--- /dev/null
+From e09784a8a751e539dffc94d43bc917b0ac1e934a Mon Sep 17 00:00:00 2001
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Tue, 11 May 2021 03:45:16 +0200
+Subject: alarmtimer: Check RTC features instead of ops
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+commit e09784a8a751e539dffc94d43bc917b0ac1e934a upstream.
+
+RTC drivers used to leave .set_alarm() NULL in order to signal the RTC
+device doesn't support alarms. The drivers are now clearing the
+RTC_FEATURE_ALARM bit for that purpose in order to keep the rtc_class_ops
+structure const. So now, .set_alarm() is set unconditionally and this
+possibly causes the alarmtimer code to select an RTC device that doesn't
+support alarms.
+
+Test RTC_FEATURE_ALARM instead of relying on ops->set_alarm to determine
+whether alarms are available.
+
+Fixes: 7ae41220ef58 ("rtc: introduce features bitfield")
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210511014516.563031-1-alexandre.belloni@bootlin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/time/alarmtimer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/time/alarmtimer.c
++++ b/kernel/time/alarmtimer.c
+@@ -92,7 +92,7 @@ static int alarmtimer_rtc_add_device(str
+ if (rtcdev)
+ return -EBUSY;
+
+- if (!rtc->ops->set_alarm)
++ if (!test_bit(RTC_FEATURE_ALARM, rtc->features))
+ return -1;
+ if (!device_may_wakeup(rtc->dev.parent))
+ return -1;
--- /dev/null
+From 18abf874367456540846319574864e6ff32752e2 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Mon, 26 Apr 2021 11:26:22 +0200
+Subject: cdc-wdm: untangle a circular dependency between callback and softint
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 18abf874367456540846319574864e6ff32752e2 upstream.
+
+We have a cycle of callbacks scheduling works which submit
+URBs with those callbacks. This needs to be blocked, stopped
+and unblocked to untangle the circle.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20210426092622.20433-1-oneukum@suse.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-wdm.c | 30 ++++++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -321,12 +321,23 @@ exit:
+
+ }
+
+-static void kill_urbs(struct wdm_device *desc)
++static void poison_urbs(struct wdm_device *desc)
+ {
+ /* the order here is essential */
+- usb_kill_urb(desc->command);
+- usb_kill_urb(desc->validity);
+- usb_kill_urb(desc->response);
++ usb_poison_urb(desc->command);
++ usb_poison_urb(desc->validity);
++ usb_poison_urb(desc->response);
++}
++
++static void unpoison_urbs(struct wdm_device *desc)
++{
++ /*
++ * the order here is not essential
++ * it is symmetrical just to be nice
++ */
++ usb_unpoison_urb(desc->response);
++ usb_unpoison_urb(desc->validity);
++ usb_unpoison_urb(desc->command);
+ }
+
+ static void free_urbs(struct wdm_device *desc)
+@@ -741,11 +752,12 @@ static int wdm_release(struct inode *ino
+ if (!desc->count) {
+ if (!test_bit(WDM_DISCONNECTING, &desc->flags)) {
+ dev_dbg(&desc->intf->dev, "wdm_release: cleanup\n");
+- kill_urbs(desc);
++ poison_urbs(desc);
+ spin_lock_irq(&desc->iuspin);
+ desc->resp_count = 0;
+ spin_unlock_irq(&desc->iuspin);
+ desc->manage_power(desc->intf, 0);
++ unpoison_urbs(desc);
+ } else {
+ /* must avoid dev_printk here as desc->intf is invalid */
+ pr_debug(KBUILD_MODNAME " %s: device gone - cleaning up\n", __func__);
+@@ -1037,9 +1049,9 @@ static void wdm_disconnect(struct usb_in
+ wake_up_all(&desc->wait);
+ mutex_lock(&desc->rlock);
+ mutex_lock(&desc->wlock);
++ poison_urbs(desc);
+ cancel_work_sync(&desc->rxwork);
+ cancel_work_sync(&desc->service_outs_intr);
+- kill_urbs(desc);
+ mutex_unlock(&desc->wlock);
+ mutex_unlock(&desc->rlock);
+
+@@ -1080,9 +1092,10 @@ static int wdm_suspend(struct usb_interf
+ set_bit(WDM_SUSPENDING, &desc->flags);
+ spin_unlock_irq(&desc->iuspin);
+ /* callback submits work - order is essential */
+- kill_urbs(desc);
++ poison_urbs(desc);
+ cancel_work_sync(&desc->rxwork);
+ cancel_work_sync(&desc->service_outs_intr);
++ unpoison_urbs(desc);
+ }
+ if (!PMSG_IS_AUTO(message)) {
+ mutex_unlock(&desc->wlock);
+@@ -1140,7 +1153,7 @@ static int wdm_pre_reset(struct usb_inte
+ wake_up_all(&desc->wait);
+ mutex_lock(&desc->rlock);
+ mutex_lock(&desc->wlock);
+- kill_urbs(desc);
++ poison_urbs(desc);
+ cancel_work_sync(&desc->rxwork);
+ cancel_work_sync(&desc->service_outs_intr);
+ return 0;
+@@ -1151,6 +1164,7 @@ static int wdm_post_reset(struct usb_int
+ struct wdm_device *desc = wdm_find_device(intf);
+ int rv;
+
++ unpoison_urbs(desc);
+ clear_bit(WDM_OVERFLOW, &desc->flags);
+ clear_bit(WDM_RESETTING, &desc->flags);
+ rv = recover_from_urb_loss(desc);
--- /dev/null
+From 901f84de0e16bde10a72d7eb2f2eb73fcde8fa1a Mon Sep 17 00:00:00 2001
+From: Tomasz Duszynski <tomasz.duszynski@octakon.com>
+Date: Fri, 23 Apr 2021 10:02:44 +0200
+Subject: iio: core: fix ioctl handlers removal
+
+From: Tomasz Duszynski <tomasz.duszynski@octakon.com>
+
+commit 901f84de0e16bde10a72d7eb2f2eb73fcde8fa1a upstream.
+
+Currently ioctl handlers are removed twice. For the first time during
+iio_device_unregister() then later on inside
+iio_device_unregister_eventset() and iio_buffers_free_sysfs_and_mask().
+Double free leads to kernel panic.
+
+Fix this by not touching ioctl handlers list directly but rather
+letting code responsible for registration call the matching cleanup
+routine itself.
+
+Fixes: 8dedcc3eee3ac ("iio: core: centralize ioctl() calls to the main chardev")
+Signed-off-by: Tomasz Duszynski <tomasz.duszynski@octakon.com>
+Acked-by: Alexandru Ardelean <ardeleanalex@gmail.com>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210423080244.2790-1-tomasz.duszynski@octakon.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/industrialio-core.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/iio/industrialio-core.c
++++ b/drivers/iio/industrialio-core.c
+@@ -1863,9 +1863,6 @@ EXPORT_SYMBOL(__iio_device_register);
+ **/
+ void iio_device_unregister(struct iio_dev *indio_dev)
+ {
+- struct iio_dev_opaque *iio_dev_opaque = to_iio_dev_opaque(indio_dev);
+- struct iio_ioctl_handler *h, *t;
+-
+ cdev_device_del(&indio_dev->chrdev, &indio_dev->dev);
+
+ mutex_lock(&indio_dev->info_exist_lock);
+@@ -1876,9 +1873,6 @@ void iio_device_unregister(struct iio_de
+
+ indio_dev->info = NULL;
+
+- list_for_each_entry_safe(h, t, &iio_dev_opaque->ioctl_handlers, entry)
+- list_del(&h->entry);
+-
+ iio_device_wakeup_eventset(indio_dev);
+ iio_buffer_wakeup_poll(indio_dev);
+
--- /dev/null
+From f73c730774d88a14d7b60feee6d0e13570f99499 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Fri, 23 Apr 2021 05:09:59 +0300
+Subject: iio: gyro: mpu3050: Fix reported temperature value
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit f73c730774d88a14d7b60feee6d0e13570f99499 upstream.
+
+The raw temperature value is a 16-bit signed integer. The sign casting
+is missing in the code, which results in a wrong temperature reported
+by userspace tools, fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope")
+Datasheet: https://www.cdiweb.com/datasheets/invensense/mpu-3000a.pdf
+Tested-by: Maxim Schwalm <maxim.schwalm@gmail.com> # Asus TF700T
+Tested-by: Svyatoslav Ryhel <clamor95@gmail.com> # Asus TF201
+Reported-by: Svyatoslav Ryhel <clamor95@gmail.com>
+Reviewed-by: Andy Shevchenko <Andy.Shevchenko@gmail.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-by: Jean-Baptiste Maneyrol <jmaneyrol@invensense.com>
+Link: https://lore.kernel.org/r/20210423020959.5023-1-digetx@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/gyro/mpu3050-core.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/gyro/mpu3050-core.c
++++ b/drivers/iio/gyro/mpu3050-core.c
+@@ -272,7 +272,16 @@ static int mpu3050_read_raw(struct iio_d
+ case IIO_CHAN_INFO_OFFSET:
+ switch (chan->type) {
+ case IIO_TEMP:
+- /* The temperature scaling is (x+23000)/280 Celsius */
++ /*
++ * The temperature scaling is (x+23000)/280 Celsius
++ * for the "best fit straight line" temperature range
++ * of -30C..85C. The 23000 includes room temperature
++ * offset of +35C, 280 is the precision scale and x is
++ * the 16-bit signed integer reported by hardware.
++ *
++ * Temperature value itself represents temperature of
++ * the sensor die.
++ */
+ *val = 23000;
+ return IIO_VAL_INT;
+ default:
+@@ -329,7 +338,7 @@ static int mpu3050_read_raw(struct iio_d
+ goto out_read_raw_unlock;
+ }
+
+- *val = be16_to_cpu(raw_val);
++ *val = (s16)be16_to_cpu(raw_val);
+ ret = IIO_VAL_INT;
+
+ goto out_read_raw_unlock;
--- /dev/null
+From af0e1871d79cfbb91f732d2c6fa7558e45c31038 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 7 May 2021 19:30:41 +0100
+Subject: iio: tsl2583: Fix division by a zero lux_val
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit af0e1871d79cfbb91f732d2c6fa7558e45c31038 upstream.
+
+The lux_val returned from tsl2583_get_lux can potentially be zero,
+so check for this to avoid a division by zero and an overflowed
+gain_trim_val.
+
+Fixes clang scan-build warning:
+
+drivers/iio/light/tsl2583.c:345:40: warning: Either the
+condition 'lux_val<0' is redundant or there is division
+by zero at line 345. [zerodivcond]
+
+Fixes: ac4f6eee8fe8 ("staging: iio: TAOS tsl258x: Device driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/tsl2583.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/iio/light/tsl2583.c
++++ b/drivers/iio/light/tsl2583.c
+@@ -341,6 +341,14 @@ static int tsl2583_als_calibrate(struct
+ return lux_val;
+ }
+
++ /* Avoid division by zero of lux_value later on */
++ if (lux_val == 0) {
++ dev_err(&chip->client->dev,
++ "%s: lux_val of 0 will produce out of range trim_value\n",
++ __func__);
++ return -ENODATA;
++ }
++
+ gain_trim_val = (unsigned int)(((chip->als_settings.als_cal_target)
+ * chip->als_settings.als_gain_trim) / lux_val);
+ if ((gain_trim_val < 250) || (gain_trim_val > 4000)) {
--- /dev/null
+From f5c7e8425f18fdb9bdb7d13340651d7876890329 Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Mon, 3 May 2021 17:08:51 +0200
+Subject: KVM: nVMX: Always make an attempt to map eVMCS after migration
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+commit f5c7e8425f18fdb9bdb7d13340651d7876890329 upstream.
+
+When enlightened VMCS is in use and nested state is migrated with
+vmx_get_nested_state()/vmx_set_nested_state() KVM can't map evmcs
+page right away: evmcs gpa is not 'struct kvm_vmx_nested_state_hdr'
+and we can't read it from VP assist page because userspace may decide
+to restore HV_X64_MSR_VP_ASSIST_PAGE after restoring nested state
+(and QEMU, for example, does exactly that). To make sure eVMCS is
+mapped /vmx_set_nested_state() raises KVM_REQ_GET_NESTED_STATE_PAGES
+request.
+
+Commit f2c7ef3ba955 ("KVM: nSVM: cancel KVM_REQ_GET_NESTED_STATE_PAGES
+on nested vmexit") added KVM_REQ_GET_NESTED_STATE_PAGES clearing to
+nested_vmx_vmexit() to make sure MSR permission bitmap is not switched
+when an immediate exit from L2 to L1 happens right after migration (caused
+by a pending event, for example). Unfortunately, in the exact same
+situation we still need to have eVMCS mapped so
+nested_sync_vmcs12_to_shadow() reflects changes in VMCS12 to eVMCS.
+
+As a band-aid, restore nested_get_evmcs_page() when clearing
+KVM_REQ_GET_NESTED_STATE_PAGES in nested_vmx_vmexit(). The 'fix' is far
+from being ideal as we can't easily propagate possible failures and even if
+we could, this is most likely already too late to do so. The whole
+'KVM_REQ_GET_NESTED_STATE_PAGES' idea for mapping eVMCS after migration
+seems to be fragile as we diverge too much from the 'native' path when
+vmptr loading happens on vmx_set_nested_state().
+
+Fixes: f2c7ef3ba955 ("KVM: nSVM: cancel KVM_REQ_GET_NESTED_STATE_PAGES on nested vmexit")
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Message-Id: <20210503150854.1144255-2-vkuznets@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx/nested.c | 29 +++++++++++++++++++----------
+ 1 file changed, 19 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -3100,15 +3100,8 @@ static bool nested_get_evmcs_page(struct
+ nested_vmx_handle_enlightened_vmptrld(vcpu, false);
+
+ if (evmptrld_status == EVMPTRLD_VMFAIL ||
+- evmptrld_status == EVMPTRLD_ERROR) {
+- pr_debug_ratelimited("%s: enlightened vmptrld failed\n",
+- __func__);
+- vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+- vcpu->run->internal.suberror =
+- KVM_INTERNAL_ERROR_EMULATION;
+- vcpu->run->internal.ndata = 0;
++ evmptrld_status == EVMPTRLD_ERROR)
+ return false;
+- }
+ }
+
+ return true;
+@@ -3196,8 +3189,16 @@ static bool nested_get_vmcs12_pages(stru
+
+ static bool vmx_get_nested_state_pages(struct kvm_vcpu *vcpu)
+ {
+- if (!nested_get_evmcs_page(vcpu))
++ if (!nested_get_evmcs_page(vcpu)) {
++ pr_debug_ratelimited("%s: enlightened vmptrld failed\n",
++ __func__);
++ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
++ vcpu->run->internal.suberror =
++ KVM_INTERNAL_ERROR_EMULATION;
++ vcpu->run->internal.ndata = 0;
++
+ return false;
++ }
+
+ if (is_guest_mode(vcpu) && !nested_get_vmcs12_pages(vcpu))
+ return false;
+@@ -4424,7 +4425,15 @@ void nested_vmx_vmexit(struct kvm_vcpu *
+ /* trying to cancel vmlaunch/vmresume is a bug */
+ WARN_ON_ONCE(vmx->nested.nested_run_pending);
+
+- kvm_clear_request(KVM_REQ_GET_NESTED_STATE_PAGES, vcpu);
++ if (kvm_check_request(KVM_REQ_GET_NESTED_STATE_PAGES, vcpu)) {
++ /*
++ * KVM_REQ_GET_NESTED_STATE_PAGES is also used to map
++ * Enlightened VMCS after migration and we still need to
++ * do that when something is forcing L2->L1 exit prior to
++ * the first L2 run.
++ */
++ (void)nested_get_evmcs_page(vcpu);
++ }
+
+ /* Service the TLB flush request for L2 before switching to L1. */
+ if (kvm_check_request(KVM_REQ_TLB_FLUSH_CURRENT, vcpu))
--- /dev/null
+From 36fa06f9ff39f23e03cd8206dc6bbb7711c23be6 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 4 May 2021 10:17:26 -0700
+Subject: KVM: x86: Add support for RDPID without RDTSCP
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 36fa06f9ff39f23e03cd8206dc6bbb7711c23be6 upstream.
+
+Allow userspace to enable RDPID for a guest without also enabling RDTSCP.
+Aside from checking for RDPID support in the obvious flows, VMX also needs
+to set ENABLE_RDTSCP=1 when RDPID is exposed.
+
+For the record, there is no known scenario where enabling RDPID without
+RDTSCP is desirable. But, both AMD and Intel architectures allow for the
+condition, i.e. this is purely to make KVM more architecturally accurate.
+
+Fixes: 41cd02c6f7f6 ("kvm: x86: Expose RDPID in KVM_GET_SUPPORTED_CPUID")
+Cc: stable@vger.kernel.org
+Reported-by: Reiji Watanabe <reijiw@google.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20210504171734.1434054-8-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/svm.c | 6 ++++--
+ arch/x86/kvm/vmx/vmx.c | 27 +++++++++++++++++++++++----
+ arch/x86/kvm/x86.c | 3 ++-
+ 3 files changed, 29 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kvm/svm/svm.c
++++ b/arch/x86/kvm/svm/svm.c
+@@ -2741,7 +2741,8 @@ static int svm_get_msr(struct kvm_vcpu *
+ if (!boot_cpu_has(X86_FEATURE_RDTSCP))
+ return 1;
+ if (!msr_info->host_initiated &&
+- !guest_cpuid_has(vcpu, X86_FEATURE_RDTSCP))
++ !guest_cpuid_has(vcpu, X86_FEATURE_RDTSCP) &&
++ !guest_cpuid_has(vcpu, X86_FEATURE_RDPID))
+ return 1;
+ msr_info->data = svm->tsc_aux;
+ break;
+@@ -2952,7 +2953,8 @@ static int svm_set_msr(struct kvm_vcpu *
+ return 1;
+
+ if (!msr->host_initiated &&
+- !guest_cpuid_has(vcpu, X86_FEATURE_RDTSCP))
++ !guest_cpuid_has(vcpu, X86_FEATURE_RDTSCP) &&
++ !guest_cpuid_has(vcpu, X86_FEATURE_RDPID))
+ return 1;
+
+ /*
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -1734,7 +1734,8 @@ static void setup_msrs(struct vcpu_vmx *
+ if (update_transition_efer(vmx))
+ vmx_setup_uret_msr(vmx, MSR_EFER);
+
+- if (guest_cpuid_has(&vmx->vcpu, X86_FEATURE_RDTSCP))
++ if (guest_cpuid_has(&vmx->vcpu, X86_FEATURE_RDTSCP) ||
++ guest_cpuid_has(&vmx->vcpu, X86_FEATURE_RDPID))
+ vmx_setup_uret_msr(vmx, MSR_TSC_AUX);
+
+ vmx_setup_uret_msr(vmx, MSR_IA32_TSX_CTRL);
+@@ -1933,7 +1934,8 @@ static int vmx_get_msr(struct kvm_vcpu *
+ break;
+ case MSR_TSC_AUX:
+ if (!msr_info->host_initiated &&
+- !guest_cpuid_has(vcpu, X86_FEATURE_RDTSCP))
++ !guest_cpuid_has(vcpu, X86_FEATURE_RDTSCP) &&
++ !guest_cpuid_has(vcpu, X86_FEATURE_RDPID))
+ return 1;
+ goto find_uret_msr;
+ case MSR_IA32_DEBUGCTLMSR:
+@@ -2230,7 +2232,8 @@ static int vmx_set_msr(struct kvm_vcpu *
+ break;
+ case MSR_TSC_AUX:
+ if (!msr_info->host_initiated &&
+- !guest_cpuid_has(vcpu, X86_FEATURE_RDTSCP))
++ !guest_cpuid_has(vcpu, X86_FEATURE_RDTSCP) &&
++ !guest_cpuid_has(vcpu, X86_FEATURE_RDPID))
+ return 1;
+ /* Check reserved bit, higher 32 bits should be zero */
+ if ((data >> 32) != 0)
+@@ -4302,7 +4305,23 @@ static void vmx_compute_secondary_exec_c
+ xsaves_enabled, false);
+ }
+
+- vmx_adjust_sec_exec_feature(vmx, &exec_control, rdtscp, RDTSCP);
++ /*
++ * RDPID is also gated by ENABLE_RDTSCP, turn on the control if either
++ * feature is exposed to the guest. This creates a virtualization hole
++ * if both are supported in hardware but only one is exposed to the
++ * guest, but letting the guest execute RDTSCP or RDPID when either one
++ * is advertised is preferable to emulating the advertised instruction
++ * in KVM on #UD, and obviously better than incorrectly injecting #UD.
++ */
++ if (cpu_has_vmx_rdtscp()) {
++ bool rdpid_or_rdtscp_enabled =
++ guest_cpuid_has(vcpu, X86_FEATURE_RDTSCP) ||
++ guest_cpuid_has(vcpu, X86_FEATURE_RDPID);
++
++ vmx_adjust_secondary_exec_control(vmx, &exec_control,
++ SECONDARY_EXEC_ENABLE_RDTSCP,
++ rdpid_or_rdtscp_enabled, false);
++ }
+ vmx_adjust_sec_exec_feature(vmx, &exec_control, invpcid, INVPCID);
+
+ vmx_adjust_sec_exec_exiting(vmx, &exec_control, rdrand, RDRAND);
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5864,7 +5864,8 @@ static void kvm_init_msr_list(void)
+ continue;
+ break;
+ case MSR_TSC_AUX:
+- if (!kvm_cpu_cap_has(X86_FEATURE_RDTSCP))
++ if (!kvm_cpu_cap_has(X86_FEATURE_RDTSCP) &&
++ !kvm_cpu_cap_has(X86_FEATURE_RDPID))
+ continue;
+ break;
+ case MSR_IA32_UMWAIT_CONTROL:
--- /dev/null
+From 85d0011264da24be08ae907d7f29983a597ca9b1 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 4 May 2021 10:17:21 -0700
+Subject: KVM: x86: Emulate RDPID only if RDTSCP is supported
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 85d0011264da24be08ae907d7f29983a597ca9b1 upstream.
+
+Do not advertise emulation support for RDPID if RDTSCP is unsupported.
+RDPID emulation subtly relies on MSR_TSC_AUX to exist in hardware, as
+both vmx_get_msr() and svm_get_msr() will return an error if the MSR is
+unsupported, i.e. ctxt->ops->get_msr() will fail and the emulator will
+inject a #UD.
+
+Note, RDPID emulation also relies on RDTSCP being enabled in the guest,
+but this is a KVM bug and will eventually be fixed.
+
+Fixes: fb6d4d340e05 ("KVM: x86: emulate RDPID")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20210504171734.1434054-3-seanjc@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: Reiji Watanabe <reijiw@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/cpuid.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -589,7 +589,8 @@ static int __do_cpuid_func_emulated(stru
+ case 7:
+ entry->flags |= KVM_CPUID_FLAG_SIGNIFCANT_INDEX;
+ entry->eax = 0;
+- entry->ecx = F(RDPID);
++ if (kvm_cpu_cap_has(X86_FEATURE_RDTSCP))
++ entry->ecx = F(RDPID);
+ ++array->nent;
+ default:
+ break;
--- /dev/null
+From 2183de4161b90bd3851ccd3910c87b2c9adfc6ed Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 4 May 2021 10:17:23 -0700
+Subject: KVM: x86: Move RDPID emulation intercept to its own enum
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 2183de4161b90bd3851ccd3910c87b2c9adfc6ed upstream.
+
+Add a dedicated intercept enum for RDPID instead of piggybacking RDTSCP.
+Unlike VMX's ENABLE_RDTSCP, RDPID is not bound to SVM's RDTSCP intercept.
+
+Fixes: fb6d4d340e05 ("KVM: x86: emulate RDPID")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20210504171734.1434054-5-seanjc@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/emulate.c | 2 +-
+ arch/x86/kvm/kvm_emulate.h | 1 +
+ arch/x86/kvm/vmx/vmx.c | 3 ++-
+ 3 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -4502,7 +4502,7 @@ static const struct opcode group8[] = {
+ * from the register case of group9.
+ */
+ static const struct gprefix pfx_0f_c7_7 = {
+- N, N, N, II(DstMem | ModRM | Op3264 | EmulateOnUD, em_rdpid, rdtscp),
++ N, N, N, II(DstMem | ModRM | Op3264 | EmulateOnUD, em_rdpid, rdpid),
+ };
+
+
+--- a/arch/x86/kvm/kvm_emulate.h
++++ b/arch/x86/kvm/kvm_emulate.h
+@@ -468,6 +468,7 @@ enum x86_intercept {
+ x86_intercept_clgi,
+ x86_intercept_skinit,
+ x86_intercept_rdtscp,
++ x86_intercept_rdpid,
+ x86_intercept_icebp,
+ x86_intercept_wbinvd,
+ x86_intercept_monitor,
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -7391,8 +7391,9 @@ static int vmx_check_intercept(struct kv
+ /*
+ * RDPID causes #UD if disabled through secondary execution controls.
+ * Because it is marked as EmulateOnUD, we need to intercept it here.
++ * Note, RDPID is hidden behind ENABLE_RDTSCP.
+ */
+- case x86_intercept_rdtscp:
++ case x86_intercept_rdpid:
+ if (!nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENABLE_RDTSCP)) {
+ exception->vector = UD_VECTOR;
+ exception->error_code_valid = false;
usb-typec-tcpm-fix-wrong-handling-in-get_sink_cap.patch
usb-typec-ucsi-retrieve-all-the-pdos-instead-of-just-the-first-4.patch
usb-typec-ucsi-put-fwnode-in-any-case-during-probe.patch
+xhci-pci-allow-host-runtime-pm-as-default-for-intel-alder-lake-xhci.patch
+xhci-fix-giving-back-cancelled-urbs-even-if-halted-endpoint-can-t-reset.patch
+xhci-do-not-use-gfp_kernel-in-potentially-atomic-context.patch
+xhci-add-reset-resume-quirk-for-amd-xhci-controller.patch
+iio-core-fix-ioctl-handlers-removal.patch
+iio-gyro-mpu3050-fix-reported-temperature-value.patch
+iio-tsl2583-fix-division-by-a-zero-lux_val.patch
+cdc-wdm-untangle-a-circular-dependency-between-callback-and-softint.patch
+alarmtimer-check-rtc-features-instead-of-ops.patch
+xen-gntdev-fix-gntdev_mmap-error-exit-path.patch
+kvm-x86-emulate-rdpid-only-if-rdtscp-is-supported.patch
+kvm-x86-move-rdpid-emulation-intercept-to-its-own-enum.patch
+kvm-x86-add-support-for-rdpid-without-rdtscp.patch
+kvm-nvmx-always-make-an-attempt-to-map-evmcs-after-migration.patch
--- /dev/null
+From 970655aa9b42461f8394e4457307005bdeee14d9 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Fri, 23 Apr 2021 07:40:38 +0200
+Subject: xen/gntdev: fix gntdev_mmap() error exit path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 970655aa9b42461f8394e4457307005bdeee14d9 upstream.
+
+Commit d3eeb1d77c5d0af ("xen/gntdev: use mmu_interval_notifier_insert")
+introduced an error in gntdev_mmap(): in case the call of
+mmu_interval_notifier_insert_locked() fails the exit path should not
+call mmu_interval_notifier_remove(), as this might result in NULL
+dereferences.
+
+One reason for failure is e.g. a signal pending for the running
+process.
+
+Fixes: d3eeb1d77c5d0af ("xen/gntdev: use mmu_interval_notifier_insert")
+Cc: stable@vger.kernel.org
+Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Luca Fancellu <luca.fancellu@arm.com>
+Link: https://lore.kernel.org/r/20210423054038.26696-1-jgross@suse.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/gntdev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/gntdev.c
++++ b/drivers/xen/gntdev.c
+@@ -1017,8 +1017,10 @@ static int gntdev_mmap(struct file *flip
+ err = mmu_interval_notifier_insert_locked(
+ &map->notifier, vma->vm_mm, vma->vm_start,
+ vma->vm_end - vma->vm_start, &gntdev_mmu_ops);
+- if (err)
++ if (err) {
++ map->vma = NULL;
+ goto out_unlock_put;
++ }
+ }
+ mutex_unlock(&priv->lock);
+
--- /dev/null
+From 3c128781d8da463761495aaf8898c9ecb4e71528 Mon Sep 17 00:00:00 2001
+From: Sandeep Singh <sandeep.singh@amd.com>
+Date: Wed, 12 May 2021 11:08:16 +0300
+Subject: xhci: Add reset resume quirk for AMD xhci controller.
+
+From: Sandeep Singh <sandeep.singh@amd.com>
+
+commit 3c128781d8da463761495aaf8898c9ecb4e71528 upstream.
+
+One of AMD xhci controller require reset on resume.
+Occasionally AMD xhci controller does not respond to
+Stop endpoint command.
+Once the issue happens controller goes into bad state
+and in that case controller needs to be reset.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Sandeep Singh <sandeep.singh@amd.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210512080816.866037-6-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -167,8 +167,10 @@ static void xhci_pci_quirks(struct devic
+ (pdev->device == 0x15e0 || pdev->device == 0x15e1))
+ xhci->quirks |= XHCI_SNPS_BROKEN_SUSPEND;
+
+- if (pdev->vendor == PCI_VENDOR_ID_AMD && pdev->device == 0x15e5)
++ if (pdev->vendor == PCI_VENDOR_ID_AMD && pdev->device == 0x15e5) {
+ xhci->quirks |= XHCI_DISABLE_SPARSE;
++ xhci->quirks |= XHCI_RESET_ON_RESUME;
++ }
+
+ if (pdev->vendor == PCI_VENDOR_ID_AMD)
+ xhci->quirks |= XHCI_TRUST_TX_LENGTH;
--- /dev/null
+From dda32c00c9a0fa103b5d54ef72c477b7aa993679 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Wed, 12 May 2021 11:08:14 +0300
+Subject: xhci: Do not use GFP_KERNEL in (potentially) atomic context
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit dda32c00c9a0fa103b5d54ef72c477b7aa993679 upstream.
+
+'xhci_urb_enqueue()' is passed a 'mem_flags' argument, because "URBs may be
+submitted in interrupt context" (see comment related to 'usb_submit_urb()'
+in 'drivers/usb/core/urb.c')
+
+So this flag should be used in all the calling chain.
+Up to now, 'xhci_check_maxpacket()' which is only called from
+'xhci_urb_enqueue()', uses GFP_KERNEL.
+
+Be safe and pass the mem_flags to this function as well.
+
+Fixes: ddba5cd0aeff ("xhci: Use command structures when queuing commands on the command ring")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210512080816.866037-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -1514,7 +1514,7 @@ static int xhci_configure_endpoint(struc
+ * we need to issue an evaluate context command and wait on it.
+ */
+ static int xhci_check_maxpacket(struct xhci_hcd *xhci, unsigned int slot_id,
+- unsigned int ep_index, struct urb *urb)
++ unsigned int ep_index, struct urb *urb, gfp_t mem_flags)
+ {
+ struct xhci_container_ctx *out_ctx;
+ struct xhci_input_control_ctx *ctrl_ctx;
+@@ -1545,7 +1545,7 @@ static int xhci_check_maxpacket(struct x
+ * changes max packet sizes.
+ */
+
+- command = xhci_alloc_command(xhci, true, GFP_KERNEL);
++ command = xhci_alloc_command(xhci, true, mem_flags);
+ if (!command)
+ return -ENOMEM;
+
+@@ -1639,7 +1639,7 @@ static int xhci_urb_enqueue(struct usb_h
+ */
+ if (urb->dev->speed == USB_SPEED_FULL) {
+ ret = xhci_check_maxpacket(xhci, slot_id,
+- ep_index, urb);
++ ep_index, urb, mem_flags);
+ if (ret < 0) {
+ xhci_urb_free_priv(urb_priv);
+ urb->hcpriv = NULL;
--- /dev/null
+From 9b6a126ae58d9edfdde2d5f2e87f7615ea5e0155 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Wed, 12 May 2021 11:08:13 +0300
+Subject: xhci: Fix giving back cancelled URBs even if halted endpoint can't reset
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 9b6a126ae58d9edfdde2d5f2e87f7615ea5e0155 upstream.
+
+Commit 9ebf30007858 ("xhci: Fix halted endpoint at stop endpoint command
+completion") in 5.12 changes how cancelled URBs are given back.
+
+To cancel a URB xhci driver needs to stop the endpoint first.
+To clear a halted endpoint xhci driver needs to reset the endpoint.
+
+In rare cases when an endpoint halt (error) races with a endpoint stop we
+need to clear the reset before removing, and giving back the cancelled URB.
+
+The above change in 5.12 takes care of this, but it also relies on the
+reset endpoint completion handler to give back the cancelled URBs.
+
+There are cases when driver refuses to queue reset endpoint commands,
+for example when a link suddenly goes to an inactive error state.
+In this case the cancelled URB is never given back.
+
+Fix this by giving back the URB in the stop endpoint if queuing a reset
+endpoint command fails.
+
+Fixes: 9ebf30007858 ("xhci: Fix halted endpoint at stop endpoint command completion")
+CC: <stable@vger.kernel.org> # 5.12
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210512080816.866037-3-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-ring.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -863,7 +863,7 @@ done:
+ return ret;
+ }
+
+-static void xhci_handle_halted_endpoint(struct xhci_hcd *xhci,
++static int xhci_handle_halted_endpoint(struct xhci_hcd *xhci,
+ struct xhci_virt_ep *ep, unsigned int stream_id,
+ struct xhci_td *td,
+ enum xhci_ep_reset_type reset_type)
+@@ -876,7 +876,7 @@ static void xhci_handle_halted_endpoint(
+ * Device will be reset soon to recover the link so don't do anything
+ */
+ if (ep->vdev->flags & VDEV_PORT_ERROR)
+- return;
++ return -ENODEV;
+
+ /* add td to cancelled list and let reset ep handler take care of it */
+ if (reset_type == EP_HARD_RESET) {
+@@ -889,16 +889,18 @@ static void xhci_handle_halted_endpoint(
+
+ if (ep->ep_state & EP_HALTED) {
+ xhci_dbg(xhci, "Reset ep command already pending\n");
+- return;
++ return 0;
+ }
+
+ err = xhci_reset_halted_ep(xhci, slot_id, ep->ep_index, reset_type);
+ if (err)
+- return;
++ return err;
+
+ ep->ep_state |= EP_HALTED;
+
+ xhci_ring_cmd_db(xhci);
++
++ return 0;
+ }
+
+ /*
+@@ -1015,6 +1017,7 @@ static void xhci_handle_cmd_stop_ep(stru
+ struct xhci_td *td = NULL;
+ enum xhci_ep_reset_type reset_type;
+ struct xhci_command *command;
++ int err;
+
+ if (unlikely(TRB_TO_SUSPEND_PORT(le32_to_cpu(trb->generic.field[3])))) {
+ if (!xhci->devs[slot_id])
+@@ -1059,7 +1062,10 @@ static void xhci_handle_cmd_stop_ep(stru
+ td->status = -EPROTO;
+ }
+ /* reset ep, reset handler cleans up cancelled tds */
+- xhci_handle_halted_endpoint(xhci, ep, 0, td, reset_type);
++ err = xhci_handle_halted_endpoint(xhci, ep, 0, td,
++ reset_type);
++ if (err)
++ break;
+ xhci_stop_watchdog_timer_in_irq(xhci, ep);
+ return;
+ case EP_STATE_RUNNING:
--- /dev/null
+From b813511135e8b84fa741afdfbab4937919100bef Mon Sep 17 00:00:00 2001
+From: Abhijeet Rao <abhijeet.rao@intel.com>
+Date: Wed, 12 May 2021 11:08:12 +0300
+Subject: xhci-pci: Allow host runtime PM as default for Intel Alder Lake xHCI
+
+From: Abhijeet Rao <abhijeet.rao@intel.com>
+
+commit b813511135e8b84fa741afdfbab4937919100bef upstream.
+
+In the same way as Intel Tiger Lake TCSS (Type-C Subsystem) the Alder Lake
+TCSS xHCI needs to be runtime suspended whenever possible to allow the
+TCSS hardware block to enter D3cold and thus save energy.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Abhijeet Rao <abhijeet.rao@intel.com>
+Signed-off-by: Nikunj A. Dadhania <nikunj.dadhania@intel.com>
+Signed-off-by: Azhar Shaikh <azhar.shaikh@intel.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210512080816.866037-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -57,6 +57,7 @@
+ #define PCI_DEVICE_ID_INTEL_CML_XHCI 0xa3af
+ #define PCI_DEVICE_ID_INTEL_TIGER_LAKE_XHCI 0x9a13
+ #define PCI_DEVICE_ID_INTEL_MAPLE_RIDGE_XHCI 0x1138
++#define PCI_DEVICE_ID_INTEL_ALDER_LAKE_XHCI 0x461e
+
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_4 0x43b9
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_3 0x43ba
+@@ -243,7 +244,8 @@ static void xhci_pci_quirks(struct devic
+ pdev->device == PCI_DEVICE_ID_INTEL_TITAN_RIDGE_DD_XHCI ||
+ pdev->device == PCI_DEVICE_ID_INTEL_ICE_LAKE_XHCI ||
+ pdev->device == PCI_DEVICE_ID_INTEL_TIGER_LAKE_XHCI ||
+- pdev->device == PCI_DEVICE_ID_INTEL_MAPLE_RIDGE_XHCI))
++ pdev->device == PCI_DEVICE_ID_INTEL_MAPLE_RIDGE_XHCI ||
++ pdev->device == PCI_DEVICE_ID_INTEL_ALDER_LAKE_XHCI))
+ xhci->quirks |= XHCI_DEFAULT_PM_RUNTIME_ALLOW;
+
+ if (pdev->vendor == PCI_VENDOR_ID_ETRON &&
projects / thirdparty / kernel / stable-queue.git / commitdiff
