1. 28 Oct, 2021 2 commits
  2. 27 Oct, 2021 7 commits
  3. 26 Oct, 2021 3 commits
  4. 25 Oct, 2021 9 commits
    • Amit Pundir's avatar
      Revert "arm64: dts: qcom: sm8250: remove bus clock from the mdss node for sm8250 target" · e091b836
      Amit Pundir authored
      This reverts commit 001ce978.
      
      This upstream commit broke AOSP (post Android 12 merge) build
      on RB5. The device either silently crashes into USB crash mode
      after android boot animation or we see a blank blue screen
      with following dpu errors in dmesg:
      
      [  T444] hw recovery is not complete for ctl:3
      [  T444] [drm:dpu_encoder_phys_vid_prepare_for_kickoff:539] [dpu error]enc31 intf1 ctl 3 reset failure: -22
      [  T444] [drm:dpu_encoder_phys_vid_wait_for_commit_done:513] [dpu error]vblank timeout
      [  T444] [drm:dpu_kms_wait_for_commit_done:454] [dpu error]wait for commit done returned -110
      [    C7] [drm:dpu_encoder_frame_done_timeout:2127] [dpu error]enc31 frame done timeout
      [  T444] [drm:dpu_encoder_phys_vid_wait_for_commit_done:513] [dpu error]vblank timeout
      [  T444] [drm:dpu_kms_wait_for_commit_done:454] [dpu error]wait for commit done returned -110
      
      Fixes: 001ce978 ("arm64: dts: qcom: sm8250: remove bus clock from the mdss node for sm8250 target")
      Signed-off-by: default avatarAmit Pundir <amit.pundir@linaro.org>
      Signed-off-by: default avatarDmitry Baryshkov <dmitry.baryshkov@linaro.org>
      Signed-off-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
      Link: https://lore.kernel.org/r/20211014135410.4136412-1-dmitry.baryshkov@linaro.org
      e091b836
    • Linus Torvalds's avatar
      Linux 5.15-rc7 · 3906fe9b
      Linus Torvalds authored
      3906fe9b
    • Matthew Wilcox (Oracle)'s avatar
      secretmem: Prevent secretmem_users from wrapping to zero · cb685432
      Matthew Wilcox (Oracle) authored
      Commit 11086054 ("mm/secretmem: use refcount_t instead of atomic_t")
      attempted to fix the problem of secretmem_users wrapping to zero and
      allowing suspend once again.
      
      But it was reverted in commit 87066fdd ("Revert 'mm/secretmem: use
      refcount_t instead of atomic_t'") because of the problems it caused - a
      refcount_t was not semantically the right type to use.
      
      Instead prevent secretmem_users from wrapping to zero by forbidding new
      users if the number of users has wrapped from positive to negative.
      This stops a long way short of reaching the necessary 4 billion users
      where it wraps to zero again, so there's no need to be clever with
      special anti-wrap types or checking the return value from atomic_inc().
      Signed-off-by: default avatarMatthew Wilcox (Oracle) <willy@infradead.org>
      Cc: Jordy Zomer <jordy@pwning.systems>
      Cc: Kees Cook <keescook@chromium.org>,
      Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
      Cc: Mike Rapoport <rppt@kernel.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      cb685432
    • Linus Torvalds's avatar
      spi: Fix tegra20 build with CONFIG_PM=n once again · ac8a6eba
      Linus Torvalds authored
      Commit efafec27 ("spi: Fix tegra20 build with CONFIG_PM=n") already
      fixed the build without PM support once.  There was an alternative fix
      by Guenter in commit 2bab9409 ("spi: tegra20-slink: Declare runtime
      suspend and resume functions conditionally"), and Mark then merged the
      two correctly in ffb1e76f ("Merge tag 'v5.15-rc2' into spi-5.15").
      
      But for some inexplicable reason, Mark then merged things _again_ in
      commit 59c4e190 ("Merge tag 'v5.15-rc3' into spi-5.15"), and screwed
      things up at that point, and the __maybe_unused attribute on
      tegra_slink_runtime_resume() went missing.
      
      Reinstate it, so that alpha (and other architectures without PM support)
      builds cleanly again.
      
      Btw, this is another prime example of how random back-merges are not
      good.  Just don't do them.  Subsystem developers should not merge my
      tree in any normal circumstances.  Both of those merge commits pointed
      to above are bad: even the one that got the merge result right doesn't
      even mention _why_ it was done, and the one that got it wrong is
      obviously broken.
      Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Cc: Mark Brown <broonie@kernel.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ac8a6eba
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm · c2b43854
      Linus Torvalds authored
      Pull ARM fixes from Russell King:
      
       - Fix clang-related relocation warning in futex code
      
       - Fix incorrect use of get_kernel_nofault()
      
       - Fix bad code generation in __get_user_check() when kasan is enabled
      
       - Ensure TLB function table is correctly aligned
      
       - Remove duplicated string function definitions in decompressor
      
       - Fix link-time orphan section warnings
      
       - Fix old-style function prototype for arch_init_kprobes()
      
       - Only warn about XIP address when not compile testing
      
       - Handle BE32 big endian for keystone2 remapping
      
      * tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 9148/1: handle CONFIG_CPU_ENDIAN_BE32 in arch/arm/kernel/head.S
        ARM: 9141/1: only warn about XIP address when not compile testing
        ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype
        ARM: 9138/1: fix link warning with XIP + frame-pointer
        ARM: 9134/1: remove duplicate memcpy() definition
        ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned
        ARM: 9132/1: Fix __get_user_check failure with ARM KASAN images
        ARM: 9125/1: fix incorrect use of get_kernel_nofault()
        ARM: 9122/1: select HAVE_FUTEX_CMPXCHG
      c2b43854
    • Linus Torvalds's avatar
      Merge tag 'libata-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata · 4862649f
      Linus Torvalds authored
      Pull libata fix from Damien Le Moal:
       "A single fix in this pull request addressing an invalid error code
        return in the sata_mv driver (from Zheyu)"
      
      * tag 'libata-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
        ata: sata_mv: Fix the error handling of mv_chip_id()
      4862649f
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v5.15-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · a51aec41
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
       "Some late pin control fixes, the most generally annoying will probably
        be the AMD IRQ storm fix affecting the Microsoft surface.
      
        Summary:
      
         - Three fixes pertaining to Broadcom DT bindings. Some stuff didn't
           work out as inteded, we need to back out
      
         - A resume bug fix in the STM32 driver
      
         - Disable and mask the interrupts on probe in the AMD pinctrl driver,
           affecting Microsoft surface"
      
      * tag 'pinctrl-v5.15-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: amd: disable and mask interrupts on probe
        pinctrl: stm32: use valid pin identifier in stm32_pinctrl_resume()
        Revert "pinctrl: bcm: ns: support updated DT binding as syscon subnode"
        dt-bindings: pinctrl: brcm,ns-pinmux: drop unneeded CRU from example
        Revert "dt-bindings: pinctrl: bcm4708-pinmux: rework binding to use syscon"
      a51aec41
    • Mark Zhang's avatar
      RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string · 64733956
      Mark Zhang authored
      When copying the device name, the length of the data memcpy copied exceeds
      the length of the source buffer, which cause the KASAN issue below.  Use
      strscpy_pad() instead.
      
       BUG: KASAN: slab-out-of-bounds in ib_nl_set_path_rec_attrs+0x136/0x320 [ib_core]
       Read of size 64 at addr ffff88811a10f5e0 by task rping/140263
       CPU: 3 PID: 140263 Comm: rping Not tainted 5.15.0-rc1+ #1
       Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
       Call Trace:
        dump_stack_lvl+0x57/0x7d
        print_address_description.constprop.0+0x1d/0xa0
        kasan_report+0xcb/0x110
        kasan_check_range+0x13d/0x180
        memcpy+0x20/0x60
        ib_nl_set_path_rec_attrs+0x136/0x320 [ib_core]
        ib_nl_make_request+0x1c6/0x380 [ib_core]
        send_mad+0x20a/0x220 [ib_core]
        ib_sa_path_rec_get+0x3e3/0x800 [ib_core]
        cma_query_ib_route+0x29b/0x390 [rdma_cm]
        rdma_resolve_route+0x308/0x3e0 [rdma_cm]
        ucma_resolve_route+0xe1/0x150 [rdma_ucm]
        ucma_write+0x17b/0x1f0 [rdma_ucm]
        vfs_write+0x142/0x4d0
        ksys_write+0x133/0x160
        do_syscall_64+0x43/0x90
        entry_SYSCALL_64_after_hwframe+0x44/0xae
       RIP: 0033:0x7f26499aa90f
       Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 29 fd ff ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c fd ff ff 48
       RSP: 002b:00007f26495f2dc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
       RAX: ffffffffffffffda RBX: 00000000000007d0 RCX: 00007f26499aa90f
       RDX: 0000000000000010 RSI: 00007f26495f2e00 RDI: 0000000000000003
       RBP: 00005632a8315440 R08: 0000000000000000 R09: 0000000000000001
       R10: 0000000000000000 R11: 0000000000000293 R12: 00007f26495f2e00
       R13: 00005632a83154e0 R14: 00005632a8315440 R15: 00005632a830a810
      
       Allocated by task 131419:
        kasan_save_stack+0x1b/0x40
        __kasan_kmalloc+0x7c/0x90
        proc_self_get_link+0x8b/0x100
        pick_link+0x4f1/0x5c0
        step_into+0x2eb/0x3d0
        walk_component+0xc8/0x2c0
        link_path_walk+0x3b8/0x580
        path_openat+0x101/0x230
        do_filp_open+0x12e/0x240
        do_sys_openat2+0x115/0x280
        __x64_sys_openat+0xce/0x140
        do_syscall_64+0x43/0x90
        entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      Fixes: 2ca546b9 ("IB/sa: Route SA pathrecord query through netlink")
      Link: https://lore.kernel.org/r/72ede0f6dab61f7f23df9ac7a70666e07ef314b0.1635055496.git.leonro@nvidia.comSigned-off-by: default avatarMark Zhang <markzhang@nvidia.com>
      Reviewed-by: default avatarMark Bloch <mbloch@nvidia.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@nvidia.com>
      64733956
    • LABBE Corentin's avatar
      ARM: 9148/1: handle CONFIG_CPU_ENDIAN_BE32 in arch/arm/kernel/head.S · 00568b8a
      LABBE Corentin authored
      My intel-ixp42x-welltech-epbx100 no longer boot since 4.14.
      This is due to commit 463dbba4 ("ARM: 9104/2: Fix Keystone 2 kernel
      mapping regression")
      which forgot to handle CONFIG_CPU_ENDIAN_BE32 as possible BE config.
      Suggested-by: default avatarKrzysztof Hałasa <khalasa@piap.pl>
      Fixes: 463dbba4 ("ARM: 9104/2: Fix Keystone 2 kernel mapping regression")
      Signed-off-by: default avatarCorentin Labbe <clabbe.montjoie@gmail.com>
      Signed-off-by: default avatarRussell King (Oracle) <rmk+kernel@armlinux.org.uk>
      00568b8a
  5. 24 Oct, 2021 7 commits
    • Zheyu Ma's avatar
      ata: sata_mv: Fix the error handling of mv_chip_id() · a0023bb9
      Zheyu Ma authored
      mv_init_host() propagates the value returned by mv_chip_id() which in turn
      gets propagated by mv_pci_init_one() and hits local_pci_probe().
      
      During the process of driver probing, the probe function should return < 0
      for failure, otherwise, the kernel will treat value > 0 as success.
      
      Since this is a bug rather than a recoverable runtime error we should
      use dev_alert() instead of dev_err().
      Signed-off-by: default avatarZheyu Ma <zheyuma97@gmail.com>
      Signed-off-by: default avatarDamien Le Moal <damien.lemoal@opensource.wdc.com>
      a0023bb9
    • Linus Torvalds's avatar
      Revert "mm/secretmem: use refcount_t instead of atomic_t" · 87066fdd
      Linus Torvalds authored
      This reverts commit 11086054.
      
      Converting the "secretmem_users" counter to a refcount is incorrect,
      because a refcount is special in zero and can't just be incremented (but
      a count of users is not, and "no users" is actually perfectly valid and
      not a sign of a free'd resource).
      
      Reported-by: syzbot+75639e6a0331cd61d3e2@syzkaller.appspotmail.com
      Cc: Jordy Zomer <jordy@pwning.systems>
      Cc: Kees Cook <keescook@chromium.org>,
      Cc: Jordy Zomer <jordy@jordyzomer.github.io>
      Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
      Cc: Mike Rapoport <rppt@kernel.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      87066fdd
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · b20078fd
      Linus Torvalds authored
      Pull autofs fix from Al Viro:
       "Fix for a braino of mine (in getting rid of open-coded
        dentry_path_raw() in autofs a couple of cycles ago).
      
        Mea culpa...  Obvious -stable fodder"
      
      * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        autofs: fix wait name hash calculation in autofs_wait()
      b20078fd
    • Linus Torvalds's avatar
      Merge tag 'sched_urgent_for_v5.15_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 6c62666d
      Linus Torvalds authored
      Pull scheduler fix from Borislav Petkov:
       "Reset clang's Shadow Call Stack on hotplug to prevent it from
        overflowing"
      
      * tag 'sched_urgent_for_v5.15_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/scs: Reset the shadow stack when idle_task_exit
      6c62666d
    • Linus Torvalds's avatar
      Merge tag 'x86_urgent_for_v5.15_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 16bc1776
      Linus Torvalds authored
      Pull x86 fix from Borislav Petkov:
       "A single change adding Dave Hansen to our maintainers team"
      
      * tag 'x86_urgent_for_v5.15_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        MAINTAINERS: Add Dave Hansen to the x86 maintainer team
      16bc1776
    • Linus Torvalds's avatar
      Merge tag '5.15-rc6-ksmbd-fixes' of git://git.samba.org/ksmbd · c460e789
      Linus Torvalds authored
      Pull ksmbd fixes from Steve French:
       "Ten fixes for the ksmbd kernel server, for improved security and
        additional buffer overflow checks:
      
         - a security improvement to session establishment to reduce the
           possibility of dictionary attacks
      
         - fix to ensure that maximum i/o size negotiated in the protocol is
           not less than 64K and not more than 8MB to better match expected
           behavior
      
         - fix for crediting (flow control) important to properly verify that
           sufficient credits are available for the requested operation
      
         - seven additional buffer overflow, buffer validation checks"
      
      * tag '5.15-rc6-ksmbd-fixes' of git://git.samba.org/ksmbd:
        ksmbd: add buffer validation in session setup
        ksmbd: throttle session setup failures to avoid dictionary attacks
        ksmbd: validate OutputBufferLength of QUERY_DIR, QUERY_INFO, IOCTL requests
        ksmbd: validate credit charge after validating SMB2 PDU body size
        ksmbd: add buffer validation for smb direct
        ksmbd: limit read/write/trans buffer size not to exceed 8MB
        ksmbd: validate compound response buffer
        ksmbd: fix potencial 32bit overflow from data area check in smb2_write
        ksmbd: improve credits management
        ksmbd: add validation in smb2_ioctl
      c460e789
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 0f386a60
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Ten fixes, seven of which are in drivers.
      
        The core fixes are one to fix a potential crash on resume, one to sort
        out our reference count releases to avoid releasing in-use modules and
        one to adjust the cmd per lun calculation to avoid an overflow in
        hyper-v"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: ufs: ufs-pci: Force a full restore after suspend-to-disk
        scsi: qla2xxx: Fix unmap of already freed sgl
        scsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els()
        scsi: qla2xxx: Return -ENOMEM if kzalloc() fails
        scsi: sd: Fix crashes in sd_resume_runtime()
        scsi: mpi3mr: Fix duplicate device entries when scanning through sysfs
        scsi: core: Put LLD module refcnt after SCSI device is released
        scsi: storvsc: Fix validation for unsolicited incoming packets
        scsi: iscsi: Fix set_param() handling
        scsi: core: Fix shost->cmd_per_lun calculation in scsi_add_host_with_dma()
      0f386a60
  6. 23 Oct, 2021 2 commits
  7. 22 Oct, 2021 10 commits
    • Linus Torvalds's avatar
      Merge tag 'fuse-fixes-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse · 5ab2ed0a
      Linus Torvalds authored
      Pull fuse fixes from Miklos Szeredi:
       "Syzbot discovered a race in case of reusing the fuse sb (introduced in
        this cycle).
      
        Fix it by doing the s_fs_info initialization at the proper place"
      
      * tag 'fuse-fixes-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
        fuse: clean up error exits in fuse_fill_super()
        fuse: always initialize sb->s_fs_info
        fuse: clean up fuse_mount destruction
        fuse: get rid of fuse_put_super()
        fuse: check s_root when destroying sb
      5ab2ed0a
    • Linus Torvalds's avatar
      Merge tag 'hyperv-fixes-signed-20211022' of... · 477b4e80
      Linus Torvalds authored
      Merge tag 'hyperv-fixes-signed-20211022' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux
      
      Pull hyper-v fix from Wei Liu:
      
       - Fix vmbus ARM64 build (Arnd Bergmann)
      
      * tag 'hyperv-fixes-signed-20211022' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux:
        hyperv/vmbus: include linux/bitops.h
      477b4e80
    • Arnd Bergmann's avatar
      hyperv/vmbus: include linux/bitops.h · 8017c996
      Arnd Bergmann authored
      On arm64 randconfig builds, hyperv sometimes fails with this
      error:
      
      In file included from drivers/hv/hv_trace.c:3:
      In file included from drivers/hv/hyperv_vmbus.h:16:
      In file included from arch/arm64/include/asm/sync_bitops.h:5:
      arch/arm64/include/asm/bitops.h:11:2: error: only <linux/bitops.h> can be included directly
      In file included from include/asm-generic/bitops/hweight.h:5:
      include/asm-generic/bitops/arch_hweight.h:9:9: error: implicit declaration of function '__sw_hweight32' [-Werror,-Wimplicit-function-declaration]
      include/asm-generic/bitops/atomic.h:17:7: error: implicit declaration of function 'BIT_WORD' [-Werror,-Wimplicit-function-declaration]
      
      Include the correct header first.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Link: https://lore.kernel.org/r/20211018131929.2260087-1-arnd@kernel.orgSigned-off-by: default avatarWei Liu <wei.liu@kernel.org>
      8017c996
    • Linus Torvalds's avatar
      Merge tag 'acpi-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 1d4590f5
      Linus Torvalds authored
      Pull ACPI fixes from Rafael Wysocki:
       "These fix two regressions, one related to ACPI power resources
        management and one that broke ACPI tools compilation.
      
        Specifics:
      
         - Stop turning off unused ACPI power resources in an unknown state to
           address a regression introduced during the 5.14 cycle (Rafael
           Wysocki).
      
         - Fix an ACPI tools build issue introduced recently when the minimal
           stdarg.h was added (Miguel Bernal Marin)"
      
      * tag 'acpi-5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: PM: Do not turn off power resources in unknown state
        ACPI: tools: fix compilation error
      1d4590f5
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · cd82c4a7
      Linus Torvalds authored
      Pull more x86 kvm fixes from Paolo Bonzini:
      
       - Cache coherency fix for SEV live migration
      
       - Fix for instruction emulation with PKU
      
       - fixes for rare delaying of interrupt delivery
      
       - fix for SEV-ES buffer overflow
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: SEV-ES: go over the sev_pio_data buffer in multiple passes if needed
        KVM: SEV-ES: keep INS functions together
        KVM: x86: remove unnecessary arguments from complete_emulator_pio_in
        KVM: x86: split the two parts of emulator_pio_in
        KVM: SEV-ES: clean up kvm_sev_es_ins/outs
        KVM: x86: leave vcpu->arch.pio.count alone in emulator_pio_in_out
        KVM: SEV-ES: rename guest_ins_data to sev_pio_data
        KVM: SEV: Flush cache on non-coherent systems before RECEIVE_UPDATE_DATA
        KVM: MMU: Reset mmu->pkru_mask to avoid stale data
        KVM: nVMX: promptly process interrupts delivered while in guest mode
        KVM: x86: check for interrupts before deciding whether to exit the fast path
      cd82c4a7
    • Rafael J. Wysocki's avatar
      Merge branch 'acpi-tools' · 7a748900
      Rafael J. Wysocki authored
      Merge a fix for a recent ACPI tools bild regresson.
      
      * acpi-tools:
        ACPI: tools: fix compilation error
      7a748900
    • Paolo Bonzini's avatar
      KVM: SEV-ES: go over the sev_pio_data buffer in multiple passes if needed · 95e16b47
      Paolo Bonzini authored
      The PIO scratch buffer is larger than a single page, and therefore
      it is not possible to copy it in a single step to vcpu->arch/pio_data.
      Bound each call to emulator_pio_in/out to a single page; keep
      track of how many I/O operations are left in vcpu->arch.sev_pio_count,
      so that the operation can be restarted in the complete_userspace_io
      callback.
      
      For OUT, this means that the previous kvm_sev_es_outs implementation
      becomes an iterator of the loop, and we can consume the sev_pio_data
      buffer before leaving to userspace.
      
      For IN, instead, consuming the buffer and decreasing sev_pio_count
      is always done in the complete_userspace_io callback, because that
      is when the memcpy is done into sev_pio_data.
      
      Cc: stable@vger.kernel.org
      Fixes: 7ed9abfe ("KVM: SVM: Support string IO operations for an SEV-ES guest")
      Reported-by: default avatarFelix Wilhelm <fwilhelm@google.com>
      Reviewed-by: default avatarMaxim Levitsky <mlevitsk@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      95e16b47
    • Paolo Bonzini's avatar
      KVM: SEV-ES: keep INS functions together · 4fa4b38d
      Paolo Bonzini authored
      Make the diff a little nicer when we actually get to fixing
      the bug.  No functional change intended.
      
      Cc: stable@vger.kernel.org
      Fixes: 7ed9abfe ("KVM: SVM: Support string IO operations for an SEV-ES guest")
      Reviewed-by: default avatarMaxim Levitsky <mlevitsk@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      4fa4b38d
    • Paolo Bonzini's avatar
      KVM: x86: remove unnecessary arguments from complete_emulator_pio_in · 6b5efc93
      Paolo Bonzini authored
      complete_emulator_pio_in can expect that vcpu->arch.pio has been filled in,
      and therefore does not need the size and count arguments.  This makes things
      nicer when the function is called directly from a complete_userspace_io
      callback.
      
      No functional change intended.
      
      Cc: stable@vger.kernel.org
      Fixes: 7ed9abfe ("KVM: SVM: Support string IO operations for an SEV-ES guest")
      Reviewed-by: default avatarMaxim Levitsky <mlevitsk@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      6b5efc93
    • Paolo Bonzini's avatar
      KVM: x86: split the two parts of emulator_pio_in · 3b27de27
      Paolo Bonzini authored
      emulator_pio_in handles both the case where the data is pending in
      vcpu->arch.pio.count, and the case where I/O has to be done via either
      an in-kernel device or a userspace exit.  For SEV-ES we would like
      to split these, to identify clearly the moment at which the
      sev_pio_data is consumed.  To this end, create two different
      functions: __emulator_pio_in fills in vcpu->arch.pio.count, while
      complete_emulator_pio_in clears it and releases vcpu->arch.pio.data.
      
      Because this patch has to be backported, things are left a bit messy.
      kernel_pio() operates on vcpu->arch.pio, which leads to emulator_pio_in()
      having with two calls to complete_emulator_pio_in().  It will be fixed
      in the next release.
      
      While at it, remove the unused void* val argument of emulator_pio_in_out.
      The function currently hardcodes vcpu->arch.pio_data as the
      source/destination buffer, which sucks but will be fixed after the more
      severe SEV-ES buffer overflow.
      
      No functional change intended.
      
      Cc: stable@vger.kernel.org
      Fixes: 7ed9abfe ("KVM: SVM: Support string IO operations for an SEV-ES guest")
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      3b27de27