5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 1 Sep 2021 09:50:29 +0000 (11:50 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 1 Sep 2021 09:50:29 +0000 (11:50 +0200)
added patches:
arm64-dts-qcom-msm8994-angler-fix-gpio-reserved-ranges-85-88.patch
btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
kvm-x86-mmu-treat-nx-as-used-not-reserved-for-all-tdp-shadow-mmus.patch
net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch

queue-5.4/arm64-dts-qcom-msm8994-angler-fix-gpio-reserved-ranges-85-88.patch [new file with mode: 0644]
queue-5.4/btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch [new file with mode: 0644]
queue-5.4/kvm-x86-mmu-treat-nx-as-used-not-reserved-for-all-tdp-shadow-mmus.patch [new file with mode: 0644]
queue-5.4/net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/arm64-dts-qcom-msm8994-angler-fix-gpio-reserved-ranges-85-88.patch b/queue-5.4/arm64-dts-qcom-msm8994-angler-fix-gpio-reserved-ranges-85-88.patch
new file mode 100644 (file)
index 0000000..d2617f9
--- /dev/null
@@ -0,0 +1,35 @@
+From f890f89d9a80fffbfa7ca791b78927e5b8aba869 Mon Sep 17 00:00:00 2001
+From: Petr Vorel <petr.vorel@gmail.com>
+Date: Thu, 15 Apr 2021 21:39:13 +0200
+Subject: arm64: dts: qcom: msm8994-angler: Fix gpio-reserved-ranges 85-88
+
+From: Petr Vorel <petr.vorel@gmail.com>
+
+commit f890f89d9a80fffbfa7ca791b78927e5b8aba869 upstream.
+
+Reserve GPIO pins 85-88 as these aren't meant to be accessible from the
+application CPUs (causes reboot). Yet another fix similar to
+9134586715e3, 5f8d3ab136d0, which is needed to allow angler to boot after
+3edfb7bd76bd ("gpiolib: Show correct direction from the beginning").
+
+Fixes: feeaf56ac78d ("arm64: dts: msm8994 SoC and Huawei Angler (Nexus 6P) support")
+
+Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@somainline.org>
+Link: https://lore.kernel.org/r/20210415193913.1836153-1-petr.vorel@gmail.com
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/qcom/msm8994-angler-rev-101.dts |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm64/boot/dts/qcom/msm8994-angler-rev-101.dts
++++ b/arch/arm64/boot/dts/qcom/msm8994-angler-rev-101.dts
+@@ -30,3 +30,7 @@
+               };
+       };
+ };
++
++&msmgpio {
++      gpio-reserved-ranges = <85 4>;
++};
diff --git a/queue-5.4/btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch b/queue-5.4/btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
new file mode 100644 (file)
index 0000000..0e25a48
--- /dev/null
@@ -0,0 +1,79 @@
+From e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Fri, 6 Aug 2021 18:24:15 +0800
+Subject: btrfs: fix NULL pointer dereference when deleting device by invalid id
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091 upstream.
+
+[BUG]
+It's easy to trigger NULL pointer dereference, just by removing a
+non-existing device id:
+
+ # mkfs.btrfs -f -m single -d single /dev/test/scratch1 \
+                                    /dev/test/scratch2
+ # mount /dev/test/scratch1 /mnt/btrfs
+ # btrfs device remove 3 /mnt/btrfs
+
+Then we have the following kernel NULL pointer dereference:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 9 PID: 649 Comm: btrfs Not tainted 5.14.0-rc3-custom+ #35
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+ RIP: 0010:btrfs_rm_device+0x4de/0x6b0 [btrfs]
+  btrfs_ioctl+0x18bb/0x3190 [btrfs]
+  ? lock_is_held_type+0xa5/0x120
+  ? find_held_lock.constprop.0+0x2b/0x80
+  ? do_user_addr_fault+0x201/0x6a0
+  ? lock_release+0xd2/0x2d0
+  ? __x64_sys_ioctl+0x83/0xb0
+  __x64_sys_ioctl+0x83/0xb0
+  do_syscall_64+0x3b/0x90
+  entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+[CAUSE]
+Commit a27a94c2b0c7 ("btrfs: Make btrfs_find_device_by_devspec return
+btrfs_device directly") moves the "missing" device path check into
+btrfs_rm_device().
+
+But btrfs_rm_device() itself can have case where it only receives
+@devid, with NULL as @device_path.
+
+In that case, calling strcmp() on NULL will trigger the NULL pointer
+dereference.
+
+Before that commit, we handle the "missing" case inside
+btrfs_find_device_by_devspec(), which will not check @device_path at all
+if @devid is provided, thus no way to trigger the bug.
+
+[FIX]
+Before calling strcmp(), also make sure @device_path is not NULL.
+
+Fixes: a27a94c2b0c7 ("btrfs: Make btrfs_find_device_by_devspec return btrfs_device directly")
+CC: stable@vger.kernel.org # 5.4+
+Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -2168,7 +2168,7 @@ int btrfs_rm_device(struct btrfs_fs_info
+       if (IS_ERR(device)) {
+               if (PTR_ERR(device) == -ENOENT &&
+-                  strcmp(device_path, "missing") == 0)
++                  device_path && strcmp(device_path, "missing") == 0)
+                       ret = BTRFS_ERROR_DEV_MISSING_NOT_FOUND;
+               else
+                       ret = PTR_ERR(device);
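Review bot: The new `device_path &&` guard in the `IS_ERR(device)` branch has no comment saying when `device_path` is NULL, so a later cleanup could drop it and reintroduce the NULL dereference in `strcmp()`. The commit message states that the function can be called with only a devid and `device_path` set to NULL; a one-line comment above the condition such as `/* device_path is NULL when the device is given by devid */` would record that. `btrfs_rm_device()` starts and ends outside this hunk, so any other use of `device_path` further down cannot be checked from here and is worth a look for the same assumption.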
diff --git a/queue-5.4/kvm-x86-mmu-treat-nx-as-used-not-reserved-for-all-tdp-shadow-mmus.patch b/queue-5.4/kvm-x86-mmu-treat-nx-as-used-not-reserved-for-all-tdp-shadow-mmus.patch
new file mode 100644 (file)
index 0000000..86d0a7e
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Wed Sep  1 11:30:02 AM CEST 2021
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 22 Jun 2021 10:56:47 -0700
+Subject: KVM: x86/mmu: Treat NX as used (not reserved) for all !TDP shadow MMUs
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 112022bdb5bc372e00e6e43cb88ee38ea67b97bd upstream
+
+Mark NX as being used for all non-nested shadow MMUs, as KVM will set the
+NX bit for huge SPTEs if the iTLB mutli-hit mitigation is enabled.
+Checking the mitigation itself is not sufficient as it can be toggled on
+at any time and KVM doesn't reset MMU contexts when that happens.  KVM
+could reset the contexts, but that would require purging all SPTEs in all
+MMUs, for no real benefit.  And, KVM already forces EFER.NX=1 when TDP is
+disabled (for WP=0, SMEP=1, NX=0), so technically NX is never reserved
+for shadow MMUs.
+
+Fixes: b8e8c8303ff2 ("kvm: mmu: ITLB_MULTIHIT mitigation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20210622175739.3610207-3-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[sudip: use old path]
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/mmu.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -4666,7 +4666,15 @@ static void reset_rsvds_bits_mask_ept(st
+ void
+ reset_shadow_zero_bits_mask(struct kvm_vcpu *vcpu, struct kvm_mmu *context)
+ {
+-      bool uses_nx = context->nx ||
++      /*
++       * KVM uses NX when TDP is disabled to handle a variety of scenarios,
++       * notably for huge SPTEs if iTLB multi-hit mitigation is enabled and
++       * to generate correct permissions for CR0.WP=0/CR4.SMEP=1/EFER.NX=0.
++       * The iTLB multi-hit workaround can be toggled at any time, so assume
++       * NX can be used by any non-nested shadow MMU to avoid having to reset
++       * MMU contexts.  Note, KVM forces EFER.NX=1 when TDP is disabled.
++       */
++      bool uses_nx = context->nx || !tdp_enabled ||
+               context->mmu_role.base.smep_andnot_wp;
+       struct rsvd_bits_validate *shadow_zero_check;
+       int i;
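Review bot: With `!tdp_enabled` added to the `uses_nx` initializer, the `context->nx` and `context->mmu_role.base.smep_andnot_wp` terms can only change the result when TDP is enabled, and the new block comment does not say so. A closing sentence in that comment, for example `The remaining terms only matter when TDP is enabled.`, would keep a reader from taking them for dead code or from removing `!tdp_enabled` as redundant. The body of `reset_shadow_zero_bits_mask()` continues past the hunk, so how `uses_nx` feeds the reserved-bit masks is not visible here.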
diff --git a/queue-5.4/net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch b/queue-5.4/net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
new file mode 100644 (file)
index 0000000..2aa8377
--- /dev/null
@@ -0,0 +1,40 @@
+From 7428022b50d0fbb4846dd0f00639ea09d36dff02 Mon Sep 17 00:00:00 2001
+From: DENG Qingfang <dqfext@gmail.com>
+Date: Wed, 11 Aug 2021 17:50:43 +0800
+Subject: net: dsa: mt7530: fix VLAN traffic leaks again
+
+From: DENG Qingfang <dqfext@gmail.com>
+
+commit 7428022b50d0fbb4846dd0f00639ea09d36dff02 upstream.
+
+When a port leaves a VLAN-aware bridge, the current code does not clear
+other ports' matrix field bit. If the bridge is later set to VLAN-unaware
+mode, traffic in the bridge may leak to that port.
+
+Remove the VLAN filtering check in mt7530_port_bridge_leave.
+
+Fixes: 474a2ddaa192 ("net: dsa: mt7530: fix VLAN traffic leaks")
+Fixes: 83163f7dca56 ("net: dsa: mediatek: add VLAN support for MT7530")
+Signed-off-by: DENG Qingfang <dqfext@gmail.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mt7530.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -842,11 +842,8 @@ mt7530_port_bridge_leave(struct dsa_swit
+               /* Remove this port from the port matrix of the other ports
+                * in the same bridge. If the port is disabled, port matrix
+                * is kept and not being setup until the port becomes enabled.
+-               * And the other port's port matrix cannot be broken when the
+-               * other port is still a VLAN-aware port.
+                */
+-              if (dsa_is_user_port(ds, i) && i != port &&
+-                 !dsa_port_is_vlan_filtering(&ds->ports[i])) {
++              if (dsa_is_user_port(ds, i) && i != port) {
+                       if (dsa_to_port(ds, i)->bridge_dev != bridge)
+                               continue;
+                       if (priv->ports[i].enable)
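Review bot: The shortened comment above `if (dsa_is_user_port(ds, i) && i != port) {` no longer explains why the port matrix of a VLAN-aware peer is now updated too; the deleted lines said that matrix must not be broken while the peer is still VLAN-aware. The commit message gives the reason (a stale matrix bit lets traffic leak to the departed port once the bridge is set to VLAN-unaware mode), and that belongs in the code, e.g. `* Clear the bit even for VLAN-aware ports, or traffic can leak once the bridge becomes VLAN-unaware.` Whether clearing the bit on a still VLAN-aware port is otherwise harmless depends on the matrix handling outside this hunk; `mt7530_port_bridge_leave()` starts and ends beyond the lines shown.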
index f7fa7196d18bf3272fda40124b899d4c0893e2e9..0583cb40776bdc8ef5d43992df9fc721cc6c81fe 100644 (file)
@@ -38,3 +38,7 @@ btrfs-fix-race-between-marking-inode-needs-to-be-logged-and-log-syncing.patch
 vt_kdsetmode-extend-console-locking.patch
 bpf-track-contents-of-read-only-maps-as-scalars.patch
 bpf-fix-cast-to-pointer-from-integer-of-different-size-warning.patch
+net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
+kvm-x86-mmu-treat-nx-as-used-not-reserved-for-all-tdp-shadow-mmus.patch
+arm64-dts-qcom-msm8994-angler-fix-gpio-reserved-ranges-85-88.patch
+btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch