From: Greg Kroah-Hartman Date: Fri, 3 Mar 2023 15:58:06 +0000 (+0100) Subject: 6.2-stable patches X-Git-Tag: v6.2.3~131 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=caf843f8b59d0e54cd579938ae38aa6e1d4985af;p=thirdparty%2Fkernel%2Fstable-queue.git 6.2-stable patches added patches: hid-asus-use-spinlock-to-protect-concurrent-accesses.patch hid-asus-use-spinlock-to-safely-schedule-workers.patch iommu-amd-fix-error-handling-for-pdev_pri_ats_enable.patch iommu-amd-improve-page-fault-error-reporting.patch iommu-amd-skip-attach-device-domain-is-same-as-new-domain.patch iommu-attach-device-group-to-old-domain-in-error-path.patch powerpc-mm-rearrange-if-else-block-to-avoid-clang-warning.patch series
---
diff --git a/queue-6.2/hid-asus-use-spinlock-to-protect-concurrent-accesses.patch b/queue-6.2/hid-asus-use-spinlock-to-protect-concurrent-accesses.patch
new file mode 100644
index 00000000000..75cbf169f75
--- /dev/null
+++ b/queue-6.2/hid-asus-use-spinlock-to-protect-concurrent-accesses.patch
@@ -0,0 +1,98 @@
+From 315c537068a13f0b5681d33dd045a912f4bece6f Mon Sep 17 00:00:00 2001
+From: Pietro Borrello
+Date: Sun, 12 Feb 2023 19:00:02 +0000
+Subject: HID: asus: use spinlock to protect concurrent accesses
+
+From: Pietro Borrello
+
+commit 315c537068a13f0b5681d33dd045a912f4bece6f upstream.
+
+asus driver has a worker that may access data concurrently.
+Proct the accesses using a spinlock.
+
+Fixes: af22a610bc38 ("HID: asus: support backlight on USB keyboards")
+Signed-off-by: Pietro Borrello
+Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-4-7860c5763c38@diag.uniroma1.it
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Stefan Ghinea
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-asus.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-asus.c
++++ b/drivers/hid/hid-asus.c
+@@ -98,6 +98,7 @@ struct asus_kbd_leds {
+ struct hid_device *hdev;
+ struct work_struct work;
+ unsigned int brightness;
++ spinlock_t lock;
+ bool removed;
+ };
+
+@@ -495,7 +496,12 @@ static void asus_kbd_backlight_set(struc
+ {
+ struct asus_kbd_leds *led = container_of(led_cdev, struct asus_kbd_leds,
+ cdev);
++ unsigned long flags;
++
++ spin_lock_irqsave(&led->lock, flags);
+ led->brightness = brightness;
++ spin_unlock_irqrestore(&led->lock, flags);
++
+ schedule_work(&led->work);
+ }
+
+@@ -503,8 +509,14 @@ static enum led_brightness asus_kbd_back
+ {
+ struct asus_kbd_leds *led = container_of(led_cdev, struct asus_kbd_leds,
+ cdev);
++ enum led_brightness brightness;
++ unsigned long flags;
+
+- return led->brightness;
++ spin_lock_irqsave(&led->lock, flags);
++ brightness = led->brightness;
++ spin_unlock_irqrestore(&led->lock, flags);
++
++ return brightness;
+ }
+
+ static void asus_kbd_backlight_work(struct work_struct *work)
+@@ -512,11 +524,14 @@ static void asus_kbd_backlight_work(stru
+ struct asus_kbd_leds *led = container_of(work, struct asus_kbd_leds, work);
+ u8 buf[] = { FEATURE_KBD_REPORT_ID, 0xba, 0xc5, 0xc4, 0x00 };
+ int ret;
++ unsigned long flags;
+
+ if (led->removed)
+ return;
+
++ spin_lock_irqsave(&led->lock, flags);
+ buf[4] = led->brightness;
++ spin_unlock_irqrestore(&led->lock, flags);
+
+ ret = asus_kbd_set_report(led->hdev, buf, sizeof(buf));
+ if (ret < 0)
+@@ -584,6 +599,7 @@ static int asus_kbd_register_leds(struct
+ drvdata->kbd_backlight->cdev.brightness_set = asus_kbd_backlight_set;
+ drvdata->kbd_backlight->cdev.brightness_get = asus_kbd_backlight_get;
+ INIT_WORK(&drvdata->kbd_backlight->work, asus_kbd_backlight_work);
++ spin_lock_init(&drvdata->kbd_backlight->lock);
+
+ ret = devm_led_classdev_register(&hdev->dev, &drvdata->kbd_backlight->cdev);
+ if (ret < 0) {
+@@ -1119,9 +1135,13 @@ err_stop_hw:
+ static void asus_remove(struct hid_device *hdev)
+ {
+ struct asus_drvdata *drvdata = hid_get_drvdata(hdev);
++ unsigned long flags;
+
+ if (drvdata->kbd_backlight) {
++ spin_lock_irqsave(&drvdata->kbd_backlight->lock, flags);
+ drvdata->kbd_backlight->removed = true;
++ spin_unlock_irqrestore(&drvdata->kbd_backlight->lock, flags);
++
+ cancel_work_sync(&drvdata->kbd_backlight->work);
+ }
+
diff --git a/queue-6.2/hid-asus-use-spinlock-to-safely-schedule-workers.patch b/queue-6.2/hid-asus-use-spinlock-to-safely-schedule-workers.patch
new file mode 100644
index 00000000000..832008ac6fd
--- /dev/null
+++ b/queue-6.2/hid-asus-use-spinlock-to-safely-schedule-workers.patch
@@ -0,0 +1,62 @@
+From 4ab3a086d10eeec1424f2e8a968827a6336203df Mon Sep 17 00:00:00 2001
+From: Pietro Borrello
+Date: Sun, 12 Feb 2023 19:00:03 +0000
+Subject: HID: asus: use spinlock to safely schedule workers
+
+From: Pietro Borrello
+
+commit 4ab3a086d10eeec1424f2e8a968827a6336203df upstream.
+
+Use spinlocks to deal with workers introducing a wrapper
+asus_schedule_work(), and several spinlock checks.
+Otherwise, asus_kbd_backlight_set() may schedule led->work after the
+structure has been freed, causing a use-after-free.
+
+Fixes: af22a610bc38 ("HID: asus: support backlight on USB keyboards")
+Signed-off-by: Pietro Borrello
+Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-5-7860c5763c38@diag.uniroma1.it
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Stefan Ghinea
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-asus.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/hid-asus.c
++++ b/drivers/hid/hid-asus.c
+@@ -491,6 +491,16 @@ static int rog_nkey_led_init(struct hid_
+ return ret;
+ }
+
++static void asus_schedule_work(struct asus_kbd_leds *led)
++{
++ unsigned long flags;
++
++ spin_lock_irqsave(&led->lock, flags);
++ if (!led->removed)
++ schedule_work(&led->work);
++ spin_unlock_irqrestore(&led->lock, flags);
++}
++
+ static void asus_kbd_backlight_set(struct led_classdev *led_cdev,
+ enum led_brightness brightness)
+ {
+@@ -502,7 +512,7 @@ static void asus_kbd_backlight_set(struc
+ led->brightness = brightness;
+ spin_unlock_irqrestore(&led->lock, flags);
+
+- schedule_work(&led->work);
++ asus_schedule_work(led);
+ }
+
+ static enum led_brightness asus_kbd_backlight_get(struct led_classdev *led_cdev)
+@@ -526,9 +536,6 @@ static void asus_kbd_backlight_work(stru
+ int ret;
+ unsigned long flags;
+
+- if (led->removed)
+- return;
+-
+ spin_lock_irqsave(&led->lock, flags);
+ buf[4] = led->brightness;
+ spin_unlock_irqrestore(&led->lock, flags);
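Review bot: asus_schedule_work() has no comment saying why `schedule_work()` is called with `led->lock` held, and that is the whole point of the wrapper. The test of `led->removed` is only safe because asus_remove() (in the previous patch of this series) sets the flag under the same lock before `cancel_work_sync()`, so work cannot be queued once removal has started. I would put that above the function, e.g. `/* led->lock serialises the removed check with asus_remove(), so work is never queued after cancel_work_sync() */`, and give the `spinlock_t lock;` field a trailing `/* protects brightness and removed */`.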
diff --git a/queue-6.2/iommu-amd-fix-error-handling-for-pdev_pri_ats_enable.patch b/queue-6.2/iommu-amd-fix-error-handling-for-pdev_pri_ats_enable.patch
new file mode 100644
index 00000000000..2432f0d0c12
--- /dev/null
+++ b/queue-6.2/iommu-amd-fix-error-handling-for-pdev_pri_ats_enable.patch
@@ -0,0 +1,62 @@
+From 080920e52148b4fbbf9360d5345fdcd7846e4841 Mon Sep 17 00:00:00 2001
+From: Vasant Hegde
+Date: Wed, 11 Jan 2023 12:15:03 +0000
+Subject: iommu/amd: Fix error handling for pdev_pri_ats_enable()
+
+From: Vasant Hegde
+
+commit 080920e52148b4fbbf9360d5345fdcd7846e4841 upstream.
+
+Current code throws kernel warning if it fails to enable pasid/pri [1].
+Do not call pci_disable_[pasid/pri] if pci_enable_[pasid/pri] failed.
+
+[1] https://lore.kernel.org/linux-iommu/15d0f9ff-2a56-b3e9-5b45-e6b23300ae3b@leemhuis.info/
+
+Reported-by: Matt Fagnani
+Signed-off-by: Vasant Hegde
+Reviewed-by: Suravee Suthikulpanit
+Link: https://lore.kernel.org/r/20230111121503.5931-1-vasant.hegde@amd.com
+Signed-off-by: Joerg Roedel
+Cc: "Limonciello, Mario"
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/amd/iommu.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -1702,27 +1702,29 @@ static int pdev_pri_ats_enable(struct pc
+ /* Only allow access to user-accessible pages */
+ ret = pci_enable_pasid(pdev, 0);
+ if (ret)
+- goto out_err;
++ return ret;
+
+ /* First reset the PRI state of the device */
+ ret = pci_reset_pri(pdev);
+ if (ret)
+- goto out_err;
++ goto out_err_pasid;
+
+ /* Enable PRI */
+ /* FIXME: Hardcode number of outstanding requests for now */
+ ret = pci_enable_pri(pdev, 32);
+ if (ret)
+- goto out_err;
++ goto out_err_pasid;
+
+ ret = pci_enable_ats(pdev, PAGE_SHIFT);
+ if (ret)
+- goto out_err;
++ goto out_err_pri;
+
+ return 0;
+
+-out_err:
++out_err_pri:
+ pci_disable_pri(pdev);
++
++out_err_pasid:
+ pci_disable_pasid(pdev);
+
+ return ret;
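Review bot: The two new labels at the end of pdev_pri_ats_enable() rely on `out_err_pri` falling through into `out_err_pasid`, but the blank line added between them makes them read as separate exits. A short `/* fall through: PASID was enabled before PRI */` after `pci_disable_pri(pdev);` would keep a later edit from putting a `return` between the two. The start of the function is outside the hunk.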
diff --git a/queue-6.2/iommu-amd-improve-page-fault-error-reporting.patch b/queue-6.2/iommu-amd-improve-page-fault-error-reporting.patch
new file mode 100644
index 00000000000..d0a6933fbdd
--- /dev/null
+++ b/queue-6.2/iommu-amd-improve-page-fault-error-reporting.patch
@@ -0,0 +1,74 @@
+From 996d120b4de2b0d6b592bd9fbbe6e244b81ab3cc Mon Sep 17 00:00:00 2001
+From: Vasant Hegde
+Date: Wed, 15 Feb 2023 05:26:42 +0000
+Subject: iommu/amd: Improve page fault error reporting
+
+From: Vasant Hegde
+
+commit 996d120b4de2b0d6b592bd9fbbe6e244b81ab3cc upstream.
+
+If IOMMU domain for device group is not setup properly then we may hit
+IOMMU page fault. Current page fault handler assumes that domain is
+always setup and it will hit NULL pointer derefence (see below sample log).
+
+Lets check whether domain is setup or not and log appropriate message.
+
+Sample log:
+----------
+ amdgpu 0000:00:01.0: amdgpu: SE 1, SH per SE 1, CU per SH 8, active_cu_number 6
+ BUG: kernel NULL pointer dereference, address: 0000000000000058
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 2 PID: 56 Comm: irq/24-AMD-Vi Not tainted 6.2.0-rc2+ #89
+ Hardware name: xxx
+ RIP: 0010:report_iommu_fault+0x11/0x90
+ [...]
+ Call Trace:
+
+ amd_iommu_int_thread+0x60c/0x760
+ ? __pfx_irq_thread_fn+0x10/0x10
+ irq_thread_fn+0x1f/0x60
+ irq_thread+0xea/0x1a0
+ ? preempt_count_add+0x6a/0xa0
+ ? __pfx_irq_thread_dtor+0x10/0x10
+ ? __pfx_irq_thread+0x10/0x10
+ kthread+0xe9/0x110
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x2c/0x50
+
+
+Reported-by: Matt Fagnani
+Suggested-by: Joerg Roedel
+Signed-off-by: Vasant Hegde
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216865
+Link: https://lore.kernel.org/lkml/15d0f9ff-2a56-b3e9-5b45-e6b23300ae3b@leemhuis.info/
+Link: https://lore.kernel.org/r/20230215052642.6016-3-vasant.hegde@amd.com
+Cc: stable@vger.kernel.org
+[joro: Edit commit message]
+Signed-off-by: Joerg Roedel
+Cc: "Limonciello, Mario"
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/amd/iommu.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -558,6 +558,15 @@ static void amd_iommu_report_page_fault(
+ * prevent logging it.
+ */
+ if (IS_IOMMU_MEM_TRANSACTION(flags)) {
++ /* Device not attached to domain properly */
++ if (dev_data->domain == NULL) {
++ pr_err_ratelimited("Event logged [Device not attached to domain properly]\n");
++ pr_err_ratelimited(" device=%04x:%02x:%02x.%x domain=0x%04x\n",
++ iommu->pci_seg->id, PCI_BUS_NUM(devid), PCI_SLOT(devid),
++ PCI_FUNC(devid), domain_id);
++ goto out;
++ }
++
+ if (!report_iommu_fault(&dev_data->domain->domain,
+ &pdev->dev, address,
+ IS_WRITE_REQUEST(flags) ?
diff --git a/queue-6.2/iommu-amd-skip-attach-device-domain-is-same-as-new-domain.patch b/queue-6.2/iommu-amd-skip-attach-device-domain-is-same-as-new-domain.patch
new file mode 100644
index 00000000000..045e297713e
--- /dev/null
+++ b/queue-6.2/iommu-amd-skip-attach-device-domain-is-same-as-new-domain.patch
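Review bot: `dev_data->domain` is read twice in amd_iommu_report_page_fault(), once for the new NULL test and again in `&dev_data->domain->domain`, and nothing in the hunk shows a lock held across both reads. If a detach can clear the pointer from another context in between, the test passes and the dereference still faults; whether that can happen depends on locking outside the hunk. Reading the pointer once into a local, e.g. `pdom = READ_ONCE(dev_data->domain);`, and using `pdom` for both the test and the report_iommu_fault() call would close that window. The function starts and ends outside the hunk.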
@@ -0,0 +1,37 @@
+From f451c7a5a3b818ecfeba2ba258570769998baf3a Mon Sep 17 00:00:00 2001
+From: Vasant Hegde
+Date: Wed, 15 Feb 2023 05:26:41 +0000
+Subject: iommu/amd: Skip attach device domain is same as new domain
+
+From: Vasant Hegde
+
+commit f451c7a5a3b818ecfeba2ba258570769998baf3a upstream.
+
+If device->domain is same as new domain then we can skip the
+device attach process.
+
+Signed-off-by: Vasant Hegde
+Link: https://lore.kernel.org/r/20230215052642.6016-2-vasant.hegde@amd.com
+Signed-off-by: Joerg Roedel
+Cc: "Limonciello, Mario"
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/amd/iommu.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -2161,6 +2161,13 @@ static int amd_iommu_attach_device(struc
+ struct amd_iommu *iommu = rlookup_amd_iommu(dev);
+ int ret;
+
++ /*
++ * Skip attach device to domain if new domain is same as
++ * devices current domain
++ */
++ if (dev_data->domain == domain)
++ return 0;
++
+ dev_data->defer_attach = false;
+
+ if (dev_data->domain)
diff --git a/queue-6.2/iommu-attach-device-group-to-old-domain-in-error-path.patch b/queue-6.2/iommu-attach-device-group-to-old-domain-in-error-path.patch
new file mode 100644
index 00000000000..1c8430a8b2c
--- /dev/null
+++ b/queue-6.2/iommu-attach-device-group-to-old-domain-in-error-path.patch
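Review bot: The new early return in amd_iommu_attach_device() sits above `dev_data->defer_attach = false;`, so on the same-domain path that flag keeps whatever value it had. If a deferred attach can reach this point with the device's current domain already equal to the requested one, the flag would stay set; the hunk does not show whether that can happen. Either move the check below the assignment or extend the new comment to say that leaving `defer_attach` untouched is intended. The function body continues outside the hunk.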
@@ -0,0 +1,71 @@
+From 2cc73c5712f97de98c38c2fafc1f288354a9f3c3 Mon Sep 17 00:00:00 2001
+From: Vasant Hegde
+Date: Wed, 15 Feb 2023 05:26:40 +0000
+Subject: iommu: Attach device group to old domain in error path
+
+From: Vasant Hegde
+
+commit 2cc73c5712f97de98c38c2fafc1f288354a9f3c3 upstream.
+
+iommu_attach_group() attaches all devices in a group to domain and then
+sets group domain (group->domain). Current code (__iommu_attach_group())
+does not handle error path. This creates problem as devices to domain
+attachment is in inconsistent state.
+
+Flow:
+ - During boot iommu attach devices to default domain
+ - Later some device driver (like amd/iommu_v2 or vfio) tries to attach
+ device to new domain.
+ - In iommu_attach_group() path we detach device from current domain.
+ Then it tries to attach devices to new domain.
+ - If it fails to attach device to new domain then device to domain link
+ is broken.
+ - iommu_attach_group() returns error.
+ - At this stage iommu_attach_group() caller thinks, attaching device to
+ new domain failed and devices are still attached to old domain.
+ - But in reality device to old domain link is broken. It will result
+ in all sort of failures (like IO page fault) later.
+
+To recover from this situation, we need to attach all devices back to the
+old domain. Also log warning if it fails attach device back to old domain.
+
+Suggested-by: Lu Baolu
+Reported-by: Matt Fagnani
+Signed-off-by: Vasant Hegde
+Reviewed-by: Jason Gunthorpe
+Tested-by: Matt Fagnani
+Link: https://lore.kernel.org/r/20230215052642.6016-1-vasant.hegde@amd.com
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216865
+Link: https://lore.kernel.org/lkml/15d0f9ff-2a56-b3e9-5b45-e6b23300ae3b@leemhuis.info/
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/iommu.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -2124,8 +2124,22 @@ static int __iommu_attach_group(struct i
+
+ ret = __iommu_group_for_each_dev(group, domain,
+ iommu_group_do_attach_device);
+- if (ret == 0)
++ if (ret == 0) {
+ group->domain = domain;
++ } else {
++ /*
++ * To recover from the case when certain device within the
++ * group fails to attach to the new domain, we need force
++ * attaching all devices back to the old domain. The old
++ * domain is compatible for all devices in the group,
++ * hence the iommu driver should always return success.
++ */
++ struct iommu_domain *old_domain = group->domain;
++
++ group->domain = NULL;
++ WARN(__iommu_group_set_domain(group, old_domain),
++ "iommu driver failed to attach a compatible domain");
++ }
+
+ return ret;
+ }
diff --git a/queue-6.2/powerpc-mm-rearrange-if-else-block-to-avoid-clang-warning.patch b/queue-6.2/powerpc-mm-rearrange-if-else-block-to-avoid-clang-warning.patch
new file mode 100644
index 00000000000..bafc07f1c4c
--- /dev/null
+++ b/queue-6.2/powerpc-mm-rearrange-if-else-block-to-avoid-clang-warning.patch
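Review bot: The `WARN()` in the new else branch of __iommu_attach_group() throws away the value returned by `__iommu_group_set_domain()`, so when the rollback fails the log does not say why. Keeping it in a local and printing it, `rc = __iommu_group_set_domain(group, old_domain);` followed by `WARN(rc, "iommu driver failed to attach a compatible domain: %d\n", rc);`, costs one line. The comment should also state what a failed rollback leaves behind: `group->domain` has already been set to NULL and the caller still receives only the original `ret`, so it cannot tell that the devices are no longer on the old domain. Whether `__iommu_group_set_domain()` restores `group->domain` on success is not visible in the hunk.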
@@ -0,0 +1,58 @@
+From d78c8e32890ef7eca79ffd67c96022c7f9d8cce4 Mon Sep 17 00:00:00 2001
+From: Anders Roxell
+Date: Wed, 10 Aug 2022 13:43:18 +0200
+Subject: powerpc/mm: Rearrange if-else block to avoid clang warning
+
+From: Anders Roxell
+
+commit d78c8e32890ef7eca79ffd67c96022c7f9d8cce4 upstream.
+
+Clang warns:
+
+ arch/powerpc/mm/book3s64/radix_tlb.c:1191:23: error: variable 'hstart' is uninitialized when used here
+ __tlbiel_va_range(hstart, hend, pid,
+ ^~~~~~
+ arch/powerpc/mm/book3s64/radix_tlb.c:1191:31: error: variable 'hend' is uninitialized when used here
+ __tlbiel_va_range(hstart, hend, pid,
+ ^~~~
+
+Rework the 'if (IS_ENABLE(CONFIG_TRANSPARENT_HUGEPAGE))' so hstart/hend
+is always initialized to silence the warnings. That will also simplify
+the 'else' path. Clang is getting confused with these warnings, but the
+warnings is a false-positive.
+
+Suggested-by: Arnd Bergmann
+Suggested-by: Nathan Chancellor
+Reviewed-by: Christophe Leroy
+Reviewed-by: Nathan Chancellor
+Signed-off-by: Anders Roxell
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220810114318.3220630-1-anders.roxell@linaro.org
+Signed-off-by: Daniel Díaz
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/mm/book3s64/radix_tlb.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/arch/powerpc/mm/book3s64/radix_tlb.c
++++ b/arch/powerpc/mm/book3s64/radix_tlb.c
+@@ -1179,15 +1179,12 @@ static inline void __radix__flush_tlb_ra
+ }
+ }
+ } else {
+- bool hflush = false;
++ bool hflush;
+ unsigned long hstart, hend;
+
+- if (IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE)) {
+- hstart = (start + PMD_SIZE - 1) & PMD_MASK;
+- hend = end & PMD_MASK;
+- if (hstart < hend)
+- hflush = true;
+- }
++ hstart = (start + PMD_SIZE - 1) & PMD_MASK;
++ hend = end & PMD_MASK;
++ hflush = IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE) && hstart < hend;
+
+ if (type == FLUSH_TYPE_LOCAL) {
+ asm volatile("ptesync": : :"memory");
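Review bot: The rewritten else branch gives no reason why `hstart` and `hend` are computed even when CONFIG_TRANSPARENT_HUGEPAGE is disabled, and the obvious later cleanup is to move them back under the config test, which would bring the clang warning back. A one-line comment above the assignments, e.g. `/* computed unconditionally so clang sees hstart/hend initialised */`, records that. The enclosing function starts and ends outside the hunk.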
diff --git a/queue-6.2/series b/queue-6.2/series
new file mode 100644
index 00000000000..f2f71160f65
--- /dev/null
+++ b/queue-6.2/series
@@ -0,0 +1,7 @@
+hid-asus-use-spinlock-to-protect-concurrent-accesses.patch
+hid-asus-use-spinlock-to-safely-schedule-workers.patch
+iommu-amd-fix-error-handling-for-pdev_pri_ats_enable.patch
+iommu-amd-skip-attach-device-domain-is-same-as-new-domain.patch
+iommu-amd-improve-page-fault-error-reporting.patch
+iommu-attach-device-group-to-old-domain-in-error-path.patch
+powerpc-mm-rearrange-if-else-block-to-avoid-clang-warning.patch