--- /dev/null
+From d001e41e1b15716e9b759df5ef00510699f85282 Mon Sep 17 00:00:00 2001
+From: Chen Baozi <chenbaozi@phytium.com.cn>
+Date: Tue, 17 Nov 2020 11:20:15 +0800
+Subject: irqchip/exiu: Fix the index of fwspec for IRQ type
+
+From: Chen Baozi <chenbaozi@phytium.com.cn>
+
+commit d001e41e1b15716e9b759df5ef00510699f85282 upstream.
+
+Since fwspec->param_count of ACPI node is two, the index of IRQ type
+in fwspec->param[] should be 1 rather than 2.
+
+Fixes: 3d090a36c8c8 ("irqchip/exiu: Implement ACPI support")
+Signed-off-by: Chen Baozi <chenbaozi@phytium.com.cn>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Link: https://lore.kernel.org/r/20201117032015.11805-1-cbz@baozis.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-sni-exiu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-sni-exiu.c
++++ b/drivers/irqchip/irq-sni-exiu.c
+@@ -136,7 +136,7 @@ static int exiu_domain_translate(struct
+ if (fwspec->param_count != 2)
+ return -EINVAL;
+ *hwirq = fwspec->param[0];
+- *type = fwspec->param[2] & IRQ_TYPE_SENSE_MASK;
++ *type = fwspec->param[1] & IRQ_TYPE_SENSE_MASK;
+ }
+ return 0;
+ }
perf-stat-use-proper-cpu-for-shadow-stats.patch
perf-probe-fix-to-die_entrypc-returns-error-correctl.patch
spi-bcm2835aux-restore-err-assignment-in-bcm2835aux_spi_probe.patch
+usb-core-change-pk-for-__user-pointers-to-px.patch
+usb-gadget-f_midi-fix-memleak-in-f_midi_alloc.patch
+usb-quirks-add-usb_quirk_disconnect_suspend-quirk-for-lenovo-a630z-tio-built-in-usb-audio-card.patch
+usb-gadget-fix-memleak-in-gadgetfs_fill_super.patch
+irqchip-exiu-fix-the-index-of-fwspec-for-irq-type.patch
+x86-mce-do-not-overwrite-no_way_out-if-mce_end-fails.patch
+x86-speculation-fix-prctl-when-spectre_v2_user-seccomp-prctl-ibpb.patch
+x86-resctrl-remove-superfluous-kernfs_get-calls-to-prevent-refcount-leak.patch
+x86-resctrl-add-necessary-kernfs_put-calls-to-prevent-refcount-leak.patch
--- /dev/null
+From f3bc432aa8a7a2bfe9ebb432502be5c5d979d7fe Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Thu, 19 Nov 2020 12:02:28 -0500
+Subject: USB: core: Change %pK for __user pointers to %px
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit f3bc432aa8a7a2bfe9ebb432502be5c5d979d7fe upstream.
+
+Commit 2f964780c03b ("USB: core: replace %p with %pK") used the %pK
+format specifier for a bunch of __user pointers. But as the 'K' in
+the specifier indicates, it is meant for kernel pointers. The reason
+for the %pK specifier is to avoid leaks of kernel addresses, but when
+the pointer is to an address in userspace the security implications
+are minimal. In particular, no kernel information is leaked.
+
+This patch changes the __user %pK specifiers (used in a bunch of
+debugging output lines) to %px, which will always print the actual
+address with no mangling. (Notably, there is no printk format
+specifier particularly intended for __user pointers.)
+
+Fixes: 2f964780c03b ("USB: core: replace %p with %pK")
+CC: Vamsi Krishna Samavedam <vskrishn@codeaurora.org>
+CC: <stable@vger.kernel.org>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20201119170228.GB576844@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -482,11 +482,11 @@ static void snoop_urb(struct usb_device
+
+ if (userurb) { /* Async */
+ if (when == SUBMIT)
+- dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, "
++ dev_info(&udev->dev, "userurb %px, ep%d %s-%s, "
+ "length %u\n",
+ userurb, ep, t, d, length);
+ else
+- dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, "
++ dev_info(&udev->dev, "userurb %px, ep%d %s-%s, "
+ "actual_length %u status %d\n",
+ userurb, ep, t, d, length,
+ timeout_or_status);
+@@ -1992,7 +1992,7 @@ static int proc_reapurb(struct usb_dev_s
+ if (as) {
+ int retval;
+
+- snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
++ snoop(&ps->dev->dev, "reap %px\n", as->userurb);
+ retval = processcompl(as, (void __user * __user *)arg);
+ free_async(as);
+ return retval;
+@@ -2009,7 +2009,7 @@ static int proc_reapurbnonblock(struct u
+
+ as = async_getcompleted(ps);
+ if (as) {
+- snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
++ snoop(&ps->dev->dev, "reap %px\n", as->userurb);
+ retval = processcompl(as, (void __user * __user *)arg);
+ free_async(as);
+ } else {
+@@ -2139,7 +2139,7 @@ static int proc_reapurb_compat(struct us
+ if (as) {
+ int retval;
+
+- snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
++ snoop(&ps->dev->dev, "reap %px\n", as->userurb);
+ retval = processcompl_compat(as, (void __user * __user *)arg);
+ free_async(as);
+ return retval;
+@@ -2156,7 +2156,7 @@ static int proc_reapurbnonblock_compat(s
+
+ as = async_getcompleted(ps);
+ if (as) {
+- snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
++ snoop(&ps->dev->dev, "reap %px\n", as->userurb);
+ retval = processcompl_compat(as, (void __user * __user *)arg);
+ free_async(as);
+ } else {
+@@ -2621,7 +2621,7 @@ static long usbdev_do_ioctl(struct file
+ #endif
+
+ case USBDEVFS_DISCARDURB:
+- snoop(&dev->dev, "%s: DISCARDURB %pK\n", __func__, p);
++ snoop(&dev->dev, "%s: DISCARDURB %px\n", __func__, p);
+ ret = proc_unlinkurb(ps, p);
+ break;
+
--- /dev/null
+From e7694cb6998379341fd9bf3bd62b48c4e6a79385 Mon Sep 17 00:00:00 2001
+From: Zhang Qilong <zhangqilong3@huawei.com>
+Date: Tue, 17 Nov 2020 10:16:28 +0800
+Subject: usb: gadget: f_midi: Fix memleak in f_midi_alloc
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+commit e7694cb6998379341fd9bf3bd62b48c4e6a79385 upstream.
+
+In the error path, if midi is not null, we should
+free the midi->id if necessary to prevent memleak.
+
+Fixes: b85e9de9e818d ("usb: gadget: f_midi: convert to new function interface with backward compatibility")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Link: https://lore.kernel.org/r/20201117021629.1470544-2-zhangqilong3@huawei.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_midi.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_midi.c
++++ b/drivers/usb/gadget/function/f_midi.c
+@@ -1315,7 +1315,7 @@ static struct usb_function *f_midi_alloc
+ midi->id = kstrdup(opts->id, GFP_KERNEL);
+ if (opts->id && !midi->id) {
+ status = -ENOMEM;
+- goto setup_fail;
++ goto midi_free;
+ }
+ midi->in_ports = opts->in_ports;
+ midi->out_ports = opts->out_ports;
+@@ -1327,7 +1327,7 @@ static struct usb_function *f_midi_alloc
+
+ status = kfifo_alloc(&midi->in_req_fifo, midi->qlen, GFP_KERNEL);
+ if (status)
+- goto setup_fail;
++ goto midi_free;
+
+ spin_lock_init(&midi->transmit_lock);
+
+@@ -1343,9 +1343,13 @@ static struct usb_function *f_midi_alloc
+
+ return &midi->func;
+
++midi_free:
++ if (midi)
++ kfree(midi->id);
++ kfree(midi);
+ setup_fail:
+ mutex_unlock(&opts->lock);
+- kfree(midi);
++
+ return ERR_PTR(status);
+ }
+
--- /dev/null
+From 87bed3d7d26c974948a3d6e7176f304b2d41272b Mon Sep 17 00:00:00 2001
+From: Zhang Qilong <zhangqilong3@huawei.com>
+Date: Tue, 17 Nov 2020 10:16:29 +0800
+Subject: usb: gadget: Fix memleak in gadgetfs_fill_super
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+commit 87bed3d7d26c974948a3d6e7176f304b2d41272b upstream.
+
+usb_get_gadget_udc_name will alloc memory for CHIP
+in "Enomem" branch. we should free it before error
+returns to prevent memleak.
+
+Fixes: 175f712119c57 ("usb: gadget: provide interface for legacy gadgets to get UDC name")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Link: https://lore.kernel.org/r/20201117021629.1470544-3-zhangqilong3@huawei.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/legacy/inode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -2040,6 +2040,9 @@ gadgetfs_fill_super (struct super_block
+ return 0;
+
+ Enomem:
++ kfree(CHIP);
++ CHIP = NULL;
++
+ return -ENOMEM;
+ }
+
--- /dev/null
+From 9ca57518361418ad5ae7dc38a2128fbf4855e1a2 Mon Sep 17 00:00:00 2001
+From: penghao <penghao@uniontech.com>
+Date: Wed, 18 Nov 2020 20:30:39 +0800
+Subject: USB: quirks: Add USB_QUIRK_DISCONNECT_SUSPEND quirk for Lenovo A630Z TIO built-in usb-audio card
+
+From: penghao <penghao@uniontech.com>
+
+commit 9ca57518361418ad5ae7dc38a2128fbf4855e1a2 upstream.
+
+Add a USB_QUIRK_DISCONNECT_SUSPEND quirk for the Lenovo TIO built-in
+usb-audio. when A630Z going into S3,the system immediately wakeup 7-8
+seconds later by usb-audio disconnect interrupt to avoids the issue.
+eg dmesg:
+....
+[ 626.974091 ] usb 7-1.1: USB disconnect, device number 3
+....
+....
+[ 1774.486691] usb 7-1.1: new full-speed USB device number 5 using xhci_hcd
+[ 1774.947742] usb 7-1.1: New USB device found, idVendor=17ef, idProduct=a012, bcdDevice= 0.55
+[ 1774.956588] usb 7-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+[ 1774.964339] usb 7-1.1: Product: Thinkcentre TIO24Gen3 for USB-audio
+[ 1774.970999] usb 7-1.1: Manufacturer: Lenovo
+[ 1774.975447] usb 7-1.1: SerialNumber: 000000000000
+[ 1775.048590] usb 7-1.1: 2:1: cannot get freq at ep 0x1
+.......
+Seeking a better fix, we've tried a lot of things, including:
+ - Check that the device's power/wakeup is disabled
+ - Check that remote wakeup is off at the USB level
+ - All the quirks in drivers/usb/core/quirks.c
+ e.g. USB_QUIRK_RESET_RESUME,
+ USB_QUIRK_RESET,
+ USB_QUIRK_IGNORE_REMOTE_WAKEUP,
+ USB_QUIRK_NO_LPM.
+
+but none of that makes any difference.
+
+There are no errors in the logs showing any suspend/resume-related issues.
+When the system wakes up due to the modem, log-wise it appears to be a
+normal resume.
+
+Introduce a quirk to disable the port during suspend when the modem is
+detected.
+
+Signed-off-by: penghao <penghao@uniontech.com>
+Link: https://lore.kernel.org/r/20201118123039.11696-1-penghao@uniontech.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -421,6 +421,10 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x1532, 0x0116), .driver_info =
+ USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
+
++ /* Lenovo ThinkCenter A630Z TI024Gen3 usb-audio */
++ { USB_DEVICE(0x17ef, 0xa012), .driver_info =
++ USB_QUIRK_DISCONNECT_SUSPEND },
++
+ /* BUILDWIN Photo Frame */
+ { USB_DEVICE(0x1908, 0x1315), .driver_info =
+ USB_QUIRK_HONOR_BNUMINTERFACES },
--- /dev/null
+From 25bc65d8ddfc17cc1d7a45bd48e9bdc0e729ced3 Mon Sep 17 00:00:00 2001
+From: Gabriele Paoloni <gabriele.paoloni@intel.com>
+Date: Fri, 27 Nov 2020 16:18:15 +0000
+Subject: x86/mce: Do not overwrite no_way_out if mce_end() fails
+
+From: Gabriele Paoloni <gabriele.paoloni@intel.com>
+
+commit 25bc65d8ddfc17cc1d7a45bd48e9bdc0e729ced3 upstream.
+
+Currently, if mce_end() fails, no_way_out - the variable denoting
+whether the machine can recover from this MCE - is determined by whether
+the worst severity that was found across the MCA banks associated with
+the current CPU, is of panic severity.
+
+However, at this point no_way_out could have been already set by
+mca_start() after looking at all severities of all CPUs that entered the
+MCE handler. If mce_end() fails, check first if no_way_out is already
+set and, if so, stick to it, otherwise use the local worst value.
+
+ [ bp: Massage. ]
+
+Signed-off-by: Gabriele Paoloni <gabriele.paoloni@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20201127161819.3106432-2-gabriele.paoloni@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mce/core.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mce/core.c
++++ b/arch/x86/kernel/cpu/mce/core.c
+@@ -1361,8 +1361,10 @@ void do_machine_check(struct pt_regs *re
+ * When there's any problem use only local no_way_out state.
+ */
+ if (!lmce) {
+- if (mce_end(order) < 0)
+- no_way_out = worst >= MCE_PANIC_SEVERITY;
++ if (mce_end(order) < 0) {
++ if (!no_way_out)
++ no_way_out = worst >= MCE_PANIC_SEVERITY;
++ }
+ } else {
+ /*
+ * If there was a fatal machine check we should have
--- /dev/null
+From 758999246965eeb8b253d47e72f7bfe508804b16 Mon Sep 17 00:00:00 2001
+From: Xiaochen Shen <xiaochen.shen@intel.com>
+Date: Sat, 31 Oct 2020 03:11:28 +0800
+Subject: x86/resctrl: Add necessary kernfs_put() calls to prevent refcount leak
+
+From: Xiaochen Shen <xiaochen.shen@intel.com>
+
+commit 758999246965eeb8b253d47e72f7bfe508804b16 upstream.
+
+On resource group creation via a mkdir an extra kernfs_node reference is
+obtained by kernfs_get() to ensure that the rdtgroup structure remains
+accessible for the rdtgroup_kn_unlock() calls where it is removed on
+deletion. Currently the extra kernfs_node reference count is only
+dropped by kernfs_put() in rdtgroup_kn_unlock() while the rdtgroup
+structure is removed in a few other locations that lack the matching
+reference drop.
+
+In call paths of rmdir and umount, when a control group is removed,
+kernfs_remove() is called to remove the whole kernfs nodes tree of the
+control group (including the kernfs nodes trees of all child monitoring
+groups), and then rdtgroup structure is freed by kfree(). The rdtgroup
+structures of all child monitoring groups under the control group are
+freed by kfree() in free_all_child_rdtgrp().
+
+Before calling kfree() to free the rdtgroup structures, the kernfs node
+of the control group itself as well as the kernfs nodes of all child
+monitoring groups still take the extra references which will never be
+dropped to 0 and the kernfs nodes will never be freed. It leads to
+reference count leak and kernfs_node_cache memory leak.
+
+For example, reference count leak is observed in these two cases:
+ (1) mount -t resctrl resctrl /sys/fs/resctrl
+ mkdir /sys/fs/resctrl/c1
+ mkdir /sys/fs/resctrl/c1/mon_groups/m1
+ umount /sys/fs/resctrl
+
+ (2) mkdir /sys/fs/resctrl/c1
+ mkdir /sys/fs/resctrl/c1/mon_groups/m1
+ rmdir /sys/fs/resctrl/c1
+
+The same reference count leak issue also exists in the error exit paths
+of mkdir in mkdir_rdt_prepare() and rdtgroup_mkdir_ctrl_mon().
+
+Fix this issue by following changes to make sure the extra kernfs_node
+reference on rdtgroup is dropped before freeing the rdtgroup structure.
+ (1) Introduce rdtgroup removal helper rdtgroup_remove() to wrap up
+ kernfs_put() and kfree().
+
+ (2) Call rdtgroup_remove() in rdtgroup removal path where the rdtgroup
+ structure is about to be freed by kfree().
+
+ (3) Call rdtgroup_remove() or kernfs_put() as appropriate in the error
+ exit paths of mkdir where an extra reference is taken by kernfs_get().
+
+Fixes: f3cbeacaa06e ("x86/intel_rdt/cqm: Add rmdir support")
+Fixes: e02737d5b826 ("x86/intel_rdt: Add tasks files")
+Fixes: 60cf5e101fd4 ("x86/intel_rdt: Add mkdir to resctrl file system")
+Reported-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Xiaochen Shen <xiaochen.shen@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Reinette Chatre <reinette.chatre@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1604085088-31707-1-git-send-email-xiaochen.shen@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/resctrl/rdtgroup.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c
++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c
+@@ -507,6 +507,24 @@ unlock:
+ return ret ?: nbytes;
+ }
+
++/**
++ * rdtgroup_remove - the helper to remove resource group safely
++ * @rdtgrp: resource group to remove
++ *
++ * On resource group creation via a mkdir, an extra kernfs_node reference is
++ * taken to ensure that the rdtgroup structure remains accessible for the
++ * rdtgroup_kn_unlock() calls where it is removed.
++ *
++ * Drop the extra reference here, then free the rdtgroup structure.
++ *
++ * Return: void
++ */
++static void rdtgroup_remove(struct rdtgroup *rdtgrp)
++{
++ kernfs_put(rdtgrp->kn);
++ kfree(rdtgrp);
++}
++
+ struct task_move_callback {
+ struct callback_head work;
+ struct rdtgroup *rdtgrp;
+@@ -529,7 +547,7 @@ static void move_myself(struct callback_
+ (rdtgrp->flags & RDT_DELETED)) {
+ current->closid = 0;
+ current->rmid = 0;
+- kfree(rdtgrp);
++ rdtgroup_remove(rdtgrp);
+ }
+
+ preempt_disable();
+@@ -1914,8 +1932,7 @@ void rdtgroup_kn_unlock(struct kernfs_no
+ rdtgrp->mode == RDT_MODE_PSEUDO_LOCKED)
+ rdtgroup_pseudo_lock_remove(rdtgrp);
+ kernfs_unbreak_active_protection(kn);
+- kernfs_put(rdtgrp->kn);
+- kfree(rdtgrp);
++ rdtgroup_remove(rdtgrp);
+ } else {
+ kernfs_unbreak_active_protection(kn);
+ }
+@@ -2207,7 +2224,7 @@ static void free_all_child_rdtgrp(struct
+ if (atomic_read(&sentry->waitcount) != 0)
+ sentry->flags = RDT_DELETED;
+ else
+- kfree(sentry);
++ rdtgroup_remove(sentry);
+ }
+ }
+
+@@ -2249,7 +2266,7 @@ static void rmdir_all_sub(void)
+ if (atomic_read(&rdtgrp->waitcount) != 0)
+ rdtgrp->flags = RDT_DELETED;
+ else
+- kfree(rdtgrp);
++ rdtgroup_remove(rdtgrp);
+ }
+ /* Notify online CPUs to update per cpu storage and PQR_ASSOC MSR */
+ update_closid_rmid(cpu_online_mask, &rdtgroup_default);
+@@ -2685,7 +2702,7 @@ static int mkdir_rdt_prepare(struct kern
+ * kernfs_remove() will drop the reference count on "kn" which
+ * will free it. But we still need it to stick around for the
+ * rdtgroup_kn_unlock(kn) call. Take one extra reference here,
+- * which will be dropped inside rdtgroup_kn_unlock().
++ * which will be dropped by kernfs_put() in rdtgroup_remove().
+ */
+ kernfs_get(kn);
+
+@@ -2726,6 +2743,7 @@ static int mkdir_rdt_prepare(struct kern
+ out_idfree:
+ free_rmid(rdtgrp->mon.rmid);
+ out_destroy:
++ kernfs_put(rdtgrp->kn);
+ kernfs_remove(rdtgrp->kn);
+ out_free_rgrp:
+ kfree(rdtgrp);
+@@ -2738,7 +2756,7 @@ static void mkdir_rdt_prepare_clean(stru
+ {
+ kernfs_remove(rgrp->kn);
+ free_rmid(rgrp->mon.rmid);
+- kfree(rgrp);
++ rdtgroup_remove(rgrp);
+ }
+
+ /*
--- /dev/null
+From fd8d9db3559a29fd737bcdb7c4fcbe1940caae34 Mon Sep 17 00:00:00 2001
+From: Xiaochen Shen <xiaochen.shen@intel.com>
+Date: Sat, 31 Oct 2020 03:10:53 +0800
+Subject: x86/resctrl: Remove superfluous kernfs_get() calls to prevent refcount leak
+
+From: Xiaochen Shen <xiaochen.shen@intel.com>
+
+commit fd8d9db3559a29fd737bcdb7c4fcbe1940caae34 upstream.
+
+Willem reported growing of kernfs_node_cache entries in slabtop when
+repeatedly creating and removing resctrl subdirectories as well as when
+repeatedly mounting and unmounting the resctrl filesystem.
+
+On resource group (control as well as monitoring) creation via a mkdir
+an extra kernfs_node reference is obtained to ensure that the rdtgroup
+structure remains accessible for the rdtgroup_kn_unlock() calls where it
+is removed on deletion. The kernfs_node reference count is dropped by
+kernfs_put() in rdtgroup_kn_unlock().
+
+With the above explaining the need for one kernfs_get()/kernfs_put()
+pair in resctrl there are more places where a kernfs_node reference is
+obtained without a corresponding release. The excessive amount of
+reference count on kernfs nodes will never be dropped to 0 and the
+kernfs nodes will never be freed in the call paths of rmdir and umount.
+It leads to reference count leak and kernfs_node_cache memory leak.
+
+Remove the superfluous kernfs_get() calls and expand the existing
+comments surrounding the remaining kernfs_get()/kernfs_put() pair that
+remains in use.
+
+Superfluous kernfs_get() calls are removed from two areas:
+
+ (1) In call paths of mount and mkdir, when kernfs nodes for "info",
+ "mon_groups" and "mon_data" directories and sub-directories are
+ created, the reference count of newly created kernfs node is set to 1.
+ But after kernfs_create_dir() returns, superfluous kernfs_get() are
+ called to take an additional reference.
+
+ (2) kernfs_get() calls in rmdir call paths.
+
+Fixes: 17eafd076291 ("x86/intel_rdt: Split resource group removal in two")
+Fixes: 4af4a88e0c92 ("x86/intel_rdt/cqm: Add mount,umount support")
+Fixes: f3cbeacaa06e ("x86/intel_rdt/cqm: Add rmdir support")
+Fixes: d89b7379015f ("x86/intel_rdt/cqm: Add mon_data")
+Fixes: c7d9aac61311 ("x86/intel_rdt/cqm: Add mkdir support for RDT monitoring")
+Fixes: 5dc1d5c6bac2 ("x86/intel_rdt: Simplify info and base file lists")
+Fixes: 60cf5e101fd4 ("x86/intel_rdt: Add mkdir to resctrl file system")
+Fixes: 4e978d06dedb ("x86/intel_rdt: Add "info" files to resctrl file system")
+Reported-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Xiaochen Shen <xiaochen.shen@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Reinette Chatre <reinette.chatre@intel.com>
+Tested-by: Willem de Bruijn <willemb@google.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1604085053-31639-1-git-send-email-xiaochen.shen@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/resctrl/rdtgroup.c | 35 +--------------------------------
+ 1 file changed, 2 insertions(+), 33 deletions(-)
+
+--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c
++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c
+@@ -1618,7 +1618,6 @@ static int rdtgroup_mkdir_info_resdir(st
+ if (IS_ERR(kn_subdir))
+ return PTR_ERR(kn_subdir);
+
+- kernfs_get(kn_subdir);
+ ret = rdtgroup_kn_set_ugid(kn_subdir);
+ if (ret)
+ return ret;
+@@ -1641,7 +1640,6 @@ static int rdtgroup_create_info_dir(stru
+ kn_info = kernfs_create_dir(parent_kn, "info", parent_kn->mode, NULL);
+ if (IS_ERR(kn_info))
+ return PTR_ERR(kn_info);
+- kernfs_get(kn_info);
+
+ ret = rdtgroup_add_files(kn_info, RF_TOP_INFO);
+ if (ret)
+@@ -1662,12 +1660,6 @@ static int rdtgroup_create_info_dir(stru
+ goto out_destroy;
+ }
+
+- /*
+- * This extra ref will be put in kernfs_remove() and guarantees
+- * that @rdtgrp->kn is always accessible.
+- */
+- kernfs_get(kn_info);
+-
+ ret = rdtgroup_kn_set_ugid(kn_info);
+ if (ret)
+ goto out_destroy;
+@@ -1696,12 +1688,6 @@ mongroup_create_dir(struct kernfs_node *
+ if (dest_kn)
+ *dest_kn = kn;
+
+- /*
+- * This extra ref will be put in kernfs_remove() and guarantees
+- * that @rdtgrp->kn is always accessible.
+- */
+- kernfs_get(kn);
+-
+ ret = rdtgroup_kn_set_ugid(kn);
+ if (ret)
+ goto out_destroy;
+@@ -1988,13 +1974,11 @@ static int rdt_get_tree(struct fs_contex
+ &kn_mongrp);
+ if (ret < 0)
+ goto out_info;
+- kernfs_get(kn_mongrp);
+
+ ret = mkdir_mondata_all(rdtgroup_default.kn,
+ &rdtgroup_default, &kn_mondata);
+ if (ret < 0)
+ goto out_mongrp;
+- kernfs_get(kn_mondata);
+ rdtgroup_default.mon.mon_data_kn = kn_mondata;
+ }
+
+@@ -2365,11 +2349,6 @@ static int mkdir_mondata_subdir(struct k
+ if (IS_ERR(kn))
+ return PTR_ERR(kn);
+
+- /*
+- * This extra ref will be put in kernfs_remove() and guarantees
+- * that kn is always accessible.
+- */
+- kernfs_get(kn);
+ ret = rdtgroup_kn_set_ugid(kn);
+ if (ret)
+ goto out_destroy;
+@@ -2705,8 +2684,8 @@ static int mkdir_rdt_prepare(struct kern
+ /*
+ * kernfs_remove() will drop the reference count on "kn" which
+ * will free it. But we still need it to stick around for the
+- * rdtgroup_kn_unlock(kn} call below. Take one extra reference
+- * here, which will be dropped inside rdtgroup_kn_unlock().
++ * rdtgroup_kn_unlock(kn) call. Take one extra reference here,
++ * which will be dropped inside rdtgroup_kn_unlock().
+ */
+ kernfs_get(kn);
+
+@@ -2921,11 +2900,6 @@ static int rdtgroup_rmdir_mon(struct ker
+ WARN_ON(list_empty(&prdtgrp->mon.crdtgrp_list));
+ list_del(&rdtgrp->mon.crdtgrp_list);
+
+- /*
+- * one extra hold on this, will drop when we kfree(rdtgrp)
+- * in rdtgroup_kn_unlock()
+- */
+- kernfs_get(kn);
+ kernfs_remove(rdtgrp->kn);
+
+ return 0;
+@@ -2937,11 +2911,6 @@ static int rdtgroup_ctrl_remove(struct k
+ rdtgrp->flags = RDT_DELETED;
+ list_del(&rdtgrp->rdtgroup_list);
+
+- /*
+- * one extra hold on this, will drop when we kfree(rdtgrp)
+- * in rdtgroup_kn_unlock()
+- */
+- kernfs_get(kn);
+ kernfs_remove(rdtgrp->kn);
+ return 0;
+ }
--- /dev/null
+From 33fc379df76b4991e5ae312f07bcd6820811971e Mon Sep 17 00:00:00 2001
+From: Anand K Mistry <amistry@google.com>
+Date: Tue, 10 Nov 2020 12:33:53 +1100
+Subject: x86/speculation: Fix prctl() when spectre_v2_user={seccomp,prctl},ibpb
+
+From: Anand K Mistry <amistry@google.com>
+
+commit 33fc379df76b4991e5ae312f07bcd6820811971e upstream.
+
+When spectre_v2_user={seccomp,prctl},ibpb is specified on the command
+line, IBPB is force-enabled and STIPB is conditionally-enabled (or not
+available).
+
+However, since
+
+ 21998a351512 ("x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS.")
+
+the spectre_v2_user_ibpb variable is set to SPECTRE_V2_USER_{PRCTL,SECCOMP}
+instead of SPECTRE_V2_USER_STRICT, which is the actual behaviour.
+Because the issuing of IBPB relies on the switch_mm_*_ibpb static
+branches, the mitigations behave as expected.
+
+Since
+
+ 1978b3a53a74 ("x86/speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP")
+
+this discrepency caused the misreporting of IB speculation via prctl().
+
+On CPUs with STIBP always-on and spectre_v2_user=seccomp,ibpb,
+prctl(PR_GET_SPECULATION_CTRL) would return PR_SPEC_PRCTL |
+PR_SPEC_ENABLE instead of PR_SPEC_DISABLE since both IBPB and STIPB are
+always on. It also allowed prctl(PR_SET_SPECULATION_CTRL) to set the IB
+speculation mode, even though the flag is ignored.
+
+Similarly, for CPUs without SMT, prctl(PR_GET_SPECULATION_CTRL) should
+also return PR_SPEC_DISABLE since IBPB is always on and STIBP is not
+available.
+
+ [ bp: Massage commit message. ]
+
+Fixes: 21998a351512 ("x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS.")
+Fixes: 1978b3a53a74 ("x86/speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP")
+Signed-off-by: Anand K Mistry <amistry@google.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20201110123349.1.Id0cbf996d2151f4c143c90f9028651a5b49a5908@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/bugs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -733,11 +733,13 @@ spectre_v2_user_select_mitigation(enum s
+ if (boot_cpu_has(X86_FEATURE_IBPB)) {
+ setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
+
++ spectre_v2_user_ibpb = mode;
+ switch (cmd) {
+ case SPECTRE_V2_USER_CMD_FORCE:
+ case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
+ case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
+ static_branch_enable(&switch_mm_always_ibpb);
++ spectre_v2_user_ibpb = SPECTRE_V2_USER_STRICT;
+ break;
+ case SPECTRE_V2_USER_CMD_PRCTL:
+ case SPECTRE_V2_USER_CMD_AUTO:
+@@ -751,8 +753,6 @@ spectre_v2_user_select_mitigation(enum s
+ pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n",
+ static_key_enabled(&switch_mm_always_ibpb) ?
+ "always-on" : "conditional");
+-
+- spectre_v2_user_ibpb = mode;
+ }
+
+ /*
projects / thirdparty / kernel / stable-queue.git / commitdiff
