- 10 Jan, 2022 3 commits
-
-
Rafael J. Wysocki authored
Merge x86-specific ACPI updates, PMIC driver ACPI updates and a DPTF driver update for 5.17-rc1:
  - Rework the handling of device enumeration quirks in the x86-specific code and add new quirks for known-broken platforms (Hans de Goede).
  - Fix the handling of defective LPAT in the ACPI xpower PMIC driver and clean up some definitions of PMIC data structures (Hans de Goede).
  - Fix outdated comment in the ACPI DPTF driver (Sumeet Pawnikar).
* acpi-x86:
    ACPI / x86: Skip AC and battery devices on x86 Android tablets with broken DSDTs
    ACPI / x86: Introduce an acpi_quirk_skip_acpi_ac_and_battery() helper
    mmc: sdhci-acpi: Use the new soc_intel_is_byt() helper
    mmc: sdhci-acpi: Remove special handling for GPD win/pocket devices
    ACPI / x86: Add PWM2 on the Xiaomi Mi Pad 2 to the always_present list
    ACPI / x86: Add not-present quirk for the PCI0.SDHB.BRC1 device on the GPD win
    ACPI / x86: Allow specifying acpi_device_override_status() quirks by path
    ACPI: Change acpi_device_always_present() into acpi_device_override_status()
    ACPI / x86: Drop PWM2 device on Lenovo Yoga Book from always present table
* acpi-pmic:
    ACPI: PMIC: xpower: Fix _TMP ACPI errors
    ACPI: PMIC: allow drivers to provide a custom lpat_raw_to_temp() function
    ACPI: PMIC: constify all struct intel_pmic_opregion_data declarations
* acpi-dptf:
    ACPI: DPTF: Update device ID in a comment
-
Rafael J. Wysocki authored
Merge ACPI EC driver updates and ACPI processor driver updates for 5.17-rc1:
  - Rework flushing of EC work while suspended to idle and clean up the handling of events in the ACPI EC driver (Rafael Wysocki).
  - Prohibit ec_sys module parameter write_support from being used when the system is locked down (Hans de Goede).
  - Make the ACPI processor thermal driver use cpufreq_cpu_get() to check for presence of cpufreq policy (Manfred Spraul).
  - Avoid unnecessary CPU cache flushing in the ACPI processor idle driver (Kirill A. Shutemov).
  - Replace kernel.h with the necessary inclusions in the ACPI processor driver (Andy Shevchenko).
  - Use swap() instead of open coding it in the ACPI processor idle driver (Guo Zhengkui).
* acpi-ec:
    ACPI: EC: Mark the ec_sys write_support param as module_param_hw()
    ACPI: EC: Relocate acpi_ec_create_query() and drop acpi_ec_delete_query()
    ACPI: EC: Make the event work state machine visible
    ACPI: EC: Avoid queuing unnecessary work in acpi_ec_submit_event()
    ACPI: EC: Rename three functions
    ACPI: EC: Simplify locking in acpi_ec_event_handler()
    ACPI: EC: Rearrange the loop in acpi_ec_event_handler()
    ACPI: EC: Fold acpi_ec_check_event() into acpi_ec_event_handler()
    ACPI: EC: Pass one argument to acpi_ec_query()
    ACPI: EC: Call advance_transaction() from acpi_ec_dispatch_gpe()
    ACPI: EC: Rework flushing of EC work while suspended to idle
* acpi-processor:
    ACPI: processor: thermal: avoid cpufreq_get_policy()
    ACPI: processor: idle: Only flush cache on entering C3
    ACPI: processor idle: Use swap() instead of open coding it
    ACPI: processor: Replace kernel.h with the necessary inclusions
-
Rafael J. Wysocki authored
Merge ACPI device enumeration updates, ACPI power management updates and PCI host bridge ACPI driver updates for 5.17-rc1:
  - Introduce acpi_fetch_acpi_dev() as a replacement for acpi_bus_get_device() and use it in the ACPI subsystem (Rafael Wysocki).
  - Avoid using _CID for device enumeration if _HID is missing or invalid (Rafael Wysocki).
  - Rework quirk handling during ACPI device enumeration and add some new quirks for known broken platforms (Hans de Goede).
  - Avoid unnecessary or redundant CPU cache flushing during system PM transitions (Kirill A. Shutemov).
  - Add PM debug messages related to power resources (Rafael Wysocki).
  - Fix kernel-doc comment in the PCI host bridge ACPI driver (Yang Li).
* acpi-scan:
    serdev: Do not instantiate serdevs on boards with known bogus DSDT entries
    i2c: acpi: Do not instantiate I2C-clients on boards with known bogus DSDT entries
    ACPI / x86: Add acpi_quirk_skip_[i2c_client|serdev]_enumeration() helpers
    ACPI: scan: Create platform device for BCM4752 and LNV4752 ACPI nodes
    ACPI: Use acpi_fetch_acpi_dev() instead of acpi_bus_get_device()
    ACPI: scan: Introduce acpi_fetch_acpi_dev()
    ACPI: scan: Do not add device IDs from _CID if _HID is not valid
* acpi-pm:
    ACPI: PM: Remove redundant cache flushing
    ACPI: PM: Avoid CPU cache flush when entering S4
* acpi-power:
    ACPI: PM: Emit debug messages when enabling/disabling wakeup power
* acpi-pci:
    PCI/ACPI: Fix acpi_pci_osc_control_set() kernel-doc comment
-
- 04 Jan, 2022 4 commits
-
-
Sudeep Holla authored
PCC OpRegion provides a mechanism to communicate with the platform directly from the AML. PCCT provides the list of PCC channels available in the platform, a subset or all of them can be used in PCC Opregion.

This patch registers the PCC OpRegion handler before ACPI tables are loaded. This relies on the special context data passed to identify and set up the PCC channel before the OpRegion handler is executed for the first time.

Typical PCC Opregion declaration looks like this:

    OperationRegion (PFRM, PCC, 2, 0x74)
    Field (PFRM, ByteAcc, NoLock, Preserve)
    {
        SIGN, 32,
        FLGS, 32,
        LEN, 32,
        CMD, 32,
        DATA, 800
    }

It contains four named double words followed by 100 bytes of buffer named DATA.

ASL can fill out the buffer something like:

    /* Create global or local buffer */
    Name (BUFF, Buffer (0x0C){})
    /* Create double word fields over the buffer */
    CreateDWordField (BUFF, 0x0, WD0)
    CreateDWordField (BUFF, 0x04, WD1)
    CreateDWordField (BUFF, 0x08, WD2)

    /* Fill the named fields */
    WD0 = 0x50434300
    SIGN = BUFF
    WD0 = 1
    FLGS = BUFF
    WD0 = 0x10
    LEN = BUFF

    /* Fill the payload in the DATA buffer */
    WD0 = 0
    WD1 = 0x08
    WD2 = 0
    DATA = BUFF

    /* Write to CMD field to trigger handler */
    WD0 = 0x4404
    CMD = BUFF

This buffer is received by acpi_pcc_opregion_space_handler. This handler will fetch the complete buffer via internal_pcc_buffer.

The setup handler will receive the special PCC context data which will contain the PCC channel index which is used to set up the channel. The buffer pointer and length are saved in region context which is then used in the handler.

(kernel test robot: Build failure with CONFIG_ACPI_DEBUGGER)
Link: https://lore.kernel.org/r/202201041539.feAV0l27-lkp@intel.com
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Hans de Goede authored
So far all of the tablets for which the skip i2c-client/serdev enumeration quirks have been added also all have broken ACPI AC / battery devices; extend the existing quirks for these tablets to also skip the broken AC / battery devices. Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Hans de Goede authored
Some x86 ACPI boards have broken AC and battery ACPI devices in their ACPI tables. This is often tied to these devices using certain PMICs where the factory OS image seems to be using native charger and fuel-gauge drivers instead. So far both the AC and battery drivers have almost identical checks for these PMICs including both of them having a DMI based mechanism to force usage of the ACPI AC and battery drivers on some boards even though one of these PMICs is present, with the same 2 boards listed in both drivers' DMI tables for this. The only difference is that the AC driver checks for 2 PMICs and the battery driver only for one. This has grown this way because the other (Whiskey Cove) PMIC is only used on a few boards (3 known boards) and although some of these do have non working ACPI battery devices, their _STA method always returns 0, but that really should not be relied on. This patch factors out the shared checks into a new acpi_quirk_skip_acpi_ac_and_battery() helper and moves the AC and battery drivers over to this new helper. Note the DMI table is shared with acpi_quirk_skip_i2c_client_enumeration() and acpi_quirk_skip_serdev_enumeration(), because boards needing DMI quirks for either of these typically also have broken AC and battery ACPI devices. The ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY quirk is not set yet on boards already in this DMI table, to avoid introducing any functional changes in this refactoring patch. Besides sharing the code between the AC and battery drivers this refactoring also moves this quirk handling to under #ifdef CONFIG_X86, removing this x86 specific code from non x86 ACPI builds. Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Rafael J. Wysocki authored
Merge recent device enumeration changes to satisfy dependencies.
-
- 30 Dec, 2021 6 commits
-
-
Manfred Spraul authored
cpu_has_cpufreq() stores a 'struct cpufreq_policy' on the stack. Unfortunately, with debugging options enabled, the structure can be larger than 1024 bytes, which causes a compiler warning/error. (actually observed: 1184 bytes). Therefore: Switch to cpufreq_cpu_get(). Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Hans de Goede authored
x86 ACPI devices which ship with only Android as their factory image use older kernels which do not yet support ACPI serdev enumeration, as such the serdev information in their ACPI tables is not reliable. For example on the Asus ME176C tablet the serdev describing the Bluetooth HCI points to the serdev_controller connected to the GPS and the other way around. Use the new acpi_quirk_skip_serdev_enumeration() helper to identify known boards with this issue and then either abort adding the serdev controller (creating a tty cdev instead) or only create the controller leaving the instantiation of the serdev itself up to platform code. In the case where only the serdev controller is created the necessary serdevs will instead be instantiated by the drivers/platform/x86/x86-android-tablets.c kernel module. Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Hans de Goede authored
x86 ACPI devices which ship with only Android as their factory image usually declare a whole bunch of bogus I2C devices in their ACPI tables. Instantiating I2C clients for these bogus devices causes various issues, e.g. GPIO/IRQ resource conflicts because sometimes drivers do bind to them. The Android x86 kernel fork shipped on these devices has some special code to remove these bogus devices, instead of just fixing the DSDT <sigh>. Use the new acpi_quirk_skip_i2c_client_enumeration() helper to identify known boards / acpi devices with this issue, and skip enumerating these. Note these boards typically do actually have I2C devices, just different ones than the ones described in their DSDT. The devices which are actually present are manually instantiated by the drivers/platform/x86/x86-android-tablets.c kernel module. Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com> Signed-off-by: Hans de Goede <hdegoede@redhat.com> Reviewed-by: Wolfram Sang <wsa@kernel.org> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Hans de Goede authored
x86 ACPI boards which ship with only Android as their factory image usually declare a whole bunch of bogus I2C devs in their ACPI tables and sometimes there are issues with serdev devices on these boards too, e.g. the resource points to the wrong serdev_controller. Instantiating I2C / serdev devs for these bogus devs causes various issues, e.g. GPIO/IRQ resource conflicts because sometimes drivers do bind to them. The Android x86 kernel fork shipped on these devices has some special code to remove the bogus I2C clients (and serdevs are ignored completely). Introduce acpi_quirk_skip_i2c_client_enumeration() and acpi_quirk_skip_serdev_enumeration() helpers, which can be used by the I2C/serdev code to skip instantiating any I2C or serdev devs on broken boards. These 2 helpers are added to drivers/acpi/x86/utils.c so that the DMI table can be shared between the I2C and serdev code. Note these boards typically do actually have I2C and serdev devices, just different ones than the ones described in their DSDT. The devices which are actually present are manually instantiated by the drivers/platform/x86/x86-android-tablets.c kernel module. The new helpers are only built if CONFIG_X86_ANDROID_TABLETS is enabled, otherwise they are empty stubs to not unnecessarily grow the kernel size. Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Hans de Goede authored
BCM4752 and LNV4752 ACPI nodes describe a Broadcom 4752 GPS module attached to a UART of the system. The GPS modules talk a custom protocol which only works with a closed-source Android gpsd daemon which knows this protocol. The ACPI nodes also describe GPIOs to turn the GPS on/off; these are handled by the net/rfkill/rfkill-gpio.c code. This handling predates the addition of enumeration of ACPI instantiated serdevs to the kernel and was broken by that addition, because the ACPI scan code now no longer instantiates platform_device-s for these nodes. Rename the i2c_multi_instantiate_ids HID list to ignore_serial_bus_ids and add the BCM4752 and LNV4752 HIDs, so that rfkill-gpio gets a platform_device to bind to again; and so that a tty cdev for gpsd gets created for these. Fixes: e361d1f8 ("ACPI / scan: Fix enumeration for special UART devices") Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Yang Li authored
Add the description of @support and remove @req in acpi_pci_osc_control_set() kernel-doc comment to remove warnings found by running scripts/kernel-doc, which is caused by using 'make W=1'. drivers/acpi/pci_root.c:337: warning: Excess function parameter 'req' description in 'acpi_pci_osc_control_set' drivers/acpi/pci_root.c:337: warning: Function parameter or member 'support' not described in 'acpi_pci_osc_control_set' Reported-by: Abaci Robot <abaci@linux.alibaba.com> Fixes: 6bc779ee ("PCI/ACPI: Check for _OSC support in acpi_pci_osc_control_set()") Signed-off-by: Yang Li <yang.lee@linux.alibaba.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
- 27 Dec, 2021 18 commits
-
-
Bob Moore authored
ACPICA commit 90088defcb99e122edf41038ae5c901206c86dc9 Version 20211217. Link: https://github.com/acpica/acpica/commit/90088def Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Bob Moore authored
ACPICA commit 26f8c721fb01e4a26eec8c85dffcbe950d5e61a9 Add support for optional "Specific Data" field for the optional Linux-specific structure that appears at the end of an Endpoint Descriptor. Link: https://github.com/acpica/acpica/commit/26f8c721 Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Ilkka Koskinen authored
ACPICA commit cf36a6d658ca5aa8c329c2edfc3322c095ffd844 Add support for Arm Generic Diagnostic Dump and Reset Interface, which is described by "ACPI for Arm Components 1.1 Platform Design Document" ARM DEN0093. Add the necessary types in the ACPICA header files and support for compiling and decompiling the table. Link: https://github.com/acpica/acpica/commit/cf36a6d6 Signed-off-by: Ilkka Koskinen <ilkka@os.amperecomputing.com> Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Bob Moore authored
ACPICA commit 403f9965aba7ff9d2ed5b41bbffdd2a1ed0f596f Added struct acpi_pcc_info to acpi_src. Link: https://github.com/acpica/acpica/commit/403f9965 Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Bob Moore authored
ACPICA commit 86c919d2bad08491fc91ffa53e9b169092de8622 Repaired with casts. Link: https://github.com/acpica/acpica/commit/86c919d2 Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Bob Moore authored
ACPICA commit ff803279dde7a3e068a6a698d8c69503cd159ad7 To simply return (AE_BAD_PARAMETER); to fix compilation on MSVC. Link: https://github.com/acpica/acpica/commit/ff803279 Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Kirill A. Shutemov authored
ACPICA commit 3dd7e1f3996456ef81bfe14cba29860e8d42949e According to ACPI 6.4, Section 16.2, the CPU cache flushing is required on entering to S1, S2, and S3, but the ACPICA code flushes the CPU cache regardless of the sleep state. Blind cache flush on entering S5 causes problems for TDX. Flushing happens with WBINVD that is not supported in the TDX environment. TDX only supports S5 and adjusting ACPICA code to conform to the spec more strictly fixes the issue. Link: https://github.com/acpica/acpica/commit/3dd7e1f3 Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> [ rjw: Subject and changelog edits ] Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Sudeep Holla authored
ACPICA commit 55526e8a6133cbf5a9cc0fb75a95dbbac6eb98e6 PCC Opregion added in ACPI 6.3 requires special context data similar to GPIO and Generic Serial Bus as it needs to know the internal PCC buffer and its length as well as the PCC channel index when the opregion handler is being executed by the OSPM. Let's add support for the special context data needed by PCC Opregion. Link: https://github.com/acpica/acpica/commit/55526e8a Signed-off-by: Sudeep Holla <sudeep.holla@arm.com> Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Sudeep Holla authored
ACPICA commit 41be6afacfdaec2dba3a5ed368736babc2a7aa5c

With the PCC Opregion in the firmware and we are hitting below kernel crash:

    -->8
    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
    Workqueue: pm pm_runtime_work
    pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    pc : __memcpy+0x54/0x260
    lr : acpi_ex_write_data_to_field+0xb8/0x194
    Call trace:
     __memcpy+0x54/0x260
     acpi_ex_store_object_to_node+0xa4/0x1d4
     acpi_ex_store+0x44/0x164
     acpi_ex_opcode_1A_1T_1R+0x25c/0x508
     acpi_ds_exec_end_op+0x1b4/0x44c
     acpi_ps_parse_loop+0x3a8/0x614
     acpi_ps_parse_aml+0x90/0x2f4
     acpi_ps_execute_method+0x11c/0x19c
     acpi_ns_evaluate+0x1ec/0x2b0
     acpi_evaluate_object+0x170/0x2b0
     acpi_device_set_power+0x118/0x310
     acpi_dev_suspend+0xd4/0x180
     acpi_subsys_runtime_suspend+0x28/0x38
     __rpm_callback+0x74/0x328
     rpm_suspend+0x2d8/0x624
     pm_runtime_work+0xa4/0xb8
     process_one_work+0x194/0x25c
     worker_thread+0x260/0x49c
     kthread+0x14c/0x30c
     ret_from_fork+0x10/0x20
    Code: f9000006 f81f80a7 d65f03c0 361000c2 (b9400026)
    ---[ end trace 24d8a032fa77b68a ]---

The reason for the crash is that the PCC channel index passed via region.address in acpi_ex_store_object_to_node is interpreted as the channel subtype incorrectly.

Assuming the PCC op_region support is not used by any other type, let us remove the subtype check as the AML has no access to the subtype information. Once we remove it, the kernel crash disappears and correctly complains about missing PCC Opregion handler.

    ACPI Error: No handler for Region [PFRM] ((____ptrval____)) [PCC] (20210730/evregion-130)
    ACPI Error: Region PCC (ID=10) has no handler (20210730/exfldio-261)
    ACPI Error: Aborting method \_SB.ETH0._PS3 due to previous error (AE_NOT_EXIST) (20210730/psparse-531)

Link: https://github.com/acpica/acpica/commit/41be6afa
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Rafael J. Wysocki authored
ACPICA commit d984f12041392fa4156b52e2f7e5c5e7bc38ad9e If Operand[0] is a reference of the ACPI_REFCLASS_REFOF class, acpi_ex_opcode_1A_0T_1R () calls acpi_ns_get_attached_object () to obtain return_desc which may require additional resolution with the help of acpi_ex_read_data_from_field (). If the latter fails, the reference counter of the original return_desc is decremented which is incorrect, because acpi_ns_get_attached_object () does not increment the reference counter of the object returned by it. This issue may lead to premature deletion of the attached object while it is still attached and a use-after-free and crash in the host OS. For example, this may happen when on evaluation of ref_of() a local region field where there is no registered handler for the given Operation Region. Fix it by making acpi_ex_opcode_1A_0T_1R () return Status right away after an acpi_ex_read_data_from_field () failure. Link: https://github.com/acpica/acpica/commit/d984f120 Link: https://github.com/acpica/acpica/pull/685 Reported-by: Lenny Szubowicz <lszubowi@redhat.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Rafael J. Wysocki authored
ACPICA commit c11af67d8f7e3d381068ce7771322f2b5324d687 If original_count is 0 in acpi_ut_update_ref_count (), acpi_ut_delete_internal_obj () is invoked for the target object, which is incorrect, because that object has been deleted once already and the memory allocated to store it may have been reclaimed and allocated for a different purpose by the host OS. Moreover, a confusing debug message following the "Reference Count is already zero, cannot decrement" warning is printed in that case. To fix this issue, make acpi_ut_update_ref_count () return after finding that original_count is 0 and printing the above warning. Link: https://github.com/acpica/acpica/commit/c11af67d Link: https://github.com/acpica/acpica/pull/652 Reported-by: Mark Asselstine <mark.asselstine@windriver.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Shuuichirou Ishii authored
ACPICA commit 13b9327761955f6e1e5dbf748b3112940c0dc539 The byte length of the Data field in the AEST Processor generic resource substructure defined in ACPI for the Armv8 RAS Extensions 1.1 is 4Byte. However, it is defined as a pointer type, and on a 64-bit machine, it is interpreted as 8 bytes. Therefore, it is changed from a pointer type unsigned integer 1 byte to an unsigned integer 4 bytes. Link: https://github.com/acpica/acpica/commit/13b93277 Signed-off-by: Shuuichirou Ishii <ishii.shuuichir@fujitsu.com> Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Bob Moore authored
ACPICA commit 0420852ffc520b81960e877852703b739c16025c Added support for Vendor-defined microphone arrays and SNR (signal-to-noise) extension. Link: https://github.com/acpica/acpica/commit/0420852f Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Jessica Clarke authored
ACPICA commit 6bb72909c1e3d415aee214104a01bc9834b2d4ce Since the Signature member is accessed through a struct acpi_table_header, the pointer to it is only to a 4-char array, and so trying to read past the 4th character, as will be done when it is an RSDP, reads beyond the bounds of the accessed member. On CHERI, and thus Arm's experimental Morello prototype architecture, pointers are represented as capabilities, which are unforgeable bounded pointers, providing always-on fine-grained spatial memory safety. By default, subobject bounds enforcement is not enabled, only bounds on allocations, but it is enabled in the cheri_BSD (a port of free_BSD) kernel as intra-object overflow attacks are common on operating system kernels, and so this overflow is detected there and traps. Link: https://github.com/acpica/acpica/commit/6bb72909 Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Jessica Clarke authored
ACPICA commit 52abebd410945ec55afb4dd8b7150e8a39b5c960 This macro was only ever used when stuffing pointers into physical addresses and trying to later reconstruct the pointer, which is implementation-defined as to whether that can be done. Now that all such operations are gone, the macro is unused, and should be removed to avoid such practices being reintroduced. Link: https://github.com/acpica/acpica/commit/52abebd4 Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Jessica Clarke authored
ACPICA commit dfa3feffa8f760b686207d09dc880cd2f26c72af Currently the pointer to the table is cast to acpi_physical_address and later cast back to a pointer to be dereferenced. Whether or not this is supported is implementation-defined. On CHERI, and thus Arm's experimental Morello prototype architecture, pointers are represented as capabilities, which are unforgeable bounded pointers, providing always-on fine-grained spatial memory safety. This means that any pointer cast to a plain integer will lose all its associated metadata, and when cast back to a pointer it will give a null-derived pointer (one that has the same metadata as null but an address equal to the integer) that will trap on any dereference. As a result, this is an implementation where acpi_physical_address cannot be used as a hack to store real pointers. Thus, alter the lifecycle of table descriptors. Internal physical tables keep the current behaviour where only the address is set on install, and the pointer is set on acquire. Virtual tables (internal and external) now store the pointer on initialisation and use that on acquire (which will redundantly set *table_ptr to itself, but changing that is both unnecessary and overly complicated as acpi_tb_acquire_table is called with both a pointer to a variable and a pointer to Table->Pointer itself). This requires propagating the (possible) table pointer everywhere in order to make sure pointers make it through to acpi_tb_acquire_temp_table, which requires a change to the acpi_install_table interface. Instead of taking an ACPI_PHYSADDR_TYPE and a boolean indicating whether it's physical or virtual, it is now split into acpi_install_table (that takes an external virtual table pointer) and acpi_install_physical_table (that takes an ACPI_PHYSADDR_TYPE for an internal physical table address). This also has the benefit of providing a cleaner API. 
Link: https://github.com/acpica/acpica/commit/dfa3feff Signed-off-by: Bob Moore <robert.moore@intel.com> [ rjw: Adjust the code in tables.c to match interface changes ] Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Jessica Clarke authored
ACPICA commit d9eb82bd7515989f0b29d79deeeb758db4d6529c Currently the pointer to the table is cast to acpi_physical_address and later cast back to a pointer to be dereferenced. Whether or not this is supported is implementation-defined. On CHERI, and thus Arm's experimental Morello prototype architecture, pointers are represented as capabilities, which are unforgeable bounded pointers, providing always-on fine-grained spatial memory safety. This means that any pointer cast to a plain integer will lose all its associated metadata, and when cast back to a pointer it will give a null-derived pointer (one that has the same metadata as null but an address equal to the integer) that will trap on any dereference. As a result, this is an implementation where acpi_physical_address cannot be used as a hack to store real pointers. Thus, add a new field to struct acpi_object_region to store the pointer for table regions, and propagate it to acpi_ex_data_table_space_handler via the region context, to use a more portable implementation that supports CHERI. Link: https://github.com/acpica/acpica/commit/d9eb82bd Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Mark Langsdorf authored
ACPICA commit bc02c76d518135531483dfc276ed28b7ee632ce1 The current ACPI_ACCESS_*_WIDTH defines do not provide a way to test that size is small enough to not cause an overflow when applied to a 32-bit integer. Rather than adding more magic numbers, add ACPI_ACCESS_*_SHIFT, ACPI_ACCESS_*_MAX, and ACPI_ACCESS_*_DEFAULT #defines and redefine ACPI_ACCESS_*_WIDTH in terms of the new #defines. This was initially reported on Linux where a size of 102 in ACPI_ACCESS_BIT_WIDTH caused an overflow error in the SPCR initialization code. Link: https://github.com/acpica/acpica/commit/bc02c76d Signed-off-by: Mark Langsdorf <mlangsdo@redhat.com> Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
- 26 Dec, 2021 4 commits
-
-
Linus Torvalds authored
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Linus Torvalds authored
Pull x86 fixes from Borislav Petkov:
  - Prevent potential undefined behavior due to shifting pkey constants into the sign bit
  - Move the EFI memory reservation code *after* the efi= cmdline parsing has happened
  - Revert two commits which turned out to be the wrong direction to chase when accommodating early memblock reservations consolidation and command line parameters parsing
* tag 'x86_urgent_for_v5.16_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
    x86/pkey: Fix undefined behaviour with PKRU_WD_BIT
    x86/boot: Move EFI range reservation after cmdline parsing
    Revert "x86/boot: Pull up cmdline preparation and early param parsing"
    Revert "x86/boot: Mark prepare_command_line() __init"
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Linus Torvalds authored
Pull objtool fixes from Borislav Petkov:
  - Prevent clang from reordering the reachable annotation in an inline asm statement without inputs
  - Fix objtool builds on non-glibc systems due to undefined __always_inline
* tag 'objtool_urgent_for_v5.16_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
    compiler.h: Fix annotation macro misplacement with Clang
    uapi: Fix undefined __always_inline on non-glibc systems
-
git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
Linus Torvalds authored
Pull pin control fixes from Linus Walleij:
 "Some hopefully final pin control fixes for the v5.16 kernel:
  - Fix an out-of-bounds bug in the Mediatek driver
  - Fix an init order bug in the Broadcom BCM2835 driver
  - Fix a GPIO offset bug in the STM32 driver"
* tag 'pinctrl-v5.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
    pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines
    pinctrl: bcm2835: Change init order for gpio hogs
    pinctrl: mediatek: fix global-out-of-bounds issue
-
- 25 Dec, 2021 5 commits
-
-
Linus Torvalds authored
Merge tag 'hwmon-for-v5.16-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
Pull hwmon fixes from Guenter Roeck:
 "A couple of lm90 driver fixes. None of them are critical, but they should nevertheless be fixed"
* tag 'hwmon-for-v5.16-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
    hwmon: (lm90) Do not report 'busy' status bit as alarm
    hwmom: (lm90) Fix citical alarm status for MAX6680/MAX6681
    hwmon: (lm90) Drop critical attribute support for MAX6654
    hwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations
    hwmon: (lm90) Fix usage of CONFIG2 register in detect function
-
git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Linus Torvalds authored
Pull input fixes from Dmitry Torokhov:
 "A few small updates to drivers. Of note we are now deferring probes of i8042 on some Asus devices as the controller is not ready to respond to queries first time around when the driver is compiled into the kernel"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
    Input: elants_i2c - do not check Remark ID on eKTH3900/eKTH5312
    Input: atmel_mxt_ts - fix double free in mxt_read_info_block
    Input: goodix - fix memory leak in goodix_firmware_upload
    Input: goodix - add id->model mapping for the "9111" model
    Input: goodix - try not to touch the reset-pin on x86/ACPI devices
    Input: i8042 - enable deferred probe quirk for ASUS UM325UA
    Input: elantech - fix stack out of bound access in elantech_change_report_id()
    Input: iqs626a - prohibit inlining of channel parsing functions
    Input: i8042 - add deferred probe support
-
Linus Torvalds authored
Merge misc fixes from Andrew Morton:
 "9 patches. Subsystems affected by this patch series: mm (kfence, mempolicy, memory-failure, pagemap, pagealloc, damon, and memory-failure), core-kernel, and MAINTAINERS"
* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
    mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
    mm/damon/dbgfs: protect targets destructions with kdamond_lock
    mm/page_alloc: fix __alloc_size attribute for alloc_pages_exact_nid
    mm: delete unsafe BUG from page_cache_add_speculative()
    mm, hwpoison: fix condition in free hugetlb page path
    MAINTAINERS: mark more list instances as moderated
    kernel/crash_core: suppress unknown crashkernel parameter warning
    mm: mempolicy: fix THP allocations escaping mempolicy restrictions
    kfence: fix memory leak when cat kfence objects
-
Liu Shixin authored
Hulk Robot reported a panic in put_page_testzero() when testing madvise() with MADV_SOFT_OFFLINE. The BUG() is triggered when retrying get_any_page(). This is because we keep MF_COUNT_INCREASED flag in second try but the refcnt is not increased.

    page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
    ------------[ cut here ]------------
    kernel BUG at include/linux/mm.h:737!
    invalid opcode: 0000 [#1] PREEMPT SMP
    CPU: 5 PID: 2135 Comm: sshd Tainted: G B 5.16.0-rc6-dirty #373
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
    RIP: release_pages+0x53f/0x840
    Call Trace:
      free_pages_and_swap_cache+0x64/0x80
      tlb_flush_mmu+0x6f/0x220
      unmap_page_range+0xe6c/0x12c0
      unmap_single_vma+0x90/0x170
      unmap_vmas+0xc4/0x180
      exit_mmap+0xde/0x3a0
      mmput+0xa3/0x250
      do_exit+0x564/0x1470
      do_group_exit+0x3b/0x100
      __do_sys_exit_group+0x13/0x20
      __x64_sys_exit_group+0x16/0x20
      do_syscall_64+0x34/0x80
      entry_SYSCALL_64_after_hwframe+0x44/0xae
    Modules linked in:
    ---[ end trace e99579b570fe0649 ]---
    RIP: 0010:release_pages+0x53f/0x840

Link: https://lkml.kernel.org/r/20211221074908.3910286-1-liushixin2@huawei.com
Fixes: b94e0282 ("mm,hwpoison: try to narrow window race for free pages")
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Reported-by: Hulk Robot <hulkci@huawei.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
SeongJae Park authored
DAMON debugfs interface iterates current monitoring targets in 'dbgfs_target_ids_read()' while holding the corresponding 'kdamond_lock'. However, it also destructs the monitoring targets in 'dbgfs_before_terminate()' without holding the lock. This can result in a use_after_free bug. This commit avoids the race by protecting the destruction with the corresponding 'kdamond_lock'. Link: https://lkml.kernel.org/r/20211221094447.2241-1-sj@kernel.org Reported-by: Sangwoo Bae <sangwoob@amazon.com> Fixes: 4bc05954 ("mm/damon: implement a debugfs-based user space interface") Signed-off-by: SeongJae Park <sj@kernel.org> Cc: <stable@vger.kernel.org> [5.15.x] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-