From: Greg Kroah-Hartman Date: Thu, 17 Apr 2025 14:30:18 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.12.24~33 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=352b4921d5af40206b433eacfe475a8e1a26f970;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: acpi-platform-profile-fix-cfi-violation-when-accessing-sysfs-files.patch iommufd-fail-replace-if-device-has-not-been-attached.patch x86-paravirt-move-halt-paravirt-calls-under-config_paravirt.patch
---
diff --git a/queue-6.6/acpi-platform-profile-fix-cfi-violation-when-accessing-sysfs-files.patch b/queue-6.6/acpi-platform-profile-fix-cfi-violation-when-accessing-sysfs-files.patch
new file mode 100644
index 0000000000..cfe32b10b7
--- /dev/null
+++ b/queue-6.6/acpi-platform-profile-fix-cfi-violation-when-accessing-sysfs-files.patch
@@ -0,0 +1,105 @@
+From dd4f730b557ce701a2cd4f604bf1e57667bd8b6e Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Mon, 10 Feb 2025 21:28:25 -0500
+Subject: ACPI: platform-profile: Fix CFI violation when accessing sysfs files
+
+From: Nathan Chancellor
+
+commit dd4f730b557ce701a2cd4f604bf1e57667bd8b6e upstream.
+
+When an attribute group is created with sysfs_create_group(), the
+->sysfs_ops() callback is set to kobj_sysfs_ops, which sets the ->show()
+and ->store() callbacks to kobj_attr_show() and kobj_attr_store()
+respectively. These functions use container_of() to get the respective
+callback from the passed attribute, meaning that these callbacks need to
+be of the same type as the callbacks in 'struct kobj_attribute'.
+
+However, ->show() and ->store() in the platform_profile driver are
+defined for struct device_attribute with the help of DEVICE_ATTR_RO()
+and DEVICE_ATTR_RW(), which results in a CFI violation when accessing
+platform_profile or platform_profile_choices under /sys/firmware/acpi
+because the types do not match:
+
+ CFI failure at kobj_attr_show+0x19/0x30 (target: platform_profile_choices_show+0x0/0x140; expected type: 0x7a69590c)
+
+There is no functional issue from the type mismatch because the layout
+of 'struct kobj_attribute' and 'struct device_attribute' are the same,
+so the container_of() cast does not break anything aside from CFI.
+
+Change the type of platform_profile_choices_show() and
+platform_profile_{show,store}() to match the callbacks in
+'struct kobj_attribute' and update the attribute variables to
+match, which resolves the CFI violation.
+
+Cc: All applicable
+Fixes: a2ff95e018f1 ("ACPI: platform: Add platform profile support")
+Reported-by: John Rowley
+Closes: https://github.com/ClangBuiltLinux/linux/issues/2047
+Tested-by: John Rowley
+Reviewed-by: Sami Tolvanen
+Signed-off-by: Nathan Chancellor
+Acked-by: Greg Kroah-Hartman
+Reviewed-by: Mark Pearson
+Tested-by: Mark Pearson
+Link: https://patch.msgid.link/20250210-acpi-platform_profile-fix-cfi-violation-v3-1-ed9e9901c33a@kernel.org
+[ rjw: Changelog edits ]
+Signed-off-by: Rafael J. Wysocki
+[nathan: Fix conflicts in older stable branches]
+Signed-off-by: Nathan Chancellor
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/platform_profile.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/acpi/platform_profile.c
++++ b/drivers/acpi/platform_profile.c
+@@ -22,8 +22,8 @@ static const char * const profile_names[
+ };
+ static_assert(ARRAY_SIZE(profile_names) == PLATFORM_PROFILE_LAST);
+
+-static ssize_t platform_profile_choices_show(struct device *dev,
+- struct device_attribute *attr,
++static ssize_t platform_profile_choices_show(struct kobject *kobj,
++ struct kobj_attribute *attr,
+ char *buf)
+ {
+ int len = 0;
+@@ -49,8 +49,8 @@ static ssize_t platform_profile_choices_
+ return len;
+ }
+
+-static ssize_t platform_profile_show(struct device *dev,
+- struct device_attribute *attr,
++static ssize_t platform_profile_show(struct kobject *kobj,
++ struct kobj_attribute *attr,
+ char *buf)
+ {
+ enum platform_profile_option profile = PLATFORM_PROFILE_BALANCED;
+@@ -77,8 +77,8 @@ static ssize_t platform_profile_show(str
+ return sysfs_emit(buf, "%s\n", profile_names[profile]);
+ }
+
+-static ssize_t platform_profile_store(struct device *dev,
+- struct device_attribute *attr,
++static ssize_t platform_profile_store(struct kobject *kobj,
++ struct kobj_attribute *attr,
+ const char *buf, size_t count)
+ {
+ int err, i;
+@@ -115,12 +115,12 @@ static ssize_t platform_profile_store(st
+ return count;
+ }
+
+-static DEVICE_ATTR_RO(platform_profile_choices);
+-static DEVICE_ATTR_RW(platform_profile);
++static struct kobj_attribute attr_platform_profile_choices = __ATTR_RO(platform_profile_choices);
++static struct kobj_attribute attr_platform_profile = __ATTR_RW(platform_profile);
+
+ static struct attribute *platform_profile_attrs[] = {
+- &dev_attr_platform_profile_choices.attr,
+- &dev_attr_platform_profile.attr,
++ &attr_platform_profile_choices.attr,
++ &attr_platform_profile.attr,
+ NULL
+ };
+
diff --git a/queue-6.6/iommufd-fail-replace-if-device-has-not-been-attached.patch b/queue-6.6/iommufd-fail-replace-if-device-has-not-been-attached.patch
new file mode 100644
index 0000000000..a04cdf3f96
--- /dev/null
+++ b/queue-6.6/iommufd-fail-replace-if-device-has-not-been-attached.patch
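Review bot: The two attribute definitions at the end of the platform_profile.c changes (`attr_platform_profile_choices` and `attr_platform_profile`) have no comment saying why they are `struct kobj_attribute` rather than the usual `DEVICE_ATTR_*` macros, so a later cleanup could quietly reintroduce the mismatched callback type. On a CFI-enforcing build that mismatch is not cosmetic: the trace quoted in the description shows the sysfs access being stopped in kobj_attr_show(). I would add above them `/* kobj_attribute, not DEVICE_ATTR_*: these files are dispatched through kobj_sysfs_ops, so the callback prototypes must match for CFI */`. The three callbacks' bodies start and end outside the visible hunks.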
@@ -0,0 +1,69 @@
+From 55c85fa7579dc2e3f5399ef5bad67a44257c1a48 Mon Sep 17 00:00:00 2001
+From: Yi Liu
+Date: Wed, 5 Mar 2025 19:48:42 -0800
+Subject: iommufd: Fail replace if device has not been attached
+
+From: Yi Liu
+
+commit 55c85fa7579dc2e3f5399ef5bad67a44257c1a48 upstream.
+
+The current implementation of iommufd_device_do_replace() implicitly
+assumes that the input device has already been attached. However, there
+is no explicit check to verify this assumption. If another device within
+the same group has been attached, the replace operation might succeed,
+but the input device itself may not have been attached yet.
+
+As a result, the input device might not be tracked in the
+igroup->device_list, and its reserved IOVA might not be added. Despite
+this, the caller might incorrectly assume that the device has been
+successfully replaced, which could lead to unexpected behavior or errors.
+
+To address this issue, add a check to ensure that the input device has
+been attached before proceeding with the replace operation. This check
+will help maintain the integrity of the device tracking system and prevent
+potential issues arising from incorrect assumptions about the device's
+attachment status.
+
+Fixes: e88d4ec154a8 ("iommufd: Add iommufd_device_replace()")
+Link: https://patch.msgid.link/r/20250306034842.5950-1-yi.l.liu@intel.com
+Cc: stable@vger.kernel.org
+Reviewed-by: Kevin Tian
+Signed-off-by: Yi Liu
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/iommufd/device.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/iommu/iommufd/device.c
++++ b/drivers/iommu/iommufd/device.c
+@@ -407,6 +407,17 @@ iommufd_device_do_attach(struct iommufd_
+ return NULL;
+ }
+
++/* Check if idev is attached to igroup->hwpt */
++static bool iommufd_device_is_attached(struct iommufd_device *idev)
++{
++ struct iommufd_device *cur;
++
++ list_for_each_entry(cur, &idev->igroup->device_list, group_item)
++ if (cur == idev)
++ return true;
++ return false;
++}
++
+ static struct iommufd_hw_pagetable *
+ iommufd_device_do_replace(struct iommufd_device *idev,
+ struct iommufd_hw_pagetable *hwpt)
+@@ -423,6 +434,11 @@ iommufd_device_do_replace(struct iommufd
+ rc = -EINVAL;
+ goto err_unlock;
+ }
++
++ if (!iommufd_device_is_attached(idev)) {
++ rc = -EINVAL;
++ goto err_unlock;
++ }
+
+ if (hwpt == igroup->hwpt) {
+ mutex_unlock(&idev->igroup->lock);
diff --git a/queue-6.6/series b/queue-6.6/series
index f134e2c349..816fcea0ee 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -231,3 +231,6 @@ pinctrl-qcom-clear-latched-interrupt-status-when-changing-irq-type.patch
 selftests-mptcp-close-fd_in-before-returning-in-main_loop.patch
 selftests-mptcp-fix-incorrect-fd-checks-in-main_loop.patch
 arm64-errata-add-newer-arm-cores-to-the-spectre_bhb_loop_affected-lists.patch
+x86-paravirt-move-halt-paravirt-calls-under-config_paravirt.patch
+acpi-platform-profile-fix-cfi-violation-when-accessing-sysfs-files.patch
+iommufd-fail-replace-if-device-has-not-been-attached.patch
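Review bot: The new helper iommufd_device_is_attached() in the iommufd patch walks `idev->igroup->device_list` without stating or asserting the locking it depends on. Its only caller here reaches it on a path that leaves through `goto err_unlock`, so the group lock appears to be held, but the `mutex_lock()` is outside the hunk and a future caller would get no warning. Adding `lockdep_assert_held(&idev->igroup->lock);` as the first statement of the helper would document and enforce that requirement. The helper's comment could also say that the test is list membership, since the body never looks at `igroup->hwpt`.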
diff --git a/queue-6.6/x86-paravirt-move-halt-paravirt-calls-under-config_paravirt.patch b/queue-6.6/x86-paravirt-move-halt-paravirt-calls-under-config_paravirt.patch
new file mode 100644
index 0000000000..73d2ac4792
--- /dev/null
+++ b/queue-6.6/x86-paravirt-move-halt-paravirt-calls-under-config_paravirt.patch
@@ -0,0 +1,196 @@
+From 22cc5ca5de52bbfc36a7d4a55323f91fb4492264 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov"
+Date: Fri, 28 Feb 2025 01:44:14 +0000
+Subject: x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT
+
+From: Kirill A. Shutemov
+
+commit 22cc5ca5de52bbfc36a7d4a55323f91fb4492264 upstream.
+
+CONFIG_PARAVIRT_XXL is mainly defined/used by XEN PV guests. For
+other VM guest types, features supported under CONFIG_PARAVIRT
+are self sufficient. CONFIG_PARAVIRT mainly provides support for
+TLB flush operations and time related operations.
+
+For TDX guest as well, paravirt calls under CONFIG_PARVIRT meets
+most of its requirement except the need of HLT and SAFE_HLT
+paravirt calls, which is currently defined under
+CONFIG_PARAVIRT_XXL.
+
+Since enabling CONFIG_PARAVIRT_XXL is too bloated for TDX guest
+like platforms, move HLT and SAFE_HLT paravirt calls under
+CONFIG_PARAVIRT.
+
+Moving HLT and SAFE_HLT paravirt calls are not fatal and should not
+break any functionality for current users of CONFIG_PARAVIRT.
+
+Fixes: bfe6ed0c6727 ("x86/tdx: Add HLT support for TDX guests")
+Co-developed-by: Kuppuswamy Sathyanarayanan
+Signed-off-by: Kuppuswamy Sathyanarayanan
+Signed-off-by: Kirill A. Shutemov
+Signed-off-by: Vishal Annapurve
+Signed-off-by: Ingo Molnar
+Reviewed-by: Andi Kleen
+Reviewed-by: Tony Luck
+Reviewed-by: Juergen Gross
+Tested-by: Ryan Afranji
+Cc: Andy Lutomirski
+Cc: Brian Gerst
+Cc: H. Peter Anvin
+Cc: Linus Torvalds
+Cc: Josh Poimboeuf
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/20250228014416.3925664-2-vannapurve@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/irqflags.h | 40 ++++++++++++++++++----------------
+ arch/x86/include/asm/paravirt.h | 20 ++++++++---------
+ arch/x86/include/asm/paravirt_types.h | 3 --
+ arch/x86/kernel/paravirt.c | 14 ++++++-----
+ 4 files changed, 41 insertions(+), 36 deletions(-)
+
+--- a/arch/x86/include/asm/irqflags.h
++++ b/arch/x86/include/asm/irqflags.h
+@@ -56,6 +56,28 @@ static __always_inline void native_halt(
+
+ #endif
+
++#ifndef CONFIG_PARAVIRT
++#ifndef __ASSEMBLY__
++/*
++ * Used in the idle loop; sti takes one instruction cycle
++ * to complete:
++ */
++static __always_inline void arch_safe_halt(void)
++{
++ native_safe_halt();
++}
++
++/*
++ * Used when interrupts are already enabled or to
++ * shutdown the processor:
++ */
++static __always_inline void halt(void)
++{
++ native_halt();
++}
++#endif /* __ASSEMBLY__ */
++#endif /* CONFIG_PARAVIRT */
++
+ #ifdef CONFIG_PARAVIRT_XXL
+ #include
+ #else
+@@ -78,24 +100,6 @@ static __always_inline void arch_local_i
+ }
+
+ /*
+- * Used in the idle loop; sti takes one instruction cycle
+- * to complete:
+- */
+-static __always_inline void arch_safe_halt(void)
+-{
+- native_safe_halt();
+-}
+-
+-/*
+- * Used when interrupts are already enabled or to
+- * shutdown the processor:
+- */
+-static __always_inline void halt(void)
+-{
+- native_halt();
+-}
+-
+-/*
+ * For spinlocks, etc:
+ */
+ static __always_inline unsigned long arch_local_irq_save(void)
+--- a/arch/x86/include/asm/paravirt.h
++++ b/arch/x86/include/asm/paravirt.h
+@@ -103,6 +103,16 @@ static inline void notify_page_enc_statu
+ PVOP_VCALL3(mmu.notify_page_enc_status_changed, pfn, npages, enc);
+ }
+
++static __always_inline void arch_safe_halt(void)
++{
++ PVOP_VCALL0(irq.safe_halt);
++}
++
++static inline void halt(void)
++{
++ PVOP_VCALL0(irq.halt);
++}
++
+ #ifdef CONFIG_PARAVIRT_XXL
+ static inline void load_sp0(unsigned long sp0)
+ {
+@@ -168,16 +178,6 @@ static inline void __write_cr4(unsigned
+ PVOP_VCALL1(cpu.write_cr4, x);
+ }
+
+-static __always_inline void arch_safe_halt(void)
+-{
+- PVOP_VCALL0(irq.safe_halt);
+-}
+-
+-static inline void halt(void)
+-{
+- PVOP_VCALL0(irq.halt);
+-}
+-
+ extern noinstr void pv_native_wbinvd(void);
+
+ static __always_inline void wbinvd(void)
+--- a/arch/x86/include/asm/paravirt_types.h
++++ b/arch/x86/include/asm/paravirt_types.h
+@@ -130,10 +130,9 @@ struct pv_irq_ops {
+ struct paravirt_callee_save save_fl;
+ struct paravirt_callee_save irq_disable;
+ struct paravirt_callee_save irq_enable;
+-
++#endif
+ void (*safe_halt)(void);
+ void (*halt)(void);
+-#endif
+ } __no_randomize_layout;
+
+ struct pv_mmu_ops {
+--- a/arch/x86/kernel/paravirt.c
++++ b/arch/x86/kernel/paravirt.c
+@@ -142,6 +142,11 @@ int paravirt_disable_iospace(void)
+ return request_resource(&ioport_resource, &reserve_ioports);
+ }
+
++static noinstr void pv_native_safe_halt(void)
++{
++ native_safe_halt();
++}
++
+ #ifdef CONFIG_PARAVIRT_XXL
+ static noinstr void pv_native_write_cr2(unsigned long val)
+ {
+@@ -162,11 +167,6 @@ noinstr void pv_native_wbinvd(void)
+ {
+ native_wbinvd();
+ }
+-
+-static noinstr void pv_native_safe_halt(void)
+-{
+- native_safe_halt();
+-}
+ #endif
+
+ struct pv_info pv_info = {
+@@ -224,9 +224,11 @@ struct paravirt_patch_template pv_ops =
+ .irq.save_fl = __PV_IS_CALLEE_SAVE(pv_native_save_fl),
+ .irq.irq_disable = __PV_IS_CALLEE_SAVE(pv_native_irq_disable),
+ .irq.irq_enable = __PV_IS_CALLEE_SAVE(pv_native_irq_enable),
++#endif /* CONFIG_PARAVIRT_XXL */
++
++ /* Irq HLT ops. */
+ .irq.safe_halt = pv_native_safe_halt,
+ .irq.halt = native_halt,
+-#endif /* CONFIG_PARAVIRT_XXL */
+
+ /* Mmu ops. */
+ .mmu.flush_tlb_user = native_flush_tlb_local,
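Review bot: In the paravirt.h part of this patch the relocated `halt()` stays `static inline`, while `arch_safe_halt()` beside it and both native versions in irqflags.h are `static __always_inline`. After the move, kernels built with CONFIG_PARAVIRT but without CONFIG_PARAVIRT_XXL switch from the always-inlined native `halt()` to this one, so the compiler is now free to emit it out of line where it previously was not. Unless that is intended, `static __always_inline void halt(void)` would keep the two helpers consistent. The surrounding paravirt.h definitions continue outside the hunk.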