From: Greg Kroah-Hartman Date: Mon, 31 Oct 2022 06:54:23 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.19.263~42 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7300b0823ec276891d76b636052930be49b2bb7d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: arc-mm-fix-leakage-of-memory-allocated-for-pte.patch kernfs-fix-use-after-free-in-__kernfs_remove.patch perf-auxtrace-fix-address-filter-symbol-name-match-for-modules.patch pinctrl-ingenic-jz4755-bug-fixes.patch s390-futex-add-missing-ex_table-entry-to-__futex_atomic_op.patch s390-pci-add-missing-ex_table-entries-to-__pcistg_mio_inuser-__pcilg_mio_inuser.patch
---
diff --git a/queue-5.15/arc-mm-fix-leakage-of-memory-allocated-for-pte.patch b/queue-5.15/arc-mm-fix-leakage-of-memory-allocated-for-pte.patch
new file mode 100644
index 00000000000..9372eff458d
--- /dev/null
+++ b/queue-5.15/arc-mm-fix-leakage-of-memory-allocated-for-pte.patch
@@ -0,0 +1,48 @@
+From 4fd9df10cb7a9289fbd22d669f9f98164d95a1ce Mon Sep 17 00:00:00 2001
+From: Pavel Kozlov
+Date: Mon, 17 Oct 2022 20:11:27 +0400
+Subject: ARC: mm: fix leakage of memory allocated for PTE
+
+From: Pavel Kozlov
+
+commit 4fd9df10cb7a9289fbd22d669f9f98164d95a1ce upstream.
+
+Since commit d9820ff ("ARC: mm: switch pgtable_t back to struct page *")
+a memory leakage problem occurs. Memory allocated for page table entries
+not released during process termination. This issue can be reproduced by
+a small program that allocates a large amount of memory. After several
+runs, you'll see that the amount of free memory has reduced and will
+continue to reduce after each run. All ARC CPUs are effected by this
+issue. The issue was introduced since the kernel stable release v5.15-rc1.
+
+As described in commit d9820ff after switch pgtable_t back to struct
+page *, a pointer to "struct page" and appropriate functions are used to
+allocate and free a memory page for PTEs, but the pmd_pgtable macro hasn't
+changed and returns the direct virtual address from the PMD (PGD) entry.
+Than this address used as a parameter in the __pte_free() and as a result
+this function couldn't release memory page allocated for PTEs.
+
+Fix this issue by changing the pmd_pgtable macro and returning pointer to
+struct page.
+
+Fixes: d9820ff76f95 ("ARC: mm: switch pgtable_t back to struct page *")
+Cc: Mike Rapoport
+Cc: # 5.15.x
+Signed-off-by: Pavel Kozlov
+Signed-off-by: Vineet Gupta
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arc/include/asm/pgtable-levels.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/include/asm/pgtable-levels.h
++++ b/arch/arc/include/asm/pgtable-levels.h
+@@ -163,7 +163,7 @@
+ #define pmd_page_vaddr(pmd) (pmd_val(pmd) & PAGE_MASK)
+ #define pmd_page(pmd) virt_to_page(pmd_page_vaddr(pmd))
+ #define set_pmd(pmdp, pmd) (*(pmdp) = pmd)
+-#define pmd_pgtable(pmd) ((pgtable_t) pmd_page_vaddr(pmd))
++#define pmd_pgtable(pmd) ((pgtable_t) pmd_page(pmd))
+
+ /*
+ * 4th level paging: pte
diff --git a/queue-5.15/kernfs-fix-use-after-free-in-__kernfs_remove.patch b/queue-5.15/kernfs-fix-use-after-free-in-__kernfs_remove.patch
new file mode 100644
index 00000000000..6061ec4b2c4
--- /dev/null
+++ b/queue-5.15/kernfs-fix-use-after-free-in-__kernfs_remove.patch
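Review bot: The `(pgtable_t)` cast kept on the new `pmd_pgtable()` line in arch/arc/include/asm/pgtable-levels.h is what allowed the old definition to compile while passing a virtual address where a page pointer was expected. `pmd_page()` expands to `virt_to_page(...)`, which presumably already yields `struct page *`, so if `pgtable_t` is `struct page *` as the commit message says, the cast can be dropped: `#define pmd_pgtable(pmd) pmd_page(pmd)`. Without the cast, a future type change on either side becomes a compiler diagnostic instead of a silent leak or a free of the wrong object.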
@@ -0,0 +1,197 @@
+From 4abc99652812a2ddf932f137515d5c5a04723538 Mon Sep 17 00:00:00 2001
+From: "Christian A. Ehrhardt"
+Date: Tue, 13 Sep 2022 14:17:23 +0200
+Subject: kernfs: fix use-after-free in __kernfs_remove
+
+From: Christian A. Ehrhardt
+
+commit 4abc99652812a2ddf932f137515d5c5a04723538 upstream.
+
+Syzkaller managed to trigger concurrent calls to
+kernfs_remove_by_name_ns() for the same file resulting in
+a KASAN detected use-after-free. The race occurs when the root
+node is freed during kernfs_drain().
+
+To prevent this acquire an additional reference for the root
+of the tree that is removed before calling __kernfs_remove().
+
+Found by syzkaller with the following reproducer (slab_nomerge is
+required):
+
+syz_mount_image$ext4(0x0, &(0x7f0000000100)='./file0\x00', 0x100000, 0x0, 0x0, 0x0, 0x0)
+r0 = openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/self/exe\x00', 0x0, 0x0)
+close(r0)
+pipe2(&(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}, 0x800)
+mount$9p_fd(0x0, &(0x7f0000000040)='./file0\x00', &(0x7f00000000c0), 0x408, &(0x7f0000000280)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}, 0x2c, {[{@cache_loose}, {@mmap}, {@loose}, {@loose}, {@mmap}], [{@mask={'mask', 0x3d, '^MAY_EXEC'}}, {@fsmagic={'fsmagic', 0x3d, 0x10001}}, {@dont_hash}]}})
+
+Sample report:
+
+==================================================================
+BUG: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:335 [inline]
+BUG: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]
+BUG: KASAN: use-after-free in __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369
+Read of size 2 at addr ffff8880088807f0 by task syz-executor.2/857
+
+CPU: 0 PID: 857 Comm: syz-executor.2 Not tainted 6.0.0-rc3-00363-g7726d4c3e60b #5
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x6e/0x91 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:317 [inline]
+ print_report.cold+0x5e/0x5e5 mm/kasan/report.c:433
+ kasan_report+0xa3/0x130 mm/kasan/report.c:495
+ kernfs_type include/linux/kernfs.h:335 [inline]
+ kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]
+ __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369
+ __kernfs_remove fs/kernfs/dir.c:1356 [inline]
+ kernfs_remove_by_name_ns+0x108/0x190 fs/kernfs/dir.c:1589
+ sysfs_slab_add+0x133/0x1e0 mm/slub.c:5943
+ __kmem_cache_create+0x3e0/0x550 mm/slub.c:4899
+ create_cache mm/slab_common.c:229 [inline]
+ kmem_cache_create_usercopy+0x167/0x2a0 mm/slab_common.c:335
+ p9_client_create+0xd4d/0x1190 net/9p/client.c:993
+ v9fs_session_init+0x1e6/0x13c0 fs/9p/v9fs.c:408
+ v9fs_mount+0xb9/0xbd0 fs/9p/vfs_super.c:126
+ legacy_get_tree+0xf1/0x200 fs/fs_context.c:610
+ vfs_get_tree+0x85/0x2e0 fs/super.c:1530
+ do_new_mount fs/namespace.c:3040 [inline]
+ path_mount+0x675/0x1d00 fs/namespace.c:3370
+ do_mount fs/namespace.c:3383 [inline]
+ __do_sys_mount fs/namespace.c:3591 [inline]
+ __se_sys_mount fs/namespace.c:3568 [inline]
+ __x64_sys_mount+0x282/0x300 fs/namespace.c:3568
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7f725f983aed
+Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f725f0f7028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
+RAX: ffffffffffffffda RBX: 00007f725faa3f80 RCX: 00007f725f983aed
+RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000000
+RBP: 00007f725f9f419c R08: 0000000020000280 R09: 0000000000000000
+R10: 0000000000000408 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000000006 R14: 00007f725faa3f80 R15: 00007f725f0d7000
+
+
+Allocated by task 855:
+ kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
+ kasan_set_track mm/kasan/common.c:45 [inline]
+ set_alloc_info mm/kasan/common.c:437 [inline]
+ __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:470
+ kasan_slab_alloc include/linux/kasan.h:224 [inline]
+ slab_post_alloc_hook mm/slab.h:727 [inline]
+ slab_alloc_node mm/slub.c:3243 [inline]
+ slab_alloc mm/slub.c:3251 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3258 [inline]
+ kmem_cache_alloc+0xbf/0x200 mm/slub.c:3268
+ kmem_cache_zalloc include/linux/slab.h:723 [inline]
+ __kernfs_new_node+0xd4/0x680 fs/kernfs/dir.c:593
+ kernfs_new_node fs/kernfs/dir.c:655 [inline]
+ kernfs_create_dir_ns+0x9c/0x220 fs/kernfs/dir.c:1010
+ sysfs_create_dir_ns+0x127/0x290 fs/sysfs/dir.c:59
+ create_dir lib/kobject.c:63 [inline]
+ kobject_add_internal+0x24a/0x8d0 lib/kobject.c:223
+ kobject_add_varg lib/kobject.c:358 [inline]
+ kobject_init_and_add+0x101/0x160 lib/kobject.c:441
+ sysfs_slab_add+0x156/0x1e0 mm/slub.c:5954
+ __kmem_cache_create+0x3e0/0x550 mm/slub.c:4899
+ create_cache mm/slab_common.c:229 [inline]
+ kmem_cache_create_usercopy+0x167/0x2a0 mm/slab_common.c:335
+ p9_client_create+0xd4d/0x1190 net/9p/client.c:993
+ v9fs_session_init+0x1e6/0x13c0 fs/9p/v9fs.c:408
+ v9fs_mount+0xb9/0xbd0 fs/9p/vfs_super.c:126
+ legacy_get_tree+0xf1/0x200 fs/fs_context.c:610
+ vfs_get_tree+0x85/0x2e0 fs/super.c:1530
+ do_new_mount fs/namespace.c:3040 [inline]
+ path_mount+0x675/0x1d00 fs/namespace.c:3370
+ do_mount fs/namespace.c:3383 [inline]
+ __do_sys_mount fs/namespace.c:3591 [inline]
+ __se_sys_mount fs/namespace.c:3568 [inline]
+ __x64_sys_mount+0x282/0x300 fs/namespace.c:3568
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Freed by task 857:
+ kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
+ kasan_set_track+0x21/0x30 mm/kasan/common.c:45
+ kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:370
+ ____kasan_slab_free mm/kasan/common.c:367 [inline]
+ ____kasan_slab_free mm/kasan/common.c:329 [inline]
+ __kasan_slab_free+0x108/0x190 mm/kasan/common.c:375
+ kasan_slab_free include/linux/kasan.h:200 [inline]
+ slab_free_hook mm/slub.c:1754 [inline]
+ slab_free_freelist_hook mm/slub.c:1780 [inline]
+ slab_free mm/slub.c:3534 [inline]
+ kmem_cache_free+0x9c/0x340 mm/slub.c:3551
+ kernfs_put.part.0+0x2b2/0x520 fs/kernfs/dir.c:547
+ kernfs_put+0x42/0x50 fs/kernfs/dir.c:521
+ __kernfs_remove.part.0+0x72d/0x960 fs/kernfs/dir.c:1407
+ __kernfs_remove fs/kernfs/dir.c:1356 [inline]
+ kernfs_remove_by_name_ns+0x108/0x190 fs/kernfs/dir.c:1589
+ sysfs_slab_add+0x133/0x1e0 mm/slub.c:5943
+ __kmem_cache_create+0x3e0/0x550 mm/slub.c:4899
+ create_cache mm/slab_common.c:229 [inline]
+ kmem_cache_create_usercopy+0x167/0x2a0 mm/slab_common.c:335
+ p9_client_create+0xd4d/0x1190 net/9p/client.c:993
+ v9fs_session_init+0x1e6/0x13c0 fs/9p/v9fs.c:408
+ v9fs_mount+0xb9/0xbd0 fs/9p/vfs_super.c:126
+ legacy_get_tree+0xf1/0x200 fs/fs_context.c:610
+ vfs_get_tree+0x85/0x2e0 fs/super.c:1530
+ do_new_mount fs/namespace.c:3040 [inline]
+ path_mount+0x675/0x1d00 fs/namespace.c:3370
+ do_mount fs/namespace.c:3383 [inline]
+ __do_sys_mount fs/namespace.c:3591 [inline]
+ __se_sys_mount fs/namespace.c:3568 [inline]
+ __x64_sys_mount+0x282/0x300 fs/namespace.c:3568
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+The buggy address belongs to the object at ffff888008880780
+ which belongs to the cache kernfs_node_cache of size 128
+The buggy address is located 112 bytes inside of
+ 128-byte region [ffff888008880780, ffff888008880800)
+
+The buggy address belongs to the physical page:
+page:00000000732833f8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8880
+flags: 0x100000000000200(slab|node=0|zone=1)
+raw: 0100000000000200 0000000000000000 dead000000000122 ffff888001147280
+raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888008880680: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
+ ffff888008880700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+>ffff888008880780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff888008880800: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
+ ffff888008880880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+==================================================================
+
+Acked-by: Tejun Heo
+Cc: stable # -rc3
+Signed-off-by: Christian A. Ehrhardt
+Link: https://lore.kernel.org/r/20220913121723.691454-1-lk@c--e.de
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/kernfs/dir.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/kernfs/dir.c
++++ b/fs/kernfs/dir.c
+@@ -1547,8 +1547,11 @@ int kernfs_remove_by_name_ns(struct kern
+ down_write(&kernfs_rwsem);
+
+ kn = kernfs_find_ns(parent, name, ns);
+- if (kn)
++ if (kn) {
++ kernfs_get(kn);
+ __kernfs_remove(kn);
++ kernfs_put(kn);
++ }
+
+ up_write(&kernfs_rwsem);
+
diff --git a/queue-5.15/perf-auxtrace-fix-address-filter-symbol-name-match-for-modules.patch b/queue-5.15/perf-auxtrace-fix-address-filter-symbol-name-match-for-modules.patch
new file mode 100644
index 00000000000..39ac988de9f
--- /dev/null
+++ b/queue-5.15/perf-auxtrace-fix-address-filter-symbol-name-match-for-modules.patch
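Review bot: The new `kernfs_get(kn)` / `kernfs_put(kn)` pair in `kernfs_remove_by_name_ns()` (fs/kernfs/dir.c) has no comment, and pinning a node that is about to be removed looks redundant to anyone who has not read the KASAN report. I would add above `kernfs_get(kn);` a line such as `/* Hold a reference: a concurrent removal of the same name can free kn during kernfs_drain() */`, which is the race the commit message describes. Other callers of `__kernfs_remove()` are not visible in this hunk, so it is worth confirming that each of them holds its own reference across the call. The function body starts and ends outside the hunk.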
@@ -0,0 +1,51 @@
+From cba04f3136b658583adb191556f99d087589c1cc Mon Sep 17 00:00:00 2001
+From: Adrian Hunter
+Date: Wed, 26 Oct 2022 10:27:36 +0300
+Subject: perf auxtrace: Fix address filter symbol name match for modules
+
+From: Adrian Hunter
+
+commit cba04f3136b658583adb191556f99d087589c1cc upstream.
+
+For modules, names from kallsyms__parse() contain the module name which
+meant that module symbols did not match exactly by name.
+
+Fix by matching the name string up to the separating tab character.
+
+Fixes: 1b36c03e356936d6 ("perf record: Add support for using symbols in address filters")
+Signed-off-by: Adrian Hunter
+Cc: Adrian Hunter
+Cc: Ian Rogers
+Cc: Jiri Olsa
+Cc: Namhyung Kim
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20221026072736.2982-1-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/perf/util/auxtrace.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/auxtrace.c
++++ b/tools/perf/util/auxtrace.c
+@@ -2260,11 +2260,19 @@ struct sym_args {
+ bool near;
+ };
+
++static bool kern_sym_name_match(const char *kname, const char *name)
++{
++ size_t n = strlen(name);
++
++ return !strcmp(kname, name) ||
++ (!strncmp(kname, name, n) && kname[n] == '\t');
++}
++
+ static bool kern_sym_match(struct sym_args *args, const char *name, char type)
+ {
+ /* A function with the same name, and global or the n'th found or any */
+ return kallsyms__is_function(type) &&
+- !strcmp(name, args->name) &&
++ kern_sym_name_match(name, args->name) &&
+ ((args->global && isupper(type)) ||
+ (args->selected && ++(args->cnt) == args->idx) ||
+ (!args->global && !args->selected));
diff --git a/queue-5.15/pinctrl-ingenic-jz4755-bug-fixes.patch b/queue-5.15/pinctrl-ingenic-jz4755-bug-fixes.patch
new file mode 100644
index 00000000000..ca3ccca7715
--- /dev/null
+++ b/queue-5.15/pinctrl-ingenic-jz4755-bug-fixes.patch
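Review bot: `kern_sym_name_match()` in tools/perf/util/auxtrace.c has no comment saying what the tab stands for, so the `kname[n] == '\t'` test reads as a magic character. A one-line comment such as `/* module symbols from kallsyms__parse() are the name, a tab, then the module name; compare only the part before the tab */` would record the format the commit message describes. The separate `strcmp()` is also avoidable, since `return !strncmp(kname, name, n) && (kname[n] == '\0' || kname[n] == '\t');` covers the exact and the module case in one comparison. The module part is ignored after this change, so the same symbol name in two modules stays ambiguous at this point; presumably the existing `idx`/`global` selection in `kern_sym_match()` is what resolves that.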
@@ -0,0 +1,49 @@
+From 17747577bbcb496e1b1c4096d64c2fc1e7bc0fef Mon Sep 17 00:00:00 2001
+From: Siarhei Volkau
+Date: Sun, 16 Oct 2022 18:35:48 +0300
+Subject: pinctrl: Ingenic: JZ4755 bug fixes
+
+From: Siarhei Volkau
+
+commit 17747577bbcb496e1b1c4096d64c2fc1e7bc0fef upstream.
+
+Fixes UART1 function bits and MMC groups typo.
+
+For pins 0x97,0x99 function 0 is designated to PWM3/PWM5
+respectively, function is 1 designated to the UART1.
+
+Diff from v1:
+ - sent separately
+ - added tag Fixes
+
+Cc: stable@vger.kernel.org
+Fixes: b582b5a434d3 ("pinctrl: Ingenic: Add pinctrl driver for JZ4755.")
+Tested-by: Siarhei Volkau
+Signed-off-by: Siarhei Volkau
+Link: https://lore.kernel.org/r/20221016153548.3024209-1-lis8215@gmail.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/pinctrl-ingenic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-ingenic.c
++++ b/drivers/pinctrl/pinctrl-ingenic.c
+@@ -643,7 +643,7 @@ static u8 jz4755_lcd_24bit_funcs[] = { 1
+ static const struct group_desc jz4755_groups[] = {
+ INGENIC_PIN_GROUP("uart0-data", jz4755_uart0_data, 0),
+ INGENIC_PIN_GROUP("uart0-hwflow", jz4755_uart0_hwflow, 0),
+- INGENIC_PIN_GROUP("uart1-data", jz4755_uart1_data, 0),
++ INGENIC_PIN_GROUP("uart1-data", jz4755_uart1_data, 1),
+ INGENIC_PIN_GROUP("uart2-data", jz4755_uart2_data, 1),
+ INGENIC_PIN_GROUP("ssi-dt-b", jz4755_ssi_dt_b, 0),
+ INGENIC_PIN_GROUP("ssi-dt-f", jz4755_ssi_dt_f, 0),
+@@ -697,7 +697,7 @@ static const char *jz4755_ssi_groups[] =
+ "ssi-ce1-b", "ssi-ce1-f",
+ };
+ static const char *jz4755_mmc0_groups[] = { "mmc0-1bit", "mmc0-4bit", };
+-static const char *jz4755_mmc1_groups[] = { "mmc0-1bit", "mmc0-4bit", };
++static const char *jz4755_mmc1_groups[] = { "mmc1-1bit", "mmc1-4bit", };
+ static const char *jz4755_i2c_groups[] = { "i2c-data", };
+ static const char *jz4755_cim_groups[] = { "cim-data", };
+ static const char *jz4755_lcd_groups[] = {
diff --git a/queue-5.15/s390-futex-add-missing-ex_table-entry-to-__futex_atomic_op.patch b/queue-5.15/s390-futex-add-missing-ex_table-entry-to-__futex_atomic_op.patch
new file mode 100644
index 00000000000..16f79a7b491
--- /dev/null
+++ b/queue-5.15/s390-futex-add-missing-ex_table-entry-to-__futex_atomic_op.patch
@@ -0,0 +1,34 @@
+From a262d3ad6a433e4080cecd0a8841104a5906355e Mon Sep 17 00:00:00 2001
+From: Heiko Carstens
+Date: Tue, 18 Oct 2022 13:44:11 +0200
+Subject: s390/futex: add missing EX_TABLE entry to __futex_atomic_op()
+
+From: Heiko Carstens
+
+commit a262d3ad6a433e4080cecd0a8841104a5906355e upstream.
+
+For some exception types the instruction address points behind the
+instruction that caused the exception. Take that into account and add
+the missing exception table entry.
+
+Cc:
+Reviewed-by: Vasily Gorbik
+Signed-off-by: Heiko Carstens
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/include/asm/futex.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/include/asm/futex.h
++++ b/arch/s390/include/asm/futex.h
+@@ -16,7 +16,8 @@
+ "3: jl 1b\n" \
+ " lhi %0,0\n" \
+ "4: sacf 768\n" \
+- EX_TABLE(0b,4b) EX_TABLE(2b,4b) EX_TABLE(3b,4b) \
++ EX_TABLE(0b,4b) EX_TABLE(1b,4b) \
++ EX_TABLE(2b,4b) EX_TABLE(3b,4b) \
+ : "=d" (ret), "=&d" (oldval), "=&d" (newval), \
+ "=m" (*uaddr) \
+ : "0" (-EFAULT), "d" (oparg), "a" (uaddr), \
diff --git a/queue-5.15/s390-pci-add-missing-ex_table-entries-to-__pcistg_mio_inuser-__pcilg_mio_inuser.patch b/queue-5.15/s390-pci-add-missing-ex_table-entries-to-__pcistg_mio_inuser-__pcilg_mio_inuser.patch
new file mode 100644
index 00000000000..07bda706c80
--- /dev/null
+++ b/queue-5.15/s390-pci-add-missing-ex_table-entries-to-__pcistg_mio_inuser-__pcilg_mio_inuser.patch
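Review bot: The added `EX_TABLE(1b,4b)` in `__futex_atomic_op()` (arch/s390/include/asm/futex.h) has no comment, and nothing in the macro says why a label other than the user-access instructions needs a fixup entry. A short comment above the macro's EX_TABLE list, e.g. `/* some exception types report the address behind the faulting instruction, so the following label needs an entry too */`, would stop a later cleanup from removing the entry as redundant and reintroducing an unhandled fault on a user address. The same applies to the new `4:` and `5:` labels and their entries in the arch/s390/pci/pci_mmio.c hunks. Label `1:` is outside this hunk, so it cannot be confirmed from here that it is the instruction directly after the access at `0:`.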
@@ -0,0 +1,56 @@
+From 6ec803025cf3173a57222e4411097166bd06fa98 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens
+Date: Tue, 18 Oct 2022 13:48:34 +0200
+Subject: s390/pci: add missing EX_TABLE entries to __pcistg_mio_inuser()/__pcilg_mio_inuser()
+
+From: Heiko Carstens
+
+commit 6ec803025cf3173a57222e4411097166bd06fa98 upstream.
+
+For some exception types the instruction address points behind the
+instruction that caused the exception. Take that into account and add
+the missing exception table entry.
+
+Cc:
+Fixes: f058599e22d5 ("s390/pci: Fix s390_mmio_read/write with MIO")
+Reviewed-by: Niklas Schnelle
+Signed-off-by: Heiko Carstens
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/pci/pci_mmio.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/s390/pci/pci_mmio.c
++++ b/arch/s390/pci/pci_mmio.c
+@@ -63,7 +63,7 @@ static inline int __pcistg_mio_inuser(
+ asm volatile (
+ " sacf 256\n"
+ "0: llgc %[tmp],0(%[src])\n"
+- " sllg %[val],%[val],8\n"
++ "4: sllg %[val],%[val],8\n"
+ " aghi %[src],1\n"
+ " ogr %[val],%[tmp]\n"
+ " brctg %[cnt],0b\n"
+@@ -71,7 +71,7 @@ static inline int __pcistg_mio_inuser(
+ "2: ipm %[cc]\n"
+ " srl %[cc],28\n"
+ "3: sacf 768\n"
+- EX_TABLE(0b, 3b) EX_TABLE(1b, 3b) EX_TABLE(2b, 3b)
++ EX_TABLE(0b, 3b) EX_TABLE(4b, 3b) EX_TABLE(1b, 3b) EX_TABLE(2b, 3b)
+ :
+ [src] "+a" (src), [cnt] "+d" (cnt),
+ [val] "+d" (val), [tmp] "=d" (tmp),
+@@ -214,10 +214,10 @@ static inline int __pcilg_mio_inuser(
+ "2: ahi %[shift],-8\n"
+ " srlg %[tmp],%[val],0(%[shift])\n"
+ "3: stc %[tmp],0(%[dst])\n"
+- " aghi %[dst],1\n"
++ "5: aghi %[dst],1\n"
+ " brctg %[cnt],2b\n"
+ "4: sacf 768\n"
+- EX_TABLE(0b, 4b) EX_TABLE(1b, 4b) EX_TABLE(3b, 4b)
++ EX_TABLE(0b, 4b) EX_TABLE(1b, 4b) EX_TABLE(3b, 4b) EX_TABLE(5b, 4b)
+ :
+ [ioaddr_len] "+&d" (ioaddr_len.pair),
+ [cc] "+d" (cc), [val] "=d" (val),
diff --git a/queue-5.15/series b/queue-5.15/series
index 499eca98339..4c9fd0b0a86 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -38,3 +38,9 @@ mmc-core-fix-kernel-panic-when-remove-non-standard-sdio-card.patch
 mmc-sdhci-pci-core-disable-es-for-asus-bios-on-jasper-lake.patch
 mmc-sdhci-esdhc-imx-propagate-esdhc_flag_hs400-only-on-8bit-bus.patch
 counter-microchip-tcb-capture-handle-signal1-read-and-synapse.patch
+kernfs-fix-use-after-free-in-__kernfs_remove.patch
+pinctrl-ingenic-jz4755-bug-fixes.patch
+arc-mm-fix-leakage-of-memory-allocated-for-pte.patch
+perf-auxtrace-fix-address-filter-symbol-name-match-for-modules.patch
+s390-futex-add-missing-ex_table-entry-to-__futex_atomic_op.patch
+s390-pci-add-missing-ex_table-entries-to-__pcistg_mio_inuser-__pcilg_mio_inuser.patch