--- /dev/null
+From b070f9ca78680486927b799cf6126b128a7c2c1b Mon Sep 17 00:00:00 2001
+From: Tero Kristo <t-kristo@ti.com>
+Date: Tue, 20 Jul 2021 11:47:10 -0700
+Subject: ARM: omap2+: hwmod: fix potential NULL pointer access
+
+From: Tero Kristo <t-kristo@ti.com>
+
+commit b070f9ca78680486927b799cf6126b128a7c2c1b upstream.
+
+omap_hwmod_get_pwrdm() may access a NULL clk_hw pointer in some failure
+cases. Add a check for the case and bail out gracely if this happens.
+
+Reported-by: Dan Murphy <dmurphy@ti.com>
+Signed-off-by: Tero Kristo <t-kristo@ti.com>
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/omap_hwmod.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/mach-omap2/omap_hwmod.c
++++ b/arch/arm/mach-omap2/omap_hwmod.c
+@@ -3777,6 +3777,7 @@ struct powerdomain *omap_hwmod_get_pwrdm
+ struct omap_hwmod_ocp_if *oi;
+ struct clockdomain *clkdm;
+ struct clk_hw_omap *clk;
++ struct clk_hw *hw;
+
+ if (!oh)
+ return NULL;
+@@ -3793,7 +3794,14 @@ struct powerdomain *omap_hwmod_get_pwrdm
+ c = oi->_clk;
+ }
+
+- clk = to_clk_hw_omap(__clk_get_hw(c));
++ hw = __clk_get_hw(c);
++ if (!hw)
++ return NULL;
++
++ clk = to_clk_hw_omap(hw);
++ if (!clk)
++ return NULL;
++
+ clkdm = clk->clkdm;
+ if (!clkdm)
+ return NULL;
--- /dev/null
+From a6d90e9f22328f07343e49e08a4ca483ae8e8abb Mon Sep 17 00:00:00 2001
+From: Kevin Hilman <khilman@baylibre.com>
+Date: Tue, 20 Jul 2021 11:27:16 -0700
+Subject: bus: ti-sysc: AM3: RNG is GP only
+
+From: Kevin Hilman <khilman@baylibre.com>
+
+commit a6d90e9f22328f07343e49e08a4ca483ae8e8abb upstream.
+
+Make the RNG on AM3 GP only.
+
+Based on this patch from TI v5.4 tree which is based on hwmod data
+which are now removed:
+
+| ARM: AM43xx: hwmod: Move RNG to a GP only links table
+|
+| On non-GP devices the RNG is controlled by the secure-side software,
+| like in DRA7xx hwmod we should not control this IP when we are not
+| a GP device.
+|
+| Signed-off-by: Andrew F. Davis <afd@ti.com>
+
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/ti-sysc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/bus/ti-sysc.c
++++ b/drivers/bus/ti-sysc.c
+@@ -2920,6 +2920,8 @@ static int sysc_init_soc(struct sysc *dd
+ case SOC_3430 ... SOC_3630:
+ sysc_add_disabled(0x48304000); /* timer12 */
+ break;
++ case SOC_AM3:
++ sysc_add_disabled(0x48310000); /* rng */
+ default:
+ break;
+ };
--- /dev/null
+From 85cd39af14f498f791d8aab3fbd64cd175787f1a Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 4 Aug 2021 05:28:52 -0400
+Subject: KVM: Do not leak memory for duplicate debugfs directories
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 85cd39af14f498f791d8aab3fbd64cd175787f1a upstream.
+
+KVM creates a debugfs directory for each VM in order to store statistics
+about the virtual machine. The directory name is built from the process
+pid and a VM fd. While generally unique, it is possible to keep a
+file descriptor alive in a way that causes duplicate directories, which
+manifests as these messages:
+
+ [ 471.846235] debugfs: Directory '20245-4' with parent 'kvm' already present!
+
+Even though this should not happen in practice, it is more or less
+expected in the case of KVM for testcases that call KVM_CREATE_VM and
+close the resulting file descriptor repeatedly and in parallel.
+
+When this happens, debugfs_create_dir() returns an error but
+kvm_create_vm_debugfs() goes on to allocate stat data structs which are
+later leaked. The slow memory leak was spotted by syzkaller, where it
+caused OOM reports.
+
+Since the issue only affects debugfs, do a lookup before calling
+debugfs_create_dir, so that the message is downgraded and rate-limited.
+While at it, ensure kvm->debugfs_dentry is NULL rather than an error
+if it is not created. This fixes kvm_destroy_vm_debugfs, which was not
+checking IS_ERR_OR_NULL correctly.
+
+Cc: stable@vger.kernel.org
+Fixes: 536a6f88c49d ("KVM: Create debugfs dir and stat files for each VM")
+Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/kvm_main.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -685,6 +685,8 @@ static void kvm_destroy_vm_debugfs(struc
+
+ static int kvm_create_vm_debugfs(struct kvm *kvm, int fd)
+ {
++ static DEFINE_MUTEX(kvm_debugfs_lock);
++ struct dentry *dent;
+ char dir_name[ITOA_MAX_LEN * 2];
+ struct kvm_stat_data *stat_data;
+ struct kvm_stats_debugfs_item *p;
+@@ -693,8 +695,20 @@ static int kvm_create_vm_debugfs(struct
+ return 0;
+
+ snprintf(dir_name, sizeof(dir_name), "%d-%d", task_pid_nr(current), fd);
+- kvm->debugfs_dentry = debugfs_create_dir(dir_name, kvm_debugfs_dir);
++ mutex_lock(&kvm_debugfs_lock);
++ dent = debugfs_lookup(dir_name, kvm_debugfs_dir);
++ if (dent) {
++ pr_warn_ratelimited("KVM: debugfs: duplicate directory %s\n", dir_name);
++ dput(dent);
++ mutex_unlock(&kvm_debugfs_lock);
++ return 0;
++ }
++ dent = debugfs_create_dir(dir_name, kvm_debugfs_dir);
++ mutex_unlock(&kvm_debugfs_lock);
++ if (IS_ERR(dent))
++ return 0;
+
++ kvm->debugfs_dentry = dent;
+ kvm->debugfs_stat_data = kcalloc(kvm_debugfs_num_entries,
+ sizeof(*kvm->debugfs_stat_data),
+ GFP_KERNEL_ACCOUNT);
+@@ -4698,7 +4712,7 @@ static void kvm_uevent_notify_change(uns
+ }
+ add_uevent_var(env, "PID=%d", kvm->userspace_pid);
+
+- if (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) {
++ if (kvm->debugfs_dentry) {
+ char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL_ACCOUNT);
+
+ if (p) {
--- /dev/null
+From fa7a549d321a4189677b0cea86e58d9db7977f7b Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 14 Jul 2021 17:37:49 -0400
+Subject: KVM: x86: accept userspace interrupt only if no event is injected
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit fa7a549d321a4189677b0cea86e58d9db7977f7b upstream.
+
+Once an exception has been injected, any side effects related to
+the exception (such as setting CR2 or DR6) have been taked place.
+Therefore, once KVM sets the VM-entry interruption information
+field or the AMD EVENTINJ field, the next VM-entry must deliver that
+exception.
+
+Pending interrupts are processed after injected exceptions, so
+in theory it would not be a problem to use KVM_INTERRUPT when
+an injected exception is present. However, DOSEMU is using
+run->ready_for_interrupt_injection to detect interrupt windows
+and then using KVM_SET_SREGS/KVM_SET_REGS to inject the
+interrupt manually. For this to work, the interrupt window
+must be delayed after the completion of the previous event
+injection.
+
+Cc: stable@vger.kernel.org
+Reported-by: Stas Sergeev <stsp2@yandex.ru>
+Tested-by: Stas Sergeev <stsp2@yandex.ru>
+Fixes: 71cc849b7093 ("KVM: x86: Fix split-irqchip vs interrupt injection window request")
+Reviewed-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4100,8 +4100,17 @@ static int kvm_cpu_accept_dm_intr(struct
+
+ static int kvm_vcpu_ready_for_interrupt_injection(struct kvm_vcpu *vcpu)
+ {
+- return kvm_arch_interrupt_allowed(vcpu) &&
+- kvm_cpu_accept_dm_intr(vcpu);
++ /*
++ * Do not cause an interrupt window exit if an exception
++ * is pending or an event needs reinjection; userspace
++ * might want to inject the interrupt manually using KVM_SET_REGS
++ * or KVM_SET_SREGS. For that to work, we must be at an
++ * instruction boundary and with no events half-injected.
++ */
++ return (kvm_arch_interrupt_allowed(vcpu) &&
++ kvm_cpu_accept_dm_intr(vcpu) &&
++ !kvm_event_needs_reinjection(vcpu) &&
++ !vcpu->arch.exception.pending);
+ }
+
+ static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
--- /dev/null
+From d5aaad6f83420efb8357ac8e11c868708b22d0a9 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Wed, 4 Aug 2021 14:46:09 -0700
+Subject: KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit d5aaad6f83420efb8357ac8e11c868708b22d0a9 upstream.
+
+Take a signed 'long' instead of an 'unsigned long' for the number of
+pages to add/subtract to the total number of pages used by the MMU. This
+fixes a zero-extension bug on 32-bit kernels that effectively corrupts
+the per-cpu counter used by the shrinker.
+
+Per-cpu counters take a signed 64-bit value on both 32-bit and 64-bit
+kernels, whereas kvm_mod_used_mmu_pages() takes an unsigned long and thus
+an unsigned 32-bit value on 32-bit kernels. As a result, the value used
+to adjust the per-cpu counter is zero-extended (unsigned -> signed), not
+sign-extended (signed -> signed), and so KVM's intended -1 gets morphed to
+4294967295 and effectively corrupts the counter.
+
+This was found by a staggering amount of sheer dumb luck when running
+kvm-unit-tests on a 32-bit KVM build. The shrinker just happened to kick
+in while running tests and do_shrink_slab() logged an error about trying
+to free a negative number of objects. The truly lucky part is that the
+kernel just happened to be a slightly stale build, as the shrinker no
+longer yells about negative objects as of commit 18bb473e5031 ("mm:
+vmscan: shrink deferred objects proportional to priority").
+
+ vmscan: shrink_slab: mmu_shrink_scan+0x0/0x210 [kvm] negative objects to delete nr=-858993460
+
+Fixes: bc8a3d8925a8 ("kvm: mmu: Fix overflow on kvm mmu page limit calculation")
+Cc: stable@vger.kernel.org
+Cc: Ben Gardon <bgardon@google.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20210804214609.1096003-1-seanjc@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/mmu/mmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu/mmu.c
++++ b/arch/x86/kvm/mmu/mmu.c
+@@ -1621,7 +1621,7 @@ static int is_empty_shadow_page(u64 *spt
+ * aggregate version in order to make the slab shrinker
+ * faster
+ */
+-static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, unsigned long nr)
++static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, long nr)
+ {
+ kvm->arch.n_used_mmu_pages += nr;
+ percpu_counter_add(&kvm_total_used_mmu_pages, nr);
--- /dev/null
+From 5ba03936c05584b6f6f79be5ebe7e5036c1dd252 Mon Sep 17 00:00:00 2001
+From: Wei Shuyu <wsy@dogben.com>
+Date: Mon, 28 Jun 2021 15:15:08 +0800
+Subject: md/raid10: properly indicate failure when ending a failed write request
+
+From: Wei Shuyu <wsy@dogben.com>
+
+commit 5ba03936c05584b6f6f79be5ebe7e5036c1dd252 upstream.
+
+Similar to [1], this patch fixes the same bug in raid10. Also cleanup the
+comments.
+
+[1] commit 2417b9869b81 ("md/raid1: properly indicate failure when ending
+ a failed write request")
+Cc: stable@vger.kernel.org
+Fixes: 7cee6d4e6035 ("md/raid10: end bio when the device faulty")
+Signed-off-by: Wei Shuyu <wsy@dogben.com>
+Acked-by: Guoqing Jiang <jiangguoqing@kylinos.cn>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid1.c | 2 --
+ drivers/md/raid10.c | 4 ++--
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -472,8 +472,6 @@ static void raid1_end_write_request(stru
+ /*
+ * When the device is faulty, it is not necessary to
+ * handle write error.
+- * For failfast, this is the only remaining device,
+- * We need to retry the write without FailFast.
+ */
+ if (!test_bit(Faulty, &rdev->flags))
+ set_bit(R1BIO_WriteError, &r1_bio->state);
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -470,12 +470,12 @@ static void raid10_end_write_request(str
+ /*
+ * When the device is faulty, it is not necessary to
+ * handle write error.
+- * For failfast, this is the only remaining device,
+- * We need to retry the write without FailFast.
+ */
+ if (!test_bit(Faulty, &rdev->flags))
+ set_bit(R10BIO_WriteError, &r10_bio->state);
+ else {
++ /* Fail the request */
++ set_bit(R10BIO_Degraded, &r10_bio->state);
+ r10_bio->devs[slot].bio = NULL;
+ to_put = bio;
+ dec_rdev = 1;
--- /dev/null
+From e39cdacf2f664b09029e7c1eb354c91a20c367af Mon Sep 17 00:00:00 2001
+From: Zheyu Ma <zheyuma97@gmail.com>
+Date: Tue, 22 Jun 2021 07:11:31 +0000
+Subject: pcmcia: i82092: fix a null pointer dereference bug
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+commit e39cdacf2f664b09029e7c1eb354c91a20c367af upstream.
+
+During the driver loading process, the 'dev' field was not assigned, but
+the 'dev' field was referenced in the subsequent 'i82092aa_set_mem_map'
+function.
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+CC: <stable@vger.kernel.org>
+[linux@dominikbrodowski.net: shorten commit message, add Cc to stable]
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pcmcia/i82092.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pcmcia/i82092.c
++++ b/drivers/pcmcia/i82092.c
+@@ -112,6 +112,7 @@ static int i82092aa_pci_probe(struct pci
+ for (i = 0; i < socket_count; i++) {
+ sockets[i].card_state = 1; /* 1 = present but empty */
+ sockets[i].io_base = pci_resource_start(dev, 0);
++ sockets[i].dev = dev;
+ sockets[i].socket.features |= SS_CAP_PCCARD;
+ sockets[i].socket.map_size = 0x1000;
+ sockets[i].socket.irq_mask = 0;
--- /dev/null
+From ec7099fdea8025988710ee6fecfd4e4210c29ab5 Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Date: Fri, 2 Jul 2021 15:37:12 +0200
+Subject: Revert "gpio: mpc8xxx: change the gpio interrupt flags."
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+commit ec7099fdea8025988710ee6fecfd4e4210c29ab5 upstream.
+
+This reverts commit 3d5bfbd9716318b1ca5c38488aa69f64d38a9aa5.
+
+When booting with threadirqs, it causes a splat
+
+ WARNING: CPU: 0 PID: 29 at kernel/irq/handle.c:159 __handle_irq_event_percpu+0x1ec/0x27c
+ irq 66 handler irq_default_primary_handler+0x0/0x1c enabled interrupts
+
+That splat later went away with commit 81e2073c175b ("genirq: Disable
+interrupts for force threaded handlers"), which got backported to
+-stable. However, when running an -rt kernel, the splat still
+exists. Moreover, quoting Thomas Gleixner [1]
+
+ But 3d5bfbd97163 ("gpio: mpc8xxx: change the gpio interrupt flags.")
+ has nothing to do with that:
+
+ "Delete the interrupt IRQF_NO_THREAD flags in order to gpio interrupts
+ can be threaded to allow high-priority processes to preempt."
+
+ This changelog is blatantly wrong. In mainline forced irq threads
+ have always been invoked with softirqs disabled, which obviously
+ makes them non-preemptible.
+
+So the patch didn't even do what its commit log said.
+
+[1] https://lore.kernel.org/lkml/871r8zey88.ffs@nanos.tec.linutronix.de/
+
+Cc: stable@vger.kernel.org # v5.9+
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-mpc8xxx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-mpc8xxx.c
++++ b/drivers/gpio/gpio-mpc8xxx.c
+@@ -396,7 +396,7 @@ static int mpc8xxx_probe(struct platform
+
+ ret = devm_request_irq(&pdev->dev, mpc8xxx_gc->irqn,
+ mpc8xxx_gpio_irq_cascade,
+- IRQF_SHARED, "gpio-cascade",
++ IRQF_NO_THREAD | IRQF_SHARED, "gpio-cascade",
+ mpc8xxx_gc);
+ if (ret) {
+ dev_err(&pdev->dev, "%s: failed to devm_request_irq(%d), ret = %d\n",
--- /dev/null
+From 4c156084daa8ee70978e4b150b5eb5fc7b1f15be Mon Sep 17 00:00:00 2001
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+Date: Thu, 29 Jul 2021 11:16:44 +0800
+Subject: selinux: correct the return value when loads initial sids
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+commit 4c156084daa8ee70978e4b150b5eb5fc7b1f15be upstream.
+
+It should not return 0 when SID 0 is assigned to isids.
+This patch fixes it.
+
+Cc: stable@vger.kernel.org
+Fixes: e3e0b582c321a ("selinux: remove unused initial SIDs and improve handling")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+[PM: remove changelog from description]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/ss/policydb.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/security/selinux/ss/policydb.c
++++ b/security/selinux/ss/policydb.c
+@@ -874,7 +874,7 @@ int policydb_load_isids(struct policydb
+ rc = sidtab_init(s);
+ if (rc) {
+ pr_err("SELinux: out of memory on SID table init\n");
+- goto out;
++ return rc;
+ }
+
+ head = p->ocontexts[OCON_ISID];
+@@ -885,7 +885,7 @@ int policydb_load_isids(struct policydb
+ if (sid == SECSID_NULL) {
+ pr_err("SELinux: SID 0 was assigned a context.\n");
+ sidtab_destroy(s);
+- goto out;
++ return -EINVAL;
+ }
+
+ /* Ignore initial SIDs unused by this kernel. */
+@@ -897,12 +897,10 @@ int policydb_load_isids(struct policydb
+ pr_err("SELinux: unable to load initial SID %s.\n",
+ name);
+ sidtab_destroy(s);
+- goto out;
++ return rc;
+ }
+ }
+- rc = 0;
+-out:
+- return rc;
++ return 0;
+ }
+
+ int policydb_class_isvalid(struct policydb *p, unsigned int class)
timers-move-clearing-of-base-timer_running-under-base-lock.patch
xfrm-fix-rcu-vs-hash_resize_mutex-lock-inversion.patch
net-xfrm-compat-copy-xfrm_spdattr_type_t-atributes.patch
+pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch
+selinux-correct-the-return-value-when-loads-initial-sids.patch
+bus-ti-sysc-am3-rng-is-gp-only.patch
+revert-gpio-mpc8xxx-change-the-gpio-interrupt-flags.patch
+arm-omap2-hwmod-fix-potential-null-pointer-access.patch
+md-raid10-properly-indicate-failure-when-ending-a-failed-write-request.patch
+kvm-x86-accept-userspace-interrupt-only-if-no-event-is-injected.patch
+kvm-do-not-leak-memory-for-duplicate-debugfs-directories.patch
+kvm-x86-mmu-fix-per-cpu-counter-corruption-on-32-bit-builds.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
