Merge 5.10.175 into android12-5.10-lts

Changes in 5.10.175 fs: prevent out-of-bounds array speculation when closing a file descriptor fork: allow CLONE_NEWTIME in clone3 flags x86/CPU/AMD: Disable XSAVES on AMD family 0x17 drm/amdgpu: fix error checking in amdgpu_read_mm_registers for soc15 drm/connector: print max_requested_bpc in state debugfs ext4: fix cgroup writeback accounting with fs-layer encryption ext4: fix RENAME_WHITEOUT handling for inline directories ext4: fix another off-by-one fsmap error on 1k block filesystems ext4: move where set the MAY_INLINE_DATA flag is set ext4: fix WARNING in ext4_update_inline_data ext4: zero i_disksize when initializing the bootloader inode nfc: change order inside nfc_se_io error path udf: Fix off-by-one error when discarding preallocation irq: Fix typos in comments irqdomain: Look for existing mapping only once irqdomain: Refactor __irq_domain_alloc_irqs() irqdomain: Fix mapping-creation race irqdomain: Change the type of 'size' in __irq_domain_add() to be consistent irqdomain: Fix domain registration race iommu/vt-d: Fix lockdep splat in intel_pasid_get_entry() iommu/vt-d: Fix PASID directory pointer coherency arm64: efi: Make efi_rt_lock a raw_spinlock RISC-V: Avoid dereferening NULL regs in die() riscv: Avoid enabling interrupts in die() riscv: Add header include guards to insn.h scsi: core: Remove the /proc/scsi/${proc_name} directory earlier ext4: Fix possible corruption when moving a directory drm/nouveau/kms/nv50-: remove unused functions drm/nouveau/kms/nv50: fix nv50_wndw_new_ prototype drm/msm: Fix potential invalid ptr free drm/msm/a5xx: fix setting of the CP_PREEMPT_ENABLE_LOCAL register drm/msm: Document and rename preempt_lock drm/msm/a5xx: fix the emptyness check in the preempt code drm/msm/a5xx: fix context faults during ring switch bgmac: fix *initial* chip reset to support BCM5358 nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties powerpc: dts: t1040rdb: fix compatible string for Rev A boards ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping() selftests: nft_nat: ensuring the listening side is up before starting the client net: usb: lan78xx: Remove lots of set but unused 'ret' variables net: lan78xx: fix accessing the LAN7800's internal phy specific registers from the MAC driver net: caif: Fix use-after-free in cfusbl_device_notify() net: stmmac: add to set device wake up flag when stmmac init phy net: phylib: get rid of unnecessary locking bnxt_en: Avoid order-5 memory allocation for TPA data netfilter: ctnetlink: revert to dumping mark regardless of event type netfilter: tproxy: fix deadlock due to missing BH disable btf: fix resolving BTF_KIND_VAR after ARRAY, STRUCT, UNION, PTR net: ethernet: mtk_eth_soc: fix RX data corruption issue scsi: megaraid_sas: Update max supported LD IDs to 240 platform: x86: MLX_PLATFORM: select REGMAP instead of depending on it net/smc: fix fallback failed while sendmsg with fastopen SUNRPC: Fix a server shutdown leak riscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode RISC-V: Don't check text_mutex during stop_machine ext4: Fix deadlock during directory rename iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter watch_queue: fix IOC_WATCH_QUEUE_SET_SIZE alloc error paths tpm/eventlog: Don't abort tpm_read_log on faulty ACPI address block, bfq: fix possible uaf for 'bfqq->bic' block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq block/bfq-iosched.c: use "false" rather than "BLK_RW_ASYNC" block, bfq: replace 0/1 with false/true in bic apis block, bfq: fix uaf for bfqq in bic_set_bfqq() MIPS: Fix a compilation issue powerpc/kcsan: Exclude udelay to prevent recursive instrumentation alpha: fix R_ALPHA_LITERAL reloc for large modules macintosh: windfarm: Use unsigned type for 1-bit bitfields PCI: Add SolidRun vendor ID scripts: handle BrokenPipeError for python scripts media: ov5640: Fix analogue gain control media: rc: gpio-ir-recv: add remove function ipmi/watchdog: replace atomic_add() and atomic_sub() ipmi:watchdog: Set panic count to proper value on a panic skbuff: Fix nfct leak on napi stolen drm/i915: Don't use BAR mappings for ring buffers with LLC ext4: refactor ext4_free_blocks() to pull out ext4_mb_clear_bb() ext4: add ext4_sb_block_valid() refactored out of ext4_inode_block_valid() ext4: add strict range checks while freeing blocks ext4: block range must be validated before use in ext4_mb_clear_bb() arch: fix broken BuildID for arm64 and riscv powerpc/vmlinux.lds: Define RUNTIME_DISCARD_EXIT powerpc/vmlinux.lds: Don't discard .rela* for relocatable builds s390: define RUNTIME_DISCARD_EXIT to fix link error with GNU ld < 2.36 sh: define RUNTIME_DISCARD_EXIT UML: define RUNTIME_DISCARD_EXIT KVM: nVMX: Don't use Enlightened MSR Bitmap for L3 KVM: VMX: Introduce vmx_msr_bitmap_l01_changed() helper KVM: VMX: Fix crash due to uninitialized current_vmcs s390/dasd: add missing discipline function Linux 5.10.175 Change-Id: Ia88bd3919a9280f6aa87c2a048ad156d7f3f2e1d Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2026-01-06 11:08:10 -08:00 · 2023-03-24 14:42:00 +00:00
parent 1baa036104 de26e1b210
commit 87cdb8101e
112 changed files with 714 additions and 451 deletions
--- a/2
+++ b/2
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 5
 PATCHLEVEL = 10
-SUBLEVEL = 174
+SUBLEVEL = 175
 EXTRAVERSION =
 NAME = Dare mighty things

--- a/arch/alpha/kernel/module.c
+++ b/arch/alpha/kernel/module.c
@@ -146,10 +146,8 @@ apply_relocate_add(Elf64_Shdr *sechdrs, const char *strtab,
 	base = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr;
 	symtab = (Elf64_Sym *)sechdrs[symindex].sh_addr;

-	/* The small sections were sorted to the end of the segment.
-	   The following should definitely cover them.  */
-	gp = (u64)me->core_layout.base + me->core_layout.size - 0x8000;
 	got = sechdrs[me->arch.gotsecindex].sh_addr;
+	gp = got + 0x8000;

 	for (i = 0; i < n; i++) {
 		unsigned long r_sym = ELF64_R_SYM (rela[i].r_info);
--- a/arch/arm64/include/asm/efi.h
+++ b/arch/arm64/include/asm/efi.h
@@ -25,7 +25,7 @@ int efi_set_mapping_permissions(struct mm_struct *mm, efi_memory_desc_t *md);
 ({									\
 	efi_virtmap_load();						\
 	__efi_fpsimd_begin();						\
-	spin_lock(&efi_rt_lock);					\
+	raw_spin_lock(&efi_rt_lock);					\
 })

 #define arch_efi_call_virt(p, f, args...)				\
@@ -37,12 +37,12 @@ int efi_set_mapping_permissions(struct mm_struct *mm, efi_memory_desc_t *md);

 #define arch_efi_call_virt_teardown()					\
 ({									\
-	spin_unlock(&efi_rt_lock);					\
+	raw_spin_unlock(&efi_rt_lock);					\
 	__efi_fpsimd_end();						\
 	efi_virtmap_unload();						\
 })

-extern spinlock_t efi_rt_lock;
+extern raw_spinlock_t efi_rt_lock;
 efi_status_t __efi_rt_asm_wrapper(void *, const char *, ...);

 #define ARCH_EFI_IRQ_FLAGS_MASK (PSR_D_BIT | PSR_A_BIT | PSR_I_BIT | PSR_F_BIT)
--- a/arch/arm64/kernel/efi.c
+++ b/arch/arm64/kernel/efi.c
@@ -144,7 +144,7 @@ asmlinkage efi_status_t efi_handle_corrupted_x18(efi_status_t s, const char *f)
 	return s;
 }

-DEFINE_SPINLOCK(efi_rt_lock);
+DEFINE_RAW_SPINLOCK(efi_rt_lock);

 asmlinkage u64 *efi_rt_stack_top __ro_after_init;

--- a/arch/mips/include/asm/mach-rc32434/pci.h
+++ b/arch/mips/include/asm/mach-rc32434/pci.h
@@ -374,7 +374,7 @@ struct pci_msu {
 				 PCI_CFG04_STAT_SSE | \
 				 PCI_CFG04_STAT_PE)

-#define KORINA_CNFG1		((KORINA_STAT<<16)|KORINA_CMD)
+#define KORINA_CNFG1		(KORINA_STAT | KORINA_CMD)

 #define KORINA_REVID		0
 #define KORINA_CLASS_CODE	0
--- a/arch/powerpc/boot/dts/fsl/t1040rdb-rev-a.dts
+++ b/arch/powerpc/boot/dts/fsl/t1040rdb-rev-a.dts
@@ -10,7 +10,6 @@

 / {
 	model = "fsl,T1040RDB-REV-A";
-	compatible = "fsl,T1040RDB-REV-A";
 };

 &seville_port0 {
--- a/arch/powerpc/kernel/time.c
+++ b/arch/powerpc/kernel/time.c
@@ -436,7 +436,7 @@ void vtime_flush(struct task_struct *tsk)
 #define calc_cputime_factors()
 #endif

-void __delay(unsigned long loops)
+void __no_kcsan __delay(unsigned long loops)
 {
 	unsigned long start;

@@ -457,7 +457,7 @@ void __delay(unsigned long loops)
 }
 EXPORT_SYMBOL(__delay);

-void udelay(unsigned long usecs)
+void __no_kcsan udelay(unsigned long usecs)
 {
 	__delay(tb_ticks_per_usec * usecs);
 }
--- a/arch/powerpc/kernel/vmlinux.lds.S
+++ b/arch/powerpc/kernel/vmlinux.lds.S
@@ -8,6 +8,7 @@
 #define BSS_FIRST_SECTIONS *(.bss.prominit)
 #define EMITS_PT_NOTE
 #define RO_EXCEPTION_TABLE_ALIGN	0
+#define RUNTIME_DISCARD_EXIT

 #include <asm/page.h>
 #include <asm-generic/vmlinux.lds.h>
@@ -382,9 +383,12 @@ SECTIONS
 	DISCARDS
 	/DISCARD/ : {
 		*(*.EMB.apuinfo)
-		*(.glink .iplt .plt .rela* .comment)
+		*(.glink .iplt .plt .comment)
 		*(.gnu.version*)
 		*(.gnu.attributes)
 		*(.eh_frame)
+#ifndef CONFIG_RELOCATABLE
+		*(.rela*)
+#endif
 	}
 }
--- a/arch/riscv/include/asm/ftrace.h
+++ b/arch/riscv/include/asm/ftrace.h
@@ -83,6 +83,6 @@ int ftrace_init_nop(struct module *mod, struct dyn_ftrace *rec);
 #define ftrace_init_nop ftrace_init_nop
 #endif

-#endif
+#endif /* CONFIG_DYNAMIC_FTRACE */

 #endif /* _ASM_RISCV_FTRACE_H */
--- a/arch/riscv/include/asm/parse_asm.h
+++ b/arch/riscv/include/asm/parse_asm.h
@@ -3,6 +3,9 @@
 * Copyright (C) 2020 SiFive
 */

+#ifndef _ASM_RISCV_INSN_H
+#define _ASM_RISCV_INSN_H
+
 #include <linux/bits.h>

 /* The bit field of immediate value in I-type instruction */
@@ -217,3 +220,5 @@ static inline bool is_ ## INSN_NAME ## _insn(long insn) \
 	(RVC_X(x_, RVC_B_IMM_5_OPOFF, RVC_B_IMM_5_MASK) << RVC_B_IMM_5_OFF) | \
 	(RVC_X(x_, RVC_B_IMM_7_6_OPOFF, RVC_B_IMM_7_6_MASK) << RVC_B_IMM_7_6_OFF) | \
 	(RVC_IMM_SIGN(x_) << RVC_B_IMM_SIGN_OFF); })
+
+#endif /* _ASM_RISCV_INSN_H */
--- a/arch/riscv/include/asm/patch.h
+++ b/arch/riscv/include/asm/patch.h
@@ -9,4 +9,6 @@
 int patch_text_nosync(void *addr, const void *insns, size_t len);
 int patch_text(void *addr, u32 insn);

+extern int riscv_patch_in_stop_machine;
+
 #endif /* _ASM_RISCV_PATCH_H */
--- a/arch/riscv/kernel/ftrace.c
+++ b/arch/riscv/kernel/ftrace.c
@@ -15,11 +15,21 @@
 int ftrace_arch_code_modify_prepare(void) __acquires(&text_mutex)
 {
 	mutex_lock(&text_mutex);
+
+	/*
+	 * The code sequences we use for ftrace can't be patched while the
+	 * kernel is running, so we need to use stop_machine() to modify them
+	 * for now.  This doesn't play nice with text_mutex, we use this flag
+	 * to elide the check.
+	 */
+	riscv_patch_in_stop_machine = true;
+
 	return 0;
 }

 int ftrace_arch_code_modify_post_process(void) __releases(&text_mutex)
 {
+	riscv_patch_in_stop_machine = false;
 	mutex_unlock(&text_mutex);
 	return 0;
 }
@@ -109,9 +119,9 @@ int ftrace_init_nop(struct module *mod, struct dyn_ftrace *rec)
 {
 	int out;

-	ftrace_arch_code_modify_prepare();
+	mutex_lock(&text_mutex);
 	out = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
-	ftrace_arch_code_modify_post_process();
+	mutex_unlock(&text_mutex);

 	return out;
 }
--- a/arch/riscv/kernel/patch.c
+++ b/arch/riscv/kernel/patch.c
@@ -11,6 +11,7 @@
 #include <asm/kprobes.h>
 #include <asm/cacheflush.h>
 #include <asm/fixmap.h>
+#include <asm/ftrace.h>
 #include <asm/patch.h>

 struct patch_insn {
@@ -19,6 +20,8 @@ struct patch_insn {
 	atomic_t cpu_count;
 };

+int riscv_patch_in_stop_machine = false;
+
 #ifdef CONFIG_MMU
 static void *patch_map(void *addr, int fixmap)
 {
@@ -55,8 +58,15 @@ static int patch_insn_write(void *addr, const void *insn, size_t len)
 	 * Before reaching here, it was expected to lock the text_mutex
 	 * already, so we don't need to give another lock here and could
 	 * ensure that it was safe between each cores.
+	 *
+	 * We're currently using stop_machine() for ftrace & kprobes, and while
+	 * that ensures text_mutex is held before installing the mappings it
+	 * does not ensure text_mutex is held by the calling thread.  That's
+	 * safe but triggers a lockdep failure, so just elide it for that
+	 * specific case.
 	 */
-	lockdep_assert_held(&text_mutex);
+	if (!riscv_patch_in_stop_machine)
+		lockdep_assert_held(&text_mutex);

 	if (across_pages)
 		patch_map(addr + len, FIX_TEXT_POKE1);
@@ -117,13 +127,25 @@ NOKPROBE_SYMBOL(patch_text_cb);

 int patch_text(void *addr, u32 insn)
 {
+	int ret;
 	struct patch_insn patch = {
 		.addr = addr,
 		.insn = insn,
 		.cpu_count = ATOMIC_INIT(0),
 	};

-	return stop_machine_cpuslocked(patch_text_cb,
-				       &patch, cpu_online_mask);
+	/*
+	 * kprobes takes text_mutex, before calling patch_text(), but as we call
+	 * calls stop_machine(), the lockdep assertion in patch_insn_write()
+	 * gets confused by the context in which the lock is taken.
+	 * Instead, ensure the lock is held before calling stop_machine(), and
+	 * set riscv_patch_in_stop_machine to skip the check in
+	 * patch_insn_write().
+	 */
+	lockdep_assert_held(&text_mutex);
+	riscv_patch_in_stop_machine = true;
+	ret = stop_machine_cpuslocked(patch_text_cb, &patch, cpu_online_mask);
+	riscv_patch_in_stop_machine = false;
+	return ret;
 }
 NOKPROBE_SYMBOL(patch_text);
--- a/arch/riscv/kernel/stacktrace.c
+++ b/arch/riscv/kernel/stacktrace.c
@@ -96,7 +96,7 @@ void notrace walk_stackframe(struct task_struct *task,
 	while (!kstack_end(ksp)) {
 		if (__kernel_text_address(pc) && unlikely(fn(pc, arg)))
 			break;
-		pc = (*ksp++) - 0x4;
+		pc = READ_ONCE_NOCHECK(*ksp++) - 0x4;
 	}
 }

--- a/arch/riscv/kernel/traps.c
+++ b/arch/riscv/kernel/traps.c
@@ -31,25 +31,29 @@ void die(struct pt_regs *regs, const char *str)
 {
 	static int die_counter;
 	int ret;
+	long cause;
+	unsigned long flags;

 	oops_enter();

-	spin_lock_irq(&die_lock);
+	spin_lock_irqsave(&die_lock, flags);
 	console_verbose();
 	bust_spinlocks(1);

 	pr_emerg("%s [#%d]\n", str, ++die_counter);
 	print_modules();
-	show_regs(regs);
+	if (regs)
+		show_regs(regs);

-	ret = notify_die(DIE_OOPS, str, regs, 0, regs->cause, SIGSEGV);
+	cause = regs ? regs->cause : -1;
+	ret = notify_die(DIE_OOPS, str, regs, 0, cause, SIGSEGV);

-	if (regs && kexec_should_crash(current))
+	if (kexec_should_crash(current))
 		crash_kexec(regs);

 	bust_spinlocks(0);
 	add_taint(TAINT_DIE, LOCKDEP_NOW_UNRELIABLE);
-	spin_unlock_irq(&die_lock);
+	spin_unlock_irqrestore(&die_lock, flags);
 	oops_exit();

 	if (in_interrupt())
--- a/arch/s390/kernel/vmlinux.lds.S
+++ b/arch/s390/kernel/vmlinux.lds.S
@@ -15,6 +15,8 @@
 /* Handle ro_after_init data on our own. */
 #define RO_AFTER_INIT_DATA

+#define RUNTIME_DISCARD_EXIT
+
 #define EMITS_PT_NOTE

 #include <asm-generic/vmlinux.lds.h>
--- a/arch/sh/kernel/vmlinux.lds.S
+++ b/arch/sh/kernel/vmlinux.lds.S
@@ -4,6 +4,7 @@
 * Written by Niibe Yutaka and Paul Mundt
 */
 OUTPUT_ARCH(sh)
+#define RUNTIME_DISCARD_EXIT
 #include <asm/thread_info.h>
 #include <asm/cache.h>
 #include <asm/vmlinux.lds.h>
--- a/arch/um/kernel/vmlinux.lds.S
+++ b/arch/um/kernel/vmlinux.lds.S
@@ -1,4 +1,4 @@
-
+#define RUNTIME_DISCARD_EXIT
 KERNEL_STACK_SIZE = 4096 * (1 << CONFIG_KERNEL_STACK_ORDER);

 #ifdef CONFIG_LD_SCRIPT_STATIC
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -932,6 +932,15 @@ void init_spectral_chicken(struct cpuinfo_x86 *c)
 		}
 	}
 #endif
+	/*
+	 * Work around Erratum 1386.  The XSAVES instruction malfunctions in
+	 * certain circumstances on Zen1/2 uarch, and not all parts have had
+	 * updated microcode at the time of writing (March 2023).
+	 *
+	 * Affected parts all have no supervisor XSAVE states, meaning that
+	 * the XSAVEC instruction (which works fine) is equivalent.
+	 */
+	clear_cpu_cap(c, X86_FEATURE_XSAVES);
 }

 static void init_amd_zn(struct cpuinfo_x86 *c)
--- a/arch/x86/kvm/vmx/evmcs.h
+++ b/arch/x86/kvm/vmx/evmcs.h
@@ -166,16 +166,6 @@ static inline u16 evmcs_read16(unsigned long field)
 	return *(u16 *)((char *)current_evmcs + offset);
 }

-static inline void evmcs_touch_msr_bitmap(void)
-{
-	if (unlikely(!current_evmcs))
-		return;
-
-	if (current_evmcs->hv_enlightenments_control.msr_bitmap)
-		current_evmcs->hv_clean_fields &=
-			~HV_VMX_ENLIGHTENED_CLEAN_FIELD_MSR_BITMAP;
-}
-
 static inline void evmcs_load(u64 phys_addr)
 {
 	struct hv_vp_assist_page *vp_ap =
@@ -196,7 +186,6 @@ static inline u64 evmcs_read64(unsigned long field) { return 0; }
 static inline u32 evmcs_read32(unsigned long field) { return 0; }
 static inline u16 evmcs_read16(unsigned long field) { return 0; }
 static inline void evmcs_load(u64 phys_addr) {}
-static inline void evmcs_touch_msr_bitmap(void) {}
 #endif /* IS_ENABLED(CONFIG_HYPERV) */

 enum nested_evmptrld_status {
--- a/Show More
+++ b/Show More