From 403f5593208eebf72ca962e95311a0ecea202ad7 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 3 Apr 2022 15:50:14 +0200 Subject: [PATCH] 5.17-stable patches added patches: acpi-cppc-avoid-out-of-bounds-access-when-parsing-_cpc-data.patch io_uring-bump-poll-refs-to-full-31-bits.patch io_uring-fix-memory-leak-of-uid-in-files-registration.patch io_uring-remove-poll-entry-from-list-when-canceling-all.patch platform-chrome-cros_ec_typec-check-for-ec-device.patch platform-x86-asus-wmi-fix-regression-when-probing-for-fan-curve-control.patch riscv-module-remove-noload.patch spi-fix-tegra-qspi-example.patch vhost-handle-error-while-adding-split-ranges-to-iotlb.patch --- ...bounds-access-when-parsing-_cpc-data.patch | 37 ++++++++++++++ ...uring-bump-poll-refs-to-full-31-bits.patch | 39 +++++++++++++++ ...ry-leak-of-uid-in-files-registration.patch | 31 ++++++++++++ ...l-entry-from-list-when-canceling-all.patch | 43 ++++++++++++++++ ...me-cros_ec_typec-check-for-ec-device.patch | 48 ++++++++++++++++++ ...n-when-probing-for-fan-curve-control.patch | 39 +++++++++++++++ queue-5.17/riscv-module-remove-noload.patch | 49 +++++++++++++++++++ queue-5.17/series | 9 ++++ queue-5.17/spi-fix-tegra-qspi-example.patch | 37 ++++++++++++++ ...r-while-adding-split-ranges-to-iotlb.patch | 40 +++++++++++++++ 10 files changed, 372 insertions(+) create mode 100644 queue-5.17/acpi-cppc-avoid-out-of-bounds-access-when-parsing-_cpc-data.patch create mode 100644 queue-5.17/io_uring-bump-poll-refs-to-full-31-bits.patch create mode 100644 queue-5.17/io_uring-fix-memory-leak-of-uid-in-files-registration.patch create mode 100644 queue-5.17/io_uring-remove-poll-entry-from-list-when-canceling-all.patch create mode 100644 queue-5.17/platform-chrome-cros_ec_typec-check-for-ec-device.patch create mode 100644 queue-5.17/platform-x86-asus-wmi-fix-regression-when-probing-for-fan-curve-control.patch create mode 100644 queue-5.17/riscv-module-remove-noload.patch create mode 100644 queue-5.17/spi-fix-tegra-qspi-example.patch create mode 100644 
queue-5.17/vhost-handle-error-while-adding-split-ranges-to-iotlb.patch
diff --git a/queue-5.17/acpi-cppc-avoid-out-of-bounds-access-when-parsing-_cpc-data.patch b/queue-5.17/acpi-cppc-avoid-out-of-bounds-access-when-parsing-_cpc-data.patch
new file mode 100644
index 00000000000..1bfd39addd5
--- /dev/null
+++ b/queue-5.17/acpi-cppc-avoid-out-of-bounds-access-when-parsing-_cpc-data.patch
@@ -0,0 +1,37 @@
+From 40d8abf364bcab23bc715a9221a3c8623956257b Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki"
+Date: Tue, 22 Mar 2022 17:02:05 +0100
+Subject: ACPI: CPPC: Avoid out of bounds access when parsing _CPC data
+
+From: Rafael J. Wysocki
+
+commit 40d8abf364bcab23bc715a9221a3c8623956257b upstream.
+
+If the NumEntries field in the _CPC return package is less than 2, do
+not attempt to access the "Revision" element of that package, because
+it may not be present then.
+
+Fixes: 337aadff8e45 ("ACPI: Introduce CPU performance controls using CPPC")
+BugLink: https://lore.kernel.org/lkml/20220322143534.GC32582@xsang-OptiPlex-9020/
+Reported-by: kernel test robot
+Signed-off-by: Rafael J. Wysocki
+Reviewed-by: Huang Rui
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/cppc_acpi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/acpi/cppc_acpi.c
++++ b/drivers/acpi/cppc_acpi.c
+@@ -676,6 +676,11 @@ int acpi_cppc_processor_probe(struct acp
+ cpc_obj = &out_obj->package.elements[0];
+ if (cpc_obj->type == ACPI_TYPE_INTEGER) {
+ num_ent = cpc_obj->integer.value;
++ if (num_ent <= 1) {
++ pr_debug("Unexpected _CPC NumEntries value (%d) for CPU:%d\n",
++ num_ent, pr->id);
++ goto out_free;
++ }
+ } else {
+ pr_debug("Unexpected entry type(%d) for NumEntries\n",
+ cpc_obj->type);
diff --git a/queue-5.17/io_uring-bump-poll-refs-to-full-31-bits.patch b/queue-5.17/io_uring-bump-poll-refs-to-full-31-bits.patch
new file mode 100644
index 00000000000..feff602a684
--- /dev/null
+++ b/queue-5.17/io_uring-bump-poll-refs-to-full-31-bits.patch
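Review bot: In the cppc_acpi.c hunk of the ACPI/CPPC patch, the added guard `if (num_ent <= 1)` validates only the firmware-supplied NumEntries value and never compares it with the number of elements the _CPC package actually holds. A package that declares two or more entries but carries fewer would still reach the element accesses that follow, so unless a length check exists outside the hunk the condition would be safer as `if (num_ent <= 1 || num_ent > out_obj->package.count)`. The `%d` in the new pr_debug() also assumes num_ent is a signed int; its declaration is not visible here, so confirm the specifier matches. acpi_cppc_processor_probe() starts and ends outside the hunk.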
@@ -0,0 +1,39 @@
+From e2c0cb7c0cc72939b61a7efee376206725796625 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Tue, 22 Mar 2022 06:57:25 -0600
+Subject: io_uring: bump poll refs to full 31-bits
+
+From: Jens Axboe
+
+commit e2c0cb7c0cc72939b61a7efee376206725796625 upstream.
+
+The previous commit:
+
+1bc84c40088 ("io_uring: remove poll entry from list when canceling all")
+
+removed a potential overflow condition for the poll references. They
+are currently limited to 20-bits, even if we have 31-bits available. The
+upper bit is used to mark for cancelation.
+
+Bump the poll ref space to 31-bits, making that kind of situation much
+harder to trigger in general. We'll separately add overflow checking
+and handling.
+
+Fixes: aa43477b0402 ("io_uring: poll rework")
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/io_uring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -5414,7 +5414,7 @@ struct io_poll_table {
+ };
+
+ #define IO_POLL_CANCEL_FLAG BIT(31)
+-#define IO_POLL_REF_MASK ((1u << 20)-1)
++#define IO_POLL_REF_MASK GENMASK(30, 0)
+
+ /*
+ * If refs part of ->poll_refs (see IO_POLL_REF_MASK) is 0, it's free. We can
diff --git a/queue-5.17/io_uring-fix-memory-leak-of-uid-in-files-registration.patch b/queue-5.17/io_uring-fix-memory-leak-of-uid-in-files-registration.patch
new file mode 100644
index 00000000000..5919e1fd437
--- /dev/null
+++ b/queue-5.17/io_uring-fix-memory-leak-of-uid-in-files-registration.patch
@@ -0,0 +1,31 @@
+From c86d18f4aa93e0e66cda0e55827cd03eea6bc5f8 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov
+Date: Fri, 25 Mar 2022 16:36:31 +0000
+Subject: io_uring: fix memory leak of uid in files registration
+
+From: Pavel Begunkov
+
+commit c86d18f4aa93e0e66cda0e55827cd03eea6bc5f8 upstream.
+
+When there are no files for __io_sqe_files_scm() to process in the
+range, it'll free everything and return. However, it forgets to put uid.
+
+Fixes: 08a451739a9b5 ("io_uring: allow sparse fixed file sets")
+Signed-off-by: Pavel Begunkov
+Link: https://lore.kernel.org/r/accee442376f33ce8aaebb099d04967533efde92.1648226048.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/io_uring.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -8241,6 +8241,7 @@ static int __io_sqe_files_scm(struct io_
+ fput(fpl->fp[i]);
+ } else {
+ kfree_skb(skb);
++ free_uid(fpl->user);
+ kfree(fpl);
+ }
+
diff --git a/queue-5.17/io_uring-remove-poll-entry-from-list-when-canceling-all.patch b/queue-5.17/io_uring-remove-poll-entry-from-list-when-canceling-all.patch
new file mode 100644
index 00000000000..8693c5aebf8
--- /dev/null
+++ b/queue-5.17/io_uring-remove-poll-entry-from-list-when-canceling-all.patch
@@ -0,0 +1,43 @@
+From 61bc84c4008812d784c398cfb54118c1ba396dfc Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Mon, 21 Mar 2022 19:03:24 -0600
+Subject: io_uring: remove poll entry from list when canceling all
+
+From: Jens Axboe
+
+commit 61bc84c4008812d784c398cfb54118c1ba396dfc upstream.
+
+When the ring is exiting, as part of the shutdown, poll requests are
+removed. But io_poll_remove_all() does not remove entries when finding
+them, and since completions are done out-of-band, we can find and remove
+the same entry multiple times.
+
+We do guard the poll execution by poll ownership, but that does not
+exclude us from reissuing a new one once the previous removal ownership
+goes away.
+
+This can race with poll execution as well, where we then end up seeing
+req->apoll be NULL because a previous task_work requeue finished the
+request.
+
+Remove the poll entry when we find it and get ownership of it. This
+prevents multiple invocations from finding it.
+
+Fixes: aa43477b0402 ("io_uring: poll rework")
+Reported-by: Dylan Yudaken
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/io_uring.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -5870,6 +5870,7 @@ static __cold bool io_poll_remove_all(st
+ list = &ctx->cancel_hash[i];
+ hlist_for_each_entry_safe(req, tmp, list, hash_node) {
+ if (io_match_task_safe(req, tsk, cancel_all)) {
++ hlist_del_init(&req->hash_node);
+ io_poll_cancel_req(req);
+ found = true;
+ }
diff --git a/queue-5.17/platform-chrome-cros_ec_typec-check-for-ec-device.patch b/queue-5.17/platform-chrome-cros_ec_typec-check-for-ec-device.patch
new file mode 100644
index 00000000000..d39c25498d9
--- /dev/null
+++ b/queue-5.17/platform-chrome-cros_ec_typec-check-for-ec-device.patch
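Review bot: The new `hlist_del_init(&req->hash_node);` in io_poll_remove_all() carries no comment explaining why the entry must be unhashed before `io_poll_cancel_req(req)`, although that ordering is the whole fix. I would add `/* unhash before cancelling so a later cancel-all pass cannot find this request again */` above the call. The lock that protects ctx->cancel_hash is not visible in the hunk, so the comment should also name it once that is confirmed; the function starts and ends outside the hunk.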
@@ -0,0 +1,48 @@
+From ffebd90532728086007038986900426544e3df4e Mon Sep 17 00:00:00 2001
+From: Prashant Malani
+Date: Wed, 26 Jan 2022 19:02:20 +0000
+Subject: platform/chrome: cros_ec_typec: Check for EC device
+
+From: Prashant Malani
+
+commit ffebd90532728086007038986900426544e3df4e upstream.
+
+The Type C ACPI device on older Chromebooks is not generated correctly
+(since their EC firmware doesn't support the new commands required). In
+such cases, the crafted ACPI device doesn't have an EC parent, and it is
+therefore not useful (it shouldn't be generated in the first place since
+the EC firmware doesn't support any of the Type C commands).
+
+To handle devices which use these older firmware revisions, check for
+the parent EC device handle, and fail the probe if it's not found.
+
+Fixes: fdc6b21e2444 ("platform/chrome: Add Type C connector class driver")
+Reported-by: Alyssa Ross
+Reviewed-by: Tzung-Bi Shih
+Signed-off-by: Prashant Malani
+Acked-by: Heikki Krogerus
+Reviewed-by: Alyssa Ross
+Tested-by: Alyssa Ross
+Link: https://lore.kernel.org/r/20220126190219.3095419-1-pmalani@chromium.org
+Signed-off-by: Benson Leung
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/chrome/cros_ec_typec.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/platform/chrome/cros_ec_typec.c
++++ b/drivers/platform/chrome/cros_ec_typec.c
+@@ -1075,7 +1075,13 @@ static int cros_typec_probe(struct platf
+ return -ENOMEM;
+
+ typec->dev = dev;
++
+ typec->ec = dev_get_drvdata(pdev->dev.parent);
++ if (!typec->ec) {
++ dev_err(dev, "couldn't find parent EC device\n");
++ return -ENODEV;
++ }
++
+ platform_set_drvdata(pdev, typec);
+
+ ret = cros_typec_get_cmd_version(typec);
diff --git a/queue-5.17/platform-x86-asus-wmi-fix-regression-when-probing-for-fan-curve-control.patch b/queue-5.17/platform-x86-asus-wmi-fix-regression-when-probing-for-fan-curve-control.patch
new file mode 100644
index 00000000000..0d1f4720c58
--- /dev/null
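Review bot: In cros_typec_probe(), the added `if (!typec->ec)` test only catches a parent that has no driver data; it cannot tell whether a non-NULL pointer returned by `dev_get_drvdata(pdev->dev.parent)` really belongs to an EC device. The commit message says the ACPI device on affected firmware has a parent that is not an EC, so if such a parent ever carries driver data of its own, that pointer would be stored and later used as EC state. I would at least record the assumption next to the check, e.g. `/* NULL drvdata is the only signal that the parent is not a bound EC device */`, and confirm whether an EC that has not finished probing needs different handling from a missing one. The function continues outside the hunk.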
+++ b/queue-5.17/platform-x86-asus-wmi-fix-regression-when-probing-for-fan-curve-control.patch
@@ -0,0 +1,39 @@
+From d717e4509af0380a94dbc28b61839df39f17e1eb Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Sat, 5 Feb 2022 12:28:40 +0100
+Subject: platform/x86: asus-wmi: Fix regression when probing for fan curve control
+
+From: Hans de Goede
+
+commit d717e4509af0380a94dbc28b61839df39f17e1eb upstream.
+
+The fan curve control patches introduced a regression for at least the
+TUF FX506 and possibly other TUF series laptops that do not have support
+for fan curve control.
+
+As part of the probing process, asus_wmi_evaluate_method_buf is called
+to get the factory default fan curve . The WMI management function
+returns 0 on certain laptops to indicate lack of fan curve control
+instead of ASUS_WMI_UNSUPPORTED_METHOD. This 0 is transformed to
+-ENODATA which results in failure when probing.
+
+Fixes: 0f0ac158d28f ("platform/x86: asus-wmi: Add support for custom fan curves")
+Reported-and-tested-by: Abhijeet V
+Signed-off-by: Hans de Goede
+Link: https://lore.kernel.org/r/20220205112840.33095-1-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/x86/asus-wmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/asus-wmi.c
++++ b/drivers/platform/x86/asus-wmi.c
+@@ -2059,7 +2059,7 @@ static int fan_boost_mode_check_present(
+ err = asus_wmi_get_devstate(asus, ASUS_WMI_DEVID_FAN_BOOST_MODE,
+ &result);
+ if (err) {
+- if (err == -ENODEV)
++ if (err == -ENODEV || err == -ENODATA)
+ return 0;
+ else
+ return err;
diff --git a/queue-5.17/riscv-module-remove-noload.patch b/queue-5.17/riscv-module-remove-noload.patch
new file mode 100644
index 00000000000..913f1610cc1
--- /dev/null
+++ b/queue-5.17/riscv-module-remove-noload.patch
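Review bot: The changed condition in the asus-wmi.c hunk sits on the error path of `asus_wmi_get_devstate(asus, ASUS_WMI_DEVID_FAN_BOOST_MODE, &result)` under the hunk header `fan_boost_mode_check_present(`, while the commit message describes -ENODATA coming from asus_wmi_evaluate_method_buf during fan curve probing. As shown, `err == -ENODATA` is now swallowed for the fan boost mode probe and the fan curve probe is not touched, which suggests the backport may have landed on the wrong site. Please check the target tree: if the fan curve check there already accepts -ENODATA this patch should be dropped, otherwise it needs rebasing onto that function. The enclosing function starts outside the hunk, so the placement should be confirmed against the 5.17 source.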
@@ -0,0 +1,49 @@
+From 60210a3d86dc57ce4a76a366e7841dda746a33f7 Mon Sep 17 00:00:00 2001
+From: Fangrui Song
+Date: Mon, 21 Mar 2022 18:26:17 -0700
+Subject: riscv module: remove (NOLOAD)
+
+From: Fangrui Song
+
+commit 60210a3d86dc57ce4a76a366e7841dda746a33f7 upstream.
+
+On ELF, (NOLOAD) sets the section type to SHT_NOBITS[1]. It is conceptually
+inappropriate for .plt, .got, and .got.plt sections which are always
+SHT_PROGBITS.
+
+In GNU ld, if PLT entries are needed, .plt will be SHT_PROGBITS anyway
+and (NOLOAD) will be essentially ignored. In ld.lld, since
+https://reviews.llvm.org/D118840 ("[ELF] Support (TYPE=) to
+customize the output section type"), ld.lld will report a `section type
+mismatch` error (later changed to a warning). Just remove (NOLOAD) to
+fix the warning.
+
+[1] https://lld.llvm.org/ELF/linker_script.html As of today, "The
+section should be marked as not loadable" on
+https://sourceware.org/binutils/docs/ld/Output-Section-Type.html is
+outdated for ELF.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1597
+Fixes: ab1ef68e5401 ("RISC-V: Add sections of PLT and GOT for kernel module")
+Reported-by: Nathan Chancellor
+Signed-off-by: Fangrui Song
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/riscv/include/asm/module.lds.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/riscv/include/asm/module.lds.h
++++ b/arch/riscv/include/asm/module.lds.h
+@@ -2,8 +2,8 @@
+ /* Copyright (C) 2017 Andes Technology Corporation */
+ #ifdef CONFIG_MODULE_SECTIONS
+ SECTIONS {
+- .plt (NOLOAD) : { BYTE(0) }
+- .got (NOLOAD) : { BYTE(0) }
+- .got.plt (NOLOAD) : { BYTE(0) }
++ .plt : { BYTE(0) }
++ .got : { BYTE(0) }
++ .got.plt : { BYTE(0) }
+ }
+ #endif
diff --git a/queue-5.17/series b/queue-5.17/series
index 40ba8d51fe2..3f15b4667bc 100644
--- a/queue-5.17/series
+++ b/queue-5.17/series
@@ -1052,3 +1052,12 @@ block-restore-the-old-set_task_ioprio-behaviour-wrt-pf_exiting.patch
 revert-virtio-pci-harden-intx-interrupts.patch
 revert-virtio_pci-harden-msi-x-interrupts.patch
 virtio-use-virtio_device_ready-in-virtio_device_restore.patch
+io_uring-remove-poll-entry-from-list-when-canceling-all.patch
+io_uring-bump-poll-refs-to-full-31-bits.patch
+io_uring-fix-memory-leak-of-uid-in-files-registration.patch
+riscv-module-remove-noload.patch
+acpi-cppc-avoid-out-of-bounds-access-when-parsing-_cpc-data.patch
+vhost-handle-error-while-adding-split-ranges-to-iotlb.patch
+spi-fix-tegra-qspi-example.patch
+platform-chrome-cros_ec_typec-check-for-ec-device.patch
+platform-x86-asus-wmi-fix-regression-when-probing-for-fan-curve-control.patch
diff --git a/queue-5.17/spi-fix-tegra-qspi-example.patch b/queue-5.17/spi-fix-tegra-qspi-example.patch
new file mode 100644
index 00000000000..49fb06f9990
--- /dev/null
+++ b/queue-5.17/spi-fix-tegra-qspi-example.patch
@@ -0,0 +1,37 @@
+From 320689a1b543ca1396b3ed43bb18045e4a7ffd79 Mon Sep 17 00:00:00 2001
+From: Jon Hunter
+Date: Mon, 7 Mar 2022 11:35:29 +0000
+Subject: spi: Fix Tegra QSPI example
+
+From: Jon Hunter
+
+commit 320689a1b543ca1396b3ed43bb18045e4a7ffd79 upstream.
+
+When running dt_binding_check on the nvidia,tegra210-quad.yaml binding
+document the following error is reported ...
+
+ nvidia,tegra210-quad.example.dt.yaml:0:0: /example-0/spi@70410000/flash@0:
+ failed to match any schema with compatible: ['spi-nor']
+
+Update the example in the binding document to fix the above error.
+
+Signed-off-by: Jon Hunter
+Fixes: 9684752e5fe3 ("dt-bindings: spi: Add Tegra Quad SPI device tree binding")
+Link: https://lore.kernel.org/r/20220307113529.315685-1-jonathanh@nvidia.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/spi/nvidia,tegra210-quad.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/spi/nvidia,tegra210-quad.yaml
++++ b/Documentation/devicetree/bindings/spi/nvidia,tegra210-quad.yaml
+@@ -106,7 +106,7 @@ examples:
+ dma-names = "rx", "tx";
+
+ flash@0 {
+- compatible = "spi-nor";
++ compatible = "jedec,spi-nor";
+ reg = <0>;
+ spi-max-frequency = <104000000>;
+ spi-tx-bus-width = <2>;
diff --git a/queue-5.17/vhost-handle-error-while-adding-split-ranges-to-iotlb.patch b/queue-5.17/vhost-handle-error-while-adding-split-ranges-to-iotlb.patch
new file mode 100644
index 00000000000..832ff87c4a3
--- /dev/null
+++ b/queue-5.17/vhost-handle-error-while-adding-split-ranges-to-iotlb.patch
@@ -0,0 +1,40 @@
+From 03a91c9af2c42ae14afafb829a4b7e6589ab5892 Mon Sep 17 00:00:00 2001
+From: Anirudh Rayabharam
+Date: Sat, 12 Mar 2022 19:41:21 +0530
+Subject: vhost: handle error while adding split ranges to iotlb
+
+From: Anirudh Rayabharam
+
+commit 03a91c9af2c42ae14afafb829a4b7e6589ab5892 upstream.
+
+vhost_iotlb_add_range_ctx() handles the range [0, ULONG_MAX] by
+splitting it into two ranges and adding them separately. The return
+value of adding the first range to the iotlb is currently ignored.
+Check the return value and bail out in case of an error.
+
+Signed-off-by: Anirudh Rayabharam
+Link: https://lore.kernel.org/r/20220312141121.4981-1-mail@anirudhrb.com
+Signed-off-by: Michael S. Tsirkin
+Fixes: e2ae38cf3d91 ("vhost: fix hung thread due to erroneous iotlb entries")
+Reviewed-by: Stefano Garzarella
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vhost/iotlb.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/iotlb.c
++++ b/drivers/vhost/iotlb.c
+@@ -62,8 +62,12 @@ int vhost_iotlb_add_range_ctx(struct vho
+ */
+ if (start == 0 && last == ULONG_MAX) {
+ u64 mid = last / 2;
++ int err = vhost_iotlb_add_range_ctx(iotlb, start, mid, addr,
++ perm, opaque);
++
++ if (err)
++ return err;
+
+- vhost_iotlb_add_range_ctx(iotlb, start, mid, addr, perm, opaque);
+ addr += mid + 1;
+ start = mid + 1;
+ }
-- 2.47.3
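Review bot: With the new early `return err;` in vhost_iotlb_add_range_ctx(), a failure of the first half is reported, but the hunk does not show what happens when the first half succeeds and the insertion of the second half (after `start = mid + 1;`, outside the hunk) fails. In that case the caller would receive an error while [0, mid] stays mapped in the iotlb, leaving behind a mapping the caller believes was never installed. If the rest of the function has no rollback, removing the first range on that path, for example `vhost_iotlb_del_range(iotlb, 0, mid);`, would keep the operation all-or-nothing. Separating the declaration of `err` from the recursive call would also read better than a call hidden in an initializer.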