From 635003b41a01a4d18c4b1329ca58937d58d47906 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sat, 14 Jan 2023 11:02:42 +0100 Subject: [PATCH] 5.15-stable patches added patches: alsa-control-led-use-strscpy-in-set_led_id.patch alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch alsa-hda-realtek-turn-on-power-early.patch asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch docs-fix-the-docs-build-with-sphinx-6.0.patch drm-i915-gt-reset-twice.patch drm-virtio-fix-gem-handle-creation-uaf.patch efi-tpm-avoid-read_once-for-accessing-the-event-log.patch kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch kvm-arm64-nvhe-fix-build-with-profile-optimization.patch net-stmmac-add-aux-timestamps-fifo-clearance-wait.patch netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch s390-kexec-fix-ipl-report-address-for-kdump.patch s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch selftests-kvm-fix-a-compile-error-in-selftests-kvm-rseq_test.c.patch series --- ...ontrol-led-use-strscpy-in-set_led_id.patch | 43 +++ ...te-leds-on-hp-spectre-x360-13-aw0xxx.patch | 82 +++++ ...alsa-hda-realtek-turn-on-power-early.patch | 81 ++++ ...-fix-fallback-sd-line-index-handling.patch | 45 +++ ...s-fix-the-docs-build-with-sphinx-6.0.patch | 49 +++ queue-5.15/drm-i915-gt-reset-twice.patch | 85 +++++ ...m-virtio-fix-gem-handle-creation-uaf.patch | 68 ++++ ...ead_once-for-accessing-the-event-log.patch | 51 +++ ...64-fix-s1ptw-handling-on-ro-memslots.patch | 81 ++++ ...-fix-build-with-profile-optimization.patch | 42 +++ ...d-aux-timestamps-fifo-clearance-wait.patch | 37 ++ ...etics-when-fetching-vlan-header-bits.patch | 37 ++ ...ss-filter-duplicate-symbol-selection.patch | 104 ++++++ ...-semantics-to-compare-and-swap-loops.patch | 345 ++++++++++++++++++ ...xec-fix-ipl-report-address-for-kdump.patch | 60 +++ ...d_once-to-arch_this_cpu_to_op_simple.patch | 32 ++ 
...e-error-in-selftests-kvm-rseq_test.c.patch | 48 +++ queue-5.15/series | 17 + 18 files changed, 1307 insertions(+) create mode 100644 queue-5.15/alsa-control-led-use-strscpy-in-set_led_id.patch create mode 100644 queue-5.15/alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch create mode 100644 queue-5.15/alsa-hda-realtek-turn-on-power-early.patch create mode 100644 queue-5.15/asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch create mode 100644 queue-5.15/docs-fix-the-docs-build-with-sphinx-6.0.patch create mode 100644 queue-5.15/drm-i915-gt-reset-twice.patch create mode 100644 queue-5.15/drm-virtio-fix-gem-handle-creation-uaf.patch create mode 100644 queue-5.15/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch create mode 100644 queue-5.15/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch create mode 100644 queue-5.15/kvm-arm64-nvhe-fix-build-with-profile-optimization.patch create mode 100644 queue-5.15/net-stmmac-add-aux-timestamps-fifo-clearance-wait.patch create mode 100644 queue-5.15/netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch create mode 100644 queue-5.15/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch create mode 100644 queue-5.15/s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch create mode 100644 queue-5.15/s390-kexec-fix-ipl-report-address-for-kdump.patch create mode 100644 queue-5.15/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch create mode 100644 queue-5.15/selftests-kvm-fix-a-compile-error-in-selftests-kvm-rseq_test.c.patch create mode 100644 queue-5.15/series diff --git a/queue-5.15/alsa-control-led-use-strscpy-in-set_led_id.patch b/queue-5.15/alsa-control-led-use-strscpy-in-set_led_id.patch new file mode 100644 index 00000000000..b292874c7b8 --- /dev/null +++ b/queue-5.15/alsa-control-led-use-strscpy-in-set_led_id.patch 
@@ -0,0 +1,43 @@ +From 70051cffb31b5ee09096351c3b41fcae6f89de31 Mon Sep 17 00:00:00 2001 +From: Jaroslav Kysela +Date: Mon, 9 Jan 2023 16:12:49 +0100 +Subject: ALSA: control-led: use strscpy in set_led_id() + +From: Jaroslav Kysela + +commit 70051cffb31b5ee09096351c3b41fcae6f89de31 upstream. + +The use of strncpy() in the set_led_id() was incorrect. +The len variable should use 'min(sizeof(buf2) - 1, count)' +expression. + +Use strscpy() function to simplify things and handle the error gracefully. + +Fixes: a135dfb5de15 ("ALSA: led control - add sysfs kcontrol LED marking layer") +Reported-by: yang.yang29@zte.com.cn +Link: https://lore.kernel.org/alsa-devel/202301091945513559977@zte.com.cn/ +Cc: +Signed-off-by: Jaroslav Kysela +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/control_led.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/sound/core/control_led.c ++++ b/sound/core/control_led.c +@@ -530,12 +530,11 @@ static ssize_t set_led_id(struct snd_ctl + bool attach) + { + char buf2[256], *s, *os; +- size_t len = max(sizeof(s) - 1, count); + struct snd_ctl_elem_id id; + int err; + +- strncpy(buf2, buf, len); +- buf2[len] = '\0'; ++ if (strscpy(buf2, buf, sizeof(buf2)) < 0) ++ return -E2BIG; + memset(&id, 0, sizeof(id)); + id.iface = SNDRV_CTL_ELEM_IFACE_MIXER; + s = buf2; diff --git a/queue-5.15/alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch b/queue-5.15/alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch new file mode 100644 index 00000000000..d9d6afab3da --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch 
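Review bot: The description undersells the removed code: `len = max(sizeof(s) - 1, count)` is max(7, count) because `s` is a pointer, so a sysfs write longer than 256 bytes made strncpy() run past the end of the 256-byte stack buffer `buf2`; the backport is a memory-safety fix and the message should say so. The new strscpy() call drops `count` as a bound entirely and relies on kernfs handing set_led_id() a NUL-terminated `buf`, which is true today but invisible here; a one-line comment keeps the assumption from being lost: `/* sysfs NUL-terminates buf; an id longer than buf2 is rejected (-E2BIG), not truncated */`. set_led_id() starts and continues outside the hunk.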
@@ -0,0 +1,82 @@ +From ca88eeb308a221c2dcd4a64031d2e5fcd3db9eaa Mon Sep 17 00:00:00 2001 +From: Luka Guzenko +Date: Tue, 10 Jan 2023 21:25:14 +0100 +Subject: ALSA: hda/realtek: Enable mute/micmute LEDs on HP Spectre x360 13-aw0xxx + +From: Luka Guzenko + +commit ca88eeb308a221c2dcd4a64031d2e5fcd3db9eaa upstream. + +The HP Spectre x360 13-aw0xxx devices use the ALC285 codec with GPIO 0x04 +controlling the micmute LED and COEF 0x0b index 8 controlling the mute LED. +A quirk was added to make these work as well as a fixup. + +Signed-off-by: Luka Guzenko +Cc: +Link: https://lore.kernel.org/r/20230110202514.2792-1-l.guzenko@web.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4639,6 +4639,16 @@ static void alc285_fixup_hp_coef_micmute + } + } + ++static void alc285_fixup_hp_gpio_micmute_led(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) ++ spec->micmute_led_polarity = 1; ++ alc_fixup_hp_gpio_led(codec, action, 0, 0x04); ++} ++ + static void alc236_fixup_hp_coef_micmute_led(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +@@ -4660,6 +4670,13 @@ static void alc285_fixup_hp_mute_led(str + alc285_fixup_hp_coef_micmute_led(codec, fix, action); + } + ++static void alc285_fixup_hp_spectre_x360_mute_led(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ alc285_fixup_hp_mute_led_coefbit(codec, fix, action); ++ alc285_fixup_hp_gpio_micmute_led(codec, fix, action); ++} ++ + static void alc236_fixup_hp_mute_led(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +@@ -6913,6 +6930,7 @@ enum { + ALC285_FIXUP_ASUS_G533Z_PINS, + ALC285_FIXUP_HP_GPIO_LED, + ALC285_FIXUP_HP_MUTE_LED, ++ 
ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED, + ALC236_FIXUP_HP_GPIO_LED, + ALC236_FIXUP_HP_MUTE_LED, + ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF, +@@ -8282,6 +8300,10 @@ static const struct hda_fixup alc269_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc285_fixup_hp_mute_led, + }, ++ [ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc285_fixup_hp_spectre_x360_mute_led, ++ }, + [ALC236_FIXUP_HP_GPIO_LED] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc236_fixup_hp_gpio_led, +@@ -9000,6 +9022,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO), + SND_PCI_QUIRK(0x103c, 0x86e7, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1), + SND_PCI_QUIRK(0x103c, 0x86e8, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1), ++ SND_PCI_QUIRK(0x103c, 0x86f9, "HP Spectre x360 13-aw0xxx", ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED), diff --git a/queue-5.15/alsa-hda-realtek-turn-on-power-early.patch b/queue-5.15/alsa-hda-realtek-turn-on-power-early.patch new file mode 100644 index 00000000000..7e9a0ae39ac --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-turn-on-power-early.patch 
@@ -0,0 +1,81 @@ +From 1f680609bf1beac20e2a31ddcb1b88874123c39f Mon Sep 17 00:00:00 2001 +From: Yuchi Yang +Date: Fri, 30 Dec 2022 15:22:25 +0800 +Subject: ALSA: hda/realtek - Turn on power early + +From: Yuchi Yang + +commit 1f680609bf1beac20e2a31ddcb1b88874123c39f upstream. + +Turn on power early to avoid wrong state for power relation register. +This can earlier update JD state when resume back. + +Signed-off-by: Yuchi Yang +Cc: +Link: https://lore.kernel.org/r/e35d8f4fa18f4448a2315cc7d4a3715f@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 30 ++++++++++++++++-------------- + 1 file changed, 16 insertions(+), 14 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3558,6 +3558,15 @@ static void alc256_init(struct hda_codec + hda_nid_t hp_pin = alc_get_hp_pin(spec); + bool hp_pin_sense; + ++ if (spec->ultra_low_power) { ++ alc_update_coef_idx(codec, 0x03, 1<<1, 1<<1); ++ alc_update_coef_idx(codec, 0x08, 3<<2, 3<<2); ++ alc_update_coef_idx(codec, 0x08, 7<<4, 0); ++ alc_update_coef_idx(codec, 0x3b, 1<<15, 0); ++ alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6); ++ msleep(30); ++ } ++ + if (!hp_pin) + hp_pin = 0x21; + +@@ -3569,14 +3578,6 @@ static void alc256_init(struct hda_codec + msleep(2); + + alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */ +- if (spec->ultra_low_power) { +- alc_update_coef_idx(codec, 0x03, 1<<1, 1<<1); +- alc_update_coef_idx(codec, 0x08, 3<<2, 3<<2); +- alc_update_coef_idx(codec, 0x08, 7<<4, 0); +- alc_update_coef_idx(codec, 0x3b, 1<<15, 0); +- alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6); +- msleep(30); +- } + + snd_hda_codec_write(codec, hp_pin, 0, + AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE); +@@ -3707,6 +3708,13 @@ static void alc225_init(struct hda_codec + hda_nid_t hp_pin = alc_get_hp_pin(spec); + bool hp1_pin_sense, hp2_pin_sense; + ++ if (spec->ultra_low_power) { ++ alc_update_coef_idx(codec, 0x08, 0x0f << 2, 
3<<2); ++ alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6); ++ alc_update_coef_idx(codec, 0x33, 1<<11, 0); ++ msleep(30); ++ } ++ + if (spec->codec_variant != ALC269_TYPE_ALC287 && + spec->codec_variant != ALC269_TYPE_ALC245) + /* required only at boot or S3 and S4 resume time */ +@@ -3728,12 +3736,6 @@ static void alc225_init(struct hda_codec + msleep(2); + + alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */ +- if (spec->ultra_low_power) { +- alc_update_coef_idx(codec, 0x08, 0x0f << 2, 3<<2); +- alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6); +- alc_update_coef_idx(codec, 0x33, 1<<11, 0); +- msleep(30); +- } + + if (hp1_pin_sense || spec->ultra_low_power) + snd_hda_codec_write(codec, hp_pin, 0, diff --git a/queue-5.15/asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch b/queue-5.15/asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch new file mode 100644 index 00000000000..821dd195b82 --- /dev/null +++ b/queue-5.15/asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch 
@@ -0,0 +1,45 @@ +From 000bca8d706d1bf7cca01af75787247c5a2fdedf Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Fri, 30 Dec 2022 22:15:45 -0800 +Subject: ASoC: qcom: lpass-cpu: Fix fallback SD line index handling + +From: Brian Norris + +commit 000bca8d706d1bf7cca01af75787247c5a2fdedf upstream. + +These indices should reference the ID placed within the dai_driver +array, not the indices of the array itself. + +This fixes commit 4ff028f6c108 ("ASoC: qcom: lpass-cpu: Make I2S SD +lines configurable"), which among others, broke IPQ8064 audio +(sound/soc/qcom/lpass-ipq806x.c) because it uses ID 4 but we'd stop +initializing the mi2s_playback_sd_mode and mi2s_capture_sd_mode arrays +at ID 0. + +Fixes: 4ff028f6c108 ("ASoC: qcom: lpass-cpu: Make I2S SD lines configurable") +Cc: +Signed-off-by: Brian Norris +Reviewed-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20221231061545.2110253-1-computersforpeace@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/lpass-cpu.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/sound/soc/qcom/lpass-cpu.c ++++ b/sound/soc/qcom/lpass-cpu.c +@@ -851,10 +851,11 @@ static void of_lpass_cpu_parse_dai_data( + struct lpass_data *data) + { + struct device_node *node; +- int ret, id; ++ int ret, i, id; + + /* Allow all channels by default for backwards compatibility */ +- for (id = 0; id < data->variant->num_dai; id++) { ++ for (i = 0; i < data->variant->num_dai; i++) { ++ id = data->variant->dai_driver[i].id; + data->mi2s_playback_sd_mode[id] = LPAIF_I2SCTL_MODE_8CH; + data->mi2s_capture_sd_mode[id] = LPAIF_I2SCTL_MODE_8CH; + } diff --git a/queue-5.15/docs-fix-the-docs-build-with-sphinx-6.0.patch b/queue-5.15/docs-fix-the-docs-build-with-sphinx-6.0.patch new file mode 100644 index 00000000000..923ca1ed57f --- /dev/null +++ b/queue-5.15/docs-fix-the-docs-build-with-sphinx-6.0.patch 
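Review bot: `id` is now taken from `dai_driver[i].id` and used directly as an index into `mi2s_playback_sd_mode[]` and `mi2s_capture_sd_mode[]`, whereas the old loop was at least bounded by `num_dai`; the array sizes are not visible in this hunk, so if a variant's DAI ids are not guaranteed to stay below them the new side writes out of bounds. Either a cheap guard before the two stores, `if (WARN_ON(id >= ARRAY_SIZE(data->mi2s_playback_sd_mode))) continue;`, or a comment stating why every variant's ids are known to be in range would make that contract explicit. of_lpass_cpu_parse_dai_data() continues outside the hunk.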
@@ -0,0 +1,49 @@ +From 0283189e8f3d0917e2ac399688df85211f48447b Mon Sep 17 00:00:00 2001 +From: Jonathan Corbet +Date: Wed, 4 Jan 2023 10:47:39 -0700 +Subject: docs: Fix the docs build with Sphinx 6.0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Corbet + +commit 0283189e8f3d0917e2ac399688df85211f48447b upstream. + +Sphinx 6.0 removed the execfile_() function, which we use as part of the +configuration process. They *did* warn us... Just open-code the +functionality as is done in Sphinx itself. + +Tested (using SPHINX_CONF, since this code is only executed with an +alternative config file) on various Sphinx versions from 2.5 through 6.0. + +Reported-by: Martin Liška +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Corbet +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/sphinx/load_config.py | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/Documentation/sphinx/load_config.py ++++ b/Documentation/sphinx/load_config.py +@@ -3,7 +3,7 @@ + + import os + import sys +-from sphinx.util.pycompat import execfile_ ++from sphinx.util.osutil import fs_encoding + + # ------------------------------------------------------------------------------ + def loadConfig(namespace): +@@ -48,7 +48,9 @@ def loadConfig(namespace): + sys.stdout.write("load additional sphinx-config: %s\n" % config_file) + config = namespace.copy() + config['__file__'] = config_file +- execfile_(config_file, config) ++ with open(config_file, 'rb') as f: ++ code = compile(f.read(), fs_encoding, 'exec') ++ exec(code, config) + del config['__file__'] + namespace.update(config) + else: diff --git a/queue-5.15/drm-i915-gt-reset-twice.patch b/queue-5.15/drm-i915-gt-reset-twice.patch new file mode 100644 index 00000000000..345a000031e --- /dev/null +++ b/queue-5.15/drm-i915-gt-reset-twice.patch 
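Review bot: The second argument of `compile()` is the filename recorded in the code object and shown in tracebacks and SyntaxError messages, but the new line passes `fs_encoding` (an encoding name such as 'utf-8'), so any error in the extra config file will be reported against a bogus filename. Use `code = compile(f.read(), config_file, 'exec')` and drop the `fs_encoding` import, which then has no remaining use in this function. loadConfig() starts and continues outside the hunk.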
@@ -0,0 +1,85 @@ +From d3de5616d36462a646f5b360ba82d3b09ff668eb Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Mon, 12 Dec 2022 17:13:38 +0100 +Subject: drm/i915/gt: Reset twice + +From: Chris Wilson + +commit d3de5616d36462a646f5b360ba82d3b09ff668eb upstream. + +After applying an engine reset, on some platforms like Jasperlake, we +occasionally detect that the engine state is not cleared until shortly +after the resume. As we try to resume the engine with volatile internal +state, the first request fails with a spurious CS event (it looks like +it reports a lite-restore to the hung context, instead of the expected +idle->active context switch). + +Signed-off-by: Chris Wilson +Cc: stable@vger.kernel.org +Cc: Mika Kuoppala +Signed-off-by: Andi Shyti +Reviewed-by: Gwan-gyeong Mun +Link: https://patchwork.freedesktop.org/patch/msgid/20221212161338.1007659-1-andi.shyti@linux.intel.com +(cherry picked from commit 3db9d590557da3aa2c952f2fecd3e9b703dad790) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gt/intel_reset.c | 34 ++++++++++++++++++++++++++++------ + 1 file changed, 28 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/i915/gt/intel_reset.c ++++ b/drivers/gpu/drm/i915/gt/intel_reset.c +@@ -271,6 +271,7 @@ out: + static int gen6_hw_domain_reset(struct intel_gt *gt, u32 hw_domain_mask) + { + struct intel_uncore *uncore = gt->uncore; ++ int loops = 2; + int err; + + /* +@@ -278,18 +279,39 @@ static int gen6_hw_domain_reset(struct i + * for fifo space for the write or forcewake the chip for + * the read + */ +- intel_uncore_write_fw(uncore, GEN6_GDRST, hw_domain_mask); ++ do { ++ intel_uncore_write_fw(uncore, GEN6_GDRST, hw_domain_mask); + +- /* Wait for the device to ack the reset requests */ +- err = __intel_wait_for_register_fw(uncore, +- GEN6_GDRST, hw_domain_mask, 0, +- 500, 0, +- NULL); ++ /* ++ * Wait for the device to ack the reset requests. ++ * ++ * On some platforms, e.g. 
Jasperlake, we see that the ++ * engine register state is not cleared until shortly after ++ * GDRST reports completion, causing a failure as we try ++ * to immediately resume while the internal state is still ++ * in flux. If we immediately repeat the reset, the second ++ * reset appears to serialise with the first, and since ++ * it is a no-op, the registers should retain their reset ++ * value. However, there is still a concern that upon ++ * leaving the second reset, the internal engine state ++ * is still in flux and not ready for resuming. ++ */ ++ err = __intel_wait_for_register_fw(uncore, GEN6_GDRST, ++ hw_domain_mask, 0, ++ 2000, 0, ++ NULL); ++ } while (err == 0 && --loops); + if (err) + GT_TRACE(gt, + "Wait for 0x%08x engines reset failed\n", + hw_domain_mask); + ++ /* ++ * As we have observed that the engine state is still volatile ++ * after GDRST is acked, impose a small delay to let everything settle. ++ */ ++ udelay(50); ++ + return err; + } + diff --git a/queue-5.15/drm-virtio-fix-gem-handle-creation-uaf.patch b/queue-5.15/drm-virtio-fix-gem-handle-creation-uaf.patch new file mode 100644 index 00000000000..1f410d48d1a --- /dev/null +++ b/queue-5.15/drm-virtio-fix-gem-handle-creation-uaf.patch 
@@ -0,0 +1,68 @@ +From 52531258318ed59a2dc5a43df2eaf0eb1d65438e Mon Sep 17 00:00:00 2001 +From: Rob Clark +Date: Fri, 16 Dec 2022 15:33:55 -0800 +Subject: drm/virtio: Fix GEM handle creation UAF + +From: Rob Clark + +commit 52531258318ed59a2dc5a43df2eaf0eb1d65438e upstream. + +Userspace can guess the handle value and try to race GEM object creation +with handle close, resulting in a use-after-free if we dereference the +object after dropping the handle's reference. For that reason, dropping +the handle's reference must be done *after* we are done dereferencing +the object. + +Signed-off-by: Rob Clark +Reviewed-by: Chia-I Wu +Fixes: 62fb7a5e1096 ("virtio-gpu: add 3d/virgl support") +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Osipenko +Link: https://patchwork.freedesktop.org/patch/msgid/20221216233355.542197-2-robdclark@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/virtio/virtgpu_ioctl.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c ++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c +@@ -292,10 +292,18 @@ static int virtio_gpu_resource_create_io + drm_gem_object_release(obj); + return ret; + } +- drm_gem_object_put(obj); + + rc->res_handle = qobj->hw_res_handle; /* similiar to a VM address */ + rc->bo_handle = handle; ++ ++ /* ++ * The handle owns the reference now. But we must drop our ++ * remaining reference *after* we no longer need to dereference ++ * the obj. Otherwise userspace could guess the handle and ++ * race closing it from another thread. ++ */ ++ drm_gem_object_put(obj); ++ + return 0; + } + +@@ -656,11 +664,18 @@ static int virtio_gpu_resource_create_bl + drm_gem_object_release(obj); + return ret; + } +- drm_gem_object_put(obj); + + rc_blob->res_handle = bo->hw_res_handle; + rc_blob->bo_handle = handle; + ++ /* ++ * The handle owns the reference now. But we must drop our ++ * remaining reference *after* we no longer need to dereference ++ * the obj. 
Otherwise userspace could guess the handle and ++ * race closing it from another thread. ++ */ ++ drm_gem_object_put(obj); ++ + return 0; + } + diff --git a/queue-5.15/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch b/queue-5.15/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch new file mode 100644 index 00000000000..48f04e9414d --- /dev/null +++ b/queue-5.15/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch 
@@ -0,0 +1,51 @@ +From d3f450533bbcb6dd4d7d59cadc9b61b7321e4ac1 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Mon, 9 Jan 2023 10:44:31 +0100 +Subject: efi: tpm: Avoid READ_ONCE() for accessing the event log + +From: Ard Biesheuvel + +commit d3f450533bbcb6dd4d7d59cadc9b61b7321e4ac1 upstream. + +Nathan reports that recent kernels built with LTO will crash when doing +EFI boot using Fedora's GRUB and SHIM. The culprit turns out to be a +misaligned load from the TPM event log, which is annotated with +READ_ONCE(), and under LTO, this gets translated into a LDAR instruction +which does not tolerate misaligned accesses. + +Interestingly, this does not happen when booting the same kernel +straight from the UEFI shell, and so the fact that the event log may +appear misaligned in memory may be caused by a bug in GRUB or SHIM. + +However, using READ_ONCE() to access firmware tables is slightly unusual +in any case, and here, we only need to ensure that 'event' is not +dereferenced again after it gets unmapped, but this is already taken +care of by the implicit barrier() semantics of the early_memunmap() +call. + +Cc: +Cc: Peter Jones +Cc: Jarkko Sakkinen +Cc: Matthew Garrett +Reported-by: Nathan Chancellor +Tested-by: Nathan Chancellor +Link: https://github.com/ClangBuiltLinux/linux/issues/1782 +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/tpm_eventlog.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/tpm_eventlog.h ++++ b/include/linux/tpm_eventlog.h +@@ -198,8 +198,8 @@ static __always_inline int __calc_tpm2_e + * The loop below will unmap these fields if the log is larger than + * one page, so save them here for reference: + */ +- count = READ_ONCE(event->count); +- event_type = READ_ONCE(event->event_type); ++ count = event->count; ++ event_type = event->event_type; + + /* Verify that it's the log header */ + if (event_header->pcr_idx != 0 || 
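Review bot: Switching to plain loads removes the LDAR that faulted, but the event log is firmware-provided and, per the description, can be misaligned; a plain `event->count` load only tolerates that if the struct is declared `__packed` (or the fields are read with `get_unaligned()`), which this hunk does not show and is worth confirming before the backport. A comment on the two loads would also stop someone re-adding READ_ONCE() later: `/* plain loads: the log may be misaligned, and the early_memunmap() below already orders these reads (see commit message) */`. __calc_tpm2_event_size() starts and continues outside the hunk.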
diff --git a/queue-5.15/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch b/queue-5.15/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch new file mode 100644 index 00000000000..e015937c8ca --- /dev/null +++ b/queue-5.15/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch 
@@ -0,0 +1,81 @@ +From 406504c7b0405d74d74c15a667cd4c4620c3e7a9 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 20 Dec 2022 14:03:52 +0000 +Subject: KVM: arm64: Fix S1PTW handling on RO memslots + +From: Marc Zyngier + +commit 406504c7b0405d74d74c15a667cd4c4620c3e7a9 upstream. + +A recent development on the EFI front has resulted in guests having +their page tables baked in the firmware binary, and mapped into the +IPA space as part of a read-only memslot. Not only is this legitimate, +but it also results in added security, so thumbs up. + +It is possible to take an S1PTW translation fault if the S1 PTs are +unmapped at stage-2. However, KVM unconditionally treats S1PTW as a +write to correctly handle hardware AF/DB updates to the S1 PTs. +Furthermore, KVM injects an exception into the guest for S1PTW writes. +In the aforementioned case this results in the guest taking an abort +it won't recover from, as the S1 PTs mapping the vectors suffer from +the same problem. + +So clearly our handling is... wrong. + +Instead, switch to a two-pronged approach: + +- On S1PTW translation fault, handle the fault as a read + +- On S1PTW permission fault, handle the fault as a write + +This is of no consequence to SW that *writes* to its PTs (the write +will trigger a non-S1PTW fault), and SW that uses RO PTs will not +use HW-assisted AF/DB anyway, as that'd be wrong. + +Only in the case described in c4ad98e4b72c ("KVM: arm64: Assume write +fault on S1PTW permission fault on instruction fetch") do we end-up +with two back-to-back faults (page being evicted and faulted back). +I don't think this is a case worth optimising for. 
+ +Fixes: c4ad98e4b72c ("KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch") +Reviewed-by: Oliver Upton +Reviewed-by: Ard Biesheuvel +Regression-tested-by: Ard Biesheuvel +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/kvm_emulate.h | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +--- a/arch/arm64/include/asm/kvm_emulate.h ++++ b/arch/arm64/include/asm/kvm_emulate.h +@@ -366,8 +366,26 @@ static __always_inline int kvm_vcpu_sys_ + + static inline bool kvm_is_write_fault(struct kvm_vcpu *vcpu) + { +- if (kvm_vcpu_abt_iss1tw(vcpu)) +- return true; ++ if (kvm_vcpu_abt_iss1tw(vcpu)) { ++ /* ++ * Only a permission fault on a S1PTW should be ++ * considered as a write. Otherwise, page tables baked ++ * in a read-only memslot will result in an exception ++ * being delivered in the guest. ++ * ++ * The drawback is that we end-up faulting twice if the ++ * guest is using any of HW AF/DB: a translation fault ++ * to map the page containing the PT (read only at ++ * first), then a permission fault to allow the flags ++ * to be set. ++ */ ++ switch (kvm_vcpu_trap_get_fault_type(vcpu)) { ++ case ESR_ELx_FSC_PERM: ++ return true; ++ default: ++ return false; ++ } ++ } + + if (kvm_vcpu_trap_is_iabt(vcpu)) + return false; diff --git a/queue-5.15/kvm-arm64-nvhe-fix-build-with-profile-optimization.patch b/queue-5.15/kvm-arm64-nvhe-fix-build-with-profile-optimization.patch new file mode 100644 index 00000000000..20f5e1edb72 --- /dev/null +++ b/queue-5.15/kvm-arm64-nvhe-fix-build-with-profile-optimization.patch 
@@ -0,0 +1,42 @@ +From bde971a83bbff78561458ded236605a365411b87 Mon Sep 17 00:00:00 2001 +From: Denis Nikitin +Date: Fri, 14 Oct 2022 11:45:32 -0700 +Subject: KVM: arm64: nvhe: Fix build with profile optimization + +From: Denis Nikitin + +commit bde971a83bbff78561458ded236605a365411b87 upstream. + +Kernel build with clang and KCFLAGS=-fprofile-sample-use= fails with: + +error: arch/arm64/kvm/hyp/nvhe/kvm_nvhe.tmp.o: Unexpected SHT_REL +section ".rel.llvm.call-graph-profile" + +Starting from 13.0.0 llvm can generate SHT_REL section, see +https://reviews.llvm.org/rGca3bdb57fa1ac98b711a735de048c12b5fdd8086. +gen-hyprel does not support SHT_REL relocation section. + +Filter out profile use flags to fix the build with profile optimization. + +Signed-off-by: Denis Nikitin +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20221014184532.3153551-1-denik@chromium.org +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/hyp/nvhe/Makefile | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/arm64/kvm/hyp/nvhe/Makefile ++++ b/arch/arm64/kvm/hyp/nvhe/Makefile +@@ -83,6 +83,10 @@ quiet_cmd_hypcopy = HYPCOPY $@ + # Remove ftrace, Shadow Call Stack, and CFI CFLAGS. + # This is equivalent to the 'notrace', '__noscs', and '__nocfi' annotations. + KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_FTRACE) $(CC_FLAGS_SCS) $(CC_FLAGS_CFI), $(KBUILD_CFLAGS)) ++# Starting from 13.0.0 llvm emits SHT_REL section '.llvm.call-graph-profile' ++# when profile optimization is applied. gen-hyprel does not support SHT_REL and ++# causes a build failure. Remove profile optimization flags. ++KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use=%, $(KBUILD_CFLAGS)) + + # KVM nVHE code is run at a different exception code with a different map, so + # compiler instrumentation that inserts callbacks or checks into the code may 
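Review bot: The filter-out patterns `-fprofile-sample-use=%` and `-fprofile-use=%` only match the `=path` spellings; a bare `-fprofile-use` (accepted by both gcc and clang, defaulting to the current directory) and clang's `-fprofile-instr-use=%` pass through untouched, so the same SHT_REL failure can presumably still be reached with those spellings. Widening the pattern is a one-liner: `KBUILD_CFLAGS := $(filter-out -fprofile-use -fprofile-use=% -fprofile-instr-use=% -fprofile-sample-use=%, $(KBUILD_CFLAGS))`.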
diff --git a/queue-5.15/net-stmmac-add-aux-timestamps-fifo-clearance-wait.patch b/queue-5.15/net-stmmac-add-aux-timestamps-fifo-clearance-wait.patch
new file mode 100644
index 00000000000..99cbfb94a61
--- /dev/null
+++ b/queue-5.15/net-stmmac-add-aux-timestamps-fifo-clearance-wait.patch
@@ -0,0 +1,37 @@
+From ae9dcb91c6069e20b3b9505d79cbc89fd6e086f5 Mon Sep 17 00:00:00 2001
+From: Noor Azura Ahmad Tarmizi
+Date: Wed, 11 Jan 2023 13:02:00 +0800
+Subject: net: stmmac: add aux timestamps fifo clearance wait
+
+From: Noor Azura Ahmad Tarmizi
+
+commit ae9dcb91c6069e20b3b9505d79cbc89fd6e086f5 upstream.
+
+Add timeout polling wait for auxiliary timestamps snapshot FIFO clear bit
+(ATSFC) to clear. This is to ensure no residue fifo value is being read
+erroneously.
+
+Fixes: f4da56529da6 ("net: stmmac: Add support for external trigger timestamping")
+Cc: # 5.10.x
+Signed-off-by: Noor Azura Ahmad Tarmizi
+Link: https://lore.kernel.org/r/20230111050200.2130-1-noor.azura.ahmad.tarmizi@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
+@@ -229,7 +229,10 @@ static int stmmac_enable(struct ptp_cloc
+ }
+ writel(acr_value, ptpaddr + PTP_ACR);
+ mutex_unlock(&priv->aux_ts_lock);
+- ret = 0;
++ /* wait for auxts fifo clear to finish */
++ ret = readl_poll_timeout(ptpaddr + PTP_ACR, acr_value,
++ !(acr_value & PTP_ACR_ATSFC),
++ 10, 10000);
+ break;
+
+ default:
diff --git a/queue-5.15/netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch b/queue-5.15/netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch
new file mode 100644
index 00000000000..ef401a9f86f
--- /dev/null
+++ b/queue-5.15/netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch
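Review bot: The new readl_poll_timeout() on PTP_ACR runs after `mutex_unlock(&priv->aux_ts_lock)`, so another caller that takes the lock can rewrite PTP_ACR while this path is still polling for ATSFC to clear, and the `acr_value` it observes may reflect that caller's write rather than the clear it started. Polling before the unlock, `ret = readl_poll_timeout(...);` followed by `mutex_unlock(&priv->aux_ts_lock);`, keeps the clear-and-wait sequence atomic with respect to other aux-timestamp users; readl_poll_timeout() may sleep, which is fine under a mutex. stmmac_enable() starts and continues outside the hunk.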
@@ -0,0 +1,37 @@
+From 696e1a48b1a1b01edad542a1ef293665864a4dd0 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Wed, 11 Jan 2023 17:07:33 +0100
+Subject: netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits
+
+From: Pablo Neira Ayuso
+
+commit 696e1a48b1a1b01edad542a1ef293665864a4dd0 upstream.
+
+If the offset + length goes over the ethernet + vlan header, then the
+length is adjusted to copy the bytes that are within the boundaries of
+the vlan_ethhdr scratchpad area. The remaining bytes beyond ethernet +
+vlan header are copied directly from the skbuff data area.
+
+Fix incorrect arithmetic operator: subtract, not add, the size of the
+vlan header in case of double-tagged packets to adjust the length
+accordingly to address CVE-2023-0179.
+
+Reported-by: Davide Ornaghi
+Fixes: f6ae9f120dad ("netfilter: nft_payload: add C-VLAN support")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_payload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_payload.c
++++ b/net/netfilter/nft_payload.c
+@@ -63,7 +63,7 @@ nft_payload_copy_vlan(u32 *d, const stru
+ return false;
+
+ if (offset + len > VLAN_ETH_HLEN + vlan_hlen)
+- ethlen -= offset + len - VLAN_ETH_HLEN + vlan_hlen;
++ ethlen -= offset + len - VLAN_ETH_HLEN - vlan_hlen;
+
+ memcpy(dst_u8, vlanh + offset - vlan_hlen, ethlen);
+
diff --git a/queue-5.15/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch b/queue-5.15/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch
new file mode 100644
index 00000000000..7dd233c44ed
--- /dev/null
+++ b/queue-5.15/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch
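Review bot: The one-character sign fix is correct, but `ethlen` is still an unchecked u8 feeding a memcpy() out of the on-stack vlan_ethhdr scratchpad: it only stays in range because `offset >= VLAN_ETH_HLEN` whenever `vlan_hlen` is non-zero (established before the hunk), and CVE-2023-0179 was precisely this expression wrapping to a large length. As the path is reachable by whoever can load nft rules (commonly unprivileged via user namespaces), a belt-and-braces check before the memcpy(), `if (WARN_ON_ONCE(ethlen > VLAN_ETH_HLEN + vlan_hlen - offset)) return false;`, would turn any future arithmetic slip into a dropped match instead of a stack overread. nft_payload_copy_vlan() starts and continues outside the hunk.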
@@ -0,0 +1,104 @@
+From cf129830ee820f7fc90b98df193cd49d49344d09 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter
+Date: Tue, 10 Jan 2023 20:56:59 +0200
+Subject: perf auxtrace: Fix address filter duplicate symbol selection
+
+From: Adrian Hunter
+
+commit cf129830ee820f7fc90b98df193cd49d49344d09 upstream.
+
+When a match has been made to the nth duplicate symbol, return
+success not error.
+
+Example:
+
+ Before:
+
+ $ cat file.c
+ cat: file.c: No such file or directory
+ $ cat file1.c
+ #include
+
+ static void func(void)
+ {
+ printf("First func\n");
+ }
+
+ void other(void);
+
+ int main()
+ {
+ func();
+ other();
+ return 0;
+ }
+ $ cat file2.c
+ #include
+
+ static void func(void)
+ {
+ printf("Second func\n");
+ }
+
+ void other(void)
+ {
+ func();
+ }
+
+ $ gcc -Wall -Wextra -o test file1.c file2.c
+ $ perf record -e intel_pt//u --filter 'filter func @ ./test' -- ./test
+ Multiple symbols with name 'func'
+ #1 0x1149 l func
+ which is near main
+ #2 0x1179 l func
+ which is near other
+ Disambiguate symbol name by inserting #n after the name e.g. func #2
+ Or select a global symbol by inserting #0 or #g or #G
+ Failed to parse address filter: 'filter func @ ./test'
+ Filter format is: filter|start|stop|tracestop [/ ] [@]
+ Where multiple filters are separated by space or comma.
+ $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test
+ Failed to parse address filter: 'filter func #2 @ ./test'
+ Filter format is: filter|start|stop|tracestop [/ ] [@]
+ Where multiple filters are separated by space or comma.
+
+ After:
+
+ $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test
+ First func
+ Second func
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.016 MB perf.data ]
+ $ perf script --itrace=b -Ftime,flags,ip,sym,addr --ns
+ 1231062.526977619: tr strt 0 [unknown] => 558495708179 func
+ 1231062.526977619: tr end call 558495708188 func => 558495708050 _init
+ 1231062.526979286: tr strt 0 [unknown] => 55849570818d func
+ 1231062.526979286: tr end return 55849570818f func => 55849570819d other
+
+Fixes: 1b36c03e356936d6 ("perf record: Add support for using symbols in address filters")
+Reported-by: Dmitrii Dolgov <9erthalion6@gmail.com>
+Signed-off-by: Adrian Hunter
+Tested-by: Dmitry Dolgov <9erthalion6@gmail.com>
+Cc: Adrian Hunter
+Cc: Ian Rogers
+Cc: Jiri Olsa
+Cc: Namhyung Kim
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230110185659.15979-1-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/perf/util/auxtrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/auxtrace.c
++++ b/tools/perf/util/auxtrace.c
+@@ -2545,7 +2545,7 @@ static int find_dso_sym(struct dso *dso,
+ *size = sym->start - *start;
+ if (idx > 0) {
+ if (*size)
+- return 1;
++ return 0;
+ } else if (dso_sym_match(sym, sym_name, &cnt, idx)) {
+ print_duplicate_syms(dso, sym_name);
+ return -EINVAL;
diff --git a/queue-5.15/s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch b/queue-5.15/s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch
new file mode 100644
index 00000000000..01f56be151a
--- /dev/null
+++ b/queue-5.15/s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch
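Review bot: `return 0;` on the nth-duplicate match now means "found" while the sibling branch returns -EINVAL and the old code returned 1, yet nothing in the hunk says what zero, positive and negative results mean to the caller, so the fix rests on a contract the reader has to reconstruct from the call site. A comment at the return, `/* idx-th duplicate selected: *start/*size are filled in, report success */`, plus a kernel-doc-style return-value note on find_dso_sym(), would make the intent explicit and keep a later cleanup from reverting it. The `if (*size)` test also means a selected symbol with zero size is silently skipped and the scan continues, which may be intended but belongs in that comment. find_dso_sym() starts and ends outside the hunk.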
@@ -0,0 +1,345 @@
+From 82d3edb50a11bf3c5ef63294d5358ba230181413 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens
+Date: Thu, 5 Jan 2023 15:44:20 +0100
+Subject: s390/cpum_sf: add READ_ONCE() semantics to compare and swap loops
+
+From: Heiko Carstens
+
+commit 82d3edb50a11bf3c5ef63294d5358ba230181413 upstream.
+
+The current cmpxchg_double() loops within the perf hw sampling code do not
+have READ_ONCE() semantics to read the old value from memory. This allows
+the compiler to generate code which reads the "old" value several times
+from memory, which again allows for inconsistencies.
+
+For example:
+
+ /* Reset trailer (using compare-double-and-swap) */
+ do {
+ te_flags = te->flags & ~SDB_TE_BUFFER_FULL_MASK;
+ te_flags |= SDB_TE_ALERT_REQ_MASK;
+ } while (!cmpxchg_double(&te->flags, &te->overflow,
+ te->flags, te->overflow,
+ te_flags, 0ULL));
+
+The compiler could generate code where te->flags used within the
+cmpxchg_double() call may be refetched from memory and which is not
+necessarily identical to the previous read version which was used to
+generate te_flags. Which in turn means that an incorrect update could
+happen.
+
+Fix this by adding READ_ONCE() semantics to all cmpxchg_double()
+loops. Given that READ_ONCE() cannot generate code on s390 which atomically
+reads 16 bytes, use a private compare-and-swap-double implementation to
+achieve that.
+
+Also replace cmpxchg_double() with the private implementation to be able to
+re-use the old value within the loops.
+
+As a side effect this converts the whole code to only use bit fields
+to read and modify bits within the hws trailer header.
+
+Reported-by: Alexander Gordeev
+Acked-by: Alexander Gordeev
+Acked-by: Hendrik Brueckner
+Reviewed-by: Thomas Richter
+Cc:
+Link: https://lore.kernel.org/linux-s390/Y71QJBhNTIatvxUT@osiris/T/#ma14e2a5f7aa8ed4b94b6f9576799b3ad9c60f333
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/include/asm/cpu_mf.h | 31 +++++-------
+ arch/s390/kernel/perf_cpum_sf.c | 101 ++++++++++++++++++++++++----------------
+ 2 files changed, 77 insertions(+), 55 deletions(-)
+
+--- a/arch/s390/include/asm/cpu_mf.h
++++ b/arch/s390/include/asm/cpu_mf.h
+@@ -128,19 +128,21 @@ struct hws_combined_entry {
+ struct hws_diag_entry diag; /* Diagnostic-sampling data entry */
+ } __packed;
+
+-struct hws_trailer_entry {
+- union {
+- struct {
+- unsigned int f:1; /* 0 - Block Full Indicator */
+- unsigned int a:1; /* 1 - Alert request control */
+- unsigned int t:1; /* 2 - Timestamp format */
+- unsigned int :29; /* 3 - 31: Reserved */
+- unsigned int bsdes:16; /* 32-47: size of basic SDE */
+- unsigned int dsdes:16; /* 48-63: size of diagnostic SDE */
+- };
+- unsigned long long flags; /* 0 - 63: All indicators */
++union hws_trailer_header {
++ struct {
++ unsigned int f:1; /* 0 - Block Full Indicator */
++ unsigned int a:1; /* 1 - Alert request control */
++ unsigned int t:1; /* 2 - Timestamp format */
++ unsigned int :29; /* 3 - 31: Reserved */
++ unsigned int bsdes:16; /* 32-47: size of basic SDE */
++ unsigned int dsdes:16; /* 48-63: size of diagnostic SDE */
++ unsigned long long overflow; /* 64 - Overflow Count */
+ };
+- unsigned long long overflow; /* 64 - sample Overflow count */
++ __uint128_t val;
++};
++
++struct hws_trailer_entry {
++ union hws_trailer_header header; /* 0 - 15 Flags + Overflow Count */
+ unsigned char timestamp[16]; /* 16 - 31 timestamp */
+ unsigned long long reserved1; /* 32 -Reserved */
+ unsigned long long reserved2; /* */
+@@ -287,14 +289,11 @@ static inline unsigned long sample_rate_
+ return USEC_PER_SEC * qsi->cpu_speed / rate;
+ }
+
+-#define SDB_TE_ALERT_REQ_MASK 0x4000000000000000UL
+-#define SDB_TE_BUFFER_FULL_MASK 0x8000000000000000UL
+-
+ /* Return TOD timestamp contained in an trailer entry */
+ static inline unsigned long long trailer_timestamp(struct hws_trailer_entry *te)
+ {
+ /* TOD in STCKE format */
+- if (te->t)
++ if (te->header.t)
+ return *((unsigned long long *) &te->timestamp[1]);
+
+ /* TOD in STCK format */
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -163,14 +163,15 @@ static void free_sampling_buffer(struct
+
+ static int alloc_sample_data_block(unsigned long *sdbt, gfp_t gfp_flags)
+ {
+- unsigned long sdb, *trailer;
++ struct hws_trailer_entry *te;
++ unsigned long sdb;
+
+ /* Allocate and initialize sample-data-block */
+ sdb = get_zeroed_page(gfp_flags);
+ if (!sdb)
+ return -ENOMEM;
+- trailer = trailer_entry_ptr(sdb);
+- *trailer = SDB_TE_ALERT_REQ_MASK;
++ te = (struct hws_trailer_entry *)trailer_entry_ptr(sdb);
++ te->header.a = 1;
+
+ /* Link SDB into the sample-data-block-table */
+ *sdbt = sdb;
+@@ -1206,7 +1207,7 @@ static void hw_collect_samples(struct pe
+ "%s: Found unknown"
+ " sampling data entry: te->f %i"
+ " basic.def %#4x (%p)\n", __func__,
+- te->f, sample->def, sample);
++ te->header.f, sample->def, sample);
+ /* Sample slot is not yet written or other record.
+ *
+ * This condition can occur if the buffer was reused
+@@ -1217,7 +1218,7 @@ static void hw_collect_samples(struct pe
+ * that are not full. Stop processing if the first
+ * invalid format was detected.
+ */
+- if (!te->f)
++ if (!te->header.f)
+ break;
+ }
+
+@@ -1227,6 +1228,16 @@ static void hw_collect_samples(struct pe
+ }
+ }
+
++static inline __uint128_t __cdsg(__uint128_t *ptr, __uint128_t old, __uint128_t new)
++{
++ asm volatile(
++ " cdsg %[old],%[new],%[ptr]\n"
++ : [old] "+d" (old), [ptr] "+QS" (*ptr)
++ : [new] "d" (new)
++ : "memory", "cc");
++ return old;
++}
++
+ /* hw_perf_event_update() - Process sampling buffer
+ * @event: The perf event
+ * @flush_all: Flag to also flush partially filled sample-data-blocks
+@@ -1243,10 +1254,11 @@ static void hw_collect_samples(struct pe
+ */
+ static void hw_perf_event_update(struct perf_event *event, int flush_all)
+ {
++ unsigned long long event_overflow, sampl_overflow, num_sdb;
++ union hws_trailer_header old, prev, new;
+ struct hw_perf_event *hwc = &event->hw;
+ struct hws_trailer_entry *te;
+ unsigned long *sdbt;
+- unsigned long long event_overflow, sampl_overflow, num_sdb, te_flags;
+ int done;
+
+ /*
+@@ -1266,25 +1278,25 @@ static void hw_perf_event_update(struct
+ te = (struct hws_trailer_entry *) trailer_entry_ptr(*sdbt);
+
+ /* Leave loop if no more work to do (block full indicator) */
+- if (!te->f) {
++ if (!te->header.f) {
+ done = 1;
+ if (!flush_all)
+ break;
+ }
+
+ /* Check the sample overflow count */
+- if (te->overflow)
++ if (te->header.overflow)
+ /* Account sample overflows and, if a particular limit
+ * is reached, extend the sampling buffer.
+ * For details, see sfb_account_overflows().
+ */
+- sampl_overflow += te->overflow;
++ sampl_overflow += te->header.overflow;
+
+ /* Timestamps are valid for full sample-data-blocks only */
+ debug_sprintf_event(sfdbg, 6, "%s: sdbt %#lx "
+ "overflow %llu timestamp %#llx\n",
+- __func__, (unsigned long)sdbt, te->overflow,
+- (te->f) ? trailer_timestamp(te) : 0ULL);
++ __func__, (unsigned long)sdbt, te->header.overflow,
++ (te->header.f) ? trailer_timestamp(te) : 0ULL);
+
+ /* Collect all samples from a single sample-data-block and
+ * flag if an (perf) event overflow happened. If so, the PMU
+@@ -1294,12 +1306,16 @@ static void hw_perf_event_update(struct
+ num_sdb++;
+
+ /* Reset trailer (using compare-double-and-swap) */
++ /* READ_ONCE() 16 byte header */
++ prev.val = __cdsg(&te->header.val, 0, 0);
+ do {
+- te_flags = te->flags & ~SDB_TE_BUFFER_FULL_MASK;
+- te_flags |= SDB_TE_ALERT_REQ_MASK;
+- } while (!cmpxchg_double(&te->flags, &te->overflow,
+- te->flags, te->overflow,
+- te_flags, 0ULL));
++ old.val = prev.val;
++ new.val = prev.val;
++ new.f = 0;
++ new.a = 1;
++ new.overflow = 0;
++ prev.val = __cdsg(&te->header.val, old.val, new.val);
++ } while (prev.val != old.val);
+
+ /* Advance to next sample-data-block */
+ sdbt++;
+@@ -1384,7 +1400,7 @@ static void aux_output_end(struct perf_o
+ range_scan = AUX_SDB_NUM_ALERT(aux);
+ for (i = 0, idx = aux->head; i < range_scan; i++, idx++) {
+ te = aux_sdb_trailer(aux, idx);
+- if (!(te->flags & SDB_TE_BUFFER_FULL_MASK))
++ if (!te->header.f)
+ break;
+ }
+ /* i is num of SDBs which are full */
+@@ -1392,7 +1408,7 @@ static void aux_output_end(struct perf_o
+
+ /* Remove alert indicators in the buffer */
+ te = aux_sdb_trailer(aux, aux->alert_mark);
+- te->flags &= ~SDB_TE_ALERT_REQ_MASK;
++ te->header.a = 0;
+
+ debug_sprintf_event(sfdbg, 6, "%s: SDBs %ld range %ld head %ld\n",
+ __func__, i, range_scan, aux->head);
+@@ -1437,9 +1453,9 @@ static int aux_output_begin(struct perf_
+ idx = aux->empty_mark + 1;
+ for (i = 0; i < range_scan; i++, idx++) {
+ te = aux_sdb_trailer(aux, idx);
+- te->flags &= ~(SDB_TE_BUFFER_FULL_MASK |
+- SDB_TE_ALERT_REQ_MASK);
+- te->overflow = 0;
++ te->header.f = 0;
++ te->header.a = 0;
++ te->header.overflow = 0;
+ }
+ /* Save the position of empty SDBs */
+ aux->empty_mark = aux->head + range - 1;
+@@ -1448,7 +1464,7 @@ static int aux_output_begin(struct perf_
+ /* Set alert indicator */
+ aux->alert_mark = aux->head + range/2 - 1;
+ te = aux_sdb_trailer(aux, aux->alert_mark);
+- te->flags = te->flags | SDB_TE_ALERT_REQ_MASK;
++ te->header.a = 1;
+
+ /* Reset hardware buffer head */
+ head = AUX_SDB_INDEX(aux, aux->head);
+@@ -1475,14 +1491,17 @@ static int aux_output_begin(struct perf_
+ static bool aux_set_alert(struct aux_buffer *aux, unsigned long alert_index,
+ unsigned long long *overflow)
+ {
+- unsigned long long orig_overflow, orig_flags, new_flags;
++ union hws_trailer_header old, prev, new;
+ struct hws_trailer_entry *te;
+
+ te = aux_sdb_trailer(aux, alert_index);
++ /* READ_ONCE() 16 byte header */
++ prev.val = __cdsg(&te->header.val, 0, 0);
+ do {
+- orig_flags = te->flags;
+- *overflow = orig_overflow = te->overflow;
+- if (orig_flags & SDB_TE_BUFFER_FULL_MASK) {
++ old.val = prev.val;
++ new.val = prev.val;
++ *overflow = old.overflow;
++ if (old.f) {
+ /*
+ * SDB is already set by hardware.
+ * Abort and try to set somewhere
+@@ -1490,10 +1509,10 @@ static bool aux_set_alert(struct aux_buf
+ */
+ return false;
+ }
+- new_flags = orig_flags | SDB_TE_ALERT_REQ_MASK;
+- } while (!cmpxchg_double(&te->flags, &te->overflow,
+- orig_flags, orig_overflow,
+- new_flags, 0ULL));
++ new.a = 1;
++ new.overflow = 0;
++ prev.val = __cdsg(&te->header.val, old.val, new.val);
++ } while (prev.val != old.val);
+ return true;
+ }
+
+@@ -1522,8 +1541,9 @@ static bool aux_set_alert(struct aux_buf
+ static bool aux_reset_buffer(struct aux_buffer *aux, unsigned long range,
+ unsigned long long *overflow)
+ {
+- unsigned long long orig_overflow, orig_flags, new_flags;
+ unsigned long i, range_scan, idx, idx_old;
++ union hws_trailer_header old, prev, new;
++ unsigned long long orig_overflow;
+ struct hws_trailer_entry *te;
+
+ debug_sprintf_event(sfdbg, 6, "%s: range %ld head %ld alert %ld "
+@@ -1554,17 +1574,20 @@ static bool aux_reset_buffer(struct aux_
+ idx_old = idx = aux->empty_mark + 1;
+ for (i = 0; i < range_scan; i++, idx++) {
+ te = aux_sdb_trailer(aux, idx);
++ /* READ_ONCE() 16 byte header */
++ prev.val = __cdsg(&te->header.val, 0, 0);
+ do {
+- orig_flags = te->flags;
+- orig_overflow = te->overflow;
+- new_flags = orig_flags & ~SDB_TE_BUFFER_FULL_MASK;
++ old.val = prev.val;
++ new.val = prev.val;
++ orig_overflow = old.overflow;
++ new.f = 0;
++ new.overflow = 0;
+ if (idx == aux->alert_mark)
+- new_flags |= SDB_TE_ALERT_REQ_MASK;
++ new.a = 1;
+ else
+- new_flags &= ~SDB_TE_ALERT_REQ_MASK;
+- } while (!cmpxchg_double(&te->flags, &te->overflow,
+- orig_flags, orig_overflow,
+- new_flags, 0ULL));
++ new.a = 0;
++ prev.val = __cdsg(&te->header.val, old.val, new.val);
++ } while (prev.val != old.val);
+ *overflow += orig_overflow;
+ }
+
diff --git a/queue-5.15/s390-kexec-fix-ipl-report-address-for-kdump.patch b/queue-5.15/s390-kexec-fix-ipl-report-address-for-kdump.patch
new file mode 100644
index 00000000000..ae30475793a
--- /dev/null
+++ b/queue-5.15/s390-kexec-fix-ipl-report-address-for-kdump.patch
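Review bot: `__cdsg()` relies on `union hws_trailer_header` being exactly 16 bytes with `overflow` at offset 8 and on the operand being quadword aligned, yet neither assumption is checked anywhere in the hunks; a `BUILD_BUG_ON(sizeof(union hws_trailer_header) != 16);` next to the helper, plus a comment on the union saying the bit-field layout must match the hardware trailer, would catch a future field change at build time. The three `/* READ_ONCE() 16 byte header */` comments (hw_perf_event_update, aux_set_alert, aux_reset_buffer) name the intent but not the trick: `__cdsg(ptr, 0, 0)` is a compare-and-swap of 0 with 0 used as an atomic 16-byte load, harmless only because storing 0 over an all-zero header changes nothing; suggest `/* atomic 16-byte load: cdsg with old == new == 0 never changes memory */`. The plain bit-field stores such as `te->header.a = 0;` in aux_output_end() and the loop in aux_output_begin() remain non-atomic read-modify-writes, presumably acceptable because the hardware is not sampling into those SDBs at that point, but the hunk does not say so. All the enclosing functions start and end outside the hunks.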
@@ -0,0 +1,60 @@
+From c2337a40e04dde1692b5b0a46ecc59f89aaba8a1 Mon Sep 17 00:00:00 2001
+From: Alexander Egorenkov
+Date: Mon, 14 Nov 2022 11:40:08 +0100
+Subject: s390/kexec: fix ipl report address for kdump
+
+From: Alexander Egorenkov
+
+commit c2337a40e04dde1692b5b0a46ecc59f89aaba8a1 upstream.
+
+This commit addresses the following erroneous situation with file-based
+kdump executed on a system with a valid IPL report.
+
+On s390, a kdump kernel, its initrd and IPL report if present are loaded
+into a special and reserved on boot memory region - crashkernel. When
+a system crashes and kdump was activated before, the purgatory code
+is entered first which swaps the crashkernel and [0 - crashkernel size]
+memory regions. Only after that the kdump kernel is entered. For this
+reason, the pointer to an IPL report in lowcore must point to the IPL report
+after the swap and not to the address of the IPL report that was located in
+crashkernel memory region before the swap. Failing to do so, makes the
+kdump's decompressor try to read memory from the crashkernel memory region
+which already contains the production's kernel memory.
+
+The situation described above caused spontaneous kdump failures/hangs
+on systems where the Secure IPL is activated because on such systems
+an IPL report is always present. In that case kdump's decompressor tried
+to parse an IPL report which frequently lead to illegal memory accesses
+because an IPL report contains addresses to various data.
+
+Cc:
+Fixes: 99feaa717e55 ("s390/kexec_file: Create ipl report and pass to next kernel")
+Reviewed-by: Vasily Gorbik
+Signed-off-by: Alexander Egorenkov
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/kernel/machine_kexec_file.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kernel/machine_kexec_file.c
++++ b/arch/s390/kernel/machine_kexec_file.c
+@@ -185,8 +185,6 @@ static int kexec_file_add_ipl_report(str
+
+ data->memsz = ALIGN(data->memsz, PAGE_SIZE);
+ buf.mem = data->memsz;
+- if (image->type == KEXEC_TYPE_CRASH)
+- buf.mem += crashk_res.start;
+
+ ptr = (void *)ipl_cert_list_addr;
+ end = ptr + ipl_cert_list_size;
+@@ -223,6 +221,9 @@ static int kexec_file_add_ipl_report(str
+ data->kernel_buf + offsetof(struct lowcore, ipl_parmblock_ptr);
+ *lc_ipl_parmblock_ptr = (__u32)buf.mem;
+
++ if (image->type == KEXEC_TYPE_CRASH)
++ buf.mem += crashk_res.start;
++
+ ret = kexec_add_buffer(&buf);
+ out:
+ return ret;
diff --git a/queue-5.15/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch b/queue-5.15/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch
new file mode 100644
index 00000000000..99c0ce2dd33
--- /dev/null
+++ b/queue-5.15/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch
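Review bot: After the move, `*lc_ipl_parmblock_ptr = (__u32)buf.mem;` stores the unshifted offset while `buf.mem += crashk_res.start` only feeds `kexec_add_buffer()`, and the only explanation for the two different addresses lives in the commit message. A comment between the two statements, e.g. `/* lowcore needs the post-swap (low memory) address; kexec_add_buffer() needs the crashkernel-relative one */`, would keep the next refactor from folding them back together, which is exactly the bug being fixed. The `(__u32)` truncation now applies to the pre-shift offset, which looks intended, but a note that this value is known to fit in 32 bits would remove the doubt. kexec_file_add_ipl_report() starts and ends outside the hunk.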
@@ -0,0 +1,32 @@
+From e3f360db08d55a14112bd27454e616a24296a8b0 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens
+Date: Mon, 9 Jan 2023 11:51:20 +0100
+Subject: s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple()
+
+From: Heiko Carstens
+
+commit e3f360db08d55a14112bd27454e616a24296a8b0 upstream.
+
+Make sure that *ptr__ within arch_this_cpu_to_op_simple() is only
+dereferenced once by using READ_ONCE(). Otherwise the compiler could
+generate incorrect code.
+
+Cc:
+Reviewed-by: Alexander Gordeev
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/include/asm/percpu.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/include/asm/percpu.h
++++ b/arch/s390/include/asm/percpu.h
+@@ -31,7 +31,7 @@
+ pcp_op_T__ *ptr__; \
+ preempt_disable_notrace(); \
+ ptr__ = raw_cpu_ptr(&(pcp)); \
+- prev__ = *ptr__; \
++ prev__ = READ_ONCE(*ptr__); \
+ do { \
+ old__ = prev__; \
+ new__ = old__ op (val); \
diff --git a/queue-5.15/selftests-kvm-fix-a-compile-error-in-selftests-kvm-rseq_test.c.patch b/queue-5.15/selftests-kvm-fix-a-compile-error-in-selftests-kvm-rseq_test.c.patch
new file mode 100644
index 00000000000..cb30e017520
--- /dev/null
+++ b/queue-5.15/selftests-kvm-fix-a-compile-error-in-selftests-kvm-rseq_test.c.patch
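Review bot: `prev__ = READ_ONCE(*ptr__);` is a one-line change inside a macro whose remaining body, the compare-and-swap loop that consumes `prev__`, lies outside the hunk, so the fix is only complete if that loop refreshes `prev__` from the cmpxchg result rather than from `*ptr__` again; please confirm. A short comment on the changed line, `/* read once: the loop below reuses prev__ as the expected value */`, would record why the plain dereference was wrong. Any sibling `arch_this_cpu_*` macros in the same header that read `*ptr__` the same way are not visible here and may need the same treatment.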
@@ -0,0 +1,48 @@
+From 561cafebb2cf97b0927b4fb0eba22de6200f682e Mon Sep 17 00:00:00 2001
+From: Jinrong Liang
+Date: Tue, 2 Aug 2022 15:12:40 +0800
+Subject: selftests: kvm: Fix a compile error in selftests/kvm/rseq_test.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jinrong Liang
+
+commit 561cafebb2cf97b0927b4fb0eba22de6200f682e upstream.
+
+The following warning appears when executing:
+ make -C tools/testing/selftests/kvm
+
+rseq_test.c: In function ‘main’:
+rseq_test.c:237:33: warning: implicit declaration of function ‘gettid’; did you mean ‘getgid’? [-Wimplicit-function-declaration]
+ (void *)(unsigned long)gettid());
+ ^~~~~~
+ getgid
+/usr/bin/ld: /tmp/ccr5mMko.o: in function `main':
+../kvm/tools/testing/selftests/kvm/rseq_test.c:237: undefined reference to `gettid'
+collect2: error: ld returned 1 exit status
+make: *** [../lib.mk:173: ../kvm/tools/testing/selftests/kvm/rseq_test] Error 1
+
+Use the more compatible syscall(SYS_gettid) instead of gettid() to fix it.
+More subsequent reuse may cause it to be wrapped in a lib file.
+
+Signed-off-by: Jinrong Liang
+Message-Id: <20220802071240.84626-1-cloudliang@tencent.com>
+Signed-off-by: Paolo Bonzini
+Cc: Harshit Mogalapalli
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/kvm/rseq_test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/kvm/rseq_test.c
++++ b/tools/testing/selftests/kvm/rseq_test.c
+@@ -233,7 +233,7 @@ int main(int argc, char *argv[])
+ ucall_init(vm, NULL);
+
+ pthread_create(&migration_thread, NULL, migration_worker,
+- (void *)(unsigned long)gettid());
++ (void *)(unsigned long)syscall(SYS_gettid));
+
+ for (i = 0; !done; i++) {
+ vcpu_run(vm, VCPU_ID);
diff --git a/queue-5.15/series b/queue-5.15/series
new file mode 100644
index 00000000000..d12b63bd891
--- /dev/null
+++ b/queue-5.15/series
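Review bot: `syscall(SYS_gettid)` needs both `<unistd.h>` and `<sys/syscall.h>`, and the hunk changes only the call site, so the patch relies on rseq_test.c already including them; the file's include block is outside the hunk and should be checked before this lands in stable. The `(void *)(unsigned long)` cast now wraps a `long` return instead of a `pid_t`, which is harmless for a tid, but a comment such as `/* gettid() is missing from older glibc; fetch the tid via the raw syscall */` would explain the unusual form to the next reader. main() starts and ends outside the hunk.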
@@ -0,0 +1,17 @@
+netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch
+alsa-control-led-use-strscpy-in-set_led_id.patch
+alsa-hda-realtek-turn-on-power-early.patch
+alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch
+kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch
+kvm-arm64-nvhe-fix-build-with-profile-optimization.patch
+selftests-kvm-fix-a-compile-error-in-selftests-kvm-rseq_test.c.patch
+efi-tpm-avoid-read_once-for-accessing-the-event-log.patch
+docs-fix-the-docs-build-with-sphinx-6.0.patch
+net-stmmac-add-aux-timestamps-fifo-clearance-wait.patch
+perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch
+s390-kexec-fix-ipl-report-address-for-kdump.patch
+asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch
+s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch
+s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch
+drm-virtio-fix-gem-handle-creation-uaf.patch
+drm-i915-gt-reset-twice.patch
-- 
2.47.3