From: Greg Kroah-Hartman Date: Mon, 20 Nov 2023 15:31:57 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v4.14.331~142 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=341bf7ca96e673855799a4e370a6cbf24bf8d43c;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: bpf-fix-check_stack_write_fixed_off-to-correctly-spill-imm.patch bpf-fix-precision-tracking-for-bpf_alu-bpf_to_be-bpf_end.patch crypto-x86-sha-load-modules-based-on-cpu-features.patch drivers-perf-check-find_first_bit-return-value.patch i915-perf-fix-null-deref-bugs-with-drm_dbg-calls.patch kvm-x86-clear-bit12-of-icr-after-apic-write-vm-exit.patch kvm-x86-hyper-v-don-t-auto-enable-stimer-on-write-from-user-space.patch kvm-x86-ignore-msr_amd64_tw_cfg-access.patch media-venus-hfi-add-checks-to-perform-sanity-on-queue-pointers.patch perf-intel-pt-fix-async-branch-flags.patch powerpc-perf-fix-disabling-bhrb-and-instruction-sampling.patch randstruct-fix-gcc-plugin-performance-mode-to-stay-in-group.patch scsi-megaraid_sas-increase-register-read-retry-rount-from-3-to-30-for-selected-registers.patch scsi-mpt3sas-fix-loop-logic.patch scsi-qla2xxx-fix-system-crash-due-to-bad-pointer-access.patch x86-cpu-hygon-fix-the-cpu-topology-evaluation-for-real.patch --- diff --git a/queue-6.1/bpf-fix-check_stack_write_fixed_off-to-correctly-spill-imm.patch b/queue-6.1/bpf-fix-check_stack_write_fixed_off-to-correctly-spill-imm.patch new file mode 100644 index 00000000000..81e44c35f76 --- /dev/null +++ b/queue-6.1/bpf-fix-check_stack_write_fixed_off-to-correctly-spill-imm.patch @@ -0,0 +1,68 @@ +From 811c363645b33e6e22658634329e95f383dfc705 Mon Sep 17 00:00:00 2001 +From: Hao Sun +Date: Wed, 1 Nov 2023 13:33:51 +0100 +Subject: bpf: Fix check_stack_write_fixed_off() to correctly spill imm + +From: Hao Sun + +commit 811c363645b33e6e22658634329e95f383dfc705 upstream. + +In check_stack_write_fixed_off(), imm value is cast to u32 before being +spilled to the stack. Therefore, the sign information is lost, and the +range information is incorrect when load from the stack again. + +For the following prog: +0: r2 = r10 +1: *(u64*)(r2 -40) = -44 +2: r0 = *(u64*)(r2 - 40) +3: if r0 s<= 0xa goto +2 +4: r0 = 1 +5: exit +6: r0 = 0 +7: exit + +The verifier gives: +func#0 @0 +0: R1=ctx(off=0,imm=0) R10=fp0 +0: (bf) r2 = r10 ; R2_w=fp0 R10=fp0 +1: (7a) *(u64 *)(r2 -40) = -44 ; R2_w=fp0 fp-40_w=4294967252 +2: (79) r0 = *(u64 *)(r2 -40) ; R0_w=4294967252 R2_w=fp0 +fp-40_w=4294967252 +3: (c5) if r0 s< 0xa goto pc+2 +mark_precise: frame0: last_idx 3 first_idx 0 subseq_idx -1 +mark_precise: frame0: regs=r0 stack= before 2: (79) r0 = *(u64 *)(r2 -40) +3: R0_w=4294967252 +4: (b7) r0 = 1 ; R0_w=1 +5: (95) exit +verification time 7971 usec +stack depth 40 +processed 6 insns (limit 1000000) max_states_per_insn 0 total_states 0 +peak_states 0 mark_read 0 + +So remove the incorrect cast, since imm field is declared as s32, and +__mark_reg_known() takes u64, so imm would be correctly sign extended +by compiler. + +Fixes: ecdf985d7615 ("bpf: track immediate values written to stack by BPF_ST instruction") +Cc: stable@vger.kernel.org +Signed-off-by: Hao Sun +Acked-by: Shung-Hsi Yu +Acked-by: Eduard Zingerman +Link: https://lore.kernel.org/r/20231101-fix-check-stack-write-v3-1-f05c2b1473d5@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -3292,7 +3292,7 @@ static int check_stack_write_fixed_off(s + insn->imm != 0 && env->bpf_capable) { + struct bpf_reg_state fake_reg = {}; + +- __mark_reg_known(&fake_reg, (u32)insn->imm); ++ __mark_reg_known(&fake_reg, insn->imm); + fake_reg.type = SCALAR_VALUE; + save_register_state(state, spi, &fake_reg, size); + } else if (reg && is_spillable_regtype(reg->type)) { diff --git a/queue-6.1/bpf-fix-precision-tracking-for-bpf_alu-bpf_to_be-bpf_end.patch b/queue-6.1/bpf-fix-precision-tracking-for-bpf_alu-bpf_to_be-bpf_end.patch new file mode 100644 index 00000000000..910d2db2f4c --- /dev/null +++ b/queue-6.1/bpf-fix-precision-tracking-for-bpf_alu-bpf_to_be-bpf_end.patch @@ -0,0 +1,60 @@ +From 291d044fd51f8484066300ee42afecf8c8db7b3a Mon Sep 17 00:00:00 2001 +From: Shung-Hsi Yu +Date: Thu, 2 Nov 2023 13:39:03 +0800 +Subject: bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shung-Hsi Yu + +commit 291d044fd51f8484066300ee42afecf8c8db7b3a upstream. + +BPF_END and BPF_NEG has a different specification for the source bit in +the opcode compared to other ALU/ALU64 instructions, and is either +reserved or use to specify the byte swap endianness. In both cases the +source bit does not encode source operand location, and src_reg is a +reserved field. + +backtrack_insn() currently does not differentiate BPF_END and BPF_NEG +from other ALU/ALU64 instructions, which leads to r0 being incorrectly +marked as precise when processing BPF_ALU | BPF_TO_BE | BPF_END +instructions. This commit teaches backtrack_insn() to correctly mark +precision for such case. + +While precise tracking of BPF_NEG and other BPF_END instructions are +correct and does not need fixing, this commit opt to process all BPF_NEG +and BPF_END instructions within the same if-clause to better align with +current convention used in the verifier (e.g. check_alu_op). + +Fixes: b5dc0163d8fd ("bpf: precise scalar_value tracking") +Cc: stable@vger.kernel.org +Reported-by: Mohamed Mahmoud +Closes: https://lore.kernel.org/r/87jzrrwptf.fsf@toke.dk +Tested-by: Toke Høiland-Jørgensen +Tested-by: Tao Lyu +Acked-by: Eduard Zingerman +Signed-off-by: Shung-Hsi Yu +Link: https://lore.kernel.org/r/20231102053913.12004-2-shung-hsi.yu@suse.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2596,7 +2596,12 @@ static int backtrack_insn(struct bpf_ver + if (class == BPF_ALU || class == BPF_ALU64) { + if (!(*reg_mask & dreg)) + return 0; +- if (opcode == BPF_MOV) { ++ if (opcode == BPF_END || opcode == BPF_NEG) { ++ /* sreg is reserved and unused ++ * dreg still need precision before this insn ++ */ ++ return 0; ++ } else if (opcode == BPF_MOV) { + if (BPF_SRC(insn->code) == BPF_X) { + /* dreg = sreg + * dreg needs precision after this insn diff --git a/queue-6.1/crypto-x86-sha-load-modules-based-on-cpu-features.patch b/queue-6.1/crypto-x86-sha-load-modules-based-on-cpu-features.patch new file mode 100644 index 00000000000..7d205dfd495 --- /dev/null +++ b/queue-6.1/crypto-x86-sha-load-modules-based-on-cpu-features.patch @@ -0,0 +1,102 @@ +From 1c43c0f1f84aa59dfc98ce66f0a67b2922aa7f9d Mon Sep 17 00:00:00 2001 +From: Roxana Nicolescu +Date: Fri, 15 Sep 2023 12:23:25 +0200 +Subject: crypto: x86/sha - load modules based on CPU features + +From: Roxana Nicolescu + +commit 1c43c0f1f84aa59dfc98ce66f0a67b2922aa7f9d upstream. + +x86 optimized crypto modules are built as modules rather than build-in and +they are not loaded when the crypto API is initialized, resulting in the +generic builtin module (sha1-generic) being used instead. + +It was discovered when creating a sha1/sha256 checksum of a 2Gb file by +using kcapi-tools because it would take significantly longer than creating +a sha512 checksum of the same file. trace-cmd showed that for sha1/256 the +generic module was used, whereas for sha512 the optimized module was used +instead. + +Add module aliases() for these x86 optimized crypto modules based on CPU +feature bits so udev gets a chance to load them later in the boot +process. This resulted in ~3x decrease in the real-time execution of +kcapi-dsg. + +Fix is inspired from commit +aa031b8f702e ("crypto: x86/sha512 - load based on CPU features") +where a similar fix was done for sha512. + +Cc: stable@vger.kernel.org # 5.15+ +Suggested-by: Dimitri John Ledkov +Suggested-by: Julian Andres Klode +Signed-off-by: Roxana Nicolescu +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/crypto/sha1_ssse3_glue.c | 12 ++++++++++++ + arch/x86/crypto/sha256_ssse3_glue.c | 12 ++++++++++++ + 2 files changed, 24 insertions(+) + +--- a/arch/x86/crypto/sha1_ssse3_glue.c ++++ b/arch/x86/crypto/sha1_ssse3_glue.c +@@ -24,8 +24,17 @@ + #include + #include + #include ++#include + #include + ++static const struct x86_cpu_id module_cpu_ids[] = { ++ X86_MATCH_FEATURE(X86_FEATURE_AVX2, NULL), ++ X86_MATCH_FEATURE(X86_FEATURE_AVX, NULL), ++ X86_MATCH_FEATURE(X86_FEATURE_SSSE3, NULL), ++ {} ++}; ++MODULE_DEVICE_TABLE(x86cpu, module_cpu_ids); ++ + static int sha1_update(struct shash_desc *desc, const u8 *data, + unsigned int len, sha1_block_fn *sha1_xform) + { +@@ -301,6 +310,9 @@ static inline void unregister_sha1_ni(vo + + static int __init sha1_ssse3_mod_init(void) + { ++ if (!x86_match_cpu(module_cpu_ids)) ++ return -ENODEV; ++ + if (register_sha1_ssse3()) + goto fail; + +--- a/arch/x86/crypto/sha256_ssse3_glue.c ++++ b/arch/x86/crypto/sha256_ssse3_glue.c +@@ -38,11 +38,20 @@ + #include + #include + #include ++#include + #include + + asmlinkage void sha256_transform_ssse3(struct sha256_state *state, + const u8 *data, int blocks); + ++static const struct x86_cpu_id module_cpu_ids[] = { ++ X86_MATCH_FEATURE(X86_FEATURE_AVX2, NULL), ++ X86_MATCH_FEATURE(X86_FEATURE_AVX, NULL), ++ X86_MATCH_FEATURE(X86_FEATURE_SSSE3, NULL), ++ {} ++}; ++MODULE_DEVICE_TABLE(x86cpu, module_cpu_ids); ++ + static int _sha256_update(struct shash_desc *desc, const u8 *data, + unsigned int len, sha256_block_fn *sha256_xform) + { +@@ -366,6 +375,9 @@ static inline void unregister_sha256_ni( + + static int __init sha256_ssse3_mod_init(void) + { ++ if (!x86_match_cpu(module_cpu_ids)) ++ return -ENODEV; ++ + if (register_sha256_ssse3()) + goto fail; + diff --git a/queue-6.1/drivers-perf-check-find_first_bit-return-value.patch b/queue-6.1/drivers-perf-check-find_first_bit-return-value.patch new file mode 100644 index 00000000000..f4526e72cbb --- /dev/null +++ b/queue-6.1/drivers-perf-check-find_first_bit-return-value.patch @@ -0,0 +1,67 @@ +From c6e316ac05532febb0c966fa9b55f5258ed037be Mon Sep 17 00:00:00 2001 +From: Alexandre Ghiti +Date: Thu, 9 Nov 2023 09:21:28 +0100 +Subject: drivers: perf: Check find_first_bit() return value + +From: Alexandre Ghiti + +commit c6e316ac05532febb0c966fa9b55f5258ed037be upstream. + +We must check the return value of find_first_bit() before using the +return value as an index array since it happens to overflow the array +and then panic: + +[ 107.318430] Kernel BUG [#1] +[ 107.319434] CPU: 3 PID: 1238 Comm: kill Tainted: G E 6.6.0-rc6ubuntu-defconfig #2 +[ 107.319465] Hardware name: riscv-virtio,qemu (DT) +[ 107.319551] epc : pmu_sbi_ovf_handler+0x3a4/0x3ae +[ 107.319840] ra : pmu_sbi_ovf_handler+0x52/0x3ae +[ 107.319868] epc : ffffffff80a0a77c ra : ffffffff80a0a42a sp : ffffaf83fecda350 +[ 107.319884] gp : ffffffff823961a8 tp : ffffaf8083db1dc0 t0 : ffffaf83fecda480 +[ 107.319899] t1 : ffffffff80cafe62 t2 : 000000000000ff00 s0 : ffffaf83fecda520 +[ 107.319921] s1 : ffffaf83fecda380 a0 : 00000018fca29df0 a1 : ffffffffffffffff +[ 107.319936] a2 : 0000000001073734 a3 : 0000000000000004 a4 : 0000000000000000 +[ 107.319951] a5 : 0000000000000040 a6 : 000000001d1c8774 a7 : 0000000000504d55 +[ 107.319965] s2 : ffffffff82451f10 s3 : ffffffff82724e70 s4 : 000000000000003f +[ 107.319980] s5 : 0000000000000011 s6 : ffffaf8083db27c0 s7 : 0000000000000000 +[ 107.319995] s8 : 0000000000000001 s9 : 00007fffb45d6558 s10: 00007fffb45d81a0 +[ 107.320009] s11: ffffaf7ffff60000 t3 : 0000000000000004 t4 : 0000000000000000 +[ 107.320023] t5 : ffffaf7f80000000 t6 : ffffaf8000000000 +[ 107.320037] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003 +[ 107.320081] [] pmu_sbi_ovf_handler+0x3a4/0x3ae +[ 107.320112] [] handle_percpu_devid_irq+0x9e/0x1a0 +[ 107.320131] [] generic_handle_domain_irq+0x28/0x36 +[ 107.320148] [] riscv_intc_irq+0x36/0x4e +[ 107.320166] [] handle_riscv_irq+0x54/0x86 +[ 107.320189] [] do_irq+0x64/0x96 +[ 107.320271] Code: 85a6 855e b097 ff7f 80e7 9220 b709 9002 4501 bbd9 (9002) 6097 +[ 107.320585] ---[ end trace 0000000000000000 ]--- +[ 107.320704] Kernel panic - not syncing: Fatal exception in interrupt +[ 107.320775] SMP: stopping secondary CPUs +[ 107.321219] Kernel Offset: 0x0 from 0xffffffff80000000 +[ 107.333051] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- + +Fixes: 4905ec2fb7e6 ("RISC-V: Add sscofpmf extension support") +Signed-off-by: Alexandre Ghiti +Link: https://lore.kernel.org/r/20231109082128.40777-1-alexghiti@rivosinc.com +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + drivers/perf/riscv_pmu_sbi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/perf/riscv_pmu_sbi.c ++++ b/drivers/perf/riscv_pmu_sbi.c +@@ -578,6 +578,11 @@ static irqreturn_t pmu_sbi_ovf_handler(i + + /* Firmware counter don't support overflow yet */ + fidx = find_first_bit(cpu_hw_evt->used_hw_ctrs, RISCV_MAX_COUNTERS); ++ if (fidx == RISCV_MAX_COUNTERS) { ++ csr_clear(CSR_SIP, BIT(riscv_pmu_irq_num)); ++ return IRQ_NONE; ++ } ++ + event = cpu_hw_evt->events[fidx]; + if (!event) { + csr_clear(CSR_SIP, SIP_LCOFIP); diff --git a/queue-6.1/i915-perf-fix-null-deref-bugs-with-drm_dbg-calls.patch b/queue-6.1/i915-perf-fix-null-deref-bugs-with-drm_dbg-calls.patch new file mode 100644 index 00000000000..b1ff6a67c3c --- /dev/null +++ b/queue-6.1/i915-perf-fix-null-deref-bugs-with-drm_dbg-calls.patch @@ -0,0 +1,71 @@ +From 471aa951bf1206d3c10d0daa67005b8e4db4ff83 Mon Sep 17 00:00:00 2001 +From: Harshit Mogalapalli +Date: Fri, 27 Oct 2023 10:28:22 -0700 +Subject: i915/perf: Fix NULL deref bugs with drm_dbg() calls + +From: Harshit Mogalapalli + +commit 471aa951bf1206d3c10d0daa67005b8e4db4ff83 upstream. + +When i915 perf interface is not available dereferencing it will lead to +NULL dereferences. + +As returning -ENOTSUPP is pretty clear return when perf interface is not +available. + +Fixes: 2fec539112e8 ("i915/perf: Replace DRM_DEBUG with driver specific drm_dbg call") +Suggested-by: Tvrtko Ursulin +Signed-off-by: Harshit Mogalapalli +Reviewed-by: Tvrtko Ursulin +Cc: # v6.0+ +Signed-off-by: Tvrtko Ursulin +Link: https://patchwork.freedesktop.org/patch/msgid/20231027172822.2753059-1-harshit.m.mogalapalli@oracle.com +[tursulin: added stable tag] +(cherry picked from commit 36f27350ff745bd228ab04d7845dfbffc177a889) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/i915_perf.c | 15 +++------------ + 1 file changed, 3 insertions(+), 12 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_perf.c ++++ b/drivers/gpu/drm/i915/i915_perf.c +@@ -3809,11 +3809,8 @@ int i915_perf_open_ioctl(struct drm_devi + u32 known_open_flags; + int ret; + +- if (!perf->i915) { +- drm_dbg(&perf->i915->drm, +- "i915 perf interface not available for this system\n"); ++ if (!perf->i915) + return -ENOTSUPP; +- } + + known_open_flags = I915_PERF_FLAG_FD_CLOEXEC | + I915_PERF_FLAG_FD_NONBLOCK | +@@ -4140,11 +4137,8 @@ int i915_perf_add_config_ioctl(struct dr + struct i915_oa_reg *regs; + int err, id; + +- if (!perf->i915) { +- drm_dbg(&perf->i915->drm, +- "i915 perf interface not available for this system\n"); ++ if (!perf->i915) + return -ENOTSUPP; +- } + + if (!perf->metrics_kobj) { + drm_dbg(&perf->i915->drm, +@@ -4306,11 +4300,8 @@ int i915_perf_remove_config_ioctl(struct + struct i915_oa_config *oa_config; + int ret; + +- if (!perf->i915) { +- drm_dbg(&perf->i915->drm, +- "i915 perf interface not available for this system\n"); ++ if (!perf->i915) + return -ENOTSUPP; +- } + + if (i915_perf_stream_paranoid && !perfmon_capable()) { + drm_dbg(&perf->i915->drm, diff --git a/queue-6.1/kvm-x86-clear-bit12-of-icr-after-apic-write-vm-exit.patch b/queue-6.1/kvm-x86-clear-bit12-of-icr-after-apic-write-vm-exit.patch new file mode 100644 index 00000000000..79ab24a4cad --- /dev/null +++ b/queue-6.1/kvm-x86-clear-bit12-of-icr-after-apic-write-vm-exit.patch @@ -0,0 +1,85 @@ +From 629d3698f6958ee6f8131ea324af794f973b12ac Mon Sep 17 00:00:00 2001 +From: Tao Su +Date: Thu, 14 Sep 2023 13:55:04 +0800 +Subject: KVM: x86: Clear bit12 of ICR after APIC-write VM-exit + +From: Tao Su + +commit 629d3698f6958ee6f8131ea324af794f973b12ac upstream. + +When IPI virtualization is enabled, a WARN is triggered if bit12 of ICR +MSR is set after APIC-write VM-exit. The reason is kvm_apic_send_ipi() +thinks the APIC_ICR_BUSY bit should be cleared because KVM has no delay, +but kvm_apic_write_nodecode() doesn't clear the APIC_ICR_BUSY bit. + +Under the x2APIC section, regarding ICR, the SDM says: + + It remains readable only to aid in debugging; however, software should + not assume the value returned by reading the ICR is the last written + value. + +I.e. the guest is allowed to set bit 12. However, the SDM also gives KVM +free reign to do whatever it wants with the bit, so long as KVM's behavior +doesn't confuse userspace or break KVM's ABI. + +Clear bit 12 so that it reads back as '0'. This approach is safer than +"do nothing" and is consistent with the case where IPI virtualization is +disabled or not supported, i.e., + + handle_fastpath_set_x2apic_icr_irqoff() -> kvm_x2apic_icr_write() + +Opportunistically replace the TODO with a comment calling out that eating +the write is likely faster than a conditional branch around the busy bit. + +Link: https://lore.kernel.org/all/ZPj6iF0Q7iynn62p@google.com/ +Fixes: 5413bcba7ed5 ("KVM: x86: Add support for vICR APIC-write VM-Exits in x2APIC mode") +Cc: stable@vger.kernel.org +Signed-off-by: Tao Su +Tested-by: Yi Lai +Reviewed-by: Chao Gao +Link: https://lore.kernel.org/r/20230914055504.151365-1-tao1.su@linux.intel.com +[sean: tweak changelog, replace TODO with comment, drop local "val"] +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/lapic.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -2294,22 +2294,22 @@ EXPORT_SYMBOL_GPL(kvm_lapic_set_eoi); + void kvm_apic_write_nodecode(struct kvm_vcpu *vcpu, u32 offset) + { + struct kvm_lapic *apic = vcpu->arch.apic; +- u64 val; + + /* +- * ICR is a single 64-bit register when x2APIC is enabled. For legacy +- * xAPIC, ICR writes need to go down the common (slightly slower) path +- * to get the upper half from ICR2. ++ * ICR is a single 64-bit register when x2APIC is enabled, all others ++ * registers hold 32-bit values. For legacy xAPIC, ICR writes need to ++ * go down the common path to get the upper half from ICR2. ++ * ++ * Note, using the write helpers may incur an unnecessary write to the ++ * virtual APIC state, but KVM needs to conditionally modify the value ++ * in certain cases, e.g. to clear the ICR busy bit. The cost of extra ++ * conditional branches is likely a wash relative to the cost of the ++ * maybe-unecessary write, and both are in the noise anyways. + */ +- if (apic_x2apic_mode(apic) && offset == APIC_ICR) { +- val = kvm_lapic_get_reg64(apic, APIC_ICR); +- kvm_apic_send_ipi(apic, (u32)val, (u32)(val >> 32)); +- trace_kvm_apic_write(APIC_ICR, val); +- } else { +- /* TODO: optimize to just emulate side effect w/o one more write */ +- val = kvm_lapic_get_reg(apic, offset); +- kvm_lapic_reg_write(apic, offset, (u32)val); +- } ++ if (apic_x2apic_mode(apic) && offset == APIC_ICR) ++ kvm_x2apic_icr_write(apic, kvm_lapic_get_reg64(apic, APIC_ICR)); ++ else ++ kvm_lapic_reg_write(apic, offset, kvm_lapic_get_reg(apic, offset)); + } + EXPORT_SYMBOL_GPL(kvm_apic_write_nodecode); + diff --git a/queue-6.1/kvm-x86-hyper-v-don-t-auto-enable-stimer-on-write-from-user-space.patch b/queue-6.1/kvm-x86-hyper-v-don-t-auto-enable-stimer-on-write-from-user-space.patch new file mode 100644 index 00000000000..a36da667122 --- /dev/null +++ b/queue-6.1/kvm-x86-hyper-v-don-t-auto-enable-stimer-on-write-from-user-space.patch @@ -0,0 +1,51 @@ +From d6800af51c76b6dae20e6023bbdc9b3da3ab5121 Mon Sep 17 00:00:00 2001 +From: Nicolas Saenz Julienne +Date: Tue, 17 Oct 2023 15:51:02 +0000 +Subject: KVM: x86: hyper-v: Don't auto-enable stimer on write from user-space + +From: Nicolas Saenz Julienne + +commit d6800af51c76b6dae20e6023bbdc9b3da3ab5121 upstream. + +Don't apply the stimer's counter side effects when modifying its +value from user-space, as this may trigger spurious interrupts. + +For example: + - The stimer is configured in auto-enable mode. + - The stimer's count is set and the timer enabled. + - The stimer expires, an interrupt is injected. + - The VM is live migrated. + - The stimer config and count are deserialized, auto-enable is ON, the + stimer is re-enabled. + - The stimer expires right away, and injects an unwarranted interrupt. + +Cc: stable@vger.kernel.org +Fixes: 1f4b34f825e8 ("kvm/x86: Hyper-V SynIC timers") +Signed-off-by: Nicolas Saenz Julienne +Reviewed-by: Vitaly Kuznetsov +Link: https://lore.kernel.org/r/20231017155101.40677-1-nsaenz@amazon.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/hyperv.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -705,10 +705,12 @@ static int stimer_set_count(struct kvm_v + + stimer_cleanup(stimer); + stimer->count = count; +- if (stimer->count == 0) +- stimer->config.enable = 0; +- else if (stimer->config.auto_enable) +- stimer->config.enable = 1; ++ if (!host) { ++ if (stimer->count == 0) ++ stimer->config.enable = 0; ++ else if (stimer->config.auto_enable) ++ stimer->config.enable = 1; ++ } + + if (stimer->config.enable) + stimer_mark_pending(stimer, false); diff --git a/queue-6.1/kvm-x86-ignore-msr_amd64_tw_cfg-access.patch b/queue-6.1/kvm-x86-ignore-msr_amd64_tw_cfg-access.patch new file mode 100644 index 00000000000..80ccbb64491 --- /dev/null +++ b/queue-6.1/kvm-x86-ignore-msr_amd64_tw_cfg-access.patch @@ -0,0 +1,78 @@ +From 2770d4722036d6bd24bcb78e9cd7f6e572077d03 Mon Sep 17 00:00:00 2001 +From: "Maciej S. Szmigiero" +Date: Thu, 19 Oct 2023 18:06:57 +0200 +Subject: KVM: x86: Ignore MSR_AMD64_TW_CFG access + +From: Maciej S. Szmigiero + +commit 2770d4722036d6bd24bcb78e9cd7f6e572077d03 upstream. + +Hyper-V enabled Windows Server 2022 KVM VM cannot be started on Zen1 Ryzen +since it crashes at boot with SYSTEM_THREAD_EXCEPTION_NOT_HANDLED + +STATUS_PRIVILEGED_INSTRUCTION (in other words, because of an unexpected #GP +in the guest kernel). + +This is because Windows tries to set bit 8 in MSR_AMD64_TW_CFG and can't +handle receiving a #GP when doing so. + +Give this MSR the same treatment that commit 2e32b7190641 +("x86, kvm: Add MSR_AMD64_BU_CFG2 to the list of ignored MSRs") gave +MSR_AMD64_BU_CFG2 under justification that this MSR is baremetal-relevant +only. +Although apparently it was then needed for Linux guests, not Windows as in +this case. + +With this change, the aforementioned guest setup is able to finish booting +successfully. + +This issue can be reproduced either on a Summit Ridge Ryzen (with +just "-cpu host") or on a Naples EPYC (with "-cpu host,stepping=1" since +EPYC is ordinarily stepping 2). + +Alternatively, userspace could solve the problem by using MSR filters, but +forcing every userspace to define a filter isn't very friendly and doesn't +add much, if any, value. The only potential hiccup is if one of these +"baremetal-only" MSRs ever requires actual emulation and/or has F/M/S +specific behavior. But if that happens, then KVM can still punt *that* +handling to userspace since userspace MSR filters "win" over KVM's default +handling. + +Signed-off-by: Maciej S. Szmigiero +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/1ce85d9c7c9e9632393816cf19c902e0a3f411f1.1697731406.git.maciej.szmigiero@oracle.com +[sean: call out MSR filtering alternative] +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/msr-index.h | 1 + + arch/x86/kvm/x86.c | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -551,6 +551,7 @@ + #define MSR_AMD64_CPUID_FN_1 0xc0011004 + #define MSR_AMD64_LS_CFG 0xc0011020 + #define MSR_AMD64_DC_CFG 0xc0011022 ++#define MSR_AMD64_TW_CFG 0xc0011023 + + #define MSR_AMD64_DE_CFG 0xc0011029 + #define MSR_AMD64_DE_CFG_LFENCE_SERIALIZE_BIT 1 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3582,6 +3582,7 @@ int kvm_set_msr_common(struct kvm_vcpu * + case MSR_AMD64_PATCH_LOADER: + case MSR_AMD64_BU_CFG2: + case MSR_AMD64_DC_CFG: ++ case MSR_AMD64_TW_CFG: + case MSR_F15H_EX_CFG: + break; + +@@ -3982,6 +3983,7 @@ int kvm_get_msr_common(struct kvm_vcpu * + case MSR_AMD64_BU_CFG2: + case MSR_IA32_PERF_CTL: + case MSR_AMD64_DC_CFG: ++ case MSR_AMD64_TW_CFG: + case MSR_F15H_EX_CFG: + /* + * Intel Sandy Bridge CPUs must support the RAPL (running average power diff --git a/queue-6.1/media-venus-hfi-add-checks-to-perform-sanity-on-queue-pointers.patch b/queue-6.1/media-venus-hfi-add-checks-to-perform-sanity-on-queue-pointers.patch new file mode 100644 index 00000000000..aa19a07d535 --- /dev/null +++ b/queue-6.1/media-venus-hfi-add-checks-to-perform-sanity-on-queue-pointers.patch @@ -0,0 +1,50 @@ +From 5e538fce33589da6d7cb2de1445b84d3a8a692f7 Mon Sep 17 00:00:00 2001 +From: Vikash Garodia +Date: Thu, 10 Aug 2023 07:55:01 +0530 +Subject: media: venus: hfi: add checks to perform sanity on queue pointers + +From: Vikash Garodia + +commit 5e538fce33589da6d7cb2de1445b84d3a8a692f7 upstream. + +Read and write pointers are used to track the packet index in the memory +shared between video driver and firmware. There is a possibility of OOB +access if the read or write pointer goes beyond the queue memory size. +Add checks for the read and write pointer to avoid OOB access. + +Cc: stable@vger.kernel.org +Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files") +Signed-off-by: Vikash Garodia +Signed-off-by: Stanimir Varbanov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_venus.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/media/platform/qcom/venus/hfi_venus.c ++++ b/drivers/media/platform/qcom/venus/hfi_venus.c +@@ -205,6 +205,11 @@ static int venus_write_queue(struct venu + + new_wr_idx = wr_idx + dwords; + wr_ptr = (u32 *)(queue->qmem.kva + (wr_idx << 2)); ++ ++ if (wr_ptr < (u32 *)queue->qmem.kva || ++ wr_ptr > (u32 *)(queue->qmem.kva + queue->qmem.size - sizeof(*wr_ptr))) ++ return -EINVAL; ++ + if (new_wr_idx < qsize) { + memcpy(wr_ptr, packet, dwords << 2); + } else { +@@ -272,6 +277,11 @@ static int venus_read_queue(struct venus + } + + rd_ptr = (u32 *)(queue->qmem.kva + (rd_idx << 2)); ++ ++ if (rd_ptr < (u32 *)queue->qmem.kva || ++ rd_ptr > (u32 *)(queue->qmem.kva + queue->qmem.size - sizeof(*rd_ptr))) ++ return -EINVAL; ++ + dwords = *rd_ptr >> 2; + if (!dwords) + return -EINVAL; diff --git a/queue-6.1/perf-intel-pt-fix-async-branch-flags.patch b/queue-6.1/perf-intel-pt-fix-async-branch-flags.patch new file mode 100644 index 00000000000..b9811c4d432 --- /dev/null +++ b/queue-6.1/perf-intel-pt-fix-async-branch-flags.patch @@ -0,0 +1,37 @@ +From f2d87895cbc4af80649850dcf5da36de6b2ed3dd Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Thu, 28 Sep 2023 10:29:53 +0300 +Subject: perf intel-pt: Fix async branch flags + +From: Adrian Hunter + +commit f2d87895cbc4af80649850dcf5da36de6b2ed3dd upstream. + +Ensure PERF_IP_FLAG_ASYNC is set always for asynchronous branches (i.e. +interrupts etc). + +Fixes: 90e457f7be08 ("perf tools: Add Intel PT support") +Cc: stable@vger.kernel.org +Signed-off-by: Adrian Hunter +Acked-by: Namhyung Kim +Link: https://lore.kernel.org/r/20230928072953.19369-1-adrian.hunter@intel.com +Signed-off-by: Namhyung Kim +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/intel-pt.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/tools/perf/util/intel-pt.c ++++ b/tools/perf/util/intel-pt.c +@@ -1483,9 +1483,11 @@ static void intel_pt_sample_flags(struct + } else if (ptq->state->flags & INTEL_PT_ASYNC) { + if (!ptq->state->to_ip) + ptq->flags = PERF_IP_FLAG_BRANCH | ++ PERF_IP_FLAG_ASYNC | + PERF_IP_FLAG_TRACE_END; + else if (ptq->state->from_nr && !ptq->state->to_nr) + ptq->flags = PERF_IP_FLAG_BRANCH | PERF_IP_FLAG_CALL | ++ PERF_IP_FLAG_ASYNC | + PERF_IP_FLAG_VMEXIT; + else + ptq->flags = PERF_IP_FLAG_BRANCH | PERF_IP_FLAG_CALL | diff --git a/queue-6.1/powerpc-perf-fix-disabling-bhrb-and-instruction-sampling.patch b/queue-6.1/powerpc-perf-fix-disabling-bhrb-and-instruction-sampling.patch new file mode 100644 index 00000000000..1b25c58bfcb --- /dev/null +++ b/queue-6.1/powerpc-perf-fix-disabling-bhrb-and-instruction-sampling.patch @@ -0,0 +1,44 @@ +From ea142e590aec55ba40c5affb4d49e68c713c63dc Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Thu, 19 Oct 2023 01:34:23 +1000 +Subject: powerpc/perf: Fix disabling BHRB and instruction sampling + +From: Nicholas Piggin + +commit ea142e590aec55ba40c5affb4d49e68c713c63dc upstream. + +When the PMU is disabled, MMCRA is not updated to disable BHRB and +instruction sampling. This can lead to those features remaining enabled, +which can slow down a real or emulated CPU. + +Fixes: 1cade527f6e9 ("powerpc/perf: BHRB control to disable BHRB logic when not used") +Cc: stable@vger.kernel.org # v5.9+ +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231018153423.298373-1-npiggin@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/perf/core-book3s.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -1371,8 +1371,7 @@ static void power_pmu_disable(struct pmu + /* + * Disable instruction sampling if it was enabled + */ +- if (cpuhw->mmcr.mmcra & MMCRA_SAMPLE_ENABLE) +- val &= ~MMCRA_SAMPLE_ENABLE; ++ val &= ~MMCRA_SAMPLE_ENABLE; + + /* Disable BHRB via mmcra (BHRBRD) for p10 */ + if (ppmu->flags & PPMU_ARCH_31) +@@ -1383,7 +1382,7 @@ static void power_pmu_disable(struct pmu + * instruction sampling or BHRB. + */ + if (val != mmcra) { +- mtspr(SPRN_MMCRA, mmcra); ++ mtspr(SPRN_MMCRA, val); + mb(); + isync(); + } diff --git a/queue-6.1/randstruct-fix-gcc-plugin-performance-mode-to-stay-in-group.patch b/queue-6.1/randstruct-fix-gcc-plugin-performance-mode-to-stay-in-group.patch new file mode 100644 index 00000000000..7e158c6254e --- /dev/null +++ b/queue-6.1/randstruct-fix-gcc-plugin-performance-mode-to-stay-in-group.patch @@ -0,0 +1,59 @@ +From 381fdb73d1e2a48244de7260550e453d1003bb8e Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 6 Oct 2023 21:09:28 -0700 +Subject: randstruct: Fix gcc-plugin performance mode to stay in group + +From: Kees Cook + +commit 381fdb73d1e2a48244de7260550e453d1003bb8e upstream. + +The performance mode of the gcc-plugin randstruct was shuffling struct +members outside of the cache-line groups. Limit the range to the +specified group indexes. + +Cc: linux-hardening@vger.kernel.org +Cc: stable@vger.kernel.org +Reported-by: Lukas Loidolt +Closes: https://lore.kernel.org/all/f3ca77f0-e414-4065-83a5-ae4c4d25545d@student.tuwien.ac.at +Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin") +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman +--- + scripts/gcc-plugins/randomize_layout_plugin.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/scripts/gcc-plugins/randomize_layout_plugin.c ++++ b/scripts/gcc-plugins/randomize_layout_plugin.c +@@ -191,12 +191,14 @@ static void partition_struct(tree *field + + static void performance_shuffle(tree *newtree, unsigned long length, ranctx *prng_state) + { +- unsigned long i, x; ++ unsigned long i, x, index; + struct partition_group size_group[length]; + unsigned long num_groups = 0; + unsigned long randnum; + + partition_struct(newtree, length, (struct partition_group *)&size_group, &num_groups); ++ ++ /* FIXME: this group shuffle is currently a no-op. */ + for (i = num_groups - 1; i > 0; i--) { + struct partition_group tmp; + randnum = ranval(prng_state) % (i + 1); +@@ -206,11 +208,14 @@ static void performance_shuffle(tree *ne + } + + for (x = 0; x < num_groups; x++) { +- for (i = size_group[x].start + size_group[x].length - 1; i > size_group[x].start; i--) { ++ for (index = size_group[x].length - 1; index > 0; index--) { + tree tmp; ++ ++ i = size_group[x].start + index; + if (DECL_BIT_FIELD_TYPE(newtree[i])) + continue; +- randnum = ranval(prng_state) % (i + 1); ++ randnum = ranval(prng_state) % (index + 1); ++ randnum += size_group[x].start; + // we could handle this case differently if desired + if (DECL_BIT_FIELD_TYPE(newtree[randnum])) + continue; diff --git a/queue-6.1/scsi-megaraid_sas-increase-register-read-retry-rount-from-3-to-30-for-selected-registers.patch b/queue-6.1/scsi-megaraid_sas-increase-register-read-retry-rount-from-3-to-30-for-selected-registers.patch new file mode 100644 index 00000000000..db34d7b569b --- /dev/null +++ b/queue-6.1/scsi-megaraid_sas-increase-register-read-retry-rount-from-3-to-30-for-selected-registers.patch @@ -0,0 +1,47 @@ +From 8e3ed9e786511ad800c33605ed904b9de49323cf Mon Sep 17 00:00:00 2001 +From: Chandrakanth patil +Date: Tue, 3 Oct 2023 16:30:18 +0530 +Subject: scsi: megaraid_sas: Increase register read retry rount from 3 to 30 for selected registers + +From: Chandrakanth patil + +commit 8e3ed9e786511ad800c33605ed904b9de49323cf upstream. + +In BMC environments with concurrent access to multiple registers, certain +registers occasionally yield a value of 0 even after 3 retries due to +hardware errata. As a fix, we have extended the retry count from 3 to 30. + +The same errata applies to the mpt3sas driver, and a similar patch has +been accepted. Please find more details in the mpt3sas patch reference +link. + +Link: https://lore.kernel.org/r/20230829090020.5417-2-ranjan.kumar@broadcom.com +Fixes: 272652fcbf1a ("scsi: megaraid_sas: add retry logic in megasas_readl") +Cc: stable@vger.kernel.org +Signed-off-by: Chandrakanth patil +Signed-off-by: Sumit Saxena +Link: https://lore.kernel.org/r/20231003110021.168862-2-chandrakanth.patil@broadcom.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -263,13 +263,13 @@ u32 megasas_readl(struct megasas_instanc + * Fusion registers could intermittently return all zeroes. + * This behavior is transient in nature and subsequent reads will + * return valid value. As a workaround in driver, retry readl for +- * upto three times until a non-zero value is read. ++ * up to thirty times until a non-zero value is read. + */ + if (instance->adapter_type == AERO_SERIES) { + do { + ret_val = readl(addr); + i++; +- } while (ret_val == 0 && i < 3); ++ } while (ret_val == 0 && i < 30); + return ret_val; + } else { + return readl(addr); diff --git a/queue-6.1/scsi-mpt3sas-fix-loop-logic.patch b/queue-6.1/scsi-mpt3sas-fix-loop-logic.patch new file mode 100644 index 00000000000..fa58906513d --- /dev/null +++ b/queue-6.1/scsi-mpt3sas-fix-loop-logic.patch @@ -0,0 +1,35 @@ +From 3c978492c333f0c08248a8d51cecbe5eb5f617c9 Mon Sep 17 00:00:00 2001 +From: Ranjan Kumar +Date: Fri, 20 Oct 2023 16:28:49 +0530 +Subject: scsi: mpt3sas: Fix loop logic + +From: Ranjan Kumar + +commit 3c978492c333f0c08248a8d51cecbe5eb5f617c9 upstream. + +The retry loop continues to iterate until the count reaches 30, even after +receiving the correct value. Exit loop when a non-zero value is read. + +Fixes: 4ca10f3e3174 ("scsi: mpt3sas: Perform additional retries if doorbell read returns 0") +Cc: stable@vger.kernel.org +Signed-off-by: Ranjan Kumar +Link: https://lore.kernel.org/r/20231020105849.6350-1-ranjan.kumar@broadcom.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpt3sas/mpt3sas_base.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/mpt3sas/mpt3sas_base.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c +@@ -224,8 +224,8 @@ _base_readl_ext_retry(const volatile voi + + for (i = 0 ; i < 30 ; i++) { + ret_val = readl(addr); +- if (ret_val == 0) +- continue; ++ if (ret_val != 0) ++ break; + } + + return ret_val; diff --git a/queue-6.1/scsi-qla2xxx-fix-system-crash-due-to-bad-pointer-access.patch b/queue-6.1/scsi-qla2xxx-fix-system-crash-due-to-bad-pointer-access.patch new file mode 100644 index 00000000000..2aa4047288e --- /dev/null +++ b/queue-6.1/scsi-qla2xxx-fix-system-crash-due-to-bad-pointer-access.patch @@ -0,0 +1,72 @@ +From 19597cad64d608aa8ac2f8aef50a50187a565223 Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Mon, 30 Oct 2023 12:19:12 +0530 +Subject: scsi: qla2xxx: Fix system crash due to bad pointer access + +From: Quinn Tran + +commit 19597cad64d608aa8ac2f8aef50a50187a565223 upstream. + +User experiences system crash when running AER error injection. The +perturbation causes the abort-all-I/O path to trigger. The driver assumes +all I/O on this path is FCP only. If there is both NVMe & FCP traffic, a +system crash happens. Add additional check to see if I/O is FCP or not +before access. + +PID: 999019 TASK: ff35d769f24722c0 CPU: 53 COMMAND: "kworker/53:1" + 0 [ff3f78b964847b58] machine_kexec at ffffffffae86973d + 1 [ff3f78b964847ba8] __crash_kexec at ffffffffae9be29d + 2 [ff3f78b964847c70] crash_kexec at ffffffffae9bf528 + 3 [ff3f78b964847c78] oops_end at ffffffffae8282ab + 4 [ff3f78b964847c98] exc_page_fault at ffffffffaf2da502 + 5 [ff3f78b964847cc0] asm_exc_page_fault at ffffffffaf400b62 + [exception RIP: qla2x00_abort_srb+444] + RIP: ffffffffc07b5f8c RSP: ff3f78b964847d78 RFLAGS: 00010046 + RAX: 0000000000000282 RBX: ff35d74a0195a200 RCX: ff35d76886fd03a0 + RDX: 0000000000000001 RSI: ffffffffc07c5ec8 RDI: ff35d74a0195a200 + RBP: ff35d76913d22080 R8: ff35d7694d103200 R9: ff35d7694d103200 + R10: 0000000100000000 R11: ffffffffb05d6630 R12: 0000000000010000 + R13: ff3f78b964847df8 R14: ff35d768d8754000 R15: ff35d768877248e0 + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + 6 [ff3f78b964847d70] qla2x00_abort_srb at ffffffffc07b5f84 [qla2xxx] + 7 [ff3f78b964847de0] __qla2x00_abort_all_cmds at ffffffffc07b6238 [qla2xxx] + 8 [ff3f78b964847e38] qla2x00_abort_all_cmds at ffffffffc07ba635 [qla2xxx] + 9 [ff3f78b964847e58] qla2x00_terminate_rport_io at ffffffffc08145eb [qla2xxx] +10 [ff3f78b964847e70] fc_terminate_rport_io at ffffffffc045987e [scsi_transport_fc] +11 [ff3f78b964847e88] process_one_work at ffffffffae914f15 +12 [ff3f78b964847ed0] worker_thread at ffffffffae9154c0 +13 [ff3f78b964847f10] kthread at ffffffffae91c456 +14 [ff3f78b964847f50] ret_from_fork at ffffffffae8036ef + +Cc: stable@vger.kernel.org +Fixes: f45bca8c5052 ("scsi: qla2xxx: Fix double scsi_done for abort path") +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20231030064912.37912-1-njavali@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_os.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -1831,8 +1831,16 @@ static void qla2x00_abort_srb(struct qla + } + + spin_lock_irqsave(qp->qp_lock_ptr, *flags); +- if (ret_cmd && blk_mq_request_started(scsi_cmd_to_rq(cmd))) +- sp->done(sp, res); ++ switch (sp->type) { ++ case SRB_SCSI_CMD: ++ if (ret_cmd && blk_mq_request_started(scsi_cmd_to_rq(cmd))) ++ sp->done(sp, res); ++ break; ++ default: ++ if (ret_cmd) ++ sp->done(sp, res); ++ break; ++ } + } else { + sp->done(sp, res); + } diff --git a/queue-6.1/series b/queue-6.1/series index 04381093f7a..73274026796 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -158,3 +158,19 @@ tools-power-turbostat-fix-a-knl-bug.patch tools-power-turbostat-enable-the-c-state-pre-wake-pr.patch cifs-spnego-add-in-host_key_len.patch cifs-fix-check-of-rc-in-function-generate_smb3signin.patch +i915-perf-fix-null-deref-bugs-with-drm_dbg-calls.patch +drivers-perf-check-find_first_bit-return-value.patch +media-venus-hfi-add-checks-to-perform-sanity-on-queue-pointers.patch +perf-intel-pt-fix-async-branch-flags.patch +powerpc-perf-fix-disabling-bhrb-and-instruction-sampling.patch +randstruct-fix-gcc-plugin-performance-mode-to-stay-in-group.patch +bpf-fix-check_stack_write_fixed_off-to-correctly-spill-imm.patch +bpf-fix-precision-tracking-for-bpf_alu-bpf_to_be-bpf_end.patch +scsi-mpt3sas-fix-loop-logic.patch +scsi-megaraid_sas-increase-register-read-retry-rount-from-3-to-30-for-selected-registers.patch +scsi-qla2xxx-fix-system-crash-due-to-bad-pointer-access.patch +crypto-x86-sha-load-modules-based-on-cpu-features.patch +x86-cpu-hygon-fix-the-cpu-topology-evaluation-for-real.patch +kvm-x86-hyper-v-don-t-auto-enable-stimer-on-write-from-user-space.patch +kvm-x86-ignore-msr_amd64_tw_cfg-access.patch +kvm-x86-clear-bit12-of-icr-after-apic-write-vm-exit.patch diff --git a/queue-6.1/x86-cpu-hygon-fix-the-cpu-topology-evaluation-for-real.patch b/queue-6.1/x86-cpu-hygon-fix-the-cpu-topology-evaluation-for-real.patch new file mode 100644 index 00000000000..a09b66a2b60 --- /dev/null +++ b/queue-6.1/x86-cpu-hygon-fix-the-cpu-topology-evaluation-for-real.patch @@ -0,0 +1,42 @@ +From ee545b94d39a00c93dc98b1dbcbcf731d2eadeb4 Mon Sep 17 00:00:00 2001 +From: Pu Wen +Date: Mon, 14 Aug 2023 10:18:26 +0200 +Subject: x86/cpu/hygon: Fix the CPU topology evaluation for real + +From: Pu Wen + +commit ee545b94d39a00c93dc98b1dbcbcf731d2eadeb4 upstream. + +Hygon processors with a model ID > 3 have CPUID leaf 0xB correctly +populated and don't need the fixed package ID shift workaround. The fixup +is also incorrect when running in a guest. + +Fixes: e0ceeae708ce ("x86/CPU/hygon: Fix phys_proc_id calculation logic for multi-die processors") +Signed-off-by: Pu Wen +Signed-off-by: Thomas Gleixner +Acked-by: Peter Zijlstra (Intel) +Cc: +Link: https://lore.kernel.org/r/tencent_594804A808BD93A4EBF50A994F228E3A7F07@qq.com +Link: https://lore.kernel.org/r/20230814085112.089607918@linutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/hygon.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/cpu/hygon.c ++++ b/arch/x86/kernel/cpu/hygon.c +@@ -86,8 +86,12 @@ static void hygon_get_topology(struct cp + if (!err) + c->x86_coreid_bits = get_count_order(c->x86_max_cores); + +- /* Socket ID is ApicId[6] for these processors. */ +- c->phys_proc_id = c->apicid >> APICID_SOCKET_ID_BIT; ++ /* ++ * Socket ID is ApicId[6] for the processors with model <= 0x3 ++ * when running on host. ++ */ ++ if (!boot_cpu_has(X86_FEATURE_HYPERVISOR) && c->x86_model <= 0x3) ++ c->phys_proc_id = c->apicid >> APICID_SOCKET_ID_BIT; + + cacheinfo_hygon_init_llc_id(c, cpu); + } else if (cpu_has(c, X86_FEATURE_NODEID_MSR)) {