From 79dd48f6c67aebd7e83f24b641808a5feede19ff Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 20 Mar 2023 13:04:16 +0100 Subject: [PATCH] 5.15-stable patches added patches: cpuidle-psci-iterate-backwards-over-list-in-psci_pd_remove.patch fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch ice-avoid-bonding-causing-auxiliary-plug-unplug-under-rtnl-lock.patch mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch mmc-sdhci_am654-lower-power-on-failed-message-severity.patch net-phy-nxp-c45-tja11xx-fix-mii_basic_config_rev-bit.patch nvme-pci-add-nvme_quirk_bogus_nid-for-netac-nv3000.patch trace-hwlat-do-not-wipe-the-contents-of-per-cpu-thread-data.patch x86-mce-make-sure-logged-mces-are-processed-after-sysfs-update.patch x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch x86-resctrl-clear-staged_config-before-and-after-it-is-used.patch --- ...ackwards-over-list-in-psci_pd_remove.patch | 62 +++++ ...xelclock-and-add-fb_check_var-checks.patch | 77 ++++++ ...access-in-lookup_rec-when-index-is-0.patch | 54 +++++ ...uxiliary-plug-unplug-under-rtnl-lock.patch | 97 ++++++++ ...t-when-pte-mapping-the-huge-zeropage.patch | 223 ++++++++++++++++++ ...wer-power-on-failed-message-severity.patch | 36 +++ ...tja11xx-fix-mii_basic_config_rev-bit.patch | 33 +++ ...vme_quirk_bogus_nid-for-netac-nv3000.patch | 31 +++ queue-5.15/series | 12 + ...-the-contents-of-per-cpu-thread-data.patch | 38 +++ ...ces-are-processed-after-sysfs-update.patch | 44 ++++ ...f-uninitialized-buffer-in-sme_enable.patch | 40 ++++ ...d_config-before-and-after-it-is-used.patch | 165 +++++++++++++ 13 files changed, 912 insertions(+) create mode 100644 queue-5.15/cpuidle-psci-iterate-backwards-over-list-in-psci_pd_remove.patch create mode 100644 queue-5.15/fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch create mode 100644 queue-5.15/ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch create mode 100644 queue-5.15/ice-avoid-bonding-causing-auxiliary-plug-unplug-under-rtnl-lock.patch create mode 100644 queue-5.15/mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch create mode 100644 queue-5.15/mmc-sdhci_am654-lower-power-on-failed-message-severity.patch create mode 100644 queue-5.15/net-phy-nxp-c45-tja11xx-fix-mii_basic_config_rev-bit.patch create mode 100644 queue-5.15/nvme-pci-add-nvme_quirk_bogus_nid-for-netac-nv3000.patch create mode 100644 queue-5.15/trace-hwlat-do-not-wipe-the-contents-of-per-cpu-thread-data.patch create mode 100644 queue-5.15/x86-mce-make-sure-logged-mces-are-processed-after-sysfs-update.patch create mode 100644 queue-5.15/x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch create mode 100644 queue-5.15/x86-resctrl-clear-staged_config-before-and-after-it-is-used.patch diff --git a/queue-5.15/cpuidle-psci-iterate-backwards-over-list-in-psci_pd_remove.patch b/queue-5.15/cpuidle-psci-iterate-backwards-over-list-in-psci_pd_remove.patch new file mode 100644 index 00000000000..0b2a6784045 --- /dev/null +++ b/queue-5.15/cpuidle-psci-iterate-backwards-over-list-in-psci_pd_remove.patch @@ -0,0 +1,62 @@ +From 6b0313c2fa3d2cf991c9ffef6fae6e7ef592ce6d Mon Sep 17 00:00:00 2001 +From: Shawn Guo +Date: Sat, 4 Mar 2023 15:41:07 +0800 +Subject: cpuidle: psci: Iterate backwards over list in psci_pd_remove() + +From: Shawn Guo + +commit 6b0313c2fa3d2cf991c9ffef6fae6e7ef592ce6d upstream. + +In case that psci_pd_init_topology() fails for some reason, +psci_pd_remove() will be responsible for deleting provider and removing +genpd from psci_pd_providers list. There will be a failure when removing +the cluster PD, because the cpu (child) PDs haven't been removed. + +[ 0.050232] CPUidle PSCI: init PM domain cpu0 +[ 0.050278] CPUidle PSCI: init PM domain cpu1 +[ 0.050329] CPUidle PSCI: init PM domain cpu2 +[ 0.050370] CPUidle PSCI: init PM domain cpu3 +[ 0.050422] CPUidle PSCI: init PM domain cpu-cluster0 +[ 0.050475] PM: genpd_remove: unable to remove cpu-cluster0 +[ 0.051412] PM: genpd_remove: removed cpu3 +[ 0.051449] PM: genpd_remove: removed cpu2 +[ 0.051499] PM: genpd_remove: removed cpu1 +[ 0.051546] PM: genpd_remove: removed cpu0 + +Fix the problem by iterating the provider list reversely, so that parent +PD gets removed after child's PDs like below. + +[ 0.029052] CPUidle PSCI: init PM domain cpu0 +[ 0.029076] CPUidle PSCI: init PM domain cpu1 +[ 0.029103] CPUidle PSCI: init PM domain cpu2 +[ 0.029124] CPUidle PSCI: init PM domain cpu3 +[ 0.029151] CPUidle PSCI: init PM domain cpu-cluster0 +[ 0.029647] PM: genpd_remove: removed cpu0 +[ 0.029666] PM: genpd_remove: removed cpu1 +[ 0.029690] PM: genpd_remove: removed cpu2 +[ 0.029714] PM: genpd_remove: removed cpu3 +[ 0.029738] PM: genpd_remove: removed cpu-cluster0 + +Fixes: a65a397f2451 ("cpuidle: psci: Add support for PM domains by using genpd") +Reviewed-by: Sudeep Holla +Reviewed-by: Ulf Hansson +Signed-off-by: Shawn Guo +Cc: 5.10+ # 5.10+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpuidle/cpuidle-psci-domain.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/cpuidle/cpuidle-psci-domain.c ++++ b/drivers/cpuidle/cpuidle-psci-domain.c +@@ -182,7 +182,8 @@ static void psci_pd_remove(void) + struct psci_pd_provider *pd_provider, *it; + struct generic_pm_domain *genpd; + +- list_for_each_entry_safe(pd_provider, it, &psci_pd_providers, link) { ++ list_for_each_entry_safe_reverse(pd_provider, it, ++ &psci_pd_providers, link) { + of_genpd_del_provider(pd_provider->node); + + genpd = of_genpd_remove_last(pd_provider->node); diff --git a/queue-5.15/fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch b/queue-5.15/fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch new file mode 100644 index 00000000000..cd73ec4752d --- /dev/null +++ b/queue-5.15/fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch @@ -0,0 +1,77 @@ +From 203873a535d627c668f293be0cb73e26c30f9cc7 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Thu, 16 Mar 2023 11:38:19 +0100 +Subject: fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks + +From: Helge Deller + +commit 203873a535d627c668f293be0cb73e26c30f9cc7 upstream. + +Find a valid modeline depending on the machine graphic card +configuration and add the fb_check_var() function to validate +Xorg provided graphics settings. + +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/stifb.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +--- a/drivers/video/fbdev/stifb.c ++++ b/drivers/video/fbdev/stifb.c +@@ -922,6 +922,28 @@ SETUP_HCRX(struct stifb_info *fb) + /* ------------------- driver specific functions --------------------------- */ + + static int ++stifb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) ++{ ++ struct stifb_info *fb = container_of(info, struct stifb_info, info); ++ ++ if (var->xres != fb->info.var.xres || ++ var->yres != fb->info.var.yres || ++ var->bits_per_pixel != fb->info.var.bits_per_pixel) ++ return -EINVAL; ++ ++ var->xres_virtual = var->xres; ++ var->yres_virtual = var->yres; ++ var->xoffset = 0; ++ var->yoffset = 0; ++ var->grayscale = fb->info.var.grayscale; ++ var->red.length = fb->info.var.red.length; ++ var->green.length = fb->info.var.green.length; ++ var->blue.length = fb->info.var.blue.length; ++ ++ return 0; ++} ++ ++static int + stifb_setcolreg(u_int regno, u_int red, u_int green, + u_int blue, u_int transp, struct fb_info *info) + { +@@ -1145,6 +1167,7 @@ stifb_init_display(struct stifb_info *fb + + static const struct fb_ops stifb_ops = { + .owner = THIS_MODULE, ++ .fb_check_var = stifb_check_var, + .fb_setcolreg = stifb_setcolreg, + .fb_blank = stifb_blank, + .fb_fillrect = stifb_fillrect, +@@ -1164,6 +1187,7 @@ static int __init stifb_init_fb(struct s + struct stifb_info *fb; + struct fb_info *info; + unsigned long sti_rom_address; ++ char modestr[32]; + char *dev_name; + int bpp, xres, yres; + +@@ -1342,6 +1366,9 @@ static int __init stifb_init_fb(struct s + info->flags = FBINFO_HWACCEL_COPYAREA | FBINFO_HWACCEL_FILLRECT; + info->pseudo_palette = &fb->pseudo_palette; + ++ scnprintf(modestr, sizeof(modestr), "%dx%d-%d", xres, yres, bpp); ++ fb_find_mode(&info->var, info, modestr, NULL, 0, NULL, bpp); ++ + /* This has to be done !!! */ + if (fb_alloc_cmap(&info->cmap, NR_PALETTE, 0)) + goto out_err1; diff --git a/queue-5.15/ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch b/queue-5.15/ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch new file mode 100644 index 00000000000..645eb229dce --- /dev/null +++ b/queue-5.15/ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch @@ -0,0 +1,54 @@ +From ee92fa443358f4fc0017c1d0d325c27b37802504 Mon Sep 17 00:00:00 2001 +From: Chen Zhongjin +Date: Thu, 9 Mar 2023 16:02:30 +0800 +Subject: ftrace: Fix invalid address access in lookup_rec() when index is 0 + +From: Chen Zhongjin + +commit ee92fa443358f4fc0017c1d0d325c27b37802504 upstream. + +KASAN reported follow problem: + + BUG: KASAN: use-after-free in lookup_rec + Read of size 8 at addr ffff000199270ff0 by task modprobe + CPU: 2 Comm: modprobe + Call trace: + kasan_report + __asan_load8 + lookup_rec + ftrace_location + arch_check_ftrace_location + check_kprobe_address_safe + register_kprobe + +When checking pg->records[pg->index - 1].ip in lookup_rec(), it can get a +pg which is newly added to ftrace_pages_start in ftrace_process_locs(). +Before the first pg->index++, index is 0 and accessing pg->records[-1].ip +will cause this problem. + +Don't check the ip when pg->index is 0. + +Link: https://lore.kernel.org/linux-trace-kernel/20230309080230.36064-1-chenzhongjin@huawei.com + +Cc: stable@vger.kernel.org +Fixes: 9644302e3315 ("ftrace: Speed up search by skipping pages by address") +Suggested-by: Steven Rostedt (Google) +Signed-off-by: Chen Zhongjin +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -1538,7 +1538,8 @@ static struct dyn_ftrace *lookup_rec(uns + key.flags = end; /* overload flags, as it is unsigned long */ + + for (pg = ftrace_pages_start; pg; pg = pg->next) { +- if (end < pg->records[0].ip || ++ if (pg->index == 0 || ++ end < pg->records[0].ip || + start >= (pg->records[pg->index - 1].ip + MCOUNT_INSN_SIZE)) + continue; + rec = bsearch(&key, pg->records, pg->index, diff --git a/queue-5.15/ice-avoid-bonding-causing-auxiliary-plug-unplug-under-rtnl-lock.patch b/queue-5.15/ice-avoid-bonding-causing-auxiliary-plug-unplug-under-rtnl-lock.patch new file mode 100644 index 00000000000..0fc1ce43cd8 --- /dev/null +++ b/queue-5.15/ice-avoid-bonding-causing-auxiliary-plug-unplug-under-rtnl-lock.patch @@ -0,0 +1,97 @@ +From 248401cb2c4612d83eb0c352ee8103b78b8eb365 Mon Sep 17 00:00:00 2001 +From: Dave Ertman +Date: Fri, 10 Mar 2023 11:48:33 -0800 +Subject: ice: avoid bonding causing auxiliary plug/unplug under RTNL lock + +From: Dave Ertman + +commit 248401cb2c4612d83eb0c352ee8103b78b8eb365 upstream. + +RDMA is not supported in ice on a PF that has been added to a bonded +interface. To enforce this, when an interface enters a bond, we unplug +the auxiliary device that supports RDMA functionality. This unplug +currently happens in the context of handling the netdev bonding event. +This event is sent to the ice driver under RTNL context. This is causing +a deadlock where the RDMA driver is waiting for the RTNL lock to complete +the removal. + +Defer the unplugging/re-plugging of the auxiliary device to the service +task so that it is not performed under the RTNL lock context. + +Cc: stable@vger.kernel.org # 6.1.x +Reported-by: Jaroslav Pulchart +Link: https://lore.kernel.org/netdev/CAK8fFZ6A_Gphw_3-QMGKEFQk=sfCw1Qmq0TVZK3rtAi7vb621A@mail.gmail.com/ +Fixes: 5cb1ebdbc434 ("ice: Fix race condition during interface enslave") +Fixes: 4eace75e0853 ("RDMA/irdma: Report the correct link speed") +Signed-off-by: Dave Ertman +Tested-by: Arpana Arland (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20230310194833.3074601-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice.h | 14 +++++--------- + drivers/net/ethernet/intel/ice/ice_main.c | 19 ++++++++----------- + 2 files changed, 13 insertions(+), 20 deletions(-) + +--- a/drivers/net/ethernet/intel/ice/ice.h ++++ b/drivers/net/ethernet/intel/ice/ice.h +@@ -399,6 +399,7 @@ enum ice_pf_flags { + ICE_FLAG_MDD_AUTO_RESET_VF, + ICE_FLAG_LINK_LENIENT_MODE_ENA, + ICE_FLAG_PLUG_AUX_DEV, ++ ICE_FLAG_UNPLUG_AUX_DEV, + ICE_FLAG_MTU_CHANGED, + ICE_PF_FLAGS_NBITS /* must be last */ + }; +@@ -706,16 +707,11 @@ static inline void ice_set_rdma_cap(stru + */ + static inline void ice_clear_rdma_cap(struct ice_pf *pf) + { +- /* We can directly unplug aux device here only if the flag bit +- * ICE_FLAG_PLUG_AUX_DEV is not set because ice_unplug_aux_dev() +- * could race with ice_plug_aux_dev() called from +- * ice_service_task(). In this case we only clear that bit now and +- * aux device will be unplugged later once ice_plug_aux_device() +- * called from ice_service_task() finishes (see ice_service_task()). ++ /* defer unplug to service task to avoid RTNL lock and ++ * clear PLUG bit so that pending plugs don't interfere + */ +- if (!test_and_clear_bit(ICE_FLAG_PLUG_AUX_DEV, pf->flags)) +- ice_unplug_aux_dev(pf); +- ++ clear_bit(ICE_FLAG_PLUG_AUX_DEV, pf->flags); ++ set_bit(ICE_FLAG_UNPLUG_AUX_DEV, pf->flags); + clear_bit(ICE_FLAG_RDMA_ENA, pf->flags); + clear_bit(ICE_FLAG_AUX_ENA, pf->flags); + } +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -2156,18 +2156,15 @@ static void ice_service_task(struct work + } + } + +- if (test_bit(ICE_FLAG_PLUG_AUX_DEV, pf->flags)) { +- /* Plug aux device per request */ +- ice_plug_aux_dev(pf); ++ /* unplug aux dev per request, if an unplug request came in ++ * while processing a plug request, this will handle it ++ */ ++ if (test_and_clear_bit(ICE_FLAG_UNPLUG_AUX_DEV, pf->flags)) ++ ice_unplug_aux_dev(pf); + +- /* Mark plugging as done but check whether unplug was +- * requested during ice_plug_aux_dev() call +- * (e.g. from ice_clear_rdma_cap()) and if so then +- * plug aux device. +- */ +- if (!test_and_clear_bit(ICE_FLAG_PLUG_AUX_DEV, pf->flags)) +- ice_unplug_aux_dev(pf); +- } ++ /* Plug aux device per request */ ++ if (test_and_clear_bit(ICE_FLAG_PLUG_AUX_DEV, pf->flags)) ++ ice_plug_aux_dev(pf); + + if (test_and_clear_bit(ICE_FLAG_MTU_CHANGED, pf->flags)) { + struct iidc_event *event; diff --git a/queue-5.15/mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch b/queue-5.15/mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch new file mode 100644 index 00000000000..6893c0bcb86 --- /dev/null +++ b/queue-5.15/mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch @@ -0,0 +1,223 @@ +From 42b2af2c9b7eede8ef21d0943f84d135e21a32a3 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Thu, 2 Mar 2023 18:54:23 +0100 +Subject: mm/userfaultfd: propagate uffd-wp bit when PTE-mapping the huge zeropage + +From: David Hildenbrand + +commit 42b2af2c9b7eede8ef21d0943f84d135e21a32a3 upstream. + +Currently, we'd lose the userfaultfd-wp marker when PTE-mapping a huge +zeropage, resulting in the next write faults in the PMD range not +triggering uffd-wp events. + +Various actions (partial MADV_DONTNEED, partial mremap, partial munmap, +partial mprotect) could trigger this. However, most importantly, +un-protecting a single sub-page from the userfaultfd-wp handler when +processing a uffd-wp event will PTE-map the shared huge zeropage and lose +the uffd-wp bit for the remainder of the PMD. + +Let's properly propagate the uffd-wp bit to the PMDs. + + #define _GNU_SOURCE + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + static size_t pagesize; + static int uffd; + static volatile bool uffd_triggered; + + #define barrier() __asm__ __volatile__("": : :"memory") + + static void uffd_wp_range(char *start, size_t size, bool wp) + { + struct uffdio_writeprotect uffd_writeprotect; + + uffd_writeprotect.range.start = (unsigned long) start; + uffd_writeprotect.range.len = size; + if (wp) { + uffd_writeprotect.mode = UFFDIO_WRITEPROTECT_MODE_WP; + } else { + uffd_writeprotect.mode = 0; + } + if (ioctl(uffd, UFFDIO_WRITEPROTECT, &uffd_writeprotect)) { + fprintf(stderr, "UFFDIO_WRITEPROTECT failed: %d\n", errno); + exit(1); + } + } + + static void *uffd_thread_fn(void *arg) + { + static struct uffd_msg msg; + ssize_t nread; + + while (1) { + struct pollfd pollfd; + int nready; + + pollfd.fd = uffd; + pollfd.events = POLLIN; + nready = poll(&pollfd, 1, -1); + if (nready == -1) { + fprintf(stderr, "poll() failed: %d\n", errno); + exit(1); + } + + nread = read(uffd, &msg, sizeof(msg)); + if (nread <= 0) + continue; + + if (msg.event != UFFD_EVENT_PAGEFAULT || + !(msg.arg.pagefault.flags & UFFD_PAGEFAULT_FLAG_WP)) { + printf("FAIL: wrong uffd-wp event fired\n"); + exit(1); + } + + /* un-protect the single page. */ + uffd_triggered = true; + uffd_wp_range((char *)(uintptr_t)msg.arg.pagefault.address, + pagesize, false); + } + return arg; + } + + static int setup_uffd(char *map, size_t size) + { + struct uffdio_api uffdio_api; + struct uffdio_register uffdio_register; + pthread_t thread; + + uffd = syscall(__NR_userfaultfd, + O_CLOEXEC | O_NONBLOCK | UFFD_USER_MODE_ONLY); + if (uffd < 0) { + fprintf(stderr, "syscall() failed: %d\n", errno); + return -errno; + } + + uffdio_api.api = UFFD_API; + uffdio_api.features = UFFD_FEATURE_PAGEFAULT_FLAG_WP; + if (ioctl(uffd, UFFDIO_API, &uffdio_api) < 0) { + fprintf(stderr, "UFFDIO_API failed: %d\n", errno); + return -errno; + } + + if (!(uffdio_api.features & UFFD_FEATURE_PAGEFAULT_FLAG_WP)) { + fprintf(stderr, "UFFD_FEATURE_WRITEPROTECT missing\n"); + return -ENOSYS; + } + + uffdio_register.range.start = (unsigned long) map; + uffdio_register.range.len = size; + uffdio_register.mode = UFFDIO_REGISTER_MODE_WP; + if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) < 0) { + fprintf(stderr, "UFFDIO_REGISTER failed: %d\n", errno); + return -errno; + } + + pthread_create(&thread, NULL, uffd_thread_fn, NULL); + + return 0; + } + + int main(void) + { + const size_t size = 4 * 1024 * 1024ull; + char *map, *cur; + + pagesize = getpagesize(); + + map = mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0); + if (map == MAP_FAILED) { + fprintf(stderr, "mmap() failed\n"); + return -errno; + } + + if (madvise(map, size, MADV_HUGEPAGE)) { + fprintf(stderr, "MADV_HUGEPAGE failed\n"); + return -errno; + } + + if (setup_uffd(map, size)) + return 1; + + /* Read the whole range, populating zeropages. */ + madvise(map, size, MADV_POPULATE_READ); + + /* Write-protect the whole range. */ + uffd_wp_range(map, size, true); + + /* Make sure uffd-wp triggers on each page. */ + for (cur = map; cur < map + size; cur += pagesize) { + uffd_triggered = false; + + barrier(); + /* Trigger a write fault. */ + *cur = 1; + barrier(); + + if (!uffd_triggered) { + printf("FAIL: uffd-wp did not trigger\n"); + return 1; + } + } + + printf("PASS: uffd-wp triggered\n"); + return 0; + } + +Link: https://lkml.kernel.org/r/20230302175423.589164-1-david@redhat.com +Fixes: e06f1e1dd499 ("userfaultfd: wp: enabled write protection in userfaultfd API") +Signed-off-by: David Hildenbrand +Acked-by: Peter Xu +Cc: Mike Rapoport +Cc: Andrea Arcangeli +Cc: Jerome Glisse +Cc: Shaohua Li +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/huge_memory.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -1926,7 +1926,7 @@ static void __split_huge_zero_page_pmd(s + { + struct mm_struct *mm = vma->vm_mm; + pgtable_t pgtable; +- pmd_t _pmd; ++ pmd_t _pmd, old_pmd; + int i; + + /* +@@ -1937,7 +1937,7 @@ static void __split_huge_zero_page_pmd(s + * + * See Documentation/vm/mmu_notifier.rst + */ +- pmdp_huge_clear_flush(vma, haddr, pmd); ++ old_pmd = pmdp_huge_clear_flush(vma, haddr, pmd); + + pgtable = pgtable_trans_huge_withdraw(mm, pmd); + pmd_populate(mm, &_pmd, pgtable); +@@ -1946,6 +1946,8 @@ static void __split_huge_zero_page_pmd(s + pte_t *pte, entry; + entry = pfn_pte(my_zero_pfn(haddr), vma->vm_page_prot); + entry = pte_mkspecial(entry); ++ if (pmd_uffd_wp(old_pmd)) ++ entry = pte_mkuffd_wp(entry); + pte = pte_offset_map(&_pmd, haddr); + VM_BUG_ON(!pte_none(*pte)); + set_pte_at(mm, haddr, pte, entry); diff --git a/queue-5.15/mmc-sdhci_am654-lower-power-on-failed-message-severity.patch b/queue-5.15/mmc-sdhci_am654-lower-power-on-failed-message-severity.patch new file mode 100644 index 00000000000..dc0c760dffc --- /dev/null +++ b/queue-5.15/mmc-sdhci_am654-lower-power-on-failed-message-severity.patch @@ -0,0 +1,36 @@ +From 11440da77d6020831ee6f9ce4551b545dea789ee Mon Sep 17 00:00:00 2001 +From: Francesco Dolcini +Date: Mon, 6 Mar 2023 17:27:51 +0100 +Subject: mmc: sdhci_am654: lower power-on failed message severity + +From: Francesco Dolcini + +commit 11440da77d6020831ee6f9ce4551b545dea789ee upstream. + +Lower the power-on failed message severity from warn to info when the +controller does not power-up. It's normal to have this situation when +the SD card slot is empty, therefore we should not warn the user about +it. + +Fixes: 7ca0f166f5b2 ("mmc: sdhci_am654: Add workaround for card detect debounce timer") +Signed-off-by: Francesco Dolcini +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230306162751.163369-1-francesco@dolcini.it +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci_am654.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci_am654.c ++++ b/drivers/mmc/host/sdhci_am654.c +@@ -369,7 +369,7 @@ static void sdhci_am654_write_b(struct s + MAX_POWER_ON_TIMEOUT, false, host, val, + reg); + if (ret) +- dev_warn(mmc_dev(host->mmc), "Power on failed\n"); ++ dev_info(mmc_dev(host->mmc), "Power on failed\n"); + } + } + diff --git a/queue-5.15/net-phy-nxp-c45-tja11xx-fix-mii_basic_config_rev-bit.patch b/queue-5.15/net-phy-nxp-c45-tja11xx-fix-mii_basic_config_rev-bit.patch new file mode 100644 index 00000000000..7fe8695f3b4 --- /dev/null +++ b/queue-5.15/net-phy-nxp-c45-tja11xx-fix-mii_basic_config_rev-bit.patch @@ -0,0 +1,33 @@ +From 8ba572052a4b8fe5b205854d27e54e3486049b71 Mon Sep 17 00:00:00 2001 +From: "Radu Pirea (OSS)" +Date: Thu, 9 Mar 2023 12:01:11 +0200 +Subject: net: phy: nxp-c45-tja11xx: fix MII_BASIC_CONFIG_REV bit + +From: Radu Pirea (OSS) + +commit 8ba572052a4b8fe5b205854d27e54e3486049b71 upstream. + +According to the TJA1103 user manual, the bit for the reversed role in MII +or RMII modes is bit 4. + +Cc: # 5.15+ +Fixes: b050f2f15e04 ("phy: nxp-c45: add driver for tja1103") +Signed-off-by: Radu Pirea (OSS) +Link: https://lore.kernel.org/r/20230309100111.1246214-1-radu-nicolae.pirea@oss.nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/nxp-c45-tja11xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/phy/nxp-c45-tja11xx.c ++++ b/drivers/net/phy/nxp-c45-tja11xx.c +@@ -79,7 +79,7 @@ + #define SGMII_ABILITY BIT(0) + + #define VEND1_MII_BASIC_CONFIG 0xAFC6 +-#define MII_BASIC_CONFIG_REV BIT(8) ++#define MII_BASIC_CONFIG_REV BIT(4) + #define MII_BASIC_CONFIG_SGMII 0x9 + #define MII_BASIC_CONFIG_RGMII 0x7 + #define MII_BASIC_CONFIG_RMII 0x5 diff --git a/queue-5.15/nvme-pci-add-nvme_quirk_bogus_nid-for-netac-nv3000.patch b/queue-5.15/nvme-pci-add-nvme_quirk_bogus_nid-for-netac-nv3000.patch new file mode 100644 index 00000000000..8dedc567105 --- /dev/null +++ b/queue-5.15/nvme-pci-add-nvme_quirk_bogus_nid-for-netac-nv3000.patch @@ -0,0 +1,31 @@ +From 9630d80655bfe7e62e4aff2889dc4eae7ceeb887 Mon Sep 17 00:00:00 2001 +From: Elmer Miroslav Mosher Golovin +Date: Wed, 8 Mar 2023 19:19:29 +0300 +Subject: nvme-pci: add NVME_QUIRK_BOGUS_NID for Netac NV3000 + +From: Elmer Miroslav Mosher Golovin + +commit 9630d80655bfe7e62e4aff2889dc4eae7ceeb887 upstream. + +Added a quirk to fix the Netac NV3000 SSD reporting duplicate NGUIDs. + +Cc: +Signed-off-by: Elmer Miroslav Mosher Golovin +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3378,6 +3378,8 @@ static const struct pci_device_id nvme_i + .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, + { PCI_DEVICE(0x2646, 0x501E), /* KINGSTON OM3PGP4xxxxQ OS21011 NVMe SSD */ + .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, ++ { PCI_DEVICE(0x1f40, 0x1202), /* Netac Technologies Co. NV3000 NVMe SSD */ ++ .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x1f40, 0x5236), /* Netac Technologies Co. NV7000 NVMe SSD */ + .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x1e4B, 0x1001), /* MAXIO MAP1001 */ diff --git a/queue-5.15/series b/queue-5.15/series index f443b350666..8e1427f988c 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -94,3 +94,15 @@ mptcp-fix-possible-deadlock-in-subflow_error_report.patch mptcp-add-ro_after_init-for-tcp-v6-_prot_override.patch mptcp-avoid-setting-tcp_close-state-twice.patch mptcp-fix-lockdep-false-positive-in-mptcp_pm_nl_create_listen_socket.patch +ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch +nvme-pci-add-nvme_quirk_bogus_nid-for-netac-nv3000.patch +ice-avoid-bonding-causing-auxiliary-plug-unplug-under-rtnl-lock.patch +mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch +mmc-sdhci_am654-lower-power-on-failed-message-severity.patch +fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch +trace-hwlat-do-not-wipe-the-contents-of-per-cpu-thread-data.patch +net-phy-nxp-c45-tja11xx-fix-mii_basic_config_rev-bit.patch +cpuidle-psci-iterate-backwards-over-list-in-psci_pd_remove.patch +x86-mce-make-sure-logged-mces-are-processed-after-sysfs-update.patch +x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch +x86-resctrl-clear-staged_config-before-and-after-it-is-used.patch diff --git a/queue-5.15/trace-hwlat-do-not-wipe-the-contents-of-per-cpu-thread-data.patch b/queue-5.15/trace-hwlat-do-not-wipe-the-contents-of-per-cpu-thread-data.patch new file mode 100644 index 00000000000..f22607e1524 --- /dev/null +++ b/queue-5.15/trace-hwlat-do-not-wipe-the-contents-of-per-cpu-thread-data.patch @@ -0,0 +1,38 @@ +From 4c42f5f0d1dd20bddd9f940beb1e6ccad60c4498 Mon Sep 17 00:00:00 2001 +From: Tero Kristo +Date: Fri, 10 Mar 2023 12:04:50 +0200 +Subject: trace/hwlat: Do not wipe the contents of per-cpu thread data + +From: Tero Kristo + +commit 4c42f5f0d1dd20bddd9f940beb1e6ccad60c4498 upstream. + +Do not wipe the contents of the per-cpu kthread data when starting the +tracer, as this will completely forget about already running instances +and can later start new additional per-cpu threads. + +Link: https://lore.kernel.org/all/20230302113654.2984709-1-tero.kristo@linux.intel.com/ +Link: https://lkml.kernel.org/r/20230310100451.3948583-2-tero.kristo@linux.intel.com + +Cc: stable@vger.kernel.org +Fixes: f46b16520a087 ("trace/hwlat: Implement the per-cpu mode") +Signed-off-by: Tero Kristo +Acked-by: Daniel Bristot de Oliveira +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_hwlat.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/kernel/trace/trace_hwlat.c ++++ b/kernel/trace/trace_hwlat.c +@@ -588,9 +588,6 @@ static int start_per_cpu_kthreads(struct + */ + cpumask_and(current_mask, cpu_online_mask, tr->tracing_cpumask); + +- for_each_online_cpu(cpu) +- per_cpu(hwlat_per_cpu_data, cpu).kthread = NULL; +- + for_each_cpu(cpu, current_mask) { + retval = start_cpu_kthread(cpu); + if (retval) diff --git a/queue-5.15/x86-mce-make-sure-logged-mces-are-processed-after-sysfs-update.patch b/queue-5.15/x86-mce-make-sure-logged-mces-are-processed-after-sysfs-update.patch new file mode 100644 index 00000000000..d76b1279966 --- /dev/null +++ b/queue-5.15/x86-mce-make-sure-logged-mces-are-processed-after-sysfs-update.patch @@ -0,0 +1,44 @@ +From 4783b9cb374af02d49740e00e2da19fd4ed6dec4 Mon Sep 17 00:00:00 2001 +From: Yazen Ghannam +Date: Wed, 1 Mar 2023 22:14:20 +0000 +Subject: x86/mce: Make sure logged MCEs are processed after sysfs update + +From: Yazen Ghannam + +commit 4783b9cb374af02d49740e00e2da19fd4ed6dec4 upstream. + +A recent change introduced a flag to queue up errors found during +boot-time polling. These errors will be processed during late init once +the MCE subsystem is fully set up. + +A number of sysfs updates call mce_restart() which goes through a subset +of the CPU init flow. This includes polling MCA banks and logging any +errors found. Since the same function is used as boot-time polling, +errors will be queued. However, the system is now past late init, so the +errors will remain queued until another error is found and the workqueue +is triggered. + +Call mce_schedule_work() at the end of mce_restart() so that queued +errors are processed. + +Fixes: 3bff147b187d ("x86/mce: Defer processing of early errors") +Signed-off-by: Yazen Ghannam +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Tony Luck +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230301221420.2203184-1-yazen.ghannam@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/mce/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kernel/cpu/mce/core.c ++++ b/arch/x86/kernel/cpu/mce/core.c +@@ -2302,6 +2302,7 @@ static void mce_restart(void) + { + mce_timer_delete_all(); + on_each_cpu(mce_cpu_restart, NULL, 1); ++ mce_schedule_work(); + } + + /* Toggle features for corrected errors */ diff --git a/queue-5.15/x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch b/queue-5.15/x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch new file mode 100644 index 00000000000..d93bd736b21 --- /dev/null +++ b/queue-5.15/x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch @@ -0,0 +1,40 @@ +From cbebd68f59f03633469f3ecf9bea99cd6cce3854 Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Mon, 6 Mar 2023 08:06:56 -0800 +Subject: x86/mm: Fix use of uninitialized buffer in sme_enable() + +From: Nikita Zhandarovich + +commit cbebd68f59f03633469f3ecf9bea99cd6cce3854 upstream. + +cmdline_find_option() may fail before doing any initialization of +the buffer array. This may lead to unpredictable results when the same +buffer is used later in calls to strncmp() function. Fix the issue by +returning early if cmdline_find_option() returns an error. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: aca20d546214 ("x86/mm: Add support to make use of Secure Memory Encryption") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Tom Lendacky +Cc: +Link: https://lore.kernel.org/r/20230306160656.14844-1-n.zhandarovich@fintech.ru +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/mem_encrypt_identity.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/mm/mem_encrypt_identity.c ++++ b/arch/x86/mm/mem_encrypt_identity.c +@@ -585,7 +585,8 @@ void __init sme_enable(struct boot_param + cmdline_ptr = (const char *)((u64)bp->hdr.cmd_line_ptr | + ((u64)bp->ext_cmd_line_ptr << 32)); + +- cmdline_find_option(cmdline_ptr, cmdline_arg, buffer, sizeof(buffer)); ++ if (cmdline_find_option(cmdline_ptr, cmdline_arg, buffer, sizeof(buffer)) < 0) ++ return; + + if (!strncmp(buffer, cmdline_on, sizeof(buffer))) + sme_me_mask = me_mask; diff --git a/queue-5.15/x86-resctrl-clear-staged_config-before-and-after-it-is-used.patch b/queue-5.15/x86-resctrl-clear-staged_config-before-and-after-it-is-used.patch new file mode 100644 index 00000000000..12ab91a3d4e --- /dev/null +++ b/queue-5.15/x86-resctrl-clear-staged_config-before-and-after-it-is-used.patch @@ -0,0 +1,165 @@ +From 0424a7dfe9129b93f29b277511a60e87f052ac6b Mon Sep 17 00:00:00 2001 +From: Shawn Wang +Date: Tue, 17 Jan 2023 13:14:50 -0800 +Subject: x86/resctrl: Clear staged_config[] before and after it is used + +From: Shawn Wang + +commit 0424a7dfe9129b93f29b277511a60e87f052ac6b upstream. + +As a temporary storage, staged_config[] in rdt_domain should be cleared +before and after it is used. The stale value in staged_config[] could +cause an MSR access error. + +Here is a reproducer on a system with 16 usable CLOSIDs for a 15-way L3 +Cache (MBA should be disabled if the number of CLOSIDs for MB is less than +16.) : + mount -t resctrl resctrl -o cdp /sys/fs/resctrl + mkdir /sys/fs/resctrl/p{1..7} + umount /sys/fs/resctrl/ + mount -t resctrl resctrl /sys/fs/resctrl + mkdir /sys/fs/resctrl/p{1..8} + +An error occurs when creating resource group named p8: + unchecked MSR access error: WRMSR to 0xca0 (tried to write 0x00000000000007ff) at rIP: 0xffffffff82249142 (cat_wrmsr+0x32/0x60) + Call Trace: + + __flush_smp_call_function_queue+0x11d/0x170 + __sysvec_call_function+0x24/0xd0 + sysvec_call_function+0x89/0xc0 + + + asm_sysvec_call_function+0x16/0x20 + +When creating a new resource control group, hardware will be configured +by the following process: + rdtgroup_mkdir() + rdtgroup_mkdir_ctrl_mon() + rdtgroup_init_alloc() + resctrl_arch_update_domains() + +resctrl_arch_update_domains() iterates and updates all resctrl_conf_type +whose have_new_ctrl is true. Since staged_config[] holds the same values as +when CDP was enabled, it will continue to update the CDP_CODE and CDP_DATA +configurations. When group p8 is created, get_config_index() called in +resctrl_arch_update_domains() will return 16 and 17 as the CLOSIDs for +CDP_CODE and CDP_DATA, which will be translated to an invalid register - +0xca0 in this scenario. + +Fix it by clearing staged_config[] before and after it is used. + +[reinette: re-order commit tags] + +Fixes: 75408e43509e ("x86/resctrl: Allow different CODE/DATA configurations to be staged") +Suggested-by: Xin Hao +Signed-off-by: Shawn Wang +Signed-off-by: Reinette Chatre +Signed-off-by: Dave Hansen +Tested-by: Reinette Chatre +Cc:stable@vger.kernel.org +Link: https://lore.kernel.org/all/2fad13f49fbe89687fc40e9a5a61f23a28d1507a.1673988935.git.reinette.chatre%40intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 7 ++----- + arch/x86/kernel/cpu/resctrl/internal.h | 1 + + arch/x86/kernel/cpu/resctrl/rdtgroup.c | 25 +++++++++++++++++++++---- + 3 files changed, 24 insertions(+), 9 deletions(-) + +--- a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c ++++ b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c +@@ -353,7 +353,6 @@ ssize_t rdtgroup_schemata_write(struct k + { + struct resctrl_schema *s; + struct rdtgroup *rdtgrp; +- struct rdt_domain *dom; + struct rdt_resource *r; + char *tok, *resname; + int ret = 0; +@@ -382,10 +381,7 @@ ssize_t rdtgroup_schemata_write(struct k + goto out; + } + +- list_for_each_entry(s, &resctrl_schema_all, list) { +- list_for_each_entry(dom, &s->res->domains, list) +- memset(dom->staged_config, 0, sizeof(dom->staged_config)); +- } ++ rdt_staged_configs_clear(); + + while ((tok = strsep(&buf, "\n")) != NULL) { + resname = strim(strsep(&tok, ":")); +@@ -422,6 +418,7 @@ ssize_t rdtgroup_schemata_write(struct k + } + + out: ++ rdt_staged_configs_clear(); + rdtgroup_kn_unlock(of->kn); + cpus_read_unlock(); + return ret ?: nbytes; +--- a/arch/x86/kernel/cpu/resctrl/internal.h ++++ b/arch/x86/kernel/cpu/resctrl/internal.h +@@ -550,5 +550,6 @@ bool has_busy_rmid(struct rdt_resource * + void __check_limbo(struct rdt_domain *d, bool force_free); + void rdt_domain_reconfigure_cdp(struct rdt_resource *r); + void __init thread_throttle_mode_init(void); ++void rdt_staged_configs_clear(void); + + #endif /* _ASM_X86_RESCTRL_INTERNAL_H */ +--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c ++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +@@ -78,6 +78,19 @@ void rdt_last_cmd_printf(const char *fmt + va_end(ap); + } + ++void rdt_staged_configs_clear(void) ++{ ++ struct rdt_resource *r; ++ struct rdt_domain *dom; ++ ++ lockdep_assert_held(&rdtgroup_mutex); ++ ++ for_each_alloc_capable_rdt_resource(r) { ++ list_for_each_entry(dom, &r->domains, list) ++ memset(dom->staged_config, 0, sizeof(dom->staged_config)); ++ } ++} ++ + /* + * Trivial allocator for CLOSIDs. Since h/w only supports a small number, + * we can keep a bitmap of free CLOSIDs in a single integer. +@@ -2813,7 +2826,9 @@ static int rdtgroup_init_alloc(struct rd + { + struct resctrl_schema *s; + struct rdt_resource *r; +- int ret; ++ int ret = 0; ++ ++ rdt_staged_configs_clear(); + + list_for_each_entry(s, &resctrl_schema_all, list) { + r = s->res; +@@ -2822,20 +2837,22 @@ static int rdtgroup_init_alloc(struct rd + } else { + ret = rdtgroup_init_cat(s, rdtgrp->closid); + if (ret < 0) +- return ret; ++ goto out; + } + + ret = resctrl_arch_update_domains(r, rdtgrp->closid); + if (ret < 0) { + rdt_last_cmd_puts("Failed to initialize allocations\n"); +- return ret; ++ goto out; + } + + } + + rdtgrp->mode = RDT_MODE_SHAREABLE; + +- return 0; ++out: ++ rdt_staged_configs_clear(); ++ return ret; + } + + static int mkdir_rdt_prepare(struct kernfs_node *parent_kn, -- 2.47.3