From: Sasha Levin
Date: Tue, 16 Jul 2024 14:21:01 +0000 (-0400)
Subject: Fixes for 6.9
X-Git-Tag: v4.19.318~18^2~6
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3157848bb3ff46cce119104906c1e2819dc386c0;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 6.9

Signed-off-by: Sasha Levin
---

diff --git a/queue-6.9/i2c-mark-hostnotify-target-address-as-used.patch b/queue-6.9/i2c-mark-hostnotify-target-address-as-used.patch
new file mode 100644
index 00000000000..24d3a6d2947
--- /dev/null
+++ b/queue-6.9/i2c-mark-hostnotify-target-address-as-used.patch
@@ -0,0 +1,39 @@
+From cf61b5097ae6176834ef5936a221a812d1c5f6de Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 Jul 2024 10:55:07 +0200
+Subject: i2c: mark HostNotify target address as used
+
+From: Wolfram Sang
+
+[ Upstream commit bd9f5348089b65612e5ca976e2ae22f005340331 ]
+
+I2C core handles the local target for receiving HostNotify alerts. There
+is no separate driver bound to that address. That means userspace can
+access it if desired, leading to further complications if controllers
+are not capable of reading their own local target. Bind the local target
+to the dummy driver so it will be marked as "handled by the kernel" if
+the HostNotify feature is used. That protects aginst userspace access
+and prevents other drivers binding to it.
+
+Fixes: 2a71593da34d ("i2c: smbus: add core function handling SMBus host-notify")
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/i2c-core-base.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c
+index db0d1ac82910e..7e7b15440832b 100644
+--- a/drivers/i2c/i2c-core-base.c
++++ b/drivers/i2c/i2c-core-base.c
+@@ -1067,6 +1067,7 @@ EXPORT_SYMBOL(i2c_find_device_by_fwnode);
+ 
+ static const struct i2c_device_id dummy_id[] = {
+ { "dummy", 0 },
++ { "smbus_host_notify", 0 },
+ { },
+ };
+ 
+-- 
+2.43.0
+
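Review bot: The new `{ "smbus_host_notify", 0 }` entry only marks the HostNotify local target as kernel-owned if the client for that address is instantiated with exactly that type string, and the instantiating side is not part of this hunk; please confirm the two names match, because a mismatch would presumably leave the address unbound (the situation the commit message describes) without any error at runtime. A short comment on the new line would help the next reader, e.g. `/* HostNotify local target: owned by the core, never by a user driver */`. The `dummy_id[]` table is complete within the hunk.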
diff --git a/queue-6.9/i2c-rcar-bring-hardware-to-known-state-when-probing.patch b/queue-6.9/i2c-rcar-bring-hardware-to-known-state-when-probing.patch
new file mode 100644
index 00000000000..864c223c971
--- /dev/null
+++ b/queue-6.9/i2c-rcar-bring-hardware-to-known-state-when-probing.patch
@@ -0,0 +1,71 @@
+From a86d50f061ff40c902a50ab8a38421827910acf7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 7 Jul 2024 10:28:46 +0200
+Subject: i2c: rcar: bring hardware to known state when probing
+
+From: Wolfram Sang
+
+[ Upstream commit 4e36c0f20cb1c74c7bd7ea31ba432c1c4a989031 ]
+
+When probing, the hardware is not brought into a known state. This may
+be a problem when a hypervisor restarts Linux without resetting the
+hardware, leaving an old state running. Make sure the hardware gets
+initialized, especially interrupts should be cleared and disabled.
+
+Reported-by: Dirk Behme
+Reported-by: Geert Uytterhoeven
+Closes: https://lore.kernel.org/r/20240702045535.2000393-1-dirk.behme@de.bosch.com
+Fixes: 6ccbe607132b ("i2c: add Renesas R-Car I2C driver")
+Signed-off-by: Wolfram Sang
+Signed-off-by: Andi Shyti
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-rcar.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c
+index 828aa2ea0fe4c..ec73463ea9b5e 100644
+--- a/drivers/i2c/busses/i2c-rcar.c
++++ b/drivers/i2c/busses/i2c-rcar.c
+@@ -257,6 +257,14 @@ static void rcar_i2c_init(struct rcar_i2c_priv *priv)
+ }
+ }
+ 
++static void rcar_i2c_reset_slave(struct rcar_i2c_priv *priv)
++{
++ rcar_i2c_write(priv, ICSIER, 0);
++ rcar_i2c_write(priv, ICSSR, 0);
++ rcar_i2c_write(priv, ICSCR, SDBS);
++ rcar_i2c_write(priv, ICSAR, 0); /* Gen2: must be 0 if not using slave */
++}
++
+ static int rcar_i2c_bus_barrier(struct rcar_i2c_priv *priv)
+ {
+ int ret;
+@@ -1033,11 +1041,8 @@ static int rcar_unreg_slave(struct i2c_client *slave)
+ 
+ /* ensure no irq is running before clearing ptr */
+ disable_irq(priv->irq);
+- rcar_i2c_write(priv, ICSIER, 0);
+- rcar_i2c_write(priv, ICSSR, 0);
++ rcar_i2c_reset_slave(priv);
+ enable_irq(priv->irq);
+- rcar_i2c_write(priv, ICSCR, SDBS);
+- rcar_i2c_write(priv, ICSAR, 0); /* Gen2: must be 0 if not using slave */
+ 
+ priv->slave = NULL;
+ 
+@@ -1152,7 +1157,9 @@ static int rcar_i2c_probe(struct platform_device *pdev)
+ goto out_pm_disable;
+ }
+ 
+- rcar_i2c_write(priv, ICSAR, 0); /* Gen2: must be 0 if not using slave */
++ /* Bring hardware to known state */
++ rcar_i2c_init(priv);
++ rcar_i2c_reset_slave(priv);
+ 
+ if (priv->devtype < I2C_RCAR_GEN3) {
+ irqflags |= IRQF_NO_THREAD;
+-- 
+2.43.0
+
diff --git a/queue-6.9/i2c-rcar-clear-no_rxdma-flag-after-resetting.patch b/queue-6.9/i2c-rcar-clear-no_rxdma-flag-after-resetting.patch
new file mode 100644
index 00000000000..236eb704433
--- /dev/null
+++ b/queue-6.9/i2c-rcar-clear-no_rxdma-flag-after-resetting.patch
@@ -0,0 +1,39 @@
+From 8af92cccee6b8d3ff209eb5831f8d13aa9a0b002 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 Jul 2024 13:03:00 +0200
+Subject: i2c: rcar: clear NO_RXDMA flag after resetting
+
+From: Wolfram Sang
+
+[ Upstream commit fea6b5ebb71a2830b042e42de7ae255017ac3ce8 ]
+
+We should allow RXDMA only if the reset was really successful, so clear
+the flag after the reset call.
+
+Fixes: 0e864b552b23 ("i2c: rcar: reset controller is mandatory for Gen3+")
+Signed-off-by: Wolfram Sang
+Signed-off-by: Andi Shyti
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-rcar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c
+index ec73463ea9b5e..f0724c8e4b219 100644
+--- a/drivers/i2c/busses/i2c-rcar.c
++++ b/drivers/i2c/busses/i2c-rcar.c
+@@ -911,10 +911,10 @@ static int rcar_i2c_master_xfer(struct i2c_adapter *adap,
+ 
+ /* Gen3+ needs a reset. That also allows RXDMA once */
+ if (priv->devtype >= I2C_RCAR_GEN3) {
+- priv->flags &= ~ID_P_NO_RXDMA;
+ ret = rcar_i2c_do_reset(priv);
+ if (ret)
+ goto out;
++ priv->flags &= ~ID_P_NO_RXDMA;
+ }
+ 
+ rcar_i2c_init(priv);
+-- 
+2.43.0
+
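Review bot: `rcar_i2c_reset_slave()` is introduced without a comment although it is now called from two very different contexts visible in the hunk, `rcar_i2c_probe()` before any slave exists and `rcar_unreg_slave()` with the IRQ disabled; a one-line header such as `/* Mask and clear slave IRQs, then return the slave unit to its default state (ICSCR=SDBS, ICSAR=0) */` would state the contract both callers rely on. The new helper is complete within the hunk, but `rcar_unreg_slave()` and `rcar_i2c_probe()` both continue outside it.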
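Review bot: The context comment `/* Gen3+ needs a reset. That also allows RXDMA once */` no longer matches the code beneath it, since `ID_P_NO_RXDMA` is now cleared only after `rcar_i2c_do_reset()` succeeded and stays set on the `goto out` path; suggest `/* Gen3+ needs a reset. A successful reset also allows RXDMA once */` so the precondition is stated where the flag is cleared. `rcar_i2c_master_xfer()` starts and ends outside the hunk.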
diff --git a/queue-6.9/i2c-rcar-ensure-gen3-reset-does-not-disturb-local-ta.patch b/queue-6.9/i2c-rcar-ensure-gen3-reset-does-not-disturb-local-ta.patch
new file mode 100644
index 00000000000..b69e4088d69
--- /dev/null
+++ b/queue-6.9/i2c-rcar-ensure-gen3-reset-does-not-disturb-local-ta.patch
@@ -0,0 +1,59 @@
+From 7e879baa47a01f26512fcbc62c71a402a501b2be Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Jul 2024 10:30:44 +0200
+Subject: i2c: rcar: ensure Gen3+ reset does not disturb local targets
+
+From: Wolfram Sang
+
+[ Upstream commit ea5ea84c9d3570dc06e8fc5ee2273eaa584aa3ac ]
+
+R-Car Gen3+ needs a reset before every controller transfer. That erases
+configuration of a potentially in parallel running local target
+instance. To avoid this disruption, avoid controller transfers if a
+local target is running. Also, disable SMBusHostNotify because it
+requires being a controller and local target at the same time.
+
+Fixes: 3b770017b03a ("i2c: rcar: handle RXDMA HW behaviour on Gen3")
+Signed-off-by: Wolfram Sang
+Signed-off-by: Andi Shyti
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-rcar.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c
+index f0724c8e4b219..185a5d60f1019 100644
+--- a/drivers/i2c/busses/i2c-rcar.c
++++ b/drivers/i2c/busses/i2c-rcar.c
+@@ -883,6 +883,10 @@ static int rcar_i2c_do_reset(struct rcar_i2c_priv *priv)
+ {
+ int ret;
+ 
++ /* Don't reset if a slave instance is currently running */
++ if (priv->slave)
++ return -EISCONN;
++
+ ret = reset_control_reset(priv->rstc);
+ if (ret)
+ return ret;
+@@ -1175,6 +1179,7 @@ static int rcar_i2c_probe(struct platform_device *pdev)
+ if (of_property_read_bool(dev->of_node, "smbus"))
+ priv->flags |= ID_P_HOST_NOTIFY;
+ 
++ /* R-Car Gen3+ needs a reset before every transfer */
+ if (priv->devtype >= I2C_RCAR_GEN3) {
+ priv->rstc = devm_reset_control_get_exclusive(&pdev->dev, NULL);
+ if (IS_ERR(priv->rstc)) {
+@@ -1185,6 +1190,9 @@ static int rcar_i2c_probe(struct platform_device *pdev)
+ ret = reset_control_status(priv->rstc);
+ if (ret < 0)
+ goto out_pm_put;
++
++ /* hard reset disturbs HostNotify local target, so disable it */
++ priv->flags &= ~ID_P_HOST_NOTIFY;
+ }
+ 
+ ret = platform_get_irq(pdev, 0);
+-- 
+2.43.0
+
diff --git a/queue-6.9/i2c-testunit-avoid-re-issued-work-after-read-message.patch b/queue-6.9/i2c-testunit-avoid-re-issued-work-after-read-message.patch
new file mode 100644
index 00000000000..4aa3a145c8f
--- /dev/null
+++ b/queue-6.9/i2c-testunit-avoid-re-issued-work-after-read-message.patch
@@ -0,0 +1,44 @@
+From c74288dee7b854e988be1b35788eb281578df78c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Jul 2024 14:08:19 +0200
+Subject: i2c: testunit: avoid re-issued work after read message
+
+From: Wolfram Sang
+
+[ Upstream commit 119736c7af442ab398dbb806865988c98ef60d46 ]
+
+The to-be-fixed commit rightfully prevented that the registers will be
+cleared. However, the index must be cleared. Otherwise a read message
+will re-issue the last work. Fix it and add a comment describing the
+situation.
+
+Fixes: c422b6a63024 ("i2c: testunit: don't erase registers after STOP")
+Signed-off-by: Wolfram Sang
+Reviewed-by: Andi Shyti
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/i2c-slave-testunit.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/i2c/i2c-slave-testunit.c b/drivers/i2c/i2c-slave-testunit.c
+index ca43e98cae1b2..23a11e4e92567 100644
+--- a/drivers/i2c/i2c-slave-testunit.c
++++ b/drivers/i2c/i2c-slave-testunit.c
+@@ -118,6 +118,13 @@ static int i2c_slave_testunit_slave_cb(struct i2c_client *client,
+ queue_delayed_work(system_long_wq, &tu->worker,
+ msecs_to_jiffies(10 * tu->regs[TU_REG_DELAY]));
+ }
++
++ /*
++ * Reset reg_idx to avoid that work gets queued again in case of
++ * STOP after a following read message. But do not clear TU regs
++ * here because we still need them in the workqueue!
++ */
++ tu->reg_idx = 0;
+ break;
+ 
+ case I2C_SLAVE_WRITE_REQUESTED:
+-- 
+2.43.0
+
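Review bot: The `priv->flags &= ~ID_P_HOST_NOTIFY;` added at the end of the Gen3+ block silently discards the HostNotify request that the DT `"smbus"` property enabled a few lines earlier in the same function, so a user sees the feature missing with no explanation in the log; a one-liner next to the new comment, e.g. `dev_info(dev, "HostNotify not supported with Gen3+ reset, disabling\n");`, would make the decision visible. The new `priv->slave` test in `rcar_i2c_do_reset()` reads the pointer with no locking visible in the hunk; if slave registration is not serialized against controller transfers by the core (not shown here), a slave registered between that check and `reset_control_reset()` would still be wiped, which is worth a sentence in the comment either way. `-EISCONN` is also a new error that callers of the transfer path will now see, so the comment should say that the transfer is refused rather than deferred. Both `rcar_i2c_do_reset()` and `rcar_i2c_probe()` continue outside the hunk.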
diff --git a/queue-6.9/kbuild-make-ld-version.sh-more-robust-against-versio.patch b/queue-6.9/kbuild-make-ld-version.sh-more-robust-against-versio.patch
new file mode 100644
index 00000000000..9d199c8093b
--- /dev/null
+++ b/queue-6.9/kbuild-make-ld-version.sh-more-robust-against-versio.patch
@@ -0,0 +1,73 @@
+From 2e49cb49246c9f00b686ba587f02d507ebe58e7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 7 Jul 2024 22:06:47 -0700
+Subject: kbuild: Make ld-version.sh more robust against version string changes
+
+From: Nathan Chancellor
+
+[ Upstream commit 9852f47ac7c993990317570ff125e30ad901e213 ]
+
+After [1] in upstream LLVM, ld.lld's version output became slightly
+different when the cmake configuration option LLVM_APPEND_VC_REV is
+disabled.
+
+Before:
+
+ Debian LLD 19.0.0 (compatible with GNU linkers)
+
+After:
+
+ Debian LLD 19.0.0, compatible with GNU linkers
+
+This results in ld-version.sh failing with
+
+ scripts/ld-version.sh: 18: arithmetic expression: expecting EOF: "10000 * 19 + 100 * 0 + 0,"
+
+because the trailing comma is included in the patch level part of the
+expression. While [1] has been partially reverted in [2] to avoid this
+breakage (as it impacts the configuration stage and it is present in all
+LTS branches), it would be good to make ld-version.sh more robust
+against such miniscule changes like this one.
+
+Use POSIX shell parameter expansion [3] to remove the largest suffix
+after just numbers and periods, replacing of the current removal of
+everything after a hyphen. ld-version.sh continues to work for a number
+of distributions (Arch Linux, Debian, and Fedora) and the kernel.org
+toolchains and no longer errors on a version of ld.lld with [1].
+
+Fixes: 02aff8592204 ("kbuild: check the minimum linker version in Kconfig")
+Link: https://github.com/llvm/llvm-project/commit/0f9fbbb63cfcd2069441aa2ebef622c9716f8dbb [1]
+Link: https://github.com/llvm/llvm-project/commit/649cdfc4b6781a350dfc87d9b2a4b5a4c3395909 [2]
+Link: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html [3]
+Suggested-by: Fangrui Song
+Reviewed-by: Fangrui Song
+Signed-off-by: Nathan Chancellor
+Reviewed-by: Nicolas Schier
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Sasha Levin
+---
+ scripts/ld-version.sh | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/ld-version.sh b/scripts/ld-version.sh
+index a78b804b680cf..b9513d224476f 100755
+--- a/scripts/ld-version.sh
++++ b/scripts/ld-version.sh
+@@ -57,9 +57,11 @@ else
+ fi
+ fi
+ 
+-# Some distributions append a package release number, as in 2.34-4.fc32
+-# Trim the hyphen and any characters that follow.
+-version=${version%-*}
++# There may be something after the version, such as a distribution's package
++# release number (like Fedora's "2.34-4.fc32") or punctuation (like LLD briefly
++# added before the "compatible with GNU linkers" string), so remove everything
++# after just numbers and periods.
++version=${version%%[!0-9.]*}
+ 
+ cversion=$(get_canonical_version $version)
+ min_cversion=$(get_canonical_version $min_version)
+-- 
+2.43.0
+
diff --git a/queue-6.9/kbuild-rpm-pkg-avoid-the-warnings-with-dtb-s-listed-.patch b/queue-6.9/kbuild-rpm-pkg-avoid-the-warnings-with-dtb-s-listed-.patch
new file mode 100644
index 00000000000..4ace2c50263
--- /dev/null
+++ b/queue-6.9/kbuild-rpm-pkg-avoid-the-warnings-with-dtb-s-listed-.patch
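Review bot: `version=${version%%[!0-9.]*}` collapses to an empty string whenever `$version` does not begin with a digit, and the next line `cversion=$(get_canonical_version $version)` is then called with no argument at all, whereas the old `${version%-*}` left such a value intact; how `version` is derived above the hunk is not visible here, so whether a non-numeric prefix can occur cannot be judged from this patch. If it cannot, a half-sentence in the new comment saying the value is known to start with a digit would document that assumption; if it can, an explicit empty check before the expansion would fail with a clearer message than the arithmetic error quoted in the commit message.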
@@ -0,0 +1,41 @@
+From 01df6d7dda7a7e918c71beae664b2a453f492827 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Jul 2024 18:49:19 +0200
+Subject: kbuild: rpm-pkg: avoid the warnings with dtb's listed twice
+
+From: Jose Ignacio Tornos Martinez
+
+[ Upstream commit e3286434d220efb9a8b78f7241a5667974d2ec80 ]
+
+After 8d1001f7bdd0 (kbuild: rpm-pkg: fix build error with CONFIG_MODULES=n),
+the following warning "warning: File listed twice: *.dtb" is appearing for
+every dtb file that is included.
+The reason is that the commented commit already adds the folder
+/lib/modules/%{KERNELRELEASE} in kernel.list file so the folder
+/lib/modules/%{KERNELRELEASE}/dtb is no longer necessary, just remove it.
+
+Fixes: 8d1001f7bdd0 ("kbuild: rpm-pkg: fix build error with CONFIG_MODULES=n")
+Signed-off-by: Jose Ignacio Tornos Martinez
+Reviewed-by: Nathan Chancellor
+Tested-by: Nathan Chancellor
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Sasha Levin
+---
+ scripts/package/kernel.spec | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/scripts/package/kernel.spec b/scripts/package/kernel.spec
+index fffc8af8deb17..c52d517b93647 100644
+--- a/scripts/package/kernel.spec
++++ b/scripts/package/kernel.spec
+@@ -83,7 +83,6 @@ ln -fns /usr/src/kernels/%{KERNELRELEASE} %{buildroot}/lib/modules/%{KERNELRELEA
+ done
+ 
+ if [ -d "%{buildroot}/lib/modules/%{KERNELRELEASE}/dtb" ];then
+- echo "/lib/modules/%{KERNELRELEASE}/dtb"
+ find "%{buildroot}/lib/modules/%{KERNELRELEASE}/dtb" -printf "%%%ghost /boot/dtb-%{KERNELRELEASE}/%%P\n"
+ fi
+ 
+-- 
+2.43.0
+
diff --git a/queue-6.9/sched-deadline-fix-task_struct-reference-leak.patch b/queue-6.9/sched-deadline-fix-task_struct-reference-leak.patch
new file mode 100644
index 00000000000..580c5a66880
--- /dev/null
+++ b/queue-6.9/sched-deadline-fix-task_struct-reference-leak.patch
@@ -0,0 +1,71 @@
+From 9b637a8fa893a2b891c492dee16e577fc166ad1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jun 2024 09:56:17 -0300
+Subject: sched/deadline: Fix task_struct reference leak
+
+From: Wander Lairson Costa
+
+[ Upstream commit b58652db66c910c2245f5bee7deca41c12d707b9 ]
+
+During the execution of the following stress test with linux-rt:
+
+stress-ng --cyclic 30 --timeout 30 --minimize --quiet
+
+kmemleak frequently reported a memory leak concerning the task_struct:
+
+unreferenced object 0xffff8881305b8000 (size 16136):
+ comm "stress-ng", pid 614, jiffies 4294883961 (age 286.412s)
+ object hex dump (first 32 bytes):
+ 02 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .@..............
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ debug hex dump (first 16 bytes):
+ 53 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S...............
+ backtrace:
+ [<00000000046b6790>] dup_task_struct+0x30/0x540
+ [<00000000c5ca0f0b>] copy_process+0x3d9/0x50e0
+ [<00000000ced59777>] kernel_clone+0xb0/0x770
+ [<00000000a50befdc>] __do_sys_clone+0xb6/0xf0
+ [<000000001dbf2008>] do_syscall_64+0x5d/0xf0
+ [<00000000552900ff>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
+
+The issue occurs in start_dl_timer(), which increments the task_struct
+reference count and sets a timer. The timer callback, dl_task_timer,
+is supposed to decrement the reference count upon expiration. However,
+if enqueue_task_dl() is called before the timer expires and cancels it,
+the reference count is not decremented, leading to the leak.
+
+This patch fixes the reference leak by ensuring the task_struct
+reference count is properly decremented when the timer is canceled.
+
+Fixes: feff2e65efd8 ("sched/deadline: Unthrottle PI boosted threads while enqueuing")
+Signed-off-by: Wander Lairson Costa
+Signed-off-by: Peter Zijlstra (Intel)
+Acked-by: Juri Lelli
+Link: https://lore.kernel.org/r/20240620125618.11419-1-wander@redhat.com
+Signed-off-by: Sasha Levin
+---
+ kernel/sched/deadline.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index a04a436af8cc4..dce51bf2d3229 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -1805,8 +1805,13 @@ static void enqueue_task_dl(struct rq *rq, struct task_struct *p, int flags)
+ * The replenish timer needs to be canceled. No
+ * problem if it fires concurrently: boosted threads
+ * are ignored in dl_task_timer().
++ *
++ * If the timer callback was running (hrtimer_try_to_cancel == -1),
++ * it will eventually call put_task_struct().
+ */
+- hrtimer_try_to_cancel(&p->dl.dl_timer);
++ if (hrtimer_try_to_cancel(&p->dl.dl_timer) == 1 &&
++ !dl_server(&p->dl))
++ put_task_struct(p);
+ p->dl.dl_throttled = 0;
+ }
+ } else if (!dl_prio(p->normal_prio)) {
+-- 
+2.43.0
+
diff --git a/queue-6.9/series b/queue-6.9/series
index 91d3d11bcaa..ff7ef117174 100644
--- a/queue-6.9/series
+++ b/queue-6.9/series
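Review bot: The new comment covers the `-1` return of `hrtimer_try_to_cancel()` and the code handles `1`, but nothing explains the third outcome, `0`: presumably the timer was not armed, or had already fired and dropped its reference in `dl_task_timer()`, so no `put_task_struct()` is owed; a line such as ` * A return of 0 means the timer was inactive and held no reference.` would complete the contract. The `!dl_server(&p->dl)` condition is likewise undocumented here; if servers never take the reference in `start_dl_timer()` (not visible in this hunk), say so next to it, because a reader cannot otherwise tell why a server is allowed to skip the drop. `enqueue_task_dl()` begins and ends outside the hunk.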
@@ -132,3 +132,12 @@ mm-shmem-disable-pmd-sized-page-cache-if-needed.patch
 mm-damon-core-merge-regions-aggressively-when-max_nr_regions-is-unmet.patch
 revert-dt-bindings-cache-qcom-llcc-correct-qdu1000-reg-entries.patch
 ext4-avoid-ptr-null-pointer-dereference.patch
+i2c-rcar-bring-hardware-to-known-state-when-probing.patch
+i2c-rcar-clear-no_rxdma-flag-after-resetting.patch
+i2c-mark-hostnotify-target-address-as-used.patch
+i2c-rcar-ensure-gen3-reset-does-not-disturb-local-ta.patch
+i2c-testunit-avoid-re-issued-work-after-read-message.patch
+sched-deadline-fix-task_struct-reference-leak.patch
+x86-bhi-avoid-warning-in-db-handler-due-to-bhi-mitig.patch
+kbuild-make-ld-version.sh-more-robust-against-versio.patch
+kbuild-rpm-pkg-avoid-the-warnings-with-dtb-s-listed-.patch
diff --git a/queue-6.9/x86-bhi-avoid-warning-in-db-handler-due-to-bhi-mitig.patch b/queue-6.9/x86-bhi-avoid-warning-in-db-handler-due-to-bhi-mitig.patch
new file mode 100644
index 00000000000..c2fc10ce3f5
--- /dev/null
+++ b/queue-6.9/x86-bhi-avoid-warning-in-db-handler-due-to-bhi-mitig.patch
@@ -0,0 +1,106 @@
+From 02c77183ae5488c703d134bd93961863f13e3470 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 May 2024 09:04:59 +0200
+Subject: x86/bhi: Avoid warning in #DB handler due to BHI mitigation
+
+From: Alexandre Chartre
+
+[ Upstream commit ac8b270b61d48fcc61f052097777e3b5e11591e0 ]
+
+When BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set
+then entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the
+clear_bhb_loop() before the TF flag is cleared. This causes the #DB handler
+(exc_debug_kernel()) to issue a warning because single-step is used outside the
+entry_SYSENTER_compat() function.
+
+To address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY
+after making sure the TF flag is cleared.
+
+The problem can be reproduced with the following sequence:
+
+ $ cat sysenter_step.c
+ int main()
+ { asm("pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter"); }
+
+ $ gcc -o sysenter_step sysenter_step.c
+
+ $ ./sysenter_step
+ Segmentation fault (core dumped)
+
+The program is expected to crash, and the #DB handler will issue a warning.
+
+Kernel log:
+
+ WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160
+ ...
+ RIP: 0010:exc_debug_kernel+0xd2/0x160
+ ...
+ Call Trace:
+ <#DB>
+ ? show_regs+0x68/0x80
+ ? __warn+0x8c/0x140
+ ? exc_debug_kernel+0xd2/0x160
+ ? report_bug+0x175/0x1a0
+ ? handle_bug+0x44/0x90
+ ? exc_invalid_op+0x1c/0x70
+ ? asm_exc_invalid_op+0x1f/0x30
+ ? exc_debug_kernel+0xd2/0x160
+ exc_debug+0x43/0x50
+ asm_exc_debug+0x1e/0x40
+ RIP: 0010:clear_bhb_loop+0x0/0xb0
+ ...
+
+
+ ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d
+
+
+ [ bp: Massage commit message. ]
+
+Fixes: 7390db8aea0d ("x86/bhi: Add support for clearing branch history at syscall entry")
+Reported-by: Suman Maity
+Signed-off-by: Alexandre Chartre
+Signed-off-by: Borislav Petkov (AMD)
+Reviewed-by: Andrew Cooper
+Reviewed-by: Pawan Gupta
+Reviewed-by: Josh Poimboeuf
+Link: https://lore.kernel.org/r/20240524070459.3674025-1-alexandre.chartre@oracle.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/entry/entry_64_compat.S | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
+index c779046cc3fe7..2e8ead6090393 100644
+--- a/arch/x86/entry/entry_64_compat.S
++++ b/arch/x86/entry/entry_64_compat.S
+@@ -90,10 +90,6 @@ SYM_INNER_LABEL(entry_SYSENTER_compat_after_hwframe, SYM_L_GLOBAL)
+ 
+ cld
+ 
+- IBRS_ENTER
+- UNTRAIN_RET
+- CLEAR_BRANCH_HISTORY
+-
+ /*
+ * SYSENTER doesn't filter flags, so we need to clear NT and AC
+ * ourselves. To save a few cycles, we can check whether
+@@ -117,6 +113,16 @@ SYM_INNER_LABEL(entry_SYSENTER_compat_after_hwframe, SYM_L_GLOBAL)
+ jnz .Lsysenter_fix_flags
+ .Lsysenter_flags_fixed:
+ 
++ /*
++ * CPU bugs mitigations mechanisms can call other functions. They
++ * should be invoked after making sure TF is cleared because
++ * single-step is ignored only for instructions inside the
++ * entry_SYSENTER_compat function.
++ */
++ IBRS_ENTER
++ UNTRAIN_RET
++ CLEAR_BRANCH_HISTORY
++
+ movq %rsp, %rdi
+ call do_SYSENTER_32
+ jmp sysret32_from_system_call
+-- 
+2.43.0
+
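Review bot: With `IBRS_ENTER`/`UNTRAIN_RET`/`CLEAR_BRANCH_HISTORY` moved below `.Lsysenter_flags_fixed:`, the flag test and its `jnz .Lsysenter_fix_flags` branch in the second hunk now execute before any of the three mitigations, which the new comment does not mention; presumably the listed reviewers judged that acceptable because that branch and its inputs are kernel-controlled, but one sentence in the comment stating that the flags fix-up is deliberately left in front of the mitigations would stop the next reader from re-deriving it. The first comment line also reads awkwardly; suggest ` * CPU bug mitigation mechanisms can call other functions. They`. `entry_SYSENTER_compat` extends beyond both hunks.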