From 18e591ccac7d08a89bfd170ed032a02d6c3daa48 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 20 Mar 2023 14:38:41 +0100
Subject: [PATCH] 5.4-stable patches
added patches:
drm-i915-don-t-use-stolen-memory-for-ring-buffers-with-llc.patch
io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch
pci-unify-delay-handling-for-reset-and-resume.patch
s390-ipl-add-missing-intersection-check-to-ipl_report-handling.patch
serial-8250_em-fix-uart-port-type.patch
---
...len-memory-for-ring-buffers-with-llc.patch | 53 ++++
...ull-ptr-deref-in-io_arm_poll_handler.patch | 50 ++++
...-delay-handling-for-reset-and-resume.patch | 257 ++++++++++++++++++
...section-check-to-ipl_report-handling.patch | 51 ++++
.../serial-8250_em-fix-uart-port-type.patch | 38 +++
queue-5.4/series | 5 +
6 files changed, 454 insertions(+)
create mode 100644 queue-5.4/drm-i915-don-t-use-stolen-memory-for-ring-buffers-with-llc.patch
create mode 100644 queue-5.4/io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch
create mode 100644 queue-5.4/pci-unify-delay-handling-for-reset-and-resume.patch
create mode 100644 queue-5.4/s390-ipl-add-missing-intersection-check-to-ipl_report-handling.patch
create mode 100644 queue-5.4/serial-8250_em-fix-uart-port-type.patch
diff --git a/queue-5.4/drm-i915-don-t-use-stolen-memory-for-ring-buffers-with-llc.patch b/queue-5.4/drm-i915-don-t-use-stolen-memory-for-ring-buffers-with-llc.patch
new file mode 100644
index 00000000000..7b53a3d683f
--- /dev/null
+++ b/queue-5.4/drm-i915-don-t-use-stolen-memory-for-ring-buffers-with-llc.patch
@@ -0,0 +1,53 @@
+From 690e0ec8e63da9a29b39fedc6ed5da09c7c82651 Mon Sep 17 00:00:00 2001
+From: John Harrison
+Date: Wed, 15 Feb 2023 17:11:00 -0800
+Subject: drm/i915: Don't use stolen memory for ring buffers with LLC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John Harrison
+
+commit 690e0ec8e63da9a29b39fedc6ed5da09c7c82651 upstream.
+
+Direction from hardware is that stolen memory should never be used for
+ring buffer allocations on platforms with LLC. There are too many
+caching pitfalls due to the way stolen memory accesses are routed. So
+it is safest to just not use it.
+
+Signed-off-by: John Harrison
+Fixes: c58b735fc762 ("drm/i915: Allocate rings from stolen")
+Cc: Chris Wilson
+Cc: Joonas Lahtinen
+Cc: Jani Nikula
+Cc: Rodrigo Vivi
+Cc: Tvrtko Ursulin
+Cc: intel-gfx@lists.freedesktop.org
+Cc: # v4.9+
+Tested-by: Jouni Högander
+Reviewed-by: Daniele Ceraolo Spurio
+Link: https://patchwork.freedesktop.org/patch/msgid/20230216011101.1909009-2-John.C.Harrison@Intel.com
+(cherry picked from commit f54c1f6c697c4297f7ed94283c184acc338a5cf8)
+Signed-off-by: Jani Nikula
+Signed-off-by: John Harrison
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/i915/gt/intel_ringbuffer.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gt/intel_ringbuffer.c
++++ b/drivers/gpu/drm/i915/gt/intel_ringbuffer.c
+@@ -1268,10 +1268,11 @@ static struct i915_vma *create_ring_vma(
+ {
+ struct i915_address_space *vm = &ggtt->vm;
+ struct drm_i915_private *i915 = vm->i915;
+- struct drm_i915_gem_object *obj;
++ struct drm_i915_gem_object *obj = NULL;
+ struct i915_vma *vma;
+
+- obj = i915_gem_object_create_stolen(i915, size);
++ if (!HAS_LLC(i915))
++ obj = i915_gem_object_create_stolen(i915, size);
+ if (!obj)
+ obj = i915_gem_object_create_internal(i915, size);
+ if (IS_ERR(obj))
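Review bot: The new `if (!HAS_LLC(i915))` guard in create_ring_vma() carries no comment, so the reason stolen memory is skipped is recorded only in the commit message. A short comment above it, such as `/* Hardware guidance: never back rings with stolen memory on LLC platforms (caching pitfalls) */`, would keep a later cleanup from restoring the unconditional call. The `= NULL` initializer is what routes LLC platforms into the existing `if (!obj)` fallback to i915_gem_object_create_internal(); that depends on i915_gem_object_create_stolen() reporting failure as NULL rather than an ERR_PTR in this tree, which the unchanged `if (!obj)` line suggests but the hunk does not show. The function body continues outside the hunk.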
diff --git a/queue-5.4/io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch b/queue-5.4/io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch
new file mode 100644
index 00000000000..b6bb8d75e6d
--- /dev/null
+++ b/queue-5.4/io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch
@@ -0,0 +1,50 @@
+From pchelkin@ispras.ru Mon Mar 20 14:30:30 2023
+From: Fedor Pchelkin
+Date: Thu, 16 Mar 2023 21:56:16 +0300
+Subject: io_uring: avoid null-ptr-deref in io_arm_poll_handler
+To: Jens Axboe , Greg Kroah-Hartman , stable@vger.kernel.org
+Cc: Fedor Pchelkin , linux-kernel@vger.kernel.org, Alexey Khoroshilov , lvc-project@linuxtesting.org
+Message-ID: <20230316185616.271024-1-pchelkin@ispras.ru>
+
+From: Fedor Pchelkin
+
+No upstream commit exists for this commit.
+
+The issue was introduced with backporting upstream commit c16bda37594f
+("io_uring/poll: allow some retries for poll triggering spuriously").
+
+Memory allocation can possibly fail causing invalid pointer be
+dereferenced just before comparing it to NULL value.
+
+Move the pointer check in proper place (upstream has the similar location
+of the check). In case the request has REQ_F_POLLED flag up, apoll can't
+be NULL so no need to check there.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Signed-off-by: Fedor Pchelkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/io_uring.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
+index 445afda927f4..fd799567fc23 100644
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -5792,10 +5792,10 @@ static int io_arm_poll_handler(struct io_kiocb *req)
+ }
+ } else {
+ apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
++ if (unlikely(!apoll))
++ return IO_APOLL_ABORTED;
+ apoll->poll.retries = APOLL_MAX_RETRY;
+ }
+- if (unlikely(!apoll))
+- return IO_APOLL_ABORTED;
+ apoll->double_poll = NULL;
+ req->apoll = apoll;
+ req->flags |= REQ_F_POLLED;
+--
+2.34.1
+
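Review bot: With the check moved into the `else` branch, the REQ_F_POLLED branch of io_arm_poll_handler() now reaches `apoll->double_poll = NULL;` with no NULL test at all, and the invariant that makes this safe (a request carrying REQ_F_POLLED always has a valid `req->apoll`) is stated only in the commit message. That branch begins outside the hunk, so how apoll is assigned there is not visible here. A one-line comment at that assignment, for example `/* REQ_F_POLLED implies req->apoll is non-NULL */`, would record the assumption where the next backport touching this function can see it.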
diff --git a/queue-5.4/pci-unify-delay-handling-for-reset-and-resume.patch b/queue-5.4/pci-unify-delay-handling-for-reset-and-resume.patch
new file mode 100644
index 00000000000..ccf45b604f4
--- /dev/null
+++ b/queue-5.4/pci-unify-delay-handling-for-reset-and-resume.patch
@@ -0,0 +1,257 @@
+From ac91e6980563ed53afadd925fa6585ffd2bc4a2c Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Sun, 15 Jan 2023 09:20:32 +0100
+Subject: PCI: Unify delay handling for reset and resume
+
+From: Lukas Wunner
+
+commit ac91e6980563ed53afadd925fa6585ffd2bc4a2c upstream.
+
+Sheng Bi reports that pci_bridge_secondary_bus_reset() may fail to wait
+for devices on the secondary bus to become accessible after reset:
+
+Although it does call pci_dev_wait(), it erroneously passes the bridge's
+pci_dev rather than that of a child. The bridge of course is always
+accessible while its secondary bus is reset, so pci_dev_wait() returns
+immediately.
+
+Sheng Bi proposes introducing a new pci_bridge_secondary_bus_wait()
+function which is called from pci_bridge_secondary_bus_reset():
+
+https://lore.kernel.org/linux-pci/20220523171517.32407-1-windy.bi.enflame@gmail.com/
+
+However we already have pci_bridge_wait_for_secondary_bus() which does
+almost exactly what we need. So far it's only called on resume from
+D3cold (which implies a Fundamental Reset per PCIe r6.0 sec 5.8).
+Re-using it for Secondary Bus Resets is a leaner and more rational
+approach than introducing a new function.
+
+That only requires a few minor tweaks:
+
+- Amend pci_bridge_wait_for_secondary_bus() to await accessibility of
+ the first device on the secondary bus by calling pci_dev_wait() after
+ performing the prescribed delays. pci_dev_wait() needs two parameters,
+ a reset reason and a timeout, which callers must now pass to
+ pci_bridge_wait_for_secondary_bus(). The timeout is 1 sec for resume
+ (PCIe r6.0 sec 6.6.1) and 60 sec for reset (commit 821cdad5c46c ("PCI:
+ Wait up to 60 seconds for device to become ready after FLR")).
+ Introduce a PCI_RESET_WAIT macro for the 1 sec timeout.
+
+- Amend pci_bridge_wait_for_secondary_bus() to return 0 on success or
+ -ENOTTY on error for consumption by pci_bridge_secondary_bus_reset().
+
+- Drop an unnecessary 1 sec delay from pci_reset_secondary_bus() which
+ is now performed by pci_bridge_wait_for_secondary_bus(). A static
+ delay this long is only necessary for Conventional PCI, so modern
+ PCIe systems benefit from shorter reset times as a side effect.
+
+Fixes: 6b2f1351af56 ("PCI: Wait for device to become ready after secondary bus reset")
+Link: https://lore.kernel.org/r/da77c92796b99ec568bd070cbe4725074a117038.1673769517.git.lukas@wunner.de
+Reported-by: Sheng Bi
+Tested-by: Ravi Kishore Koppuravuri
+Signed-off-by: Lukas Wunner
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Mika Westerberg
+Reviewed-by: Kuppuswamy Sathyanarayanan
+Cc: stable@vger.kernel.org # v4.17+
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/pci-driver.c | 4 +--
+ drivers/pci/pci.c | 54 ++++++++++++++++++++---------------------------
+ drivers/pci/pci.h | 10 +++++++-
+ 3 files changed, 35 insertions(+), 33 deletions(-)
+
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -946,7 +946,7 @@ static int pci_pm_resume_noirq(struct de
+ pcie_pme_root_status_cleanup(pci_dev);
+
+ if (!skip_bus_pm && prev_state == PCI_D3cold)
+- pci_bridge_wait_for_secondary_bus(pci_dev);
++ pci_bridge_wait_for_secondary_bus(pci_dev, "resume", PCI_RESET_WAIT);
+
+ if (pci_has_legacy_pm_support(pci_dev))
+ return pci_legacy_resume_early(dev);
+@@ -1355,7 +1355,7 @@ static int pci_pm_runtime_resume(struct
+ pci_fixup_device(pci_fixup_resume, pci_dev);
+
+ if (prev_state == PCI_D3cold)
+- pci_bridge_wait_for_secondary_bus(pci_dev);
++ pci_bridge_wait_for_secondary_bus(pci_dev, "resume", PCI_RESET_WAIT);
+
+ if (pm && pm->runtime_resume)
+ rc = pm->runtime_resume(dev);
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -4483,7 +4483,7 @@ static int pci_dev_wait(struct pci_dev *
+ return -ENOTTY;
+ }
+
+- if (delay > 1000)
++ if (delay > PCI_RESET_WAIT)
+ pci_info(dev, "not ready %dms after %s; waiting\n",
+ delay - 1, reset_type);
+
+@@ -4492,7 +4492,7 @@ static int pci_dev_wait(struct pci_dev *
+ pci_read_config_dword(dev, PCI_COMMAND, &id);
+ }
+
+- if (delay > 1000)
++ if (delay > PCI_RESET_WAIT)
+ pci_info(dev, "ready %dms after %s\n", delay - 1,
+ reset_type);
+
+@@ -4727,24 +4727,31 @@ static int pci_bus_max_d3cold_delay(cons
+ /**
+ * pci_bridge_wait_for_secondary_bus - Wait for secondary bus to be accessible
+ * @dev: PCI bridge
++ * @reset_type: reset type in human-readable form
++ * @timeout: maximum time to wait for devices on secondary bus (milliseconds)
+ *
+ * Handle necessary delays before access to the devices on the secondary
+- * side of the bridge are permitted after D3cold to D0 transition.
++ * side of the bridge are permitted after D3cold to D0 transition
++ * or Conventional Reset.
+ *
+ * For PCIe this means the delays in PCIe 5.0 section 6.6.1. For
+ * conventional PCI it means Tpvrh + Trhfa specified in PCI 3.0 section
+ * 4.3.2.
++ *
++ * Return 0 on success or -ENOTTY if the first device on the secondary bus
++ * failed to become accessible.
+ */
+-void pci_bridge_wait_for_secondary_bus(struct pci_dev *dev)
++int pci_bridge_wait_for_secondary_bus(struct pci_dev *dev, char *reset_type,
++ int timeout)
+ {
+ struct pci_dev *child;
+ int delay;
+
+ if (pci_dev_is_disconnected(dev))
+- return;
++ return 0;
+
+ if (!pci_is_bridge(dev))
+- return;
++ return 0;
+
+ down_read(&pci_bus_sem);
+
+@@ -4756,14 +4763,14 @@ void pci_bridge_wait_for_secondary_bus(s
+ */
+ if (!dev->subordinate || list_empty(&dev->subordinate->devices)) {
+ up_read(&pci_bus_sem);
+- return;
++ return 0;
+ }
+
+ /* Take d3cold_delay requirements into account */
+ delay = pci_bus_max_d3cold_delay(dev->subordinate);
+ if (!delay) {
+ up_read(&pci_bus_sem);
+- return;
++ return 0;
+ }
+
+ child = list_first_entry(&dev->subordinate->devices, struct pci_dev,
+@@ -4772,14 +4779,12 @@ void pci_bridge_wait_for_secondary_bus(s
+
+ /*
+ * Conventional PCI and PCI-X we need to wait Tpvrh + Trhfa before
+- * accessing the device after reset (that is 1000 ms + 100 ms). In
+- * practice this should not be needed because we don't do power
+- * management for them (see pci_bridge_d3_possible()).
++ * accessing the device after reset (that is 1000 ms + 100 ms).
+ */
+ if (!pci_is_pcie(dev)) {
+ pci_dbg(dev, "waiting %d ms for secondary bus\n", 1000 + delay);
+ msleep(1000 + delay);
+- return;
++ return 0;
+ }
+
+ /*
+@@ -4796,11 +4801,11 @@ void pci_bridge_wait_for_secondary_bus(s
+ * configuration requests if we only wait for 100 ms (see
+ * https://bugzilla.kernel.org/show_bug.cgi?id=203885).
+ *
+- * Therefore we wait for 100 ms and check for the device presence.
+- * If it is still not present give it an additional 100 ms.
++ * Therefore we wait for 100 ms and check for the device presence
++ * until the timeout expires.
+ */
+ if (!pcie_downstream_port(dev))
+- return;
++ return 0;
+
+ if (pcie_get_speed_cap(dev) <= PCIE_SPEED_5_0GT) {
+ pci_dbg(dev, "waiting %d ms for downstream link\n", delay);
+@@ -4810,14 +4815,11 @@ void pci_bridge_wait_for_secondary_bus(s
+ delay);
+ if (!pcie_wait_for_link_delay(dev, true, delay)) {
+ /* Did not train, no need to wait any further */
+- return;
++ return -ENOTTY;
+ }
+ }
+
+- if (!pci_device_is_present(child)) {
+- pci_dbg(child, "waiting additional %d ms to become accessible\n", delay);
+- msleep(delay);
+- }
++ return pci_dev_wait(child, reset_type, timeout - delay);
+ }
+
+ void pci_reset_secondary_bus(struct pci_dev *dev)
+@@ -4836,15 +4838,6 @@ void pci_reset_secondary_bus(struct pci_
+
+ ctrl &= ~PCI_BRIDGE_CTL_BUS_RESET;
+ pci_write_config_word(dev, PCI_BRIDGE_CONTROL, ctrl);
+-
+- /*
+- * Trhfa for conventional PCI is 2^25 clock cycles.
+- * Assuming a minimum 33MHz clock this results in a 1s
+- * delay before we can consider subordinate devices to
+- * be re-initialized. PCIe has some ways to shorten this,
+- * but we don't make use of them yet.
+- */
+- ssleep(1);
+ }
+
+ void __weak pcibios_reset_secondary_bus(struct pci_dev *dev)
+@@ -4863,7 +4856,8 @@ int pci_bridge_secondary_bus_reset(struc
+ {
+ pcibios_reset_secondary_bus(dev);
+
+- return pci_dev_wait(dev, "bus reset", PCIE_RESET_READY_POLL_MS);
++ return pci_bridge_wait_for_secondary_bus(dev, "bus reset",
++ PCIE_RESET_READY_POLL_MS);
+ }
+ EXPORT_SYMBOL_GPL(pci_bridge_secondary_bus_reset);
+
+--- a/drivers/pci/pci.h
++++ b/drivers/pci/pci.h
+@@ -47,6 +47,13 @@ int pci_bus_error_reset(struct pci_dev *
+ #define PCI_PM_D3COLD_WAIT 100
+ #define PCI_PM_BUS_WAIT 50
+
++/*
++ * Following exit from Conventional Reset, devices must be ready within 1 sec
++ * (PCIe r6.0 sec 6.6.1). A D3cold to D0 transition implies a Conventional
++ * Reset (PCIe r6.0 sec 5.8).
++ */
++#define PCI_RESET_WAIT 1000 /* msec */
++
+ /**
+ * struct pci_platform_pm_ops - Firmware PM callbacks
+ *
+@@ -107,7 +114,8 @@ void pci_allocate_cap_save_buffers(struc
+ void pci_free_cap_save_buffers(struct pci_dev *dev);
+ bool pci_bridge_d3_possible(struct pci_dev *dev);
+ void pci_bridge_d3_update(struct pci_dev *dev);
+-void pci_bridge_wait_for_secondary_bus(struct pci_dev *dev);
++int pci_bridge_wait_for_secondary_bus(struct pci_dev *dev, char *reset_type,
++ int timeout);
+
+ static inline void pci_wakeup_event(struct pci_dev *dev)
+ {
diff --git a/queue-5.4/s390-ipl-add-missing-intersection-check-to-ipl_report-handling.patch b/queue-5.4/s390-ipl-add-missing-intersection-check-to-ipl_report-handling.patch
new file mode 100644
index 00000000000..f61aa08b6aa
--- /dev/null
+++ b/queue-5.4/s390-ipl-add-missing-intersection-check-to-ipl_report-handling.patch
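Review bot: In pci_bridge_wait_for_secondary_bus(), `child` is looked up with `list_first_entry()` while pci_bus_sem is held, but the new `return pci_dev_wait(child, reset_type, timeout - delay);` runs after the semaphore has been dropped and without a reference on the device. The release itself is outside the hunk; it is inferred from the later return paths, none of which call `up_read()`. On the bus-reset path that wait is bounded by PCIE_RESET_READY_POLL_MS rather than the single presence check the old code did, so a child removed from the bus in that window could be accessed after it has been freed. Taking the reference under the lock with `pci_dev_get()` and releasing it with `pci_dev_put()` on every exit after the lookup closes the window, as in the excerpt below. The second line of the `list_first_entry()` call lies outside the hunk, so the `bus_list` member there is from memory of struct pci_dev and should be checked against the tree.

```c
	int delay, ret = 0;

	/* … unchanged: disconnected/bridge checks, down_read(), empty-bus and zero-delay early returns … */

	/* Pin the child so it stays valid once pci_bus_sem is released */
	child = pci_dev_get(list_first_entry(&dev->subordinate->devices,
					     struct pci_dev, bus_list));
	/* … unchanged: semaphore release … */

	if (!pci_is_pcie(dev)) {
		/* … unchanged: Conventional PCI delay … */
		goto put_child;
	}

	/* … unchanged: downstream port comment … */
	if (!pcie_downstream_port(dev))
		goto put_child;

	/* … unchanged: link-speed dependent delay … */
		if (!pcie_wait_for_link_delay(dev, true, delay)) {
			/* Did not train, no need to wait any further */
			ret = -ENOTTY;
			goto put_child;
		}

	ret = pci_dev_wait(child, reset_type, timeout - delay);

put_child:
	pci_dev_put(child);
	return ret;
```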
@@ -0,0 +1,51 @@
+From a52e5cdbe8016d4e3e6322fd93d71afddb9a5af9 Mon Sep 17 00:00:00 2001
+From: Sven Schnelle
+Date: Tue, 7 Mar 2023 14:35:23 +0100
+Subject: s390/ipl: add missing intersection check to ipl_report handling
+
+From: Sven Schnelle
+
+commit a52e5cdbe8016d4e3e6322fd93d71afddb9a5af9 upstream.
+
+The code which handles the ipl report is searching for a free location
+in memory where it could copy the component and certificate entries to.
+It checks for intersection between the sections required for the kernel
+and the component/certificate data area, but fails to check whether
+the data structures linking these data areas together intersect.
+
+This might cause the iplreport copy code to overwrite the iplreport
+itself. Fix this by adding two addtional intersection checks.
+
+Cc:
+Fixes: 9641b8cc733f ("s390/ipl: read IPL report at early boot")
+Signed-off-by: Sven Schnelle
+Reviewed-by: Vasily Gorbik
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Sven Schnelle
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/boot/ipl_report.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/s390/boot/ipl_report.c
++++ b/arch/s390/boot/ipl_report.c
+@@ -57,11 +57,19 @@ repeat:
+ if (IS_ENABLED(CONFIG_BLK_DEV_INITRD) && INITRD_START && INITRD_SIZE &&
+ intersects(INITRD_START, INITRD_SIZE, safe_addr, size))
+ safe_addr = INITRD_START + INITRD_SIZE;
++ if (intersects(safe_addr, size, (unsigned long)comps, comps->len)) {
++ safe_addr = (unsigned long)comps + comps->len;
++ goto repeat;
++ }
+ for_each_rb_entry(comp, comps)
+ if (intersects(safe_addr, size, comp->addr, comp->len)) {
+ safe_addr = comp->addr + comp->len;
+ goto repeat;
+ }
++ if (intersects(safe_addr, size, (unsigned long)certs, certs->len)) {
++ safe_addr = (unsigned long)certs + certs->len;
++ goto repeat;
++ }
+ for_each_rb_entry(cert, certs)
+ if (intersects(safe_addr, size, cert->addr, cert->len)) {
+ safe_addr = cert->addr + cert->len;
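Review bot: The two added checks test the candidate range against `comps` and `certs` themselves, which reads almost identically to the `for_each_rb_entry()` loops that follow, and nothing in the code says they protect a different object. A comment above the first one, e.g. `/* the report blocks themselves must not be overwritten, not only the data their entries point to */`, would keep the pair from being folded into the loops as apparent duplicates, which would bring back the overwrite of the IPL report described in the commit message. Both checks also assume that `comps->len` and `certs->len` span the whole block including its header; the hunk does not show the structure definitions, so that is worth confirming. The enclosing function starts before and continues past the hunk.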
diff --git a/queue-5.4/serial-8250_em-fix-uart-port-type.patch b/queue-5.4/serial-8250_em-fix-uart-port-type.patch
new file mode 100644
index 00000000000..1749b4f5887
--- /dev/null
+++ b/queue-5.4/serial-8250_em-fix-uart-port-type.patch
@@ -0,0 +1,38 @@
+From 32e293be736b853f168cd065d9cbc1b0c69f545d Mon Sep 17 00:00:00 2001
+From: Biju Das
+Date: Mon, 27 Feb 2023 11:41:46 +0000
+Subject: serial: 8250_em: Fix UART port type
+
+From: Biju Das
+
+commit 32e293be736b853f168cd065d9cbc1b0c69f545d upstream.
+
+As per HW manual for EMEV2 "R19UH0040EJ0400 Rev.4.00", the UART
+IP found on EMMA mobile SoC is Register-compatible with the
+general-purpose 16750 UART chip. Fix UART port type as 16750 and
+enable 64-bytes fifo support.
+
+Fixes: 22886ee96895 ("serial8250-em: Emma Mobile UART driver V2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Biju Das
+Link: https://lore.kernel.org/r/20230227114152.22265-2-biju.das.jz@bp.renesas.com
+[biju: manually fixed the conflicts]
+Signed-off-by: Biju Das
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/8250/8250_em.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_em.c
++++ b/drivers/tty/serial/8250/8250_em.c
+@@ -102,8 +102,8 @@ static int serial8250_em_probe(struct pl
+ memset(&up, 0, sizeof(up));
+ up.port.mapbase = regs->start;
+ up.port.irq = irq->start;
+- up.port.type = PORT_UNKNOWN;
+- up.port.flags = UPF_BOOT_AUTOCONF | UPF_FIXED_PORT | UPF_IOREMAP;
++ up.port.type = PORT_16750;
++ up.port.flags = UPF_FIXED_PORT | UPF_IOREMAP | UPF_FIXED_TYPE;
+ up.port.dev = &pdev->dev;
+ up.port.private_data = priv;
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 383242894ad..2162ed5b336 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -52,3 +52,8 @@ fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch
 x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch
 revert-treewide-replace-declare_tasklet-with-declare_tasklet_old.patch
 treewide-replace-declare_tasklet-with-declare_tasklet_old.patch
+drm-i915-don-t-use-stolen-memory-for-ring-buffers-with-llc.patch
+serial-8250_em-fix-uart-port-type.patch
+s390-ipl-add-missing-intersection-check-to-ipl_report-handling.patch
+pci-unify-delay-handling-for-reset-and-resume.patch
+io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch
--
2.47.3