--- /dev/null
+From b070f9ca78680486927b799cf6126b128a7c2c1b Mon Sep 17 00:00:00 2001
+From: Tero Kristo <t-kristo@ti.com>
+Date: Tue, 20 Jul 2021 11:47:10 -0700
+Subject: ARM: omap2+: hwmod: fix potential NULL pointer access
+
+From: Tero Kristo <t-kristo@ti.com>
+
+commit b070f9ca78680486927b799cf6126b128a7c2c1b upstream.
+
+omap_hwmod_get_pwrdm() may access a NULL clk_hw pointer in some failure
+cases. Add a check for the case and bail out gracely if this happens.
+
+Reported-by: Dan Murphy <dmurphy@ti.com>
+Signed-off-by: Tero Kristo <t-kristo@ti.com>
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/omap_hwmod.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/mach-omap2/omap_hwmod.c
++++ b/arch/arm/mach-omap2/omap_hwmod.c
+@@ -3776,6 +3776,7 @@ struct powerdomain *omap_hwmod_get_pwrdm
+ struct omap_hwmod_ocp_if *oi;
+ struct clockdomain *clkdm;
+ struct clk_hw_omap *clk;
++ struct clk_hw *hw;
+
+ if (!oh)
+ return NULL;
+@@ -3792,7 +3793,14 @@ struct powerdomain *omap_hwmod_get_pwrdm
+ c = oi->_clk;
+ }
+
+- clk = to_clk_hw_omap(__clk_get_hw(c));
++ hw = __clk_get_hw(c);
++ if (!hw)
++ return NULL;
++
++ clk = to_clk_hw_omap(hw);
++ if (!clk)
++ return NULL;
++
+ clkdm = clk->clkdm;
+ if (!clkdm)
+ return NULL;
--- /dev/null
+From e30e8d46cf605d216a799a28c77b8a41c328613a Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Mon, 2 Aug 2021 11:42:00 +0100
+Subject: arm64: fix compat syscall return truncation
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit e30e8d46cf605d216a799a28c77b8a41c328613a upstream.
+
+Due to inconsistencies in the way we manipulate compat GPRs, we have a
+few issues today:
+
+* For audit and tracing, where error codes are handled as a (native)
+ long, negative error codes are expected to be sign-extended to the
+ native 64-bits, or they may fail to be matched correctly. Thus a
+ syscall which fails with an error may erroneously be identified as
+ failing.
+
+* For ptrace, *all* compat return values should be sign-extended for
+ consistency with 32-bit arm, but we currently only do this for
+ negative return codes.
+
+* As we may transiently set the upper 32 bits of some compat GPRs while
+ in the kernel, these can be sampled by perf, which is somewhat
+ confusing. This means that where a syscall returns a pointer above 2G,
+ this will be sign-extended, but will not be mistaken for an error as
+ error codes are constrained to the inclusive range [-4096, -1] where
+ no user pointer can exist.
+
+To fix all of these, we must consistently use helpers to get/set the
+compat GPRs, ensuring that we never write the upper 32 bits of the
+return code, and always sign-extend when reading the return code. This
+patch does so, with the following changes:
+
+* We re-organise syscall_get_return_value() to always sign-extend for
+ compat tasks, and reimplement syscall_get_error() atop. We update
+ syscall_trace_exit() to use syscall_get_return_value().
+
+* We consistently use syscall_set_return_value() to set the return
+ value, ensureing the upper 32 bits are never set unexpectedly.
+
+* As the core audit code currently uses regs_return_value() rather than
+ syscall_get_return_value(), we special-case this for
+ compat_user_mode(regs) such that this will do the right thing. Going
+ forward, we should try to move the core audit code over to
+ syscall_get_return_value().
+
+Cc: <stable@vger.kernel.org>
+Reported-by: He Zhe <zhe.he@windriver.com>
+Reported-by: weiyuchen <weiyuchen3@huawei.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Link: https://lore.kernel.org/r/20210802104200.21390-1-mark.rutland@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/ptrace.h | 12 +++++++++++-
+ arch/arm64/include/asm/syscall.h | 19 ++++++++++---------
+ arch/arm64/kernel/ptrace.c | 2 +-
+ arch/arm64/kernel/signal.c | 3 ++-
+ arch/arm64/kernel/syscall.c | 9 +++------
+ 5 files changed, 27 insertions(+), 18 deletions(-)
+
+--- a/arch/arm64/include/asm/ptrace.h
++++ b/arch/arm64/include/asm/ptrace.h
+@@ -320,7 +320,17 @@ static inline unsigned long kernel_stack
+
+ static inline unsigned long regs_return_value(struct pt_regs *regs)
+ {
+- return regs->regs[0];
++ unsigned long val = regs->regs[0];
++
++ /*
++ * Audit currently uses regs_return_value() instead of
++ * syscall_get_return_value(). Apply the same sign-extension here until
++ * audit is updated to use syscall_get_return_value().
++ */
++ if (compat_user_mode(regs))
++ val = sign_extend64(val, 31);
++
++ return val;
+ }
+
+ static inline void regs_set_return_value(struct pt_regs *regs, unsigned long rc)
+--- a/arch/arm64/include/asm/syscall.h
++++ b/arch/arm64/include/asm/syscall.h
+@@ -29,22 +29,23 @@ static inline void syscall_rollback(stru
+ regs->regs[0] = regs->orig_x0;
+ }
+
+-
+-static inline long syscall_get_error(struct task_struct *task,
+- struct pt_regs *regs)
++static inline long syscall_get_return_value(struct task_struct *task,
++ struct pt_regs *regs)
+ {
+- unsigned long error = regs->regs[0];
++ unsigned long val = regs->regs[0];
+
+ if (is_compat_thread(task_thread_info(task)))
+- error = sign_extend64(error, 31);
++ val = sign_extend64(val, 31);
+
+- return IS_ERR_VALUE(error) ? error : 0;
++ return val;
+ }
+
+-static inline long syscall_get_return_value(struct task_struct *task,
+- struct pt_regs *regs)
++static inline long syscall_get_error(struct task_struct *task,
++ struct pt_regs *regs)
+ {
+- return regs->regs[0];
++ unsigned long error = syscall_get_return_value(task, regs);
++
++ return IS_ERR_VALUE(error) ? error : 0;
+ }
+
+ static inline void syscall_set_return_value(struct task_struct *task,
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -1862,7 +1862,7 @@ void syscall_trace_exit(struct pt_regs *
+ audit_syscall_exit(regs);
+
+ if (flags & _TIF_SYSCALL_TRACEPOINT)
+- trace_sys_exit(regs, regs_return_value(regs));
++ trace_sys_exit(regs, syscall_get_return_value(current, regs));
+
+ if (flags & (_TIF_SYSCALL_TRACE | _TIF_SINGLESTEP))
+ tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
+--- a/arch/arm64/kernel/signal.c
++++ b/arch/arm64/kernel/signal.c
+@@ -29,6 +29,7 @@
+ #include <asm/unistd.h>
+ #include <asm/fpsimd.h>
+ #include <asm/ptrace.h>
++#include <asm/syscall.h>
+ #include <asm/signal32.h>
+ #include <asm/traps.h>
+ #include <asm/vdso.h>
+@@ -890,7 +891,7 @@ static void do_signal(struct pt_regs *re
+ retval == -ERESTART_RESTARTBLOCK ||
+ (retval == -ERESTARTSYS &&
+ !(ksig.ka.sa.sa_flags & SA_RESTART)))) {
+- regs->regs[0] = -EINTR;
++ syscall_set_return_value(current, regs, -EINTR, 0);
+ regs->pc = continue_addr;
+ }
+
+--- a/arch/arm64/kernel/syscall.c
++++ b/arch/arm64/kernel/syscall.c
+@@ -54,10 +54,7 @@ static void invoke_syscall(struct pt_reg
+ ret = do_ni_syscall(regs, scno);
+ }
+
+- if (is_compat_task())
+- ret = lower_32_bits(ret);
+-
+- regs->regs[0] = ret;
++ syscall_set_return_value(current, regs, 0, ret);
+
+ /*
+ * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(),
+@@ -115,7 +112,7 @@ static void el0_svc_common(struct pt_reg
+ * syscall. do_notify_resume() will send a signal to userspace
+ * before the syscall is restarted.
+ */
+- regs->regs[0] = -ERESTARTNOINTR;
++ syscall_set_return_value(current, regs, -ERESTARTNOINTR, 0);
+ return;
+ }
+
+@@ -136,7 +133,7 @@ static void el0_svc_common(struct pt_reg
+ * anyway.
+ */
+ if (scno == NO_SYSCALL)
+- regs->regs[0] = -ENOSYS;
++ syscall_set_return_value(current, regs, -ENOSYS, 0);
+ scno = syscall_trace_enter(regs);
+ if (scno == NO_SYSCALL)
+ goto trace_exit;
--- /dev/null
+From a6d90e9f22328f07343e49e08a4ca483ae8e8abb Mon Sep 17 00:00:00 2001
+From: Kevin Hilman <khilman@baylibre.com>
+Date: Tue, 20 Jul 2021 11:27:16 -0700
+Subject: bus: ti-sysc: AM3: RNG is GP only
+
+From: Kevin Hilman <khilman@baylibre.com>
+
+commit a6d90e9f22328f07343e49e08a4ca483ae8e8abb upstream.
+
+Make the RNG on AM3 GP only.
+
+Based on this patch from TI v5.4 tree which is based on hwmod data
+which are now removed:
+
+| ARM: AM43xx: hwmod: Move RNG to a GP only links table
+|
+| On non-GP devices the RNG is controlled by the secure-side software,
+| like in DRA7xx hwmod we should not control this IP when we are not
+| a GP device.
+|
+| Signed-off-by: Andrew F. Davis <afd@ti.com>
+
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/ti-sysc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/bus/ti-sysc.c
++++ b/drivers/bus/ti-sysc.c
+@@ -2953,6 +2953,8 @@ static int sysc_init_soc(struct sysc *dd
+ case SOC_3430 ... SOC_3630:
+ sysc_add_disabled(0x48304000); /* timer12 */
+ break;
++ case SOC_AM3:
++ sysc_add_disabled(0x48310000); /* rng */
+ default:
+ break;
+ }
--- /dev/null
+From 83d6c39310b6d11199179f6384c2b0a415389597 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 3 Aug 2021 09:14:35 -0600
+Subject: io-wq: fix race between worker exiting and activating free worker
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 83d6c39310b6d11199179f6384c2b0a415389597 upstream.
+
+Nadav correctly reports that we have a race between a worker exiting,
+and new work being queued. This can lead to work being queued behind
+an existing worker that could be sleeping on an event before it can
+run to completion, and hence introducing potential big latency gaps
+if we hit this race condition:
+
+cpu0 cpu1
+---- ----
+ io_wqe_worker()
+ schedule_timeout()
+ // timed out
+io_wqe_enqueue()
+io_wqe_wake_worker()
+// work_flags & IO_WQ_WORK_CONCURRENT
+io_wqe_activate_free_worker()
+ io_worker_exit()
+
+Fix this by having the exiting worker go through the normal decrement
+of a running worker, which will spawn a new one if needed.
+
+The free worker activation is modified to only return success if we
+were able to find a sleeping worker - if not, we keep looking through
+the list. If we fail, we create a new worker as per usual.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/io-uring/BFF746C0-FEDE-4646-A253-3021C57C26C9@gmail.com/
+Reported-by: Nadav Amit <nadav.amit@gmail.com>
+Tested-by: Nadav Amit <nadav.amit@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io-wq.c | 38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+--- a/fs/io-wq.c
++++ b/fs/io-wq.c
+@@ -131,6 +131,7 @@ struct io_cb_cancel_data {
+ };
+
+ static void create_io_worker(struct io_wq *wq, struct io_wqe *wqe, int index);
++static void io_wqe_dec_running(struct io_worker *worker);
+
+ static bool io_worker_get(struct io_worker *worker)
+ {
+@@ -169,26 +170,21 @@ static void io_worker_exit(struct io_wor
+ {
+ struct io_wqe *wqe = worker->wqe;
+ struct io_wqe_acct *acct = io_wqe_get_acct(worker);
+- unsigned flags;
+
+ if (refcount_dec_and_test(&worker->ref))
+ complete(&worker->ref_done);
+ wait_for_completion(&worker->ref_done);
+
+- preempt_disable();
+- current->flags &= ~PF_IO_WORKER;
+- flags = worker->flags;
+- worker->flags = 0;
+- if (flags & IO_WORKER_F_RUNNING)
+- atomic_dec(&acct->nr_running);
+- worker->flags = 0;
+- preempt_enable();
+-
+ raw_spin_lock_irq(&wqe->lock);
+- if (flags & IO_WORKER_F_FREE)
++ if (worker->flags & IO_WORKER_F_FREE)
+ hlist_nulls_del_rcu(&worker->nulls_node);
+ list_del_rcu(&worker->all_list);
+ acct->nr_workers--;
++ preempt_disable();
++ io_wqe_dec_running(worker);
++ worker->flags = 0;
++ current->flags &= ~PF_IO_WORKER;
++ preempt_enable();
+ raw_spin_unlock_irq(&wqe->lock);
+
+ kfree_rcu(worker, rcu);
+@@ -215,15 +211,19 @@ static bool io_wqe_activate_free_worker(
+ struct hlist_nulls_node *n;
+ struct io_worker *worker;
+
+- n = rcu_dereference(hlist_nulls_first_rcu(&wqe->free_list));
+- if (is_a_nulls(n))
+- return false;
+-
+- worker = hlist_nulls_entry(n, struct io_worker, nulls_node);
+- if (io_worker_get(worker)) {
+- wake_up_process(worker->task);
++ /*
++ * Iterate free_list and see if we can find an idle worker to
++ * activate. If a given worker is on the free_list but in the process
++ * of exiting, keep trying.
++ */
++ hlist_nulls_for_each_entry_rcu(worker, n, &wqe->free_list, nulls_node) {
++ if (!io_worker_get(worker))
++ continue;
++ if (wake_up_process(worker->task)) {
++ io_worker_release(worker);
++ return true;
++ }
+ io_worker_release(worker);
+- return true;
+ }
+
+ return false;
--- /dev/null
+From 85cd39af14f498f791d8aab3fbd64cd175787f1a Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 4 Aug 2021 05:28:52 -0400
+Subject: KVM: Do not leak memory for duplicate debugfs directories
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 85cd39af14f498f791d8aab3fbd64cd175787f1a upstream.
+
+KVM creates a debugfs directory for each VM in order to store statistics
+about the virtual machine. The directory name is built from the process
+pid and a VM fd. While generally unique, it is possible to keep a
+file descriptor alive in a way that causes duplicate directories, which
+manifests as these messages:
+
+ [ 471.846235] debugfs: Directory '20245-4' with parent 'kvm' already present!
+
+Even though this should not happen in practice, it is more or less
+expected in the case of KVM for testcases that call KVM_CREATE_VM and
+close the resulting file descriptor repeatedly and in parallel.
+
+When this happens, debugfs_create_dir() returns an error but
+kvm_create_vm_debugfs() goes on to allocate stat data structs which are
+later leaked. The slow memory leak was spotted by syzkaller, where it
+caused OOM reports.
+
+Since the issue only affects debugfs, do a lookup before calling
+debugfs_create_dir, so that the message is downgraded and rate-limited.
+While at it, ensure kvm->debugfs_dentry is NULL rather than an error
+if it is not created. This fixes kvm_destroy_vm_debugfs, which was not
+checking IS_ERR_OR_NULL correctly.
+
+Cc: stable@vger.kernel.org
+Fixes: 536a6f88c49d ("KVM: Create debugfs dir and stat files for each VM")
+Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/kvm_main.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -845,6 +845,8 @@ static void kvm_destroy_vm_debugfs(struc
+
+ static int kvm_create_vm_debugfs(struct kvm *kvm, int fd)
+ {
++ static DEFINE_MUTEX(kvm_debugfs_lock);
++ struct dentry *dent;
+ char dir_name[ITOA_MAX_LEN * 2];
+ struct kvm_stat_data *stat_data;
+ struct kvm_stats_debugfs_item *p;
+@@ -853,8 +855,20 @@ static int kvm_create_vm_debugfs(struct
+ return 0;
+
+ snprintf(dir_name, sizeof(dir_name), "%d-%d", task_pid_nr(current), fd);
+- kvm->debugfs_dentry = debugfs_create_dir(dir_name, kvm_debugfs_dir);
++ mutex_lock(&kvm_debugfs_lock);
++ dent = debugfs_lookup(dir_name, kvm_debugfs_dir);
++ if (dent) {
++ pr_warn_ratelimited("KVM: debugfs: duplicate directory %s\n", dir_name);
++ dput(dent);
++ mutex_unlock(&kvm_debugfs_lock);
++ return 0;
++ }
++ dent = debugfs_create_dir(dir_name, kvm_debugfs_dir);
++ mutex_unlock(&kvm_debugfs_lock);
++ if (IS_ERR(dent))
++ return 0;
+
++ kvm->debugfs_dentry = dent;
+ kvm->debugfs_stat_data = kcalloc(kvm_debugfs_num_entries,
+ sizeof(*kvm->debugfs_stat_data),
+ GFP_KERNEL_ACCOUNT);
+@@ -4993,7 +5007,7 @@ static void kvm_uevent_notify_change(uns
+ }
+ add_uevent_var(env, "PID=%d", kvm->userspace_pid);
+
+- if (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) {
++ if (kvm->debugfs_dentry) {
+ char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL_ACCOUNT);
+
+ if (p) {
--- /dev/null
+From 179c6c27bf487273652efc99acd3ba512a23c137 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 3 Aug 2021 09:27:46 -0700
+Subject: KVM: SVM: Fix off-by-one indexing when nullifying last used SEV VMCB
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 179c6c27bf487273652efc99acd3ba512a23c137 upstream.
+
+Use the raw ASID, not ASID-1, when nullifying the last used VMCB when
+freeing an SEV ASID. The consumer, pre_sev_run(), indexes the array by
+the raw ASID, thus KVM could get a false negative when checking for a
+different VMCB if KVM manages to reallocate the same ASID+VMCB combo for
+a new VM.
+
+Note, this cannot cause a functional issue _in the current code_, as
+pre_sev_run() also checks which pCPU last did VMRUN for the vCPU, and
+last_vmentry_cpu is initialized to -1 during vCPU creation, i.e. is
+guaranteed to mismatch on the first VMRUN. However, prior to commit
+8a14fe4f0c54 ("kvm: x86: Move last_cpu into kvm_vcpu_arch as
+last_vmentry_cpu"), SVM tracked pCPU on its own and zero-initialized the
+last_cpu variable. Thus it's theoretically possible that older versions
+of KVM could miss a TLB flush if the first VMRUN is on pCPU0 and the ASID
+and VMCB exactly match those of a prior VM.
+
+Fixes: 70cd94e60c73 ("KVM: SVM: VMRUN should use associated ASID when SEV is enabled")
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: Brijesh Singh <brijesh.singh@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/sev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -188,7 +188,7 @@ static void sev_asid_free(struct kvm_sev
+
+ for_each_possible_cpu(cpu) {
+ sd = per_cpu(svm_data, cpu);
+- sd->sev_vmcbs[pos] = NULL;
++ sd->sev_vmcbs[sev->asid] = NULL;
+ }
+
+ mutex_unlock(&sev_bitmap_lock);
--- /dev/null
+From fa7a549d321a4189677b0cea86e58d9db7977f7b Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 14 Jul 2021 17:37:49 -0400
+Subject: KVM: x86: accept userspace interrupt only if no event is injected
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit fa7a549d321a4189677b0cea86e58d9db7977f7b upstream.
+
+Once an exception has been injected, any side effects related to
+the exception (such as setting CR2 or DR6) have been taked place.
+Therefore, once KVM sets the VM-entry interruption information
+field or the AMD EVENTINJ field, the next VM-entry must deliver that
+exception.
+
+Pending interrupts are processed after injected exceptions, so
+in theory it would not be a problem to use KVM_INTERRUPT when
+an injected exception is present. However, DOSEMU is using
+run->ready_for_interrupt_injection to detect interrupt windows
+and then using KVM_SET_SREGS/KVM_SET_REGS to inject the
+interrupt manually. For this to work, the interrupt window
+must be delayed after the completion of the previous event
+injection.
+
+Cc: stable@vger.kernel.org
+Reported-by: Stas Sergeev <stsp2@yandex.ru>
+Tested-by: Stas Sergeev <stsp2@yandex.ru>
+Fixes: 71cc849b7093 ("KVM: x86: Fix split-irqchip vs interrupt injection window request")
+Reviewed-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4252,8 +4252,17 @@ static int kvm_cpu_accept_dm_intr(struct
+
+ static int kvm_vcpu_ready_for_interrupt_injection(struct kvm_vcpu *vcpu)
+ {
+- return kvm_arch_interrupt_allowed(vcpu) &&
+- kvm_cpu_accept_dm_intr(vcpu);
++ /*
++ * Do not cause an interrupt window exit if an exception
++ * is pending or an event needs reinjection; userspace
++ * might want to inject the interrupt manually using KVM_SET_REGS
++ * or KVM_SET_SREGS. For that to work, we must be at an
++ * instruction boundary and with no events half-injected.
++ */
++ return (kvm_arch_interrupt_allowed(vcpu) &&
++ kvm_cpu_accept_dm_intr(vcpu) &&
++ !kvm_event_needs_reinjection(vcpu) &&
++ !vcpu->arch.exception.pending);
+ }
+
+ static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
--- /dev/null
+From d5aaad6f83420efb8357ac8e11c868708b22d0a9 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Wed, 4 Aug 2021 14:46:09 -0700
+Subject: KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit d5aaad6f83420efb8357ac8e11c868708b22d0a9 upstream.
+
+Take a signed 'long' instead of an 'unsigned long' for the number of
+pages to add/subtract to the total number of pages used by the MMU. This
+fixes a zero-extension bug on 32-bit kernels that effectively corrupts
+the per-cpu counter used by the shrinker.
+
+Per-cpu counters take a signed 64-bit value on both 32-bit and 64-bit
+kernels, whereas kvm_mod_used_mmu_pages() takes an unsigned long and thus
+an unsigned 32-bit value on 32-bit kernels. As a result, the value used
+to adjust the per-cpu counter is zero-extended (unsigned -> signed), not
+sign-extended (signed -> signed), and so KVM's intended -1 gets morphed to
+4294967295 and effectively corrupts the counter.
+
+This was found by a staggering amount of sheer dumb luck when running
+kvm-unit-tests on a 32-bit KVM build. The shrinker just happened to kick
+in while running tests and do_shrink_slab() logged an error about trying
+to free a negative number of objects. The truly lucky part is that the
+kernel just happened to be a slightly stale build, as the shrinker no
+longer yells about negative objects as of commit 18bb473e5031 ("mm:
+vmscan: shrink deferred objects proportional to priority").
+
+ vmscan: shrink_slab: mmu_shrink_scan+0x0/0x210 [kvm] negative objects to delete nr=-858993460
+
+Fixes: bc8a3d8925a8 ("kvm: mmu: Fix overflow on kvm mmu page limit calculation")
+Cc: stable@vger.kernel.org
+Cc: Ben Gardon <bgardon@google.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20210804214609.1096003-1-seanjc@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/mmu/mmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu/mmu.c
++++ b/arch/x86/kvm/mmu/mmu.c
+@@ -1546,7 +1546,7 @@ static int is_empty_shadow_page(u64 *spt
+ * aggregate version in order to make the slab shrinker
+ * faster
+ */
+-static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, unsigned long nr)
++static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, long nr)
+ {
+ kvm->arch.n_used_mmu_pages += nr;
+ percpu_counter_add(&kvm_total_used_mmu_pages, nr);
--- /dev/null
+From 5ba03936c05584b6f6f79be5ebe7e5036c1dd252 Mon Sep 17 00:00:00 2001
+From: Wei Shuyu <wsy@dogben.com>
+Date: Mon, 28 Jun 2021 15:15:08 +0800
+Subject: md/raid10: properly indicate failure when ending a failed write request
+
+From: Wei Shuyu <wsy@dogben.com>
+
+commit 5ba03936c05584b6f6f79be5ebe7e5036c1dd252 upstream.
+
+Similar to [1], this patch fixes the same bug in raid10. Also cleanup the
+comments.
+
+[1] commit 2417b9869b81 ("md/raid1: properly indicate failure when ending
+ a failed write request")
+Cc: stable@vger.kernel.org
+Fixes: 7cee6d4e6035 ("md/raid10: end bio when the device faulty")
+Signed-off-by: Wei Shuyu <wsy@dogben.com>
+Acked-by: Guoqing Jiang <jiangguoqing@kylinos.cn>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid1.c | 2 --
+ drivers/md/raid10.c | 4 ++--
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -472,8 +472,6 @@ static void raid1_end_write_request(stru
+ /*
+ * When the device is faulty, it is not necessary to
+ * handle write error.
+- * For failfast, this is the only remaining device,
+- * We need to retry the write without FailFast.
+ */
+ if (!test_bit(Faulty, &rdev->flags))
+ set_bit(R1BIO_WriteError, &r1_bio->state);
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -469,12 +469,12 @@ static void raid10_end_write_request(str
+ /*
+ * When the device is faulty, it is not necessary to
+ * handle write error.
+- * For failfast, this is the only remaining device,
+- * We need to retry the write without FailFast.
+ */
+ if (!test_bit(Faulty, &rdev->flags))
+ set_bit(R10BIO_WriteError, &r10_bio->state);
+ else {
++ /* Fail the request */
++ set_bit(R10BIO_Degraded, &r10_bio->state);
+ r10_bio->devs[slot].bio = NULL;
+ to_put = bio;
+ dec_rdev = 1;
--- /dev/null
+From e39cdacf2f664b09029e7c1eb354c91a20c367af Mon Sep 17 00:00:00 2001
+From: Zheyu Ma <zheyuma97@gmail.com>
+Date: Tue, 22 Jun 2021 07:11:31 +0000
+Subject: pcmcia: i82092: fix a null pointer dereference bug
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+commit e39cdacf2f664b09029e7c1eb354c91a20c367af upstream.
+
+During the driver loading process, the 'dev' field was not assigned, but
+the 'dev' field was referenced in the subsequent 'i82092aa_set_mem_map'
+function.
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+CC: <stable@vger.kernel.org>
+[linux@dominikbrodowski.net: shorten commit message, add Cc to stable]
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pcmcia/i82092.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pcmcia/i82092.c
++++ b/drivers/pcmcia/i82092.c
+@@ -112,6 +112,7 @@ static int i82092aa_pci_probe(struct pci
+ for (i = 0; i < socket_count; i++) {
+ sockets[i].card_state = 1; /* 1 = present but empty */
+ sockets[i].io_base = pci_resource_start(dev, 0);
++ sockets[i].dev = dev;
+ sockets[i].socket.features |= SS_CAP_PCCARD;
+ sockets[i].socket.map_size = 0x1000;
+ sockets[i].socket.irq_mask = 0;
--- /dev/null
+From ec7099fdea8025988710ee6fecfd4e4210c29ab5 Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Date: Fri, 2 Jul 2021 15:37:12 +0200
+Subject: Revert "gpio: mpc8xxx: change the gpio interrupt flags."
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+commit ec7099fdea8025988710ee6fecfd4e4210c29ab5 upstream.
+
+This reverts commit 3d5bfbd9716318b1ca5c38488aa69f64d38a9aa5.
+
+When booting with threadirqs, it causes a splat
+
+ WARNING: CPU: 0 PID: 29 at kernel/irq/handle.c:159 __handle_irq_event_percpu+0x1ec/0x27c
+ irq 66 handler irq_default_primary_handler+0x0/0x1c enabled interrupts
+
+That splat later went away with commit 81e2073c175b ("genirq: Disable
+interrupts for force threaded handlers"), which got backported to
+-stable. However, when running an -rt kernel, the splat still
+exists. Moreover, quoting Thomas Gleixner [1]
+
+ But 3d5bfbd97163 ("gpio: mpc8xxx: change the gpio interrupt flags.")
+ has nothing to do with that:
+
+ "Delete the interrupt IRQF_NO_THREAD flags in order to gpio interrupts
+ can be threaded to allow high-priority processes to preempt."
+
+ This changelog is blatantly wrong. In mainline forced irq threads
+ have always been invoked with softirqs disabled, which obviously
+ makes them non-preemptible.
+
+So the patch didn't even do what its commit log said.
+
+[1] https://lore.kernel.org/lkml/871r8zey88.ffs@nanos.tec.linutronix.de/
+
+Cc: stable@vger.kernel.org # v5.9+
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-mpc8xxx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-mpc8xxx.c
++++ b/drivers/gpio/gpio-mpc8xxx.c
+@@ -405,7 +405,7 @@ static int mpc8xxx_probe(struct platform
+
+ ret = devm_request_irq(&pdev->dev, mpc8xxx_gc->irqn,
+ mpc8xxx_gpio_irq_cascade,
+- IRQF_SHARED, "gpio-cascade",
++ IRQF_NO_THREAD | IRQF_SHARED, "gpio-cascade",
+ mpc8xxx_gc);
+ if (ret) {
+ dev_err(&pdev->dev,
--- /dev/null
+From 952835edb4fdad49361d5330da918be8b765b787 Mon Sep 17 00:00:00 2001
+From: Stefan Haberland <sth@linux.ibm.com>
+Date: Wed, 4 Aug 2021 17:18:00 +0200
+Subject: s390/dasd: fix use after free in dasd path handling
+
+From: Stefan Haberland <sth@linux.ibm.com>
+
+commit 952835edb4fdad49361d5330da918be8b765b787 upstream.
+
+When new configuration data is obtained after a path event it is stored
+in the per path array. The old data needs to be freed.
+The first valid configuration data is also referenced in the device
+private structure to identify the device.
+When the old per path configuration data was freed the device still
+pointed to the already freed data leading to a use after free.
+
+Fix by replacing also the device configuration data with the newly
+obtained one before the old data gets freed.
+
+Fixes: 460181217a24 ("s390/dasd: Store path configuration data during path handling")
+Cc: stable@vger.kernel.org # 5.11+
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+Link: https://lore.kernel.org/r/20210804151800.4031761-2-sth@linux.ibm.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/block/dasd_eckd.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -1004,15 +1004,23 @@ static unsigned char dasd_eckd_path_acce
+ static void dasd_eckd_store_conf_data(struct dasd_device *device,
+ struct dasd_conf_data *conf_data, int chp)
+ {
++ struct dasd_eckd_private *private = device->private;
+ struct channel_path_desc_fmt0 *chp_desc;
+ struct subchannel_id sch_id;
++ void *cdp;
+
+- ccw_device_get_schid(device->cdev, &sch_id);
+ /*
+ * path handling and read_conf allocate data
+ * free it before replacing the pointer
++ * also replace the old private->conf_data pointer
++ * with the new one if this points to the same data
+ */
+- kfree(device->path[chp].conf_data);
++ cdp = device->path[chp].conf_data;
++ if (private->conf_data == cdp) {
++ private->conf_data = (void *)conf_data;
++ dasd_eckd_identify_conf_parts(private);
++ }
++ ccw_device_get_schid(device->cdev, &sch_id);
+ device->path[chp].conf_data = conf_data;
+ device->path[chp].cssid = sch_id.cssid;
+ device->path[chp].ssid = sch_id.ssid;
+@@ -1020,6 +1028,7 @@ static void dasd_eckd_store_conf_data(st
+ if (chp_desc)
+ device->path[chp].chpid = chp_desc->chpid;
+ kfree(chp_desc);
++ kfree(cdp);
+ }
+
+ static void dasd_eckd_clear_conf_data(struct dasd_device *device)
--- /dev/null
+From a264cf5e81c78e2b9918b8b9ef2ace9dde1850df Mon Sep 17 00:00:00 2001
+From: Tyrel Datwyler <tyreld@linux.ibm.com>
+Date: Fri, 16 Jul 2021 14:52:20 -0600
+Subject: scsi: ibmvfc: Fix command state accounting and stale response detection
+
+From: Tyrel Datwyler <tyreld@linux.ibm.com>
+
+commit a264cf5e81c78e2b9918b8b9ef2ace9dde1850df upstream.
+
+Prior to commit 1f4a4a19508d ("scsi: ibmvfc: Complete commands outside the
+host/queue lock") responses to commands were completed sequentially with
+the host lock held such that a command had a basic binary state of active
+or free. It was therefore a simple affair of ensuring the assocaiated
+ibmvfc_event to a VIOS response was valid by testing that it was not
+already free. The lock relexation work to complete commands outside the
+lock inadverdently made it a trinary command state such that a command is
+either in flight, received and being completed, or completed and now
+free. This breaks the stale command detection logic as a command may be
+still marked active and been placed on the delayed completion list when a
+second stale response for the same command arrives. This can lead to double
+completions and list corruption. This issue was exposed by a recent VIOS
+regression were a missing memory barrier could occasionally result in the
+ibmvfc client receiving a duplicate response for the same command.
+
+Fix the issue by introducing the atomic ibmvfc_event.active to track the
+trinary state of a command. The state is explicitly set to 1 when a command
+is successfully sent. The CRQ response handlers use
+atomic_dec_if_positive() to test for stale responses and correctly
+transition to the completion state when a active command is received.
+Finally, atomic_dec_and_test() is used to sanity check transistions when
+commands are freed as a result of a completion, or moved to the purge list
+as a result of error handling or adapter reset.
+
+Link: https://lore.kernel.org/r/20210716205220.1101150-1-tyreld@linux.ibm.com
+Fixes: 1f4a4a19508d ("scsi: ibmvfc: Complete commands outside the host/queue lock")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ibmvscsi/ibmvfc.c | 19 +++++++++++++++++--
+ drivers/scsi/ibmvscsi/ibmvfc.h | 1 +
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ibmvscsi/ibmvfc.c
++++ b/drivers/scsi/ibmvscsi/ibmvfc.c
+@@ -804,6 +804,13 @@ static int ibmvfc_init_event_pool(struct
+ for (i = 0; i < size; ++i) {
+ struct ibmvfc_event *evt = &pool->events[i];
+
++ /*
++ * evt->active states
++ * 1 = in flight
++ * 0 = being completed
++ * -1 = free/freed
++ */
++ atomic_set(&evt->active, -1);
+ atomic_set(&evt->free, 1);
+ evt->crq.valid = 0x80;
+ evt->crq.ioba = cpu_to_be64(pool->iu_token + (sizeof(*evt->xfer_iu) * i));
+@@ -1014,6 +1021,7 @@ static void ibmvfc_free_event(struct ibm
+
+ BUG_ON(!ibmvfc_valid_event(pool, evt));
+ BUG_ON(atomic_inc_return(&evt->free) != 1);
++ BUG_ON(atomic_dec_and_test(&evt->active));
+
+ spin_lock_irqsave(&evt->queue->l_lock, flags);
+ list_add_tail(&evt->queue_list, &evt->queue->free);
+@@ -1069,6 +1077,12 @@ static void ibmvfc_complete_purge(struct
+ **/
+ static void ibmvfc_fail_request(struct ibmvfc_event *evt, int error_code)
+ {
++ /*
++ * Anything we are failing should still be active. Otherwise, it
++ * implies we already got a response for the command and are doing
++ * something bad like double completing it.
++ */
++ BUG_ON(!atomic_dec_and_test(&evt->active));
+ if (evt->cmnd) {
+ evt->cmnd->result = (error_code << 16);
+ evt->done = ibmvfc_scsi_eh_done;
+@@ -1720,6 +1734,7 @@ static int ibmvfc_send_event(struct ibmv
+
+ evt->done(evt);
+ } else {
++ atomic_set(&evt->active, 1);
+ spin_unlock_irqrestore(&evt->queue->l_lock, flags);
+ ibmvfc_trc_start(evt);
+ }
+@@ -3248,7 +3263,7 @@ static void ibmvfc_handle_crq(struct ibm
+ return;
+ }
+
+- if (unlikely(atomic_read(&evt->free))) {
++ if (unlikely(atomic_dec_if_positive(&evt->active))) {
+ dev_err(vhost->dev, "Received duplicate correlation_token 0x%08llx!\n",
+ crq->ioba);
+ return;
+@@ -3775,7 +3790,7 @@ static void ibmvfc_handle_scrq(struct ib
+ return;
+ }
+
+- if (unlikely(atomic_read(&evt->free))) {
++ if (unlikely(atomic_dec_if_positive(&evt->active))) {
+ dev_err(vhost->dev, "Received duplicate correlation_token 0x%08llx!\n",
+ crq->ioba);
+ return;
+--- a/drivers/scsi/ibmvscsi/ibmvfc.h
++++ b/drivers/scsi/ibmvscsi/ibmvfc.h
+@@ -744,6 +744,7 @@ struct ibmvfc_event {
+ struct ibmvfc_target *tgt;
+ struct scsi_cmnd *cmnd;
+ atomic_t free;
++ atomic_t active;
+ union ibmvfc_iu *xfer_iu;
+ void (*done)(struct ibmvfc_event *evt);
+ void (*_done)(struct ibmvfc_event *evt);
--- /dev/null
+From 4c156084daa8ee70978e4b150b5eb5fc7b1f15be Mon Sep 17 00:00:00 2001
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+Date: Thu, 29 Jul 2021 11:16:44 +0800
+Subject: selinux: correct the return value when loads initial sids
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+commit 4c156084daa8ee70978e4b150b5eb5fc7b1f15be upstream.
+
+It should not return 0 when SID 0 is assigned to isids.
+This patch fixes it.
+
+Cc: stable@vger.kernel.org
+Fixes: e3e0b582c321a ("selinux: remove unused initial SIDs and improve handling")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+[PM: remove changelog from description]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/ss/policydb.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/security/selinux/ss/policydb.c
++++ b/security/selinux/ss/policydb.c
+@@ -874,7 +874,7 @@ int policydb_load_isids(struct policydb
+ rc = sidtab_init(s);
+ if (rc) {
+ pr_err("SELinux: out of memory on SID table init\n");
+- goto out;
++ return rc;
+ }
+
+ head = p->ocontexts[OCON_ISID];
+@@ -885,7 +885,7 @@ int policydb_load_isids(struct policydb
+ if (sid == SECSID_NULL) {
+ pr_err("SELinux: SID 0 was assigned a context.\n");
+ sidtab_destroy(s);
+- goto out;
++ return -EINVAL;
+ }
+
+ /* Ignore initial SIDs unused by this kernel. */
+@@ -897,12 +897,10 @@ int policydb_load_isids(struct policydb
+ pr_err("SELinux: unable to load initial SID %s.\n",
+ name);
+ sidtab_destroy(s);
+- goto out;
++ return rc;
+ }
+ }
+- rc = 0;
+-out:
+- return rc;
++ return 0;
+ }
+
+ int policydb_class_isvalid(struct policydb *p, unsigned int class)
perf-fix-required-permissions-if-sigtrap-is-requested.patch
xfrm-fix-rcu-vs-hash_resize_mutex-lock-inversion.patch
net-xfrm-compat-copy-xfrm_spdattr_type_t-atributes.patch
+pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch
+scsi-ibmvfc-fix-command-state-accounting-and-stale-response-detection.patch
+selinux-correct-the-return-value-when-loads-initial-sids.patch
+bus-ti-sysc-am3-rng-is-gp-only.patch
+revert-gpio-mpc8xxx-change-the-gpio-interrupt-flags.patch
+arm64-fix-compat-syscall-return-truncation.patch
+arm-omap2-hwmod-fix-potential-null-pointer-access.patch
+md-raid10-properly-indicate-failure-when-ending-a-failed-write-request.patch
+io-wq-fix-race-between-worker-exiting-and-activating-free-worker.patch
+s390-dasd-fix-use-after-free-in-dasd-path-handling.patch
+kvm-x86-accept-userspace-interrupt-only-if-no-event-is-injected.patch
+kvm-svm-fix-off-by-one-indexing-when-nullifying-last-used-sev-vmcb.patch
+kvm-do-not-leak-memory-for-duplicate-debugfs-directories.patch
+kvm-x86-mmu-fix-per-cpu-counter-corruption-on-32-bit-builds.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
