From: Greg Kroah-Hartman Date: Sat, 14 Jan 2023 10:01:50 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.14.303~75 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=611e17b0dba65acfd201b7b74d3ed01793160418;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: docs-fix-the-docs-build-with-sphinx-6.0.patch efi-tpm-avoid-read_once-for-accessing-the-event-log.patch kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch s390-kexec-fix-ipl-report-address-for-kdump.patch s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch --- diff --git a/queue-5.4/docs-fix-the-docs-build-with-sphinx-6.0.patch b/queue-5.4/docs-fix-the-docs-build-with-sphinx-6.0.patch new file mode 100644 index 00000000000..923ca1ed57f --- /dev/null +++ b/queue-5.4/docs-fix-the-docs-build-with-sphinx-6.0.patch 
@@ -0,0 +1,49 @@ +From 0283189e8f3d0917e2ac399688df85211f48447b Mon Sep 17 00:00:00 2001 +From: Jonathan Corbet +Date: Wed, 4 Jan 2023 10:47:39 -0700 +Subject: docs: Fix the docs build with Sphinx 6.0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Corbet + +commit 0283189e8f3d0917e2ac399688df85211f48447b upstream. + +Sphinx 6.0 removed the execfile_() function, which we use as part of the +configuration process. They *did* warn us... Just open-code the +functionality as is done in Sphinx itself. + +Tested (using SPHINX_CONF, since this code is only executed with an +alternative config file) on various Sphinx versions from 2.5 through 6.0. + +Reported-by: Martin Liška +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Corbet +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/sphinx/load_config.py | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/Documentation/sphinx/load_config.py ++++ b/Documentation/sphinx/load_config.py +@@ -3,7 +3,7 @@ + + import os + import sys +-from sphinx.util.pycompat import execfile_ ++from sphinx.util.osutil import fs_encoding + + # ------------------------------------------------------------------------------ + def loadConfig(namespace): +@@ -48,7 +48,9 @@ def loadConfig(namespace): + sys.stdout.write("load additional sphinx-config: %s\n" % config_file) + config = namespace.copy() + config['__file__'] = config_file +- execfile_(config_file, config) ++ with open(config_file, 'rb') as f: ++ code = compile(f.read(), fs_encoding, 'exec') ++ exec(code, config) + del config['__file__'] + namespace.update(config) + else: diff --git a/queue-5.4/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch b/queue-5.4/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch new file mode 100644 index 00000000000..48f04e9414d --- /dev/null +++ b/queue-5.4/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch 
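Review bot: The second positional argument of `compile()` in the new `loadConfig` lines is the source filename, but the hunk passes `fs_encoding` (an encoding name), so a SyntaxError or traceback raised while executing the extra config file will be attributed to a file named after the encoding rather than to the config file. As far as I recall Sphinx's removed execfile_() passed the path there; `code = compile(f.read(), config_file, 'exec')` keeps the same execution with correct diagnostics, and the `fs_encoding` import then becomes unused unless it is needed elsewhere in the file. Executing the alternative config file is unchanged in kind from the removed `execfile_` call, so the trust placed in that file is the same as before. `loadConfig` begins and ends outside the hunk.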
@@ -0,0 +1,51 @@ +From d3f450533bbcb6dd4d7d59cadc9b61b7321e4ac1 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Mon, 9 Jan 2023 10:44:31 +0100 +Subject: efi: tpm: Avoid READ_ONCE() for accessing the event log + +From: Ard Biesheuvel + +commit d3f450533bbcb6dd4d7d59cadc9b61b7321e4ac1 upstream. + +Nathan reports that recent kernels built with LTO will crash when doing +EFI boot using Fedora's GRUB and SHIM. The culprit turns out to be a +misaligned load from the TPM event log, which is annotated with +READ_ONCE(), and under LTO, this gets translated into a LDAR instruction +which does not tolerate misaligned accesses. + +Interestingly, this does not happen when booting the same kernel +straight from the UEFI shell, and so the fact that the event log may +appear misaligned in memory may be caused by a bug in GRUB or SHIM. + +However, using READ_ONCE() to access firmware tables is slightly unusual +in any case, and here, we only need to ensure that 'event' is not +dereferenced again after it gets unmapped, but this is already taken +care of by the implicit barrier() semantics of the early_memunmap() +call. + +Cc: +Cc: Peter Jones +Cc: Jarkko Sakkinen +Cc: Matthew Garrett +Reported-by: Nathan Chancellor +Tested-by: Nathan Chancellor +Link: https://github.com/ClangBuiltLinux/linux/issues/1782 +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/tpm_eventlog.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/tpm_eventlog.h ++++ b/include/linux/tpm_eventlog.h +@@ -198,8 +198,8 @@ static __always_inline int __calc_tpm2_e + * The loop below will unmap these fields if the log is larger than + * one page, so save them here for reference: + */ +- count = READ_ONCE(event->count); +- event_type = READ_ONCE(event->event_type); ++ count = event->count; ++ event_type = event->event_type; + + /* Verify that it's the log header */ + if (event_header->pcr_idx != 0 || 
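Review bot: After dropping READ_ONCE(), the plain loads of `event->count` and `event->event_type` rely on the barrier() implied by the later early_memunmap() to avoid being re-read after the unmap, but the comment above them still only says the fields are saved for reference. A note such as `/* Plain loads: the firmware log may be misaligned, and early_memunmap() below acts as a barrier() so these are not re-read after the unmap */` would keep that reasoning next to the code rather than only in the commit message. The header validation that follows these lines is unchanged, and __calc_tpm2_event_size continues outside the hunk.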
diff --git a/queue-5.4/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch b/queue-5.4/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch new file mode 100644 index 00000000000..0cafc1578ed --- /dev/null +++ b/queue-5.4/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch 
@@ -0,0 +1,81 @@ +From 406504c7b0405d74d74c15a667cd4c4620c3e7a9 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 20 Dec 2022 14:03:52 +0000 +Subject: KVM: arm64: Fix S1PTW handling on RO memslots + +From: Marc Zyngier + +commit 406504c7b0405d74d74c15a667cd4c4620c3e7a9 upstream. + +A recent development on the EFI front has resulted in guests having +their page tables baked in the firmware binary, and mapped into the +IPA space as part of a read-only memslot. Not only is this legitimate, +but it also results in added security, so thumbs up. + +It is possible to take an S1PTW translation fault if the S1 PTs are +unmapped at stage-2. However, KVM unconditionally treats S1PTW as a +write to correctly handle hardware AF/DB updates to the S1 PTs. +Furthermore, KVM injects an exception into the guest for S1PTW writes. +In the aforementioned case this results in the guest taking an abort +it won't recover from, as the S1 PTs mapping the vectors suffer from +the same problem. + +So clearly our handling is... wrong. + +Instead, switch to a two-pronged approach: + +- On S1PTW translation fault, handle the fault as a read + +- On S1PTW permission fault, handle the fault as a write + +This is of no consequence to SW that *writes* to its PTs (the write +will trigger a non-S1PTW fault), and SW that uses RO PTs will not +use HW-assisted AF/DB anyway, as that'd be wrong. + +Only in the case described in c4ad98e4b72c ("KVM: arm64: Assume write +fault on S1PTW permission fault on instruction fetch") do we end-up +with two back-to-back faults (page being evicted and faulted back). +I don't think this is a case worth optimising for. 
+ +Fixes: c4ad98e4b72c ("KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch") +Reviewed-by: Oliver Upton +Reviewed-by: Ard Biesheuvel +Regression-tested-by: Ard Biesheuvel +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/kvm_emulate.h | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +--- a/arch/arm64/include/asm/kvm_emulate.h ++++ b/arch/arm64/include/asm/kvm_emulate.h +@@ -378,8 +378,26 @@ static inline int kvm_vcpu_sys_get_rt(st + + static inline bool kvm_is_write_fault(struct kvm_vcpu *vcpu) + { +- if (kvm_vcpu_abt_iss1tw(vcpu)) +- return true; ++ if (kvm_vcpu_abt_iss1tw(vcpu)) { ++ /* ++ * Only a permission fault on a S1PTW should be ++ * considered as a write. Otherwise, page tables baked ++ * in a read-only memslot will result in an exception ++ * being delivered in the guest. ++ * ++ * The drawback is that we end-up faulting twice if the ++ * guest is using any of HW AF/DB: a translation fault ++ * to map the page containing the PT (read only at ++ * first), then a permission fault to allow the flags ++ * to be set. ++ */ ++ switch (kvm_vcpu_trap_get_fault_type(vcpu)) { ++ case ESR_ELx_FSC_PERM: ++ return true; ++ default: ++ return false; ++ } ++ } + + if (kvm_vcpu_trap_is_iabt(vcpu)) + return false; diff --git a/queue-5.4/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch b/queue-5.4/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch new file mode 100644 index 00000000000..f48778511d1 --- /dev/null +++ b/queue-5.4/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch 
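Review bot: The new `switch` on kvm_vcpu_trap_get_fault_type() has a single case plus a default, so it is really a predicate; `return kvm_vcpu_trap_get_fault_type(vcpu) == ESR_ELx_FSC_PERM;` would express the same decision in one line under the same comment block. Keeping the switch does mirror the upstream commit, which makes later backports easier to compare, so this is a style preference rather than a defect. The rest of kvm_is_write_fault, including the instruction-abort check, continues outside the hunk.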
@@ -0,0 +1,104 @@ +From cf129830ee820f7fc90b98df193cd49d49344d09 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Tue, 10 Jan 2023 20:56:59 +0200 +Subject: perf auxtrace: Fix address filter duplicate symbol selection + +From: Adrian Hunter + +commit cf129830ee820f7fc90b98df193cd49d49344d09 upstream. + +When a match has been made to the nth duplicate symbol, return +success not error. + +Example: + + Before: + + $ cat file.c + cat: file.c: No such file or directory + $ cat file1.c + #include + + static void func(void) + { + printf("First func\n"); + } + + void other(void); + + int main() + { + func(); + other(); + return 0; + } + $ cat file2.c + #include + + static void func(void) + { + printf("Second func\n"); + } + + void other(void) + { + func(); + } + + $ gcc -Wall -Wextra -o test file1.c file2.c + $ perf record -e intel_pt//u --filter 'filter func @ ./test' -- ./test + Multiple symbols with name 'func' + #1 0x1149 l func + which is near main + #2 0x1179 l func + which is near other + Disambiguate symbol name by inserting #n after the name e.g. func #2 + Or select a global symbol by inserting #0 or #g or #G + Failed to parse address filter: 'filter func @ ./test' + Filter format is: filter|start|stop|tracestop [/ ] [@] + Where multiple filters are separated by space or comma. + $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test + Failed to parse address filter: 'filter func #2 @ ./test' + Filter format is: filter|start|stop|tracestop [/ ] [@] + Where multiple filters are separated by space or comma. 
+ + After: + + $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test + First func + Second func + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.016 MB perf.data ] + $ perf script --itrace=b -Ftime,flags,ip,sym,addr --ns + 1231062.526977619: tr strt 0 [unknown] => 558495708179 func + 1231062.526977619: tr end call 558495708188 func => 558495708050 _init + 1231062.526979286: tr strt 0 [unknown] => 55849570818d func + 1231062.526979286: tr end return 55849570818f func => 55849570819d other + +Fixes: 1b36c03e356936d6 ("perf record: Add support for using symbols in address filters") +Reported-by: Dmitrii Dolgov <9erthalion6@gmail.com> +Signed-off-by: Adrian Hunter +Tested-by: Dmitry Dolgov <9erthalion6@gmail.com> +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230110185659.15979-1-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/auxtrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/util/auxtrace.c ++++ b/tools/perf/util/auxtrace.c +@@ -1995,7 +1995,7 @@ static int find_dso_sym(struct dso *dso, + *size = sym->start - *start; + if (idx > 0) { + if (*size) +- return 1; ++ return 0; + } else if (dso_sym_match(sym, sym_name, &cnt, idx)) { + print_duplicate_syms(dso, sym_name); + return -EINVAL; diff --git a/queue-5.4/s390-kexec-fix-ipl-report-address-for-kdump.patch b/queue-5.4/s390-kexec-fix-ipl-report-address-for-kdump.patch new file mode 100644 index 00000000000..ae30475793a --- /dev/null +++ b/queue-5.4/s390-kexec-fix-ipl-report-address-for-kdump.patch 
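Review bot: The corrected `return 0;` is one of several bare return values in this loop and nothing at the site says that 0 here means the nth duplicate symbol was matched and sized, which is exactly what the previous `return 1` got wrong. A comment on the changed line, `/* nth duplicate matched and sized: success */`, would make that contract visible to the next reader. Whether the `*size == 0` case is meant to keep scanning cannot be judged from this hunk alone; find_dso_sym begins and ends outside it.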
@@ -0,0 +1,60 @@ +From c2337a40e04dde1692b5b0a46ecc59f89aaba8a1 Mon Sep 17 00:00:00 2001 +From: Alexander Egorenkov +Date: Mon, 14 Nov 2022 11:40:08 +0100 +Subject: s390/kexec: fix ipl report address for kdump + +From: Alexander Egorenkov + +commit c2337a40e04dde1692b5b0a46ecc59f89aaba8a1 upstream. + +This commit addresses the following erroneous situation with file-based +kdump executed on a system with a valid IPL report. + +On s390, a kdump kernel, its initrd and IPL report if present are loaded +into a special and reserved on boot memory region - crashkernel. When +a system crashes and kdump was activated before, the purgatory code +is entered first which swaps the crashkernel and [0 - crashkernel size] +memory regions. Only after that the kdump kernel is entered. For this +reason, the pointer to an IPL report in lowcore must point to the IPL report +after the swap and not to the address of the IPL report that was located in +crashkernel memory region before the swap. Failing to do so, makes the +kdump's decompressor try to read memory from the crashkernel memory region +which already contains the production's kernel memory. + +The situation described above caused spontaneous kdump failures/hangs +on systems where the Secure IPL is activated because on such systems +an IPL report is always present. In that case kdump's decompressor tried +to parse an IPL report which frequently lead to illegal memory accesses +because an IPL report contains addresses to various data. 
+ +Cc: +Fixes: 99feaa717e55 ("s390/kexec_file: Create ipl report and pass to next kernel") +Reviewed-by: Vasily Gorbik +Signed-off-by: Alexander Egorenkov +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/machine_kexec_file.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/s390/kernel/machine_kexec_file.c ++++ b/arch/s390/kernel/machine_kexec_file.c +@@ -185,8 +185,6 @@ static int kexec_file_add_ipl_report(str + + data->memsz = ALIGN(data->memsz, PAGE_SIZE); + buf.mem = data->memsz; +- if (image->type == KEXEC_TYPE_CRASH) +- buf.mem += crashk_res.start; + + ptr = (void *)ipl_cert_list_addr; + end = ptr + ipl_cert_list_size; +@@ -223,6 +221,9 @@ static int kexec_file_add_ipl_report(str + data->kernel_buf + offsetof(struct lowcore, ipl_parmblock_ptr); + *lc_ipl_parmblock_ptr = (__u32)buf.mem; + ++ if (image->type == KEXEC_TYPE_CRASH) ++ buf.mem += crashk_res.start; ++ + ret = kexec_add_buffer(&buf); + out: + return ret; diff --git a/queue-5.4/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch b/queue-5.4/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch new file mode 100644 index 00000000000..99c0ce2dd33 --- /dev/null +++ b/queue-5.4/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch 
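Review bot: The relocated `buf.mem += crashk_res.start` now deliberately runs after `*lc_ipl_parmblock_ptr = (__u32)buf.mem;`, but nothing in the code records that the lowcore pointer must hold the post-swap address while only the kexec buffer placement is offset into crashkernel memory, so a later cleanup could reorder the two statements again. A comment above the added `if`, e.g. `/* Offset only the buffer placement: lowcore must hold the post-swap address the kdump kernel will see */`, would pin the ordering. kexec_file_add_ipl_report() begins and ends outside the hunk, and the truncation of buf.mem to __u32 is pre-existing.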
@@ -0,0 +1,32 @@ +From e3f360db08d55a14112bd27454e616a24296a8b0 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Mon, 9 Jan 2023 11:51:20 +0100 +Subject: s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple() + +From: Heiko Carstens + +commit e3f360db08d55a14112bd27454e616a24296a8b0 upstream. + +Make sure that *ptr__ within arch_this_cpu_to_op_simple() is only +dereferenced once by using READ_ONCE(). Otherwise the compiler could +generate incorrect code. + +Cc: +Reviewed-by: Alexander Gordeev +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/percpu.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/include/asm/percpu.h ++++ b/arch/s390/include/asm/percpu.h +@@ -31,7 +31,7 @@ + pcp_op_T__ *ptr__; \ + preempt_disable_notrace(); \ + ptr__ = raw_cpu_ptr(&(pcp)); \ +- prev__ = *ptr__; \ ++ prev__ = READ_ONCE(*ptr__); \ + do { \ + old__ = prev__; \ + new__ = old__ op (val); \ diff --git a/queue-5.4/series b/queue-5.4/series index 303f23b8fcc..31de0b4b2eb 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -600,6 +600,12 @@ selftests-fix-kselftest-o-objdir-build-from-cluttering-top-level-objdir.patch selftests-set-the-build-variable-to-absolute-path.patch driver-core-fix-bus_type.match-error-handling-in-__driver_attach.patch net-sched-disallow-noqueue-for-qdisc-classes.patch +kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch +efi-tpm-avoid-read_once-for-accessing-the-event-log.patch +docs-fix-the-docs-build-with-sphinx-6.0.patch +perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch +s390-kexec-fix-ipl-report-address-for-kdump.patch +s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch alsa-pcm-move-rwsem-lock-inside-snd_ctl_elem_read-to-prevent-uaf.patch alsa-hda-hdmi-add-a-hp-device-0x8715-to-force-connect-list.patch
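Review bot: The READ_ONCE() added to the initial `prev__` load carries no comment explaining why a plain dereference was unsafe, and since the macro body continues outside the hunk it cannot be confirmed here whether any other dereference of `*ptr__` remains in the loop. A short comment placed before the line-continuation backslash, `/* load once; the loop below must not re-read *ptr__ */`, would record the intent stated in the commit message next to the code.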