From: Sasha Levin Date: Mon, 11 Dec 2023 04:13:35 +0000 (-0500) Subject: Fixes for 6.6 X-Git-Tag: v6.6.6~9 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b4150a0314ce49aeffc3db607d243da60cda1a0e;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.6 Signed-off-by: Sasha Levin --- diff --git a/queue-6.6/drm-amd-display-increase-num-voltage-states-to-40.patch b/queue-6.6/drm-amd-display-increase-num-voltage-states-to-40.patch new file mode 100644 index 00000000000..44da65efd5d --- /dev/null +++ b/queue-6.6/drm-amd-display-increase-num-voltage-states-to-40.patch @@ -0,0 +1,42 @@ +From fcd9041688ba81389477336a3d929c1313ee898c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Nov 2023 17:16:28 -0500 +Subject: drm/amd/display: Increase num voltage states to 40 + +From: Alvin Lee + +[ Upstream commit 67e38874b85b8df7b23d29f78ac3d7ecccd9519d ] + +[Description] +If during driver init stage there are greater than 20 +intermediary voltage states while constructing the SOC +BB we could hit issues because we will index outside of the +clock_limits array and start overwriting data. Increase the +total number of states to 40 to avoid this issue. + +Cc: stable@vger.kernel.org # 6.1+ +Reviewed-by: Samson Tam +Acked-by: Hamza Mahfooz +Signed-off-by: Alvin Lee +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dml/dc_features.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dc_features.h b/drivers/gpu/drm/amd/display/dc/dml/dc_features.h +index 2cbdd75429ffd..6e669a2c5b2d4 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dc_features.h ++++ b/drivers/gpu/drm/amd/display/dc/dml/dc_features.h +@@ -36,7 +36,7 @@ + * Define the maximum amount of states supported by the ASIC. Every ASIC has a + * specific number of states; this macro defines the maximum number of states. + */ +-#define DC__VOLTAGE_STATES 20 ++#define DC__VOLTAGE_STATES 40 + #define DC__NUM_DPP__4 1 + #define DC__NUM_DPP__0_PRESENT 1 + #define DC__NUM_DPP__1_PRESENT 1 +-- +2.42.0 + diff --git a/queue-6.6/gpiolib-sysfs-fix-error-handling-on-failed-export.patch b/queue-6.6/gpiolib-sysfs-fix-error-handling-on-failed-export.patch new file mode 100644 index 00000000000..8d85e877e74 --- /dev/null +++ b/queue-6.6/gpiolib-sysfs-fix-error-handling-on-failed-export.patch @@ -0,0 +1,61 @@ +From eb2f602c93d8cd67793fd6168e3b9a853dffd34a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 16:23:07 +0100 +Subject: gpiolib: sysfs: Fix error handling on failed export + +From: Boerge Struempfel + +[ Upstream commit 95dd1e34ff5bbee93a28ff3947eceaf6de811b1a ] + +If gpio_set_transitory() fails, we should free the GPIO again. Most +notably, the flag FLAG_REQUESTED has previously been set in +gpiod_request_commit(), and should be reset on failure. + +To my knowledge, this does not affect any current users, since the +gpio_set_transitory() mainly returns 0 and -ENOTSUPP, which is converted +to 0. However the gpio_set_transitory() function calles the .set_config() +function of the corresponding GPIO chip and there are some GPIO drivers in +which some (unlikely) branches return other values like -EPROBE_DEFER, +and -EINVAL. In these cases, the above mentioned FLAG_REQUESTED would not +be reset, which results in the pin being blocked until the next reboot. + +Fixes: e10f72bf4b3e ("gpio: gpiolib: Generalise state persistence beyond sleep") +Signed-off-by: Boerge Struempfel +Reviewed-by: Andy Shevchenko +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-sysfs.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpio/gpiolib-sysfs.c b/drivers/gpio/gpiolib-sysfs.c +index 50503a4525eb0..c7c5c19ebc66f 100644 +--- a/drivers/gpio/gpiolib-sysfs.c ++++ b/drivers/gpio/gpiolib-sysfs.c +@@ -474,14 +474,17 @@ static ssize_t export_store(const struct class *class, + goto done; + + status = gpiod_set_transitory(desc, false); +- if (!status) { +- status = gpiod_export(desc, true); +- if (status < 0) +- gpiod_free(desc); +- else +- set_bit(FLAG_SYSFS, &desc->flags); ++ if (status) { ++ gpiod_free(desc); ++ goto done; + } + ++ status = gpiod_export(desc, true); ++ if (status < 0) ++ gpiod_free(desc); ++ else ++ set_bit(FLAG_SYSFS, &desc->flags); ++ + done: + if (status) + pr_debug("%s: status %d\n", __func__, status); +-- +2.42.0 + diff --git a/queue-6.6/perf-fix-perf_event_validate_size.patch b/queue-6.6/perf-fix-perf_event_validate_size.patch new file mode 100644 index 00000000000..d0c379f1173 --- /dev/null +++ b/queue-6.6/perf-fix-perf_event_validate_size.patch @@ -0,0 +1,135 @@ +From 6b5743735dc946286c78ea252673e78d88b612df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 15:24:52 +0100 +Subject: perf: Fix perf_event_validate_size() + +From: Peter Zijlstra + +[ Upstream commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b ] + +Budimir noted that perf_event_validate_size() only checks the size of +the newly added event, even though the sizes of all existing events +can also change due to not all events having the same read_format. + +When we attach the new event, perf_group_attach(), we do re-compute +the size for all events. + +Fixes: a723968c0ed3 ("perf: Fix u16 overflows") +Reported-by: Budimir Markovic +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 61 +++++++++++++++++++++++++++----------------- + 1 file changed, 38 insertions(+), 23 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 6dbb03c532375..252387b6ac8d6 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -1814,31 +1814,34 @@ static inline void perf_event__state_init(struct perf_event *event) + PERF_EVENT_STATE_INACTIVE; + } + +-static void __perf_event_read_size(struct perf_event *event, int nr_siblings) ++static int __perf_event_read_size(u64 read_format, int nr_siblings) + { + int entry = sizeof(u64); /* value */ + int size = 0; + int nr = 1; + +- if (event->attr.read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) ++ if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) + size += sizeof(u64); + +- if (event->attr.read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) ++ if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) + size += sizeof(u64); + +- if (event->attr.read_format & PERF_FORMAT_ID) ++ if (read_format & PERF_FORMAT_ID) + entry += sizeof(u64); + +- if (event->attr.read_format & PERF_FORMAT_LOST) ++ if (read_format & PERF_FORMAT_LOST) + entry += sizeof(u64); + +- if (event->attr.read_format & PERF_FORMAT_GROUP) { ++ if (read_format & PERF_FORMAT_GROUP) { + nr += nr_siblings; + size += sizeof(u64); + } + +- size += entry * nr; +- event->read_size = size; ++ /* ++ * Since perf_event_validate_size() limits this to 16k and inhibits ++ * adding more siblings, this will never overflow. ++ */ ++ return size + nr * entry; + } + + static void __perf_event_header_size(struct perf_event *event, u64 sample_type) +@@ -1888,8 +1891,9 @@ static void __perf_event_header_size(struct perf_event *event, u64 sample_type) + */ + static void perf_event__header_size(struct perf_event *event) + { +- __perf_event_read_size(event, +- event->group_leader->nr_siblings); ++ event->read_size = ++ __perf_event_read_size(event->attr.read_format, ++ event->group_leader->nr_siblings); + __perf_event_header_size(event, event->attr.sample_type); + } + +@@ -1920,24 +1924,35 @@ static void perf_event__id_header_size(struct perf_event *event) + event->id_header_size = size; + } + ++/* ++ * Check that adding an event to the group does not result in anybody ++ * overflowing the 64k event limit imposed by the output buffer. ++ * ++ * Specifically, check that the read_size for the event does not exceed 16k, ++ * read_size being the one term that grows with groups size. Since read_size ++ * depends on per-event read_format, also (re)check the existing events. ++ * ++ * This leaves 48k for the constant size fields and things like callchains, ++ * branch stacks and register sets. ++ */ + static bool perf_event_validate_size(struct perf_event *event) + { +- /* +- * The values computed here will be over-written when we actually +- * attach the event. +- */ +- __perf_event_read_size(event, event->group_leader->nr_siblings + 1); +- __perf_event_header_size(event, event->attr.sample_type & ~PERF_SAMPLE_READ); +- perf_event__id_header_size(event); ++ struct perf_event *sibling, *group_leader = event->group_leader; + +- /* +- * Sum the lot; should not exceed the 64k limit we have on records. +- * Conservative limit to allow for callchains and other variable fields. +- */ +- if (event->read_size + event->header_size + +- event->id_header_size + sizeof(struct perf_event_header) >= 16*1024) ++ if (__perf_event_read_size(event->attr.read_format, ++ group_leader->nr_siblings + 1) > 16*1024) + return false; + ++ if (__perf_event_read_size(group_leader->attr.read_format, ++ group_leader->nr_siblings + 1) > 16*1024) ++ return false; ++ ++ for_each_sibling_event(sibling, group_leader) { ++ if (__perf_event_read_size(sibling->attr.read_format, ++ group_leader->nr_siblings + 1) > 16*1024) ++ return false; ++ } ++ + return true; + } + +-- +2.42.0 + diff --git a/queue-6.6/series b/queue-6.6/series index a0f0b4233eb..03253d805f5 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -202,3 +202,7 @@ parisc-fix-asm-operand-number-out-of-range-build-err.patch arm64-dts-mediatek-add-missing-space-before.patch arm64-dts-mt8183-kukui-fix-underscores-in-node-names.patch drm-amdgpu-disable-mcbp-by-default.patch +perf-fix-perf_event_validate_size.patch +x86-sev-fix-kernel-crash-due-to-late-update-to-read-.patch +gpiolib-sysfs-fix-error-handling-on-failed-export.patch +drm-amd-display-increase-num-voltage-states-to-40.patch diff --git a/queue-6.6/x86-sev-fix-kernel-crash-due-to-late-update-to-read-.patch b/queue-6.6/x86-sev-fix-kernel-crash-due-to-late-update-to-read-.patch new file mode 100644 index 00000000000..8b7b4075d55 --- /dev/null +++ b/queue-6.6/x86-sev-fix-kernel-crash-due-to-late-update-to-read-.patch @@ -0,0 +1,94 @@ +From 8538abb68966da821f0362ac172253bc333e724e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 16:10:29 +0530 +Subject: x86/sev: Fix kernel crash due to late update to read-only + ghcb_version + +From: Ashwin Dayanand Kamat + +[ Upstream commit 27d25348d42161837be08fc63b04a2559d2e781c ] + +A write-access violation page fault kernel crash was observed while running +cpuhotplug LTP testcases on SEV-ES enabled systems. The crash was +observed during hotplug, after the CPU was offlined and the process +was migrated to different CPU. setup_ghcb() is called again which +tries to update ghcb_version in sev_es_negotiate_protocol(). Ideally this +is a read_only variable which is initialised during booting. + +Trying to write it results in a pagefault: + + BUG: unable to handle page fault for address: ffffffffba556e70 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0003) - permissions violation + [ ...] + Call Trace: + + ? __die_body.cold+0x1a/0x1f + ? __die+0x2a/0x35 + ? page_fault_oops+0x10c/0x270 + ? setup_ghcb+0x71/0x100 + ? __x86_return_thunk+0x5/0x6 + ? search_exception_tables+0x60/0x70 + ? __x86_return_thunk+0x5/0x6 + ? fixup_exception+0x27/0x320 + ? kernelmode_fixup_or_oops+0xa2/0x120 + ? __bad_area_nosemaphore+0x16a/0x1b0 + ? kernel_exc_vmm_communication+0x60/0xb0 + ? bad_area_nosemaphore+0x16/0x20 + ? do_kern_addr_fault+0x7a/0x90 + ? exc_page_fault+0xbd/0x160 + ? asm_exc_page_fault+0x27/0x30 + ? setup_ghcb+0x71/0x100 + ? setup_ghcb+0xe/0x100 + cpu_init_exception_handling+0x1b9/0x1f0 + +The fix is to call sev_es_negotiate_protocol() only in the BSP boot phase, +and it only needs to be done once in any case. + +[ mingo: Refined the changelog. ] + +Fixes: 95d33bfaa3e1 ("x86/sev: Register GHCB memory when SEV-SNP is active") +Suggested-by: Tom Lendacky +Co-developed-by: Bo Gan +Signed-off-by: Bo Gan +Signed-off-by: Ashwin Dayanand Kamat +Signed-off-by: Ingo Molnar +Acked-by: Tom Lendacky +Link: https://lore.kernel.org/r/1701254429-18250-1-git-send-email-kashwindayan@vmware.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/sev.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c +index 6395bfd87b68b..d87c6ff1f5136 100644 +--- a/arch/x86/kernel/sev.c ++++ b/arch/x86/kernel/sev.c +@@ -1234,10 +1234,6 @@ void setup_ghcb(void) + if (!cc_platform_has(CC_ATTR_GUEST_STATE_ENCRYPT)) + return; + +- /* First make sure the hypervisor talks a supported protocol. */ +- if (!sev_es_negotiate_protocol()) +- sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SEV_ES_GEN_REQ); +- + /* + * Check whether the runtime #VC exception handler is active. It uses + * the per-CPU GHCB page which is set up by sev_es_init_vc_handling(). +@@ -1254,6 +1250,13 @@ void setup_ghcb(void) + return; + } + ++ /* ++ * Make sure the hypervisor talks a supported protocol. ++ * This gets called only in the BSP boot phase. ++ */ ++ if (!sev_es_negotiate_protocol()) ++ sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SEV_ES_GEN_REQ); ++ + /* + * Clear the boot_ghcb. The first exception comes in before the bss + * section is cleared. +-- +2.42.0 +