Commit Graph

1138648 Commits

Author SHA1 Message Date
Linus Torvalds
57fb3f66a3 ATA fixes for 6.1-rc8
A single fix for this final PR for 6.1-rc:
 
   - Avoid a NULL pointer dereference in the libahci platform code that
     can happen on initialization when a device tree does not specify
     names for the adapter clocks (from Anders).

Merge tag 'ata-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata

Pull ATA fix from Damien Le Moal:

 - Avoid a NULL pointer dereference in the libahci platform code that
   can happen on initialization when a device tree does not specify
   names for the adapter clocks (from Anders)

* tag 'ata-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
  ata: libahci_platform: ahci_platform_find_clk: oops, NULL pointer
2022-12-08 10:46:52 -08:00
Tejun Heo
fbf8321238 memcg: Fix possible use-after-free in memcg_write_event_control()
memcg_write_event_control() accesses the dentry->d_name of the specified
control fd to route the write call.  As a cgroup interface file can't be
renamed, it's safe to access d_name as long as the specified file is a
regular cgroup file.  Also, as these cgroup interface files can't be
removed before the directory, it's safe to access the parent too.

Prior to 347c4a8747 ("memcg: remove cgroup_event->cft"), there was a
call to __file_cft() which verified that the specified file is a regular
cgroupfs file before further accesses.  The cftype pointer returned from
__file_cft() was no longer necessary and the commit inadvertently
dropped the file type check with it allowing any file to slip through.
With the invariants broken, the d_name and parent accesses can now race
against renames and removals of arbitrary files and cause
use-after-free's.

Fix the bug by resurrecting the file type check in __file_cft().  Now
that cgroupfs is implemented through kernfs, checking the file
operations needs to go through a layer of indirection.  Instead, let's
check the superblock and dentry type.

Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: 347c4a8747 ("memcg: remove cgroup_event->cft")
Cc: stable@kernel.org # v3.14+
Reported-by: Jann Horn <jannh@google.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Roman Gushchin <roman.gushchin@linux.dev>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-12-08 10:40:58 -08:00
Linus Torvalds
479174d402 platform-drivers-x86 for v6.1-5
A single fix for 6.12 for suspend/resume issues on some AMD systems.
 
 The following is an automated git shortlog grouped by driver:
 
 platform/x86/amd:
  -  pmc: Add a workaround for an s0i3 issue on Cezanne

Merge tag 'platform-drivers-x86-v6.1-5' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86

Pull x86 platform driver fix from Hans de Goede:
 "A single fix for 6.1 for suspend/resume issues on some AMD systems"

* tag 'platform-drivers-x86-v6.1-5' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
  platform/x86/amd: pmc: Add a workaround for an s0i3 issue on Cezanne
2022-12-07 12:37:35 -08:00
Dave Wysochanski
b5b52de321 fscache: Fix oops due to race with cookie_lru and use_cookie
If a cookie expires from the LRU and the LRU_DISCARD flag is set, but
the state machine has not run yet, it's possible another thread can call
fscache_use_cookie and begin to use it.

When the cookie_worker finally runs, it will see the LRU_DISCARD flag
set, transition the cookie->state to LRU_DISCARDING, which will then
withdraw the cookie.  Once the cookie is withdrawn the object is removed
the below oops will occur because the object associated with the cookie
is now NULL.

Fix the oops by clearing the LRU_DISCARD bit if another thread uses the
cookie before the cookie_worker runs.

  BUG: kernel NULL pointer dereference, address: 0000000000000008
  ...
  CPU: 31 PID: 44773 Comm: kworker/u130:1 Tainted: G     E    6.0.0-5.dneg.x86_64 #1
  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
  Workqueue: events_unbound netfs_rreq_write_to_cache_work [netfs]
  RIP: 0010:cachefiles_prepare_write+0x28/0x90 [cachefiles]
  ...
  Call Trace:
    netfs_rreq_write_to_cache_work+0x11c/0x320 [netfs]
    process_one_work+0x217/0x3e0
    worker_thread+0x4a/0x3b0
    kthread+0xd6/0x100

Fixes: 12bb21a29c ("fscache: Implement cookie user counting and resource pinning")
Reported-by: Daire Byrne <daire.byrne@gmail.com>
Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Daire Byrne <daire@dneg.com>
Link: https://lore.kernel.org/r/20221117115023.1350181-1-dwysocha@redhat.com/ # v1
Link: https://lore.kernel.org/r/20221117142915.1366990-1-dwysocha@redhat.com/ # v2
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-12-07 11:49:18 -08:00
Hans Verkuil
098e5edc5d media: videobuf2-core: take mmap_lock in vb2_get_unmapped_area()
While vb2_mmap took the mmap_lock mutex, vb2_get_unmapped_area didn't.
Add this.

Also take this opportunity to move the 'q->memory != VB2_MEMORY_MMAP'
check and vb2_fileio_is_active() check into __find_plane_by_offset() so
both vb2_mmap and vb2_get_unmapped_area do the same checks.

Since q->memory is checked while mmap_lock is held, also take that lock
in reqbufs and create_bufs when it is set, and set it back to
MEMORY_UNKNOWN on error.

Fixes: f035eb4e97 ("[media] videobuf2: fix lockdep warning")
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Acked-by: Tomasz Figa <tfiga@chromium.org>
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-12-07 11:25:40 -08:00
Mario Limonciello
e4678483f9 platform/x86/amd: pmc: Add a workaround for an s0i3 issue on Cezanne
Cezanne platforms under the right circumstances have a synchronization
problem where attempting to enter s2idle may fail if the x86 cores are
put into HLT before hardware resume from the previous attempt has
completed.

To avoid this issue add a 10-20ms delay before entering s2idle another
time. This workaround will only be applied on interrupts that wake the
hardware but don't break the s2idle loop.

Cc: stable@vger.kernel.org # 6.1
Cc: "Mahapatra, Rajib" <Rajib.Mahapatra@amd.com>
Cc: "Raul Rangel" <rrangel@chromium.org>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Link: https://lore.kernel.org/r/20221116154341.13382-1-mario.limonciello@amd.com
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
2022-12-07 15:27:49 +01:00
Anders Roxell
d95d140e83 ata: libahci_platform: ahci_platform_find_clk: oops, NULL pointer
When booting an arm 32-bit kernel with config CONFIG_AHCI_DWC enabled on
a am57xx-evm board. This happens when the clock references are unnamed
in DT, the strcmp() produces a NULL pointer dereference, see the
following oops, NULL pointer dereference:

[    4.673950] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[    4.682098] [00000000] *pgd=00000000
[    4.685699] Internal error: Oops: 5 [#1] SMP ARM
[    4.690338] Modules linked in:
[    4.693420] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc7 #1
[    4.699615] Hardware name: Generic DRA74X (Flattened Device Tree)
[    4.705749] PC is at strcmp+0x0/0x34
[    4.709350] LR is at ahci_platform_find_clk+0x3c/0x5c
[    4.714416] pc : [<c130c494>]    lr : [<c0c230e0>]    psr: 20000013
[    4.720703] sp : f000dda8  ip : 00000001  fp : c29b1840
[    4.725952] r10: 00000020  r9 : c1b23380  r8 : c1b23368
[    4.731201] r7 : c1ab4cc4  r6 : 00000001  r5 : c3c66040  r4 : 00000000
[    4.737762] r3 : 00000080  r2 : 00000080  r1 : c1ab4cc4  r0 : 00000000
[...]
[    4.998870]  strcmp from ahci_platform_find_clk+0x3c/0x5c
[    5.004302]  ahci_platform_find_clk from ahci_dwc_probe+0x1f0/0x54c
[    5.010589]  ahci_dwc_probe from platform_probe+0x64/0xc0
[    5.016021]  platform_probe from really_probe+0xe8/0x41c
[    5.021362]  really_probe from __driver_probe_device+0xa4/0x204
[    5.027313]  __driver_probe_device from driver_probe_device+0x38/0xc8
[    5.033782]  driver_probe_device from __driver_attach+0xb4/0x1ec
[    5.039825]  __driver_attach from bus_for_each_dev+0x78/0xb8
[    5.045532]  bus_for_each_dev from bus_add_driver+0x17c/0x220
[    5.051300]  bus_add_driver from driver_register+0x90/0x124
[    5.056915]  driver_register from do_one_initcall+0x48/0x1e8
[    5.062591]  do_one_initcall from kernel_init_freeable+0x1cc/0x234
[    5.068817]  kernel_init_freeable from kernel_init+0x20/0x13c
[    5.074584]  kernel_init from ret_from_fork+0x14/0x2c
[    5.079681] Exception stack(0xf000dfb0 to 0xf000dff8)
[    5.084747] dfa0:                                     00000000 00000000 00000000 00000000
[    5.092956] dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[    5.101165] dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
[    5.107818] Code: e5e32001 e3520000 1afffffb e12fff1e (e4d03001)
[    5.114013] ---[ end trace 0000000000000000 ]---

Add an extra check in the if-statement if hpriv-clks[i].id.

Fixes: 6ce73f3a6f ("ata: libahci_platform: Add function returning a clock-handle by id")
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
2022-12-07 08:36:37 +09:00
Linus Torvalds
8ed710da28 Revert the dropping of the cache invalidation from the arm64
arch_dma_prep_coherent() as it caused a regression in the qcom_q6v5_mss
 remoteproc driver. The driver is already buggy but the original arm64
 change made the problem obvious. The change will be re-introduced once
 the driver is fixed.

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fix from Catalin Marinas:
 "Revert the dropping of the cache invalidation from the arm64
  arch_dma_prep_coherent() as it caused a regression in the
  qcom_q6v5_mss remoteproc driver.

  The driver is already buggy but the original arm64 change made
  the problem obvious. The change will be re-introduced once the
  driver is fixed"

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  Revert "arm64: dma: Drop cache invalidation from arch_dma_prep_coherent()"
2022-12-06 11:03:03 -08:00
Linus Torvalds
5b3e0cd872 * Document the interaction between KVM_CAP_HALT_POLL and halt_poll_ns
* s390: fix multi-epoch extension in nested guests
 
 * x86: fix uninitialized variable on nested triple fault

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull kvm fixes from Paolo Bonzini:
 "Unless anything comes from the ARM side, this should be the last pull
  request for this release - and it's mostly documentation:

   - Document the interaction between KVM_CAP_HALT_POLL and halt_poll_ns

   - s390: fix multi-epoch extension in nested guests

   - x86: fix uninitialized variable on nested triple fault"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  KVM: Document the interaction between KVM_CAP_HALT_POLL and halt_poll_ns
  KVM: Move halt-polling documentation into common directory
  KVM: x86: fix uninitialized variable use on KVM_REQ_TRIPLE_FAULT
  KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field
2022-12-06 10:49:19 -08:00
Linus Torvalds
b71101d6ae xen: branch for v6.1-rc9

Merge tag 'for-linus-xsa-6.1-rc9-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip

Pull xen fixes from Juergen Gross:
 "Two zero-day fixes for the xen-netback driver (XSA-423 and XSA-424)"

* tag 'for-linus-xsa-6.1-rc9-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  xen/netback: don't call kfree_skb() with interrupts disabled
  xen/netback: Ensure protocol headers don't fall in the non-linear area
2022-12-06 10:19:05 -08:00
Will Deacon
b7d9aae404 Revert "arm64: dma: Drop cache invalidation from arch_dma_prep_coherent()"
This reverts commit c44094eee3.

Although the semantics of the DMA API require only a clean operation
here, it turns out that the Qualcomm 'qcom_q6v5_mss' remoteproc driver
(ab)uses the DMA API for transferring the modem firmware to the secure
world via calls to Trustzone [1].

Once the firmware buffer has changed hands, _any_ access from the
non-secure side (i.e. Linux) will be detected on the bus and result in a
full system reset [2]. Although this is possible even with this revert
in place (due to speculative reads via the cacheable linear alias of
memory), anecdotally the problem occurs considerably more frequently
when the lines have not been invalidated, assumedly due to some
micro-architectural interactions with the cache hierarchy.

Revert the offending change for now, along with a comment, so that the
Qualcomm developers have time to fix the driver [3] to use a firmware
buffer which does not have a cacheable alias in the linear map.

Link: https://lore.kernel.org/r/20221114110329.68413-1-manivannan.sadhasivam@linaro.org [1]
Link: https://lore.kernel.org/r/CAMi1Hd3H2k1J8hJ6e-Miy5+nVDNzv6qQ3nN-9929B0GbHJkXEg@mail.gmail.com/ [2]
Link: https://lore.kernel.org/r/20221206092152.GD15486@thinkpad [2]
Reported-by: Amit Pundir <amit.pundir@linaro.org>
Reported-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Cc: Thorsten Leemhuis <regressions@leemhuis.info>
Cc: Sibi Sankar <quic_sibis@quicinc.com>
Signed-off-by: Will Deacon <will@kernel.org>
Acked-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20221206103403.646-1-will@kernel.org
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2022-12-06 17:30:39 +00:00
Juergen Gross
74e7e1efda xen/netback: don't call kfree_skb() with interrupts disabled
It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So remove kfree_skb()
from the spin_lock_irqsave() section and use the already existing
"drop" label in xenvif_start_xmit() for dropping the SKB. At the
same time replace the dev_kfree_skb() call there with a call of
dev_kfree_skb_any(), as xenvif_start_xmit() can be called with
disabled interrupts.

This is XSA-424 / CVE-2022-42328 / CVE-2022-42329.

Fixes: be81992f90 ("xen/netback: don't queue unlimited number of packages")
Reported-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
2022-12-06 16:00:33 +01:00
Ross Lagerwall
ad7f402ae4 xen/netback: Ensure protocol headers don't fall in the non-linear area
In some cases, the frontend may send a packet where the protocol headers
are spread across multiple slots. This would result in netback creating
an skb where the protocol headers spill over into the non-linear area.
Some drivers and NICs don't handle this properly resulting in an
interface reset or worse.

This issue was introduced by the removal of an unconditional skb pull in
the tx path to improve performance.  Fix this without reintroducing the
pull by setting up grant copy ops for as many slots as needed to reach
the XEN_NETBACK_TX_COPY_LEN size. Adjust the rest of the code to handle
multiple copy operations per skb.

This is XSA-423 / CVE-2022-3643.

Fixes: 7e5d775395 ("xen-netback: remove unconditional __pskb_pull_tail() in guest Tx path")
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Paul Durrant <paul@xen.org>
Signed-off-by: Juergen Gross <jgross@suse.com>
2022-12-06 16:00:30 +01:00
Linus Torvalds
bce9332220 proc: proc_skip_spaces() shouldn't think it is working on C strings
proc_skip_spaces() seems to think it is working on C strings, and ends
up being just a wrapper around skip_spaces() with a really odd calling
convention.

Instead of basing it on skip_spaces(), it should have looked more like
proc_skip_char(), which really is the exact same function (except it
skips a particular character, rather than whitespace).  So use that as
inspiration, odd coding and all.

Now the calling convention actually makes sense and works for the
intended purpose.

Reported-and-tested-by: Kyle Zeng <zengyhkyle@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-12-05 12:09:06 -08:00
Linus Torvalds
e6cfaf34be proc: avoid integer type confusion in get_proc_long
proc_get_long() is passed a size_t, but then assigns it to an 'int'
variable for the length.  Let's not do that, even if our IO paths are
limited to MAX_RW_COUNT (exactly because of these kinds of type errors).

So do the proper test in the right type.

Reported-by: Kyle Zeng <zengyhkyle@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-12-05 11:33:40 -08:00
Jann Horn
b52be557e2 ipc/sem: Fix dangling sem_array access in semtimedop race
When __do_semtimedop() goes to sleep because it has to wait for a
semaphore value becoming zero or becoming bigger than some threshold, it
links the on-stack sem_queue to the sem_array, then goes to sleep
without holding a reference on the sem_array.

When __do_semtimedop() comes back out of sleep, one of two things must
happen:

 a) We prove that the on-stack sem_queue has been disconnected from the
    (possibly freed) sem_array, making it safe to return from the stack
    frame that the sem_queue exists in.

 b) We stabilize our reference to the sem_array, lock the sem_array, and
    detach the sem_queue from the sem_array ourselves.

sem_array has RCU lifetime, so for case (b), the reference can be
stabilized inside an RCU read-side critical section by locklessly
checking whether the sem_queue is still connected to the sem_array.

However, the current code does the lockless check on sem_queue before
starting an RCU read-side critical section, so the result of the
lockless check immediately becomes useless.

Fix it by doing rcu_read_lock() before the lockless check.  Now RCU
ensures that if we observe the object being on our queue, the object
can't be freed until rcu_read_unlock().

This bug is only hittable on kernel builds with full preemption support
(either CONFIG_PREEMPT or PREEMPT_DYNAMIC with preempt=full).

Fixes: 370b262c89 ("ipc/sem: avoid idr tree lookup for interrupted semop")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-12-05 10:54:44 -08:00
Linus Torvalds
76dcd734ec Linux 6.1-rc8
2022-12-04 14:48:12 -08:00
Linus Torvalds
0ba09b1733 Revert "mm: align larger anonymous mappings on THP boundaries"
This reverts commit f35b5d7d67.

It has been reported to cause huge performance regressions on some loads
(will-it-scale.per_process_ops, but also building the kernel with
clang).

The commit did speed up gcc builds by a small amount, so it's not an
unambiguous regression, but until the big regressions are understood,
let's revert it.

Reported-by: kernel test robot <yujie.liu@intel.com>
Link: https://lore.kernel.org/r/202210181535.7144dd15-yujie.liu@intel.com
Reported-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/lkml/Y1DNQaoPWxE%2BrGce@dev-arch.thelio-3990X/
Cc: Huang, Ying <ying.huang@intel.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Yang Shi <shy828301@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-12-04 12:51:59 -08:00
Jan Dabros
23393c6461 char: tpm: Protect tpm_pm_suspend with locks
Currently tpm transactions are executed unconditionally in
tpm_pm_suspend() function, which may lead to races with other tpm
accessors in the system.

Specifically, the hw_random tpm driver makes use of tpm_get_random(),
and this function is called in a loop from a kthread, which means it's
not frozen alongside userspace, and so can race with the work done
during system suspend:

  tpm tpm0: tpm_transmit: tpm_recv: error -52
  tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics
  CPU: 0 PID: 1 Comm: init Not tainted 6.1.0-rc5+ #135
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
  Call Trace:
   tpm_tis_status.cold+0x19/0x20
   tpm_transmit+0x13b/0x390
   tpm_transmit_cmd+0x20/0x80
   tpm1_pm_suspend+0xa6/0x110
   tpm_pm_suspend+0x53/0x80
   __pnp_bus_suspend+0x35/0xe0
   __device_suspend+0x10f/0x350

Fix this by calling tpm_try_get_ops(), which itself is a wrapper around
tpm_chip_start(), but takes the appropriate mutex.

Signed-off-by: Jan Dabros <jsd@semihalf.com>
Reported-by: Vlastimil Babka <vbabka@suse.cz>
Tested-by: Jason A. Donenfeld <Jason@zx2c4.com>
Tested-by: Vlastimil Babka <vbabka@suse.cz>
Link: https://lore.kernel.org/all/c5ba47ef-393f-1fba-30bd-1230d1b4b592@suse.cz/
Cc: stable@vger.kernel.org
Fixes: e891db1a18 ("tpm: turn on TPM on suspend for TPM 1.x")
[Jason: reworked commit message, added metadata]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-12-04 12:49:13 -08:00
Linus Torvalds
0c3b5bcb48 - Fix a use-after-free case where the perf pending task callback would
see an already freed event

Merge tag 'perf_urgent_for_v6.1_rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull perf fix from Borislav Petkov:

 - Fix a use-after-free case where the perf pending task callback would
   see an already freed event

* tag 'perf_urgent_for_v6.1_rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf: Fix perf_pending_task() UaF
2022-12-04 12:36:23 -08:00
Linus Torvalds
eea8bebd51 - Revert a fix to RISC-V timers supposed to address an uncertainty
whether clock events are received during S3 or not which locks up other
 RISC-V platforms. The issue will be fixed differently later.

Merge tag 'timers_urgent_for_v6.1_rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull timer fix from Borislav Petkov:

 - Revert a fix to RISC-V timers supposed to address an uncertainty
   whether clock events are received during S3 or not which locks up
   other RISC-V platforms. The issue will be fixed differently later.

* tag 'timers_urgent_for_v6.1_rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  Revert "clocksource/drivers/riscv: Events are stopped during CPU suspend"
2022-12-04 12:33:44 -08:00
Linus Torvalds
ae6bb71711 powerpc fixes for 6.1 #6
- Fix oops in 32-bit BPF tail call tests
  - Add missing declaration for machine_check_early_boot()
 
 Thanks to: Christophe Leroy, Naveen N. Rao.

Merge tag 'powerpc-6.1-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

Pull powerpc fixes from Michael Ellerman:

 - Fix oops in 32-bit BPF tail call tests

 - Add missing declaration for machine_check_early_boot()

Thanks to Christophe Leroy and Naveen N. Rao.

* tag 'powerpc-6.1-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  powerpc/64s: Add missing declaration for machine_check_early_boot()
  powerpc/bpf/32: Fix Oops on tail call tests
2022-12-04 12:24:58 -08:00
Linus Torvalds
50f36c5aa1 Input updates for v6.1-rc7
- a fix for Raydium touchscreen driver to stop leaking memory when
   sending commands to the chip.

Merge tag 'input-for-v6.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input

Pull input fix from Dmitry Torokhov:

 - a fix for Raydium touchscreen driver to stop leaking memory when
   sending commands to the chip

* tag 'input-for-v6.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: raydium_ts_i2c - fix memory leak in raydium_i2c_send()
2022-12-04 12:18:37 -08:00
Linus Torvalds
c2bf05db6c I2C has this time a power state fix in the core for ACPI devices, a
regression fix regarding bus recovery for the cadence driver, a DMA
 handling fix for the imx driver, and two error path fixes (npcm7xx and
 qcom-geni).

Merge tag 'i2c-for-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux

Pull i2c fixes from Wolfram Sang:
 "A power state fix in the core for ACPI devices, a regression fix
  regarding bus recovery for the cadence driver, a DMA handling fix for
  the imx driver, and two error path fixes (npcm7xx and qcom-geni)"

* tag 'i2c-for-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  i2c: imx: Only DMA messages with I2C_M_DMA_SAFE flag set
  i2c: qcom-geni: fix error return code in geni_i2c_gpi_xfer
  i2c: cadence: Fix regression with bus recovery
  i2c: Restore initial power state if probe fails
  i2c: npcm7xx: Fix error handling in npcm_i2c_init()
2022-12-03 13:51:37 -08:00
Linus Torvalds
6085bc9579 dax fixes for v6.1-rc8
- Fix duplicate overlapping device-dax instances for HMAT described
   "Soft Reserved" Memory
 
 - Fix missing node targets in the sysfs representation of memory tiers
 
 - Remove a confusing variable initialization

Merge tag 'dax-fixes-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm

Pull dax fixes from Dan Williams:
 "A few bug fixes around the handling of "Soft Reserved" memory and
  memory tiering information.

  Linux is starting to encounter more real world systems that deploy an
  ACPI HMAT to describe different performance classes of memory, as well
  the "special purpose" (Linux "Soft Reserved") designation from EFI.

  These fixes result from that testing.

  It has all appeared in -next for a while with no known issues.

   - Fix duplicate overlapping device-dax instances for HMAT described
     "Soft Reserved" Memory

   - Fix missing node targets in the sysfs representation of memory
     tiers

   - Remove a confusing variable initialization"

* tag 'dax-fixes-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
  device-dax: Fix duplicate 'hmem' device registration
  ACPI: HMAT: Fix initiator registration for single-initiator systems
  ACPI: HMAT: remove unnecessary variable initialization
2022-12-03 13:43:38 -08:00
Linus Torvalds
97ee9d1c16 block-6.1-2022-12-02

Merge tag 'block-6.1-2022-12-02' of git://git.kernel.dk/linux

Pull block fixes from Jens Axboe:
 "Just a small NVMe merge for this week, fixing protection of the name
  space list, and a missing clear of a reserved field when unused"

* tag 'block-6.1-2022-12-02' of git://git.kernel.dk/linux:
  nvme: fix SRCU protection of nvme_ns_head list
  nvme-pci: clear the prp2 field when not used
2022-12-02 16:27:15 -08:00
Linus Torvalds
63050a5ca1 Pin control fixes for the v6.1 series:
- Fix a potential divide by zero in pinctrl-single (OMAP
   and HiSilicon)
 
 - Disable IRQs on startup in the Mediatek driver. This
   is a classic, we should be looking out for this more.
 
 - Save and restore pins in "direct IRQ" mode in the Intel
   driver, this works around firmware bugs.

Merge tag 'pinctrl-v6.1-5' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

Pull pin control fixes from Linus Walleij:
 "Three driver fixes. The Intel fix looks like the most important.

   - Fix a potential divide by zero in pinctrl-single (OMAP and
     HiSilicon)

   - Disable IRQs on startup in the Mediatek driver. This is a classic,
     we should be looking out for this more.

   - Save and restore pins in 'direct IRQ' mode in the Intel driver,
     this works around firmware bugs"

* tag 'pinctrl-v6.1-5' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  pinctrl: intel: Save and restore pins in "direct IRQ" mode
  pinctrl: meditatek: Startup with the IRQs disabled
  pinctrl: single: Fix potential division by zero
2022-12-02 16:22:17 -08:00
Linus Torvalds
0e15c3c75a RISC-V Fixes for 6.1-rc8
* A build-time fix for the NR_CPUS Kconfig SBI version dependency.
 * A pair of fixes to early memory initialization, to fix page
   permissions in EFI and post-initmem-free.
 * A build-time fix for the VDSO, to avoid trying to profile the VDSO
   functions.
 * A pair of fixes for kexec crash handling, to fix multi-core and
   interrupt related initialization inside the crash kernel.
 * A fix to avoid a race condition when handling multiple concurrent
   kernel stack overflows.

Merge tag 'riscv-for-linus-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux

Pull RISC-V fixes from Palmer Dabbelt:

 - build fix for the NR_CPUS Kconfig SBI version dependency

 - fixes to early memory initialization, to fix page permissions in EFI
   and post-initmem-free

 - build fix for the VDSO, to avoid trying to profile the VDSO functions

 - fixes for kexec crash handling, to fix multi-core and interrupt
   related initialization inside the crash kernel

 - fix for a race condition when handling multiple concurrent kernel
   stack overflows

* tag 'riscv-for-linus-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
  riscv: kexec: Fixup crash_smp_send_stop without multi cores
  riscv: kexec: Fixup irq controller broken in kexec crash path
  riscv: mm: Proper page permissions after initmem free
  riscv: vdso: fix section overlapping under some conditions
  riscv: fix race when vmap stack overflow
  riscv: Sync efi page table's kernel mappings before switching
  riscv: Fix NR_CPUS range conditions
2022-12-02 16:04:53 -08:00
Linus Torvalds
2df2adc3e6 MMC core:
- Fix ambiguous TRIM and DISCARD args
  - Fix removal of debugfs file for mmc_test
 
 MMC host:
  - mtk-sd: Add missing clk_disable_unprepare() in an error path
  - sdhci: Fix I/O voltage switch delay for UHS-I SD cards
  - sdhci-esdhc-imx: Fix CQHCI exit halt state check
  - sdhci-sprd: Fix voltage switch

Merge tag 'mmc-v6.1-rc5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc

Pull MMC fixes from Ulf Hansson:
 "MMC core:
   - Fix ambiguous TRIM and DISCARD args
   - Fix removal of debugfs file for mmc_test

  MMC host:
   - mtk-sd: Add missing clk_disable_unprepare() in an error path
   - sdhci: Fix I/O voltage switch delay for UHS-I SD cards
   - sdhci-esdhc-imx: Fix CQHCI exit halt state check
   - sdhci-sprd: Fix voltage switch"

* tag 'mmc-v6.1-rc5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
  mmc: sdhci-sprd: Fix no reset data and command after voltage switch
  mmc: sdhci: Fix voltage switch delay
  mmc: mtk-sd: Fix missing clk_disable_unprepare in msdc_of_clock_parse()
  mmc: mmc_test: Fix removal of debugfs file
  mmc: sdhci-esdhc-imx: correct CQHCI exit halt state check
  mmc: core: Fix ambiguous TRIM and DISCARD arg
2022-12-02 15:58:07 -08:00
Linus Torvalds
f66f62f83d IOMMU Fixes for Linux v6.1-rc7
Including:
 
 	- Intel VT-d fixes:
 	  - IO/TLB flush fix
 	  - Various pci_dev refcount fixes

Merge tag 'iommu-fixes-v6.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu

Pull iommu fixes from Joerg Roedel:
 "Intel VT-d fixes:

   - IO/TLB flush fix

   - Various pci_dev refcount fixes"

* tag 'iommu-fixes-v6.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
  iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init()
  iommu/vt-d: Fix PCI device refcount leak in has_external_pci()
  iommu/vt-d: Fix PCI device refcount leak in prq_event_thread()
  iommu/vt-d: Add a fix for devices need extra dtlb flush
2022-12-02 15:54:12 -08:00
Pawan Gupta
6606515742 x86/bugs: Make sure MSR_SPEC_CTRL is updated properly upon resume from S3
The "force" argument to write_spec_ctrl_current() is currently ambiguous
as it does not guarantee the MSR write. This is due to the optimization
that writes to the MSR happen only when the new value differs from the
cached value.

This is fine in most cases, but breaks for S3 resume when the cached MSR
value gets out of sync with the hardware MSR value due to S3 resetting
it.

When x86_spec_ctrl_current is the same as x86_spec_ctrl_base, the MSR write
is skipped, which results in SPEC_CTRL mitigations not getting restored.

Move the MSR write from write_spec_ctrl_current() to a new function that
unconditionally writes to the MSR. Update the callers accordingly and
rename functions.

  [ bp: Rework a bit. ]

Fixes: caa0ff24d5 ("x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value")
Suggested-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@kernel.org>
Link: https://lore.kernel.org/r/806d39b0bfec2fe8f50dc5446dff20f5bb24a959.1669821572.git.pawan.kumar.gupta@linux.intel.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-12-02 15:45:33 -08:00
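A user-space model of the failure described in the commit message above, as an added example that is not the kernel's code: a write helper that skips the hardware write when the value equals its cached copy never restores a register that S3 has reset. The names `model_cpu`, `model_cached_write()`, `model_forced_write()` and `model_resume()`, the bit value, and the assumption that S3 resets the register to 0 are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed value standing in for a mitigation bit in the register. */
#define MODEL_MITIGATION_BIT 0x1ULL

struct model_cpu {
    uint64_t hw_msr;     /* stands in for the hardware register */
    uint64_t cached;     /* software copy kept in RAM, survives S3 */
    unsigned hw_writes;  /* writes that actually reached "hardware" */
};

struct resume_result {
    int mitigation_active;  /* bit set in hardware after resume? */
    int cache_matches_hw;   /* software view agrees with hardware? */
    unsigned hw_writes;
};

static void model_hw_write(struct model_cpu *c, uint64_t val)
{
    c->hw_msr = val;
    c->hw_writes++;
}

/* Optimised path: touch hardware only when the value differs from the cache. */
static void model_cached_write(struct model_cpu *c, uint64_t val)
{
    if (c->cached == val)
        return;
    c->cached = val;
    model_hw_write(c, val);
}

/* Corrected path: update the cache and always write the hardware. */
static void model_forced_write(struct model_cpu *c, uint64_t val)
{
    c->cached = val;
    model_hw_write(c, val);
}

/* Assumption: S3 clears the register, while the cached copy is preserved. */
static void model_s3_cycle(struct model_cpu *c)
{
    c->hw_msr = 0;
}

/* Boot, suspend, then restore the base value on resume with either helper. */
static struct resume_result model_resume(int use_forced_write)
{
    struct model_cpu cpu = { 0, 0, 0 };
    const uint64_t base = MODEL_MITIGATION_BIT;
    struct resume_result r;

    model_cached_write(&cpu, base);      /* boot: cache and hardware agree */
    model_s3_cycle(&cpu);                /* hardware reset, cache is stale */

    if (use_forced_write)
        model_forced_write(&cpu, base);
    else
        model_cached_write(&cpu, base);  /* skipped: cache already == base */

    r.mitigation_active = (cpu.hw_msr & MODEL_MITIGATION_BIT) != 0;
    r.cache_matches_hw = (cpu.cached == cpu.hw_msr);
    r.hw_writes = cpu.hw_writes;
    return r;
}

int main(void)
{
    struct resume_result a = model_resume(0);
    struct resume_result b = model_resume(1);

    printf("cached write: active=%d in_sync=%d hw_writes=%u\n",
           a.mitigation_active, a.cache_matches_hw, a.hw_writes);
    printf("forced write: active=%d in_sync=%d hw_writes=%u\n",
           b.mitigation_active, b.cache_matches_hw, b.hw_writes);
    return 0;
}
```

Comparing the cached copy against a fresh read of the register after resume, as `cache_matches_hw` does in the model, is the check that exposes this class of drift.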
Zhang Xiaoxu
8c9a59939d Input: raydium_ts_i2c - fix memory leak in raydium_i2c_send()
There is a kmemleak when testing the raydium_i2c_ts with bpf mock device:

  unreferenced object 0xffff88812d3675a0 (size 8):
    comm "python3", pid 349, jiffies 4294741067 (age 95.695s)
    hex dump (first 8 bytes):
      11 0e 10 c0 01 00 04 00                          ........
    backtrace:
      [<0000000068427125>] __kmalloc+0x46/0x1b0
      [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts]
      [<000000006e631aee>] raydium_i2c_initialize.cold+0xbc/0x3e4 [raydium_i2c_ts]
      [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts]
      [<00000000a310de16>] i2c_device_probe+0x651/0x680
      [<00000000f5a96bf3>] really_probe+0x17c/0x3f0
      [<00000000096ba499>] __driver_probe_device+0xe3/0x170
      [<00000000c5acb4d9>] driver_probe_device+0x49/0x120
      [<00000000264fe082>] __device_attach_driver+0xf7/0x150
      [<00000000f919423c>] bus_for_each_drv+0x114/0x180
      [<00000000e067feca>] __device_attach+0x1e5/0x2d0
      [<0000000054301fc2>] bus_probe_device+0x126/0x140
      [<00000000aad93b22>] device_add+0x810/0x1130
      [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0
      [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110
      [<00000000ffec4177>] of_i2c_notify+0x100/0x160
  unreferenced object 0xffff88812d3675c8 (size 8):
    comm "python3", pid 349, jiffies 4294741070 (age 95.692s)
    hex dump (first 8 bytes):
      22 00 36 2d 81 88 ff ff                          ".6-....
    backtrace:
      [<0000000068427125>] __kmalloc+0x46/0x1b0
      [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts]
      [<000000001d5c9620>] raydium_i2c_initialize.cold+0x223/0x3e4 [raydium_i2c_ts]
      [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts]
      [<00000000a310de16>] i2c_device_probe+0x651/0x680
      [<00000000f5a96bf3>] really_probe+0x17c/0x3f0
      [<00000000096ba499>] __driver_probe_device+0xe3/0x170
      [<00000000c5acb4d9>] driver_probe_device+0x49/0x120
      [<00000000264fe082>] __device_attach_driver+0xf7/0x150
      [<00000000f919423c>] bus_for_each_drv+0x114/0x180
      [<00000000e067feca>] __device_attach+0x1e5/0x2d0
      [<0000000054301fc2>] bus_probe_device+0x126/0x140
      [<00000000aad93b22>] device_add+0x810/0x1130
      [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0
      [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110
      [<00000000ffec4177>] of_i2c_notify+0x100/0x160

After the BANK_SWITCH command from the i2c bus, no matter whether success or
error happened, the tx_buf should be freed.

Fixes: 3b384bd6c3 ("Input: raydium_ts_i2c - do not split tx transactions")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Link: https://lore.kernel.org/r/20221202103412.2120169-1-zhangxiaoxu5@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2022-12-02 15:42:21 -08:00
Linus Torvalds
a1e9185d20 sound fixes for 6.1-rc8
Likely the last piece for 6.1; the only significant fixes are ASoC
 core ops fixes, while others are device-specific (rather minor)
 fixes in ASoC and FireWire drivers.
 
 All appear safe enough to take as a late stage material.

Merge tag 'sound-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "Likely the last piece for 6.1; the only significant fixes are ASoC
  core ops fixes, while others are device-specific (rather minor) fixes
  in ASoC and FireWire drivers.

  All appear safe enough to take as a late stage material"

* tag 'sound-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: dice: fix regression for Lexicon I-ONIX FW810S
  ASoC: cs42l51: Correct PGA Volume minimum value
  ASoC: ops: Correct bounds check for second channel on SX controls
  ASoC: tlv320adc3xxx: Fix build error for implicit function declaration
  ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()
  ASoC: ops: Fix bounds check for _sx controls
  ASoC: fsl_micfil: explicitly clear CHnF flags
  ASoC: fsl_micfil: explicitly clear software reset bit
2022-12-02 15:40:35 -08:00
Linus Torvalds
c290db0137 drm fixes for 6.1-rc8
i915:
 - Fix dram info readout
 - Remove non-existent pipes from bigjoiner pipe mask
 - Fix negative value passed as remaining time
 - Never return 0 if not all requests retired
 
 amdgpu:
 - VCN fix for vangogh

Merge tag 'drm-fixes-2022-12-02' of git://anongit.freedesktop.org/drm/drm

Pull drm fixes from Dave Airlie:
 "Things do seem to have finally settled down, just four i915 and one
  amdgpu this week. Probably won't have much for next week if you do
  push rc8 out.

  i915:
   - Fix dram info readout
   - Remove non-existent pipes from bigjoiner pipe mask
   - Fix negative value passed as remaining time
   - Never return 0 if not all requests retired

  amdgpu:
   - VCN fix for vangogh"

* tag 'drm-fixes-2022-12-02' of git://anongit.freedesktop.org/drm/drm:
  drm/amdgpu: enable Vangogh VCN indirect sram mode
  drm/i915: Never return 0 if not all requests retired
  drm/i915: Fix negative value passed as remaining time
  drm/i915: Remove non-existent pipes from bigjoiner pipe mask
  drm/i915/mtl: Fix dram info readout
2022-12-02 15:35:21 -08:00
Linus Torvalds
bdaa78c6aa 15 hotfixes. 11 marked cc:stable. Only three or four of the latter
address post-6.0 issues, which is hopefully a sign that things are
 converging.

Merge tag 'mm-hotfixes-stable-2022-12-02' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Pull misc hotfixes from Andrew Morton:
 "15 hotfixes, 11 marked cc:stable.

  Only three or four of the latter address post-6.0 issues, which is
  hopefully a sign that things are converging"

* tag 'mm-hotfixes-stable-2022-12-02' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
  revert "kbuild: fix -Wimplicit-function-declaration in license_is_gpl_compatible"
  Kconfig.debug: provide a little extra FRAME_WARN leeway when KASAN is enabled
  drm/amdgpu: temporarily disable broken Clang builds due to blown stack-frame
  mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths
  mm/khugepaged: fix GUP-fast interaction by sending IPI
  mm/khugepaged: take the right locks for page table retraction
  mm: migrate: fix THP's mapcount on isolation
  mm: introduce arch_has_hw_nonleaf_pmd_young()
  mm: add dummy pmd_young() for architectures not having it
  mm/damon/sysfs: fix wrong empty schemes assumption under online tuning in damon_sysfs_set_schemes()
  tools/vm/slabinfo-gnuplot: use "grep -E" instead of "egrep"
  nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()
  hugetlb: don't delete vma_lock in hugetlb MADV_DONTNEED processing
  madvise: use zap_page_range_single for madvise dontneed
  mm: replace VM_WARN_ON to pr_warn if the node is offline with __GFP_THISNODE
2022-12-02 13:39:38 -08:00
Linus Torvalds
6647e76ab6 v4l2: don't fall back to follow_pfn() if pin_user_pages_fast() fails
The V4L2_MEMORY_USERPTR interface is long deprecated and shouldn't be
used (and is discouraged for any modern v4l drivers).  And Seth Jenkins
points out that the fallback to VM_PFNMAP/VM_IO is fundamentally racy
and dangerous.

Note that it's not even a case that should trigger, since any normal
user pointer logic ends up just using the pin_user_pages_fast() call
that does the proper page reference counting.  That's not the problem
case, only if you try to use special device mappings do you have any
issues.

Normally I'd just remove this during the merge window, but since Seth
pointed out the problem cases, we really want to know as soon as
possible if there are actually any users of this odd special case of a
legacy interface.  Neither Hans nor Mauro seem to think that such
mis-uses of the old legacy interface should exist.  As Mauro says:

 "See, V4L2 has actually 4 streaming APIs:
        - Kernel-allocated mmap (usually referred simply as just mmap);
        - USERPTR mmap;
        - read();
        - dmabuf;

  The USERPTR is one of the oldest way to use it, coming from V4L
  version 1 times, and by far the least used one"

And Hans chimed in on the USERPTR interface:

 "To be honest, I wouldn't mind if it goes away completely, but that's a
  bit of a pipe dream right now"

but while removing this legacy interface entirely may be a pipe dream we
can at least try to remove the unlikely (and actively broken) case of
using special device mappings for USERPTR accesses.

This replaces it with a WARN_ONCE() that we can remove once we've
hopefully confirmed that no actual users exist.

NOTE! Longer term, this means that a 'struct frame_vector' only ever
contains proper page pointers, and all the games we have with converting
them to pages can go away (grep for 'frame_vector_to_pages()' and the
uses of 'vec->is_pfns').  But this is just the first step, to verify
that this code really is all dead, and do so as quickly as possible.

Reported-by: Seth Jenkins <sethjenkins@google.com>
Acked-by: Hans Verkuil <hverkuil@xs4all.nl>
Acked-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: David Hildenbrand <david@redhat.com>
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-12-02 13:33:57 -08:00
David Matlack
34e30ebbe4 KVM: Document the interaction between KVM_CAP_HALT_POLL and halt_poll_ns
Clarify the existing documentation about how KVM_CAP_HALT_POLL and
halt_poll_ns interact to make it clear that VMs using KVM_CAP_HALT_POLL
ignore halt_poll_ns.

Signed-off-by: David Matlack <dmatlack@google.com>
Message-Id: <20221201195249.3369720-3-dmatlack@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-12-02 13:20:30 -05:00
David Matlack
b8b43a4c2e KVM: Move halt-polling documentation into common directory
Move halt-polling.rst into the common KVM documentation directory and
out of the x86-specific directory. Halt-polling is a common feature and
the existing documentation is already written as such.

Signed-off-by: David Matlack <dmatlack@google.com>
Message-Id: <20221201195249.3369720-2-dmatlack@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-12-02 13:20:30 -05:00
Jens Axboe
d0f411c0b9 nvme fixes for Linux 6.1
- fix SRCU protection of nvme_ns_head list (Caleb Sander)
  - clear the prp2 field when not used (Lei Rao)

Merge tag 'nvme-6.1-2022-01-02' of git://git.infradead.org/nvme into block-6.1

Pull NVMe fixes from Christoph:

"nvme fixes for Linux 6.1

 - fix SRCU protection of nvme_ns_head list (Caleb Sander)
 - clear the prp2 field when not used (Lei Rao)"

* tag 'nvme-6.1-2022-01-02' of git://git.infradead.org/nvme:
  nvme: fix SRCU protection of nvme_ns_head list
  nvme-pci: clear the prp2 field when not used
2022-12-02 08:01:06 -07:00
Xiongfeng Wang
4bedbbd782 iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init()
for_each_pci_dev() is implemented by pci_get_device(). The comment of
pci_get_device() says that it will increase the reference count for the
returned pci_dev and also decrease the reference count for the input
pci_dev @from if it is not NULL.

If we break for_each_pci_dev() loop with pdev not NULL, we need to call
pci_dev_put() to decrease the reference count. Add the missing
pci_dev_put() for the error path to avoid reference count leak.

Fixes: 2e45528930 ("iommu/vt-d: Unify the way to process DMAR device scope array")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Link: https://lore.kernel.org/r/20221121113649.190393-3-wangxiongfeng2@huawei.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
2022-12-02 11:45:33 +01:00
Xiongfeng Wang
afca9e19cc iommu/vt-d: Fix PCI device refcount leak in has_external_pci()
for_each_pci_dev() is implemented by pci_get_device(). The comment of
pci_get_device() says that it will increase the reference count for the
returned pci_dev and also decrease the reference count for the input
pci_dev @from if it is not NULL.

If we break for_each_pci_dev() loop with pdev not NULL, we need to call
pci_dev_put() to decrease the reference count. Add the missing
pci_dev_put() before 'return true' to avoid reference count leak.

Fixes: 89a6079df7 ("iommu/vt-d: Force IOMMU on for platform opt in hint")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Link: https://lore.kernel.org/r/20221121113649.190393-2-wangxiongfeng2@huawei.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
2022-12-02 11:45:32 +01:00
Yang Yingliang
6927d35238 iommu/vt-d: Fix PCI device refcount leak in prq_event_thread()
As the comment of pci_get_domain_bus_and_slot() says, it returns a pci device
with its refcount incremented; when finished using it, the caller must decrease
the reference count by calling pci_dev_put(). So call pci_dev_put() after
using the 'pdev' to avoid a refcount leak.

Besides, if the 'pdev' is null or intel_svm_prq_report() returns error,
there is no need to trace this fault.

Fixes: 06f4b8d09d ("iommu/vt-d: Remove unnecessary SVA data accesses in page fault path")
Suggested-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221119144028.2452731-1-yangyingliang@huawei.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
2022-12-02 11:45:32 +01:00
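The reference-count rule behind the three iommu/vt-d refcount commits above, as an added user-space model that is not the kernel's code: an iterator that takes a reference on the device it returns and drops the one on its input leaves one reference outstanding whenever the loop is left early. `model_dev`, `model_get_next()`, `model_for_each_dev()`, `model_dev_put()` and the device table are hypothetical stand-ins for the pci_dev helpers named in the commit messages.

```c
#include <stddef.h>
#include <stdio.h>

#define MODEL_NDEV 4

struct model_dev {
    int id;
    int refcount;
};

/* Constructed device table; each entry starts with one base reference. */
static struct model_dev model_devs[MODEL_NDEV];

static void model_reset(void)
{
    for (int i = 0; i < MODEL_NDEV; i++) {
        model_devs[i].id = i;
        model_devs[i].refcount = 1;
    }
}

static void model_dev_put(struct model_dev *d)
{
    if (d)
        d->refcount--;
}

/*
 * Iterator with the semantics the commit messages describe: the returned
 * device has its reference count raised, and the reference on 'from' is
 * dropped if 'from' is not NULL.
 */
static struct model_dev *model_get_next(struct model_dev *from)
{
    size_t next = from ? (size_t)(from - model_devs) + 1 : 0;
    struct model_dev *d = next < MODEL_NDEV ? &model_devs[next] : NULL;

    if (d)
        d->refcount++;
    model_dev_put(from);
    return d;
}

#define model_for_each_dev(d) while (((d) = model_get_next(d)) != NULL)

/* Leaves the loop early while still holding the iterator's reference. */
static int find_dev_leaky(int id)
{
    struct model_dev *d = NULL;

    model_for_each_dev(d) {
        if (d->id == id)
            return 1;               /* reference on d is never dropped */
    }
    return 0;                       /* full traversal: nothing held */
}

/* Drops the reference before leaving the loop early. */
static int find_dev_fixed(int id)
{
    struct model_dev *d = NULL;

    model_for_each_dev(d) {
        if (d->id == id) {
            model_dev_put(d);
            return 1;
        }
    }
    return 0;
}

/* References held beyond the base reference of each device. */
static int model_leaked_refs(void)
{
    int leaked = 0;

    for (int i = 0; i < MODEL_NDEV; i++)
        leaked += model_devs[i].refcount - 1;
    return leaked;
}

/* Run a lookup 'calls' times on a fresh table and report outstanding refs. */
static int leak_after(int (*lookup)(int), int id, int calls)
{
    model_reset();
    for (int i = 0; i < calls; i++)
        lookup(id);
    return model_leaked_refs();
}

int main(void)
{
    printf("leaky, early exit x3:  %d leaked\n", leak_after(find_dev_leaky, 2, 3));
    printf("fixed, early exit x3:  %d leaked\n", leak_after(find_dev_fixed, 2, 3));
    printf("leaky, no match x3:    %d leaked\n", leak_after(find_dev_leaky, -1, 3));
    return 0;
}
```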
Jacob Pan
e65a6897be iommu/vt-d: Add a fix for devices need extra dtlb flush
QAT devices on Intel Sapphire Rapids and Emerald Rapids have a defect in
address translation service (ATS). These devices may inadvertently issue
ATS invalidation completion before posted writes initiated with
translated address that utilized translations matching the invalidation
address range, violating the invalidation completion ordering.

This patch adds an extra device TLB invalidation for the affected devices,
it is needed to ensure no more posted writes with translated address
following the invalidation completion. Therefore, the ordering is
preserved and data-corruption is prevented.

Device TLBs are invalidated under the following six conditions:
1. Device driver does DMA API unmap IOVA
2. Device driver unbinds a PASID from a process, sva_unbind_device()
3. PASID is torn down, after PASID cache is flushed. e.g. process
exit_mmap() due to crash
4. Under SVA usage, called by mmu_notifier.invalidate_range() where
VM has to free pages that were unmapped
5. userspace driver unmaps a DMA buffer
6. Cache invalidation in vSVA usage (upcoming)

For #1 and #2, device drivers are responsible for stopping DMA traffic
before unmap/unbind. For #3, iommu driver gets mmu_notifier to
invalidate TLB the same way as normal user unmap which will do an extra
invalidation. The dTLB invalidation after PASID cache flush does not
need an extra invalidation.

Therefore, we only need to deal with #4 and #5 in this patch. #1 is also
covered by this patch due to common code path with #5.

Tested-by: Yuzhang Luo <yuzhang.luo@intel.com>
Reviewed-by: Ashok Raj <ashok.raj@intel.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
Link: https://lore.kernel.org/r/20221130062449.1360063-1-jacob.jun.pan@linux.intel.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
2022-12-02 11:45:31 +01:00
Dave Airlie
c082fbd687 Merge tag 'amd-drm-fixes-6.1-2022-12-01' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
amd-drm-fixes-6.1-2022-12-01:

amdgpu:
- VCN fix for vangogh

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Alex Deucher <alexander.deucher@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221201202015.5931-1-alexander.deucher@amd.com
2022-12-02 09:12:46 +10:00
Andrew Lunn
d36678f790 i2c: imx: Only DMA messages with I2C_M_DMA_SAFE flag set
Recent changes to the DMA code have resulted in the IMX driver failing
I2C transfers when the buffer has been vmalloc'ed. Only perform DMA
transfers if the message has the I2C_M_DMA_SAFE flag set, indicating
the client is providing a buffer which is DMA safe.

This is a minimal fix for stable. The I2C core provides helpers to
allocate a bounce buffer. For a fuller fix the master should make use
of these helpers.

Fixes: 4544b9f25e ("dma-mapping: Add vmap checks to dma_map_single()")
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
2022-12-02 00:12:25 +01:00
Wang Yufen
7d8ccf4f11 i2c: qcom-geni: fix error return code in geni_i2c_gpi_xfer
Fix to return a negative error code from the gi2c->err instead of
0.

Fixes: d8703554f4 ("i2c: qcom-geni: Add support for GPI DMA")
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
Reviewed-by: Tommaso Merciai <tommaso.merciai@amarulasoluitons.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
2022-12-01 23:55:22 +01:00
Carsten Haitzler
8bfd4ec726 i2c: cadence: Fix regression with bus recovery
Commit "i2c: cadence: Add standard bus recovery support" breaks for i2c
devices that have no pinctrl defined. There is no requirement for this
to exist in the DT. This has worked perfectly well without this before in
at least 1 real usage case on hardware (Mali Komeda DPU, Cadence i2c to
talk to a tda99xx phy). Adding the requirement to have pinctrl set up in
the device tree (or otherwise be found) is a regression where the whole
i2c device is lost entirely (in this case dropping entire devices which
then leads to the drm display stack unable to find the phy for display
output, thus having no drm display device and so on down the chain).

This converts the above commit to an enhancement if pinctrl can be found
for the i2c device, providing a timeout on read with recovery, but if not,
do what used to be done rather than a fatal loss of a device.

This restores the mentioned display devices to their working state again.

Fixes: 58b924241d ("i2c: cadence: Add standard bus recovery support")
Signed-off-by: Carsten Haitzler <carsten.haitzler@arm.com>
Reviewed-by: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
Reviewed-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Acked-by: Michal Simek <michal.simek@amd.com>
[wsa: added braces to else-branch]
Signed-off-by: Wolfram Sang <wsa@kernel.org>
2022-12-01 23:55:12 +01:00
Dave Airlie
65a388250e Merge tag 'drm-intel-fixes-2022-12-01' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
- Fix dram info readout (Radhakrishna Sripada)
- Remove non-existent pipes from bigjoiner pipe mask (Ville Syrjälä)
- Fix negative value passed as remaining time (Janusz Krzysztofik)
- Never return 0 if not all requests retired (Janusz Krzysztofik)

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/Y4hp+a3TJ13t2ZA1@tursulin-desk
2022-12-02 07:34:28 +10:00
Steven Rostedt (Google)
a4412fdd49 error-injection: Add prompt for function error injection
The config to be able to inject error codes into any function annotated
with ALLOW_ERROR_INJECTION() is enabled when FUNCTION_ERROR_INJECTION is
enabled.  But unfortunately, this is always enabled on x86 when KPROBES
is enabled, and there's no way to turn it off.

As kprobes is useful for observability of the kernel, it is useful to
have it enabled in production environments.  But error injection should
be avoided.  Add a prompt to the config to allow it to be disabled even
when kprobes is enabled, and get rid of the "def_bool y".

This is a kernel debug feature (it's in Kconfig.debug), and should have
never been something enabled by default.

Cc: stable@vger.kernel.org
Fixes: 540adea380 ("error-injection: Separate error-injection from kprobe")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-12-01 13:14:21 -08:00
Leo Liu
9a8cc8cabc drm/amdgpu: enable Vangogh VCN indirect sram mode
So that it uses PSP to initialize HW.

Fixes: 0c2c02b66c ("drm/amdgpu/vcn: add firmware support for dimgrey_cavefish")
Signed-off-by: Leo Liu <leo.liu@amd.com>
Reviewed-by: James Zhu <James.Zhu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
2022-12-01 15:09:49 -05:00