From: Greg Kroah-Hartman Date: Wed, 27 Jul 2022 15:05:57 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.9.325~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ef051ef696c9c1751a1022f19563718d610d2529;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: drm-amd-display-don-t-lock-connection_mutex-for-dmub-hpd.patch drm-amd-display-invalid-parameter-check-in-dmub_hpd_callback.patch drm-amdgpu-off-by-one-in-dm_dmub_outbox1_low_irq.patch kvm-x86-fix-typo-in-__try_cmpxchg_user-causing-non-atomicness.patch x86-drop-bogus-cc-clobber-from-__try_cmpxchg_user_asm.patch x86-extable-prefer-local-labels-in-.set-directives.patch
---
diff --git a/queue-5.15/drm-amd-display-don-t-lock-connection_mutex-for-dmub-hpd.patch b/queue-5.15/drm-amd-display-don-t-lock-connection_mutex-for-dmub-hpd.patch
new file mode 100644
index 00000000000..a7b9dbfaa9e
--- /dev/null
+++ b/queue-5.15/drm-amd-display-don-t-lock-connection_mutex-for-dmub-hpd.patch
@@ -0,0 +1,59 @@
+From d82b3266ef88dc10fe0e7031b2bd8ba7eedb7e59 Mon Sep 17 00:00:00 2001
+From: Nicholas Kazlauskas
+Date: Thu, 4 Nov 2021 16:52:06 -0400
+Subject: drm/amd/display: Don't lock connection_mutex for DMUB HPD
+
+From: Nicholas Kazlauskas
+
+commit d82b3266ef88dc10fe0e7031b2bd8ba7eedb7e59 upstream.
+
+[Why]
+Per DRM spec we only need to hold that lock when touching
+connector->state - which we do not do in that handler.
+
+Taking this locking introduces unnecessary dependencies with other
+threads which is bad for performance and opens up the potential for
+a deadlock since there are multiple locks being held at once.
+
+[How]
+Remove the connection_mutex lock/unlock routine and just iterate over
+the drm connectors normally. The iter helpers implicitly lock the
+connection list so this is safe to do.
+
+DC link access also does not need to be guarded since the link
+table is static at creation - we don't dynamically add or remove links,
+just streams.
+
+Fixes: e27c41d5b068 ("drm/amd/display: Support for DMUB HPD interrupt handling")
+
+Reviewed-by: Jude Shih
+Acked-by: Anson Jacob
+Tested-by: Daniel Wheeler
+Signed-off-by: Nicholas Kazlauskas
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -668,10 +668,7 @@ void dmub_hpd_callback(struct amdgpu_dev
+ return;
+ }
+
+- drm_modeset_lock(&dev->mode_config.connection_mutex, NULL);
+-
+ link_index = notify->link_index;
+-
+ link = adev->dm.dc->links[link_index];
+
+ drm_connector_list_iter_begin(dev, &iter);
+@@ -684,7 +681,6 @@ void dmub_hpd_callback(struct amdgpu_dev
+ }
+ }
+ drm_connector_list_iter_end(&iter);
+- drm_modeset_unlock(&dev->mode_config.connection_mutex);
+
+ }
+
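Review bot: `link = adev->dm.dc->links[link_index];` reads the link table with an index taken from the DMUB notification, and the guard that ends in `return; }` at the top of the first inner hunk starts outside it, so the bound it enforces cannot be checked from here. Because drm-amdgpu-off-by-one-in-dm_dmub_outbox1_low_irq.patch in this same queue corrects a `>` to `>=` on another notification-derived index, confirm that the link_index guard also rejects a value equal to the link count. With connection_mutex dropped, the unguarded read relies solely on the commit message's statement that the link table is static after creation; a comment at the lookup such as `/* links[] is fixed at DC creation, so no modeset lock is needed here */` would record that for later readers.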
diff --git a/queue-5.15/drm-amd-display-invalid-parameter-check-in-dmub_hpd_callback.patch b/queue-5.15/drm-amd-display-invalid-parameter-check-in-dmub_hpd_callback.patch
new file mode 100644
index 00000000000..02735f37701
--- /dev/null
+++ b/queue-5.15/drm-amd-display-invalid-parameter-check-in-dmub_hpd_callback.patch
@@ -0,0 +1,47 @@
+From 978ffac878fd64039f95798b15b430032d2d89d5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?=
+Date: Sun, 9 Jan 2022 19:42:45 +0100
+Subject: drm/amd/display: invalid parameter check in dmub_hpd_callback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito
+
+commit 978ffac878fd64039f95798b15b430032d2d89d5 upstream.
+
+The function performs a check on the "adev" input parameter, however, it
+is used before the check.
+
+Initialize the "dev" variable after the sanity check to avoid a possible
+NULL pointer dereference.
+
+Fixes: e27c41d5b0681 ("drm/amd/display: Support for DMUB HPD interrupt handling")
+Addresses-Coverity-ID: 1493909 ("Null pointer dereference")
+Reviewed-by: Harry Wentland
+Signed-off-by: José Expósito
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -653,7 +653,7 @@ void dmub_hpd_callback(struct amdgpu_dev
+ struct drm_connector_list_iter iter;
+ struct dc_link *link;
+ uint8_t link_index = 0;
+- struct drm_device *dev = adev->dm.ddev;
++ struct drm_device *dev;
+
+ if (adev == NULL)
+ return;
+@@ -670,6 +670,7 @@ void dmub_hpd_callback(struct amdgpu_dev
+
+ link_index = notify->link_index;
+ link = adev->dm.dc->links[link_index];
++ dev = adev->dm.ddev;
+
+ drm_connector_list_iter_begin(dev, &iter);
+ drm_for_each_connector_iter(connector, &iter) {
diff --git a/queue-5.15/drm-amdgpu-off-by-one-in-dm_dmub_outbox1_low_irq.patch b/queue-5.15/drm-amdgpu-off-by-one-in-dm_dmub_outbox1_low_irq.patch
new file mode 100644
index 00000000000..5930555eda9
--- /dev/null
+++ b/queue-5.15/drm-amdgpu-off-by-one-in-dm_dmub_outbox1_low_irq.patch
@@ -0,0 +1,32 @@
+From a35faec3db0e13aac8ea720bc1a3503081dd5a3d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Mon, 16 May 2022 10:05:48 +0300
+Subject: drm/amdgpu: Off by one in dm_dmub_outbox1_low_irq()
+
+From: Dan Carpenter
+
+commit a35faec3db0e13aac8ea720bc1a3503081dd5a3d upstream.
+
+The > ARRAY_SIZE() should be >= ARRAY_SIZE() to prevent an out of bounds
+access.
+
+Fixes: e27c41d5b068 ("drm/amd/display: Support for DMUB HPD interrupt handling")
+Reviewed-by: Harry Wentland
+Signed-off-by: Dan Carpenter
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -757,7 +757,7 @@ static void dm_dmub_outbox1_low_irq(void
+ if (irq_params->irq_src == DC_IRQ_SOURCE_DMCUB_OUTBOX) {
+ do {
+ dc_stat_get_dmub_notification(adev->dm.dc, ¬ify);
+- if (notify.type > ARRAY_SIZE(dm->dmub_thread_offload)) {
++ if (notify.type >= ARRAY_SIZE(dm->dmub_thread_offload)) {
+ DRM_ERROR("DM: notify type %d larger than the array size %ld !", notify.type,
+ ARRAY_SIZE(dm->dmub_thread_offload));
+ continue;
diff --git a/queue-5.15/kvm-x86-fix-typo-in-__try_cmpxchg_user-causing-non-atomicness.patch b/queue-5.15/kvm-x86-fix-typo-in-__try_cmpxchg_user-causing-non-atomicness.patch
new file mode 100644
index 00000000000..0088e82c565
--- /dev/null
+++ b/queue-5.15/kvm-x86-fix-typo-in-__try_cmpxchg_user-causing-non-atomicness.patch
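Review bot: In drm-amdgpu-off-by-one-in-dm_dmub_outbox1_low_irq.patch, the DRM_ERROR left as context under the corrected `>=` test passes `ARRAY_SIZE(dm->dmub_thread_offload)`, a size_t, to `%ld`; the matching specifier is `%zu`. The wording "larger than the array size" also no longer covers the newly rejected case where notify.type equals the array size. An upstream follow-up could change the message to something like `DRM_ERROR("DM: notify type %d is out of range (array size %zu)", notify.type, ARRAY_SIZE(dm->dmub_thread_offload));`, while the stable backport itself stays identical to the upstream commit. The do-loop that contains this check continues outside the hunk.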
@@ -0,0 +1,35 @@
+From 33fbe6befa622c082f7d417896832856814bdde0 Mon Sep 17 00:00:00 2001
+From: Maxim Levitsky
+Date: Thu, 12 May 2022 13:14:20 +0300
+Subject: KVM: x86: fix typo in __try_cmpxchg_user causing non-atomicness
+
+From: Maxim Levitsky
+
+commit 33fbe6befa622c082f7d417896832856814bdde0 upstream.
+
+This shows up as a TDP MMU leak when running nested. Non-working cmpxchg on L0
+relies makes L1 install two different shadow pages under same spte, and one of
+them is leaked.
+
+Fixes: 1c2361f667f36 ("KVM: x86: Use __try_cmpxchg_user() to emulate atomic accesses")
+Signed-off-by: Maxim Levitsky
+Message-Id: <20220512101420.306759-1-mlevitsk@redhat.com>
+Reviewed-by: Sean Christopherson
+Reviewed-by: Vitaly Kuznetsov
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6933,7 +6933,7 @@ static int emulator_cmpxchg_emulated(str
+ goto emul_write;
+
+ hva = kvm_vcpu_gfn_to_hva(vcpu, gpa_to_gfn(gpa));
+- if (kvm_is_error_hva(addr))
++ if (kvm_is_error_hva(hva))
+ goto emul_write;
+
+ hva += offset_in_page(gpa);
diff --git a/queue-5.15/series b/queue-5.15/series
index 0381ccd24f4..e48fc9e5bf2 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -192,3 +192,9 @@ tty-extract-tty_flip_buffer_commit-from-tty_flip_buffer_push.patch
 tty-use-new-tty_insert_flip_string_and_push_buffer-in-pty_write.patch
 net-usb-ax88179_178a-needs-flag_send_zlp.patch
 watch-queue-remove-spurious-double-semicolon.patch
+drm-amd-display-don-t-lock-connection_mutex-for-dmub-hpd.patch
+drm-amd-display-invalid-parameter-check-in-dmub_hpd_callback.patch
+x86-extable-prefer-local-labels-in-.set-directives.patch
+kvm-x86-fix-typo-in-__try_cmpxchg_user-causing-non-atomicness.patch
+x86-drop-bogus-cc-clobber-from-__try_cmpxchg_user_asm.patch
+drm-amdgpu-off-by-one-in-dm_dmub_outbox1_low_irq.patch
diff --git a/queue-5.15/x86-drop-bogus-cc-clobber-from-__try_cmpxchg_user_asm.patch b/queue-5.15/x86-drop-bogus-cc-clobber-from-__try_cmpxchg_user_asm.patch
new file mode 100644
index 00000000000..e857bc85820
--- /dev/null
+++ b/queue-5.15/x86-drop-bogus-cc-clobber-from-__try_cmpxchg_user_asm.patch
@@ -0,0 +1,36 @@
+From 1df931d95f4dc1c11db1123e85d4e08156e46ef9 Mon Sep 17 00:00:00 2001
+From: Jan Beulich
+Date: Tue, 7 Jun 2022 17:00:53 +0200
+Subject: x86: drop bogus "cc" clobber from __try_cmpxchg_user_asm()
+
+From: Jan Beulich
+
+commit 1df931d95f4dc1c11db1123e85d4e08156e46ef9 upstream.
+
+As noted (and fixed) a couple of times in the past, "=@cc" outputs
+and clobbering of "cc" don't work well together. The compiler appears to
+mean to reject such, but doesn't - in its upstream form - quite manage
+to yet for "cc". Furthermore two similar macros don't clobber "cc", and
+clobbering "cc" is pointless in asm()-s for x86 anyway - the compiler
+always assumes status flags to be clobbered there.
+
+Fixes: 989b5db215a2 ("x86/uaccess: Implement macros for CMPXCHG on user addresses")
+Signed-off-by: Jan Beulich
+Message-Id: <485c0c0b-a3a7-0b7c-5264-7d00c01de032@suse.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/uaccess.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/uaccess.h
++++ b/arch/x86/include/asm/uaccess.h
+@@ -471,7 +471,7 @@ do { \
+ [ptr] "+m" (*_ptr), \
+ [old] "+a" (__old) \
+ : [new] ltype (__new) \
+- : "memory", "cc"); \
++ : "memory"); \
+ if (unlikely(__err)) \
+ goto label; \
+ if (unlikely(!success)) \
diff --git a/queue-5.15/x86-extable-prefer-local-labels-in-.set-directives.patch b/queue-5.15/x86-extable-prefer-local-labels-in-.set-directives.patch
new file mode 100644
index 00000000000..1ea44f6031c
--- /dev/null
+++ b/queue-5.15/x86-extable-prefer-local-labels-in-.set-directives.patch
@@ -0,0 +1,88 @@
+From 334865b2915c33080624e0d06f1c3e917036472c Mon Sep 17 00:00:00 2001
+From: Nick Desaulniers
+Date: Tue, 29 Mar 2022 13:21:45 -0700
+Subject: x86/extable: Prefer local labels in .set directives
+
+From: Nick Desaulniers
+
+commit 334865b2915c33080624e0d06f1c3e917036472c upstream.
+
+Bernardo reported an error that Nathan bisected down to
+(x86_64) defconfig+LTO_CLANG_FULL+X86_PMEM_LEGACY.
+
+ LTO vmlinux.o
+ ld.lld: error: :1:13: redefinition of 'found'
+ .set found, 0
+ ^
+
+ :29:1: while in macro instantiation
+ extable_type_reg reg=%eax, type=(17 | ((0) << 16))
+ ^
+
+This appears to be another LTO specific issue similar to what was folded
+into commit 4b5305decc84 ("x86/extable: Extend extable functionality"),
+where the `.set found, 0` in DEFINE_EXTABLE_TYPE_REG in
+arch/x86/include/asm/asm.h conflicts with the symbol for the static
+function `found` in arch/x86/kernel/pmem.c.
+
+Assembler .set directive declare symbols with global visibility, so the
+assembler may not rename such symbols in the event of a conflict. LTO
+could rename static functions if there was a conflict in C sources, but
+it cannot see into symbols defined in inline asm.
+
+The symbols are also retained in the symbol table, regardless of LTO.
+
+Give the symbols .L prefixes making them locally visible, so that they
+may be renamed for LTO to avoid conflicts, and to drop them from the
+symbol table regardless of LTO.
+
+Fixes: 4b5305decc84 ("x86/extable: Extend extable functionality")
+Reported-by: Bernardo Meurer Costa
+Debugged-by: Nathan Chancellor
+Signed-off-by: Nick Desaulniers
+Signed-off-by: Peter Zijlstra (Intel)
+Reviewed-by: Nathan Chancellor
+Tested-by: Nathan Chancellor
+Link: https://lore.kernel.org/r/20220329202148.2379697-1-ndesaulniers@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/asm.h | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/include/asm/asm.h
++++ b/arch/x86/include/asm/asm.h
+@@ -149,24 +149,24 @@
+
+ # define DEFINE_EXTABLE_TYPE_REG \
+ ".macro extable_type_reg type:req reg:req\n" \
+- ".set found, 0\n" \
+- ".set regnr, 0\n" \
++ ".set .Lfound, 0\n" \
++ ".set .Lregnr, 0\n" \
+ ".irp rs,rax,rcx,rdx,rbx,rsp,rbp,rsi,rdi,r8,r9,r10,r11,r12,r13,r14,r15\n" \
+ ".ifc \\reg, %%\\rs\n" \
+- ".set found, found+1\n" \
+- ".long \\type + (regnr << 8)\n" \
++ ".set .Lfound, .Lfound+1\n" \
++ ".long \\type + (.Lregnr << 8)\n" \
+ ".endif\n" \
+- ".set regnr, regnr+1\n" \
++ ".set .Lregnr, .Lregnr+1\n" \
+ ".endr\n" \
+- ".set regnr, 0\n" \
++ ".set .Lregnr, 0\n" \
+ ".irp rs,eax,ecx,edx,ebx,esp,ebp,esi,edi,r8d,r9d,r10d,r11d,r12d,r13d,r14d,r15d\n" \
+ ".ifc \\reg, %%\\rs\n" \
+- ".set found, found+1\n" \
+- ".long \\type + (regnr << 8)\n" \
++ ".set .Lfound, .Lfound+1\n" \
++ ".long \\type + (.Lregnr << 8)\n" \
+ ".endif\n" \
+- ".set regnr, regnr+1\n" \
++ ".set .Lregnr, .Lregnr+1\n" \
+ ".endr\n" \
+- ".if (found != 1)\n" \
++ ".if (.Lfound != 1)\n" \
+ ".error \"extable_type_reg: bad register argument\"\n" \
+ ".endif\n" \
+ ".endm\n"