Greg Kroah-Hartman
de64d941a7
Changes in 5.10.112
drm/amdkfd: Use drm_priv to pass VM from KFD to amdgpu
hamradio: defer 6pack kfree after unregister_netdev
hamradio: remove needs_free_netdev to avoid UAF
cpuidle: PSCI: Move the `has_lpi` check to the beginning of the function
ACPI: processor idle: Check for architectural support for LPI
btrfs: remove unused variable in btrfs_{start,write}_dirty_block_groups()
drm/msm: Add missing put_task_struct() in debugfs path
memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe
firmware: arm_scmi: Fix sorting of retrieved clock rates
media: rockchip/rga: do proper error checking in probe
SUNRPC: Fix the svc_deferred_event trace class
net/sched: flower: fix parsing of ethertype following VLAN header
veth: Ensure eth header is in skb's linear part
gpiolib: acpi: use correct format characters
net: mdio: Alphabetically sort header inclusion
mlxsw: i2c: Fix initialization error flow
net/sched: fix initialization order when updating chain 0 head
net: dsa: felix: suppress -EPROBE_DEFER errors
net: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link
net/sched: taprio: Check if socket flags are valid
cfg80211: hold bss_lock while updating nontrans_list
drm/msm: Fix range size vs end confusion
drm/msm/dsi: Use connector directly in msm_dsi_manager_connector_init()
net/smc: Fix NULL pointer dereference in smc_pnet_find_ib()
scsi: pm80xx: Mask and unmask upper interrupt vectors 32-63
scsi: pm80xx: Enable upper inbound, outbound queues
scsi: iscsi: Stop queueing during ep_disconnect
scsi: iscsi: Force immediate failure during shutdown
scsi: iscsi: Use system_unbound_wq for destroy_work
scsi: iscsi: Rel ref after iscsi_lookup_endpoint()
scsi: iscsi: Fix in-kernel conn failure handling
scsi: iscsi: Move iscsi_ep_disconnect()
scsi: iscsi: Fix offload conn cleanup when iscsid restarts
scsi: iscsi: Fix conn cleanup and stop race during iscsid restart
sctp: Initialize daddr on peeled off socket
testing/selftests/mqueue: Fix mq_perf_tests to free the allocated cpu set
perf tools: Fix misleading add event PMU debug message
nfc: nci: add flush_workqueue to prevent uaf
cifs: potential buffer overflow in handling symlinks
dm mpath: only use ktime_get_ns() in historical selector
net: bcmgenet: Revert "Use stronger register read/writes to assure ordering"
drm/amd: Add USBC connector ID
btrfs: fix fallocate to use file_modified to update permissions consistently
btrfs: do not warn for free space inode in cow_file_range
drm/amd/display: fix audio format not updated after edid updated
drm/amd/display: FEC check in timing validation
drm/amd/display: Update VTEM Infopacket definition
drm/amdkfd: Fix Incorrect VMIDs passed to HWS
drm/amdgpu/vcn: improve vcn dpg stop procedure
drm/amdkfd: Check for potential null return of kmalloc_array()
Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer
scsi: target: tcmu: Fix possible page UAF
scsi: lpfc: Fix queue failures when recovering from PCI parity error
scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024
net: micrel: fix KS8851_MLL Kconfig
ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs
gpu: ipu-v3: Fix dev_dbg frequency output
regulator: wm8994: Add an off-on delay for WM8994 variant
arm64: alternatives: mark patch_alternative() as `noinstr`
tlb: hugetlb: Add more sizes to tlb_remove_huge_tlb_entry
net: axienet: setup mdio unconditionally
net: usb: aqc111: Fix out-of-bounds accesses in RX fixup
myri10ge: fix an incorrect free for skb in myri10ge_sw_tso
drm/amd/display: Revert FEC check in validation
drm/amd/display: Fix allocate_mst_payload assert on resume
scsi: mvsas: Add PCI ID of RocketRaid 2640
scsi: megaraid_sas: Target with invalid LUN ID is deleted during scan
drivers: net: slip: fix NPD bug in sl_tx_timeout()
perf/imx_ddr: Fix undefined behavior due to shift overflowing the constant
mm, page_alloc: fix build_zonerefs_node()
mm: fix unexpected zeroed page mapping with zram swap
mm: kmemleak: take a full lowmem check in kmemleak_*_phys()
KVM: x86/mmu: Resolve nx_huge_pages when kvm.ko is loaded
memory: renesas-rpc-if: fix platform-device leak in error path
gcc-plugins: latent_entropy: use /dev/urandom
ath9k: Properly clear TX status area before reporting to mac80211
ath9k: Fix usage of driver-private space in tx_info
btrfs: fix root ref counts in error handling in btrfs_get_root_ref
btrfs: mark resumed async balance as writing
ALSA: hda/realtek: Add quirk for Clevo PD50PNT
ALSA: hda/realtek: add quirk for Lenovo Thinkpad X12 speakers
ALSA: pcm: Test for "silence" field in struct "pcm_format_data"
nl80211: correctly check NL80211_ATTR_REG_ALPHA2 size
ipv6: fix panic when forwarding a pkt with no in6 dev
drm/amd/display: don't ignore alpha property on pre-multiplied mode
drm/amdgpu: Enable gfxoff quirk on MacBook Pro
genirq/affinity: Consider that CPUs on nodes can be unbalanced
tick/nohz: Use WARN_ON_ONCE() to prevent console saturation
ARM: davinci: da850-evm: Avoid NULL pointer dereference
dm integrity: fix memory corruption when tag_size is less than digest size
smp: Fix offline cpu check in flush_smp_call_function_queue()
i2c: pasemi: Wait for write xfers to finish
timers: Fix warning condition in __run_timers()
dma-direct: avoid redundant memory sync for swiotlb
scsi: iscsi: Fix endpoint reuse regression
scsi: iscsi: Fix unbound endpoint error handling
ax25: add refcount in ax25_dev to avoid UAF bugs
ax25: fix reference count leaks of ax25_dev
ax25: fix UAF bugs of net_device caused by rebinding operation
ax25: Fix refcount leaks caused by ax25_cb_del()
ax25: fix UAF bug in ax25_send_control()
ax25: fix NPD bug in ax25_disconnect
ax25: Fix NULL pointer dereferences in ax25 timers
ax25: Fix UAF bugs in ax25 timers
Linux 5.10.112
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I9ce7b432f335445dbfb4a67a34a8a1c279011954
265 lines
6.8 KiB
C
265 lines
6.8 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* alternative runtime patching
|
|
* inspired by the x86 version
|
|
*
|
|
* Copyright (C) 2014 ARM Ltd.
|
|
*/
|
|
|
|
#define pr_fmt(fmt) "alternatives: " fmt
|
|
|
|
#include <linux/init.h>
|
|
#include <linux/cpu.h>
|
|
#include <asm/cacheflush.h>
|
|
#include <asm/alternative.h>
|
|
#include <asm/cpufeature.h>
|
|
#include <asm/insn.h>
|
|
#include <asm/sections.h>
|
|
#include <linux/stop_machine.h>
|
|
|
|
#define __ALT_PTR(a,f) ((void *)&(a)->f + (a)->f)
|
|
#define ALT_ORIG_PTR(a) __ALT_PTR(a, orig_offset)
|
|
#define ALT_REPL_PTR(a) __ALT_PTR(a, alt_offset)
|
|
|
|
/* Volatile, as we may be patching the guts of READ_ONCE() */
|
|
static volatile int all_alternatives_applied;
|
|
|
|
static DECLARE_BITMAP(applied_alternatives, ARM64_NCAPS);
|
|
|
|
struct alt_region {
|
|
struct alt_instr *begin;
|
|
struct alt_instr *end;
|
|
};
|
|
|
|
bool alternative_is_applied(u16 cpufeature)
|
|
{
|
|
if (WARN_ON(cpufeature >= ARM64_NCAPS))
|
|
return false;
|
|
|
|
return test_bit(cpufeature, applied_alternatives);
|
|
}
|
|
|
|
/*
|
|
* Check if the target PC is within an alternative block.
|
|
*/
|
|
static __always_inline bool branch_insn_requires_update(struct alt_instr *alt, unsigned long pc)
|
|
{
|
|
unsigned long replptr = (unsigned long)ALT_REPL_PTR(alt);
|
|
return !(pc >= replptr && pc <= (replptr + alt->alt_len));
|
|
}
|
|
|
|
#define align_down(x, a) ((unsigned long)(x) & ~(((unsigned long)(a)) - 1))
|
|
|
|
static __always_inline u32 get_alt_insn(struct alt_instr *alt, __le32 *insnptr, __le32 *altinsnptr)
|
|
{
|
|
u32 insn;
|
|
|
|
insn = le32_to_cpu(*altinsnptr);
|
|
|
|
if (aarch64_insn_is_branch_imm(insn)) {
|
|
s32 offset = aarch64_get_branch_offset(insn);
|
|
unsigned long target;
|
|
|
|
target = (unsigned long)altinsnptr + offset;
|
|
|
|
/*
|
|
* If we're branching inside the alternate sequence,
|
|
* do not rewrite the instruction, as it is already
|
|
* correct. Otherwise, generate the new instruction.
|
|
*/
|
|
if (branch_insn_requires_update(alt, target)) {
|
|
offset = target - (unsigned long)insnptr;
|
|
insn = aarch64_set_branch_offset(insn, offset);
|
|
}
|
|
} else if (aarch64_insn_is_adrp(insn)) {
|
|
s32 orig_offset, new_offset;
|
|
unsigned long target;
|
|
|
|
/*
|
|
* If we're replacing an adrp instruction, which uses PC-relative
|
|
* immediate addressing, adjust the offset to reflect the new
|
|
* PC. adrp operates on 4K aligned addresses.
|
|
*/
|
|
orig_offset = aarch64_insn_adrp_get_offset(insn);
|
|
target = align_down(altinsnptr, SZ_4K) + orig_offset;
|
|
new_offset = target - align_down(insnptr, SZ_4K);
|
|
insn = aarch64_insn_adrp_set_offset(insn, new_offset);
|
|
} else if (aarch64_insn_uses_literal(insn)) {
|
|
/*
|
|
* Disallow patching unhandled instructions using PC relative
|
|
* literal addresses
|
|
*/
|
|
BUG();
|
|
}
|
|
|
|
return insn;
|
|
}
|
|
|
|
static noinstr void patch_alternative(struct alt_instr *alt,
|
|
__le32 *origptr, __le32 *updptr, int nr_inst)
|
|
{
|
|
__le32 *replptr;
|
|
int i;
|
|
|
|
replptr = ALT_REPL_PTR(alt);
|
|
for (i = 0; i < nr_inst; i++) {
|
|
u32 insn;
|
|
|
|
insn = get_alt_insn(alt, origptr + i, replptr + i);
|
|
updptr[i] = cpu_to_le32(insn);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* We provide our own, private D-cache cleaning function so that we don't
|
|
* accidentally call into the cache.S code, which is patched by us at
|
|
* runtime.
|
|
*/
|
|
static void clean_dcache_range_nopatch(u64 start, u64 end)
|
|
{
|
|
u64 cur, d_size, ctr_el0;
|
|
|
|
ctr_el0 = read_sanitised_ftr_reg(SYS_CTR_EL0);
|
|
d_size = 4 << cpuid_feature_extract_unsigned_field(ctr_el0,
|
|
CTR_DMINLINE_SHIFT);
|
|
cur = start & ~(d_size - 1);
|
|
do {
|
|
/*
|
|
* We must clean+invalidate to the PoC in order to avoid
|
|
* Cortex-A53 errata 826319, 827319, 824069 and 819472
|
|
* (this corresponds to ARM64_WORKAROUND_CLEAN_CACHE)
|
|
*/
|
|
asm volatile("dc civac, %0" : : "r" (cur) : "memory");
|
|
} while (cur += d_size, cur < end);
|
|
}
|
|
|
|
static void __nocfi __apply_alternatives(void *alt_region, bool is_module,
|
|
unsigned long *feature_mask)
|
|
{
|
|
struct alt_instr *alt;
|
|
struct alt_region *region = alt_region;
|
|
__le32 *origptr, *updptr;
|
|
alternative_cb_t alt_cb;
|
|
|
|
for (alt = region->begin; alt < region->end; alt++) {
|
|
int nr_inst;
|
|
|
|
if (!test_bit(alt->cpufeature, feature_mask))
|
|
continue;
|
|
|
|
/* Use ARM64_CB_PATCH as an unconditional patch */
|
|
if (alt->cpufeature < ARM64_CB_PATCH &&
|
|
!cpus_have_cap(alt->cpufeature))
|
|
continue;
|
|
|
|
if (alt->cpufeature == ARM64_CB_PATCH)
|
|
BUG_ON(alt->alt_len != 0);
|
|
else
|
|
BUG_ON(alt->alt_len != alt->orig_len);
|
|
|
|
pr_info_once("patching kernel code\n");
|
|
|
|
origptr = ALT_ORIG_PTR(alt);
|
|
updptr = is_module ? origptr : lm_alias(origptr);
|
|
nr_inst = alt->orig_len / AARCH64_INSN_SIZE;
|
|
|
|
if (alt->cpufeature < ARM64_CB_PATCH)
|
|
alt_cb = patch_alternative;
|
|
else
|
|
alt_cb = ALT_REPL_PTR(alt);
|
|
|
|
alt_cb(alt, origptr, updptr, nr_inst);
|
|
|
|
if (!is_module) {
|
|
clean_dcache_range_nopatch((u64)origptr,
|
|
(u64)(origptr + nr_inst));
|
|
}
|
|
}
|
|
|
|
/*
|
|
* The core module code takes care of cache maintenance in
|
|
* flush_module_icache().
|
|
*/
|
|
if (!is_module) {
|
|
dsb(ish);
|
|
__flush_icache_all();
|
|
isb();
|
|
|
|
/* Ignore ARM64_CB bit from feature mask */
|
|
bitmap_or(applied_alternatives, applied_alternatives,
|
|
feature_mask, ARM64_NCAPS);
|
|
bitmap_and(applied_alternatives, applied_alternatives,
|
|
cpu_hwcaps, ARM64_NCAPS);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* We might be patching the stop_machine state machine, so implement a
|
|
* really simple polling protocol here.
|
|
*/
|
|
static int __apply_alternatives_multi_stop(void *unused)
|
|
{
|
|
struct alt_region region = {
|
|
.begin = (struct alt_instr *)__alt_instructions,
|
|
.end = (struct alt_instr *)__alt_instructions_end,
|
|
};
|
|
|
|
/* We always have a CPU 0 at this point (__init) */
|
|
if (smp_processor_id()) {
|
|
while (!all_alternatives_applied)
|
|
cpu_relax();
|
|
isb();
|
|
} else {
|
|
DECLARE_BITMAP(remaining_capabilities, ARM64_NPATCHABLE);
|
|
|
|
bitmap_complement(remaining_capabilities, boot_capabilities,
|
|
ARM64_NPATCHABLE);
|
|
|
|
BUG_ON(all_alternatives_applied);
|
|
__apply_alternatives(®ion, false, remaining_capabilities);
|
|
/* Barriers provided by the cache flushing */
|
|
all_alternatives_applied = 1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
void __init apply_alternatives_all(void)
|
|
{
|
|
/* better not try code patching on a live SMP system */
|
|
stop_machine(__apply_alternatives_multi_stop, NULL, cpu_online_mask);
|
|
}
|
|
|
|
/*
|
|
* This is called very early in the boot process (directly after we run
|
|
* a feature detect on the boot CPU). No need to worry about other CPUs
|
|
* here.
|
|
*/
|
|
void __init apply_boot_alternatives(void)
|
|
{
|
|
struct alt_region region = {
|
|
.begin = (struct alt_instr *)__alt_instructions,
|
|
.end = (struct alt_instr *)__alt_instructions_end,
|
|
};
|
|
|
|
/* If called on non-boot cpu things could go wrong */
|
|
WARN_ON(smp_processor_id() != 0);
|
|
|
|
__apply_alternatives(®ion, false, &boot_capabilities[0]);
|
|
}
|
|
|
|
#ifdef CONFIG_MODULES
|
|
void apply_alternatives_module(void *start, size_t length)
|
|
{
|
|
struct alt_region region = {
|
|
.begin = start,
|
|
.end = start + length,
|
|
};
|
|
DECLARE_BITMAP(all_capabilities, ARM64_NPATCHABLE);
|
|
|
|
bitmap_fill(all_capabilities, ARM64_NPATCHABLE);
|
|
|
|
__apply_alternatives(®ion, true, &all_capabilities[0]);
|
|
}
|
|
#endif
|