--- /dev/null
+From 3204be4109ad681523e3461ce64454c79278450a Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Tue, 9 Jun 2020 08:40:35 +0100
+Subject: KVM: arm64: Make vcpu_cp1x() work on Big Endian hosts
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 3204be4109ad681523e3461ce64454c79278450a upstream.
+
+AArch32 CP1x registers are overlayed on their AArch64 counterparts
+in the vcpu struct. This leads to an interesting problem as they
+are stored in their CPU-local format, and thus a CP1x register
+doesn't "hit" the lower 32bit portion of the AArch64 register on
+a BE host.
+
+To workaround this unfortunate situation, introduce a bias trick
+in the vcpu_cp1x() accessors which picks the correct half of the
+64bit register.
+
+Cc: stable@vger.kernel.org
+Reported-by: James Morse <james.morse@arm.com>
+Tested-by: James Morse <james.morse@arm.com>
+Acked-by: James Morse <james.morse@arm.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/kvm_host.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_host.h
++++ b/arch/arm64/include/asm/kvm_host.h
+@@ -335,8 +335,10 @@ void vcpu_write_sys_reg(struct kvm_vcpu
+ * CP14 and CP15 live in the same array, as they are backed by the
+ * same system registers.
+ */
+-#define vcpu_cp14(v,r) ((v)->arch.ctxt.copro[(r)])
+-#define vcpu_cp15(v,r) ((v)->arch.ctxt.copro[(r)])
++#define CPx_BIAS IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)
++
++#define vcpu_cp14(v,r) ((v)->arch.ctxt.copro[(r) ^ CPx_BIAS])
++#define vcpu_cp15(v,r) ((v)->arch.ctxt.copro[(r) ^ CPx_BIAS])
+
+ struct kvm_vm_stat {
+ ulong remote_tlb_flush;
--- /dev/null
+From fe2b73dba47fb6d6922df1ad44e83b1754d5ed4d Mon Sep 17 00:00:00 2001
+From: Xing Li <lixing@loongson.cn>
+Date: Sat, 23 May 2020 15:56:28 +0800
+Subject: KVM: MIPS: Define KVM_ENTRYHI_ASID to cpu_asid_mask(&boot_cpu_data)
+
+From: Xing Li <lixing@loongson.cn>
+
+commit fe2b73dba47fb6d6922df1ad44e83b1754d5ed4d upstream.
+
+The code in decode_config4() of arch/mips/kernel/cpu-probe.c
+
+ asid_mask = MIPS_ENTRYHI_ASID;
+ if (config4 & MIPS_CONF4_AE)
+ asid_mask |= MIPS_ENTRYHI_ASIDX;
+ set_cpu_asid_mask(c, asid_mask);
+
+set asid_mask to cpuinfo->asid_mask.
+
+So in order to support variable ASID_MASK, KVM_ENTRYHI_ASID should also
+be changed to cpu_asid_mask(&boot_cpu_data).
+
+Cc: Stable <stable@vger.kernel.org> #4.9+
+Reviewed-by: Aleksandar Markovic <aleksandar.qemu.devel@gmail.com>
+Signed-off-by: Xing Li <lixing@loongson.cn>
+[Huacai: Change current_cpu_data to boot_cpu_data for optimization]
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Message-Id: <1590220602-3547-2-git-send-email-chenhc@lemote.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/kvm_host.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/kvm_host.h
++++ b/arch/mips/include/asm/kvm_host.h
+@@ -275,7 +275,7 @@ enum emulation_result {
+ #define MIPS3_PG_FRAME 0x3fffffc0
+
+ #define VPN2_MASK 0xffffe000
+-#define KVM_ENTRYHI_ASID MIPS_ENTRYHI_ASID
++#define KVM_ENTRYHI_ASID cpu_asid_mask(&boot_cpu_data)
+ #define TLB_IS_GLOBAL(x) ((x).tlb_lo[0] & (x).tlb_lo[1] & ENTRYLO_G)
+ #define TLB_VPN2(x) ((x).tlb_hi & VPN2_MASK)
+ #define TLB_ASID(x) ((x).tlb_hi & KVM_ENTRYHI_ASID)
--- /dev/null
+From 5816c76dea116a458f1932eefe064e35403248eb Mon Sep 17 00:00:00 2001
+From: Xing Li <lixing@loongson.cn>
+Date: Sat, 23 May 2020 15:56:29 +0800
+Subject: KVM: MIPS: Fix VPN2_MASK definition for variable cpu_vmbits
+
+From: Xing Li <lixing@loongson.cn>
+
+commit 5816c76dea116a458f1932eefe064e35403248eb upstream.
+
+If a CPU support more than 32bit vmbits (which is true for 64bit CPUs),
+VPN2_MASK set to fixed 0xffffe000 will lead to a wrong EntryHi in some
+functions such as _kvm_mips_host_tlb_inv().
+
+The cpu_vmbits definition of 32bit CPU in cpu-features.h is 31, so we
+still use the old definition.
+
+Cc: Stable <stable@vger.kernel.org>
+Reviewed-by: Aleksandar Markovic <aleksandar.qemu.devel@gmail.com>
+Signed-off-by: Xing Li <lixing@loongson.cn>
+[Huacai: Improve commit messages]
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Message-Id: <1590220602-3547-3-git-send-email-chenhc@lemote.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/kvm_host.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/mips/include/asm/kvm_host.h
++++ b/arch/mips/include/asm/kvm_host.h
+@@ -274,7 +274,11 @@ enum emulation_result {
+ #define MIPS3_PG_SHIFT 6
+ #define MIPS3_PG_FRAME 0x3fffffc0
+
++#if defined(CONFIG_64BIT)
++#define VPN2_MASK GENMASK(cpu_vmbits - 1, 13)
++#else
+ #define VPN2_MASK 0xffffe000
++#endif
+ #define KVM_ENTRYHI_ASID cpu_asid_mask(&boot_cpu_data)
+ #define TLB_IS_GLOBAL(x) ((x).tlb_lo[0] & (x).tlb_lo[1] & ENTRYLO_G)
+ #define TLB_VPN2(x) ((x).tlb_hi & VPN2_MASK)
--- /dev/null
+From a3535be731c2a343912578465021f50937f7b099 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Sat, 16 May 2020 09:19:06 -0400
+Subject: KVM: nSVM: fix condition for filtering async PF
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit a3535be731c2a343912578465021f50937f7b099 upstream.
+
+Async page faults have to be trapped in the host (L1 in this case),
+since the APF reason was passed from L0 to L1 and stored in the L1 APF
+data page. This was completely reversed: the page faults were passed
+to the guest, a L2 hypervisor.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/svm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3229,8 +3229,8 @@ static int nested_svm_exit_special(struc
+ return NESTED_EXIT_HOST;
+ break;
+ case SVM_EXIT_EXCP_BASE + PF_VECTOR:
+- /* When we're shadowing, trap PFs, but not async PF */
+- if (!npt_enabled && svm->vcpu.arch.apf.host_apf_reason == 0)
++ /* Trap async PF even if not shadowing */
++ if (!npt_enabled || svm->vcpu.arch.apf.host_apf_reason)
+ return NESTED_EXIT_HOST;
+ break;
+ default:
--- /dev/null
+From 6c0238c4a62b3a0b1201aeb7e33a4636d552a436 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 20 May 2020 08:02:17 -0400
+Subject: KVM: nSVM: leave ASID aside in copy_vmcb_control_area
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 6c0238c4a62b3a0b1201aeb7e33a4636d552a436 upstream.
+
+Restoring the ASID from the hsave area on VMEXIT is wrong, because its
+value depends on the handling of TLB flushes. Just skipping the field in
+copy_vmcb_control_area will do.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/svm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3319,7 +3319,7 @@ static inline void copy_vmcb_control_are
+ dst->iopm_base_pa = from->iopm_base_pa;
+ dst->msrpm_base_pa = from->msrpm_base_pa;
+ dst->tsc_offset = from->tsc_offset;
+- dst->asid = from->asid;
++ /* asid not copied, it is handled manually for svm->vmcb. */
+ dst->tlb_ctl = from->tlb_ctl;
+ dst->int_ctl = from->int_ctl;
+ dst->int_vector = from->int_vector;
--- /dev/null
+From 2ebac8bb3c2d35f5135466490fc8eeaf3f3e2d37 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Thu, 27 Feb 2020 09:44:30 -0800
+Subject: KVM: nVMX: Consult only the "basic" exit reason when routing nested exit
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 2ebac8bb3c2d35f5135466490fc8eeaf3f3e2d37 upstream.
+
+Consult only the basic exit reason, i.e. bits 15:0 of vmcs.EXIT_REASON,
+when determining whether a nested VM-Exit should be reflected into L1 or
+handled by KVM in L0.
+
+For better or worse, the switch statement in nested_vmx_exit_reflected()
+currently defaults to "true", i.e. reflects any nested VM-Exit without
+dedicated logic. Because the case statements only contain the basic
+exit reason, any VM-Exit with modifier bits set will be reflected to L1,
+even if KVM intended to handle it in L0.
+
+Practically speaking, this only affects EXIT_REASON_MCE_DURING_VMENTRY,
+i.e. a #MC that occurs on nested VM-Enter would be incorrectly routed to
+L1, as "failed VM-Entry" is the only modifier that KVM can currently
+encounter. The SMM modifiers will never be generated as KVM doesn't
+support/employ a SMI Transfer Monitor. Ditto for "exit from enclave",
+as KVM doesn't yet support virtualizing SGX, i.e. it's impossible to
+enter an enclave in a KVM guest (L1 or L2).
+
+Fixes: 644d711aa0e1 ("KVM: nVMX: Deciding if L0 or L1 should handle an L2 exit")
+Cc: Jim Mattson <jmattson@google.com>
+Cc: Xiaoyao Li <xiaoyao.li@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Message-Id: <20200227174430.26371-1-sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -9683,7 +9683,7 @@ static bool nested_vmx_exit_reflected(st
+ vmcs_read32(VM_EXIT_INTR_ERROR_CODE),
+ KVM_ISA_VMX);
+
+- switch (exit_reason) {
++ switch ((u16)exit_reason) {
+ case EXIT_REASON_EXCEPTION_NMI:
+ if (is_nmi(intr_info))
+ return false;
--- /dev/null
+From 6fd8525a70221c26823b1c7e912fb21f218fb0c5 Mon Sep 17 00:00:00 2001
+From: Sumit Saxena <sumit.saxena@broadcom.com>
+Date: Fri, 8 May 2020 14:22:42 +0530
+Subject: scsi: megaraid_sas: TM command refire leads to controller firmware crash
+
+From: Sumit Saxena <sumit.saxena@broadcom.com>
+
+commit 6fd8525a70221c26823b1c7e912fb21f218fb0c5 upstream.
+
+When TM command times out, driver invokes the controller reset. Post reset,
+driver re-fires pended TM commands which leads to firmware crash.
+
+Post controller reset, return pended TM commands back to OS.
+
+Link: https://lore.kernel.org/r/20200508085242.23406-1-chandrakanth.patil@broadcom.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Sumit Saxena <sumit.saxena@broadcom.com>
+Signed-off-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/megaraid/megaraid_sas_fusion.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+@@ -3940,6 +3940,7 @@ void megasas_refire_mgmt_cmd(struct mega
+ struct fusion_context *fusion;
+ struct megasas_cmd *cmd_mfi;
+ union MEGASAS_REQUEST_DESCRIPTOR_UNION *req_desc;
++ struct MPI2_RAID_SCSI_IO_REQUEST *scsi_io_req;
+ u16 smid;
+ bool refire_cmd = 0;
+ u8 result;
+@@ -3990,6 +3991,11 @@ void megasas_refire_mgmt_cmd(struct mega
+ break;
+ }
+
++ scsi_io_req = (struct MPI2_RAID_SCSI_IO_REQUEST *)
++ cmd_fusion->io_request;
++ if (scsi_io_req->Function == MPI2_FUNCTION_SCSI_TASK_MGMT)
++ result = RETURN_CMD;
++
+ switch (result) {
+ case REFIRE_CMD:
+ megasas_fire_cmd_fusion(instance, req_desc);
+@@ -4187,7 +4193,6 @@ megasas_issue_tm(struct megasas_instance
+ if (!timeleft) {
+ dev_err(&instance->pdev->dev,
+ "task mgmt type 0x%x timed out\n", type);
+- cmd_mfi->flags |= DRV_DCMD_SKIP_REFIRE;
+ mutex_unlock(&instance->reset_mutex);
+ rc = megasas_reset_fusion(instance->host, MFI_IO_TIMEOUT_OCR);
+ mutex_lock(&instance->reset_mutex);
selftests-net-in-rxtimestamp-getopt_long-needs-terminating-null-entry.patch
ovl-initialize-error-in-ovl_copy_xattr.patch
proc-use-new_inode-not-new_inode_pseudo.patch
+video-fbdev-w100fb-fix-a-potential-double-free.patch
+kvm-nsvm-fix-condition-for-filtering-async-pf.patch
+kvm-nsvm-leave-asid-aside-in-copy_vmcb_control_area.patch
+kvm-nvmx-consult-only-the-basic-exit-reason-when-routing-nested-exit.patch
+kvm-mips-define-kvm_entryhi_asid-to-cpu_asid_mask-boot_cpu_data.patch
+kvm-mips-fix-vpn2_mask-definition-for-variable-cpu_vmbits.patch
+kvm-arm64-make-vcpu_cp1x-work-on-big-endian-hosts.patch
+scsi-megaraid_sas-tm-command-refire-leads-to-controller-firmware-crash.patch
--- /dev/null
+From 18722d48a6bb9c2e8d046214c0a5fd19d0a7c9f6 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Wed, 6 May 2020 20:19:02 +0200
+Subject: video: fbdev: w100fb: Fix a potential double free.
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 18722d48a6bb9c2e8d046214c0a5fd19d0a7c9f6 upstream.
+
+Some memory is vmalloc'ed in the 'w100fb_save_vidmem' function and freed in
+the 'w100fb_restore_vidmem' function. (these functions are called
+respectively from the 'suspend' and the 'resume' functions)
+
+However, it is also freed in the 'remove' function.
+
+In order to avoid a potential double free, set the corresponding pointer
+to NULL once freed in the 'w100fb_restore_vidmem' function.
+
+Fixes: aac51f09d96a ("[PATCH] w100fb: Rewrite for platform independence")
+Cc: Richard Purdie <rpurdie@rpsys.net>
+Cc: Antonino Daplas <adaplas@pol.net>
+Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Cc: <stable@vger.kernel.org> # v2.6.14+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200506181902.193290-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/w100fb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/video/fbdev/w100fb.c
++++ b/drivers/video/fbdev/w100fb.c
+@@ -583,6 +583,7 @@ static void w100fb_restore_vidmem(struct
+ memsize=par->mach->mem->size;
+ memcpy_toio(remapped_fbuf + (W100_FB_BASE-MEM_WINDOW_BASE), par->saved_extmem, memsize);
+ vfree(par->saved_extmem);
++ par->saved_extmem = NULL;
+ }
+ if (par->saved_intmem) {
+ memsize=MEM_INT_SIZE;
+@@ -591,6 +592,7 @@ static void w100fb_restore_vidmem(struct
+ else
+ memcpy_toio(remapped_fbuf + (W100_FB_BASE-MEM_WINDOW_BASE), par->saved_intmem, memsize);
+ vfree(par->saved_intmem);
++ par->saved_intmem = NULL;
+ }
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
