From 7349e72bffcf8adbda2c8d40a76d699bd80876e7 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 19 Dec 2021 21:48:15 -0500 Subject: [PATCH] Fixes for 5.15 Signed-off-by: Sasha Levin --- ...st-cpuid-check-for-host-initiated-wr.patch | 40 ++++++++ ...-85xx-fix-oops-when-config_fsl_pmc-n.patch | 68 +++++++++++++ ...-convert-to-readl_poll_timeout_atomi.patch | 63 ++++++++++++ queue-5.15/series | 4 + ...requesttype-is-a-bitfield-not-a-enum.patch | 98 +++++++++++++++++++ 5 files changed, 273 insertions(+) create mode 100644 queue-5.15/kvm-x86-drop-guest-cpuid-check-for-host-initiated-wr.patch create mode 100644 queue-5.15/powerpc-85xx-fix-oops-when-config_fsl_pmc-n.patch create mode 100644 queue-5.15/revert-usb-early-convert-to-readl_poll_timeout_atomi.patch create mode 100644 queue-5.15/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch diff --git a/queue-5.15/kvm-x86-drop-guest-cpuid-check-for-host-initiated-wr.patch b/queue-5.15/kvm-x86-drop-guest-cpuid-check-for-host-initiated-wr.patch new file mode 100644 index 00000000000..3afdc168585 --- /dev/null +++ b/queue-5.15/kvm-x86-drop-guest-cpuid-check-for-host-initiated-wr.patch 
@@ -0,0 +1,40 @@ +From bb28587885c617fa25bdcbe9c6d84c2b3734335f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Dec 2021 17:52:13 +0100 +Subject: KVM: x86: Drop guest CPUID check for host initiated writes to + MSR_IA32_PERF_CAPABILITIES + +From: Vitaly Kuznetsov + +[ Upstream commit 1aa2abb33a419090c7c87d4ae842a6347078ee12 ] + +The ability to write to MSR_IA32_PERF_CAPABILITIES from the host should +not depend on guest visible CPUID entries, even if just to allow +creating/restoring guest MSRs and CPUIDs in any sequence. + +Fixes: 27461da31089 ("KVM: x86/pmu: Support full width counting") +Suggested-by: Sean Christopherson +Signed-off-by: Vitaly Kuznetsov +Message-Id: <20211216165213.338923-3-vkuznets@redhat.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/x86.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 3c9e2d236830c..dea578586fa4e 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3359,7 +3359,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + + if (!msr_info->host_initiated) + return 1; +- if (guest_cpuid_has(vcpu, X86_FEATURE_PDCM) && kvm_get_msr_feature(&msr_ent)) ++ if (kvm_get_msr_feature(&msr_ent)) + return 1; + if (data & ~msr_ent.data) + return 1; +-- +2.34.1 + diff --git a/queue-5.15/powerpc-85xx-fix-oops-when-config_fsl_pmc-n.patch b/queue-5.15/powerpc-85xx-fix-oops-when-config_fsl_pmc-n.patch new file mode 100644 index 00000000000..6873e45641a --- /dev/null +++ b/queue-5.15/powerpc-85xx-fix-oops-when-config_fsl_pmc-n.patch 
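Review bot: The simplified check in kvm_set_msr_common() carries no comment explaining why a host-initiated write to MSR_IA32_PERF_CAPABILITIES is validated only against the host-supported value and not against guest CPUID, so a later reader may re-add the PDCM test as apparent hardening. I would put a comment above `if (kvm_get_msr_feature(&msr_ent))`, for example `/* Host-initiated: userspace may restore MSRs before CPUID, so validate against host-supported bits only. */`. After this change the `data & ~msr_ent.data` test is the only bound on the stored value. Whether the guest-visible paths that consume this MSR still check PDCM cannot be seen from here and is worth confirming. The function body starts and ends outside the hunk.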
@@ -0,0 +1,68 @@ +From 6cf3d8e043cc4be7fc38171e8dc3b7be5ba74ccc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Nov 2021 12:11:53 +0800 +Subject: powerpc/85xx: Fix oops when CONFIG_FSL_PMC=n + +From: Xiaoming Ni + +[ Upstream commit 3dc709e518b47386e6af937eaec37bb36539edfd ] + +When CONFIG_FSL_PMC is set to n, no value is assigned to cpu_up_prepare +in the mpc85xx_pm_ops structure. As a result, oops is triggered in +smp_85xx_start_cpu(). + + smp: Bringing up secondary CPUs ... + kernel tried to execute user page (0) - exploit attempt? (uid: 0) + BUG: Unable to handle kernel instruction fetch (NULL pointer?) + Faulting instruction address: 0x00000000 + Oops: Kernel access of bad area, sig: 11 [#1] + ... + NIP [00000000] 0x0 + LR [c0021d2c] smp_85xx_kick_cpu+0xe8/0x568 + Call Trace: + [c1051da8] [c0021cb8] smp_85xx_kick_cpu+0x74/0x568 (unreliable) + [c1051de8] [c0011460] __cpu_up+0xc0/0x228 + [c1051e18] [c0031bbc] bringup_cpu+0x30/0x224 + [c1051e48] [c0031f3c] cpu_up.constprop.0+0x180/0x33c + [c1051e88] [c00322e8] bringup_nonboot_cpus+0x88/0xc8 + [c1051eb8] [c07e67bc] smp_init+0x30/0x78 + [c1051ed8] [c07d9e28] kernel_init_freeable+0x118/0x2a8 + [c1051f18] [c00032d8] kernel_init+0x14/0x124 + [c1051f38] [c0010278] ret_from_kernel_thread+0x14/0x1c + +Fixes: c45361abb918 ("powerpc/85xx: fix timebase sync issue when CONFIG_HOTPLUG_CPU=n") +Reported-by: Martin Kennedy +Signed-off-by: Xiaoming Ni +Tested-by: Martin Kennedy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211126041153.16926-1-nixiaoming@huawei.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/85xx/smp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/platforms/85xx/smp.c b/arch/powerpc/platforms/85xx/smp.c +index 83f4a6389a282..d7081e9af65c7 100644 +--- a/arch/powerpc/platforms/85xx/smp.c ++++ b/arch/powerpc/platforms/85xx/smp.c +@@ -220,7 +220,7 @@ static int smp_85xx_start_cpu(int cpu) + local_irq_save(flags); + 
hard_irq_disable(); + +- if (qoriq_pm_ops) ++ if (qoriq_pm_ops && qoriq_pm_ops->cpu_up_prepare) + qoriq_pm_ops->cpu_up_prepare(cpu); + + /* if cpu is not spinning, reset it */ +@@ -292,7 +292,7 @@ static int smp_85xx_kick_cpu(int nr) + booting_thread_hwid = cpu_thread_in_core(nr); + primary = cpu_first_thread_sibling(nr); + +- if (qoriq_pm_ops) ++ if (qoriq_pm_ops && qoriq_pm_ops->cpu_up_prepare) + qoriq_pm_ops->cpu_up_prepare(nr); + + /* +-- +2.34.1 + diff --git a/queue-5.15/revert-usb-early-convert-to-readl_poll_timeout_atomi.patch b/queue-5.15/revert-usb-early-convert-to-readl_poll_timeout_atomi.patch new file mode 100644 index 00000000000..b93b936e502 --- /dev/null +++ b/queue-5.15/revert-usb-early-convert-to-readl_poll_timeout_atomi.patch 
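Review bot: Only `cpu_up_prepare` gains a NULL check, in smp_85xx_start_cpu() and smp_85xx_kick_cpu(). Any other qoriq_pm_ops callback that this file calls through would fault the same way if the CONFIG_FSL_PMC=n ops table leaves it unset; those call sites are outside the hunk and should be audited together with this fix. The guard also makes the prepare step silently optional, so a comment such as `/* cpu_up_prepare is unset when CONFIG_FSL_PMC=n; bring-up continues without it */` would record that this is intended. Since the same two-line guard now appears twice, a small static helper would keep the two call sites from diverging. Both function bodies continue outside the hunk.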
@@ -0,0 +1,63 @@ +From 1cbf17bc44c9e3787b57cecac5776430e7d8e543 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Dec 2021 16:24:30 +0100 +Subject: Revert "usb: early: convert to readl_poll_timeout_atomic()" + +From: Greg Kroah-Hartman + +[ Upstream commit c4d936efa46d8ea183df16c0f3fa4423327da51d ] + +This reverts commit 796eed4b2342c9d6b26c958e92af91253a2390e1. + +This change causes boot lockups when using "arlyprintk=xdbc" because +ktime can not be used at this point in time in the boot process. Also, +it is not needed for very small delays like this. + +Reported-by: Mathias Nyman +Reported-by: Peter Zijlstra +Cc: Jann Horn +Cc: Chunfeng Yun +Fixes: 796eed4b2342 ("usb: early: convert to readl_poll_timeout_atomic()") +Link: https://lore.kernel.org/r/c2b5c9bb-1b75-bf56-3754-b5b18812d65e@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/early/xhci-dbc.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/early/xhci-dbc.c b/drivers/usb/early/xhci-dbc.c +index be4ecbabdd586..6c0434100e38c 100644 +--- a/drivers/usb/early/xhci-dbc.c ++++ b/drivers/usb/early/xhci-dbc.c +@@ -14,7 +14,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -136,9 +135,17 @@ static int handshake(void __iomem *ptr, u32 mask, u32 done, int wait, int delay) + { + u32 result; + +- return readl_poll_timeout_atomic(ptr, result, +- ((result & mask) == done), +- delay, wait); ++ /* Can not use readl_poll_timeout_atomic() for early boot things */ ++ do { ++ result = readl(ptr); ++ result &= mask; ++ if (result == done) ++ return 0; ++ udelay(delay); ++ wait -= delay; ++ } while (wait > 0); ++ ++ return -ETIMEDOUT; + } + + static void __init xdbc_bios_handoff(void) +-- +2.34.1 + diff --git a/queue-5.15/series b/queue-5.15/series index cbdfd4254fd..7b67ce5f6de 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
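Review bot: The restored loop in handshake() never terminates if a caller passes `delay <= 0` while the register never reaches `done`, because `wait -= delay` then fails to decrease `wait` and the `while (wait > 0)` condition stays true. The callers are not visible in this hunk, so this may be unreachable today, but early-boot code has no watchdog to recover from a spin; a guard before the loop such as `if (delay <= 0) delay = 1;` makes the bound unconditional. It would also help to extend the new comment to say that `wait` and `delay` are both in microseconds and that the timeout counts only the udelay() time, not the readl() latency.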
@@ -109,3 +109,7 @@ afs-fix-mmap.patch arm64-kexec-fix-missing-error-code-ret-warning-in-lo.patch bpf-fix-extable-fixup-offset.patch bpf-selftests-fix-racing-issue-in-btf_skc_cls_ingres.patch +powerpc-85xx-fix-oops-when-config_fsl_pmc-n.patch +usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch +revert-usb-early-convert-to-readl_poll_timeout_atomi.patch +kvm-x86-drop-guest-cpuid-check-for-host-initiated-wr.patch diff --git a/queue-5.15/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch b/queue-5.15/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch new file mode 100644 index 00000000000..a2caf295bb2 --- /dev/null +++ b/queue-5.15/usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch 
@@ -0,0 +1,98 @@ +From 5e65a6b73bf2ddac9deb90da769cab8d513803fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Dec 2021 19:46:21 +0100 +Subject: USB: gadget: bRequestType is a bitfield, not a enum + +From: Greg Kroah-Hartman + +[ Upstream commit f08adf5add9a071160c68bb2a61d697f39ab0758 ] + +Szymon rightly pointed out that the previous check for the endpoint +direction in bRequestType was not looking at only the bit involved, but +rather the whole value. Normally this is ok, but for some request +types, bits other than bit 8 could be set and the check for the endpoint +length could not stall correctly. + +Fix that up by only checking the single bit. + +Fixes: 153a2d7e3350 ("USB: gadget: detect too-big endpoint 0 requests") +Cc: Felipe Balbi +Reported-by: Szymon Heidrich +Link: https://lore.kernel.org/r/20211214184621.385828-1-gregkh@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/composite.c | 6 +++--- + drivers/usb/gadget/legacy/dbgp.c | 6 +++--- + drivers/usb/gadget/legacy/inode.c | 6 +++--- + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c +index 284eea9f6e4d8..3789c329183ca 100644 +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -1680,14 +1680,14 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) + u8 endp; + + if (w_length > USB_COMP_EP0_BUFSIZ) { +- if (ctrl->bRequestType == USB_DIR_OUT) { +- goto done; +- } else { ++ if (ctrl->bRequestType & USB_DIR_IN) { + /* Cast away the const, we are going to overwrite on purpose. 
*/ + __le16 *temp = (__le16 *)&ctrl->wLength; + + *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ); + w_length = USB_COMP_EP0_BUFSIZ; ++ } else { ++ goto done; + } + } + +diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c +index 355bc7dab9d5f..6bcbad3825802 100644 +--- a/drivers/usb/gadget/legacy/dbgp.c ++++ b/drivers/usb/gadget/legacy/dbgp.c +@@ -346,14 +346,14 @@ static int dbgp_setup(struct usb_gadget *gadget, + u16 len = 0; + + if (length > DBGP_REQ_LEN) { +- if (ctrl->bRequestType == USB_DIR_OUT) { +- return err; +- } else { ++ if (ctrl->bRequestType & USB_DIR_IN) { + /* Cast away the const, we are going to overwrite on purpose. */ + __le16 *temp = (__le16 *)&ctrl->wLength; + + *temp = cpu_to_le16(DBGP_REQ_LEN); + length = DBGP_REQ_LEN; ++ } else { ++ return err; + } + } + +diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c +index 0a4041552ed19..1b223cba4c2c9 100644 +--- a/drivers/usb/gadget/legacy/inode.c ++++ b/drivers/usb/gadget/legacy/inode.c +@@ -1337,14 +1337,14 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) + u16 w_length = le16_to_cpu(ctrl->wLength); + + if (w_length > RBUF_SIZE) { +- if (ctrl->bRequestType == USB_DIR_OUT) { +- return value; +- } else { ++ if (ctrl->bRequestType & USB_DIR_IN) { + /* Cast away the const, we are going to overwrite on purpose. */ + __le16 *temp = (__le16 *)&ctrl->wLength; + + *temp = cpu_to_le16(RBUF_SIZE); + w_length = RBUF_SIZE; ++ } else { ++ return value; + } + } + +-- +2.34.1 + -- 2.47.3
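Review bot: The oversize-wLength block is repeated verbatim in composite_setup(), dbgp_setup() and gadgetfs_setup(), which is why this direction-bit fix had to be applied three times; a shared inline helper taking the buffer size would keep the ep0 length check from drifting again. None of the copies says why the two directions differ, so I would add a comment like `/* OUT: host would send more than the ep0 buffer holds, reject. IN: clamp wLength to the buffer size. */` above `if (ctrl->bRequestType & USB_DIR_IN)`. The reject paths return `err` in dbgp.c and `value` in inode.c, whose initial values are declared outside the hunk; confirm both are negative at that point so the oversize OUT request is actually stalled. All three function bodies start and end outside their hunks.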