc upstream. + +PCM buffers might be allocated dynamically when the buffer +preallocation failed or a larger buffer is requested, and it's not +guaranteed that substream->dma_buffer points to the actually used +buffer. The driver needs to refer to substream->runtime->dma_addr +instead for the buffer address. + +Signed-off-by: Zhen Ni +Cc: +Link: https://lore.kernel.org/r/20220302074241.30469-1-nizhen@uniontech.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/x86/intel_hdmi_audio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/x86/intel_hdmi_audio.c ++++ b/sound/x86/intel_hdmi_audio.c +@@ -1276,7 +1276,7 @@ static int had_pcm_mmap(struct snd_pcm_s + { + vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); + return remap_pfn_range(vma, vma->vm_start, +- substream->dma_buffer.addr >> PAGE_SHIFT, ++ substream->runtime->dma_addr >> PAGE_SHIFT, + vma->vm_end - vma->vm_start, vma->vm_page_prot); + } + diff --git a/queue-5.10/asoc-ops-shift-tested-values-in-snd_soc_put_volsw-by-min.patch b/queue-5.10/asoc-ops-shift-tested-values-in-snd_soc_put_volsw-by-min.patch new file mode 100644 index 00000000000..c9231a3200e --- /dev/null +++ b/queue-5.10/asoc-ops-shift-tested-values-in-snd_soc_put_volsw-by-min.patch @@ -0,0 +1,45 @@ +From 9bdd10d57a8807dba0003af0325191f3cec0f11c Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Tue, 15 Feb 2022 14:06:45 +0100 +Subject: ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min + +From: Marek Vasut + +commit 9bdd10d57a8807dba0003af0325191f3cec0f11c upstream. + +While the $val/$val2 values passed in from userspace are always >= 0 +integers, the limits of the control can be signed integers and the $min +can be non-zero and less than zero. To correctly validate $val/$val2 +against platform_max, add the $min offset to val first. + +Fixes: 817f7c9335ec0 ("ASoC: ops: Reject out of bounds values in snd_soc_put_volsw()") +Signed-off-by: Marek Vasut +Cc: Mark Brown +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220215130645.164025-1-marex@denx.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-ops.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -317,7 +317,7 @@ int snd_soc_put_volsw(struct snd_kcontro + mask = BIT(sign_bit + 1) - 1; + + val = ucontrol->value.integer.value[0]; +- if (mc->platform_max && val > mc->platform_max) ++ if (mc->platform_max && ((int)val + min) > mc->platform_max) + return -EINVAL; + if (val > max - min) + return -EINVAL; +@@ -330,7 +330,7 @@ int snd_soc_put_volsw(struct snd_kcontro + val = val << shift; + if (snd_soc_volsw_is_stereo(mc)) { + val2 = ucontrol->value.integer.value[1]; +- if (mc->platform_max && val2 > mc->platform_max) ++ if (mc->platform_max && ((int)val2 + min) > mc->platform_max) + return -EINVAL; + if (val2 > max - min) + return -EINVAL; diff --git a/queue-5.10/drm-i915-s-jsp2-icp2-pch.patch b/queue-5.10/drm-i915-s-jsp2-icp2-pch.patch new file mode 100644 index 00000000000..48aeb968cbc --- /dev/null +++ b/queue-5.10/drm-i915-s-jsp2-icp2-pch.patch @@ -0,0 +1,76 @@ +From 08783aa7693f55619859f4f63f384abf17cb58c5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 24 Feb 2022 15:21:42 +0200 +Subject: drm/i915: s/JSP2/ICP2/ PCH +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 08783aa7693f55619859f4f63f384abf17cb58c5 upstream. + +This JSP2 PCH actually seems to be some special Apple +specific ICP variant rather than a JSP. Make it so. Or at +least all the references to it seem to be some Apple ICL +machines. Didn't manage to find these PCI IDs in any +public chipset docs unfortunately. + +The only thing we're losing here with this JSP->ICP change +is Wa_14011294188, but based on the HSD that isn't actually +needed on any ICP based design (including JSP), only TGP +based stuff (including MCC) really need it. The documented +w/a just never made that distinction because Windows didn't +want to differentiate between JSP and MCC (not sure how +they handle hpd/ddc/etc. then though...). + +Cc: stable@vger.kernel.org +Cc: Matt Roper +Cc: Vivek Kasireddy +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/4226 +Fixes: 943682e3bd19 ("drm/i915: Introduce Jasper Lake PCH") +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220224132142.12927-1-ville.syrjala@linux.intel.com +Acked-by: Vivek Kasireddy +Tested-by: Tomas Bzatek +(cherry picked from commit 53581504a8e216d435f114a4f2596ad0dfd902fc) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/intel_pch.c | 2 +- + drivers/gpu/drm/i915/intel_pch.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_pch.c ++++ b/drivers/gpu/drm/i915/intel_pch.c +@@ -110,6 +110,7 @@ intel_pch_type(const struct drm_i915_pri + /* Comet Lake V PCH is based on KBP, which is SPT compatible */ + return PCH_SPT; + case INTEL_PCH_ICP_DEVICE_ID_TYPE: ++ case INTEL_PCH_ICP2_DEVICE_ID_TYPE: + drm_dbg_kms(&dev_priv->drm, "Found Ice Lake PCH\n"); + drm_WARN_ON(&dev_priv->drm, !IS_ICELAKE(dev_priv)); + return PCH_ICP; +@@ -124,7 +125,6 @@ intel_pch_type(const struct drm_i915_pri + !IS_ROCKETLAKE(dev_priv)); + return PCH_TGP; + case INTEL_PCH_JSP_DEVICE_ID_TYPE: +- case INTEL_PCH_JSP2_DEVICE_ID_TYPE: + drm_dbg_kms(&dev_priv->drm, "Found Jasper Lake PCH\n"); + drm_WARN_ON(&dev_priv->drm, !IS_ELKHARTLAKE(dev_priv)); + return PCH_JSP; +--- a/drivers/gpu/drm/i915/intel_pch.h ++++ b/drivers/gpu/drm/i915/intel_pch.h +@@ -48,11 +48,11 @@ enum intel_pch { + #define INTEL_PCH_CMP2_DEVICE_ID_TYPE 0x0680 + #define INTEL_PCH_CMP_V_DEVICE_ID_TYPE 0xA380 + #define INTEL_PCH_ICP_DEVICE_ID_TYPE 0x3480 ++#define INTEL_PCH_ICP2_DEVICE_ID_TYPE 0x3880 + #define INTEL_PCH_MCC_DEVICE_ID_TYPE 0x4B00 + #define INTEL_PCH_TGP_DEVICE_ID_TYPE 0xA080 + #define INTEL_PCH_TGP2_DEVICE_ID_TYPE 0x4380 + #define INTEL_PCH_JSP_DEVICE_ID_TYPE 0x4D80 +-#define INTEL_PCH_JSP2_DEVICE_ID_TYPE 0x3880 + #define INTEL_PCH_P2X_DEVICE_ID_TYPE 0x7100 + #define INTEL_PCH_P3X_DEVICE_ID_TYPE 0x7000 + #define INTEL_PCH_QEMU_DEVICE_ID_TYPE 0x2900 /* qemu q35 has 2918 */ diff --git a/queue-5.10/iommu-amd-recover-from-event-log-overflow.patch b/queue-5.10/iommu-amd-recover-from-event-log-overflow.patch new file mode 100644 index 00000000000..0b194f4f6a5 --- /dev/null +++ b/queue-5.10/iommu-amd-recover-from-event-log-overflow.patch @@ -0,0 +1,117 @@ +From 5ce97f4ec5e0f8726a5dda1710727b1ee9badcac Mon Sep 17 00:00:00 2001 +From: Lennert Buytenhek +Date: Mon, 4 Oct 2021 13:07:24 +0300 +Subject: iommu/amd: Recover from event log overflow + +From: Lennert Buytenhek + +commit 5ce97f4ec5e0f8726a5dda1710727b1ee9badcac upstream. + +The AMD IOMMU logs I/O page faults and such to a ring buffer in +system memory, and this ring buffer can overflow. The AMD IOMMU +spec has the following to say about the interrupt status bit that +signals this overflow condition: + + EventOverflow: Event log overflow. RW1C. Reset 0b. 1 = IOMMU + event log overflow has occurred. This bit is set when a new + event is to be written to the event log and there is no usable + entry in the event log, causing the new event information to + be discarded. An interrupt is generated when EventOverflow = 1b + and MMIO Offset 0018h[EventIntEn] = 1b. No new event log + entries are written while this bit is set. Software Note: To + resume logging, clear EventOverflow (W1C), and write a 1 to + MMIO Offset 0018h[EventLogEn]. + +The AMD IOMMU driver doesn't currently implement this recovery +sequence, meaning that if a ring buffer overflow occurs, logging +of EVT/PPR/GA events will cease entirely. + +This patch implements the spec-mandated reset sequence, with the +minor tweak that the hardware seems to want to have a 0 written to +MMIO Offset 0018h[EventLogEn] first, before writing an 1 into this +field, or the IOMMU won't actually resume logging events. + +Signed-off-by: Lennert Buytenhek +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/YVrSXEdW2rzEfOvk@wantstofly.org +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/amd/amd_iommu.h | 1 + + drivers/iommu/amd/amd_iommu_types.h | 1 + + drivers/iommu/amd/init.c | 10 ++++++++++ + drivers/iommu/amd/iommu.c | 10 ++++++++-- + 4 files changed, 20 insertions(+), 2 deletions(-) + +--- a/drivers/iommu/amd/amd_iommu.h ++++ b/drivers/iommu/amd/amd_iommu.h +@@ -17,6 +17,7 @@ extern int amd_iommu_init_passthrough(vo + extern irqreturn_t amd_iommu_int_thread(int irq, void *data); + extern irqreturn_t amd_iommu_int_handler(int irq, void *data); + extern void amd_iommu_apply_erratum_63(u16 devid); ++extern void amd_iommu_restart_event_logging(struct amd_iommu *iommu); + extern void amd_iommu_reset_cmd_buffer(struct amd_iommu *iommu); + extern int amd_iommu_init_devices(void); + extern void amd_iommu_uninit_devices(void); +--- a/drivers/iommu/amd/amd_iommu_types.h ++++ b/drivers/iommu/amd/amd_iommu_types.h +@@ -109,6 +109,7 @@ + #define PASID_MASK 0x0000ffff + + /* MMIO status bits */ ++#define MMIO_STATUS_EVT_OVERFLOW_INT_MASK (1 << 0) + #define MMIO_STATUS_EVT_INT_MASK (1 << 1) + #define MMIO_STATUS_COM_WAIT_INT_MASK (1 << 2) + #define MMIO_STATUS_PPR_INT_MASK (1 << 6) +--- a/drivers/iommu/amd/init.c ++++ b/drivers/iommu/amd/init.c +@@ -657,6 +657,16 @@ static int __init alloc_command_buffer(s + } + + /* ++ * This function restarts event logging in case the IOMMU experienced ++ * an event log buffer overflow. ++ */ ++void amd_iommu_restart_event_logging(struct amd_iommu *iommu) ++{ ++ iommu_feature_disable(iommu, CONTROL_EVT_LOG_EN); ++ iommu_feature_enable(iommu, CONTROL_EVT_LOG_EN); ++} ++ ++/* + * This function resets the command buffer if the IOMMU stopped fetching + * commands from it. + */ +--- a/drivers/iommu/amd/iommu.c ++++ b/drivers/iommu/amd/iommu.c +@@ -813,7 +813,8 @@ amd_iommu_set_pci_msi_domain(struct devi + #endif /* !CONFIG_IRQ_REMAP */ + + #define AMD_IOMMU_INT_MASK \ +- (MMIO_STATUS_EVT_INT_MASK | \ ++ (MMIO_STATUS_EVT_OVERFLOW_INT_MASK | \ ++ MMIO_STATUS_EVT_INT_MASK | \ + MMIO_STATUS_PPR_INT_MASK | \ + MMIO_STATUS_GALOG_INT_MASK) + +@@ -823,7 +824,7 @@ irqreturn_t amd_iommu_int_thread(int irq + u32 status = readl(iommu->mmio_base + MMIO_STATUS_OFFSET); + + while (status & AMD_IOMMU_INT_MASK) { +- /* Enable EVT and PPR and GA interrupts again */ ++ /* Enable interrupt sources again */ + writel(AMD_IOMMU_INT_MASK, + iommu->mmio_base + MMIO_STATUS_OFFSET); + +@@ -844,6 +845,11 @@ irqreturn_t amd_iommu_int_thread(int irq + } + #endif + ++ if (status & MMIO_STATUS_EVT_OVERFLOW_INT_MASK) { ++ pr_info_ratelimited("IOMMU event log overflow\n"); ++ amd_iommu_restart_event_logging(iommu); ++ } ++ + /* + * Hardware bug: ERBT1312 + * When re-enabling interrupt (by writing 1 diff --git a/queue-5.10/ntb-intel-fix-port-config-status-offset-for-spr.patch b/queue-5.10/ntb-intel-fix-port-config-status-offset-for-spr.patch new file mode 100644 index 00000000000..f104a5aacfb --- /dev/null +++ b/queue-5.10/ntb-intel-fix-port-config-status-offset-for-spr.patch @@ -0,0 +1,100 @@ +From d5081bf5dcfb1cb83fb538708b0ac07a10a79cc4 Mon Sep 17 00:00:00 2001 +From: Dave Jiang +Date: Thu, 27 Jan 2022 13:31:12 -0700 +Subject: ntb: intel: fix port config status offset for SPR + +From: Dave Jiang + +commit d5081bf5dcfb1cb83fb538708b0ac07a10a79cc4 upstream. + +The field offset for port configuration status on SPR has been changed to +bit 14 from ICX where it resides at bit 12. By chance link status detection +continued to work on SPR. This is due to bit 12 being a configuration bit +which is in sync with the status bit. Fix this by checking for a SPR device +and checking correct status bit. + +Fixes: 26bfe3d0b227 ("ntb: intel: Add Icelake (gen4) support for Intel NTB") +Tested-by: Jerry Dai +Signed-off-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ntb/hw/intel/ntb_hw_gen4.c | 17 ++++++++++++++++- + drivers/ntb/hw/intel/ntb_hw_gen4.h | 16 ++++++++++++++++ + 2 files changed, 32 insertions(+), 1 deletion(-) + +--- a/drivers/ntb/hw/intel/ntb_hw_gen4.c ++++ b/drivers/ntb/hw/intel/ntb_hw_gen4.c +@@ -168,6 +168,18 @@ static enum ntb_topo gen4_ppd_topo(struc + return NTB_TOPO_NONE; + } + ++static enum ntb_topo spr_ppd_topo(struct intel_ntb_dev *ndev, u32 ppd) ++{ ++ switch (ppd & SPR_PPD_TOPO_MASK) { ++ case SPR_PPD_TOPO_B2B_USD: ++ return NTB_TOPO_B2B_USD; ++ case SPR_PPD_TOPO_B2B_DSD: ++ return NTB_TOPO_B2B_DSD; ++ } ++ ++ return NTB_TOPO_NONE; ++} ++ + int gen4_init_dev(struct intel_ntb_dev *ndev) + { + struct pci_dev *pdev = ndev->ntb.pdev; +@@ -181,7 +193,10 @@ int gen4_init_dev(struct intel_ntb_dev * + ndev->hwerr_flags |= NTB_HWERR_BAR_ALIGN; + + ppd1 = ioread32(ndev->self_mmio + GEN4_PPD1_OFFSET); +- ndev->ntb.topo = gen4_ppd_topo(ndev, ppd1); ++ if (pdev_is_ICX(pdev)) ++ ndev->ntb.topo = gen4_ppd_topo(ndev, ppd1); ++ else if (pdev_is_SPR(pdev)) ++ ndev->ntb.topo = spr_ppd_topo(ndev, ppd1); + dev_dbg(&pdev->dev, "ppd %#x topo %s\n", ppd1, + ntb_topo_string(ndev->ntb.topo)); + if (ndev->ntb.topo == NTB_TOPO_NONE) +--- a/drivers/ntb/hw/intel/ntb_hw_gen4.h ++++ b/drivers/ntb/hw/intel/ntb_hw_gen4.h +@@ -46,10 +46,14 @@ + #define GEN4_PPD_CLEAR_TRN 0x0001 + #define GEN4_PPD_LINKTRN 0x0008 + #define GEN4_PPD_CONN_MASK 0x0300 ++#define SPR_PPD_CONN_MASK 0x0700 + #define GEN4_PPD_CONN_B2B 0x0200 + #define GEN4_PPD_DEV_MASK 0x1000 + #define GEN4_PPD_DEV_DSD 0x1000 + #define GEN4_PPD_DEV_USD 0x0000 ++#define SPR_PPD_DEV_MASK 0x4000 ++#define SPR_PPD_DEV_DSD 0x4000 ++#define SPR_PPD_DEV_USD 0x0000 + #define GEN4_LINK_CTRL_LINK_DISABLE 0x0010 + + #define GEN4_SLOTSTS 0xb05a +@@ -59,6 +63,10 @@ + #define GEN4_PPD_TOPO_B2B_USD (GEN4_PPD_CONN_B2B | GEN4_PPD_DEV_USD) + #define GEN4_PPD_TOPO_B2B_DSD (GEN4_PPD_CONN_B2B | GEN4_PPD_DEV_DSD) + ++#define SPR_PPD_TOPO_MASK (SPR_PPD_CONN_MASK | SPR_PPD_DEV_MASK) ++#define SPR_PPD_TOPO_B2B_USD (GEN4_PPD_CONN_B2B | SPR_PPD_DEV_USD) ++#define SPR_PPD_TOPO_B2B_DSD (GEN4_PPD_CONN_B2B | SPR_PPD_DEV_DSD) ++ + #define GEN4_DB_COUNT 32 + #define GEN4_DB_LINK 32 + #define GEN4_DB_LINK_BIT BIT_ULL(GEN4_DB_LINK) +@@ -96,5 +104,13 @@ static inline int pdev_is_ICX(struct pci + return 1; + return 0; + } ++ ++static inline int pdev_is_SPR(struct pci_dev *pdev) ++{ ++ if (pdev_is_gen4(pdev) && ++ pdev->revision > PCI_DEVICE_REVISION_ICX_MAX) ++ return 1; ++ return 0; ++} + + #endif diff --git a/queue-5.10/riscv-efi_stub-fix-get_boot_hartid_from_fdt-return-value.patch b/queue-5.10/riscv-efi_stub-fix-get_boot_hartid_from_fdt-return-value.patch new file mode 100644 index 00000000000..8724d680586 --- /dev/null +++ b/queue-5.10/riscv-efi_stub-fix-get_boot_hartid_from_fdt-return-value.patch @@ -0,0 +1,72 @@ +From dcf0c838854c86e1f41fb1934aea906845d69782 Mon Sep 17 00:00:00 2001 +From: Sunil V L +Date: Fri, 28 Jan 2022 10:20:04 +0530 +Subject: riscv/efi_stub: Fix get_boot_hartid_from_fdt() return value + +From: Sunil V L + +commit dcf0c838854c86e1f41fb1934aea906845d69782 upstream. + +The get_boot_hartid_from_fdt() function currently returns U32_MAX +for failure case which is not correct because U32_MAX is a valid +hartid value. This patch fixes the issue by returning error code. + +Cc: +Fixes: d7071743db31 ("RISC-V: Add EFI stub support.") +Signed-off-by: Sunil V L +Reviewed-by: Heinrich Schuchardt +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/libstub/riscv-stub.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/drivers/firmware/efi/libstub/riscv-stub.c b/drivers/firmware/efi/libstub/riscv-stub.c +index 380e4e251399..9c460843442f 100644 +--- a/drivers/firmware/efi/libstub/riscv-stub.c ++++ b/drivers/firmware/efi/libstub/riscv-stub.c +@@ -25,7 +25,7 @@ typedef void __noreturn (*jump_kernel_func)(unsigned int, unsigned long); + + static u32 hartid; + +-static u32 get_boot_hartid_from_fdt(void) ++static int get_boot_hartid_from_fdt(void) + { + const void *fdt; + int chosen_node, len; +@@ -33,23 +33,26 @@ static u32 get_boot_hartid_from_fdt(void) + + fdt = get_efi_config_table(DEVICE_TREE_GUID); + if (!fdt) +- return U32_MAX; ++ return -EINVAL; + + chosen_node = fdt_path_offset(fdt, "/chosen"); + if (chosen_node < 0) +- return U32_MAX; ++ return -EINVAL; + + prop = fdt_getprop((void *)fdt, chosen_node, "boot-hartid", &len); + if (!prop || len != sizeof(u32)) +- return U32_MAX; ++ return -EINVAL; + +- return fdt32_to_cpu(*prop); ++ hartid = fdt32_to_cpu(*prop); ++ return 0; + } + + efi_status_t check_platform_features(void) + { +- hartid = get_boot_hartid_from_fdt(); +- if (hartid == U32_MAX) { ++ int ret; ++ ++ ret = get_boot_hartid_from_fdt(); ++ if (ret) { + efi_err("/chosen/boot-hartid missing or invalid!\n"); + return EFI_UNSUPPORTED; + } +-- +2.35.1 + diff --git a/queue-5.10/riscv-fix-config-kasan-debug_virtual.patch b/queue-5.10/riscv-fix-config-kasan-debug_virtual.patch new file mode 100644 index 00000000000..fb2dee3116b --- /dev/null +++ b/queue-5.10/riscv-fix-config-kasan-debug_virtual.patch @@ -0,0 +1,36 @@ +From c648c4bb7d02ceb53ee40172fdc4433b37cee9c6 Mon Sep 17 00:00:00 2001 +From: Alexandre Ghiti +Date: Fri, 25 Feb 2022 13:39:51 +0100 +Subject: riscv: Fix config KASAN && DEBUG_VIRTUAL + +From: Alexandre Ghiti + +commit c648c4bb7d02ceb53ee40172fdc4433b37cee9c6 upstream. + +__virt_to_phys function is called very early in the boot process (ie +kasan_early_init) so it should not be instrumented by KASAN otherwise it +bugs. + +Fix this by declaring phys_addr.c as non-kasan instrumentable. + +Signed-off-by: Alexandre Ghiti +Fixes: 8ad8b72721d0 (riscv: Add KASAN support) +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/mm/Makefile | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/riscv/mm/Makefile ++++ b/arch/riscv/mm/Makefile +@@ -24,6 +24,9 @@ obj-$(CONFIG_KASAN) += kasan_init.o + ifdef CONFIG_KASAN + KASAN_SANITIZE_kasan_init.o := n + KASAN_SANITIZE_init.o := n ++ifdef CONFIG_DEBUG_VIRTUAL ++KASAN_SANITIZE_physaddr.o := n ++endif + endif + + obj-$(CONFIG_DEBUG_VIRTUAL) += physaddr.o diff --git a/queue-5.10/riscv-fix-config-kasan-sparsemem-sparse_vmemmap.patch b/queue-5.10/riscv-fix-config-kasan-sparsemem-sparse_vmemmap.patch new file mode 100644 index 00000000000..5b585e1a9cd --- /dev/null +++ b/queue-5.10/riscv-fix-config-kasan-sparsemem-sparse_vmemmap.patch @@ -0,0 +1,39 @@ +From a3d328037846d013bb4c7f3777241e190e4c75e1 Mon Sep 17 00:00:00 2001 +From: Alexandre Ghiti +Date: Fri, 25 Feb 2022 13:39:49 +0100 +Subject: riscv: Fix config KASAN && SPARSEMEM && !SPARSE_VMEMMAP + +From: Alexandre Ghiti + +commit a3d328037846d013bb4c7f3777241e190e4c75e1 upstream. + +In order to get the pfn of a struct page* when sparsemem is enabled +without vmemmap, the mem_section structures need to be initialized which +happens in sparse_init. + +But kasan_early_init calls pfn_to_page way before sparse_init is called, +which then tries to dereference a null mem_section pointer. + +Fix this by removing the usage of this function in kasan_early_init. + +Fixes: 8ad8b72721d0 ("riscv: Add KASAN support") +Signed-off-by: Alexandre Ghiti +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/mm/kasan_init.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/riscv/mm/kasan_init.c ++++ b/arch/riscv/mm/kasan_init.c +@@ -21,8 +21,7 @@ asmlinkage void __init kasan_early_init( + + for (i = 0; i < PTRS_PER_PTE; ++i) + set_pte(kasan_early_shadow_pte + i, +- mk_pte(virt_to_page(kasan_early_shadow_page), +- PAGE_KERNEL)); ++ pfn_pte(virt_to_pfn(kasan_early_shadow_page), PAGE_KERNEL)); + + for (i = 0; i < PTRS_PER_PMD; ++i) + set_pmd(kasan_early_shadow_pmd + i, diff --git a/queue-5.10/series b/queue-5.10/series index 261d4350a85..6d5a1ad787a 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -22,3 +22,13 @@ serial-stm32-prevent-tdr-register-overwrite-when-sen.patch ata-pata_hpt37x-fix-pci-clock-detection.patch drm-amdgpu-check-vm-ready-by-amdgpu_vm-evicting-flag.patch tracing-add-ustring-operation-to-filtering-string-po.patch +alsa-intel_hdmi-fix-reference-to-pcm-buffer-address.patch +riscv-efi_stub-fix-get_boot_hartid_from_fdt-return-value.patch +riscv-fix-config-kasan-sparsemem-sparse_vmemmap.patch +riscv-fix-config-kasan-debug_virtual.patch +asoc-ops-shift-tested-values-in-snd_soc_put_volsw-by-min.patch +iommu-amd-recover-from-event-log-overflow.patch +drm-i915-s-jsp2-icp2-pch.patch +xen-netfront-destroy-queues-before-real_num_tx_queues-is-zeroed.patch +thermal-core-fix-tz_get_trip-null-pointer-dereference.patch +ntb-intel-fix-port-config-status-offset-for-spr.patch diff --git a/queue-5.10/thermal-core-fix-tz_get_trip-null-pointer-dereference.patch b/queue-5.10/thermal-core-fix-tz_get_trip-null-pointer-dereference.patch new file mode 100644 index 00000000000..7d52442064a --- /dev/null +++ b/queue-5.10/thermal-core-fix-tz_get_trip-null-pointer-dereference.patch @@ -0,0 +1,38 @@ +From 5838a14832d447990827d85e90afe17e6fb9c175 Mon Sep 17 00:00:00 2001 +From: Nicolas Cavallari +Date: Mon, 28 Feb 2022 12:03:51 +0100 +Subject: thermal: core: Fix TZ_GET_TRIP NULL pointer dereference + +From: Nicolas Cavallari + +commit 5838a14832d447990827d85e90afe17e6fb9c175 upstream. + +Do not call get_trip_hyst() from thermal_genl_cmd_tz_get_trip() if +the thermal zone does not define one. + +Fixes: 1ce50e7d408e ("thermal: core: genetlink support for events/cmd/sampling") +Signed-off-by: Nicolas Cavallari +Cc: 5.10+ # 5.10+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/thermal_netlink.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/thermal/thermal_netlink.c ++++ b/drivers/thermal/thermal_netlink.c +@@ -418,11 +418,12 @@ static int thermal_genl_cmd_tz_get_trip( + for (i = 0; i < tz->trips; i++) { + + enum thermal_trip_type type; +- int temp, hyst; ++ int temp, hyst = 0; + + tz->ops->get_trip_type(tz, i, &type); + tz->ops->get_trip_temp(tz, i, &temp); +- tz->ops->get_trip_hyst(tz, i, &hyst); ++ if (tz->ops->get_trip_hyst) ++ tz->ops->get_trip_hyst(tz, i, &hyst); + + if (nla_put_u32(msg, THERMAL_GENL_ATTR_TZ_TRIP_ID, i) || + nla_put_u32(msg, THERMAL_GENL_ATTR_TZ_TRIP_TYPE, type) || diff --git a/queue-5.10/xen-netfront-destroy-queues-before-real_num_tx_queues-is-zeroed.patch b/queue-5.10/xen-netfront-destroy-queues-before-real_num_tx_queues-is-zeroed.patch new file mode 100644 index 00000000000..82e225b3d1c --- /dev/null +++ b/queue-5.10/xen-netfront-destroy-queues-before-real_num_tx_queues-is-zeroed.patch @@ -0,0 +1,138 @@ +From dcf4ff7a48e7598e6b10126cc02177abb8ae4f3f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= + +Date: Wed, 23 Feb 2022 22:19:54 +0100 +Subject: xen/netfront: destroy queues before real_num_tx_queues is zeroed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Marczykowski-Górecki + +commit dcf4ff7a48e7598e6b10126cc02177abb8ae4f3f upstream. + +xennet_destroy_queues() relies on info->netdev->real_num_tx_queues to +delete queues. Since d7dac083414eb5bb99a6d2ed53dc2c1b405224e5 +("net-sysfs: update the queue counts in the unregistration path"), +unregister_netdev() indirectly sets real_num_tx_queues to 0. Those two +facts together means, that xennet_destroy_queues() called from +xennet_remove() cannot do its job, because it's called after +unregister_netdev(). This results in kfree-ing queues that are still +linked in napi, which ultimately crashes: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] PREEMPT SMP PTI + CPU: 1 PID: 52 Comm: xenwatch Tainted: G W 5.16.10-1.32.fc32.qubes.x86_64+ #226 + RIP: 0010:free_netdev+0xa3/0x1a0 + Code: ff 48 89 df e8 2e e9 00 00 48 8b 43 50 48 8b 08 48 8d b8 a0 fe ff ff 48 8d a9 a0 fe ff ff 49 39 c4 75 26 eb 47 e8 ed c1 66 ff <48> 8b 85 60 01 00 00 48 8d 95 60 01 00 00 48 89 ef 48 2d 60 01 00 + RSP: 0000:ffffc90000bcfd00 EFLAGS: 00010286 + RAX: 0000000000000000 RBX: ffff88800edad000 RCX: 0000000000000000 + RDX: 0000000000000001 RSI: ffffc90000bcfc30 RDI: 00000000ffffffff + RBP: fffffffffffffea0 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800edad050 + R13: ffff8880065f8f88 R14: 0000000000000000 R15: ffff8880066c6680 + FS: 0000000000000000(0000) GS:ffff8880f3300000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 00000000e998c006 CR4: 00000000003706e0 + Call Trace: + + xennet_remove+0x13d/0x300 [xen_netfront] + xenbus_dev_remove+0x6d/0xf0 + __device_release_driver+0x17a/0x240 + device_release_driver+0x24/0x30 + bus_remove_device+0xd8/0x140 + device_del+0x18b/0x410 + ? _raw_spin_unlock+0x16/0x30 + ? klist_iter_exit+0x14/0x20 + ? xenbus_dev_request_and_reply+0x80/0x80 + device_unregister+0x13/0x60 + xenbus_dev_changed+0x18e/0x1f0 + xenwatch_thread+0xc0/0x1a0 + ? do_wait_intr_irq+0xa0/0xa0 + kthread+0x16b/0x190 + ? set_kthread_struct+0x40/0x40 + ret_from_fork+0x22/0x30 + + +Fix this by calling xennet_destroy_queues() from xennet_uninit(), +when real_num_tx_queues is still available. This ensures that queues are +destroyed when real_num_tx_queues is set to 0, regardless of how +unregister_netdev() was called. + +Originally reported at +https://github.com/QubesOS/qubes-issues/issues/7257 + +Fixes: d7dac083414eb5bb9 ("net-sysfs: update the queue counts in the unregistration path") +Cc: stable@vger.kernel.org +Signed-off-by: Marek Marczykowski-Górecki +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netfront.c | 39 +++++++++++++++++++++++---------------- + 1 file changed, 23 insertions(+), 16 deletions(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -844,6 +844,28 @@ static int xennet_close(struct net_devic + return 0; + } + ++static void xennet_destroy_queues(struct netfront_info *info) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < info->netdev->real_num_tx_queues; i++) { ++ struct netfront_queue *queue = &info->queues[i]; ++ ++ if (netif_running(info->netdev)) ++ napi_disable(&queue->napi); ++ netif_napi_del(&queue->napi); ++ } ++ ++ kfree(info->queues); ++ info->queues = NULL; ++} ++ ++static void xennet_uninit(struct net_device *dev) ++{ ++ struct netfront_info *np = netdev_priv(dev); ++ xennet_destroy_queues(np); ++} ++ + static void xennet_set_rx_rsp_cons(struct netfront_queue *queue, RING_IDX val) + { + unsigned long flags; +@@ -1613,6 +1635,7 @@ static int xennet_xdp(struct net_device + } + + static const struct net_device_ops xennet_netdev_ops = { ++ .ndo_uninit = xennet_uninit, + .ndo_open = xennet_open, + .ndo_stop = xennet_close, + .ndo_start_xmit = xennet_start_xmit, +@@ -2105,22 +2128,6 @@ error: + return err; + } + +-static void xennet_destroy_queues(struct netfront_info *info) +-{ +- unsigned int i; +- +- for (i = 0; i < info->netdev->real_num_tx_queues; i++) { +- struct netfront_queue *queue = &info->queues[i]; +- +- if (netif_running(info->netdev)) +- napi_disable(&queue->napi); +- netif_napi_del(&queue->napi); +- } +- +- kfree(info->queues); +- info->queues = NULL; +-} +- + + + static int xennet_create_page_pool(struct netfront_queue *queue)