From: Greg Kroah-Hartman Date: Mon, 26 Feb 2024 13:11:31 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.19.308~54 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c1dbfbacee986f3886888d95da24901f6b3558d9;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm-ep93xx-add-terminator-to-gpiod_lookup_table.patch l2tp-pass-correct-message-length-to-ip6_append_data.patch pci-msi-prevent-msi-hardware-interrupt-number-truncation.patch revert-x86-alternative-make-custom-return-thunk-unconditional.patch revert-x86-ftrace-use-alternative-ret-encoding.patch usb-cdns3-fix-memory-double-free-when-handle-zero-packet.patch usb-cdns3-fixed-memory-use-after-free-at-cdns3_gadget_ep_disable.patch usb-gadget-ncm-avoid-dropping-datagrams-of-properly-parsed-ntbs.patch usb-roles-don-t-get-set_role-when-usb_role_switch-is-unregistered.patch usb-roles-fix-null-pointer-issue-when-put-module-s-reference.patch x86-alternative-make-custom-return-thunk-unconditional.patch x86-ftrace-use-alternative-ret-encoding.patch x86-ibt-paravirt-use-text_gen_insn-for-paravirt_patch.patch x86-returnthunk-allow-different-return-thunks.patch x86-text-patching-make-text_gen_insn-play-nice-with-annotate_noendbr.patch --- diff --git a/queue-5.10/arm-ep93xx-add-terminator-to-gpiod_lookup_table.patch b/queue-5.10/arm-ep93xx-add-terminator-to-gpiod_lookup_table.patch new file mode 100644 index 00000000000..98e5ebe04c0 --- /dev/null +++ b/queue-5.10/arm-ep93xx-add-terminator-to-gpiod_lookup_table.patch 
@@ -0,0 +1,37 @@ +From fdf87a0dc26d0550c60edc911cda42f9afec3557 Mon Sep 17 00:00:00 2001 +From: Nikita Shubin +Date: Mon, 5 Feb 2024 11:23:34 +0100 +Subject: ARM: ep93xx: Add terminator to gpiod_lookup_table + +From: Nikita Shubin + +commit fdf87a0dc26d0550c60edc911cda42f9afec3557 upstream. + +Without the terminator, if a con_id is passed to gpio_find() that +does not exist in the lookup table the function will not stop looping +correctly, and eventually cause an oops. + +Cc: stable@vger.kernel.org +Fixes: b2e63555592f ("i2c: gpio: Convert to use descriptors") +Reported-by: Andy Shevchenko +Signed-off-by: Nikita Shubin +Reviewed-by: Linus Walleij +Acked-by: Alexander Sverdlin +Signed-off-by: Alexander Sverdlin +Link: https://lore.kernel.org/r/20240205102337.439002-1-alexander.sverdlin@gmail.com +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-ep93xx/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/mach-ep93xx/core.c ++++ b/arch/arm/mach-ep93xx/core.c +@@ -337,6 +337,7 @@ static struct gpiod_lookup_table ep93xx_ + GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN), + GPIO_LOOKUP_IDX("G", 0, NULL, 1, + GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN), ++ { } + }, + }; + diff --git a/queue-5.10/l2tp-pass-correct-message-length-to-ip6_append_data.patch b/queue-5.10/l2tp-pass-correct-message-length-to-ip6_append_data.patch new file mode 100644 index 00000000000..c4b10d7c969 --- /dev/null +++ b/queue-5.10/l2tp-pass-correct-message-length-to-ip6_append_data.patch 
@@ -0,0 +1,50 @@ +From 359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79 Mon Sep 17 00:00:00 2001 +From: Tom Parkin +Date: Tue, 20 Feb 2024 12:21:56 +0000 +Subject: l2tp: pass correct message length to ip6_append_data + +From: Tom Parkin + +commit 359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79 upstream. + +l2tp_ip6_sendmsg needs to avoid accounting for the transport header +twice when splicing more data into an already partially-occupied skbuff. + +To manage this, we check whether the skbuff contains data using +skb_queue_empty when deciding how much data to append using +ip6_append_data. + +However, the code which performed the calculation was incorrect: + + ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0; + +...due to C operator precedence, this ends up setting ulen to +transhdrlen for messages with a non-zero length, which results in +corrupted packets on the wire. + +Add parentheses to correct the calculation in line with the original +intent. + +Fixes: 9d4c75800f61 ("ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()") +Cc: David Howells +Cc: stable@vger.kernel.org +Signed-off-by: Tom Parkin +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240220122156.43131-1-tparkin@katalix.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_ip6.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/l2tp/l2tp_ip6.c ++++ b/net/l2tp/l2tp_ip6.c +@@ -628,7 +628,7 @@ static int l2tp_ip6_sendmsg(struct sock + + back_from_confirm: + lock_sock(sk); +- ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0; ++ ulen = len + (skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0); + err = ip6_append_data(sk, ip_generic_getfrag, msg, + ulen, transhdrlen, &ipc6, + &fl6, (struct rt6_info *)dst, 
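Review bot: The corrected line still folds a conditional into arithmetic on one line, which is precisely how the precedence slip went unnoticed; spelling the intent out as `ulen = len; if (skb_queue_empty(&sk->sk_write_queue)) ulen += transhdrlen;` makes it much harder to regress. The Fixes: commit touched both the IPv4 and IPv6 append paths, so it is worth confirming that the IPv4 counterpart in l2tp_ip.c does not carry the same unparenthesized form — that file is not part of this patch. l2tp_ip6_sendmsg() begins and ends outside the hunk.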
diff --git a/queue-5.10/pci-msi-prevent-msi-hardware-interrupt-number-truncation.patch b/queue-5.10/pci-msi-prevent-msi-hardware-interrupt-number-truncation.patch new file mode 100644 index 00000000000..57d088c8d8a --- /dev/null +++ b/queue-5.10/pci-msi-prevent-msi-hardware-interrupt-number-truncation.patch 
@@ -0,0 +1,46 @@ +From db744ddd59be798c2627efbfc71f707f5a935a40 Mon Sep 17 00:00:00 2001 +From: Vidya Sagar +Date: Mon, 15 Jan 2024 19:26:49 +0530 +Subject: PCI/MSI: Prevent MSI hardware interrupt number truncation + +From: Vidya Sagar + +commit db744ddd59be798c2627efbfc71f707f5a935a40 upstream. + +While calculating the hardware interrupt number for a MSI interrupt, the +higher bits (i.e. from bit-5 onwards a.k.a domain_nr >= 32) of the PCI +domain number gets truncated because of the shifted value casting to return +type of pci_domain_nr() which is 'int'. This for example is resulting in +same hardware interrupt number for devices 0019:00:00.0 and 0039:00:00.0. + +To address this cast the PCI domain number to 'irq_hw_number_t' before left +shifting it to calculate the hardware interrupt number. + +Please note that this fixes the issue only on 64-bit systems and doesn't +change the behavior for 32-bit systems i.e. the 32-bit systems continue to +have the issue. Since the issue surfaces only if there are too many PCIe +controllers in the system which usually is the case in modern server +systems and they don't tend to run 32-bit kernels. + +Fixes: 3878eaefb89a ("PCI/MSI: Enhance core to support hierarchy irqdomain") +Signed-off-by: Vidya Sagar +Signed-off-by: Thomas Gleixner +Tested-by: Shanker Donthineni +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240115135649.708536-1-vidyas@nvidia.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/msi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/msi.c ++++ b/drivers/pci/msi.c +@@ -1409,7 +1409,7 @@ static irq_hw_number_t pci_msi_domain_ca + + return (irq_hw_number_t)desc->msi_attrib.entry_nr | + pci_dev_id(dev) << 11 | +- (pci_domain_nr(dev->bus) & 0xFFFFFFFF) << 27; ++ ((irq_hw_number_t)(pci_domain_nr(dev->bus) & 0xFFFFFFFF)) << 27; + } + + static inline bool pci_msi_desc_is_multi_msi(struct msi_desc *desc) 
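Review bot: The widening cast only fixes 64-bit builds, as the description admits, but the expression carries no hint of it; on a 32-bit kernel irq_hw_number_t is 32 bits wide and domain bits 5 and up are still shifted out by `<< 27`, so a maintainer hitting the same collision there will not learn it from the code. Suggest a comment above the return: `/* domain_nr only fits on 64-bit; on 32-bit, domain bits >= 5 are still lost */`. The `& 0xFFFFFFFF` mask looks redundant next to the cast but is not: it turns a negative value, should pci_domain_nr() ever return one, into an unsigned 32-bit quantity before the widening cast, so no sign extension lands in the upper hwirq bits — worth a word in the same comment. The enclosing function (pci_msi_domain_calc_hwirq, per the hunk header) begins outside the hunk.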
diff --git a/queue-5.10/revert-x86-alternative-make-custom-return-thunk-unconditional.patch b/queue-5.10/revert-x86-alternative-make-custom-return-thunk-unconditional.patch new file mode 100644 index 00000000000..aff2b664e24 --- /dev/null +++ b/queue-5.10/revert-x86-alternative-make-custom-return-thunk-unconditional.patch @@ -0,0 +1,55 @@ +From 6ef279dc0bda804d63602a930905be00dbce614a Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Thu, 22 Feb 2024 15:50:48 +0100 +Subject: Revert "x86/alternative: Make custom return thunk unconditional" + +From: "Borislav Petkov (AMD)" + +This reverts commit 08f7cfd44f77b2796582bc26164fdef44dd33b6c. + +Revert the backport of upstream commit: + + 095b8303f383 ("x86/alternative: Make custom return thunk unconditional") + +in order to backport the full version now that + + 770ae1b70952 ("x86/returnthunk: Allow different return thunks") + +has been backported. + +Revert it here so that the build breakage is kept at minimum. + +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/nospec-branch.h | 4 ---- + arch/x86/kernel/cpu/bugs.c | 4 ---- + 2 files changed, 8 deletions(-) + +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -190,11 +190,7 @@ + _ASM_PTR " 999b\n\t" \ + ".popsection\n\t" + +-#ifdef CONFIG_RETHUNK + extern void __x86_return_thunk(void); +-#else +-static inline void __x86_return_thunk(void) {} +-#endif + + extern void retbleed_return_thunk(void); + extern void srso_return_thunk(void); +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -61,10 +61,6 @@ EXPORT_SYMBOL_GPL(x86_pred_cmd); + + static DEFINE_MUTEX(spec_ctrl_mutex); + +-#ifdef CONFIG_CALL_THUNKS +-void (*x86_return_thunk)(void) __ro_after_init = &__x86_return_thunk; +-#endif +- + /* Update SPEC_CTRL MSR and its cached copy unconditionally */ + static void update_spec_ctrl(u64 val) + { 
diff --git a/queue-5.10/revert-x86-ftrace-use-alternative-ret-encoding.patch b/queue-5.10/revert-x86-ftrace-use-alternative-ret-encoding.patch new file mode 100644 index 00000000000..8fa1be5b1e9 --- /dev/null +++ b/queue-5.10/revert-x86-ftrace-use-alternative-ret-encoding.patch @@ -0,0 +1,47 @@ +From 7a90451f941d5f9e8da667630eb0b6ab76320257 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Thu, 22 Feb 2024 13:46:09 +0100 +Subject: Revert "x86/ftrace: Use alternative RET encoding" + +From: "Borislav Petkov (AMD)" + +This reverts commit 3eb602ad6a94a76941f93173131a71ad36fa1324. + +Revert the backport of upstream commit + + 1f001e9da6bb ("x86/ftrace: Use alternative RET encoding") + +in favor of a proper backport after backporting the commit which adds +__text_gen_insn(). + +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/ftrace.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +--- a/arch/x86/kernel/ftrace.c ++++ b/arch/x86/kernel/ftrace.c +@@ -311,7 +311,7 @@ union ftrace_op_code_union { + } __attribute__((packed)); + }; + +-#define RET_SIZE (IS_ENABLED(CONFIG_RETPOLINE) ? 5 : 1 + IS_ENABLED(CONFIG_SLS)) ++#define RET_SIZE 1 + IS_ENABLED(CONFIG_SLS) + + static unsigned long + create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size) +@@ -367,12 +367,7 @@ create_trampoline(struct ftrace_ops *ops + goto fail; + + ip = trampoline + size; +- +- /* The trampoline ends with ret(q) */ +- if (cpu_feature_enabled(X86_FEATURE_RETHUNK)) +- memcpy(ip, text_gen_insn(JMP32_INSN_OPCODE, ip, &__x86_return_thunk), JMP32_INSN_SIZE); +- else +- memcpy(ip, retq, sizeof(retq)); ++ memcpy(ip, retq, RET_SIZE); + + /* No need to test direct calls on created trampolines */ + if (ops->flags & FTRACE_OPS_FL_SAVE_REGS) { diff --git a/queue-5.10/series b/queue-5.10/series index bfb5f1f0ff9..04931a6c072 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -77,3 +77,18 @@ dm-crypt-don-t-modify-the-data-when-using-authenticated-encryption.patch kvm-arm64-vgic-its-test-for-valid-irq-in-movall-handler.patch kvm-arm64-vgic-its-test-for-valid-irq-in-its_sync_lpi_pending_table.patch gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_genl_dump_pdp.patch +pci-msi-prevent-msi-hardware-interrupt-number-truncation.patch +l2tp-pass-correct-message-length-to-ip6_append_data.patch +arm-ep93xx-add-terminator-to-gpiod_lookup_table.patch +revert-x86-ftrace-use-alternative-ret-encoding.patch +x86-text-patching-make-text_gen_insn-play-nice-with-annotate_noendbr.patch +x86-ibt-paravirt-use-text_gen_insn-for-paravirt_patch.patch +x86-ftrace-use-alternative-ret-encoding.patch +x86-returnthunk-allow-different-return-thunks.patch +revert-x86-alternative-make-custom-return-thunk-unconditional.patch +x86-alternative-make-custom-return-thunk-unconditional.patch +usb-cdns3-fixed-memory-use-after-free-at-cdns3_gadget_ep_disable.patch +usb-cdns3-fix-memory-double-free-when-handle-zero-packet.patch +usb-gadget-ncm-avoid-dropping-datagrams-of-properly-parsed-ntbs.patch +usb-roles-fix-null-pointer-issue-when-put-module-s-reference.patch +usb-roles-don-t-get-set_role-when-usb_role_switch-is-unregistered.patch diff --git a/queue-5.10/usb-cdns3-fix-memory-double-free-when-handle-zero-packet.patch b/queue-5.10/usb-cdns3-fix-memory-double-free-when-handle-zero-packet.patch new file mode 100644 index 00000000000..ec01a70c31a --- /dev/null +++ b/queue-5.10/usb-cdns3-fix-memory-double-free-when-handle-zero-packet.patch 
@@ -0,0 +1,62 @@ +From 5fd9e45f1ebcd57181358af28506e8a661a260b3 Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Fri, 2 Feb 2024 10:42:17 -0500 +Subject: usb: cdns3: fix memory double free when handle zero packet + +From: Frank Li + +commit 5fd9e45f1ebcd57181358af28506e8a661a260b3 upstream. + +829 if (request->complete) { +830 spin_unlock(&priv_dev->lock); +831 usb_gadget_giveback_request(&priv_ep->endpoint, +832 request); +833 spin_lock(&priv_dev->lock); +834 } +835 +836 if (request->buf == priv_dev->zlp_buf) +837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request); + +Driver append an additional zero packet request when queue a packet, which +length mod max packet size is 0. When transfer complete, run to line 831, +usb_gadget_giveback_request() will free this requestion. 836 condition is +true, so cdns3_gadget_ep_free_request() free this request again. + +Log: + +[ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] +[ 1920.140696][ T150] +[ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): +[ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] +[ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3] + +Add check at line 829, skip call usb_gadget_giveback_request() if it is +additional zero length packet request. Needn't call +usb_gadget_giveback_request() because it is allocated in this driver. 
+ +Cc: stable@vger.kernel.org +Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver") +Signed-off-by: Frank Li +Reviewed-by: Roger Quadros +Acked-by: Peter Chen +Link: https://lore.kernel.org/r/20240202154217.661867-2-Frank.Li@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/gadget.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/cdns3/gadget.c ++++ b/drivers/usb/cdns3/gadget.c +@@ -837,7 +837,11 @@ void cdns3_gadget_giveback(struct cdns3_ + return; + } + +- if (request->complete) { ++ /* ++ * zlp request is appended by driver, needn't call usb_gadget_giveback_request() to notify ++ * gadget composite driver. ++ */ ++ if (request->complete && request->buf != priv_dev->zlp_buf) { + spin_unlock(&priv_dev->lock); + usb_gadget_giveback_request(&priv_ep->endpoint, + request); diff --git a/queue-5.10/usb-cdns3-fixed-memory-use-after-free-at-cdns3_gadget_ep_disable.patch b/queue-5.10/usb-cdns3-fixed-memory-use-after-free-at-cdns3_gadget_ep_disable.patch new file mode 100644 index 00000000000..22598531515 --- /dev/null +++ b/queue-5.10/usb-cdns3-fixed-memory-use-after-free-at-cdns3_gadget_ep_disable.patch 
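Review bot: The added comment line runs past the kernel's 80-column limit and reads as a note-to-self; rewrap it and say what happens to the request instead, e.g. `/* The zlp request is allocated by this driver (buf == zlp_buf); do not hand it to the gadget driver, it is freed below. */` over three lines. The free it refers to — the `request->buf == priv_dev->zlp_buf` branch quoted in the description — sits just after this hunk, so the two checks only stay consistent as long as both keep comparing against priv_dev->zlp_buf, which a reader of the hunk alone cannot see. cdns3_gadget_giveback() begins and ends outside the hunk.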
@@ -0,0 +1,56 @@ +From cd45f99034b0c8c9cb346dd0d6407a95ca3d36f6 Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Fri, 2 Feb 2024 10:42:16 -0500 +Subject: usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable() + +From: Frank Li + +commit cd45f99034b0c8c9cb346dd0d6407a95ca3d36f6 upstream. + + ... + cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request); + list_del_init(&priv_req->list); + ... + +'priv_req' actually free at cdns3_gadget_ep_free_request(). But +list_del_init() use priv_req->list after it. + +[ 1542.642868][ T534] BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xd4 +[ 1542.642868][ T534] +[ 1542.653162][ T534] Use-after-free read at 0x000000009ed0ba99 (in kfence-#3): +[ 1542.660311][ T534] __list_del_entry_valid+0x10/0xd4 +[ 1542.665375][ T534] cdns3_gadget_ep_disable+0x1f8/0x388 [cdns3] +[ 1542.671571][ T534] usb_ep_disable+0x44/0xe4 +[ 1542.675948][ T534] ffs_func_eps_disable+0x64/0xc8 +[ 1542.680839][ T534] ffs_func_set_alt+0x74/0x368 +[ 1542.685478][ T534] ffs_func_disable+0x18/0x28 + +Move list_del_init() before cdns3_gadget_ep_free_request() to resolve this +problem. + +Cc: stable@vger.kernel.org +Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver") +Signed-off-by: Frank Li +Reviewed-by: Roger Quadros +Acked-by: Peter Chen +Link: https://lore.kernel.org/r/20240202154217.661867-1-Frank.Li@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/gadget.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/cdns3/gadget.c ++++ b/drivers/usb/cdns3/gadget.c +@@ -2538,11 +2538,11 @@ static int cdns3_gadget_ep_disable(struc + + while (!list_empty(&priv_ep->wa2_descmiss_req_list)) { + priv_req = cdns3_next_priv_request(&priv_ep->wa2_descmiss_req_list); ++ list_del_init(&priv_req->list); + + kfree(priv_req->request.buf); + cdns3_gadget_ep_free_request(&priv_ep->endpoint, + &priv_req->request); +- list_del_init(&priv_req->list); + --priv_ep->wa2_counter; + } + 
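Review bot: The fix depends entirely on statement order and nothing in the code marks it, so a later tidy-up that puts `list_del_init()` back beside the free would quietly reintroduce the use-after-free the KFENCE report shows. A one-line comment above the moved call, `/* Unlink first: cdns3_gadget_ep_free_request() frees priv_req itself */`, records the constraint. cdns3_gadget_ep_disable() begins and ends outside the hunk.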
diff --git a/queue-5.10/usb-gadget-ncm-avoid-dropping-datagrams-of-properly-parsed-ntbs.patch b/queue-5.10/usb-gadget-ncm-avoid-dropping-datagrams-of-properly-parsed-ntbs.patch new file mode 100644 index 00000000000..2ec00131331 --- /dev/null +++ b/queue-5.10/usb-gadget-ncm-avoid-dropping-datagrams-of-properly-parsed-ntbs.patch 
@@ -0,0 +1,88 @@ +From 76c51146820c5dac629f21deafab0a7039bc3ccd Mon Sep 17 00:00:00 2001 +From: Krishna Kurapati +Date: Mon, 5 Feb 2024 13:16:50 +0530 +Subject: usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krishna Kurapati + +commit 76c51146820c5dac629f21deafab0a7039bc3ccd upstream. + +It is observed sometimes when tethering is used over NCM with Windows 11 +as host, at some instances, the gadget_giveback has one byte appended at +the end of a proper NTB. When the NTB is parsed, unwrap call looks for +any leftover bytes in SKB provided by u_ether and if there are any pending +bytes, it treats them as a separate NTB and parses it. But in case the +second NTB (as per unwrap call) is faulty/corrupt, all the datagrams that +were parsed properly in the first NTB and saved in rx_list are dropped. + +Adding a few custom traces showed the following: +[002] d..1 7828.532866: dwc3_gadget_giveback: ep1out: +req 000000003868811a length 1025/16384 zsI ==> 0 +[002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb toprocess: 1025 +[002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342 +[002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb seq: 0xce67 +[002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x400 +[002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb ndp_len: 0x10 +[002] d..1 7828.532869: ncm_unwrap_ntb: K: Parsed NTB with 1 frames + +In this case, the giveback is of 1025 bytes and block length is 1024. +The rest 1 byte (which is 0x00) won't be parsed resulting in drop of +all datagrams in rx_list. 
+ +Same is case with packets of size 2048: +[002] d..1 7828.557948: dwc3_gadget_giveback: ep1out: +req 0000000011dfd96e length 2049/16384 zsI ==> 0 +[002] d..1 7828.557949: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342 +[002] d..1 7828.557950: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x800 + +Lecroy shows one byte coming in extra confirming that the byte is coming +in from PC: + + Transfer 2959 - Bytes Transferred(1025) Timestamp((18.524 843 590) + - Transaction 8391 - Data(1025 bytes) Timestamp(18.524 843 590) + --- Packet 4063861 + Data(1024 bytes) + Duration(2.117us) Idle(14.700ns) Timestamp(18.524 843 590) + --- Packet 4063863 + Data(1 byte) + Duration(66.160ns) Time(282.000ns) Timestamp(18.524 845 722) + +According to Windows driver, no ZLP is needed if wBlockLength is non-zero, +because the non-zero wBlockLength has already told the function side the +size of transfer to be expected. However, there are in-market NCM devices +that rely on ZLP as long as the wBlockLength is multiple of wMaxPacketSize. +To deal with such devices, it pads an extra 0 at end so the transfer is no +longer multiple of wMaxPacketSize. + +Cc: +Fixes: 9f6ce4240a2b ("usb: gadget: f_ncm.c added") +Signed-off-by: Krishna Kurapati +Reviewed-by: Maciej Żenczykowski +Link: https://lore.kernel.org/r/20240205074650.200304-1-quic_kriskura@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_ncm.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -1349,7 +1349,15 @@ parse_ntb: + "Parsed NTB with %d frames\n", dgram_counter); + + to_process -= block_len; +- if (to_process != 0) { ++ ++ /* ++ * Windows NCM driver avoids USB ZLPs by adding a 1-byte ++ * zero pad as needed. 
++ */ ++ if (to_process == 1 && ++ (*(unsigned char *)(ntb_ptr + block_len) == 0x00)) { ++ to_process--; ++ } else if (to_process > 0) { + ntb_ptr = (unsigned char *)(ntb_ptr + block_len); + goto parse_ntb; + } diff --git a/queue-5.10/usb-roles-don-t-get-set_role-when-usb_role_switch-is-unregistered.patch b/queue-5.10/usb-roles-don-t-get-set_role-when-usb_role_switch-is-unregistered.patch new file mode 100644 index 00000000000..bb7ce603f85 --- /dev/null +++ b/queue-5.10/usb-roles-don-t-get-set_role-when-usb_role_switch-is-unregistered.patch 
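Review bot: The new branch tolerates exactly one trailing 0x00 byte; any other short remainder (a non-zero byte, or two bytes) still jumps to parse_ntb, and per the description a remainder that fails to parse as an NTB discards every datagram already collected in rx_list — the very behaviour this fix was motivated by. The comment should state that limitation, e.g. `/* Only a single 0x00 pad is tolerated; other trailing bytes are parsed as a new NTB and a parse failure drops rx_list. */`, and the maintainers may want to stop parsing while keeping rx_list whenever the remainder is shorter than an NTH header. Style: the following line casts `ntb_ptr + block_len` to `unsigned char *`, which suggests ntb_ptr already has that type, so `ntb_ptr[block_len] == 0` reads more simply than the cast-and-deref. The switch from `!= 0` to `> 0` is only equivalent if to_process is unsigned; its declaration, like the rest of ncm_unwrap_ntb(), is outside the hunk.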
@@ -0,0 +1,76 @@ +From b787a3e781759026a6212736ef8e52cf83d1821a Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Mon, 29 Jan 2024 17:37:39 +0800 +Subject: usb: roles: don't get/set_role() when usb_role_switch is unregistered + +From: Xu Yang + +commit b787a3e781759026a6212736ef8e52cf83d1821a upstream. + +There is a possibility that usb_role_switch device is unregistered before +the user put usb_role_switch. In this case, the user may still want to +get/set_role() since the user can't sense the changes of usb_role_switch. + +This will add a flag to show if usb_role_switch is already registered and +avoid unwanted behaviors. + +Fixes: fde0aa6c175a ("usb: common: Small class for USB role switches") +cc: stable@vger.kernel.org +Signed-off-by: Xu Yang +Acked-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20240129093739.2371530-2-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/roles/class.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/usb/roles/class.c ++++ b/drivers/usb/roles/class.c +@@ -21,6 +21,7 @@ struct usb_role_switch { + struct mutex lock; /* device lock*/ + struct module *module; /* the module this device depends on */ + enum usb_role role; ++ bool registered; + + /* From descriptor */ + struct device *usb2_port; +@@ -47,6 +48,9 @@ int usb_role_switch_set_role(struct usb_ + if (IS_ERR_OR_NULL(sw)) + return 0; + ++ if (!sw->registered) ++ return -EOPNOTSUPP; ++ + mutex_lock(&sw->lock); + + ret = sw->set(sw, role); +@@ -72,7 +76,7 @@ enum usb_role usb_role_switch_get_role(s + { + enum usb_role role; + +- if (IS_ERR_OR_NULL(sw)) ++ if (IS_ERR_OR_NULL(sw) || !sw->registered) + return USB_ROLE_NONE; + + mutex_lock(&sw->lock); +@@ -347,6 +351,8 @@ usb_role_switch_register(struct device * + return ERR_PTR(ret); + } + ++ sw->registered = true; ++ + /* TODO: Symlinks for the host port and the device controller. 
*/ + + return sw; +@@ -361,8 +367,10 @@ EXPORT_SYMBOL_GPL(usb_role_switch_regist + */ + void usb_role_switch_unregister(struct usb_role_switch *sw) + { +- if (!IS_ERR_OR_NULL(sw)) ++ if (!IS_ERR_OR_NULL(sw)) { ++ sw->registered = false; + device_unregister(&sw->dev); ++ } + } + EXPORT_SYMBOL_GPL(usb_role_switch_unregister); + diff --git a/queue-5.10/usb-roles-fix-null-pointer-issue-when-put-module-s-reference.patch b/queue-5.10/usb-roles-fix-null-pointer-issue-when-put-module-s-reference.patch new file mode 100644 index 00000000000..92f6f165555 --- /dev/null +++ b/queue-5.10/usb-roles-fix-null-pointer-issue-when-put-module-s-reference.patch 
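Review bot: The new `registered` flag is tested outside `sw->lock` in both usb_role_switch_set_role() and usb_role_switch_get_role(), and cleared without the lock in usb_role_switch_unregister(), so the check-then-call sequence still races: a caller can pass `if (!sw->registered)`, be preempted, and then invoke `sw->set(sw, role)` after unregister has started tearing the device down — the patch narrows the window it describes but does not close it. Moving the test after `mutex_lock(&sw->lock)` (returning through the existing unlock path) and clearing the flag under the same mutex, `mutex_lock(&sw->lock); sw->registered = false; mutex_unlock(&sw->lock);` before `device_unregister(&sw->dev)`, makes an in-flight set_role() finish before the switch goes away. A short comment on the struct field, `bool registered; /* cleared by unregister; test under lock */`, would record the rule. The tail of usb_role_switch_set_role() after the `sw->set()` call lies outside the hunk.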
@@ -0,0 +1,96 @@ +From 1c9be13846c0b2abc2480602f8ef421360e1ad9e Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Mon, 29 Jan 2024 17:37:38 +0800 +Subject: usb: roles: fix NULL pointer issue when put module's reference + +From: Xu Yang + +commit 1c9be13846c0b2abc2480602f8ef421360e1ad9e upstream. + +In current design, usb role class driver will get usb_role_switch parent's +module reference after the user get usb_role_switch device and put the +reference after the user put the usb_role_switch device. However, the +parent device of usb_role_switch may be removed before the user put the +usb_role_switch. If so, then, NULL pointer issue will be met when the user +put the parent module's reference. + +This will save the module pointer in structure of usb_role_switch. Then, +we don't need to find module by iterating long relations. + +Fixes: 5c54fcac9a9d ("usb: roles: Take care of driver module reference counting") +cc: stable@vger.kernel.org +Signed-off-by: Xu Yang +Acked-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20240129093739.2371530-1-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/roles/class.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/usb/roles/class.c ++++ b/drivers/usb/roles/class.c +@@ -19,6 +19,7 @@ static struct class *role_class; + struct usb_role_switch { + struct device dev; + struct mutex lock; /* device lock*/ ++ struct module *module; /* the module this device depends on */ + enum usb_role role; + + /* From descriptor */ +@@ -133,7 +134,7 @@ struct usb_role_switch *usb_role_switch_ + usb_role_switch_match); + + if (!IS_ERR_OR_NULL(sw)) +- WARN_ON(!try_module_get(sw->dev.parent->driver->owner)); ++ WARN_ON(!try_module_get(sw->module)); + + return sw; + } +@@ -155,7 +156,7 @@ struct usb_role_switch *fwnode_usb_role_ + sw = fwnode_connection_find_match(fwnode, "usb-role-switch", + NULL, usb_role_switch_match); + if (!IS_ERR_OR_NULL(sw)) +- 
WARN_ON(!try_module_get(sw->dev.parent->driver->owner)); ++ WARN_ON(!try_module_get(sw->module)); + + return sw; + } +@@ -170,7 +171,7 @@ EXPORT_SYMBOL_GPL(fwnode_usb_role_switch + void usb_role_switch_put(struct usb_role_switch *sw) + { + if (!IS_ERR_OR_NULL(sw)) { +- module_put(sw->dev.parent->driver->owner); ++ module_put(sw->module); + put_device(&sw->dev); + } + } +@@ -187,15 +188,18 @@ struct usb_role_switch * + usb_role_switch_find_by_fwnode(const struct fwnode_handle *fwnode) + { + struct device *dev; ++ struct usb_role_switch *sw = NULL; + + if (!fwnode) + return NULL; + + dev = class_find_device_by_fwnode(role_class, fwnode); +- if (dev) +- WARN_ON(!try_module_get(dev->parent->driver->owner)); ++ if (dev) { ++ sw = to_role_switch(dev); ++ WARN_ON(!try_module_get(sw->module)); ++ } + +- return dev ? to_role_switch(dev) : NULL; ++ return sw; + } + EXPORT_SYMBOL_GPL(usb_role_switch_find_by_fwnode); + +@@ -328,6 +332,7 @@ usb_role_switch_register(struct device * + sw->set = desc->set; + sw->get = desc->get; + ++ sw->module = parent->driver->owner; + sw->dev.parent = parent; + sw->dev.fwnode = desc->fwnode; + sw->dev.class = role_class; diff --git a/queue-5.10/x86-alternative-make-custom-return-thunk-unconditional.patch b/queue-5.10/x86-alternative-make-custom-return-thunk-unconditional.patch new file mode 100644 index 00000000000..5e5139feae1 --- /dev/null +++ b/queue-5.10/x86-alternative-make-custom-return-thunk-unconditional.patch 
@@ -0,0 +1,77 @@ +From 15b2ca2d422d3481819141c6de8ab6e6f80f543d Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Mon, 14 Aug 2023 13:44:30 +0200 +Subject: x86/alternative: Make custom return thunk unconditional + +From: Peter Zijlstra + +Upstream commit: 095b8303f3835c68ac4a8b6d754ca1c3b6230711 + +There is infrastructure to rewrite return thunks to point to any +random thunk one desires, unwrap that from CALL_THUNKS, which up to +now was the sole user of that. + + [ bp: Make the thunks visible on 32-bit and add ifdeffery for the + 32-bit builds. ] + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/20230814121148.775293785@infradead.org +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/nospec-branch.h | 8 ++++---- + arch/x86/kernel/alternative.c | 4 ---- + arch/x86/kernel/cpu/bugs.c | 2 ++ + 3 files changed, 6 insertions(+), 8 deletions(-) + +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -190,7 +190,11 @@ + _ASM_PTR " 999b\n\t" \ + ".popsection\n\t" + ++#ifdef CONFIG_RETHUNK + extern void __x86_return_thunk(void); ++#else ++static inline void __x86_return_thunk(void) {} ++#endif + + extern void retbleed_return_thunk(void); + extern void srso_return_thunk(void); +@@ -203,11 +207,7 @@ extern void srso_alias_untrain_ret(void) + extern void entry_untrain_ret(void); + extern void entry_ibpb(void); + +-#ifdef CONFIG_CALL_THUNKS + extern void (*x86_return_thunk)(void); +-#else +-#define x86_return_thunk (&__x86_return_thunk) +-#endif + + #ifdef CONFIG_RETPOLINE + +--- a/arch/x86/kernel/alternative.c ++++ b/arch/x86/kernel/alternative.c +@@ -677,10 +677,6 @@ void __init_or_module noinline apply_ret + + #ifdef CONFIG_RETHUNK + +-#ifdef CONFIG_CALL_THUNKS +-void (*x86_return_thunk)(void) __ro_after_init = &__x86_return_thunk; +-#endif +- + /* + * Rewrite the compiler generated return thunk tail-calls. 
+ * +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -61,6 +61,8 @@ EXPORT_SYMBOL_GPL(x86_pred_cmd); + + static DEFINE_MUTEX(spec_ctrl_mutex); + ++void (*x86_return_thunk)(void) __ro_after_init = &__x86_return_thunk; ++ + /* Update SPEC_CTRL MSR and its cached copy unconditionally */ + static void update_spec_ctrl(u64 val) + { diff --git a/queue-5.10/x86-ftrace-use-alternative-ret-encoding.patch b/queue-5.10/x86-ftrace-use-alternative-ret-encoding.patch new file mode 100644 index 00000000000..e1d9c701513 --- /dev/null +++ b/queue-5.10/x86-ftrace-use-alternative-ret-encoding.patch 
@@ -0,0 +1,44 @@ +From b5f525de67aa9b129b7b93492642c53f85e12d82 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Tue, 14 Jun 2022 23:15:40 +0200 +Subject: x86/ftrace: Use alternative RET encoding + +From: Peter Zijlstra + +Upstream commit: 1f001e9da6bbf482311e45e48f53c2bd2179e59c + +Use the return thunk in ftrace trampolines, if needed. + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/ftrace.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/ftrace.c ++++ b/arch/x86/kernel/ftrace.c +@@ -311,7 +311,7 @@ union ftrace_op_code_union { + } __attribute__((packed)); + }; + +-#define RET_SIZE 1 + IS_ENABLED(CONFIG_SLS) ++#define RET_SIZE (IS_ENABLED(CONFIG_RETPOLINE) ? 5 : 1 + IS_ENABLED(CONFIG_SLS)) + + static unsigned long + create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size) +@@ -367,7 +367,10 @@ create_trampoline(struct ftrace_ops *ops + goto fail; + + ip = trampoline + size; +- memcpy(ip, retq, RET_SIZE); ++ if (cpu_feature_enabled(X86_FEATURE_RETHUNK)) ++ __text_gen_insn(ip, JMP32_INSN_OPCODE, ip, &__x86_return_thunk, JMP32_INSN_SIZE); ++ else ++ memcpy(ip, retq, sizeof(retq)); + + /* No need to test direct calls on created trampolines */ + if (ops->flags & FTRACE_OPS_FL_SAVE_REGS) { diff --git a/queue-5.10/x86-ibt-paravirt-use-text_gen_insn-for-paravirt_patch.patch b/queue-5.10/x86-ibt-paravirt-use-text_gen_insn-for-paravirt_patch.patch new file mode 100644 index 00000000000..7e309e3bf63 --- /dev/null +++ b/queue-5.10/x86-ibt-paravirt-use-text_gen_insn-for-paravirt_patch.patch 
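Review bot: RET_SIZE hard-codes `5` for the CONFIG_RETPOLINE case while the code that fills those bytes uses JMP32_INSN_SIZE, and the two are keyed on different conditions (a Kconfig option for the reservation, `cpu_feature_enabled(X86_FEATURE_RETHUNK)` for the emitted instruction); spelling the define as `#define RET_SIZE (IS_ENABLED(CONFIG_RETPOLINE) ? JMP32_INSN_SIZE : 1 + IS_ENABLED(CONFIG_SLS))` ties the reservation to the instruction actually written. The mismatch is harmless only as long as sizeof(retq) never exceeds RET_SIZE — retq is defined outside the hunk — so a one-line comment saying the jmp-sized reservation is an upper bound for the plain-ret case would help. create_trampoline() begins and ends outside the hunk.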
@@ -0,0 +1,107 @@
+From fa9d1e9927ed5387d324b2d8cd04f106c89cb507 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Tue, 8 Mar 2022 16:30:20 +0100
+Subject: x86/ibt,paravirt: Use text_gen_insn() for paravirt_patch()
+
+From: Peter Zijlstra
+
+Upstream commit: ba27d1a80871eb8dbeddf34ec7d396c149cbb8d7
+
+Less duplication is more better.
+
+Signed-off-by: Peter Zijlstra (Intel)
+Acked-by: Josh Poimboeuf
+Link: https://lore.kernel.org/r/20220308154317.697253958@infradead.org
+ [ Keep struct branch. ]
+Signed-off-by: Borislav Petkov (AMD)
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/text-patching.h | 20 ++++++++++++++------
+ arch/x86/kernel/paravirt.c | 22 +++++----------------
+ 2 files changed, 19 insertions(+), 23 deletions(-)
+
+--- a/arch/x86/include/asm/text-patching.h
++++ b/arch/x86/include/asm/text-patching.h
+@@ -96,32 +96,40 @@ union text_poke_insn {
+ };
+ 
+ static __always_inline
+-void *text_gen_insn(u8 opcode, const void *addr, const void *dest)
++void __text_gen_insn(void *buf, u8 opcode, const void *addr, const void *dest, int size)
+ {
+- static union text_poke_insn insn; /* per instance */
+- int size = text_opcode_size(opcode);
++ union text_poke_insn *insn = buf;
++
++ BUG_ON(size < text_opcode_size(opcode));
+ 
+ /*
+ * Hide the addresses to avoid the compiler folding in constants when
+ * referencing code, these can mess up annotations like
+ * ANNOTATE_NOENDBR.
+ */
++ OPTIMIZER_HIDE_VAR(insn);
+ OPTIMIZER_HIDE_VAR(addr);
+ OPTIMIZER_HIDE_VAR(dest);
+ 
+- insn.opcode = opcode;
++ insn->opcode = opcode;
+ 
+ if (size > 1) {
+- insn.disp = (long)dest - (long)(addr + size);
++ insn->disp = (long)dest - (long)(addr + size);
+ if (size == 2) {
+ /*
+ * Ensure that for JMP8 the displacement
+ * actually fits the signed byte.
+ */
+- BUG_ON((insn.disp >> 31) != (insn.disp >> 7));
++ BUG_ON((insn->disp >> 31) != (insn->disp >> 7));
+ }
+ }
++}
+ 
++static __always_inline
++void *text_gen_insn(u8 opcode, const void *addr, const void *dest)
++{
++ static union text_poke_insn insn; /* per instance */
++ __text_gen_insn(&insn, opcode, addr, dest, text_opcode_size(opcode));
+ return &insn.text;
+ }
+ 
+--- a/arch/x86/kernel/paravirt.c
++++ b/arch/x86/kernel/paravirt.c
+@@ -55,28 +55,16 @@ void __init default_banner(void)
+ static const unsigned char ud2a[] = { 0x0f, 0x0b };
+ 
+ struct branch {
+- unsigned char opcode;
+- u32 delta;
++ unsigned char opcode;
++ u32 delta;
+ } __attribute__((packed));
+ 
+ static unsigned paravirt_patch_call(void *insn_buff, const void *target,
+ unsigned long addr, unsigned len)
+ {
+- const int call_len = 5;
+- struct branch *b = insn_buff;
+- unsigned long delta = (unsigned long)target - (addr+call_len);
+-
+- if (len < call_len) {
+- pr_warn("paravirt: Failed to patch indirect CALL at %ps\n", (void *)addr);
+- /* Kernel might not be viable if patching fails, bail out: */
+- BUG_ON(1);
+- }
+-
+- b->opcode = 0xe8; /* call */
+- b->delta = delta;
+- BUILD_BUG_ON(sizeof(*b) != call_len);
+-
+- return call_len;
++ __text_gen_insn(insn_buff, CALL_INSN_OPCODE,
++ (void *)addr, target, CALL_INSN_SIZE);
++ return CALL_INSN_SIZE;
+ }
+ 
+ #ifdef CONFIG_PARAVIRT_XXL
diff --git a/queue-5.10/x86-returnthunk-allow-different-return-thunks.patch b/queue-5.10/x86-returnthunk-allow-different-return-thunks.patch
new file mode 100644
index 00000000000..ce3a25f9711
--- /dev/null
+++ b/queue-5.10/x86-returnthunk-allow-different-return-thunks.patch
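Review bot: `paravirt_patch_call()` no longer reads its `len` argument: the removed `if (len < call_len)` guard was the only check in this function that the patch site can hold a 5-byte CALL, and the `BUG_ON(size < text_opcode_size(opcode))` that stands in for it receives `CALL_INSN_SIZE` as `size`, which presumably equals `text_opcode_size(CALL_INSN_OPCODE)` and so can never trip. If a caller-side bound (presumably in `apply_paravirt()`, not visible here) is what is relied on now, that is worth stating above the call, e.g. `/* len is bounded by the caller; __text_gen_insn() writes exactly CALL_INSN_SIZE bytes */`. `__text_gen_insn()` also deserves a header comment saying that only `text_opcode_size(opcode)` bytes of `buf` are written and that the caller pads the rest when `size` is larger, since the `BUG_ON` only rejects a buffer that is too small; `patch_return()` in the returnthunk patch below relies on exactly that contract when it pads with `INT3_INSN_OPCODE`.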
@@ -0,0 +1,125 @@
+From 69d7a0673e8777f47ddb6dafe395590d9cd811fe Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Thu, 15 Sep 2022 13:11:25 +0200
+Subject: x86/returnthunk: Allow different return thunks
+
+From: Peter Zijlstra
+
+Upstream commit: 770ae1b709528a6a173b5c7b183818ee9b45e376
+
+In preparation for call depth tracking on Intel SKL CPUs, make it possible
+to patch in a SKL specific return thunk.
+
+Signed-off-by: Peter Zijlstra (Intel)
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Peter Zijlstra (Intel)
+Link: https://lore.kernel.org/r/20220915111147.680469665@infradead.org
+Signed-off-by: Borislav Petkov (AMD)
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/nospec-branch.h | 6 ++++++
+ arch/x86/kernel/alternative.c | 19 ++++++++++++++-----
+ arch/x86/kernel/cpu/bugs.c | 2 ++
+ arch/x86/kernel/ftrace.c | 2 +-
+ arch/x86/kernel/static_call.c | 2 +-
+ arch/x86/net/bpf_jit_comp.c | 2 +-
+ 6 files changed, 25 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -207,6 +207,12 @@ extern void srso_alias_untrain_ret(void)
+ extern void entry_untrain_ret(void);
+ extern void entry_ibpb(void);
+ 
++#ifdef CONFIG_CALL_THUNKS
++extern void (*x86_return_thunk)(void);
++#else
++#define x86_return_thunk (&__x86_return_thunk)
++#endif
++
+ #ifdef CONFIG_RETPOLINE
+ 
+ typedef u8 retpoline_thunk_t[RETPOLINE_THUNK_SIZE];
+--- a/arch/x86/kernel/alternative.c
++++ b/arch/x86/kernel/alternative.c
+@@ -676,6 +676,11 @@ void __init_or_module noinline apply_ret
+ }
+ 
+ #ifdef CONFIG_RETHUNK
++
++#ifdef CONFIG_CALL_THUNKS
++void (*x86_return_thunk)(void) __ro_after_init = &__x86_return_thunk;
++#endif
++
+ /*
+ * Rewrite the compiler generated return thunk tail-calls.
+ *
+@@ -691,14 +696,18 @@ static int patch_return(void *addr, stru
+ {
+ int i = 0;
+ 
+- if (cpu_feature_enabled(X86_FEATURE_RETHUNK))
+- return -1;
+-
+- bytes[i++] = RET_INSN_OPCODE;
++ if (cpu_feature_enabled(X86_FEATURE_RETHUNK)) {
++ if (x86_return_thunk == __x86_return_thunk)
++ return -1;
++
++ i = JMP32_INSN_SIZE;
++ __text_gen_insn(bytes, JMP32_INSN_OPCODE, addr, x86_return_thunk, i);
++ } else {
++ bytes[i++] = RET_INSN_OPCODE;
++ }
+ 
+ for (; i < insn->length;)
+ bytes[i++] = INT3_INSN_OPCODE;
+-
+ return i;
+ }
+ 
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -61,7 +61,9 @@ EXPORT_SYMBOL_GPL(x86_pred_cmd);
+ 
+ static DEFINE_MUTEX(spec_ctrl_mutex);
+ 
++#ifdef CONFIG_CALL_THUNKS
+ void (*x86_return_thunk)(void) __ro_after_init = &__x86_return_thunk;
++#endif
+ 
+ /* Update SPEC_CTRL MSR and its cached copy unconditionally */
+ static void update_spec_ctrl(u64 val)
+--- a/arch/x86/kernel/ftrace.c
++++ b/arch/x86/kernel/ftrace.c
+@@ -368,7 +368,7 @@ create_trampoline(struct ftrace_ops *ops
+ 
+ ip = trampoline + size;
+ if (cpu_feature_enabled(X86_FEATURE_RETHUNK))
+- __text_gen_insn(ip, JMP32_INSN_OPCODE, ip, &__x86_return_thunk, JMP32_INSN_SIZE);
++ __text_gen_insn(ip, JMP32_INSN_OPCODE, ip, x86_return_thunk, JMP32_INSN_SIZE);
+ else
+ memcpy(ip, retq, sizeof(retq));
+ 
+--- a/arch/x86/kernel/static_call.c
++++ b/arch/x86/kernel/static_call.c
+@@ -41,7 +41,7 @@ static void __ref __static_call_transfor
+ 
+ case RET:
+ if (cpu_feature_enabled(X86_FEATURE_RETHUNK))
+- code = text_gen_insn(JMP32_INSN_OPCODE, insn, &__x86_return_thunk);
++ code = text_gen_insn(JMP32_INSN_OPCODE, insn, x86_return_thunk);
+ else
+ code = &retinsn;
+ break;
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -405,7 +405,7 @@ static void emit_return(u8 **pprog, u8 *
+ int cnt = 0;
+ 
+ if (cpu_feature_enabled(X86_FEATURE_RETHUNK)) {
+- emit_jump(&prog, &__x86_return_thunk, ip);
++ emit_jump(&prog, x86_return_thunk, ip);
+ } else {
+ EMIT1(0xC3); /* ret */
+ if (IS_ENABLED(CONFIG_SLS))
diff --git a/queue-5.10/x86-text-patching-make-text_gen_insn-play-nice-with-annotate_noendbr.patch b/queue-5.10/x86-text-patching-make-text_gen_insn-play-nice-with-annotate_noendbr.patch
new file mode 100644
index 00000000000..3278a24cf9e
--- /dev/null
+++ b/queue-5.10/x86-text-patching-make-text_gen_insn-play-nice-with-annotate_noendbr.patch
@@ -0,0 +1,43 @@
+From ffdfac21ffa69fd4c05a4baa4d0ad48e7abf4d8a Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Tue, 8 Mar 2022 16:30:19 +0100
+Subject: x86/text-patching: Make text_gen_insn() play nice with ANNOTATE_NOENDBR
+
+From: Peter Zijlstra
+
+Upstream commit: bbf92368b0b1fe472d489e62d3340d7897e9c697
+
+Signed-off-by: Peter Zijlstra (Intel)
+Acked-by: Josh Poimboeuf
+Link: https://lore.kernel.org/r/20220308154317.638561109@infradead.org
+Signed-off-by: Borislav Petkov (AMD)
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/text-patching.h | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/text-patching.h
++++ b/arch/x86/include/asm/text-patching.h
+@@ -101,13 +101,21 @@ void *text_gen_insn(u8 opcode, const voi
+ static union text_poke_insn insn; /* per instance */
+ int size = text_opcode_size(opcode);
+ 
++ /*
++ * Hide the addresses to avoid the compiler folding in constants when
++ * referencing code, these can mess up annotations like
++ * ANNOTATE_NOENDBR.
++ */
++ OPTIMIZER_HIDE_VAR(addr);
++ OPTIMIZER_HIDE_VAR(dest);
++
+ insn.opcode = opcode;
+ 
+ if (size > 1) {
+ insn.disp = (long)dest - (long)(addr + size);
+ if (size == 2) {
+ /*
+- * Ensure that for JMP9 the displacement
++ * Ensure that for JMP8 the displacement
+ * actually fits the signed byte.
+ */
+ BUG_ON((insn.disp >> 31) != (insn.disp >> 7));
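Review bot: `x86_return_thunk` ends up defined twice under the same `#ifdef CONFIG_CALL_THUNKS`: the bugs.c hunk wraps the definition that already existed there, and the alternative.c hunk adds a second one inside the `CONFIG_RETHUNK` block. Both are dead as long as this tree has no CONFIG_CALL_THUNKS Kconfig symbol, which is presumably why the result links, but the moment that symbol is backported the two definitions collide; keeping only the alternative.c one (the one this commit introduces) and dropping the bugs.c copy would remove that trap. On the `#else` side the header turns `x86_return_thunk` into the macro `(&__x86_return_thunk)`, so the new `if (x86_return_thunk == __x86_return_thunk) return -1;` in `patch_return()` is a compile-time-true comparison on such builds, which is the intended no-op but reads like a runtime check; a one-line comment there, `/* with CALL_THUNKS=n, x86_return_thunk is a macro for &__x86_return_thunk, so this is constant-true */`, would spare the next reader the detour.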