From: Greg Kroah-Hartman
Date: Tue, 3 Dec 2024 10:17:36 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v4.19.325~50
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c0d7259142a04863455e78275a55d8118ac50905;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches added patches: arm64-tls-fix-context-switching-of-tpidrro_el0-when-kpti-is-enabled.patch block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch
---
diff --git a/queue-4.19/arm64-tls-fix-context-switching-of-tpidrro_el0-when-kpti-is-enabled.patch b/queue-4.19/arm64-tls-fix-context-switching-of-tpidrro_el0-when-kpti-is-enabled.patch
new file mode 100644
index 00000000000..e9107482b9e
--- /dev/null
+++ b/queue-4.19/arm64-tls-fix-context-switching-of-tpidrro_el0-when-kpti-is-enabled.patch
@@ -0,0 +1,47 @@
+From 67ab51cbdfee02ef07fb9d7d14cc0bf6cb5a5e5c Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Thu, 14 Nov 2024 09:53:32 +0000
+Subject: arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled
+
+From: Will Deacon
+
+commit 67ab51cbdfee02ef07fb9d7d14cc0bf6cb5a5e5c upstream.
+
+Commit 18011eac28c7 ("arm64: tls: Avoid unconditional zeroing of
+tpidrro_el0 for native tasks") tried to optimise the context switching
+of tpidrro_el0 by eliding the clearing of the register when switching
+to a native task with kpti enabled, on the erroneous assumption that
+the kpti trampoline entry code would already have taken care of the
+write.
+
+Although the kpti trampoline does zero the register on entry from a
+native task, the check in tls_thread_switch() is on the *next* task and
+so we can end up leaving a stale, non-zero value in the register if the
+previous task was 32-bit.
+
+Drop the broken optimisation and zero tpidrro_el0 unconditionally when
+switching to a native 64-bit task.
+
+Cc: Mark Rutland
+Cc: stable@vger.kernel.org
+Fixes: 18011eac28c7 ("arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks")
+Signed-off-by: Will Deacon
+Acked-by: Mark Rutland
+Link: https://lore.kernel.org/r/20241114095332.23391-1-will@kernel.org
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kernel/process.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -382,7 +382,7 @@ static void tls_thread_switch(struct tas
+
+ if (is_compat_thread(task_thread_info(next)))
+ write_sysreg(next->thread.uw.tp_value, tpidrro_el0);
+- else if (!arm64_kernel_unmapped_at_el0())
++ else
+ write_sysreg(0, tpidrro_el0);
+
+ write_sysreg(*task_user_tls(next), tpidr_el0);
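Review bot: The now-unconditional `write_sysreg(0, tpidrro_el0);` in the `else` branch of tls_thread_switch() has no comment recording why it must stay unconditional, and the commit message shows the write was once elided as an optimisation. Per that message, the kpti trampoline only zeroes the register on entry from a native task, so after a 32-bit previous task its value would stay in a register that the next task can read from user space. I would add above the `else` a comment such as `/* Always clear: the kpti trampoline only zeroes tpidrro_el0 on entry from a native task, so a compat prev would leave its TLS value visible to next. */`. The function body starts and ends outside the hunk.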
diff --git a/queue-4.19/block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch b/queue-4.19/block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch
new file mode 100644
index 00000000000..5a229a3bca6
--- /dev/null
+++ b/queue-4.19/block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch
@@ -0,0 +1,113 @@
+From 96a9fe64bfd486ebeeacf1e6011801ffe89dae18 Mon Sep 17 00:00:00 2001
+From: Muchun Song
+Date: Mon, 14 Oct 2024 17:29:34 +0800
+Subject: block: fix ordering between checking BLK_MQ_S_STOPPED request adding
+
+From: Muchun Song
+
+commit 96a9fe64bfd486ebeeacf1e6011801ffe89dae18 upstream.
+
+Supposing first scenario with a virtio_blk driver.
+
+CPU0 CPU1
+
+blk_mq_try_issue_directly()
+ __blk_mq_issue_directly()
+ q->mq_ops->queue_rq()
+ virtio_queue_rq()
+ blk_mq_stop_hw_queue()
+ virtblk_done()
+ blk_mq_request_bypass_insert() 1) store
+ blk_mq_start_stopped_hw_queue()
+ clear_bit(BLK_MQ_S_STOPPED) 3) store
+ blk_mq_run_hw_queue()
+ if (!blk_mq_hctx_has_pending()) 4) load
+ return
+ blk_mq_sched_dispatch_requests()
+ blk_mq_run_hw_queue()
+ if (!blk_mq_hctx_has_pending())
+ return
+ blk_mq_sched_dispatch_requests()
+ if (blk_mq_hctx_stopped()) 2) load
+ return
+ __blk_mq_sched_dispatch_requests()
+
+Supposing another scenario.
+
+CPU0 CPU1
+
+blk_mq_requeue_work()
+ blk_mq_insert_request() 1) store
+ virtblk_done()
+ blk_mq_start_stopped_hw_queue()
+ blk_mq_run_hw_queues() clear_bit(BLK_MQ_S_STOPPED) 3) store
+ blk_mq_run_hw_queue()
+ if (!blk_mq_hctx_has_pending()) 4) load
+ return
+ blk_mq_sched_dispatch_requests()
+ if (blk_mq_hctx_stopped()) 2) load
+ continue
+ blk_mq_run_hw_queue()
+
+Both scenarios are similar, the full memory barrier should be inserted
+between 1) and 2), as well as between 3) and 4) to make sure that either
+CPU0 sees BLK_MQ_S_STOPPED is cleared or CPU1 sees dispatch list.
+Otherwise, either CPU will not rerun the hardware queue causing
+starvation of the request.
+
+The easy way to fix it is to add the essential full memory barrier into
+helper of blk_mq_hctx_stopped(). In order to not affect the fast path
+(hardware queue is not stopped most of the time), we only insert the
+barrier into the slow path. Actually, only slow path needs to care about
+missing of dispatching the request to the low-level device driver.
+
+Fixes: 320ae51feed5 ("blk-mq: new multi-queue block IO queueing mechanism")
+Cc: stable@vger.kernel.org
+Cc: Muchun Song
+Signed-off-by: Muchun Song
+Reviewed-by: Ming Lei
+Link: https://lore.kernel.org/r/20241014092934.53630-4-songmuchun@bytedance.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/blk-mq.c | 6 ++++++
+ block/blk-mq.h | 13 +++++++++++++
+ 2 files changed, 19 insertions(+)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -1544,6 +1544,12 @@ void blk_mq_start_stopped_hw_queue(struc
+ return;
+
+ clear_bit(BLK_MQ_S_STOPPED, &hctx->state);
++ /*
++ * Pairs with the smp_mb() in blk_mq_hctx_stopped() to order the
++ * clearing of BLK_MQ_S_STOPPED above and the checking of dispatch
++ * list in the subsequent routine.
++ */
++ smp_mb__after_atomic();
+ blk_mq_run_hw_queue(hctx, async);
+ }
+ EXPORT_SYMBOL_GPL(blk_mq_start_stopped_hw_queue);
+--- a/block/blk-mq.h
++++ b/block/blk-mq.h
+@@ -142,6 +142,19 @@ static inline struct blk_mq_tags *blk_mq
+
+ static inline bool blk_mq_hctx_stopped(struct blk_mq_hw_ctx *hctx)
+ {
++ /* Fast path: hardware queue is not stopped most of the time. */
++ if (likely(!test_bit(BLK_MQ_S_STOPPED, &hctx->state)))
++ return false;
++
++ /*
++ * This barrier is used to order adding of dispatch list before and
++ * the test of BLK_MQ_S_STOPPED below. Pairs with the memory barrier
++ * in blk_mq_start_stopped_hw_queue() so that dispatch code could
++ * either see BLK_MQ_S_STOPPED is cleared or dispatch list is not
++ * empty to avoid missing dispatching requests.
++ */
++ smp_mb();
++
+ return test_bit(BLK_MQ_S_STOPPED, &hctx->state);
+ }
+
diff --git a/queue-4.19/hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch b/queue-4.19/hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch
new file mode 100644
index 00000000000..df653480443
--- /dev/null
+++ b/queue-4.19/hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch
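Review bot: In block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch, `smp_mb__after_atomic();` is added only in blk_mq_start_stopped_hw_queue(), so the pairing with the new `smp_mb();` in blk_mq_hctx_stopped() holds only for restarts that go through that function. Any other path that clears BLK_MQ_S_STOPPED and then runs the queue (blk_mq_start_hw_queue() is a likely candidate, though it is not visible here) would need the same barrier after its `clear_bit()`, or a comment saying why it is exempt. Separately, the new comment in blk_mq_hctx_stopped() reads "order adding of dispatch list before and the test of BLK_MQ_S_STOPPED below"; I would reword it to `Order the insertion into the dispatch list before the re-test of BLK_MQ_S_STOPPED below.` Both function bodies are only partly inside their hunks.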
@@ -0,0 +1,41 @@
+From 49a397ad24ee5e2c53a59dada2780d7e71bd3f77 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke
+Date: Mon, 28 Oct 2024 10:39:14 -0700
+Subject: HID: wacom: Interpret tilt data from Intuos Pro BT as signed values
+
+From: Jason Gerecke
+
+commit 49a397ad24ee5e2c53a59dada2780d7e71bd3f77 upstream.
+
+The tilt data contained in the Bluetooth packets of an Intuos Pro are
+supposed to be interpreted as signed values. Simply casting the values
+to type `char` is not guaranteed to work since it is implementation-
+defined whether it is signed or unsigned. At least one user has noticed
+the data being reported incorrectly on their system. To ensure that the
+data is interpreted properly, we specifically cast to `signed char`
+instead.
+
+Link: https://github.com/linuxwacom/input-wacom/issues/445
+Fixes: 4922cd26f03c ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface")
+CC: stable@vger.kernel.org # 4.11+
+Signed-off-by: Jason Gerecke
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/wacom_wac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -1321,9 +1321,9 @@ static void wacom_intuos_pro2_bt_pen(str
+ rotation -= 1800;
+
+ input_report_abs(pen_input, ABS_TILT_X,
+- (char)frame[7]);
++ (signed char)frame[7]);
+ input_report_abs(pen_input, ABS_TILT_Y,
+- (char)frame[8]);
++ (signed char)frame[8]);
+ input_report_abs(pen_input, ABS_Z, rotation);
+ input_report_abs(pen_input, ABS_WHEEL,
+ get_unaligned_le16(&frame[11]));
diff --git a/queue-4.19/media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch b/queue-4.19/media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch
new file mode 100644
index 00000000000..81127af35a7
--- /dev/null
+++ b/queue-4.19/media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch
@@ -0,0 +1,54 @@
+From ca59f9956d4519ab18ab2270be47c6b8c6ced091 Mon Sep 17 00:00:00 2001
+From: Qiu-ji Chen
+Date: Fri, 27 Sep 2024 16:39:02 +0800
+Subject: media: wl128x: Fix atomicity violation in fmc_send_cmd()
+
+From: Qiu-ji Chen
+
+commit ca59f9956d4519ab18ab2270be47c6b8c6ced091 upstream.
+
+Atomicity violation occurs when the fmc_send_cmd() function is executed
+simultaneously with the modification of the fmdev->resp_skb value.
+Consider a scenario where, after passing the validity check within the
+function, a non-null fmdev->resp_skb variable is assigned a null value.
+This results in an invalid fmdev->resp_skb variable passing the validity
+check. As seen in the later part of the function, skb = fmdev->resp_skb;
+when the invalid fmdev->resp_skb passes the check, a null pointer
+dereference error may occur at line 478, evt_hdr = (void *)skb->data;
+
+To address this issue, it is recommended to include the validity check of
+fmdev->resp_skb within the locked section of the function. This
+modification ensures that the value of fmdev->resp_skb does not change
+during the validation process, thereby maintaining its validity.
+
+This possible bug is found by an experimental static analysis tool
+developed by our team. This tool analyzes the locking APIs
+to extract function pairs that can be concurrently executed, and then
+analyzes the instructions in the paired functions to identify possible
+concurrency bugs including data races and atomicity violations.
+
+Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources")
+Cc: stable@vger.kernel.org
+Signed-off-by: Qiu-ji Chen
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/radio/wl128x/fmdrv_common.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/radio/wl128x/fmdrv_common.c
++++ b/drivers/media/radio/wl128x/fmdrv_common.c
+@@ -472,11 +472,12 @@ int fmc_send_cmd(struct fmdev *fmdev, u8
+ jiffies_to_msecs(FM_DRV_TX_TIMEOUT) / 1000);
+ return -ETIMEDOUT;
+ }
++ spin_lock_irqsave(&fmdev->resp_skb_lock, flags);
+ if (!fmdev->resp_skb) {
++ spin_unlock_irqrestore(&fmdev->resp_skb_lock, flags);
+ fmerr("Response SKB is missing\n");
+ return -EFAULT;
+ }
+- spin_lock_irqsave(&fmdev->resp_skb_lock, flags);
+ skb = fmdev->resp_skb;
+ fmdev->resp_skb = NULL;
+ spin_unlock_irqrestore(&fmdev->resp_skb_lock, flags);
diff --git a/queue-4.19/series b/queue-4.19/series
index ebef1315b31..6dcf0911c7d 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -117,3 +117,7 @@ serial-8250-omap-move-pm_runtime_get_sync.patch
 jffs2-prevent-rtime-decompress-memory-corruption.patch
 um-vector-do-not-use-drvdata-in-release.patch
 sh-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch
+arm64-tls-fix-context-switching-of-tpidrro_el0-when-kpti-is-enabled.patch
+block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch
+hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch
+media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch
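Review bot: In the fmc_send_cmd() hunk of media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch, the fix leaves two `spin_unlock_irqrestore()` sites for one lock, and the error path has to remember to unlock before `fmerr()`. Taking the pointer first and testing the local afterwards gives a single unlock: keep `skb = fmdev->resp_skb;` and `fmdev->resp_skb = NULL;` directly under `spin_lock_irqsave()`, unlock, and then test `if (!skb)` for the `-EFAULT` return. That ordering also makes it plain that nothing after the unlock reads fmdev->resp_skb again. fmc_send_cmd() starts before and continues after the hunk, so whether later code depends on the current order cannot be confirmed from here.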