--- /dev/null
+From ff5a19909b49fe5c0b01ae197f84b741e0f698dc Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Tue, 22 Nov 2022 14:44:11 +0100
+Subject: bus: ixp4xx: Don't touch bit 7 on IXP42x
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit ff5a19909b49fe5c0b01ae197f84b741e0f698dc upstream.
+
+We face some regressions on a few IXP42x systems when
+accessing flash, the following unrelated error prints
+appear from the PCI driver:
+
+ixp4xx-pci c0000000.pci: PCI: abort_handler addr = 0xff9ffb5f,
+ isr = 0x0, status = 0x22a0
+ixp4xx-pci c0000000.pci: imprecise abort
+(...)
+
+It turns out that while bit 7 is masked "reserved" it is
+not unused, so masking it off as zero is dangerous, and
+breaks flash access on some systems such as the NSLU2.
+Be more careful and avoid masking off any of the reserved
+bits 7, 8, 9 or 30. Only keep masking EXP_WORD (bit 2)
+on IXP43x which is necessary in some setups.
+
+Fixes: 1c953bda90ca ("bus: ixp4xx: Add a driver for IXP4xx expansion bus")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20221122134411.2030372-1-linus.walleij@linaro.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/intel-ixp4xx-eb.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/bus/intel-ixp4xx-eb.c
++++ b/drivers/bus/intel-ixp4xx-eb.c
+@@ -49,7 +49,7 @@
+ #define IXP4XX_EXP_SIZE_SHIFT 10
+ #define IXP4XX_EXP_CNFG_0 BIT(9) /* Always zero */
+ #define IXP43X_EXP_SYNC_INTEL BIT(8) /* Only on IXP43x */
+-#define IXP43X_EXP_EXP_CHIP BIT(7) /* Only on IXP43x */
++#define IXP43X_EXP_EXP_CHIP BIT(7) /* Only on IXP43x, dangerous to touch on IXP42x */
+ #define IXP4XX_EXP_BYTE_RD16 BIT(6)
+ #define IXP4XX_EXP_HRDY_POL BIT(5) /* Only on IXP42x */
+ #define IXP4XX_EXP_MUX_EN BIT(4)
+@@ -57,8 +57,6 @@
+ #define IXP4XX_EXP_WORD BIT(2) /* Always zero */
+ #define IXP4XX_EXP_WR_EN BIT(1)
+ #define IXP4XX_EXP_BYTE_EN BIT(0)
+-#define IXP42X_RESERVED (BIT(30)|IXP4XX_EXP_CNFG_0|BIT(8)|BIT(7)|IXP4XX_EXP_WORD)
+-#define IXP43X_RESERVED (BIT(30)|IXP4XX_EXP_CNFG_0|BIT(5)|IXP4XX_EXP_WORD)
+
+ #define IXP4XX_EXP_CNFG0 0x20
+ #define IXP4XX_EXP_CNFG0_MEM_MAP BIT(31)
+@@ -252,10 +250,9 @@ static void ixp4xx_exp_setup_chipselect(
+ cs_cfg |= val << IXP4XX_EXP_CYC_TYPE_SHIFT;
+ }
+
+- if (eb->is_42x)
+- cs_cfg &= ~IXP42X_RESERVED;
+ if (eb->is_43x) {
+- cs_cfg &= ~IXP43X_RESERVED;
++ /* Should always be zero */
++ cs_cfg &= ~IXP4XX_EXP_WORD;
+ /*
+ * This bit for Intel strata flash is currently unused, but let's
+ * report it if we find one.
--- /dev/null
+From 919f4557696939625085435ebde09a539de2349c Mon Sep 17 00:00:00 2001
+From: Wyes Karny <wyes.karny@amd.com>
+Date: Thu, 17 Nov 2022 15:35:37 +0800
+Subject: cpufreq: amd-pstate: cpufreq: amd-pstate: reset MSR_AMD_PERF_CTL register at init
+
+From: Wyes Karny <wyes.karny@amd.com>
+
+commit 919f4557696939625085435ebde09a539de2349c upstream.
+
+MSR_AMD_PERF_CTL is guaranteed to be 0 on a cold boot. However, on a
+kexec boot, for instance, it may have a non-zero value (if the cpu was
+in a non-P0 Pstate). In such cases, the cores with non-P0 Pstates at
+boot will never be pushed to P0, let alone boost frequencies.
+
+Kexec is a common workflow for reboot on Linux and this creates a
+regression in performance. Fix it by explicitly setting the
+MSR_AMD_PERF_CTL to 0 during amd_pstate driver init.
+
+Cc: All applicable <stable@vger.kernel.org>
+Acked-by: Huang Rui <ray.huang@amd.com>
+Reviewed-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
+Tested-by: Wyes Karny <wyes.karny@amd.com>
+Signed-off-by: Wyes Karny <wyes.karny@amd.com>
+Signed-off-by: Perry Yuan <Perry.Yuan@amd.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/amd-pstate.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/cpufreq/amd-pstate.c
++++ b/drivers/cpufreq/amd-pstate.c
+@@ -483,12 +483,22 @@ static void amd_pstate_boost_init(struct
+ amd_pstate_driver.boost_enabled = true;
+ }
+
++static void amd_perf_ctl_reset(unsigned int cpu)
++{
++ wrmsrl_on_cpu(cpu, MSR_AMD_PERF_CTL, 0);
++}
++
+ static int amd_pstate_cpu_init(struct cpufreq_policy *policy)
+ {
+ int min_freq, max_freq, nominal_freq, lowest_nonlinear_freq, ret;
+ struct device *dev;
+ struct amd_cpudata *cpudata;
+
++ /*
++ * Resetting PERF_CTL_MSR will put the CPU in P0 frequency,
++ * which is ideal for initialization process.
++ */
++ amd_perf_ctl_reset(policy->cpu);
+ dev = get_cpu_device(policy->cpu);
+ if (!dev)
+ return -ENODEV;
--- /dev/null
+From 398e3479874f381cca8726ca5d8a31e1bf35a3cd Mon Sep 17 00:00:00 2001
+From: Billy Tsai <billy_tsai@aspeedtech.com>
+Date: Mon, 14 Nov 2022 10:50:57 +0800
+Subject: dt-bindings: iio: adc: Remove the property "aspeed,trim-data-valid"
+
+From: Billy Tsai <billy_tsai@aspeedtech.com>
+
+commit 398e3479874f381cca8726ca5d8a31e1bf35a3cd upstream.
+
+If the property is set on a device without valid trimming data in the OTP
+the ADC will not function correctly. Therefore, this patch drops the use
+of this property to avoid this scenario.
+
+Fixes: 2bdb2f00a895 ("dt-bindings: iio: adc: Add ast2600-adc bindings")
+Signed-off-by: Billy Tsai <billy_tsai@aspeedtech.com>
+Acked-by: Rob Herring <robh@kernel.org>
+Link: https://lore.kernel.org/r/20221114025057.10843-2-billy_tsai@aspeedtech.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/iio/adc/aspeed,ast2600-adc.yaml | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/Documentation/devicetree/bindings/iio/adc/aspeed,ast2600-adc.yaml
++++ b/Documentation/devicetree/bindings/iio/adc/aspeed,ast2600-adc.yaml
+@@ -62,13 +62,6 @@ properties:
+ description:
+ Inform the driver that last channel will be used to sensor battery.
+
+- aspeed,trim-data-valid:
+- type: boolean
+- description: |
+- The ADC reference voltage can be calibrated to obtain the trimming
+- data which will be stored in otp. This property informs the driver that
+- the data store in the otp is valid.
+-
+ required:
+ - compatible
+ - reg
--- /dev/null
+From 20690cd50e68c0313472c7539460168b8ea6444d Mon Sep 17 00:00:00 2001
+From: Dong Chenchen <dongchenchen2@huawei.com>
+Date: Thu, 10 Nov 2022 09:07:26 +0800
+Subject: iio: accel: bma400: Fix memory leak in bma400_get_steps_reg()
+
+From: Dong Chenchen <dongchenchen2@huawei.com>
+
+commit 20690cd50e68c0313472c7539460168b8ea6444d upstream.
+
+When regmap_bulk_read() fails, it does not free steps_raw,
+which will cause a memory leak issue, this patch fixes it.
+
+Fixes: d221de60eee3 ("iio: accel: bma400: Add separate channel for step counter")
+Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
+Reviewed-by: Jagath Jog J <jagathjog1996@gmail.com>
+Link: https://lore.kernel.org/r/20221110010726.235601-1-dongchenchen2@huawei.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/accel/bma400_core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/accel/bma400_core.c
++++ b/drivers/iio/accel/bma400_core.c
+@@ -673,8 +673,10 @@ static int bma400_get_steps_reg(struct b
+
+ ret = regmap_bulk_read(data->regmap, BMA400_STEP_CNT0_REG,
+ steps_raw, BMA400_STEP_RAW_LEN);
+- if (ret)
++ if (ret) {
++ kfree(steps_raw);
+ return ret;
++ }
+ *val = get_unaligned_le24(steps_raw);
+ kfree(steps_raw);
+ return IIO_VAL_INT;
--- /dev/null
+From fdd0d6b2eb35c83d6b1226ad20b346a4b45ddfb8 Mon Sep 17 00:00:00 2001
+From: Billy Tsai <billy_tsai@aspeedtech.com>
+Date: Mon, 14 Nov 2022 10:50:56 +0800
+Subject: iio: adc: aspeed: Remove the trim valid dts property.
+
+From: Billy Tsai <billy_tsai@aspeedtech.com>
+
+commit fdd0d6b2eb35c83d6b1226ad20b346a4b45ddfb8 upstream.
+
+The dts property "aspeed,trim-data-valid" is currently used to determine
+whether to read trimming data from the OTP register. If this is set on
+a device without valid trimming data in the OTP the ADC will not function
+correctly. This patch drops the use of this property and instead uses the
+default (unprogrammed) OTP value of 0 to detect when a fallback value of
+0x8 should be used rather then the value read from the OTP.
+
+Fixes: d0a4c17b4073 ("iio: adc: aspeed: Get and set trimming data.")
+Signed-off-by: Billy Tsai <billy_tsai@aspeedtech.com>
+Link: https://lore.kernel.org/r/20221114025057.10843-1-billy_tsai@aspeedtech.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/aspeed_adc.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/iio/adc/aspeed_adc.c
++++ b/drivers/iio/adc/aspeed_adc.c
+@@ -202,6 +202,8 @@ static int aspeed_adc_set_trim_data(stru
+ ((scu_otp) &
+ (data->model_data->trim_locate->field)) >>
+ __ffs(data->model_data->trim_locate->field);
++ if (!trimming_val)
++ trimming_val = 0x8;
+ }
+ dev_dbg(data->dev,
+ "trimming val = %d, offset = %08x, fields = %08x\n",
+@@ -563,12 +565,9 @@ static int aspeed_adc_probe(struct platf
+ if (ret)
+ return ret;
+
+- if (of_find_property(data->dev->of_node, "aspeed,trim-data-valid",
+- NULL)) {
+- ret = aspeed_adc_set_trim_data(indio_dev);
+- if (ret)
+- return ret;
+- }
++ ret = aspeed_adc_set_trim_data(indio_dev);
++ if (ret)
++ return ret;
+
+ if (of_find_property(data->dev->of_node, "aspeed,battery-sensing",
+ NULL)) {
--- /dev/null
+From 4ad09d956f8eacff61e67e5b13ba8ebec3232f76 Mon Sep 17 00:00:00 2001
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+Date: Tue, 8 Nov 2022 11:28:02 +0800
+Subject: iio: core: Fix entry not deleted when iio_register_sw_trigger_type() fails
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+commit 4ad09d956f8eacff61e67e5b13ba8ebec3232f76 upstream.
+
+In iio_register_sw_trigger_type(), configfs_register_default_group() is
+possible to fail, but the entry add to iio_trigger_types_list is not
+deleted.
+
+This leaves wild in iio_trigger_types_list, which can cause page fault
+when module is loading again. So fix this by list_del(&t->list) in error
+path.
+
+BUG: unable to handle page fault for address: fffffbfff81d7400
+Call Trace:
+<TASK>
+ iio_register_sw_trigger_type
+ do_one_initcall
+ do_init_module
+ load_module
+ ...
+
+Fixes: b662f809d410 ("iio: core: Introduce IIO software triggers")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Link: https://lore.kernel.org/r/20221108032802.168623-1-chenzhongjin@huawei.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/industrialio-sw-trigger.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/industrialio-sw-trigger.c
++++ b/drivers/iio/industrialio-sw-trigger.c
+@@ -58,8 +58,12 @@ int iio_register_sw_trigger_type(struct
+
+ t->group = configfs_register_default_group(iio_triggers_group, t->name,
+ &iio_trigger_type_group_type);
+- if (IS_ERR(t->group))
++ if (IS_ERR(t->group)) {
++ mutex_lock(&iio_trigger_types_lock);
++ list_del(&t->list);
++ mutex_unlock(&iio_trigger_types_lock);
+ ret = PTR_ERR(t->group);
++ }
+
+ return ret;
+ }
--- /dev/null
+From 0aa60ff5d996d4ecdd4a62699c01f6d00f798d59 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20Concepci=C3=B3n=20Rodr=C3=ADguez?=
+ <asconcepcion@acoro.eu>
+Date: Sun, 6 Nov 2022 01:56:51 +0000
+Subject: iio: light: apds9960: fix wrong register for gesture gain
+
+From: Alejandro Concepción Rodríguez <asconcepcion@acoro.eu>
+
+commit 0aa60ff5d996d4ecdd4a62699c01f6d00f798d59 upstream.
+
+Gesture Gain Control is in REG_GCONF_2 (0xa3), not in REG_CONFIG_2 (0x90).
+
+Fixes: aff268cd532e ("iio: light: add APDS9960 ALS + promixity driver")
+Signed-off-by: Alejandro Concepcion-Rodriguez <asconcepcion@acoro.eu>
+Acked-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/EaT-NKC-H4DNX5z4Lg9B6IWPD5TrTrYBr5DYB784wfDKQkTmzPXkoYqyUOrOgJH-xvTsEkFLcVkeAPZRUODEFI5dGziaWXwjpfBNLeNGfNc=@acoro.eu
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/apds9960.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/iio/light/apds9960.c
++++ b/drivers/iio/light/apds9960.c
+@@ -54,9 +54,6 @@
+ #define APDS9960_REG_CONTROL_PGAIN_MASK_SHIFT 2
+
+ #define APDS9960_REG_CONFIG_2 0x90
+-#define APDS9960_REG_CONFIG_2_GGAIN_MASK 0x60
+-#define APDS9960_REG_CONFIG_2_GGAIN_MASK_SHIFT 5
+-
+ #define APDS9960_REG_ID 0x92
+
+ #define APDS9960_REG_STATUS 0x93
+@@ -77,6 +74,9 @@
+ #define APDS9960_REG_GCONF_1_GFIFO_THRES_MASK_SHIFT 6
+
+ #define APDS9960_REG_GCONF_2 0xa3
++#define APDS9960_REG_GCONF_2_GGAIN_MASK 0x60
++#define APDS9960_REG_GCONF_2_GGAIN_MASK_SHIFT 5
++
+ #define APDS9960_REG_GOFFSET_U 0xa4
+ #define APDS9960_REG_GOFFSET_D 0xa5
+ #define APDS9960_REG_GPULSE 0xa6
+@@ -396,9 +396,9 @@ static int apds9960_set_pxs_gain(struct
+ }
+
+ ret = regmap_update_bits(data->regmap,
+- APDS9960_REG_CONFIG_2,
+- APDS9960_REG_CONFIG_2_GGAIN_MASK,
+- idx << APDS9960_REG_CONFIG_2_GGAIN_MASK_SHIFT);
++ APDS9960_REG_GCONF_2,
++ APDS9960_REG_GCONF_2_GGAIN_MASK,
++ idx << APDS9960_REG_GCONF_2_GGAIN_MASK_SHIFT);
+ if (!ret)
+ data->pxs_gain = idx;
+ mutex_unlock(&data->lock);
--- /dev/null
+From 8468b486612c808c9e337708d66a435498f1735c Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sj@kernel.org>
+Date: Mon, 14 Nov 2022 17:55:52 +0000
+Subject: mm/damon/sysfs-schemes: skip stats update if the scheme directory is removed
+
+From: SeongJae Park <sj@kernel.org>
+
+commit 8468b486612c808c9e337708d66a435498f1735c upstream.
+
+A DAMON sysfs interface user can start DAMON with a scheme, remove the
+sysfs directory for the scheme, and then ask update of the scheme's stats.
+Because the schemes stats update logic isn't aware of the situation, it
+results in an invalid memory access. Fix the bug by checking if the
+scheme sysfs directory exists.
+
+Link: https://lkml.kernel.org/r/20221114175552.1951-1-sj@kernel.org
+Fixes: 0ac32b8affb5 ("mm/damon/sysfs: support DAMOS stats")
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Cc: <stable@vger.kernel.org> [v5.18]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/damon/sysfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/damon/sysfs.c
++++ b/mm/damon/sysfs.c
+@@ -2342,6 +2342,10 @@ static int damon_sysfs_upd_schemes_stats
+ damon_for_each_scheme(scheme, ctx) {
+ struct damon_sysfs_stats *sysfs_stats;
+
++ /* user could have removed the scheme sysfs dir */
++ if (schemes_idx >= sysfs_schemes->nr)
++ break;
++
+ sysfs_stats = sysfs_schemes->schemes_arr[schemes_idx++]->stats;
+ sysfs_stats->nr_tried = scheme->stat.nr_tried;
+ sysfs_stats->sz_tried = scheme->stat.sz_tried;
ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch
arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch
kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch
+iio-adc-aspeed-remove-the-trim-valid-dts-property.patch
+iio-light-apds9960-fix-wrong-register-for-gesture-gain.patch
+iio-core-fix-entry-not-deleted-when-iio_register_sw_trigger_type-fails.patch
+iio-accel-bma400-fix-memory-leak-in-bma400_get_steps_reg.patch
+dt-bindings-iio-adc-remove-the-property-aspeed-trim-data-valid.patch
+mm-damon-sysfs-schemes-skip-stats-update-if-the-scheme-directory-is-removed.patch
+virt-sev-guest-prevent-iv-reuse-in-the-snp-guest-driver.patch
+cpufreq-amd-pstate-cpufreq-amd-pstate-reset-msr_amd_perf_ctl-register-at-init.patch
+zonefs-fix-active-zone-accounting.patch
+bus-ixp4xx-don-t-touch-bit-7-on-ixp42x.patch
+spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-higher-than-input-clock.patch
+spi-spi-imx-spi_imx_transfer_one-check-for-dma-transfer-first.patch
init-kconfig-fix-cc_has_asm_goto_tied_output-test-wi.patch
nfsd-fix-reads-with-a-non-zero-offset-that-don-t-end.patch
nios2-add-force-for-vmlinuz.gz.patch
--- /dev/null
+From db2d2dc9a0b58c6faefb6b002fdbed4f0362d1a4 Mon Sep 17 00:00:00 2001
+From: Frieder Schrempf <frieder.schrempf@kontron.de>
+Date: Tue, 15 Nov 2022 19:10:00 +0100
+Subject: spi: spi-imx: Fix spi_bus_clk if requested clock is higher than input clock
+
+From: Frieder Schrempf <frieder.schrempf@kontron.de>
+
+commit db2d2dc9a0b58c6faefb6b002fdbed4f0362d1a4 upstream.
+
+In case the requested bus clock is higher than the input clock, the correct
+dividers (pre = 0, post = 0) are returned from mx51_ecspi_clkdiv(), but
+*fres is left uninitialized and therefore contains an arbitrary value.
+
+This causes trouble for the recently introduced PIO polling feature as the
+value in spi_imx->spi_bus_clk is used there to calculate for which
+transfers to enable PIO polling.
+
+Fix this by setting *fres even if no clock dividers are in use.
+
+This issue was observed on Kontron BL i.MX8MM with an SPI peripheral clock set
+to 50 MHz by default and a requested SPI bus clock of 80 MHz for the SPI NOR
+flash.
+
+With the fix applied the debug message from mx51_ecspi_clkdiv() now prints the
+following:
+
+spi_imx 30820000.spi: mx51_ecspi_clkdiv: fin: 50000000, fspi: 50000000,
+post: 0, pre: 0
+
+Fixes: 6fd8b8503a0d ("spi: spi-imx: Fix out-of-order CS/SCLK operation at low speeds")
+Fixes: 07e759387788 ("spi: spi-imx: add PIO polling support")
+Cc: Marc Kleine-Budde <mkl@pengutronix.de>
+Cc: David Jander <david@protonic.nl>
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Marek Vasut <marex@denx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Tested-by: Fabio Estevam <festevam@gmail.com>
+Acked-by: Marek Vasut <marex@denx.de>
+Link: https://lore.kernel.org/r/20221115181002.2068270-1-frieder@fris.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-imx.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -444,8 +444,7 @@ static unsigned int mx51_ecspi_clkdiv(st
+ unsigned int pre, post;
+ unsigned int fin = spi_imx->spi_clk;
+
+- if (unlikely(fspi > fin))
+- return 0;
++ fspi = min(fspi, fin);
+
+ post = fls(fin) - fls(fspi);
+ if (fin > fspi << post)
--- /dev/null
+From e85e9e0d8cb759013d6474011c227f92e442d746 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Wed, 16 Nov 2022 17:49:30 +0100
+Subject: spi: spi-imx: spi_imx_transfer_one(): check for DMA transfer first
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit e85e9e0d8cb759013d6474011c227f92e442d746 upstream.
+
+The SPI framework checks for each transfer (with the struct
+spi_controller::can_dma callback) whether the driver wants to use DMA
+for the transfer. If the driver returns true, the SPI framework will
+map the transfer's data to the device, start the actual transfer and
+map the data back.
+
+In commit 07e759387788 ("spi: spi-imx: add PIO polling support") the
+spi-imx driver's spi_imx_transfer_one() function was extended. If the
+estimated duration of a transfer does not exceed a configurable
+duration, a polling transfer function is used. This check happens
+before checking if the driver decided earlier for a DMA transfer.
+
+If spi_imx_can_dma() decided to use a DMA transfer, and the user
+configured a big maximum polling duration, a polling transfer will be
+used. The DMA unmap after the transfer destroys the transferred data.
+
+To fix this problem check in spi_imx_transfer_one() if the driver
+decided for DMA transfer first, then check the limits for a polling
+transfer.
+
+Fixes: 07e759387788 ("spi: spi-imx: add PIO polling support")
+Link: https://lore.kernel.org/all/20221111003032.82371-1-festevam@gmail.com
+Reported-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Reported-by: Fabio Estevam <festevam@gmail.com>
+Tested-by: Fabio Estevam <festevam@gmail.com>
+Cc: David Jander <david@protonic.nl>
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Tested-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Reviewed-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Link: https://lore.kernel.org/r/20221116164930.855362-1-mkl@pengutronix.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-imx.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
+index 468ce0a2b282..d209930069cf 100644
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -1606,6 +1606,13 @@ static int spi_imx_transfer_one(struct spi_controller *controller,
+ if (spi_imx->slave_mode)
+ return spi_imx_pio_transfer_slave(spi, transfer);
+
++ /*
++ * If we decided in spi_imx_can_dma() that we want to do a DMA
++ * transfer, the SPI transfer has already been mapped, so we
++ * have to do the DMA transfer here.
++ */
++ if (spi_imx->usedma)
++ return spi_imx_dma_transfer(spi_imx, transfer);
+ /*
+ * Calculate the estimated time in us the transfer runs. Find
+ * the number of Hz per byte per polling limit.
+@@ -1617,9 +1624,6 @@ static int spi_imx_transfer_one(struct spi_controller *controller,
+ if (transfer->len < byte_limit)
+ return spi_imx_poll_transfer(spi, transfer);
+
+- if (spi_imx->usedma)
+- return spi_imx_dma_transfer(spi_imx, transfer);
+-
+ return spi_imx_pio_transfer(spi, transfer);
+ }
+
+--
+2.38.1
+
--- /dev/null
+From 47894e0fa6a56a42be6a47c767e79cce8125489d Mon Sep 17 00:00:00 2001
+From: Peter Gonda <pgonda@google.com>
+Date: Wed, 16 Nov 2022 09:55:58 -0800
+Subject: virt/sev-guest: Prevent IV reuse in the SNP guest driver
+
+From: Peter Gonda <pgonda@google.com>
+
+commit 47894e0fa6a56a42be6a47c767e79cce8125489d upstream.
+
+The AMD Secure Processor (ASP) and an SNP guest use a series of
+AES-GCM keys called VMPCKs to communicate securely with each other.
+The IV to this scheme is a sequence number that both the ASP and the
+guest track.
+
+Currently, this sequence number in a guest request must exactly match
+the sequence number tracked by the ASP. This means that if the guest
+sees an error from the host during a request it can only retry that
+exact request or disable the VMPCK to prevent an IV reuse. AES-GCM
+cannot tolerate IV reuse, see: "Authentication Failures in NIST version
+of GCM" - Antoine Joux et al.
+
+In order to address this, make handle_guest_request() delete the VMPCK
+on any non successful return. To allow userspace querying the cert_data
+length make handle_guest_request() save the number of pages required by
+the host, then have handle_guest_request() retry the request without
+requesting the extended data, then return the number of pages required
+back to userspace.
+
+ [ bp: Massage, incorporate Tom's review comments. ]
+
+Fixes: fce96cf044308 ("virt: Add SEV-SNP guest driver")
+Reported-by: Peter Gonda <pgonda@google.com>
+Signed-off-by: Peter Gonda <pgonda@google.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/20221116175558.2373112-1-pgonda@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/virt/coco/sev-guest/sev-guest.c | 84 ++++++++++++++++++++-----
+ 1 file changed, 70 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/virt/coco/sev-guest/sev-guest.c b/drivers/virt/coco/sev-guest/sev-guest.c
+index f422f9c58ba7..1ea6d2e5b218 100644
+--- a/drivers/virt/coco/sev-guest/sev-guest.c
++++ b/drivers/virt/coco/sev-guest/sev-guest.c
+@@ -67,8 +67,27 @@ static bool is_vmpck_empty(struct snp_guest_dev *snp_dev)
+ return true;
+ }
+
++/*
++ * If an error is received from the host or AMD Secure Processor (ASP) there
++ * are two options. Either retry the exact same encrypted request or discontinue
++ * using the VMPCK.
++ *
++ * This is because in the current encryption scheme GHCB v2 uses AES-GCM to
++ * encrypt the requests. The IV for this scheme is the sequence number. GCM
++ * cannot tolerate IV reuse.
++ *
++ * The ASP FW v1.51 only increments the sequence numbers on a successful
++ * guest<->ASP back and forth and only accepts messages at its exact sequence
++ * number.
++ *
++ * So if the sequence number were to be reused the encryption scheme is
++ * vulnerable. If the sequence number were incremented for a fresh IV the ASP
++ * will reject the request.
++ */
+ static void snp_disable_vmpck(struct snp_guest_dev *snp_dev)
+ {
++ dev_alert(snp_dev->dev, "Disabling vmpck_id %d to prevent IV reuse.\n",
++ vmpck_id);
+ memzero_explicit(snp_dev->vmpck, VMPCK_KEY_LEN);
+ snp_dev->vmpck = NULL;
+ }
+@@ -321,34 +340,71 @@ static int handle_guest_request(struct snp_guest_dev *snp_dev, u64 exit_code, in
+ if (rc)
+ return rc;
+
+- /* Call firmware to process the request */
++ /*
++ * Call firmware to process the request. In this function the encrypted
++ * message enters shared memory with the host. So after this call the
++ * sequence number must be incremented or the VMPCK must be deleted to
++ * prevent reuse of the IV.
++ */
+ rc = snp_issue_guest_request(exit_code, &snp_dev->input, &err);
++
++ /*
++ * If the extended guest request fails due to having too small of a
++ * certificate data buffer, retry the same guest request without the
++ * extended data request in order to increment the sequence number
++ * and thus avoid IV reuse.
++ */
++ if (exit_code == SVM_VMGEXIT_EXT_GUEST_REQUEST &&
++ err == SNP_GUEST_REQ_INVALID_LEN) {
++ const unsigned int certs_npages = snp_dev->input.data_npages;
++
++ exit_code = SVM_VMGEXIT_GUEST_REQUEST;
++
++ /*
++ * If this call to the firmware succeeds, the sequence number can
++ * be incremented allowing for continued use of the VMPCK. If
++ * there is an error reflected in the return value, this value
++ * is checked further down and the result will be the deletion
++ * of the VMPCK and the error code being propagated back to the
++ * user as an ioctl() return code.
++ */
++ rc = snp_issue_guest_request(exit_code, &snp_dev->input, &err);
++
++ /*
++ * Override the error to inform callers the given extended
++ * request buffer size was too small and give the caller the
++ * required buffer size.
++ */
++ err = SNP_GUEST_REQ_INVALID_LEN;
++ snp_dev->input.data_npages = certs_npages;
++ }
++
+ if (fw_err)
+ *fw_err = err;
+
+- if (rc)
+- return rc;
++ if (rc) {
++ dev_alert(snp_dev->dev,
++ "Detected error from ASP request. rc: %d, fw_err: %llu\n",
++ rc, *fw_err);
++ goto disable_vmpck;
++ }
+
+- /*
+- * The verify_and_dec_payload() will fail only if the hypervisor is
+- * actively modifying the message header or corrupting the encrypted payload.
+- * This hints that hypervisor is acting in a bad faith. Disable the VMPCK so that
+- * the key cannot be used for any communication. The key is disabled to ensure
+- * that AES-GCM does not use the same IV while encrypting the request payload.
+- */
+ rc = verify_and_dec_payload(snp_dev, resp_buf, resp_sz);
+ if (rc) {
+ dev_alert(snp_dev->dev,
+- "Detected unexpected decode failure, disabling the vmpck_id %d\n",
+- vmpck_id);
+- snp_disable_vmpck(snp_dev);
+- return rc;
++ "Detected unexpected decode failure from ASP. rc: %d\n",
++ rc);
++ goto disable_vmpck;
+ }
+
+ /* Increment to new message sequence after payload decryption was successful. */
+ snp_inc_msg_seqno(snp_dev);
+
+ return 0;
++
++disable_vmpck:
++ snp_disable_vmpck(snp_dev);
++ return rc;
+ }
+
+ static int get_report(struct snp_guest_dev *snp_dev, struct snp_guest_request_ioctl *arg)
+--
+2.38.1
+
--- /dev/null
+From db58653ce0c7cf4d155727852607106f890005c0 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Date: Mon, 21 Nov 2022 16:29:37 +0900
+Subject: zonefs: Fix active zone accounting
+
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+
+commit db58653ce0c7cf4d155727852607106f890005c0 upstream.
+
+If a file zone transitions to the offline or readonly state from an
+active state, we must clear the zone active flag and decrement the
+active seq file counter. Do so in zonefs_account_active() using the new
+zonefs inode flags ZONEFS_ZONE_OFFLINE and ZONEFS_ZONE_READONLY. These
+flags are set if necessary in zonefs_check_zone_condition() based on the
+result of report zones operation after an IO error.
+
+Fixes: 87c9ce3ffec9 ("zonefs: Add active seq file accounting")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/zonefs/super.c | 11 +++++++++++
+ fs/zonefs/zonefs.h | 6 ++++--
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/fs/zonefs/super.c
++++ b/fs/zonefs/super.c
+@@ -41,6 +41,13 @@ static void zonefs_account_active(struct
+ return;
+
+ /*
++ * For zones that transitioned to the offline or readonly condition,
++ * we only need to clear the active state.
++ */
++ if (zi->i_flags & (ZONEFS_ZONE_OFFLINE | ZONEFS_ZONE_READONLY))
++ goto out;
++
++ /*
+ * If the zone is active, that is, if it is explicitly open or
+ * partially written, check if it was already accounted as active.
+ */
+@@ -53,6 +60,7 @@ static void zonefs_account_active(struct
+ return;
+ }
+
++out:
+ /* The zone is not active. If it was, update the active count */
+ if (zi->i_flags & ZONEFS_ZONE_ACTIVE) {
+ zi->i_flags &= ~ZONEFS_ZONE_ACTIVE;
+@@ -324,6 +332,7 @@ static loff_t zonefs_check_zone_conditio
+ inode->i_flags |= S_IMMUTABLE;
+ inode->i_mode &= ~0777;
+ zone->wp = zone->start;
++ zi->i_flags |= ZONEFS_ZONE_OFFLINE;
+ return 0;
+ case BLK_ZONE_COND_READONLY:
+ /*
+@@ -342,8 +351,10 @@ static loff_t zonefs_check_zone_conditio
+ zone->cond = BLK_ZONE_COND_OFFLINE;
+ inode->i_mode &= ~0777;
+ zone->wp = zone->start;
++ zi->i_flags |= ZONEFS_ZONE_OFFLINE;
+ return 0;
+ }
++ zi->i_flags |= ZONEFS_ZONE_READONLY;
+ inode->i_mode &= ~0222;
+ return i_size_read(inode);
+ case BLK_ZONE_COND_FULL:
+--- a/fs/zonefs/zonefs.h
++++ b/fs/zonefs/zonefs.h
+@@ -39,8 +39,10 @@ static inline enum zonefs_ztype zonefs_z
+ return ZONEFS_ZTYPE_SEQ;
+ }
+
+-#define ZONEFS_ZONE_OPEN (1 << 0)
+-#define ZONEFS_ZONE_ACTIVE (1 << 1)
++#define ZONEFS_ZONE_OPEN (1U << 0)
++#define ZONEFS_ZONE_ACTIVE (1U << 1)
++#define ZONEFS_ZONE_OFFLINE (1U << 2)
++#define ZONEFS_ZONE_READONLY (1U << 3)
+
+ /*
+ * In-memory inode data.
projects / thirdparty / kernel / stable-queue.git / commitdiff
