From 7abf7a35248c780a7d5a378471edf19377913c1b Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 12 Aug 2025 18:37:49 +0200 Subject: [PATCH] 6.1-stable patches added patches: alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch x86-sev-evict-cache-lines-during-snp-memory-validation.patch --- ...-one-error-in-__hdmi_lpe_audio_probe.patch | 38 +++++ ...etry-on-eproto-from-scarlett2_usb_tx.patch | 59 +++++++ ...-010b-for-tp-link-archer-tx10ub-nano.patch | 79 ---------- ...bugctl.rtm_debug-if-rtm-is-supported.patch | 55 +++++++ ...tlb-r4k-uniquify-tlb-entries-on-init.patch | 98 ++++++++++++ ...fn_flags-to-the-respective-ifdeffery.patch | 56 +++++++ queue-6.1/series | 9 +- ...-after-free-in-composite_dev_cleanup.patch | 51 ++++++ ...on-pointer-fixup-until-after-warning.patch | 57 +++++++ ...e-lines-during-snp-memory-validation.patch | 149 ++++++++++++++++++ 10 files changed, 571 insertions(+), 80 deletions(-) create mode 100644 queue-6.1/alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch create mode 100644 queue-6.1/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch delete mode 100644 queue-6.1/bluetooth-btusb-add-usb-id-3625-010b-for-tp-link-archer-tx10ub-nano.patch create mode 100644 queue-6.1/kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch create mode 100644 queue-6.1/mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch create mode 100644 queue-6.1/mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch create mode 100644 queue-6.1/usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch create mode 100644 
queue-6.1/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch create mode 100644 queue-6.1/x86-sev-evict-cache-lines-during-snp-memory-validation.patch diff --git a/queue-6.1/alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch b/queue-6.1/alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch new file mode 100644 index 0000000000..c0d6b703a9 --- /dev/null +++ b/queue-6.1/alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch 
@@ -0,0 +1,38 @@
+From 8cbe564974248ee980562be02f2b1912769562c7 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum
+Date: Wed, 6 Aug 2025 01:41:53 +0200
+Subject: ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe()
+
+From: Thorsten Blum
+
+commit 8cbe564974248ee980562be02f2b1912769562c7 upstream.
+
+In __hdmi_lpe_audio_probe(), strscpy() is incorrectly called with the
+length of the source string (excluding the NUL terminator) rather than
+the size of the destination buffer. This results in one character less
+being copied from 'card->shortname' to 'pcm->name'.
+
+Use the destination buffer size instead to ensure the card name is
+copied correctly.
+
+Cc: stable@vger.kernel.org
+Fixes: 75b1a8f9d62e ("ALSA: Convert strlcpy to strscpy when return value is unused")
+Signed-off-by: Thorsten Blum
+Link: https://patch.msgid.link/20250805234156.60294-1-thorsten.blum@linux.dev
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/x86/intel_hdmi_audio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/x86/intel_hdmi_audio.c
++++ b/sound/x86/intel_hdmi_audio.c
+@@ -1766,7 +1766,7 @@ static int __hdmi_lpe_audio_probe(struct
+ /* setup private data which can be retrieved when required */
+ pcm->private_data = ctx;
+ pcm->info_flags = 0;
+- strscpy(pcm->name, card->shortname, strlen(card->shortname));
++ strscpy(pcm->name, card->shortname, sizeof(pcm->name));
+ /* setup the ops for playback */
+ snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_PLAYBACK, &had_pcm_ops);
+ 
diff --git a/queue-6.1/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch b/queue-6.1/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch
new file mode 100644
index 0000000000..79db6d2b4c
--- /dev/null
+++ b/queue-6.1/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch
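Review bot: The new `strscpy(pcm->name, card->shortname, sizeof(pcm->name))` still discards strscpy()'s -E2BIG result, so a shortname longer than pcm->name is silently truncated; that is fine for a display string, but a short comment such as `/* truncation of an over-long shortname is harmless */` would record that it is deliberate. Worth noting in the changelog too: the old strlen()-sized call passed a size of 0 for an empty shortname, which makes strscpy() write nothing at all, so the fix closes that corner as well as the off-by-one. __hdmi_lpe_audio_probe() starts and ends outside the hunk.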
@@ -0,0 +1,59 @@ +From 8a15ca0ca51399b652b1bbb23b590b220cf03d62 Mon Sep 17 00:00:00 2001 +From: "Geoffrey D. Bennett" +Date: Mon, 28 Jul 2025 19:00:35 +0930 +Subject: ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() + +From: Geoffrey D. Bennett + +commit 8a15ca0ca51399b652b1bbb23b590b220cf03d62 upstream. + +During communication with Focusrite Scarlett Gen 2/3/4 USB audio +interfaces, -EPROTO is sometimes returned from scarlett2_usb_tx(), +snd_usb_ctl_msg() which can cause initialisation and control +operations to fail intermittently. + +This patch adds up to 5 retries in scarlett2_usb(), with a delay +starting at 5ms and doubling each time. This follows the same approach +as the fix for usb_set_interface() in endpoint.c (commit f406005e162b +("ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()")), +which resolved similar -EPROTO issues during device initialisation, +and is the same approach as in fcp.c:fcp_usb(). + +Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface") +Closes: https://github.com/geoffreybennett/linux-fcp/issues/41 +Cc: stable@vger.kernel.org +Signed-off-by: Geoffrey D. 
Bennett +Link: https://patch.msgid.link/aIdDO6ld50WQwNim@m.b4.vu +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer_scarlett2.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/usb/mixer_scarlett2.c ++++ b/sound/usb/mixer_scarlett2.c +@@ -1279,6 +1279,8 @@ static int scarlett2_usb( + struct scarlett2_usb_packet *req, *resp = NULL; + size_t req_buf_size = struct_size(req, data, req_size); + size_t resp_buf_size = struct_size(resp, data, resp_size); ++ int retries = 0; ++ const int max_retries = 5; + int err; + + req = kmalloc(req_buf_size, GFP_KERNEL); +@@ -1302,10 +1304,15 @@ static int scarlett2_usb( + if (req_size) + memcpy(req->data, req_data, req_size); + ++retry: + err = scarlett2_usb_tx(dev, private->bInterfaceNumber, + req, req_buf_size); + + if (err != req_buf_size) { ++ if (err == -EPROTO && ++retries <= max_retries) { ++ msleep(5 * (1 << (retries - 1))); ++ goto retry; ++ } + usb_audio_err( + mixer->chip, + "%s USB request result cmd %x was %d\n", diff --git a/queue-6.1/bluetooth-btusb-add-usb-id-3625-010b-for-tp-link-archer-tx10ub-nano.patch b/queue-6.1/bluetooth-btusb-add-usb-id-3625-010b-for-tp-link-archer-tx10ub-nano.patch deleted file mode 100644 index 0dac16266e..0000000000 --- a/queue-6.1/bluetooth-btusb-add-usb-id-3625-010b-for-tp-link-archer-tx10ub-nano.patch +++ /dev/null 
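Review bot: The new retry loop at `retry:` wraps only scarlett2_usb_tx(); the response read that follows later in scarlett2_usb() (outside the hunk) is not retried, so an -EPROTO from the rx side still fails the whole request — worth checking whether fcp_usb(), which the changelog cites as the model, retries both directions and mirroring it if so. The loop also re-sends the identical request after the msleep() without any explicit reset of state, which is presumably safe for this protocol but deserves a comment, e.g. `/* -EPROTO is a transient transport error; resending the same request is safe. */`. The `max_retries = 5` and the `5 *` base delay are two unrelated fives; a named base delay (`#define SCARLETT2_USB_RETRY_MS 5`) would make the 5/10/20/40/80 ms backoff easier to read. If scarlett2_usb() is called with a mutex held, the up-to-155 ms of sleeping now happens under that lock; that is tolerable for a control path but worth a note. The enclosing function begins before the hunk and continues after it.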
@@ -1,79 +0,0 @@ -From d9da920233ec85af8b9c87154f2721a7dc4623f5 Mon Sep 17 00:00:00 2001 -From: Zenm Chen -Date: Wed, 21 May 2025 09:30:20 +0800 -Subject: Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano - -From: Zenm Chen - -commit d9da920233ec85af8b9c87154f2721a7dc4623f5 upstream. - -Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano which is based on -a Realtek RTL8851BU chip. - -The information in /sys/kernel/debug/usb/devices about the Bluetooth -device is listed as the below: - -T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 9 Spd=480 MxCh= 0 -D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 -P: Vendor=3625 ProdID=010b Rev= 0.00 -S: Manufacturer=Realtek -S: Product=802.11ax WLAN Adapter -S: SerialNumber=00e04c000001 -C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=500mA -A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01 -I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms -E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms -E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms -I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms -E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms -I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms -E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms -I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms -E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms -I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms -E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms -I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms -E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms -I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms -E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms -I: If#= 1 Alt= 6 
#EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms -E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms -I:* If#= 2 Alt= 0 #EPs= 8 Cls=ff(vend.) Sub=ff Prot=ff Driver=rtl8851bu -E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms -E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms -E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms -E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms -E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms -E: Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms -E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms -E: Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms - -Cc: stable@vger.kernel.org -Signed-off-by: Zenm Chen -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Greg Kroah-Hartman ---- - drivers/bluetooth/btusb.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/drivers/bluetooth/btusb.c -+++ b/drivers/bluetooth/btusb.c -@@ -502,6 +502,10 @@ static const struct usb_device_id blackl - { USB_DEVICE(0x0bda, 0xc822), .driver_info = BTUSB_REALTEK | - BTUSB_WIDEBAND_SPEECH }, - -+ /* Realtek 8851BU Bluetooth devices */ -+ { USB_DEVICE(0x3625, 0x010b), .driver_info = BTUSB_REALTEK | -+ BTUSB_WIDEBAND_SPEECH }, -+ - /* Realtek 8852AE Bluetooth devices */ - { USB_DEVICE(0x0bda, 0x2852), .driver_info = BTUSB_REALTEK | - BTUSB_WIDEBAND_SPEECH }, diff --git a/queue-6.1/kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch b/queue-6.1/kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch new file mode 100644 index 0000000000..d72c9f0b37 --- /dev/null +++ b/queue-6.1/kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch 
@@ -0,0 +1,55 @@
+From 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Tue, 10 Jun 2025 16:20:06 -0700
+Subject: KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported
+
+From: Sean Christopherson
+
+commit 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 upstream.
+
+Let the guest set DEBUGCTL.RTM_DEBUG if RTM is supported according to the
+guest CPUID model, as debug support is supposed to be available if RTM is
+supported, and there are no known downsides to letting the guest debug RTM
+aborts.
+
+Note, there are no known bug reports related to RTM_DEBUG, the primary
+motivation is to reduce the probability of breaking existing guests when a
+future change adds a missing consistency check on vmcs12.GUEST_DEBUGCTL
+(KVM currently lets L2 run with whatever hardware supports; whoops).
+
+Note #2, KVM already emulates DR6.RTM, and doesn't restrict access to
+DR7.RTM.
+
+Fixes: 83c529151ab0 ("KVM: x86: expose Intel cpu new features (HLE, RTM) to guest")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250610232010.162191-5-seanjc@google.com
+Signed-off-by: Sean Christopherson
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/msr-index.h | 1 +
+ arch/x86/kvm/vmx/vmx.c | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -379,6 +379,7 @@
+ #define DEBUGCTLMSR_FREEZE_PERFMON_ON_PMI (1UL << 12)
+ #define DEBUGCTLMSR_FREEZE_IN_SMM_BIT 14
+ #define DEBUGCTLMSR_FREEZE_IN_SMM (1UL << DEBUGCTLMSR_FREEZE_IN_SMM_BIT)
++#define DEBUGCTLMSR_RTM_DEBUG BIT(15)
+ 
+ #define MSR_PEBS_FRONTEND 0x000003f7
+ 
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -2068,6 +2068,10 @@ static u64 vmx_get_supported_debugctl(st
+ (host_initiated || intel_pmu_lbr_is_enabled(vcpu)))
+ debugctl |= DEBUGCTLMSR_LBR | DEBUGCTLMSR_FREEZE_LBRS_ON_PMI;
+ 
++ if (boot_cpu_has(X86_FEATURE_RTM) &&
++ (host_initiated || guest_cpu_cap_has(vcpu, X86_FEATURE_RTM)))
++ debugctl |= DEBUGCTLMSR_RTM_DEBUG;
++
+ return debugctl;
+ }
+ 
diff --git a/queue-6.1/mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch b/queue-6.1/mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch
new file mode 100644
index 0000000000..b1e42e6aaf
--- /dev/null
+++ b/queue-6.1/mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch
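Review bot: The new condition calls guest_cpu_cap_has(), a helper that as far as I recall was introduced in mainline well after 6.1; if 6.1's arch/x86/kvm/cpuid.h does not provide it, this hunk will not build, and the 6.1-era spelling is `guest_cpuid_has(vcpu, X86_FEATURE_RTM)` — a compile check before the queue is released would settle it. Separately, `#define DEBUGCTLMSR_RTM_DEBUG BIT(15)` uses BIT() while the neighbouring DEBUGCTLMSR_* definitions in the same hunk use `(1UL << n)`; `(1UL << 15)` would match the local style and avoid depending on linux/bits.h being pulled in by this header. vmx_get_supported_debugctl() starts before the hunk.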
@@ -0,0 +1,98 @@ +From 35ad7e181541aa5757f9f316768d3e64403ec843 Mon Sep 17 00:00:00 2001 +From: Jiaxun Yang +Date: Sat, 7 Jun 2025 13:43:56 +0100 +Subject: MIPS: mm: tlb-r4k: Uniquify TLB entries on init + +From: Jiaxun Yang + +commit 35ad7e181541aa5757f9f316768d3e64403ec843 upstream. + +Hardware or bootloader will initialize TLB entries to any value, which +may collide with kernel's UNIQUE_ENTRYHI value. On MIPS microAptiv/M5150 +family of cores this will trigger machine check exception and cause boot +failure. On M5150 simulation this could happen 7 times out of 1000 boots. + +Replace local_flush_tlb_all() with r4k_tlb_uniquify() which probes each +TLB ENTRIHI unique value for collisions before it's written, and in case +of collision try a different ASID. + +Cc: stable@kernel.org +Signed-off-by: Jiaxun Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/mm/tlb-r4k.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 55 insertions(+), 1 deletion(-) + +--- a/arch/mips/mm/tlb-r4k.c ++++ b/arch/mips/mm/tlb-r4k.c +@@ -498,6 +498,60 @@ static int __init set_ntlb(char *str) + + __setup("ntlb=", set_ntlb); + ++/* Initialise all TLB entries with unique values */ ++static void r4k_tlb_uniquify(void) ++{ ++ int entry = num_wired_entries(); ++ ++ htw_stop(); ++ write_c0_entrylo0(0); ++ write_c0_entrylo1(0); ++ ++ while (entry < current_cpu_data.tlbsize) { ++ unsigned long asid_mask = cpu_asid_mask(¤t_cpu_data); ++ unsigned long asid = 0; ++ int idx; ++ ++ /* Skip wired MMID to make ginvt_mmid work */ ++ if (cpu_has_mmid) ++ asid = MMID_KERNEL_WIRED + 1; ++ ++ /* Check for match before using UNIQUE_ENTRYHI */ ++ do { ++ if (cpu_has_mmid) { ++ write_c0_memorymapid(asid); ++ write_c0_entryhi(UNIQUE_ENTRYHI(entry)); ++ } else { ++ write_c0_entryhi(UNIQUE_ENTRYHI(entry) | asid); ++ } ++ mtc0_tlbw_hazard(); ++ tlb_probe(); ++ tlb_probe_hazard(); ++ idx = read_c0_index(); ++ /* No match or match is on current entry */ 
++ if (idx < 0 || idx == entry) ++ break; ++ /* ++ * If we hit a match, we need to try again with ++ * a different ASID. ++ */ ++ asid++; ++ } while (asid < asid_mask); ++ ++ if (idx >= 0 && idx != entry) ++ panic("Unable to uniquify TLB entry %d", idx); ++ ++ write_c0_index(entry); ++ mtc0_tlbw_hazard(); ++ tlb_write_indexed(); ++ entry++; ++ } ++ ++ tlbw_use_hazard(); ++ htw_start(); ++ flush_micro_tlb(); ++} ++ + /* + * Configure TLB (for init or after a CPU has been powered off). + */ +@@ -537,7 +591,7 @@ static void r4k_tlb_configure(void) + temp_tlb_entry = current_cpu_data.tlbsize - 1; + + /* From this point on the ARC firmware is dead. */ +- local_flush_tlb_all(); ++ r4k_tlb_uniquify(); + + /* Did I tell you that ARC SUCKS? */ + } diff --git a/queue-6.1/mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch b/queue-6.1/mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch new file mode 100644 index 0000000000..03fba9d6bb --- /dev/null +++ b/queue-6.1/mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch 
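Review bot: The inner `do { … } while (asid < asid_mask);` search never tries `asid == asid_mask`, so the highest ASID value is excluded from the collision probe; if that is intentional (a reserved value) a comment should say so, otherwise `asid <= asid_mask` gives the loop one more candidate before giving up. The panic message `"Unable to uniquify TLB entry %d", idx` prints the colliding index rather than the entry being initialised, so `panic("Unable to uniquify TLB entry %d (collides with %d)", entry, idx);` would make the failure easier to diagnose. Nothing in r4k_tlb_uniquify() writes PageMask before tlb_write_indexed(); presumably r4k_tlb_configure() has already set it, but since the helper reads as self-contained that dependency deserves a one-line comment above the loop. r4k_tlb_uniquify() is fully contained in the hunk; r4k_tlb_configure() starts before it.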
@@ -0,0 +1,56 @@ +From 188cb385bbf04d486df3e52f28c47b3961f5f0c0 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Thu, 10 Jul 2025 11:23:53 +0300 +Subject: mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery + +From: Andy Shevchenko + +commit 188cb385bbf04d486df3e52f28c47b3961f5f0c0 upstream. + +When pmd_to_hmm_pfn_flags() is unused, it prevents kernel builds with +clang, `make W=1` and CONFIG_TRANSPARENT_HUGEPAGE=n: + + mm/hmm.c:186:29: warning: unused function 'pmd_to_hmm_pfn_flags' [-Wunused-function] + +Fix this by moving the function to the respective existing ifdeffery +for its the only user. + +See also: + + 6863f5643dd7 ("kbuild: allow Clang to find unused static inline functions for W=1 build") + +Link: https://lkml.kernel.org/r/20250710082403.664093-1-andriy.shevchenko@linux.intel.com +Fixes: 992de9a8b751 ("mm/hmm: allow to mirror vma of a file on a DAX backed filesystem") +Signed-off-by: Andy Shevchenko +Reviewed-by: Leon Romanovsky +Reviewed-by: Alistair Popple +Cc: Andriy Shevchenko +Cc: Bill Wendling +Cc: Jerome Glisse +Cc: Justin Stitt +Cc: Nathan Chancellor +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/hmm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/hmm.c ++++ b/mm/hmm.c +@@ -173,6 +173,7 @@ static inline unsigned long hmm_pfn_flag + return order << HMM_PFN_ORDER_SHIFT; + } + ++#ifdef CONFIG_TRANSPARENT_HUGEPAGE + static inline unsigned long pmd_to_hmm_pfn_flags(struct hmm_range *range, + pmd_t pmd) + { +@@ -183,7 +184,6 @@ static inline unsigned long pmd_to_hmm_p + hmm_pfn_flags_order(PMD_SHIFT - PAGE_SHIFT); + } + +-#ifdef CONFIG_TRANSPARENT_HUGEPAGE + static int hmm_vma_handle_pmd(struct mm_walk *walk, unsigned long addr, + unsigned long end, unsigned long hmm_pfns[], + pmd_t pmd) diff --git a/queue-6.1/series b/queue-6.1/series index 70deb19686..eea4737a57 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
@@ -242,6 +242,13 @@ ksmbd-fix-corrupted-mtime-and-ctime-in-smb2_open.patch ksmbd-limit-repeated-connections-from-clients-with-the-same-ip.patch smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch usb-serial-option-add-foxconn-t99w709.patch -bluetooth-btusb-add-usb-id-3625-010b-for-tp-link-archer-tx10ub-nano.patch net-usbnet-avoid-potential-rcu-stall-on-link_change-event.patch net-usbnet-fix-the-wrong-netif_carrier_on-call.patch +x86-sev-evict-cache-lines-during-snp-memory-validation.patch +alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch +alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch +x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch +kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch +mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch +mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch +usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch diff --git a/queue-6.1/usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch b/queue-6.1/usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch new file mode 100644 index 0000000000..4d029865a7 --- /dev/null +++ b/queue-6.1/usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch 
@@ -0,0 +1,51 @@
+From 151c0aa896c47a4459e07fee7d4843f44c1bb18e Mon Sep 17 00:00:00 2001
+From: Tao Xue
+Date: Mon, 21 Jul 2025 17:39:08 +0800
+Subject: usb: gadget : fix use-after-free in composite_dev_cleanup()
+
+From: Tao Xue
+
+commit 151c0aa896c47a4459e07fee7d4843f44c1bb18e upstream.
+
+1. In func configfs_composite_bind() -> composite_os_desc_req_prepare():
+if kmalloc fails, the pointer cdev->os_desc_req will be freed but not
+set to NULL. Then it will return a failure to the upper-level function.
+2. in func configfs_composite_bind() -> composite_dev_cleanup():
+it will checks whether cdev->os_desc_req is NULL. If it is not NULL, it
+will attempt to use it.This will lead to a use-after-free issue.
+
+BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0
+Read of size 8 at addr 0000004827837a00 by task init/1
+
+CPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1
+ kasan_report+0x188/0x1cc
+ __asan_load8+0xb4/0xbc
+ composite_dev_cleanup+0xf4/0x2c0
+ configfs_composite_bind+0x210/0x7ac
+ udc_bind_to_driver+0xb4/0x1ec
+ usb_gadget_probe_driver+0xec/0x21c
+ gadget_dev_desc_UDC_store+0x264/0x27c
+
+Fixes: 37a3a533429e ("usb: gadget: OS Feature Descriptors support")
+Cc: stable
+Signed-off-by: Tao Xue
+Link: https://lore.kernel.org/r/20250721093908.14967-1-xuetao09@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/composite.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -2366,6 +2366,11 @@ int composite_os_desc_req_prepare(struct
+ if (!cdev->os_desc_req->buf) {
+ ret = -ENOMEM;
+ usb_ep_free_request(ep0, cdev->os_desc_req);
++ /*
++ * Set os_desc_req to NULL so that composite_dev_cleanup()
++ * will not try to free it again.
++ */
++ cdev->os_desc_req = NULL;
+ goto end;
+ }
+ cdev->os_desc_req->context = cdev;
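Review bot: Clearing `cdev->os_desc_req` after usb_ep_free_request() does stop composite_dev_cleanup() from freeing it twice, but it treats the symptom: the underlying problem is that the request pointer is published in cdev before its `->buf` exists, so any other early exit between the two allocations (which this hunk cannot see) needs the same hand-written cleanup. Allocating into a local `req` in the usb_ep_alloc_request() call above the hunk and assigning `cdev->os_desc_req = req` only after the buffer allocation succeeds would leave cleanup with no partial state to reason about. The four-line comment can be tightened to `/* Clear the stale pointer so composite_dev_cleanup() does not free it again. */`. composite_os_desc_req_prepare() starts and ends outside the hunk.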
diff --git a/queue-6.1/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch b/queue-6.1/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch
new file mode 100644
index 0000000000..7e6843e553
--- /dev/null
+++ b/queue-6.1/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch
@@ -0,0 +1,57 @@
+From 1cec9ac2d071cfd2da562241aab0ef701355762a Mon Sep 17 00:00:00 2001
+From: Dave Hansen
+Date: Tue, 24 Jun 2025 14:01:48 -0700
+Subject: x86/fpu: Delay instruction pointer fixup until after warning
+
+From: Dave Hansen
+
+commit 1cec9ac2d071cfd2da562241aab0ef701355762a upstream.
+
+Right now, if XRSTOR fails a console message like this is be printed:
+
+ Bad FPU state detected at restore_fpregs_from_fpstate+0x9a/0x170, reinitializing FPU registers.
+
+However, the text location (...+0x9a in this case) is the instruction
+*AFTER* the XRSTOR. The highlighted instruction in the "Code:" dump
+also points one instruction late.
+
+The reason is that the "fixup" moves RIP up to pass the bad XRSTOR and
+keep on running after returning from the #GP handler. But it does this
+fixup before warning.
+
+The resulting warning output is nonsensical because it looks like the
+non-FPU-related instruction is #GP'ing.
+
+Do not fix up RIP until after printing the warning. Do this by using
+the more generic and standard ex_handler_default().
+
+Fixes: d5c8028b4788 ("x86/fpu: Reinitialize FPU registers if restoring FPU state fails")
+Signed-off-by: Dave Hansen
+Reviewed-by: Chao Gao
+Acked-by: Alison Schofield
+Acked-by: Peter Zijlstra (Intel)
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250624210148.97126F9E%40davehans-spike.ostc.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/mm/extable.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/mm/extable.c
++++ b/arch/x86/mm/extable.c
+@@ -121,13 +121,12 @@ static bool ex_handler_sgx(const struct
+ static bool ex_handler_fprestore(const struct exception_table_entry *fixup,
+ struct pt_regs *regs)
+ {
+- regs->ip = ex_fixup_addr(fixup);
+-
+ WARN_ONCE(1, "Bad FPU state detected at %pB, reinitializing FPU registers.",
+ (void *)instruction_pointer(regs));
+ 
+ fpu_reset_from_exception_fixup();
+- return true;
++
++ return ex_handler_default(fixup, regs);
+ }
+ 
+ static bool ex_handler_uaccess(const struct exception_table_entry *fixup,
diff --git a/queue-6.1/x86-sev-evict-cache-lines-during-snp-memory-validation.patch b/queue-6.1/x86-sev-evict-cache-lines-during-snp-memory-validation.patch
new file mode 100644
index 0000000000..f6d5a385fc
--- /dev/null
+++ b/queue-6.1/x86-sev-evict-cache-lines-during-snp-memory-validation.patch
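Review bot: The corrected ordering relies on an invariant that nothing in the new code states: WARN_ONCE() must read regs->ip before ex_handler_default() advances it past the faulting XRSTOR, and a later refactor that moves the fixup back up would silently reintroduce the off-by-one location. A comment above the WARN_ONCE such as `/* Report the faulting RIP first; ex_handler_default() advances it past the XRSTOR. */` would pin that down. It is also worth stating in that comment that fpu_reset_from_exception_fixup() is called with regs untouched and must not depend on the fixed-up IP — I cannot see its body from here, so that is an assumption to confirm. ex_handler_fprestore() is fully contained in the hunk.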
@@ -0,0 +1,149 @@ +From ab3038454906d633499df4e0da2d44a9493f3a88 Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Wed, 30 Jul 2025 09:57:45 -0500 +Subject: x86/sev: Evict cache lines during SNP memory validation + +From: Tom Lendacky + +Commit 7b306dfa326f70114312b320d083b21fa9481e1e upstream. + +An SNP cache coherency vulnerability requires a cache line eviction +mitigation when validating memory after a page state change to private. +The specific mitigation is to touch the first and last byte of each 4K +page that is being validated. There is no need to perform the mitigation +when performing a page state change to shared and rescinding validation. + +CPUID bit Fn8000001F_EBX[31] defines the COHERENCY_SFW_NO CPUID bit that, +when set, indicates that the software mitigation for this vulnerability is +not needed. + +Implement the mitigation and invoke it when validating memory (making it +private) and the COHERENCY_SFW_NO bit is not set, indicating the SNP guest +is vulnerable. + +Co-developed-by: Michael Roth +Signed-off-by: Michael Roth +Signed-off-by: Tom Lendacky +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/boot/compressed/sev.c | 7 +++++++ + arch/x86/boot/cpuflags.c | 13 +++++++++++++ + arch/x86/include/asm/cpufeatures.h | 1 + + arch/x86/kernel/cpu/scattered.c | 1 + + arch/x86/kernel/sev-shared.c | 18 ++++++++++++++++++ + arch/x86/kernel/sev.c | 11 ++++++++++- + 6 files changed, 50 insertions(+), 1 deletion(-) + +--- a/arch/x86/boot/compressed/sev.c ++++ b/arch/x86/boot/compressed/sev.c +@@ -164,6 +164,13 @@ static void __page_state_change(unsigned + */ + if (op == SNP_PAGE_STATE_PRIVATE && pvalidate(paddr, RMP_PG_SIZE_4K, 1)) + sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PVALIDATE); ++ ++ /* ++ * If validating memory (making it private) and affected by the ++ * cache-coherency vulnerability, perform the cache eviction mitigation. 
++ */ ++ if (op == SNP_PAGE_STATE_PRIVATE && !has_cpuflag(X86_FEATURE_COHERENCY_SFW_NO)) ++ sev_evict_cache((void *)paddr, 1); + } + + void snp_set_page_private(unsigned long paddr) +--- a/arch/x86/boot/cpuflags.c ++++ b/arch/x86/boot/cpuflags.c +@@ -124,5 +124,18 @@ void get_cpuflags(void) + cpuid(0x80000001, &ignored, &ignored, &cpu.flags[6], + &cpu.flags[1]); + } ++ ++ if (max_amd_level >= 0x8000001f) { ++ u32 ebx; ++ ++ /* ++ * The X86_FEATURE_COHERENCY_SFW_NO feature bit is in ++ * the virtualization flags entry (word 8) and set by ++ * scattered.c, so the bit needs to be explicitly set. ++ */ ++ cpuid(0x8000001f, &ignored, &ebx, &ignored, &ignored); ++ if (ebx & BIT(31)) ++ set_bit(X86_FEATURE_COHERENCY_SFW_NO, cpu.flags); ++ } + } + } +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -230,6 +230,7 @@ + #define X86_FEATURE_FLEXPRIORITY ( 8*32+ 2) /* Intel FlexPriority */ + #define X86_FEATURE_EPT ( 8*32+ 3) /* Intel Extended Page Table */ + #define X86_FEATURE_VPID ( 8*32+ 4) /* Intel Virtual Processor ID */ ++#define X86_FEATURE_COHERENCY_SFW_NO ( 8*32+ 5) /* "" SNP cache coherency software work around not needed */ + + #define X86_FEATURE_VMMCALL ( 8*32+15) /* Prefer VMMCALL to VMCALL */ + #define X86_FEATURE_XENPV ( 8*32+16) /* "" Xen paravirtual guest */ +--- a/arch/x86/kernel/cpu/scattered.c ++++ b/arch/x86/kernel/cpu/scattered.c +@@ -45,6 +45,7 @@ static const struct cpuid_bit cpuid_bits + { X86_FEATURE_CPB, CPUID_EDX, 9, 0x80000007, 0 }, + { X86_FEATURE_PROC_FEEDBACK, CPUID_EDX, 11, 0x80000007, 0 }, + { X86_FEATURE_MBA, CPUID_EBX, 6, 0x80000008, 0 }, ++ { X86_FEATURE_COHERENCY_SFW_NO, CPUID_EBX, 31, 0x8000001f, 0 }, + { X86_FEATURE_TSA_SQ_NO, CPUID_ECX, 1, 0x80000021, 0 }, + { X86_FEATURE_TSA_L1_NO, CPUID_ECX, 2, 0x80000021, 0 }, + { X86_FEATURE_PERFMON_V2, CPUID_EAX, 0, 0x80000022, 0 }, +--- a/arch/x86/kernel/sev-shared.c ++++ b/arch/x86/kernel/sev-shared.c +@@ -1064,3 +1064,21 @@ static void __head 
setup_cpuid_table(con + RIP_REL_REF(cpuid_ext_range_max) = fn->eax; + } + } ++ ++static inline void sev_evict_cache(void *va, int npages) ++{ ++ volatile u8 val __always_unused; ++ u8 *bytes = va; ++ int page_idx; ++ ++ /* ++ * For SEV guests, a read from the first/last cache-lines of a 4K page ++ * using the guest key is sufficient to cause a flush of all cache-lines ++ * associated with that 4K page without incurring all the overhead of a ++ * full CLFLUSH sequence. ++ */ ++ for (page_idx = 0; page_idx < npages; page_idx++) { ++ val = bytes[page_idx * PAGE_SIZE]; ++ val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; ++ } ++} +--- a/arch/x86/kernel/sev.c ++++ b/arch/x86/kernel/sev.c +@@ -676,10 +676,12 @@ static u64 __init get_jump_table_addr(vo + + static void pvalidate_pages(unsigned long vaddr, unsigned long npages, bool validate) + { +- unsigned long vaddr_end; ++ unsigned long vaddr_begin, vaddr_end; + int rc; + + vaddr = vaddr & PAGE_MASK; ++ ++ vaddr_begin = vaddr; + vaddr_end = vaddr + (npages << PAGE_SHIFT); + + while (vaddr < vaddr_end) { +@@ -689,6 +691,13 @@ static void pvalidate_pages(unsigned lon + + vaddr = vaddr + PAGE_SIZE; + } ++ ++ /* ++ * If validating memory (making it private) and affected by the ++ * cache-coherency vulnerability, perform the cache eviction mitigation. ++ */ ++ if (validate && !cpu_feature_enabled(X86_FEATURE_COHERENCY_SFW_NO)) ++ sev_evict_cache((void *)vaddr_begin, npages); + } + + static void __head early_set_pages_state(unsigned long paddr, unsigned long npages, enum psc_op op) -- 2.47.3
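Review bot: Both new call sites decide to skip the mitigation purely on CPUID Fn8000001F_EBX[31], and in an SNP guest that leaf is answered from the hypervisor-supplied CPUID table, so the guest's safety rests on the PSP refusing a table that sets COHERENCY_SFW_NO on affected hardware; if that enforcement is not guaranteed, a malicious VMM could switch the eviction off, and the `if (op == SNP_PAGE_STATE_PRIVATE && !has_cpuflag(...))` / `cpu_feature_enabled(...)` checks should carry a comment such as `/* COHERENCY_SFW_NO is trusted only because the PSP validates the SNP CPUID table. */` recording that assumption. Coverage is the other thing to audit: sev_evict_cache() is wired into __page_state_change() and pvalidate_pages(), but any other pvalidate(..., 1) caller in the 6.1 tree — the early_set_pages_state() path visible just after the hunk, or anything outside these two files — would still validate without the flush, so every validate=1 site should be traced to one of the two new calls. Minor: sev_evict_cache() makes the page reads observable through a volatile sink (`val`) rather than a volatile load; `(void)READ_ONCE(bytes[...])` or a `*(volatile u8 *)` read expresses the intent more directly. The `(void *)paddr` cast in the decompressor presumably relies on the identity mapping being live at that point, which a one-line comment should say.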