From faccc3d6f1f324040204cf6acdbef7e38afdb742 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 14 Aug 2022 12:24:21 +0200
Subject: [PATCH] 5.10-stable patches
added patches:
ftrace-x86-add-back-ftrace_expected-assignment.patch
input-gscps2-check-return-value-of-ioremap-in-gscps2_probe.patch
posix-cpu-timers-cleanup-cpu-timers-before-freeing-them-during-exec.patch
x86-bugs-enable-stibp-for-ibpb-mitigated-retbleed.patch
x86-olpc-fix-logical-not-is-only-applied-to-the-left-hand-side.patch
---
...-add-back-ftrace_expected-assignment.patch | 44 +++++++
...urn-value-of-ioremap-in-gscps2_probe.patch | 35 ++++++
...mers-before-freeing-them-during-exec.patch | 47 +++++++
queue-5.10/series | 5 +
...le-stibp-for-ibpb-mitigated-retbleed.patch | 115 ++++++++++++++++++
...s-only-applied-to-the-left-hand-side.patch | 49 ++++++++
6 files changed, 295 insertions(+)
create mode 100644 queue-5.10/ftrace-x86-add-back-ftrace_expected-assignment.patch
create mode 100644 queue-5.10/input-gscps2-check-return-value-of-ioremap-in-gscps2_probe.patch
create mode 100644 queue-5.10/posix-cpu-timers-cleanup-cpu-timers-before-freeing-them-during-exec.patch
create mode 100644 queue-5.10/x86-bugs-enable-stibp-for-ibpb-mitigated-retbleed.patch
create mode 100644 queue-5.10/x86-olpc-fix-logical-not-is-only-applied-to-the-left-hand-side.patch
diff --git a/queue-5.10/ftrace-x86-add-back-ftrace_expected-assignment.patch b/queue-5.10/ftrace-x86-add-back-ftrace_expected-assignment.patch
new file mode 100644
index 00000000000..29ccfd98fa2
--- /dev/null
+++ b/queue-5.10/ftrace-x86-add-back-ftrace_expected-assignment.patch
@@ -0,0 +1,44 @@
+From ac6c1b2ca77e722a1e5d651f12f437f2f237e658 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Google)"
+Date: Tue, 26 Jul 2022 10:18:51 -0400
+Subject: ftrace/x86: Add back ftrace_expected assignment
+
+From: Steven Rostedt (Google)
+
+commit ac6c1b2ca77e722a1e5d651f12f437f2f237e658 upstream.
+
+When a ftrace_bug happens (where ftrace fails to modify a location) it is
+helpful to have what was at that location as well as what was expected to
+be there.
+
+But with the conversion to text_poke() the variable that assigns the
+expected for debugging was dropped. Unfortunately, I noticed this when I
+needed it. Add it back.
+
+Link: https://lkml.kernel.org/r/20220726101851.069d2e70@gandalf.local.home
+
+Cc: "x86@kernel.org"
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: Ingo Molnar
+Cc: Borislav Petkov
+Cc: "H. Peter Anvin"
+Cc: Andrew Morton
+Cc: stable@vger.kernel.org
+Fixes: 768ae4406a5c ("x86/ftrace: Use text_poke()")
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/ftrace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/ftrace.c
++++ b/arch/x86/kernel/ftrace.c
+@@ -93,6 +93,7 @@ static int ftrace_verify_code(unsigned l
+
+ /* Make sure it is what we expect it to be */
+ if (memcmp(cur_code, old_code, MCOUNT_INSN_SIZE) != 0) {
++ ftrace_expected = old_code;
+ WARN_ON(1);
+ return -EINVAL;
+ }
diff --git a/queue-5.10/input-gscps2-check-return-value-of-ioremap-in-gscps2_probe.patch b/queue-5.10/input-gscps2-check-return-value-of-ioremap-in-gscps2_probe.patch
new file mode 100644
index 00000000000..a83179aa378
--- /dev/null
+++ b/queue-5.10/input-gscps2-check-return-value-of-ioremap-in-gscps2_probe.patch
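Review bot: The added `ftrace_expected = old_code;` parks a caller-supplied pointer in a file-scope global without saying why, and nothing visible clears it on the success path, so the value can linger stale between failures; a why-comment at the assignment would help, e.g. `/* Saved for ftrace_bug() so the report shows the bytes we expected next to what was found */`. Whether the pointee outlives this call cannot be told from the hunk — `old_code` is a parameter of ftrace_verify_code(), whose body starts before the hunk — so that lifetime is worth confirming where ftrace_bug() reads the global. The assignment only covers the memcmp mismatch path; any earlier failure return in the function is outside the hunk and still records nothing.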
@@ -0,0 +1,35 @@
+From e61b3125a4f036b3c6b87ffd656fc1ab00440ae9 Mon Sep 17 00:00:00 2001
+From: Xie Shaowen
+Date: Tue, 2 Aug 2022 15:20:33 +0800
+Subject: Input: gscps2 - check return value of ioremap() in gscps2_probe()
+
+From: Xie Shaowen
+
+commit e61b3125a4f036b3c6b87ffd656fc1ab00440ae9 upstream.
+
+The function ioremap() in gscps2_probe() can fail, so
+its return value should be checked.
+
+Fixes: 4bdc0d676a643 ("remove ioremap_nocache and devm_ioremap_nocache")
+Cc: # v5.6+
+Reported-by: Hacash Robot
+Signed-off-by: Xie Shaowen
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/serio/gscps2.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/input/serio/gscps2.c
++++ b/drivers/input/serio/gscps2.c
+@@ -350,6 +350,10 @@ static int __init gscps2_probe(struct pa
+ ps2port->port = serio;
+ ps2port->padev = dev;
+ ps2port->addr = ioremap(hpa, GSC_STATUS + 4);
++ if (!ps2port->addr) {
++ ret = -ENOMEM;
++ goto fail_nomem;
++ }
+ spin_lock_init(&ps2port->lock);
+
+ gscps2_reset(ps2port);
diff --git a/queue-5.10/posix-cpu-timers-cleanup-cpu-timers-before-freeing-them-during-exec.patch b/queue-5.10/posix-cpu-timers-cleanup-cpu-timers-before-freeing-them-during-exec.patch
new file mode 100644
index 00000000000..51e7b2c3d0b
--- /dev/null
+++ b/queue-5.10/posix-cpu-timers-cleanup-cpu-timers-before-freeing-them-during-exec.patch
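Review bot: The new `goto fail_nomem` is taken while both `serio` and `ps2port` are live (the context line above assigns `ps2port->port = serio`), but the `fail_nomem` label is outside the hunk, so confirm it frees both objects, returns the `ret` set here rather than a constant, and is not a path that calls iounmap() on the now-NULL `ps2port->addr`. The failure is also silent: nothing is logged before the goto, so a probe that dies here gives no hint which resource was missing; a `printk(KERN_ERR "gscps2: ioremap of port registers failed\n");` ahead of the goto would cost nothing. gscps2_probe() starts before the hunk and continues past it.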
@@ -0,0 +1,47 @@
+From e362359ace6f87c201531872486ff295df306d13 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo
+Date: Tue, 9 Aug 2022 14:07:51 -0300
+Subject: posix-cpu-timers: Cleanup CPU timers before freeing them during exec
+
+From: Thadeu Lima de Souza Cascardo
+
+commit e362359ace6f87c201531872486ff295df306d13 upstream.
+
+Commit 55e8c8eb2c7b ("posix-cpu-timers: Store a reference to a pid not a
+task") started looking up tasks by PID when deleting a CPU timer.
+
+When a non-leader thread calls execve, it will switch PIDs with the leader
+process. Then, as it calls exit_itimers, posix_cpu_timer_del cannot find
+the task because the timer still points out to the old PID.
+
+That means that armed timers won't be disarmed, that is, they won't be
+removed from the timerqueue_list. exit_itimers will still release their
+memory, and when that list is later processed, it leads to a
+use-after-free.
+
+Clean up the timers from the de-threaded task before freeing them. This
+prevents a reported use-after-free.
+
+Fixes: 55e8c8eb2c7b ("posix-cpu-timers: Store a reference to a pid not a task")
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Thomas Gleixner
+Cc:
+Link: https://lore.kernel.org/r/20220809170751.164716-1-cascardo@canonical.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/exec.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1286,6 +1286,9 @@ int begin_new_exec(struct linux_binprm *
+ bprm->mm = NULL;
+
+ #ifdef CONFIG_POSIX_TIMERS
++ spin_lock_irq(&me->sighand->siglock);
++ posix_cpu_timers_exit(me);
++ spin_unlock_irq(&me->sighand->siglock);
+ exit_itimers(me);
+ flush_itimer_signals();
+ #endif
diff --git a/queue-5.10/series b/queue-5.10/series
index 8cc175cee62..b72023c6bf1 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
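Review bot: The three added lines carry an ordering requirement the code does not state — `posix_cpu_timers_exit(me)` must run before the `exit_itimers(me)` call on the following context line, because, per the commit message, exit_itimers() frees the timers while the post-de_thread() PID swap keeps posix_cpu_timer_del() from finding and disarming them; a comment at the insertion point would keep a later reorder from reintroducing the use-after-free, e.g. `/* Disarm this task's CPU timers before exit_itimers() frees them: after de_thread() they still reference the old PID and posix_cpu_timer_del() cannot find them. */`. The call is wrapped in `spin_lock_irq`/`spin_unlock_irq` on `siglock`, which presumably mirrors what posix_cpu_timers_exit() expects on the task-exit path, but that locking contract is outside the hunk and worth checking against its other caller. begin_new_exec() starts before the hunk and continues past it.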
@@ -452,3 +452,8 @@ scsi-qla2xxx-turn-off-multi-queue-for-8g-adapters.patch
 scsi-qla2xxx-fix-erroneous-mailbox-timeout-after-pci-error-injection.patch
 scsi-qla2xxx-fix-losing-fcp-2-targets-on-long-port-disable-with-i-os.patch
 scsi-qla2xxx-fix-losing-fcp-2-targets-during-port-perturbation-tests.patch
+x86-bugs-enable-stibp-for-ibpb-mitigated-retbleed.patch
+ftrace-x86-add-back-ftrace_expected-assignment.patch
+x86-olpc-fix-logical-not-is-only-applied-to-the-left-hand-side.patch
+posix-cpu-timers-cleanup-cpu-timers-before-freeing-them-during-exec.patch
+input-gscps2-check-return-value-of-ioremap-in-gscps2_probe.patch
diff --git a/queue-5.10/x86-bugs-enable-stibp-for-ibpb-mitigated-retbleed.patch b/queue-5.10/x86-bugs-enable-stibp-for-ibpb-mitigated-retbleed.patch
new file mode 100644
index 00000000000..0db431008ff
--- /dev/null
+++ b/queue-5.10/x86-bugs-enable-stibp-for-ibpb-mitigated-retbleed.patch
@@ -0,0 +1,115 @@
+From e6cfcdda8cbe81eaf821c897369a65fec987b404 Mon Sep 17 00:00:00 2001
+From: Kim Phillips
+Date: Mon, 8 Aug 2022 09:32:33 -0500
+Subject: x86/bugs: Enable STIBP for IBPB mitigated RETBleed
+
+From: Kim Phillips
+
+commit e6cfcdda8cbe81eaf821c897369a65fec987b404 upstream.
+
+AMD's "Technical Guidance for Mitigating Branch Type Confusion,
+Rev. 1.0 2022-07-12" whitepaper, under section 6.1.2 "IBPB On
+Privileged Mode Entry / SMT Safety" says:
+
+ Similar to the Jmp2Ret mitigation, if the code on the sibling thread
+ cannot be trusted, software should set STIBP to 1 or disable SMT to
+ ensure SMT safety when using this mitigation.
+
+So, like already being done for retbleed=unret, and now also for
+retbleed=ibpb, force STIBP on machines that have it, and report its SMT
+vulnerability status accordingly.
+
+ [ bp: Remove the "we" and remove "[AMD]" applicability parameter which
+ doesn't work here. ]
+
+Fixes: 3ebc17006888 ("x86/bugs: Add retbleed=ibpb")
+Signed-off-by: Kim Phillips
+Signed-off-by: Borislav Petkov
+Cc: stable@vger.kernel.org # 5.10, 5.15, 5.19
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537
+Link: https://lore.kernel.org/r/20220804192201.439596-1-kim.phillips@amd.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/admin-guide/kernel-parameters.txt | 29 +++++++++++++++++-------
+ arch/x86/kernel/cpu/bugs.c | 10 ++++----
+ 2 files changed, 27 insertions(+), 12 deletions(-)
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -4662,20 +4662,33 @@
+ Speculative Code Execution with Return Instructions)
+ vulnerability.
+
++ AMD-based UNRET and IBPB mitigations alone do not stop
++ sibling threads from influencing the predictions of other
++ sibling threads. For that reason, STIBP is used on pro-
++ cessors that support it, and mitigate SMT on processors
++ that don't.
++
+ off - no mitigation
+ auto - automatically select a migitation
+ auto,nosmt - automatically select a mitigation,
+ disabling SMT if necessary for
+ the full mitigation (only on Zen1
+ and older without STIBP).
+- ibpb - mitigate short speculation windows on
+- basic block boundaries too. Safe, highest
+- perf impact.
+- unret - force enable untrained return thunks,
+- only effective on AMD f15h-f17h
+- based systems.
+- unret,nosmt - like unret, will disable SMT when STIBP
+- is not available.
++ ibpb - On AMD, mitigate short speculation
++ windows on basic block boundaries too.
++ Safe, highest perf impact. It also
++ enables STIBP if present. Not suitable
++ on Intel.
++ ibpb,nosmt - Like "ibpb" above but will disable SMT
++ when STIBP is not available. This is
++ the alternative for systems which do not
++ have STIBP.
++ unret - Force enable untrained return thunks,
++ only effective on AMD f15h-f17h based
++ systems.
++ unret,nosmt - Like unret, but will disable SMT when STIBP
++ is not available. This is the alternative for
++ systems which do not have STIBP.
+
+ Selecting 'auto' will choose a mitigation method at run
+ time according to the CPU.
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -144,7 +144,7 @@ void __init check_bugs(void)
+ /*
+ * spectre_v2_user_select_mitigation() relies on the state set by
+ * retbleed_select_mitigation(); specifically the STIBP selection is
+- * forced for UNRET.
++ * forced for UNRET or IBPB.
+ */
+ spectre_v2_user_select_mitigation();
+ ssb_select_mitigation();
+@@ -1135,7 +1135,8 @@ spectre_v2_user_select_mitigation(void)
+ boot_cpu_has(X86_FEATURE_AMD_STIBP_ALWAYS_ON))
+ mode = SPECTRE_V2_USER_STRICT_PREFERRED;
+
+- if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET) {
++ if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET ||
++ retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
+ if (mode != SPECTRE_V2_USER_STRICT &&
+ mode != SPECTRE_V2_USER_STRICT_PREFERRED)
+ pr_info("Selecting STIBP always-on mode to complement retbleed mitigation\n");
+@@ -2283,10 +2284,11 @@ static ssize_t srbds_show_state(char *bu
+
+ static ssize_t retbleed_show_state(char *buf)
+ {
+- if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET) {
++ if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET ||
++ retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
+ if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&
+ boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)
+- return sprintf(buf, "Vulnerable: untrained return thunk on non-Zen uarch\n");
++ return sprintf(buf, "Vulnerable: untrained return thunk / IBPB on non-AMD based uarch\n");
+
+ return sprintf(buf, "%s; SMT %s\n",
+ retbleed_strings[retbleed_mitigation],
diff --git a/queue-5.10/x86-olpc-fix-logical-not-is-only-applied-to-the-left-hand-side.patch b/queue-5.10/x86-olpc-fix-logical-not-is-only-applied-to-the-left-hand-side.patch
new file mode 100644
index 00000000000..7be9b324d5d
--- /dev/null
+++ b/queue-5.10/x86-olpc-fix-logical-not-is-only-applied-to-the-left-hand-side.patch
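Review bot: In the spectre_v2_user_select_mitigation() hunk the widened condition now forces STIBP strict mode for `RETBLEED_MITIGATION_IBPB` as well as UNRET, but the only explanation is in the commit message; a why-comment on the `if` would anchor the AMD guidance in the code, e.g. `/* UNRET and IBPB only protect the current thread; AMD's BTC guidance requires STIBP (or SMT off) for sibling-thread safety, so force STIBP always-on. */`. The kernel-parameters hunk documents a new `ibpb,nosmt` spelling while no command-line parsing change is in the patch, so confirm that retbleed_parse_cmdline() in this 5.10 backport accepts `nosmt` as an independent comma-separated token and not only after `unret`; the parser is outside the hunk. In retbleed_show_state() the vendor check now also fires for IBPB, and the new "non-AMD based uarch" string is consistent with the condition, which excludes both X86_VENDOR_AMD and X86_VENDOR_HYGON. Each of the three touched functions starts or ends outside its hunk.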
@@ -0,0 +1,49 @@
+From 3a2ba42cbd0b669ce3837ba400905f93dd06c79f Mon Sep 17 00:00:00 2001
+From: Alexander Lobakin
+Date: Fri, 15 Jul 2022 17:15:36 +0200
+Subject: x86/olpc: fix 'logical not is only applied to the left hand side'
+
+From: Alexander Lobakin
+
+commit 3a2ba42cbd0b669ce3837ba400905f93dd06c79f upstream.
+
+The bitops compile-time optimization series revealed one more
+problem in olpc-xo1-sci.c:send_ebook_state(), resulted in GCC
+warnings:
+
+arch/x86/platform/olpc/olpc-xo1-sci.c: In function 'send_ebook_state':
+arch/x86/platform/olpc/olpc-xo1-sci.c:83:63: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses]
+ 83 | if (!!test_bit(SW_TABLET_MODE, ebook_switch_idev->sw) == state)
+ | ^~
+arch/x86/platform/olpc/olpc-xo1-sci.c:83:13: note: add parentheses around left hand side expression to silence this warning
+
+Despite this code working as intended, this redundant double
+negation of boolean value, together with comparing to `char`
+with no explicit conversion to bool, makes compilers think
+the author made some unintentional logical mistakes here.
+Make it the other way around and negate the char instead
+to silence the warnings.
+
+Fixes: d2aa37411b8e ("x86/olpc/xo1/sci: Produce wakeup events for buttons and switches")
+Cc: stable@vger.kernel.org # 3.5+
+Reported-by: Guenter Roeck
+Reported-by: kernel test robot
+Reviewed-and-tested-by: Guenter Roeck
+Signed-off-by: Alexander Lobakin
+Signed-off-by: Yury Norov
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/platform/olpc/olpc-xo1-sci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/platform/olpc/olpc-xo1-sci.c
++++ b/arch/x86/platform/olpc/olpc-xo1-sci.c
+@@ -80,7 +80,7 @@ static void send_ebook_state(void)
+ return;
+ }
+
+- if (!!test_bit(SW_TABLET_MODE, ebook_switch_idev->sw) == state)
++ if (test_bit(SW_TABLET_MODE, ebook_switch_idev->sw) == !!state)
+ return; /* Nothing new to report. */
+ input_report_switch(ebook_switch_idev, SW_TABLET_MODE, state);
--
2.47.3
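Review bot: The rewritten comparison `test_bit(...) == !!state` is right only because `state` is a raw EC byte (a `char`, per the commit message) that has to be normalised to 0/1 before it is compared with test_bit()'s 0/1 result, and that intent is invisible at the call site; a short comment would keep a later cleanup from dropping the `!!`, e.g. `/* test_bit() yields 0/1; normalise the EC byte before comparing. */`. The raw `state` is still handed unnormalised to `input_report_switch()` on the last line, which is fine only if the input core treats any non-zero switch value as set — that lives outside the hunk and is worth a glance. send_ebook_state() starts before the hunk.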