Merge 5.10.199 into android12-5.10-lts

Changes in 5.10.199
        RDMA/srp: Make struct scsi_cmnd and struct srp_request adjacent
        RDMA/srp: Do not call scsi_done() from srp_abort()
        RDMA/cxgb4: Check skb value for failure to allocate
        perf/arm-cmn: Fix the unhandled overflow status of counter 4 to 7
        lib/test_meminit: fix off-by-one error in test_pages()
        HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
        quota: Fix slow quotaoff
        net: prevent address rewrite in kernel_bind()
        drm/msm/dp: do not reinitialize phy unless retry during link training
        drm/msm/dsi: skip the wait for video mode done if not applicable
        drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid overflow
        ravb: Fix up dma_free_coherent() call in ravb_remove()
        ieee802154: ca8210: Fix a potential UAF in ca8210_probe
        mlxsw: fix mlxsw_sp2_nve_vxlan_learning_set() return type
        xen-netback: use default TX queue size for vifs
        riscv, bpf: Factor out emit_call for kernel and bpf context
        riscv, bpf: Sign-extend return values
        drm/vmwgfx: fix typo of sizeof argument
        net: macsec: indicate next pn update when offloading
        net: phy: mscc: macsec: reject PN update requests
        ixgbe: fix crash with empty VF macvlan list
        net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()
        pinctrl: renesas: rzn1: Enable missing PINMUX
        nfc: nci: assert requested protocol is valid
        workqueue: Override implicit ordered attribute in workqueue_apply_unbound_cpumask()
        Revert "spi: zynqmp-gqspi: fix clock imbalance on probe failure"
        Revert "spi: spi-zynqmp-gqspi: Fix runtime PM imbalance in zynqmp_qspi_probe"
        net: add sysctl accept_ra_min_rtr_lft
        net: change accept_ra_min_rtr_lft to affect all RA lifetimes
        net: release reference to inet6_dev pointer
        media: mtk-jpeg: Fix use after free bug due to uncanceled work
        dmaengine: stm32-mdma: abort resume if no ongoing transfer
        usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer
        net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read
        usb: dwc3: Soft reset phy on probe for host
        usb: musb: Get the musb_qh poniter after musb_giveback
        usb: musb: Modify the "HWVers" register address
        iio: pressure: bmp280: Fix NULL pointer exception
        iio: pressure: dps310: Adjust Timeout Settings
        iio: pressure: ms5611: ms5611_prom_is_valid false negative bug
        x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs
        mcb: remove is_added flag from mcb_device struct
        thunderbolt: Check that lane 1 is in CL0 before enabling lane bonding
        libceph: use kernel_connect()
        ceph: fix incorrect revoked caps assert in ceph_fill_file_size()
        ceph: fix type promotion bug on 32bit systems
        Input: powermate - fix use-after-free in powermate_config_complete
        Input: psmouse - fix fast_reconnect function for PS/2 mode
        Input: xpad - add PXN V900 support
        Input: i8042 - add Fujitsu Lifebook E5411 to i8042 quirk table
        Input: goodix - ensure int GPIO is in input for gpio_count == 1 && gpio_int_idx == 0 case
        tee: amdtee: fix use-after-free vulnerability in amdtee_close_session
        cgroup: Remove duplicates in cgroup v1 tasks file
        pinctrl: avoid unsafe code pattern in find_pinctrl()
        counter: microchip-tcb-capture: Fix the use of internal GCLK logic
        usb: gadget: udc-xilinx: replace memcpy with memcpy_toio
        usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call
        dmaengine: mediatek: Fix deadlock caused by synchronize_irq()
        powerpc/8xx: Fix pte_access_permitted() for PAGE_NONE
        powerpc/64e: Fix wrong test in __ptep_test_and_clear_young()
        x86/alternatives: Disable KASAN in apply_alternatives()
        arm64: report EL1 UNDEFs better
        arm64: die(): pass 'err' as long
        arm64: consistently pass ESR_ELx to die()
        arm64: rework FPAC exception handling
        arm64: rework BTI exception handling
        arm64: allow kprobes on EL0 handlers
        arm64: split EL0/EL1 UNDEF handlers
        arm64: factor out EL1 SSBS emulation hook
        arm64: factor insn read out of call_undef_hook()
        arm64: rework EL0 MRS emulation
        arm64: armv8_deprecated: fold ops into insn_emulation
        arm64: armv8_deprecated move emulation functions
        arm64: armv8_deprecated: move aarch32 helper earlier
        arm64: armv8_deprecated: rework deprected instruction handling
        arm64: armv8_deprecated: fix unused-function error
        RDMA/srp: Set scmnd->result only when scmnd is not NULL
        RDMA/srp: Fix srp_abort()
        ravb: Fix use-after-free issue in ravb_tx_timeout_work()
        dev_forward_skb: do not scrub skb mark within the same name space
        lib/Kconfig.debug: do not enable DEBUG_PREEMPT by default
        mm/memory_hotplug: rate limit page migration warnings
        Documentation: sysctl: align cells in second content column
        usb: hub: Guard against accesses to uninitialized BOS descriptors
        Bluetooth: hci_event: Ignore NULL link key
        Bluetooth: Reject connection with the device which has same BD_ADDR
        Bluetooth: Fix a refcnt underflow problem for hci_conn
        Bluetooth: vhci: Fix race when opening vhci device
        Bluetooth: hci_event: Fix coding style
        Bluetooth: avoid memcmp() out of bounds warning
        ice: fix over-shifted variable
        ice: reset first in crash dump kernels
        nfc: nci: fix possible NULL pointer dereference in send_acknowledge()
        regmap: fix NULL deref on lookup
        KVM: x86: Mask LVTPC when handling a PMI
        x86/sev: Disable MMIO emulation from user mode
        x86/sev: Check IOBM for IOIO exceptions from user-space
        x86/sev: Check for user-space IOIO pointing to kernel space
        tcp: check mptcp-level constraints for backlog coalescing
        netfilter: nft_payload: fix wrong mac header matching
        nvmet-tcp: Fix a possible UAF in queue intialization setup
        drm/i915: Retry gtt fault when out of fence registers
        qed: fix LL2 RX buffer allocation
        xfrm: fix a data-race in xfrm_gen_index()
        xfrm: interface: use DEV_STATS_INC()
        net: ipv4: fix return value check in esp_remove_trailer
        net: ipv6: fix return value check in esp_remove_trailer
        net: rfkill: gpio: prevent value glitch during probe
        tcp: fix excessive TLP and RACK timeouts from HZ rounding
        tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb
        tun: prevent negative ifindex
        ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr
        net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
        i40e: prevent crash on probe if hw registers have invalid values
        net: dsa: bcm_sf2: Fix possible memory leak in bcm_sf2_mdio_register()
        net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve
        neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section
        netfilter: nft_set_rbtree: .deactivate fails if element has expired
        net: pktgen: Fix interface flags printing
        thunderbolt: Workaround an IOMMU fault on certain systems with Intel Maple Ridge
        resource: Add irqresource_disabled()
        ACPI: Drop acpi_dev_irqresource_disabled()
        ACPI: resources: Add DMI-based legacy IRQ override quirk
        ACPI: resource: Skip IRQ override on Asus Vivobook K3402ZA/K3502ZA
        ACPI: resource: Add ASUS model S5402ZA to quirks
        ACPI: resource: Skip IRQ override on Asus Vivobook S5602ZA
        ACPI: resource: Add Asus ExpertBook B2502 to Asus quirks
        ACPI: resource: Skip IRQ override on Asus Expertbook B2402CBA
        ACPI: resource: Skip IRQ override on ASUS ExpertBook B1502CBA
        ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA
        selftests/vm: make charge_reserved_hugetlb.sh work with existing cgroup setting
        selftests/mm: fix awk usage in charge_reserved_hugetlb.sh and hugetlb_reparenting_test.sh that may cause error
        usb: core: Track SuperSpeed Plus GenXxY
        xhci: cleanup xhci_hub_control port references
        xhci: move port specific items such as state completions to port structure
        xhci: rename resume_done to resume_timestamp
        xhci: clear usb2 resume related variables in one place.
        xhci: decouple usb2 port resume and get_port_status request handling
        xhci: track port suspend state correctly in unsuccessful resume cases
        serial: 8250: omap: Fix imprecise external abort for omap_8250_pm()
        serial: 8250_omap: Fix errors with no_console_suspend
        drm/amd/display: only check available pipe to disable vbios mode.
        drm/amd/display: Don't set dpms_off for seamless boot
        drm/connector: Give connector sysfs devices there own device_type
        drm/connector: Add a fwnode pointer to drm_connector and register with ACPI (v2)
        drm/connector: Add drm_connector_find_by_fwnode() function (v3)
        drm/connector: Add support for out-of-band hotplug notification (v3)
        usb: typec: altmodes/displayport: Notify drm subsys of hotplug events
        usb: typec: altmodes/displayport: Signal hpd low when exiting mode
        ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone
        btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1
        btrfs: initialize start_slot in btrfs_log_prealloc_extents
        i2c: mux: Avoid potential false error message in i2c_mux_add_adapter
        overlayfs: set ctime when setting mtime and atime
        gpio: timberdale: Fix potential deadlock on &tgpio->lock
        ata: libata-eh: Fix compilation warning in ata_eh_link_report()
        tracing: relax trace_event_eval_update() execution with cond_resched()
        HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event
        Bluetooth: Avoid redundant authentication
        Bluetooth: hci_core: Fix build warnings
        wifi: cfg80211: Fix 6GHz scan configuration
        wifi: mac80211: allow transmitting EAPOL frames with tainted key
        wifi: cfg80211: avoid leaking stack data into trace
        regulator/core: Revert "fix kobject release warning and memory leak in regulator_register()"
        sky2: Make sure there is at least one frag_addr available
        ipv4/fib: send notify when delete source address routes
        drm: panel-orientation-quirks: Add quirk for One Mix 2S
        btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c
        HID: multitouch: Add required quirk for Synaptics 0xcd7e device
        platform/x86: touchscreen_dmi: Add info for the Positivo C4128B
        net/mlx5: Handle fw tracer change ownership event based on MTRC
        Bluetooth: hci_event: Fix using memcmp when comparing keys
        mtd: rawnand: qcom: Unmap the right resource upon probe failure
        mtd: rawnand: marvell: Ensure program page operations are successful
        mtd: rawnand: arasan: Ensure program page operations are successful
        mtd: spinand: micron: correct bitmask for ecc status
        mtd: physmap-core: Restore map_rom fallback
        mmc: core: sdio: hold retuning if sdio in 1-bit mode
        mmc: core: Capture correct oemid-bits for eMMC cards
        Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()"
        pNFS: Fix a hang in nfs4_evict_inode()
        ACPI: irq: Fix incorrect return value in acpi_register_gsi()
        nvme-pci: add BOGUS_NID for Intel 0a54 device
        nvme-rdma: do not try to stop unallocated queues
        USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
        USB: serial: option: add entry for Sierra EM9191 with new firmware
        USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
        perf: Disallow mis-matched inherited group reads
        s390/pci: fix iommu bitmap allocation
        platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e
        platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events
        gpio: vf610: set value before the direction to avoid a glitch
        ASoC: pxa: fix a memory leak in probe()
        phy: mapphone-mdm6600: Fix runtime disable on probe
        phy: mapphone-mdm6600: Fix runtime PM for remove
        phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins
        Bluetooth: hci_sock: fix slab oob read in create_monitor_event
        Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name
        xfrm6: fix inet6_dev refcount underflow problem
        Linux 5.10.199

NOTE, this reverts the following commits in order to apply things
cleanly and avoid ABI breakage.  Due to the complexity involved,
individual reverts would not work properly:
        fc778e9d79 xhci: track port suspend state correctly in unsuccessful resume cases
        1c034c6e22 xhci: decouple usb2 port resume and get_port_status request handling
        92088dd886 xhci: clear usb2 resume related variables in one place.
        e7abc4b18d xhci: rename resume_done to resume_timestamp
        d44c9285ce xhci: move port specific items such as state completions to port structure
        e2b4de13e5 xhci: cleanup xhci_hub_control port references
        489818719a arm64: armv8_deprecated: fix unused-function error
        da7603cedb arm64: armv8_deprecated: rework deprected instruction handling
        45a26d2a53 arm64: armv8_deprecated: move aarch32 helper earlier
        0b6a7a9f6d arm64: armv8_deprecated move emulation functions
        2202536144 arm64: armv8_deprecated: fold ops into insn_emulation
        5aa232345e arm64: rework EL0 MRS emulation
        15e964971f arm64: factor insn read out of call_undef_hook()
        0edde7fd1c arm64: factor out EL1 SSBS emulation hook
        7a76df1ae1 arm64: split EL0/EL1 UNDEF handlers
        8a8d4cc303 arm64: allow kprobes on EL0 handlers
        793ed958b6 arm64: rework BTI exception handling
        9113333d7c arm64: rework FPAC exception handling
        a8d7c8484f arm64: consistently pass ESR_ELx to die()
        004bdab6ed arm64: die(): pass 'err' as long
        835cb1f78d arm64: report EL1 UNDEFs better

Change-Id: I54f6d79ae4886b808d6e3c017343f1f25c5254c3
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

Documentation/admin-guide/sysctl/net.rst

@@ -31,18 +31,18 @@ see only some of them, depending on your kernel's configuration.
 
 Table : Subdirectories in /proc/sys/net
 
- ========= =================== = ========== ==================
+ ========= =================== = ========== ===================
  Directory Content               Directory  Content
- ========= =================== = ========== ==================
- 802       E802 protocol         mptcp     Multipath TCP
- appletalk Appletalk protocol    netfilter Network Filter
+ ========= =================== = ========== ===================
+ 802       E802 protocol         mptcp      Multipath TCP
+ appletalk Appletalk protocol    netfilter  Network Filter
  ax25      AX25                  netrom     NET/ROM
- bridge    Bridging              rose      X.25 PLP layer
- core      General parameter     tipc      TIPC
- ethernet  Ethernet protocol     unix      Unix domain sockets
- ipv4      IP version 4          x25       X.25 protocol
+ bridge    Bridging              rose       X.25 PLP layer
+ core      General parameter     tipc       TIPC
+ ethernet  Ethernet protocol     unix       Unix domain sockets
+ ipv4      IP version 4          x25        X.25 protocol
  ipv6      IP version 6
- ========= =================== = ========== ==================
+ ========= =================== = ========== ===================
 
 1. /proc/sys/net/core - Network core options
 ============================================

Documentation/networking/ip-sysctl.rst

@@ -1902,6 +1902,14 @@ accept_ra_min_hop_limit - INTEGER
 
 	Default: 1
 
+accept_ra_min_lft - INTEGER
+	Minimum acceptable lifetime value in Router Advertisement.
+
+	RA sections with a lifetime less than this value shall be
+	ignored. Zero lifetimes stay unaffected.
+
+	Default: 0
+
 accept_ra_pinfo - BOOLEAN
 	Learn Prefix Information in Router Advertisement.
 

Makefile

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 5
 PATCHLEVEL = 10
-SUBLEVEL = 198
+SUBLEVEL = 199
 EXTRAVERSION =
 NAME = Dare mighty things
 

arch/arm/boot/dts/motorola-mapphone-common.dtsi

@@ -765,6 +765,7 @@
 &uart3 {
 	interrupts-extended = <&wakeupgen GIC_SPI 74 IRQ_TYPE_LEVEL_HIGH
 			       &omap4_pmx_core 0x17c>;
+	overrun-throttle-ms = <500>;
 };
 
 &uart4 {

arch/powerpc/include/asm/nohash/32/pte-8xx.h

@@ -94,6 +94,13 @@ static inline pte_t pte_wrprotect(pte_t pte)
 
 #define pte_wrprotect pte_wrprotect
 
+static inline int pte_read(pte_t pte)
+{
+	return (pte_val(pte) & _PAGE_RO) != _PAGE_NA;
+}
+
+#define pte_read pte_read
+
 static inline int pte_write(pte_t pte)
 {
 	return !(pte_val(pte) & _PAGE_RO);

arch/powerpc/include/asm/nohash/64/pgtable.h

@@ -216,7 +216,7 @@ static inline int __ptep_test_and_clear_young(struct mm_struct *mm,
 {
 	unsigned long old;
 
-	if (pte_young(*ptep))
+	if (!pte_young(*ptep))
 		return 0;
 	old = pte_update(mm, addr, ptep, _PAGE_ACCESSED, 0, 0);
 	return (old & _PAGE_ACCESSED) != 0;

arch/powerpc/include/asm/nohash/pgtable.h

@@ -45,7 +45,9 @@ static inline int pte_write(pte_t pte)
 	return pte_val(pte) & _PAGE_RW;
 }
 #endif
+#ifndef pte_read
 static inline int pte_read(pte_t pte)		{ return 1; }
+#endif
 static inline int pte_dirty(pte_t pte)		{ return pte_val(pte) & _PAGE_DIRTY; }
 static inline int pte_special(pte_t pte)	{ return pte_val(pte) & _PAGE_SPECIAL; }
 static inline int pte_none(pte_t pte)		{ return (pte_val(pte) & ~_PTE_NONE_MASK) == 0; }

arch/riscv/net/bpf_jit_comp64.c

@@ -201,7 +201,7 @@ static void __build_epilogue(bool is_tail_call, struct rv_jit_context *ctx)
 	emit_addi(RV_REG_SP, RV_REG_SP, stack_adjust, ctx);
 	/* Set return value. */
 	if (!is_tail_call)
-		emit_mv(RV_REG_A0, RV_REG_A5, ctx);
+		emit_addiw(RV_REG_A0, RV_REG_A5, 0, ctx);
 	emit_jalr(RV_REG_ZERO, is_tail_call ? RV_REG_T3 : RV_REG_RA,
 		  is_tail_call ? 4 : 0, /* skip TCC init */
 		  ctx);
@@ -394,12 +394,12 @@ static void emit_sext_32_rd(u8 *rd, struct rv_jit_context *ctx)
 	*rd = RV_REG_T2;
 }
 
-static int emit_jump_and_link(u8 rd, s64 rvoff, bool force_jalr,
+static int emit_jump_and_link(u8 rd, s64 rvoff, bool fixed_addr,
 			      struct rv_jit_context *ctx)
 {
 	s64 upper, lower;
 
-	if (rvoff && is_21b_int(rvoff) && !force_jalr) {
+	if (rvoff && fixed_addr && is_21b_int(rvoff)) {
 		emit(rv_jal(rd, rvoff >> 1), ctx);
 		return 0;
 	} else if (in_auipc_jalr_range(rvoff)) {
@@ -420,24 +420,17 @@ static bool is_signed_bpf_cond(u8 cond)
 		cond == BPF_JSGE || cond == BPF_JSLE;
 }
 
-static int emit_call(bool fixed, u64 addr, struct rv_jit_context *ctx)
+static int emit_call(u64 addr, bool fixed_addr, struct rv_jit_context *ctx)
 {
 	s64 off = 0;
 	u64 ip;
-	u8 rd;
-	int ret;
 
 	if (addr && ctx->insns) {
 		ip = (u64)(long)(ctx->insns + ctx->ninsns);
 		off = addr - ip;
 	}
 
-	ret = emit_jump_and_link(RV_REG_RA, off, !fixed, ctx);
-	if (ret)
-		return ret;
-	rd = bpf_to_rv_reg(BPF_REG_0, ctx);
-	emit_mv(rd, RV_REG_A0, ctx);
-	return 0;
+	return emit_jump_and_link(RV_REG_RA, off, fixed_addr, ctx);
 }
 
 int bpf_jit_emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx,
@@ -731,7 +724,7 @@ out_be:
 	/* JUMP off */
 	case BPF_JMP | BPF_JA:
 		rvoff = rv_offset(i, off, ctx);
-		ret = emit_jump_and_link(RV_REG_ZERO, rvoff, false, ctx);
+		ret = emit_jump_and_link(RV_REG_ZERO, rvoff, true, ctx);
 		if (ret)
 			return ret;
 		break;
@@ -850,17 +843,21 @@ out_be:
 	/* function call */
 	case BPF_JMP | BPF_CALL:
 	{
-		bool fixed;
+		bool fixed_addr;
 		u64 addr;
 
 		mark_call(ctx);
-		ret = bpf_jit_get_func_addr(ctx->prog, insn, extra_pass, &addr,
-					    &fixed);
+		ret = bpf_jit_get_func_addr(ctx->prog, insn, extra_pass,
+					    &addr, &fixed_addr);
 		if (ret < 0)
 			return ret;
-		ret = emit_call(fixed, addr, ctx);
+
+		ret = emit_call(addr, fixed_addr, ctx);
 		if (ret)
 			return ret;
+
+		if (insn->src_reg != BPF_PSEUDO_CALL)
+			emit_mv(bpf_to_rv_reg(BPF_REG_0, ctx), RV_REG_A0, ctx);
 		break;
 	}
 	/* tail call */
@@ -875,7 +872,7 @@ out_be:
 			break;
 
 		rvoff = epilogue_offset(ctx);
-		ret = emit_jump_and_link(RV_REG_ZERO, rvoff, false, ctx);
+		ret = emit_jump_and_link(RV_REG_ZERO, rvoff, true, ctx);
 		if (ret)
 			return ret;
 		break;

arch/s390/pci/pci_dma.c

@@ -541,6 +541,17 @@ static void s390_dma_unmap_sg(struct device *dev, struct scatterlist *sg,
 		s->dma_length = 0;
 	}
 }
+
+static unsigned long *bitmap_vzalloc(size_t bits, gfp_t flags)
+{
+	size_t n = BITS_TO_LONGS(bits);
+	size_t bytes;
+
+	if (unlikely(check_mul_overflow(n, sizeof(unsigned long), &bytes)))
+		return NULL;
+
+	return vzalloc(bytes);
+}
 	
 int zpci_dma_init_device(struct zpci_dev *zdev)
 {
@@ -577,13 +588,13 @@ int zpci_dma_init_device(struct zpci_dev *zdev)
 				zdev->end_dma - zdev->start_dma + 1);
 	zdev->end_dma = zdev->start_dma + zdev->iommu_size - 1;
 	zdev->iommu_pages = zdev->iommu_size >> PAGE_SHIFT;
-	zdev->iommu_bitmap = vzalloc(zdev->iommu_pages / 8);
+	zdev->iommu_bitmap = bitmap_vzalloc(zdev->iommu_pages, GFP_KERNEL);
 	if (!zdev->iommu_bitmap) {
 		rc = -ENOMEM;
 		goto free_dma_table;
 	}
 	if (!s390_iommu_strict) {
-		zdev->lazy_bitmap = vzalloc(zdev->iommu_pages / 8);
+		zdev->lazy_bitmap = bitmap_vzalloc(zdev->iommu_pages, GFP_KERNEL);
 		if (!zdev->lazy_bitmap) {
 			rc = -ENOMEM;
 			goto free_bitmap;

arch/x86/boot/compressed/sev-es.c

@@ -106,6 +106,16 @@ static enum es_result vc_read_mem(struct es_em_ctxt *ctxt,
 	return ES_OK;
 }
 
+static enum es_result vc_ioio_check(struct es_em_ctxt *ctxt, u16 port, size_t size)
+{
+	return ES_OK;
+}
+
+static bool fault_in_kernel_space(unsigned long address)
+{
+	return false;
+}
+
 #undef __init
 #undef __pa
 #define __init

arch/x86/include/asm/msr-index.h

@@ -541,12 +541,17 @@
 
 #define MSR_AMD64_VIRT_SPEC_CTRL	0xc001011f
 
-/* Fam 17h MSRs */
-#define MSR_F17H_IRPERF			0xc00000e9
+/* Zen4 */
+#define MSR_ZEN4_BP_CFG			0xc001102e
+#define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5
 
+/* Zen 2 */
 #define MSR_ZEN2_SPECTRAL_CHICKEN	0xc00110e3
 #define MSR_ZEN2_SPECTRAL_CHICKEN_BIT	BIT_ULL(1)
 
+/* Fam 17h MSRs */
+#define MSR_F17H_IRPERF			0xc00000e9
+
 /* Fam 16h MSRs */
 #define MSR_F16H_L2I_PERF_CTL		0xc0010230
 #define MSR_F16H_L2I_PERF_CTR		0xc0010231

arch/x86/kernel/alternative.c

@@ -424,6 +424,17 @@ void __init_or_module noinline apply_alternatives(struct alt_instr *start,
 	u8 insn_buff[MAX_PATCH_LEN];
 
 	DPRINTK("alt table %px, -> %px", start, end);
+
+	/*
+	 * In the case CONFIG_X86_5LEVEL=y, KASAN_SHADOW_START is defined using
+	 * cpu_feature_enabled(X86_FEATURE_LA57) and is therefore patched here.
+	 * During the process, KASAN becomes confused seeing partial LA57
+	 * conversion and triggers a false-positive out-of-bound report.
+	 *
+	 * Disable KASAN until the patching is complete.
+	 */
+	kasan_disable_current();
+
 	/*
 	 * The scan order should be from start to end. A later scanned
 	 * alternative code can overwrite previously scanned alternative code.
@@ -491,6 +502,8 @@ void __init_or_module noinline apply_alternatives(struct alt_instr *start,
 next:
 		optimize_nops(instr, a->instrlen);
 	}
+
+	kasan_enable_current();
 }
 
 #if defined(CONFIG_RETPOLINE) && defined(CONFIG_STACK_VALIDATION)

arch/x86/kernel/cpu/amd.c

@@ -81,6 +81,10 @@ static const int amd_div0[] =
 	AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0x00, 0x0, 0x2f, 0xf),
 			   AMD_MODEL_RANGE(0x17, 0x50, 0x0, 0x5f, 0xf));
 
+static const int amd_erratum_1485[] =
+	AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x19, 0x10, 0x0, 0x1f, 0xf),
+			   AMD_MODEL_RANGE(0x19, 0x60, 0x0, 0xaf, 0xf));
+
 static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum)
 {
 	int osvw_id = *erratum++;
@@ -1178,6 +1182,10 @@ static void init_amd(struct cpuinfo_x86 *c)
 		pr_notice_once("AMD Zen1 DIV0 bug detected. Disable SMT for full protection.\n");
 		setup_force_cpu_bug(X86_BUG_DIV0);
 	}
+
+	if (!cpu_has(c, X86_FEATURE_HYPERVISOR) &&
+	     cpu_has_amd_erratum(c, amd_erratum_1485))
+		msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT);
 }
 
 #ifdef CONFIG_X86_32

arch/x86/kernel/sev-es-shared.c

@@ -217,6 +217,23 @@ fail:
 		asm volatile("hlt\n");
 }
 
+static enum es_result vc_insn_string_check(struct es_em_ctxt *ctxt,
+					   unsigned long address,
+					   bool write)
+{
+	if (user_mode(ctxt->regs) && fault_in_kernel_space(address)) {
+		ctxt->fi.vector     = X86_TRAP_PF;
+		ctxt->fi.error_code = X86_PF_USER;
+		ctxt->fi.cr2        = address;
+		if (write)
+			ctxt->fi.error_code |= X86_PF_WRITE;
+
+		return ES_EXCEPTION;
+	}
+
+	return ES_OK;
+}
+
 static enum es_result vc_insn_string_read(struct es_em_ctxt *ctxt,
 					  void *src, char *buf,
 					  unsigned int data_size,
@@ -224,7 +241,12 @@ static enum es_result vc_insn_string_read(struct es_em_ctxt *ctxt,
 					  bool backwards)
 {
 	int i, b = backwards ? -1 : 1;
-	enum es_result ret = ES_OK;
+	unsigned long address = (unsigned long)src;
+	enum es_result ret;
+
+	ret = vc_insn_string_check(ctxt, address, false);
+	if (ret != ES_OK)
+		return ret;
 
 	for (i = 0; i < count; i++) {
 		void *s = src + (i * data_size * b);
@@ -245,7 +267,12 @@ static enum es_result vc_insn_string_write(struct es_em_ctxt *ctxt,
 					   bool backwards)
 {
 	int i, s = backwards ? -1 : 1;
-	enum es_result ret = ES_OK;
+	unsigned long address = (unsigned long)dst;
+	enum es_result ret;
+
+	ret = vc_insn_string_check(ctxt, address, true);
+	if (ret != ES_OK)
+		return ret;
 
 	for (i = 0; i < count; i++) {
 		void *d = dst + (i * data_size * s);
@@ -281,6 +308,9 @@ static enum es_result vc_insn_string_write(struct es_em_ctxt *ctxt,
 static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo)
 {
 	struct insn *insn = &ctxt->insn;
+	size_t size;
+	u64 port;
+
 	*exitinfo = 0;
 
 	switch (insn->opcode.bytes[0]) {
@@ -289,7 +319,7 @@ static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo)
 	case 0x6d:
 		*exitinfo |= IOIO_TYPE_INS;
 		*exitinfo |= IOIO_SEG_ES;
-		*exitinfo |= (ctxt->regs->dx & 0xffff) << 16;
+		port	   = ctxt->regs->dx & 0xffff;
 		break;
 
 	/* OUTS opcodes */
@@ -297,41 +327,43 @@ static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo)
 	case 0x6f:
 		*exitinfo |= IOIO_TYPE_OUTS;
 		*exitinfo |= IOIO_SEG_DS;
-		*exitinfo |= (ctxt->regs->dx & 0xffff) << 16;
+		port	   = ctxt->regs->dx & 0xffff;
 		break;
 
 	/* IN immediate opcodes */
 	case 0xe4:
 	case 0xe5:
 		*exitinfo |= IOIO_TYPE_IN;
-		*exitinfo |= (u8)insn->immediate.value << 16;
+		port	   = (u8)insn->immediate.value & 0xffff;
 		break;
 
 	/* OUT immediate opcodes */
 	case 0xe6:
 	case 0xe7:
 		*exitinfo |= IOIO_TYPE_OUT;
-		*exitinfo |= (u8)insn->immediate.value << 16;
+		port	   = (u8)insn->immediate.value & 0xffff;
 		break;
 
 	/* IN register opcodes */
 	case 0xec:
 	case 0xed:
 		*exitinfo |= IOIO_TYPE_IN;
-		*exitinfo |= (ctxt->regs->dx & 0xffff) << 16;
+		port	   = ctxt->regs->dx & 0xffff;
 		break;
 
 	/* OUT register opcodes */
 	case 0xee:
 	case 0xef:
 		*exitinfo |= IOIO_TYPE_OUT;
-		*exitinfo |= (ctxt->regs->dx & 0xffff) << 16;
+		port	   = ctxt->regs->dx & 0xffff;
 		break;
 
 	default:
 		return ES_DECODE_FAILED;
 	}
 
+	*exitinfo |= port << 16;
+
 	switch (insn->opcode.bytes[0]) {
 	case 0x6c:
 	case 0x6e:
@@ -341,12 +373,15 @@ static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo)
 	case 0xee:
 		/* Single byte opcodes */
 		*exitinfo |= IOIO_DATA_8;
+		size       = 1;
 		break;
 	default:
 		/* Length determined by instruction parsing */
 		*exitinfo |= (insn->opnd_bytes == 2) ? IOIO_DATA_16
 						     : IOIO_DATA_32;
+		size       = (insn->opnd_bytes == 2) ? 2 : 4;
 	}
+
 	switch (insn->addr_bytes) {
 	case 2:
 		*exitinfo |= IOIO_ADDR_16;
@@ -362,7 +397,7 @@ static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo)
 	if (insn_has_rep_prefix(insn))
 		*exitinfo |= IOIO_REP;
 
-	return ES_OK;
+	return vc_ioio_check(ctxt, (u16)port, size);
 }
 
 static enum es_result vc_handle_ioio(struct ghcb *ghcb, struct es_em_ctxt *ctxt)

arch/x86/kernel/sev-es.c

@@ -448,6 +448,33 @@ static enum es_result vc_slow_virt_to_phys(struct ghcb *ghcb, struct es_em_ctxt
 	return ES_OK;
 }
 
+static enum es_result vc_ioio_check(struct es_em_ctxt *ctxt, u16 port, size_t size)
+{
+	BUG_ON(size > 4);
+
+	if (user_mode(ctxt->regs)) {
+		struct thread_struct *t = &current->thread;
+		struct io_bitmap *iobm = t->io_bitmap;
+		size_t idx;
+
+		if (!iobm)
+			goto fault;
+
+		for (idx = port; idx < port + size; ++idx) {
+			if (test_bit(idx, iobm->bitmap))
+				goto fault;
+		}
+	}
+
+	return ES_OK;
+
+fault:
+	ctxt->fi.vector = X86_TRAP_GP;
+	ctxt->fi.error_code = 0;
+
+	return ES_EXCEPTION;
+}
+
 /* Include code shared with pre-decompression boot stage */
 #include "sev-es-shared.c"
 
@@ -970,6 +997,9 @@ static enum es_result vc_handle_mmio(struct ghcb *ghcb,
 	enum es_result ret;
 	long *reg_data;
 
+	if (user_mode(ctxt->regs))
+		return ES_UNSUPPORTED;
+
 	switch (insn->opcode.bytes[0]) {
 	/* MMIO Write */
 	case 0x88:

arch/x86/kvm/lapic.c

@@ -2397,13 +2397,17 @@ int kvm_apic_local_deliver(struct kvm_lapic *apic, int lvt_type)
 {
 	u32 reg = kvm_lapic_get_reg(apic, lvt_type);
 	int vector, mode, trig_mode;
+	int r;
 
 	if (kvm_apic_hw_enabled(apic) && !(reg & APIC_LVT_MASKED)) {
 		vector = reg & APIC_VECTOR_MASK;
 		mode = reg & APIC_MODE_MASK;
 		trig_mode = reg & APIC_LVT_LEVEL_TRIGGER;
-		return __apic_accept_irq(apic, mode, vector, 1, trig_mode,
-					NULL);
+
+		r = __apic_accept_irq(apic, mode, vector, 1, trig_mode, NULL);
+		if (r && lvt_type == APIC_LVTPC)
+			kvm_lapic_set_reg(apic, APIC_LVTPC, reg | APIC_LVT_MASKED);
+		return r;
 	}
 	return 0;
 }

drivers/acpi/irq.c

@@ -52,6 +52,7 @@ int acpi_register_gsi(struct device *dev, u32 gsi, int trigger,
 		      int polarity)
 {
 	struct irq_fwspec fwspec;
+	unsigned int irq;
 
 	if (WARN_ON(!acpi_gsi_domain_id)) {
 		pr_warn("GSI: No registered irqchip, giving up\n");
@@ -63,7 +64,11 @@ int acpi_register_gsi(struct device *dev, u32 gsi, int trigger,
 	fwspec.param[1] = acpi_dev_get_irq_type(trigger, polarity);
 	fwspec.param_count = 2;
 
-	return irq_create_fwspec_mapping(&fwspec);
+	irq = irq_create_fwspec_mapping(&fwspec);
+	if (!irq)
+		return -EINVAL;
+
+	return irq;
 }
 EXPORT_SYMBOL_GPL(acpi_register_gsi);
 

drivers/acpi/resource.c

@@ -16,6 +16,7 @@
 #include <linux/ioport.h>
 #include <linux/slab.h>
 #include <linux/irq.h>
+#include <linux/dmi.h>
 
 #ifdef CONFIG_X86
 #define valid_IRQ(i) (((i) != 0) && ((i) != 2))
@@ -380,21 +381,117 @@ unsigned int acpi_dev_get_irq_type(int triggering, int polarity)
 }
 EXPORT_SYMBOL_GPL(acpi_dev_get_irq_type);
 
-static void acpi_dev_irqresource_disabled(struct resource *res, u32 gsi)
+static const struct dmi_system_id medion_laptop[] = {
+	{
+		.ident = "MEDION P15651",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "MEDION"),
+			DMI_MATCH(DMI_BOARD_NAME, "M15T"),
+		},
+	},
+	{ }
+};
+
+static const struct dmi_system_id asus_laptop[] = {
+	{
+		.ident = "Asus Vivobook K3402ZA",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+			DMI_MATCH(DMI_BOARD_NAME, "K3402ZA"),
+		},
+	},
+	{
+		.ident = "Asus Vivobook K3502ZA",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+			DMI_MATCH(DMI_BOARD_NAME, "K3502ZA"),
+		},
+	},
+	{
+		.ident = "Asus Vivobook S5402ZA",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+			DMI_MATCH(DMI_BOARD_NAME, "S5402ZA"),
+		},
+	},
+	{
+		.ident = "Asus Vivobook S5602ZA",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+			DMI_MATCH(DMI_BOARD_NAME, "S5602ZA"),
+		},
+	},
+	{
+		.ident = "Asus ExpertBook B1402CBA",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+			DMI_MATCH(DMI_BOARD_NAME, "B1402CBA"),
+		},
+	},
+	{
+		.ident = "Asus ExpertBook B1502CBA",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+			DMI_MATCH(DMI_BOARD_NAME, "B1502CBA"),
+		},
+	},
+	{
+		.ident = "Asus ExpertBook B2402CBA",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+			DMI_MATCH(DMI_BOARD_NAME, "B2402CBA"),
+		},
+	},
+	{
+		.ident = "Asus ExpertBook B2502",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+			DMI_MATCH(DMI_BOARD_NAME, "B2502CBA"),
+		},
+	},
+	{ }
+};
+
+struct irq_override_cmp {
+	const struct dmi_system_id *system;
+	unsigned char irq;
+	unsigned char triggering;
+	unsigned char polarity;
+	unsigned char shareable;
+};
+
+static const struct irq_override_cmp skip_override_table[] = {
+	{ medion_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0 },
+	{ asus_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0 },
+};
+
+static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity,
+				  u8 shareable)
 {
-	res->start = gsi;
-	res->end = gsi;
-	res->flags = IORESOURCE_IRQ | IORESOURCE_DISABLED | IORESOURCE_UNSET;
+	int i;
+
+	for (i = 0; i < ARRAY_SIZE(skip_override_table); i++) {
+		const struct irq_override_cmp *entry = &skip_override_table[i];
+
+		if (dmi_check_system(entry->system) &&
+		    entry->irq == gsi &&
+		    entry->triggering == triggering &&
+		    entry->polarity == polarity &&
+		    entry->shareable == shareable)
+			return false;
+	}
+
+	return true;
 }
 
 static void acpi_dev_get_irqresource(struct resource *res, u32 gsi,
 				     u8 triggering, u8 polarity, u8 shareable,
-				     bool legacy)
+				     bool check_override)
 {
 	int irq, p, t;
 
 	if (!valid_IRQ(gsi)) {
-		acpi_dev_irqresource_disabled(res, gsi);
+		irqresource_disabled(res, gsi);
 		return;
 	}
 
@@ -408,7 +505,9 @@ static void acpi_dev_get_irqresource(struct resource *res, u32 gsi,
 	 * using extended IRQ descriptors we take the IRQ configuration
 	 * from _CRS directly.
 	 */
-	if (legacy && !acpi_get_override_irq(gsi, &t, &p)) {
+	if (check_override &&
+	    acpi_dev_irq_override(gsi, triggering, polarity, shareable) &&
+	    !acpi_get_override_irq(gsi, &t, &p)) {
 		u8 trig = t ? ACPI_LEVEL_SENSITIVE : ACPI_EDGE_SENSITIVE;
 		u8 pol = p ? ACPI_ACTIVE_LOW : ACPI_ACTIVE_HIGH;
 
@@ -426,7 +525,7 @@ static void acpi_dev_get_irqresource(struct resource *res, u32 gsi,
 		res->start = irq;
 		res->end = irq;
 	} else {
-		acpi_dev_irqresource_disabled(res, gsi);
+		irqresource_disabled(res, gsi);
 	}
 }
 
@@ -463,7 +562,7 @@ bool acpi_dev_resource_interrupt(struct acpi_resource *ares, int index,
 		 */
 		irq = &ares->data.irq;
 		if (index >= irq->interrupt_count) {
-			acpi_dev_irqresource_disabled(res, 0);
+			irqresource_disabled(res, 0);
 			return false;
 		}
 		acpi_dev_get_irqresource(res, irq->interrupts[index],
@@ -473,7 +572,7 @@ bool acpi_dev_resource_interrupt(struct acpi_resource *ares, int index,
 	case ACPI_RESOURCE_TYPE_EXTENDED_IRQ:
 		ext_irq = &ares->data.extended_irq;
 		if (index >= ext_irq->interrupt_count) {
-			acpi_dev_irqresource_disabled(res, 0);
+			irqresource_disabled(res, 0);
 			return false;
 		}
 		if (is_gsi(ext_irq))
@@ -481,7 +580,7 @@ bool acpi_dev_resource_interrupt(struct acpi_resource *ares, int index,
 					 ext_irq->triggering, ext_irq->polarity,
 					 ext_irq->shareable, false);
 		else
-			acpi_dev_irqresource_disabled(res, 0);
+			irqresource_disabled(res, 0);
 		break;
 	default:
 		res->flags = 0;

drivers/ata/libata-eh.c

@@ -2224,7 +2224,7 @@ static void ata_eh_link_report(struct ata_link *link)
 	struct ata_eh_context *ehc = &link->eh_context;
 	struct ata_queued_cmd *qc;
 	const char *frozen, *desc;
-	char tries_buf[6] = "";
+	char tries_buf[16] = "";
 	int tag, nr_failed = 0;
 
 	if (ehc->i.flags & ATA_EHI_QUIET)

drivers/base/regmap/regmap.c

@@ -1511,7 +1511,7 @@ static int dev_get_regmap_match(struct device *dev, void *res, void *data)
 
 	/* If the user didn't specify a name match any */
 	if (data)
-		return !strcmp((*r)->name, data);
+		return (*r)->name && !strcmp((*r)->name, data);
 	else
 		return 1;
 }