From: Greg Kroah-Hartman
Date: Sun, 28 Nov 2021 11:48:17 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v5.15.6~60
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d3ae10d5f614ceee969b5af8771d49df60c120cd;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches
added patches:
kvm-ppc-book3s-hv-prevent-power7-8-tlb-flush-flushing-slb.patch
mdio-aspeed-fix-link-is-down-issue.patch
mmc-sdhci-esdhc-imx-disable-cmdq-support.patch
mmc-sdhci-fix-adma-for-page_size-64kib.patch
powerpc-32-fix-hardlockup-on-vmap-stack-overflow.patch
tracing-fix-pid-filtering-when-triggers-are-attached.patch
tracing-uprobe-fix-uprobe_perf_open-probes-iteration.patch
xen-detect-uninitialized-xenbus-in-xenbus_init.patch
xen-don-t-continue-xenstore-initialization-in-case-of-errors.patch
---
diff --git a/queue-5.10/kvm-ppc-book3s-hv-prevent-power7-8-tlb-flush-flushing-slb.patch b/queue-5.10/kvm-ppc-book3s-hv-prevent-power7-8-tlb-flush-flushing-slb.patch
new file mode 100644
index 00000000000..8b62b8c250b
--- /dev/null
+++ b/queue-5.10/kvm-ppc-book3s-hv-prevent-power7-8-tlb-flush-flushing-slb.patch
@@ -0,0 +1,59 @@
+From cf0b0e3712f7af90006f8317ff27278094c2c128 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin
+Date: Fri, 19 Nov 2021 13:16:27 +1000
+Subject: KVM: PPC: Book3S HV: Prevent POWER7/8 TLB flush flushing SLB
+
+From: Nicholas Piggin
+
+commit cf0b0e3712f7af90006f8317ff27278094c2c128 upstream.
+
+The POWER9 ERAT flush instruction is a SLBIA with IH=7, which is a
+reserved value on POWER7/8. On POWER8 this invalidates the SLB entries
+above index 0, similarly to SLBIA IH=0.
+
+If the SLB entries are invalidated, and then the guest is bypassed, the
+host SLB does not get re-loaded, so the bolted entries above 0 will be
+lost. This can result in kernel stack access causing a SLB fault.
+
+Kernel stack access causing a SLB fault was responsible for the infamous
+mega bug (search "Fix SLB reload bug"). Although since commit
+48e7b7695745 ("powerpc/64s/hash: Convert SLB miss handlers to C") that
+starts using the kernel stack in the SLB miss handler, it might only
+result in an infinite loop of SLB faults. In any case it's a bug.
+
+Fix this by only executing the instruction on >= POWER9 where IH=7 is
+defined not to invalidate the SLB. POWER7/8 don't require this ERAT
+flush.
+
+Fixes: 500871125920 ("KVM: PPC: Book3S HV: Invalidate ERAT when flushing guest TLB entries")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: Nicholas Piggin
+Reviewed-by: Fabiano Rosas
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20211119031627.577853-1-npiggin@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kvm/book3s_hv_builtin.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kvm/book3s_hv_builtin.c
++++ b/arch/powerpc/kvm/book3s_hv_builtin.c
+@@ -867,6 +867,7 @@ static void flush_guest_tlb(struct kvm *
+ "r" (0) : "memory");
+ }
+ asm volatile("ptesync": : :"memory");
++ // POWER9 congruence-class TLBIEL leaves ERAT. Flush it now.
+ asm volatile(PPC_RADIX_INVALIDATE_ERAT_GUEST : : :"memory");
+ } else {
+ for (set = 0; set < kvm->arch.tlb_sets; ++set) {
+@@ -877,7 +878,9 @@ static void flush_guest_tlb(struct kvm *
+ rb += PPC_BIT(51); /* increment set number */
+ }
+ asm volatile("ptesync": : :"memory");
+- asm volatile(PPC_ISA_3_0_INVALIDATE_ERAT : : :"memory");
++ // POWER9 congruence-class TLBIEL leaves ERAT. Flush it now.
++ if (cpu_has_feature(CPU_FTR_ARCH_300))
++ asm volatile(PPC_ISA_3_0_INVALIDATE_ERAT : : :"memory");
+ }
+ }
+
diff --git a/queue-5.10/mdio-aspeed-fix-link-is-down-issue.patch b/queue-5.10/mdio-aspeed-fix-link-is-down-issue.patch
new file mode 100644
index 00000000000..8b86e8a2b83
--- /dev/null
+++ b/queue-5.10/mdio-aspeed-fix-link-is-down-issue.patch
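Review bot: The comment added in both branches of flush_guest_tlb says what POWER9 does but not why the hash-path flush is now conditional, which is the actual point of the fix and currently lives only in the commit message; I would replace the second `// POWER9 congruence-class TLBIEL leaves ERAT. Flush it now.` with `/* SLBIA IH=7 (the ISA 3.0 ERAT flush) is reserved before POWER9 and clears the SLB on POWER7/8, so only issue it on >= ISA 3.0; older CPUs need no ERAT flush here. */`. Kernel code also favours `/* */` over `//` line comments, so both new comments read better in that form. The radix branch keeps PPC_RADIX_INVALIDATE_ERAT_GUEST unconditional, which is presumably fine only because radix implies ISA 3.0 — that assumption is worth a word in the comment too. flush_guest_tlb begins before the hunk.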
@@ -0,0 +1,49 @@
+From 9dbe33cf371bd70330858370bdbc35c7668f00c3 Mon Sep 17 00:00:00 2001
+From: Dylan Hung
+Date: Thu, 25 Nov 2021 10:44:32 +0800
+Subject: mdio: aspeed: Fix "Link is Down" issue
+
+From: Dylan Hung
+
+commit 9dbe33cf371bd70330858370bdbc35c7668f00c3 upstream.
+
+The issue happened randomly in runtime. The message "Link is Down" is
+popped but soon it recovered to "Link is Up".
+
+The "Link is Down" results from the incorrect read data for reading the
+PHY register via MDIO bus. The correct sequence for reading the data
+shall be:
+1. fire the command
+2. wait for command done (this step was missing)
+3. wait for data idle
+4. read data from data register
+
+Cc: stable@vger.kernel.org
+Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed")
+Reviewed-by: Joel Stanley
+Signed-off-by: Dylan Hung
+Reviewed-by: Andrew Lunn
+Reviewed-by: Russell King (Oracle)
+Link: https://lore.kernel.org/r/20211125024432.15809-1-dylan_hung@aspeedtech.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/mdio/mdio-aspeed.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/mdio/mdio-aspeed.c
++++ b/drivers/net/mdio/mdio-aspeed.c
+@@ -61,6 +61,13 @@ static int aspeed_mdio_read(struct mii_b
+
+ iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL);
+
++ rc = readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
++ !(ctrl & ASPEED_MDIO_CTRL_FIRE),
++ ASPEED_MDIO_INTERVAL_US,
++ ASPEED_MDIO_TIMEOUT_US);
++ if (rc < 0)
++ return rc;
++
+ rc = readl_poll_timeout(ctx->base + ASPEED_MDIO_DATA, data,
+ data & ASPEED_MDIO_DATA_IDLE,
+ ASPEED_MDIO_INTERVAL_US,
diff --git a/queue-5.10/mmc-sdhci-esdhc-imx-disable-cmdq-support.patch b/queue-5.10/mmc-sdhci-esdhc-imx-disable-cmdq-support.patch
new file mode 100644
index 00000000000..5faf77442a4
--- /dev/null
+++ b/queue-5.10/mmc-sdhci-esdhc-imx-disable-cmdq-support.patch
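Review bot: The new FIRE-bit poll in aspeed_mdio_read returns `rc` to the caller on timeout, which is correct, but nothing records that the controller was left with a command still in flight, so the next random "Link is Down" will be just as hard to attribute; a `dev_dbg(ctx->dev, "MDIO command did not complete\n")` (or whatever device pointer the context carries) before `return rc;` would help. The wait-for-command-done step is only added to the read path; if aspeed_mdio_write fires the same ASPEED_MDIO_CTRL register (it is outside this hunk), a write followed immediately by a read could still overlap the previous command, so that path deserves the same check against the four-step sequence in the commit message. I would also add `/* step 2: wait for the fired command to complete before polling for data */` above the new readl_poll_timeout so the sequence is visible in the code. aspeed_mdio_read continues outside the hunk.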
@@ -0,0 +1,84 @@
+From adab993c25191b839b415781bdc7173a77315240 Mon Sep 17 00:00:00 2001
+From: Tim Harvey
+Date: Wed, 3 Nov 2021 09:54:15 -0700
+Subject: mmc: sdhci-esdhc-imx: disable CMDQ support
+
+From: Tim Harvey
+
+commit adab993c25191b839b415781bdc7173a77315240 upstream.
+
+On IMX SoC's which support CMDQ the following can occur during high a
+high cpu load:
+
+mmc2: cqhci: ============ CQHCI REGISTER DUMP ===========
+mmc2: cqhci: Caps: 0x0000310a | Version: 0x00000510
+mmc2: cqhci: Config: 0x00001001 | Control: 0x00000000
+mmc2: cqhci: Int stat: 0x00000000 | Int enab: 0x00000006
+mmc2: cqhci: Int sig: 0x00000006 | Int Coal: 0x00000000
+mmc2: cqhci: TDL base: 0x8003f000 | TDL up32: 0x00000000
+mmc2: cqhci: Doorbell: 0xbf01dfff | TCN: 0x00000000
+mmc2: cqhci: Dev queue: 0x00000000 | Dev Pend: 0x08000000
+mmc2: cqhci: Task clr: 0x00000000 | SSC1: 0x00011000
+mmc2: cqhci: SSC2: 0x00000001 | DCMD rsp: 0x00000800
+mmc2: cqhci: RED mask: 0xfdf9a080 | TERRI: 0x00000000
+mmc2: cqhci: Resp idx: 0x0000000d | Resp arg: 0x00000000
+mmc2: sdhci: ============ SDHCI REGISTER DUMP ===========
+mmc2: sdhci: Sys addr: 0x7c722000 | Version: 0x00000002
+mmc2: sdhci: Blk size: 0x00000200 | Blk cnt: 0x00000020
+mmc2: sdhci: Argument: 0x00018000 | Trn mode: 0x00000023
+mmc2: sdhci: Present: 0x01f88008 | Host ctl: 0x00000030
+mmc2: sdhci: Power: 0x00000002 | Blk gap: 0x00000080
+mmc2: sdhci: Wake-up: 0x00000008 | Clock: 0x0000000f
+mmc2: sdhci: Timeout: 0x0000008f | Int stat: 0x00000000
+mmc2: sdhci: Int enab: 0x107f4000 | Sig enab: 0x107f4000
+mmc2: sdhci: ACmd stat: 0x00000000 | Slot int: 0x00000502
+mmc2: sdhci: Caps: 0x07eb0000 | Caps_1: 0x8000b407
+mmc2: sdhci: Cmd: 0x00000d1a | Max curr: 0x00ffffff
+mmc2: sdhci: Resp[0]: 0x00000000 | Resp[1]: 0xffc003ff
+mmc2: sdhci: Resp[2]: 0x328f5903 | Resp[3]: 0x00d07f01
+mmc2: sdhci: Host ctl2: 0x00000088
+mmc2: sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0xfe179020
+mmc2: sdhci-esdhc-imx: ========= ESDHC IMX DEBUG STATUS DUMP ====
+mmc2:
sdhci-esdhc-imx: cmd debug status: 0x2120
+mmc2: sdhci-esdhc-imx: data debug status: 0x2200
+mmc2: sdhci-esdhc-imx: trans debug status: 0x2300
+mmc2: sdhci-esdhc-imx: dma debug status: 0x2400
+mmc2: sdhci-esdhc-imx: adma debug status: 0x2510
+mmc2: sdhci-esdhc-imx: fifo debug status: 0x2680
+mmc2: sdhci-esdhc-imx: async fifo debug status: 0x2750
+mmc2: sdhci: ============================================
+
+For now, disable CMDQ support on the imx8qm/imx8qxp/imx8mm until the
+issue is found and resolved.
+
+Fixes: bb6e358169bf6 ("mmc: sdhci-esdhc-imx: add CMDQ support")
+Fixes: cde5e8e9ff146 ("mmc: sdhci-esdhc-imx: Add an new esdhc_soc_data for i.MX8MM")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tim Harvey
+Reviewed-by: Haibo Chen
+Acked-by: Adrian Hunter
+Link: https://lore.kernel.org/r/20211103165415.2016-1-tharvey@gateworks.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -263,7 +263,6 @@ static struct esdhc_soc_data usdhc_imx8q
+ .flags = ESDHC_FLAG_USDHC | ESDHC_FLAG_STD_TUNING
+ | ESDHC_FLAG_HAVE_CAP1 | ESDHC_FLAG_HS200
+ | ESDHC_FLAG_HS400 | ESDHC_FLAG_HS400_ES
+- | ESDHC_FLAG_CQHCI
+ | ESDHC_FLAG_STATE_LOST_IN_LPMODE
+ | ESDHC_FLAG_CLK_RATE_LOST_IN_PM_RUNTIME,
+ };
+@@ -272,7 +271,6 @@ static struct esdhc_soc_data usdhc_imx8m
+ .flags = ESDHC_FLAG_USDHC | ESDHC_FLAG_STD_TUNING
+ | ESDHC_FLAG_HAVE_CAP1 | ESDHC_FLAG_HS200
+ | ESDHC_FLAG_HS400 | ESDHC_FLAG_HS400_ES
+- | ESDHC_FLAG_CQHCI
+ | ESDHC_FLAG_STATE_LOST_IN_LPMODE,
+ };
+
diff --git a/queue-5.10/mmc-sdhci-fix-adma-for-page_size-64kib.patch b/queue-5.10/mmc-sdhci-fix-adma-for-page_size-64kib.patch
new file mode 100644
index 00000000000..153eb73dee2
--- /dev/null
+++ b/queue-5.10/mmc-sdhci-fix-adma-for-page_size-64kib.patch
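Review bot: Dropping `ESDHC_FLAG_CQHCI` from the two esdhc_soc_data initialisers leaves no trace in the code that the omission is deliberate, so the next person adding a SoC entry or syncing flags between them is likely to put it straight back; I would add `/* ESDHC_FLAG_CQHCI deliberately omitted: CMDQ hangs under high CPU load, see adab993c2519 */` next to the `.flags` line of both structs. The commit message names imx8qm, imx8qxp and imx8mm, but only two structs are touched (the hunk headers truncate them to usdhc_imx8q… and usdhc_imx8m…), so it is worth confirming that the first one really covers both imx8qm and imx8qxp rather than a third table still carrying the flag.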
@@ -0,0 +1,91 @@
+From 3d7c194b7c9ad414264935ad4f943a6ce285ebb1 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter
+Date: Mon, 15 Nov 2021 10:23:45 +0200
+Subject: mmc: sdhci: Fix ADMA for PAGE_SIZE >= 64KiB
+
+From: Adrian Hunter
+
+commit 3d7c194b7c9ad414264935ad4f943a6ce285ebb1 upstream.
+
+The block layer forces a minimum segment size of PAGE_SIZE, so a segment
+can be too big for the ADMA table, if PAGE_SIZE >= 64KiB. Fix by writing
+multiple descriptors, noting that the ADMA table is sized for 4KiB chunks
+anyway, so it will be big enough.
+
+Reported-and-tested-by: Bough Chen
+Signed-off-by: Adrian Hunter
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211115082345.802238-1-adrian.hunter@intel.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci.c | 21 ++++++++++++++++++---
+ drivers/mmc/host/sdhci.h | 4 +++-
+ 2 files changed, 21 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -772,7 +772,19 @@ static void sdhci_adma_table_pre(struct
+ len -= offset;
+ }
+
+- BUG_ON(len > 65536);
++ /*
++ * The block layer forces a minimum segment size of PAGE_SIZE,
++ * so 'len' can be too big here if PAGE_SIZE >= 64KiB. Write
++ * multiple descriptors, noting that the ADMA table is sized
++ * for 4KiB chunks anyway, so it will be big enough.
++ */
++ while (len > host->max_adma) {
++ int n = 32 * 1024; /* 32KiB*/
++
++ __sdhci_adma_write_desc(host, &desc, addr, n, ADMA2_TRAN_VALID);
++ addr += n;
++ len -= n;
++ }
+
+ /* tran, valid */
+ if (len)
+@@ -3948,6 +3960,7 @@ struct sdhci_host *sdhci_alloc_host(stru
+ * descriptor for each segment, plus 1 for a nop end descriptor.
+ */
+ host->adma_table_cnt = SDHCI_MAX_SEGS * 2 + 1;
++ host->max_adma = 65536;
+
+ return host;
+ }
+@@ -4611,10 +4624,12 @@ int sdhci_setup_host(struct sdhci_host *
+ * be larger than 64 KiB though.
+ */
+ if (host->flags & SDHCI_USE_ADMA) {
+- if (host->quirks & SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC)
++ if (host->quirks & SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC) {
++ host->max_adma = 65532; /* 32-bit alignment */
+ mmc->max_seg_size = 65535;
+- else
++ } else {
+ mmc->max_seg_size = 65536;
++ }
+ } else {
+ mmc->max_seg_size = mmc->max_req_size;
+ }
+--- a/drivers/mmc/host/sdhci.h
++++ b/drivers/mmc/host/sdhci.h
+@@ -338,7 +338,8 @@ struct sdhci_adma2_64_desc {
+
+ /*
+ * Maximum segments assuming a 512KiB maximum requisition size and a minimum
+- * 4KiB page size.
++ * 4KiB page size. Note this also allows enough for multiple descriptors in
++ * case of PAGE_SIZE >= 64KiB.
+ */
+ #define SDHCI_MAX_SEGS 128
+
+@@ -540,6 +541,7 @@ struct sdhci_host {
+ unsigned int blocks; /* remaining PIO blocks */
+
+ int sg_count; /* Mapped sg entries */
++ int max_adma; /* Max. length in ADMA descriptor */
+
+ void *adma_table; /* ADMA descriptor table */
+ void *align_buffer; /* Bounce buffer */
diff --git a/queue-5.10/powerpc-32-fix-hardlockup-on-vmap-stack-overflow.patch b/queue-5.10/powerpc-32-fix-hardlockup-on-vmap-stack-overflow.patch
new file mode 100644
index 00000000000..3c3eee3225b
--- /dev/null
+++ b/queue-5.10/powerpc-32-fix-hardlockup-on-vmap-stack-overflow.patch
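Review bot: The split loop in sdhci_adma_table_pre hard-codes a 32 KiB chunk (`int n = 32 * 1024; /* 32KiB*/`) while its exit condition is driven by `host->max_adma`, so it is only correct because the two values this patch assigns (65536 and 65532) both exceed the chunk; if max_adma were ever lowered below 32 KiB the loop would emit descriptors larger than the limit and `len` (presumably an int) could go negative. I would tie the two together, `int n = min_t(int, 32 * 1024, host->max_adma);`, or at least name the constant and state the invariant in the comment, `/* chunk must not exceed host->max_adma */`. The removed `BUG_ON(len > 65536)` also bounded how many descriptors one segment could consume; the new comment asserts the table is big enough because it is sized for 4 KiB chunks, but nothing checks it, so a `WARN_ON_ONCE` when the descriptor pointer runs past `host->adma_table_cnt` entries would make that claim verifiable. sdhci_adma_table_pre begins before the hunk and its remaining descriptor writes continue after it.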
@@ -0,0 +1,44 @@
+From 5bb60ea611db1e04814426ed4bd1c95d1487678e Mon Sep 17 00:00:00 2001
+From: Christophe Leroy
+Date: Thu, 18 Nov 2021 10:39:53 +0100
+Subject: powerpc/32: Fix hardlockup on vmap stack overflow
+
+From: Christophe Leroy
+
+commit 5bb60ea611db1e04814426ed4bd1c95d1487678e upstream.
+
+Since the commit c118c7303ad5 ("powerpc/32: Fix vmap stack - Do not
+activate MMU before reading task struct") a vmap stack overflow
+results in a hard lockup. This is because emergency_ctx is still
+addressed with its virtual address allthough data MMU is not active
+anymore at that time.
+
+Fix it by using a physical address instead.
+
+Fixes: c118c7303ad5 ("powerpc/32: Fix vmap stack - Do not activate MMU before reading task struct")
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Christophe Leroy
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/ce30364fb7ccda489272af4a1612b6aa147e1d23.1637227521.git.christophe.leroy@csgroup.eu
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/head_32.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/kernel/head_32.h
++++ b/arch/powerpc/kernel/head_32.h
+@@ -333,11 +333,11 @@ label:
+ mfspr r1, SPRN_SPRG_THREAD
+ lwz r1, TASK_CPU - THREAD(r1)
+ slwi r1, r1, 3
+- addis r1, r1, emergency_ctx@ha
++ addis r1, r1, emergency_ctx-PAGE_OFFSET@ha
+ #else
+- lis r1, emergency_ctx@ha
++ lis r1, emergency_ctx-PAGE_OFFSET@ha
+ #endif
+- lwz r1, emergency_ctx@l(r1)
++ lwz r1, emergency_ctx-PAGE_OFFSET@l(r1)
+ addi r1, r1, THREAD_SIZE - INT_FRAME_SIZE
+ EXCEPTION_PROLOG_2
+ SAVE_NVGPRS(r11)
diff --git a/queue-5.10/series b/queue-5.10/series
index 9c4b902043d..7009daf504a 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
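Review bot: The three relocations now address emergency_ctx physically, but nothing in head_32.h says why this block differs from the surrounding code that uses plain `@ha`/`@l`, so a future reader is likely to "fix" it back; I would add above the `#ifdef` block (which starts before the hunk) the comment `/* Data MMU is off here (see c118c7303ad5): emergency_ctx must be addressed via its physical address. */`. The `lwz` then loads the stored emergency stack pointer, which is presumably still a virtual address that only becomes usable once EXCEPTION_PROLOG_2 re-enables translation — if that is the intent, the same comment should say so, because the following `addi r1, r1, THREAD_SIZE - INT_FRAME_SIZE` otherwise looks like it is mixing a physical base with a virtual value. The commit message typo "allthough" is harmless but could be fixed when the patch is re-spun.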
@@ -23,3 +23,12 @@ staging-fbtft-fix-backlight.patch
 staging-greybus-add-missing-rwsem-around-snd_ctl_remove-calls.patch
 staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch
 fuse-release-pipe-buf-after-last-use.patch
+xen-don-t-continue-xenstore-initialization-in-case-of-errors.patch
+xen-detect-uninitialized-xenbus-in-xenbus_init.patch
+kvm-ppc-book3s-hv-prevent-power7-8-tlb-flush-flushing-slb.patch
+tracing-uprobe-fix-uprobe_perf_open-probes-iteration.patch
+tracing-fix-pid-filtering-when-triggers-are-attached.patch
+mmc-sdhci-esdhc-imx-disable-cmdq-support.patch
+mmc-sdhci-fix-adma-for-page_size-64kib.patch
+mdio-aspeed-fix-link-is-down-issue.patch
+powerpc-32-fix-hardlockup-on-vmap-stack-overflow.patch
diff --git a/queue-5.10/tracing-fix-pid-filtering-when-triggers-are-attached.patch b/queue-5.10/tracing-fix-pid-filtering-when-triggers-are-attached.patch
new file mode 100644
index 00000000000..6bd66a7960b
--- /dev/null
+++ b/queue-5.10/tracing-fix-pid-filtering-when-triggers-are-attached.patch
@@ -0,0 +1,57 @@
+From a55f224ff5f238013de8762c4287117e47b86e22 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)"
+Date: Fri, 26 Nov 2021 17:34:42 -0500
+Subject: tracing: Fix pid filtering when triggers are attached
+
+From: Steven Rostedt (VMware)
+
+commit a55f224ff5f238013de8762c4287117e47b86e22 upstream.
+
+If a event is filtered by pid and a trigger that requires processing of
+the event to happen is a attached to the event, the discard portion does
+not take the pid filtering into account, and the event will then be
+recorded when it should not have been.
+
+Cc: stable@vger.kernel.org
+Fixes: 3fdaf80f4a836 ("tracing: Implement event pid filtering")
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace.h | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/kernel/trace/trace.h
++++ b/kernel/trace/trace.h
+@@ -1506,14 +1506,26 @@ __event_trigger_test_discard(struct trac
+ if (eflags & EVENT_FILE_FL_TRIGGER_COND)
+ *tt = event_triggers_call(file, entry, event);
+
+- if (test_bit(EVENT_FILE_FL_SOFT_DISABLED_BIT, &file->flags) ||
+- (unlikely(file->flags & EVENT_FILE_FL_FILTERED) &&
+- !filter_match_preds(file->filter, entry))) {
+- __trace_event_discard_commit(buffer, event);
+- return true;
+- }
++ if (likely(!(file->flags & (EVENT_FILE_FL_SOFT_DISABLED |
++ EVENT_FILE_FL_FILTERED |
++ EVENT_FILE_FL_PID_FILTER))))
++ return false;
++
++ if (file->flags & EVENT_FILE_FL_SOFT_DISABLED)
++ goto discard;
++
++ if (file->flags & EVENT_FILE_FL_FILTERED &&
++ !filter_match_preds(file->filter, entry))
++ goto discard;
++
++ if ((file->flags & EVENT_FILE_FL_PID_FILTER) &&
++ trace_event_ignore_this_pid(file))
++ goto discard;
+
+ return false;
++ discard:
++ __trace_event_discard_commit(buffer, event);
++ return true;
+ }
+
+ /**
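Review bot: In __event_trigger_test_discard the new pid check still runs after `*tt = event_triggers_call(file, entry, event);`, so a trigger with EVENT_FILE_FL_TRIGGER_COND fires for an event that the pid filter then discards; if that is intended (the trigger has to see every event, only the ring-buffer record is dropped), it deserves a comment such as `/* conditional triggers run before any filtering; only the recorded event is discarded */`, and if not, the fast-path flag test should move above the trigger call. Style-wise the three conditions are parenthesised inconsistently — `file->flags & EVENT_FILE_FL_FILTERED && !filter_match_preds(...)` next to `(file->flags & EVENT_FILE_FL_PID_FILTER) && ...` — so I would write `(file->flags & EVENT_FILE_FL_FILTERED) &&` to match. The function starts before the hunk.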
diff --git a/queue-5.10/tracing-uprobe-fix-uprobe_perf_open-probes-iteration.patch b/queue-5.10/tracing-uprobe-fix-uprobe_perf_open-probes-iteration.patch
new file mode 100644
index 00000000000..aff4e5763bd
--- /dev/null
+++ b/queue-5.10/tracing-uprobe-fix-uprobe_perf_open-probes-iteration.patch
@@ -0,0 +1,34 @@
+From 1880ed71ce863318c1ce93bf324876fb5f92854f Mon Sep 17 00:00:00 2001
+From: Jiri Olsa
+Date: Tue, 23 Nov 2021 15:28:01 +0100
+Subject: tracing/uprobe: Fix uprobe_perf_open probes iteration
+
+From: Jiri Olsa
+
+commit 1880ed71ce863318c1ce93bf324876fb5f92854f upstream.
+
+Add missing 'tu' variable initialization in the probes loop,
+otherwise the head 'tu' is used instead of added probes.
+
+Link: https://lkml.kernel.org/r/20211123142801.182530-1-jolsa@kernel.org
+
+Cc: stable@vger.kernel.org
+Fixes: 99c9a923e97a ("tracing/uprobe: Fix double perf_event linking on multiprobe uprobe")
+Acked-by: Masami Hiramatsu
+Signed-off-by: Jiri Olsa
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_uprobe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -1312,6 +1312,7 @@ static int uprobe_perf_open(struct trace
+ return 0;
+
+ list_for_each_entry(pos, trace_probe_probe_list(tp), list) {
++ tu = container_of(pos, struct trace_uprobe, tp);
+ err = uprobe_apply(tu->inode, tu->offset, &tu->consumer, true);
+ if (err) {
+ uprobe_perf_close(call, event);
diff --git a/queue-5.10/xen-detect-uninitialized-xenbus-in-xenbus_init.patch b/queue-5.10/xen-detect-uninitialized-xenbus-in-xenbus_init.patch
new file mode 100644
index 00000000000..f40e15cb215
--- /dev/null
+++ b/queue-5.10/xen-detect-uninitialized-xenbus-in-xenbus_init.patch
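Review bot: After the loop in uprobe_perf_open, `tu` no longer refers to the head probe it was derived from before the hunk, because every iteration now reassigns it via container_of; any later use of `tu` in the function (its body continues past the hunk) would silently operate on the last probe in the list. A one-line comment at the new assignment would flag that, e.g. `/* reassigns tu: after the loop it is the last probe, not the head */`, or the walk could use its own local. Iterating with `list_for_each_entry(tu, trace_probe_probe_list(tp), tp.list)` would drop the manual container_of, though that touches the loop variable declared outside the hunk. uprobe_perf_open begins before and ends after the hunk.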
@@ -0,0 +1,68 @@
+From 36e8f60f0867d3b70d398d653c17108459a04efe Mon Sep 17 00:00:00 2001
+From: Stefano Stabellini
+Date: Tue, 23 Nov 2021 13:07:48 -0800
+Subject: xen: detect uninitialized xenbus in xenbus_init
+
+From: Stefano Stabellini
+
+commit 36e8f60f0867d3b70d398d653c17108459a04efe upstream.
+
+If the xenstore page hasn't been allocated properly, reading the value
+of the related hvm_param (HVM_PARAM_STORE_PFN) won't actually return
+error. Instead, it will succeed and return zero. Instead of attempting
+to xen_remap a bad guest physical address, detect this condition and
+return early.
+
+Note that although a guest physical address of zero for
+HVM_PARAM_STORE_PFN is theoretically possible, it is not a good choice
+and zero has never been validly used in that capacity.
+
+Also recognize all bits set as an invalid value.
+
+For 32-bit Linux, any pfn above ULONG_MAX would get truncated. Pfns
+above ULONG_MAX should never be passed by the Xen tools to HVM guests
+anyway, so check for this condition and return early.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefano Stabellini
+Reviewed-by: Juergen Gross
+Reviewed-by: Jan Beulich
+Link: https://lore.kernel.org/r/20211123210748.1910236-1-sstabellini@kernel.org
+Signed-off-by: Boris Ostrovsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/xenbus/xenbus_probe.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/drivers/xen/xenbus/xenbus_probe.c
++++ b/drivers/xen/xenbus/xenbus_probe.c
+@@ -886,6 +886,29 @@ static int __init xenbus_init(void)
+ err = hvm_get_parameter(HVM_PARAM_STORE_PFN, &v);
+ if (err)
+ goto out_error;
++ /*
++ * Uninitialized hvm_params are zero and return no error.
++ * Although it is theoretically possible to have
++ * HVM_PARAM_STORE_PFN set to zero on purpose, in reality it is
++ * not zero when valid. If zero, it means that Xenstore hasn't
++ * been properly initialized. Instead of attempting to map a
++ * wrong guest physical address return error.
++ *
++ * Also recognize all bits set as an invalid value.
++ */
++ if (!v || !~v) {
++ err = -ENOENT;
++ goto out_error;
++ }
++ /* Avoid truncation on 32-bit. */
++#if BITS_PER_LONG == 32
++ if (v > ULONG_MAX) {
++ pr_err("%s: cannot handle HVM_PARAM_STORE_PFN=%llx > ULONG_MAX\n",
++ __func__, v);
++ err = -EINVAL;
++ goto out_error;
++ }
++#endif
+ xen_store_gfn = (unsigned long)v;
+ xen_store_interface =
+ xen_remap(xen_store_gfn << XEN_PAGE_SHIFT,
diff --git a/queue-5.10/xen-don-t-continue-xenstore-initialization-in-case-of-errors.patch b/queue-5.10/xen-don-t-continue-xenstore-initialization-in-case-of-errors.patch
new file mode 100644
index 00000000000..400d2e46628
--- /dev/null
+++ b/queue-5.10/xen-don-t-continue-xenstore-initialization-in-case-of-errors.patch
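Review bot: The 32-bit guard only checks that the pfn fits in an unsigned long, but the value is then used as `xen_store_gfn << XEN_PAGE_SHIFT`, and with `xen_store_gfn` presumably declared `unsigned long` (it is assigned via `(unsigned long)v`) that shift is done in 32-bit arithmetic, so any pfn at or above `1UL << (BITS_PER_LONG - XEN_PAGE_SHIFT)` passes the new check and still produces a truncated physical address; a tighter bound such as `if (v >= (1ULL << (BITS_PER_LONG - XEN_PAGE_SHIFT)))` would reject those as well. The `!v || !~v` test is correct but terse for a boot-time sanity check; I would write the second half as `v == ~0ULL` or annotate it `/* all bits set is also an invalid pfn */` so the intent survives without the block comment above. The -ENOENT for the zero/all-ones case is silent, unlike the 32-bit path which logs with pr_err — a matching `pr_err("%s: HVM_PARAM_STORE_PFN is uninitialized\n", __func__);` would make the failure diagnosable from the console. xenbus_init begins before the hunk and the xen_remap call continues after it.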
@@ -0,0 +1,57 @@
+From 08f6c2b09ebd4b326dbe96d13f94fee8f9814c78 Mon Sep 17 00:00:00 2001
+From: Stefano Stabellini
+Date: Mon, 15 Nov 2021 14:27:19 -0800
+Subject: xen: don't continue xenstore initialization in case of errors
+
+From: Stefano Stabellini
+
+commit 08f6c2b09ebd4b326dbe96d13f94fee8f9814c78 upstream.
+
+In case of errors in xenbus_init (e.g. missing xen_store_gfn parameter),
+we goto out_error but we forget to reset xen_store_domain_type to
+XS_UNKNOWN. As a consequence xenbus_probe_initcall and other initcalls
+will still try to initialize xenstore resulting into a crash at boot.
+
+[ 2.479830] Call trace:
+[ 2.482314] xb_init_comms+0x18/0x150
+[ 2.486354] xs_init+0x34/0x138
+[ 2.489786] xenbus_probe+0x4c/0x70
+[ 2.498432] xenbus_probe_initcall+0x2c/0x7c
+[ 2.503944] do_one_initcall+0x54/0x1b8
+[ 2.507358] kernel_init_freeable+0x1ac/0x210
+[ 2.511617] kernel_init+0x28/0x130
+[ 2.516112] ret_from_fork+0x10/0x20
+
+Cc:
+Cc: jbeulich@suse.com
+Signed-off-by: Stefano Stabellini
+Link: https://lore.kernel.org/r/20211115222719.2558207-1-sstabellini@kernel.org
+Reviewed-by: Jan Beulich
+Signed-off-by: Boris Ostrovsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/xenbus/xenbus_probe.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/xenbus/xenbus_probe.c
++++ b/drivers/xen/xenbus/xenbus_probe.c
+@@ -846,7 +846,7 @@ static struct notifier_block xenbus_resu
+
+ static int __init xenbus_init(void)
+ {
+- int err = 0;
++ int err;
+ uint64_t v = 0;
+ xen_store_domain_type = XS_UNKNOWN;
+
+@@ -920,8 +920,10 @@ static int __init xenbus_init(void)
+ */
+ proc_create_mount_point("xen");
+ #endif
++ return 0;
+
+ out_error:
++ xen_store_domain_type = XS_UNKNOWN;
+ return err;
+ }
+
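Review bot: Changing `int err = 0;` to `int err;` makes xenbus_init depend on every `goto out_error` having assigned `err` first, and those jumps sit in the part of the function between the two hunks that is not shown; a path reaching the label without setting it would now return an indeterminate value from an initcall instead of the old silent 0. If the intent is to let the compiler's uninitialised-use warning police that, it is a reasonable choice but should be stated, e.g. `/* every goto out_error must set err */` above the label. The new `return 0;` before `out_error:` is the right shape; it is also worth checking whether anything acquired earlier in the function (the xenstore page mapping, for instance) needs unwinding there, since the label now only resets xen_store_domain_type — that cannot be judged from the hunk.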