From cf0c92a84ce9d1a6f276363c2bf1c32f492c9897 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Thu, 15 Dec 2022 12:25:48 -0500
Subject: [PATCH] Fixes for 6.0
Signed-off-by: Sasha Levin
---
 ...l51-correct-pga-volume-minimum-value.patch | 38 ++++++
 ...l_micfil-explicitly-clear-chnf-flags.patch | 49 ++++++++
 ...-explicitly-clear-software-reset-bit.patch | 47 ++++++++
 ...ounds-for-second-channel-in-snd_soc_.patch | 41 +++++++
 ...usb-fix-termination-command-argument.patch | 82 +++++++++++++
 ...000-fix-size-of-ocr_mode_mask-define.patch | 36 ++++++
 ...size-as-max_entries-when-probing-rin.patch | 47 ++++++++
 ...set-irq-coalesce-settings-to-default.patch | 87 ++++++++++++++
 ...-net_name_predictable-for-name_assig.patch | 50 ++++++++
 ...i-clear-the-prp2-field-when-not-used.patch | 37 ++++++
 .../perf-fix-perf_pending_task-uaf.patch | 110 ++++++++++++++++++
 ...tatek-startup-with-the-irqs-disabled.patch | 102 ++++++++++++++++
 queue-6.0/series | 12 ++
 13 files changed, 738 insertions(+)
 create mode 100644 queue-6.0/asoc-cs42l51-correct-pga-volume-minimum-value.patch
 create mode 100644 queue-6.0/asoc-fsl_micfil-explicitly-clear-chnf-flags.patch
 create mode 100644 queue-6.0/asoc-fsl_micfil-explicitly-clear-software-reset-bit.patch
 create mode 100644 queue-6.0/asoc-ops-check-bounds-for-second-channel-in-snd_soc_.patch
 create mode 100644 queue-6.0/can-mcba_usb-fix-termination-command-argument.patch
 create mode 100644 queue-6.0/can-sja1000-fix-size-of-ocr_mode_mask-define.patch
 create mode 100644 queue-6.0/libbpf-use-page-size-as-max_entries-when-probing-rin.patch
 create mode 100644 queue-6.0/net-fec-don-t-reset-irq-coalesce-settings-to-default.patch
 create mode 100644 queue-6.0/net-loopback-use-net_name_predictable-for-name_assig.patch
 create mode 100644 queue-6.0/nvme-pci-clear-the-prp2-field-when-not-used.patch
 create mode 100644 queue-6.0/perf-fix-perf_pending_task-uaf.patch
 create mode 100644 queue-6.0/pinctrl-meditatek-startup-with-the-irqs-disabled.patch
diff --git a/queue-6.0/asoc-cs42l51-correct-pga-volume-minimum-value.patch b/queue-6.0/asoc-cs42l51-correct-pga-volume-minimum-value.patch
new file mode 100644
index 00000000000..85cfb57fe82
--- /dev/null
+++ b/queue-6.0/asoc-cs42l51-correct-pga-volume-minimum-value.patch
@@ -0,0 +1,38 @@
+From 66f30c47443567838c95e147b1e5304d71ad054f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Nov 2022 16:23:48 +0000
+Subject: ASoC: cs42l51: Correct PGA Volume minimum value
+
+From: Charles Keepax
+
+[ Upstream commit 3d1bb6cc1a654c8693a85b1d262e610196edec8b ]
+
+The table in the datasheet actually shows the volume values in the wrong
+order, with the two -3dB values being reversed. This appears to have
+caused the lower of the two values to be used in the driver when the
+higher should have been, correct this mixup.
+
+Signed-off-by: Charles Keepax
+Link: https://lore.kernel.org/r/20221125162348.1288005-2-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/cs42l51.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l51.c b/sound/soc/codecs/cs42l51.c
+index 51721edd8f53..e88d9ff95cdf 100644
+--- a/sound/soc/codecs/cs42l51.c
++++ b/sound/soc/codecs/cs42l51.c
+@@ -143,7 +143,7 @@ static const struct snd_kcontrol_new cs42l51_snd_controls[] = {
+ 0, 0xA0, 96, adc_att_tlv),
+ SOC_DOUBLE_R_SX_TLV("PGA Volume",
+ CS42L51_ALC_PGA_CTL, CS42L51_ALC_PGB_CTL,
+- 0, 0x19, 30, pga_tlv),
++ 0, 0x1A, 30, pga_tlv),
+ SOC_SINGLE("Playback Deemphasis Switch", CS42L51_DAC_CTL, 3, 1, 0),
+ SOC_SINGLE("Auto-Mute Switch", CS42L51_DAC_CTL, 2, 1, 0),
+ SOC_SINGLE("Soft Ramp Switch", CS42L51_DAC_CTL, 1, 1, 0),
+-- 
+2.35.1
+
diff --git a/queue-6.0/asoc-fsl_micfil-explicitly-clear-chnf-flags.patch b/queue-6.0/asoc-fsl_micfil-explicitly-clear-chnf-flags.patch
new file mode 100644
index 00000000000..a4c2ddae948
--- /dev/null
+++ b/queue-6.0/asoc-fsl_micfil-explicitly-clear-chnf-flags.patch
@@ -0,0 +1,49 @@
+From 613ffb9d728e6701b91d08702981e64bc8f037e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 7 May 2022 20:14:14 +0800
+Subject: ASoC: fsl_micfil: explicitly clear CHnF flags
+
+From: Shengjiu Wang
+
+[ Upstream commit b776c4a4618ec1b5219d494c423dc142f23c4e8f ]
+
+There may be failure when start 1 channel recording after
+8 channels recording. The reason is that the CHnF
+flags are not cleared successfully by software reset.
+
+This issue is triggerred by the change of clearing
+software reset bit.
+
+CHnF flags are write 1 clear bits. Clear them by force
+write.
+
+Signed-off-by: Shengjiu Wang
+Link: https://lore.kernel.org/r/1651925654-32060-2-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/fsl/fsl_micfil.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
+index 8aa6871e0d42..4b86ef82fd93 100644
+--- a/sound/soc/fsl/fsl_micfil.c
++++ b/sound/soc/fsl/fsl_micfil.c
+@@ -205,6 +205,14 @@ static int fsl_micfil_reset(struct device *dev)
+ if (ret)
+ return ret;
+
++ /*
++ * Set SRES should clear CHnF flags, But even add delay here
++ * the CHnF may not be cleared sometimes, so clear CHnF explicitly.
++ */
++ ret = regmap_write_bits(micfil->regmap, REG_MICFIL_STAT, 0xFF, 0xFF);
++ if (ret)
++ return ret;
++
+ return 0;
+ }
+
+-- 
+2.35.1
+
diff --git a/queue-6.0/asoc-fsl_micfil-explicitly-clear-software-reset-bit.patch b/queue-6.0/asoc-fsl_micfil-explicitly-clear-software-reset-bit.patch
new file mode 100644
index 00000000000..59e2bca7b78
--- /dev/null
+++ b/queue-6.0/asoc-fsl_micfil-explicitly-clear-software-reset-bit.patch
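Review bot: The added `regmap_write_bits(micfil->regmap, REG_MICFIL_STAT, 0xFF, 0xFF)` in fsl_micfil_reset() passes a bare `0xFF` as both mask and value, so nothing in the code says that these eight bits are the per-channel CHnF flags or that the register is write-1-to-clear. A named mask for the CHnF field (the hunk shows none, so the name would have to come from the driver's header) would tie the write to the register layout and keep it from going stale if the channel count changes. The comment above it would also read better as `/* SRES should clear the CHnF flags, but they are sometimes left set even after a delay; they are write-1-to-clear, so clear them explicitly. */`. fsl_micfil_reset() starts outside the hunk.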
@@ -0,0 +1,47 @@
+From 2fc6094dfe89868f714cff1229af02e549172a1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 7 May 2022 20:14:13 +0800
+Subject: ASoC: fsl_micfil: explicitly clear software reset bit
+
+From: Shengjiu Wang
+
+[ Upstream commit 292709b9cf3ba470af94b62c9bb60284cc581b79 ]
+
+SRES is self-cleared bit, but REG_MICFIL_CTRL1 is defined as
+non volatile register, it still remain in regmap cache after set,
+then every update of REG_MICFIL_CTRL1, software reset happens.
+to avoid this, clear it explicitly.
+
+Signed-off-by: Shengjiu Wang
+Link: https://lore.kernel.org/r/1651925654-32060-1-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/fsl/fsl_micfil.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
+index 79ef4e269bc9..8aa6871e0d42 100644
+--- a/sound/soc/fsl/fsl_micfil.c
++++ b/sound/soc/fsl/fsl_micfil.c
+@@ -194,6 +194,17 @@ static int fsl_micfil_reset(struct device *dev)
+ if (ret)
+ return ret;
+
++ /*
++ * SRES is self-cleared bit, but REG_MICFIL_CTRL1 is defined
++ * as non-volatile register, so SRES still remain in regmap
++ * cache after set, that every update of REG_MICFIL_CTRL1,
++ * software reset happens. so clear it explicitly.
++ */
++ ret = regmap_clear_bits(micfil->regmap, REG_MICFIL_CTRL1,
++ MICFIL_CTRL1_SRES);
++ if (ret)
++ return ret;
++
+ return 0;
+ }
+
+-- 
+2.35.1
+
diff --git a/queue-6.0/asoc-ops-check-bounds-for-second-channel-in-snd_soc_.patch b/queue-6.0/asoc-ops-check-bounds-for-second-channel-in-snd_soc_.patch
new file mode 100644
index 00000000000..7d727bf1b25
--- /dev/null
+++ b/queue-6.0/asoc-ops-check-bounds-for-second-channel-in-snd_soc_.patch
@@ -0,0 +1,41 @@
+From 34cf520e5ff9bfc68f783d8c0351f95990171cd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 May 2022 14:41:37 +0100
+Subject: ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()
+
+From: Mark Brown
+
+[ Upstream commit 97eea946b93961fffd29448dcda7398d0d51c4b2 ]
+
+The bounds checks in snd_soc_put_volsw_sx() are only being applied to the
+first channel, meaning it is possible to write out of bounds values to the
+second channel in stereo controls. Add appropriate checks.
+
+Signed-off-by: Mark Brown
+Link: https://lore.kernel.org/r/20220511134137.169575-2-broonie@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/soc-ops.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
+index 47691119306f..1970bda074d8 100644
+--- a/sound/soc/soc-ops.c
++++ b/sound/soc/soc-ops.c
+@@ -468,6 +468,12 @@ int snd_soc_put_volsw_sx(struct snd_kcontrol *kcontrol,
+
+ val_mask = mask << rshift;
+ val2 = (ucontrol->value.integer.value[1] + min) & mask;
++
++ if (mc->platform_max && val2 > mc->platform_max)
++ return -EINVAL;
++ if (val2 > max)
++ return -EINVAL;
++
+ val2 = val2 << rshift;
+
+ err = snd_soc_component_update_bits(component, reg2, val_mask,
+-- 
+2.35.1
+
diff --git a/queue-6.0/can-mcba_usb-fix-termination-command-argument.patch b/queue-6.0/can-mcba_usb-fix-termination-command-argument.patch
new file mode 100644
index 00000000000..c2a73217bff
--- /dev/null
+++ b/queue-6.0/can-mcba_usb-fix-termination-command-argument.patch
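Review bot: The two new comparisons in snd_soc_put_volsw_sx() test `val2` only after `val2 = (ucontrol->value.integer.value[1] + min) & mask;`, so they see the offset and masked register value rather than the number userspace supplied. An out-of-range input can wrap inside `mask` and still pass `val2 > max`, and a valid input may be rejected if `max` counts volume steps rather than register values (its definition is not visible in this hunk, so that part is an assumption). Checking the raw value first would avoid both, along the lines of `val2 = ucontrol->value.integer.value[1];` followed by the two range tests and only then `val2 = (val2 + min) & mask;`. The function begins and ends outside the hunk, so whether the first-channel check has the same ordering cannot be confirmed from here.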
@@ -0,0 +1,82 @@
+From 44bd028ac2b9ca0cfedcc8c1ab7012153220d012 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Nov 2022 00:25:03 +0900
+Subject: can: mcba_usb: Fix termination command argument
+
+From: Yasushi SHOJI
+
+[ Upstream commit 1a8e3bd25f1e789c8154e11ea24dc3ec5a4c1da0 ]
+
+Microchip USB Analyzer can activate the internal termination resistors
+by setting the "termination" option ON, or OFF to to deactivate them.
+As I've observed, both with my oscilloscope and captured USB packets
+below, you must send "0" to turn it ON, and "1" to turn it OFF.
+
+From the schematics in the user's guide, I can confirm that you must
+drive the CAN_RES signal LOW "0" to activate the resistors.
+
+Reverse the argument value of usb_msg.termination to fix this.
+
+These are the two commands sequence, ON then OFF.
+
+> No. Time Source Destination Protocol Length Info
+> 1 0.000000 host 1.3.1 USB 46 URB_BULK out
+>
+> Frame 1: 46 bytes on wire (368 bits), 46 bytes captured (368 bits)
+> USB URB
+> Leftover Capture Data: a80000000000000000000000000000000000a8
+>
+> No. Time Source Destination Protocol Length Info
+> 2 4.372547 host 1.3.1 USB 46 URB_BULK out
+>
+> Frame 2: 46 bytes on wire (368 bits), 46 bytes captured (368 bits)
+> USB URB
+> Leftover Capture Data: a80100000000000000000000000000000000a9
+
+Signed-off-by: Yasushi SHOJI
+Link: https://lore.kernel.org/all/20221124152504.125994-1-yashi@spacecubics.com
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/usb/mcba_usb.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c
+index 218b098b261d..47619e9cb005 100644
+--- a/drivers/net/can/usb/mcba_usb.c
++++ b/drivers/net/can/usb/mcba_usb.c
+@@ -47,6 +47,10 @@
+ #define MCBA_VER_REQ_USB 1
+ #define MCBA_VER_REQ_CAN 2
+
++/* Drive the CAN_RES signal LOW "0" to activate R24 and R25 */
++#define MCBA_VER_TERMINATION_ON 0
++#define MCBA_VER_TERMINATION_OFF 1
++
+ #define MCBA_SIDL_EXID_MASK 0x8
+ #define MCBA_DLC_MASK 0xf
+ #define MCBA_DLC_RTR_MASK 0x40
+@@ -463,7 +467,7 @@ static void mcba_usb_process_ka_usb(struct mcba_priv *priv,
+ priv->usb_ka_first_pass = false;
+ }
+
+- if (msg->termination_state)
++ if (msg->termination_state == MCBA_VER_TERMINATION_ON)
+ priv->can.termination = MCBA_TERMINATION_ENABLED;
+ else
+ priv->can.termination = MCBA_TERMINATION_DISABLED;
+@@ -785,9 +789,9 @@ static int mcba_set_termination(struct net_device *netdev, u16 term)
+ };
+
+ if (term == MCBA_TERMINATION_ENABLED)
+- usb_msg.termination = 1;
++ usb_msg.termination = MCBA_VER_TERMINATION_ON;
+ else
+- usb_msg.termination = 0;
++ usb_msg.termination = MCBA_VER_TERMINATION_OFF;
+
+ mcba_usb_xmit_cmd(priv, (struct mcba_usb_msg *)&usb_msg);
+
+-- 
+2.35.1
+
diff --git a/queue-6.0/can-sja1000-fix-size-of-ocr_mode_mask-define.patch b/queue-6.0/can-sja1000-fix-size-of-ocr_mode_mask-define.patch
new file mode 100644
index 00000000000..779c6e68e34
--- /dev/null
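Review bot: The new constants `MCBA_VER_TERMINATION_ON` and `MCBA_VER_TERMINATION_OFF` borrow the `MCBA_VER_` prefix from the `MCBA_VER_REQ_USB`/`MCBA_VER_REQ_CAN` lines just above them, which suggests they are version-request codes when they are really the on-wire termination values. Since `MCBA_TERMINATION_ENABLED`/`MCBA_TERMINATION_DISABLED` already exist with a different meaning, a name that marks these as the raw device encoding would make the inverted sense harder to misuse. In mcba_usb_process_ka_usb() the test `msg->termination_state == MCBA_VER_TERMINATION_ON` also maps every non-zero byte from the device to "disabled"; a one-line comment saying that is intended would help, since the old truthiness test is gone. Both functions extend outside their hunks.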
+++ b/queue-6.0/can-sja1000-fix-size-of-ocr_mode_mask-define.patch
@@ -0,0 +1,36 @@
+From 2e53d219d3e133aad1de60dc932f92d8560ef211 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Nov 2022 08:16:36 +0100
+Subject: can: sja1000: fix size of OCR_MODE_MASK define
+
+From: Heiko Schocher
+
+[ Upstream commit 26e8f6a75248247982458e8237b98c9fb2ffcf9d ]
+
+bitfield mode in ocr register has only 2 bits not 3, so correct
+the OCR_MODE_MASK define.
+
+Signed-off-by: Heiko Schocher
+Link: https://lore.kernel.org/all/20221123071636.2407823-1-hs@denx.de
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ include/linux/can/platform/sja1000.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/can/platform/sja1000.h b/include/linux/can/platform/sja1000.h
+index 5755ae5a4712..6a869682c120 100644
+--- a/include/linux/can/platform/sja1000.h
++++ b/include/linux/can/platform/sja1000.h
+@@ -14,7 +14,7 @@
+ #define OCR_MODE_TEST 0x01
+ #define OCR_MODE_NORMAL 0x02
+ #define OCR_MODE_CLOCK 0x03
+-#define OCR_MODE_MASK 0x07
++#define OCR_MODE_MASK 0x03
+ #define OCR_TX0_INVERT 0x04
+ #define OCR_TX0_PULLDOWN 0x08
+ #define OCR_TX0_PULLUP 0x10
+-- 
+2.35.1
+
diff --git a/queue-6.0/libbpf-use-page-size-as-max_entries-when-probing-rin.patch b/queue-6.0/libbpf-use-page-size-as-max_entries-when-probing-rin.patch
new file mode 100644
index 00000000000..ed17ab56c5f
--- /dev/null
+++ b/queue-6.0/libbpf-use-page-size-as-max_entries-when-probing-rin.patch
@@ -0,0 +1,47 @@
+From 423403b2cdc19b753b73c23e4d75782ad361212a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Nov 2022 15:23:48 +0800
+Subject: libbpf: Use page size as max_entries when probing ring buffer map
+
+From: Hou Tao
+
+[ Upstream commit 689eb2f1ba46b4b02195ac2a71c55b96d619ebf8 ]
+
+Using page size as max_entries when probing ring buffer map, else the
+probe may fail on host with 64KB page size (e.g., an ARM64 host).
+
+After the fix, the output of "bpftool feature" on above host will be
+correct.
+
+Before :
+ eBPF map_type ringbuf is NOT available
+ eBPF map_type user_ringbuf is NOT available
+
+After :
+ eBPF map_type ringbuf is available
+ eBPF map_type user_ringbuf is available
+
+Signed-off-by: Hou Tao
+Signed-off-by: Andrii Nakryiko
+Link: https://lore.kernel.org/bpf/20221116072351.1168938-2-houtao@huaweicloud.com
+Signed-off-by: Sasha Levin
+---
+ tools/lib/bpf/libbpf_probes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf_probes.c b/tools/lib/bpf/libbpf_probes.c
+index 6d495656f554..29f7cde10741 100644
+--- a/tools/lib/bpf/libbpf_probes.c
++++ b/tools/lib/bpf/libbpf_probes.c
+@@ -233,7 +233,7 @@ static int probe_map_create(enum bpf_map_type map_type)
+ case BPF_MAP_TYPE_RINGBUF:
+ key_size = 0;
+ value_size = 0;
+- max_entries = 4096;
++ max_entries = sysconf(_SC_PAGE_SIZE);
+ break;
+ case BPF_MAP_TYPE_STRUCT_OPS:
+ /* we'll get -ENOTSUPP for invalid BTF type ID for struct_ops */
+-- 
+2.35.1
+
diff --git a/queue-6.0/net-fec-don-t-reset-irq-coalesce-settings-to-default.patch b/queue-6.0/net-fec-don-t-reset-irq-coalesce-settings-to-default.patch
new file mode 100644
index 00000000000..796071b37e4
--- /dev/null
+++ b/queue-6.0/net-fec-don-t-reset-irq-coalesce-settings-to-default.patch
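Review bot: In the BPF_MAP_TYPE_RINGBUF case the result of `sysconf(_SC_PAGE_SIZE)` goes straight into `max_entries` without a check, and sysconf() returns -1 on failure. A failed call would be handed to the kernel as a nonsensical map size and reported as "ringbuf is NOT available", which is the misleading probe result this change sets out to remove. The declaration of `max_entries` is outside the hunk, so the long-to-narrower conversion also deserves a look. A guard such as `long page_sz = sysconf(_SC_PAGE_SIZE); if (page_sz <= 0) return -EINVAL;` before the assignment would make the failure explicit; the error code there is only a suggestion.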
@@ -0,0 +1,87 @@
+From f2e4ff195885ae689e04b8e85a2f8c6750b2d647 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Nov 2022 14:38:52 +0100
+Subject: net: fec: don't reset irq coalesce settings to defaults on "ip link
+ up"
+
+From: Rasmus Villemoes
+
+[ Upstream commit df727d4547de568302b0ed15b0d4e8a469bdb456 ]
+
+Currently, when a FEC device is brought up, the irq coalesce settings
+are reset to their default values (1000us, 200 frames). That's
+unexpected, and breaks for example use of an appropriate .link file to
+make systemd-udev apply the desired
+settings (https://www.freedesktop.org/software/systemd/man/systemd.link.html),
+or any other method that would do a one-time setup during early boot.
+
+Refactor the code so that fec_restart() instead uses
+fec_enet_itr_coal_set(), which simply applies the settings that are
+stored in the private data, and initialize that private data with the
+default values.
+
+Signed-off-by: Rasmus Villemoes
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/freescale/fec_main.c | 22 ++++++----------------
+ 1 file changed, 6 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 5aa254eaa8d0..b71e0c32e351 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -72,7 +72,7 @@
+ #include "fec.h"
+
+ static void set_multicast_list(struct net_device *ndev);
+-static void fec_enet_itr_coal_init(struct net_device *ndev);
++static void fec_enet_itr_coal_set(struct net_device *ndev);
+
+ #define DRIVER_NAME "fec"
+
+@@ -1164,8 +1164,7 @@ fec_restart(struct net_device *ndev)
+ writel(0, fep->hwp + FEC_IMASK);
+
+ /* Init the interrupt coalescing */
+- fec_enet_itr_coal_init(ndev);
+-
++ fec_enet_itr_coal_set(ndev);
+ }
+
+ static void fec_enet_stop_mode(struct fec_enet_private *fep, bool enabled)
+@@ -2771,19 +2770,6 @@ static int fec_enet_set_coalesce(struct net_device *ndev,
+ return 0;
+ }
+
+-static void fec_enet_itr_coal_init(struct net_device *ndev)
+-{
+- struct ethtool_coalesce ec;
+-
+- ec.rx_coalesce_usecs = FEC_ITR_ICTT_DEFAULT;
+- ec.rx_max_coalesced_frames = FEC_ITR_ICFT_DEFAULT;
+-
+- ec.tx_coalesce_usecs = FEC_ITR_ICTT_DEFAULT;
+- ec.tx_max_coalesced_frames = FEC_ITR_ICFT_DEFAULT;
+-
+- fec_enet_set_coalesce(ndev, &ec, NULL, NULL);
+-}
+-
+ static int fec_enet_get_tunable(struct net_device *netdev,
+ const struct ethtool_tunable *tuna,
+ void *data)
+@@ -3538,6 +3524,10 @@ static int fec_enet_init(struct net_device *ndev)
+ fep->rx_align = 0x3;
+ fep->tx_align = 0x3;
+ #endif
++ fep->rx_pkts_itr = FEC_ITR_ICFT_DEFAULT;
++ fep->tx_pkts_itr = FEC_ITR_ICFT_DEFAULT;
++ fep->rx_time_itr = FEC_ITR_ICTT_DEFAULT;
++ fep->tx_time_itr = FEC_ITR_ICTT_DEFAULT;
+
+ /* Check mask of the streaming and coherent API */
+ ret = dma_set_mask_and_coherent(&fep->pdev->dev, DMA_BIT_MASK(32));
+-- 
+2.35.1
+
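Review bot: fec_restart() now calls `fec_enet_itr_coal_set(ndev)` directly, whereas the removed fec_enet_itr_coal_init() went through fec_enet_set_coalesce(), so any capability or range check done in fec_enet_set_coalesce() no longer runs on this path. Neither function body is in these hunks, so this needs confirming against the file, but if coalescing support is gated on a quirk bit then the coalescing registers would now be written on controllers that lack them. In that case the call wants a guard, for example `if (fep->quirks & FEC_QUIRK_HAS_COALESCE) fec_enet_itr_coal_set(ndev);`. The comment `/* Init the interrupt coalescing */` is also stale after the change, because the call re-applies stored settings rather than initialising them.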
diff --git a/queue-6.0/net-loopback-use-net_name_predictable-for-name_assig.patch b/queue-6.0/net-loopback-use-net_name_predictable-for-name_assig.patch
new file mode 100644
index 00000000000..04985bac6fb
--- /dev/null
+++ b/queue-6.0/net-loopback-use-net_name_predictable-for-name_assig.patch
@@ -0,0 +1,50 @@
+From fa4bf0c84668bf742839a163733332eeb7b1cd81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Nov 2022 15:18:28 +0100
+Subject: net: loopback: use NET_NAME_PREDICTABLE for name_assign_type
+
+From: Rasmus Villemoes
+
+[ Upstream commit 31d929de5a112ee1b977a89c57de74710894bbbf ]
+
+When the name_assign_type attribute was introduced (commit
+685343fc3ba6, "net: add name_assign_type netdev attribute"), the
+loopback device was explicitly mentioned as one which would make use
+of NET_NAME_PREDICTABLE:
+
+ The name_assign_type attribute gives hints where the interface name of a
+ given net-device comes from. These values are currently defined:
+...
+ NET_NAME_PREDICTABLE:
+ The ifname has been assigned by the kernel in a predictable way
+ that is guaranteed to avoid reuse and always be the same for a
+ given device. Examples include statically created devices like
+ the loopback device [...]
+
+Switch to that so that reading /sys/class/net/lo/name_assign_type
+produces something sensible instead of returning -EINVAL.
+
+Signed-off-by: Rasmus Villemoes
+Reviewed-by: Jacob Keller
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/loopback.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/loopback.c b/drivers/net/loopback.c
+index 14e8d04cb434..2e9742952c4e 100644
+--- a/drivers/net/loopback.c
++++ b/drivers/net/loopback.c
+@@ -211,7 +211,7 @@ static __net_init int loopback_net_init(struct net *net)
+ int err;
+
+ err = -ENOMEM;
+- dev = alloc_netdev(0, "lo", NET_NAME_UNKNOWN, loopback_setup);
++ dev = alloc_netdev(0, "lo", NET_NAME_PREDICTABLE, loopback_setup);
+ if (!dev)
+ goto out;
+
+-- 
+2.35.1
+
diff --git a/queue-6.0/nvme-pci-clear-the-prp2-field-when-not-used.patch b/queue-6.0/nvme-pci-clear-the-prp2-field-when-not-used.patch
new file mode 100644
index 00000000000..d3cfef24cb2
--- /dev/null
+++ b/queue-6.0/nvme-pci-clear-the-prp2-field-when-not-used.patch
@@ -0,0 +1,37 @@
+From 59aa5955f4b40c89a17e88524ece30ae38129f28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 29 Nov 2022 17:48:11 +0800
+Subject: nvme-pci: clear the prp2 field when not used
+
+From: Lei Rao
+
+[ Upstream commit a56ea6147facce4ac1fc38675455f9733d96232b ]
+
+If the prp2 field is not filled in nvme_setup_prp_simple(), the prp2
+field is garbage data. According to nvme spec, the prp2 is reserved if
+the data transfer does not cross a memory page boundary, so clear it to
+zero if it is not used.
+
+Signed-off-by: Lei Rao
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 0f34114c4596..6867620bcc98 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -804,6 +804,8 @@ static blk_status_t nvme_setup_prp_simple(struct nvme_dev *dev,
+ cmnd->dptr.prp1 = cpu_to_le64(iod->first_dma);
+ if (bv->bv_len > first_prp_len)
+ cmnd->dptr.prp2 = cpu_to_le64(iod->first_dma + first_prp_len);
++ else
++ cmnd->dptr.prp2 = 0;
+ return BLK_STS_OK;
+ }
+
+-- 
+2.35.1
+
diff --git a/queue-6.0/perf-fix-perf_pending_task-uaf.patch b/queue-6.0/perf-fix-perf_pending_task-uaf.patch
new file mode 100644
index 00000000000..ff491f00327
--- /dev/null
+++ b/queue-6.0/perf-fix-perf_pending_task-uaf.patch
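Review bot: The new `else` branch in nvme_setup_prp_simple() carries no comment, and the reason for `cmnd->dptr.prp2 = 0;` cannot be read from the code: without it the field keeps whatever the command structure held before, and that stale value is sent to the device. I would put the reason next to the assignment, for example `/* PRP2 is reserved when the transfer stays within one page; do not pass stale data to the device */`. Only the tail of the function is visible, so whether the command is zeroed earlier on some paths cannot be checked from this hunk.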
@@ -0,0 +1,110 @@
+From 571533ad42dc3b9b051eb0997389bff034887e8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Nov 2022 12:49:12 +0100
+Subject: perf: Fix perf_pending_task() UaF
+
+From: Peter Zijlstra
+
+[ Upstream commit 517e6a301f34613bff24a8e35b5455884f2d83d8 ]
+
+Per syzbot it is possible for perf_pending_task() to run after the
+event is free()'d. There are two related but distinct cases:
+
+ - the task_work was already queued before destroying the event;
+ - destroying the event itself queues the task_work.
+
+The first cannot be solved using task_work_cancel() since
+perf_release() itself might be called from a task_work (____fput),
+which means the current->task_works list is already empty and
+task_work_cancel() won't be able to find the perf_pending_task()
+entry.
+
+The simplest alternative is extending the perf_event lifetime to cover
+the task_work.
+
+The second is just silly, queueing a task_work while you know the
+event is going away makes no sense and is easily avoided by
+re-arranging how the event is marked STATE_DEAD and ensuring it goes
+through STATE_OFF on the way down.
+
+Reported-by: syzbot+9228d6098455bb209ec8@syzkaller.appspotmail.com
+Signed-off-by: Peter Zijlstra (Intel)
+Tested-by: Marco Elver
+Signed-off-by: Sasha Levin
+---
+ kernel/events/core.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 8dcbefd90b7f..91473e9f88cd 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -2283,6 +2283,7 @@ event_sched_out(struct perf_event *event,
+ !event->pending_work) {
+ event->pending_work = 1;
+ dec = false;
++ WARN_ON_ONCE(!atomic_long_inc_not_zero(&event->refcount));
+ task_work_add(current, &event->pending_task, TWA_RESUME);
+ }
+ if (dec)
+@@ -2328,6 +2329,7 @@ group_sched_out(struct perf_event *group_event,
+
+ #define DETACH_GROUP 0x01UL
+ #define DETACH_CHILD 0x02UL
++#define DETACH_DEAD 0x04UL
+
+ /*
+ * Cross CPU call to remove a performance event
+@@ -2348,12 +2350,20 @@ __perf_remove_from_context(struct perf_event *event,
+ update_cgrp_time_from_cpuctx(cpuctx, false);
+ }
+
++ /*
++ * Ensure event_sched_out() switches to OFF, at the very least
++ * this avoids raising perf_pending_task() at this time.
++ */
++ if (flags & DETACH_DEAD)
++ event->pending_disable = 1;
+ event_sched_out(event, cpuctx, ctx);
+ if (flags & DETACH_GROUP)
+ perf_group_detach(event);
+ if (flags & DETACH_CHILD)
+ perf_child_detach(event);
+ list_del_event(event, ctx);
++ if (flags & DETACH_DEAD)
++ event->state = PERF_EVENT_STATE_DEAD;
+
+ if (!ctx->nr_events && ctx->is_active) {
+ if (ctx == &cpuctx->ctx)
+@@ -5113,9 +5123,7 @@ int perf_event_release_kernel(struct perf_event *event)
+
+ ctx = perf_event_ctx_lock(event);
+ WARN_ON_ONCE(ctx->parent_ctx);
+- perf_remove_from_context(event, DETACH_GROUP);
+
+- raw_spin_lock_irq(&ctx->lock);
+ /*
+ * Mark this event as STATE_DEAD, there is no external reference to it
+ * anymore.
+@@ -5127,8 +5135,7 @@ int perf_event_release_kernel(struct perf_event *event)
+ * Thus this guarantees that we will in fact observe and kill _ALL_
+ * child events.
+ */
+- event->state = PERF_EVENT_STATE_DEAD;
+- raw_spin_unlock_irq(&ctx->lock);
++ perf_remove_from_context(event, DETACH_GROUP|DETACH_DEAD);
+
+ perf_event_ctx_unlock(event, ctx);
+
+@@ -6569,6 +6576,8 @@ static void perf_pending_task(struct callback_head *head)
+ if (rctx >= 0)
+ perf_swevent_put_recursion_context(rctx);
+ preempt_enable_notrace();
++
++ put_event(event);
+ }
+
+ #ifdef CONFIG_GUEST_PERF_EVENTS
+-- 
+2.35.1
+
diff --git a/queue-6.0/pinctrl-meditatek-startup-with-the-irqs-disabled.patch b/queue-6.0/pinctrl-meditatek-startup-with-the-irqs-disabled.patch
new file mode 100644
index 00000000000..1a21756a658
--- /dev/null
+++ b/queue-6.0/pinctrl-meditatek-startup-with-the-irqs-disabled.patch
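Review bot: In event_sched_out() the reference is taken inside the assertion, `WARN_ON_ONCE(!atomic_long_inc_not_zero(&event->refcount));`, and `task_work_add()` on the next line runs whether or not the increment succeeded. If the count is ever zero there, perf_pending_task() is queued without holding a reference and its new `put_event(event)` drops one that was never taken, which leads back to the lifetime bug being fixed. That path may be unreachable, but nothing in the hunk says why. I would state the invariant next to the call, for example `/* the event is still scheduled in, so its refcount cannot be zero; this reference is dropped by put_event() in perf_pending_task() */`. Both functions extend beyond their hunks, so the early-return paths of perf_pending_task() should be checked to make sure each of them also reaches the put.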
@@ -0,0 +1,102 @@
+From a9ad80a0364ecfc86a03324f5dd068718126ecbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Nov 2022 00:38:55 +0100
+Subject: pinctrl: meditatek: Startup with the IRQs disabled
+
+From: Ricardo Ribalda
+
+[ Upstream commit 11780e37565db4dd064d3243ca68f755c13f65b4 ]
+
+If the system is restarted via kexec(), the peripherals do not start
+with a known state.
+
+If the previous system had enabled an IRQs we will receive unexected
+IRQs that can lock the system.
+
+[ 28.109251] watchdog: BUG: soft lockup - CPU#0 stuck for 26s!
+[swapper/0:0]
+[ 28.109263] Modules linked in:
+[ 28.109273] CPU: 0 PID: 0 Comm: swapper/0 Not tainted
+5.15.79-14458-g4b9edf7b1ac6 #1 9f2e76613148af94acccd64c609a552fb4b4354b
+[ 28.109284] Hardware name: Google Elm (DT)
+[ 28.109290] pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS
+ BTYPE=--)
+[ 28.109298] pc : __do_softirq+0xa0/0x388
+[ 28.109309] lr : __do_softirq+0x70/0x388
+[ 28.109316] sp : ffffffc008003ee0
+[ 28.109321] x29: ffffffc008003f00 x28: 000000000000000a x27:
+0000000000000080
+[ 28.109334] x26: 0000000000000001 x25: ffffffefa7b350c0 x24:
+ffffffefa7b47480
+[ 28.109346] x23: ffffffefa7b3d000 x22: 0000000000000000 x21:
+ffffffefa7b0fa40
+[ 28.109358] x20: ffffffefa7b005b0 x19: ffffffefa7b47480 x18:
+0000000000065b6b
+[ 28.109370] x17: ffffffefa749c8b0 x16: 000000000000018c x15:
+00000000000001b8
+[ 28.109382] x14: 00000000000d3b6b x13: 0000000000000006 x12:
+0000000000057e91
+[ 28.109394] x11: 0000000000000000 x10: 0000000000000000 x9 :
+ffffffefa7b47480
+[ 28.109406] x8 : 00000000000000e0 x7 : 000000000f424000 x6 :
+0000000000000000
+[ 28.109418] x5 : ffffffefa7dfaca0 x4 : ffffffefa7dfadf0 x3 :
+000000000000000f
+[ 28.109429] x2 : 0000000000000000 x1 : 0000000000000100 x0 :
+0000000001ac65c5
+[ 28.109441] Call trace:
+[ 28.109447] __do_softirq+0xa0/0x388
+[ 28.109454] irq_exit+0xc0/0xe0
+[ 28.109464] handle_domain_irq+0x68/0x90
+[ 28.109473] gic_handle_irq+0xac/0xf0
+[ 28.109480] call_on_irq_stack+0x28/0x50
+[ 28.109488] do_interrupt_handler+0x44/0x58
+[ 28.109496] el1_interrupt+0x30/0x58
+[ 28.109506] el1h_64_irq_handler+0x18/0x24
+[ 28.109512] el1h_64_irq+0x7c/0x80
+[ 28.109519] arch_local_irq_enable+0xc/0x18
+[ 28.109529] default_idle_call+0x40/0x140
+[ 28.109539] do_idle+0x108/0x290
+[ 28.109547] cpu_startup_entry+0x2c/0x30
+[ 28.109554] rest_init+0xe8/0xf8
+[ 28.109562] arch_call_rest_init+0x18/0x24
+[ 28.109571] start_kernel+0x338/0x42c
+[ 28.109578] __primary_switched+0xbc/0xc4
+[ 28.109588] Kernel panic - not syncing: softlockup: hung tasks
+
+Signed-off-by: Ricardo Ribalda
+Link: https://lore.kernel.org/r/20221122-mtk-pinctrl-v1-1-bedf5655a3d2@chromium.org
+Reviewed-by: AngeloGioacchino Del Regno
+Reviewed-by: Matthias Brugger
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/mediatek/mtk-eint.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pinctrl/mediatek/mtk-eint.c b/drivers/pinctrl/mediatek/mtk-eint.c
+index f7b54a551764..c24583bffa99 100644
+--- a/drivers/pinctrl/mediatek/mtk-eint.c
++++ b/drivers/pinctrl/mediatek/mtk-eint.c
+@@ -287,12 +287,15 @@ static struct irq_chip mtk_eint_irq_chip = {
+
+ static unsigned int mtk_eint_hw_init(struct mtk_eint *eint)
+ {
+- void __iomem *reg = eint->base + eint->regs->dom_en;
++ void __iomem *dom_en = eint->base + eint->regs->dom_en;
++ void __iomem *mask_set = eint->base + eint->regs->mask_set;
+ unsigned int i;
+
+ for (i = 0; i < eint->hw->ap_num; i += 32) {
+- writel(0xffffffff, reg);
+- reg += 4;
++ writel(0xffffffff, dom_en);
++ writel(0xffffffff, mask_set);
++ dom_en += 4;
++ mask_set += 4;
+ }
+
+ return 0;
+-- 
+2.35.1
+
diff --git a/queue-6.0/series b/queue-6.0/series
index 3be1b7b2652..e6ceec67d75 100644
--- a/queue-6.0/series
+++ b/queue-6.0/series
@@ -3,3 +3,15 @@ rtc-cmos-fix-wake-alarm-breakage.patch
 x86-vdso-conditionally-export-__vdso_sgx_enter_enclave.patch
 libbpf-fix-uninitialized-warning-in-btf_dump_dump_type_data.patch
 rtc-cmos-fix-build-on-non-acpi-platforms.patch
+asoc-fsl_micfil-explicitly-clear-software-reset-bit.patch
+asoc-fsl_micfil-explicitly-clear-chnf-flags.patch
+asoc-ops-check-bounds-for-second-channel-in-snd_soc_.patch
+libbpf-use-page-size-as-max_entries-when-probing-rin.patch
+pinctrl-meditatek-startup-with-the-irqs-disabled.patch
+can-sja1000-fix-size-of-ocr_mode_mask-define.patch
+can-mcba_usb-fix-termination-command-argument.patch
+net-fec-don-t-reset-irq-coalesce-settings-to-default.patch
+net-loopback-use-net_name_predictable-for-name_assig.patch
+asoc-cs42l51-correct-pga-volume-minimum-value.patch
+perf-fix-perf_pending_task-uaf.patch
+nvme-pci-clear-the-prp2-field-when-not-used.patch
-- 
2.47.3