From: Greg Kroah-Hartman Date: Sun, 28 Nov 2021 11:48:01 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v5.15.6~61 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c3a661479e1270d2264c04f6f7ca0a9a86cdd28a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: kvm-ppc-book3s-hv-prevent-power7-8-tlb-flush-flushing-slb.patch mdio-aspeed-fix-link-is-down-issue.patch mmc-sdhci-fix-adma-for-page_size-64kib.patch tracing-fix-pid-filtering-when-triggers-are-attached.patch tracing-uprobe-fix-uprobe_perf_open-probes-iteration.patch xen-detect-uninitialized-xenbus-in-xenbus_init.patch xen-don-t-continue-xenstore-initialization-in-case-of-errors.patch
---
diff --git a/queue-5.4/kvm-ppc-book3s-hv-prevent-power7-8-tlb-flush-flushing-slb.patch b/queue-5.4/kvm-ppc-book3s-hv-prevent-power7-8-tlb-flush-flushing-slb.patch
new file mode 100644
index 00000000000..1540be93905
--- /dev/null
+++ b/queue-5.4/kvm-ppc-book3s-hv-prevent-power7-8-tlb-flush-flushing-slb.patch
@@ -0,0 +1,59 @@
+From cf0b0e3712f7af90006f8317ff27278094c2c128 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin
+Date: Fri, 19 Nov 2021 13:16:27 +1000
+Subject: KVM: PPC: Book3S HV: Prevent POWER7/8 TLB flush flushing SLB
+
+From: Nicholas Piggin
+
+commit cf0b0e3712f7af90006f8317ff27278094c2c128 upstream.
+
+The POWER9 ERAT flush instruction is a SLBIA with IH=7, which is a
+reserved value on POWER7/8. On POWER8 this invalidates the SLB entries
+above index 0, similarly to SLBIA IH=0.
+
+If the SLB entries are invalidated, and then the guest is bypassed, the
+host SLB does not get re-loaded, so the bolted entries above 0 will be
+lost. This can result in kernel stack access causing a SLB fault.
+
+Kernel stack access causing a SLB fault was responsible for the infamous
+mega bug (search "Fix SLB reload bug"). Although since commit
+48e7b7695745 ("powerpc/64s/hash: Convert SLB miss handlers to C") that
+starts using the kernel stack in the SLB miss handler, it might only
+result in an infinite loop of SLB faults. In any case it's a bug.
+
+Fix this by only executing the instruction on >= POWER9 where IH=7 is
+defined not to invalidate the SLB. POWER7/8 don't require this ERAT
+flush.
+
+Fixes: 500871125920 ("KVM: PPC: Book3S HV: Invalidate ERAT when flushing guest TLB entries")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: Nicholas Piggin
+Reviewed-by: Fabiano Rosas
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20211119031627.577853-1-npiggin@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kvm/book3s_hv_builtin.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kvm/book3s_hv_builtin.c
++++ b/arch/powerpc/kvm/book3s_hv_builtin.c
+@@ -821,6 +821,7 @@ static void flush_guest_tlb(struct kvm *
+ "r" (0) : "memory");
+ }
+ asm volatile("ptesync": : :"memory");
++ // POWER9 congruence-class TLBIEL leaves ERAT. Flush it now.
+ asm volatile(PPC_RADIX_INVALIDATE_ERAT_GUEST : : :"memory");
+ } else {
+ for (set = 0; set < kvm->arch.tlb_sets; ++set) {
+@@ -831,7 +832,9 @@ static void flush_guest_tlb(struct kvm *
+ rb += PPC_BIT(51); /* increment set number */
+ }
+ asm volatile("ptesync": : :"memory");
+- asm volatile(PPC_ISA_3_0_INVALIDATE_ERAT : : :"memory");
++ // POWER9 congruence-class TLBIEL leaves ERAT. Flush it now.
++ if (cpu_has_feature(CPU_FTR_ARCH_300))
++ asm volatile(PPC_ISA_3_0_INVALIDATE_ERAT : : :"memory");
+ }
+ }
+
diff --git a/queue-5.4/mdio-aspeed-fix-link-is-down-issue.patch b/queue-5.4/mdio-aspeed-fix-link-is-down-issue.patch
new file mode 100644
index 00000000000..f95bb345828
--- /dev/null
+++ b/queue-5.4/mdio-aspeed-fix-link-is-down-issue.patch
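Review bot: In flush_guest_tlb() (arch/powerpc/kvm/book3s_hv_builtin.c), the comment added above the new `cpu_has_feature(CPU_FTR_ARCH_300)` guard repeats the radix-branch text and does not say why the guard exists, which is the part a later cleanup could undo. The commit message gives the reason (SLBIA IH=7 is reserved on POWER7/8 and on POWER8 invalidates SLB entries above index 0, which the host does not reload), so I would carry it into the code, e.g. `/* SLBIA IH=7 is reserved before ISA v3.0 and invalidates bolted host SLB entries on POWER8; only flush the ERAT on POWER9 and later. */`. The surrounding context uses `/* */` comments, so the two new `//` lines could follow that style as well. The function starts outside the inner hunks.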
@@ -0,0 +1,49 @@
+From 9dbe33cf371bd70330858370bdbc35c7668f00c3 Mon Sep 17 00:00:00 2001
+From: Dylan Hung
+Date: Thu, 25 Nov 2021 10:44:32 +0800
+Subject: mdio: aspeed: Fix "Link is Down" issue
+
+From: Dylan Hung
+
+commit 9dbe33cf371bd70330858370bdbc35c7668f00c3 upstream.
+
+The issue happened randomly in runtime. The message "Link is Down" is
+popped but soon it recovered to "Link is Up".
+
+The "Link is Down" results from the incorrect read data for reading the
+PHY register via MDIO bus. The correct sequence for reading the data
+shall be:
+1. fire the command
+2. wait for command done (this step was missing)
+3. wait for data idle
+4. read data from data register
+
+Cc: stable@vger.kernel.org
+Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed")
+Reviewed-by: Joel Stanley
+Signed-off-by: Dylan Hung
+Reviewed-by: Andrew Lunn
+Reviewed-by: Russell King (Oracle)
+Link: https://lore.kernel.org/r/20211125024432.15809-1-dylan_hung@aspeedtech.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/mdio-aspeed.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/phy/mdio-aspeed.c
++++ b/drivers/net/phy/mdio-aspeed.c
+@@ -61,6 +61,13 @@ static int aspeed_mdio_read(struct mii_b
+
+ iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL);
+
++ rc = readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
++ !(ctrl & ASPEED_MDIO_CTRL_FIRE),
++ ASPEED_MDIO_INTERVAL_US,
++ ASPEED_MDIO_TIMEOUT_US);
++ if (rc < 0)
++ return rc;
++
+ rc = readl_poll_timeout(ctx->base + ASPEED_MDIO_DATA, data,
+ data & ASPEED_MDIO_DATA_IDLE,
+ ASPEED_MDIO_INTERVAL_US,
diff --git a/queue-5.4/mmc-sdhci-fix-adma-for-page_size-64kib.patch b/queue-5.4/mmc-sdhci-fix-adma-for-page_size-64kib.patch
new file mode 100644
index 00000000000..ca6f5a16cd9
--- /dev/null
+++ b/queue-5.4/mmc-sdhci-fix-adma-for-page_size-64kib.patch
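Review bot: In aspeed_mdio_read() (drivers/net/phy/mdio-aspeed.c), the two back-to-back `readl_poll_timeout()` calls now wait for different conditions and nothing in the code says which is which. The sequence from the commit message (fire, wait for command done, wait for data idle, read) is worth keeping next to the code, e.g. `/* Wait for the controller to clear FIRE (command done) before polling for DATA_IDLE. */` above the added poll. Both polls use ASPEED_MDIO_TIMEOUT_US, so the worst-case wait for one read is now two timeout periods; whether that matters to callers is not visible here. The function body continues outside the hunk.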
@@ -0,0 +1,91 @@
+From 3d7c194b7c9ad414264935ad4f943a6ce285ebb1 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter
+Date: Mon, 15 Nov 2021 10:23:45 +0200
+Subject: mmc: sdhci: Fix ADMA for PAGE_SIZE >= 64KiB
+
+From: Adrian Hunter
+
+commit 3d7c194b7c9ad414264935ad4f943a6ce285ebb1 upstream.
+
+The block layer forces a minimum segment size of PAGE_SIZE, so a segment
+can be too big for the ADMA table, if PAGE_SIZE >= 64KiB. Fix by writing
+multiple descriptors, noting that the ADMA table is sized for 4KiB chunks
+anyway, so it will be big enough.
+
+Reported-and-tested-by: Bough Chen
+Signed-off-by: Adrian Hunter
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211115082345.802238-1-adrian.hunter@intel.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci.c | 21 ++++++++++++++++++---
+ drivers/mmc/host/sdhci.h | 4 +++-
+ 2 files changed, 21 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -749,7 +749,19 @@ static void sdhci_adma_table_pre(struct
+ len -= offset;
+ }
+
+- BUG_ON(len > 65536);
++ /*
++ * The block layer forces a minimum segment size of PAGE_SIZE,
++ * so 'len' can be too big here if PAGE_SIZE >= 64KiB. Write
++ * multiple descriptors, noting that the ADMA table is sized
++ * for 4KiB chunks anyway, so it will be big enough.
++ */
++ while (len > host->max_adma) {
++ int n = 32 * 1024; /* 32KiB*/
++
++ __sdhci_adma_write_desc(host, &desc, addr, n, ADMA2_TRAN_VALID);
++ addr += n;
++ len -= n;
++ }
+
+ /* tran, valid */
+ if (len)
+@@ -3568,6 +3580,7 @@ struct sdhci_host *sdhci_alloc_host(stru
+ * descriptor for each segment, plus 1 for a nop end descriptor.
+ */
+ host->adma_table_cnt = SDHCI_MAX_SEGS * 2 + 1;
++ host->max_adma = 65536;
+
+ return host;
+ }
+@@ -4221,10 +4234,12 @@ int sdhci_setup_host(struct sdhci_host *
+ * be larger than 64 KiB though.
+ */
+ if (host->flags & SDHCI_USE_ADMA) {
+- if (host->quirks & SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC)
++ if (host->quirks & SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC) {
++ host->max_adma = 65532; /* 32-bit alignment */
+ mmc->max_seg_size = 65535;
+- else
++ } else {
+ mmc->max_seg_size = 65536;
++ }
+ } else {
+ mmc->max_seg_size = mmc->max_req_size;
+ }
+--- a/drivers/mmc/host/sdhci.h
++++ b/drivers/mmc/host/sdhci.h
+@@ -349,7 +349,8 @@ struct sdhci_adma2_64_desc {
+
+ /*
+ * Maximum segments assuming a 512KiB maximum requisition size and a minimum
+- * 4KiB page size.
++ * 4KiB page size. Note this also allows enough for multiple descriptors in
++ * case of PAGE_SIZE >= 64KiB.
+ */
+ #define SDHCI_MAX_SEGS 128
+
+@@ -547,6 +548,7 @@ struct sdhci_host {
+ unsigned int blocks; /* remaining PIO blocks */
+
+ int sg_count; /* Mapped sg entries */
++ int max_adma; /* Max. length in ADMA descriptor */
+
+ void *adma_table; /* ADMA descriptor table */
+ void *align_buffer; /* Bounce buffer */
diff --git a/queue-5.4/series b/queue-5.4/series
index 35c88ee54cc..1bdb07398c7 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -13,3 +13,10 @@ revert-parisc-fix-backtrace-to-always-include-init-funtion-names.patch
 hid-wacom-use-confidence-flag-to-prevent-reporting-invalid-contacts.patch
 staging-fbtft-fix-backlight.patch
 staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch
+xen-don-t-continue-xenstore-initialization-in-case-of-errors.patch
+xen-detect-uninitialized-xenbus-in-xenbus_init.patch
+kvm-ppc-book3s-hv-prevent-power7-8-tlb-flush-flushing-slb.patch
+tracing-uprobe-fix-uprobe_perf_open-probes-iteration.patch
+tracing-fix-pid-filtering-when-triggers-are-attached.patch
+mmc-sdhci-fix-adma-for-page_size-64kib.patch
+mdio-aspeed-fix-link-is-down-issue.patch
diff --git a/queue-5.4/tracing-fix-pid-filtering-when-triggers-are-attached.patch b/queue-5.4/tracing-fix-pid-filtering-when-triggers-are-attached.patch
new file mode 100644
index 00000000000..bed5605fa97
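Review bot: In sdhci_adma_table_pre() (drivers/mmc/host/sdhci.c), the new `while (len > host->max_adma)` loop writes extra descriptors with no check against the descriptor table's capacity, and it replaces the `BUG_ON(len > 65536)` that was the only length sanity check at this point. The sizing argument in the new comment and in sdhci.h rests on SDHCI_MAX_SEGS assuming a 512KiB maximum request; whether every host driver keeps max_req_size within that is not visible in these hunks, so I would state the assumption at the loop, e.g. `/* Each split adds a descriptor: relies on adma_table_cnt (SDHCI_MAX_SEGS * 2 + 1) covering the extra max_req_size / 32KiB entries. */`. The chunk size `32 * 1024` is a bare literal next to the `65536`/`65532` limits, and a named constant would tie the three together. The function body extends beyond the hunk.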
--- /dev/null
+++ b/queue-5.4/tracing-fix-pid-filtering-when-triggers-are-attached.patch
@@ -0,0 +1,57 @@
+From a55f224ff5f238013de8762c4287117e47b86e22 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)"
+Date: Fri, 26 Nov 2021 17:34:42 -0500
+Subject: tracing: Fix pid filtering when triggers are attached
+
+From: Steven Rostedt (VMware)
+
+commit a55f224ff5f238013de8762c4287117e47b86e22 upstream.
+
+If a event is filtered by pid and a trigger that requires processing of
+the event to happen is a attached to the event, the discard portion does
+not take the pid filtering into account, and the event will then be
+recorded when it should not have been.
+
+Cc: stable@vger.kernel.org
+Fixes: 3fdaf80f4a836 ("tracing: Implement event pid filtering")
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace.h | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/kernel/trace/trace.h
++++ b/kernel/trace/trace.h
+@@ -1423,14 +1423,26 @@ __event_trigger_test_discard(struct trac
+ if (eflags & EVENT_FILE_FL_TRIGGER_COND)
+ *tt = event_triggers_call(file, entry, event);
+
+- if (test_bit(EVENT_FILE_FL_SOFT_DISABLED_BIT, &file->flags) ||
+- (unlikely(file->flags & EVENT_FILE_FL_FILTERED) &&
+- !filter_match_preds(file->filter, entry))) {
+- __trace_event_discard_commit(buffer, event);
+- return true;
+- }
++ if (likely(!(file->flags & (EVENT_FILE_FL_SOFT_DISABLED |
++ EVENT_FILE_FL_FILTERED |
++ EVENT_FILE_FL_PID_FILTER))))
++ return false;
++
++ if (file->flags & EVENT_FILE_FL_SOFT_DISABLED)
++ goto discard;
++
++ if (file->flags & EVENT_FILE_FL_FILTERED &&
++ !filter_match_preds(file->filter, entry))
++ goto discard;
++
++ if ((file->flags & EVENT_FILE_FL_PID_FILTER) &&
++ trace_event_ignore_this_pid(file))
++ goto discard;
+
+ return false;
++ discard:
++ __trace_event_discard_commit(buffer, event);
++ return true;
+ }
+
+ /**
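Review bot: In __event_trigger_test_discard() (kernel/trace/trace.h), the new FILTERED test is written `if (file->flags & EVENT_FILE_FL_FILTERED &&` without parentheses around the mask, while the PID_FILTER test two statements later has them. Operator precedence makes the two forms equivalent, but the unparenthesised one reads like a precedence slip in a function that decides whether an event is recorded; I would write `if ((file->flags & EVENT_FILE_FL_FILTERED) &&` to match. The function starts outside the hunk.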
diff --git a/queue-5.4/tracing-uprobe-fix-uprobe_perf_open-probes-iteration.patch b/queue-5.4/tracing-uprobe-fix-uprobe_perf_open-probes-iteration.patch
new file mode 100644
index 00000000000..f74a6b02baa
--- /dev/null
+++ b/queue-5.4/tracing-uprobe-fix-uprobe_perf_open-probes-iteration.patch
@@ -0,0 +1,34 @@
+From 1880ed71ce863318c1ce93bf324876fb5f92854f Mon Sep 17 00:00:00 2001
+From: Jiri Olsa
+Date: Tue, 23 Nov 2021 15:28:01 +0100
+Subject: tracing/uprobe: Fix uprobe_perf_open probes iteration
+
+From: Jiri Olsa
+
+commit 1880ed71ce863318c1ce93bf324876fb5f92854f upstream.
+
+Add missing 'tu' variable initialization in the probes loop,
+otherwise the head 'tu' is used instead of added probes.
+
+Link: https://lkml.kernel.org/r/20211123142801.182530-1-jolsa@kernel.org
+
+Cc: stable@vger.kernel.org
+Fixes: 99c9a923e97a ("tracing/uprobe: Fix double perf_event linking on multiprobe uprobe")
+Acked-by: Masami Hiramatsu
+Signed-off-by: Jiri Olsa
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_uprobe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -1299,6 +1299,7 @@ static int uprobe_perf_open(struct trace
+ return 0;
+
+ list_for_each_entry(pos, trace_probe_probe_list(tp), list) {
++ tu = container_of(pos, struct trace_uprobe, tp);
+ err = uprobe_apply(tu->inode, tu->offset, &tu->consumer, true);
+ if (err) {
+ uprobe_perf_close(call, event);
diff --git a/queue-5.4/xen-detect-uninitialized-xenbus-in-xenbus_init.patch b/queue-5.4/xen-detect-uninitialized-xenbus-in-xenbus_init.patch
new file mode 100644
index 00000000000..f40e15cb215
--- /dev/null
+++ b/queue-5.4/xen-detect-uninitialized-xenbus-in-xenbus_init.patch
@@ -0,0 +1,68 @@
+From 36e8f60f0867d3b70d398d653c17108459a04efe Mon Sep 17 00:00:00 2001
+From: Stefano Stabellini
+Date: Tue, 23 Nov 2021 13:07:48 -0800
+Subject: xen: detect uninitialized xenbus in xenbus_init
+
+From: Stefano Stabellini
+
+commit 36e8f60f0867d3b70d398d653c17108459a04efe upstream.
+
+If the xenstore page hasn't been allocated properly, reading the value
+of the related hvm_param (HVM_PARAM_STORE_PFN) won't actually return
+error. Instead, it will succeed and return zero. Instead of attempting
+to xen_remap a bad guest physical address, detect this condition and
+return early.
+
+Note that although a guest physical address of zero for
+HVM_PARAM_STORE_PFN is theoretically possible, it is not a good choice
+and zero has never been validly used in that capacity.
+
+Also recognize all bits set as an invalid value.
+
+For 32-bit Linux, any pfn above ULONG_MAX would get truncated. Pfns
+above ULONG_MAX should never be passed by the Xen tools to HVM guests
+anyway, so check for this condition and return early.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefano Stabellini
+Reviewed-by: Juergen Gross
+Reviewed-by: Jan Beulich
+Link: https://lore.kernel.org/r/20211123210748.1910236-1-sstabellini@kernel.org
+Signed-off-by: Boris Ostrovsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/xenbus/xenbus_probe.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/drivers/xen/xenbus/xenbus_probe.c
++++ b/drivers/xen/xenbus/xenbus_probe.c
+@@ -886,6 +886,29 @@ static int __init xenbus_init(void)
+ err = hvm_get_parameter(HVM_PARAM_STORE_PFN, &v);
+ if (err)
+ goto out_error;
++ /*
++ * Uninitialized hvm_params are zero and return no error.
++ * Although it is theoretically possible to have
++ * HVM_PARAM_STORE_PFN set to zero on purpose, in reality it is
++ * not zero when valid. If zero, it means that Xenstore hasn't
++ * been properly initialized. Instead of attempting to map a
++ * wrong guest physical address return error.
++ *
++ * Also recognize all bits set as an invalid value.
++ */
++ if (!v || !~v) {
++ err = -ENOENT;
++ goto out_error;
++ }
++ /* Avoid truncation on 32-bit. */
++#if BITS_PER_LONG == 32
++ if (v > ULONG_MAX) {
++ pr_err("%s: cannot handle HVM_PARAM_STORE_PFN=%llx > ULONG_MAX\n",
++ __func__, v);
++ err = -EINVAL;
++ goto out_error;
++ }
++#endif
+ xen_store_gfn = (unsigned long)v;
+ xen_store_interface =
+ xen_remap(xen_store_gfn << XEN_PAGE_SHIFT,
diff --git a/queue-5.4/xen-don-t-continue-xenstore-initialization-in-case-of-errors.patch b/queue-5.4/xen-don-t-continue-xenstore-initialization-in-case-of-errors.patch
new file mode 100644
index 00000000000..400d2e46628
--- /dev/null
+++ b/queue-5.4/xen-don-t-continue-xenstore-initialization-in-case-of-errors.patch
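Review bot: In xenbus_init() (drivers/xen/xenbus/xenbus_probe.c), the added `v > ULONG_MAX` check protects the cast but not the shift in the trailing context line: `xen_store_gfn << XEN_PAGE_SHIFT` is evaluated in `unsigned long`, so on 32-bit a frame number that fits in a long can still lose its top bits before xen_remap() sees the address. If the intent is to reject every value that cannot be mapped faithfully, the bound would be `if (v > (ULONG_MAX >> XEN_PAGE_SHIFT)) {`, or the shift would be done in a wider type such as `(phys_addr_t)xen_store_gfn << XEN_PAGE_SHIFT`; which is right depends on xen_remap()'s parameter type, which this hunk does not show. Separately, the `!v || !~v` path returns -ENOENT silently while the truncation path logs with pr_err(), so a one-line message there would make a misconfigured toolstack diagnosable. The function body continues outside the hunk.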
@@ -0,0 +1,57 @@
+From 08f6c2b09ebd4b326dbe96d13f94fee8f9814c78 Mon Sep 17 00:00:00 2001
+From: Stefano Stabellini
+Date: Mon, 15 Nov 2021 14:27:19 -0800
+Subject: xen: don't continue xenstore initialization in case of errors
+
+From: Stefano Stabellini
+
+commit 08f6c2b09ebd4b326dbe96d13f94fee8f9814c78 upstream.
+
+In case of errors in xenbus_init (e.g. missing xen_store_gfn parameter),
+we goto out_error but we forget to reset xen_store_domain_type to
+XS_UNKNOWN. As a consequence xenbus_probe_initcall and other initcalls
+will still try to initialize xenstore resulting into a crash at boot.
+
+[ 2.479830] Call trace:
+[ 2.482314] xb_init_comms+0x18/0x150
+[ 2.486354] xs_init+0x34/0x138
+[ 2.489786] xenbus_probe+0x4c/0x70
+[ 2.498432] xenbus_probe_initcall+0x2c/0x7c
+[ 2.503944] do_one_initcall+0x54/0x1b8
+[ 2.507358] kernel_init_freeable+0x1ac/0x210
+[ 2.511617] kernel_init+0x28/0x130
+[ 2.516112] ret_from_fork+0x10/0x20
+
+Cc:
+Cc: jbeulich@suse.com
+Signed-off-by: Stefano Stabellini
+Link: https://lore.kernel.org/r/20211115222719.2558207-1-sstabellini@kernel.org
+Reviewed-by: Jan Beulich
+Signed-off-by: Boris Ostrovsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/xenbus/xenbus_probe.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/xenbus/xenbus_probe.c
++++ b/drivers/xen/xenbus/xenbus_probe.c
+@@ -846,7 +846,7 @@ static struct notifier_block xenbus_resu
+
+ static int __init xenbus_init(void)
+ {
+- int err = 0;
++ int err;
+ uint64_t v = 0;
+ xen_store_domain_type = XS_UNKNOWN;
+
+@@ -920,8 +920,10 @@ static int __init xenbus_init(void)
+ */
+ proc_create_mount_point("xen");
+ #endif
++ return 0;
+
+ out_error:
++ xen_store_domain_type = XS_UNKNOWN;
+ return err;
+ }
+
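Review bot: In xenbus_init() (drivers/xen/xenbus/xenbus_probe.c), dropping the initialiser (`int err;`) means every `goto out_error` must assign err first, and the paths between the two inner hunks are not visible here. That is worth confirming against the 5.4 tree, since a missed assignment would return an indeterminate value from an initcall. At the `out_error:` label I would also record why the type is reset, e.g. `/* Later initcalls (xenbus_probe_initcall) key off xen_store_domain_type; reset it so they skip xenstore setup after a failure. */`, because the commit message is currently the only place that says so.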