From: Greg Kroah-Hartman Date: Wed, 26 Oct 2022 15:19:48 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.10.151~54 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cfc9bc4e1b536deb45b435f32a766071976d6f65;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: arm64-errata-remove-aes-hwcap-for-compat-tasks.patch ata-ahci-imx-fix-module_alias.patch ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch btrfs-enhance-unsupported-compat-ro-flags-handling.patch cpufreq-qcom-fix-memory-leak-in-error-path.patch cpufreq-qcom-fix-writes-in-read-only-memory-region.patch cpufreq-tegra194-fix-module-loading.patch drm-amdgpu-fix-sdma-doorbell-init-ordering-on-apus.patch hwmon-coretemp-handle-large-core-id-value.patch i2c-qcom-cci-fix-ordering-of-pm_runtime_xx-and-i2c_add_adapter.patch kvm-add-support-for-arch-compat-vm-ioctls.patch kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch media-ipu3-imgu-fix-null-pointer-dereference-in-active-selection-access.patch media-mceusb-set-timeout-to-at-least-timeout-provided.patch media-venus-dec-handle-the-case-where-find_format-fails.patch mm-hugetlb-take-hugetlb_lock-before-decrementing-h-resv_huge_pages.patch ocfs2-clear-dinode-links-count-in-case-of-error.patch ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch perf-x86-intel-pt-relax-address-filter-validation.patch selinux-enable-use-of-both-gfp_kernel-and-gfp_atomic-in-convert_context.patch x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch x86-resctrl-fix-min_cbm_bits-for-amd.patch --- diff --git a/queue-5.15/arm64-errata-remove-aes-hwcap-for-compat-tasks.patch b/queue-5.15/arm64-errata-remove-aes-hwcap-for-compat-tasks.patch new file mode 100644 index 00000000000..ab49e622828 --- /dev/null +++ b/queue-5.15/arm64-errata-remove-aes-hwcap-for-compat-tasks.patch 
@@ -0,0 +1,165 @@ +From 44b3834b2eed595af07021b1c64e6f9bc396398b Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Thu, 14 Jul 2022 17:15:23 +0100 +Subject: arm64: errata: Remove AES hwcap for COMPAT tasks + +From: James Morse + +commit 44b3834b2eed595af07021b1c64e6f9bc396398b upstream. + +Cortex-A57 and Cortex-A72 have an erratum where an interrupt that +occurs between a pair of AES instructions in aarch32 mode may corrupt +the ELR. The task will subsequently produce the wrong AES result. + +The AES instructions are part of the cryptographic extensions, which are +optional. User-space software will detect the support for these +instructions from the hwcaps. If the platform doesn't support these +instructions a software implementation should be used. + +Remove the hwcap bits on affected parts to indicate user-space should +not use the AES instructions. + +Acked-by: Ard Biesheuvel +Signed-off-by: James Morse +Link: https://lore.kernel.org/r/20220714161523.279570-3-james.morse@arm.com +Signed-off-by: Will Deacon +[florian: resolved conflicts in arch/arm64/tools/cpucaps and cpu_errata.c] +Signed-off-by: Florian Fainelli +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/arm64/silicon-errata.rst | 4 ++++ + arch/arm64/Kconfig | 16 ++++++++++++++++ + arch/arm64/kernel/cpu_errata.c | 16 ++++++++++++++++ + arch/arm64/kernel/cpufeature.c | 14 +++++++++++++- + arch/arm64/tools/cpucaps | 1 + + 5 files changed, 50 insertions(+), 1 deletion(-) + +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -78,10 +78,14 @@ stable kernels. 
+ +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A57 | #1319537 | ARM64_ERRATUM_1319367 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A57 | #1742098 | ARM64_ERRATUM_1742098 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A72 | #853709 | N/A | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A72 | #1319367 | ARM64_ERRATUM_1319367 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A72 | #1655431 | ARM64_ERRATUM_1742098 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A73 | #858921 | ARM64_ERRATUM_858921 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A76 | #1188873,1418040| ARM64_ERRATUM_1418040 | +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -487,6 +487,22 @@ config ARM64_ERRATUM_834220 + + If unsure, say Y. + ++config ARM64_ERRATUM_1742098 ++ bool "Cortex-A57/A72: 1742098: ELR recorded incorrectly on interrupt taken between cryptographic instructions in a sequence" ++ depends on COMPAT ++ default y ++ help ++ This option removes the AES hwcap for aarch32 user-space to ++ workaround erratum 1742098 on Cortex-A57 and Cortex-A72. ++ ++ Affected parts may corrupt the AES state if an interrupt is ++ taken between a pair of AES instructions. These instructions ++ are only present if the cryptography extensions are present. ++ All software should have a fallback implementation for CPUs ++ that don't implement the cryptography extensions. ++ ++ If unsure, say Y. 
++ + config ARM64_ERRATUM_845719 + bool "Cortex-A53: 845719: a load might read incorrect data" + depends on COMPAT +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -355,6 +355,14 @@ static const struct midr_range erratum_1 + }; + #endif + ++#ifdef CONFIG_ARM64_ERRATUM_1742098 ++static struct midr_range broken_aarch32_aes[] = { ++ MIDR_RANGE(MIDR_CORTEX_A57, 0, 1, 0xf, 0xf), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A72), ++ {}, ++}; ++#endif ++ + const struct arm64_cpu_capabilities arm64_errata[] = { + #ifdef CONFIG_ARM64_WORKAROUND_CLEAN_CACHE + { +@@ -565,6 +573,14 @@ const struct arm64_cpu_capabilities arm6 + CAP_MIDR_RANGE(MIDR_CORTEX_A510, 0, 0, 1, 1) + }, + #endif ++#ifdef CONFIG_ARM64_ERRATUM_1742098 ++ { ++ .desc = "ARM erratum 1742098", ++ .capability = ARM64_WORKAROUND_1742098, ++ CAP_MIDR_RANGE_LIST(broken_aarch32_aes), ++ .type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM, ++ }, ++#endif + { + } + }; +--- a/arch/arm64/kernel/cpufeature.c ++++ b/arch/arm64/kernel/cpufeature.c +@@ -79,6 +79,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1915,6 +1916,14 @@ static void cpu_enable_mte(struct arm64_ + } + #endif /* CONFIG_ARM64_MTE */ + ++static void elf_hwcap_fixup(void) ++{ ++#ifdef CONFIG_ARM64_ERRATUM_1742098 ++ if (cpus_have_const_cap(ARM64_WORKAROUND_1742098)) ++ compat_elf_hwcap2 &= ~COMPAT_HWCAP2_AES; ++#endif /* ARM64_ERRATUM_1742098 */ ++} ++ + #ifdef CONFIG_KVM + static bool is_kvm_protected_mode(const struct arm64_cpu_capabilities *entry, int __unused) + { +@@ -2942,8 +2951,10 @@ void __init setup_cpu_features(void) + setup_system_capabilities(); + setup_elf_hwcaps(arm64_elf_hwcaps); + +- if (system_supports_32bit_el0()) ++ if (system_supports_32bit_el0()) { + setup_elf_hwcaps(compat_elf_hwcaps); ++ elf_hwcap_fixup(); ++ } + + if (system_uses_ttbr0_pan()) + pr_info("emulated: Privileged Access Never (PAN) using TTBR0_EL1 switching\n"); +@@ -2995,6 +3006,7 @@ static int enable_mismatched_32bit_el0(u 
+ cpu_active_mask); + get_cpu_device(lucky_winner)->offline_disabled = true; + setup_elf_hwcaps(compat_elf_hwcaps); ++ elf_hwcap_fixup(); + pr_info("Asymmetric 32-bit EL0 support detected on CPU %u; CPU hot-unplug disabled on CPU %u\n", + cpu, lucky_winner); + return 0; +--- a/arch/arm64/tools/cpucaps ++++ b/arch/arm64/tools/cpucaps +@@ -54,6 +54,7 @@ WORKAROUND_1418040 + WORKAROUND_1463225 + WORKAROUND_1508412 + WORKAROUND_1542419 ++WORKAROUND_1742098 + WORKAROUND_2457168 + WORKAROUND_CAVIUM_23154 + WORKAROUND_CAVIUM_27456 diff --git a/queue-5.15/ata-ahci-imx-fix-module_alias.patch b/queue-5.15/ata-ahci-imx-fix-module_alias.patch new file mode 100644 index 00000000000..c897199836b --- /dev/null +++ b/queue-5.15/ata-ahci-imx-fix-module_alias.patch @@ -0,0 +1,30 @@ +From 979556f1521a835a059de3b117b9c6c6642c7d58 Mon Sep 17 00:00:00 2001 +From: Alexander Stein +Date: Wed, 12 Oct 2022 15:11:05 +0200 +Subject: ata: ahci-imx: Fix MODULE_ALIAS + +From: Alexander Stein + +commit 979556f1521a835a059de3b117b9c6c6642c7d58 upstream. + +'ahci:' is an invalid prefix, preventing the module from autoloading. +Fix this by using the 'platform:' prefix and DRV_NAME. + +Fixes: 9e54eae23bc9 ("ahci_imx: add ahci sata support on imx platforms") +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Stein +Reviewed-by: Fabio Estevam +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/ahci_imx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/ahci_imx.c ++++ b/drivers/ata/ahci_imx.c +@@ -1230,4 +1230,4 @@ module_platform_driver(imx_ahci_driver); + MODULE_DESCRIPTION("Freescale i.MX AHCI SATA platform driver"); + MODULE_AUTHOR("Richard Zhu "); + MODULE_LICENSE("GPL"); +-MODULE_ALIAS("ahci:imx"); ++MODULE_ALIAS("platform:" DRV_NAME); 
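Review bot: In the cpu_errata.c part of arm64-errata-remove-aes-hwcap-for-compat-tasks.patch, `broken_aarch32_aes[]` is declared `static struct midr_range` without `const`, unlike the `static const struct midr_range erratum_1…` table named in the hunk header just above it. Nothing in the visible hunks writes to the table, so I would declare it `static const struct midr_range broken_aarch32_aes[] = {`, assuming `CAP_MIDR_RANGE_LIST` accepts a const table as the neighbouring lists suggest. In cpufeature.c, `elf_hwcap_fixup()` has no comment; one line such as `/* Hide AES from aarch32 user space on parts hit by erratum 1742098 */` would record why the bit is cleared. Its `#endif` comment should also read `CONFIG_ARM64_ERRATUM_1742098` to match the `#ifdef`.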
diff --git a/queue-5.15/ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch b/queue-5.15/ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch
new file mode 100644
index 00000000000..5ae2b9ab527
--- /dev/null
+++ b/queue-5.15/ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch
@@ -0,0 +1,76 @@ +From 1e41e693f458eef2d5728207dbd327cd3b16580a Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Tue, 11 Oct 2022 10:46:17 +0800 +Subject: ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS + +From: Kai-Heng Feng + +commit 1e41e693f458eef2d5728207dbd327cd3b16580a upstream. + +UBSAN complains about array-index-out-of-bounds: +[ 1.980703] kernel: UBSAN: array-index-out-of-bounds in /build/linux-9H675w/linux-5.15.0/drivers/ata/libahci.c:968:41 +[ 1.980709] kernel: index 15 is out of range for type 'ahci_em_priv [8]' +[ 1.980713] kernel: CPU: 0 PID: 209 Comm: scsi_eh_8 Not tainted 5.15.0-25-generic #25-Ubuntu +[ 1.980716] kernel: Hardware name: System manufacturer System Product Name/P5Q3, BIOS 1102 06/11/2010 +[ 1.980718] kernel: Call Trace: +[ 1.980721] kernel: +[ 1.980723] kernel: show_stack+0x52/0x58 +[ 1.980729] kernel: dump_stack_lvl+0x4a/0x5f +[ 1.980734] kernel: dump_stack+0x10/0x12 +[ 1.980736] kernel: ubsan_epilogue+0x9/0x45 +[ 1.980739] kernel: __ubsan_handle_out_of_bounds.cold+0x44/0x49 +[ 1.980742] kernel: ahci_qc_issue+0x166/0x170 [libahci] +[ 1.980748] kernel: ata_qc_issue+0x135/0x240 +[ 1.980752] kernel: ata_exec_internal_sg+0x2c4/0x580 +[ 1.980754] kernel: ? vprintk_default+0x1d/0x20 +[ 1.980759] kernel: ata_exec_internal+0x67/0xa0 +[ 1.980762] kernel: sata_pmp_read+0x8d/0xc0 +[ 1.980765] kernel: sata_pmp_read_gscr+0x3c/0x90 +[ 1.980768] kernel: sata_pmp_attach+0x8b/0x310 +[ 1.980771] kernel: ata_eh_revalidate_and_attach+0x28c/0x4b0 +[ 1.980775] kernel: ata_eh_recover+0x6b6/0xb30 +[ 1.980778] kernel: ? ahci_do_hardreset+0x180/0x180 [libahci] +[ 1.980783] kernel: ? ahci_stop_engine+0xb0/0xb0 [libahci] +[ 1.980787] kernel: ? ahci_do_softreset+0x290/0x290 [libahci] +[ 1.980792] kernel: ? 
trace_event_raw_event_ata_eh_link_autopsy_qc+0xe0/0xe0 +[ 1.980795] kernel: sata_pmp_eh_recover.isra.0+0x214/0x560 +[ 1.980799] kernel: sata_pmp_error_handler+0x23/0x40 +[ 1.980802] kernel: ahci_error_handler+0x43/0x80 [libahci] +[ 1.980806] kernel: ata_scsi_port_error_handler+0x2b1/0x600 +[ 1.980810] kernel: ata_scsi_error+0x9c/0xd0 +[ 1.980813] kernel: scsi_error_handler+0xa1/0x180 +[ 1.980817] kernel: ? scsi_unjam_host+0x1c0/0x1c0 +[ 1.980820] kernel: kthread+0x12a/0x150 +[ 1.980823] kernel: ? set_kthread_struct+0x50/0x50 +[ 1.980826] kernel: ret_from_fork+0x22/0x30 +[ 1.980831] kernel: + +This happens because sata_pmp_init_links() initialize link->pmp up to +SATA_PMP_MAX_PORTS while em_priv is declared as 8 elements array. + +I can't find the maximum Enclosure Management ports specified in AHCI +spec v1.3.1, but "12.2.1 LED message type" states that "Port Multiplier +Information" can utilize 4 bits, which implies it can support up to 16 +ports. Hence, use SATA_PMP_MAX_PORTS as EM_MAX_SLOTS to resolve the +issue. + +BugLink: https://bugs.launchpad.net/bugs/1970074 +Cc: stable@vger.kernel.org +Signed-off-by: Kai-Heng Feng +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/ahci.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/ahci.h ++++ b/drivers/ata/ahci.h +@@ -254,7 +254,7 @@ enum { + PCS_7 = 0x94, /* 7+ port PCS (Denverton) */ + + /* em constants */ +- EM_MAX_SLOTS = 8, ++ EM_MAX_SLOTS = SATA_PMP_MAX_PORTS, + EM_MAX_RETRY = 5, + + /* em_ctl bits */ diff --git a/queue-5.15/btrfs-enhance-unsupported-compat-ro-flags-handling.patch b/queue-5.15/btrfs-enhance-unsupported-compat-ro-flags-handling.patch new file mode 100644 index 00000000000..19fd2827b36 --- /dev/null +++ b/queue-5.15/btrfs-enhance-unsupported-compat-ro-flags-handling.patch 
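Review bot: The new `EM_MAX_SLOTS = SATA_PMP_MAX_PORTS` line in drivers/ata/ahci.h has no comment saying why the two constants must agree, so a later edit to either one could bring back the out-of-bounds index shown in the UBSAN report. The commit message gives the reason (em_priv is indexed by the port-multiplier link number), and I would record it on the line itself: `EM_MAX_SLOTS = SATA_PMP_MAX_PORTS, /* em_priv[] is indexed by link->pmp */`. The indexing site in libahci.c is not part of this patch; if it has no range check of its own, which cannot be seen from here, the array size remains the only guard.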
@@ -0,0 +1,86 @@ +From 81d5d61454c365718655cfc87d8200c84e25d596 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Tue, 9 Aug 2022 13:02:16 +0800 +Subject: btrfs: enhance unsupported compat RO flags handling + +From: Qu Wenruo + +commit 81d5d61454c365718655cfc87d8200c84e25d596 upstream. + +Currently there are two corner cases not handling compat RO flags +correctly: + +- Remount + We can still mount the fs RO with compat RO flags, then remount it RW. + We should not allow any write into a fs with unsupported RO flags. + +- Still try to search block group items + In fact, behavior/on-disk format change to extent tree should not + need a full incompat flag. + + And since we can ensure fs with unsupported RO flags never got any + writes (with above case fixed), then we can even skip block group + items search at mount time. + +This patch will enhance the unsupported RO compat flags by: + +- Reject read-write remount if there are unsupported RO compat flags + +- Go dummy block group items directly for unsupported RO compat flags + In fact, only changes to chunk/subvolume/root/csum trees should go + incompat flags. + +The latter part should allow future change to extent tree to be compat +RO flags. + +Thus this patch also needs to be backported to all stable trees. + +CC: stable@vger.kernel.org # 4.9+ +Reviewed-by: Nikolay Borisov +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/block-group.c | 11 ++++++++++- + fs/btrfs/super.c | 9 +++++++++ + 2 files changed, 19 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/block-group.c ++++ b/fs/btrfs/block-group.c +@@ -2139,7 +2139,16 @@ int btrfs_read_block_groups(struct btrfs + int need_clear = 0; + u64 cache_gen; + +- if (!info->extent_root) ++ /* ++ * Either no extent root (with ibadroots rescue option) or we have ++ * unsupported RO options. The fs can never be mounted read-write, so no ++ * need to waste time searching block group items. 
++ * ++ * This also allows new extent tree related changes to be RO compat, ++ * no need for a full incompat flag. ++ */ ++ if (!info->extent_root || (btrfs_super_compat_ro_flags(info->super_copy) & ++ ~BTRFS_FEATURE_COMPAT_RO_SUPP)) + return fill_dummy_bgs(info); + + key.objectid = 0; +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -2048,6 +2048,15 @@ static int btrfs_remount(struct super_bl + ret = -EINVAL; + goto restore; + } ++ if (btrfs_super_compat_ro_flags(fs_info->super_copy) & ++ ~BTRFS_FEATURE_COMPAT_RO_SUPP) { ++ btrfs_err(fs_info, ++ "can not remount read-write due to unsupported optional flags 0x%llx", ++ btrfs_super_compat_ro_flags(fs_info->super_copy) & ++ ~BTRFS_FEATURE_COMPAT_RO_SUPP); ++ ret = -EINVAL; ++ goto restore; ++ } + if (fs_info->fs_devices->rw_devices == 0) { + ret = -EACCES; + goto restore; diff --git a/queue-5.15/cpufreq-qcom-fix-memory-leak-in-error-path.patch b/queue-5.15/cpufreq-qcom-fix-memory-leak-in-error-path.patch new file mode 100644 index 00000000000..f4db3681c42 --- /dev/null +++ b/queue-5.15/cpufreq-qcom-fix-memory-leak-in-error-path.patch 
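Review bot: The mask `btrfs_super_compat_ro_flags(...) & ~BTRFS_FEATURE_COMPAT_RO_SUPP` is written out three times across the two files, twice of them inside the new btrfs_remount() check (once in the condition, once as the btrfs_err() argument). A small helper, or a local computed once before the check, would keep the test and the logged value from drifting apart. The new comment in btrfs_read_block_groups() states that the filesystem "can never be mounted read-write"; that holds only together with the remount check added here and a mount-time check that is not visible in this patch, so the comment should name what enforces it. Both functions continue outside their hunks.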
@@ -0,0 +1,53 @@ +From 9f42cf54403a42cb092636804d2628d8ecf71e75 Mon Sep 17 00:00:00 2001 +From: Fabien Parent +Date: Sat, 15 Oct 2022 15:04:22 +0200 +Subject: cpufreq: qcom: fix memory leak in error path + +From: Fabien Parent + +commit 9f42cf54403a42cb092636804d2628d8ecf71e75 upstream. + +If for some reason the speedbin length is incorrect, then there is a +memory leak in the error path because we never free the speedbin buffer. +This commit fixes the error path to always free the speedbin buffer. + +Cc: v5.7+ # v5.7+ +Fixes: a8811ec764f9 ("cpufreq: qcom: Add support for krait based socs") +Signed-off-by: Fabien Parent +Signed-off-by: Viresh Kumar +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/qcom-cpufreq-nvmem.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/cpufreq/qcom-cpufreq-nvmem.c ++++ b/drivers/cpufreq/qcom-cpufreq-nvmem.c +@@ -215,6 +215,7 @@ static int qcom_cpufreq_krait_name_versi + int speed = 0, pvs = 0, pvs_ver = 0; + u8 *speedbin; + size_t len; ++ int ret = 0; + + speedbin = nvmem_cell_read(speedbin_nvmem, &len); + +@@ -232,7 +233,8 @@ static int qcom_cpufreq_krait_name_versi + break; + default: + dev_err(cpu_dev, "Unable to read nvmem data. Defaulting to 0!\n"); +- return -ENODEV; ++ ret = -ENODEV; ++ goto len_error; + } + + snprintf(*pvs_name, sizeof("speedXX-pvsXX-vXX"), "speed%d-pvs%d-v%d", +@@ -240,8 +242,9 @@ static int qcom_cpufreq_krait_name_versi + + drv->versions = (1 << speed); + ++len_error: + kfree(speedbin); +- return 0; ++ return ret; + } + + static const struct qcom_cpufreq_match_data match_data_kryo = { diff --git a/queue-5.15/cpufreq-qcom-fix-writes-in-read-only-memory-region.patch b/queue-5.15/cpufreq-qcom-fix-writes-in-read-only-memory-region.patch new file mode 100644 index 00000000000..2d97c43885a --- /dev/null +++ b/queue-5.15/cpufreq-qcom-fix-writes-in-read-only-memory-region.patch 
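Review bot: The new label `len_error:` in qcom_cpufreq_krait_name_version() is also the normal exit, because the success path falls through it to `kfree(speedbin)` and `return ret`, so the name reads as error-only when it is not. A neutral name such as `out:` (with `goto out;` in the `default:` case) would describe what the code does. The function starts before the hunk, so any return between `nvmem_cell_read()` and the `switch` is not visible here and should be checked for the same leak.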
@@ -0,0 +1,65 @@ +From 01039fb8e90c9cb684430414bff70cea9eb168c5 Mon Sep 17 00:00:00 2001 +From: Fabien Parent +Date: Sat, 15 Oct 2022 15:04:23 +0200 +Subject: cpufreq: qcom: fix writes in read-only memory region + +From: Fabien Parent + +commit 01039fb8e90c9cb684430414bff70cea9eb168c5 upstream. + +This commit fixes a kernel oops because of a write in some read-only memory: + + [ 9.068287] Unable to handle kernel write to read-only memory at virtual address ffff800009240ad8 + ..snip.. + [ 9.138790] Internal error: Oops: 9600004f [#1] PREEMPT SMP + ..snip.. + [ 9.269161] Call trace: + [ 9.276271] __memcpy+0x5c/0x230 + [ 9.278531] snprintf+0x58/0x80 + [ 9.282002] qcom_cpufreq_msm8939_name_version+0xb4/0x190 + [ 9.284869] qcom_cpufreq_probe+0xc8/0x39c + ..snip.. + +The following line defines a pointer that point to a char buffer stored +in read-only memory: + + char *pvs_name = "speedXX-pvsXX-vXX"; + +This pointer is meant to hold a template "speedXX-pvsXX-vXX" where the +XX values get overridden by the qcom_cpufreq_krait_name_version function. Since +the template is actually stored in read-only memory, when the function +executes the following call we get an oops: + + snprintf(*pvs_name, sizeof("speedXX-pvsXX-vXX"), "speed%d-pvs%d-v%d", + speed, pvs, pvs_ver); + +To fix this issue, we instead store the template name onto the stack by +using the following syntax: + + char pvs_name_buffer[] = "speedXX-pvsXX-vXX"; + +Because the `pvs_name` needs to be able to be assigned to NULL, the +template buffer is stored in the pvs_name_buffer and not under the +pvs_name variable. 
+ +Cc: v5.7+ # v5.7+ +Fixes: a8811ec764f9 ("cpufreq: qcom: Add support for krait based socs") +Signed-off-by: Fabien Parent +Signed-off-by: Viresh Kumar +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/qcom-cpufreq-nvmem.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/cpufreq/qcom-cpufreq-nvmem.c ++++ b/drivers/cpufreq/qcom-cpufreq-nvmem.c +@@ -264,7 +264,8 @@ static int qcom_cpufreq_probe(struct pla + struct nvmem_cell *speedbin_nvmem; + struct device_node *np; + struct device *cpu_dev; +- char *pvs_name = "speedXX-pvsXX-vXX"; ++ char pvs_name_buffer[] = "speedXX-pvsXX-vXX"; ++ char *pvs_name = pvs_name_buffer; + unsigned cpu; + const struct of_device_id *match; + int ret; diff --git a/queue-5.15/cpufreq-tegra194-fix-module-loading.patch b/queue-5.15/cpufreq-tegra194-fix-module-loading.patch new file mode 100644 index 00000000000..1be3411d8ca --- /dev/null +++ b/queue-5.15/cpufreq-tegra194-fix-module-loading.patch @@ -0,0 +1,32 @@ +From 1dcaf30725c32b26daa70d22083999972ab99c29 Mon Sep 17 00:00:00 2001 +From: Jon Hunter +Date: Tue, 11 Oct 2022 16:32:43 +0100 +Subject: cpufreq: tegra194: Fix module loading + +From: Jon Hunter + +commit 1dcaf30725c32b26daa70d22083999972ab99c29 upstream. + +When the Tegra194 CPUFREQ driver is built as a module it is not +automatically loaded as expected on Tegra194 devices. Populate the +MODULE_DEVICE_TABLE to fix this. + +Cc: v5.9+ # v5.9+ +Fixes: df320f89359c ("cpufreq: Add Tegra194 cpufreq driver") +Signed-off-by: Jon Hunter +Signed-off-by: Viresh Kumar +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/tegra194-cpufreq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/cpufreq/tegra194-cpufreq.c ++++ b/drivers/cpufreq/tegra194-cpufreq.c +@@ -279,6 +279,7 @@ static struct cpufreq_driver tegra194_cp + .init = tegra194_cpufreq_init, + .attr = cpufreq_generic_attr, + }; ++MODULE_DEVICE_TABLE(of, tegra194_cpufreq_of_match); + + static void tegra194_cpufreq_free_resources(void) + { 
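Review bot: `pvs_name_buffer[]` in qcom_cpufreq_probe() takes its size from the initializer string, while the writer quoted in the commit message bounds its `snprintf()` with `sizeof("speedXX-pvsXX-vXX")`, so the two sizes agree only because the same literal is typed in two functions. If either copy is edited, the bound no longer matches the buffer. I would add a comment on the declaration, `/* size must match the sizeof() passed to snprintf() in the *_name_version() helpers */`, or better define the template once and use it in both places. qcom_cpufreq_probe() continues outside the hunk.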
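Review bot: In cpufreq-tegra194-fix-module-loading.patch the added `MODULE_DEVICE_TABLE(of, tegra194_cpufreq_of_match);` lands directly after the `tegra194_cpufreq_driver` initializer rather than after the table it names. The definition of `tegra194_cpufreq_of_match` is not visible in the hunk; if it sits further down in this tree's file, the macro would reference an identifier that is not yet declared. The placement should be confirmed against the 5.15 source with a build, and the line moved below the `of_device_id` table if needed.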
diff --git a/queue-5.15/drm-amdgpu-fix-sdma-doorbell-init-ordering-on-apus.patch b/queue-5.15/drm-amdgpu-fix-sdma-doorbell-init-ordering-on-apus.patch
new file mode 100644
index 00000000000..7b15f68f5d8
--- /dev/null
+++ b/queue-5.15/drm-amdgpu-fix-sdma-doorbell-init-ordering-on-apus.patch
@@ -0,0 +1,88 @@ +From 50b0e4d4da09fa501e722af886f97e60a4f820d6 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 19 Oct 2022 16:57:42 -0400 +Subject: drm/amdgpu: fix sdma doorbell init ordering on APUs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 50b0e4d4da09fa501e722af886f97e60a4f820d6 upstream. + +Commit 8795e182b02d ("PCI/portdrv: Don't disable AER reporting in get_port_device_capability()") +uncovered a bug in amdgpu that required a reordering of the driver +init sequence to avoid accessing a special register on the GPU +before it was properly set up leading to an PCI AER error. This +reordering uncovered a different hw programming ordering dependency +in some APUs where the SDMA doorbells need to be programmed before +the GFX doorbells. To fix this, move the SDMA doorbell programming +back into the soc15 common code, but use the actual doorbell range +values directly rather than the values stored in the ring structure +since those will not be initialized at this point. + +This is a partial revert, but with the doorbell assignment +fixed so the proper doorbell index is set before it's used. 
+ +Fixes: e3163bc8ffdfdb ("drm/amdgpu: move nbio sdma_doorbell_range() into sdma code for vega") +Acked-by: Christian König +Signed-off-by: Alex Deucher +Cc: skhan@linuxfoundation.org +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 5 ----- + drivers/gpu/drm/amd/amdgpu/soc15.c | 21 +++++++++++++++++++++ + 2 files changed, 21 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c +@@ -1507,11 +1507,6 @@ static int sdma_v4_0_start(struct amdgpu + WREG32_SDMA(i, mmSDMA0_CNTL, temp); + + if (!amdgpu_sriov_vf(adev)) { +- ring = &adev->sdma.instance[i].ring; +- adev->nbio.funcs->sdma_doorbell_range(adev, i, +- ring->use_doorbell, ring->doorbell_index, +- adev->doorbell_index.sdma_doorbell_range); +- + /* unhalt engine */ + temp = RREG32_SDMA(i, mmSDMA0_F32_CNTL); + temp = REG_SET_FIELD(temp, SDMA0_F32_CNTL, HALT, 0); +--- a/drivers/gpu/drm/amd/amdgpu/soc15.c ++++ b/drivers/gpu/drm/amd/amdgpu/soc15.c +@@ -1416,6 +1416,20 @@ static int soc15_common_sw_fini(void *ha + return 0; + } + ++static void soc15_sdma_doorbell_range_init(struct amdgpu_device *adev) ++{ ++ int i; ++ ++ /* sdma doorbell range is programed by hypervisor */ ++ if (!amdgpu_sriov_vf(adev)) { ++ for (i = 0; i < adev->sdma.num_instances; i++) { ++ adev->nbio.funcs->sdma_doorbell_range(adev, i, ++ true, adev->doorbell_index.sdma_engine[i] << 1, ++ adev->doorbell_index.sdma_doorbell_range); ++ } ++ } ++} ++ + static int soc15_common_hw_init(void *handle) + { + struct amdgpu_device *adev = (struct amdgpu_device *)handle; +@@ -1435,6 +1449,13 @@ static int soc15_common_hw_init(void *ha + + /* enable the doorbell aperture */ + soc15_enable_doorbell_aperture(adev, true); ++ /* HW doorbell routing policy: doorbell writing not ++ * in SDMA/IH/MM/ACV range will be routed to CP. So ++ * we need to init SDMA doorbell range prior ++ * to CP ip block init and ring test. 
IH already ++ * happens before CP. ++ */ ++ soc15_sdma_doorbell_range_init(adev); + + return 0; + } diff --git a/queue-5.15/hwmon-coretemp-handle-large-core-id-value.patch b/queue-5.15/hwmon-coretemp-handle-large-core-id-value.patch new file mode 100644 index 00000000000..aa6ca52da4d --- /dev/null +++ b/queue-5.15/hwmon-coretemp-handle-large-core-id-value.patch 
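Review bot: In soc15_sdma_doorbell_range_init() the call passes a hard-coded `true` and `adev->doorbell_index.sdma_engine[i] << 1` where the removed sdma_v4_0_start() code passed `ring->use_doorbell` and `ring->doorbell_index`, and neither substitution is explained at the call site. The commit message gives the reason (the ring structure is not initialised at this point), so I would put it next to the call, e.g. `/* ring->doorbell_index is not set up yet; derive the index from sdma_engine[i] */`, and say what the `<< 1` converts. The comment above the `if` also has a typo, `programed`.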
@@ -0,0 +1,170 @@ +From 7108b80a542b9d65e44b36d64a700a83658c0b73 Mon Sep 17 00:00:00 2001 +From: Zhang Rui +Date: Fri, 14 Oct 2022 17:01:45 +0800 +Subject: hwmon/coretemp: Handle large core ID value + +From: Zhang Rui + +commit 7108b80a542b9d65e44b36d64a700a83658c0b73 upstream. + +The coretemp driver supports up to a hard-coded limit of 128 cores. + +Today, the driver can not support a core with an ID above that limit. +Yet, the encoding of core ID's is arbitrary (BIOS APIC-ID) and so they +may be sparse and they may be large. + +Update the driver to map arbitrary core ID numbers into appropriate +array indexes so that 128 cores can be supported, no matter the encoding +of core ID's. + +Signed-off-by: Zhang Rui +Signed-off-by: Dave Hansen +Acked-by: Len Brown +Acked-by: Guenter Roeck +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20221014090147.1836-3-rui.zhang@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/coretemp.c | 56 ++++++++++++++++++++++++++++++++++------------- + 1 file changed, 41 insertions(+), 15 deletions(-) + +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -46,9 +46,6 @@ MODULE_PARM_DESC(tjmax, "TjMax value in + #define TOTAL_ATTRS (MAX_CORE_ATTRS + 1) + #define MAX_CORE_DATA (NUM_REAL_CORES + BASE_SYSFS_ATTR_NO) + +-#define TO_CORE_ID(cpu) (cpu_data(cpu).cpu_core_id) +-#define TO_ATTR_NO(cpu) (TO_CORE_ID(cpu) + BASE_SYSFS_ATTR_NO) +- + #ifdef CONFIG_SMP + #define for_each_sibling(i, cpu) \ + for_each_cpu(i, topology_sibling_cpumask(cpu)) +@@ -91,6 +88,8 @@ struct temp_data { + struct platform_data { + struct device *hwmon_dev; + u16 pkg_id; ++ u16 cpu_map[NUM_REAL_CORES]; ++ struct ida ida; + struct cpumask cpumask; + struct temp_data *core_data[MAX_CORE_DATA]; + struct device_attribute name_attr; +@@ -441,7 +440,7 @@ static struct temp_data *init_temp_data( + MSR_IA32_THERM_STATUS; + tdata->is_pkg_data = pkg_flag; + tdata->cpu = cpu; +- tdata->cpu_core_id = TO_CORE_ID(cpu); ++ tdata->cpu_core_id = 
topology_core_id(cpu); + tdata->attr_size = MAX_CORE_ATTRS; + mutex_init(&tdata->update_lock); + return tdata; +@@ -454,7 +453,7 @@ static int create_core_data(struct platf + struct platform_data *pdata = platform_get_drvdata(pdev); + struct cpuinfo_x86 *c = &cpu_data(cpu); + u32 eax, edx; +- int err, attr_no; ++ int err, index, attr_no; + + /* + * Find attr number for sysfs: +@@ -462,14 +461,26 @@ static int create_core_data(struct platf + * The attr number is always core id + 2 + * The Pkgtemp will always show up as temp1_*, if available + */ +- attr_no = pkg_flag ? PKG_SYSFS_ATTR_NO : TO_ATTR_NO(cpu); ++ if (pkg_flag) { ++ attr_no = PKG_SYSFS_ATTR_NO; ++ } else { ++ index = ida_alloc(&pdata->ida, GFP_KERNEL); ++ if (index < 0) ++ return index; ++ pdata->cpu_map[index] = topology_core_id(cpu); ++ attr_no = index + BASE_SYSFS_ATTR_NO; ++ } + +- if (attr_no > MAX_CORE_DATA - 1) +- return -ERANGE; ++ if (attr_no > MAX_CORE_DATA - 1) { ++ err = -ERANGE; ++ goto ida_free; ++ } + + tdata = init_temp_data(cpu, pkg_flag); +- if (!tdata) +- return -ENOMEM; ++ if (!tdata) { ++ err = -ENOMEM; ++ goto ida_free; ++ } + + /* Test if we can access the status register */ + err = rdmsr_safe_on_cpu(cpu, tdata->status_reg, &eax, &edx); +@@ -505,6 +516,9 @@ static int create_core_data(struct platf + exit_free: + pdata->core_data[attr_no] = NULL; + kfree(tdata); ++ida_free: ++ if (!pkg_flag) ++ ida_free(&pdata->ida, index); + return err; + } + +@@ -524,6 +538,9 @@ static void coretemp_remove_core(struct + + kfree(pdata->core_data[indx]); + pdata->core_data[indx] = NULL; ++ ++ if (indx >= BASE_SYSFS_ATTR_NO) ++ ida_free(&pdata->ida, indx - BASE_SYSFS_ATTR_NO); + } + + static int coretemp_probe(struct platform_device *pdev) +@@ -537,6 +554,7 @@ static int coretemp_probe(struct platfor + return -ENOMEM; + + pdata->pkg_id = pdev->id; ++ ida_init(&pdata->ida); + platform_set_drvdata(pdev, pdata); + + pdata->hwmon_dev = devm_hwmon_device_register_with_groups(dev, DRVNAME, +@@ -553,6 +571,7 
@@ static int coretemp_remove(struct platfo + if (pdata->core_data[i]) + coretemp_remove_core(pdata, i); + ++ ida_destroy(&pdata->ida); + return 0; + } + +@@ -647,7 +666,7 @@ static int coretemp_cpu_offline(unsigned + struct platform_device *pdev = coretemp_get_pdev(cpu); + struct platform_data *pd; + struct temp_data *tdata; +- int indx, target; ++ int i, indx = -1, target; + + /* + * Don't execute this on suspend as the device remove locks +@@ -660,12 +679,19 @@ static int coretemp_cpu_offline(unsigned + if (!pdev) + return 0; + +- /* The core id is too big, just return */ +- indx = TO_ATTR_NO(cpu); +- if (indx > MAX_CORE_DATA - 1) ++ pd = platform_get_drvdata(pdev); ++ ++ for (i = 0; i < NUM_REAL_CORES; i++) { ++ if (pd->cpu_map[i] == topology_core_id(cpu)) { ++ indx = i + BASE_SYSFS_ATTR_NO; ++ break; ++ } ++ } ++ ++ /* Too many cores and this core is not populated, just return */ ++ if (indx < 0) + return 0; + +- pd = platform_get_drvdata(pdev); + tdata = pd->core_data[indx]; + + cpumask_clear_cpu(cpu, &pd->cpumask); diff --git a/queue-5.15/i2c-qcom-cci-fix-ordering-of-pm_runtime_xx-and-i2c_add_adapter.patch b/queue-5.15/i2c-qcom-cci-fix-ordering-of-pm_runtime_xx-and-i2c_add_adapter.patch new file mode 100644 index 00000000000..245052120e6 --- /dev/null +++ b/queue-5.15/i2c-qcom-cci-fix-ordering-of-pm_runtime_xx-and-i2c_add_adapter.patch 
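Review bot: In create_core_data() the new `pdata->cpu_map[index] = topology_core_id(cpu);` runs before the `attr_no > MAX_CORE_DATA - 1` check, and `ida_alloc()` puts no upper bound on `index`. `cpu_map` has `NUM_REAL_CORES` entries and `MAX_CORE_DATA` is `NUM_REAL_CORES + BASE_SYSFS_ATTR_NO`, so the first core beyond the limit is stored one element past the array (into the adjacent `ida` member, going by the struct layout in the hunk) before `-ERANGE` is returned. Bounding the allocation closes that window: `index = ida_alloc_max(&pdata->ida, NUM_REAL_CORES - 1, GFP_KERNEL);`. Separately, the lookup loop in coretemp_cpu_offline() compares against every `cpu_map[]` slot, including never-assigned and freed ones, so a stale or zero entry can match a core ID; the `tdata` handling after the hunk should be checked for that case.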
@@ -0,0 +1,65 @@ +From 61775d54d674ff8ec3658495e0dbc537227dc5c1 Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Tue, 18 Oct 2022 03:19:20 +0100 +Subject: i2c: qcom-cci: Fix ordering of pm_runtime_xx and i2c_add_adapter + +From: Bryan O'Donoghue + +commit 61775d54d674ff8ec3658495e0dbc537227dc5c1 upstream. + +When we compile-in the CCI along with the imx412 driver and run on the RB5 +we see that i2c_add_adapter() causes the probe of the imx412 driver to +happen. + +This probe tries to perform an i2c xfer() and the xfer() in i2c-qcom-cci.c +fails on pm_runtime_get() because the i2c-qcom-cci.c::probe() function has +not completed to pm_runtime_enable(dev). + +Fix this sequence by ensuring pm_runtime_xxx() calls happen prior to adding +the i2c adapter. + +Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver") +Reported-by: Vladimir Zapolskiy +Reviewed-by: Vladimir Zapolskiy +Tested-by: Vladimir Zapolskiy +Cc: +Signed-off-by: Bryan O'Donoghue +Reviewed-by: Robert Foss +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-qcom-cci.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/i2c/busses/i2c-qcom-cci.c ++++ b/drivers/i2c/busses/i2c-qcom-cci.c +@@ -638,6 +638,11 @@ static int cci_probe(struct platform_dev + if (ret < 0) + goto error; + ++ pm_runtime_set_autosuspend_delay(dev, MSEC_PER_SEC); ++ pm_runtime_use_autosuspend(dev); ++ pm_runtime_set_active(dev); ++ pm_runtime_enable(dev); ++ + for (i = 0; i < cci->data->num_masters; i++) { + if (!cci->master[i].cci) + continue; +@@ -649,14 +654,12 @@ static int cci_probe(struct platform_dev + } + } + +- pm_runtime_set_autosuspend_delay(dev, MSEC_PER_SEC); +- pm_runtime_use_autosuspend(dev); +- pm_runtime_set_active(dev); +- pm_runtime_enable(dev); +- + return 0; + + error_i2c: ++ pm_runtime_disable(dev); ++ pm_runtime_dont_use_autosuspend(dev); ++ + for (--i ; i >= 0; i--) { + if (cci->master[i].cci) { + 
i2c_del_adapter(&cci->master[i].adap);
diff --git a/queue-5.15/kvm-add-support-for-arch-compat-vm-ioctls.patch b/queue-5.15/kvm-add-support-for-arch-compat-vm-ioctls.patch
new file mode 100644
index 00000000000..557c6e13fd9
--- /dev/null
+++ b/queue-5.15/kvm-add-support-for-arch-compat-vm-ioctls.patch
@@ -0,0 +1,61 @@
+From ed51862f2f57cbce6fed2d4278cfe70a490899fd Mon Sep 17 00:00:00 2001
+From: Alexander Graf
+Date: Mon, 17 Oct 2022 20:45:39 +0200
+Subject: kvm: Add support for arch compat vm ioctls
+
+From: Alexander Graf
+
+commit ed51862f2f57cbce6fed2d4278cfe70a490899fd upstream.
+
+We will introduce the first architecture specific compat vm ioctl in the
+next patch. Add all necessary boilerplate to allow architectures to
+override compat vm ioctls when necessary.
+
+Signed-off-by: Alexander Graf
+Message-Id: <20221017184541.2658-2-graf@amazon.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/kvm_host.h | 2 ++
+ virt/kvm/kvm_main.c | 11 +++++++++++
+ 2 files changed, 13 insertions(+)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -1124,6 +1124,8 @@ int kvm_vm_ioctl_enable_cap(struct kvm *
+ struct kvm_enable_cap *cap);
+ long kvm_arch_vm_ioctl(struct file *filp,
+ unsigned int ioctl, unsigned long arg);
++long kvm_arch_vm_compat_ioctl(struct file *filp, unsigned int ioctl,
++ unsigned long arg);
+
+ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu);
+ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu);
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -4609,6 +4609,12 @@ struct compat_kvm_clear_dirty_log {
+ };
+ };
+
++long __weak kvm_arch_vm_compat_ioctl(struct file *filp, unsigned int ioctl,
++ unsigned long arg)
++{
++ return -ENOTTY;
++}
++
+ static long kvm_vm_compat_ioctl(struct file *filp,
+ unsigned int ioctl, unsigned long arg)
+ {
+@@ -4617,6 +4623,11 @@ static long kvm_vm_compat_ioctl(struct f
+
+ if (kvm->mm != current->mm || kvm->vm_bugged)
+ return -EIO;
++
++ r = kvm_arch_vm_compat_ioctl(filp, ioctl, arg);
++ if (r != -ENOTTY)
++ return r;
++
+ switch (ioctl) {
+ #ifdef CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT
+ case KVM_CLEAR_DIRTY_LOG: {
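Review bot: The `__weak` default of `kvm_arch_vm_compat_ioctl()` added to virt/kvm/kvm_main.c has no comment, although its `-ENOTTY` return value is a contract: `kvm_vm_compat_ioctl()` tests `if (r != -ENOTTY)` to decide whether to fall through to the generic `switch (ioctl)`. An architecture override therefore has to return `-ENOTTY` for every ioctl it does not handle, and any other value, including an error code, ends the call without the generic compat handling. I would state that on the weak definition, for example `/* Arch hook: return -ENOTTY for any ioctl not handled here so the generic compat path still runs. */`. The hook is called after the `kvm->mm != current->mm || kvm->vm_bugged` test, which is the right order; the rest of `kvm_vm_compat_ioctl()` lies outside the hunk.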
diff --git a/queue-5.15/kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch b/queue-5.15/kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch
new file mode 100644
index 00000000000..f219d2d0a57
--- /dev/null
+++ b/queue-5.15/kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch
@@ -0,0 +1,81 @@ +From c000a2607145d28b06c697f968491372ea56c23a Mon Sep 17 00:00:00 2001 +From: Eric Ren +Date: Sat, 15 Oct 2022 11:19:28 +0800 +Subject: KVM: arm64: vgic: Fix exit condition in scan_its_table() + +From: Eric Ren + +commit c000a2607145d28b06c697f968491372ea56c23a upstream. + +With some PCIe topologies, restoring a guest fails while +parsing the ITS device tables. + +Reproducer hints: +1. Create ARM virt VM with pxb-pcie bus which adds + extra host bridges, with qemu command like: + +``` + -device pxb-pcie,bus_nr=8,id=pci.x,numa_node=0,bus=pcie.0 \ + -device pcie-root-port,..,bus=pci.x \ + ... + -device pxb-pcie,bus_nr=37,id=pci.y,numa_node=1,bus=pcie.0 \ + -device pcie-root-port,..,bus=pci.y \ + ... + +``` +2. Ensure the guest uses 2-level device table +3. Perform VM migration which calls save/restore device tables + +In that setup, we get a big "offset" between 2 device_ids, +which makes unsigned "len" round up a big positive number, +causing the scan loop to continue with a bad GPA. For example: + +1. L1 table has 2 entries; +2. and we are now scanning at L2 table entry index 2075 (pointed + to by L1 first entry) +3. if next device id is 9472, we will get a big offset: 7397; +4. with unsigned 'len', 'len -= offset * esz', len will underflow to a + positive number, mistakenly into next iteration with a bad GPA; + (It should break out of the current L2 table scanning, and jump + into the next L1 table entry) +5. that bad GPA fails the guest read. + +Fix it by stopping the L2 table scan when the next device id is +outside of the current table, allowing the scan to continue from +the next L1 table entry. + +Thanks to Eric Auger for the fix suggestion. 
+ +Fixes: 920a7a8fa92a ("KVM: arm64: vgic-its: Add infrastructure for tableookup") +Suggested-by: Eric Auger +Signed-off-by: Eric Ren +[maz: commit message tidy-up] +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/d9c3a564af9e2c5bf63f48a7dcbf08cd593c5c0b.1665802985.git.renzhengeek@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/vgic/vgic-its.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kvm/vgic/vgic-its.c ++++ b/arch/arm64/kvm/vgic/vgic-its.c +@@ -2096,7 +2096,7 @@ static int scan_its_table(struct vgic_it + + memset(entry, 0, esz); + +- while (len > 0) { ++ while (true) { + int next_offset; + size_t byte_offset; + +@@ -2109,6 +2109,9 @@ static int scan_its_table(struct vgic_it + return next_offset; + + byte_offset = next_offset * esz; ++ if (byte_offset >= len) ++ break; ++ + id += next_offset; + gpa += byte_offset; + len -= byte_offset; diff --git a/queue-5.15/media-ipu3-imgu-fix-null-pointer-dereference-in-active-selection-access.patch b/queue-5.15/media-ipu3-imgu-fix-null-pointer-dereference-in-active-selection-access.patch new file mode 100644 index 00000000000..83a71dcdad1 --- /dev/null +++ b/queue-5.15/media-ipu3-imgu-fix-null-pointer-dereference-in-active-selection-access.patch 
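Review bot: The new `if (byte_offset >= len) break;` in `scan_its_table()` is now the only exit from the `while (true)` loop for an entry that points past the current table, and it is the guard that keeps `len -= byte_offset` from wrapping, but it carries no comment. Since `next_offset` comes from table contents the guest controls, I would mark the check so it is not folded back into the loop condition later, e.g. `/* next entry lies outside this table: stop before len can wrap */`. The product `next_offset * esz` is evaluated in the operands' own type before it is stored in the `size_t`; the declaration of `esz` is outside the hunk, so it is worth confirming that the multiplication cannot overflow for the largest offset an entry can encode. The function starts and ends outside the hunk.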
@@ -0,0 +1,80 @@ +From b9eb3ab6f30bf32f7326909f17949ccb11bab514 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Thu, 25 Aug 2022 20:36:37 +0200 +Subject: media: ipu3-imgu: Fix NULL pointer dereference in active selection access + +From: Sakari Ailus + +commit b9eb3ab6f30bf32f7326909f17949ccb11bab514 upstream. + +What the IMGU driver did was that it first acquired the pointers to active +and try V4L2 subdev state, and only then figured out which one to use. + +The problem with that approach and a later patch (see Fixes: tag) is that +as sd_state argument to v4l2_subdev_get_try_crop() et al is NULL, there is +now an attempt to dereference that. + +Fix this. + +Also rewrap lines a little. + +Fixes: 0d346d2a6f54 ("media: v4l2-subdev: add subdev-wide state struct") +Cc: stable@vger.kernel.org # for v5.14 and later +Signed-off-by: Sakari Ailus +Reviewed-by: Bingbu Cao +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/ipu3/ipu3-v4l2.c | 31 ++++++++++++++----------------- + 1 file changed, 14 insertions(+), 17 deletions(-) + +--- a/drivers/staging/media/ipu3/ipu3-v4l2.c ++++ b/drivers/staging/media/ipu3/ipu3-v4l2.c +@@ -192,33 +192,30 @@ static int imgu_subdev_get_selection(str + struct v4l2_subdev_state *sd_state, + struct v4l2_subdev_selection *sel) + { +- struct v4l2_rect *try_sel, *r; +- struct imgu_v4l2_subdev *imgu_sd = container_of(sd, +- struct imgu_v4l2_subdev, +- subdev); ++ struct imgu_v4l2_subdev *imgu_sd = ++ container_of(sd, struct imgu_v4l2_subdev, subdev); + + if (sel->pad != IMGU_NODE_IN) + return -EINVAL; + + switch (sel->target) { + case V4L2_SEL_TGT_CROP: +- try_sel = v4l2_subdev_get_try_crop(sd, sd_state, sel->pad); +- r = &imgu_sd->rect.eff; +- break; ++ if (sel->which == V4L2_SUBDEV_FORMAT_TRY) ++ sel->r = *v4l2_subdev_get_try_crop(sd, sd_state, ++ sel->pad); ++ else ++ sel->r = imgu_sd->rect.eff; ++ return 0; + case V4L2_SEL_TGT_COMPOSE: +- try_sel = v4l2_subdev_get_try_compose(sd, sd_state, 
sel->pad); +- r = &imgu_sd->rect.bds; +- break; ++ if (sel->which == V4L2_SUBDEV_FORMAT_TRY) ++ sel->r = *v4l2_subdev_get_try_compose(sd, sd_state, ++ sel->pad); ++ else ++ sel->r = imgu_sd->rect.bds; ++ return 0; + default: + return -EINVAL; + } +- +- if (sel->which == V4L2_SUBDEV_FORMAT_TRY) +- sel->r = *try_sel; +- else +- sel->r = *r; +- +- return 0; + } + + static int imgu_subdev_set_selection(struct v4l2_subdev *sd, diff --git a/queue-5.15/media-mceusb-set-timeout-to-at-least-timeout-provided.patch b/queue-5.15/media-mceusb-set-timeout-to-at-least-timeout-provided.patch new file mode 100644 index 00000000000..91ed02379c3 --- /dev/null +++ b/queue-5.15/media-mceusb-set-timeout-to-at-least-timeout-provided.patch @@ -0,0 +1,33 @@ +From 20b794ddce475ed012deb365000527c17b3e93e6 Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Fri, 2 Sep 2022 12:32:21 +0200 +Subject: media: mceusb: set timeout to at least timeout provided + +From: Sean Young + +commit 20b794ddce475ed012deb365000527c17b3e93e6 upstream. + +By rounding down, the actual timeout can be lower than requested. As a +result, long spaces just below the requested timeout can be incorrectly +reported as timeout and truncated. + +Fixes: 877f1a7cee3f ("media: rc: mceusb: allow the timeout to be configurable") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/mceusb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/rc/mceusb.c ++++ b/drivers/media/rc/mceusb.c +@@ -1077,7 +1077,7 @@ static int mceusb_set_timeout(struct rc_ + struct mceusb_dev *ir = dev->priv; + unsigned int units; + +- units = DIV_ROUND_CLOSEST(timeout, MCE_TIME_UNIT); ++ units = DIV_ROUND_UP(timeout, MCE_TIME_UNIT); + + cmdbuf[2] = units >> 8; + cmdbuf[3] = units; 
diff --git a/queue-5.15/media-venus-dec-handle-the-case-where-find_format-fails.patch b/queue-5.15/media-venus-dec-handle-the-case-where-find_format-fails.patch new file mode 100644 index 00000000000..cdaa1f97958 --- /dev/null +++ b/queue-5.15/media-venus-dec-handle-the-case-where-find_format-fails.patch @@ -0,0 +1,36 @@ +From 06a2da340f762addc5935bf851d95b14d4692db2 Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Tue, 26 Jul 2022 04:14:54 +0200 +Subject: media: venus: dec: Handle the case where find_format fails + +From: Bryan O'Donoghue + +commit 06a2da340f762addc5935bf851d95b14d4692db2 upstream. + +Debugging the decoder on msm8916 I noticed the vdec probe was crashing if +the fmt pointer was NULL. + +A similar fix from Colin Ian King found by Coverity was implemented for the +encoder. Implement the same fix on the decoder. + +Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files") +Cc: stable@vger.kernel.org # v4.13+ +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Stanimir Varbanov +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/vdec.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/platform/qcom/venus/vdec.c ++++ b/drivers/media/platform/qcom/venus/vdec.c +@@ -158,6 +158,8 @@ vdec_try_fmt_common(struct venus_inst *i + else + return NULL; + fmt = find_format(inst, pixmp->pixelformat, f->type); ++ if (!fmt) ++ return NULL; + } + + pixmp->width = clamp(pixmp->width, frame_width_min(inst), diff --git a/queue-5.15/mm-hugetlb-take-hugetlb_lock-before-decrementing-h-resv_huge_pages.patch b/queue-5.15/mm-hugetlb-take-hugetlb_lock-before-decrementing-h-resv_huge_pages.patch new file mode 100644 index 00000000000..12a9d01d13a --- /dev/null +++ b/queue-5.15/mm-hugetlb-take-hugetlb_lock-before-decrementing-h-resv_huge_pages.patch 
@@ -0,0 +1,49 @@ +From 12df140f0bdfae5dcfc81800970dd7f6f632e00c Mon Sep 17 00:00:00 2001 +From: Rik van Riel +Date: Mon, 17 Oct 2022 20:25:05 -0400 +Subject: mm,hugetlb: take hugetlb_lock before decrementing h->resv_huge_pages + +From: Rik van Riel + +commit 12df140f0bdfae5dcfc81800970dd7f6f632e00c upstream. + +The h->*_huge_pages counters are protected by the hugetlb_lock, but +alloc_huge_page has a corner case where it can decrement the counter +outside of the lock. + +This could lead to a corrupted value of h->resv_huge_pages, which we have +observed on our systems. + +Take the hugetlb_lock before decrementing h->resv_huge_pages to avoid a +potential race. + +Link: https://lkml.kernel.org/r/20221017202505.0e6a4fcd@imladris.surriel.com +Fixes: a88c76954804 ("mm: hugetlb: fix hugepage memory leak caused by wrong reserve count") +Signed-off-by: Rik van Riel +Reviewed-by: Mike Kravetz +Cc: Naoya Horiguchi +Cc: Glen McCready +Cc: Mike Kravetz +Cc: Muchun Song +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/hugetlb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2813,11 +2813,11 @@ struct page *alloc_huge_page(struct vm_a + page = alloc_buddy_huge_page_with_mpol(h, vma, addr); + if (!page) + goto out_uncharge_cgroup; ++ spin_lock_irq(&hugetlb_lock); + if (!avoid_reserve && vma_has_reserves(vma, gbl_chg)) { + SetHPageRestoreReserve(page); + h->resv_huge_pages--; + } +- spin_lock_irq(&hugetlb_lock); + list_add(&page->lru, &h->hugepage_activelist); + /* Fall through */ + } diff --git a/queue-5.15/ocfs2-clear-dinode-links-count-in-case-of-error.patch b/queue-5.15/ocfs2-clear-dinode-links-count-in-case-of-error.patch new file mode 100644 index 00000000000..6f10920749e --- /dev/null +++ b/queue-5.15/ocfs2-clear-dinode-links-count-in-case-of-error.patch 
@@ -0,0 +1,77 @@ +From 28f4821b1b53e0649706912e810c6c232fc506f9 Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Mon, 17 Oct 2022 21:02:27 +0800 +Subject: ocfs2: clear dinode links count in case of error + +From: Joseph Qi + +commit 28f4821b1b53e0649706912e810c6c232fc506f9 upstream. + +In ocfs2_mknod(), if error occurs after dinode successfully allocated, +ocfs2 i_links_count will not be 0. + +So even though we clear inode i_nlink before iput in error handling, it +still won't wipe inode since we'll refresh inode from dinode during inode +lock. So just like clear inode i_nlink, we clear ocfs2 i_links_count as +well. Also do the same change for ocfs2_symlink(). + +Link: https://lkml.kernel.org/r/20221017130227.234480-2-joseph.qi@linux.alibaba.com +Signed-off-by: Joseph Qi +Reported-by: Yan Wang +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/namei.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/fs/ocfs2/namei.c ++++ b/fs/ocfs2/namei.c +@@ -231,6 +231,7 @@ static int ocfs2_mknod(struct user_names + handle_t *handle = NULL; + struct ocfs2_super *osb; + struct ocfs2_dinode *dirfe; ++ struct ocfs2_dinode *fe = NULL; + struct buffer_head *new_fe_bh = NULL; + struct inode *inode = NULL; + struct ocfs2_alloc_context *inode_ac = NULL; +@@ -381,6 +382,7 @@ static int ocfs2_mknod(struct user_names + goto leave; + } + ++ fe = (struct ocfs2_dinode *) new_fe_bh->b_data; + if (S_ISDIR(mode)) { + status = ocfs2_fill_new_dir(osb, handle, dir, inode, + new_fe_bh, data_ac, meta_ac); +@@ -453,8 +455,11 @@ roll_back: + leave: + if (status < 0 && did_quota_inode) + dquot_free_inode(inode); +- if (handle) ++ if (handle) { ++ if (status < 0 && fe) ++ ocfs2_set_links_count(fe, 0); + ocfs2_commit_trans(osb, handle); ++ } + + ocfs2_inode_unlock(dir, 1); + if (did_block_signals) +@@ -2027,8 +2032,11 @@ bail: + 
ocfs2_clusters_to_bytes(osb->sb, 1)); + if (status < 0 && did_quota_inode) + dquot_free_inode(inode); +- if (handle) ++ if (handle) { ++ if (status < 0 && fe) ++ ocfs2_set_links_count(fe, 0); + ocfs2_commit_trans(osb, handle); ++ } + + ocfs2_inode_unlock(dir, 1); + if (did_block_signals) diff --git a/queue-5.15/ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch b/queue-5.15/ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch new file mode 100644 index 00000000000..6505210d0ca --- /dev/null +++ b/queue-5.15/ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch 
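Review bot: The two added `ocfs2_set_links_count(fe, 0)` calls, in the `leave:` path of `ocfs2_mknod()` and in the `bail:` path of the second hunk (ocfs2_symlink() according to the commit message), have no comment, and the reason for them is not visible in the code. The commit message gives it: i_nlink is refreshed from the dinode under the inode lock, so clearing only the in-memory count is undone before the inode can be wiped. I would add one line at both sites, e.g. `/* also zero the dinode link count; i_nlink is refreshed from it on inode lock */`. The hunks do not show the buffer being marked dirty in the journal after this write, so whether the zeroed count is meant to reach disk or only the cached buffer presumably depends on code outside the hunk and should be confirmed. Both functions start and end outside the hunks, and the declaration of `fe` used in the second hunk is not visible there.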
@@ -0,0 +1,60 @@ +From 759a7c6126eef5635506453e9b9d55a6a3ac2084 Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Mon, 17 Oct 2022 21:02:26 +0800 +Subject: ocfs2: fix BUG when iput after ocfs2_mknod fails + +From: Joseph Qi + +commit 759a7c6126eef5635506453e9b9d55a6a3ac2084 upstream. + +Commit b1529a41f777 "ocfs2: should reclaim the inode if +'__ocfs2_mknod_locked' returns an error" tried to reclaim the claimed +inode if __ocfs2_mknod_locked() fails later. But this introduce a race, +the freed bit may be reused immediately by another thread, which will +update dinode, e.g. i_generation. Then iput this inode will lead to BUG: +inode->i_generation != le32_to_cpu(fe->i_generation) + +We could make this inode as bad, but we did want to do operations like +wipe in some cases. Since the claimed inode bit can only affect that an +dinode is missing and will return back after fsck, it seems not a big +problem. So just leave it as is by revert the reclaim logic. + +Link: https://lkml.kernel.org/r/20221017130227.234480-1-joseph.qi@linux.alibaba.com +Fixes: b1529a41f777 ("ocfs2: should reclaim the inode if '__ocfs2_mknod_locked' returns an error") +Signed-off-by: Joseph Qi +Reported-by: Yan Wang +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/namei.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +--- a/fs/ocfs2/namei.c ++++ b/fs/ocfs2/namei.c +@@ -636,18 +636,9 @@ static int ocfs2_mknod_locked(struct ocf + return status; + } + +- status = __ocfs2_mknod_locked(dir, inode, dev, new_fe_bh, ++ return __ocfs2_mknod_locked(dir, inode, dev, new_fe_bh, + parent_fe_bh, handle, inode_ac, + fe_blkno, suballoc_loc, suballoc_bit); +- if (status < 0) { +- u64 bg_blkno = ocfs2_which_suballoc_group(fe_blkno, suballoc_bit); +- int tmp = ocfs2_free_suballoc_bits(handle, inode_ac->ac_inode, +- inode_ac->ac_bh, suballoc_bit, bg_blkno, 1); +- if 
(tmp) +- mlog_errno(tmp); +- } +- +- return status; + } + + static int ocfs2_mkdir(struct user_namespace *mnt_userns, diff --git a/queue-5.15/perf-x86-intel-pt-relax-address-filter-validation.patch b/queue-5.15/perf-x86-intel-pt-relax-address-filter-validation.patch new file mode 100644 index 00000000000..5769bc0cc95 --- /dev/null +++ b/queue-5.15/perf-x86-intel-pt-relax-address-filter-validation.patch 
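Review bot: After this change `ocfs2_mknod_locked()` returns the status of `__ocfs2_mknod_locked()` directly and, on failure, leaves the suballocator bit it claimed earlier still set, but nothing in the code records that this is intentional. The commit message explains that freeing the bit here raced with another thread reusing it and that the leftover bit is only recovered by fsck; without a comment the missing cleanup looks like a leak that someone will want to fix again. I would put that above the `return`, e.g. `/* On failure the claimed bit is deliberately not freed: freeing it here raced with reuse; fsck reclaims it. */`. The start of the function is outside the hunk.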
@@ -0,0 +1,121 @@ +From c243cecb58e3905baeace8827201c14df8481e2a Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Mon, 31 Jan 2022 09:24:49 +0200 +Subject: perf/x86/intel/pt: Relax address filter validation + +From: Adrian Hunter + +commit c243cecb58e3905baeace8827201c14df8481e2a upstream. + +The requirement for 64-bit address filters is that they are canonical +addresses. In other respects any address range is allowed which would +include user space addresses. + +That can be useful for tracing virtual machine guests because address +filtering can be used to advantage in place of current privilege level +(CPL) filtering. + +Signed-off-by: Adrian Hunter +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20220131072453.2839535-2-adrian.hunter@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/pt.c | 63 +++++++++++++++++++++++++++++++++++---------- + 1 file changed, 50 insertions(+), 13 deletions(-) + +--- a/arch/x86/events/intel/pt.c ++++ b/arch/x86/events/intel/pt.c +@@ -13,6 +13,8 @@ + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + + #include ++#include ++#include + #include + #include + +@@ -1348,11 +1350,37 @@ static void pt_addr_filters_fini(struct + event->hw.addr_filters = NULL; + } + +-static inline bool valid_kernel_ip(unsigned long ip) ++#ifdef CONFIG_X86_64 ++static u64 canonical_address(u64 vaddr, u8 vaddr_bits) + { +- return virt_addr_valid(ip) && kernel_ip(ip); ++ return ((s64)vaddr << (64 - vaddr_bits)) >> (64 - vaddr_bits); + } + ++static u64 is_canonical_address(u64 vaddr, u8 vaddr_bits) ++{ ++ return canonical_address(vaddr, vaddr_bits) == vaddr; ++} ++ ++/* Clamp to a canonical address greater-than-or-equal-to the address given */ ++static u64 clamp_to_ge_canonical_addr(u64 vaddr, u8 vaddr_bits) ++{ ++ return is_canonical_address(vaddr, vaddr_bits) ? 
++ vaddr : ++ -BIT_ULL(vaddr_bits - 1); ++} ++ ++/* Clamp to a canonical address less-than-or-equal-to the address given */ ++static u64 clamp_to_le_canonical_addr(u64 vaddr, u8 vaddr_bits) ++{ ++ return is_canonical_address(vaddr, vaddr_bits) ? ++ vaddr : ++ BIT_ULL(vaddr_bits - 1) - 1; ++} ++#else ++#define clamp_to_ge_canonical_addr(x, y) (x) ++#define clamp_to_le_canonical_addr(x, y) (x) ++#endif ++ + static int pt_event_addr_filters_validate(struct list_head *filters) + { + struct perf_addr_filter *filter; +@@ -1367,14 +1395,6 @@ static int pt_event_addr_filters_validat + filter->action == PERF_ADDR_FILTER_ACTION_START) + return -EOPNOTSUPP; + +- if (!filter->path.dentry) { +- if (!valid_kernel_ip(filter->offset)) +- return -EINVAL; +- +- if (!valid_kernel_ip(filter->offset + filter->size)) +- return -EINVAL; +- } +- + if (++range > intel_pt_validate_hw_cap(PT_CAP_num_address_ranges)) + return -EOPNOTSUPP; + } +@@ -1398,9 +1418,26 @@ static void pt_event_addr_filters_sync(s + if (filter->path.dentry && !fr[range].start) { + msr_a = msr_b = 0; + } else { +- /* apply the offset */ +- msr_a = fr[range].start; +- msr_b = msr_a + fr[range].size - 1; ++ unsigned long n = fr[range].size - 1; ++ unsigned long a = fr[range].start; ++ unsigned long b; ++ ++ if (a > ULONG_MAX - n) ++ b = ULONG_MAX; ++ else ++ b = a + n; ++ /* ++ * Apply the offset. 64-bit addresses written to the ++ * MSRs must be canonical, but the range can encompass ++ * non-canonical addresses. Since software cannot ++ * execute at non-canonical addresses, adjusting to ++ * canonical addresses does not affect the result of the ++ * address filter. ++ */ ++ msr_a = clamp_to_ge_canonical_addr(a, boot_cpu_data.x86_virt_bits); ++ msr_b = clamp_to_le_canonical_addr(b, boot_cpu_data.x86_virt_bits); ++ if (msr_b < msr_a) ++ msr_a = msr_b = 0; + } + + filters->filter[range].msr_a = msr_a; 
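Review bot: `is_canonical_address()` is declared `static u64` although it returns the result of a comparison and is only used as a condition in the two clamp helpers; `static bool is_canonical_address(u64 vaddr, u8 vaddr_bits)` says what it is. `canonical_address()` shifts by `64 - vaddr_bits`, which is only well defined while `vaddr_bits` is between 1 and 64; the caller in the hunk passes `boot_cpu_data.x86_virt_bits`, so a one-line comment stating that precondition on the helper would be enough. With the `valid_kernel_ip()` checks removed from `pt_event_addr_filters_validate()`, the clamping in `pt_event_addr_filters_sync()` is the only place visible here where the filter bounds are adjusted before they are stored in `msr_a`/`msr_b`, which is a reason to keep these helpers easy to audit.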
diff --git a/queue-5.15/selinux-enable-use-of-both-gfp_kernel-and-gfp_atomic-in-convert_context.patch b/queue-5.15/selinux-enable-use-of-both-gfp_kernel-and-gfp_atomic-in-convert_context.patch new file mode 100644 index 00000000000..431767f751b --- /dev/null +++ b/queue-5.15/selinux-enable-use-of-both-gfp_kernel-and-gfp_atomic-in-convert_context.patch 
@@ -0,0 +1,129 @@ +From abe3c631447dcd1ba7af972fe6f054bee6f136fa Mon Sep 17 00:00:00 2001 +From: "GONG, Ruiqi" +Date: Wed, 19 Oct 2022 10:57:10 +0800 +Subject: selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context() + +From: GONG, Ruiqi + +commit abe3c631447dcd1ba7af972fe6f054bee6f136fa upstream. + +The following warning was triggered on a hardware environment: + + SELinux: Converting 162 SID table entries... + BUG: sleeping function called from invalid context at + __might_sleep+0x60/0x74 0x0 + in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 5943, name: tar + CPU: 7 PID: 5943 Comm: tar Tainted: P O 5.10.0 #1 + Call trace: + dump_backtrace+0x0/0x1c8 + show_stack+0x18/0x28 + dump_stack+0xe8/0x15c + ___might_sleep+0x168/0x17c + __might_sleep+0x60/0x74 + __kmalloc_track_caller+0xa0/0x7dc + kstrdup+0x54/0xac + convert_context+0x48/0x2e4 + sidtab_context_to_sid+0x1c4/0x36c + security_context_to_sid_core+0x168/0x238 + security_context_to_sid_default+0x14/0x24 + inode_doinit_use_xattr+0x164/0x1e4 + inode_doinit_with_dentry+0x1c0/0x488 + selinux_d_instantiate+0x20/0x34 + security_d_instantiate+0x70/0xbc + d_splice_alias+0x4c/0x3c0 + ext4_lookup+0x1d8/0x200 [ext4] + __lookup_slow+0x12c/0x1e4 + walk_component+0x100/0x200 + path_lookupat+0x88/0x118 + filename_lookup+0x98/0x130 + user_path_at_empty+0x48/0x60 + vfs_statx+0x84/0x140 + vfs_fstatat+0x20/0x30 + __se_sys_newfstatat+0x30/0x74 + __arm64_sys_newfstatat+0x1c/0x2c + el0_svc_common.constprop.0+0x100/0x184 + do_el0_svc+0x1c/0x2c + el0_svc+0x20/0x34 + el0_sync_handler+0x80/0x17c + el0_sync+0x13c/0x140 + SELinux: Context system_u:object_r:pssp_rsyslog_log_t:s0:c0 is + not valid (left unmapped). + +It was found that within a critical section of spin_lock_irqsave in +sidtab_context_to_sid(), convert_context() (hooked by +sidtab_convert_params.func) might cause the process to sleep via +allocating memory with GFP_KERNEL, which is problematic. 
+ +As Ondrej pointed out [1], convert_context()/sidtab_convert_params.func +has another caller sidtab_convert_tree(), which is okay with GFP_KERNEL. +Therefore, fix this problem by adding a gfp_t argument for +convert_context()/sidtab_convert_params.func and pass GFP_KERNEL/_ATOMIC +properly in individual callers. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20221018120111.1474581-1-gongruiqi1@huawei.com/ [1] +Reported-by: Tan Ninghao +Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance") +Signed-off-by: GONG, Ruiqi +Reviewed-by: Ondrej Mosnacek +[PM: wrap long BUG() output lines, tweak subject line] +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/ss/services.c | 5 +++-- + security/selinux/ss/sidtab.c | 4 ++-- + security/selinux/ss/sidtab.h | 2 +- + 3 files changed, 6 insertions(+), 5 deletions(-) + +--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -2021,7 +2021,8 @@ static inline int convert_context_handle + * in `newc'. Verify that the context is valid + * under the new policy. 
+ */ +-static int convert_context(struct context *oldc, struct context *newc, void *p) ++static int convert_context(struct context *oldc, struct context *newc, void *p, ++ gfp_t gfp_flags) + { + struct convert_context_args *args; + struct ocontext *oc; +@@ -2035,7 +2036,7 @@ static int convert_context(struct contex + args = p; + + if (oldc->str) { +- s = kstrdup(oldc->str, GFP_KERNEL); ++ s = kstrdup(oldc->str, gfp_flags); + if (!s) + return -ENOMEM; + +--- a/security/selinux/ss/sidtab.c ++++ b/security/selinux/ss/sidtab.c +@@ -325,7 +325,7 @@ int sidtab_context_to_sid(struct sidtab + } + + rc = convert->func(context, &dst_convert->context, +- convert->args); ++ convert->args, GFP_ATOMIC); + if (rc) { + context_destroy(&dst->context); + goto out_unlock; +@@ -404,7 +404,7 @@ static int sidtab_convert_tree(union sid + while (i < SIDTAB_LEAF_ENTRIES && *pos < count) { + rc = convert->func(&esrc->ptr_leaf->entries[i].context, + &edst->ptr_leaf->entries[i].context, +- convert->args); ++ convert->args, GFP_KERNEL); + if (rc) + return rc; + (*pos)++; +--- a/security/selinux/ss/sidtab.h ++++ b/security/selinux/ss/sidtab.h +@@ -65,7 +65,7 @@ struct sidtab_isid_entry { + }; + + struct sidtab_convert_params { +- int (*func)(struct context *oldc, struct context *newc, void *args); ++ int (*func)(struct context *oldc, struct context *newc, void *args, gfp_t gfp_flags); + void *args; + struct sidtab *target; + }; diff --git a/queue-5.15/series b/queue-5.15/series index b20c09b1393..a5a3cc8866d 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
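Review bot: Only the `kstrdup()` call in `convert_context()` is switched to `gfp_flags` in the visible hunk, and the rest of the function is outside it. `sidtab_context_to_sid()` now passes `GFP_ATOMIC` because it invokes the hook inside its `spin_lock_irqsave` section, so every other allocation reachable from `convert_context()` has to honour the flag as well (or already be atomic), otherwise the same sleeping-in-atomic BUG can return on a different path; that needs checking against the full function. The comment block above `convert_context()` should also mention the new parameter, for example ` * Allocations use gfp_flags; callers in atomic context pass GFP_ATOMIC.`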
@@ -5,3 +5,25 @@ usb-gadget-uvc-use-on-returned-header-len-in-video_encode_isoc_sg.patch
 usb-gadget-uvc-rework-uvcg_queue_next_buffer-to-uvcg_complete_buffer.patch
 usb-gadget-uvc-giveback-vb2-buffer-on-req-complete.patch
 usb-gadget-uvc-improve-sg-exit-condition.patch
+arm64-errata-remove-aes-hwcap-for-compat-tasks.patch
+perf-x86-intel-pt-relax-address-filter-validation.patch
+btrfs-enhance-unsupported-compat-ro-flags-handling.patch
+ocfs2-clear-dinode-links-count-in-case-of-error.patch
+ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch
+selinux-enable-use-of-both-gfp_kernel-and-gfp_atomic-in-convert_context.patch
+cpufreq-qcom-fix-writes-in-read-only-memory-region.patch
+i2c-qcom-cci-fix-ordering-of-pm_runtime_xx-and-i2c_add_adapter.patch
+cpufreq-tegra194-fix-module-loading.patch
+x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch
+hwmon-coretemp-handle-large-core-id-value.patch
+ata-ahci-imx-fix-module_alias.patch
+ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch
+x86-resctrl-fix-min_cbm_bits-for-amd.patch
+cpufreq-qcom-fix-memory-leak-in-error-path.patch
+drm-amdgpu-fix-sdma-doorbell-init-ordering-on-apus.patch
+mm-hugetlb-take-hugetlb_lock-before-decrementing-h-resv_huge_pages.patch
+kvm-add-support-for-arch-compat-vm-ioctls.patch
+kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch
+media-ipu3-imgu-fix-null-pointer-dereference-in-active-selection-access.patch
+media-mceusb-set-timeout-to-at-least-timeout-provided.patch
+media-venus-dec-handle-the-case-where-find_format-fails.patch
diff --git a/queue-5.15/x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch b/queue-5.15/x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch
new file mode 100644
index 00000000000..c65a2a7cc35
--- /dev/null
+++ b/queue-5.15/x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch
@@ -0,0 +1,76 @@ +From e7ad18d1169c62e6c78c01ff693fd362d9d65278 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Wed, 5 Oct 2022 12:00:08 +0200 +Subject: x86/microcode/AMD: Apply the patch early on every logical thread +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Borislav Petkov + +commit e7ad18d1169c62e6c78c01ff693fd362d9d65278 upstream. + +Currently, the patch application logic checks whether the revision +needs to be applied on each logical CPU (SMT thread). Therefore, on SMT +designs where the microcode engine is shared between the two threads, +the application happens only on one of them as that is enough to update +the shared microcode engine. + +However, there are microcode patches which do per-thread modification, +see Link tag below. + +Therefore, drop the revision check and try applying on each thread. This +is what the BIOS does too so this method is very much tested. + +Btw, change only the early paths. On the late loading paths, there's no +point in doing per-thread modification because if is it some case like +in the bugzilla below - removing a CPUID flag - the kernel cannot go and +un-use features it has detected are there early. For that, one should +use early loading anyway. + + [ bp: Fixes does not contain the oldest commit which did check for + equality but that is good enough. 
] + +Fixes: 8801b3fcb574 ("x86/microcode/AMD: Rework container parsing") +Reported-by: Ștefan Talpalaru +Signed-off-by: Borislav Petkov +Tested-by: Ștefan Talpalaru +Cc: +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216211 +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/microcode/amd.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/cpu/microcode/amd.c ++++ b/arch/x86/kernel/cpu/microcode/amd.c +@@ -440,7 +440,13 @@ apply_microcode_early_amd(u32 cpuid_1_ea + return ret; + + native_rdmsr(MSR_AMD64_PATCH_LEVEL, rev, dummy); +- if (rev >= mc->hdr.patch_id) ++ ++ /* ++ * Allow application of the same revision to pick up SMT-specific ++ * changes even if the revision of the other SMT thread is already ++ * up-to-date. ++ */ ++ if (rev > mc->hdr.patch_id) + return ret; + + if (!__apply_microcode_amd(mc)) { +@@ -522,8 +528,12 @@ void load_ucode_amd_ap(unsigned int cpui + + native_rdmsr(MSR_AMD64_PATCH_LEVEL, rev, dummy); + +- /* Check whether we have saved a new patch already: */ +- if (*new_rev && rev < mc->hdr.patch_id) { ++ /* ++ * Check whether a new patch has been saved already. Also, allow application of ++ * the same revision in order to pick up SMT-thread-specific configuration even ++ * if the sibling SMT thread already has an up-to-date revision. ++ */ ++ if (*new_rev && rev <= mc->hdr.patch_id) { + if (!__apply_microcode_amd(mc)) { + *new_rev = mc->hdr.patch_id; + return; diff --git a/queue-5.15/x86-resctrl-fix-min_cbm_bits-for-amd.patch b/queue-5.15/x86-resctrl-fix-min_cbm_bits-for-amd.patch new file mode 100644 index 00000000000..54510d84df0 --- /dev/null +++ b/queue-5.15/x86-resctrl-fix-min_cbm_bits-for-amd.patch 
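Review bot: With `if (rev > mc->hdr.patch_id)` in `apply_microcode_early_amd()` and `rev <= mc->hdr.patch_id` in `load_ucode_amd_ap()`, a thread whose revision already equals the patch now goes through `__apply_microcode_amd()` on every early load, and a successful same-revision apply is indistinguishable from a real upgrade in the code that follows. In `load_ucode_amd_ap()` the success branch still executes `*new_rev = mc->hdr.patch_id;`, and the corresponding code after `__apply_microcode_amd()` in `apply_microcode_early_amd()` is outside the hunk. If either value feeds an "updated to new revision" message or similar bookkeeping, it will now fire when nothing changed; that reporting should presumably be conditioned on the old value, e.g. `if (rev < mc->hdr.patch_id)`, which needs confirming against the code not shown. Both functions start and end outside the hunks.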
@@ -0,0 +1,100 @@
+From 67bf6493449b09590f9f71d7df29efb392b12d25 Mon Sep 17 00:00:00 2001
+From: Babu Moger
+Date: Tue, 27 Sep 2022 15:16:29 -0500
+Subject: x86/resctrl: Fix min_cbm_bits for AMD
+
+From: Babu Moger
+
+commit 67bf6493449b09590f9f71d7df29efb392b12d25 upstream.
+
+AMD systems support zero CBM (capacity bit mask) for cache allocation.
+That is reflected in rdt_init_res_defs_amd() by:
+
+ r->cache.arch_has_empty_bitmaps = true;
+
+However given the unified code in cbm_validate(), checking for:
+
+ val == 0 && !arch_has_empty_bitmaps
+
+is not enough because of another check in cbm_validate():
+
+ if ((zero_bit - first_bit) < r->cache.min_cbm_bits)
+
+The default value of r->cache.min_cbm_bits = 1.
+
+Leading to:
+
+ $ cd /sys/fs/resctrl
+ $ mkdir foo
+ $ cd foo
+ $ echo L3:0=0 > schemata
+ -bash: echo: write error: Invalid argument
+ $ cat /sys/fs/resctrl/info/last_cmd_status
+ Need at least 1 bits in the mask
+
+Initialize the min_cbm_bits to 0 for AMD. Also, remove the default
+setting of min_cbm_bits and initialize it separately.
+
+After the fix:
+
+ $ cd /sys/fs/resctrl
+ $ mkdir foo
+ $ cd foo
+ $ echo L3:0=0 > schemata
+ $ cat /sys/fs/resctrl/info/last_cmd_status
+ ok
+
+Fixes: 316e7f901f5a ("x86/resctrl: Add struct rdt_cache::arch_has_{sparse, empty}_bitmaps")
+Co-developed-by: Stephane Eranian
+Signed-off-by: Stephane Eranian
+Signed-off-by: Babu Moger
+Signed-off-by: Borislav Petkov
+Reviewed-by: Ingo Molnar
+Reviewed-by: James Morse
+Reviewed-by: Reinette Chatre
+Reviewed-by: Fenghua Yu
+Cc:
+Link: https://lore.kernel.org/lkml/20220517001234.3137157-1-eranian@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/cpu/resctrl/core.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/cpu/resctrl/core.c
++++ b/arch/x86/kernel/cpu/resctrl/core.c
+@@ -66,9 +66,6 @@ struct rdt_hw_resource rdt_resources_all
+ .rid = RDT_RESOURCE_L3,
+ .name = "L3",
+ .cache_level = 3,
+- .cache = {
+- .min_cbm_bits = 1,
+- },
+ .domains = domain_init(RDT_RESOURCE_L3),
+ .parse_ctrlval = parse_cbm,
+ .format_str = "%d=%0*x",
+@@ -83,9 +80,6 @@ struct rdt_hw_resource rdt_resources_all
+ .rid = RDT_RESOURCE_L2,
+ .name = "L2",
+ .cache_level = 2,
+- .cache = {
+- .min_cbm_bits = 1,
+- },
+ .domains = domain_init(RDT_RESOURCE_L2),
+ .parse_ctrlval = parse_cbm,
+ .format_str = "%d=%0*x",
+@@ -877,6 +871,7 @@ static __init void rdt_init_res_defs_int
+ r->cache.arch_has_sparse_bitmaps = false;
+ r->cache.arch_has_empty_bitmaps = false;
+ r->cache.arch_has_per_cpu_cfg = false;
++ r->cache.min_cbm_bits = 1;
+ } else if (r->rid == RDT_RESOURCE_MBA) {
+ hw_res->msr_base = MSR_IA32_MBA_THRTL_BASE;
+ hw_res->msr_update = mba_wrmsr_intel;
+@@ -897,6 +892,7 @@ static __init void rdt_init_res_defs_amd
+ r->cache.arch_has_sparse_bitmaps = true;
+ r->cache.arch_has_empty_bitmaps = true;
+ r->cache.arch_has_per_cpu_cfg = true;
++ r->cache.min_cbm_bits = 0;
+ } else if (r->rid == RDT_RESOURCE_MBA) {
+ hw_res->msr_base = MSR_IA32_MBA_BW_BASE;
+ hw_res->msr_update =
mba_wrmsr_amd;
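Review bot: With the static `.min_cbm_bits = 1` initialisers removed, the lower bound now exists only where a vendor init function assigns it, so a cache resource that reaches neither assignment keeps the zero-initialised 0 and the `(zero_bit - first_bit) < r->cache.min_cbm_bits` test quoted in the commit message no longer rejects anything for it. The branch conditions guarding the two assignments lie outside the hunks, so it cannot be confirmed from here that every cache resource is covered. The pairing of `arch_has_empty_bitmaps` with `min_cbm_bits` is now kept in step by hand in two functions; I would document it at the AMD assignment with `/* Empty CBMs are valid on AMD; keep in step with arch_has_empty_bitmaps. */` and mirror that at the Intel one. Since cbm_validate() is the check applied to masks written through the schemata file, an explicit note on this invariant is worth the extra line.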