--- /dev/null
+From 94ebc035456a4ccacfbbef60c444079a256623ad Mon Sep 17 00:00:00 2001
+From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Date: Fri, 12 Nov 2021 15:27:32 -0500
+Subject: drm/amd/display: Allow DSC on supported MST branch devices
+
+From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+
+commit 94ebc035456a4ccacfbbef60c444079a256623ad upstream.
+
+[Why]
+When trying to lightup two 4k60 non-DSC displays behind a branch device
+that supports DSC we can't lightup both at once due to bandwidth
+limitations - each requires 48 VCPI slots but we only have 63.
+
+[How]
+The workaround already exists in the code but is guarded by a CONFIG
+that cannot be set by the user and shouldn't need to be.
+
+Check for specific branch device IDs to device whether to enable
+the workaround for multiple display scenarios.
+
+Reviewed-by: Hersen Wu <hersenxs.wu@amd.com>
+Acked-by: Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
+Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 20 +++++++++---
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+@@ -36,6 +36,8 @@
+ #include "dm_helpers.h"
+
+ #include "dc_link_ddc.h"
++#include "ddc_service_types.h"
++#include "dpcd_defs.h"
+
+ #include "i2caux_interface.h"
+ #if defined(CONFIG_DEBUG_FS)
+@@ -152,6 +154,16 @@ static const struct drm_connector_funcs
+ };
+
+ #if defined(CONFIG_DRM_AMD_DC_DCN)
++static bool needs_dsc_aux_workaround(struct dc_link *link)
++{
++ if (link->dpcd_caps.branch_dev_id == DP_BRANCH_DEVICE_ID_90CC24 &&
++ (link->dpcd_caps.dpcd_rev.raw == DPCD_REV_14 || link->dpcd_caps.dpcd_rev.raw == DPCD_REV_12) &&
++ link->dpcd_caps.sink_count.bits.SINK_COUNT >= 2)
++ return true;
++
++ return false;
++}
++
+ static bool validate_dsc_caps_on_connector(struct amdgpu_dm_connector *aconnector)
+ {
+ struct dc_sink *dc_sink = aconnector->dc_sink;
+@@ -159,7 +171,7 @@ static bool validate_dsc_caps_on_connect
+ u8 dsc_caps[16] = { 0 };
+
+ aconnector->dsc_aux = drm_dp_mst_dsc_aux_for_port(port);
+-#if defined(CONFIG_HP_HOOK_WORKAROUND)
++
+ /*
+ * drm_dp_mst_dsc_aux_for_port() will return NULL for certain configs
+ * because it only check the dsc/fec caps of the "port variable" and not the dock
+@@ -169,10 +181,10 @@ static bool validate_dsc_caps_on_connect
+ * Workaround: explicitly check the use case above and use the mst dock's aux as dsc_aux
+ *
+ */
+-
+- if (!aconnector->dsc_aux && !port->parent->port_parent)
++ if (!aconnector->dsc_aux && !port->parent->port_parent &&
++ needs_dsc_aux_workaround(aconnector->dc_link))
+ aconnector->dsc_aux = &aconnector->mst_port->dm_dp_aux.aux;
+-#endif
++
+ if (!aconnector->dsc_aux)
+ return false;
+
--- /dev/null
+From 8066008482e533e91934bee49765bf8b4a7c40db Mon Sep 17 00:00:00 2001
+From: James Zhu <James.Zhu@amd.com>
+Date: Tue, 7 Sep 2021 11:27:31 -0400
+Subject: drm/amdgpu: add amdgpu_amdkfd_resume_iommu
+
+From: James Zhu <James.Zhu@amd.com>
+
+commit 8066008482e533e91934bee49765bf8b4a7c40db upstream.
+
+Add amdgpu_amdkfd_resume_iommu for amdgpu.
+
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=211277
+Signed-off-by: James Zhu <James.Zhu@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 10 ++++++++++
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 1 +
+ 2 files changed, 11 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
+@@ -194,6 +194,16 @@ void amdgpu_amdkfd_suspend(struct amdgpu
+ kgd2kfd_suspend(adev->kfd.dev, run_pm);
+ }
+
++int amdgpu_amdkfd_resume_iommu(struct amdgpu_device *adev)
++{
++ int r = 0;
++
++ if (adev->kfd.dev)
++ r = kgd2kfd_resume_iommu(adev->kfd.dev);
++
++ return r;
++}
++
+ int amdgpu_amdkfd_resume(struct amdgpu_device *adev, bool run_pm)
+ {
+ int r = 0;
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
+@@ -126,6 +126,7 @@ int amdgpu_amdkfd_init(void);
+ void amdgpu_amdkfd_fini(void);
+
+ void amdgpu_amdkfd_suspend(struct amdgpu_device *adev, bool run_pm);
++int amdgpu_amdkfd_resume_iommu(struct amdgpu_device *adev);
+ int amdgpu_amdkfd_resume(struct amdgpu_device *adev, bool run_pm);
+ void amdgpu_amdkfd_interrupt(struct amdgpu_device *adev,
+ const void *ih_ring_entry);
--- /dev/null
+From 714d9e4574d54596973ee3b0624ee4a16264d700 Mon Sep 17 00:00:00 2001
+From: Yifan Zhang <yifan1.zhang@amd.com>
+Date: Tue, 28 Sep 2021 15:42:35 +0800
+Subject: drm/amdgpu: init iommu after amdkfd device init
+
+From: Yifan Zhang <yifan1.zhang@amd.com>
+
+commit 714d9e4574d54596973ee3b0624ee4a16264d700 upstream.
+
+This patch is to fix clinfo failure in Raven/Picasso:
+
+Number of platforms: 1
+ Platform Profile: FULL_PROFILE
+ Platform Version: OpenCL 2.2 AMD-APP (3364.0)
+ Platform Name: AMD Accelerated Parallel Processing
+ Platform Vendor: Advanced Micro Devices, Inc.
+ Platform Extensions: cl_khr_icd cl_amd_event_callback
+
+ Platform Name: AMD Accelerated Parallel Processing Number of devices: 0
+
+Signed-off-by: Yifan Zhang <yifan1.zhang@amd.com>
+Reviewed-by: James Zhu <James.Zhu@amd.com>
+Tested-by: James Zhu <James.Zhu@amd.com>
+Acked-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -2220,10 +2220,6 @@ static int amdgpu_device_ip_init(struct
+ if (r)
+ goto init_failed;
+
+- r = amdgpu_amdkfd_resume_iommu(adev);
+- if (r)
+- goto init_failed;
+-
+ r = amdgpu_device_ip_hw_init_phase1(adev);
+ if (r)
+ goto init_failed;
+@@ -2259,6 +2255,10 @@ static int amdgpu_device_ip_init(struct
+ amdgpu_xgmi_add_device(adev);
+ amdgpu_amdkfd_device_init(adev);
+
++ r = amdgpu_amdkfd_resume_iommu(adev);
++ if (r)
++ goto init_failed;
++
+ amdgpu_fru_get_product_info(adev);
+
+ init_failed:
--- /dev/null
+From f02abeb0779700c308e661a412451b38962b8a0b Mon Sep 17 00:00:00 2001
+From: James Zhu <James.Zhu@amd.com>
+Date: Tue, 7 Sep 2021 11:32:22 -0400
+Subject: drm/amdgpu: move iommu_resume before ip init/resume
+
+From: James Zhu <James.Zhu@amd.com>
+
+commit f02abeb0779700c308e661a412451b38962b8a0b upstream.
+
+Separate iommu_resume from kfd_resume, and move it before
+other amdgpu ip init/resume.
+
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=211277
+Signed-off-by: James Zhu <James.Zhu@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -2220,6 +2220,10 @@ static int amdgpu_device_ip_init(struct
+ if (r)
+ goto init_failed;
+
++ r = amdgpu_amdkfd_resume_iommu(adev);
++ if (r)
++ goto init_failed;
++
+ r = amdgpu_device_ip_hw_init_phase1(adev);
+ if (r)
+ goto init_failed;
+@@ -2913,6 +2917,10 @@ static int amdgpu_device_ip_resume(struc
+ {
+ int r;
+
++ r = amdgpu_amdkfd_resume_iommu(adev);
++ if (r)
++ return r;
++
+ r = amdgpu_device_ip_resume_phase1(adev);
+ if (r)
+ return r;
+@@ -4296,6 +4304,10 @@ static int amdgpu_do_asic_reset(struct a
+
+ if (!r) {
+ dev_info(tmp_adev->dev, "GPU reset succeeded, trying to resume\n");
++ r = amdgpu_amdkfd_resume_iommu(tmp_adev);
++ if (r)
++ goto out;
++
+ r = amdgpu_device_ip_resume_phase1(tmp_adev);
+ if (r)
+ goto out;
--- /dev/null
+From afd18180c07026f94a80ff024acef5f4159084a4 Mon Sep 17 00:00:00 2001
+From: Yifan Zhang <yifan1.zhang@amd.com>
+Date: Mon, 11 Oct 2021 20:37:01 +0800
+Subject: drm/amdkfd: fix boot failure when iommu is disabled in Picasso.
+
+From: Yifan Zhang <yifan1.zhang@amd.com>
+
+commit afd18180c07026f94a80ff024acef5f4159084a4 upstream.
+
+When IOMMU disabled in sbios and kfd in iommuv2 path, iommuv2
+init will fail. But this failure should not block amdgpu driver init.
+
+Reported-by: youling <youling257@gmail.com>
+Tested-by: youling <youling257@gmail.com>
+Signed-off-by: Yifan Zhang <yifan1.zhang@amd.com>
+Reviewed-by: James Zhu <James.Zhu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 ----
+ drivers/gpu/drm/amd/amdkfd/kfd_device.c | 3 +++
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -2255,10 +2255,6 @@ static int amdgpu_device_ip_init(struct
+ amdgpu_xgmi_add_device(adev);
+ amdgpu_amdkfd_device_init(adev);
+
+- r = amdgpu_amdkfd_resume_iommu(adev);
+- if (r)
+- goto init_failed;
+-
+ amdgpu_fru_get_product_info(adev);
+
+ init_failed:
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
+@@ -751,6 +751,9 @@ bool kgd2kfd_device_init(struct kfd_dev
+
+ kfd_cwsr_init(kfd);
+
++ if(kgd2kfd_resume_iommu(kfd))
++ goto device_iommu_error;
++
+ if (kfd_resume(kfd))
+ goto kfd_resume_error;
+
--- /dev/null
+From fefc01f042f44ede373ee66773b8238dd8fdcb55 Mon Sep 17 00:00:00 2001
+From: James Zhu <James.Zhu@amd.com>
+Date: Tue, 7 Sep 2021 11:13:02 -0400
+Subject: drm/amdkfd: separate kfd_iommu_resume from kfd_resume
+
+From: James Zhu <James.Zhu@amd.com>
+
+commit fefc01f042f44ede373ee66773b8238dd8fdcb55 upstream.
+
+Separate kfd_iommu_resume from kfd_resume for fine-tuning
+of amdgpu device init/resume/reset/recovery sequence.
+
+v2: squash in fix for !CONFIG_HSA_AMD
+
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=211277
+Signed-off-by: James Zhu <James.Zhu@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 1 +
+ drivers/gpu/drm/amd/amdkfd/kfd_device.c | 12 ++++++++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
+@@ -262,6 +262,7 @@ bool kgd2kfd_device_init(struct kfd_dev
+ const struct kgd2kfd_shared_resources *gpu_resources);
+ void kgd2kfd_device_exit(struct kfd_dev *kfd);
+ void kgd2kfd_suspend(struct kfd_dev *kfd, bool run_pm);
++int kgd2kfd_resume_iommu(struct kfd_dev *kfd);
+ int kgd2kfd_resume(struct kfd_dev *kfd, bool run_pm);
+ int kgd2kfd_pre_reset(struct kfd_dev *kfd);
+ int kgd2kfd_post_reset(struct kfd_dev *kfd);
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
+@@ -896,17 +896,21 @@ int kgd2kfd_resume(struct kfd_dev *kfd,
+ return ret;
+ }
+
+-static int kfd_resume(struct kfd_dev *kfd)
++int kgd2kfd_resume_iommu(struct kfd_dev *kfd)
+ {
+ int err = 0;
+
+ err = kfd_iommu_resume(kfd);
+- if (err) {
++ if (err)
+ dev_err(kfd_device,
+ "Failed to resume IOMMU for device %x:%x\n",
+ kfd->pdev->vendor, kfd->pdev->device);
+- return err;
+- }
++ return err;
++}
++
++static int kfd_resume(struct kfd_dev *kfd)
++{
++ int err = 0;
+
+ err = kfd->dqm->ops.start(kfd->dqm);
+ if (err) {
--- /dev/null
+From cdef485217d30382f3bf6448c54b4401648fe3f1 Mon Sep 17 00:00:00 2001
+From: msizanoen1 <msizanoen@qtmlabs.xyz>
+Date: Tue, 23 Nov 2021 13:48:32 +0100
+Subject: ipv6: fix memory leak in fib6_rule_suppress
+
+From: msizanoen1 <msizanoen@qtmlabs.xyz>
+
+commit cdef485217d30382f3bf6448c54b4401648fe3f1 upstream.
+
+The kernel leaks memory when a `fib` rule is present in IPv6 nftables
+firewall rules and a suppress_prefix rule is present in the IPv6 routing
+rules (used by certain tools such as wg-quick). In such scenarios, every
+incoming packet will leak an allocation in `ip6_dst_cache` slab cache.
+
+After some hours of `bpftrace`-ing and source code reading, I tracked
+down the issue to ca7a03c41753 ("ipv6: do not free rt if
+FIB_LOOKUP_NOREF is set on suppress rule").
+
+The problem with that change is that the generic `args->flags` always have
+`FIB_LOOKUP_NOREF` set[1][2] but the IPv6-specific flag
+`RT6_LOOKUP_F_DST_NOREF` might not be, leading to `fib6_rule_suppress` not
+decreasing the refcount when needed.
+
+How to reproduce:
+ - Add the following nftables rule to a prerouting chain:
+ meta nfproto ipv6 fib saddr . mark . iif oif missing drop
+ This can be done with:
+ sudo nft create table inet test
+ sudo nft create chain inet test test_chain '{ type filter hook prerouting priority filter + 10; policy accept; }'
+ sudo nft add rule inet test test_chain meta nfproto ipv6 fib saddr . mark . iif oif missing drop
+ - Run:
+ sudo ip -6 rule add table main suppress_prefixlength 0
+ - Watch `sudo slabtop -o | grep ip6_dst_cache` to see memory usage increase
+ with every incoming ipv6 packet.
+
+This patch exposes the protocol-specific flags to the protocol
+specific `suppress` function, and check the protocol-specific `flags`
+argument for RT6_LOOKUP_F_DST_NOREF instead of the generic
+FIB_LOOKUP_NOREF when decreasing the refcount, like this.
+
+[1]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L71
+[2]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L99
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215105
+Fixes: ca7a03c41753 ("ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/fib_rules.h | 4 +++-
+ net/core/fib_rules.c | 2 +-
+ net/ipv4/fib_rules.c | 1 +
+ net/ipv6/fib6_rules.c | 4 ++--
+ 4 files changed, 7 insertions(+), 4 deletions(-)
+
+--- a/include/net/fib_rules.h
++++ b/include/net/fib_rules.h
+@@ -69,7 +69,7 @@ struct fib_rules_ops {
+ int (*action)(struct fib_rule *,
+ struct flowi *, int,
+ struct fib_lookup_arg *);
+- bool (*suppress)(struct fib_rule *,
++ bool (*suppress)(struct fib_rule *, int,
+ struct fib_lookup_arg *);
+ int (*match)(struct fib_rule *,
+ struct flowi *, int);
+@@ -218,7 +218,9 @@ INDIRECT_CALLABLE_DECLARE(int fib4_rule_
+ struct fib_lookup_arg *arg));
+
+ INDIRECT_CALLABLE_DECLARE(bool fib6_rule_suppress(struct fib_rule *rule,
++ int flags,
+ struct fib_lookup_arg *arg));
+ INDIRECT_CALLABLE_DECLARE(bool fib4_rule_suppress(struct fib_rule *rule,
++ int flags,
+ struct fib_lookup_arg *arg));
+ #endif
+--- a/net/core/fib_rules.c
++++ b/net/core/fib_rules.c
+@@ -323,7 +323,7 @@ jumped:
+ if (!err && ops->suppress && INDIRECT_CALL_MT(ops->suppress,
+ fib6_rule_suppress,
+ fib4_rule_suppress,
+- rule, arg))
++ rule, flags, arg))
+ continue;
+
+ if (err != -EAGAIN) {
+--- a/net/ipv4/fib_rules.c
++++ b/net/ipv4/fib_rules.c
+@@ -141,6 +141,7 @@ INDIRECT_CALLABLE_SCOPE int fib4_rule_ac
+ }
+
+ INDIRECT_CALLABLE_SCOPE bool fib4_rule_suppress(struct fib_rule *rule,
++ int flags,
+ struct fib_lookup_arg *arg)
+ {
+ struct fib_result *result = (struct fib_result *) arg->result;
+--- a/net/ipv6/fib6_rules.c
++++ b/net/ipv6/fib6_rules.c
+@@ -267,6 +267,7 @@ INDIRECT_CALLABLE_SCOPE int fib6_rule_ac
+ }
+
+ INDIRECT_CALLABLE_SCOPE bool fib6_rule_suppress(struct fib_rule *rule,
++ int flags,
+ struct fib_lookup_arg *arg)
+ {
+ struct fib6_result *res = arg->result;
+@@ -294,8 +295,7 @@ INDIRECT_CALLABLE_SCOPE bool fib6_rule_s
+ return false;
+
+ suppress_route:
+- if (!(arg->flags & FIB_LOOKUP_NOREF))
+- ip6_rt_put(rt);
++ ip6_rt_put_flags(rt, flags);
+ return true;
+ }
+
--- /dev/null
+From 1f80d15020d7f130194821feb1432b67648c632d Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Thu, 25 Nov 2021 15:20:14 +0000
+Subject: KVM: arm64: Avoid setting the upper 32 bits of TCR_EL2 and CPTR_EL2 to 1
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+commit 1f80d15020d7f130194821feb1432b67648c632d upstream.
+
+Having a signed (1 << 31) constant for TCR_EL2_RES1 and CPTR_EL2_TCPAC
+causes the upper 32-bit to be set to 1 when assigning them to a 64-bit
+variable. Bit 32 in TCR_EL2 is no longer RES0 in ARMv8.7: with FEAT_LPA2
+it changes the meaning of bits 49:48 and 9:8 in the stage 1 EL2 page
+table entries. As a result of the sign-extension, a non-VHE kernel can
+no longer boot on a model with ARMv8.7 enabled.
+
+CPTR_EL2 still has the top 32 bits RES0 but we should preempt any future
+problems
+
+Make these top bit constants unsigned as per commit df655b75c43f
+("arm64: KVM: Avoid setting the upper 32 bits of VTCR_EL2 to 1").
+
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Reported-by: Chris January <Chris.January@arm.com>
+Cc: <stable@vger.kernel.org>
+Cc: Will Deacon <will@kernel.org>
+Cc: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20211125152014.2806582-1-catalin.marinas@arm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/kvm_arm.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_arm.h
++++ b/arch/arm64/include/asm/kvm_arm.h
+@@ -83,7 +83,7 @@
+ #define HCR_HOST_VHE_FLAGS (HCR_RW | HCR_TGE | HCR_E2H)
+
+ /* TCR_EL2 Registers bits */
+-#define TCR_EL2_RES1 ((1 << 31) | (1 << 23))
++#define TCR_EL2_RES1 ((1U << 31) | (1 << 23))
+ #define TCR_EL2_TBI (1 << 20)
+ #define TCR_EL2_PS_SHIFT 16
+ #define TCR_EL2_PS_MASK (7 << TCR_EL2_PS_SHIFT)
+@@ -268,7 +268,7 @@
+ #define CPTR_EL2_TFP_SHIFT 10
+
+ /* Hyp Coprocessor Trap Register */
+-#define CPTR_EL2_TCPAC (1 << 31)
++#define CPTR_EL2_TCPAC (1U << 31)
+ #define CPTR_EL2_TAM (1 << 30)
+ #define CPTR_EL2_TTA (1 << 20)
+ #define CPTR_EL2_TFP (1 << CPTR_EL2_TFP_SHIFT)
--- /dev/null
+From 6b285a5587506bae084cf9a3ed5aa491d623b91b Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Thu, 4 Nov 2021 00:25:03 +0000
+Subject: KVM: Disallow user memslot with size that exceeds "unsigned long"
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 6b285a5587506bae084cf9a3ed5aa491d623b91b upstream.
+
+Reject userspace memslots whose size exceeds the storage capacity of an
+"unsigned long". KVM's uAPI takes the size as u64 to support large slots
+on 64-bit hosts, but does not account for the size being truncated on
+32-bit hosts in various flows. The access_ok() check on the userspace
+virtual address in particular casts the size to "unsigned long" and will
+check the wrong number of bytes.
+
+KVM doesn't actually support slots whose size doesn't fit in an "unsigned
+long", e.g. KVM's internal kvm_memory_slot.npages is an "unsigned long",
+not a "u64", and misc arch specific code follows that behavior.
+
+Fixes: fa3d315a4ce2 ("KVM: Validate userspace_addr of memslot when registered")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
+Message-Id: <20211104002531.1176691-3-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/kvm_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1297,7 +1297,8 @@ int __kvm_set_memory_region(struct kvm *
+ id = (u16)mem->slot;
+
+ /* General sanity checks */
+- if (mem->memory_size & (PAGE_SIZE - 1))
++ if ((mem->memory_size & (PAGE_SIZE - 1)) ||
++ (mem->memory_size != (unsigned long)mem->memory_size))
+ return -EINVAL;
+ if (mem->guest_phys_addr & (PAGE_SIZE - 1))
+ return -EINVAL;
--- /dev/null
+From 2b4a5a5d56881ece3c66b9a9a8943a6f41bd7349 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Thu, 25 Nov 2021 01:49:43 +0000
+Subject: KVM: nVMX: Flush current VPID (L1 vs. L2) for KVM_REQ_TLB_FLUSH_GUEST
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 2b4a5a5d56881ece3c66b9a9a8943a6f41bd7349 upstream.
+
+Flush the current VPID when handling KVM_REQ_TLB_FLUSH_GUEST instead of
+always flushing vpid01. Any TLB flush that is triggered when L2 is
+active is scoped to L2's VPID (if it has one), e.g. if L2 toggles CR4.PGE
+and L1 doesn't intercept PGE writes, then KVM's emulation of the TLB
+flush needs to be applied to L2's VPID.
+
+Reported-by: Lai Jiangshan <jiangshanlai+lkml@gmail.com>
+Fixes: 07ffaf343e34 ("KVM: nVMX: Sync all PGDs on nested transition with shadow paging")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20211125014944.536398-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx/vmx.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -2908,6 +2908,13 @@ static void vmx_flush_tlb_all(struct kvm
+ }
+ }
+
++static inline int vmx_get_current_vpid(struct kvm_vcpu *vcpu)
++{
++ if (is_guest_mode(vcpu))
++ return nested_get_vpid02(vcpu);
++ return to_vmx(vcpu)->vpid;
++}
++
+ static void vmx_flush_tlb_current(struct kvm_vcpu *vcpu)
+ {
+ struct kvm_mmu *mmu = vcpu->arch.mmu;
+@@ -2920,31 +2927,29 @@ static void vmx_flush_tlb_current(struct
+ if (enable_ept)
+ ept_sync_context(construct_eptp(vcpu, root_hpa,
+ mmu->shadow_root_level));
+- else if (!is_guest_mode(vcpu))
+- vpid_sync_context(to_vmx(vcpu)->vpid);
+ else
+- vpid_sync_context(nested_get_vpid02(vcpu));
++ vpid_sync_context(vmx_get_current_vpid(vcpu));
+ }
+
+ static void vmx_flush_tlb_gva(struct kvm_vcpu *vcpu, gva_t addr)
+ {
+ /*
+- * vpid_sync_vcpu_addr() is a nop if vmx->vpid==0, see the comment in
++ * vpid_sync_vcpu_addr() is a nop if vpid==0, see the comment in
+ * vmx_flush_tlb_guest() for an explanation of why this is ok.
+ */
+- vpid_sync_vcpu_addr(to_vmx(vcpu)->vpid, addr);
++ vpid_sync_vcpu_addr(vmx_get_current_vpid(vcpu), addr);
+ }
+
+ static void vmx_flush_tlb_guest(struct kvm_vcpu *vcpu)
+ {
+ /*
+- * vpid_sync_context() is a nop if vmx->vpid==0, e.g. if enable_vpid==0
+- * or a vpid couldn't be allocated for this vCPU. VM-Enter and VM-Exit
+- * are required to flush GVA->{G,H}PA mappings from the TLB if vpid is
++ * vpid_sync_context() is a nop if vpid==0, e.g. if enable_vpid==0 or a
++ * vpid couldn't be allocated for this vCPU. VM-Enter and VM-Exit are
++ * required to flush GVA->{G,H}PA mappings from the TLB if vpid is
+ * disabled (VM-Enter with vpid enabled and vpid==0 is disallowed),
+ * i.e. no explicit INVVPID is necessary.
+ */
+- vpid_sync_context(to_vmx(vcpu)->vpid);
++ vpid_sync_context(vmx_get_current_vpid(vcpu));
+ }
+
+ void vmx_ept_load_pdptrs(struct kvm_vcpu *vcpu)
--- /dev/null
+From 53b7ca1a359389276c76fbc9e1009d8626a17e40 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 22 Nov 2021 19:43:11 -0500
+Subject: KVM: x86: Use a stable condition around all VT-d PI paths
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 53b7ca1a359389276c76fbc9e1009d8626a17e40 upstream.
+
+Currently, checks for whether VT-d PI can be used refer to the current
+status of the feature in the current vCPU; or they more or less pick
+vCPU 0 in case a specific vCPU is not available.
+
+However, these checks do not attempt to synchronize with changes to
+the IRTE. In particular, there is no path that updates the IRTE when
+APICv is re-activated on vCPU 0; and there is no path to wakeup a CPU
+that has APICv disabled, if the wakeup occurs because of an IRTE
+that points to a posted interrupt.
+
+To fix this, always go through the VT-d PI path as long as there are
+assigned devices and APICv is available on both the host and the VM side.
+Since the relevant condition was copied over three times, take the hint
+and factor it into a separate function.
+
+Suggested-by: Sean Christopherson <seanjc@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Reviewed-by: David Matlack <dmatlack@google.com>
+Message-Id: <20211123004311.2954158-5-pbonzini@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx/posted_intr.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kvm/vmx/posted_intr.c
++++ b/arch/x86/kvm/vmx/posted_intr.c
+@@ -5,6 +5,7 @@
+ #include <asm/cpu.h>
+
+ #include "lapic.h"
++#include "irq.h"
+ #include "posted_intr.h"
+ #include "trace.h"
+ #include "vmx.h"
+@@ -77,13 +78,18 @@ after_clear_sn:
+ pi_set_on(pi_desc);
+ }
+
++static bool vmx_can_use_vtd_pi(struct kvm *kvm)
++{
++ return irqchip_in_kernel(kvm) && enable_apicv &&
++ kvm_arch_has_assigned_device(kvm) &&
++ irq_remapping_cap(IRQ_POSTING_CAP);
++}
++
+ void vmx_vcpu_pi_put(struct kvm_vcpu *vcpu)
+ {
+ struct pi_desc *pi_desc = vcpu_to_pi_desc(vcpu);
+
+- if (!kvm_arch_has_assigned_device(vcpu->kvm) ||
+- !irq_remapping_cap(IRQ_POSTING_CAP) ||
+- !kvm_vcpu_apicv_active(vcpu))
++ if (!vmx_can_use_vtd_pi(vcpu->kvm))
+ return;
+
+ /* Set SN when the vCPU is preempted */
+@@ -141,9 +147,7 @@ int pi_pre_block(struct kvm_vcpu *vcpu)
+ struct pi_desc old, new;
+ struct pi_desc *pi_desc = vcpu_to_pi_desc(vcpu);
+
+- if (!kvm_arch_has_assigned_device(vcpu->kvm) ||
+- !irq_remapping_cap(IRQ_POSTING_CAP) ||
+- !kvm_vcpu_apicv_active(vcpu))
++ if (!vmx_can_use_vtd_pi(vcpu->kvm))
+ return 0;
+
+ WARN_ON(irqs_disabled());
+@@ -256,9 +260,7 @@ int pi_update_irte(struct kvm *kvm, unsi
+ struct vcpu_data vcpu_info;
+ int idx, ret = 0;
+
+- if (!kvm_arch_has_assigned_device(kvm) ||
+- !irq_remapping_cap(IRQ_POSTING_CAP) ||
+- !kvm_vcpu_apicv_active(kvm->vcpus[0]))
++ if (!vmx_can_use_vtd_pi(kvm))
+ return 0;
+
+ idx = srcu_read_lock(&kvm->irq_srcu);
--- /dev/null
+From 05b29633c7a956d5675f5fbba70db0d26aa5e73e Mon Sep 17 00:00:00 2001
+From: Lai Jiangshan <laijs@linux.alibaba.com>
+Date: Wed, 24 Nov 2021 20:20:46 +0800
+Subject: KVM: X86: Use vcpu->arch.walk_mmu for kvm_mmu_invlpg()
+
+From: Lai Jiangshan <laijs@linux.alibaba.com>
+
+commit 05b29633c7a956d5675f5fbba70db0d26aa5e73e upstream.
+
+INVLPG operates on guest virtual address, which are represented by
+vcpu->arch.walk_mmu. In nested virtualization scenarios,
+kvm_mmu_invlpg() was using the wrong MMU structure; if L2's invlpg were
+emulated by L0 (in practice, it hardly happen) when nested two-dimensional
+paging is enabled, the call to ->tlb_flush_gva() would be skipped and
+the hardware TLB entry would not be invalidated.
+
+Signed-off-by: Lai Jiangshan <laijs@linux.alibaba.com>
+Message-Id: <20211124122055.64424-5-jiangshanlai@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/mmu/mmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu/mmu.c
++++ b/arch/x86/kvm/mmu/mmu.c
+@@ -5152,7 +5152,7 @@ EXPORT_SYMBOL_GPL(kvm_mmu_invalidate_gva
+
+ void kvm_mmu_invlpg(struct kvm_vcpu *vcpu, gva_t gva)
+ {
+- kvm_mmu_invalidate_gva(vcpu, vcpu->arch.mmu, gva, INVALID_PAGE);
++ kvm_mmu_invalidate_gva(vcpu, vcpu->arch.walk_mmu, gva, INVALID_PAGE);
+ ++vcpu->stat.invlpg;
+ }
+ EXPORT_SYMBOL_GPL(kvm_mmu_invlpg);
fget-check-that-the-fd-still-exists-after-getting-a-ref-to-it.patch
sata_fsl-fix-uaf-in-sata_fsl_port_stop-when-rmmod-sata_fsl.patch
sata_fsl-fix-warning-in-remove_proc_entry-when-rmmod-sata_fsl.patch
+ipv6-fix-memory-leak-in-fib6_rule_suppress.patch
+drm-amd-display-allow-dsc-on-supported-mst-branch-devices.patch
+kvm-disallow-user-memslot-with-size-that-exceeds-unsigned-long.patch
+kvm-nvmx-flush-current-vpid-l1-vs.-l2-for-kvm_req_tlb_flush_guest.patch
+kvm-x86-use-a-stable-condition-around-all-vt-d-pi-paths.patch
+kvm-arm64-avoid-setting-the-upper-32-bits-of-tcr_el2-and-cptr_el2-to-1.patch
+kvm-x86-use-vcpu-arch.walk_mmu-for-kvm_mmu_invlpg.patch
+tracing-histograms-string-compares-should-not-care-about-signed-values.patch
+drm-amdkfd-separate-kfd_iommu_resume-from-kfd_resume.patch
+drm-amdgpu-add-amdgpu_amdkfd_resume_iommu.patch
+drm-amdgpu-move-iommu_resume-before-ip-init-resume.patch
+drm-amdgpu-init-iommu-after-amdkfd-device-init.patch
+drm-amdkfd-fix-boot-failure-when-iommu-is-disabled-in-picasso.patch
--- /dev/null
+From 450fec13d9170127678f991698ac1a5b05c02e2f Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Tue, 30 Nov 2021 12:31:23 -0500
+Subject: tracing/histograms: String compares should not care about signed values
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 450fec13d9170127678f991698ac1a5b05c02e2f upstream.
+
+When comparing two strings for the "onmatch" histogram trigger, fields
+that are strings use string comparisons, which do not care about being
+signed or not.
+
+Do not fail to match two string fields if one is unsigned char array and
+the other is a signed char array.
+
+Link: https://lore.kernel.org/all/20211129123043.5cfd687a@gandalf.local.home/
+
+Cc: stable@vgerk.kernel.org
+Cc: Tom Zanussi <zanussi@kernel.org>
+Cc: Yafang Shao <laoar.shao@gmail.com>
+Fixes: b05e89ae7cf3b ("tracing: Accept different type for synthetic event fields")
+Reviewed-by: Masami Hiramatsu <mhiramatsu@kernel.org>
+Reported-by: Sven Schnelle <svens@linux.ibm.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events_hist.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -3344,7 +3344,7 @@ static int check_synth_field(struct synt
+
+ if (strcmp(field->type, hist_field->type) != 0) {
+ if (field->size != hist_field->size ||
+- field->is_signed != hist_field->is_signed)
++ (!field->is_string && field->is_signed != hist_field->is_signed))
+ return -EINVAL;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
