Merge tag 'v6.1.138' into orange-pi-6.1-rk35xx

This is the 6.1.138 stable release

* tag 'v6.1.138' of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux:
  Linux 6.1.138
  ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties
  ASoC: Use of_property_read_bool()
  drm/amd/display: Fix slab-use-after-free in hdcp
  drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp
  drm/amd/display: Change HDCP update sequence for DM
  drm/amd/display: Clean up style problems in amdgpu_dm_hdcp.c
  drm/amd/display: phase2 enable mst hdcp multiple displays
  iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids
  iommu/arm-smmu-v3: Use the new rb tree helpers
  dm: fix copying after src array boundaries
  irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()
  irqchip/gic-v2m: Mark a few functions __init
  Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates"
  net: phy: microchip: force IRQ polling mode for lan88xx
  ARM: dts: opos6ul: add ksz8081 phy properties
  firmware: arm_ffa: Skip Rx buffer ownership release if not acquired
  firmware: arm_scmi: Balance device refcount when destroying devices
  Revert "x86/kexec: Allocate PGD for x86_64 transition page tables separately"
  sch_ets: make est_qlen_notify() idempotent
  sch_qfq: make qfq_qlen_notify() idempotent
  sch_hfsc: make hfsc_qlen_notify() idempotent
  sch_drr: make drr_qlen_notify() idempotent
  sch_htb: make htb_qlen_notify() idempotent
  PCI: imx6: Skip controller_id generation logic for i.MX7D
  md: move initialization and destruction of 'io_acct_set' to md.c
  net: vertexcom: mse102x: Fix RX error handling
  net: vertexcom: mse102x: Add range check for CMD_RTS
  net: vertexcom: mse102x: Fix LEN_MASK
  net: vertexcom: mse102x: Fix possible stuck of SPI interrupt
  net: hns3: defer calling ptp_clock_register()
  net: hns3: fixed debugfs tm_qset size
  net: hns3: fix an interrupt residual problem
  net: hns3: store rx VLAN tag offload state for VF
  net: fec: ERR007885 Workaround for conventional TX
  net: lan743x: Fix memleak issue when GSO enabled
  nvme-tcp: fix premature queue removal and I/O failover
  bnxt_en: Fix ethtool -d byte order for 32-bit values
  bnxt_en: Fix out-of-bound memcpy() during ethtool -w
  bnxt_en: Fix coredump logic to free allocated buffer
  net: ipv6: fix UDPv6 GSO segmentation with NAT
  net: dsa: felix: fix broken taprio gate states after clock jump
  net: dlink: Correct endianness handling of led_mode
  ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr()
  net_sched: qfq: Fix double list add in class with netem as child qdisc
  net_sched: ets: Fix double list add in class with netem as child qdisc
  net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc
  net_sched: drr: Fix double list add in class with netem as child qdisc
  net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised
  net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll
  net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID
  net: mscc: ocelot: treat 802.1ad tagged traffic as 802.1Q-untagged
  net/mlx5: E-switch, Fix error handling for enabling roce
  net/mlx5: E-Switch, Initialize MAC Address for Default GID
  vxlan: vnifilter: Fix unlocked deletion of default FDB entry
  wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release
  ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence
  dm-bufio: don't schedule in atomic context
  KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop
  xfs: restrict when we try to align cow fork delalloc to cowextsz hints
  xfs: allow unlinked symlinks and dirs with zero size
  xfs: fix freeing speculative preallocations for preallocated files
  xfs: make sure sb_fdblocks is non-negative
  xfs: allow symlinks with short remote targets
  xfs: convert delayed extents to unwritten when zeroing post eof blocks
  xfs: make xfs_bmapi_convert_delalloc() to allocate the target offset
  xfs: make the seq argument to xfs_bmapi_convert_delalloc() optional
  xfs: match lock mode in xfs_buffered_write_iomap_begin()
  xfs: revert commit 44af6c7e59b12
  xfs: validate recovered name buffers when recovering xattr items
  xfs: check opcode and iovec count match in xlog_recover_attri_commit_pass2
  xfs: require XFS_SB_FEAT_INCOMPAT_LOG_XATTRS for attr log intent item recovery
  xfs: remove a racy if_bytes check in xfs_reflink_end_cow_extent
  xfs: fix xfs_bmap_add_extent_delay_real for partial conversions
  xfs: fix error returns from xfs_bmapi_write
  tracing: Fix oob write in trace_seq_to_buffer()
  cpufreq: Fix setting policy limits when frequency tables are used
  cpufreq: Avoid using inconsistent policy->min and policy->max
  ksmbd: fix use-after-free in kerberos authentication
  platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug
  iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57)
  iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid
  dm: always update the array size in realloc_argv on success
  dm-integrity: fix a warning on invalid table line
  wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()
  mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe
  irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs
  amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload
  perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value.
  parisc: Fix double SIGFPE crash
  arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays
  i2c: imx-lpi2c: Fix clock count when probe defers
  EDAC/altera: Set DDR and SDMMC interrupt mask before registration
  EDAC/altera: Test the correct error reg offset
  drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()
  ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset
  Revert "rndis_host: Flag RNDIS modems as WWAN devices"

Signed-off-by: Khusika Dhamar Gusti <[email protected]>

Author: khusika

Makefile

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 6
 PATCHLEVEL = 1
-SUBLEVEL = 137
+SUBLEVEL = 138
 EXTRAVERSION =
 NAME = Curry Ramen
 

arch/arm/boot/dts/imx6ul-imx6ull-opos6ul.dtsi

@@ -40,6 +40,9 @@
 			reg = <1>;
 			interrupt-parent = <&gpio4>;
 			interrupts = <16 IRQ_TYPE_LEVEL_LOW>;
+			micrel,led-mode = <1>;
+			clocks = <&clks IMX6UL_CLK_ENET_REF>;
+			clock-names = "rmii-ref";
 			status = "okay";
 		};
 	};

arch/arm64/kernel/proton-pack.c

@@ -891,10 +891,12 @@ static u8 spectre_bhb_loop_affected(void)
 	static const struct midr_range spectre_bhb_k132_list[] = {
 		MIDR_ALL_VERSIONS(MIDR_CORTEX_X3),
 		MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
+		{},
 	};
 	static const struct midr_range spectre_bhb_k38_list[] = {
 		MIDR_ALL_VERSIONS(MIDR_CORTEX_A715),
 		MIDR_ALL_VERSIONS(MIDR_CORTEX_A720),
+		{},
 	};
 	static const struct midr_range spectre_bhb_k32_list[] = {
 		MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),

arch/parisc/math-emu/driver.c

@@ -103,9 +103,19 @@ handle_fpe(struct pt_regs *regs)
 
 	memcpy(regs->fr, frcopy, sizeof regs->fr);
 	if (signalcode != 0) {
-	    force_sig_fault(signalcode >> 24, signalcode & 0xffffff,
-			    (void __user *) regs->iaoq[0]);
-	    return -1;
+		int sig = signalcode >> 24;
+
+		if (sig == SIGFPE) {
+			/*
+			 * Clear floating point trap bit to avoid trapping
+			 * again on the first floating-point instruction in
+			 * the userspace signal handler.
+			 */
+			regs->fr[0] &= ~(1ULL << 38);
+		}
+		force_sig_fault(sig, signalcode & 0xffffff,
+				(void __user *) regs->iaoq[0]);
+		return -1;
 	}
 
 	return signalcode ? -1 : 0;

arch/x86/events/intel/core.c

@@ -4177,7 +4177,7 @@ static struct perf_guest_switch_msr *intel_guest_get_msrs(int *nr, void *data)
 	arr[pebs_enable] = (struct perf_guest_switch_msr){
 		.msr = MSR_IA32_PEBS_ENABLE,
 		.host = cpuc->pebs_enabled & ~cpuc->intel_ctrl_guest_mask,
-		.guest = pebs_mask & ~cpuc->intel_ctrl_host_mask,
+		.guest = pebs_mask & ~cpuc->intel_ctrl_host_mask & kvm_pmu->pebs_enable,
 	};
 
 	if (arr[pebs_enable].host) {

arch/x86/include/asm/kexec.h

@@ -16,7 +16,6 @@
 # define PAGES_NR		4
 #endif
 
-# define KEXEC_CONTROL_PAGE_SIZE	4096
 # define KEXEC_CONTROL_CODE_MAX_SIZE	2048
 
 #ifndef __ASSEMBLY__
@@ -45,6 +44,7 @@ struct kimage;
 /* Maximum address we can use for the control code buffer */
 # define KEXEC_CONTROL_MEMORY_LIMIT TASK_SIZE
 
+# define KEXEC_CONTROL_PAGE_SIZE	4096
 
 /* The native architecture */
 # define KEXEC_ARCH KEXEC_ARCH_386
@@ -59,6 +59,9 @@ struct kimage;
 /* Maximum address we can use for the control pages */
 # define KEXEC_CONTROL_MEMORY_LIMIT     (MAXMEM-1)
 
+/* Allocate one page for the pdp and the second for the code */
+# define KEXEC_CONTROL_PAGE_SIZE  (4096UL + 4096UL)
+
 /* The native architecture */
 # define KEXEC_ARCH KEXEC_ARCH_X86_64
 #endif
@@ -143,19 +146,6 @@ struct kimage_arch {
 };
 #else
 struct kimage_arch {
-	/*
-	 * This is a kimage control page, as it must not overlap with either
-	 * source or destination address ranges.
-	 */
-	pgd_t *pgd;
-	/*
-	 * The virtual mapping of the control code page itself is used only
-	 * during the transition, while the current kernel's pages are all
-	 * in place. Thus the intermediate page table pages used to map it
-	 * are not control pages, but instead just normal pages obtained
-	 * with get_zeroed_page(). And have to be tracked (below) so that
-	 * they can be freed.
-	 */
 	p4d_t *p4d;
 	pud_t *pud;
 	pmd_t *pmd;

arch/x86/include/asm/kvm-x86-ops.h

@@ -47,6 +47,7 @@ KVM_X86_OP(set_idt)
 KVM_X86_OP(get_gdt)
 KVM_X86_OP(set_gdt)
 KVM_X86_OP(sync_dirty_debug_regs)
+KVM_X86_OP(set_dr6)
 KVM_X86_OP(set_dr7)
 KVM_X86_OP(cache_reg)
 KVM_X86_OP(get_rflags)

arch/x86/include/asm/kvm_host.h

@@ -1499,6 +1499,7 @@ struct kvm_x86_ops {
 	void (*get_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt);
 	void (*set_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt);
 	void (*sync_dirty_debug_regs)(struct kvm_vcpu *vcpu);
+	void (*set_dr6)(struct kvm_vcpu *vcpu, unsigned long value);
 	void (*set_dr7)(struct kvm_vcpu *vcpu, unsigned long value);
 	void (*cache_reg)(struct kvm_vcpu *vcpu, enum kvm_reg reg);
 	unsigned long (*get_rflags)(struct kvm_vcpu *vcpu);

arch/x86/kernel/machine_kexec_64.c

@@ -149,8 +149,7 @@ static void free_transition_pgtable(struct kimage *image)
 	image->arch.pte = NULL;
 }
 
-static int init_transition_pgtable(struct kimage *image, pgd_t *pgd,
-				   unsigned long control_page)
+static int init_transition_pgtable(struct kimage *image, pgd_t *pgd)
 {
 	pgprot_t prot = PAGE_KERNEL_EXEC_NOENC;
 	unsigned long vaddr, paddr;
@@ -161,7 +160,7 @@ static int init_transition_pgtable(struct kimage *image, pgd_t *pgd,
 	pte_t *pte;
 
 	vaddr = (unsigned long)relocate_kernel;
-	paddr = control_page;
+	paddr = __pa(page_address(image->control_code_page)+PAGE_SIZE);
 	pgd += pgd_index(vaddr);
 	if (!pgd_present(*pgd)) {
 		p4d = (p4d_t *)get_zeroed_page(GFP_KERNEL);
@@ -220,7 +219,7 @@ static void *alloc_pgt_page(void *data)
 	return p;
 }
 
-static int init_pgtable(struct kimage *image, unsigned long control_page)
+static int init_pgtable(struct kimage *image, unsigned long start_pgtable)
 {
 	struct x86_mapping_info info = {
 		.alloc_pgt_page	= alloc_pgt_page,
@@ -229,12 +228,12 @@ static int init_pgtable(struct kimage *image, unsigned long control_page)
 		.kernpg_flag	= _KERNPG_TABLE_NOENC,
 	};
 	unsigned long mstart, mend;
+	pgd_t *level4p;
 	int result;
 	int i;
 
-	image->arch.pgd = alloc_pgt_page(image);
-	if (!image->arch.pgd)
-		return -ENOMEM;
+	level4p = (pgd_t *)__va(start_pgtable);
+	clear_page(level4p);
 
 	if (cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT)) {
 		info.page_flag   |= _PAGE_ENC;
@@ -248,8 +247,8 @@ static int init_pgtable(struct kimage *image, unsigned long control_page)
 		mstart = pfn_mapped[i].start << PAGE_SHIFT;
 		mend   = pfn_mapped[i].end << PAGE_SHIFT;
 
-		result = kernel_ident_mapping_init(&info, image->arch.pgd,
-						   mstart, mend);
+		result = kernel_ident_mapping_init(&info,
+						 level4p, mstart, mend);
 		if (result)
 			return result;
 	}
@@ -264,8 +263,8 @@ static int init_pgtable(struct kimage *image, unsigned long control_page)
 		mstart = image->segment[i].mem;
 		mend   = mstart + image->segment[i].memsz;
 
-		result = kernel_ident_mapping_init(&info, image->arch.pgd,
-						   mstart, mend);
+		result = kernel_ident_mapping_init(&info,
+						 level4p, mstart, mend);
 
 		if (result)
 			return result;
@@ -275,19 +274,15 @@ static int init_pgtable(struct kimage *image, unsigned long control_page)
 	 * Prepare EFI systab and ACPI tables for kexec kernel since they are
 	 * not covered by pfn_mapped.
 	 */
-	result = map_efi_systab(&info, image->arch.pgd);
+	result = map_efi_systab(&info, level4p);
 	if (result)
 		return result;
 
-	result = map_acpi_tables(&info, image->arch.pgd);
+	result = map_acpi_tables(&info, level4p);
 	if (result)
 		return result;
 
-	/*
-	 * This must be last because the intermediate page table pages it
-	 * allocates will not be control pages and may overlap the image.
-	 */
-	return init_transition_pgtable(image, image->arch.pgd, control_page);
+	return init_transition_pgtable(image, level4p);
 }
 
 static void load_segments(void)
@@ -304,14 +299,14 @@ static void load_segments(void)
 
 int machine_kexec_prepare(struct kimage *image)
 {
-	unsigned long control_page;
+	unsigned long start_pgtable;
 	int result;
 
 	/* Calculate the offsets */
-	control_page = page_to_pfn(image->control_code_page) << PAGE_SHIFT;
+	start_pgtable = page_to_pfn(image->control_code_page) << PAGE_SHIFT;
 
 	/* Setup the identity mapped 64bit page table */
-	result = init_pgtable(image, control_page);
+	result = init_pgtable(image, start_pgtable);
 	if (result)
 		return result;
 
@@ -358,12 +353,13 @@ void machine_kexec(struct kimage *image)
 #endif
 	}
 
-	control_page = page_address(image->control_code_page);
+	control_page = page_address(image->control_code_page) + PAGE_SIZE;
 	__memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
 
 	page_list[PA_CONTROL_PAGE] = virt_to_phys(control_page);
 	page_list[VA_CONTROL_PAGE] = (unsigned long)control_page;
-	page_list[PA_TABLE_PAGE] = (unsigned long)__pa(image->arch.pgd);
+	page_list[PA_TABLE_PAGE] =
+	  (unsigned long)__pa(page_address(image->control_code_page));
 
 	if (image->type == KEXEC_TYPE_DEFAULT)
 		page_list[PA_SWAP_PAGE] = (page_to_pfn(image->swap_page)
@@ -582,7 +578,8 @@ static void kexec_mark_crashkres(bool protect)
 
 	/* Don't touch the control code page used in crash_kexec().*/
 	control = PFN_PHYS(page_to_pfn(kexec_crash_image->control_code_page));
-	kexec_mark_range(crashk_res.start, control - 1, protect);
+	/* Control code page is located in the 2nd page. */
+	kexec_mark_range(crashk_res.start, control + PAGE_SIZE - 1, protect);
 	control += KEXEC_CONTROL_PAGE_SIZE;
 	kexec_mark_range(control, crashk_res.end, protect);
 }

arch/x86/kvm/svm/svm.c

@@ -1920,11 +1920,11 @@ static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *sd)
 	svm->asid = sd->next_asid++;
 }
 
-static void svm_set_dr6(struct vcpu_svm *svm, unsigned long value)
+static void svm_set_dr6(struct kvm_vcpu *vcpu, unsigned long value)
 {
-	struct vmcb *vmcb = svm->vmcb;
+	struct vmcb *vmcb = to_svm(vcpu)->vmcb;
 
-	if (svm->vcpu.arch.guest_state_protected)
+	if (vcpu->arch.guest_state_protected)
 		return;
 
 	if (unlikely(value != vmcb->save.dr6)) {
@@ -4035,10 +4035,8 @@ static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu)
 	 * Run with all-zero DR6 unless needed, so that we can get the exact cause
 	 * of a #DB.
 	 */
-	if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT))
-		svm_set_dr6(svm, vcpu->arch.dr6);
-	else
-		svm_set_dr6(svm, DR6_ACTIVE_LOW);
+	if (likely(!(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)))
+		svm_set_dr6(vcpu, DR6_ACTIVE_LOW);
 
 	clgi();
 	kvm_load_guest_xsave_state(vcpu);
@@ -4807,6 +4805,7 @@ static struct kvm_x86_ops svm_x86_ops __initdata = {
 	.set_idt = svm_set_idt,
 	.get_gdt = svm_get_gdt,
 	.set_gdt = svm_set_gdt,
+	.set_dr6 = svm_set_dr6,
 	.set_dr7 = svm_set_dr7,
 	.sync_dirty_debug_regs = svm_sync_dirty_debug_regs,
 	.cache_reg = svm_cache_reg,