Merge tag 'v6.1.131' into orange-pi-6.1-rk35xx

This is the 6.1.131 stable release

* tag 'v6.1.131' of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux:
  Linux 6.1.131
  kbuild: userprogs: use correct lld when linking through clang
  vsock: Orphan socket after transport release
  vsock: Keep the binding until socket destruction
  bpf, vsock: Invoke proto::close on close()
  fs/ntfs3: Add rough attr alloc_size check
  media: mediatek: vcodec: Handle invalid decoder vsi
  scsi: lpfc: Fix a possible data race in lpfc_unregister_fcf_rescan()
  nilfs2: handle errors that nilfs_prepare_chunk() may return
  nilfs2: eliminate staggered calls to kunmap in nilfs_rename
  nilfs2: move page release outside of nilfs_delete_entry and nilfs_set_link
  spi-mxs: Fix chipselect glitch
  x86/mm: Don't disable PCID when INVLPG has been fixed by microcode
  uprobes: Fix race in uprobe_free_utask
  Revert "KVM: PPC: e500: Mark "struct page" dirty in kvmppc_e500_shadow_map()"
  Revert "KVM: PPC: e500: Mark "struct page" pfn accessed before dropping mmu_lock"
  Revert "KVM: PPC: e500: Use __kvm_faultin_pfn() to handle page faults"
  Revert "KVM: e500: always restore irqs"
  ALSA: hda: realtek: fix incorrect IS_REACHABLE() usage
  iio: adc: at91-sama5d2_adc: fix sama7g5 realbits value
  iio: dac: ad3552r: clear reset status flag
  iio: filter: admv8818: Force initialization of SDO
  drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl
  eeprom: digsy_mtc: Make GPIO lookup table match the device
  bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock
  slimbus: messaging: Free transaction ID in delayed interrupt scenario
  drivers: core: fix device leak in __fw_devlink_relax_cycles()
  intel_th: pci: Add Panther Lake-P/U support
  intel_th: pci: Add Panther Lake-H support
  intel_th: pci: Add Arrow Lake support
  mei: me: add panther lake P DID
  KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value
  usb: xhci: Enable the TRB overfetch quirk on VIA VL805
  xhci: pci: Fix indentation in the PCI device ID definitions
  usb: gadget: Check bmAttributes only if configuration is valid
  usb: gadget: Fix setting self-powered state on suspend
  usb: gadget: Set self-powered based on MaxPower and bmAttributes
  usb: typec: tcpci_rt1711h: Unmask alert interrupts to fix functionality
  usb: typec: ucsi: increase timeout for PPM reset operations
  usb: dwc3: gadget: Prevent irq storm when TH re-executes
  usb: dwc3: Set SUSPENDENABLE soon after phy init
  usb: atm: cxacru: fix a flaw in existing endpoint checks
  usb: renesas_usbhs: Flush the notify_hotplug_work
  usb: quirks: Add DELAY_INIT and NO_LPM for Prolific Mass Storage Card Reader
  usb: hub: lack of clearing xHC resources
  usb: renesas_usbhs: Use devm_usb_get_phy()
  usb: renesas_usbhs: Call clk_put()
  Revert "drivers/card_reader/rtsx_usb: Restore interrupt based detection"
  gpio: rcar: Fix missing of_node_put() call
  net: ipv6: fix missing dst ref drop in ila lwtunnel
  net: ipv6: fix dst ref loop in ila lwtunnel
  sched/fair: Fix potential memory corruption in child_cfs_rq_on_list
  ublk: set_params: properly check if parameters can be applied
  net-timestamp: support TCP GSO case for a few missing flags
  exfat: fix soft lockup in exfat_clear_bitmap
  x86/sgx: Fix size overflows in sgx_encl_create()
  vlan: enforce underlying device type
  ppp: Fix KMSAN uninit-value warning with bpf
  net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error
  be2net: fix sleeping while atomic bugs in be_ndo_bridge_getlink
  drm/sched: Fix preprocessor guard
  hwmon: fix a NULL vs IS_ERR_OR_NULL() check in xgene_hwmon_probe()
  llc: do not use skb_get() before dev_queue_xmit()
  ALSA: usx2y: validate nrpacks module parameter on probe
  hwmon: (ad7314) Validate leading zero bits and return error
  hwmon: (ntc_thermistor) Fix the ncpXXxh103 sensor table
  hwmon: (pmbus) Initialise page count in pmbus_identify()
  caif_virtio: fix wrong pointer check in cfv_probe()
  net: gso: fix ownership in __udp_gso_segment
  nvmet-tcp: Fix a possible sporadic response drops in weakly ordered arch
  bluetooth: btusb: Initialize .owner field of force_poll_sync_fops
  HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()
  HID: google: fix unused variable warning under !CONFIG_ACPI
  wifi: iwlwifi: limit printed string from FW file
  mm: don't skip arch_sync_kernel_mappings() in error paths
  mm/page_alloc: fix uninitialized variable
  block: fix conversion of GPT partition name to 7-bit
  s390/traps: Fix test_monitor_call() inline assembly
  dma: kmsan: export kmsan_handle_dma() for modules
  rapidio: fix an API misues when rio_add_net() fails
  rapidio: add check for rio_add_net() in rio_scan_alloc_net()
  wifi: nl80211: reject cooked mode if it is set along with other flags
  wifi: cfg80211: regulatory: improve invalid hints checking
  Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected()
  Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name()
  mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr
  x86/cpu: Properly parse CPUID leaf 0x2 TLB descriptor 0x63
  x86/cpu: Validate CPUID leaf 0x2 EDX output
  x86/cacheinfo: Validate CPUID leaf 0x2 EDX output
  platform/x86: thinkpad_acpi: Add battery quirk for ThinkPad X131e
  drm/radeon: Fix rs400_gpu_init for ATI mobility radeon Xpress 200M
  drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params
  ALSA: hda/realtek: update ALC222 depop optimize
  ALSA: hda/realtek - add supported Mic Mute LED for Lenovo platform
  ALSA: hda: intel: Add Dell ALC3271 to power_save denylist
  gpio: aggregator: protect driver attr handlers against module unload
  gpio: rcar: Use raw_spinlock to protect register access
  ksmbd: fix bug on trap in smb2_lock
  ksmbd: fix use-after-free in smb2_lock
  ksmbd: fix type confusion via race condition when using ipc_msg_send_request
  HID: appleir: Fix potential NULL dereference at raw event handle
  LoongArch: Convert unreachable() to BUG()
  Revert "of: reserved-memory: Fix using wrong number of cells to get property 'alignment'"
  x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range()
  x86/speculation: Add __update_spec_ctrl() helper
  cpuidle, intel_idle: Fix CPUIDLE_FLAG_IBRS
  drm/amdgpu: disable BAR resize on Dell G5 SE
  drm/amdgpu: Check extended configuration space register when system uses large bar
  ibmvnic: Inspect header requirements before using scrq direct
  ibmvnic: Perform tx CSO during send scrq direct

Signed-off-by: Khusika Dhamar Gusti <[email protected]>

Conflicts:
	drivers/usb/dwc3/core.c

Author: khusika

Makefile

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 6
 PATCHLEVEL = 1
-SUBLEVEL = 130
+SUBLEVEL = 131
 EXTRAVERSION =
 NAME = Curry Ramen
 
@@ -1127,6 +1127,11 @@ endif
 KBUILD_USERCFLAGS  += $(filter -m32 -m64 --target=%, $(KBUILD_CFLAGS))
 KBUILD_USERLDFLAGS += $(filter -m32 -m64 --target=%, $(KBUILD_CFLAGS))
 
+# userspace programs are linked via the compiler, use the correct linker
+ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_LD_IS_LLD),yy)
+KBUILD_USERLDFLAGS += $(call cc-option, --ld-path=$(LD))
+endif
+
 # make the checker run with the right architecture
 CHECKFLAGS += --arch=$(ARCH)
 

arch/loongarch/kernel/machine_kexec.c

@@ -126,14 +126,14 @@ void kexec_reboot(void)
 	/* All secondary cpus go to kexec_smp_wait */
 	if (smp_processor_id() > 0) {
 		relocated_kexec_smp_wait(NULL);
-		unreachable();
+		BUG();
 	}
 #endif
 
 	do_kexec = (void *)reboot_code_buffer;
 	do_kexec(efi_boot, cmdline_ptr, systable_ptr, start_addr, first_ind_entry);
 
-	unreachable();
+	BUG();
 }
 
 

arch/powerpc/kvm/e500_mmu_host.c

@@ -242,7 +242,7 @@ static inline int tlbe_is_writable(struct kvm_book3e_206_tlb_entry *tlbe)
 	return tlbe->mas7_3 & (MAS3_SW|MAS3_UW);
 }
 
-static inline bool kvmppc_e500_ref_setup(struct tlbe_ref *ref,
+static inline void kvmppc_e500_ref_setup(struct tlbe_ref *ref,
 					 struct kvm_book3e_206_tlb_entry *gtlbe,
 					 kvm_pfn_t pfn, unsigned int wimg)
 {
@@ -252,7 +252,11 @@ static inline bool kvmppc_e500_ref_setup(struct tlbe_ref *ref,
 	/* Use guest supplied MAS2_G and MAS2_E */
 	ref->flags |= (gtlbe->mas2 & MAS2_ATTRIB_MASK) | wimg;
 
-	return tlbe_is_writable(gtlbe);
+	/* Mark the page accessed */
+	kvm_set_pfn_accessed(pfn);
+
+	if (tlbe_is_writable(gtlbe))
+		kvm_set_pfn_dirty(pfn);
 }
 
 static inline void kvmppc_e500_ref_release(struct tlbe_ref *ref)
@@ -322,7 +326,6 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500,
 {
 	struct kvm_memory_slot *slot;
 	unsigned long pfn = 0; /* silence GCC warning */
-	struct page *page = NULL;
 	unsigned long hva;
 	int pfnmap = 0;
 	int tsize = BOOK3E_PAGESZ_4K;
@@ -334,7 +337,6 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500,
 	unsigned int wimg = 0;
 	pgd_t *pgdir;
 	unsigned long flags;
-	bool writable = false;
 
 	/* used to check for invalidations in progress */
 	mmu_seq = kvm->mmu_invalidate_seq;
@@ -444,7 +446,7 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500,
 
 	if (likely(!pfnmap)) {
 		tsize_pages = 1UL << (tsize + 10 - PAGE_SHIFT);
-		pfn = __kvm_faultin_pfn(slot, gfn, FOLL_WRITE, NULL, &page);
+		pfn = gfn_to_pfn_memslot(slot, gfn);
 		if (is_error_noslot_pfn(pfn)) {
 			if (printk_ratelimit())
 				pr_err("%s: real page not found for gfn %lx\n",
@@ -479,6 +481,7 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500,
 		if (pte_present(pte)) {
 			wimg = (pte_val(pte) >> PTE_WIMGE_SHIFT) &
 				MAS2_WIMGE_MASK;
+			local_irq_restore(flags);
 		} else {
 			local_irq_restore(flags);
 			pr_err_ratelimited("%s: pte not present: gfn %lx,pfn %lx\n",
@@ -487,18 +490,20 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500,
 			goto out;
 		}
 	}
-	local_irq_restore(flags);
+	kvmppc_e500_ref_setup(ref, gtlbe, pfn, wimg);
 
-	writable = kvmppc_e500_ref_setup(ref, gtlbe, pfn, wimg);
 	kvmppc_e500_setup_stlbe(&vcpu_e500->vcpu, gtlbe, tsize,
 				ref, gvaddr, stlbe);
 
 	/* Clear i-cache for new pages */
 	kvmppc_mmu_flush_icache(pfn);
 
 out:
-	kvm_release_faultin_page(kvm, page, !!ret, writable);
 	spin_unlock(&kvm->mmu_lock);
+
+	/* Drop refcount on page, so that mmu notifiers can clear it */
+	kvm_release_pfn_clean(pfn);
+
 	return ret;
 }
 

arch/s390/kernel/traps.c

@@ -276,10 +276,10 @@ static void __init test_monitor_call(void)
 		return;
 	asm volatile(
 		"	mc	0,0\n"
-		"0:	xgr	%0,%0\n"
+		"0:	lhi	%[val],0\n"
 		"1:\n"
-		EX_TABLE(0b,1b)
-		: "+d" (val));
+		EX_TABLE(0b, 1b)
+		: [val] "+d" (val));
 	if (!val)
 		panic("Monitor call doesn't work!\n");
 }

arch/x86/include/asm/spec-ctrl.h

@@ -4,6 +4,7 @@
 
 #include <linux/thread_info.h>
 #include <asm/nospec-branch.h>
+#include <asm/msr.h>
 
 /*
  * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR
@@ -76,6 +77,16 @@ static inline u64 ssbd_tif_to_amd_ls_cfg(u64 tifn)
 	return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL;
 }
 
+/*
+ * This can be used in noinstr functions & should only be called in bare
+ * metal context.
+ */
+static __always_inline void __update_spec_ctrl(u64 val)
+{
+	__this_cpu_write(x86_spec_ctrl_current, val);
+	native_wrmsrl(MSR_IA32_SPEC_CTRL, val);
+}
+
 #ifdef CONFIG_SMP
 extern void speculative_store_bypass_ht_init(void);
 #else

arch/x86/kernel/amd_nb.c

@@ -342,21 +342,18 @@ bool __init early_is_amd_nb(u32 device)
 
 struct resource *amd_get_mmconfig_range(struct resource *res)
 {
-	u32 address;
 	u64 base, msr;
 	unsigned int segn_busn_bits;
 
 	if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&
 	    boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)
 		return NULL;
 
-	/* assume all cpus from fam10h have mmconfig */
-	if (boot_cpu_data.x86 < 0x10)
+	/* Assume CPUs from Fam10h have mmconfig, although not all VMs do */
+	if (boot_cpu_data.x86 < 0x10 ||
+	    rdmsrl_safe(MSR_FAM10H_MMIO_CONF_BASE, &msr))
 		return NULL;
 
-	address = MSR_FAM10H_MMIO_CONF_BASE;
-	rdmsrl(address, msr);
-
 	/* mmconfig is not enabled */
 	if (!(msr & FAM10H_MMIO_CONF_ENABLE))
 		return NULL;

arch/x86/kernel/cpu/bugs.c

@@ -92,7 +92,7 @@ void update_spec_ctrl_cond(u64 val)
 		wrmsrl(MSR_IA32_SPEC_CTRL, val);
 }
 
-u64 spec_ctrl_current(void)
+noinstr u64 spec_ctrl_current(void)
 {
 	return this_cpu_read(x86_spec_ctrl_current);
 }

arch/x86/kernel/cpu/cacheinfo.c

@@ -801,7 +801,7 @@ void init_intel_cacheinfo(struct cpuinfo_x86 *c)
 			cpuid(2, &regs[0], &regs[1], &regs[2], &regs[3]);
 
 			/* If bit 31 is set, this is an unknown format */
-			for (j = 0 ; j < 3 ; j++)
+			for (j = 0 ; j < 4 ; j++)
 				if (regs[j] & (1 << 31))
 					regs[j] = 0;
 

arch/x86/kernel/cpu/intel.c

@@ -784,26 +784,37 @@ static unsigned int intel_size_cache(struct cpuinfo_x86 *c, unsigned int size)
 }
 #endif
 
-#define TLB_INST_4K	0x01
-#define TLB_INST_4M	0x02
-#define TLB_INST_2M_4M	0x03
+#define TLB_INST_4K		0x01
+#define TLB_INST_4M		0x02
+#define TLB_INST_2M_4M		0x03
 
-#define TLB_INST_ALL	0x05
-#define TLB_INST_1G	0x06
+#define TLB_INST_ALL		0x05
+#define TLB_INST_1G		0x06
 
-#define TLB_DATA_4K	0x11
-#define TLB_DATA_4M	0x12
-#define TLB_DATA_2M_4M	0x13
-#define TLB_DATA_4K_4M	0x14
+#define TLB_DATA_4K		0x11
+#define TLB_DATA_4M		0x12
+#define TLB_DATA_2M_4M		0x13
+#define TLB_DATA_4K_4M		0x14
 
-#define TLB_DATA_1G	0x16
+#define TLB_DATA_1G		0x16
+#define TLB_DATA_1G_2M_4M	0x17
 
-#define TLB_DATA0_4K	0x21
-#define TLB_DATA0_4M	0x22
-#define TLB_DATA0_2M_4M	0x23
+#define TLB_DATA0_4K		0x21
+#define TLB_DATA0_4M		0x22
+#define TLB_DATA0_2M_4M		0x23
 
-#define STLB_4K		0x41
-#define STLB_4K_2M	0x42
+#define STLB_4K			0x41
+#define STLB_4K_2M		0x42
+
+/*
+ * All of leaf 0x2's one-byte TLB descriptors implies the same number of
+ * entries for their respective TLB types.  The 0x63 descriptor is an
+ * exception: it implies 4 dTLB entries for 1GB pages 32 dTLB entries
+ * for 2MB or 4MB pages.  Encode descriptor 0x63 dTLB entry count for
+ * 2MB/4MB pages here, as its count for dTLB 1GB pages is already at the
+ * intel_tlb_table[] mapping.
+ */
+#define TLB_0x63_2M_4M_ENTRIES	32
 
 static const struct _tlb_table intel_tlb_table[] = {
 	{ 0x01, TLB_INST_4K,		32,	" TLB_INST 4 KByte pages, 4-way set associative" },
@@ -825,7 +836,8 @@ static const struct _tlb_table intel_tlb_table[] = {
 	{ 0x5c, TLB_DATA_4K_4M,		128,	" TLB_DATA 4 KByte and 4 MByte pages" },
 	{ 0x5d, TLB_DATA_4K_4M,		256,	" TLB_DATA 4 KByte and 4 MByte pages" },
 	{ 0x61, TLB_INST_4K,		48,	" TLB_INST 4 KByte pages, full associative" },
-	{ 0x63, TLB_DATA_1G,		4,	" TLB_DATA 1 GByte pages, 4-way set associative" },
+	{ 0x63, TLB_DATA_1G_2M_4M,	4,	" TLB_DATA 1 GByte pages, 4-way set associative"
+						" (plus 32 entries TLB_DATA 2 MByte or 4 MByte pages, not encoded here)" },
 	{ 0x6b, TLB_DATA_4K,		256,	" TLB_DATA 4 KByte pages, 8-way associative" },
 	{ 0x6c, TLB_DATA_2M_4M,		128,	" TLB_DATA 2 MByte or 4 MByte pages, 8-way associative" },
 	{ 0x6d, TLB_DATA_1G,		16,	" TLB_DATA 1 GByte pages, fully associative" },
@@ -925,6 +937,12 @@ static void intel_tlb_lookup(const unsigned char desc)
 		if (tlb_lld_4m[ENTRIES] < intel_tlb_table[k].entries)
 			tlb_lld_4m[ENTRIES] = intel_tlb_table[k].entries;
 		break;
+	case TLB_DATA_1G_2M_4M:
+		if (tlb_lld_2m[ENTRIES] < TLB_0x63_2M_4M_ENTRIES)
+			tlb_lld_2m[ENTRIES] = TLB_0x63_2M_4M_ENTRIES;
+		if (tlb_lld_4m[ENTRIES] < TLB_0x63_2M_4M_ENTRIES)
+			tlb_lld_4m[ENTRIES] = TLB_0x63_2M_4M_ENTRIES;
+		fallthrough;
 	case TLB_DATA_1G:
 		if (tlb_lld_1g[ENTRIES] < intel_tlb_table[k].entries)
 			tlb_lld_1g[ENTRIES] = intel_tlb_table[k].entries;
@@ -948,7 +966,7 @@ static void intel_detect_tlb(struct cpuinfo_x86 *c)
 		cpuid(2, &regs[0], &regs[1], &regs[2], &regs[3]);
 
 		/* If bit 31 is set, this is an unknown format */
-		for (j = 0 ; j < 3 ; j++)
+		for (j = 0 ; j < 4 ; j++)
 			if (regs[j] & (1 << 31))
 				regs[j] = 0;
 

arch/x86/kernel/cpu/sgx/ioctl.c

@@ -64,6 +64,13 @@ static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs)
 	struct file *backing;
 	long ret;
 
+	/*
+	 * ECREATE would detect this too, but checking here also ensures
+	 * that the 'encl_size' calculations below can never overflow.
+	 */
+	if (!is_power_of_2(secs->size))
+		return -EINVAL;
+
 	va_page = sgx_encl_grow(encl, true);
 	if (IS_ERR(va_page))
 		return PTR_ERR(va_page);