From: Greg Kroah-Hartman Date: Sat, 9 Sep 2023 21:55:18 +0000 (+0100) Subject: 6.4-stable patches X-Git-Tag: v6.1.53~57 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cbf132d6cb39c58752d350c15d3593dc838c63af;p=thirdparty%2Fkernel%2Fstable-queue.git 6.4-stable patches added patches: arm64-sdei-abort-running-sdei-handlers-during-crash.patch crypto-af_alg-decrement-struct-key.usage-in-alg_set_by_key_serial.patch dccp-fix-out-of-bounds-access-in-dccp-error-handler.patch dlm-fix-plock-lookup-when-using-multiple-lockspaces.patch fsverity-skip-pkcs-7-parser-when-keyring-is-empty.patch mmc-renesas_sdhi-register-irqs-before-registering-controller.patch net-handle-arphrd_ppp-in-dev_is_mac_header_xmit.patch platform-chrome-chromeos_acpi-print-hex-string-for-acpi_type_buffer.patch pstore-ram-check-start-of-empty-przs-during-init.patch r8169-fix-aspm-related-issues-on-a-number-of-systems-with-nic-version-from-rtl8168h.patch regulator-dt-bindings-qcom-rpm-fix-pattern-for-children.patch x.509-if-signature-is-unsupported-skip-validation.patch x86-mce-always-save-cs-register-on-amd-zen-if-poison-errors.patch x86-sev-make-enc_dec_hypercall-accept-a-size-instead-of-npages.patch --- diff --git a/queue-6.4/arm64-sdei-abort-running-sdei-handlers-during-crash.patch b/queue-6.4/arm64-sdei-abort-running-sdei-handlers-during-crash.patch new file mode 100644 index 00000000000..9fc363f290f --- /dev/null +++ b/queue-6.4/arm64-sdei-abort-running-sdei-handlers-during-crash.patch @@ -0,0 +1,183 @@ +From 5cd474e57368f0957c343bb21e309cf82826b1ef Mon Sep 17 00:00:00 2001 +From: D Scott Phillips +Date: Mon, 26 Jun 2023 17:29:39 -0700 +Subject: arm64: sdei: abort running SDEI handlers during crash + +From: D Scott Phillips + +commit 5cd474e57368f0957c343bb21e309cf82826b1ef upstream. + +Interrupts are blocked in SDEI context, per the SDEI spec: "The client +interrupts cannot preempt the event handler." If we crashed in the SDEI +handler-running context (as with ACPI's AGDI) then we need to clean up the +SDEI state before proceeding to the crash kernel so that the crash kernel +can have working interrupts. + +Track the active SDEI handler per-cpu so that we can COMPLETE_AND_RESUME +the handler, discarding the interrupted context. + +Fixes: f5df26961853 ("arm64: kernel: Add arch-specific SDEI entry code and CPU masking") +Signed-off-by: D Scott Phillips +Cc: stable@vger.kernel.org +Reviewed-by: James Morse +Tested-by: Mihai Carabas +Link: https://lore.kernel.org/r/20230627002939.2758-1-scott@os.amperecomputing.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/sdei.h | 6 ++++++ + arch/arm64/kernel/entry.S | 27 +++++++++++++++++++++++++-- + arch/arm64/kernel/sdei.c | 3 +++ + arch/arm64/kernel/smp.c | 8 ++++---- + drivers/firmware/arm_sdei.c | 19 +++++++++++++++++++ + include/linux/arm_sdei.h | 2 ++ + 6 files changed, 59 insertions(+), 6 deletions(-) + +--- a/arch/arm64/include/asm/sdei.h ++++ b/arch/arm64/include/asm/sdei.h +@@ -17,6 +17,9 @@ + + #include + ++DECLARE_PER_CPU(struct sdei_registered_event *, sdei_active_normal_event); ++DECLARE_PER_CPU(struct sdei_registered_event *, sdei_active_critical_event); ++ + extern unsigned long sdei_exit_mode; + + /* Software Delegated Exception entry point from firmware*/ +@@ -29,6 +32,9 @@ asmlinkage void __sdei_asm_entry_trampol + unsigned long pc, + unsigned long pstate); + ++/* Abort a running handler. Context is discarded. */ ++void __sdei_handler_abort(void); ++ + /* + * The above entry point does the minimum to call C code. This function does + * anything else, before calling the driver. +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -1003,9 +1003,13 @@ SYM_CODE_START(__sdei_asm_handler) + + mov x19, x1 + +-#if defined(CONFIG_VMAP_STACK) || defined(CONFIG_SHADOW_CALL_STACK) ++ /* Store the registered-event for crash_smp_send_stop() */ + ldrb w4, [x19, #SDEI_EVENT_PRIORITY] +-#endif ++ cbnz w4, 1f ++ adr_this_cpu dst=x5, sym=sdei_active_normal_event, tmp=x6 ++ b 2f ++1: adr_this_cpu dst=x5, sym=sdei_active_critical_event, tmp=x6 ++2: str x19, [x5] + + #ifdef CONFIG_VMAP_STACK + /* +@@ -1072,6 +1076,14 @@ SYM_CODE_START(__sdei_asm_handler) + + ldr_l x2, sdei_exit_mode + ++ /* Clear the registered-event seen by crash_smp_send_stop() */ ++ ldrb w3, [x4, #SDEI_EVENT_PRIORITY] ++ cbnz w3, 1f ++ adr_this_cpu dst=x5, sym=sdei_active_normal_event, tmp=x6 ++ b 2f ++1: adr_this_cpu dst=x5, sym=sdei_active_critical_event, tmp=x6 ++2: str xzr, [x5] ++ + alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0 + sdei_handler_exit exit_mode=x2 + alternative_else_nop_endif +@@ -1082,4 +1094,15 @@ alternative_else_nop_endif + #endif + SYM_CODE_END(__sdei_asm_handler) + NOKPROBE(__sdei_asm_handler) ++ ++SYM_CODE_START(__sdei_handler_abort) ++ mov_q x0, SDEI_1_0_FN_SDEI_EVENT_COMPLETE_AND_RESUME ++ adr x1, 1f ++ ldr_l x2, sdei_exit_mode ++ sdei_handler_exit exit_mode=x2 ++ // exit the handler and jump to the next instruction. ++ // Exit will stomp x0-x17, PSTATE, ELR_ELx, and SPSR_ELx. ++1: ret ++SYM_CODE_END(__sdei_handler_abort) ++NOKPROBE(__sdei_handler_abort) + #endif /* CONFIG_ARM_SDE_INTERFACE */ +--- a/arch/arm64/kernel/sdei.c ++++ b/arch/arm64/kernel/sdei.c +@@ -47,6 +47,9 @@ DEFINE_PER_CPU(unsigned long *, sdei_sha + DEFINE_PER_CPU(unsigned long *, sdei_shadow_call_stack_critical_ptr); + #endif + ++DEFINE_PER_CPU(struct sdei_registered_event *, sdei_active_normal_event); ++DEFINE_PER_CPU(struct sdei_registered_event *, sdei_active_critical_event); ++ + static void _free_sdei_stack(unsigned long * __percpu *ptr, int cpu) + { + unsigned long *p; +--- a/arch/arm64/kernel/smp.c ++++ b/arch/arm64/kernel/smp.c +@@ -1048,10 +1048,8 @@ void crash_smp_send_stop(void) + * If this cpu is the only one alive at this point in time, online or + * not, there are no stop messages to be sent around, so just back out. + */ +- if (num_other_online_cpus() == 0) { +- sdei_mask_local_cpu(); +- return; +- } ++ if (num_other_online_cpus() == 0) ++ goto skip_ipi; + + cpumask_copy(&mask, cpu_online_mask); + cpumask_clear_cpu(smp_processor_id(), &mask); +@@ -1070,7 +1068,9 @@ void crash_smp_send_stop(void) + pr_warn("SMP: failed to stop secondary CPUs %*pbl\n", + cpumask_pr_args(&mask)); + ++skip_ipi: + sdei_mask_local_cpu(); ++ sdei_handler_abort(); + } + + bool smp_crash_stop_failed(void) +--- a/drivers/firmware/arm_sdei.c ++++ b/drivers/firmware/arm_sdei.c +@@ -1095,3 +1095,22 @@ int sdei_event_handler(struct pt_regs *r + return err; + } + NOKPROBE_SYMBOL(sdei_event_handler); ++ ++void sdei_handler_abort(void) ++{ ++ /* ++ * If the crash happened in an SDEI event handler then we need to ++ * finish the handler with the firmware so that we can have working ++ * interrupts in the crash kernel. ++ */ ++ if (__this_cpu_read(sdei_active_critical_event)) { ++ pr_warn("still in SDEI critical event context, attempting to finish handler.\n"); ++ __sdei_handler_abort(); ++ __this_cpu_write(sdei_active_critical_event, NULL); ++ } ++ if (__this_cpu_read(sdei_active_normal_event)) { ++ pr_warn("still in SDEI normal event context, attempting to finish handler.\n"); ++ __sdei_handler_abort(); ++ __this_cpu_write(sdei_active_normal_event, NULL); ++ } ++} +--- a/include/linux/arm_sdei.h ++++ b/include/linux/arm_sdei.h +@@ -47,10 +47,12 @@ int sdei_unregister_ghes(struct ghes *gh + int sdei_mask_local_cpu(void); + int sdei_unmask_local_cpu(void); + void __init sdei_init(void); ++void sdei_handler_abort(void); + #else + static inline int sdei_mask_local_cpu(void) { return 0; } + static inline int sdei_unmask_local_cpu(void) { return 0; } + static inline void sdei_init(void) { } ++static inline void sdei_handler_abort(void) { } + #endif /* CONFIG_ARM_SDE_INTERFACE */ + + diff --git a/queue-6.4/crypto-af_alg-decrement-struct-key.usage-in-alg_set_by_key_serial.patch b/queue-6.4/crypto-af_alg-decrement-struct-key.usage-in-alg_set_by_key_serial.patch new file mode 100644 index 00000000000..4dd110477d2 --- /dev/null +++ b/queue-6.4/crypto-af_alg-decrement-struct-key.usage-in-alg_set_by_key_serial.patch @@ -0,0 +1,46 @@ +From 6b4b53ca0b7300ba2af98a49dbce22054bf034fe Mon Sep 17 00:00:00 2001 +From: Frederick Lawler +Date: Tue, 1 Aug 2023 08:57:09 -0500 +Subject: crypto: af_alg - Decrement struct key.usage in alg_set_by_key_serial() + +From: Frederick Lawler + +commit 6b4b53ca0b7300ba2af98a49dbce22054bf034fe upstream. + +Calls to lookup_user_key() require a corresponding key_put() to +decrement the usage counter. Once it reaches zero, we schedule key GC. +Therefore decrement struct key.usage in alg_set_by_key_serial(). + +Fixes: 7984ceb134bf ("crypto: af_alg - Support symmetric encryption via keyring keys") +Cc: +Signed-off-by: Frederick Lawler +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + crypto/af_alg.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -320,18 +320,21 @@ static int alg_setkey_by_key_serial(stru + + if (IS_ERR(ret)) { + up_read(&key->sem); ++ key_put(key); + return PTR_ERR(ret); + } + + key_data = sock_kmalloc(&ask->sk, key_datalen, GFP_KERNEL); + if (!key_data) { + up_read(&key->sem); ++ key_put(key); + return -ENOMEM; + } + + memcpy(key_data, ret, key_datalen); + + up_read(&key->sem); ++ key_put(key); + + err = type->setkey(ask->private, key_data, key_datalen); + diff --git a/queue-6.4/dccp-fix-out-of-bounds-access-in-dccp-error-handler.patch b/queue-6.4/dccp-fix-out-of-bounds-access-in-dccp-error-handler.patch new file mode 100644 index 00000000000..080c3db2e39 --- /dev/null +++ b/queue-6.4/dccp-fix-out-of-bounds-access-in-dccp-error-handler.patch @@ -0,0 +1,84 @@ +From 977ad86c2a1bcaf58f01ab98df5cc145083c489c Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Fri, 25 Aug 2023 15:32:41 +0200 +Subject: dccp: Fix out of bounds access in DCCP error handler + +From: Jann Horn + +commit 977ad86c2a1bcaf58f01ab98df5cc145083c489c upstream. + +There was a previous attempt to fix an out-of-bounds access in the DCCP +error handlers, but that fix assumed that the error handlers only want +to access the first 8 bytes of the DCCP header. Actually, they also look +at the DCCP sequence number, which is stored beyond 8 bytes, so an +explicit pskb_may_pull() is required. + +Fixes: 6706a97fec96 ("dccp: fix out of bound access in dccp_v4_err()") +Fixes: 1aa9d1a0e7ee ("ipv6: dccp: fix out of bound access in dccp_v6_err()") +Cc: stable@vger.kernel.org +Signed-off-by: Jann Horn +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/ipv4.c | 13 +++++++++---- + net/dccp/ipv6.c | 15 ++++++++++----- + 2 files changed, 19 insertions(+), 9 deletions(-) + +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -255,12 +255,17 @@ static int dccp_v4_err(struct sk_buff *s + int err; + struct net *net = dev_net(skb->dev); + +- /* Only need dccph_dport & dccph_sport which are the first +- * 4 bytes in dccp header. ++ /* For the first __dccp_basic_hdr_len() check, we only need dh->dccph_x, ++ * which is in byte 7 of the dccp header. + * Our caller (icmp_socket_deliver()) already pulled 8 bytes for us. ++ * ++ * Later on, we want to access the sequence number fields, which are ++ * beyond 8 bytes, so we have to pskb_may_pull() ourselves. + */ +- BUILD_BUG_ON(offsetofend(struct dccp_hdr, dccph_sport) > 8); +- BUILD_BUG_ON(offsetofend(struct dccp_hdr, dccph_dport) > 8); ++ dh = (struct dccp_hdr *)(skb->data + offset); ++ if (!pskb_may_pull(skb, offset + __dccp_basic_hdr_len(dh))) ++ return -EINVAL; ++ iph = (struct iphdr *)skb->data; + dh = (struct dccp_hdr *)(skb->data + offset); + + sk = __inet_lookup_established(net, &dccp_hashinfo, +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -74,7 +74,7 @@ static inline __u64 dccp_v6_init_sequenc + static int dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, + u8 type, u8 code, int offset, __be32 info) + { +- const struct ipv6hdr *hdr = (const struct ipv6hdr *)skb->data; ++ const struct ipv6hdr *hdr; + const struct dccp_hdr *dh; + struct dccp_sock *dp; + struct ipv6_pinfo *np; +@@ -83,12 +83,17 @@ static int dccp_v6_err(struct sk_buff *s + __u64 seq; + struct net *net = dev_net(skb->dev); + +- /* Only need dccph_dport & dccph_sport which are the first +- * 4 bytes in dccp header. ++ /* For the first __dccp_basic_hdr_len() check, we only need dh->dccph_x, ++ * which is in byte 7 of the dccp header. + * Our caller (icmpv6_notify()) already pulled 8 bytes for us. ++ * ++ * Later on, we want to access the sequence number fields, which are ++ * beyond 8 bytes, so we have to pskb_may_pull() ourselves. + */ +- BUILD_BUG_ON(offsetofend(struct dccp_hdr, dccph_sport) > 8); +- BUILD_BUG_ON(offsetofend(struct dccp_hdr, dccph_dport) > 8); ++ dh = (struct dccp_hdr *)(skb->data + offset); ++ if (!pskb_may_pull(skb, offset + __dccp_basic_hdr_len(dh))) ++ return -EINVAL; ++ hdr = (const struct ipv6hdr *)skb->data; + dh = (struct dccp_hdr *)(skb->data + offset); + + sk = __inet6_lookup_established(net, &dccp_hashinfo, diff --git a/queue-6.4/dlm-fix-plock-lookup-when-using-multiple-lockspaces.patch b/queue-6.4/dlm-fix-plock-lookup-when-using-multiple-lockspaces.patch new file mode 100644 index 00000000000..d1351e693c7 --- /dev/null +++ b/queue-6.4/dlm-fix-plock-lookup-when-using-multiple-lockspaces.patch @@ -0,0 +1,57 @@ +From 7c53e847ff5e97f033fdd31f71949807633d506b Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Thu, 24 Aug 2023 16:51:42 -0400 +Subject: dlm: fix plock lookup when using multiple lockspaces + +From: Alexander Aring + +commit 7c53e847ff5e97f033fdd31f71949807633d506b upstream. + +All posix lock ops, for all lockspaces (gfs2 file systems) are +sent to userspace (dlm_controld) through a single misc device. +The dlm_controld daemon reads the ops from the misc device +and sends them to other cluster nodes using separate, per-lockspace +cluster api communication channels. The ops for a single lockspace +are ordered at this level, so that the results are received in +the same sequence that the requests were sent. When the results +are sent back to the kernel via the misc device, they are again +funneled through the single misc device for all lockspaces. When +the dlm code in the kernel processes the results from the misc +device, these results will be returned in the same sequence that +the requests were sent, on a per-lockspace basis. A recent change +in this request/reply matching code missed the "per-lockspace" +check (fsid comparison) when matching request and reply, so replies +could be incorrectly matched to requests from other lockspaces. + +Cc: stable@vger.kernel.org +Reported-by: Barry Marson +Fixes: 57e2c2f2d94c ("fs: dlm: fix mismatch of plock results from userspace") +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Greg Kroah-Hartman +--- + fs/dlm/plock.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/dlm/plock.c ++++ b/fs/dlm/plock.c +@@ -456,7 +456,8 @@ static ssize_t dev_write(struct file *fi + } + } else { + list_for_each_entry(iter, &recv_list, list) { +- if (!iter->info.wait) { ++ if (!iter->info.wait && ++ iter->info.fsid == info.fsid) { + op = iter; + break; + } +@@ -468,8 +469,7 @@ static ssize_t dev_write(struct file *fi + if (info.wait) + WARN_ON(op->info.optype != DLM_PLOCK_OP_LOCK); + else +- WARN_ON(op->info.fsid != info.fsid || +- op->info.number != info.number || ++ WARN_ON(op->info.number != info.number || + op->info.owner != info.owner || + op->info.optype != info.optype); + diff --git a/queue-6.4/fsverity-skip-pkcs-7-parser-when-keyring-is-empty.patch b/queue-6.4/fsverity-skip-pkcs-7-parser-when-keyring-is-empty.patch new file mode 100644 index 00000000000..13e5a7cc589 --- /dev/null +++ b/queue-6.4/fsverity-skip-pkcs-7-parser-when-keyring-is-empty.patch @@ -0,0 +1,52 @@ +From 919dc320956ea353a7fb2d84265195ad5ef525ac Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 1 Aug 2023 21:03:53 -0700 +Subject: fsverity: skip PKCS#7 parser when keyring is empty + +From: Eric Biggers + +commit 919dc320956ea353a7fb2d84265195ad5ef525ac upstream. + +If an fsverity builtin signature is given for a file but the +".fs-verity" keyring is empty, there's no real reason to run the PKCS#7 +parser. Skip this to avoid the PKCS#7 attack surface when builtin +signature support is configured into the kernel but is not being used. + +This is a hardening improvement, not a fix per se, but I've added +Fixes and Cc stable to get it out to more users. + +Fixes: 432434c9f8e1 ("fs-verity: support builtin file signatures") +Cc: stable@vger.kernel.org +Reviewed-by: Jarkko Sakkinen +Link: https://lore.kernel.org/r/20230820173237.2579-1-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + fs/verity/signature.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/fs/verity/signature.c ++++ b/fs/verity/signature.c +@@ -54,6 +54,22 @@ int fsverity_verify_signature(const stru + return 0; + } + ++ if (fsverity_keyring->keys.nr_leaves_on_tree == 0) { ++ /* ++ * The ".fs-verity" keyring is empty, due to builtin signatures ++ * being supported by the kernel but not actually being used. ++ * In this case, verify_pkcs7_signature() would always return an ++ * error, usually ENOKEY. It could also be EBADMSG if the ++ * PKCS#7 is malformed, but that isn't very important to ++ * distinguish. So, just skip to ENOKEY to avoid the attack ++ * surface of the PKCS#7 parser, which would otherwise be ++ * reachable by any task able to execute FS_IOC_ENABLE_VERITY. ++ */ ++ fsverity_err(inode, ++ "fs-verity keyring is empty, rejecting signed file!"); ++ return -ENOKEY; ++ } ++ + d = kzalloc(sizeof(*d) + hash_alg->digest_size, GFP_KERNEL); + if (!d) + return -ENOMEM; diff --git a/queue-6.4/mmc-renesas_sdhi-register-irqs-before-registering-controller.patch b/queue-6.4/mmc-renesas_sdhi-register-irqs-before-registering-controller.patch new file mode 100644 index 00000000000..c6d88427333 --- /dev/null +++ b/queue-6.4/mmc-renesas_sdhi-register-irqs-before-registering-controller.patch @@ -0,0 +1,58 @@ +From 74f45de394d979cc7770271f92fafa53e1ed3119 Mon Sep 17 00:00:00 2001 +From: Wolfram Sang +Date: Wed, 12 Jul 2023 16:00:11 +0200 +Subject: mmc: renesas_sdhi: register irqs before registering controller + +From: Wolfram Sang + +commit 74f45de394d979cc7770271f92fafa53e1ed3119 upstream. + +IRQs should be ready to serve when we call mmc_add_host() via +tmio_mmc_host_probe(). To achieve that, ensure that all irqs are masked +before registering the handlers. + +Signed-off-by: Wolfram Sang +Tested-by: Biju Das +Reviewed-by: Geert Uytterhoeven +Tested-by: Geert Uytterhoeven +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230712140011.18602-1-wsa+renesas@sang-engineering.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/renesas_sdhi_core.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/host/renesas_sdhi_core.c ++++ b/drivers/mmc/host/renesas_sdhi_core.c +@@ -1006,6 +1006,8 @@ int renesas_sdhi_probe(struct platform_d + host->sdcard_irq_setbit_mask = TMIO_STAT_ALWAYS_SET_27; + host->sdcard_irq_mask_all = TMIO_MASK_ALL_RCAR2; + host->reset = renesas_sdhi_reset; ++ } else { ++ host->sdcard_irq_mask_all = TMIO_MASK_ALL; + } + + /* Orginally registers were 16 bit apart, could be 32 or 64 nowadays */ +@@ -1100,9 +1102,7 @@ int renesas_sdhi_probe(struct platform_d + host->ops.hs400_complete = renesas_sdhi_hs400_complete; + } + +- ret = tmio_mmc_host_probe(host); +- if (ret < 0) +- goto edisclk; ++ sd_ctrl_write32_as_16_and_16(host, CTL_IRQ_MASK, host->sdcard_irq_mask_all); + + num_irqs = platform_irq_count(pdev); + if (num_irqs < 0) { +@@ -1129,6 +1129,10 @@ int renesas_sdhi_probe(struct platform_d + goto eirq; + } + ++ ret = tmio_mmc_host_probe(host); ++ if (ret < 0) ++ goto edisclk; ++ + dev_info(&pdev->dev, "%s base at %pa, max clock rate %u MHz\n", + mmc_hostname(host->mmc), &res->start, host->mmc->f_max / 1000000); + diff --git a/queue-6.4/net-handle-arphrd_ppp-in-dev_is_mac_header_xmit.patch b/queue-6.4/net-handle-arphrd_ppp-in-dev_is_mac_header_xmit.patch new file mode 100644 index 00000000000..d2ade7b9a9f --- /dev/null +++ b/queue-6.4/net-handle-arphrd_ppp-in-dev_is_mac_header_xmit.patch @@ -0,0 +1,38 @@ +From a4f39c9f14a634e4cd35fcd338c239d11fcc73fc Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel +Date: Wed, 23 Aug 2023 15:41:02 +0200 +Subject: net: handle ARPHRD_PPP in dev_is_mac_header_xmit() + +From: Nicolas Dichtel + +commit a4f39c9f14a634e4cd35fcd338c239d11fcc73fc upstream. + +The goal is to support a bpf_redirect() from an ethernet device (ingress) +to a ppp device (egress). +The l2 header is added automatically by the ppp driver, thus the ethernet +header should be removed. + +CC: stable@vger.kernel.org +Fixes: 27b29f63058d ("bpf: add bpf_redirect() helper") +Signed-off-by: Nicolas Dichtel +Tested-by: Siwar Zitouni +Reviewed-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/if_arp.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/include/linux/if_arp.h ++++ b/include/linux/if_arp.h +@@ -53,6 +53,10 @@ static inline bool dev_is_mac_header_xmi + case ARPHRD_NONE: + case ARPHRD_RAWIP: + case ARPHRD_PIMREG: ++ /* PPP adds its l2 header automatically in ppp_start_xmit(). ++ * This makes it look like an l3 device to __bpf_redirect() and tcf_mirred_init(). ++ */ ++ case ARPHRD_PPP: + return false; + default: + return true; diff --git a/queue-6.4/platform-chrome-chromeos_acpi-print-hex-string-for-acpi_type_buffer.patch b/queue-6.4/platform-chrome-chromeos_acpi-print-hex-string-for-acpi_type_buffer.patch new file mode 100644 index 00000000000..7ac8314dd4e --- /dev/null +++ b/queue-6.4/platform-chrome-chromeos_acpi-print-hex-string-for-acpi_type_buffer.patch @@ -0,0 +1,74 @@ +From 0820debb7d489e9eb1f68b7bb69e6ae210699b3f Mon Sep 17 00:00:00 2001 +From: Tzung-Bi Shih +Date: Thu, 3 Aug 2023 09:12:45 +0800 +Subject: platform/chrome: chromeos_acpi: print hex string for ACPI_TYPE_BUFFER + +From: Tzung-Bi Shih + +commit 0820debb7d489e9eb1f68b7bb69e6ae210699b3f upstream. + +`element->buffer.pointer` should be binary blob. `%s` doesn't work +perfect for them. + +Print hex string for ACPI_TYPE_BUFFER. Also update the documentation +to reflect this. + +Fixes: 0a4cad9c11ad ("platform/chrome: Add ChromeOS ACPI device driver") +Cc: stable@vger.kernel.org +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20230803011245.3773756-1-tzungbi@kernel.org +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/ABI/testing/sysfs-driver-chromeos-acpi | 2 - + drivers/platform/chrome/chromeos_acpi.c | 31 ++++++++++++++++++- + 2 files changed, 31 insertions(+), 2 deletions(-) + +--- a/Documentation/ABI/testing/sysfs-driver-chromeos-acpi ++++ b/Documentation/ABI/testing/sysfs-driver-chromeos-acpi +@@ -134,4 +134,4 @@ KernelVersion: 5.19 + Description: + Returns the verified boot data block shared between the + firmware verification step and the kernel verification step +- (binary). ++ (hex dump). +--- a/drivers/platform/chrome/chromeos_acpi.c ++++ b/drivers/platform/chrome/chromeos_acpi.c +@@ -90,7 +90,36 @@ static int chromeos_acpi_handle_package( + case ACPI_TYPE_STRING: + return sysfs_emit(buf, "%s\n", element->string.pointer); + case ACPI_TYPE_BUFFER: +- return sysfs_emit(buf, "%s\n", element->buffer.pointer); ++ { ++ int i, r, at, room_left; ++ const int byte_per_line = 16; ++ ++ at = 0; ++ room_left = PAGE_SIZE - 1; ++ for (i = 0; i < element->buffer.length && room_left; i += byte_per_line) { ++ r = hex_dump_to_buffer(element->buffer.pointer + i, ++ element->buffer.length - i, ++ byte_per_line, 1, buf + at, room_left, ++ false); ++ if (r > room_left) ++ goto truncating; ++ at += r; ++ room_left -= r; ++ ++ r = sysfs_emit_at(buf, at, "\n"); ++ if (!r) ++ goto truncating; ++ at += r; ++ room_left -= r; ++ } ++ ++ buf[at] = 0; ++ return at; ++truncating: ++ dev_info_once(dev, "truncating sysfs content for %s\n", name); ++ sysfs_emit_at(buf, PAGE_SIZE - 4, "..\n"); ++ return PAGE_SIZE - 1; ++ } + default: + dev_err(dev, "element type %d not supported\n", element->type); + return -EINVAL; diff --git a/queue-6.4/pstore-ram-check-start-of-empty-przs-during-init.patch b/queue-6.4/pstore-ram-check-start-of-empty-przs-during-init.patch new file mode 100644 index 00000000000..3ae4d96d588 --- /dev/null +++ b/queue-6.4/pstore-ram-check-start-of-empty-przs-during-init.patch @@ -0,0 +1,60 @@ +From fe8c3623ab06603eb760444a032d426542212021 Mon Sep 17 00:00:00 2001 +From: Enlin Mu +Date: Tue, 1 Aug 2023 14:04:32 +0800 +Subject: pstore/ram: Check start of empty przs during init + +From: Enlin Mu + +commit fe8c3623ab06603eb760444a032d426542212021 upstream. + +After commit 30696378f68a ("pstore/ram: Do not treat empty buffers as +valid"), initialization would assume a prz was valid after seeing that +the buffer_size is zero (regardless of the buffer start position). This +unchecked start value means it could be outside the bounds of the buffer, +leading to future access panics when written to: + + sysdump_panic_event+0x3b4/0x5b8 + atomic_notifier_call_chain+0x54/0x90 + panic+0x1c8/0x42c + die+0x29c/0x2a8 + die_kernel_fault+0x68/0x78 + __do_kernel_fault+0x1c4/0x1e0 + do_bad_area+0x40/0x100 + do_translation_fault+0x68/0x80 + do_mem_abort+0x68/0xf8 + el1_da+0x1c/0xc0 + __raw_writeb+0x38/0x174 + __memcpy_toio+0x40/0xac + persistent_ram_update+0x44/0x12c + persistent_ram_write+0x1a8/0x1b8 + ramoops_pstore_write+0x198/0x1e8 + pstore_console_write+0x94/0xe0 + ... + +To avoid this, also check if the prz start is 0 during the initialization +phase. If not, the next prz sanity check case will discover it (start > +size) and zap the buffer back to a sane state. + +Fixes: 30696378f68a ("pstore/ram: Do not treat empty buffers as valid") +Cc: Yunlong Xing +Cc: stable@vger.kernel.org +Signed-off-by: Enlin Mu +Link: https://lore.kernel.org/r/20230801060432.1307717-1-yunlong.xing@unisoc.com +[kees: update commit log with backtrace and clarifications] +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman +--- + fs/pstore/ram_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/pstore/ram_core.c ++++ b/fs/pstore/ram_core.c +@@ -519,7 +519,7 @@ static int persistent_ram_post_init(stru + sig ^= PERSISTENT_RAM_SIG; + + if (prz->buffer->sig == sig) { +- if (buffer_size(prz) == 0) { ++ if (buffer_size(prz) == 0 && buffer_start(prz) == 0) { + pr_debug("found existing empty buffer\n"); + return 0; + } diff --git a/queue-6.4/r8169-fix-aspm-related-issues-on-a-number-of-systems-with-nic-version-from-rtl8168h.patch b/queue-6.4/r8169-fix-aspm-related-issues-on-a-number-of-systems-with-nic-version-from-rtl8168h.patch new file mode 100644 index 00000000000..46321f69055 --- /dev/null +++ b/queue-6.4/r8169-fix-aspm-related-issues-on-a-number-of-systems-with-nic-version-from-rtl8168h.patch @@ -0,0 +1,38 @@ +From 90ca51e8c654699b672ba61aeaa418dfb3252e5e Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Fri, 25 Aug 2023 21:44:01 +0200 +Subject: r8169: fix ASPM-related issues on a number of systems with NIC version from RTL8168h + +From: Heiner Kallweit + +commit 90ca51e8c654699b672ba61aeaa418dfb3252e5e upstream. + +This effectively reverts 4b5f82f6aaef. On a number of systems ASPM L1 +causes tx timeouts with RTL8168h, see referenced bug report. + +Fixes: 4b5f82f6aaef ("r8169: enable ASPM L1/L1.1 from RTL8168h") +Cc: stable@vger.kernel.org +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217814 +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169_main.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -5241,13 +5241,9 @@ static int rtl_init_one(struct pci_dev * + + /* Disable ASPM L1 as that cause random device stop working + * problems as well as full system hangs for some PCIe devices users. +- * Chips from RTL8168h partially have issues with L1.2, but seem +- * to work fine with L1 and L1.1. + */ + if (rtl_aspm_is_safe(tp)) + rc = 0; +- else if (tp->mac_version >= RTL_GIGA_MAC_VER_46) +- rc = pci_disable_link_state(pdev, PCIE_LINK_STATE_L1_2); + else + rc = pci_disable_link_state(pdev, PCIE_LINK_STATE_L1); + tp->aspm_manageable = !rc; diff --git a/queue-6.4/regulator-dt-bindings-qcom-rpm-fix-pattern-for-children.patch b/queue-6.4/regulator-dt-bindings-qcom-rpm-fix-pattern-for-children.patch new file mode 100644 index 00000000000..7a0c9cea5a1 --- /dev/null +++ b/queue-6.4/regulator-dt-bindings-qcom-rpm-fix-pattern-for-children.patch @@ -0,0 +1,40 @@ +From 75d9bf03e2fa38242b35e941ce7c7cdabe479961 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Tue, 25 Jul 2023 18:40:47 +0200 +Subject: regulator: dt-bindings: qcom,rpm: fix pattern for children + +From: Krzysztof Kozlowski + +commit 75d9bf03e2fa38242b35e941ce7c7cdabe479961 upstream. + +The "or" (|) in regular expression must be within parentheses, +otherwise it is not really an "or" and it matches supplies: + + qcom-apq8060-dragonboard.dtb: regulators-1: vdd_ncp-supply: [[34]] is not of type 'object' + +Fixes: fde0e25b71a9 ("dt-bindings: regulators: convert non-smd RPM Regulators bindings to dt-schema") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20230725164047.368892-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + .../devicetree/bindings/regulator/qcom,rpm-regulator.yaml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/devicetree/bindings/regulator/qcom,rpm-regulator.yaml b/Documentation/devicetree/bindings/regulator/qcom,rpm-regulator.yaml +index 8a08698e3484..b4eb4001eb3d 100644 +--- a/Documentation/devicetree/bindings/regulator/qcom,rpm-regulator.yaml ++++ b/Documentation/devicetree/bindings/regulator/qcom,rpm-regulator.yaml +@@ -49,7 +49,7 @@ patternProperties: + ".*-supply$": + description: Input supply phandle(s) for this node + +- "^((s|l|lvs)[0-9]*)|(s[1-2][a-b])|(ncp)|(mvs)|(usb-switch)|(hdmi-switch)$": ++ "^((s|l|lvs)[0-9]*|s[1-2][a-b]|ncp|mvs|usb-switch|hdmi-switch)$": + description: List of regulators and its properties + $ref: regulator.yaml# + unevaluatedProperties: false +-- +2.42.0 + diff --git a/queue-6.4/series b/queue-6.4/series index 0b593d1bc49..f450f0844b9 100644 --- a/queue-6.4/series +++ b/queue-6.4/series @@ -689,3 +689,17 @@ parisc-fix-proc-cpuinfo-output-for-lscpu.patch misc-fastrpc-pass-proper-scm-arguments-for-static-process-init.patch drm-amd-display-add-smu-write-msg-id-fail-retry-process.patch bpf-fix-issue-in-verifying-allow_ptr_leaks.patch +dlm-fix-plock-lookup-when-using-multiple-lockspaces.patch +dccp-fix-out-of-bounds-access-in-dccp-error-handler.patch +x86-sev-make-enc_dec_hypercall-accept-a-size-instead-of-npages.patch +r8169-fix-aspm-related-issues-on-a-number-of-systems-with-nic-version-from-rtl8168h.patch +x.509-if-signature-is-unsupported-skip-validation.patch +net-handle-arphrd_ppp-in-dev_is_mac_header_xmit.patch +fsverity-skip-pkcs-7-parser-when-keyring-is-empty.patch +x86-mce-always-save-cs-register-on-amd-zen-if-poison-errors.patch +crypto-af_alg-decrement-struct-key.usage-in-alg_set_by_key_serial.patch +platform-chrome-chromeos_acpi-print-hex-string-for-acpi_type_buffer.patch +mmc-renesas_sdhi-register-irqs-before-registering-controller.patch +pstore-ram-check-start-of-empty-przs-during-init.patch +arm64-sdei-abort-running-sdei-handlers-during-crash.patch +regulator-dt-bindings-qcom-rpm-fix-pattern-for-children.patch diff --git a/queue-6.4/x.509-if-signature-is-unsupported-skip-validation.patch b/queue-6.4/x.509-if-signature-is-unsupported-skip-validation.patch new file mode 100644 index 00000000000..d9c0f560eb6 --- /dev/null +++ b/queue-6.4/x.509-if-signature-is-unsupported-skip-validation.patch @@ -0,0 +1,45 @@ +From ef5b52a631f8c18353e80ccab8408b963305510c Mon Sep 17 00:00:00 2001 +From: Thore Sommer +Date: Tue, 15 Aug 2023 14:29:42 +0300 +Subject: X.509: if signature is unsupported skip validation + +From: Thore Sommer + +commit ef5b52a631f8c18353e80ccab8408b963305510c upstream. + +When the hash algorithm for the signature is not available the digest size +is 0 and the signature in the certificate is marked as unsupported. + +When validating a self-signed certificate, this needs to be checked, +because otherwise trying to validate the signature will fail with an +warning: + +Loading compiled-in X.509 certificates +WARNING: CPU: 0 PID: 1 at crypto/rsa-pkcs1pad.c:537 \ +pkcs1pad_verify+0x46/0x12c +... +Problem loading in-kernel X.509 certificate (-22) + +Signed-off-by: Thore Sommer +Cc: stable@vger.kernel.org # v4.7+ +Fixes: 6c2dc5ae4ab7 ("X.509: Extract signature digest and make self-signed cert checks earlier") +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + crypto/asymmetric_keys/x509_public_key.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/crypto/asymmetric_keys/x509_public_key.c ++++ b/crypto/asymmetric_keys/x509_public_key.c +@@ -117,6 +117,11 @@ int x509_check_for_self_signed(struct x5 + goto out; + } + ++ if (cert->unsupported_sig) { ++ ret = 0; ++ goto out; ++ } ++ + ret = public_key_verify_signature(cert->pub, cert->sig); + if (ret < 0) { + if (ret == -ENOPKG) { diff --git a/queue-6.4/x86-mce-always-save-cs-register-on-amd-zen-if-poison-errors.patch b/queue-6.4/x86-mce-always-save-cs-register-on-amd-zen-if-poison-errors.patch new file mode 100644 index 00000000000..57b4edcc031 --- /dev/null +++ b/queue-6.4/x86-mce-always-save-cs-register-on-amd-zen-if-poison-errors.patch @@ -0,0 +1,110 @@ +From 4240e2ebe67941ce2c4f5c866c3af4b5ac7a0c67 Mon Sep 17 00:00:00 2001 +From: Yazen Ghannam +Date: Mon, 14 Aug 2023 15:08:53 -0500 +Subject: x86/MCE: Always save CS register on AMD Zen IF Poison errors + +From: Yazen Ghannam + +commit 4240e2ebe67941ce2c4f5c866c3af4b5ac7a0c67 upstream. + +The Instruction Fetch (IF) units on current AMD Zen-based systems do not +guarantee a synchronous #MC is delivered for poison consumption errors. +Therefore, MCG_STATUS[EIPV|RIPV] will not be set. However, the +microarchitecture does guarantee that the exception is delivered within +the same context. In other words, the exact rIP is not known, but the +context is known to not have changed. + +There is no architecturally-defined method to determine this behavior. + +The Code Segment (CS) register is always valid on such IF unit poison +errors regardless of the value of MCG_STATUS[EIPV|RIPV]. + +Add a quirk to save the CS register for poison consumption from the IF +unit banks. + +This is needed to properly determine the context of the error. +Otherwise, the severity grading function will assume the context is +IN_KERNEL due to the m->cs value being 0 (the initialized value). This +leads to unnecessary kernel panics on data poison errors due to the +kernel believing the poison consumption occurred in kernel context. + +Signed-off-by: Yazen Ghannam +Signed-off-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230814200853.29258-1-yazen.ghannam@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/mce/core.c | 26 ++++++++++++++++++++++++++ + arch/x86/kernel/cpu/mce/internal.h | 5 ++++- + 2 files changed, 30 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/mce/core.c ++++ b/arch/x86/kernel/cpu/mce/core.c +@@ -843,6 +843,26 @@ static noinstr bool quirk_skylake_repmov + } + + /* ++ * Some Zen-based Instruction Fetch Units set EIPV=RIPV=0 on poison consumption ++ * errors. This means mce_gather_info() will not save the "ip" and "cs" registers. ++ * ++ * However, the context is still valid, so save the "cs" register for later use. ++ * ++ * The "ip" register is truly unknown, so don't save it or fixup EIPV/RIPV. ++ * ++ * The Instruction Fetch Unit is at MCA bank 1 for all affected systems. ++ */ ++static __always_inline void quirk_zen_ifu(int bank, struct mce *m, struct pt_regs *regs) ++{ ++ if (bank != 1) ++ return; ++ if (!(m->status & MCI_STATUS_POISON)) ++ return; ++ ++ m->cs = regs->cs; ++} ++ ++/* + * Do a quick check if any of the events requires a panic. + * This decides if we keep the events around or clear them. + */ +@@ -861,6 +881,9 @@ static __always_inline int mce_no_way_ou + if (mce_flags.snb_ifu_quirk) + quirk_sandybridge_ifu(i, m, regs); + ++ if (mce_flags.zen_ifu_quirk) ++ quirk_zen_ifu(i, m, regs); ++ + m->bank = i; + if (mce_severity(m, regs, &tmp, true) >= MCE_PANIC_SEVERITY) { + mce_read_aux(m, i); +@@ -1842,6 +1865,9 @@ static int __mcheck_cpu_apply_quirks(str + if (c->x86 == 0x15 && c->x86_model <= 0xf) + mce_flags.overflow_recov = 1; + ++ if (c->x86 >= 0x17 && c->x86 <= 0x1A) ++ mce_flags.zen_ifu_quirk = 1; ++ + } + + if (c->x86_vendor == X86_VENDOR_INTEL) { +--- a/arch/x86/kernel/cpu/mce/internal.h ++++ b/arch/x86/kernel/cpu/mce/internal.h +@@ -157,6 +157,9 @@ struct mce_vendor_flags { + */ + smca : 1, + ++ /* Zen IFU quirk */ ++ zen_ifu_quirk : 1, ++ + /* AMD-style error thresholding banks present. */ + amd_threshold : 1, + +@@ -172,7 +175,7 @@ struct mce_vendor_flags { + /* Skylake, Cascade Lake, Cooper Lake REP;MOVS* quirk */ + skx_repmov_quirk : 1, + +- __reserved_0 : 56; ++ __reserved_0 : 55; + }; + + extern struct mce_vendor_flags mce_flags; diff --git a/queue-6.4/x86-sev-make-enc_dec_hypercall-accept-a-size-instead-of-npages.patch b/queue-6.4/x86-sev-make-enc_dec_hypercall-accept-a-size-instead-of-npages.patch new file mode 100644 index 00000000000..826e8bf098b --- /dev/null +++ b/queue-6.4/x86-sev-make-enc_dec_hypercall-accept-a-size-instead-of-npages.patch @@ -0,0 +1,114 @@ +From ac3f9c9f1b37edaa7d1a9b908bc79d843955a1a2 Mon Sep 17 00:00:00 2001 +From: Steve Rutherford +Date: Thu, 24 Aug 2023 15:37:31 -0700 +Subject: x86/sev: Make enc_dec_hypercall() accept a size instead of npages + +From: Steve Rutherford + +commit ac3f9c9f1b37edaa7d1a9b908bc79d843955a1a2 upstream. + +enc_dec_hypercall() accepted a page count instead of a size, which +forced its callers to round up. As a result, non-page aligned +vaddrs caused pages to be spuriously marked as decrypted via the +encryption status hypercall, which in turn caused consistent +corruption of pages during live migration. Live migration requires +accurate encryption status information to avoid migrating pages +from the wrong perspective. + +Fixes: 064ce6c550a0 ("mm: x86: Invoke hypercall when page encryption status is changed") +Signed-off-by: Steve Rutherford +Signed-off-by: Ingo Molnar +Reviewed-by: Tom Lendacky +Reviewed-by: Pankaj Gupta +Tested-by: Ben Hillier +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230824223731.2055016-1-srutherford@google.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/mem_encrypt.h | 6 +++--- + arch/x86/kernel/kvm.c | 4 +--- + arch/x86/mm/mem_encrypt_amd.c | 13 ++++++------- + 3 files changed, 10 insertions(+), 13 deletions(-) + +--- a/arch/x86/include/asm/mem_encrypt.h ++++ b/arch/x86/include/asm/mem_encrypt.h +@@ -50,8 +50,8 @@ void __init sme_enable(struct boot_param + + int __init early_set_memory_decrypted(unsigned long vaddr, unsigned long size); + int __init early_set_memory_encrypted(unsigned long vaddr, unsigned long size); +-void __init early_set_mem_enc_dec_hypercall(unsigned long vaddr, int npages, +- bool enc); ++void __init early_set_mem_enc_dec_hypercall(unsigned long vaddr, ++ unsigned long size, bool enc); + + void __init mem_encrypt_free_decrypted_mem(void); + +@@ -85,7 +85,7 @@ early_set_memory_decrypted(unsigned long + static inline int __init + early_set_memory_encrypted(unsigned long vaddr, unsigned long size) { return 0; } + static inline void __init +-early_set_mem_enc_dec_hypercall(unsigned long vaddr, int npages, bool enc) {} ++early_set_mem_enc_dec_hypercall(unsigned long vaddr, unsigned long size, bool enc) {} + + static inline void mem_encrypt_free_decrypted_mem(void) { } + +--- a/arch/x86/kernel/kvm.c ++++ b/arch/x86/kernel/kvm.c +@@ -966,10 +966,8 @@ static void __init kvm_init_platform(voi + * Ensure that _bss_decrypted section is marked as decrypted in the + * shared pages list. + */ +- nr_pages = DIV_ROUND_UP(__end_bss_decrypted - __start_bss_decrypted, +- PAGE_SIZE); + early_set_mem_enc_dec_hypercall((unsigned long)__start_bss_decrypted, +- nr_pages, 0); ++ __end_bss_decrypted - __start_bss_decrypted, 0); + + /* + * If not booted using EFI, enable Live migration support. +--- a/arch/x86/mm/mem_encrypt_amd.c ++++ b/arch/x86/mm/mem_encrypt_amd.c +@@ -288,11 +288,10 @@ static bool amd_enc_cache_flush_required + return !cpu_feature_enabled(X86_FEATURE_SME_COHERENT); + } + +-static void enc_dec_hypercall(unsigned long vaddr, int npages, bool enc) ++static void enc_dec_hypercall(unsigned long vaddr, unsigned long size, bool enc) + { + #ifdef CONFIG_PARAVIRT +- unsigned long sz = npages << PAGE_SHIFT; +- unsigned long vaddr_end = vaddr + sz; ++ unsigned long vaddr_end = vaddr + size; + + while (vaddr < vaddr_end) { + int psize, pmask, level; +@@ -342,7 +341,7 @@ static bool amd_enc_status_change_finish + snp_set_memory_private(vaddr, npages); + + if (!cc_platform_has(CC_ATTR_HOST_MEM_ENCRYPT)) +- enc_dec_hypercall(vaddr, npages, enc); ++ enc_dec_hypercall(vaddr, npages << PAGE_SHIFT, enc); + + return true; + } +@@ -466,7 +465,7 @@ static int __init early_set_memory_enc_d + + ret = 0; + +- early_set_mem_enc_dec_hypercall(start, PAGE_ALIGN(size) >> PAGE_SHIFT, enc); ++ early_set_mem_enc_dec_hypercall(start, size, enc); + out: + __flush_tlb_all(); + return ret; +@@ -482,9 +481,9 @@ int __init early_set_memory_encrypted(un + return early_set_memory_enc_dec(vaddr, size, true); + } + +-void __init early_set_mem_enc_dec_hypercall(unsigned long vaddr, int npages, bool enc) ++void __init early_set_mem_enc_dec_hypercall(unsigned long vaddr, unsigned long size, bool enc) + { +- enc_dec_hypercall(vaddr, npages, enc); ++ enc_dec_hypercall(vaddr, size, enc); + } + + void __init sme_early_init(void)