1. 13 Jan, 2023 24 commits
    • Linus Torvalds's avatar
      Merge tag 'io_uring-6.2-2023-01-13' of git://git.kernel.dk/linux · 2ce7592d
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "A fix for a regression that happened last week, rest is fixes that
        will be headed to stable as well. In detail:
      
         - Fix for a regression added with the leak fix from last week (me)
      
         - In writing a test case for that leak, inadvertently discovered a
           case where we a poll request can race. So fix that up and mark it
           for stable, and also ensure that fdinfo covers both the poll tables
           that we have. The latter was an oversight when the split poll table
           were added (me)
      
         - Fix for a lockdep reported issue with IOPOLL (Pavel)"
      
      * tag 'io_uring-6.2-2023-01-13' of git://git.kernel.dk/linux:
        io_uring: lock overflowing for IOPOLL
        io_uring/poll: attempt request issue after racy poll wakeup
        io_uring/fdinfo: include locked hash table in fdinfo output
        io_uring/poll: add hash if ready poll request can't complete inline
        io_uring/io-wq: only free worker if it was allocated for creation
      2ce7592d
    • Linus Torvalds's avatar
      Merge tag 'pci-v6.2-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 9e058c29
      Linus Torvalds authored
      Pull pci fixes from Bjorn Helgaas:
      
       - Work around apparent firmware issue that made Linux reject MMCONFIG
         space, which broke PCI extended config space (Bjorn Helgaas)
      
       - Fix CONFIG_PCIE_BT1 dependency due to mid-air collision between a
         PCI_MSI_IRQ_DOMAIN -> PCI_MSI change and addition of PCIE_BT1 (Lukas
         Bulwahn)
      
      * tag 'pci-v6.2-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        x86/pci: Treat EfiMemoryMappedIO as reservation of ECAM space
        x86/pci: Simplify is_mmconf_reserved() messages
        PCI: dwc: Adjust to recent removal of PCI_MSI_IRQ_DOMAIN
      9e058c29
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 92783a90
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "ARM:
      
         - Fix the PMCR_EL0 reset value after the PMU rework
      
         - Correctly handle S2 fault triggered by a S1 page table walk by not
           always classifying it as a write, as this breaks on R/O memslots
      
         - Document why we cannot exit with KVM_EXIT_MMIO when taking a write
           fault from a S1 PTW on a R/O memslot
      
         - Put the Apple M2 on the naughty list for not being able to
           correctly implement the vgic SEIS feature, just like the M1 before
           it
      
         - Reviewer updates: Alex is stepping down, replaced by Zenghui
      
        x86:
      
         - Fix various rare locking issues in Xen emulation and teach lockdep
           to detect them
      
         - Documentation improvements
      
         - Do not return host topology information from KVM_GET_SUPPORTED_CPUID"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86/xen: Avoid deadlock by adding kvm->arch.xen.xen_lock leaf node lock
        KVM: Ensure lockdep knows about kvm->lock vs. vcpu->mutex ordering rule
        KVM: x86/xen: Fix potential deadlock in kvm_xen_update_runstate_guest()
        KVM: x86/xen: Fix lockdep warning on "recursive" gpc locking
        Documentation: kvm: fix SRCU locking order docs
        KVM: x86: Do not return host topology information from KVM_GET_SUPPORTED_CPUID
        KVM: nSVM: clarify recalc_intercepts() wrt CR8
        MAINTAINERS: Remove myself as a KVM/arm64 reviewer
        MAINTAINERS: Add Zenghui Yu as a KVM/arm64 reviewer
        KVM: arm64: vgic: Add Apple M2 cpus to the list of broken SEIS implementations
        KVM: arm64: Convert FSC_* over to ESR_ELx_FSC_*
        KVM: arm64: Document the behaviour of S1PTW faults on RO memslots
        KVM: arm64: Fix S1PTW handling on RO memslots
        KVM: arm64: PMU: Fix PMCR_EL0 reset value
      92783a90
    • Mateusz Guzik's avatar
      lockref: stop doing cpu_relax in the cmpxchg loop · f5fe24ef
      Mateusz Guzik authored
      On the x86-64 architecture even a failing cmpxchg grants exclusive
      access to the cacheline, making it preferable to retry the failed op
      immediately instead of stalling with the pause instruction.
      
      To illustrate the impact, below are benchmark results obtained by
      running various will-it-scale tests on top of the 6.2-rc3 kernel and
      Cascade Lake (2 sockets * 24 cores * 2 threads) CPU.
      
      All results in ops/s.  Note there is some variance in re-runs, but the
      code is consistently faster when contention is present.
      
        open3 ("Same file open/close"):
        proc          stock       no-pause
           1         805603         814942       (+%1)
           2        1054980        1054781       (-0%)
           8        1544802        1822858      (+18%)
          24        1191064        2199665      (+84%)
          48         851582        1469860      (+72%)
          96         609481        1427170     (+134%)
      
        fstat2 ("Same file fstat"):
        proc          stock       no-pause
           1        3013872        3047636       (+1%)
           2        4284687        4400421       (+2%)
           8        3257721        5530156      (+69%)
          24        2239819        5466127     (+144%)
          48        1701072        5256609     (+209%)
          96        1269157        6649326     (+423%)
      
      Additionally, a kernel with a private patch to help access() scalability:
      access2 ("Same file access"):
      
        proc          stock        patched      patched
                                               +nopause
          24        2378041        2005501      5370335  (-15% / +125%)
      
      That is, fixing the problems in access itself *reduces* scalability
      after the cacheline ping-pong only happens in lockref with the pause
      instruction.
      
      Note that fstat and access benchmarks are not currently integrated into
      will-it-scale, but interested parties can find them in pull requests to
      said project.
      
      Code at hand has a rather tortured history.  First modification showed
      up in commit d472d9d9 ("lockref: Relax in cmpxchg loop"), written
      with Itanium in mind.  Later it got patched up to use an arch-dependent
      macro to stop doing it on s390 where it caused a significant regression.
      Said macro had undergone revisions and was ultimately eliminated later,
      going back to cpu_relax.
      
      While I intended to only remove cpu_relax for x86-64, I got the
      following comment from Linus:
      
          I would actually prefer just removing it entirely and see if
          somebody else hollers. You have the numbers to prove it hurts on
          real hardware, and I don't think we have any numbers to the
          contrary.
      
          So I think it's better to trust the numbers and remove it as a
          failure, than say "let's just remove it on x86-64 and leave
          everybody else with the potentially broken code"
      
      Additionally, Will Deacon (maintainer of the arm64 port, one of the
      architectures previously benchmarked):
      
          So, from the arm64 side of the fence, I'm perfectly happy just
          removing the cpu_relax() calls from lockref.
      
      As such, come back full circle in history and whack it altogether.
      Signed-off-by: default avatarMateusz Guzik <mjguzik@gmail.com>
      Link: https://lore.kernel.org/all/CAGudoHHx0Nqg6DE70zAVA75eV-HXfWyhVMWZ-aSeOofkA_=WdA@mail.gmail.com/
      Acked-by: Tony Luck <tony.luck@intel.com> # ia64
      Acked-by: Nicholas Piggin <npiggin@gmail.com> # powerpc
      Acked-by: Will Deacon <will@kernel.org> # arm64
      Acked-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f5fe24ef
    • Bjorn Helgaas's avatar
      x86/pci: Treat EfiMemoryMappedIO as reservation of ECAM space · fd3a8cff
      Bjorn Helgaas authored
      Normally we reject ECAM space unless it is reported as reserved in the E820
      table or via a PNP0C02 _CRS method (PCI Firmware, r3.3, sec 4.1.2).
      
      07eab090 ("efi/x86: Remove EfiMemoryMappedIO from E820 map"), removes
      E820 entries that correspond to EfiMemoryMappedIO regions because some
      other firmware uses EfiMemoryMappedIO for PCI host bridge windows, and the
      E820 entries prevent Linux from allocating BAR space for hot-added devices.
      
      Some firmware doesn't report ECAM space via PNP0C02 _CRS methods, but does
      mention it as an EfiMemoryMappedIO region via EFI GetMemoryMap(), which is
      normally converted to an E820 entry by a bootloader or EFI stub.  After
      07eab090, that E820 entry is removed, so we reject this ECAM space,
      which makes PCI extended config space (offsets 0x100-0xfff) inaccessible.
      
      The lack of extended config space breaks anything that relies on it,
      including perf, VSEC telemetry, EDAC, QAT, SR-IOV, etc.
      
      Allow use of ECAM for extended config space when the region is covered by
      an EfiMemoryMappedIO region, even if it's not included in E820 or PNP0C02
      _CRS.
      
      Link: https://lore.kernel.org/r/ac2693d8-8ba3-72e0-5b66-b3ae008d539d@linux.intel.com
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=216891
      Fixes: 07eab090 ("efi/x86: Remove EfiMemoryMappedIO from E820 map")
      Link: https://lore.kernel.org/r/20230110180243.1590045-3-helgaas@kernel.orgReported-by: default avatarKan Liang <kan.liang@linux.intel.com>
      Reported-by: default avatarTony Luck <tony.luck@intel.com>
      Reported-by: default avatarGiovanni Cabiddu <giovanni.cabiddu@intel.com>
      Reported-by: default avatarYunying Sun <yunying.sun@intel.com>
      Reported-by: default avatarBaowen Zheng <baowen.zheng@corigine.com>
      Reported-by: default avatarZhenzhong Duan <zhenzhong.duan@intel.com>
      Reported-by: default avatarYang Lixiao <lixiao.yang@intel.com>
      Tested-by: default avatarTony Luck <tony.luck@intel.com>
      Tested-by: default avatarGiovanni Cabiddu <giovanni.cabiddu@intel.com>
      Tested-by: default avatarKan Liang <kan.liang@linux.intel.com>
      Tested-by: default avatarYunying Sun <yunying.sun@intel.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarDan Williams <dan.j.williams@intel.com>
      Reviewed-by: default avatarRafael J. Wysocki <rafael@kernel.org>
      fd3a8cff
    • Linus Torvalds's avatar
      Merge tag 'efi-fixes-for-v6.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi · 0bf913e0
      Linus Torvalds authored
      Pull EFI fixes from Ard Biesheuvel:
      
       - avoid a potential crash on the efi_subsys_init() error path
      
       - use more appropriate error code for runtime services calls issued
         after a crash in the firmware occurred
      
       - avoid READ_ONCE() for accessing firmware tables that may appear
         misaligned in memory
      
      * tag 'efi-fixes-for-v6.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi:
        efi: tpm: Avoid READ_ONCE() for accessing the event log
        efi: rt-wrapper: Add missing include
        efi: fix userspace infinite retry read efivars after EFI runtime services page fault
        efi: fix NULL-deref in init error path
      0bf913e0
    • Linus Torvalds's avatar
      Merge tag 'docs-6.2-fixes' of git://git.lwn.net/linux · 40d92fc4
      Linus Torvalds authored
      Pull documentation fixes from Jonathan Corbet:
       "Three documentation fixes (or rather two and one warning):
      
         - Sphinx 6.0 broke our configuration mechanism, so fix it
      
         - I broke our configuration for non-Alabaster themes; Akira fixed it
      
         - Deprecate Sphinx < 2.4 with an eye toward future removal"
      
      * tag 'docs-6.2-fixes' of git://git.lwn.net/linux:
        docs/conf.py: Use about.html only in sidebar of alabaster theme
        docs: Deprecate use of Sphinx < 2.4.x
        docs: Fix the docs build with Sphinx 6.0
      40d92fc4
    • Ard Biesheuvel's avatar
      efi: tpm: Avoid READ_ONCE() for accessing the event log · d3f45053
      Ard Biesheuvel authored
      Nathan reports that recent kernels built with LTO will crash when doing
      EFI boot using Fedora's GRUB and SHIM. The culprit turns out to be a
      misaligned load from the TPM event log, which is annotated with
      READ_ONCE(), and under LTO, this gets translated into a LDAR instruction
      which does not tolerate misaligned accesses.
      
      Interestingly, this does not happen when booting the same kernel
      straight from the UEFI shell, and so the fact that the event log may
      appear misaligned in memory may be caused by a bug in GRUB or SHIM.
      
      However, using READ_ONCE() to access firmware tables is slightly unusual
      in any case, and here, we only need to ensure that 'event' is not
      dereferenced again after it gets unmapped, but this is already taken
      care of by the implicit barrier() semantics of the early_memunmap()
      call.
      
      Cc: <stable@vger.kernel.org>
      Cc: Peter Jones <pjones@redhat.com>
      Cc: Jarkko Sakkinen <jarkko@kernel.org>
      Cc: Matthew Garrett <mjg59@srcf.ucam.org>
      Reported-by: default avatarNathan Chancellor <nathan@kernel.org>
      Tested-by: default avatarNathan Chancellor <nathan@kernel.org>
      Link: https://github.com/ClangBuiltLinux/linux/issues/1782Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      d3f45053
    • Pavel Begunkov's avatar
      io_uring: lock overflowing for IOPOLL · 544d163d
      Pavel Begunkov authored
      syzbot reports an issue with overflow filling for IOPOLL:
      
      WARNING: CPU: 0 PID: 28 at io_uring/io_uring.c:734 io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734
      CPU: 0 PID: 28 Comm: kworker/u4:1 Not tainted 6.2.0-rc3-syzkaller-16369-g358a161a6a9e #0
      Workqueue: events_unbound io_ring_exit_work
      Call trace:
       io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734
       io_req_cqe_overflow+0x5c/0x70 io_uring/io_uring.c:773
       io_fill_cqe_req io_uring/io_uring.h:168 [inline]
       io_do_iopoll+0x474/0x62c io_uring/rw.c:1065
       io_iopoll_try_reap_events+0x6c/0x108 io_uring/io_uring.c:1513
       io_uring_try_cancel_requests+0x13c/0x258 io_uring/io_uring.c:3056
       io_ring_exit_work+0xec/0x390 io_uring/io_uring.c:2869
       process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
       worker_thread+0x340/0x610 kernel/workqueue.c:2436
       kthread+0x12c/0x158 kernel/kthread.c:376
       ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:863
      
      There is no real problem for normal IOPOLL as flush is also called with
      uring_lock taken, but it's getting more complicated for IOPOLL|SQPOLL,
      for which __io_cqring_overflow_flush() happens from the CQ waiting path.
      
      Reported-and-tested-by: syzbot+6805087452d72929404e@syzkaller.appspotmail.com
      Cc: stable@vger.kernel.org # 5.10+
      Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      544d163d
    • Linus Torvalds's avatar
      Merge tag 'sound-6.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 689968db
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "This became a slightly big update, but it's more or less expected, as
        the first batch after holidays.
      
        All changes (but for the last two last-minute fixes) have been stewed
        in linux-next long enough, so it's fairly safe to take:
      
         - PCM UAF fix in 32bit compat layer
      
         - ASoC board-specific fixes for Intel, AMD, Medathek, Qualcomm
      
         - SOF power management fixes
      
         - ASoC Intel link failure fixes
      
         - A series of fixes for USB-audio regressions
      
         - CS35L41 HD-audio codec regression fixes
      
         - HD-audio device-specific fixes / quirks
      
        Note that one SPI patch has been taken in ASoC subtree mistakenly, and
        the same fix is found in spi tree, but it should be OK to apply"
      
      * tag 'sound-6.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (39 commits)
        ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
        ALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate()
        ALSA: hda/realtek: Enable mute/micmute LEDs on HP Spectre x360 13-aw0xxx
        ASoC: fsl-asoc-card: Fix naming of AC'97 CODEC widgets
        ASoC: fsl_ssi: Rename AC'97 streams to avoid collisions with AC'97 CODEC
        ALSA: hda/hdmi: Add a HP device 0x8715 to force connect list
        ALSA: control-led: use strscpy in set_led_id()
        ALSA: usb-audio: Always initialize fixed_rate in snd_usb_find_implicit_fb_sync_format()
        ASoC: dt-bindings: qcom,lpass-tx-macro: correct clocks on SC7280
        ASoC: dt-bindings: qcom,lpass-wsa-macro: correct clocks on SM8250
        ASoC: qcom: Fix building APQ8016 machine driver without SOUNDWIRE
        ALSA: hda: cs35l41: Check runtime suspend capability at runtime_idle
        ALSA: hda: cs35l41: Don't return -EINVAL from system suspend/resume
        ASoC: fsl_micfil: Correct the number of steps on SX controls
        ALSA: hda/realtek: fix mute/micmute LEDs don't work for a HP platform
        Revert "ALSA: usb-audio: Drop superfluous interface setup at parsing"
        ALSA: usb-audio: More refactoring of hw constraint rules
        ALSA: usb-audio: Relax hw constraints for implicit fb sync
        ALSA: usb-audio: Make sure to stop endpoints before closing EPs
        ALSA: hda - Enable headset mic on another Dell laptop with ALC3254
        ...
      689968db
    • Linus Torvalds's avatar
      Merge tag 'pm-6.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · d863f053
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix assorted issues in the ARM cpufreq drivers and in the AMD
        P-state driver.
      
        Specifics:
      
         - Fix cpufreq policy reference counting in amd-pstate to prevent it
           from crashing on removal (Perry Yuan)
      
         - Fix double initialization and set suspend-freq for Apple's cpufreq
           driver (Arnd Bergmann, Hector Martin)
      
         - Fix reading of "reg" property, update cpufreq-dt's blocklist and
           update DT documentation for Qualcomm's cpufreq driver (Konrad
           Dybcio, Krzysztof Kozlowski)
      
         - Replace 0 with NULL in the Armada cpufreq driver (Miles Chen)
      
         - Fix potential overflows in the CPPC cpufreq driver (Pierre Gondois)
      
         - Update blocklist for the Tegra234 Soc cpufreq driver (Sumit Gupta)"
      
      * tag 'pm-6.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: amd-pstate: fix kernel hang issue while amd-pstate unregistering
        cpufreq: armada-37xx: stop using 0 as NULL pointer
        cpufreq: apple-soc: Switch to the lowest frequency on suspend
        dt-bindings: cpufreq: cpufreq-qcom-hw: document interrupts
        cpufreq: Add SM6375 to cpufreq-dt-platdev blocklist
        cpufreq: Add Tegra234 to cpufreq-dt-platdev blocklist
        cpufreq: qcom-hw: Fix reading "reg" with address/size-cells != 2
        cpufreq: CPPC: Add u64 casts to avoid overflowing
        cpufreq: apple: remove duplicate intializer
      d863f053
    • Linus Torvalds's avatar
      Merge tag 'acpi-6.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · cdbbca25
      Linus Torvalds authored
      Pull ACPI fixes from Rafael Wysocki:
       "These add one more ACPI IRQ override quirk, improve ACPI companion
        lookup for backlight devices and add missing kernel command line
        option values for backlight detection.
      
        Specifics:
      
         - Improve ACPI companion lookup for backlight devices in the cases
           when there is more than one candidate ACPI device object (Hans de
           Goede)
      
         - Add missing support for manual selection of NVidia-WMI-EC or Apple
           GMUX backlight in the kernel command line to the ACPI backlight
           driver (Hans de Goede)
      
         - Skip ACPI IRQ override on Asus Expertbook B2402CBA (Tamim Khan)"
      
      * tag 'acpi-6.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: Fix selecting wrong ACPI fwnode for the iGPU on some Dell laptops
        ACPI: video: Allow selecting NVidia-WMI-EC or Apple GMUX backlight from the cmdline
        ACPI: resource: Skip IRQ override on Asus Expertbook B2402CBA
      cdbbca25
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v6.2-2' of... · 0d0833e0
      Linus Torvalds authored
      Merge tag 'platform-drivers-x86-v6.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
      
      Pull x86 platform driver fixes from Hans de Goede:
       "A set of assorted fixes and hardware-id additions"
      
      * tag 'platform-drivers-x86-v6.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
        platform/x86: thinkpad_acpi: Fix profile mode display in AMT mode
        platform/x86: int3472/discrete: Ensure the clk/power enable pins are in output mode
        platform/x86/amd: Fix refcount leak in amd_pmc_probe
        platform/x86: intel/pmc/core: Add Meteor Lake mobile support
        platform/x86: simatic-ipc: add another model
        platform/x86: simatic-ipc: correct name of a model
        platform/x86: dell-privacy: Only register SW_CAMERA_LENS_COVER if present
        platform/x86: dell-privacy: Fix SW_CAMERA_LENS_COVER reporting
        platform/x86: asus-wmi: Don't load fan curves without fan
        platform/x86: asus-wmi: Ignore fan on E410MA
        platform/x86: asus-wmi: Add quirk wmi_ignore_fan
        platform/x86: asus-nb-wmi: Add alternate mapping for KEY_SCREENLOCK
        platform/x86: asus-nb-wmi: Add alternate mapping for KEY_CAMERA
        platform/surface: aggregator: Add missing call to ssam_request_sync_free()
        platform/surface: aggregator: Ignore command messages not intended for us
        platform/x86: touchscreen_dmi: Add info for the CSL Panther Tab HD
        platform/x86: ideapad-laptop: Add Legion 5 15ARH05 DMI id to set_fn_lock_led_list[]
        platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight during probe
      0d0833e0
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2023-01-13' of git://anongit.freedesktop.org/drm/drm · ff5ebafd
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "There is a bit of a post-holiday build up here I expect, small fixes
        across the board, amdgpu and msm being the main leaders, with others
        having a few. One code removal patch for nouveau:
      
        buddy:
         - benchmark regression fix for top-down buddy allocation
      
        panel:
         - add Lenovo panel orientation quirk
      
        ttm:
         - fix kernel oops regression
      
        amdgpu:
         - fix missing fence references
         - fix missing pipeline sync fencing
         - SMU13 fan speed fix
         - SMU13 fix power cap handling
         - SMU13 BACO fix
         - Fix a possible segfault in bo validation error case
         - Delay removal of firmware framebuffer
         - Fix error when unloading
      
        amdkfd:
         - SVM fix when clearing vram
         - GC11 fix for multi-GPU
      
        i915:
         - Reserve enough fence slot for i915_vma_unbind_vsync
         - Fix potential use after free
         - Reset engines twice in case of reset failure
         - Use multi-cast registers for SVG Unit registers
      
        msm:
         - display:
         - doc warning fixes
         - dt attribs cleanups
         - memory leak fix
         - error handing in hdmi probe fix
         - dp_aux_isr incorrect signalling fix
         - shutdown path fix
         - accel:
         - a5xx: fix quirks to be a bitmask
         - a6xx: fix gx halt to avoid 1s hang
         - kexec shutdown fix
         - fix potential double free
      
        vmwgfx:
         - drop rcu usage to make code more robust
      
        virtio:
         - fix use-after-free in gem handle code
      
        nouveau:
         - drop unused nouveau_fbcon.c"
      
      * tag 'drm-fixes-2023-01-13' of git://anongit.freedesktop.org/drm/drm: (35 commits)
        drm: Optimize drm buddy top-down allocation method
        drm/ttm: Fix a regression causing kernel oops'es
        drm/i915/gt: Cover rest of SVG unit MCR registers
        drm/nouveau: Remove file nouveau_fbcon.c
        drm/amdkfd: Fix NULL pointer error for GC 11.0.1 on mGPU
        drm/amd/pm/smu13: BACO is supported when it's in BACO state
        drm/amdkfd: Add sync after creating vram bo
        drm/i915/gt: Reset twice
        drm/amdgpu: fix pipeline sync v2
        drm/vmwgfx: Remove rcu locks from user resources
        drm/virtio: Fix GEM handle creation UAF
        drm/amdgpu: Fixed bug on error when unloading amdgpu
        drm/amd: Delay removal of the firmware framebuffer
        drm/amdgpu: Fix potential NULL dereference
        drm/i915: Fix potential context UAFs
        drm/i915: Reserve enough fence slot for i915_vma_unbind_async
        drm: Add orientation quirk for Lenovo ideapad D330-10IGL
        drm/msm/a6xx: Avoid gx gbit halt during rpm suspend
        drm/msm/adreno: Make adreno quirks not overwrite each other
        drm/msm: another fix for the headless Adreno GPU
        ...
      ff5ebafd
    • Clement Lecigne's avatar
      ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF · 56b88b50
      Clement Lecigne authored
      Takes rwsem lock inside snd_ctl_elem_read instead of snd_ctl_elem_read_user
      like it was done for write in commit 1fa4445f ("ALSA: control - introduce
      snd_ctl_notify_one() helper"). Doing this way we are also fixing the following
      locking issue happening in the compat path which can be easily triggered and
      turned into an use-after-free.
      
      64-bits:
      snd_ctl_ioctl
        snd_ctl_elem_read_user
          [takes controls_rwsem]
          snd_ctl_elem_read [lock properly held, all good]
          [drops controls_rwsem]
      
      32-bits:
      snd_ctl_ioctl_compat
        snd_ctl_elem_write_read_compat
          ctl_elem_write_read
            snd_ctl_elem_read [missing lock, not good]
      
      CVE-2023-0266 was assigned for this issue.
      
      Cc: stable@kernel.org # 5.13+
      Signed-off-by: default avatarClement Lecigne <clecigne@google.com>
      Reviewed-by: default avatarJaroslav Kysela <perex@perex.cz>
      Link: https://lore.kernel.org/r/20230113120745.25464-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      56b88b50
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · d45b832d
      Linus Torvalds authored
      Pull arm64 fixes from Will Deacon:
       "Here's a sizeable batch of Friday the 13th arm64 fixes for -rc4. What
        could possibly go wrong?
      
        The obvious reason we have so much here is because of the holiday
        season right after the merge window, but we've also brought back an
        erratum workaround that was previously dropped at the last minute and
        there's an MTE coredumping fix that strays outside of the arch/arm64
        directory.
      
        Summary:
      
         - Fix PAGE_TABLE_CHECK failures on hugepage splitting path
      
         - Fix PSCI encoding of MEM_PROTECT_RANGE function in UAPI header
      
         - Fix NULL deref when accessing debugfs node if PSCI is not present
      
         - Fix MTE core dumping when VMA list is being updated concurrently
      
         - Fix SME signal frame handling when SVE is not implemented by the
           CPU
      
         - Fix asm constraints for cmpxchg_double() to hazard both words
      
         - Fix build failure with stack tracer and older versions of Clang
      
         - Bring back workaround for Cortex-A715 erratum 2645198"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: Fix build with CC=clang, CONFIG_FTRACE=y and CONFIG_STACK_TRACER=y
        arm64/mm: Define dummy pud_user_exec() when using 2-level page-table
        arm64: errata: Workaround possible Cortex-A715 [ESR|FAR]_ELx corruption
        firmware/psci: Don't register with debugfs if PSCI isn't available
        firmware/psci: Fix MEM_PROTECT_RANGE function numbers
        arm64/signal: Always allocate SVE signal frames on SME only systems
        arm64/signal: Always accept SVE signal frames on SME only systems
        arm64/sme: Fix context switch for SME only systems
        arm64: cmpxchg_double*: hazard against entire exchange variable
        arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning
        arm64: mte: Avoid the racy walk of the vma list during core dump
        elfcore: Add a cprm parameter to elf_core_extra_{phdrs,data_size}
        arm64: mte: Fix double-freeing of the temporary tag storage during coredump
        arm64: ptrace: Use ARM64_SME to guard the SME register enumerations
        arm64/mm: add pud_user_exec() check in pud_user_accessible_page()
        arm64/mm: fix incorrect file_map_count for invalid pmd
      d45b832d
    • Mark Pearson's avatar
      platform/x86: thinkpad_acpi: Fix profile mode display in AMT mode · fde5f74c
      Mark Pearson authored
      Recently AMT mode was enabled (somewhat unexpectedly) on the Lenovo
      Z13 platform. The FW is advertising it is available and the driver tries
      to use it - unfortunately it reports the profile mode incorrectly.
      
      Note, there is also some extra work needed to enable the dynamic aspect
      of AMT support that I will be following up with; but more testing is
      needed first. This patch just fixes things so the profiles are reported
      correctly.
      
      Link: https://gitlab.freedesktop.org/hadess/power-profiles-daemon/-/issues/115
      Fixes: 46dcbc61 ("platform/x86: thinkpad-acpi: Add support for automatic mode transitions")
      Reviewed-by: default avatarMario Limonciello <mario.limonciello@amd.com>
      Signed-off-by: default avatarMark Pearson <mpearson-lenovo@squebb.ca>
      Link: https://lore.kernel.org/r/20230112221228.490946-1-mpearson-lenovo@squebb.caReviewed-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      fde5f74c
    • Rafael J. Wysocki's avatar
      Merge branches 'acpi-resource' and 'acpi-video' · df3a71ab
      Rafael J. Wysocki authored
      Merge an ACPI resource management quirk and an ACPI backlight driver fix
      for 6.2-rc4:
      
       - Skip ACPI  IRQ override on Asus Expertbook B2402CBA (Tamim Khan).
      
       - Add missing support for manual selection of NVidia-WMI-EC or Apple
         GMUX backlight in the kernel command line to the ACPI backlight
         driver (Hans de Goede).
      
      * acpi-resource:
        ACPI: resource: Skip IRQ override on Asus Expertbook B2402CBA
      
      * acpi-video:
        ACPI: video: Allow selecting NVidia-WMI-EC or Apple GMUX backlight from the cmdline
      df3a71ab
    • Jaroslav Kysela's avatar
      ALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate() · 92a9c0ad
      Jaroslav Kysela authored
      The subs function argument may be NULL, so do not use it before the NULL check.
      
      Fixes: 291e9da9 ("ALSA: usb-audio: Always initialize fixed_rate in snd_usb_find_implicit_fb_sync_format()")
      Reported-by: default avatarcoverity-bot <keescook@chromium.org>
      Link: https://lore.kernel.org/alsa-devel/202301121424.4A79A485@keescook/Signed-off-by: default avatarJaroslav Kysela <perex@perex.cz>
      Link: https://lore.kernel.org/r/20230113085311.623325-1-perex@perex.czSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      92a9c0ad
    • Dave Airlie's avatar
      Merge tag 'drm-msm-fixes-2023-01-12' of https://gitlab.freedesktop.org/drm/msm into drm-fixes · e695bc7e
      Dave Airlie authored
      msm-fixes for v6.3-rc4
      
      Display Fixes:
      
      - Fix the documentation for dpu_encoder_phys_wb_init() and
        dpu_encoder_phys_wb_setup_fb() APIs to address doc warnings
      - Remove vcca-supply and vdds-supply as mandatory for 14nm PHY and
        10nm PHY DT schemas respectively as they are not present on some
        SOCs using these PHYs
      - Add the dsi-phy-regulator-ldo-mode to dsi-phy-28nm.yaml as it was
        missed out during txt to yaml migration
      - Remove operating-points-v2 and power-domain as a required property
        for the DSI controller as thats not the case for every SOC
      - Fix the description from display escape clock to display core
        clock in the dsi controller yaml
      - Fix the memory leak for mdp1-mem path for the cases when we return
        early after failing to get mdp0-mem ICC paths for msm
      - Fix error handling path in msm_hdmi_dev_probe() to release the phy
        ref count when devm_pm_runtime_enable() fails
      - Fix the dp_aux_isr() routine to make sure it doesnt incorrectly
        signal the aux transaction as complete if the ISR was not an AUX
        isr. This fixes a big hitter stability bug on chromebooks.
      - Add protection against null pointer dereference when there is no
        kms object as in the case of headless adreno GPU in the shutdown
        path.
      
      GPU Fixes:
      
      - a5xx: fix quirks to actually be a bitmask and not overwrite each
        other
      - a6xx: fix gx halt sequence to avoid 1000ms hang on some devices
      - kexec shutdown fix
      - fix potential double free
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Rob Clark <robdclark@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/CAF6AEGv7=in_MHW3kdkhqh7ZFoVCmnikmr29YYHCXR=7aOEneg@mail.gmail.com
      e695bc7e
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2023-01-12' of... · 51883883
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2023-01-12' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      - Reserve enough fence slot for i915_vma_unbind_vsync (Nirmoy)
      - Fix potential use after free (Rob Clark)
      - Reset engines twice in case of reset failure (Chris)
      - Use multi-cast registers for SVG Unit registers (Gustavo)
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/Y8AbHelGeXc5eQ8U@intel.com
      51883883
    • Dave Airlie's avatar
      Merge tag 'amd-drm-fixes-6.2-2023-01-11' of... · 28d31e1a
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-6.2-2023-01-11' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
      
      amd-drm-fixes-6.2-2023-01-11:
      
      amdgpu:
      - SMU13 fan speed fix
      - SMU13 fix power cap handling
      - SMU13 BACO fix
      - Fix a possible segfault in bo validation error case
      - Delay removal of firmware framebuffer
      - Fix error when unloading
      
      amdkfd:
      - SVM fix when clearing vram
      - GC11 fix for multi-GPU
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Alex Deucher <alexander.deucher@amd.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230112033004.8184-1-alexander.deucher@amd.com
      28d31e1a
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2023-01-12' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · a2837733
      Dave Airlie authored
      Several fixes for amdgpu (all addressing issues with fences), yet
      another orientation quirk for a Lenovo device, a use-after-free fix for
      virtio, a regression fix in TTM and a performance regression in drm
      buddy.
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Maxime Ripard <maxime@cerno.tech>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230112130954.pxt77g3a7rokha42@houat
      a2837733
    • Linus Torvalds's avatar
      Merge tag 'net-6.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · d9fc1511
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from rxrpc.
      
        The rxrpc changes are noticeable large: to address a recent regression
        has been necessary completing the threaded refactor.
      
        Current release - regressions:
      
         - rxrpc:
             - only disconnect calls in the I/O thread
             - move client call connection to the I/O thread
             - fix incoming call setup race
      
         - eth: mlx5:
             - restore pkt rate policing support
             - fix memory leak on updating vport counters
      
        Previous releases - regressions:
      
         - gro: take care of DODGY packets
      
         - ipv6: deduct extension header length in rawv6_push_pending_frames
      
         - tipc: fix unexpected link reset due to discovery messages
      
        Previous releases - always broken:
      
         - sched: disallow noqueue for qdisc classes
      
         - eth: ice: fix potential memory leak in ice_gnss_tty_write()
      
         - eth: ixgbe: fix pci device refcount leak
      
         - eth: mlx5:
             - fix command stats access after free
             - fix macsec possible null dereference when updating MAC security
               entity (SecY)"
      
      * tag 'net-6.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (64 commits)
        r8152: add vendor/device ID pair for Microsoft Devkit
        net: stmmac: add aux timestamps fifo clearance wait
        bnxt: make sure we return pages to the pool
        net: hns3: fix wrong use of rss size during VF rss config
        ipv6: raw: Deduct extension header length in rawv6_push_pending_frames
        net: lan966x: check for ptp to be enabled in lan966x_ptp_deinit()
        net: sched: disallow noqueue for qdisc classes
        iavf/iavf_main: actually log ->src mask when talking about it
        igc: Fix PPS delta between two synchronized end-points
        ixgbe: fix pci device refcount leak
        octeontx2-pf: Fix resource leakage in VF driver unbind
        selftests/net: l2_tos_ttl_inherit.sh: Ensure environment cleanup on failure.
        selftests/net: l2_tos_ttl_inherit.sh: Run tests in their own netns.
        selftests/net: l2_tos_ttl_inherit.sh: Set IPv6 addresses with "nodad".
        net/mlx5e: Fix macsec possible null dereference when updating MAC security entity (SecY)
        net/mlx5e: Fix macsec ssci attribute handling in offload path
        net/mlx5: E-switch, Coverity: overlapping copy
        net/mlx5e: Don't support encap rules with gbp option
        net/mlx5: Fix ptp max frequency adjustment range
        net/mlx5e: Fix memory leak on updating vport counters
        ...
      d9fc1511
  2. 12 Jan, 2023 16 commits