From: Greg Kroah-Hartman Date: Tue, 29 Nov 2022 19:01:05 +0000 (+0100) Subject: 6.0-stable patches X-Git-Tag: v5.10.157~58 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b87bb6c8e02675c370d6a76f810b8a13c7f23c18;p=thirdparty%2Fkernel%2Fstable-queue.git 6.0-stable patches added patches: bus-ixp4xx-don-t-touch-bit-7-on-ixp42x.patch cpufreq-amd-pstate-cpufreq-amd-pstate-reset-msr_amd_perf_ctl-register-at-init.patch dt-bindings-iio-adc-remove-the-property-aspeed-trim-data-valid.patch iio-accel-bma400-fix-memory-leak-in-bma400_get_steps_reg.patch iio-adc-aspeed-remove-the-trim-valid-dts-property.patch iio-core-fix-entry-not-deleted-when-iio_register_sw_trigger_type-fails.patch iio-light-apds9960-fix-wrong-register-for-gesture-gain.patch mm-damon-sysfs-schemes-skip-stats-update-if-the-scheme-directory-is-removed.patch spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-higher-than-input-clock.patch spi-spi-imx-spi_imx_transfer_one-check-for-dma-transfer-first.patch virt-sev-guest-prevent-iv-reuse-in-the-snp-guest-driver.patch zonefs-fix-active-zone-accounting.patch --- diff --git a/queue-6.0/bus-ixp4xx-don-t-touch-bit-7-on-ixp42x.patch b/queue-6.0/bus-ixp4xx-don-t-touch-bit-7-on-ixp42x.patch new file mode 100644 index 00000000000..c7feb229327 --- /dev/null +++ b/queue-6.0/bus-ixp4xx-don-t-touch-bit-7-on-ixp42x.patch @@ -0,0 +1,68 @@ +From ff5a19909b49fe5c0b01ae197f84b741e0f698dc Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Tue, 22 Nov 2022 14:44:11 +0100 +Subject: bus: ixp4xx: Don't touch bit 7 on IXP42x + +From: Linus Walleij + +commit ff5a19909b49fe5c0b01ae197f84b741e0f698dc upstream. + +We face some regressions on a few IXP42x systems when +accessing flash, the following unrelated error prints +appear from the PCI driver: + +ixp4xx-pci c0000000.pci: PCI: abort_handler addr = 0xff9ffb5f, + isr = 0x0, status = 0x22a0 +ixp4xx-pci c0000000.pci: imprecise abort +(...) + +It turns out that while bit 7 is masked "reserved" it is +not unused, so masking it off as zero is dangerous, and +breaks flash access on some systems such as the NSLU2. +Be more careful and avoid masking off any of the reserved +bits 7, 8, 9 or 30. Only keep masking EXP_WORD (bit 2) +on IXP43x which is necessary in some setups. + +Fixes: 1c953bda90ca ("bus: ixp4xx: Add a driver for IXP4xx expansion bus") +Signed-off-by: Linus Walleij +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20221122134411.2030372-1-linus.walleij@linaro.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/intel-ixp4xx-eb.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/bus/intel-ixp4xx-eb.c ++++ b/drivers/bus/intel-ixp4xx-eb.c +@@ -49,7 +49,7 @@ + #define IXP4XX_EXP_SIZE_SHIFT 10 + #define IXP4XX_EXP_CNFG_0 BIT(9) /* Always zero */ + #define IXP43X_EXP_SYNC_INTEL BIT(8) /* Only on IXP43x */ +-#define IXP43X_EXP_EXP_CHIP BIT(7) /* Only on IXP43x */ ++#define IXP43X_EXP_EXP_CHIP BIT(7) /* Only on IXP43x, dangerous to touch on IXP42x */ + #define IXP4XX_EXP_BYTE_RD16 BIT(6) + #define IXP4XX_EXP_HRDY_POL BIT(5) /* Only on IXP42x */ + #define IXP4XX_EXP_MUX_EN BIT(4) +@@ -57,8 +57,6 @@ + #define IXP4XX_EXP_WORD BIT(2) /* Always zero */ + #define IXP4XX_EXP_WR_EN BIT(1) + #define IXP4XX_EXP_BYTE_EN BIT(0) +-#define IXP42X_RESERVED (BIT(30)|IXP4XX_EXP_CNFG_0|BIT(8)|BIT(7)|IXP4XX_EXP_WORD) +-#define IXP43X_RESERVED (BIT(30)|IXP4XX_EXP_CNFG_0|BIT(5)|IXP4XX_EXP_WORD) + + #define IXP4XX_EXP_CNFG0 0x20 + #define IXP4XX_EXP_CNFG0_MEM_MAP BIT(31) +@@ -252,10 +250,9 @@ static void ixp4xx_exp_setup_chipselect( + cs_cfg |= val << IXP4XX_EXP_CYC_TYPE_SHIFT; + } + +- if (eb->is_42x) +- cs_cfg &= ~IXP42X_RESERVED; + if (eb->is_43x) { +- cs_cfg &= ~IXP43X_RESERVED; ++ /* Should always be zero */ ++ cs_cfg &= ~IXP4XX_EXP_WORD; + /* + * This bit for Intel strata flash is currently unused, but let's + * report it if we find one. diff --git a/queue-6.0/cpufreq-amd-pstate-cpufreq-amd-pstate-reset-msr_amd_perf_ctl-register-at-init.patch b/queue-6.0/cpufreq-amd-pstate-cpufreq-amd-pstate-reset-msr_amd_perf_ctl-register-at-init.patch new file mode 100644 index 00000000000..19f62b10596 --- /dev/null +++ b/queue-6.0/cpufreq-amd-pstate-cpufreq-amd-pstate-reset-msr_amd_perf_ctl-register-at-init.patch @@ -0,0 +1,55 @@ +From 919f4557696939625085435ebde09a539de2349c Mon Sep 17 00:00:00 2001 +From: Wyes Karny +Date: Thu, 17 Nov 2022 15:35:37 +0800 +Subject: cpufreq: amd-pstate: cpufreq: amd-pstate: reset MSR_AMD_PERF_CTL register at init + +From: Wyes Karny + +commit 919f4557696939625085435ebde09a539de2349c upstream. + +MSR_AMD_PERF_CTL is guaranteed to be 0 on a cold boot. However, on a +kexec boot, for instance, it may have a non-zero value (if the cpu was +in a non-P0 Pstate). In such cases, the cores with non-P0 Pstates at +boot will never be pushed to P0, let alone boost frequencies. + +Kexec is a common workflow for reboot on Linux and this creates a +regression in performance. Fix it by explicitly setting the +MSR_AMD_PERF_CTL to 0 during amd_pstate driver init. + +Cc: All applicable +Acked-by: Huang Rui +Reviewed-by: Gautham R. Shenoy +Tested-by: Wyes Karny +Signed-off-by: Wyes Karny +Signed-off-by: Perry Yuan +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/amd-pstate.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/cpufreq/amd-pstate.c ++++ b/drivers/cpufreq/amd-pstate.c +@@ -483,12 +483,22 @@ static void amd_pstate_boost_init(struct + amd_pstate_driver.boost_enabled = true; + } + ++static void amd_perf_ctl_reset(unsigned int cpu) ++{ ++ wrmsrl_on_cpu(cpu, MSR_AMD_PERF_CTL, 0); ++} ++ + static int amd_pstate_cpu_init(struct cpufreq_policy *policy) + { + int min_freq, max_freq, nominal_freq, lowest_nonlinear_freq, ret; + struct device *dev; + struct amd_cpudata *cpudata; + ++ /* ++ * Resetting PERF_CTL_MSR will put the CPU in P0 frequency, ++ * which is ideal for initialization process. ++ */ ++ amd_perf_ctl_reset(policy->cpu); + dev = get_cpu_device(policy->cpu); + if (!dev) + return -ENODEV; diff --git a/queue-6.0/dt-bindings-iio-adc-remove-the-property-aspeed-trim-data-valid.patch b/queue-6.0/dt-bindings-iio-adc-remove-the-property-aspeed-trim-data-valid.patch new file mode 100644 index 00000000000..072757f0ece --- /dev/null +++ b/queue-6.0/dt-bindings-iio-adc-remove-the-property-aspeed-trim-data-valid.patch @@ -0,0 +1,40 @@ +From 398e3479874f381cca8726ca5d8a31e1bf35a3cd Mon Sep 17 00:00:00 2001 +From: Billy Tsai +Date: Mon, 14 Nov 2022 10:50:57 +0800 +Subject: dt-bindings: iio: adc: Remove the property "aspeed,trim-data-valid" + +From: Billy Tsai + +commit 398e3479874f381cca8726ca5d8a31e1bf35a3cd upstream. + +If the property is set on a device without valid trimming data in the OTP +the ADC will not function correctly. Therefore, this patch drops the use +of this property to avoid this scenario. + +Fixes: 2bdb2f00a895 ("dt-bindings: iio: adc: Add ast2600-adc bindings") +Signed-off-by: Billy Tsai +Acked-by: Rob Herring +Link: https://lore.kernel.org/r/20221114025057.10843-2-billy_tsai@aspeedtech.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/iio/adc/aspeed,ast2600-adc.yaml | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/Documentation/devicetree/bindings/iio/adc/aspeed,ast2600-adc.yaml ++++ b/Documentation/devicetree/bindings/iio/adc/aspeed,ast2600-adc.yaml +@@ -62,13 +62,6 @@ properties: + description: + Inform the driver that last channel will be used to sensor battery. + +- aspeed,trim-data-valid: +- type: boolean +- description: | +- The ADC reference voltage can be calibrated to obtain the trimming +- data which will be stored in otp. This property informs the driver that +- the data store in the otp is valid. +- + required: + - compatible + - reg diff --git a/queue-6.0/iio-accel-bma400-fix-memory-leak-in-bma400_get_steps_reg.patch b/queue-6.0/iio-accel-bma400-fix-memory-leak-in-bma400_get_steps_reg.patch new file mode 100644 index 00000000000..b38622e74d2 --- /dev/null +++ b/queue-6.0/iio-accel-bma400-fix-memory-leak-in-bma400_get_steps_reg.patch @@ -0,0 +1,37 @@ +From 20690cd50e68c0313472c7539460168b8ea6444d Mon Sep 17 00:00:00 2001 +From: Dong Chenchen +Date: Thu, 10 Nov 2022 09:07:26 +0800 +Subject: iio: accel: bma400: Fix memory leak in bma400_get_steps_reg() + +From: Dong Chenchen + +commit 20690cd50e68c0313472c7539460168b8ea6444d upstream. + +When regmap_bulk_read() fails, it does not free steps_raw, +which will cause a memory leak issue, this patch fixes it. + +Fixes: d221de60eee3 ("iio: accel: bma400: Add separate channel for step counter") +Signed-off-by: Dong Chenchen +Reviewed-by: Jagath Jog J +Link: https://lore.kernel.org/r/20221110010726.235601-1-dongchenchen2@huawei.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/bma400_core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/iio/accel/bma400_core.c ++++ b/drivers/iio/accel/bma400_core.c +@@ -673,8 +673,10 @@ static int bma400_get_steps_reg(struct b + + ret = regmap_bulk_read(data->regmap, BMA400_STEP_CNT0_REG, + steps_raw, BMA400_STEP_RAW_LEN); +- if (ret) ++ if (ret) { ++ kfree(steps_raw); + return ret; ++ } + *val = get_unaligned_le24(steps_raw); + kfree(steps_raw); + return IIO_VAL_INT; diff --git a/queue-6.0/iio-adc-aspeed-remove-the-trim-valid-dts-property.patch b/queue-6.0/iio-adc-aspeed-remove-the-trim-valid-dts-property.patch new file mode 100644 index 00000000000..6ae1140a00c --- /dev/null +++ b/queue-6.0/iio-adc-aspeed-remove-the-trim-valid-dts-property.patch @@ -0,0 +1,53 @@ +From fdd0d6b2eb35c83d6b1226ad20b346a4b45ddfb8 Mon Sep 17 00:00:00 2001 +From: Billy Tsai +Date: Mon, 14 Nov 2022 10:50:56 +0800 +Subject: iio: adc: aspeed: Remove the trim valid dts property. + +From: Billy Tsai + +commit fdd0d6b2eb35c83d6b1226ad20b346a4b45ddfb8 upstream. + +The dts property "aspeed,trim-data-valid" is currently used to determine +whether to read trimming data from the OTP register. If this is set on +a device without valid trimming data in the OTP the ADC will not function +correctly. This patch drops the use of this property and instead uses the +default (unprogrammed) OTP value of 0 to detect when a fallback value of +0x8 should be used rather then the value read from the OTP. + +Fixes: d0a4c17b4073 ("iio: adc: aspeed: Get and set trimming data.") +Signed-off-by: Billy Tsai +Link: https://lore.kernel.org/r/20221114025057.10843-1-billy_tsai@aspeedtech.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/aspeed_adc.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/iio/adc/aspeed_adc.c ++++ b/drivers/iio/adc/aspeed_adc.c +@@ -202,6 +202,8 @@ static int aspeed_adc_set_trim_data(stru + ((scu_otp) & + (data->model_data->trim_locate->field)) >> + __ffs(data->model_data->trim_locate->field); ++ if (!trimming_val) ++ trimming_val = 0x8; + } + dev_dbg(data->dev, + "trimming val = %d, offset = %08x, fields = %08x\n", +@@ -563,12 +565,9 @@ static int aspeed_adc_probe(struct platf + if (ret) + return ret; + +- if (of_find_property(data->dev->of_node, "aspeed,trim-data-valid", +- NULL)) { +- ret = aspeed_adc_set_trim_data(indio_dev); +- if (ret) +- return ret; +- } ++ ret = aspeed_adc_set_trim_data(indio_dev); ++ if (ret) ++ return ret; + + if (of_find_property(data->dev->of_node, "aspeed,battery-sensing", + NULL)) { diff --git a/queue-6.0/iio-core-fix-entry-not-deleted-when-iio_register_sw_trigger_type-fails.patch b/queue-6.0/iio-core-fix-entry-not-deleted-when-iio_register_sw_trigger_type-fails.patch new file mode 100644 index 00000000000..ffaf80bc411 --- /dev/null +++ b/queue-6.0/iio-core-fix-entry-not-deleted-when-iio_register_sw_trigger_type-fails.patch @@ -0,0 +1,52 @@ +From 4ad09d956f8eacff61e67e5b13ba8ebec3232f76 Mon Sep 17 00:00:00 2001 +From: Chen Zhongjin +Date: Tue, 8 Nov 2022 11:28:02 +0800 +Subject: iio: core: Fix entry not deleted when iio_register_sw_trigger_type() fails + +From: Chen Zhongjin + +commit 4ad09d956f8eacff61e67e5b13ba8ebec3232f76 upstream. + +In iio_register_sw_trigger_type(), configfs_register_default_group() is +possible to fail, but the entry add to iio_trigger_types_list is not +deleted. + +This leaves wild in iio_trigger_types_list, which can cause page fault +when module is loading again. So fix this by list_del(&t->list) in error +path. + +BUG: unable to handle page fault for address: fffffbfff81d7400 +Call Trace: + + iio_register_sw_trigger_type + do_one_initcall + do_init_module + load_module + ... + +Fixes: b662f809d410 ("iio: core: Introduce IIO software triggers") +Signed-off-by: Chen Zhongjin +Link: https://lore.kernel.org/r/20221108032802.168623-1-chenzhongjin@huawei.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/industrialio-sw-trigger.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/iio/industrialio-sw-trigger.c ++++ b/drivers/iio/industrialio-sw-trigger.c +@@ -58,8 +58,12 @@ int iio_register_sw_trigger_type(struct + + t->group = configfs_register_default_group(iio_triggers_group, t->name, + &iio_trigger_type_group_type); +- if (IS_ERR(t->group)) ++ if (IS_ERR(t->group)) { ++ mutex_lock(&iio_trigger_types_lock); ++ list_del(&t->list); ++ mutex_unlock(&iio_trigger_types_lock); + ret = PTR_ERR(t->group); ++ } + + return ret; + } diff --git a/queue-6.0/iio-light-apds9960-fix-wrong-register-for-gesture-gain.patch b/queue-6.0/iio-light-apds9960-fix-wrong-register-for-gesture-gain.patch new file mode 100644 index 00000000000..a6ecd1ea34d --- /dev/null +++ b/queue-6.0/iio-light-apds9960-fix-wrong-register-for-gesture-gain.patch @@ -0,0 +1,58 @@ +From 0aa60ff5d996d4ecdd4a62699c01f6d00f798d59 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alejandro=20Concepci=C3=B3n=20Rodr=C3=ADguez?= + +Date: Sun, 6 Nov 2022 01:56:51 +0000 +Subject: iio: light: apds9960: fix wrong register for gesture gain + +From: Alejandro Concepción Rodríguez + +commit 0aa60ff5d996d4ecdd4a62699c01f6d00f798d59 upstream. + +Gesture Gain Control is in REG_GCONF_2 (0xa3), not in REG_CONFIG_2 (0x90). + +Fixes: aff268cd532e ("iio: light: add APDS9960 ALS + promixity driver") +Signed-off-by: Alejandro Concepcion-Rodriguez +Acked-by: Matt Ranostay +Cc: +Link: https://lore.kernel.org/r/EaT-NKC-H4DNX5z4Lg9B6IWPD5TrTrYBr5DYB784wfDKQkTmzPXkoYqyUOrOgJH-xvTsEkFLcVkeAPZRUODEFI5dGziaWXwjpfBNLeNGfNc=@acoro.eu +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/apds9960.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/iio/light/apds9960.c ++++ b/drivers/iio/light/apds9960.c +@@ -54,9 +54,6 @@ + #define APDS9960_REG_CONTROL_PGAIN_MASK_SHIFT 2 + + #define APDS9960_REG_CONFIG_2 0x90 +-#define APDS9960_REG_CONFIG_2_GGAIN_MASK 0x60 +-#define APDS9960_REG_CONFIG_2_GGAIN_MASK_SHIFT 5 +- + #define APDS9960_REG_ID 0x92 + + #define APDS9960_REG_STATUS 0x93 +@@ -77,6 +74,9 @@ + #define APDS9960_REG_GCONF_1_GFIFO_THRES_MASK_SHIFT 6 + + #define APDS9960_REG_GCONF_2 0xa3 ++#define APDS9960_REG_GCONF_2_GGAIN_MASK 0x60 ++#define APDS9960_REG_GCONF_2_GGAIN_MASK_SHIFT 5 ++ + #define APDS9960_REG_GOFFSET_U 0xa4 + #define APDS9960_REG_GOFFSET_D 0xa5 + #define APDS9960_REG_GPULSE 0xa6 +@@ -396,9 +396,9 @@ static int apds9960_set_pxs_gain(struct + } + + ret = regmap_update_bits(data->regmap, +- APDS9960_REG_CONFIG_2, +- APDS9960_REG_CONFIG_2_GGAIN_MASK, +- idx << APDS9960_REG_CONFIG_2_GGAIN_MASK_SHIFT); ++ APDS9960_REG_GCONF_2, ++ APDS9960_REG_GCONF_2_GGAIN_MASK, ++ idx << APDS9960_REG_GCONF_2_GGAIN_MASK_SHIFT); + if (!ret) + data->pxs_gain = idx; + mutex_unlock(&data->lock); diff --git a/queue-6.0/mm-damon-sysfs-schemes-skip-stats-update-if-the-scheme-directory-is-removed.patch b/queue-6.0/mm-damon-sysfs-schemes-skip-stats-update-if-the-scheme-directory-is-removed.patch new file mode 100644 index 00000000000..384cdd50e93 --- /dev/null +++ b/queue-6.0/mm-damon-sysfs-schemes-skip-stats-update-if-the-scheme-directory-is-removed.patch @@ -0,0 +1,38 @@ +From 8468b486612c808c9e337708d66a435498f1735c Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 14 Nov 2022 17:55:52 +0000 +Subject: mm/damon/sysfs-schemes: skip stats update if the scheme directory is removed + +From: SeongJae Park + +commit 8468b486612c808c9e337708d66a435498f1735c upstream. + +A DAMON sysfs interface user can start DAMON with a scheme, remove the +sysfs directory for the scheme, and then ask update of the scheme's stats. +Because the schemes stats update logic isn't aware of the situation, it +results in an invalid memory access. Fix the bug by checking if the +scheme sysfs directory exists. + +Link: https://lkml.kernel.org/r/20221114175552.1951-1-sj@kernel.org +Fixes: 0ac32b8affb5 ("mm/damon/sysfs: support DAMOS stats") +Signed-off-by: SeongJae Park +Cc: [v5.18] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/sysfs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/mm/damon/sysfs.c ++++ b/mm/damon/sysfs.c +@@ -2342,6 +2342,10 @@ static int damon_sysfs_upd_schemes_stats + damon_for_each_scheme(scheme, ctx) { + struct damon_sysfs_stats *sysfs_stats; + ++ /* user could have removed the scheme sysfs dir */ ++ if (schemes_idx >= sysfs_schemes->nr) ++ break; ++ + sysfs_stats = sysfs_schemes->schemes_arr[schemes_idx++]->stats; + sysfs_stats->nr_tried = scheme->stat.nr_tried; + sysfs_stats->sz_tried = scheme->stat.sz_tried; diff --git a/queue-6.0/series b/queue-6.0/series index 8315de05453..2c09fe5bc14 100644 --- a/queue-6.0/series +++ b/queue-6.0/series @@ -168,6 +168,18 @@ cifs-use-after-free-in-debug-code.patch ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch +iio-adc-aspeed-remove-the-trim-valid-dts-property.patch +iio-light-apds9960-fix-wrong-register-for-gesture-gain.patch +iio-core-fix-entry-not-deleted-when-iio_register_sw_trigger_type-fails.patch +iio-accel-bma400-fix-memory-leak-in-bma400_get_steps_reg.patch +dt-bindings-iio-adc-remove-the-property-aspeed-trim-data-valid.patch +mm-damon-sysfs-schemes-skip-stats-update-if-the-scheme-directory-is-removed.patch +virt-sev-guest-prevent-iv-reuse-in-the-snp-guest-driver.patch +cpufreq-amd-pstate-cpufreq-amd-pstate-reset-msr_amd_perf_ctl-register-at-init.patch +zonefs-fix-active-zone-accounting.patch +bus-ixp4xx-don-t-touch-bit-7-on-ixp42x.patch +spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-higher-than-input-clock.patch +spi-spi-imx-spi_imx_transfer_one-check-for-dma-transfer-first.patch init-kconfig-fix-cc_has_asm_goto_tied_output-test-wi.patch nfsd-fix-reads-with-a-non-zero-offset-that-don-t-end.patch nios2-add-force-for-vmlinuz.gz.patch diff --git a/queue-6.0/spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-higher-than-input-clock.patch b/queue-6.0/spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-higher-than-input-clock.patch new file mode 100644 index 00000000000..9a215fcab37 --- /dev/null +++ b/queue-6.0/spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-higher-than-input-clock.patch @@ -0,0 +1,59 @@ +From db2d2dc9a0b58c6faefb6b002fdbed4f0362d1a4 Mon Sep 17 00:00:00 2001 +From: Frieder Schrempf +Date: Tue, 15 Nov 2022 19:10:00 +0100 +Subject: spi: spi-imx: Fix spi_bus_clk if requested clock is higher than input clock + +From: Frieder Schrempf + +commit db2d2dc9a0b58c6faefb6b002fdbed4f0362d1a4 upstream. + +In case the requested bus clock is higher than the input clock, the correct +dividers (pre = 0, post = 0) are returned from mx51_ecspi_clkdiv(), but +*fres is left uninitialized and therefore contains an arbitrary value. + +This causes trouble for the recently introduced PIO polling feature as the +value in spi_imx->spi_bus_clk is used there to calculate for which +transfers to enable PIO polling. + +Fix this by setting *fres even if no clock dividers are in use. + +This issue was observed on Kontron BL i.MX8MM with an SPI peripheral clock set +to 50 MHz by default and a requested SPI bus clock of 80 MHz for the SPI NOR +flash. + +With the fix applied the debug message from mx51_ecspi_clkdiv() now prints the +following: + +spi_imx 30820000.spi: mx51_ecspi_clkdiv: fin: 50000000, fspi: 50000000, +post: 0, pre: 0 + +Fixes: 6fd8b8503a0d ("spi: spi-imx: Fix out-of-order CS/SCLK operation at low speeds") +Fixes: 07e759387788 ("spi: spi-imx: add PIO polling support") +Cc: Marc Kleine-Budde +Cc: David Jander +Cc: Fabio Estevam +Cc: Mark Brown +Cc: Marek Vasut +Cc: stable@vger.kernel.org +Signed-off-by: Frieder Schrempf +Tested-by: Fabio Estevam +Acked-by: Marek Vasut +Link: https://lore.kernel.org/r/20221115181002.2068270-1-frieder@fris.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-imx.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -444,8 +444,7 @@ static unsigned int mx51_ecspi_clkdiv(st + unsigned int pre, post; + unsigned int fin = spi_imx->spi_clk; + +- if (unlikely(fspi > fin)) +- return 0; ++ fspi = min(fspi, fin); + + post = fls(fin) - fls(fspi); + if (fin > fspi << post) diff --git a/queue-6.0/spi-spi-imx-spi_imx_transfer_one-check-for-dma-transfer-first.patch b/queue-6.0/spi-spi-imx-spi_imx_transfer_one-check-for-dma-transfer-first.patch new file mode 100644 index 00000000000..408ff27ce79 --- /dev/null +++ b/queue-6.0/spi-spi-imx-spi_imx_transfer_one-check-for-dma-transfer-first.patch @@ -0,0 +1,77 @@ +From e85e9e0d8cb759013d6474011c227f92e442d746 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Wed, 16 Nov 2022 17:49:30 +0100 +Subject: spi: spi-imx: spi_imx_transfer_one(): check for DMA transfer first + +From: Marc Kleine-Budde + +commit e85e9e0d8cb759013d6474011c227f92e442d746 upstream. + +The SPI framework checks for each transfer (with the struct +spi_controller::can_dma callback) whether the driver wants to use DMA +for the transfer. If the driver returns true, the SPI framework will +map the transfer's data to the device, start the actual transfer and +map the data back. + +In commit 07e759387788 ("spi: spi-imx: add PIO polling support") the +spi-imx driver's spi_imx_transfer_one() function was extended. If the +estimated duration of a transfer does not exceed a configurable +duration, a polling transfer function is used. This check happens +before checking if the driver decided earlier for a DMA transfer. + +If spi_imx_can_dma() decided to use a DMA transfer, and the user +configured a big maximum polling duration, a polling transfer will be +used. The DMA unmap after the transfer destroys the transferred data. + +To fix this problem check in spi_imx_transfer_one() if the driver +decided for DMA transfer first, then check the limits for a polling +transfer. + +Fixes: 07e759387788 ("spi: spi-imx: add PIO polling support") +Link: https://lore.kernel.org/all/20221111003032.82371-1-festevam@gmail.com +Reported-by: Frieder Schrempf +Reported-by: Fabio Estevam +Tested-by: Fabio Estevam +Cc: David Jander +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Tested-by: Frieder Schrempf +Reviewed-by: Frieder Schrempf +Link: https://lore.kernel.org/r/20221116164930.855362-1-mkl@pengutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-imx.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index 468ce0a2b282..d209930069cf 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -1606,6 +1606,13 @@ static int spi_imx_transfer_one(struct spi_controller *controller, + if (spi_imx->slave_mode) + return spi_imx_pio_transfer_slave(spi, transfer); + ++ /* ++ * If we decided in spi_imx_can_dma() that we want to do a DMA ++ * transfer, the SPI transfer has already been mapped, so we ++ * have to do the DMA transfer here. ++ */ ++ if (spi_imx->usedma) ++ return spi_imx_dma_transfer(spi_imx, transfer); + /* + * Calculate the estimated time in us the transfer runs. Find + * the number of Hz per byte per polling limit. +@@ -1617,9 +1624,6 @@ static int spi_imx_transfer_one(struct spi_controller *controller, + if (transfer->len < byte_limit) + return spi_imx_poll_transfer(spi, transfer); + +- if (spi_imx->usedma) +- return spi_imx_dma_transfer(spi_imx, transfer); +- + return spi_imx_pio_transfer(spi, transfer); + } + +-- +2.38.1 + diff --git a/queue-6.0/virt-sev-guest-prevent-iv-reuse-in-the-snp-guest-driver.patch b/queue-6.0/virt-sev-guest-prevent-iv-reuse-in-the-snp-guest-driver.patch new file mode 100644 index 00000000000..0ab6716dcc5 --- /dev/null +++ b/queue-6.0/virt-sev-guest-prevent-iv-reuse-in-the-snp-guest-driver.patch @@ -0,0 +1,163 @@ +From 47894e0fa6a56a42be6a47c767e79cce8125489d Mon Sep 17 00:00:00 2001 +From: Peter Gonda +Date: Wed, 16 Nov 2022 09:55:58 -0800 +Subject: virt/sev-guest: Prevent IV reuse in the SNP guest driver + +From: Peter Gonda + +commit 47894e0fa6a56a42be6a47c767e79cce8125489d upstream. + +The AMD Secure Processor (ASP) and an SNP guest use a series of +AES-GCM keys called VMPCKs to communicate securely with each other. +The IV to this scheme is a sequence number that both the ASP and the +guest track. + +Currently, this sequence number in a guest request must exactly match +the sequence number tracked by the ASP. This means that if the guest +sees an error from the host during a request it can only retry that +exact request or disable the VMPCK to prevent an IV reuse. AES-GCM +cannot tolerate IV reuse, see: "Authentication Failures in NIST version +of GCM" - Antoine Joux et al. + +In order to address this, make handle_guest_request() delete the VMPCK +on any non successful return. To allow userspace querying the cert_data +length make handle_guest_request() save the number of pages required by +the host, then have handle_guest_request() retry the request without +requesting the extended data, then return the number of pages required +back to userspace. + + [ bp: Massage, incorporate Tom's review comments. ] + +Fixes: fce96cf044308 ("virt: Add SEV-SNP guest driver") +Reported-by: Peter Gonda +Signed-off-by: Peter Gonda +Signed-off-by: Borislav Petkov +Reviewed-by: Tom Lendacky +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20221116175558.2373112-1-pgonda@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/virt/coco/sev-guest/sev-guest.c | 84 ++++++++++++++++++++----- + 1 file changed, 70 insertions(+), 14 deletions(-) + +diff --git a/drivers/virt/coco/sev-guest/sev-guest.c b/drivers/virt/coco/sev-guest/sev-guest.c +index f422f9c58ba7..1ea6d2e5b218 100644 +--- a/drivers/virt/coco/sev-guest/sev-guest.c ++++ b/drivers/virt/coco/sev-guest/sev-guest.c +@@ -67,8 +67,27 @@ static bool is_vmpck_empty(struct snp_guest_dev *snp_dev) + return true; + } + ++/* ++ * If an error is received from the host or AMD Secure Processor (ASP) there ++ * are two options. Either retry the exact same encrypted request or discontinue ++ * using the VMPCK. ++ * ++ * This is because in the current encryption scheme GHCB v2 uses AES-GCM to ++ * encrypt the requests. The IV for this scheme is the sequence number. GCM ++ * cannot tolerate IV reuse. ++ * ++ * The ASP FW v1.51 only increments the sequence numbers on a successful ++ * guest<->ASP back and forth and only accepts messages at its exact sequence ++ * number. ++ * ++ * So if the sequence number were to be reused the encryption scheme is ++ * vulnerable. If the sequence number were incremented for a fresh IV the ASP ++ * will reject the request. ++ */ + static void snp_disable_vmpck(struct snp_guest_dev *snp_dev) + { ++ dev_alert(snp_dev->dev, "Disabling vmpck_id %d to prevent IV reuse.\n", ++ vmpck_id); + memzero_explicit(snp_dev->vmpck, VMPCK_KEY_LEN); + snp_dev->vmpck = NULL; + } +@@ -321,34 +340,71 @@ static int handle_guest_request(struct snp_guest_dev *snp_dev, u64 exit_code, in + if (rc) + return rc; + +- /* Call firmware to process the request */ ++ /* ++ * Call firmware to process the request. In this function the encrypted ++ * message enters shared memory with the host. So after this call the ++ * sequence number must be incremented or the VMPCK must be deleted to ++ * prevent reuse of the IV. ++ */ + rc = snp_issue_guest_request(exit_code, &snp_dev->input, &err); ++ ++ /* ++ * If the extended guest request fails due to having too small of a ++ * certificate data buffer, retry the same guest request without the ++ * extended data request in order to increment the sequence number ++ * and thus avoid IV reuse. ++ */ ++ if (exit_code == SVM_VMGEXIT_EXT_GUEST_REQUEST && ++ err == SNP_GUEST_REQ_INVALID_LEN) { ++ const unsigned int certs_npages = snp_dev->input.data_npages; ++ ++ exit_code = SVM_VMGEXIT_GUEST_REQUEST; ++ ++ /* ++ * If this call to the firmware succeeds, the sequence number can ++ * be incremented allowing for continued use of the VMPCK. If ++ * there is an error reflected in the return value, this value ++ * is checked further down and the result will be the deletion ++ * of the VMPCK and the error code being propagated back to the ++ * user as an ioctl() return code. ++ */ ++ rc = snp_issue_guest_request(exit_code, &snp_dev->input, &err); ++ ++ /* ++ * Override the error to inform callers the given extended ++ * request buffer size was too small and give the caller the ++ * required buffer size. ++ */ ++ err = SNP_GUEST_REQ_INVALID_LEN; ++ snp_dev->input.data_npages = certs_npages; ++ } ++ + if (fw_err) + *fw_err = err; + +- if (rc) +- return rc; ++ if (rc) { ++ dev_alert(snp_dev->dev, ++ "Detected error from ASP request. rc: %d, fw_err: %llu\n", ++ rc, *fw_err); ++ goto disable_vmpck; ++ } + +- /* +- * The verify_and_dec_payload() will fail only if the hypervisor is +- * actively modifying the message header or corrupting the encrypted payload. +- * This hints that hypervisor is acting in a bad faith. Disable the VMPCK so that +- * the key cannot be used for any communication. The key is disabled to ensure +- * that AES-GCM does not use the same IV while encrypting the request payload. +- */ + rc = verify_and_dec_payload(snp_dev, resp_buf, resp_sz); + if (rc) { + dev_alert(snp_dev->dev, +- "Detected unexpected decode failure, disabling the vmpck_id %d\n", +- vmpck_id); +- snp_disable_vmpck(snp_dev); +- return rc; ++ "Detected unexpected decode failure from ASP. rc: %d\n", ++ rc); ++ goto disable_vmpck; + } + + /* Increment to new message sequence after payload decryption was successful. */ + snp_inc_msg_seqno(snp_dev); + + return 0; ++ ++disable_vmpck: ++ snp_disable_vmpck(snp_dev); ++ return rc; + } + + static int get_report(struct snp_guest_dev *snp_dev, struct snp_guest_request_ioctl *arg) +-- +2.38.1 + diff --git a/queue-6.0/zonefs-fix-active-zone-accounting.patch b/queue-6.0/zonefs-fix-active-zone-accounting.patch new file mode 100644 index 00000000000..a1daafc0984 --- /dev/null +++ b/queue-6.0/zonefs-fix-active-zone-accounting.patch @@ -0,0 +1,84 @@ +From db58653ce0c7cf4d155727852607106f890005c0 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Mon, 21 Nov 2022 16:29:37 +0900 +Subject: zonefs: Fix active zone accounting + +From: Damien Le Moal + +commit db58653ce0c7cf4d155727852607106f890005c0 upstream. + +If a file zone transitions to the offline or readonly state from an +active state, we must clear the zone active flag and decrement the +active seq file counter. Do so in zonefs_account_active() using the new +zonefs inode flags ZONEFS_ZONE_OFFLINE and ZONEFS_ZONE_READONLY. These +flags are set if necessary in zonefs_check_zone_condition() based on the +result of report zones operation after an IO error. + +Fixes: 87c9ce3ffec9 ("zonefs: Add active seq file accounting") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Johannes Thumshirn +Signed-off-by: Greg Kroah-Hartman +--- + fs/zonefs/super.c | 11 +++++++++++ + fs/zonefs/zonefs.h | 6 ++++-- + 2 files changed, 15 insertions(+), 2 deletions(-) + +--- a/fs/zonefs/super.c ++++ b/fs/zonefs/super.c +@@ -41,6 +41,13 @@ static void zonefs_account_active(struct + return; + + /* ++ * For zones that transitioned to the offline or readonly condition, ++ * we only need to clear the active state. ++ */ ++ if (zi->i_flags & (ZONEFS_ZONE_OFFLINE | ZONEFS_ZONE_READONLY)) ++ goto out; ++ ++ /* + * If the zone is active, that is, if it is explicitly open or + * partially written, check if it was already accounted as active. + */ +@@ -53,6 +60,7 @@ static void zonefs_account_active(struct + return; + } + ++out: + /* The zone is not active. If it was, update the active count */ + if (zi->i_flags & ZONEFS_ZONE_ACTIVE) { + zi->i_flags &= ~ZONEFS_ZONE_ACTIVE; +@@ -324,6 +332,7 @@ static loff_t zonefs_check_zone_conditio + inode->i_flags |= S_IMMUTABLE; + inode->i_mode &= ~0777; + zone->wp = zone->start; ++ zi->i_flags |= ZONEFS_ZONE_OFFLINE; + return 0; + case BLK_ZONE_COND_READONLY: + /* +@@ -342,8 +351,10 @@ static loff_t zonefs_check_zone_conditio + zone->cond = BLK_ZONE_COND_OFFLINE; + inode->i_mode &= ~0777; + zone->wp = zone->start; ++ zi->i_flags |= ZONEFS_ZONE_OFFLINE; + return 0; + } ++ zi->i_flags |= ZONEFS_ZONE_READONLY; + inode->i_mode &= ~0222; + return i_size_read(inode); + case BLK_ZONE_COND_FULL: +--- a/fs/zonefs/zonefs.h ++++ b/fs/zonefs/zonefs.h +@@ -39,8 +39,10 @@ static inline enum zonefs_ztype zonefs_z + return ZONEFS_ZTYPE_SEQ; + } + +-#define ZONEFS_ZONE_OPEN (1 << 0) +-#define ZONEFS_ZONE_ACTIVE (1 << 1) ++#define ZONEFS_ZONE_OPEN (1U << 0) ++#define ZONEFS_ZONE_ACTIVE (1U << 1) ++#define ZONEFS_ZONE_OFFLINE (1U << 2) ++#define ZONEFS_ZONE_READONLY (1U << 3) + + /* + * In-memory inode data.