Fixes for 5.15
authorSasha Levin <sashal@kernel.org>
Mon, 20 Dec 2021 02:48:15 +0000 (21:48 -0500)
committerSasha Levin <sashal@kernel.org>
Mon, 20 Dec 2021 02:48:15 +0000 (21:48 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.15/kvm-x86-drop-guest-cpuid-check-for-host-initiated-wr.patch [new file with mode: 0644]
queue-5.15/powerpc-85xx-fix-oops-when-config_fsl_pmc-n.patch [new file with mode: 0644]
queue-5.15/revert-usb-early-convert-to-readl_poll_timeout_atomi.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch [new file with mode: 0644]

diff --git a/queue-5.15/kvm-x86-drop-guest-cpuid-check-for-host-initiated-wr.patch b/queue-5.15/kvm-x86-drop-guest-cpuid-check-for-host-initiated-wr.patch
new file mode 100644 (file)
index 0000000..3afdc16
--- /dev/null
@@ -0,0 +1,40 @@
+From bb28587885c617fa25bdcbe9c6d84c2b3734335f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Dec 2021 17:52:13 +0100
+Subject: KVM: x86: Drop guest CPUID check for host initiated writes to
+ MSR_IA32_PERF_CAPABILITIES
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+[ Upstream commit 1aa2abb33a419090c7c87d4ae842a6347078ee12 ]
+
+The ability to write to MSR_IA32_PERF_CAPABILITIES from the host should
+not depend on guest visible CPUID entries, even if just to allow
+creating/restoring guest MSRs and CPUIDs in any sequence.
+
+Fixes: 27461da31089 ("KVM: x86/pmu: Support full width counting")
+Suggested-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Message-Id: <20211216165213.338923-3-vkuznets@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 3c9e2d236830c..dea578586fa4e 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3359,7 +3359,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+               if (!msr_info->host_initiated)
+                       return 1;
+-              if (guest_cpuid_has(vcpu, X86_FEATURE_PDCM) && kvm_get_msr_feature(&msr_ent))
++              if (kvm_get_msr_feature(&msr_ent))
+                       return 1;
+               if (data & ~msr_ent.data)
+                       return 1;
+-- 
+2.34.1
+
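Review bot: The rewritten check in kvm_set_msr_common() carries no comment saying why the guest CPUID test is absent, so a later reader could re-add `guest_cpuid_has(vcpu, X86_FEATURE_PDCM)` as apparent hardening and bring back the ordering problem this patch fixes. After the change, the only filters on a host-initiated write visible in the hunk are `kvm_get_msr_feature(&msr_ent)` and `data & ~msr_ent.data`, that is, the host-supported bits. I would add above the check `/* Host-initiated writes are validated against host-supported bits only; guest CPUID may not be set yet. */`. The case body starts and ends outside the hunk, so how the stored value is later reconciled with the guest's CPUID cannot be judged from here.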
diff --git a/queue-5.15/powerpc-85xx-fix-oops-when-config_fsl_pmc-n.patch b/queue-5.15/powerpc-85xx-fix-oops-when-config_fsl_pmc-n.patch
new file mode 100644 (file)
index 0000000..6873e45
--- /dev/null
@@ -0,0 +1,68 @@
+From 6cf3d8e043cc4be7fc38171e8dc3b7be5ba74ccc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 12:11:53 +0800
+Subject: powerpc/85xx: Fix oops when CONFIG_FSL_PMC=n
+
+From: Xiaoming Ni <nixiaoming@huawei.com>
+
+[ Upstream commit 3dc709e518b47386e6af937eaec37bb36539edfd ]
+
+When CONFIG_FSL_PMC is set to n, no value is assigned to cpu_up_prepare
+in the mpc85xx_pm_ops structure. As a result, oops is triggered in
+smp_85xx_start_cpu().
+
+  smp: Bringing up secondary CPUs ...
+  kernel tried to execute user page (0) - exploit attempt? (uid: 0)
+  BUG: Unable to handle kernel instruction fetch (NULL pointer?)
+  Faulting instruction address: 0x00000000
+  Oops: Kernel access of bad area, sig: 11 [#1]
+  ...
+  NIP [00000000] 0x0
+  LR [c0021d2c] smp_85xx_kick_cpu+0xe8/0x568
+  Call Trace:
+  [c1051da8] [c0021cb8] smp_85xx_kick_cpu+0x74/0x568 (unreliable)
+  [c1051de8] [c0011460] __cpu_up+0xc0/0x228
+  [c1051e18] [c0031bbc] bringup_cpu+0x30/0x224
+  [c1051e48] [c0031f3c] cpu_up.constprop.0+0x180/0x33c
+  [c1051e88] [c00322e8] bringup_nonboot_cpus+0x88/0xc8
+  [c1051eb8] [c07e67bc] smp_init+0x30/0x78
+  [c1051ed8] [c07d9e28] kernel_init_freeable+0x118/0x2a8
+  [c1051f18] [c00032d8] kernel_init+0x14/0x124
+  [c1051f38] [c0010278] ret_from_kernel_thread+0x14/0x1c
+
+Fixes: c45361abb918 ("powerpc/85xx: fix timebase sync issue when CONFIG_HOTPLUG_CPU=n")
+Reported-by: Martin Kennedy <hurricos@gmail.com>
+Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
+Tested-by: Martin Kennedy <hurricos@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20211126041153.16926-1-nixiaoming@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/85xx/smp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/platforms/85xx/smp.c b/arch/powerpc/platforms/85xx/smp.c
+index 83f4a6389a282..d7081e9af65c7 100644
+--- a/arch/powerpc/platforms/85xx/smp.c
++++ b/arch/powerpc/platforms/85xx/smp.c
+@@ -220,7 +220,7 @@ static int smp_85xx_start_cpu(int cpu)
+       local_irq_save(flags);
+       hard_irq_disable();
+-      if (qoriq_pm_ops)
++      if (qoriq_pm_ops && qoriq_pm_ops->cpu_up_prepare)
+               qoriq_pm_ops->cpu_up_prepare(cpu);
+       /* if cpu is not spinning, reset it */
+@@ -292,7 +292,7 @@ static int smp_85xx_kick_cpu(int nr)
+               booting_thread_hwid = cpu_thread_in_core(nr);
+               primary = cpu_first_thread_sibling(nr);
+-              if (qoriq_pm_ops)
++              if (qoriq_pm_ops && qoriq_pm_ops->cpu_up_prepare)
+                       qoriq_pm_ops->cpu_up_prepare(nr);
+               /*
+-- 
+2.34.1
+
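Review bot: Both call sites now silently skip `cpu_up_prepare` when the pointer is NULL, and nothing in either hunk records that skipping it is safe on kernels built with CONFIG_FSL_PMC=n. The oops in the description is a kernel jump through a NULL function pointer, so the guard is the right shape, but the same two-part test is duplicated in smp_85xx_start_cpu() and smp_85xx_kick_cpu(). A short comment at the first site, `/* cpu_up_prepare is optional: it is left unset when CONFIG_FSL_PMC=n */`, would document the contract. Other `qoriq_pm_ops` callbacks used elsewhere in the file may need the same NULL test, which cannot be confirmed from these hunks because both functions continue outside them.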
diff --git a/queue-5.15/revert-usb-early-convert-to-readl_poll_timeout_atomi.patch b/queue-5.15/revert-usb-early-convert-to-readl_poll_timeout_atomi.patch
new file mode 100644 (file)
index 0000000..b93b936
--- /dev/null
@@ -0,0 +1,63 @@
+From 1cbf17bc44c9e3787b57cecac5776430e7d8e543 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Dec 2021 16:24:30 +0100
+Subject: Revert "usb: early: convert to readl_poll_timeout_atomic()"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit c4d936efa46d8ea183df16c0f3fa4423327da51d ]
+
+This reverts commit 796eed4b2342c9d6b26c958e92af91253a2390e1.
+
+This change causes boot lockups when using "arlyprintk=xdbc" because
+ktime can not be used at this point in time in the boot process.  Also,
+it is not needed for very small delays like this.
+
+Reported-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Reported-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Jann Horn <jannh@google.com>
+Cc: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Fixes: 796eed4b2342 ("usb: early: convert to readl_poll_timeout_atomic()")
+Link: https://lore.kernel.org/r/c2b5c9bb-1b75-bf56-3754-b5b18812d65e@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/early/xhci-dbc.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/early/xhci-dbc.c b/drivers/usb/early/xhci-dbc.c
+index be4ecbabdd586..6c0434100e38c 100644
+--- a/drivers/usb/early/xhci-dbc.c
++++ b/drivers/usb/early/xhci-dbc.c
+@@ -14,7 +14,6 @@
+ #include <linux/pci_ids.h>
+ #include <linux/memblock.h>
+ #include <linux/io.h>
+-#include <linux/iopoll.h>
+ #include <asm/pci-direct.h>
+ #include <asm/fixmap.h>
+ #include <linux/bcd.h>
+@@ -136,9 +135,17 @@ static int handshake(void __iomem *ptr, u32 mask, u32 done, int wait, int delay)
+ {
+       u32 result;
+-      return readl_poll_timeout_atomic(ptr, result,
+-                                       ((result & mask) == done),
+-                                       delay, wait);
++      /* Can not use readl_poll_timeout_atomic() for early boot things */
++      do {
++              result = readl(ptr);
++              result &= mask;
++              if (result == done)
++                      return 0;
++              udelay(delay);
++              wait -= delay;
++      } while (wait > 0);
++
++      return -ETIMEDOUT;
+ }
+ static void __init xdbc_bios_handoff(void)
+-- 
+2.34.1
+
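Review bot: The restored loop in handshake() makes progress only when `delay` is positive: with `delay == 0` and a register that never reaches `done`, `wait -= delay` leaves `wait` unchanged and early boot spins forever. The callers are outside the hunk, so this may never occur in practice, but the contract should be stated or enforced, for example `if (delay <= 0) delay = 1;` ahead of the `do`. The added comment could also carry the reason given in the commit message, `/* ktime is not usable this early in boot, so readl_poll_timeout_atomic() cannot be used */`, so the loop is not converted back later.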
index cbdfd4254fd02f876b8d4e308e64076f15f363d4..7b67ce5f6de3f146336ab45ddd50c72895b7fb4e 100644 (file)
@@ -109,3 +109,7 @@ afs-fix-mmap.patch
 arm64-kexec-fix-missing-error-code-ret-warning-in-lo.patch
 bpf-fix-extable-fixup-offset.patch
 bpf-selftests-fix-racing-issue-in-btf_skc_cls_ingres.patch
+powerpc-85xx-fix-oops-when-config_fsl_pmc-n.patch
+usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch
+revert-usb-early-convert-to-readl_poll_timeout_atomi.patch
+kvm-x86-drop-guest-cpuid-check-for-host-initiated-wr.patch
diff --git a/queue-5.15/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch b/queue-5.15/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch
new file mode 100644 (file)
index 0000000..a2caf29
--- /dev/null
@@ -0,0 +1,98 @@
+From 5e65a6b73bf2ddac9deb90da769cab8d513803fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 19:46:21 +0100
+Subject: USB: gadget: bRequestType is a bitfield, not a enum
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit f08adf5add9a071160c68bb2a61d697f39ab0758 ]
+
+Szymon rightly pointed out that the previous check for the endpoint
+direction in bRequestType was not looking at only the bit involved, but
+rather the whole value.  Normally this is ok, but for some request
+types, bits other than bit 8 could be set and the check for the endpoint
+length could not stall correctly.
+
+Fix that up by only checking the single bit.
+
+Fixes: 153a2d7e3350 ("USB: gadget: detect too-big endpoint 0 requests")
+Cc: Felipe Balbi <balbi@kernel.org>
+Reported-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Link: https://lore.kernel.org/r/20211214184621.385828-1-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/composite.c    | 6 +++---
+ drivers/usb/gadget/legacy/dbgp.c  | 6 +++---
+ drivers/usb/gadget/legacy/inode.c | 6 +++---
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index 284eea9f6e4d8..3789c329183ca 100644
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1680,14 +1680,14 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+       u8                              endp;
+       if (w_length > USB_COMP_EP0_BUFSIZ) {
+-              if (ctrl->bRequestType == USB_DIR_OUT) {
+-                      goto done;
+-              } else {
++              if (ctrl->bRequestType & USB_DIR_IN) {
+                       /* Cast away the const, we are going to overwrite on purpose. */
+                       __le16 *temp = (__le16 *)&ctrl->wLength;
+                       *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
+                       w_length = USB_COMP_EP0_BUFSIZ;
++              } else {
++                      goto done;
+               }
+       }
+diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c
+index 355bc7dab9d5f..6bcbad3825802 100644
+--- a/drivers/usb/gadget/legacy/dbgp.c
++++ b/drivers/usb/gadget/legacy/dbgp.c
+@@ -346,14 +346,14 @@ static int dbgp_setup(struct usb_gadget *gadget,
+       u16 len = 0;
+       if (length > DBGP_REQ_LEN) {
+-              if (ctrl->bRequestType == USB_DIR_OUT) {
+-                      return err;
+-              } else {
++              if (ctrl->bRequestType & USB_DIR_IN) {
+                       /* Cast away the const, we are going to overwrite on purpose. */
+                       __le16 *temp = (__le16 *)&ctrl->wLength;
+                       *temp = cpu_to_le16(DBGP_REQ_LEN);
+                       length = DBGP_REQ_LEN;
++              } else {
++                      return err;
+               }
+       }
+diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
+index 0a4041552ed19..1b223cba4c2c9 100644
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1337,14 +1337,14 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+       u16                             w_length = le16_to_cpu(ctrl->wLength);
+       if (w_length > RBUF_SIZE) {
+-              if (ctrl->bRequestType == USB_DIR_OUT) {
+-                      return value;
+-              } else {
++              if (ctrl->bRequestType & USB_DIR_IN) {
+                       /* Cast away the const, we are going to overwrite on purpose. */
+                       __le16 *temp = (__le16 *)&ctrl->wLength;
+                       *temp = cpu_to_le16(RBUF_SIZE);
+                       w_length = RBUF_SIZE;
++              } else {
++                      return value;
+               }
+       }
+-- 
+2.34.1
+
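Review bot: The oversized-wLength clamp is repeated in composite_setup(), dbgp_setup() and gadgetfs_setup(), differing only in the buffer constant and the exit statement, which is how the original `== USB_DIR_OUT` comparison came to need fixing in three files at once. A shared inline helper taking the limit would keep the direction test `ctrl->bRequestType & USB_DIR_IN` in one place. The retained comment says const is cast away on purpose but not why; if the intent is that later handlers reading `ctrl->wLength` see the bounded value, say so, e.g. `/* clamp wLength in place so later readers of ctrl->wLength see the bounded length */`. On the OUT branch, `goto done`, `return err` and `return value` rely on values initialised outside the hunks, so it is worth confirming that each one is a negative error that stalls the request rather than accepting it.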