From: Greg Kroah-Hartman Date: Sat, 12 Aug 2023 16:57:34 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.14.323~52 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e77913f67089b011824bea9b9d025b24fc61c990;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: binder-fix-memory-leak-in-binder_init.patch drm-nouveau-disp-revert-a-null-check-inside-nouveau_connector_get_modes.patch iio-cros_ec-fix-the-allocation-size-for-cros_ec_command.patch netfilter-nf_tables-don-t-skip-expired-elements-during-walk.patch netfilter-nft_set_hash-mark-set-element-as-dead-when-deleting-from-packet-path.patch usb-common-usb-conn-gpio-prevent-bailing-out-if-initial-role-is-none.patch usb-dwc3-properly-handle-processing-of-pending-events.patch usb-storage-alauda-fix-uninit-value-in-alauda_check_media.patch x86-cpu-amd-enable-zenbleed-fix-for-amd-custom-apu-0405.patch x86-mm-fix-vdso-and-vvar-placement-on-5-level-paging-machines.patch x86-move-gds_ucode_mitigated-declaration-to-header.patch x86-speculation-add-cpu_show_gds-prototype.patch x86-srso-fix-build-breakage-with-the-llvm-linker.patch --- diff --git a/queue-5.10/binder-fix-memory-leak-in-binder_init.patch b/queue-5.10/binder-fix-memory-leak-in-binder_init.patch new file mode 100644 index 00000000000..13e74f55189 --- /dev/null +++ b/queue-5.10/binder-fix-memory-leak-in-binder_init.patch @@ -0,0 +1,61 @@ +From adb9743d6a08778b78d62d16b4230346d3508986 Mon Sep 17 00:00:00 2001 +From: Qi Zheng +Date: Sun, 25 Jun 2023 15:49:37 +0000 +Subject: binder: fix memory leak in binder_init() + +From: Qi Zheng + +commit adb9743d6a08778b78d62d16b4230346d3508986 upstream. + +In binder_init(), the destruction of binder_alloc_shrinker_init() is not +performed in the wrong path, which will cause memory leaks. So this commit +introduces binder_alloc_shrinker_exit() and calls it in the wrong path to +fix that. + +Signed-off-by: Qi Zheng +Acked-by: Carlos Llamas +Fixes: f2517eb76f1f ("android: binder: Add global lru shrinker to binder") +Cc: stable +Link: https://lore.kernel.org/r/20230625154937.64316-1-qi.zheng@linux.dev +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder.c | 1 + + drivers/android/binder_alloc.c | 6 ++++++ + drivers/android/binder_alloc.h | 1 + + 3 files changed, 8 insertions(+) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -6541,6 +6541,7 @@ err_init_binder_device_failed: + + err_alloc_device_names_failed: + debugfs_remove_recursive(binder_debugfs_dir_entry_root); ++ binder_alloc_shrinker_exit(); + + return ret; + } +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -1086,6 +1086,12 @@ int binder_alloc_shrinker_init(void) + return ret; + } + ++void binder_alloc_shrinker_exit(void) ++{ ++ unregister_shrinker(&binder_shrinker); ++ list_lru_destroy(&binder_alloc_lru); ++} ++ + /** + * check_buffer() - verify that buffer/offset is safe to access + * @alloc: binder_alloc for this proc +--- a/drivers/android/binder_alloc.h ++++ b/drivers/android/binder_alloc.h +@@ -125,6 +125,7 @@ extern struct binder_buffer *binder_allo + int pid); + extern void binder_alloc_init(struct binder_alloc *alloc); + extern int binder_alloc_shrinker_init(void); ++extern void binder_alloc_shrinker_exit(void); + extern void binder_alloc_vma_close(struct binder_alloc *alloc); + extern struct binder_buffer * + binder_alloc_prepare_to_free(struct binder_alloc *alloc, diff --git a/queue-5.10/drm-nouveau-disp-revert-a-null-check-inside-nouveau_connector_get_modes.patch b/queue-5.10/drm-nouveau-disp-revert-a-null-check-inside-nouveau_connector_get_modes.patch new file mode 100644 index 00000000000..c486cd2a101 --- /dev/null +++ b/queue-5.10/drm-nouveau-disp-revert-a-null-check-inside-nouveau_connector_get_modes.patch @@ -0,0 +1,40 @@ +From d5712cd22b9cf109fded1b7f178f4c1888c8b84b Mon Sep 17 00:00:00 2001 +From: Karol Herbst +Date: Sat, 5 Aug 2023 12:18:13 +0200 +Subject: drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes + +From: Karol Herbst + +commit d5712cd22b9cf109fded1b7f178f4c1888c8b84b upstream. + +The original commit adding that check tried to protect the kenrel against +a potential invalid NULL pointer access. + +However we call nouveau_connector_detect_depth once without a native_mode +set on purpose for non LVDS connectors and this broke DP support in a few +cases. + +Cc: Olaf Skibbe +Cc: Lyude Paul +Closes: https://gitlab.freedesktop.org/drm/nouveau/-/issues/238 +Closes: https://gitlab.freedesktop.org/drm/nouveau/-/issues/245 +Fixes: 20a2ce87fbaf8 ("drm/nouveau/dp: check for NULL nv_connector->native_mode") +Signed-off-by: Karol Herbst +Reviewed-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20230805101813.2603989-1-kherbst@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -947,7 +947,7 @@ nouveau_connector_get_modes(struct drm_c + /* Determine display colour depth for everything except LVDS now, + * DP requires this before mode_valid() is called. + */ +- if (connector->connector_type != DRM_MODE_CONNECTOR_LVDS && nv_connector->native_mode) ++ if (connector->connector_type != DRM_MODE_CONNECTOR_LVDS) + nouveau_connector_detect_depth(connector); + + /* Find the native mode if this is a digital panel, if we didn't diff --git a/queue-5.10/iio-cros_ec-fix-the-allocation-size-for-cros_ec_command.patch b/queue-5.10/iio-cros_ec-fix-the-allocation-size-for-cros_ec_command.patch new file mode 100644 index 00000000000..d813045378f --- /dev/null +++ b/queue-5.10/iio-cros_ec-fix-the-allocation-size-for-cros_ec_command.patch @@ -0,0 +1,35 @@ +From 8a4629055ef55177b5b63dab1ecce676bd8cccdd Mon Sep 17 00:00:00 2001 +From: Yiyuan Guo +Date: Fri, 30 Jun 2023 22:37:19 +0800 +Subject: iio: cros_ec: Fix the allocation size for cros_ec_command + +From: Yiyuan Guo + +commit 8a4629055ef55177b5b63dab1ecce676bd8cccdd upstream. + +The struct cros_ec_command contains several integer fields and a +trailing array. An allocation size neglecting the integer fields can +lead to buffer overrun. + +Reviewed-by: Tzung-Bi Shih +Signed-off-by: Yiyuan Guo +Fixes: 974e6f02e27e ("iio: cros_ec_sensors_core: Add common functions for the ChromeOS EC Sensor Hub.") +Link: https://lore.kernel.org/r/20230630143719.1513906-1-yguoaz@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c ++++ b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c +@@ -263,7 +263,7 @@ int cros_ec_sensors_core_init(struct pla + platform_set_drvdata(pdev, indio_dev); + + state->ec = ec->ec_dev; +- state->msg = devm_kzalloc(&pdev->dev, ++ state->msg = devm_kzalloc(&pdev->dev, sizeof(*state->msg) + + max((u16)sizeof(struct ec_params_motion_sense), + state->ec->max_response), GFP_KERNEL); + if (!state->msg) diff --git a/queue-5.10/netfilter-nf_tables-don-t-skip-expired-elements-during-walk.patch b/queue-5.10/netfilter-nf_tables-don-t-skip-expired-elements-during-walk.patch new file mode 100644 index 00000000000..accdaccaeae --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-don-t-skip-expired-elements-during-walk.patch @@ -0,0 +1,129 @@ +From 24138933b97b055d486e8064b4a1721702442a9b Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Wed, 9 Aug 2023 14:31:15 +0200 +Subject: netfilter: nf_tables: don't skip expired elements during walk + +From: Florian Westphal + +commit 24138933b97b055d486e8064b4a1721702442a9b upstream. + +There is an asymmetry between commit/abort and preparation phase if the +following conditions are met: + +1. set is a verdict map ("1.2.3.4 : jump foo") +2. timeouts are enabled + +In this case, following sequence is problematic: + +1. element E in set S refers to chain C +2. userspace requests removal of set S +3. kernel does a set walk to decrement chain->use count for all elements + from preparation phase +4. kernel does another set walk to remove elements from the commit phase + (or another walk to do a chain->use increment for all elements from + abort phase) + +If E has already expired in 1), it will be ignored during list walk, so its use count +won't have been changed. + +Then, when set is culled, ->destroy callback will zap the element via +nf_tables_set_elem_destroy(), but this function is only safe for +elements that have been deactivated earlier from the preparation phase: +lack of earlier deactivate removes the element but leaks the chain use +count, which results in a WARN splat when the chain gets removed later, +plus a leak of the nft_chain structure. + +Update pipapo_get() not to skip expired elements, otherwise flush +command reports bogus ENOENT errors. + +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support") +Fixes: 9d0982927e79 ("netfilter: nft_hash: add support for timeouts") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 4 ++++ + net/netfilter/nft_set_hash.c | 2 -- + net/netfilter/nft_set_pipapo.c | 18 ++++++++++++------ + net/netfilter/nft_set_rbtree.c | 2 -- + 4 files changed, 16 insertions(+), 10 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4911,8 +4911,12 @@ static int nf_tables_dump_setelem(const + const struct nft_set_iter *iter, + struct nft_set_elem *elem) + { ++ const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); + struct nft_set_dump_args *args; + ++ if (nft_set_elem_expired(ext)) ++ return 0; ++ + args = container_of(iter, struct nft_set_dump_args, iter); + return nf_tables_fill_setelem(args->skb, set, elem); + } +--- a/net/netfilter/nft_set_hash.c ++++ b/net/netfilter/nft_set_hash.c +@@ -277,8 +277,6 @@ static void nft_rhash_walk(const struct + + if (iter->count < iter->skip) + goto cont; +- if (nft_set_elem_expired(&he->ext)) +- goto cont; + if (!nft_set_elem_active(&he->ext, iter->genmask)) + goto cont; + +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -566,8 +566,7 @@ next_match: + goto out; + + if (last) { +- if (nft_set_elem_expired(&f->mt[b].e->ext) || +- (genmask && ++ if ((genmask && + !nft_set_elem_active(&f->mt[b].e->ext, genmask))) + goto next_match; + +@@ -601,8 +600,17 @@ out: + static void *nft_pipapo_get(const struct net *net, const struct nft_set *set, + const struct nft_set_elem *elem, unsigned int flags) + { +- return pipapo_get(net, set, (const u8 *)elem->key.val.data, +- nft_genmask_cur(net)); ++ struct nft_pipapo_elem *ret; ++ ++ ret = pipapo_get(net, set, (const u8 *)elem->key.val.data, ++ nft_genmask_cur(net)); ++ if (IS_ERR(ret)) ++ return ret; ++ ++ if (nft_set_elem_expired(&ret->ext)) ++ return ERR_PTR(-ENOENT); ++ ++ return ret; + } + + /** +@@ -1981,8 +1989,6 @@ static void nft_pipapo_walk(const struct + goto cont; + + e = f->mt[r].e; +- if (nft_set_elem_expired(&e->ext)) +- goto cont; + + elem.priv = e; + +--- a/net/netfilter/nft_set_rbtree.c ++++ b/net/netfilter/nft_set_rbtree.c +@@ -551,8 +551,6 @@ static void nft_rbtree_walk(const struct + + if (iter->count < iter->skip) + goto cont; +- if (nft_set_elem_expired(&rbe->ext)) +- goto cont; + if (!nft_set_elem_active(&rbe->ext, iter->genmask)) + goto cont; + diff --git a/queue-5.10/netfilter-nft_set_hash-mark-set-element-as-dead-when-deleting-from-packet-path.patch b/queue-5.10/netfilter-nft_set_hash-mark-set-element-as-dead-when-deleting-from-packet-path.patch new file mode 100644 index 00000000000..028c7656b42 --- /dev/null +++ b/queue-5.10/netfilter-nft_set_hash-mark-set-element-as-dead-when-deleting-from-packet-path.patch @@ -0,0 +1,43 @@ +From c92db3030492b8ad1d0faace7a93bbcf53850d0c Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Wed, 9 Aug 2023 15:00:06 +0200 +Subject: netfilter: nft_set_hash: mark set element as dead when deleting from packet path + +From: Pablo Neira Ayuso + +commit c92db3030492b8ad1d0faace7a93bbcf53850d0c upstream. + +Set on the NFT_SET_ELEM_DEAD_BIT flag on this element, instead of +performing element removal which might race with an ongoing transaction. +Enable gc when dynamic flag is set on since dynset deletion requires +garbage collection after this patch. + +Fixes: d0a8d877da97 ("netfilter: nft_dynset: support for element deletion") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_set_hash.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/netfilter/nft_set_hash.c ++++ b/net/netfilter/nft_set_hash.c +@@ -251,7 +251,9 @@ static bool nft_rhash_delete(const struc + if (he == NULL) + return false; + +- return rhashtable_remove_fast(&priv->ht, &he->node, nft_rhash_params) == 0; ++ nft_set_elem_dead(&he->ext); ++ ++ return true; + } + + static void nft_rhash_walk(const struct nft_ctx *ctx, struct nft_set *set, +@@ -372,7 +374,7 @@ static int nft_rhash_init(const struct n + return err; + + INIT_DEFERRABLE_WORK(&priv->gc_work, nft_rhash_gc); +- if (set->flags & NFT_SET_TIMEOUT) ++ if (set->flags & (NFT_SET_TIMEOUT | NFT_SET_EVAL)) + nft_rhash_gc_init(set); + + return 0; diff --git a/queue-5.10/series b/queue-5.10/series index c6d9371b16f..2e1c101bd1c 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -17,3 +17,16 @@ radix-tree-test-suite-fix-incorrect-allocation-size-for-pthreads.patch x86-pkeys-revert-a5eff7259790-x86-pkeys-add-pkru-value-to-init_fpstate.patch nilfs2-fix-use-after-free-of-nilfs_root-in-dirtying-inodes-via-iput.patch io_uring-correct-check-for-o_tmpfile.patch +iio-cros_ec-fix-the-allocation-size-for-cros_ec_command.patch +binder-fix-memory-leak-in-binder_init.patch +usb-storage-alauda-fix-uninit-value-in-alauda_check_media.patch +usb-dwc3-properly-handle-processing-of-pending-events.patch +usb-common-usb-conn-gpio-prevent-bailing-out-if-initial-role-is-none.patch +x86-srso-fix-build-breakage-with-the-llvm-linker.patch +x86-cpu-amd-enable-zenbleed-fix-for-amd-custom-apu-0405.patch +x86-mm-fix-vdso-and-vvar-placement-on-5-level-paging-machines.patch +x86-speculation-add-cpu_show_gds-prototype.patch +x86-move-gds_ucode_mitigated-declaration-to-header.patch +drm-nouveau-disp-revert-a-null-check-inside-nouveau_connector_get_modes.patch +netfilter-nf_tables-don-t-skip-expired-elements-during-walk.patch +netfilter-nft_set_hash-mark-set-element-as-dead-when-deleting-from-packet-path.patch diff --git a/queue-5.10/usb-common-usb-conn-gpio-prevent-bailing-out-if-initial-role-is-none.patch b/queue-5.10/usb-common-usb-conn-gpio-prevent-bailing-out-if-initial-role-is-none.patch new file mode 100644 index 00000000000..9722558da58 --- /dev/null +++ b/queue-5.10/usb-common-usb-conn-gpio-prevent-bailing-out-if-initial-role-is-none.patch @@ -0,0 +1,62 @@ +From 8e21a620c7e6e00347ade1a6ed4967b359eada5a Mon Sep 17 00:00:00 2001 +From: Prashanth K +Date: Tue, 1 Aug 2023 14:33:52 +0530 +Subject: usb: common: usb-conn-gpio: Prevent bailing out if initial role is none + +From: Prashanth K + +commit 8e21a620c7e6e00347ade1a6ed4967b359eada5a upstream. + +Currently if we bootup a device without cable connected, then +usb-conn-gpio won't call set_role() because last_role is same +as current role. This happens since last_role gets initialised +to zero during the probe. + +To avoid this, add a new flag initial_detection into struct +usb_conn_info, which prevents bailing out during initial +detection. + +Cc: # 5.4 +Fixes: 4602f3bff266 ("usb: common: add USB GPIO based connection detection driver") +Signed-off-by: Prashanth K +Tested-by: AngeloGioacchino Del Regno +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/1690880632-12588-1-git-send-email-quic_prashk@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/common/usb-conn-gpio.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/common/usb-conn-gpio.c ++++ b/drivers/usb/common/usb-conn-gpio.c +@@ -42,6 +42,7 @@ struct usb_conn_info { + + struct power_supply_desc desc; + struct power_supply *charger; ++ bool initial_detection; + }; + + /* +@@ -86,11 +87,13 @@ static void usb_conn_detect_cable(struct + dev_dbg(info->dev, "role %d/%d, gpios: id %d, vbus %d\n", + info->last_role, role, id, vbus); + +- if (info->last_role == role) { ++ if (!info->initial_detection && info->last_role == role) { + dev_warn(info->dev, "repeated role: %d\n", role); + return; + } + ++ info->initial_detection = false; ++ + if (info->last_role == USB_ROLE_HOST && info->vbus) + regulator_disable(info->vbus); + +@@ -277,6 +280,7 @@ static int usb_conn_probe(struct platfor + platform_set_drvdata(pdev, info); + + /* Perform initial detection */ ++ info->initial_detection = true; + usb_conn_queue_dwork(info, 0); + + return 0; diff --git a/queue-5.10/usb-dwc3-properly-handle-processing-of-pending-events.patch b/queue-5.10/usb-dwc3-properly-handle-processing-of-pending-events.patch new file mode 100644 index 00000000000..591ac0004ff --- /dev/null +++ b/queue-5.10/usb-dwc3-properly-handle-processing-of-pending-events.patch @@ -0,0 +1,56 @@ +From 3ddaa6a274578e23745b7466346fc2650df8f959 Mon Sep 17 00:00:00 2001 +From: Elson Roy Serrao +Date: Tue, 1 Aug 2023 12:26:58 -0700 +Subject: usb: dwc3: Properly handle processing of pending events + +From: Elson Roy Serrao + +commit 3ddaa6a274578e23745b7466346fc2650df8f959 upstream. + +If dwc3 is runtime suspended we defer processing the event buffer +until resume, by setting the pending_events flag. Set this flag before +triggering resume to avoid race with the runtime resume callback. + +While handling the pending events, in addition to checking the event +buffer we also need to process it. Handle this by explicitly calling +dwc3_thread_interrupt(). Also balance the runtime pm get() operation +that triggered this processing. + +Cc: stable@vger.kernel.org +Fixes: fc8bb91bc83e ("usb: dwc3: implement runtime PM") +Signed-off-by: Elson Roy Serrao +Acked-by: Thinh Nguyen +Reviewed-by: Roger Quadros +Link: https://lore.kernel.org/r/20230801192658.19275-1-quic_eserrao@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -3830,9 +3830,14 @@ static irqreturn_t dwc3_check_event_buf( + u32 reg; + + if (pm_runtime_suspended(dwc->dev)) { ++ dwc->pending_events = true; ++ /* ++ * Trigger runtime resume. The get() function will be balanced ++ * after processing the pending events in dwc3_process_pending ++ * events(). ++ */ + pm_runtime_get(dwc->dev); + disable_irq_nosync(dwc->irq_gadget); +- dwc->pending_events = true; + return IRQ_HANDLED; + } + +@@ -4091,6 +4096,8 @@ void dwc3_gadget_process_pending_events( + { + if (dwc->pending_events) { + dwc3_interrupt(dwc->irq_gadget, dwc->ev_buf); ++ dwc3_thread_interrupt(dwc->irq_gadget, dwc->ev_buf); ++ pm_runtime_put(dwc->dev); + dwc->pending_events = false; + enable_irq(dwc->irq_gadget); + } diff --git a/queue-5.10/usb-storage-alauda-fix-uninit-value-in-alauda_check_media.patch b/queue-5.10/usb-storage-alauda-fix-uninit-value-in-alauda_check_media.patch new file mode 100644 index 00000000000..00d3e9dd804 --- /dev/null +++ b/queue-5.10/usb-storage-alauda-fix-uninit-value-in-alauda_check_media.patch @@ -0,0 +1,81 @@ +From a6ff6e7a9dd69364547751db0f626a10a6d628d2 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 2 Aug 2023 13:49:02 -0400 +Subject: usb-storage: alauda: Fix uninit-value in alauda_check_media() + +From: Alan Stern + +commit a6ff6e7a9dd69364547751db0f626a10a6d628d2 upstream. + +Syzbot got KMSAN to complain about access to an uninitialized value in +the alauda subdriver of usb-storage: + +BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0 +drivers/usb/storage/alauda.c:1137 +CPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x191/0x1f0 lib/dump_stack.c:113 + kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108 + __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250 + alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460 + +The problem is that alauda_check_media() doesn't verify that its USB +transfer succeeded before trying to use the received data. What +should happen if the transfer fails isn't entirely clear, but a +reasonably conservative approach is to pretend that no media is +present. + +A similar problem exists in a usb_stor_dbg() call in +alauda_get_media_status(). In this case, when an error occurs the +call is redundant, because usb_stor_ctrl_transfer() already will print +a debugging message. + +Finally, unrelated to the uninitialized memory access, is the fact +that alauda_check_media() performs DMA to a buffer on the stack. +Fortunately usb-storage provides a general purpose DMA-able buffer for +uses like this. We'll use it instead. + +Reported-and-tested-by: syzbot+e7d46eb426883fb97efd@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/0000000000007d25ff059457342d@google.com/T/ +Suggested-by: Christophe JAILLET +Signed-off-by: Alan Stern +Fixes: e80b0fade09e ("[PATCH] USB Storage: add alauda support") +Cc: +Link: https://lore.kernel.org/r/693d5d5e-f09b-42d0-8ed9-1f96cd30bcce@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/alauda.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/usb/storage/alauda.c ++++ b/drivers/usb/storage/alauda.c +@@ -318,7 +318,8 @@ static int alauda_get_media_status(struc + rc = usb_stor_ctrl_transfer(us, us->recv_ctrl_pipe, + command, 0xc0, 0, 1, data, 2); + +- usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]); ++ if (rc == USB_STOR_XFER_GOOD) ++ usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]); + + return rc; + } +@@ -454,9 +455,14 @@ static int alauda_init_media(struct us_d + static int alauda_check_media(struct us_data *us) + { + struct alauda_info *info = (struct alauda_info *) us->extra; +- unsigned char status[2]; ++ unsigned char *status = us->iobuf; ++ int rc; + +- alauda_get_media_status(us, status); ++ rc = alauda_get_media_status(us, status); ++ if (rc != USB_STOR_XFER_GOOD) { ++ status[0] = 0xF0; /* Pretend there's no media */ ++ status[1] = 0; ++ } + + /* Check for no media or door open */ + if ((status[0] & 0x80) || ((status[0] & 0x1F) == 0x10) diff --git a/queue-5.10/x86-cpu-amd-enable-zenbleed-fix-for-amd-custom-apu-0405.patch b/queue-5.10/x86-cpu-amd-enable-zenbleed-fix-for-amd-custom-apu-0405.patch new file mode 100644 index 00000000000..3b7521f138f --- /dev/null +++ b/queue-5.10/x86-cpu-amd-enable-zenbleed-fix-for-amd-custom-apu-0405.patch @@ -0,0 +1,41 @@ +From 6dbef74aeb090d6bee7d64ef3fa82ae6fa53f271 Mon Sep 17 00:00:00 2001 +From: Cristian Ciocaltea +Date: Fri, 11 Aug 2023 23:37:05 +0300 +Subject: x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405 + +From: Cristian Ciocaltea + +commit 6dbef74aeb090d6bee7d64ef3fa82ae6fa53f271 upstream. + +Commit + + 522b1d69219d ("x86/cpu/amd: Add a Zenbleed fix") + +provided a fix for the Zen2 VZEROUPPER data corruption bug affecting +a range of CPU models, but the AMD Custom APU 0405 found on SteamDeck +was not listed, although it is clearly affected by the vulnerability. + +Add this CPU variant to the Zenbleed erratum list, in order to +unconditionally enable the fallback fix until a proper microcode update +is available. + +Fixes: 522b1d69219d ("x86/cpu/amd: Add a Zenbleed fix") +Signed-off-by: Cristian Ciocaltea +Signed-off-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230811203705.1699914-1-cristian.ciocaltea@collabora.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/amd.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -74,6 +74,7 @@ static const int amd_erratum_1054[] = + static const int amd_zenbleed[] = + AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0x30, 0x0, 0x4f, 0xf), + AMD_MODEL_RANGE(0x17, 0x60, 0x0, 0x7f, 0xf), ++ AMD_MODEL_RANGE(0x17, 0x90, 0x0, 0x91, 0xf), + AMD_MODEL_RANGE(0x17, 0xa0, 0x0, 0xaf, 0xf)); + + static const int amd_div0[] = diff --git a/queue-5.10/x86-mm-fix-vdso-and-vvar-placement-on-5-level-paging-machines.patch b/queue-5.10/x86-mm-fix-vdso-and-vvar-placement-on-5-level-paging-machines.patch new file mode 100644 index 00000000000..7cc5b7fec81 --- /dev/null +++ b/queue-5.10/x86-mm-fix-vdso-and-vvar-placement-on-5-level-paging-machines.patch @@ -0,0 +1,52 @@ +From 1b8b1aa90c9c0e825b181b98b8d9e249dc395470 Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" +Date: Thu, 3 Aug 2023 18:16:09 +0300 +Subject: x86/mm: Fix VDSO and VVAR placement on 5-level paging machines + +From: Kirill A. Shutemov + +commit 1b8b1aa90c9c0e825b181b98b8d9e249dc395470 upstream. + +Yingcong has noticed that on the 5-level paging machine, VDSO and VVAR +VMAs are placed above the 47-bit border: + +8000001a9000-8000001ad000 r--p 00000000 00:00 0 [vvar] +8000001ad000-8000001af000 r-xp 00000000 00:00 0 [vdso] + +This might confuse users who are not aware of 5-level paging and expect +all userspace addresses to be under the 47-bit border. + +So far problem has only been triggered with ASLR disabled, although it +may also occur with ASLR enabled if the layout is randomized in a just +right way. + +The problem happens due to custom placement for the VMAs in the VDSO +code: vdso_addr() tries to place them above the stack and checks the +result against TASK_SIZE_MAX, which is wrong. TASK_SIZE_MAX is set to +the 56-bit border on 5-level paging machines. Use DEFAULT_MAP_WINDOW +instead. + +Fixes: b569bab78d8d ("x86/mm: Prepare to expose larger address space to userspace") +Reported-by: Yingcong Wu +Signed-off-by: Kirill A. Shutemov +Signed-off-by: Dave Hansen +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20230803151609.22141-1-kirill.shutemov%40linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/entry/vdso/vma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/entry/vdso/vma.c ++++ b/arch/x86/entry/vdso/vma.c +@@ -339,8 +339,8 @@ static unsigned long vdso_addr(unsigned + + /* Round the lowest possible end address up to a PMD boundary. */ + end = (start + len + PMD_SIZE - 1) & PMD_MASK; +- if (end >= TASK_SIZE_MAX) +- end = TASK_SIZE_MAX; ++ if (end >= DEFAULT_MAP_WINDOW) ++ end = DEFAULT_MAP_WINDOW; + end -= len; + + if (end > start) { diff --git a/queue-5.10/x86-move-gds_ucode_mitigated-declaration-to-header.patch b/queue-5.10/x86-move-gds_ucode_mitigated-declaration-to-header.patch new file mode 100644 index 00000000000..e8973773a9f --- /dev/null +++ b/queue-5.10/x86-move-gds_ucode_mitigated-declaration-to-header.patch @@ -0,0 +1,48 @@ +From eb3515dc99c7c85f4170b50838136b2a193f8012 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 9 Aug 2023 15:05:00 +0200 +Subject: x86: Move gds_ucode_mitigated() declaration to header + +From: Arnd Bergmann + +commit eb3515dc99c7c85f4170b50838136b2a193f8012 upstream. + +The declaration got placed in the .c file of the caller, but that +causes a warning for the definition: + +arch/x86/kernel/cpu/bugs.c:682:6: error: no previous prototype for 'gds_ucode_mitigated' [-Werror=missing-prototypes] + +Move it to a header where both sides can observe it instead. + +Fixes: 81ac7e5d74174 ("KVM: Add GDS_NO support to KVM") +Signed-off-by: Arnd Bergmann +Signed-off-by: Dave Hansen +Tested-by: Daniel Sneddon +Cc: stable@kernel.org +Link: https://lore.kernel.org/all/20230809130530.1913368-2-arnd%40kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/processor.h | 2 ++ + arch/x86/kvm/x86.c | 2 -- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -864,4 +864,6 @@ enum mds_mitigations { + MDS_MITIGATION_VMWERV, + }; + ++extern bool gds_ucode_mitigated(void); ++ + #endif /* _ASM_X86_PROCESSOR_H */ +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -255,8 +255,6 @@ static struct kmem_cache *x86_fpu_cache; + + static struct kmem_cache *x86_emulator_cache; + +-extern bool gds_ucode_mitigated(void); +- + /* + * When called, it means the previous get/set msr reached an invalid msr. + * Return true if we want to ignore/silent this failed msr access. diff --git a/queue-5.10/x86-speculation-add-cpu_show_gds-prototype.patch b/queue-5.10/x86-speculation-add-cpu_show_gds-prototype.patch new file mode 100644 index 00000000000..8d08a3a239c --- /dev/null +++ b/queue-5.10/x86-speculation-add-cpu_show_gds-prototype.patch @@ -0,0 +1,38 @@ +From a57c27c7ad85c420b7de44c6ee56692d51709dda Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 9 Aug 2023 15:04:59 +0200 +Subject: x86/speculation: Add cpu_show_gds() prototype + +From: Arnd Bergmann + +commit a57c27c7ad85c420b7de44c6ee56692d51709dda upstream. + +The newly added function has two definitions but no prototypes: + +drivers/base/cpu.c:605:16: error: no previous prototype for 'cpu_show_gds' [-Werror=missing-prototypes] + +Add a declaration next to the other ones for this file to avoid the +warning. + +Fixes: 8974eb588283b ("x86/speculation: Add Gather Data Sampling mitigation") +Signed-off-by: Arnd Bergmann +Signed-off-by: Dave Hansen +Tested-by: Daniel Sneddon +Cc: stable@kernel.org +Link: https://lore.kernel.org/all/20230809130530.1913368-1-arnd%40kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/cpu.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/linux/cpu.h ++++ b/include/linux/cpu.h +@@ -72,6 +72,8 @@ extern ssize_t cpu_show_retbleed(struct + struct device_attribute *attr, char *buf); + extern ssize_t cpu_show_spec_rstack_overflow(struct device *dev, + struct device_attribute *attr, char *buf); ++extern ssize_t cpu_show_gds(struct device *dev, ++ struct device_attribute *attr, char *buf); + + extern __printf(4, 5) + struct device *cpu_device_create(struct device *parent, void *drvdata, diff --git a/queue-5.10/x86-srso-fix-build-breakage-with-the-llvm-linker.patch b/queue-5.10/x86-srso-fix-build-breakage-with-the-llvm-linker.patch new file mode 100644 index 00000000000..70a62e134df --- /dev/null +++ b/queue-5.10/x86-srso-fix-build-breakage-with-the-llvm-linker.patch @@ -0,0 +1,62 @@ +From cbe8ded48b939b9d55d2c5589ab56caa7b530709 Mon Sep 17 00:00:00 2001 +From: Nick Desaulniers +Date: Wed, 9 Aug 2023 09:40:26 -0700 +Subject: x86/srso: Fix build breakage with the LLVM linker + +From: Nick Desaulniers + +commit cbe8ded48b939b9d55d2c5589ab56caa7b530709 upstream. + +The assertion added to verify the difference in bits set of the +addresses of srso_untrain_ret_alias() and srso_safe_ret_alias() would fail +to link in LLVM's ld.lld linker with the following error: + + ld.lld: error: ./arch/x86/kernel/vmlinux.lds:210: at least one side of + the expression must be absolute + ld.lld: error: ./arch/x86/kernel/vmlinux.lds:211: at least one side of + the expression must be absolute + +Use ABSOLUTE to evaluate the expression referring to at least one of the +symbols so that LLD can evaluate the linker script. + +Also, add linker version info to the comment about XOR being unsupported +in either ld.bfd or ld.lld until somewhat recently. + +Fixes: fb3bd914b3ec ("x86/srso: Add a Speculative RAS Overflow mitigation") +Closes: https://lore.kernel.org/llvm/CA+G9fYsdUeNu-gwbs0+T6XHi4hYYk=Y9725-wFhZ7gJMspLDRA@mail.gmail.com/ +Reported-by: Nathan Chancellor +Reported-by: Daniel Kolesa +Reported-by: Naresh Kamboju +Suggested-by: Sven Volkinsfeld +Signed-off-by: Nick Desaulniers +Signed-off-by: Borislav Petkov (AMD) +Link: https://github.com/ClangBuiltLinux/linux/issues/1907 +Link: https://lore.kernel.org/r/20230809-gds-v1-1-eaac90b0cbcc@google.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/vmlinux.lds.S | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/vmlinux.lds.S ++++ b/arch/x86/kernel/vmlinux.lds.S +@@ -524,11 +524,17 @@ INIT_PER_CPU(irq_stack_backing_store); + + #ifdef CONFIG_CPU_SRSO + /* +- * GNU ld cannot do XOR so do: (A | B) - (A & B) in order to compute the XOR ++ * GNU ld cannot do XOR until 2.41. ++ * https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f6f78318fca803c4907fb8d7f6ded8295f1947b1 ++ * ++ * LLVM lld cannot do XOR until lld-17. ++ * https://github.com/llvm/llvm-project/commit/fae96104d4378166cbe5c875ef8ed808a356f3fb ++ * ++ * Instead do: (A | B) - (A & B) in order to compute the XOR + * of the two function addresses: + */ +-. = ASSERT(((srso_untrain_ret_alias | srso_safe_ret_alias) - +- (srso_untrain_ret_alias & srso_safe_ret_alias)) == ((1 << 2) | (1 << 8) | (1 << 14) | (1 << 20)), ++. = ASSERT(((ABSOLUTE(srso_untrain_ret_alias) | srso_safe_ret_alias) - ++ (ABSOLUTE(srso_untrain_ret_alias) & srso_safe_ret_alias)) == ((1 << 2) | (1 << 8) | (1 << 14) | (1 << 20)), + "SRSO function pair won't alias"); + #endif +