5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 14 Jan 2023 10:01:50 +0000 (11:01 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 14 Jan 2023 10:01:50 +0000 (11:01 +0100)
added patches:
docs-fix-the-docs-build-with-sphinx-6.0.patch
efi-tpm-avoid-read_once-for-accessing-the-event-log.patch
kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch
perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch
s390-kexec-fix-ipl-report-address-for-kdump.patch
s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch

queue-5.4/docs-fix-the-docs-build-with-sphinx-6.0.patch [new file with mode: 0644]
queue-5.4/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch [new file with mode: 0644]
queue-5.4/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch [new file with mode: 0644]
queue-5.4/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch [new file with mode: 0644]
queue-5.4/s390-kexec-fix-ipl-report-address-for-kdump.patch [new file with mode: 0644]
queue-5.4/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/docs-fix-the-docs-build-with-sphinx-6.0.patch b/queue-5.4/docs-fix-the-docs-build-with-sphinx-6.0.patch
new file mode 100644 (file)
index 0000000..923ca1e
--- /dev/null
@@ -0,0 +1,49 @@
+From 0283189e8f3d0917e2ac399688df85211f48447b Mon Sep 17 00:00:00 2001
+From: Jonathan Corbet <corbet@lwn.net>
+Date: Wed, 4 Jan 2023 10:47:39 -0700
+Subject: docs: Fix the docs build with Sphinx 6.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Corbet <corbet@lwn.net>
+
+commit 0283189e8f3d0917e2ac399688df85211f48447b upstream.
+
+Sphinx 6.0 removed the execfile_() function, which we use as part of the
+configuration process.  They *did* warn us...  Just open-code the
+functionality as is done in Sphinx itself.
+
+Tested (using SPHINX_CONF, since this code is only executed with an
+alternative config file) on various Sphinx versions from 2.5 through 6.0.
+
+Reported-by: Martin Liška <mliska@suse.cz>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/sphinx/load_config.py |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/Documentation/sphinx/load_config.py
++++ b/Documentation/sphinx/load_config.py
+@@ -3,7 +3,7 @@
+ import os
+ import sys
+-from sphinx.util.pycompat import execfile_
++from sphinx.util.osutil import fs_encoding
+ # ------------------------------------------------------------------------------
+ def loadConfig(namespace):
+@@ -48,7 +48,9 @@ def loadConfig(namespace):
+             sys.stdout.write("load additional sphinx-config: %s\n" % config_file)
+             config = namespace.copy()
+             config['__file__'] = config_file
+-            execfile_(config_file, config)
++            with open(config_file, 'rb') as f:
++                code = compile(f.read(), fs_encoding, 'exec')
++                exec(code, config)
+             del config['__file__']
+             namespace.update(config)
+         else:
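Review bot: The second argument of `compile()` on the added line `code = compile(f.read(), fs_encoding, 'exec')` is the filename stored in the code object, and here it receives the encoding name instead of the path, so a SyntaxError or traceback raised from the extra config file will point at a file literally named after the encoding rather than at `config_file`. As far as I recall, Sphinx's removed `execfile_()` passed the (fs_encoding-encoded) path in that position; the equivalent here is `code = compile(f.read(), config_file, 'exec')`. Reading the file in binary mode so that `compile()` honours the file's own coding cookie is fine as it stands. The enclosing `loadConfig()` starts outside the quoted hunk.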
diff --git a/queue-5.4/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch b/queue-5.4/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch
new file mode 100644 (file)
index 0000000..48f04e9
--- /dev/null
@@ -0,0 +1,51 @@
+From d3f450533bbcb6dd4d7d59cadc9b61b7321e4ac1 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Mon, 9 Jan 2023 10:44:31 +0100
+Subject: efi: tpm: Avoid READ_ONCE() for accessing the event log
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit d3f450533bbcb6dd4d7d59cadc9b61b7321e4ac1 upstream.
+
+Nathan reports that recent kernels built with LTO will crash when doing
+EFI boot using Fedora's GRUB and SHIM. The culprit turns out to be a
+misaligned load from the TPM event log, which is annotated with
+READ_ONCE(), and under LTO, this gets translated into a LDAR instruction
+which does not tolerate misaligned accesses.
+
+Interestingly, this does not happen when booting the same kernel
+straight from the UEFI shell, and so the fact that the event log may
+appear misaligned in memory may be caused by a bug in GRUB or SHIM.
+
+However, using READ_ONCE() to access firmware tables is slightly unusual
+in any case, and here, we only need to ensure that 'event' is not
+dereferenced again after it gets unmapped, but this is already taken
+care of by the implicit barrier() semantics of the early_memunmap()
+call.
+
+Cc: <stable@vger.kernel.org>
+Cc: Peter Jones <pjones@redhat.com>
+Cc: Jarkko Sakkinen <jarkko@kernel.org>
+Cc: Matthew Garrett <mjg59@srcf.ucam.org>
+Reported-by: Nathan Chancellor <nathan@kernel.org>
+Tested-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1782
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/tpm_eventlog.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/tpm_eventlog.h
++++ b/include/linux/tpm_eventlog.h
+@@ -198,8 +198,8 @@ static __always_inline int __calc_tpm2_e
+        * The loop below will unmap these fields if the log is larger than
+        * one page, so save them here for reference:
+        */
+-      count = READ_ONCE(event->count);
+-      event_type = READ_ONCE(event->event_type);
++      count = event->count;
++      event_type = event->event_type;
+       /* Verify that it's the log header */
+       if (event_header->pcr_idx != 0 ||
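Review bot: The rationale for dropping READ_ONCE() on `count = event->count;` and `event_type = event->event_type;` lives only in the commit message, and the existing comment above still reads as if the loads were just being saved for later, so a future reader is likely to "fix" them back to READ_ONCE(). I would extend that comment with ` * Plain loads on purpose: the log may be misaligned (seen with some bootloaders, where a READ_ONCE() under LTO becomes an LDAR and faults), and early_memunmap() below already acts as a compiler barrier.` The enclosing `__calc_tpm2_event_size()` continues outside the hunk, so I cannot confirm from here that no other READ_ONCE() on the same event pointer remains.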
diff --git a/queue-5.4/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch b/queue-5.4/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch
new file mode 100644 (file)
index 0000000..0cafc15
--- /dev/null
@@ -0,0 +1,81 @@
+From 406504c7b0405d74d74c15a667cd4c4620c3e7a9 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Tue, 20 Dec 2022 14:03:52 +0000
+Subject: KVM: arm64: Fix S1PTW handling on RO memslots
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 406504c7b0405d74d74c15a667cd4c4620c3e7a9 upstream.
+
+A recent development on the EFI front has resulted in guests having
+their page tables baked in the firmware binary, and mapped into the
+IPA space as part of a read-only memslot. Not only is this legitimate,
+but it also results in added security, so thumbs up.
+
+It is possible to take an S1PTW translation fault if the S1 PTs are
+unmapped at stage-2. However, KVM unconditionally treats S1PTW as a
+write to correctly handle hardware AF/DB updates to the S1 PTs.
+Furthermore, KVM injects an exception into the guest for S1PTW writes.
+In the aforementioned case this results in the guest taking an abort
+it won't recover from, as the S1 PTs mapping the vectors suffer from
+the same problem.
+
+So clearly our handling is... wrong.
+
+Instead, switch to a two-pronged approach:
+
+- On S1PTW translation fault, handle the fault as a read
+
+- On S1PTW permission fault, handle the fault as a write
+
+This is of no consequence to SW that *writes* to its PTs (the write
+will trigger a non-S1PTW fault), and SW that uses RO PTs will not
+use HW-assisted AF/DB anyway, as that'd be wrong.
+
+Only in the case described in c4ad98e4b72c ("KVM: arm64: Assume write
+fault on S1PTW permission fault on instruction fetch") do we end-up
+with two back-to-back faults (page being evicted and faulted back).
+I don't think this is a case worth optimising for.
+
+Fixes: c4ad98e4b72c ("KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch")
+Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+Regression-tested-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/kvm_emulate.h |   22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_emulate.h
++++ b/arch/arm64/include/asm/kvm_emulate.h
+@@ -378,8 +378,26 @@ static inline int kvm_vcpu_sys_get_rt(st
+ static inline bool kvm_is_write_fault(struct kvm_vcpu *vcpu)
+ {
+-      if (kvm_vcpu_abt_iss1tw(vcpu))
+-              return true;
++      if (kvm_vcpu_abt_iss1tw(vcpu)) {
++              /*
++               * Only a permission fault on a S1PTW should be
++               * considered as a write. Otherwise, page tables baked
++               * in a read-only memslot will result in an exception
++               * being delivered in the guest.
++               *
++               * The drawback is that we end-up faulting twice if the
++               * guest is using any of HW AF/DB: a translation fault
++               * to map the page containing the PT (read only at
++               * first), then a permission fault to allow the flags
++               * to be set.
++               */
++              switch (kvm_vcpu_trap_get_fault_type(vcpu)) {
++              case ESR_ELx_FSC_PERM:
++                      return true;
++              default:
++                      return false;
++              }
++      }
+       if (kvm_vcpu_trap_is_iabt(vcpu))
+               return false;
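Review bot: The new comment in `kvm_is_write_fault()` explains only the permission/translation split, while the `default:` arm also returns false for every other fault class reported by `kvm_vcpu_trap_get_fault_type()` (access-flag faults, address-size faults and so on), so a reader cannot tell whether that is deliberate or an oversight. I would add one line to the comment: ` * Any other fault class on a S1PTW is treated as a read.` Since this is a stable backport mirroring the upstream commit, I would raise this upstream rather than diverge here. The rest of `kvm_is_write_fault()` lies outside the hunk.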
diff --git a/queue-5.4/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch b/queue-5.4/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch
new file mode 100644 (file)
index 0000000..f487785
--- /dev/null
@@ -0,0 +1,104 @@
+From cf129830ee820f7fc90b98df193cd49d49344d09 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Tue, 10 Jan 2023 20:56:59 +0200
+Subject: perf auxtrace: Fix address filter duplicate symbol selection
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit cf129830ee820f7fc90b98df193cd49d49344d09 upstream.
+
+When a match has been made to the nth duplicate symbol, return
+success not error.
+
+Example:
+
+  Before:
+
+    $ cat file.c
+    cat: file.c: No such file or directory
+    $ cat file1.c
+    #include <stdio.h>
+
+    static void func(void)
+    {
+            printf("First func\n");
+    }
+
+    void other(void);
+
+    int main()
+    {
+            func();
+            other();
+            return 0;
+    }
+    $ cat file2.c
+    #include <stdio.h>
+
+    static void func(void)
+    {
+            printf("Second func\n");
+    }
+
+    void other(void)
+    {
+            func();
+    }
+
+    $ gcc -Wall -Wextra -o test file1.c file2.c
+    $ perf record -e intel_pt//u --filter 'filter func @ ./test' -- ./test
+    Multiple symbols with name 'func'
+    #1      0x1149  l       func
+                    which is near           main
+    #2      0x1179  l       func
+                    which is near           other
+    Disambiguate symbol name by inserting #n after the name e.g. func #2
+    Or select a global symbol by inserting #0 or #g or #G
+    Failed to parse address filter: 'filter func @ ./test'
+    Filter format is: filter|start|stop|tracestop <start symbol or address> [/ <end symbol or size>] [@<file name>]
+    Where multiple filters are separated by space or comma.
+    $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test
+    Failed to parse address filter: 'filter func #2 @ ./test'
+    Filter format is: filter|start|stop|tracestop <start symbol or address> [/ <end symbol or size>] [@<file name>]
+    Where multiple filters are separated by space or comma.
+
+  After:
+
+    $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test
+    First func
+    Second func
+    [ perf record: Woken up 1 times to write data ]
+    [ perf record: Captured and wrote 0.016 MB perf.data ]
+    $ perf script --itrace=b -Ftime,flags,ip,sym,addr --ns
+    1231062.526977619:   tr strt                               0 [unknown] =>     558495708179 func
+    1231062.526977619:   tr end  call               558495708188 func =>     558495708050 _init
+    1231062.526979286:   tr strt                               0 [unknown] =>     55849570818d func
+    1231062.526979286:   tr end  return             55849570818f func =>     55849570819d other
+
+Fixes: 1b36c03e356936d6 ("perf record: Add support for using symbols in address filters")
+Reported-by: Dmitrii Dolgov <9erthalion6@gmail.com>
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Dmitry Dolgov <9erthalion6@gmail.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230110185659.15979-1-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/auxtrace.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/auxtrace.c
++++ b/tools/perf/util/auxtrace.c
+@@ -1995,7 +1995,7 @@ static int find_dso_sym(struct dso *dso,
+                               *size = sym->start - *start;
+                       if (idx > 0) {
+                               if (*size)
+-                                      return 1;
++                                      return 0;
+                       } else if (dso_sym_match(sym, sym_name, &cnt, idx)) {
+                               print_duplicate_syms(dso, sym_name);
+                               return -EINVAL;
diff --git a/queue-5.4/s390-kexec-fix-ipl-report-address-for-kdump.patch b/queue-5.4/s390-kexec-fix-ipl-report-address-for-kdump.patch
new file mode 100644 (file)
index 0000000..ae30475
--- /dev/null
@@ -0,0 +1,60 @@
+From c2337a40e04dde1692b5b0a46ecc59f89aaba8a1 Mon Sep 17 00:00:00 2001
+From: Alexander Egorenkov <egorenar@linux.ibm.com>
+Date: Mon, 14 Nov 2022 11:40:08 +0100
+Subject: s390/kexec: fix ipl report address for kdump
+
+From: Alexander Egorenkov <egorenar@linux.ibm.com>
+
+commit c2337a40e04dde1692b5b0a46ecc59f89aaba8a1 upstream.
+
+This commit addresses the following erroneous situation with file-based
+kdump executed on a system with a valid IPL report.
+
+On s390, a kdump kernel, its initrd and IPL report if present are loaded
+into a special and reserved on boot memory region - crashkernel. When
+a system crashes and kdump was activated before, the purgatory code
+is entered first which swaps the crashkernel and [0 - crashkernel size]
+memory regions. Only after that the kdump kernel is entered. For this
+reason, the pointer to an IPL report in lowcore must point to the IPL report
+after the swap and not to the address of the IPL report that was located in
+crashkernel memory region before the swap. Failing to do so, makes the
+kdump's decompressor try to read memory from the crashkernel memory region
+which already contains the production's kernel memory.
+
+The situation described above caused spontaneous kdump failures/hangs
+on systems where the Secure IPL is activated because on such systems
+an IPL report is always present. In that case kdump's decompressor tried
+to parse an IPL report which frequently lead to illegal memory accesses
+because an IPL report contains addresses to various data.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 99feaa717e55 ("s390/kexec_file: Create ipl report and pass to next kernel")
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Alexander Egorenkov <egorenar@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/machine_kexec_file.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kernel/machine_kexec_file.c
++++ b/arch/s390/kernel/machine_kexec_file.c
+@@ -185,8 +185,6 @@ static int kexec_file_add_ipl_report(str
+       data->memsz = ALIGN(data->memsz, PAGE_SIZE);
+       buf.mem = data->memsz;
+-      if (image->type == KEXEC_TYPE_CRASH)
+-              buf.mem += crashk_res.start;
+       ptr = (void *)ipl_cert_list_addr;
+       end = ptr + ipl_cert_list_size;
+@@ -223,6 +221,9 @@ static int kexec_file_add_ipl_report(str
+               data->kernel_buf + offsetof(struct lowcore, ipl_parmblock_ptr);
+       *lc_ipl_parmblock_ptr = (__u32)buf.mem;
++      if (image->type == KEXEC_TYPE_CRASH)
++              buf.mem += crashk_res.start;
++
+       ret = kexec_add_buffer(&buf);
+ out:
+       return ret;
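Review bot: The fix relies on an ordering invariant that the code does not state: `*lc_ipl_parmblock_ptr = (__u32)buf.mem;` must see the address valid after purgatory swaps the regions, while `kexec_add_buffer(&buf)` needs the absolute crashkernel address, and nothing between the two hunks may use `buf.mem` as an absolute address (I cannot verify that from the quoted context). I would put that in a comment above the moved `if`: `/* lowcore wants the post-swap address; kexec_add_buffer() needs the absolute one */`. Both hunks belong to `kexec_file_add_ipl_report()`, which starts outside the hunk.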
diff --git a/queue-5.4/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch b/queue-5.4/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch
new file mode 100644 (file)
index 0000000..99c0ce2
--- /dev/null
@@ -0,0 +1,32 @@
+From e3f360db08d55a14112bd27454e616a24296a8b0 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Mon, 9 Jan 2023 11:51:20 +0100
+Subject: s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple()
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+commit e3f360db08d55a14112bd27454e616a24296a8b0 upstream.
+
+Make sure that *ptr__ within arch_this_cpu_to_op_simple() is only
+dereferenced once by using READ_ONCE(). Otherwise the compiler could
+generate incorrect code.
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/percpu.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/include/asm/percpu.h
++++ b/arch/s390/include/asm/percpu.h
+@@ -31,7 +31,7 @@
+       pcp_op_T__ *ptr__;                                              \
+       preempt_disable_notrace();                                      \
+       ptr__ = raw_cpu_ptr(&(pcp));                                    \
+-      prev__ = *ptr__;                                                \
++      prev__ = READ_ONCE(*ptr__);                                     \
+       do {                                                            \
+               old__ = prev__;                                         \
+               new__ = old__ op (val);                                 \
index 303f23b8fcc854402460c639bb1ac9e307b448bd..31de0b4b2eb6396502c2abdf39c4ee17a30322ce 100644 (file)
@@ -600,6 +600,12 @@ selftests-fix-kselftest-o-objdir-build-from-cluttering-top-level-objdir.patch
 selftests-set-the-build-variable-to-absolute-path.patch
 driver-core-fix-bus_type.match-error-handling-in-__driver_attach.patch
 net-sched-disallow-noqueue-for-qdisc-classes.patch
+kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch
+efi-tpm-avoid-read_once-for-accessing-the-event-log.patch
+docs-fix-the-docs-build-with-sphinx-6.0.patch
+perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch
+s390-kexec-fix-ipl-report-address-for-kdump.patch
+s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch
 net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch
 alsa-pcm-move-rwsem-lock-inside-snd_ctl_elem_read-to-prevent-uaf.patch
 alsa-hda-hdmi-add-a-hp-device-0x8715-to-force-connect-list.patch