From: Greg Kroah-Hartman
Date: Tue, 22 Apr 2025 08:24:10 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v6.1.135~82
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b1c06595c14920a542aaa2b5c7bdf227ef4a59b3;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
nvme-avoid-double-free-special-payload.patch
phy-tegra-xusb-fix-return-value-of-tegra_xusb_find_port_node-function.patch
powerpc-rtas-prevent-spectre-v1-gadget-construction-in-sys_rtas.patch
x86-pvh-call-c-code-via-the-kernel-virtual-mapping.patch
---
diff --git a/queue-5.10/nvme-avoid-double-free-special-payload.patch b/queue-5.10/nvme-avoid-double-free-special-payload.patch
new file mode 100644
index 0000000000..e765233e9a
--- /dev/null
+++ b/queue-5.10/nvme-avoid-double-free-special-payload.patch
@@ -0,0 +1,35 @@
+From e5d574ab37f5f2e7937405613d9b1a724811e5ad Mon Sep 17 00:00:00 2001
+From: Chunguang Xu
+Date: Tue, 11 Jun 2024 18:02:08 +0800
+Subject: nvme: avoid double free special payload
+
+From: Chunguang Xu
+
+commit e5d574ab37f5f2e7937405613d9b1a724811e5ad upstream.
+
+If a discard request needs to be retried, and that retry may fail before
+a new special payload is added, a double free will result. Clear the
+RQF_SPECIAL_LOAD when the request is cleaned.
+
+Signed-off-by: Chunguang Xu
+Reviewed-by: Sagi Grimberg
+Reviewed-by: Max Gurtovoy
+Signed-off-by: Keith Busch
+[Minor context change fixed]
+Signed-off-by: Cliff Liu
+Signed-off-by: He Zhe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvme/host/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -850,6 +850,7 @@ void nvme_cleanup_cmd(struct request *re
+ clear_bit_unlock(0, &ns->ctrl->discard_page_busy);
+ else
+ kfree(page_address(page) + req->special_vec.bv_offset);
++ req->rq_flags &= ~RQF_SPECIAL_PAYLOAD;
+ }
+ }
+ EXPORT_SYMBOL_GPL(nvme_cleanup_cmd);
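Review bot: The new `req->rq_flags &= ~RQF_SPECIAL_PAYLOAD;` is placed right after the clear_bit_unlock()/kfree() branches, so the flag and the freed payload stay in sync, but nothing in the hunk records why the two must not be separated; a comment above the new line such as `/* Payload released: clear the flag so a retried request cannot free it again. */` would keep a later refactor from moving the clearing away from the free. The `if` that presumably guards these branches on RQF_SPECIAL_PAYLOAD, and nvme_cleanup_cmd() itself, begin outside the hunk. The patch description names "RQF_SPECIAL_LOAD" while the code clears RQF_SPECIAL_PAYLOAD; the backport text should use the real flag name so the changelog can be searched by it.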
diff --git a/queue-5.10/phy-tegra-xusb-fix-return-value-of-tegra_xusb_find_port_node-function.patch b/queue-5.10/phy-tegra-xusb-fix-return-value-of-tegra_xusb_find_port_node-function.patch
new file mode 100644
index 0000000000..d52405d574
--- /dev/null
+++ b/queue-5.10/phy-tegra-xusb-fix-return-value-of-tegra_xusb_find_port_node-function.patch
@@ -0,0 +1,34 @@
+From 045a31b95509c8f25f5f04ec5e0dec5cd09f2c5f Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin
+Date: Mon, 13 Dec 2021 02:05:07 +0000
+Subject: phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node function
+
+From: Miaoqian Lin
+
+commit 045a31b95509c8f25f5f04ec5e0dec5cd09f2c5f upstream.
+
+callers of tegra_xusb_find_port_node() function only do NULL checking for
+the return value. return NULL instead of ERR_PTR(-ENOMEM) to keep
+consistent.
+
+Signed-off-by: Miaoqian Lin
+Acked-by: Thierry Reding
+Link: https://lore.kernel.org/r/20211213020507.1458-1-linmq006@gmail.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Alva Lan
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/phy/tegra/xusb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/phy/tegra/xusb.c
++++ b/drivers/phy/tegra/xusb.c
+@@ -449,7 +449,7 @@ tegra_xusb_find_port_node(struct tegra_x
+ name = kasprintf(GFP_KERNEL, "%s-%u", type, index);
+ if (!name) {
+ of_node_put(ports);
+- return ERR_PTR(-ENOMEM);
++ return NULL;
+ }
+ np = of_get_child_by_name(ports, name);
+ kfree(name);
diff --git a/queue-5.10/powerpc-rtas-prevent-spectre-v1-gadget-construction-in-sys_rtas.patch b/queue-5.10/powerpc-rtas-prevent-spectre-v1-gadget-construction-in-sys_rtas.patch
new file mode 100644
index 0000000000..f3608335ea
--- /dev/null
+++ b/queue-5.10/powerpc-rtas-prevent-spectre-v1-gadget-construction-in-sys_rtas.patch
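Review bot: With `return NULL;` on the kasprintf() failure path, an allocation failure is no longer distinguishable from a port node that simply does not exist; that is what the commit intends, since callers only NULL-check, but the function's contract should now say so. Suggest a kernel-doc return line on tegra_xusb_find_port_node(), whose header is outside the hunk, such as `Return: the matching port node, or NULL if it is absent or memory allocation failed`. Before taking the backport, confirm that no 5.10 caller of this helper still uses IS_ERR() on the result, because such a caller would now treat an allocation failure as a normal miss.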
@@ -0,0 +1,54 @@
+From 0974d03eb479384466d828d65637814bee6b26d7 Mon Sep 17 00:00:00 2001
+From: Nathan Lynch
+Date: Thu, 30 May 2024 19:44:12 -0500
+Subject: powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
+
+From: Nathan Lynch
+
+commit 0974d03eb479384466d828d65637814bee6b26d7 upstream.
+
+Smatch warns:
+
+ arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential
+ spectre issue 'args.args' [r] (local cap)
+
+The 'nargs' and 'nret' locals come directly from a user-supplied
+buffer and are used as indexes into a small stack-based array and as
+inputs to copy_to_user() after they are subject to bounds checks.
+
+Use array_index_nospec() after the bounds checks to clamp these values
+for speculative execution.
+
+Signed-off-by: Nathan Lynch
+Reported-by: Breno Leitao
+Reviewed-by: Breno Leitao
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20240530-sys_rtas-nargs-nret-v1-1-129acddd4d89@linux.ibm.com
+[Minor context change fixed]
+Signed-off-by: Cliff Liu
+Signed-off-by: He Zhe
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/rtas.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/powerpc/kernel/rtas.c
++++ b/arch/powerpc/kernel/rtas.c
+@@ -16,6 +16,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -1173,6 +1174,9 @@ SYSCALL_DEFINE1(rtas, struct rtas_args _
+ || nargs + nret > ARRAY_SIZE(args.args))
+ return -EINVAL;
+
++ nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args));
++ nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs);
++
+ /* Copy in args. */
+ if (copy_from_user(args.args, uargs->args,
+ nargs * sizeof(rtas_arg_t)) != 0)
diff --git a/queue-5.10/series b/queue-5.10/series
index 033df57628..493aeaa8af 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
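Review bot: The second clamp `nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs);` is only sound because the `nargs + nret > ARRAY_SIZE(args.args)` rejection above it has already run and because nargs was clamped on the line before, yet that ordering dependency is not stated in the hunk; a comment above the two new lines, e.g. `/* Speculation clamp: nret indexes the tail of args.args that follows the nargs entries, so clamp nargs first. */`, would stop a later change from reordering them. The added `#include` line has lost its target in this rendering; it should be the header that declares array_index_nospec() (linux/nospec.h upstream), and the backport should be checked to confirm 5.10 carries it. The enclosing SYSCALL_DEFINE1(rtas, ...) and the bounds-check `if` begin outside the hunk.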
@@ -148,3 +148,7 @@ mptcp-sockopt-fix-getting-ipv6_v6only.patch
 misc-pci_endpoint_test-avoid-issue-of-interrupts-remaining-after-request_irq-error.patch
 misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch
 misc-pci_endpoint_test-fix-irq_type-to-convey-the-correct-type.patch
+x86-pvh-call-c-code-via-the-kernel-virtual-mapping.patch
+nvme-avoid-double-free-special-payload.patch
+powerpc-rtas-prevent-spectre-v1-gadget-construction-in-sys_rtas.patch
+phy-tegra-xusb-fix-return-value-of-tegra_xusb_find_port_node-function.patch
diff --git a/queue-5.10/x86-pvh-call-c-code-via-the-kernel-virtual-mapping.patch b/queue-5.10/x86-pvh-call-c-code-via-the-kernel-virtual-mapping.patch
new file mode 100644
index 0000000000..a9722b0366
--- /dev/null
+++ b/queue-5.10/x86-pvh-call-c-code-via-the-kernel-virtual-mapping.patch
@@ -0,0 +1,49 @@
+From e8fbc0d9cab6c1ee6403f42c0991b0c1d5dbc092 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Wed, 9 Oct 2024 18:04:40 +0200
+Subject: x86/pvh: Call C code via the kernel virtual mapping
+
+From: Ard Biesheuvel
+
+commit e8fbc0d9cab6c1ee6403f42c0991b0c1d5dbc092 upstream.
+
+Calling C code via a different mapping than it was linked at is
+problematic, because the compiler assumes that RIP-relative and absolute
+symbol references are interchangeable. GCC in particular may use
+RIP-relative per-CPU variable references even when not using -fpic.
+
+So call xen_prepare_pvh() via its kernel virtual mapping on x86_64, so
+that those RIP-relative references produce the correct values. This
+matches the pre-existing behavior for i386, which also invokes
+xen_prepare_pvh() via the kernel virtual mapping before invoking
+startup_32 with paging disabled again.
+
+Fixes: 7243b93345f7 ("xen/pvh: Bootstrap PVH guest")
+Tested-by: Jason Andryuk
+Reviewed-by: Jason Andryuk
+Signed-off-by: Ard Biesheuvel
+Message-ID: <20241009160438.3884381-8-ardb+git@google.com>
+Signed-off-by: Juergen Gross
+[ Stable context update ]
+Signed-off-by: Jason Andryuk
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/platform/pvh/head.S | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/platform/pvh/head.S
++++ b/arch/x86/platform/pvh/head.S
+@@ -99,7 +99,12 @@ SYM_CODE_START_LOCAL(pvh_start_xen)
+ xor %edx, %edx
+ wrmsr
+
+- call xen_prepare_pvh
++ /* Call xen_prepare_pvh() via the kernel virtual mapping */
++ leaq xen_prepare_pvh(%rip), %rax
++ subq phys_base(%rip), %rax
++ addq $__START_KERNEL_map, %rax
++ ANNOTATE_RETPOLINE_SAFE
++ call *%rax
+
+ /* startup_64 expects boot_params in %rsi. */
+ mov $_pa(pvh_bootparams), %rsi
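Review bot: The address arithmetic `leaq xen_prepare_pvh(%rip), %rax` / `subq phys_base(%rip), %rax` / `addq $__START_KERNEL_map, %rax` yields the kernel virtual address only if phys_base already holds the load offset when this code runs; whether the 5.10 PVH entry initialises phys_base before this point cannot be seen from the hunk, and if it is still zero here the result is correct only for a kernel loaded at its link address. Since this is a "[ Stable context update ]" rather than a verbatim upstream hunk, the backport should state that assumption in the comment, e.g. `/* Call xen_prepare_pvh() via the kernel virtual mapping; relies on phys_base being valid (zero for a non-relocated load) */`. ANNOTATE_RETPOLINE_SAFE directly before `call *%rax` is what lets objtool accept the indirect call, so the two lines should stay adjacent. pvh_start_xen begins outside the hunk.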