From 0b38474fed97d0d6f02d043162f677af9e5257f7 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 15 Dec 2022 12:25:49 -0500 Subject: [PATCH] Fixes for 5.15 Signed-off-by: Sasha Levin --- ...l51-correct-pga-volume-minimum-value.patch | 38 ++++++ ...l_micfil-explicitly-clear-chnf-flags.patch | 49 ++++++++ ...-explicitly-clear-software-reset-bit.patch | 47 ++++++++ ...ounds-for-second-channel-in-snd_soc_.patch | 41 +++++++ ...usb-fix-termination-command-argument.patch | 82 +++++++++++++ ...000-fix-size-of-ocr_mode_mask-define.patch | 36 ++++++ ...size-as-max_entries-when-probing-rin.patch | 47 ++++++++ ...set-irq-coalesce-settings-to-default.patch | 87 ++++++++++++++ ...-net_name_predictable-for-name_assig.patch | 50 ++++++++ ...i-clear-the-prp2-field-when-not-used.patch | 37 ++++++ .../perf-fix-perf_pending_task-uaf.patch | 110 ++++++++++++++++++ ...tatek-startup-with-the-irqs-disabled.patch | 102 ++++++++++++++++ queue-5.15/series | 12 ++ 13 files changed, 738 insertions(+) create mode 100644 queue-5.15/asoc-cs42l51-correct-pga-volume-minimum-value.patch create mode 100644 queue-5.15/asoc-fsl_micfil-explicitly-clear-chnf-flags.patch create mode 100644 queue-5.15/asoc-fsl_micfil-explicitly-clear-software-reset-bit.patch create mode 100644 queue-5.15/asoc-ops-check-bounds-for-second-channel-in-snd_soc_.patch create mode 100644 queue-5.15/can-mcba_usb-fix-termination-command-argument.patch create mode 100644 queue-5.15/can-sja1000-fix-size-of-ocr_mode_mask-define.patch create mode 100644 queue-5.15/libbpf-use-page-size-as-max_entries-when-probing-rin.patch create mode 100644 queue-5.15/net-fec-don-t-reset-irq-coalesce-settings-to-default.patch create mode 100644 queue-5.15/net-loopback-use-net_name_predictable-for-name_assig.patch create mode 100644 queue-5.15/nvme-pci-clear-the-prp2-field-when-not-used.patch create mode 100644 queue-5.15/perf-fix-perf_pending_task-uaf.patch create mode 100644 queue-5.15/pinctrl-meditatek-startup-with-the-irqs-disabled.patch 
diff --git a/queue-5.15/asoc-cs42l51-correct-pga-volume-minimum-value.patch b/queue-5.15/asoc-cs42l51-correct-pga-volume-minimum-value.patch
new file mode 100644
index 00000000000..2876dcbf2f1
--- /dev/null
+++ b/queue-5.15/asoc-cs42l51-correct-pga-volume-minimum-value.patch
@@ -0,0 +1,38 @@
+From 0ff2cf16e14cd85f68b67b4628c50bb1c9096bde Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Nov 2022 16:23:48 +0000
+Subject: ASoC: cs42l51: Correct PGA Volume minimum value
+
+From: Charles Keepax
+
+[ Upstream commit 3d1bb6cc1a654c8693a85b1d262e610196edec8b ]
+
+The table in the datasheet actually shows the volume values in the wrong
+order, with the two -3dB values being reversed. This appears to have
+caused the lower of the two values to be used in the driver when the
+higher should have been, correct this mixup.
+
+Signed-off-by: Charles Keepax
+Link: https://lore.kernel.org/r/20221125162348.1288005-2-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/cs42l51.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l51.c b/sound/soc/codecs/cs42l51.c
+index fc6a2bc311b4..c61b17dc2af8 100644
+--- a/sound/soc/codecs/cs42l51.c
++++ b/sound/soc/codecs/cs42l51.c
+@@ -146,7 +146,7 @@ static const struct snd_kcontrol_new cs42l51_snd_controls[] = {
+ 0, 0xA0, 96, adc_att_tlv),
+ SOC_DOUBLE_R_SX_TLV("PGA Volume",
+ CS42L51_ALC_PGA_CTL, CS42L51_ALC_PGB_CTL,
+- 0, 0x19, 30, pga_tlv),
++ 0, 0x1A, 30, pga_tlv),
+ SOC_SINGLE("Playback Deemphasis Switch", CS42L51_DAC_CTL, 3, 1, 0),
+ SOC_SINGLE("Auto-Mute Switch", CS42L51_DAC_CTL, 2, 1, 0),
+ SOC_SINGLE("Soft Ramp Switch", CS42L51_DAC_CTL, 1, 1, 0),
+--
+2.35.1
+
diff --git a/queue-5.15/asoc-fsl_micfil-explicitly-clear-chnf-flags.patch b/queue-5.15/asoc-fsl_micfil-explicitly-clear-chnf-flags.patch
new file mode 100644
index 00000000000..500b81da7bc
--- /dev/null
+++ b/queue-5.15/asoc-fsl_micfil-explicitly-clear-chnf-flags.patch
@@ -0,0 +1,49 @@
+From f6774ce5830500245c8335a71d8b6d21171c6c37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 7 May 2022 20:14:14 +0800
+Subject: ASoC: fsl_micfil: explicitly clear CHnF flags
+
+From: Shengjiu Wang
+
+[ Upstream commit b776c4a4618ec1b5219d494c423dc142f23c4e8f ]
+
+There may be failure when start 1 channel recording after
+8 channels recording. The reason is that the CHnF
+flags are not cleared successfully by software reset.
+
+This issue is triggerred by the change of clearing
+software reset bit.
+
+CHnF flags are write 1 clear bits. Clear them by force
+write.
+
+Signed-off-by: Shengjiu Wang
+Link: https://lore.kernel.org/r/1651925654-32060-2-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/fsl/fsl_micfil.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
+index cb84d95c3aac..d1cd104f8584 100644
+--- a/sound/soc/fsl/fsl_micfil.c
++++ b/sound/soc/fsl/fsl_micfil.c
+@@ -202,6 +202,14 @@ static int fsl_micfil_reset(struct device *dev)
+ if (ret)
+ return ret;
+
++ /*
++ * Set SRES should clear CHnF flags, But even add delay here
++ * the CHnF may not be cleared sometimes, so clear CHnF explicitly.
++ */
++ ret = regmap_write_bits(micfil->regmap, REG_MICFIL_STAT, 0xFF, 0xFF);
++ if (ret)
++ return ret;
++
+ return 0;
+ }
+
+--
+2.35.1
+
diff --git a/queue-5.15/asoc-fsl_micfil-explicitly-clear-software-reset-bit.patch b/queue-5.15/asoc-fsl_micfil-explicitly-clear-software-reset-bit.patch
new file mode 100644
index 00000000000..5d3becb408c
--- /dev/null
+++ b/queue-5.15/asoc-fsl_micfil-explicitly-clear-software-reset-bit.patch
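Review bot: The comment added in fsl_micfil_reset() does not say that the CHnF bits are write-1-to-clear, which is the only reason writing `0xFF` clears them rather than sets them; that fact appears only in the commit message. I would add a line to the comment such as `* CHnF bits are write-1-to-clear, so force a write of ones to all eight.` and consider a named mask in place of the bare `0xFF, 0xFF`. The function starts outside the hunk.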
@@ -0,0 +1,47 @@
+From c31c0ee938676b97a3f35914f590825c03c32cf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 7 May 2022 20:14:13 +0800
+Subject: ASoC: fsl_micfil: explicitly clear software reset bit
+
+From: Shengjiu Wang
+
+[ Upstream commit 292709b9cf3ba470af94b62c9bb60284cc581b79 ]
+
+SRES is self-cleared bit, but REG_MICFIL_CTRL1 is defined as
+non volatile register, it still remain in regmap cache after set,
+then every update of REG_MICFIL_CTRL1, software reset happens.
+to avoid this, clear it explicitly.
+
+Signed-off-by: Shengjiu Wang
+Link: https://lore.kernel.org/r/1651925654-32060-1-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/fsl/fsl_micfil.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
+index 9f90989ac59a..cb84d95c3aac 100644
+--- a/sound/soc/fsl/fsl_micfil.c
++++ b/sound/soc/fsl/fsl_micfil.c
+@@ -191,6 +191,17 @@ static int fsl_micfil_reset(struct device *dev)
+ return ret;
+ }
+
++ /*
++ * SRES is self-cleared bit, but REG_MICFIL_CTRL1 is defined
++ * as non-volatile register, so SRES still remain in regmap
++ * cache after set, that every update of REG_MICFIL_CTRL1,
++ * software reset happens. so clear it explicitly.
++ */
++ ret = regmap_clear_bits(micfil->regmap, REG_MICFIL_CTRL1,
++ MICFIL_CTRL1_SRES);
++ if (ret)
++ return ret;
++
+ return 0;
+ }
+
+--
+2.35.1
+
diff --git a/queue-5.15/asoc-ops-check-bounds-for-second-channel-in-snd_soc_.patch b/queue-5.15/asoc-ops-check-bounds-for-second-channel-in-snd_soc_.patch
new file mode 100644
index 00000000000..e938003c166
--- /dev/null
+++ b/queue-5.15/asoc-ops-check-bounds-for-second-channel-in-snd_soc_.patch
@@ -0,0 +1,41 @@
+From 95dce034b51ea934c54fa2e62460e29993c61200 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 May 2022 14:41:37 +0100
+Subject: ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()
+
+From: Mark Brown
+
+[ Upstream commit 97eea946b93961fffd29448dcda7398d0d51c4b2 ]
+
+The bounds checks in snd_soc_put_volsw_sx() are only being applied to the
+first channel, meaning it is possible to write out of bounds values to the
+second channel in stereo controls. Add appropriate checks.
+
+Signed-off-by: Mark Brown
+Link: https://lore.kernel.org/r/20220511134137.169575-2-broonie@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/soc-ops.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
+index b8a169d3b830..ece45fd654b8 100644
+--- a/sound/soc/soc-ops.c
++++ b/sound/soc/soc-ops.c
+@@ -451,6 +451,12 @@ int snd_soc_put_volsw_sx(struct snd_kcontrol *kcontrol,
+
+ val_mask = mask << rshift;
+ val2 = (ucontrol->value.integer.value[1] + min) & mask;
++
++ if (mc->platform_max && val2 > mc->platform_max)
++ return -EINVAL;
++ if (val2 > max)
++ return -EINVAL;
++
+ val2 = val2 << rshift;
+
+ err = snd_soc_component_update_bits(component, reg2, val_mask,
+--
+2.35.1
+
diff --git a/queue-5.15/can-mcba_usb-fix-termination-command-argument.patch b/queue-5.15/can-mcba_usb-fix-termination-command-argument.patch
new file mode 100644
index 00000000000..df20b6c41fd
--- /dev/null
+++ b/queue-5.15/can-mcba_usb-fix-termination-command-argument.patch
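Review bot: The new range checks in snd_soc_put_volsw_sx() run on `val2` after `+ min` and `& mask` have already been applied, so they test the register encoding rather than the value userspace supplied. A raw value far outside the control's range can be folded back under `max` by the mask and accepted, and, if `max` counts steps above `min` (an assumption; its definition is outside the hunk), in-range values can be rejected. Compare the raw `ucontrol->value.integer.value[1]` against `mc->platform_max` and `max` first, and only then compute `val2 = (val2 + min) & mask;`. The function starts and ends outside the hunk, so whether the first channel has already been written when this path returns -EINVAL cannot be confirmed from here.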
@@ -0,0 +1,82 @@
+From b7846a3680c4c4668251dbded85c9116e50488fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Nov 2022 00:25:03 +0900
+Subject: can: mcba_usb: Fix termination command argument
+
+From: Yasushi SHOJI
+
+[ Upstream commit 1a8e3bd25f1e789c8154e11ea24dc3ec5a4c1da0 ]
+
+Microchip USB Analyzer can activate the internal termination resistors
+by setting the "termination" option ON, or OFF to to deactivate them.
+As I've observed, both with my oscilloscope and captured USB packets
+below, you must send "0" to turn it ON, and "1" to turn it OFF.
+
+From the schematics in the user's guide, I can confirm that you must
+drive the CAN_RES signal LOW "0" to activate the resistors.
+
+Reverse the argument value of usb_msg.termination to fix this.
+
+These are the two commands sequence, ON then OFF.
+
+> No.
Time Source Destination Protocol Length Info
+> 1 0.000000 host 1.3.1 USB 46 URB_BULK out
+>
+> Frame 1: 46 bytes on wire (368 bits), 46 bytes captured (368 bits)
+> USB URB
+> Leftover Capture Data: a80000000000000000000000000000000000a8
+>
+> No. Time Source Destination Protocol Length Info
+> 2 4.372547 host 1.3.1 USB 46 URB_BULK out
+>
+> Frame 2: 46 bytes on wire (368 bits), 46 bytes captured (368 bits)
+> USB URB
+> Leftover Capture Data: a80100000000000000000000000000000000a9
+
+Signed-off-by: Yasushi SHOJI
+Link: https://lore.kernel.org/all/20221124152504.125994-1-yashi@spacecubics.com
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/usb/mcba_usb.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c
+index 023bd34d48e3..e9ccdcce01cc 100644
+--- a/drivers/net/can/usb/mcba_usb.c
++++ b/drivers/net/can/usb/mcba_usb.c
+@@ -47,6 +47,10 @@
+ #define MCBA_VER_REQ_USB 1
+ #define MCBA_VER_REQ_CAN 2
+
++/* Drive the CAN_RES signal LOW "0" to activate R24 and R25 */
++#define MCBA_VER_TERMINATION_ON 0
++#define MCBA_VER_TERMINATION_OFF 1
++
+ #define MCBA_SIDL_EXID_MASK 0x8
+ #define MCBA_DLC_MASK 0xf
+ #define MCBA_DLC_RTR_MASK 0x40
+@@ -469,7 +473,7 @@ static void mcba_usb_process_ka_usb(struct mcba_priv *priv,
+ priv->usb_ka_first_pass = false;
+ }
+
+- if (msg->termination_state)
++ if (msg->termination_state == MCBA_VER_TERMINATION_ON)
+ priv->can.termination = MCBA_TERMINATION_ENABLED;
+ else
+ priv->can.termination = MCBA_TERMINATION_DISABLED;
+@@ -789,9 +793,9 @@ static int mcba_set_termination(struct net_device *netdev, u16 term)
+ };
+
+ if (term == MCBA_TERMINATION_ENABLED)
+- usb_msg.termination = 1;
++ usb_msg.termination = MCBA_VER_TERMINATION_ON;
+ else
+- usb_msg.termination = 0;
++ usb_msg.termination = MCBA_VER_TERMINATION_OFF;
+
+ mcba_usb_xmit_cmd(priv, (struct mcba_usb_msg *)&usb_msg);
+
+--
+2.35.1
+
diff --git a/queue-5.15/can-sja1000-fix-size-of-ocr_mode_mask-define.patch b/queue-5.15/can-sja1000-fix-size-of-ocr_mode_mask-define.patch
new file mode 100644
index 00000000000..5fbdb3509d4
--- /dev/null
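Review bot: The new device-level constants reuse the `MCBA_VER_` prefix, which on the neighbouring context lines names version requests (`MCBA_VER_REQ_USB`, `MCBA_VER_REQ_CAN`), and the driver now carries two termination vocabularies, `MCBA_TERMINATION_ENABLED` for the CAN layer and `MCBA_VER_TERMINATION_ON` for the device. The comment above the defines describes the board signal but not that these are the values sent to and reported by the device; something like `/* Device encoding of the termination state (active low): 0 = resistors on */` would keep the two sets from being mixed up again. In mcba_usb_process_ka_usb() every reported value other than 0 now maps to disabled, which looks intended but is worth stating in that comment.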
+++ b/queue-5.15/can-sja1000-fix-size-of-ocr_mode_mask-define.patch
@@ -0,0 +1,36 @@
+From 5e5ae672eaa480fabc6dcec5c8e7847c97cb09fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Nov 2022 08:16:36 +0100
+Subject: can: sja1000: fix size of OCR_MODE_MASK define
+
+From: Heiko Schocher
+
+[ Upstream commit 26e8f6a75248247982458e8237b98c9fb2ffcf9d ]
+
+bitfield mode in ocr register has only 2 bits not 3, so correct
+the OCR_MODE_MASK define.
+
+Signed-off-by: Heiko Schocher
+Link: https://lore.kernel.org/all/20221123071636.2407823-1-hs@denx.de
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ include/linux/can/platform/sja1000.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/can/platform/sja1000.h b/include/linux/can/platform/sja1000.h
+index 5755ae5a4712..6a869682c120 100644
+--- a/include/linux/can/platform/sja1000.h
++++ b/include/linux/can/platform/sja1000.h
+@@ -14,7 +14,7 @@
+ #define OCR_MODE_TEST 0x01
+ #define OCR_MODE_NORMAL 0x02
+ #define OCR_MODE_CLOCK 0x03
+-#define OCR_MODE_MASK 0x07
++#define OCR_MODE_MASK 0x03
+ #define OCR_TX0_INVERT 0x04
+ #define OCR_TX0_PULLDOWN 0x08
+ #define OCR_TX0_PULLUP 0x10
+--
+2.35.1
+
diff --git a/queue-5.15/libbpf-use-page-size-as-max_entries-when-probing-rin.patch b/queue-5.15/libbpf-use-page-size-as-max_entries-when-probing-rin.patch
new file mode 100644
index 00000000000..d0c3c854f86
--- /dev/null
+++ b/queue-5.15/libbpf-use-page-size-as-max_entries-when-probing-rin.patch
@@ -0,0 +1,47 @@
+From 8893f54a138d1447127cb3c9daa9750a2e9b0839 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Nov 2022 15:23:48 +0800
+Subject: libbpf: Use page size as max_entries when probing ring buffer map
+
+From: Hou Tao
+
+[ Upstream commit 689eb2f1ba46b4b02195ac2a71c55b96d619ebf8 ]
+
+Using page size as max_entries when probing ring buffer map, else the
+probe may fail on host with 64KB page size (e.g., an ARM64 host).
+
+After the fix, the output of "bpftool feature" on above host will be
+correct.
+
+Before :
+ eBPF map_type ringbuf is NOT available
+ eBPF map_type user_ringbuf is NOT available
+
+After :
+ eBPF map_type ringbuf is available
+ eBPF map_type user_ringbuf is available
+
+Signed-off-by: Hou Tao
+Signed-off-by: Andrii Nakryiko
+Link: https://lore.kernel.org/bpf/20221116072351.1168938-2-houtao@huaweicloud.com
+Signed-off-by: Sasha Levin
+---
+ tools/lib/bpf/libbpf_probes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf_probes.c b/tools/lib/bpf/libbpf_probes.c
+index cd8c703dde71..8f425473ccaa 100644
+--- a/tools/lib/bpf/libbpf_probes.c
++++ b/tools/lib/bpf/libbpf_probes.c
+@@ -245,7 +245,7 @@ bool bpf_probe_map_type(enum bpf_map_type map_type, __u32 ifindex)
+ case BPF_MAP_TYPE_RINGBUF:
+ key_size = 0;
+ value_size = 0;
+- max_entries = 4096;
++ max_entries = sysconf(_SC_PAGE_SIZE);
+ break;
+ case BPF_MAP_TYPE_UNSPEC:
+ case BPF_MAP_TYPE_HASH:
+--
+2.35.1
+
diff --git a/queue-5.15/net-fec-don-t-reset-irq-coalesce-settings-to-default.patch b/queue-5.15/net-fec-don-t-reset-irq-coalesce-settings-to-default.patch
new file mode 100644
index 00000000000..d4cafa03271
--- /dev/null
+++ b/queue-5.15/net-fec-don-t-reset-irq-coalesce-settings-to-default.patch
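Review bot: `sysconf(_SC_PAGE_SIZE)` returns a `long` and reports failure as -1, and the new assignment in the BPF_MAP_TYPE_RINGBUF case stores it in `max_entries` unchecked. On failure the probe would request a map with a nonsensical size and report the map type as unavailable, which is the wrong answer this change sets out to remove. Read the value into a local and fall back to the previous constant, e.g. `long page_sz = sysconf(_SC_PAGE_SIZE);` followed by `max_entries = page_sz > 0 ? page_sz : 4096;`. The hunk does not show the file's includes, so confirm `<unistd.h>` is already pulled in. bpf_probe_map_type() starts and ends outside the hunk.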
@@ -0,0 +1,87 @@
+From 3b253616b79ca8532bff3944df7fc2e28d36535c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Nov 2022 14:38:52 +0100
+Subject: net: fec: don't reset irq coalesce settings to defaults on "ip link
+ up"
+
+From: Rasmus Villemoes
+
+[ Upstream commit df727d4547de568302b0ed15b0d4e8a469bdb456 ]
+
+Currently, when a FEC device is brought up, the irq coalesce settings
+are reset to their default values (1000us, 200 frames). That's
+unexpected, and breaks for example use of an appropriate .link file to
+make systemd-udev apply the desired
+settings (https://www.freedesktop.org/software/systemd/man/systemd.link.html),
+or any other method that would do a one-time setup during early boot.
+
+Refactor the code so that fec_restart() instead uses
+fec_enet_itr_coal_set(), which simply applies the settings that are
+stored in the private data, and initialize that private data with the
+default values.
+
+Signed-off-by: Rasmus Villemoes
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S.
Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/freescale/fec_main.c | 22 ++++++----------------
+ 1 file changed, 6 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index a829ba128b9d..351f7ef3bc8b 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -72,7 +72,7 @@
+ #include "fec.h"
+
+ static void set_multicast_list(struct net_device *ndev);
+-static void fec_enet_itr_coal_init(struct net_device *ndev);
++static void fec_enet_itr_coal_set(struct net_device *ndev);
+
+ #define DRIVER_NAME "fec"
+
+@@ -1163,8 +1163,7 @@ fec_restart(struct net_device *ndev)
+ writel(0, fep->hwp + FEC_IMASK);
+
+ /* Init the interrupt coalescing */
+- fec_enet_itr_coal_init(ndev);
+-
++ fec_enet_itr_coal_set(ndev);
+ }
+
+ static void fec_enet_stop_mode(struct fec_enet_private *fep, bool enabled)
+@@ -2760,19 +2759,6 @@ static int fec_enet_set_coalesce(struct net_device *ndev,
+ return 0;
+ }
+
+-static void fec_enet_itr_coal_init(struct net_device *ndev)
+-{
+- struct ethtool_coalesce ec;
+-
+- ec.rx_coalesce_usecs = FEC_ITR_ICTT_DEFAULT;
+- ec.rx_max_coalesced_frames = FEC_ITR_ICFT_DEFAULT;
+-
+- ec.tx_coalesce_usecs = FEC_ITR_ICTT_DEFAULT;
+- ec.tx_max_coalesced_frames = FEC_ITR_ICFT_DEFAULT;
+-
+- fec_enet_set_coalesce(ndev, &ec, NULL, NULL);
+-}
+-
+ static int fec_enet_get_tunable(struct net_device *netdev,
+ const struct ethtool_tunable *tuna,
+ void *data)
+@@ -3526,6 +3512,10 @@ static int fec_enet_init(struct net_device *ndev)
+ fep->rx_align = 0x3;
+ fep->tx_align = 0x3;
+ #endif
++ fep->rx_pkts_itr = FEC_ITR_ICFT_DEFAULT;
++ fep->tx_pkts_itr = FEC_ITR_ICFT_DEFAULT;
++ fep->rx_time_itr = FEC_ITR_ICTT_DEFAULT;
++ fep->tx_time_itr = FEC_ITR_ICTT_DEFAULT;
+
+ /* Check mask of the streaming and coherent API */
+ ret = dma_set_mask_and_coherent(&fep->pdev->dev, DMA_BIT_MASK(32));
+--
+2.35.1
+
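Review bot: fec_restart() now calls fec_enet_itr_coal_set() unconditionally, whereas the removed fec_enet_itr_coal_init() went through fec_enet_set_coalesce(), the ethtool entry point. If that entry point rejects controllers without interrupt-coalescing support (its body is outside the hunk, so this is inferred), the direct call skips that gate and would program coalescing registers on variants that lack them. Guard the call, e.g. `if (fep->quirks & FEC_QUIRK_HAS_COALESCE)` in front of `fec_enet_itr_coal_set(ndev);`, and reword the retained `/* Init the interrupt coalescing */` comment, since the call now re-applies stored settings rather than initialising them.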
diff --git a/queue-5.15/net-loopback-use-net_name_predictable-for-name_assig.patch b/queue-5.15/net-loopback-use-net_name_predictable-for-name_assig.patch
new file mode 100644
index 00000000000..581a39ca055
--- /dev/null
+++ b/queue-5.15/net-loopback-use-net_name_predictable-for-name_assig.patch
@@ -0,0 +1,50 @@
+From bc3f35b00fd13e632eb05b76a8d95a0d8ca601c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Nov 2022 15:18:28 +0100
+Subject: net: loopback: use NET_NAME_PREDICTABLE for name_assign_type
+
+From: Rasmus Villemoes
+
+[ Upstream commit 31d929de5a112ee1b977a89c57de74710894bbbf ]
+
+When the name_assign_type attribute was introduced (commit
+685343fc3ba6, "net: add name_assign_type netdev attribute"), the
+loopback device was explicitly mentioned as one which would make use
+of NET_NAME_PREDICTABLE:
+
+ The name_assign_type attribute gives hints where the interface name of a
+ given net-device comes from. These values are currently defined:
+...
+ NET_NAME_PREDICTABLE:
+ The ifname has been assigned by the kernel in a predictable way
+ that is guaranteed to avoid reuse and always be the same for a
+ given device. Examples include statically created devices like
+ the loopback device [...]
+
+Switch to that so that reading /sys/class/net/lo/name_assign_type
+produces something sensible instead of returning -EINVAL.
+
+Signed-off-by: Rasmus Villemoes
+Reviewed-by: Jacob Keller
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/loopback.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/loopback.c b/drivers/net/loopback.c
+index a1c77cc00416..498e5c8013ef 100644
+--- a/drivers/net/loopback.c
++++ b/drivers/net/loopback.c
+@@ -208,7 +208,7 @@ static __net_init int loopback_net_init(struct net *net)
+ int err;
+
+ err = -ENOMEM;
+- dev = alloc_netdev(0, "lo", NET_NAME_UNKNOWN, loopback_setup);
++ dev = alloc_netdev(0, "lo", NET_NAME_PREDICTABLE, loopback_setup);
+ if (!dev)
+ goto out;
+
+--
+2.35.1
+
diff --git a/queue-5.15/nvme-pci-clear-the-prp2-field-when-not-used.patch b/queue-5.15/nvme-pci-clear-the-prp2-field-when-not-used.patch
new file mode 100644
index 00000000000..7d31ed63a9f
--- /dev/null
+++ b/queue-5.15/nvme-pci-clear-the-prp2-field-when-not-used.patch
@@ -0,0 +1,37 @@
+From 9809b15813f6c29fd366dbb644a9b1cf8b4a2c61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 29 Nov 2022 17:48:11 +0800
+Subject: nvme-pci: clear the prp2 field when not used
+
+From: Lei Rao
+
+[ Upstream commit a56ea6147facce4ac1fc38675455f9733d96232b ]
+
+If the prp2 field is not filled in nvme_setup_prp_simple(), the prp2
+field is garbage data. According to nvme spec, the prp2 is reserved if
+the data transfer does not cross a memory page boundary, so clear it to
+zero if it is not used.
+
+Signed-off-by: Lei Rao
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 772bdc6845fb..d49df7123677 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -814,6 +814,8 @@ static blk_status_t nvme_setup_prp_simple(struct nvme_dev *dev,
+ cmnd->dptr.prp1 = cpu_to_le64(iod->first_dma);
+ if (bv->bv_len > first_prp_len)
+ cmnd->dptr.prp2 = cpu_to_le64(iod->first_dma + first_prp_len);
++ else
++ cmnd->dptr.prp2 = 0;
+ return BLK_STS_OK;
+ }
+
+--
+2.35.1
+
diff --git a/queue-5.15/perf-fix-perf_pending_task-uaf.patch b/queue-5.15/perf-fix-perf_pending_task-uaf.patch
new file mode 100644
index 00000000000..d800877a08e
--- /dev/null
+++ b/queue-5.15/perf-fix-perf_pending_task-uaf.patch
@@ -0,0 +1,110 @@
+From ad4451a6c2f069a5624448d2de4ec20cba1b45c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Nov 2022 12:49:12 +0100
+Subject: perf: Fix perf_pending_task() UaF
+
+From: Peter Zijlstra
+
+[ Upstream commit 517e6a301f34613bff24a8e35b5455884f2d83d8 ]
+
+Per syzbot it is possible for perf_pending_task() to run after the
+event is free()'d. There are two related but distinct cases:
+
+ - the task_work was already queued before destroying the event;
+ - destroying the event itself queues the task_work.
+
+The first cannot be solved using task_work_cancel() since
+perf_release() itself might be called from a task_work (____fput),
+which means the current->task_works list is already empty and
+task_work_cancel() won't be able to find the perf_pending_task()
+entry.
+
+The simplest alternative is extending the perf_event lifetime to cover
+the task_work.
+
+The second is just silly, queueing a task_work while you know the
+event is going away makes no sense and is easily avoided by
+re-arranging how the event is marked STATE_DEAD and ensuring it goes
+through STATE_OFF on the way down.
+
+Reported-by: syzbot+9228d6098455bb209ec8@syzkaller.appspotmail.com
+Signed-off-by: Peter Zijlstra (Intel)
+Tested-by: Marco Elver
+Signed-off-by: Sasha Levin
+---
+ kernel/events/core.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 44f982b73640..5422bd77c7d4 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -2367,6 +2367,7 @@ event_sched_out(struct perf_event *event,
+ !event->pending_work) {
+ event->pending_work = 1;
+ dec = false;
++ WARN_ON_ONCE(!atomic_long_inc_not_zero(&event->refcount));
+ task_work_add(current, &event->pending_task, TWA_RESUME);
+ }
+ if (dec)
+@@ -2412,6 +2413,7 @@ group_sched_out(struct perf_event *group_event,
+
+ #define DETACH_GROUP 0x01UL
+ #define DETACH_CHILD 0x02UL
++#define DETACH_DEAD 0x04UL
+
+ /*
+ * Cross CPU call to remove a performance event
+@@ -2432,12 +2434,20 @@ __perf_remove_from_context(struct perf_event *event,
+ update_cgrp_time_from_cpuctx(cpuctx, false);
+ }
+
++ /*
++ * Ensure event_sched_out() switches to OFF, at the very least
++ * this avoids raising perf_pending_task() at this time.
++ */
++ if (flags & DETACH_DEAD)
++ event->pending_disable = 1;
+ event_sched_out(event, cpuctx, ctx);
+ if (flags & DETACH_GROUP)
+ perf_group_detach(event);
+ if (flags & DETACH_CHILD)
+ perf_child_detach(event);
+ list_del_event(event, ctx);
++ if (flags & DETACH_DEAD)
++ event->state = PERF_EVENT_STATE_DEAD;
+
+ if (!ctx->nr_events && ctx->is_active) {
+ if (ctx == &cpuctx->ctx)
+@@ -5212,9 +5222,7 @@ int perf_event_release_kernel(struct perf_event *event)
+
+ ctx = perf_event_ctx_lock(event);
+ WARN_ON_ONCE(ctx->parent_ctx);
+- perf_remove_from_context(event, DETACH_GROUP);
+
+- raw_spin_lock_irq(&ctx->lock);
+ /*
+ * Mark this event as STATE_DEAD, there is no external reference to it
+ * anymore.
+@@ -5226,8 +5234,7 @@ int perf_event_release_kernel(struct perf_event *event)
+ * Thus this guarantees that we will in fact observe and kill _ALL_
+ * child events.
+ */
+- event->state = PERF_EVENT_STATE_DEAD;
+- raw_spin_unlock_irq(&ctx->lock);
++ perf_remove_from_context(event, DETACH_GROUP|DETACH_DEAD);
+
+ perf_event_ctx_unlock(event, ctx);
+
+@@ -6662,6 +6669,8 @@ static void perf_pending_task(struct callback_head *head)
+ if (rctx >= 0)
+ perf_swevent_put_recursion_context(rctx);
+ preempt_enable_notrace();
++
++ put_event(event);
+ }
+
+ /*
+--
+2.35.1
+
diff --git a/queue-5.15/pinctrl-meditatek-startup-with-the-irqs-disabled.patch b/queue-5.15/pinctrl-meditatek-startup-with-the-irqs-disabled.patch
new file mode 100644
index 00000000000..1d128bba28c
--- /dev/null
+++ b/queue-5.15/pinctrl-meditatek-startup-with-the-irqs-disabled.patch
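Review bot: In event_sched_out() the result of `atomic_long_inc_not_zero(&event->refcount)` only feeds `WARN_ON_ONCE()`; when the increment fails, `task_work_add()` is still called, and perf_pending_task() then ends with `put_event(event)` on an event for which no reference was taken. The return value of `task_work_add()` is also ignored, so if queueing fails the reference taken here is never dropped. Both paths may be unreachable in practice, but the code does not say why; at minimum add a comment at the increment stating the invariant, e.g. `/* the event is still referenced here; this reference is dropped in perf_pending_task() */`, or handle the two failure cases explicitly. All of the functions touched start or end outside their hunks.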
@@ -0,0 +1,102 @@
+From 0442e018733cab13b4f1aa681b55d1c6b1d2568c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Nov 2022 00:38:55 +0100
+Subject: pinctrl: meditatek: Startup with the IRQs disabled
+
+From: Ricardo Ribalda
+
+[ Upstream commit 11780e37565db4dd064d3243ca68f755c13f65b4 ]
+
+If the system is restarted via kexec(), the peripherals do not start
+with a known state.
+
+If the previous system had enabled an IRQs we will receive unexected
+IRQs that can lock the system.
+
+[ 28.109251] watchdog: BUG: soft lockup - CPU#0 stuck for 26s!
+[swapper/0:0]
+[ 28.109263] Modules linked in:
+[ 28.109273] CPU: 0 PID: 0 Comm: swapper/0 Not tainted
+5.15.79-14458-g4b9edf7b1ac6 #1 9f2e76613148af94acccd64c609a552fb4b4354b
+[ 28.109284] Hardware name: Google Elm (DT)
+[ 28.109290] pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS
+ BTYPE=--)
+[ 28.109298] pc : __do_softirq+0xa0/0x388
+[ 28.109309] lr : __do_softirq+0x70/0x388
+[ 28.109316] sp : ffffffc008003ee0
+[ 28.109321] x29: ffffffc008003f00 x28: 000000000000000a x27:
+0000000000000080
+[ 28.109334] x26: 0000000000000001 x25: ffffffefa7b350c0 x24:
+ffffffefa7b47480
+[ 28.109346] x23: ffffffefa7b3d000 x22: 0000000000000000 x21:
+ffffffefa7b0fa40
+[ 28.109358] x20: ffffffefa7b005b0 x19: ffffffefa7b47480 x18:
+0000000000065b6b
+[ 28.109370] x17: ffffffefa749c8b0 x16: 000000000000018c x15:
+00000000000001b8
+[ 28.109382] x14: 00000000000d3b6b x13: 0000000000000006 x12:
+0000000000057e91
+[ 28.109394] x11: 0000000000000000 x10: 0000000000000000 x9 :
+ffffffefa7b47480
+[ 28.109406] x8 : 00000000000000e0 x7 : 000000000f424000 x6 :
+0000000000000000
+[ 28.109418] x5 : ffffffefa7dfaca0 x4 : ffffffefa7dfadf0 x3 :
+000000000000000f
+[ 28.109429] x2 : 0000000000000000 x1 : 0000000000000100 x0 :
+0000000001ac65c5
+[ 28.109441] Call trace:
+[ 28.109447] __do_softirq+0xa0/0x388
+[ 28.109454] irq_exit+0xc0/0xe0
+[ 28.109464] handle_domain_irq+0x68/0x90
+[ 28.109473] gic_handle_irq+0xac/0xf0
+[ 28.109480]
call_on_irq_stack+0x28/0x50
+[ 28.109488] do_interrupt_handler+0x44/0x58
+[ 28.109496] el1_interrupt+0x30/0x58
+[ 28.109506] el1h_64_irq_handler+0x18/0x24
+[ 28.109512] el1h_64_irq+0x7c/0x80
+[ 28.109519] arch_local_irq_enable+0xc/0x18
+[ 28.109529] default_idle_call+0x40/0x140
+[ 28.109539] do_idle+0x108/0x290
+[ 28.109547] cpu_startup_entry+0x2c/0x30
+[ 28.109554] rest_init+0xe8/0xf8
+[ 28.109562] arch_call_rest_init+0x18/0x24
+[ 28.109571] start_kernel+0x338/0x42c
+[ 28.109578] __primary_switched+0xbc/0xc4
+[ 28.109588] Kernel panic - not syncing: softlockup: hung tasks
+
+Signed-off-by: Ricardo Ribalda
+Link: https://lore.kernel.org/r/20221122-mtk-pinctrl-v1-1-bedf5655a3d2@chromium.org
+Reviewed-by: AngeloGioacchino Del Regno
+Reviewed-by: Matthias Brugger
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/mediatek/mtk-eint.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pinctrl/mediatek/mtk-eint.c b/drivers/pinctrl/mediatek/mtk-eint.c
+index f7b54a551764..c24583bffa99 100644
+--- a/drivers/pinctrl/mediatek/mtk-eint.c
++++ b/drivers/pinctrl/mediatek/mtk-eint.c
+@@ -287,12 +287,15 @@ static struct irq_chip mtk_eint_irq_chip = {
+
+ static unsigned int mtk_eint_hw_init(struct mtk_eint *eint)
+ {
+- void __iomem *reg = eint->base + eint->regs->dom_en;
++ void __iomem *dom_en = eint->base + eint->regs->dom_en;
++ void __iomem *mask_set = eint->base + eint->regs->mask_set;
+ unsigned int i;
+
+ for (i = 0; i < eint->hw->ap_num; i += 32) {
+- writel(0xffffffff, reg);
+- reg += 4;
++ writel(0xffffffff, dom_en);
++ writel(0xffffffff, mask_set);
++ dom_en += 4;
++ mask_set += 4;
+ }
+
+ return 0;
+--
+2.35.1
+
diff --git a/queue-5.15/series b/queue-5.15/series
index 11512741df0..50717484b08 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
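Review bot: mtk_eint_hw_init() now writes `mask_set` for every bank, but nothing in the code says why; the reason (lines left enabled by a previous kernel across kexec) lives only in the commit message. Add a comment above the loop such as `/* Mask every EINT line: a kexec'd kernel may inherit lines the previous one left enabled */`. Masking stops delivery, but the hunk does not show whether an event already latched by the previous kernel is acknowledged before a consumer unmasks the line, so that is worth confirming in the unmask or startup path.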
@@ -1,3 +1,15 @@
 x86-vdso-conditionally-export-__vdso_sgx_enter_enclave.patch
 vfs-fix-copy_file_range-averts-filesystem-freeze-protection.patch
 nfp-fix-use-after-free-in-area_cache_get.patch
+asoc-fsl_micfil-explicitly-clear-software-reset-bit.patch
+asoc-fsl_micfil-explicitly-clear-chnf-flags.patch
+asoc-ops-check-bounds-for-second-channel-in-snd_soc_.patch
+libbpf-use-page-size-as-max_entries-when-probing-rin.patch
+pinctrl-meditatek-startup-with-the-irqs-disabled.patch
+can-sja1000-fix-size-of-ocr_mode_mask-define.patch
+can-mcba_usb-fix-termination-command-argument.patch
+net-fec-don-t-reset-irq-coalesce-settings-to-default.patch
+net-loopback-use-net_name_predictable-for-name_assig.patch
+asoc-cs42l51-correct-pga-volume-minimum-value.patch
+perf-fix-perf_pending_task-uaf.patch
+nvme-pci-clear-the-prp2-field-when-not-used.patch
--
2.47.3