--- /dev/null
+From 66f30c47443567838c95e147b1e5304d71ad054f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 16:23:48 +0000
+Subject: ASoC: cs42l51: Correct PGA Volume minimum value
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit 3d1bb6cc1a654c8693a85b1d262e610196edec8b ]
+
+The table in the datasheet actually shows the volume values in the wrong
+order, with the two -3dB values being reversed. This appears to have
+caused the lower of the two values to be used in the driver when the
+higher should have been, correct this mixup.
+
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20221125162348.1288005-2-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l51.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l51.c b/sound/soc/codecs/cs42l51.c
+index 51721edd8f53..e88d9ff95cdf 100644
+--- a/sound/soc/codecs/cs42l51.c
++++ b/sound/soc/codecs/cs42l51.c
+@@ -143,7 +143,7 @@ static const struct snd_kcontrol_new cs42l51_snd_controls[] = {
+ 0, 0xA0, 96, adc_att_tlv),
+ SOC_DOUBLE_R_SX_TLV("PGA Volume",
+ CS42L51_ALC_PGA_CTL, CS42L51_ALC_PGB_CTL,
+- 0, 0x19, 30, pga_tlv),
++ 0, 0x1A, 30, pga_tlv),
+ SOC_SINGLE("Playback Deemphasis Switch", CS42L51_DAC_CTL, 3, 1, 0),
+ SOC_SINGLE("Auto-Mute Switch", CS42L51_DAC_CTL, 2, 1, 0),
+ SOC_SINGLE("Soft Ramp Switch", CS42L51_DAC_CTL, 1, 1, 0),
+--
+2.35.1
+
--- /dev/null
+From 613ffb9d728e6701b91d08702981e64bc8f037e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 May 2022 20:14:14 +0800
+Subject: ASoC: fsl_micfil: explicitly clear CHnF flags
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit b776c4a4618ec1b5219d494c423dc142f23c4e8f ]
+
+There may be failure when start 1 channel recording after
+8 channels recording. The reason is that the CHnF
+flags are not cleared successfully by software reset.
+
+This issue is triggerred by the change of clearing
+software reset bit.
+
+CHnF flags are write 1 clear bits. Clear them by force
+write.
+
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Link: https://lore.kernel.org/r/1651925654-32060-2-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_micfil.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
+index 8aa6871e0d42..4b86ef82fd93 100644
+--- a/sound/soc/fsl/fsl_micfil.c
++++ b/sound/soc/fsl/fsl_micfil.c
+@@ -205,6 +205,14 @@ static int fsl_micfil_reset(struct device *dev)
+ if (ret)
+ return ret;
+
++ /*
++ * Set SRES should clear CHnF flags, But even add delay here
++ * the CHnF may not be cleared sometimes, so clear CHnF explicitly.
++ */
++ ret = regmap_write_bits(micfil->regmap, REG_MICFIL_STAT, 0xFF, 0xFF);
++ if (ret)
++ return ret;
++
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 2fc6094dfe89868f714cff1229af02e549172a1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 May 2022 20:14:13 +0800
+Subject: ASoC: fsl_micfil: explicitly clear software reset bit
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit 292709b9cf3ba470af94b62c9bb60284cc581b79 ]
+
+SRES is self-cleared bit, but REG_MICFIL_CTRL1 is defined as
+non volatile register, it still remain in regmap cache after set,
+then every update of REG_MICFIL_CTRL1, software reset happens.
+to avoid this, clear it explicitly.
+
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Link: https://lore.kernel.org/r/1651925654-32060-1-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_micfil.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
+index 79ef4e269bc9..8aa6871e0d42 100644
+--- a/sound/soc/fsl/fsl_micfil.c
++++ b/sound/soc/fsl/fsl_micfil.c
+@@ -194,6 +194,17 @@ static int fsl_micfil_reset(struct device *dev)
+ if (ret)
+ return ret;
+
++ /*
++ * SRES is self-cleared bit, but REG_MICFIL_CTRL1 is defined
++ * as non-volatile register, so SRES still remain in regmap
++ * cache after set, that every update of REG_MICFIL_CTRL1,
++ * software reset happens. so clear it explicitly.
++ */
++ ret = regmap_clear_bits(micfil->regmap, REG_MICFIL_CTRL1,
++ MICFIL_CTRL1_SRES);
++ if (ret)
++ return ret;
++
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 34cf520e5ff9bfc68f783d8c0351f95990171cd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 May 2022 14:41:37 +0100
+Subject: ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit 97eea946b93961fffd29448dcda7398d0d51c4b2 ]
+
+The bounds checks in snd_soc_put_volsw_sx() are only being applied to the
+first channel, meaning it is possible to write out of bounds values to the
+second channel in stereo controls. Add appropriate checks.
+
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20220511134137.169575-2-broonie@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-ops.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
+index 47691119306f..1970bda074d8 100644
+--- a/sound/soc/soc-ops.c
++++ b/sound/soc/soc-ops.c
+@@ -468,6 +468,12 @@ int snd_soc_put_volsw_sx(struct snd_kcontrol *kcontrol,
+
+ val_mask = mask << rshift;
+ val2 = (ucontrol->value.integer.value[1] + min) & mask;
++
++ if (mc->platform_max && val2 > mc->platform_max)
++ return -EINVAL;
++ if (val2 > max)
++ return -EINVAL;
++
+ val2 = val2 << rshift;
+
+ err = snd_soc_component_update_bits(component, reg2, val_mask,
+--
+2.35.1
+
--- /dev/null
+From 44bd028ac2b9ca0cfedcc8c1ab7012153220d012 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 00:25:03 +0900
+Subject: can: mcba_usb: Fix termination command argument
+
+From: Yasushi SHOJI <yasushi.shoji@gmail.com>
+
+[ Upstream commit 1a8e3bd25f1e789c8154e11ea24dc3ec5a4c1da0 ]
+
+Microchip USB Analyzer can activate the internal termination resistors
+by setting the "termination" option ON, or OFF to to deactivate them.
+As I've observed, both with my oscilloscope and captured USB packets
+below, you must send "0" to turn it ON, and "1" to turn it OFF.
+
+From the schematics in the user's guide, I can confirm that you must
+drive the CAN_RES signal LOW "0" to activate the resistors.
+
+Reverse the argument value of usb_msg.termination to fix this.
+
+These are the two commands sequence, ON then OFF.
+
+> No. Time Source Destination Protocol Length Info
+> 1 0.000000 host 1.3.1 USB 46 URB_BULK out
+>
+> Frame 1: 46 bytes on wire (368 bits), 46 bytes captured (368 bits)
+> USB URB
+> Leftover Capture Data: a80000000000000000000000000000000000a8
+>
+> No. Time Source Destination Protocol Length Info
+> 2 4.372547 host 1.3.1 USB 46 URB_BULK out
+>
+> Frame 2: 46 bytes on wire (368 bits), 46 bytes captured (368 bits)
+> USB URB
+> Leftover Capture Data: a80100000000000000000000000000000000a9
+
+Signed-off-by: Yasushi SHOJI <yashi@spacecubics.com>
+Link: https://lore.kernel.org/all/20221124152504.125994-1-yashi@spacecubics.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/mcba_usb.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c
+index 218b098b261d..47619e9cb005 100644
+--- a/drivers/net/can/usb/mcba_usb.c
++++ b/drivers/net/can/usb/mcba_usb.c
+@@ -47,6 +47,10 @@
+ #define MCBA_VER_REQ_USB 1
+ #define MCBA_VER_REQ_CAN 2
+
++/* Drive the CAN_RES signal LOW "0" to activate R24 and R25 */
++#define MCBA_VER_TERMINATION_ON 0
++#define MCBA_VER_TERMINATION_OFF 1
++
+ #define MCBA_SIDL_EXID_MASK 0x8
+ #define MCBA_DLC_MASK 0xf
+ #define MCBA_DLC_RTR_MASK 0x40
+@@ -463,7 +467,7 @@ static void mcba_usb_process_ka_usb(struct mcba_priv *priv,
+ priv->usb_ka_first_pass = false;
+ }
+
+- if (msg->termination_state)
++ if (msg->termination_state == MCBA_VER_TERMINATION_ON)
+ priv->can.termination = MCBA_TERMINATION_ENABLED;
+ else
+ priv->can.termination = MCBA_TERMINATION_DISABLED;
+@@ -785,9 +789,9 @@ static int mcba_set_termination(struct net_device *netdev, u16 term)
+ };
+
+ if (term == MCBA_TERMINATION_ENABLED)
+- usb_msg.termination = 1;
++ usb_msg.termination = MCBA_VER_TERMINATION_ON;
+ else
+- usb_msg.termination = 0;
++ usb_msg.termination = MCBA_VER_TERMINATION_OFF;
+
+ mcba_usb_xmit_cmd(priv, (struct mcba_usb_msg *)&usb_msg);
+
+--
+2.35.1
+
--- /dev/null
+From 2e53d219d3e133aad1de60dc932f92d8560ef211 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 08:16:36 +0100
+Subject: can: sja1000: fix size of OCR_MODE_MASK define
+
+From: Heiko Schocher <hs@denx.de>
+
+[ Upstream commit 26e8f6a75248247982458e8237b98c9fb2ffcf9d ]
+
+bitfield mode in ocr register has only 2 bits not 3, so correct
+the OCR_MODE_MASK define.
+
+Signed-off-by: Heiko Schocher <hs@denx.de>
+Link: https://lore.kernel.org/all/20221123071636.2407823-1-hs@denx.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/can/platform/sja1000.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/can/platform/sja1000.h b/include/linux/can/platform/sja1000.h
+index 5755ae5a4712..6a869682c120 100644
+--- a/include/linux/can/platform/sja1000.h
++++ b/include/linux/can/platform/sja1000.h
+@@ -14,7 +14,7 @@
+ #define OCR_MODE_TEST 0x01
+ #define OCR_MODE_NORMAL 0x02
+ #define OCR_MODE_CLOCK 0x03
+-#define OCR_MODE_MASK 0x07
++#define OCR_MODE_MASK 0x03
+ #define OCR_TX0_INVERT 0x04
+ #define OCR_TX0_PULLDOWN 0x08
+ #define OCR_TX0_PULLUP 0x10
+--
+2.35.1
+
--- /dev/null
+From 423403b2cdc19b753b73c23e4d75782ad361212a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 15:23:48 +0800
+Subject: libbpf: Use page size as max_entries when probing ring buffer map
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit 689eb2f1ba46b4b02195ac2a71c55b96d619ebf8 ]
+
+Using page size as max_entries when probing ring buffer map, else the
+probe may fail on host with 64KB page size (e.g., an ARM64 host).
+
+After the fix, the output of "bpftool feature" on above host will be
+correct.
+
+Before :
+ eBPF map_type ringbuf is NOT available
+ eBPF map_type user_ringbuf is NOT available
+
+After :
+ eBPF map_type ringbuf is available
+ eBPF map_type user_ringbuf is available
+
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20221116072351.1168938-2-houtao@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf_probes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf_probes.c b/tools/lib/bpf/libbpf_probes.c
+index 6d495656f554..29f7cde10741 100644
+--- a/tools/lib/bpf/libbpf_probes.c
++++ b/tools/lib/bpf/libbpf_probes.c
+@@ -233,7 +233,7 @@ static int probe_map_create(enum bpf_map_type map_type)
+ case BPF_MAP_TYPE_RINGBUF:
+ key_size = 0;
+ value_size = 0;
+- max_entries = 4096;
++ max_entries = sysconf(_SC_PAGE_SIZE);
+ break;
+ case BPF_MAP_TYPE_STRUCT_OPS:
+ /* we'll get -ENOTSUPP for invalid BTF type ID for struct_ops */
+--
+2.35.1
+
--- /dev/null
+From f2e4ff195885ae689e04b8e85a2f8c6750b2d647 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 14:38:52 +0100
+Subject: net: fec: don't reset irq coalesce settings to defaults on "ip link
+ up"
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+[ Upstream commit df727d4547de568302b0ed15b0d4e8a469bdb456 ]
+
+Currently, when a FEC device is brought up, the irq coalesce settings
+are reset to their default values (1000us, 200 frames). That's
+unexpected, and breaks for example use of an appropriate .link file to
+make systemd-udev apply the desired
+settings (https://www.freedesktop.org/software/systemd/man/systemd.link.html),
+or any other method that would do a one-time setup during early boot.
+
+Refactor the code so that fec_restart() instead uses
+fec_enet_itr_coal_set(), which simply applies the settings that are
+stored in the private data, and initialize that private data with the
+default values.
+
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 22 ++++++----------------
+ 1 file changed, 6 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 5aa254eaa8d0..b71e0c32e351 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -72,7 +72,7 @@
+ #include "fec.h"
+
+ static void set_multicast_list(struct net_device *ndev);
+-static void fec_enet_itr_coal_init(struct net_device *ndev);
++static void fec_enet_itr_coal_set(struct net_device *ndev);
+
+ #define DRIVER_NAME "fec"
+
+@@ -1164,8 +1164,7 @@ fec_restart(struct net_device *ndev)
+ writel(0, fep->hwp + FEC_IMASK);
+
+ /* Init the interrupt coalescing */
+- fec_enet_itr_coal_init(ndev);
+-
++ fec_enet_itr_coal_set(ndev);
+ }
+
+ static void fec_enet_stop_mode(struct fec_enet_private *fep, bool enabled)
+@@ -2771,19 +2770,6 @@ static int fec_enet_set_coalesce(struct net_device *ndev,
+ return 0;
+ }
+
+-static void fec_enet_itr_coal_init(struct net_device *ndev)
+-{
+- struct ethtool_coalesce ec;
+-
+- ec.rx_coalesce_usecs = FEC_ITR_ICTT_DEFAULT;
+- ec.rx_max_coalesced_frames = FEC_ITR_ICFT_DEFAULT;
+-
+- ec.tx_coalesce_usecs = FEC_ITR_ICTT_DEFAULT;
+- ec.tx_max_coalesced_frames = FEC_ITR_ICFT_DEFAULT;
+-
+- fec_enet_set_coalesce(ndev, &ec, NULL, NULL);
+-}
+-
+ static int fec_enet_get_tunable(struct net_device *netdev,
+ const struct ethtool_tunable *tuna,
+ void *data)
+@@ -3538,6 +3524,10 @@ static int fec_enet_init(struct net_device *ndev)
+ fep->rx_align = 0x3;
+ fep->tx_align = 0x3;
+ #endif
++ fep->rx_pkts_itr = FEC_ITR_ICFT_DEFAULT;
++ fep->tx_pkts_itr = FEC_ITR_ICFT_DEFAULT;
++ fep->rx_time_itr = FEC_ITR_ICTT_DEFAULT;
++ fep->tx_time_itr = FEC_ITR_ICTT_DEFAULT;
+
+ /* Check mask of the streaming and coherent API */
+ ret = dma_set_mask_and_coherent(&fep->pdev->dev, DMA_BIT_MASK(32));
+--
+2.35.1
+
--- /dev/null
+From fa4bf0c84668bf742839a163733332eeb7b1cd81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 15:18:28 +0100
+Subject: net: loopback: use NET_NAME_PREDICTABLE for name_assign_type
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+[ Upstream commit 31d929de5a112ee1b977a89c57de74710894bbbf ]
+
+When the name_assign_type attribute was introduced (commit
+685343fc3ba6, "net: add name_assign_type netdev attribute"), the
+loopback device was explicitly mentioned as one which would make use
+of NET_NAME_PREDICTABLE:
+
+ The name_assign_type attribute gives hints where the interface name of a
+ given net-device comes from. These values are currently defined:
+...
+ NET_NAME_PREDICTABLE:
+ The ifname has been assigned by the kernel in a predictable way
+ that is guaranteed to avoid reuse and always be the same for a
+ given device. Examples include statically created devices like
+ the loopback device [...]
+
+Switch to that so that reading /sys/class/net/lo/name_assign_type
+produces something sensible instead of returning -EINVAL.
+
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/loopback.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/loopback.c b/drivers/net/loopback.c
+index 14e8d04cb434..2e9742952c4e 100644
+--- a/drivers/net/loopback.c
++++ b/drivers/net/loopback.c
+@@ -211,7 +211,7 @@ static __net_init int loopback_net_init(struct net *net)
+ int err;
+
+ err = -ENOMEM;
+- dev = alloc_netdev(0, "lo", NET_NAME_UNKNOWN, loopback_setup);
++ dev = alloc_netdev(0, "lo", NET_NAME_PREDICTABLE, loopback_setup);
+ if (!dev)
+ goto out;
+
+--
+2.35.1
+
--- /dev/null
+From 59aa5955f4b40c89a17e88524ece30ae38129f28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 17:48:11 +0800
+Subject: nvme-pci: clear the prp2 field when not used
+
+From: Lei Rao <lei.rao@intel.com>
+
+[ Upstream commit a56ea6147facce4ac1fc38675455f9733d96232b ]
+
+If the prp2 field is not filled in nvme_setup_prp_simple(), the prp2
+field is garbage data. According to nvme spec, the prp2 is reserved if
+the data transfer does not cross a memory page boundary, so clear it to
+zero if it is not used.
+
+Signed-off-by: Lei Rao <lei.rao@intel.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 0f34114c4596..6867620bcc98 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -804,6 +804,8 @@ static blk_status_t nvme_setup_prp_simple(struct nvme_dev *dev,
+ cmnd->dptr.prp1 = cpu_to_le64(iod->first_dma);
+ if (bv->bv_len > first_prp_len)
+ cmnd->dptr.prp2 = cpu_to_le64(iod->first_dma + first_prp_len);
++ else
++ cmnd->dptr.prp2 = 0;
+ return BLK_STS_OK;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 571533ad42dc3b9b051eb0997389bff034887e8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 12:49:12 +0100
+Subject: perf: Fix perf_pending_task() UaF
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 517e6a301f34613bff24a8e35b5455884f2d83d8 ]
+
+Per syzbot it is possible for perf_pending_task() to run after the
+event is free()'d. There are two related but distinct cases:
+
+ - the task_work was already queued before destroying the event;
+ - destroying the event itself queues the task_work.
+
+The first cannot be solved using task_work_cancel() since
+perf_release() itself might be called from a task_work (____fput),
+which means the current->task_works list is already empty and
+task_work_cancel() won't be able to find the perf_pending_task()
+entry.
+
+The simplest alternative is extending the perf_event lifetime to cover
+the task_work.
+
+The second is just silly, queueing a task_work while you know the
+event is going away makes no sense and is easily avoided by
+re-arranging how the event is marked STATE_DEAD and ensuring it goes
+through STATE_OFF on the way down.
+
+Reported-by: syzbot+9228d6098455bb209ec8@syzkaller.appspotmail.com
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Marco Elver <elver@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 8dcbefd90b7f..91473e9f88cd 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -2283,6 +2283,7 @@ event_sched_out(struct perf_event *event,
+ !event->pending_work) {
+ event->pending_work = 1;
+ dec = false;
++ WARN_ON_ONCE(!atomic_long_inc_not_zero(&event->refcount));
+ task_work_add(current, &event->pending_task, TWA_RESUME);
+ }
+ if (dec)
+@@ -2328,6 +2329,7 @@ group_sched_out(struct perf_event *group_event,
+
+ #define DETACH_GROUP 0x01UL
+ #define DETACH_CHILD 0x02UL
++#define DETACH_DEAD 0x04UL
+
+ /*
+ * Cross CPU call to remove a performance event
+@@ -2348,12 +2350,20 @@ __perf_remove_from_context(struct perf_event *event,
+ update_cgrp_time_from_cpuctx(cpuctx, false);
+ }
+
++ /*
++ * Ensure event_sched_out() switches to OFF, at the very least
++ * this avoids raising perf_pending_task() at this time.
++ */
++ if (flags & DETACH_DEAD)
++ event->pending_disable = 1;
+ event_sched_out(event, cpuctx, ctx);
+ if (flags & DETACH_GROUP)
+ perf_group_detach(event);
+ if (flags & DETACH_CHILD)
+ perf_child_detach(event);
+ list_del_event(event, ctx);
++ if (flags & DETACH_DEAD)
++ event->state = PERF_EVENT_STATE_DEAD;
+
+ if (!ctx->nr_events && ctx->is_active) {
+ if (ctx == &cpuctx->ctx)
+@@ -5113,9 +5123,7 @@ int perf_event_release_kernel(struct perf_event *event)
+
+ ctx = perf_event_ctx_lock(event);
+ WARN_ON_ONCE(ctx->parent_ctx);
+- perf_remove_from_context(event, DETACH_GROUP);
+
+- raw_spin_lock_irq(&ctx->lock);
+ /*
+ * Mark this event as STATE_DEAD, there is no external reference to it
+ * anymore.
+@@ -5127,8 +5135,7 @@ int perf_event_release_kernel(struct perf_event *event)
+ * Thus this guarantees that we will in fact observe and kill _ALL_
+ * child events.
+ */
+- event->state = PERF_EVENT_STATE_DEAD;
+- raw_spin_unlock_irq(&ctx->lock);
++ perf_remove_from_context(event, DETACH_GROUP|DETACH_DEAD);
+
+ perf_event_ctx_unlock(event, ctx);
+
+@@ -6569,6 +6576,8 @@ static void perf_pending_task(struct callback_head *head)
+ if (rctx >= 0)
+ perf_swevent_put_recursion_context(rctx);
+ preempt_enable_notrace();
++
++ put_event(event);
+ }
+
+ #ifdef CONFIG_GUEST_PERF_EVENTS
+--
+2.35.1
+
--- /dev/null
+From a9ad80a0364ecfc86a03324f5dd068718126ecbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 00:38:55 +0100
+Subject: pinctrl: meditatek: Startup with the IRQs disabled
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 11780e37565db4dd064d3243ca68f755c13f65b4 ]
+
+If the system is restarted via kexec(), the peripherals do not start
+with a known state.
+
+If the previous system had enabled an IRQs we will receive unexected
+IRQs that can lock the system.
+
+[ 28.109251] watchdog: BUG: soft lockup - CPU#0 stuck for 26s!
+[swapper/0:0]
+[ 28.109263] Modules linked in:
+[ 28.109273] CPU: 0 PID: 0 Comm: swapper/0 Not tainted
+5.15.79-14458-g4b9edf7b1ac6 #1 9f2e76613148af94acccd64c609a552fb4b4354b
+[ 28.109284] Hardware name: Google Elm (DT)
+[ 28.109290] pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS
+ BTYPE=--)
+[ 28.109298] pc : __do_softirq+0xa0/0x388
+[ 28.109309] lr : __do_softirq+0x70/0x388
+[ 28.109316] sp : ffffffc008003ee0
+[ 28.109321] x29: ffffffc008003f00 x28: 000000000000000a x27:
+0000000000000080
+[ 28.109334] x26: 0000000000000001 x25: ffffffefa7b350c0 x24:
+ffffffefa7b47480
+[ 28.109346] x23: ffffffefa7b3d000 x22: 0000000000000000 x21:
+ffffffefa7b0fa40
+[ 28.109358] x20: ffffffefa7b005b0 x19: ffffffefa7b47480 x18:
+0000000000065b6b
+[ 28.109370] x17: ffffffefa749c8b0 x16: 000000000000018c x15:
+00000000000001b8
+[ 28.109382] x14: 00000000000d3b6b x13: 0000000000000006 x12:
+0000000000057e91
+[ 28.109394] x11: 0000000000000000 x10: 0000000000000000 x9 :
+ffffffefa7b47480
+[ 28.109406] x8 : 00000000000000e0 x7 : 000000000f424000 x6 :
+0000000000000000
+[ 28.109418] x5 : ffffffefa7dfaca0 x4 : ffffffefa7dfadf0 x3 :
+000000000000000f
+[ 28.109429] x2 : 0000000000000000 x1 : 0000000000000100 x0 :
+0000000001ac65c5
+[ 28.109441] Call trace:
+[ 28.109447] __do_softirq+0xa0/0x388
+[ 28.109454] irq_exit+0xc0/0xe0
+[ 28.109464] handle_domain_irq+0x68/0x90
+[ 28.109473] gic_handle_irq+0xac/0xf0
+[ 28.109480] call_on_irq_stack+0x28/0x50
+[ 28.109488] do_interrupt_handler+0x44/0x58
+[ 28.109496] el1_interrupt+0x30/0x58
+[ 28.109506] el1h_64_irq_handler+0x18/0x24
+[ 28.109512] el1h_64_irq+0x7c/0x80
+[ 28.109519] arch_local_irq_enable+0xc/0x18
+[ 28.109529] default_idle_call+0x40/0x140
+[ 28.109539] do_idle+0x108/0x290
+[ 28.109547] cpu_startup_entry+0x2c/0x30
+[ 28.109554] rest_init+0xe8/0xf8
+[ 28.109562] arch_call_rest_init+0x18/0x24
+[ 28.109571] start_kernel+0x338/0x42c
+[ 28.109578] __primary_switched+0xbc/0xc4
+[ 28.109588] Kernel panic - not syncing: softlockup: hung tasks
+
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Link: https://lore.kernel.org/r/20221122-mtk-pinctrl-v1-1-bedf5655a3d2@chromium.org
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/mediatek/mtk-eint.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pinctrl/mediatek/mtk-eint.c b/drivers/pinctrl/mediatek/mtk-eint.c
+index f7b54a551764..c24583bffa99 100644
+--- a/drivers/pinctrl/mediatek/mtk-eint.c
++++ b/drivers/pinctrl/mediatek/mtk-eint.c
+@@ -287,12 +287,15 @@ static struct irq_chip mtk_eint_irq_chip = {
+
+ static unsigned int mtk_eint_hw_init(struct mtk_eint *eint)
+ {
+- void __iomem *reg = eint->base + eint->regs->dom_en;
++ void __iomem *dom_en = eint->base + eint->regs->dom_en;
++ void __iomem *mask_set = eint->base + eint->regs->mask_set;
+ unsigned int i;
+
+ for (i = 0; i < eint->hw->ap_num; i += 32) {
+- writel(0xffffffff, reg);
+- reg += 4;
++ writel(0xffffffff, dom_en);
++ writel(0xffffffff, mask_set);
++ dom_en += 4;
++ mask_set += 4;
+ }
+
+ return 0;
+--
+2.35.1
+
x86-vdso-conditionally-export-__vdso_sgx_enter_enclave.patch
libbpf-fix-uninitialized-warning-in-btf_dump_dump_type_data.patch
rtc-cmos-fix-build-on-non-acpi-platforms.patch
+asoc-fsl_micfil-explicitly-clear-software-reset-bit.patch
+asoc-fsl_micfil-explicitly-clear-chnf-flags.patch
+asoc-ops-check-bounds-for-second-channel-in-snd_soc_.patch
+libbpf-use-page-size-as-max_entries-when-probing-rin.patch
+pinctrl-meditatek-startup-with-the-irqs-disabled.patch
+can-sja1000-fix-size-of-ocr_mode_mask-define.patch
+can-mcba_usb-fix-termination-command-argument.patch
+net-fec-don-t-reset-irq-coalesce-settings-to-default.patch
+net-loopback-use-net_name_predictable-for-name_assig.patch
+asoc-cs42l51-correct-pga-volume-minimum-value.patch
+perf-fix-perf_pending_task-uaf.patch
+nvme-pci-clear-the-prp2-field-when-not-used.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
