From: Greg Kroah-Hartman
Date: Tue, 16 Jun 2020 10:59:06 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v5.4.47~49
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=eb6a225908ae481e902175ac131264840404e2d4;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
kvm-arm64-make-vcpu_cp1x-work-on-big-endian-hosts.patch
kvm-mips-define-kvm_entryhi_asid-to-cpu_asid_mask-boot_cpu_data.patch
kvm-mips-fix-vpn2_mask-definition-for-variable-cpu_vmbits.patch
kvm-nsvm-leave-asid-aside-in-copy_vmcb_control_area.patch
kvm-nvmx-consult-only-the-basic-exit-reason-when-routing-nested-exit.patch
video-fbdev-w100fb-fix-a-potential-double-free.patch
---
diff --git a/queue-4.9/kvm-arm64-make-vcpu_cp1x-work-on-big-endian-hosts.patch b/queue-4.9/kvm-arm64-make-vcpu_cp1x-work-on-big-endian-hosts.patch
new file mode 100644
index 00000000000..62be64004e7
--- /dev/null
+++ b/queue-4.9/kvm-arm64-make-vcpu_cp1x-work-on-big-endian-hosts.patch
@@ -0,0 +1,45 @@
+From 3204be4109ad681523e3461ce64454c79278450a Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Tue, 9 Jun 2020 08:40:35 +0100
+Subject: KVM: arm64: Make vcpu_cp1x() work on Big Endian hosts
+
+From: Marc Zyngier
+
+commit 3204be4109ad681523e3461ce64454c79278450a upstream.
+
+AArch32 CP1x registers are overlayed on their AArch64 counterparts
+in the vcpu struct. This leads to an interesting problem as they
+are stored in their CPU-local format, and thus a CP1x register
+doesn't "hit" the lower 32bit portion of the AArch64 register on
+a BE host.
+
+To workaround this unfortunate situation, introduce a bias trick
+in the vcpu_cp1x() accessors which picks the correct half of the
+64bit register.
+
+Cc: stable@vger.kernel.org
+Reported-by: James Morse
+Tested-by: James Morse
+Acked-by: James Morse
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/include/asm/kvm_host.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_host.h
++++ b/arch/arm64/include/asm/kvm_host.h
+@@ -290,8 +290,10 @@ struct kvm_vcpu_arch {
+ * CP14 and CP15 live in the same array, as they are backed by the
+ * same system registers.
+ */
+-#define vcpu_cp14(v,r) ((v)->arch.ctxt.copro[(r)])
+-#define vcpu_cp15(v,r) ((v)->arch.ctxt.copro[(r)])
++#define CPx_BIAS IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)
++
++#define vcpu_cp14(v,r) ((v)->arch.ctxt.copro[(r) ^ CPx_BIAS])
++#define vcpu_cp15(v,r) ((v)->arch.ctxt.copro[(r) ^ CPx_BIAS])
+ 
+ #ifdef CONFIG_CPU_BIG_ENDIAN
+ #define vcpu_cp15_64_high(v,r) vcpu_cp15((v),(r))
diff --git a/queue-4.9/kvm-mips-define-kvm_entryhi_asid-to-cpu_asid_mask-boot_cpu_data.patch b/queue-4.9/kvm-mips-define-kvm_entryhi_asid-to-cpu_asid_mask-boot_cpu_data.patch
new file mode 100644
index 00000000000..cf99320e0a6
--- /dev/null
+++ b/queue-4.9/kvm-mips-define-kvm_entryhi_asid-to-cpu_asid_mask-boot_cpu_data.patch
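Review bot: The bias now applied inside `vcpu_cp15()` also changes what the BE-only helper visible at the end of the hunk, `#define vcpu_cp15_64_high(v,r) vcpu_cp15((v),(r))`, resolves to: on a big-endian host it now selects `copro[(r) ^ 1]` where it previously selected `copro[(r)]`, so the pre-existing BE special-casing of the 64bit accessors and the new XOR compose, and the patch does not say whether that double adjustment is intended; it is worth confirming on a BE host with a 64bit CP15 register and recording the answer in a comment. Independently, the trick deserves an explanation next to its definition, since the surrounding comment only says that CP14 and CP15 share the array and `CPx_BIAS` has no comment of its own, e.g. `/* A 32bit CP1x register is one half of a 64bit AArch64 register; on BE hosts the halves sit the other way round in memory, so flip the index's low bit. */`. The inner hunk is complete, but the `#else` half of the `CONFIG_CPU_BIG_ENDIAN` block it touches lies outside it.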
@@ -0,0 +1,45 @@
+From fe2b73dba47fb6d6922df1ad44e83b1754d5ed4d Mon Sep 17 00:00:00 2001
+From: Xing Li
+Date: Sat, 23 May 2020 15:56:28 +0800
+Subject: KVM: MIPS: Define KVM_ENTRYHI_ASID to cpu_asid_mask(&boot_cpu_data)
+
+From: Xing Li
+
+commit fe2b73dba47fb6d6922df1ad44e83b1754d5ed4d upstream.
+
+The code in decode_config4() of arch/mips/kernel/cpu-probe.c
+
+ asid_mask = MIPS_ENTRYHI_ASID;
+ if (config4 & MIPS_CONF4_AE)
+ asid_mask |= MIPS_ENTRYHI_ASIDX;
+ set_cpu_asid_mask(c, asid_mask);
+
+set asid_mask to cpuinfo->asid_mask.
+
+So in order to support variable ASID_MASK, KVM_ENTRYHI_ASID should also
+be changed to cpu_asid_mask(&boot_cpu_data).
+
+Cc: Stable #4.9+
+Reviewed-by: Aleksandar Markovic
+Signed-off-by: Xing Li
+[Huacai: Change current_cpu_data to boot_cpu_data for optimization]
+Signed-off-by: Huacai Chen
+Message-Id: <1590220602-3547-2-git-send-email-chenhc@lemote.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/include/asm/kvm_host.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/kvm_host.h
++++ b/arch/mips/include/asm/kvm_host.h
+@@ -244,7 +244,7 @@ enum emulation_result {
+ #define MIPS3_PG_FRAME 0x3fffffc0
+ 
+ #define VPN2_MASK 0xffffe000
+-#define KVM_ENTRYHI_ASID MIPS_ENTRYHI_ASID
++#define KVM_ENTRYHI_ASID cpu_asid_mask(&boot_cpu_data)
+ #define TLB_IS_GLOBAL(x) ((x).tlb_lo[0] & (x).tlb_lo[1] & ENTRYLO_G)
+ #define TLB_VPN2(x) ((x).tlb_hi & VPN2_MASK)
+ #define TLB_ASID(x) ((x).tlb_hi & KVM_ENTRYHI_ASID)
diff --git a/queue-4.9/kvm-mips-fix-vpn2_mask-definition-for-variable-cpu_vmbits.patch b/queue-4.9/kvm-mips-fix-vpn2_mask-definition-for-variable-cpu_vmbits.patch
new file mode 100644
index 00000000000..4e4d0437bcd
--- /dev/null
+++ b/queue-4.9/kvm-mips-fix-vpn2_mask-definition-for-variable-cpu_vmbits.patch
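Review bot: `KVM_ENTRYHI_ASID` keeps its constant-looking name but now expands to a call, `cpu_asid_mask(&boot_cpu_data)`, so the `TLB_ASID(x)` macro in the context lines below turns every use into a runtime read of `boot_cpu_data`, and the header now relies on `cpu_asid_mask` and `boot_cpu_data` being declared before it is included, which the hunk does not show. A one-line comment would stop readers from treating it as a compile-time constant, e.g. `/* Not a constant: the ASID width is probed at boot (see decode_config4()). */`. The same point applies to the `CONFIG_64BIT` branch of `VPN2_MASK` in the next patch, `GENMASK(cpu_vmbits - 1, 13)`, which is presumably fine where the macro is only masked against `tlb_hi` but would need attention if either macro were ever used where a constant expression is required.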
@@ -0,0 +1,43 @@
+From 5816c76dea116a458f1932eefe064e35403248eb Mon Sep 17 00:00:00 2001
+From: Xing Li
+Date: Sat, 23 May 2020 15:56:29 +0800
+Subject: KVM: MIPS: Fix VPN2_MASK definition for variable cpu_vmbits
+
+From: Xing Li
+
+commit 5816c76dea116a458f1932eefe064e35403248eb upstream.
+
+If a CPU support more than 32bit vmbits (which is true for 64bit CPUs),
+VPN2_MASK set to fixed 0xffffe000 will lead to a wrong EntryHi in some
+functions such as _kvm_mips_host_tlb_inv().
+
+The cpu_vmbits definition of 32bit CPU in cpu-features.h is 31, so we
+still use the old definition.
+
+Cc: Stable
+Reviewed-by: Aleksandar Markovic
+Signed-off-by: Xing Li
+[Huacai: Improve commit messages]
+Signed-off-by: Huacai Chen
+Message-Id: <1590220602-3547-3-git-send-email-chenhc@lemote.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/include/asm/kvm_host.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/mips/include/asm/kvm_host.h
++++ b/arch/mips/include/asm/kvm_host.h
+@@ -243,7 +243,11 @@ enum emulation_result {
+ #define MIPS3_PG_SHIFT 6
+ #define MIPS3_PG_FRAME 0x3fffffc0
+ 
++#if defined(CONFIG_64BIT)
++#define VPN2_MASK GENMASK(cpu_vmbits - 1, 13)
++#else
+ #define VPN2_MASK 0xffffe000
++#endif
+ #define KVM_ENTRYHI_ASID cpu_asid_mask(&boot_cpu_data)
+ #define TLB_IS_GLOBAL(x) ((x).tlb_lo[0] & (x).tlb_lo[1] & ENTRYLO_G)
+ #define TLB_VPN2(x) ((x).tlb_hi & VPN2_MASK)
diff --git a/queue-4.9/kvm-nsvm-leave-asid-aside-in-copy_vmcb_control_area.patch b/queue-4.9/kvm-nsvm-leave-asid-aside-in-copy_vmcb_control_area.patch
new file mode 100644
index 00000000000..7a51d763ca2
--- /dev/null
+++ b/queue-4.9/kvm-nsvm-leave-asid-aside-in-copy_vmcb_control_area.patch
@@ -0,0 +1,32 @@
+From 6c0238c4a62b3a0b1201aeb7e33a4636d552a436 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Wed, 20 May 2020 08:02:17 -0400
+Subject: KVM: nSVM: leave ASID aside in copy_vmcb_control_area
+
+From: Paolo Bonzini
+
+commit 6c0238c4a62b3a0b1201aeb7e33a4636d552a436 upstream.
+
+Restoring the ASID from the hsave area on VMEXIT is wrong, because its
+value depends on the handling of TLB flushes. Just skipping the field in
+copy_vmcb_control_area will do.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/svm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -2734,7 +2734,7 @@ static inline void copy_vmcb_control_are
+ dst->iopm_base_pa = from->iopm_base_pa;
+ dst->msrpm_base_pa = from->msrpm_base_pa;
+ dst->tsc_offset = from->tsc_offset;
+- dst->asid = from->asid;
++ /* asid not copied, it is handled manually for svm->vmcb. */
+ dst->tlb_ctl = from->tlb_ctl;
+ dst->int_ctl = from->int_ctl;
+ dst->int_vector = from->int_vector;
diff --git a/queue-4.9/kvm-nvmx-consult-only-the-basic-exit-reason-when-routing-nested-exit.patch b/queue-4.9/kvm-nvmx-consult-only-the-basic-exit-reason-when-routing-nested-exit.patch
new file mode 100644
index 00000000000..33d4d5f366e
--- /dev/null
+++ b/queue-4.9/kvm-nvmx-consult-only-the-basic-exit-reason-when-routing-nested-exit.patch
@@ -0,0 +1,51 @@
+From 2ebac8bb3c2d35f5135466490fc8eeaf3f3e2d37 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Thu, 27 Feb 2020 09:44:30 -0800
+Subject: KVM: nVMX: Consult only the "basic" exit reason when routing nested exit
+
+From: Sean Christopherson
+
+commit 2ebac8bb3c2d35f5135466490fc8eeaf3f3e2d37 upstream.
+
+Consult only the basic exit reason, i.e. bits 15:0 of vmcs.EXIT_REASON,
+when determining whether a nested VM-Exit should be reflected into L1 or
+handled by KVM in L0.
+
+For better or worse, the switch statement in nested_vmx_exit_reflected()
+currently defaults to "true", i.e. reflects any nested VM-Exit without
+dedicated logic. Because the case statements only contain the basic
+exit reason, any VM-Exit with modifier bits set will be reflected to L1,
+even if KVM intended to handle it in L0.
+
+Practically speaking, this only affects EXIT_REASON_MCE_DURING_VMENTRY,
+i.e. a #MC that occurs on nested VM-Enter would be incorrectly routed to
+L1, as "failed VM-Entry" is the only modifier that KVM can currently
+encounter. The SMM modifiers will never be generated as KVM doesn't
+support/employ a SMI Transfer Monitor. Ditto for "exit from enclave",
+as KVM doesn't yet support virtualizing SGX, i.e. it's impossible to
+enter an enclave in a KVM guest (L1 or L2).
+
+Fixes: 644d711aa0e1 ("KVM: nVMX: Deciding if L0 or L1 should handle an L2 exit")
+Cc: Jim Mattson
+Cc: Xiaoyao Li
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-Id: <20200227174430.26371-1-sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -8207,7 +8207,7 @@ static bool nested_vmx_exit_handled(stru
+ return true;
+ }
+ 
+- switch (exit_reason) {
++ switch ((u16)exit_reason) {
+ case EXIT_REASON_EXCEPTION_NMI:
+ if (is_nmi(intr_info))
+ return false;
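Review bot: The cast in `switch ((u16)exit_reason) {` is the entire fix but carries no explanation in the code, and a reader of the 4.9 tree will not have the upstream commit message at hand. Suggest a comment above the switch such as `/* Route on the basic exit reason (bits 15:0) only; modifier bits, e.g. a failed VM-Entry, must not push an L0-handled exit into the default case that reflects it to L1. */`. The enclosing function, `nested_vmx_exit_handled()`, starts outside the hunk, and the `return true;` in the context lines above suggests the earlier checks still compare the full `exit_reason`, which is presumably intended but worth a glance since this backport renames nothing else.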
diff --git a/queue-4.9/series b/queue-4.9/series
index a675ce3dc17..df58ede703a 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -34,3 +34,9 @@ spi-pxa2xx-fix-controller-unregister-order.patch
 spi-bcm2835-fix-controller-unregister-order.patch
 ovl-initialize-error-in-ovl_copy_xattr.patch
 proc-use-new_inode-not-new_inode_pseudo.patch
+video-fbdev-w100fb-fix-a-potential-double-free.patch
+kvm-nsvm-leave-asid-aside-in-copy_vmcb_control_area.patch
+kvm-nvmx-consult-only-the-basic-exit-reason-when-routing-nested-exit.patch
+kvm-mips-define-kvm_entryhi_asid-to-cpu_asid_mask-boot_cpu_data.patch
+kvm-mips-fix-vpn2_mask-definition-for-variable-cpu_vmbits.patch
+kvm-arm64-make-vcpu_cp1x-work-on-big-endian-hosts.patch
diff --git a/queue-4.9/video-fbdev-w100fb-fix-a-potential-double-free.patch b/queue-4.9/video-fbdev-w100fb-fix-a-potential-double-free.patch
new file mode 100644
index 00000000000..b6b2ee1952f
--- /dev/null
+++ b/queue-4.9/video-fbdev-w100fb-fix-a-potential-double-free.patch
@@ -0,0 +1,50 @@
+From 18722d48a6bb9c2e8d046214c0a5fd19d0a7c9f6 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Wed, 6 May 2020 20:19:02 +0200
+Subject: video: fbdev: w100fb: Fix a potential double free.
+
+From: Christophe JAILLET
+
+commit 18722d48a6bb9c2e8d046214c0a5fd19d0a7c9f6 upstream.
+
+Some memory is vmalloc'ed in the 'w100fb_save_vidmem' function and freed in
+the 'w100fb_restore_vidmem' function. (these functions are called
+respectively from the 'suspend' and the 'resume' functions)
+
+However, it is also freed in the 'remove' function.
+
+In order to avoid a potential double free, set the corresponding pointer
+to NULL once freed in the 'w100fb_restore_vidmem' function.
+
+Fixes: aac51f09d96a ("[PATCH] w100fb: Rewrite for platform independence")
+Cc: Richard Purdie
+Cc: Antonino Daplas
+Cc: Bartlomiej Zolnierkiewicz
+Cc: # v2.6.14+
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Sam Ravnborg
+Link: https://patchwork.freedesktop.org/patch/msgid/20200506181902.193290-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/fbdev/w100fb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/video/fbdev/w100fb.c
++++ b/drivers/video/fbdev/w100fb.c
+@@ -583,6 +583,7 @@ static void w100fb_restore_vidmem(struct
+ memsize=par->mach->mem->size;
+ memcpy_toio(remapped_fbuf + (W100_FB_BASE-MEM_WINDOW_BASE), par->saved_extmem, memsize);
+ vfree(par->saved_extmem);
++ par->saved_extmem = NULL;
+ }
+ if (par->saved_intmem) {
+ memsize=MEM_INT_SIZE;
+@@ -591,6 +592,7 @@ static void w100fb_restore_vidmem(struct
+ else
+ memcpy_toio(remapped_fbuf + (W100_FB_BASE-MEM_WINDOW_BASE), par->saved_intmem, memsize);
+ vfree(par->saved_intmem);
++ par->saved_intmem = NULL;
+ }
+ }
+