1. 05 Dec, 2021 10 commits
    • Linus Torvalds's avatar
      Merge tag 'usb-5.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 94420704
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are some small USB fixes for a few reported issues. Included in
        here are:
      
         - xhci fix for a _much_ reported regression. I don't think there's a
           community distro that has not reported this problem yet :(
      
         - new USB quirk addition
      
         - cdns3 minor fixes
      
         - typec regression fix.
      
        All of these have been in linux-next with no reported problems, and
        the xhci fix has been reported by many to resolve their reported
        problem"
      
      * tag 'usb-5.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init()
        usb: cdns3: gadget: fix new urb never complete if ep cancel previous requests
        usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect
        USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub
        xhci: Fix commad ring abort, write all 64 bits to CRCR register.
      94420704
    • Linus Torvalds's avatar
      Merge tag 'tty-5.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 51639539
      Linus Torvalds authored
      Pull tty/serial fixes from Greg KH:
       "Here are some small TTY and Serial driver fixes for 5.16-rc4 to
        resolve a number of reported problems.
      
        They include:
      
         - liteuart serial driver fixes
      
         - 8250_pci serial driver fixes for pericom devices
      
         - 8250 RTS line control fix while in RS-485 mode
      
         - tegra serial driver fix
      
         - msm_serial driver fix
      
         - pl011 serial driver new id
      
         - fsl_lpuart revert of broken change
      
         - 8250_bcm7271 serial driver fix
      
         - MAINTAINERS file update for rpmsg tty driver that came in 5.16-rc1
      
         - vgacon fix for reported problem
      
        All of these, except for the 8250_bcm7271 fix have been in linux-next
        with no reported problem. The 8250_bcm7271 fix was added to the tree
        on Friday so no chance to be linux-next yet. But it should be fine as
        the affected developers submitted it"
      
      * tag 'tty-5.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        serial: 8250_bcm7271: UART errors after resuming from S2
        serial: 8250_pci: rewrite pericom_do_set_divisor()
        serial: 8250_pci: Fix ACCES entries in pci_serial_quirks array
        serial: 8250: Fix RTS modem control while in rs485 mode
        Revert "tty: serial: fsl_lpuart: drop earlycon entry for i.MX8QXP"
        serial: tegra: Change lower tolerance baud rate limit for tegra20 and tegra30
        serial: liteuart: relax compile-test dependencies
        serial: liteuart: fix minor-number leak on probe errors
        serial: liteuart: fix use-after-free and memleak on unbind
        serial: liteuart: Fix NULL pointer dereference in ->remove()
        vgacon: Propagate console boot parameters before calling `vc_resize'
        tty: serial: msm_serial: Deactivate RX DMA for polling support
        serial: pl011: Add ACPI SBSA UART match id
        serial: core: fix transmit-buffer reset and memleak
        MAINTAINERS: Add rpmsg tty driver maintainer
      51639539
    • Linus Torvalds's avatar
      Merge tag 'timers_urgent_for_v5.16_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 7587a4a5
      Linus Torvalds authored
      Pull timer fix from Borislav Petkov:
      
       - Prevent a tick storm when a dedicated timekeeper CPU in nohz_full
         mode runs for prolonged periods with interrupts disabled and ends up
         programming the next tick in the past, leading to that storm
      
      * tag 'timers_urgent_for_v5.16_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        timers/nohz: Last resort update jiffies on nohz_full IRQ entry
      7587a4a5
    • Linus Torvalds's avatar
      Merge tag 'sched_urgent_for_v5.16_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 1d213767
      Linus Torvalds authored
      Pull scheduler fixes from Borislav Petkov:
      
       - Properly init uclamp_flags of a runqueue, on first enqueuing
      
       - Fix preempt= callback return values
      
       - Correct utime/stime resource usage reporting on nohz_full to return
         the proper times instead of shorter ones
      
      * tag 'sched_urgent_for_v5.16_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/uclamp: Fix rq->uclamp_max not set on first enqueue
        preempt/dynamic: Fix setup_preempt_mode() return value
        sched/cputime: Fix getrusage(RUSAGE_THREAD) with nohz_full
      1d213767
    • Linus Torvalds's avatar
      Merge tag 'x86_urgent_for_v5.16_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · f5d54a42
      Linus Torvalds authored
      Pull x86 fixes from Borislav Petkov:
      
       - Fix a couple of SWAPGS fencing issues in the x86 entry code
      
       - Use the proper operand types in __{get,put}_user() to prevent
         truncation in SEV-ES string io
      
       - Make sure the kernel mappings are present in trampoline_pgd in order
         to prevent any potential accesses to unmapped memory after switching
         to it
      
       - Fix a trivial list corruption in objtool's pv_ops validation
      
       - Disable the clocksource watchdog for TSC on platforms which claim
         that the TSC is constant, doesn't stop in sleep states, CPU has TSC
         adjust and the number of sockets of the platform are max 2, to
         prevent erroneous markings of the TSC as unstable.
      
       - Make sure TSC adjust is always checked not only when going idle
      
       - Prevent a stack leak by initializing struct _fpx_sw_bytes properly in
         the FPU code
      
       - Fix INTEL_FAM6_RAPTORLAKE define naming to adhere to the convention
      
      * tag 'x86_urgent_for_v5.16_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/xen: Add xenpv_restore_regs_and_return_to_usermode()
        x86/entry: Use the correct fence macro after swapgs in kernel CR3
        x86/entry: Add a fence for kernel entry SWAPGS in paranoid_entry()
        x86/sev: Fix SEV-ES INS/OUTS instructions for word, dword, and qword
        x86/64/mm: Map all kernel memory into trampoline_pgd
        objtool: Fix pv_ops noinstr validation
        x86/tsc: Disable clocksource watchdog for TSC on qualified platorms
        x86/tsc: Add a timer to make sure TSC_adjust is always checked
        x86/fpu/signal: Initialize sw_bytes in save_xstate_epilog()
        x86/cpu: Drop spurious underscore from RAPTOR_LAKE #define
      f5d54a42
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 90bf8d98
      Linus Torvalds authored
      Pull more kvm fixes from Paolo Bonzini:
      
       - Static analysis fix
      
       - New SEV-ES protocol for communicating invalid VMGEXIT requests
      
       - Ensure APICv is considered inactive if there is no APIC
      
       - Fix reserved bits for AMD PerfEvtSeln register
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: SVM: Do not terminate SEV-ES guests on GHCB validation failure
        KVM: SEV: Fall back to vmalloc for SEV-ES scratch area if necessary
        KVM: SEV: Return appropriate error codes if SEV-ES scratch setup fails
        KVM: x86/mmu: Retry page fault if root is invalidated by memslot update
        KVM: VMX: Set failure code in prepare_vmcs02()
        KVM: ensure APICv is considered inactive if there is no APIC
        KVM: x86/pmu: Fix reserved bits for AMD PerfEvtSeln register
      90bf8d98
    • Tom Lendacky's avatar
      KVM: SVM: Do not terminate SEV-ES guests on GHCB validation failure · ad5b3532
      Tom Lendacky authored
      Currently, an SEV-ES guest is terminated if the validation of the VMGEXIT
      exit code or exit parameters fails.
      
      The VMGEXIT instruction can be issued from userspace, even though
      userspace (likely) can't update the GHCB. To prevent userspace from being
      able to kill the guest, return an error through the GHCB when validation
      fails rather than terminating the guest. For cases where the GHCB can't be
      updated (e.g. the GHCB can't be mapped, etc.), just return back to the
      guest.
      
      The new error codes are documented in the lasest update to the GHCB
      specification.
      
      Fixes: 291bd20d ("KVM: SVM: Add initial support for a VMGEXIT VMEXIT")
      Signed-off-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Message-Id: <b57280b5562893e2616257ac9c2d4525a9aeeb42.1638471124.git.thomas.lendacky@amd.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      ad5b3532
    • Sean Christopherson's avatar
      KVM: SEV: Fall back to vmalloc for SEV-ES scratch area if necessary · a655276a
      Sean Christopherson authored
      Use kvzalloc() to allocate KVM's buffer for SEV-ES's GHCB scratch area so
      that KVM falls back to __vmalloc() if physically contiguous memory isn't
      available.  The buffer is purely a KVM software construct, i.e. there's
      no need for it to be physically contiguous.
      
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20211109222350.2266045-3-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      a655276a
    • Sean Christopherson's avatar
      KVM: SEV: Return appropriate error codes if SEV-ES scratch setup fails · 75236f5f
      Sean Christopherson authored
      Return appropriate error codes if setting up the GHCB scratch area for an
      SEV-ES guest fails.  In particular, returning -EINVAL instead of -ENOMEM
      when allocating the kernel buffer could be confusing as userspace would
      likely suspect a guest issue.
      
      Fixes: 8f423a80 ("KVM: SVM: Support MMIO for an SEV-ES guest")
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20211109222350.2266045-2-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      75236f5f
    • Linus Torvalds's avatar
      Merge tag 'xfs-5.16-fixes-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 79a72162
      Linus Torvalds authored
      Pull xfs fix from Darrick Wong:
       "Remove an unnecessary (and backwards) rename flags check that
        duplicates a VFS level check"
      
      * tag 'xfs-5.16-fixes-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: remove incorrect ASSERT in xfs_rename
      79a72162
  2. 04 Dec, 2021 7 commits
  3. 03 Dec, 2021 23 commits
    • Linus Torvalds's avatar
      Merge tag 'vfio-v5.16-rc4' of git://github.com/awilliam/linux-vfio · 12119cfa
      Linus Torvalds authored
      Pull VFIO fixes from Alex Williamson:
      
       - Fix OpRegion pointer arithmetic (Zhenyu Wang)
      
       - Fix comment format triggering kernel-doc warnings (Randy Dunlap)
      
      * tag 'vfio-v5.16-rc4' of git://github.com/awilliam/linux-vfio:
        vfio/pci: Fix OpRegion read
        vfio: remove all kernel-doc notation
      12119cfa
    • Linus Torvalds's avatar
      Merge tag 'pm-5.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 4ec6afd6
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix a CPU hot-add issue in the cpufreq core, fix a comment in
        the cpufreq core code and update its documentation, and disable the
        DTPM (Dynamic Thermal Power Management) code for the time being to
        prevent it from causing issues to appear.
      
        Specifics:
      
         - Disable DTPM for this cycle to prevent it from causing issues to
           appear on otherwise functional systems (Daniel Lezcano)
      
         - Fix cpufreq sysfs interface failure related to physical CPU hot-add
           (Xiongfeng Wang)
      
         - Fix comment in cpufreq core and update its documentation (Tang
           Yizhou)"
      
      * tag 'pm-5.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        powercap: DTPM: Drop unused local variable from init_dtpm()
        cpufreq: docs: Update core.rst
        cpufreq: Fix a comment in cpufreq_policy_free
        powercap/drivers/dtpm: Disable DTPM at boot time
        cpufreq: Fix get_cpu_device() failure in add_cpu_dev_symlink()
      4ec6afd6
    • Linus Torvalds's avatar
      Merge tag 's390-5.16-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 757f3e6d
      Linus Torvalds authored
      Pull s390 fixes from Heiko Carstens:
      
       - Fix potential overlap of pseudo-MMIO addresses with MIO addresses
      
       - Fix stack unwinder test case inline assembly compile error that
         happens with LLVM's integrated assembler
      
       - Update defconfigs
      
      * tag 's390-5.16-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: update defconfigs
        s390/pci: move pseudo-MMIO to prevent MIO overlap
        s390/test_unwind: use raw opcode instead of invalid instruction
      757f3e6d
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · a2aeaeab
      Linus Torvalds authored
      Pull arm64 fixes from Will Deacon:
       "Three arm64 fixes for -rc4.
      
        One of them is just a trivial documentation fix, whereas the other two
        address a warning in the kexec code and a crash in ftrace on systems
        implementing BTI.
      
        The latter patch has a couple of ugly ifdefs which Mark plans to clean
        up separately, but as-is the patch is straightforward for backporting
        to stable kernels.
      
        Summary:
      
         - Add missing BTI landing instructions to the ftrace*_caller
           trampolines
      
         - Fix kexec() WARN when DEBUG_VIRTUAL is enabled
      
         - Fix PAC documentation by removing stale references to compiler
           flags"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: ftrace: add missing BTIs
        arm64: kexec: use __pa_symbol(empty_zero_page)
        arm64: update PAC description for kernel
      a2aeaeab
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · f66062c7
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "I2C has another set of driver bugfixes, mostly for the stm32f7 driver"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: rk3x: Handle a spurious start completion interrupt flag
        i2c: stm32f7: use proper DMAENGINE API for termination
        i2c: stm32f7: stop dma transfer in case of NACK
        i2c: stm32f7: recover the bus on access timeout
        i2c: stm32f7: flush TX FIFO upon transfer errors
        i2c: cbus-gpio: set atomic transfer callback
      f66062c7
    • Linus Torvalds's avatar
      Merge tag 'libata-5.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata · a44f27e4
      Linus Torvalds authored
      Pull libata fixes from Damien Le Moal:
       "Two sparse warning fixes and a couple of patches to fix an issue with
        sata_fsl driver module removal:
      
         - A couple of patches to avoid sparse warnings in libata-sata and in
           the pata_falcon driver (from Yang and Finn).
      
         - A couple of sata_fsl driver patches fixing IRQ free and proc
           unregister on module removal (from Baokun)"
      
      * tag 'libata-5.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
        ata: replace snprintf in show functions with sysfs_emit
        sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
        sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
        pata_falcon: Avoid type warnings from sparse
      a44f27e4
    • Shyam Prasad N's avatar
      cifs: avoid use of dstaddr as key for fscache client cookie · bbb9db5e
      Shyam Prasad N authored
      server->dstaddr can change when the DNS mapping for the
      server hostname changes. But conn_id is a u64 counter
      that is incremented each time a new TCP connection
      is setup. So use only that as a key.
      Signed-off-by: default avatarShyam Prasad N <sprasad@microsoft.com>
      Reviewed-by: default avatarPaulo Alcantara (SUSE) <pc@cjr.nz>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      bbb9db5e
    • Shyam Prasad N's avatar
      cifs: add server conn_id to fscache client cookie · 2adc8200
      Shyam Prasad N authored
      The fscache client cookie uses the server address
      (and port) as the cookie key. This is a problem when
      nosharesock is used. Two different connections will
      use duplicate cookies. Avoid this by adding
      server->conn_id to the key, so that it's guaranteed
      that cookie will not be duplicated.
      
      Also, for secondary channels of a session, copy the
      fscache pointer from the primary channel. The primary
      channel is guaranteed not to go away as long as secondary
      channels are in use.  Also addresses minor problem found
      by kernel test robot.
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Signed-off-by: default avatarShyam Prasad N <sprasad@microsoft.com>
      Reviewed-by: default avatarPaulo Alcantara (SUSE) <pc@cjr.nz>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      2adc8200
    • Shyam Prasad N's avatar
      cifs: wait for tcon resource_id before getting fscache super · 5bf91ef0
      Shyam Prasad N authored
      The logic for initializing tcon->resource_id is done inside
      cifs_root_iget. fscache super cookie relies on this for aux
      data. So we need to push the fscache initialization to this
      later point during mount.
      Signed-off-by: default avatarShyam Prasad N <sprasad@microsoft.com>
      Reviewed-by: default avatarPaulo Alcantara (SUSE) <pc@cjr.nz>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      5bf91ef0
    • Paulo Alcantara's avatar
      cifs: fix missed refcounting of ipc tcon · 65de262a
      Paulo Alcantara authored
      Fix missed refcounting of IPC tcon used for getting domain-based DFS
      root referrals.  We want to keep it alive as long as mount is active
      and can be refreshed.  For standalone DFS root referrals it wouldn't
      be a problem as the client ends up having an IPC tcon for both mount
      and cache.
      
      Fixes: c88f7dcd ("cifs: support nested dfs links over reconnect")
      Signed-off-by: default avatarPaulo Alcantara (SUSE) <pc@cjr.nz>
      Reviewed-by: default avatarEnzo Matsumiya <ematsumiya@suse.de>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      65de262a
    • Lai Jiangshan's avatar
      x86/xen: Add xenpv_restore_regs_and_return_to_usermode() · 5c8f6a2e
      Lai Jiangshan authored
      In the native case, PER_CPU_VAR(cpu_tss_rw + TSS_sp0) is the
      trampoline stack. But XEN pv doesn't use trampoline stack, so
      PER_CPU_VAR(cpu_tss_rw + TSS_sp0) is also the kernel stack.
      
      In that case, source and destination stacks are identical, which means
      that reusing swapgs_restore_regs_and_return_to_usermode() in XEN pv
      would cause %rsp to move up to the top of the kernel stack and leave the
      IRET frame below %rsp.
      
      This is dangerous as it can be corrupted if #NMI / #MC hit as either of
      these events occurring in the middle of the stack pushing would clobber
      data on the (original) stack.
      
      And, with  XEN pv, swapgs_restore_regs_and_return_to_usermode() pushing
      the IRET frame on to the original address is useless and error-prone
      when there is any future attempt to modify the code.
      
       [ bp: Massage commit message. ]
      
      Fixes: 7f2590a1 ("x86/entry/64: Use a per-CPU trampoline stack for IDT entries")
      Signed-off-by: default avatarLai Jiangshan <laijs@linux.alibaba.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Link: https://lkml.kernel.org/r/20211126101209.8613-4-jiangshanlai@gmail.com
      5c8f6a2e
    • Lai Jiangshan's avatar
      x86/entry: Use the correct fence macro after swapgs in kernel CR3 · 1367afaa
      Lai Jiangshan authored
      The commit
      
        c7589070 ("x86/entry/64: Remove unneeded kernel CR3 switching")
      
      removed a CR3 write in the faulting path of load_gs_index().
      
      But the path's FENCE_SWAPGS_USER_ENTRY has no fence operation if PTI is
      enabled, see spectre_v1_select_mitigation().
      
      Rather, it depended on the serializing CR3 write of SWITCH_TO_KERNEL_CR3
      and since it got removed, add a FENCE_SWAPGS_KERNEL_ENTRY call to make
      sure speculation is blocked.
      
       [ bp: Massage commit message and comment. ]
      
      Fixes: c7589070 ("x86/entry/64: Remove unneeded kernel CR3 switching")
      Signed-off-by: default avatarLai Jiangshan <laijs@linux.alibaba.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Acked-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Link: https://lkml.kernel.org/r/20211126101209.8613-3-jiangshanlai@gmail.com
      1367afaa
    • Linus Torvalds's avatar
      fget: check that the fd still exists after getting a ref to it · 054aa8d4
      Linus Torvalds authored
      Jann Horn points out that there is another possible race wrt Unix domain
      socket garbage collection, somewhat reminiscent of the one fixed in
      commit cbcf0112 ("af_unix: fix garbage collect vs MSG_PEEK").
      
      See the extended comment about the garbage collection requirements added
      to unix_peek_fds() by that commit for details.
      
      The race comes from how we can locklessly look up a file descriptor just
      as it is in the process of being closed, and with the right artificial
      timing (Jann added a few strategic 'mdelay(500)' calls to do that), the
      Unix domain socket garbage collector could see the reference count
      decrement of the close() happen before fget() took its reference to the
      file and the file was attached onto a new file descriptor.
      
      This is all (intentionally) correct on the 'struct file *' side, with
      RCU lookups and lockless reference counting very much part of the
      design.  Getting that reference count out of order isn't a problem per
      se.
      
      But the garbage collector can get confused by seeing this situation of
      having seen a file not having any remaining external references and then
      seeing it being attached to an fd.
      
      In commit cbcf0112 ("af_unix: fix garbage collect vs MSG_PEEK") the
      fix was to serialize the file descriptor install with the garbage
      collector by taking and releasing the unix_gc_lock.
      
      That's not really an option here, but since this all happens when we are
      in the process of looking up a file descriptor, we can instead simply
      just re-check that the file hasn't been closed in the meantime, and just
      re-do the lookup if we raced with a concurrent close() of the same file
      descriptor.
      Reported-and-tested-by: default avatarJann Horn <jannh@google.com>
      Acked-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      054aa8d4
    • Lai Jiangshan's avatar
      x86/entry: Add a fence for kernel entry SWAPGS in paranoid_entry() · c07e4555
      Lai Jiangshan authored
      Commit
      
        18ec54fd ("x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations")
      
      added FENCE_SWAPGS_{KERNEL|USER}_ENTRY for conditional SWAPGS. In
      paranoid_entry(), it uses only FENCE_SWAPGS_KERNEL_ENTRY for both
      branches. This is because the fence is required for both cases since the
      CR3 write is conditional even when PTI is enabled.
      
      But
      
        96b23714 ("x86/entry/64: Switch CR3 before SWAPGS in paranoid entry")
      
      changed the order of SWAPGS and the CR3 write. And it missed the needed
      FENCE_SWAPGS_KERNEL_ENTRY for the user gsbase case.
      
      Add it back by changing the branches so that FENCE_SWAPGS_KERNEL_ENTRY
      can cover both branches.
      
        [ bp: Massage, fix typos, remove obsolete comment while at it. ]
      
      Fixes: 96b23714 ("x86/entry/64: Switch CR3 before SWAPGS in paranoid entry")
      Signed-off-by: default avatarLai Jiangshan <laijs@linux.alibaba.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Link: https://lkml.kernel.org/r/20211126101209.8613-2-jiangshanlai@gmail.com
      c07e4555
    • Rafael J. Wysocki's avatar
      Merge branch 'powercap' · 404c9121
      Rafael J. Wysocki authored
      Merge DTPM fixes for 5.16-rc4.
      
      * powercap:
        powercap: DTPM: Drop unused local variable from init_dtpm()
        powercap/drivers/dtpm: Disable DTPM at boot time
      404c9121
    • Michael Sterritt's avatar
      x86/sev: Fix SEV-ES INS/OUTS instructions for word, dword, and qword · 1d5379d0
      Michael Sterritt authored
      Properly type the operands being passed to __put_user()/__get_user().
      Otherwise, these routines truncate data for dependent instructions
      (e.g., INSW) and only read/write one byte.
      
      This has been tested by sending a string with REP OUTSW to a port and
      then reading it back in with REP INSW on the same port.
      
      Previous behavior was to only send and receive the first char of the
      size. For example, word operations for "abcd" would only read/write
      "ac". With change, the full string is now written and read back.
      
      Fixes: f980f9c3 (x86/sev-es: Compile early handler code into kernel image)
      Signed-off-by: default avatarMichael Sterritt <sterritt@google.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Reviewed-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Reviewed-by: default avatarMarc Orr <marcorr@google.com>
      Reviewed-by: default avatarPeter Gonda <pgonda@google.com>
      Reviewed-by: default avatarJoerg Roedel <jroedel@suse.de>
      Link: https://lkml.kernel.org/r/20211119232757.176201-1-sterritt@google.com
      1d5379d0
    • Rafael J. Wysocki's avatar
      powercap: DTPM: Drop unused local variable from init_dtpm() · 1ac5e21d
      Rafael J. Wysocki authored
      The dtpm_descr variable in init_dtpm() is not used after commit
      f751db8a ("powercap/drivers/dtpm: Disable DTPM at boot time"),
      so drop it.
      
      Fixes: f751db8a ("powercap/drivers/dtpm: Disable DTPM at boot time")
      Reported-by: default avatarStephen Rothwell <sfr@canb.auug.org.au>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      1ac5e21d
    • Jens Axboe's avatar
      io-wq: don't retry task_work creation failure on fatal conditions · a226abcd
      Jens Axboe authored
      We don't want to be retrying task_work creation failure if there's
      an actual signal pending for the parent task. If we do, then we can
      enter an infinite loop of perpetually retrying and each retry failing
      with -ERESTARTNOINTR because a signal is pending.
      
      Fixes: 3146cba9 ("io-wq: make worker creation resilient against signals")
      Reported-by: default avatarFlorian Fischer <florian.fl.fischer@fau.de>
      Link: https://lore.kernel.org/io-uring/20211202165606.mqryio4yzubl7ms5@pasture/Tested-by: default avatarFlorian Fischer <florian.fl.fischer@fau.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      a226abcd
    • Al Cooper's avatar
      serial: 8250_bcm7271: UART errors after resuming from S2 · 9cabe26e
      Al Cooper authored
      There is a small window in time during resume where the hardware
      flow control signal RTS can be asserted (which allows a sender to
      resume sending data to the UART) but the baud rate has not yet
      been restored. This will cause corrupted data and FRAMING, OVERRUN
      and BREAK errors. This is happening because the MCTRL register is
      shadowed in uart_port struct and is later used during resume to set
      the MCTRL register during both serial8250_do_startup() and
      uart_resume_port(). Unfortunately, serial8250_do_startup()
      happens before the UART baud rate is restored. The fix is to clear
      the shadowed mctrl value at the end of suspend and restore it at the
      end of resume.
      
      Fixes: 41a46948 ("serial: 8250: Add new 8250-core based Broadcom STB driver")
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarAl Cooper <alcooperx@gmail.com>
      Link: https://lore.kernel.org/r/20211201201402.47446-1-alcooperx@gmail.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9cabe26e
    • Zhou Qingyang's avatar
      usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init() · 37307f70
      Zhou Qingyang authored
      In cdnsp_endpoint_init(), cdnsp_ring_alloc() is assigned to pep->ring
      and there is a dereference of it in cdnsp_endpoint_init(), which could
      lead to a NULL pointer dereference on failure of cdnsp_ring_alloc().
      
      Fix this bug by adding a check of pep->ring.
      
      This bug was found by a static analyzer. The analysis employs
      differential checking to identify inconsistent security operations
      (e.g., checks or kfrees) between two code paths and confirms that the
      inconsistent operations are not recovered in the current function or
      the callers, so they constitute bugs.
      
      Note that, as a bug found by static analysis, it can be a false
      positive or hard to trigger. Multiple researchers have cross-reviewed
      the bug.
      
      Builds with CONFIG_USB_CDNSP_GADGET=y show no new warnings,
      and our static analyzer no longer warns about this code.
      
      Fixes: 3d829045 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
      Cc: stable <stable@vger.kernel.org>
      Acked-by: default avatarPawel Laszczak <pawell@cadence.com>
      Acked-by: default avatarPeter Chen <peter.chen@kernel.org>
      Signed-off-by: default avatarZhou Qingyang <zhou1615@umn.edu>
      Link: https://lore.kernel.org/r/20211130172700.206650-1-zhou1615@umn.eduSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      37307f70
    • Frank Li's avatar
      usb: cdns3: gadget: fix new urb never complete if ep cancel previous requests · 387c2b6b
      Frank Li authored
      This issue was found at android12 MTP.
      1. MTP submit many out urb request.
      2. Cancel left requests (>20) when enough data get from host
      3. Send ACK by IN endpoint.
      4. MTP submit new out urb request.
      5. 4's urb never complete.
      
      TRACE LOG:
      
      MtpServer-2157    [000] d..3  1287.150391: cdns3_ep_dequeue: ep1out: req: 00000000299e6836, req buff 000000009df42287, length: 0/16384 zsi, status: -115, trb: [start:87, end:87: virt addr 0x80004000ffd50420], flags:1 SID: 0
      MtpServer-2157    [000] d..3  1287.150410: cdns3_gadget_giveback: ep1out: req: 00000000299e6836, req buff 000000009df42287, length: 0/16384 zsi, status: -104, trb: [start:87, end:87: virt addr 0x80004000ffd50420], flags:0 SID: 0
      MtpServer-2157    [000] d..3  1287.150433: cdns3_ep_dequeue: ep1out: req: 0000000080b7bde6, req buff 000000009ed5c556, length: 0/16384 zsi, status: -115, trb: [start:88, end:88: virt addr 0x80004000ffd5042c], flags:1 SID: 0
      MtpServer-2157    [000] d..3  1287.150446: cdns3_gadget_giveback: ep1out: req: 0000000080b7bde6, req buff 000000009ed5c556, length: 0/16384 zsi, status: -104, trb: [start:88, end:88: virt addr 0x80004000ffd5042c], flags:0 SID: 0
      	....
      MtpServer-2157    [000] d..1  1293.630410: cdns3_alloc_request: ep1out: req: 00000000afbccb7d, req buff 0000000000000000, length: 0/0 zsi, status: 0, trb: [start:0, end:0: virt addr (null)], flags:0 SID: 0
      MtpServer-2157    [000] d..2  1293.630421: cdns3_ep_queue: ep1out: req: 00000000afbccb7d, req buff 00000000871caf90, length: 0/512 zsi, status: -115, trb: [start:0, end:0: virt addr (null)], flags:0 SID: 0
      MtpServer-2157    [000] d..2  1293.630445: cdns3_wa1: WA1: ep1out set guard
      MtpServer-2157    [000] d..2  1293.630450: cdns3_wa1: WA1: ep1out restore cycle bit
      MtpServer-2157    [000] d..2  1293.630453: cdns3_prepare_trb: ep1out: trb 000000007317b3ee, dma buf: 0xffd5bc00, size: 512, burst: 128 ctrl: 0x00000424 (C=0, T=0, ISP, IOC, Normal) SID:0 LAST_SID:0
      MtpServer-2157    [000] d..2  1293.630460: cdns3_doorbell_epx: ep1out, ep_trbaddr ffd50414
      	....
      irq/241-5b13000-2154    [000] d..1  1293.680849: cdns3_epx_irq: IRQ for ep1out: 01000408 ISP , ep_traddr: ffd508ac ep_last_sid: 00000000 use_streams: 0
      irq/241-5b13000-2154    [000] d..1  1293.680858: cdns3_complete_trb: ep1out: trb 0000000021a11b54, dma buf: 0xffd50420, size: 16384, burst: 128 ctrl: 0x00001810 (C=0, T=0, CHAIN, LINK) SID:0 LAST_SID:0
      irq/241-5b13000-2154    [000] d..1  1293.680865: cdns3_request_handled: Req: 00000000afbccb7d not handled, DMA pos: 185, ep deq: 88, ep enq: 185, start trb: 184, end trb: 184
      
      Actually DMA pos already bigger than previous submit request afbccb7d's TRB (184-184). The reason of (not handled) is that deq position is wrong.
      
      The TRB link is below when irq happen.
      
      	DEQ LINK LINK LINK LINK LINK .... TRB(afbccb7d):START  DMA(EP_TRADDR).
      
      Original code check LINK TRB, but DEQ just move one step.
      
      	LINK DEQ LINK LINK LINK LINK .... TRB(afbccb7d):START  DMA(EP_TRADDR).
      
      This patch skip all LINK TRB and sync DEQ to trb's start.
      
      	LINK LINK LINK LINK LINK .... DEQ = TRB(afbccb7d):START  DMA(EP_TRADDR).
      Acked-by: default avatarPeter Chen <peter.chen@kernel.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarFrank Li <Frank.Li@nxp.com>
      Signed-off-by: default avatarJun Li <jun.li@nxp.com>
      Link: https://lore.kernel.org/r/20211130154239.8029-1-Frank.Li@nxp.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      387c2b6b
    • Badhri Jagan Sridharan's avatar
      usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect · fbcd13df
      Badhri Jagan Sridharan authored
      Stub from the spec:
      "4.5.2.2.4.2 Exiting from AttachWait.SNK State
      A Sink shall transition to Unattached.SNK when the state of both
      the CC1 and CC2 pins is SNK.Open for at least tPDDebounce.
      A DRP shall transition to Unattached.SRC when the state of both
      the CC1 and CC2 pins is SNK.Open for at least tPDDebounce."
      
      This change makes TCPM to wait in SNK_DEBOUNCED state until
      CC1 and CC2 pins is SNK.Open for at least tPDDebounce. Previously,
      TCPM resets the port if vbus is not present in PD_T_PS_SOURCE_ON.
      This causes TCPM to loop continuously when connected to a
      faulty power source that does not present vbus. Waiting in
      SNK_DEBOUNCED also ensures that TCPM is adherant to
      "4.5.2.2.4.2 Exiting from AttachWait.SNK State" requirements.
      
      [ 6169.280751] CC1: 0 -> 0, CC2: 0 -> 5 [state TOGGLING, polarity 0, connected]
      [ 6169.280759] state change TOGGLING -> SNK_ATTACH_WAIT [rev2 NONE_AMS]
      [ 6169.280771] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev2 NONE_AMS]
      [ 6169.282427] CC1: 0 -> 0, CC2: 5 -> 5 [state SNK_ATTACH_WAIT, polarity 0, connected]
      [ 6169.450825] state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED [delayed 170 ms]
      [ 6169.450834] pending state change SNK_DEBOUNCED -> PORT_RESET @ 480 ms [rev2 NONE_AMS]
      [ 6169.930892] state change SNK_DEBOUNCED -> PORT_RESET [delayed 480 ms]
      [ 6169.931296] disable vbus discharge ret:0
      [ 6169.931301] Setting usb_comm capable false
      [ 6169.932783] Setting voltage/current limit 0 mV 0 mA
      [ 6169.932802] polarity 0
      [ 6169.933706] Requesting mux state 0, usb-role 0, orientation 0
      [ 6169.936689] cc:=0
      [ 6169.936812] pending state change PORT_RESET -> PORT_RESET_WAIT_OFF @ 100 ms [rev2 NONE_AMS]
      [ 6169.937157] CC1: 0 -> 0, CC2: 5 -> 0 [state PORT_RESET, polarity 0, disconnected]
      [ 6170.036880] state change PORT_RESET -> PORT_RESET_WAIT_OFF [delayed 100 ms]
      [ 6170.036890] state change PORT_RESET_WAIT_OFF -> SNK_UNATTACHED [rev2 NONE_AMS]
      [ 6170.036896] Start toggling
      [ 6170.041412] CC1: 0 -> 0, CC2: 0 -> 0 [state TOGGLING, polarity 0, disconnected]
      [ 6170.042973] CC1: 0 -> 0, CC2: 0 -> 5 [state TOGGLING, polarity 0, connected]
      [ 6170.042976] state change TOGGLING -> SNK_ATTACH_WAIT [rev2 NONE_AMS]
      [ 6170.042981] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev2 NONE_AMS]
      [ 6170.213014] state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED [delayed 170 ms]
      [ 6170.213019] pending state change SNK_DEBOUNCED -> PORT_RESET @ 480 ms [rev2 NONE_AMS]
      [ 6170.693068] state change SNK_DEBOUNCED -> PORT_RESET [delayed 480 ms]
      [ 6170.693304] disable vbus discharge ret:0
      [ 6170.693308] Setting usb_comm capable false
      [ 6170.695193] Setting voltage/current limit 0 mV 0 mA
      [ 6170.695210] polarity 0
      [ 6170.695990] Requesting mux state 0, usb-role 0, orientation 0
      [ 6170.701896] cc:=0
      [ 6170.702181] pending state change PORT_RESET -> PORT_RESET_WAIT_OFF @ 100 ms [rev2 NONE_AMS]
      [ 6170.703343] CC1: 0 -> 0, CC2: 5 -> 0 [state PORT_RESET, polarity 0, disconnected]
      
      Fixes: f0690a25 ("staging: typec: USB Type-C Port Manager (tcpm)")
      Cc: stable@vger.kernel.org
      Acked-by: default avatarHeikki Krogerus <heikki.krogerus@linux.intel.com>
      Signed-off-by: default avatarBadhri Jagan Sridharan <badhri@google.com>
      Link: https://lore.kernel.org/r/20211130001825.3142830-1-badhri@google.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fbcd13df
    • Ole Ernst's avatar
      USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub · d2a00403
      Ole Ernst authored
      This is another branded 8153 device that doesn't work well with LPM:
      r8152 2-2.1:1.0 enp0s13f0u2u1: Stop submitting intr, status -71
      
      Disable LPM to resolve the issue.
      Signed-off-by: default avatarOle Ernst <olebowle@gmx.com>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20211127090546.52072-1-olebowle@gmx.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d2a00403