From: Greg Kroah-Hartman Date: Mon, 18 Apr 2022 09:25:41 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.9.311~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f382c679a38fb90e887fa24d927c4add6fbd3738;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: alsa-hda-realtek-add-quirk-for-clevo-pd50pnt.patch alsa-hda-realtek-add-quirk-for-lenovo-thinkpad-x12-speakers.patch alsa-pcm-test-for-silence-field-in-struct-pcm_format_data.patch arm-davinci-da850-evm-avoid-null-pointer-dereference.patch ath9k-fix-usage-of-driver-private-space-in-tx_info.patch ath9k-properly-clear-tx-status-area-before-reporting-to-mac80211.patch btrfs-fix-root-ref-counts-in-error-handling-in-btrfs_get_root_ref.patch btrfs-mark-resumed-async-balance-as-writing.patch dm-integrity-fix-memory-corruption-when-tag_size-is-less-than-digest-size.patch drm-amd-display-don-t-ignore-alpha-property-on-pre-multiplied-mode.patch drm-amdgpu-enable-gfxoff-quirk-on-macbook-pro.patch genirq-affinity-consider-that-cpus-on-nodes-can-be-unbalanced.patch ipv6-fix-panic-when-forwarding-a-pkt-with-no-in6-dev.patch nl80211-correctly-check-nl80211_attr_reg_alpha2-size.patch tick-nohz-use-warn_on_once-to-prevent-console-saturation.patch x86-tsx-disable-tsx-development-mode-at-boot.patch x86-tsx-use-msr_tsx_ctrl-to-clear-cpuid-bits.patch --- diff --git a/queue-5.15/alsa-hda-realtek-add-quirk-for-clevo-pd50pnt.patch b/queue-5.15/alsa-hda-realtek-add-quirk-for-clevo-pd50pnt.patch new file mode 100644 index 00000000000..3b2e3ed973c --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-quirk-for-clevo-pd50pnt.patch 
@@ -0,0 +1,30 @@ +From 9eb6f5c388060d8cef3c8b616cc31b765e022359 Mon Sep 17 00:00:00 2001 +From: Tim Crawford +Date: Tue, 5 Apr 2022 12:20:29 -0600 +Subject: ALSA: hda/realtek: Add quirk for Clevo PD50PNT + +From: Tim Crawford + +commit 9eb6f5c388060d8cef3c8b616cc31b765e022359 upstream. + +Fixes speaker output and headset detection on Clevo PD50PNT. + +Signed-off-by: Tim Crawford +Cc: +Link: https://lore.kernel.org/r/20220405182029.27431-1-tcrawford@system76.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2614,6 +2614,7 @@ static const struct snd_pci_quirk alc882 + SND_PCI_QUIRK(0x1558, 0x65e1, "Clevo PB51[ED][DF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x65e5, "Clevo PC50D[PRS](?:-D|-G)?", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x65f1, "Clevo PC50HS", ALC1220_FIXUP_CLEVO_PB51ED_PINS), ++ SND_PCI_QUIRK(0x1558, 0x65f5, "Clevo PD50PN[NRT]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x67d1, "Clevo PB71[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x67e1, "Clevo PB71[DE][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x67e5, "Clevo PC70D[PRS](?:-D|-G)?", ALC1220_FIXUP_CLEVO_PB51ED_PINS), diff --git a/queue-5.15/alsa-hda-realtek-add-quirk-for-lenovo-thinkpad-x12-speakers.patch b/queue-5.15/alsa-hda-realtek-add-quirk-for-lenovo-thinkpad-x12-speakers.patch new file mode 100644 index 00000000000..d3cd2d58c60 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-quirk-for-lenovo-thinkpad-x12-speakers.patch 
@@ -0,0 +1,35 @@ +From 264fb03497ec1c7841bba872571bcd11beed57a7 Mon Sep 17 00:00:00 2001 +From: Tao Jin +Date: Sat, 9 Apr 2022 18:44:24 -0400 +Subject: ALSA: hda/realtek: add quirk for Lenovo Thinkpad X12 speakers + +From: Tao Jin + +commit 264fb03497ec1c7841bba872571bcd11beed57a7 upstream. + +For this specific device on Lenovo Thinkpad X12 tablet, the verbs were +dumped by qemu running a guest OS that init this codec properly. +After studying the dump, it turns out that +the same quirk used by the other Lenovo devices can be reused. + +The patch was tested working against the mainline kernel. + +Cc: +Signed-off-by: Tao Jin +Link: https://lore.kernel.org/r/CO6PR03MB6241CD73310B37858FE64C85E1E89@CO6PR03MB6241.namprd03.prod.outlook.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9060,6 +9060,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x505d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x505f, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x5062, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x508b, "Thinkpad X12 Gen 1", ALC287_FIXUP_LEGION_15IMHG05_SPEAKERS), + SND_PCI_QUIRK(0x17aa, 0x5109, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x17aa, 0x511e, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x511f, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), diff --git a/queue-5.15/alsa-pcm-test-for-silence-field-in-struct-pcm_format_data.patch b/queue-5.15/alsa-pcm-test-for-silence-field-in-struct-pcm_format_data.patch new file mode 100644 index 00000000000..2d2906aa1fe --- /dev/null +++ b/queue-5.15/alsa-pcm-test-for-silence-field-in-struct-pcm_format_data.patch 
@@ -0,0 +1,40 @@ +From 2f7a26abb8241a0208c68d22815aa247c5ddacab Mon Sep 17 00:00:00 2001 +From: "Fabio M. De Francesco" +Date: Sat, 9 Apr 2022 03:26:55 +0200 +Subject: ALSA: pcm: Test for "silence" field in struct "pcm_format_data" + +From: Fabio M. De Francesco + +commit 2f7a26abb8241a0208c68d22815aa247c5ddacab upstream. + +Syzbot reports "KASAN: null-ptr-deref Write in +snd_pcm_format_set_silence".[1] + +It is due to missing validation of the "silence" field of struct +"pcm_format_data" in "pcm_formats" array. + +Add a test for valid "pat" and, if it is not so, return -EINVAL. + +[1] https://lore.kernel.org/lkml/000000000000d188ef05dc2c7279@google.com/ + +Reported-and-tested-by: syzbot+205eb15961852c2c5974@syzkaller.appspotmail.com +Signed-off-by: Fabio M. De Francesco +Cc: +Link: https://lore.kernel.org/r/20220409012655.9399-1-fmdefrancesco@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/pcm_misc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/core/pcm_misc.c ++++ b/sound/core/pcm_misc.c +@@ -433,7 +433,7 @@ int snd_pcm_format_set_silence(snd_pcm_f + return 0; + width = pcm_formats[(INT)format].phys; /* physical width */ + pat = pcm_formats[(INT)format].silence; +- if (! width) ++ if (!width || !pat) + return -EINVAL; + /* signed or 1 byte data */ + if (pcm_formats[(INT)format].signd == 1 || width <= 8) { diff --git a/queue-5.15/arm-davinci-da850-evm-avoid-null-pointer-dereference.patch b/queue-5.15/arm-davinci-da850-evm-avoid-null-pointer-dereference.patch new file mode 100644 index 00000000000..6b8f5615c67 --- /dev/null +++ b/queue-5.15/arm-davinci-da850-evm-avoid-null-pointer-dereference.patch 
@@ -0,0 +1,58 @@ +From 83a1cde5c74bfb44b49cb2a940d044bb2380f4ea Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 23 Dec 2021 15:21:41 -0700 +Subject: ARM: davinci: da850-evm: Avoid NULL pointer dereference + +From: Nathan Chancellor + +commit 83a1cde5c74bfb44b49cb2a940d044bb2380f4ea upstream. + +With newer versions of GCC, there is a panic in da850_evm_config_emac() +when booting multi_v5_defconfig in QEMU under the palmetto-bmc machine: + +Unable to handle kernel NULL pointer dereference at virtual address 00000020 +pgd = (ptrval) +[00000020] *pgd=00000000 +Internal error: Oops: 5 [#1] PREEMPT ARM +Modules linked in: +CPU: 0 PID: 1 Comm: swapper Not tainted 5.15.0 #1 +Hardware name: Generic DT based system +PC is at da850_evm_config_emac+0x1c/0x120 +LR is at do_one_initcall+0x50/0x1e0 + +The emac_pdata pointer in soc_info is NULL because davinci_soc_info only +gets populated on davinci machines but da850_evm_config_emac() is called +on all machines via device_initcall(). + +Move the rmii_en assignment below the machine check so that it is only +dereferenced when running on a supported SoC. 
+ +Fixes: bae105879f2f ("davinci: DA850/OMAP-L138 EVM: implement autodetect of RMII PHY") +Signed-off-by: Nathan Chancellor +Reviewed-by: Arnd Bergmann +Reviewed-by: Bartosz Golaszewski +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/YcS4xVWs6bQlQSPC@archlinux-ax161/ +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-davinci/board-da850-evm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/arm/mach-davinci/board-da850-evm.c ++++ b/arch/arm/mach-davinci/board-da850-evm.c +@@ -1101,11 +1101,13 @@ static int __init da850_evm_config_emac( + int ret; + u32 val; + struct davinci_soc_info *soc_info = &davinci_soc_info; +- u8 rmii_en = soc_info->emac_pdata->rmii_en; ++ u8 rmii_en; + + if (!machine_is_davinci_da850_evm()) + return 0; + ++ rmii_en = soc_info->emac_pdata->rmii_en; ++ + cfg_chip3_base = DA8XX_SYSCFG0_VIRT(DA8XX_CFGCHIP3_REG); + + val = __raw_readl(cfg_chip3_base); diff --git a/queue-5.15/ath9k-fix-usage-of-driver-private-space-in-tx_info.patch b/queue-5.15/ath9k-fix-usage-of-driver-private-space-in-tx_info.patch new file mode 100644 index 00000000000..850ce70b648 --- /dev/null +++ b/queue-5.15/ath9k-fix-usage-of-driver-private-space-in-tx_info.patch 
@@ -0,0 +1,122 @@ +From 5a6b06f5927c940fa44026695779c30b7536474c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= +Date: Mon, 4 Apr 2022 22:48:00 +0200 +Subject: ath9k: Fix usage of driver-private space in tx_info +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +commit 5a6b06f5927c940fa44026695779c30b7536474c upstream. + +The ieee80211_tx_info_clear_status() helper also clears the rate counts and +the driver-private part of struct ieee80211_tx_info, so using it breaks +quite a few other things. So back out of using it, and instead define a +ath-internal helper that only clears the area between the +status_driver_data and the rates info. Combined with moving the +ath_frame_info struct to status_driver_data, this avoids clearing anything +we shouldn't be, and so we can keep the existing code for handling the rate +information. + +While fixing this I also noticed that the setting of +tx_info->status.rates[tx_rateindex].count on hardware underrun errors was +always immediately overridden by the normal setting of the same fields, so +rearrange the code so that the underrun detection actually takes effect. + +The new helper could be generalised to a 'memset_between()' helper, but +leave it as a driver-internal helper for now since this needs to go to +stable. 
+ +Cc: stable@vger.kernel.org +Reported-by: Peter Seiderer +Fixes: 037250f0a45c ("ath9k: Properly clear TX status area before reporting to mac80211") +Signed-off-by: Toke Høiland-Jørgensen +Reviewed-by: Peter Seiderer +Tested-by: Peter Seiderer +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220404204800.2681133-1-toke@toke.dk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath9k/main.c | 2 +- + drivers/net/wireless/ath/ath9k/xmit.c | 30 ++++++++++++++++++++---------- + 2 files changed, 21 insertions(+), 11 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -839,7 +839,7 @@ static bool ath9k_txq_list_has_key(struc + continue; + + txinfo = IEEE80211_SKB_CB(bf->bf_mpdu); +- fi = (struct ath_frame_info *)&txinfo->rate_driver_data[0]; ++ fi = (struct ath_frame_info *)&txinfo->status.status_driver_data[0]; + if (fi->keyix == keyix) + return true; + } +--- a/drivers/net/wireless/ath/ath9k/xmit.c ++++ b/drivers/net/wireless/ath/ath9k/xmit.c +@@ -141,8 +141,8 @@ static struct ath_frame_info *get_frame_ + { + struct ieee80211_tx_info *tx_info = IEEE80211_SKB_CB(skb); + BUILD_BUG_ON(sizeof(struct ath_frame_info) > +- sizeof(tx_info->rate_driver_data)); +- return (struct ath_frame_info *) &tx_info->rate_driver_data[0]; ++ sizeof(tx_info->status.status_driver_data)); ++ return (struct ath_frame_info *) &tx_info->status.status_driver_data[0]; + } + + static void ath_send_bar(struct ath_atx_tid *tid, u16 seqno) +@@ -2501,6 +2501,16 @@ skip_tx_complete: + spin_unlock_irqrestore(&sc->tx.txbuflock, flags); + } + ++static void ath_clear_tx_status(struct ieee80211_tx_info *tx_info) ++{ ++ void *ptr = &tx_info->status; ++ ++ memset(ptr + sizeof(tx_info->status.rates), 0, ++ sizeof(tx_info->status) - ++ sizeof(tx_info->status.rates) - ++ sizeof(tx_info->status.status_driver_data)); ++} ++ + static void ath_tx_rc_status(struct ath_softc *sc, struct ath_buf *bf, + struct ath_tx_status *ts, int 
nframes, int nbad, + int txok) +@@ -2512,7 +2522,7 @@ static void ath_tx_rc_status(struct ath_ + struct ath_hw *ah = sc->sc_ah; + u8 i, tx_rateindex; + +- ieee80211_tx_info_clear_status(tx_info); ++ ath_clear_tx_status(tx_info); + + if (txok) + tx_info->status.ack_signal = ts->ts_rssi; +@@ -2528,6 +2538,13 @@ static void ath_tx_rc_status(struct ath_ + tx_info->status.ampdu_len = nframes; + tx_info->status.ampdu_ack_len = nframes - nbad; + ++ tx_info->status.rates[tx_rateindex].count = ts->ts_longretry + 1; ++ ++ for (i = tx_rateindex + 1; i < hw->max_rates; i++) { ++ tx_info->status.rates[i].count = 0; ++ tx_info->status.rates[i].idx = -1; ++ } ++ + if ((ts->ts_status & ATH9K_TXERR_FILT) == 0 && + (tx_info->flags & IEEE80211_TX_CTL_NO_ACK) == 0) { + /* +@@ -2549,13 +2566,6 @@ static void ath_tx_rc_status(struct ath_ + tx_info->status.rates[tx_rateindex].count = + hw->max_rate_tries; + } +- +- for (i = tx_rateindex + 1; i < hw->max_rates; i++) { +- tx_info->status.rates[i].count = 0; +- tx_info->status.rates[i].idx = -1; +- } +- +- tx_info->status.rates[tx_rateindex].count = ts->ts_longretry + 1; + } + + static void ath_tx_processq(struct ath_softc *sc, struct ath_txq *txq) diff --git a/queue-5.15/ath9k-properly-clear-tx-status-area-before-reporting-to-mac80211.patch b/queue-5.15/ath9k-properly-clear-tx-status-area-before-reporting-to-mac80211.patch new file mode 100644 index 00000000000..d3b1954912d --- /dev/null +++ b/queue-5.15/ath9k-properly-clear-tx-status-area-before-reporting-to-mac80211.patch 
@@ -0,0 +1,59 @@ +From 037250f0a45cf9ecf5b52d4b9ff8eadeb609c800 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= +Date: Wed, 30 Mar 2022 18:44:09 +0200 +Subject: ath9k: Properly clear TX status area before reporting to mac80211 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +commit 037250f0a45cf9ecf5b52d4b9ff8eadeb609c800 upstream. + +The ath9k driver was not properly clearing the status area in the +ieee80211_tx_info struct before reporting TX status to mac80211. Instead, +it was manually filling in fields, which meant that fields introduced later +were left as-is. + +Conveniently, mac80211 actually provides a helper to zero out the status +area, so use that to make sure we zero everything. + +The last commit touching the driver function writing the status information +seems to have actually been fixing an issue that was also caused by the +area being uninitialised; but it only added clearing of a single field +instead of the whole struct. That is now redundant, though, so revert that +commit and use it as a convenient Fixes tag. 
+ +Fixes: cc591d77aba1 ("ath9k: Make sure to zero status.tx_time before reporting TX status") +Reported-by: Bagas Sanjaya +Cc: +Signed-off-by: Toke Høiland-Jørgensen +Tested-by: Bagas Sanjaya +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220330164409.16645-1-toke@toke.dk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath9k/xmit.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/xmit.c ++++ b/drivers/net/wireless/ath/ath9k/xmit.c +@@ -2512,6 +2512,8 @@ static void ath_tx_rc_status(struct ath_ + struct ath_hw *ah = sc->sc_ah; + u8 i, tx_rateindex; + ++ ieee80211_tx_info_clear_status(tx_info); ++ + if (txok) + tx_info->status.ack_signal = ts->ts_rssi; + +@@ -2554,9 +2556,6 @@ static void ath_tx_rc_status(struct ath_ + } + + tx_info->status.rates[tx_rateindex].count = ts->ts_longretry + 1; +- +- /* we report airtime in ath_tx_count_airtime(), don't report twice */ +- tx_info->status.tx_time = 0; + } + + static void ath_tx_processq(struct ath_softc *sc, struct ath_txq *txq) diff --git a/queue-5.15/btrfs-fix-root-ref-counts-in-error-handling-in-btrfs_get_root_ref.patch b/queue-5.15/btrfs-fix-root-ref-counts-in-error-handling-in-btrfs_get_root_ref.patch new file mode 100644 index 00000000000..a7eebffcd7a --- /dev/null +++ b/queue-5.15/btrfs-fix-root-ref-counts-in-error-handling-in-btrfs_get_root_ref.patch 
@@ -0,0 +1,46 @@ +From 168a2f776b9762f4021421008512dd7ab7474df1 Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Thu, 24 Mar 2022 06:44:54 -0700 +Subject: btrfs: fix root ref counts in error handling in btrfs_get_root_ref + +From: Jia-Ju Bai + +commit 168a2f776b9762f4021421008512dd7ab7474df1 upstream. + +In btrfs_get_root_ref(), when btrfs_insert_fs_root() fails, +btrfs_put_root() can happen for two reasons: + +- the root already exists in the tree, in that case it returns the + reference obtained in btrfs_lookup_fs_root() + +- another error so the cleanup is done in the fail label + +Calling btrfs_put_root() unconditionally would lead to double decrement +of the root reference possibly freeing it in the second case. + +Reported-by: TOTE Robot +Fixes: bc44d7c4b2b1 ("btrfs: push btrfs_grab_fs_root into btrfs_get_fs_root") +CC: stable@vger.kernel.org # 5.10+ +Signed-off-by: Jia-Ju Bai +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -1738,9 +1738,10 @@ again: + + ret = btrfs_insert_fs_root(fs_info, root); + if (ret) { +- btrfs_put_root(root); +- if (ret == -EEXIST) ++ if (ret == -EEXIST) { ++ btrfs_put_root(root); + goto again; ++ } + goto fail; + } + return root; diff --git a/queue-5.15/btrfs-mark-resumed-async-balance-as-writing.patch b/queue-5.15/btrfs-mark-resumed-async-balance-as-writing.patch new file mode 100644 index 00000000000..8ec4e303d9c --- /dev/null +++ b/queue-5.15/btrfs-mark-resumed-async-balance-as-writing.patch 
@@ -0,0 +1,39 @@ +From a690e5f2db4d1dca742ce734aaff9f3112d63764 Mon Sep 17 00:00:00 2001 +From: Naohiro Aota +Date: Tue, 29 Mar 2022 15:55:58 +0900 +Subject: btrfs: mark resumed async balance as writing + +From: Naohiro Aota + +commit a690e5f2db4d1dca742ce734aaff9f3112d63764 upstream. + +When btrfs balance is interrupted with umount, the background balance +resumes on the next mount. There is a potential deadlock with FS freezing +here like as described in commit 26559780b953 ("btrfs: zoned: mark +relocation as writing"). Mark the process as sb_writing to avoid it. + +Reviewed-by: Filipe Manana +CC: stable@vger.kernel.org # 4.9+ +Signed-off-by: Naohiro Aota +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -4389,10 +4389,12 @@ static int balance_kthread(void *data) + struct btrfs_fs_info *fs_info = data; + int ret = 0; + ++ sb_start_write(fs_info->sb); + mutex_lock(&fs_info->balance_mutex); + if (fs_info->balance_ctl) + ret = btrfs_balance(fs_info, fs_info->balance_ctl, NULL); + mutex_unlock(&fs_info->balance_mutex); ++ sb_end_write(fs_info->sb); + + return ret; + } diff --git a/queue-5.15/dm-integrity-fix-memory-corruption-when-tag_size-is-less-than-digest-size.patch b/queue-5.15/dm-integrity-fix-memory-corruption-when-tag_size-is-less-than-digest-size.patch new file mode 100644 index 00000000000..a7890d69f1e --- /dev/null +++ b/queue-5.15/dm-integrity-fix-memory-corruption-when-tag_size-is-less-than-digest-size.patch 
@@ -0,0 +1,53 @@ +From 08c1af8f1c13bbf210f1760132f4df24d0ed46d6 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 3 Apr 2022 14:38:22 -0400 +Subject: dm integrity: fix memory corruption when tag_size is less than digest size + +From: Mikulas Patocka + +commit 08c1af8f1c13bbf210f1760132f4df24d0ed46d6 upstream. + +It is possible to set up dm-integrity in such a way that the +"tag_size" parameter is less than the actual digest size. In this +situation, a part of the digest beyond tag_size is ignored. + +In this case, dm-integrity would write beyond the end of the +ic->recalc_tags array and corrupt memory. The corruption happened in +integrity_recalc->integrity_sector_checksum->crypto_shash_final. + +Fix this corruption by increasing the tags array so that it has enough +padding at the end to accomodate the loop in integrity_recalc() being +able to write a full digest size for the last member of the tags +array. + +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-integrity.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -4383,6 +4383,7 @@ try_smaller_buffer: + } + + if (ic->internal_hash) { ++ size_t recalc_tags_size; + ic->recalc_wq = alloc_workqueue("dm-integrity-recalc", WQ_MEM_RECLAIM, 1); + if (!ic->recalc_wq ) { + ti->error = "Cannot allocate workqueue"; +@@ -4396,8 +4397,10 @@ try_smaller_buffer: + r = -ENOMEM; + goto bad; + } +- ic->recalc_tags = kvmalloc_array(RECALC_SECTORS >> ic->sb->log2_sectors_per_block, +- ic->tag_size, GFP_KERNEL); ++ recalc_tags_size = (RECALC_SECTORS >> ic->sb->log2_sectors_per_block) * ic->tag_size; ++ if (crypto_shash_digestsize(ic->internal_hash) > ic->tag_size) ++ recalc_tags_size += crypto_shash_digestsize(ic->internal_hash) - ic->tag_size; ++ ic->recalc_tags = kvmalloc(recalc_tags_size, GFP_KERNEL); + if (!ic->recalc_tags) { + 
ti->error = "Cannot allocate tags for recalculating"; + r = -ENOMEM; diff --git a/queue-5.15/drm-amd-display-don-t-ignore-alpha-property-on-pre-multiplied-mode.patch b/queue-5.15/drm-amd-display-don-t-ignore-alpha-property-on-pre-multiplied-mode.patch new file mode 100644 index 00000000000..502204686f1 --- /dev/null +++ b/queue-5.15/drm-amd-display-don-t-ignore-alpha-property-on-pre-multiplied-mode.patch 
@@ -0,0 +1,97 @@ +From e4f1541caf60fcbe5a59e9d25805c0b5865e546a Mon Sep 17 00:00:00 2001 +From: Melissa Wen +Date: Tue, 29 Mar 2022 19:18:35 -0100 +Subject: drm/amd/display: don't ignore alpha property on pre-multiplied mode + +From: Melissa Wen + +commit e4f1541caf60fcbe5a59e9d25805c0b5865e546a upstream. + +"Pre-multiplied" is the default pixel blend mode for KMS/DRM, as +documented in supported_modes of drm_plane_create_blend_mode_property(): +https://cgit.freedesktop.org/drm/drm-misc/tree/drivers/gpu/drm/drm_blend.c + +In this mode, both 'pixel alpha' and 'plane alpha' participate in the +calculation, as described by the pixel blend mode formula in KMS/DRM +documentation: + +out.rgb = plane_alpha * fg.rgb + + (1 - (plane_alpha * fg.alpha)) * bg.rgb + +Considering the blend config mechanisms we have in the driver so far, +the alpha mode that better fits this blend mode is the +_PER_PIXEL_ALPHA_COMBINED_GLOBAL_GAIN, where the value for global_gain +is the plane alpha (global_alpha). + +With this change, alpha property stops to be ignored. 
It also addresses +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1734 + +v2: + * keep the 8-bit value for global_alpha_value (Nicholas) + * correct the logical ordering for combined global gain (Nicholas) + * apply to dcn10 too (Nicholas) + +Signed-off-by: Melissa Wen +Tested-by: Rodrigo Siqueira +Reviewed-by: Harry Wentland +Tested-by: Simon Ser +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 14 +++++++++----- + drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 14 +++++++++----- + 2 files changed, 18 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +@@ -2460,14 +2460,18 @@ void dcn10_update_mpcc(struct dc *dc, st + struct mpc *mpc = dc->res_pool->mpc; + struct mpc_tree *mpc_tree_params = &(pipe_ctx->stream_res.opp->mpc_tree_params); + +- if (per_pixel_alpha) +- blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_PER_PIXEL_ALPHA; +- else +- blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_GLOBAL_ALPHA; +- + blnd_cfg.overlap_only = false; + blnd_cfg.global_gain = 0xff; + ++ if (per_pixel_alpha && pipe_ctx->plane_state->global_alpha) { ++ blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_PER_PIXEL_ALPHA_COMBINED_GLOBAL_GAIN; ++ blnd_cfg.global_gain = pipe_ctx->plane_state->global_alpha_value; ++ } else if (per_pixel_alpha) { ++ blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_PER_PIXEL_ALPHA; ++ } else { ++ blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_GLOBAL_ALPHA; ++ } ++ + if (pipe_ctx->plane_state->global_alpha) + blnd_cfg.global_alpha = pipe_ctx->plane_state->global_alpha_value; + else +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c +@@ -2297,14 +2297,18 @@ void dcn20_update_mpcc(struct dc *dc, st + struct mpc *mpc = dc->res_pool->mpc; + struct mpc_tree *mpc_tree_params = 
&(pipe_ctx->stream_res.opp->mpc_tree_params); + +- if (per_pixel_alpha) +- blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_PER_PIXEL_ALPHA; +- else +- blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_GLOBAL_ALPHA; +- + blnd_cfg.overlap_only = false; + blnd_cfg.global_gain = 0xff; + ++ if (per_pixel_alpha && pipe_ctx->plane_state->global_alpha) { ++ blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_PER_PIXEL_ALPHA_COMBINED_GLOBAL_GAIN; ++ blnd_cfg.global_gain = pipe_ctx->plane_state->global_alpha_value; ++ } else if (per_pixel_alpha) { ++ blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_PER_PIXEL_ALPHA; ++ } else { ++ blnd_cfg.alpha_mode = MPCC_ALPHA_BLEND_MODE_GLOBAL_ALPHA; ++ } ++ + if (pipe_ctx->plane_state->global_alpha) + blnd_cfg.global_alpha = pipe_ctx->plane_state->global_alpha_value; + else diff --git a/queue-5.15/drm-amdgpu-enable-gfxoff-quirk-on-macbook-pro.patch b/queue-5.15/drm-amdgpu-enable-gfxoff-quirk-on-macbook-pro.patch new file mode 100644 index 00000000000..f638466dec0 --- /dev/null +++ b/queue-5.15/drm-amdgpu-enable-gfxoff-quirk-on-macbook-pro.patch 
@@ -0,0 +1,37 @@ +From 4593c1b6d159f1e5c35c07a7f125e79e5a864302 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tomasz=20Mo=C5=84?= +Date: Wed, 6 Apr 2022 21:49:21 +0200 +Subject: drm/amdgpu: Enable gfxoff quirk on MacBook Pro +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tomasz Moń + +commit 4593c1b6d159f1e5c35c07a7f125e79e5a864302 upstream. + +Enabling gfxoff quirk results in perfectly usable graphical user +interface on MacBook Pro (15-inch, 2019) with Radeon Pro Vega 20 4 GB. + +Without the quirk, X server is completely unusable as every few seconds +there is gpu reset due to ring gfx timeout. + +Signed-off-by: Tomasz Moń +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -1272,6 +1272,8 @@ static const struct amdgpu_gfxoff_quirk + { 0x1002, 0x15dd, 0x103c, 0x83e7, 0xd3 }, + /* GFXOFF is unstable on C6 parts with a VBIOS 113-RAVEN-114 */ + { 0x1002, 0x15dd, 0x1002, 0x15dd, 0xc6 }, ++ /* Apple MacBook Pro (15-inch, 2019) Radeon Pro Vega 20 4 GB */ ++ { 0x1002, 0x69af, 0x106b, 0x019a, 0xc0 }, + { 0, 0, 0, 0, 0 }, + }; + diff --git a/queue-5.15/genirq-affinity-consider-that-cpus-on-nodes-can-be-unbalanced.patch b/queue-5.15/genirq-affinity-consider-that-cpus-on-nodes-can-be-unbalanced.patch new file mode 100644 index 00000000000..4bae1069ca7 --- /dev/null +++ b/queue-5.15/genirq-affinity-consider-that-cpus-on-nodes-can-be-unbalanced.patch 
@@ -0,0 +1,47 @@ +From 08d835dff916bfe8f45acc7b92c7af6c4081c8a7 Mon Sep 17 00:00:00 2001 +From: Rei Yamamoto +Date: Thu, 31 Mar 2022 09:33:09 +0900 +Subject: genirq/affinity: Consider that CPUs on nodes can be unbalanced + +From: Rei Yamamoto + +commit 08d835dff916bfe8f45acc7b92c7af6c4081c8a7 upstream. + +If CPUs on a node are offline at boot time, the number of nodes is +different when building affinity masks for present cpus and when building +affinity masks for possible cpus. This causes the following problem: + +In the case that the number of vectors is less than the number of nodes +there are cases where bits of masks for present cpus are overwritten when +building masks for possible cpus. + +Fix this by excluding CPUs, which are not part of the current build mask +(present/possible). + +[ tglx: Massaged changelog and added comment ] + +Fixes: b82592199032 ("genirq/affinity: Spread IRQs to all available NUMA nodes") +Signed-off-by: Rei Yamamoto +Signed-off-by: Thomas Gleixner +Reviewed-by: Ming Lei +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220331003309.10891-1-yamamoto.rei@jp.fujitsu.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/irq/affinity.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/kernel/irq/affinity.c ++++ b/kernel/irq/affinity.c +@@ -269,8 +269,9 @@ static int __irq_build_affinity_masks(un + */ + if (numvecs <= nodes) { + for_each_node_mask(n, nodemsk) { +- cpumask_or(&masks[curvec].mask, &masks[curvec].mask, +- node_to_cpumask[n]); ++ /* Ensure that only CPUs which are in both masks are set */ ++ cpumask_and(nmsk, cpu_mask, node_to_cpumask[n]); ++ cpumask_or(&masks[curvec].mask, &masks[curvec].mask, nmsk); + if (++curvec == last_affv) + curvec = firstvec; + } diff --git a/queue-5.15/ipv6-fix-panic-when-forwarding-a-pkt-with-no-in6-dev.patch b/queue-5.15/ipv6-fix-panic-when-forwarding-a-pkt-with-no-in6-dev.patch new file mode 100644 index 00000000000..edc0631fac2 --- /dev/null 
+++ b/queue-5.15/ipv6-fix-panic-when-forwarding-a-pkt-with-no-in6-dev.patch @@ -0,0 +1,38 @@ +From e3fa461d8b0e185b7da8a101fe94dfe6dd500ac0 Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel +Date: Fri, 8 Apr 2022 16:03:42 +0200 +Subject: ipv6: fix panic when forwarding a pkt with no in6 dev + +From: Nicolas Dichtel + +commit e3fa461d8b0e185b7da8a101fe94dfe6dd500ac0 upstream. + +kongweibin reported a kernel panic in ip6_forward() when input interface +has no in6 dev associated. + +The following tc commands were used to reproduce this panic: +tc qdisc del dev vxlan100 root +tc qdisc add dev vxlan100 root netem corrupt 5% + +CC: stable@vger.kernel.org +Fixes: ccd27f05ae7b ("ipv6: fix 'disable_policy' for fwd packets") +Reported-by: kongweibin +Signed-off-by: Nicolas Dichtel +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -485,7 +485,7 @@ int ip6_forward(struct sk_buff *skb) + goto drop; + + if (!net->ipv6.devconf_all->disable_policy && +- !idev->cnf.disable_policy && ++ (!idev || !idev->cnf.disable_policy) && + !xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) { + __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS); + goto drop; diff --git a/queue-5.15/nl80211-correctly-check-nl80211_attr_reg_alpha2-size.patch b/queue-5.15/nl80211-correctly-check-nl80211_attr_reg_alpha2-size.patch new file mode 100644 index 00000000000..2d169d18630 --- /dev/null +++ b/queue-5.15/nl80211-correctly-check-nl80211_attr_reg_alpha2-size.patch 
@@ -0,0 +1,35 @@ +From 6624bb34b4eb19f715db9908cca00122748765d7 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Mon, 11 Apr 2022 11:42:03 +0200 +Subject: nl80211: correctly check NL80211_ATTR_REG_ALPHA2 size + +From: Johannes Berg + +commit 6624bb34b4eb19f715db9908cca00122748765d7 upstream. + +We need this to be at least two bytes, so we can access +alpha2[0] and alpha2[1]. It may be three in case some +userspace used NUL-termination since it was NLA_STRING +(and we also push it out with NUL-termination). + +Cc: stable@vger.kernel.org +Reported-by: Lee Jones +Link: https://lore.kernel.org/r/20220411114201.fd4a31f06541.Ie7ff4be2cf348d8cc28ed0d626fc54becf7ea799@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/nl80211.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -509,7 +509,8 @@ static const struct nla_policy nl80211_p + .len = IEEE80211_MAX_MESH_ID_LEN }, + [NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT, + +- [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 }, ++ /* allow 3 for NUL-termination, we used to declare this NLA_STRING */ ++ [NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3), + [NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED }, + + [NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 }, diff --git a/queue-5.15/series b/queue-5.15/series index e8b79b15011..2c49da3aaf2 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -151,3 +151,20 @@ sunrpc-fix-nfsd-s-request-deferral-on-rdma-transports.patch memory-renesas-rpc-if-fix-platform-device-leak-in-error-path.patch gcc-plugins-latent_entropy-use-dev-urandom.patch cifs-verify-that-tcon-is-valid-before-dereference-in-cifs_kill_sb.patch +ath9k-properly-clear-tx-status-area-before-reporting-to-mac80211.patch +ath9k-fix-usage-of-driver-private-space-in-tx_info.patch +btrfs-fix-root-ref-counts-in-error-handling-in-btrfs_get_root_ref.patch +btrfs-mark-resumed-async-balance-as-writing.patch +alsa-hda-realtek-add-quirk-for-clevo-pd50pnt.patch +alsa-hda-realtek-add-quirk-for-lenovo-thinkpad-x12-speakers.patch +alsa-pcm-test-for-silence-field-in-struct-pcm_format_data.patch +nl80211-correctly-check-nl80211_attr_reg_alpha2-size.patch +ipv6-fix-panic-when-forwarding-a-pkt-with-no-in6-dev.patch +drm-amd-display-don-t-ignore-alpha-property-on-pre-multiplied-mode.patch +drm-amdgpu-enable-gfxoff-quirk-on-macbook-pro.patch +x86-tsx-use-msr_tsx_ctrl-to-clear-cpuid-bits.patch +x86-tsx-disable-tsx-development-mode-at-boot.patch +genirq-affinity-consider-that-cpus-on-nodes-can-be-unbalanced.patch +tick-nohz-use-warn_on_once-to-prevent-console-saturation.patch +arm-davinci-da850-evm-avoid-null-pointer-dereference.patch +dm-integrity-fix-memory-corruption-when-tag_size-is-less-than-digest-size.patch diff --git a/queue-5.15/tick-nohz-use-warn_on_once-to-prevent-console-saturation.patch b/queue-5.15/tick-nohz-use-warn_on_once-to-prevent-console-saturation.patch new file mode 100644 index 00000000000..8f78e0fec3e --- /dev/null +++ b/queue-5.15/tick-nohz-use-warn_on_once-to-prevent-console-saturation.patch 
@@ -0,0 +1,43 @@ +From 40e97e42961f8c6cc7bd5fe67cc18417e02d78f1 Mon Sep 17 00:00:00 2001 +From: Paul Gortmaker +Date: Mon, 6 Dec 2021 09:59:50 -0500 +Subject: tick/nohz: Use WARN_ON_ONCE() to prevent console saturation + +From: Paul Gortmaker + +commit 40e97e42961f8c6cc7bd5fe67cc18417e02d78f1 upstream. + +While running some testing on code that happened to allow the variable +tick_nohz_full_running to get set but with no "possible" NOHZ cores to +back up that setting, this warning triggered: + + if (unlikely(tick_do_timer_cpu == TICK_DO_TIMER_NONE)) + WARN_ON(tick_nohz_full_running); + +The console was overwhemled with an endless stream of one WARN per tick +per core and there was no way to even see what was going on w/o using a +serial console to capture it and then trace it back to this. + +Change it to WARN_ON_ONCE(). + +Fixes: 08ae95f4fd3b ("nohz_full: Allow the boot CPU to be nohz_full") +Signed-off-by: Paul Gortmaker +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211206145950.10927-3-paul.gortmaker@windriver.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/tick-sched.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -186,7 +186,7 @@ static void tick_sched_do_timer(struct t + */ + if (unlikely(tick_do_timer_cpu == TICK_DO_TIMER_NONE)) { + #ifdef CONFIG_NO_HZ_FULL +- WARN_ON(tick_nohz_full_running); ++ WARN_ON_ONCE(tick_nohz_full_running); + #endif + tick_do_timer_cpu = cpu; + } diff --git a/queue-5.15/x86-tsx-disable-tsx-development-mode-at-boot.patch b/queue-5.15/x86-tsx-disable-tsx-development-mode-at-boot.patch new file mode 100644 index 00000000000..e9d46aa6e66 --- /dev/null +++ b/queue-5.15/x86-tsx-disable-tsx-development-mode-at-boot.patch 
@@ -0,0 +1,201 @@ +From 400331f8ffa3bec5c561417e5eec6848464e9160 Mon Sep 17 00:00:00 2001 +From: Pawan Gupta +Date: Thu, 10 Mar 2022 14:02:09 -0800 +Subject: x86/tsx: Disable TSX development mode at boot + +From: Pawan Gupta + +commit 400331f8ffa3bec5c561417e5eec6848464e9160 upstream. + +A microcode update on some Intel processors causes all TSX transactions +to always abort by default[*]. Microcode also added functionality to +re-enable TSX for development purposes. With this microcode loaded, if +tsx=on was passed on the cmdline, and TSX development mode was already +enabled before the kernel boot, it may make the system vulnerable to TSX +Asynchronous Abort (TAA). + +To be on safer side, unconditionally disable TSX development mode during +boot. If a viable use case appears, this can be revisited later. + + [*]: Intel TSX Disable Update for Selected Processors, doc ID: 643557 + + [ bp: Drop unstable web link, massage heavily. ] + +Suggested-by: Andrew Cooper +Suggested-by: Borislav Petkov +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +Tested-by: Neelima Krishnan +Cc: +Link: https://lore.kernel.org/r/347bd844da3a333a9793c6687d4e4eb3b2419a3e.1646943780.git.pawan.kumar.gupta@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/msr-index.h | 4 +- + arch/x86/kernel/cpu/common.c | 2 + + arch/x86/kernel/cpu/cpu.h | 5 +-- + arch/x86/kernel/cpu/intel.c | 8 ----- + arch/x86/kernel/cpu/tsx.c | 50 +++++++++++++++++++++++++++++++-- + tools/arch/x86/include/asm/msr-index.h | 4 +- + 6 files changed, 55 insertions(+), 18 deletions(-) + +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -128,9 +128,9 @@ + #define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM feature */ + #define TSX_CTRL_CPUID_CLEAR BIT(1) /* Disable TSX enumeration */ + +-/* SRBDS support */ + #define MSR_IA32_MCU_OPT_CTRL 0x00000123 +-#define RNGDS_MITG_DIS BIT(0) ++#define RNGDS_MITG_DIS BIT(0) /* SRBDS support */ ++#define RTM_ALLOW BIT(1) 
/* TSX development mode */ + + #define MSR_IA32_SYSENTER_CS 0x00000174 + #define MSR_IA32_SYSENTER_ESP 0x00000175 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -1714,6 +1714,8 @@ void identify_secondary_cpu(struct cpuin + validate_apic_and_package_id(c); + x86_spec_ctrl_setup_ap(); + update_srbds_msr(); ++ ++ tsx_ap_init(); + } + + static __init int setup_noclflush(char *arg) +--- a/arch/x86/kernel/cpu/cpu.h ++++ b/arch/x86/kernel/cpu/cpu.h +@@ -55,11 +55,10 @@ enum tsx_ctrl_states { + extern __ro_after_init enum tsx_ctrl_states tsx_ctrl_state; + + extern void __init tsx_init(void); +-extern void tsx_enable(void); +-extern void tsx_disable(void); +-extern void tsx_clear_cpuid(void); ++void tsx_ap_init(void); + #else + static inline void tsx_init(void) { } ++static inline void tsx_ap_init(void) { } + #endif /* CONFIG_CPU_SUP_INTEL */ + + extern void get_cpu_cap(struct cpuinfo_x86 *c); +--- a/arch/x86/kernel/cpu/intel.c ++++ b/arch/x86/kernel/cpu/intel.c +@@ -717,14 +717,6 @@ static void init_intel(struct cpuinfo_x8 + + init_intel_misc_features(c); + +- if (tsx_ctrl_state == TSX_CTRL_ENABLE) +- tsx_enable(); +- else if (tsx_ctrl_state == TSX_CTRL_DISABLE) +- tsx_disable(); +- else if (tsx_ctrl_state == TSX_CTRL_RTM_ALWAYS_ABORT) +- /* See comment over that function for more details. */ +- tsx_clear_cpuid(); +- + split_lock_init(); + bus_lock_init(); + +--- a/arch/x86/kernel/cpu/tsx.c ++++ b/arch/x86/kernel/cpu/tsx.c +@@ -19,7 +19,7 @@ + + enum tsx_ctrl_states tsx_ctrl_state __ro_after_init = TSX_CTRL_NOT_SUPPORTED; + +-void tsx_disable(void) ++static void tsx_disable(void) + { + u64 tsx; + +@@ -39,7 +39,7 @@ void tsx_disable(void) + wrmsrl(MSR_IA32_TSX_CTRL, tsx); + } + +-void tsx_enable(void) ++static void tsx_enable(void) + { + u64 tsx; + +@@ -122,7 +122,7 @@ static enum tsx_ctrl_states x86_get_tsx_ + * That's why, this function's call in init_intel() doesn't clear the + * feature flags. 
+ */ +-void tsx_clear_cpuid(void) ++static void tsx_clear_cpuid(void) + { + u64 msr; + +@@ -142,11 +142,42 @@ void tsx_clear_cpuid(void) + } + } + ++/* ++ * Disable TSX development mode ++ * ++ * When the microcode released in Feb 2022 is applied, TSX will be disabled by ++ * default on some processors. MSR 0x122 (TSX_CTRL) and MSR 0x123 ++ * (IA32_MCU_OPT_CTRL) can be used to re-enable TSX for development, doing so is ++ * not recommended for production deployments. In particular, applying MD_CLEAR ++ * flows for mitigation of the Intel TSX Asynchronous Abort (TAA) transient ++ * execution attack may not be effective on these processors when Intel TSX is ++ * enabled with updated microcode. ++ */ ++static void tsx_dev_mode_disable(void) ++{ ++ u64 mcu_opt_ctrl; ++ ++ /* Check if RTM_ALLOW exists */ ++ if (!boot_cpu_has_bug(X86_BUG_TAA) || !tsx_ctrl_is_supported() || ++ !cpu_feature_enabled(X86_FEATURE_SRBDS_CTRL)) ++ return; ++ ++ rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_opt_ctrl); ++ ++ if (mcu_opt_ctrl & RTM_ALLOW) { ++ mcu_opt_ctrl &= ~RTM_ALLOW; ++ wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_opt_ctrl); ++ setup_force_cpu_cap(X86_FEATURE_RTM_ALWAYS_ABORT); ++ } ++} ++ + void __init tsx_init(void) + { + char arg[5] = {}; + int ret; + ++ tsx_dev_mode_disable(); ++ + /* + * Hardware will always abort a TSX transaction when the CPUID bit + * RTM_ALWAYS_ABORT is set. In this case, it is better not to enumerate +@@ -215,3 +246,16 @@ void __init tsx_init(void) + setup_force_cpu_cap(X86_FEATURE_HLE); + } + } ++ ++void tsx_ap_init(void) ++{ ++ tsx_dev_mode_disable(); ++ ++ if (tsx_ctrl_state == TSX_CTRL_ENABLE) ++ tsx_enable(); ++ else if (tsx_ctrl_state == TSX_CTRL_DISABLE) ++ tsx_disable(); ++ else if (tsx_ctrl_state == TSX_CTRL_RTM_ALWAYS_ABORT) ++ /* See comment over that function for more details. 
*/ ++ tsx_clear_cpuid(); ++} +--- a/tools/arch/x86/include/asm/msr-index.h ++++ b/tools/arch/x86/include/asm/msr-index.h +@@ -128,9 +128,9 @@ + #define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM feature */ + #define TSX_CTRL_CPUID_CLEAR BIT(1) /* Disable TSX enumeration */ + +-/* SRBDS support */ + #define MSR_IA32_MCU_OPT_CTRL 0x00000123 +-#define RNGDS_MITG_DIS BIT(0) ++#define RNGDS_MITG_DIS BIT(0) /* SRBDS support */ ++#define RTM_ALLOW BIT(1) /* TSX development mode */ + + #define MSR_IA32_SYSENTER_CS 0x00000174 + #define MSR_IA32_SYSENTER_ESP 0x00000175 diff --git a/queue-5.15/x86-tsx-use-msr_tsx_ctrl-to-clear-cpuid-bits.patch b/queue-5.15/x86-tsx-use-msr_tsx_ctrl-to-clear-cpuid-bits.patch new file mode 100644 index 00000000000..d1e353e8358 --- /dev/null +++ b/queue-5.15/x86-tsx-use-msr_tsx_ctrl-to-clear-cpuid-bits.patch 
@@ -0,0 +1,123 @@ +From 258f3b8c3210b03386e4ad92b4bd8652b5c1beb3 Mon Sep 17 00:00:00 2001 +From: Pawan Gupta +Date: Thu, 10 Mar 2022 14:00:59 -0800 +Subject: x86/tsx: Use MSR_TSX_CTRL to clear CPUID bits + +From: Pawan Gupta + +commit 258f3b8c3210b03386e4ad92b4bd8652b5c1beb3 upstream. + +tsx_clear_cpuid() uses MSR_TSX_FORCE_ABORT to clear CPUID.RTM and +CPUID.HLE. Not all CPUs support MSR_TSX_FORCE_ABORT, alternatively use +MSR_IA32_TSX_CTRL when supported. + + [ bp: Document how and why TSX gets disabled. ] + +Fixes: 293649307ef9 ("x86/tsx: Clear CPUID bits when TSX always force aborts") +Reported-by: kernel test robot +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +Tested-by: Neelima Krishnan +Cc: +Link: https://lore.kernel.org/r/5b323e77e251a9c8bcdda498c5cc0095be1e1d3c.1646943780.git.pawan.kumar.gupta@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/intel.c | 1 + arch/x86/kernel/cpu/tsx.c | 54 ++++++++++++++++++++++++++++++++++++++------ + 2 files changed, 48 insertions(+), 7 deletions(-) + +--- a/arch/x86/kernel/cpu/intel.c ++++ b/arch/x86/kernel/cpu/intel.c +@@ -722,6 +722,7 @@ static void init_intel(struct cpuinfo_x8 + else if (tsx_ctrl_state == TSX_CTRL_DISABLE) + tsx_disable(); + else if (tsx_ctrl_state == TSX_CTRL_RTM_ALWAYS_ABORT) ++ /* See comment over that function for more details. */ + tsx_clear_cpuid(); + + split_lock_init(); +--- a/arch/x86/kernel/cpu/tsx.c ++++ b/arch/x86/kernel/cpu/tsx.c +@@ -58,7 +58,7 @@ void tsx_enable(void) + wrmsrl(MSR_IA32_TSX_CTRL, tsx); + } + +-static bool __init tsx_ctrl_is_supported(void) ++static bool tsx_ctrl_is_supported(void) + { + u64 ia32_cap = x86_read_arch_cap_msr(); + +@@ -84,6 +84,44 @@ static enum tsx_ctrl_states x86_get_tsx_ + return TSX_CTRL_ENABLE; + } + ++/* ++ * Disabling TSX is not a trivial business. 
++ * ++ * First of all, there's a CPUID bit: X86_FEATURE_RTM_ALWAYS_ABORT ++ * which says that TSX is practically disabled (all transactions are ++ * aborted by default). When that bit is set, the kernel unconditionally ++ * disables TSX. ++ * ++ * In order to do that, however, it needs to dance a bit: ++ * ++ * 1. The first method to disable it is through MSR_TSX_FORCE_ABORT and ++ * the MSR is present only when *two* CPUID bits are set: ++ * ++ * - X86_FEATURE_RTM_ALWAYS_ABORT ++ * - X86_FEATURE_TSX_FORCE_ABORT ++ * ++ * 2. The second method is for CPUs which do not have the above-mentioned ++ * MSR: those use a different MSR - MSR_IA32_TSX_CTRL and disable TSX ++ * through that one. Those CPUs can also have the initially mentioned ++ * CPUID bit X86_FEATURE_RTM_ALWAYS_ABORT set and for those the same strategy ++ * applies: TSX gets disabled unconditionally. ++ * ++ * When either of the two methods are present, the kernel disables TSX and ++ * clears the respective RTM and HLE feature flags. ++ * ++ * An additional twist in the whole thing presents late microcode loading ++ * which, when done, may cause for the X86_FEATURE_RTM_ALWAYS_ABORT CPUID ++ * bit to be set after the update. ++ * ++ * A subsequent hotplug operation on any logical CPU except the BSP will ++ * cause for the supported CPUID feature bits to get re-detected and, if ++ * RTM and HLE get cleared all of a sudden, but, userspace did consult ++ * them before the update, then funny explosions will happen. Long story ++ * short: the kernel doesn't modify CPUID feature bits after booting. ++ * ++ * That's why, this function's call in init_intel() doesn't clear the ++ * feature flags. 
++ */ + void tsx_clear_cpuid(void) + { + u64 msr; +@@ -97,6 +135,10 @@ void tsx_clear_cpuid(void) + rdmsrl(MSR_TSX_FORCE_ABORT, msr); + msr |= MSR_TFA_TSX_CPUID_CLEAR; + wrmsrl(MSR_TSX_FORCE_ABORT, msr); ++ } else if (tsx_ctrl_is_supported()) { ++ rdmsrl(MSR_IA32_TSX_CTRL, msr); ++ msr |= TSX_CTRL_CPUID_CLEAR; ++ wrmsrl(MSR_IA32_TSX_CTRL, msr); + } + } + +@@ -106,13 +148,11 @@ void __init tsx_init(void) + int ret; + + /* +- * Hardware will always abort a TSX transaction if both CPUID bits +- * RTM_ALWAYS_ABORT and TSX_FORCE_ABORT are set. In this case, it is +- * better not to enumerate CPUID.RTM and CPUID.HLE bits. Clear them +- * here. ++ * Hardware will always abort a TSX transaction when the CPUID bit ++ * RTM_ALWAYS_ABORT is set. In this case, it is better not to enumerate ++ * CPUID.RTM and CPUID.HLE bits. Clear them here. + */ +- if (boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) && +- boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT)) { ++ if (boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT)) { + tsx_ctrl_state = TSX_CTRL_RTM_ALWAYS_ABORT; + tsx_clear_cpuid(); + setup_clear_cpu_cap(X86_FEATURE_RTM);
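Review bot: in the ip6_forward() hunk of ipv6-fix-panic-when-forwarding-a-pkt-with-no-in6-dev.patch, the new test (!idev || !idev->cnf.disable_policy) sends a NULL idev on to xfrm6_policy_check(), and the drop path right below it passes that same NULL idev to __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS); neither consequence is stated in the code or the changelog. Suggest a one-line comment above the condition saying that an input device without an in6 dev gets no per-device disable_policy exemption, so the forward policy check is enforced, plus a sentence in the changelog confirming that the stats macro accepts a NULL idev.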
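Review bot: in the nl80211_policy hunk of nl80211-correctly-check-nl80211_attr_reg_alpha2-size.patch, NLA_POLICY_RANGE(NLA_BINARY, 2, 3) accepts a 3-byte attribute without checking that the third byte is NUL, and the added comment only explains why a length of 3 is allowed. Because the type changes from NLA_STRING to NLA_BINARY, suggest extending the comment to say that consumers may read only alpha2[0] and alpha2[1] and must not treat the payload as a C string, so that a later caller does not hand the attribute data to a string function.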
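Review bot: in the arch/x86/kernel/cpu/tsx.c hunk of x86-tsx-disable-tsx-development-mode-at-boot.patch that adds tsx_dev_mode_disable(), the comment "Check if RTM_ALLOW exists" sits over three separate feature tests (X86_BUG_TAA, tsx_ctrl_is_supported(), X86_FEATURE_SRBDS_CTRL) without saying why they together imply that bit 1 of MSR_IA32_MCU_OPT_CTRL is implemented. Suggest naming which test guards the rdmsrl() against a missing MSR and, if RTM_ALLOW has no enumeration of its own, saying so. The same hunk puts tsx_dev_mode_disable() first in tsx_init() with no comment; it appears to have to run before the boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) check that follows so that the forced capability is seen, and a one-line note there would keep a later reorder from silently changing the outcome.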
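Review bot: in the tsx.c hunk of x86-tsx-disable-tsx-development-mode-at-boot.patch that adds tsx_ap_init(), every secondary CPU bring-up can now reach setup_force_cpu_cap(X86_FEATURE_RTM_ALWAYS_ABORT) through tsx_dev_mode_disable(), while the comment above tsx_clear_cpuid() states that the kernel does not modify CPUID feature bits after booting. Suggest either a comment in tsx_ap_init() explaining why forcing the capability on this path is harmless, or moving the setup_force_cpu_cap() call out of the shared helper into tsx_init(). The comment above tsx_clear_cpuid() also still ends with "this function's call in init_intel() doesn't clear the feature flags", and this patch removes that call from init_intel(); the wording should be updated to refer to tsx_ap_init().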
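Review bot: in the tsx_clear_cpuid() hunk of x86-tsx-use-msr_tsx_ctrl-to-clear-cpuid-bits.patch, the new "else if (tsx_ctrl_is_supported())" branch sets only TSX_CTRL_CPUID_CLEAR, whereas the block comment added just above describes this second method as disabling TSX through MSR_IA32_TSX_CTRL. Suggest that the comment say the branch only hides the RTM and HLE enumeration, and that this is sufficient because all transactions already abort when X86_FEATURE_RTM_ALWAYS_ABORT is set, so a reader does not go looking for a missing RTM-disable write.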
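Review bot: in the tsx_init() hunk of x86-tsx-use-msr_tsx_ctrl-to-clear-cpuid-bits.patch, dropping the boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) test lets the block run on a CPU that reports RTM_ALWAYS_ABORT but has neither MSR; tsx_clear_cpuid() has no final else and does nothing in that case, while setup_clear_cpu_cap(X86_FEATURE_RTM) still clears the kernel's own view. Suggest a sentence in the rewritten comment stating whether that combination can occur and, if it can, that CPUID as seen by userspace is left unchanged there.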