From e7f4930bdb4e2b7031aa25cd58389b2d5ce0bd0f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 14 Jan 2023 11:02:13 +0100 Subject: [PATCH] 5.10-stable patches added patches: alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch docs-fix-the-docs-build-with-sphinx-6.0.patch efi-tpm-avoid-read_once-for-accessing-the-event-log.patch kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch s390-kexec-fix-ipl-report-address-for-kdump.patch s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch series --- ...te-leds-on-hp-spectre-x360-13-aw0xxx.patch | 82 +++++ ...-fix-fallback-sd-line-index-handling.patch | 45 +++ ...s-fix-the-docs-build-with-sphinx-6.0.patch | 49 +++ ...ead_once-for-accessing-the-event-log.patch | 51 +++ ...64-fix-s1ptw-handling-on-ro-memslots.patch | 81 ++++ ...etics-when-fetching-vlan-header-bits.patch | 37 ++ ...ss-filter-duplicate-symbol-selection.patch | 104 ++++++ ...-semantics-to-compare-and-swap-loops.patch | 345 ++++++++++++++++++ ...xec-fix-ipl-report-address-for-kdump.patch | 60 +++ ...d_once-to-arch_this_cpu_to_op_simple.patch | 32 ++ queue-5.10/series | 10 + 11 files changed, 896 insertions(+) create mode 100644 queue-5.10/alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch create mode 100644 queue-5.10/asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch create mode 100644 queue-5.10/docs-fix-the-docs-build-with-sphinx-6.0.patch create mode 100644 queue-5.10/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch create mode 100644 queue-5.10/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch create mode 100644 queue-5.10/netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch create mode 100644 queue-5.10/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch create mode 100644 queue-5.10/s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch create mode 100644 queue-5.10/s390-kexec-fix-ipl-report-address-for-kdump.patch create mode 100644 queue-5.10/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch create mode 100644 queue-5.10/series diff --git a/queue-5.10/alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch b/queue-5.10/alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch new file mode 100644 index 00000000000..c9c23a68d66 --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch @@ -0,0 +1,82 @@ +From ca88eeb308a221c2dcd4a64031d2e5fcd3db9eaa Mon Sep 17 00:00:00 2001 +From: Luka Guzenko +Date: Tue, 10 Jan 2023 21:25:14 +0100 +Subject: ALSA: hda/realtek: Enable mute/micmute LEDs on HP Spectre x360 13-aw0xxx + +From: Luka Guzenko + +commit ca88eeb308a221c2dcd4a64031d2e5fcd3db9eaa upstream. + +The HP Spectre x360 13-aw0xxx devices use the ALC285 codec with GPIO 0x04 +controlling the micmute LED and COEF 0x0b index 8 controlling the mute LED. +A quirk was added to make these work as well as a fixup. + +Signed-off-by: Luka Guzenko +Cc: +Link: https://lore.kernel.org/r/20230110202514.2792-1-l.guzenko@web.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4581,6 +4581,16 @@ static void alc285_fixup_hp_coef_micmute + } + } + ++static void alc285_fixup_hp_gpio_micmute_led(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) ++ spec->micmute_led_polarity = 1; ++ alc_fixup_hp_gpio_led(codec, action, 0, 0x04); ++} ++ + static void alc236_fixup_hp_coef_micmute_led(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +@@ -4602,6 +4612,13 @@ static void alc285_fixup_hp_mute_led(str + alc285_fixup_hp_coef_micmute_led(codec, fix, action); + } + ++static void alc285_fixup_hp_spectre_x360_mute_led(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ alc285_fixup_hp_mute_led_coefbit(codec, fix, action); ++ alc285_fixup_hp_gpio_micmute_led(codec, fix, action); ++} ++ + static void alc236_fixup_hp_mute_led(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +@@ -6856,6 +6873,7 @@ enum { + ALC285_FIXUP_ASUS_G533Z_PINS, + ALC285_FIXUP_HP_GPIO_LED, + ALC285_FIXUP_HP_MUTE_LED, ++ ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED, + ALC236_FIXUP_HP_GPIO_LED, + ALC236_FIXUP_HP_MUTE_LED, + ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF, +@@ -8224,6 +8242,10 @@ static const struct hda_fixup alc269_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc285_fixup_hp_mute_led, + }, ++ [ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc285_fixup_hp_spectre_x360_mute_led, ++ }, + [ALC236_FIXUP_HP_GPIO_LED] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc236_fixup_hp_gpio_led, +@@ -8936,6 +8958,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO), + SND_PCI_QUIRK(0x103c, 0x86e7, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1), + SND_PCI_QUIRK(0x103c, 0x86e8, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1), ++ SND_PCI_QUIRK(0x103c, 0x86f9, "HP Spectre x360 13-aw0xxx", ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED), diff --git a/queue-5.10/asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch b/queue-5.10/asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch new file mode 100644 index 00000000000..3599a72558f --- /dev/null +++ b/queue-5.10/asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch @@ -0,0 +1,45 @@ +From 000bca8d706d1bf7cca01af75787247c5a2fdedf Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Fri, 30 Dec 2022 22:15:45 -0800 +Subject: ASoC: qcom: lpass-cpu: Fix fallback SD line index handling + +From: Brian Norris + +commit 000bca8d706d1bf7cca01af75787247c5a2fdedf upstream. + +These indices should reference the ID placed within the dai_driver +array, not the indices of the array itself. + +This fixes commit 4ff028f6c108 ("ASoC: qcom: lpass-cpu: Make I2S SD +lines configurable"), which among others, broke IPQ8064 audio +(sound/soc/qcom/lpass-ipq806x.c) because it uses ID 4 but we'd stop +initializing the mi2s_playback_sd_mode and mi2s_capture_sd_mode arrays +at ID 0. + +Fixes: 4ff028f6c108 ("ASoC: qcom: lpass-cpu: Make I2S SD lines configurable") +Cc: +Signed-off-by: Brian Norris +Reviewed-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20221231061545.2110253-1-computersforpeace@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/lpass-cpu.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/sound/soc/qcom/lpass-cpu.c ++++ b/sound/soc/qcom/lpass-cpu.c +@@ -816,10 +816,11 @@ static void of_lpass_cpu_parse_dai_data( + struct lpass_data *data) + { + struct device_node *node; +- int ret, id; ++ int ret, i, id; + + /* Allow all channels by default for backwards compatibility */ +- for (id = 0; id < data->variant->num_dai; id++) { ++ for (i = 0; i < data->variant->num_dai; i++) { ++ id = data->variant->dai_driver[i].id; + data->mi2s_playback_sd_mode[id] = LPAIF_I2SCTL_MODE_8CH; + data->mi2s_capture_sd_mode[id] = LPAIF_I2SCTL_MODE_8CH; + } diff --git a/queue-5.10/docs-fix-the-docs-build-with-sphinx-6.0.patch b/queue-5.10/docs-fix-the-docs-build-with-sphinx-6.0.patch new file mode 100644 index 00000000000..923ca1ed57f --- /dev/null +++ b/queue-5.10/docs-fix-the-docs-build-with-sphinx-6.0.patch @@ -0,0 +1,49 @@ +From 0283189e8f3d0917e2ac399688df85211f48447b Mon Sep 17 00:00:00 2001 +From: Jonathan Corbet +Date: Wed, 4 Jan 2023 10:47:39 -0700 +Subject: docs: Fix the docs build with Sphinx 6.0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Corbet + +commit 0283189e8f3d0917e2ac399688df85211f48447b upstream. + +Sphinx 6.0 removed the execfile_() function, which we use as part of the +configuration process. They *did* warn us... Just open-code the +functionality as is done in Sphinx itself. + +Tested (using SPHINX_CONF, since this code is only executed with an +alternative config file) on various Sphinx versions from 2.5 through 6.0. + +Reported-by: Martin Liška +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Corbet +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/sphinx/load_config.py | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/Documentation/sphinx/load_config.py ++++ b/Documentation/sphinx/load_config.py +@@ -3,7 +3,7 @@ + + import os + import sys +-from sphinx.util.pycompat import execfile_ ++from sphinx.util.osutil import fs_encoding + + # ------------------------------------------------------------------------------ + def loadConfig(namespace): +@@ -48,7 +48,9 @@ def loadConfig(namespace): + sys.stdout.write("load additional sphinx-config: %s\n" % config_file) + config = namespace.copy() + config['__file__'] = config_file +- execfile_(config_file, config) ++ with open(config_file, 'rb') as f: ++ code = compile(f.read(), fs_encoding, 'exec') ++ exec(code, config) + del config['__file__'] + namespace.update(config) + else: diff --git a/queue-5.10/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch b/queue-5.10/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch new file mode 100644 index 00000000000..48f04e9414d --- /dev/null +++ b/queue-5.10/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch @@ -0,0 +1,51 @@ +From d3f450533bbcb6dd4d7d59cadc9b61b7321e4ac1 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Mon, 9 Jan 2023 10:44:31 +0100 +Subject: efi: tpm: Avoid READ_ONCE() for accessing the event log + +From: Ard Biesheuvel + +commit d3f450533bbcb6dd4d7d59cadc9b61b7321e4ac1 upstream. + +Nathan reports that recent kernels built with LTO will crash when doing +EFI boot using Fedora's GRUB and SHIM. The culprit turns out to be a +misaligned load from the TPM event log, which is annotated with +READ_ONCE(), and under LTO, this gets translated into a LDAR instruction +which does not tolerate misaligned accesses. + +Interestingly, this does not happen when booting the same kernel +straight from the UEFI shell, and so the fact that the event log may +appear misaligned in memory may be caused by a bug in GRUB or SHIM. + +However, using READ_ONCE() to access firmware tables is slightly unusual +in any case, and here, we only need to ensure that 'event' is not +dereferenced again after it gets unmapped, but this is already taken +care of by the implicit barrier() semantics of the early_memunmap() +call. + +Cc: +Cc: Peter Jones +Cc: Jarkko Sakkinen +Cc: Matthew Garrett +Reported-by: Nathan Chancellor +Tested-by: Nathan Chancellor +Link: https://github.com/ClangBuiltLinux/linux/issues/1782 +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/tpm_eventlog.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/tpm_eventlog.h ++++ b/include/linux/tpm_eventlog.h +@@ -198,8 +198,8 @@ static __always_inline int __calc_tpm2_e + * The loop below will unmap these fields if the log is larger than + * one page, so save them here for reference: + */ +- count = READ_ONCE(event->count); +- event_type = READ_ONCE(event->event_type); ++ count = event->count; ++ event_type = event->event_type; + + /* Verify that it's the log header */ + if (event_header->pcr_idx != 0 || diff --git a/queue-5.10/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch b/queue-5.10/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch new file mode 100644 index 00000000000..7a1e69f72fa --- /dev/null +++ b/queue-5.10/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch @@ -0,0 +1,81 @@ +From 406504c7b0405d74d74c15a667cd4c4620c3e7a9 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 20 Dec 2022 14:03:52 +0000 +Subject: KVM: arm64: Fix S1PTW handling on RO memslots + +From: Marc Zyngier + +commit 406504c7b0405d74d74c15a667cd4c4620c3e7a9 upstream. + +A recent development on the EFI front has resulted in guests having +their page tables baked in the firmware binary, and mapped into the +IPA space as part of a read-only memslot. Not only is this legitimate, +but it also results in added security, so thumbs up. + +It is possible to take an S1PTW translation fault if the S1 PTs are +unmapped at stage-2. However, KVM unconditionally treats S1PTW as a +write to correctly handle hardware AF/DB updates to the S1 PTs. +Furthermore, KVM injects an exception into the guest for S1PTW writes. +In the aforementioned case this results in the guest taking an abort +it won't recover from, as the S1 PTs mapping the vectors suffer from +the same problem. + +So clearly our handling is... wrong. + +Instead, switch to a two-pronged approach: + +- On S1PTW translation fault, handle the fault as a read + +- On S1PTW permission fault, handle the fault as a write + +This is of no consequence to SW that *writes* to its PTs (the write +will trigger a non-S1PTW fault), and SW that uses RO PTs will not +use HW-assisted AF/DB anyway, as that'd be wrong. + +Only in the case described in c4ad98e4b72c ("KVM: arm64: Assume write +fault on S1PTW permission fault on instruction fetch") do we end-up +with two back-to-back faults (page being evicted and faulted back). +I don't think this is a case worth optimising for. + +Fixes: c4ad98e4b72c ("KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch") +Reviewed-by: Oliver Upton +Reviewed-by: Ard Biesheuvel +Regression-tested-by: Ard Biesheuvel +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/kvm_emulate.h | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +--- a/arch/arm64/include/asm/kvm_emulate.h ++++ b/arch/arm64/include/asm/kvm_emulate.h +@@ -382,8 +382,26 @@ static __always_inline int kvm_vcpu_sys_ + + static inline bool kvm_is_write_fault(struct kvm_vcpu *vcpu) + { +- if (kvm_vcpu_abt_iss1tw(vcpu)) +- return true; ++ if (kvm_vcpu_abt_iss1tw(vcpu)) { ++ /* ++ * Only a permission fault on a S1PTW should be ++ * considered as a write. Otherwise, page tables baked ++ * in a read-only memslot will result in an exception ++ * being delivered in the guest. ++ * ++ * The drawback is that we end-up faulting twice if the ++ * guest is using any of HW AF/DB: a translation fault ++ * to map the page containing the PT (read only at ++ * first), then a permission fault to allow the flags ++ * to be set. ++ */ ++ switch (kvm_vcpu_trap_get_fault_type(vcpu)) { ++ case ESR_ELx_FSC_PERM: ++ return true; ++ default: ++ return false; ++ } ++ } + + if (kvm_vcpu_trap_is_iabt(vcpu)) + return false; diff --git a/queue-5.10/netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch b/queue-5.10/netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch new file mode 100644 index 00000000000..5f6133e63c3 --- /dev/null +++ b/queue-5.10/netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch @@ -0,0 +1,37 @@ +From 696e1a48b1a1b01edad542a1ef293665864a4dd0 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Wed, 11 Jan 2023 17:07:33 +0100 +Subject: netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits + +From: Pablo Neira Ayuso + +commit 696e1a48b1a1b01edad542a1ef293665864a4dd0 upstream. + +If the offset + length goes over the ethernet + vlan header, then the +length is adjusted to copy the bytes that are within the boundaries of +the vlan_ethhdr scratchpad area. The remaining bytes beyond ethernet + +vlan header are copied directly from the skbuff data area. + +Fix incorrect arithmetic operator: subtract, not add, the size of the +vlan header in case of double-tagged packets to adjust the length +accordingly to address CVE-2023-0179. + +Reported-by: Davide Ornaghi +Fixes: f6ae9f120dad ("netfilter: nft_payload: add C-VLAN support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_payload.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nft_payload.c ++++ b/net/netfilter/nft_payload.c +@@ -62,7 +62,7 @@ nft_payload_copy_vlan(u32 *d, const stru + return false; + + if (offset + len > VLAN_ETH_HLEN + vlan_hlen) +- ethlen -= offset + len - VLAN_ETH_HLEN + vlan_hlen; ++ ethlen -= offset + len - VLAN_ETH_HLEN - vlan_hlen; + + memcpy(dst_u8, vlanh + offset - vlan_hlen, ethlen); + diff --git a/queue-5.10/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch b/queue-5.10/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch new file mode 100644 index 00000000000..1384fa15ce2 --- /dev/null +++ b/queue-5.10/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch @@ -0,0 +1,104 @@ +From cf129830ee820f7fc90b98df193cd49d49344d09 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Tue, 10 Jan 2023 20:56:59 +0200 +Subject: perf auxtrace: Fix address filter duplicate symbol selection + +From: Adrian Hunter + +commit cf129830ee820f7fc90b98df193cd49d49344d09 upstream. + +When a match has been made to the nth duplicate symbol, return +success not error. + +Example: + + Before: + + $ cat file.c + cat: file.c: No such file or directory + $ cat file1.c + #include + + static void func(void) + { + printf("First func\n"); + } + + void other(void); + + int main() + { + func(); + other(); + return 0; + } + $ cat file2.c + #include + + static void func(void) + { + printf("Second func\n"); + } + + void other(void) + { + func(); + } + + $ gcc -Wall -Wextra -o test file1.c file2.c + $ perf record -e intel_pt//u --filter 'filter func @ ./test' -- ./test + Multiple symbols with name 'func' + #1 0x1149 l func + which is near main + #2 0x1179 l func + which is near other + Disambiguate symbol name by inserting #n after the name e.g. func #2 + Or select a global symbol by inserting #0 or #g or #G + Failed to parse address filter: 'filter func @ ./test' + Filter format is: filter|start|stop|tracestop [/ ] [@] + Where multiple filters are separated by space or comma. + $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test + Failed to parse address filter: 'filter func #2 @ ./test' + Filter format is: filter|start|stop|tracestop [/ ] [@] + Where multiple filters are separated by space or comma. + + After: + + $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test + First func + Second func + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.016 MB perf.data ] + $ perf script --itrace=b -Ftime,flags,ip,sym,addr --ns + 1231062.526977619: tr strt 0 [unknown] => 558495708179 func + 1231062.526977619: tr end call 558495708188 func => 558495708050 _init + 1231062.526979286: tr strt 0 [unknown] => 55849570818d func + 1231062.526979286: tr end return 55849570818f func => 55849570819d other + +Fixes: 1b36c03e356936d6 ("perf record: Add support for using symbols in address filters") +Reported-by: Dmitrii Dolgov <9erthalion6@gmail.com> +Signed-off-by: Adrian Hunter +Tested-by: Dmitry Dolgov <9erthalion6@gmail.com> +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230110185659.15979-1-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/auxtrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/util/auxtrace.c ++++ b/tools/perf/util/auxtrace.c +@@ -2449,7 +2449,7 @@ static int find_dso_sym(struct dso *dso, + *size = sym->start - *start; + if (idx > 0) { + if (*size) +- return 1; ++ return 0; + } else if (dso_sym_match(sym, sym_name, &cnt, idx)) { + print_duplicate_syms(dso, sym_name); + return -EINVAL; diff --git a/queue-5.10/s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch b/queue-5.10/s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch new file mode 100644 index 00000000000..01f56be151a --- /dev/null +++ b/queue-5.10/s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch @@ -0,0 +1,345 @@ +From 82d3edb50a11bf3c5ef63294d5358ba230181413 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Thu, 5 Jan 2023 15:44:20 +0100 +Subject: s390/cpum_sf: add READ_ONCE() semantics to compare and swap loops + +From: Heiko Carstens + +commit 82d3edb50a11bf3c5ef63294d5358ba230181413 upstream. + +The current cmpxchg_double() loops within the perf hw sampling code do not +have READ_ONCE() semantics to read the old value from memory. This allows +the compiler to generate code which reads the "old" value several times +from memory, which again allows for inconsistencies. + +For example: + + /* Reset trailer (using compare-double-and-swap) */ + do { + te_flags = te->flags & ~SDB_TE_BUFFER_FULL_MASK; + te_flags |= SDB_TE_ALERT_REQ_MASK; + } while (!cmpxchg_double(&te->flags, &te->overflow, + te->flags, te->overflow, + te_flags, 0ULL)); + +The compiler could generate code where te->flags used within the +cmpxchg_double() call may be refetched from memory and which is not +necessarily identical to the previous read version which was used to +generate te_flags. Which in turn means that an incorrect update could +happen. + +Fix this by adding READ_ONCE() semantics to all cmpxchg_double() +loops. Given that READ_ONCE() cannot generate code on s390 which atomically +reads 16 bytes, use a private compare-and-swap-double implementation to +achieve that. + +Also replace cmpxchg_double() with the private implementation to be able to +re-use the old value within the loops. + +As a side effect this converts the whole code to only use bit fields +to read and modify bits within the hws trailer header. + +Reported-by: Alexander Gordeev +Acked-by: Alexander Gordeev +Acked-by: Hendrik Brueckner +Reviewed-by: Thomas Richter +Cc: +Link: https://lore.kernel.org/linux-s390/Y71QJBhNTIatvxUT@osiris/T/#ma14e2a5f7aa8ed4b94b6f9576799b3ad9c60f333 +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/cpu_mf.h | 31 +++++------- + arch/s390/kernel/perf_cpum_sf.c | 101 ++++++++++++++++++++++++---------------- + 2 files changed, 77 insertions(+), 55 deletions(-) + +--- a/arch/s390/include/asm/cpu_mf.h ++++ b/arch/s390/include/asm/cpu_mf.h +@@ -128,19 +128,21 @@ struct hws_combined_entry { + struct hws_diag_entry diag; /* Diagnostic-sampling data entry */ + } __packed; + +-struct hws_trailer_entry { +- union { +- struct { +- unsigned int f:1; /* 0 - Block Full Indicator */ +- unsigned int a:1; /* 1 - Alert request control */ +- unsigned int t:1; /* 2 - Timestamp format */ +- unsigned int :29; /* 3 - 31: Reserved */ +- unsigned int bsdes:16; /* 32-47: size of basic SDE */ +- unsigned int dsdes:16; /* 48-63: size of diagnostic SDE */ +- }; +- unsigned long long flags; /* 0 - 63: All indicators */ ++union hws_trailer_header { ++ struct { ++ unsigned int f:1; /* 0 - Block Full Indicator */ ++ unsigned int a:1; /* 1 - Alert request control */ ++ unsigned int t:1; /* 2 - Timestamp format */ ++ unsigned int :29; /* 3 - 31: Reserved */ ++ unsigned int bsdes:16; /* 32-47: size of basic SDE */ ++ unsigned int dsdes:16; /* 48-63: size of diagnostic SDE */ ++ unsigned long long overflow; /* 64 - Overflow Count */ + }; +- unsigned long long overflow; /* 64 - sample Overflow count */ ++ __uint128_t val; ++}; ++ ++struct hws_trailer_entry { ++ union hws_trailer_header header; /* 0 - 15 Flags + Overflow Count */ + unsigned char timestamp[16]; /* 16 - 31 timestamp */ + unsigned long long reserved1; /* 32 -Reserved */ + unsigned long long reserved2; /* */ +@@ -287,14 +289,11 @@ static inline unsigned long sample_rate_ + return USEC_PER_SEC * qsi->cpu_speed / rate; + } + +-#define SDB_TE_ALERT_REQ_MASK 0x4000000000000000UL +-#define SDB_TE_BUFFER_FULL_MASK 0x8000000000000000UL +- + /* Return TOD timestamp contained in an trailer entry */ + static inline unsigned long long trailer_timestamp(struct hws_trailer_entry *te) + { + /* TOD in STCKE format */ +- if (te->t) ++ if (te->header.t) + return *((unsigned long long *) &te->timestamp[1]); + + /* TOD in STCK format */ +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -163,14 +163,15 @@ static void free_sampling_buffer(struct + + static int alloc_sample_data_block(unsigned long *sdbt, gfp_t gfp_flags) + { +- unsigned long sdb, *trailer; ++ struct hws_trailer_entry *te; ++ unsigned long sdb; + + /* Allocate and initialize sample-data-block */ + sdb = get_zeroed_page(gfp_flags); + if (!sdb) + return -ENOMEM; +- trailer = trailer_entry_ptr(sdb); +- *trailer = SDB_TE_ALERT_REQ_MASK; ++ te = (struct hws_trailer_entry *)trailer_entry_ptr(sdb); ++ te->header.a = 1; + + /* Link SDB into the sample-data-block-table */ + *sdbt = sdb; +@@ -1206,7 +1207,7 @@ static void hw_collect_samples(struct pe + "%s: Found unknown" + " sampling data entry: te->f %i" + " basic.def %#4x (%p)\n", __func__, +- te->f, sample->def, sample); ++ te->header.f, sample->def, sample); + /* Sample slot is not yet written or other record. + * + * This condition can occur if the buffer was reused +@@ -1217,7 +1218,7 @@ static void hw_collect_samples(struct pe + * that are not full. Stop processing if the first + * invalid format was detected. + */ +- if (!te->f) ++ if (!te->header.f) + break; + } + +@@ -1227,6 +1228,16 @@ static void hw_collect_samples(struct pe + } + } + ++static inline __uint128_t __cdsg(__uint128_t *ptr, __uint128_t old, __uint128_t new) ++{ ++ asm volatile( ++ " cdsg %[old],%[new],%[ptr]\n" ++ : [old] "+d" (old), [ptr] "+QS" (*ptr) ++ : [new] "d" (new) ++ : "memory", "cc"); ++ return old; ++} ++ + /* hw_perf_event_update() - Process sampling buffer + * @event: The perf event + * @flush_all: Flag to also flush partially filled sample-data-blocks +@@ -1243,10 +1254,11 @@ static void hw_collect_samples(struct pe + */ + static void hw_perf_event_update(struct perf_event *event, int flush_all) + { ++ unsigned long long event_overflow, sampl_overflow, num_sdb; ++ union hws_trailer_header old, prev, new; + struct hw_perf_event *hwc = &event->hw; + struct hws_trailer_entry *te; + unsigned long *sdbt; +- unsigned long long event_overflow, sampl_overflow, num_sdb, te_flags; + int done; + + /* +@@ -1266,25 +1278,25 @@ static void hw_perf_event_update(struct + te = (struct hws_trailer_entry *) trailer_entry_ptr(*sdbt); + + /* Leave loop if no more work to do (block full indicator) */ +- if (!te->f) { ++ if (!te->header.f) { + done = 1; + if (!flush_all) + break; + } + + /* Check the sample overflow count */ +- if (te->overflow) ++ if (te->header.overflow) + /* Account sample overflows and, if a particular limit + * is reached, extend the sampling buffer. + * For details, see sfb_account_overflows(). + */ +- sampl_overflow += te->overflow; ++ sampl_overflow += te->header.overflow; + + /* Timestamps are valid for full sample-data-blocks only */ + debug_sprintf_event(sfdbg, 6, "%s: sdbt %#lx " + "overflow %llu timestamp %#llx\n", +- __func__, (unsigned long)sdbt, te->overflow, +- (te->f) ? trailer_timestamp(te) : 0ULL); ++ __func__, (unsigned long)sdbt, te->header.overflow, ++ (te->header.f) ? trailer_timestamp(te) : 0ULL); + + /* Collect all samples from a single sample-data-block and + * flag if an (perf) event overflow happened. If so, the PMU +@@ -1294,12 +1306,16 @@ static void hw_perf_event_update(struct + num_sdb++; + + /* Reset trailer (using compare-double-and-swap) */ ++ /* READ_ONCE() 16 byte header */ ++ prev.val = __cdsg(&te->header.val, 0, 0); + do { +- te_flags = te->flags & ~SDB_TE_BUFFER_FULL_MASK; +- te_flags |= SDB_TE_ALERT_REQ_MASK; +- } while (!cmpxchg_double(&te->flags, &te->overflow, +- te->flags, te->overflow, +- te_flags, 0ULL)); ++ old.val = prev.val; ++ new.val = prev.val; ++ new.f = 0; ++ new.a = 1; ++ new.overflow = 0; ++ prev.val = __cdsg(&te->header.val, old.val, new.val); ++ } while (prev.val != old.val); + + /* Advance to next sample-data-block */ + sdbt++; +@@ -1384,7 +1400,7 @@ static void aux_output_end(struct perf_o + range_scan = AUX_SDB_NUM_ALERT(aux); + for (i = 0, idx = aux->head; i < range_scan; i++, idx++) { + te = aux_sdb_trailer(aux, idx); +- if (!(te->flags & SDB_TE_BUFFER_FULL_MASK)) ++ if (!te->header.f) + break; + } + /* i is num of SDBs which are full */ +@@ -1392,7 +1408,7 @@ static void aux_output_end(struct perf_o + + /* Remove alert indicators in the buffer */ + te = aux_sdb_trailer(aux, aux->alert_mark); +- te->flags &= ~SDB_TE_ALERT_REQ_MASK; ++ te->header.a = 0; + + debug_sprintf_event(sfdbg, 6, "%s: SDBs %ld range %ld head %ld\n", + __func__, i, range_scan, aux->head); +@@ -1437,9 +1453,9 @@ static int aux_output_begin(struct perf_ + idx = aux->empty_mark + 1; + for (i = 0; i < range_scan; i++, idx++) { + te = aux_sdb_trailer(aux, idx); +- te->flags &= ~(SDB_TE_BUFFER_FULL_MASK | +- SDB_TE_ALERT_REQ_MASK); +- te->overflow = 0; ++ te->header.f = 0; ++ te->header.a = 0; ++ te->header.overflow = 0; + } + /* Save the position of empty SDBs */ + aux->empty_mark = aux->head + range - 1; +@@ -1448,7 +1464,7 @@ static int aux_output_begin(struct perf_ + /* Set alert indicator */ + aux->alert_mark = aux->head + range/2 - 1; + te = aux_sdb_trailer(aux, aux->alert_mark); +- te->flags = te->flags | SDB_TE_ALERT_REQ_MASK; ++ te->header.a = 1; + + /* Reset hardware buffer head */ + head = AUX_SDB_INDEX(aux, aux->head); +@@ -1475,14 +1491,17 @@ static int aux_output_begin(struct perf_ + static bool aux_set_alert(struct aux_buffer *aux, unsigned long alert_index, + unsigned long long *overflow) + { +- unsigned long long orig_overflow, orig_flags, new_flags; ++ union hws_trailer_header old, prev, new; + struct hws_trailer_entry *te; + + te = aux_sdb_trailer(aux, alert_index); ++ /* READ_ONCE() 16 byte header */ ++ prev.val = __cdsg(&te->header.val, 0, 0); + do { +- orig_flags = te->flags; +- *overflow = orig_overflow = te->overflow; +- if (orig_flags & SDB_TE_BUFFER_FULL_MASK) { ++ old.val = prev.val; ++ new.val = prev.val; ++ *overflow = old.overflow; ++ if (old.f) { + /* + * SDB is already set by hardware. + * Abort and try to set somewhere +@@ -1490,10 +1509,10 @@ static bool aux_set_alert(struct aux_buf + */ + return false; + } +- new_flags = orig_flags | SDB_TE_ALERT_REQ_MASK; +- } while (!cmpxchg_double(&te->flags, &te->overflow, +- orig_flags, orig_overflow, +- new_flags, 0ULL)); ++ new.a = 1; ++ new.overflow = 0; ++ prev.val = __cdsg(&te->header.val, old.val, new.val); ++ } while (prev.val != old.val); + return true; + } + +@@ -1522,8 +1541,9 @@ static bool aux_set_alert(struct aux_buf + static bool aux_reset_buffer(struct aux_buffer *aux, unsigned long range, + unsigned long long *overflow) + { +- unsigned long long orig_overflow, orig_flags, new_flags; + unsigned long i, range_scan, idx, idx_old; ++ union hws_trailer_header old, prev, new; ++ unsigned long long orig_overflow; + struct hws_trailer_entry *te; + + debug_sprintf_event(sfdbg, 6, "%s: range %ld head %ld alert %ld " +@@ -1554,17 +1574,20 @@ static bool aux_reset_buffer(struct aux_ + idx_old = idx = aux->empty_mark + 1; + for (i = 0; i < range_scan; i++, idx++) { + te = aux_sdb_trailer(aux, idx); ++ /* READ_ONCE() 16 byte header */ ++ prev.val = __cdsg(&te->header.val, 0, 0); + do { +- orig_flags = te->flags; +- orig_overflow = te->overflow; +- new_flags = orig_flags & ~SDB_TE_BUFFER_FULL_MASK; ++ old.val = prev.val; ++ new.val = prev.val; ++ orig_overflow = old.overflow; ++ new.f = 0; ++ new.overflow = 0; + if (idx == aux->alert_mark) +- new_flags |= SDB_TE_ALERT_REQ_MASK; ++ new.a = 1; + else +- new_flags &= ~SDB_TE_ALERT_REQ_MASK; +- } while (!cmpxchg_double(&te->flags, &te->overflow, +- orig_flags, orig_overflow, +- new_flags, 0ULL)); ++ new.a = 0; ++ prev.val = __cdsg(&te->header.val, old.val, new.val); ++ } while (prev.val != old.val); + *overflow += orig_overflow; + } + diff --git a/queue-5.10/s390-kexec-fix-ipl-report-address-for-kdump.patch b/queue-5.10/s390-kexec-fix-ipl-report-address-for-kdump.patch new file mode 100644 index 00000000000..ae30475793a --- /dev/null +++ b/queue-5.10/s390-kexec-fix-ipl-report-address-for-kdump.patch @@ -0,0 +1,60 @@ +From c2337a40e04dde1692b5b0a46ecc59f89aaba8a1 Mon Sep 17 00:00:00 2001 +From: Alexander Egorenkov +Date: Mon, 14 Nov 2022 11:40:08 +0100 +Subject: s390/kexec: fix ipl report address for kdump + +From: Alexander Egorenkov + +commit c2337a40e04dde1692b5b0a46ecc59f89aaba8a1 upstream. + +This commit addresses the following erroneous situation with file-based +kdump executed on a system with a valid IPL report. + +On s390, a kdump kernel, its initrd and IPL report if present are loaded +into a special and reserved on boot memory region - crashkernel. When +a system crashes and kdump was activated before, the purgatory code +is entered first which swaps the crashkernel and [0 - crashkernel size] +memory regions. Only after that the kdump kernel is entered. For this +reason, the pointer to an IPL report in lowcore must point to the IPL report +after the swap and not to the address of the IPL report that was located in +crashkernel memory region before the swap. Failing to do so, makes the +kdump's decompressor try to read memory from the crashkernel memory region +which already contains the production's kernel memory. + +The situation described above caused spontaneous kdump failures/hangs +on systems where the Secure IPL is activated because on such systems +an IPL report is always present. In that case kdump's decompressor tried +to parse an IPL report which frequently lead to illegal memory accesses +because an IPL report contains addresses to various data. + +Cc: +Fixes: 99feaa717e55 ("s390/kexec_file: Create ipl report and pass to next kernel") +Reviewed-by: Vasily Gorbik +Signed-off-by: Alexander Egorenkov +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/machine_kexec_file.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/s390/kernel/machine_kexec_file.c ++++ b/arch/s390/kernel/machine_kexec_file.c +@@ -185,8 +185,6 @@ static int kexec_file_add_ipl_report(str + + data->memsz = ALIGN(data->memsz, PAGE_SIZE); + buf.mem = data->memsz; +- if (image->type == KEXEC_TYPE_CRASH) +- buf.mem += crashk_res.start; + + ptr = (void *)ipl_cert_list_addr; + end = ptr + ipl_cert_list_size; +@@ -223,6 +221,9 @@ static int kexec_file_add_ipl_report(str + data->kernel_buf + offsetof(struct lowcore, ipl_parmblock_ptr); + *lc_ipl_parmblock_ptr = (__u32)buf.mem; + ++ if (image->type == KEXEC_TYPE_CRASH) ++ buf.mem += crashk_res.start; ++ + ret = kexec_add_buffer(&buf); + out: + return ret; diff --git a/queue-5.10/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch b/queue-5.10/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch new file mode 100644 index 00000000000..99c0ce2dd33 --- /dev/null +++ b/queue-5.10/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch @@ -0,0 +1,32 @@ +From e3f360db08d55a14112bd27454e616a24296a8b0 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Mon, 9 Jan 2023 11:51:20 +0100 +Subject: s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple() + +From: Heiko Carstens + +commit e3f360db08d55a14112bd27454e616a24296a8b0 upstream. + +Make sure that *ptr__ within arch_this_cpu_to_op_simple() is only +dereferenced once by using READ_ONCE(). Otherwise the compiler could +generate incorrect code. + +Cc: +Reviewed-by: Alexander Gordeev +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/percpu.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/include/asm/percpu.h ++++ b/arch/s390/include/asm/percpu.h +@@ -31,7 +31,7 @@ + pcp_op_T__ *ptr__; \ + preempt_disable_notrace(); \ + ptr__ = raw_cpu_ptr(&(pcp)); \ +- prev__ = *ptr__; \ ++ prev__ = READ_ONCE(*ptr__); \ + do { \ + old__ = prev__; \ + new__ = old__ op (val); \ diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 00000000000..5efc9eb0253 --- /dev/null +++ b/queue-5.10/series @@ -0,0 +1,10 @@ +netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch +alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch +kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch +efi-tpm-avoid-read_once-for-accessing-the-event-log.patch +docs-fix-the-docs-build-with-sphinx-6.0.patch +perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch +s390-kexec-fix-ipl-report-address-for-kdump.patch +asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch +s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch +s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch -- 2.47.3