Список изменений в Linux 6.1.7

Author: Hans de Goede <[email protected]>
Date:   Tue Jan 10 16:30:28 2023 +0100

    ACPI: Fix selecting wrong ACPI fwnode for the iGPU on some Dell laptops
    
    commit f64e4275ef7407d5c3eca20436519bbd1f796e40 upstream.
    
    The Dell Latitude E6430 both with and without the optional NVidia dGPU
    has a bug in its ACPI tables which is causing Linux to assign the wrong
    ACPI fwnode / companion to the pci_device for the i915 iGPU.
    
    Specifically under the PCI root bridge there are these 2 ACPI Device()s :
    
     Scope (_SB.PCI0)
     {
         Device (GFX0)
         {
             Name (_ADR, 0x00020000)  // _ADR: Address
         }
    
         ...
    
         Device (VID)
         {
             Name (_ADR, 0x00020000)  // _ADR: Address
             ...
    
             Method (_DOS, 1, NotSerialized)  // _DOS: Disable Output Switching
             {
                 VDP8 = Arg0
                 VDP1 (One, VDP8)
             }
    
             Method (_DOD, 0, NotSerialized)  // _DOD: Display Output Devices
             {
                 ...
             }
             ...
         }
     }
    
    The non-functional GFX0 ACPI device is a problem, because this gets
    returned as ACPI companion-device by acpi_find_child_device() for the iGPU.
    
    This is a long standing problem and the i915 driver does use the ACPI
    companion for some things, but works fine without it.
    
    However since commit 63f534b8bad9 ("ACPI: PCI: Rework acpi_get_pci_dev()")
    acpi_get_pci_dev() relies on the physical-node pointer in the acpi_device
    and that is set on the wrong acpi_device because of the wrong
    acpi_find_child_device() return. This breaks the ACPI video code,
    leading to non working backlight control in some cases.
    
    Add a type.backlight flag, mark ACPI video bus devices with this and make
    find_child_checks() return a higher score for children with this flag set,
    so that it picks the right companion-device.
    
    Fixes: 63f534b8bad9 ("ACPI: PCI: Rework acpi_get_pci_dev()")
    Co-developed-by: Rafael J. Wysocki <raf[email protected]>
    Signed-off-by: Hans de Goede <[email protected]>
    Cc: 6.1+ <[email protected]> # 6.1+
    Signed-off-by: Rafael J. Wysocki <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Hans de Goede <[email protected]>
Date:   Mon Jan 9 20:18:11 2023 +0100

    ACPI: video: Allow selecting NVidia-WMI-EC or Apple GMUX backlight from the cmdline
    
    commit 420a1116aef0e8e12c305508f45ce73e5ae30a09 upstream.
    
    The patches adding NVidia-WMI-EC and Apple GMUX backlight detection
    support to acpi_video_get_backlight_type(), forgot to update
    acpi_video_parse_cmdline() to allow manually selecting these from
    the commandline.
    
    Add support for these to acpi_video_parse_cmdline().
    
    Fixes: fe7aebb40d42 ("ACPI: video: Add Nvidia WMI EC brightness control detection (v3)")
    Fixes: 21245df307cb ("ACPI: video: Add Apple GMUX brightness control detection")
    Signed-off-by: Hans de Goede <[email protected]>
    Signed-off-by: Rafael J. Wysocki <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Mirsad Goran Todorovac <[email protected]>
Date:   Sat Jan 7 04:40:20 2023 +0100

    af_unix: selftest: Fix the size of the parameter to connect()
    
    [ Upstream commit 7d6ceeb1875cc08dc3d1e558e191434d94840cd5 ]
    
    Adjust size parameter in connect() to match the type of the parameter, to
    fix "No such file or directory" error in selftests/net/af_unix/
    test_oob_unix.c:127.
    
    The existing code happens to work provided that the autogenerated pathname
    is shorter than sizeof (struct sockaddr), which is why it hasn't been
    noticed earlier.
    
    Visible from the trace excerpt:
    
    bind(3, {sa_family=AF_UNIX, sun_path="unix_oob_453059"}, 110) = 0
    clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fa6a6577a10) = 453060
    [pid <child>] connect(6, {sa_family=AF_UNIX, sun_path="unix_oob_45305"}, 16) = -1 ENOENT (No such file or directory)
    
    BUG: The filename is trimmed to sizeof (struct sockaddr).
    
    Cc: "David S. Miller" <[email protected]>
    Cc: Eric Dumazet <[email protected]>
    Cc: Jakub Kicinski <[email protected]>
    Cc: Paolo Abeni <[email protected]>
    Cc: Shuah Khan <[email protected]>
    Cc: Kuniyuki Iwashima <[email protected]>
    Cc: Florian Westphal <[email protected]>
    Reviewed-by: Florian Westphal <[email protected]>
    Fixes: 314001f0bf92 ("af_unix: Add OOB support")
    Signed-off-by: Mirsad Goran Todorovac <[email protected]>
    Reviewed-by: Kuniyuki Iwashima <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Jaroslav Kysela <[email protected]>
Date:   Mon Jan 9 16:12:49 2023 +0100

    ALSA: control-led: use strscpy in set_led_id()
    
    commit 70051cffb31b5ee09096351c3b41fcae6f89de31 upstream.
    
    The use of strncpy() in the set_led_id() was incorrect.
    The len variable should use 'min(sizeof(buf2) - 1, count)'
    expression.
    
    Use strscpy() function to simplify things and handle the error gracefully.
    
    Fixes: a135dfb5de15 ("ALSA: led control - add sysfs kcontrol LED marking layer")
    Reported-by: [email protected]
    Link: https://lore.kernel.org/alsa-devel/[email protected]/
    Cc: <[email protected]>
    Signed-off-by: Jaroslav Kysela <[email protected]>
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Yuchi Yang <[email protected]>
Date:   Fri Dec 30 15:22:25 2022 +0800

    ALSA: hda/realtek - Turn on power early
    
    commit 1f680609bf1beac20e2a31ddcb1b88874123c39f upstream.
    
    Turn on power early to avoid wrong state for power relation register.
    This can earlier update JD state when resume back.
    
    Signed-off-by: Yuchi Yang <[email protected]>
    Cc: <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Luka Guzenko <[email protected]>
Date:   Tue Jan 10 21:25:14 2023 +0100

    ALSA: hda/realtek: Enable mute/micmute LEDs on HP Spectre x360 13-aw0xxx
    
    commit ca88eeb308a221c2dcd4a64031d2e5fcd3db9eaa upstream.
    
    The HP Spectre x360 13-aw0xxx devices use the ALC285 codec with GPIO 0x04
    controlling the micmute LED and COEF 0x0b index 8 controlling the mute LED.
    A quirk was added to make these work as well as a fixup.
    
    Signed-off-by: Luka Guzenko <[email protected]>
    Cc: <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Jaroslav Kysela <[email protected]>
Date:   Mon Jan 9 15:11:33 2023 +0100

    ALSA: usb-audio: Always initialize fixed_rate in snd_usb_find_implicit_fb_sync_format()
    
    commit 291e9da91403e0e628d7692b5ed505100e7b7706 upstream.
    
    Handle the fallback code path, too.
    
    Fixes: fd28941cff1c ("ALSA: usb-audio: Add new quirk FIXED_RATE for JBL Quantum810 Wireless")
    BugLink: https://lore.kernel.org/alsa-devel/Y7frf3N%[email protected]/
    Reported-by: Dan Carpenter <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Jaroslav Kysela <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Jaroslav Kysela <[email protected]>
Date:   Fri Jan 13 09:53:11 2023 +0100

    ALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate()
    
    [ Upstream commit 92a9c0ad86d47ff4cce899012e355c400f02cfb8 ]
    
    The subs function argument may be NULL, so do not use it before the NULL check.
    
    Fixes: 291e9da91403 ("ALSA: usb-audio: Always initialize fixed_rate in snd_usb_find_implicit_fb_sync_format()")
    Reported-by: coverity-bot <[email protected]>
    Link: https://lore.kernel.org/alsa-devel/[email protected]/
    Signed-off-by: Jaroslav Kysela <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Takashi Iwai <[email protected]>
Date:   Mon Jan 2 18:07:57 2023 +0100

    ALSA: usb-audio: Make sure to stop endpoints before closing EPs
    
    [ Upstream commit 0599313e26666e79f6e7fe1450588431b8cb25d5 ]
    
    At the PCM hw params, we may re-configure the endpoints and it's done
    by a temporary EP close followed by re-open.  A potential problem
    there is that the EP might be already running internally at the PCM
    prepare stage; it's seen typically in the playback stream with the
    implicit feedback sync.  As this stream start isn't tracked by the
    core PCM layer, we'd need to stop it explicitly, and that's the
    missing piece.
    
    This patch adds the stop_endpoints() call at snd_usb_hw_params() to
    assure the stream stop before closing the EPs.
    
    Fixes: bf6313a0ff76 ("ALSA: usb-audio: Refactor endpoint management")
    Link: https://lore.kernel.org/r/[email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Takashi Iwai <[email protected]>
Date:   Mon Jan 2 18:07:58 2023 +0100

    ALSA: usb-audio: Relax hw constraints for implicit fb sync
    
    [ Upstream commit d463ac1acb454fafed58f695cb3067fbf489f3a0 ]
    
    The fix commit the commit e4ea77f8e53f ("ALSA: usb-audio: Always apply
    the hw constraints for implicit fb sync") tried to address the bug
    where an incorrect PCM parameter is chosen when two (implicit fb)
    streams are set up at the same time.  This change had, however, some
    side effect: once when the sync endpoint is chosen and set up, this
    restriction is applied at the next hw params unless it's freed via hw
    free explicitly.
    
    This patch is a workaround for the problem by relaxing the hw
    constraints a bit for the implicit fb sync.  We still keep applying
    the hw constraints for implicit fb sync, but only when the matching
    sync EP is being used by other streams.
    
    Fixes: e4ea77f8e53f ("ALSA: usb-audio: Always apply the hw constraints for implicit fb sync")
    Reported-by: Ruud van Asseldonk <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Liu Shixin <[email protected]>
Date:   Tue Nov 22 20:31:37 2022 +0800

    arm64/mm: add pud_user_exec() check in pud_user_accessible_page()
    
    commit 730a11f982e61aaef758ab552dfb7c30de79e99b upstream.
    
    Add check for the executable case in pud_user_accessible_page() too
    like what we did for pte and pmd.
    
    Fixes: 42b2547137f5 ("arm64/mm: enable ARCH_SUPPORTS_PAGE_TABLE_CHECK")
    Suggested-by: Will Deacon <[email protected]>
    Signed-off-by: Liu Shixin <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Will Deacon <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Liu Shixin <[email protected]>
Date:   Mon Nov 21 15:36:08 2022 +0800

    arm64/mm: fix incorrect file_map_count for invalid pmd
    
    commit 74c2f81054510d45b813548cb0a1c4ebf87cdd5f upstream.
    
    The page table check trigger BUG_ON() unexpectedly when split hugepage:
    
     ------------[ cut here ]------------
     kernel BUG at mm/page_table_check.c:119!
     Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
     Dumping ftrace buffer:
        (ftrace buffer empty)
     Modules linked in:
     CPU: 7 PID: 210 Comm: transhuge-stres Not tainted 6.1.0-rc3+ #748
     Hardware name: linux,dummy-virt (DT)
     pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
     pc : page_table_check_set.isra.0+0x398/0x468
     lr : page_table_check_set.isra.0+0x1c0/0x468
    [...]
     Call trace:
      page_table_check_set.isra.0+0x398/0x468
      __page_table_check_pte_set+0x160/0x1c0
      __split_huge_pmd_locked+0x900/0x1648
      __split_huge_pmd+0x28c/0x3b8
      unmap_page_range+0x428/0x858
      unmap_single_vma+0xf4/0x1c8
      zap_page_range+0x2b0/0x410
      madvise_vma_behavior+0xc44/0xe78
      do_madvise+0x280/0x698
      __arm64_sys_madvise+0x90/0xe8
      invoke_syscall.constprop.0+0xdc/0x1d8
      do_el0_svc+0xf4/0x3f8
      el0_svc+0x58/0x120
      el0t_64_sync_handler+0xb8/0xc0
      el0t_64_sync+0x19c/0x1a0
    [...]
    
    On arm64, pmd_leaf() will return true even if the pmd is invalid due to
    pmd_present_invalid() check. So in pmdp_invalidate() the file_map_count
    will not only decrease once but also increase once. Then in set_pte_at(),
    the file_map_count increase again, and so trigger BUG_ON() unexpectedly.
    
    Add !pmd_present_invalid() check in pmd_user_accessible_page() to fix the
    problem.
    
    Fixes: 42b2547137f5 ("arm64/mm: enable ARCH_SUPPORTS_PAGE_TABLE_CHECK")
    Reported-by: Denys Vlasenko <[email protected]>
    Signed-off-by: Liu Shixin <[email protected]>
    Acked-by: Pasha Tatashin <[email protected]>
    Acked-by: David Hildenbrand <[email protected]>
    Reviewed-by: Kefeng Wang <[email protected]>
    Acked-by: Will Deacon <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Will Deacon <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Mark Brown <[email protected]>
Date:   Tue Dec 27 17:12:05 2022 +0000

    arm64/signal: Always accept SVE signal frames on SME only systems
    
    commit 7dde62f0687c8856b6c0660066c7ee83a6a6f033 upstream.
    
    Currently we reject an attempt to restore a SVE signal frame on a system
    with SME but not SVE supported. This means that it is not possible to
    disable streaming mode via signal return as this is configured via the
    flags in the SVE signal context. Instead accept the signal frame, we will
    require it to have a vector length of 0 specified and no payload since the
    task will have no SVE vector length configured.
    
    Fixes: 85ed24dad290 ("arm64/sme: Implement streaming SVE signal handling")
    Signed-off-by: Mark Brown <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Will Deacon <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Mark Brown <[email protected]>
Date:   Tue Dec 27 17:12:06 2022 +0000

    arm64/signal: Always allocate SVE signal frames on SME only systems
    
    commit f26cd7372160da2eba31061d7943348ab9f2c01d upstream.
    
    Currently we only allocate space for SVE signal frames on systems that
    support SVE, meaning that SME only systems do not allocate a signal frame
    for streaming mode SVE state. Change the check so space is allocated if
    either feature is supported.
    
    Fixes: 85ed24dad290 ("arm64/sme: Implement streaming SVE signal handling")
    Signed-off-by: Mark Brown <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Will Deacon <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Mark Rutland <[email protected]>
Date:   Wed Jan 4 15:16:26 2023 +0000

    arm64: cmpxchg_double*: hazard against entire exchange variable
    
    commit 031af50045ea97ed4386eb3751ca2c134d0fc911 upstream.
    
    The inline assembly for arm64's cmpxchg_double*() implementations use a
    +Q constraint to hazard against other accesses to the memory location
    being exchanged. However, the pointer passed to the constraint is a
    pointer to unsigned long, and thus the hazard only applies to the first
    8 bytes of the location.
    
    GCC can take advantage of this, assuming that other portions of the
    location are unchanged, leading to a number of potential problems.
    
    This is similar to what we fixed back in commit:
    
      fee960bed5e857eb ("arm64: xchg: hazard against entire exchange variable")
    
    ... but we forgot to adjust cmpxchg_double*() similarly at the same
    time.
    
    The same problem applies, as demonstrated with the following test:
    
    | struct big {
    |         u64 lo, hi;
    | } __aligned(128);
    |
    | unsigned long foo(struct big *b)
    | {
    |         u64 hi_old, hi_new;
    |
    |         hi_old = b->hi;
    |         cmpxchg_double_local(&b->lo, &b->hi, 0x12, 0x34, 0x56, 0x78);
    |         hi_new = b->hi;
    |
    |         return hi_old ^ hi_new;
    | }
    
    ... which GCC 12.1.0 compiles as:
    
    | 0000000000000000 <foo>:
    |    0:   d503233f        paciasp
    |    4:   aa0003e4        mov     x4, x0
    |    8:   1400000e        b       40 <foo+0x40>
    |    c:   d2800240        mov     x0, #0x12                       // #18
    |   10:   d2800681        mov     x1, #0x34                       // #52
    |   14:   aa0003e5        mov     x5, x0
    |   18:   aa0103e6        mov     x6, x1
    |   1c:   d2800ac2        mov     x2, #0x56                       // #86
    |   20:   d2800f03        mov     x3, #0x78                       // #120
    |   24:   48207c82        casp    x0, x1, x2, x3, [x4]
    |   28:   ca050000        eor     x0, x0, x5
    |   2c:   ca060021        eor     x1, x1, x6
    |   30:   aa010000        orr     x0, x0, x1
    |   34:   d2800000        mov     x0, #0x0                        // #0    <--- BANG
    |   38:   d50323bf        autiasp
    |   3c:   d65f03c0        ret
    |   40:   d2800240        mov     x0, #0x12                       // #18
    |   44:   d2800681        mov     x1, #0x34                       // #52
    |   48:   d2800ac2        mov     x2, #0x56                       // #86
    |   4c:   d2800f03        mov     x3, #0x78                       // #120
    |   50:   f9800091        prfm    pstl1strm, [x4]
    |   54:   c87f1885        ldxp    x5, x6, [x4]
    |   58:   ca0000a5        eor     x5, x5, x0
    |   5c:   ca0100c6        eor     x6, x6, x1
    |   60:   aa0600a6        orr     x6, x5, x6
    |   64:   b5000066        cbnz    x6, 70 <foo+0x70>
    |   68:   c8250c82        stxp    w5, x2, x3, [x4]
    |   6c:   35ffff45        cbnz    w5, 54 <foo+0x54>
    |   70:   d2800000        mov     x0, #0x0                        // #0     <--- BANG
    |   74:   d50323bf        autiasp
    |   78:   d65f03c0        ret
    
    Notice that at the lines with "BANG" comments, GCC has assumed that the
    higher 8 bytes are unchanged by the cmpxchg_double() call, and that
    `hi_old ^ hi_new` can be reduced to a constant zero, for both LSE and
    LL/SC versions of cmpxchg_double().
    
    This patch fixes the issue by passing a pointer to __uint128_t into the
    +Q constraint, ensuring that the compiler hazards against the entire 16
    bytes being modified.
    
    With this change, GCC 12.1.0 compiles the above test as:
    
    | 0000000000000000 <foo>:
    |    0:   f9400407        ldr     x7, [x0, #8]
    |    4:   d503233f        paciasp
    |    8:   aa0003e4        mov     x4, x0
    |    c:   1400000f        b       48 <foo+0x48>
    |   10:   d2800240        mov     x0, #0x12                       // #18
    |   14:   d2800681        mov     x1, #0x34                       // #52
    |   18:   aa0003e5        mov     x5, x0
    |   1c:   aa0103e6        mov     x6, x1
    |   20:   d2800ac2        mov     x2, #0x56                       // #86
    |   24:   d2800f03        mov     x3, #0x78                       // #120
    |   28:   48207c82        casp    x0, x1, x2, x3, [x4]
    |   2c:   ca050000        eor     x0, x0, x5
    |   30:   ca060021        eor     x1, x1, x6
    |   34:   aa010000        orr     x0, x0, x1
    |   38:   f9400480        ldr     x0, [x4, #8]
    |   3c:   d50323bf        autiasp
    |   40:   ca0000e0        eor     x0, x7, x0
    |   44:   d65f03c0        ret
    |   48:   d2800240        mov     x0, #0x12                       // #18
    |   4c:   d2800681        mov     x1, #0x34                       // #52
    |   50:   d2800ac2        mov     x2, #0x56                       // #86
    |   54:   d2800f03        mov     x3, #0x78                       // #120
    |   58:   f9800091        prfm    pstl1strm, [x4]
    |   5c:   c87f1885        ldxp    x5, x6, [x4]
    |   60:   ca0000a5        eor     x5, x5, x0
    |   64:   ca0100c6        eor     x6, x6, x1
    |   68:   aa0600a6        orr     x6, x5, x6
    |   6c:   b5000066        cbnz    x6, 78 <foo+0x78>
    |   70:   c8250c82        stxp    w5, x2, x3, [x4]
    |   74:   35ffff45        cbnz    w5, 5c <foo+0x5c>
    |   78:   f9400480        ldr     x0, [x4, #8]
    |   7c:   d50323bf        autiasp
    |   80:   ca0000e0        eor     x0, x7, x0
    |   84:   d65f03c0        ret
    
    ... sampling the high 8 bytes before and after the cmpxchg, and
    performing an EOR, as we'd expect.
    
    For backporting, I've tested this atop linux-4.9.y with GCC 5.5.0. Note
    that linux-4.9.y is oldest currently supported stable release, and
    mandates GCC 5.1+. Unfortunately I couldn't get a GCC 5.1 binary to run
    on my machines due to library incompatibilities.
    
    I've also used a standalone test to check that we can use a __uint128_t
    pointer in a +Q constraint at least as far back as GCC 4.8.5 and LLVM
    3.9.1.
    
    Fixes: 5284e1b4bc8a ("arm64: xchg: Implement cmpxchg_double")
    Fixes: e9a4b795652f ("arm64: cmpxchg_dbl: patch in lse instructions when supported by the CPU")
    Reported-by: Boqun Feng <[email protected]>
    Link: https://lore.kernel.org/lkml/[email protected]/
    Reported-by: Peter Zijlstra <[email protected]>
    Link: https://lore.kernel.org/lkml/[email protected]/
    Signed-off-by: Mark Rutland <[email protected]>
    Cc: [email protected]
    Cc: Arnd Bergmann <[email protected]>
    Cc: Catalin Marinas <[email protected]>
    Cc: Steve Capper <[email protected]>
    Cc: Will Deacon <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Will Deacon <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Catalin Marinas <[email protected]>
Date:   Thu Dec 22 18:12:51 2022 +0000

    arm64: mte: Avoid the racy walk of the vma list during core dump
    
    commit 4f4c549feb4ecca95ae9abb88887b941d196f83a upstream.
    
    The MTE coredump code in arch/arm64/kernel/elfcore.c iterates over the
    vma list without the mmap_lock held. This can race with another process
    or userfaultfd concurrently modifying the vma list. Change the
    for_each_mte_vma macro and its callers to instead use the vma snapshot
    taken by dump_vma_snapshot() and stored in the cprm object.
    
    Fixes: 6dd8b1a0b6cb ("arm64: mte: Dump the MTE tags in the core file")
    Cc: <[email protected]> # 5.18.x
    Signed-off-by: Catalin Marinas <[email protected]>
    Reported-by: Seth Jenkins <[email protected]>
    Suggested-by: Seth Jenkins <[email protected]>
    Cc: Will Deacon <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Will Deacon <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Catalin Marinas <[email protected]>
Date:   Thu Dec 22 18:12:49 2022 +0000

    arm64: mte: Fix double-freeing of the temporary tag storage during coredump
    
    commit 736eedc974eaafbf4360e0ea85fc892cea72a223 upstream.
    
    Commit 16decce22efa ("arm64: mte: Fix the stack frame size warning in
    mte_dump_tag_range()") moved the temporary tag storage array from the
    stack to slab but it also introduced an error in double freeing this
    object. Remove the in-loop freeing.
    
    Fixes: 16decce22efa ("arm64: mte: Fix the stack frame size warning in mte_dump_tag_range()")
    Cc: <[email protected]> # 5.18.x
    Signed-off-by: Catalin Marinas <[email protected]>
    Reported-by: Seth Jenkins <[email protected]>
    Cc: Will Deacon <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Will Deacon <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Zenghui Yu <[email protected]>
Date:   Wed Dec 14 21:59:43 2022 +0800

    arm64: ptrace: Use ARM64_SME to guard the SME register enumerations
    
    commit eb9a85261e297292c4cc44b628c1373c996cedc2 upstream.
    
    We currently guard REGSET_{SSVE, ZA} using ARM64_SVE for no good reason.
    Both enumerations would be pointless without ARM64_SME and create two empty
    entries in aarch64_regsets[] which would then become part of a process's
    native regset view (they should be ignored though).
    
    Switch to use ARM64_SME instead.
    
    Fixes: e12310a0d30f ("arm64/sme: Implement ptrace support for streaming mode SVE registers")
    Signed-off-by: Zenghui Yu <[email protected]>
    Reviewed-by: Mark Brown <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Will Deacon <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Arnd Bergmann <[email protected]>
Date:   Wed Dec 21 14:25:48 2022 +0100

    ASoC: Intel: fix sof-nau8825 link failure
    
    [ Upstream commit 63f3d99b7efe4c5404a9388c05780917099cecf4 ]
    
    The snd-soc-sof_nau8825.ko module fails to link unless the
    sof_realtek_common support is also enabled:
    
    ERROR: modpost: "sof_rt1015p_codec_conf" [sound/soc/intel/boards/snd-soc-sof_nau8825.ko] undefined!
    ERROR: modpost: "sof_rt1015p_dai_link" [sound/soc/intel/boards/snd-soc-sof_nau8825.ko] undefined!
    
    Fixes: 8d0872f6239f ("ASoC: Intel: add sof-nau8825 machine driver")
    Signed-off-by: Arnd Bergmann <[email protected]>
    Acked-by: Pierre-Louis Bossart <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Arnd Bergmann <[email protected]>
Date:   Wed Dec 21 14:24:56 2022 +0100

    ASoC: Intel: sof-nau8825: fix module alias overflow
    
    [ Upstream commit 3e78986a840d59dd27e636eae3f52dc11125c835 ]
    
    The maximum name length for a platform_device_id entry is 20 characters
    including the trailing NUL byte. The sof_nau8825.c file exceeds that,
    which causes an obscure error message:
    
    sound/soc/intel/boards/snd-soc-sof_nau8825.mod.c:35:45: error: illegal character encoding in string literal [-Werror,-Winvalid-source-encoding]
    MODULE_ALIAS("platform:adl_max98373_nau8825<U+0018><AA>");
                                                       ^~~~
    include/linux/module.h:168:49: note: expanded from macro 'MODULE_ALIAS'
                                                    ^~~~~~
    include/linux/module.h:165:56: note: expanded from macro 'MODULE_INFO'
                                                           ^~~~
    include/linux/moduleparam.h:26:47: note: expanded from macro '__MODULE_INFO'
                    = __MODULE_INFO_PREFIX __stringify(tag) "=" info
    
    I could not figure out how to make the module handling robust enough
    to handle this better, but as a quick fix, using slightly shorter
    names that are still unique avoids the build issue.
    
    Fixes: 8d0872f6239f ("ASoC: Intel: add sof-nau8825 machine driver")
    Signed-off-by: Arnd Bergmann <[email protected]>
    Acked-by: Pierre-Louis Bossart <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Brent Lu <[email protected]>
Date:   Thu Nov 17 17:19:19 2022 -0600

    ASoC: Intel: sof_nau8825: support rt1015p speaker amplifier
    
    [ Upstream commit 13c459fa37c9f26e9bf884a832dd67598b5c4d3e ]
    
    Add rt1015p speaker amplifier support with a new board info
    'adl_rt1015p_nau8825' which supports NAU8825 on SSP0 and ALC1015Q on
    SSP1.
    
    Reviewed-by: Bard Liao <[email protected]>
    Signed-off-by: Brent Lu <[email protected]>
    Signed-off-by: Pierre-Louis Bossart <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Stable-dep-of: 3e78986a840d ("ASoC: Intel: sof-nau8825: fix module alias overflow")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Stephan Gerhold <[email protected]>
Date:   Sat Dec 31 12:55:06 2022 +0100

    ASoC: qcom: Fix building APQ8016 machine driver without SOUNDWIRE
    
    [ Upstream commit 0cbf1ecd8c4801ec7566231491f7ad9cec31098b ]
    
    Older Qualcomm platforms like APQ8016 do not have hardware support for
    SoundWire, so kernel configurations made specifically for those platforms
    will usually not have CONFIG_SOUNDWIRE enabled.
    
    Unfortunately commit 8d89cf6ff229 ("ASoC: qcom: cleanup and fix
    dependency of QCOM_COMMON") breaks those kernel configurations, because
    SOUNDWIRE is now a required dependency for SND_SOC_QCOM_COMMON (and in
    turn also SND_SOC_APQ8016_SBC). Trying to migrate such a kernel config
    silently disables SND_SOC_APQ8016_SBC and breaks audio functionality.
    
    The soundwire helpers in common.c are only used by two of the Qualcomm
    audio machine drivers, so building and requiring CONFIG_SOUNDWIRE for
    all platforms is unnecessary.
    
    There is no need to stuff all common code into a single module. Fix the
    issue by moving the soundwire helpers to a separate SND_SOC_QCOM_SDW
    module/option that is selected only by the machine drivers that make
    use of them. This also allows reverting the imply/depends changes from
    the previous fix because both SM8250 and SC8280XP already depend on
    SOUNDWIRE, so the soundwire helpers will be only built if SOUNDWIRE
    is really enabled.
    
    Cc: Srinivas Kandagatla <[email protected]>
    Fixes: 8d89cf6ff229 ("ASoC: qcom: cleanup and fix dependency of QCOM_COMMON")
    Signed-off-by: Stephan Gerhold <[email protected]>
    Link: https://lore.kernel.org/r/20221231115[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Brian Norris <[email protected]>
Date:   Fri Dec 30 22:15:45 2022 -0800

    ASoC: qcom: lpass-cpu: Fix fallback SD line index handling
    
    commit 000bca8d706d1bf7cca01af75787247c5a2fdedf upstream.
    
    These indices should reference the ID placed within the dai_driver
    array, not the indices of the array itself.
    
    This fixes commit 4ff028f6c108 ("ASoC: qcom: lpass-cpu: Make I2S SD
    lines configurable"), which among others, broke IPQ8064 audio
    (sound/soc/qcom/lpass-ipq806x.c) because it uses ID 4 but we'd stop
    initializing the mi2s_playback_sd_mode and mi2s_capture_sd_mode arrays
    at ID 0.
    
    Fixes: 4ff028f6c108 ("ASoC: qcom: lpass-cpu: Make I2S SD lines configurable")
    Cc: <[email protected]>
    Signed-off-by: Brian Norris <[email protected]>
    Reviewed-by: Stephan Gerhold <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: ChiYuan Huang <[email protected]>
Date:   Thu Dec 29 16:03:53 2022 +0800

    ASoC: rt9120: Make dev PM runtime bind AsoC component PM
    
    commit 7161bd540eebebae2bbe8c79de25d8caf12dbf78 upstream.
    
    RT9120 uses PM runtime autosuspend to decrease the frequently on/off
    spent time. This exists one case, when pcm is closed and dev PM is
    waiting for autosuspend time expired to enter runtime suspend state.
    At the mean time, system is going to enter suspend, dev PM runtime
    suspend won't be called. It makes the rt9120 suspend consumption
    current not as expected.
    
    This patch can fix the rt9120 dev PM issue during runtime autosuspend
    and system suspend by binding dev PM runtime and ASoC component PM.
    
    Fixes: 80b949f332e3 ("ASoC: rt9120: Use pm_runtime and regcache to optimize 'pwdnn' logic")
    Signed-off-by: ChiYuan Huang <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Emanuele Ghidoli <[email protected]>
Date:   Fri Dec 23 09:02:47 2022 +0100

    ASoC: wm8904: fix wrong outputs volume after power reactivation
    
    [ Upstream commit 472a6309c6467af89dbf660a8310369cc9cb041f ]
    
    Restore volume after charge pump and PGA activation to ensure
    that volume settings are correctly applied when re-enabling codec
    from SND_SOC_BIAS_OFF state.
    CLASS_W, CHARGE_PUMP and POWER_MANAGEMENT_2 register configuration
    affect how the volume register are applied and must be configured first.
    
    Fixes: a91eb199e4dc ("ASoC: Initial WM8904 CODEC driver")
    Link: https://lore.kernel.org/all/[email protected]/
    Signed-off-by: Emanuele Ghidoli <[email protected]>
    Signed-off-by: Francesco Dolcini <[email protected]>
    Acked-by: Charles Keepax <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Jens Axboe <[email protected]>
Date:   Wed Jan 4 08:51:19 2023 -0700

    block: handle bio_split_to_limits() NULL return
    
    commit 613b14884b8595e20b9fac4126bf627313827fbe upstream.
    
    This can't happen right now, but in preparation for allowing
    bio_split_to_limits() returning NULL if it ended the bio, check for it
    in all the callers.
    
    Signed-off-by: Jens Axboe <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Jakub Kicinski <[email protected]>
Date:   Tue Jan 10 20:25:47 2023 -0800

    bnxt: make sure we return pages to the pool
    
    [ Upstream commit 97f5e03a4a27d27ee4fed0cdb1658c81cf2784db ]
    
    Before the commit under Fixes the page would have been released
    from the pool before the napi_alloc_skb() call, so normal page
    freeing was fine (released page == no longer in the pool).
    
    After the change we just mark the page for recycling so it's still
    in the pool if the skb alloc fails, we need to recycle.
    
    Same commit added the same bug in the new bnxt_rx_multi_page_skb().
    
    Fixes: 1dc4c557bfed ("bnxt: adding bnxt_xdp_build_skb to build skb from multibuffer xdp_buff")
    Reviewed-by: Andy Gospodarek <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Ivan T. Ivanov <[email protected]>
Date:   Fri Jan 6 15:19:05 2023 +0200

    brcmfmac: Prefer DT board type over DMI board type
    
    commit a5a36720c3f650f859f5e9535dd62d06f13f4f3b upstream.
    
    The introduction of support for Apple board types inadvertently changed
    the precedence order, causing hybrid SMBIOS+DT platforms to look up the
    firmware using the DMI information instead of the device tree compatible
    to generate the board type. Revert back to the old behavior,
    as affected platforms use firmwares named after the DT compatible.
    
    Fixes: 7682de8b3351 ("wifi: brcmfmac: of: Fetch Apple properties")
    
    [1] https://bugzilla.opensuse.org/show_bug.cgi?id=1206697#c13
    
    Cc: [email protected]
    Signed-off-by: Ivan T. Ivanov <[email protected]>
    Reviewed-by: Hector Martin <[email protected]>
    Reviewed-by: Arend van Spriel <[email protected]>
    Tested-by: Peter Robinson <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Paulo Alcantara <[email protected]>
Date:   Tue Jan 10 19:23:21 2023 -0300

    cifs: do not query ifaces on smb1 mounts
    
    commit 22aeb01db7080e18c6aeb4361cc2556c9887099a upstream.
    
    Users have reported the following error on every 600 seconds
    (SMB_INTERFACE_POLL_INTERVAL) when mounting SMB1 shares:
    
            CIFS: VFS: \\srv\share error -5 on ioctl to get interface list
    
    It's supported only by SMB2+, so do not query network interfaces on
    SMB1 mounts.
    
    Fixes: 6e1c1c08cdf3 ("cifs: periodically query network interfaces from server")
    Reviewed-by: Shyam Prasad N <[email protected]>
    Reviewed-by: Tom Talpey <[email protected]>
    Signed-off-by: Paulo Alcantara (SUSE) <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Paulo Alcantara <[email protected]>
Date:   Tue Jan 10 17:55:20 2023 -0300

    cifs: fix double free on failed kerberos auth
    
    commit 39e8db3c860e2678ce5a7d74193925876507c9eb upstream.
    
    If session setup failed with kerberos auth, we ended up freeing
    cifs_ses::auth_key.response twice in SMB2_auth_kerberos() and
    sesInfoFree().
    
    Fix this by zeroing out cifs_ses::auth_key.response after freeing it
    in SMB2_auth_kerberos().
    
    Fixes: a4e430c8c8ba ("cifs: replace kfree() with kfree_sensitive() for sensitive data")
    Signed-off-by: Paulo Alcantara (SUSE) <[email protected]>
    Acked-by: Ronnie Sahlberg <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Paulo Alcantara <[email protected]>
Date:   Fri Jan 6 13:34:36 2023 -0300

    cifs: fix file info setting in cifs_open_file()
    
    commit ba5d4c1596cada37793d405dd18d695cd3508902 upstream.
    
    In cifs_open_file(), @buf must hold a pointer to a cifs_open_info_data
    structure which is passed by cifs_nt_open(), so assigning @buf
    directly to @fi was obviously wrong.
    
    Fix this by passing a valid FILE_ALL_INFO structure to SMBLegacyOpen()
    and CIFS_open(), and then copy the set structure to the corresponding
    cifs_open_info_data::fi field with move_cifs_info_to_smb2() helper.
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=216889
    Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+")
    Signed-off-by: Paulo Alcantara (SUSE) <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Paulo Alcantara <[email protected]>
Date:   Fri Jan 6 20:28:30 2023 -0300

    cifs: fix file info setting in cifs_query_path_info()
    
    commit 29cf28235e3e57e0af01ae29db57a75f87a2ada8 upstream.
    
    We missed to set file info when CIFSSMBQPathInfo() returned 0, thus
    leaving cifs_open_info_data::fi unset.
    
    Fix this by setting cifs_open_info_data::fi when either
    CIFSSMBQPathInfo() or SMBQueryInformation() succeed.
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=216881
    Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+")
    Signed-off-by: Paulo Alcantara (SUSE) <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Volker Lendecke <[email protected]>
Date:   Wed Jan 11 12:37:58 2023 +0100

    cifs: Fix uninitialized memory read for smb311 posix symlink create
    
    commit a152d05ae4a71d802d50cf9177dba34e8bb09f68 upstream.
    
    If smb311 posix is enabled, we send the intended mode for file
    creation in the posix create context. Instead of using what's there on
    the stack, create the mfsymlink file with 0644.
    
    Fixes: ce558b0e17f8a ("smb3: Add posix create context for smb3.11 posix mounts")
    Cc: [email protected]
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Tom Talpey <[email protected]>
    Reviewed-by: Paulo Alcantara (SUSE) <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Perry Yuan <[email protected]>
Date:   Tue Jan 10 23:10:29 2023 +0800

    cpufreq: amd-pstate: fix kernel hang issue while amd-pstate unregistering
    
    commit 4f3085f87b51a551a0647f218d4f324796ecb703 upstream.
    
    In the amd_pstate_adjust_perf(), there is one cpufreq_cpu_get() call to
    increase increments the kobject reference count of policy and make it as
    busy. Therefore, a corresponding call to cpufreq_cpu_put() is needed to
    decrement the kobject reference count back, it will resolve the kernel
    hang issue when unregistering the amd-pstate driver and register the
    `amd_pstate_epp` driver instance.
    
    Fixes: 1d215f0319 ("cpufreq: amd-pstate: Add fast switch function for AMD P-State")
    Acked-by: Huang Rui <[email protected]>
    Reviewed-by: Mario Limonciello <[email protected]>
    Tested-by: Wyes Karny <[email protected]>
    Signed-off-by: Perry Yuan <[email protected]>
    Cc: 5.17+ <[email protected]> # 5.17+
    Signed-off-by: Rafael J. Wysocki <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Jonathan Corbet <[email protected]>
Date:   Wed Jan 4 10:47:39 2023 -0700

    docs: Fix the docs build with Sphinx 6.0
    
    commit 0283189e8f3d0917e2ac399688df85211f48447b upstream.
    
    Sphinx 6.0 removed the execfile_() function, which we use as part of the
    configuration process.  They *did* warn us...  Just open-code the
    functionality as is done in Sphinx itself.
    
    Tested (using SPHINX_CONF, since this code is only executed with an
    alternative config file) on various Sphinx versions from 2.5 through 6.0.
    
    Reported-by: Martin Liе║ka <[email protected]>
    Cc: [email protected]
    Signed-off-by: Jonathan Corbet <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Ao Zhong <[email protected]>
Date:   Tue Oct 25 23:17:49 2022 +0200

    drm/amd/display: move remaining FPU code to dml folder
    
    commit 58ddbecb14c792b7fe0d92ae5e25c9179d62ff25 upstream.
    
    pipes[pipe_cnt].pipe.src.dcc_fraction_of_zs_req_luma = 0;
    pipes[pipe_cnt].pipe.src.dcc_fraction_of_zs_req_chroma = 0;
    these two operations in dcn32/dcn32_resource.c still need to use FPU,
    This will cause compilation to fail on ARM64 platforms because
    -mgeneral-regs-only is enabled by default to disable the hardware FPU.
    Therefore, imitate the dcn31_zero_pipe_dcc_fraction function in
    dml/dcn31/dcn31_fpu.c, declare the dcn32_zero_pipe_dcc_fraction function
    in dcn32_fpu.c, and move above two operations into this function.
    
    Reviewed-by: Rodrigo Siqueira <[email protected]>
    Signed-off-by: Ao Zhong <[email protected]>
    Signed-off-by: Rodrigo Siqueira <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Guchun Chen <[email protected]>
Date:   Tue Jan 10 11:33:44 2023 +0800

    drm/amd/pm/smu13: BACO is supported when it's in BACO state
    
    commit 972fb53d3605eb6cdf0d6ae9a52e910626a91ff7 upstream.
    
    This leverages the logic in smu11. No need to talk to SMU to
    check BACO enablement as it's in BACO state already.
    
    Signed-off-by: Guchun Chen <[email protected]>
    Reviewed-by: Kenneth Feng <[email protected]>
    Reviewed-by: Lijo Lazar <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Cc: [email protected] # 6.0, 6.1
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Evan Quan <[email protected]>
Date:   Wed Jan 4 10:45:01 2023 +0800

    drm/amd/pm: add the missing mapping for PPT feature on SMU13.0.0 and 13.0.7
    
    commit 318ca20893c19ead02845a08204c3f9249bb74cd upstream.
    
    Then we are able to set a new ppt limit via the hwmon interface(power1_cap).
    
    Signed-off-by: Evan Quan <[email protected]>
    Reviewed-by: Alex Deucher <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Cc: [email protected] # 6.0.x, 6.1.x
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Evan Quan <[email protected]>
Date:   Fri Dec 16 17:12:53 2022 +0800

    drm/amd/pm: correct the reference clock for fan speed(rpm) calculation
    
    commit 6fea87637bf36bd285227f490132e83582ab7513 upstream.
    
    Correct the reference clock as 25Mhz for SMU13 fan speed calculation.
    
    Signed-off-by: Evan Quan <[email protected]>
    Reviewed-by: Alex Deucher <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Cc: [email protected] # 6.0.x, 6.1.x
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Candice Li <[email protected]>
Date:   Thu Nov 17 20:34:15 2022 +0800

    drm/amd/pm: Enable bad memory page/channel recording support for smu v13_0_0
    
    [ Upstream commit 48aa62f07467c8fcd4b4ec7851e13c83e89a1558 ]
    
    Send message to SMU to update bad memory page and bad channel info.
    
    Signed-off-by: Candice Li <[email protected]>
    Reviewed-by: Evan Quan <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Stable-dep-of: 1794f6a9535b ("drm/amd/pm: enable GPO dynamic control support for SMU13.0.0")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Evan Quan <[email protected]>
Date:   Fri Dec 2 13:56:35 2022 +0800

    drm/amd/pm: enable GPO dynamic control support for SMU13.0.0
    
    [ Upstream commit 1794f6a9535bb5234c2b747d1bc6dad03249245a ]
    
    To better support UMD pstate profilings, the GPO feature needs
    to be switched on/off accordingly.
    
    Signed-off-by: Evan Quan <[email protected]>
    Reviewed-by: Alex Deucher <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Cc: [email protected] # 6.0.x
    Signed-off-by: Sasha Levin <[email protected]>

Author: Evan Quan <[email protected]>
Date:   Fri Dec 2 14:03:45 2022 +0800

    drm/amd/pm: enable GPO dynamic control support for SMU13.0.7
    
    [ Upstream commit 62b9f835a6c60171845642afec4ce4b44865f10f ]
    
    To better support UMD pstate profilings, the GPO feature needs
    to be switched on/off accordingly.
    
    Signed-off-by: Evan Quan <[email protected]>
    Reviewed-by: Alex Deucher <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Cc: [email protected] # 6.0.x
    Signed-off-by: Sasha Levin <[email protected]>

Author: Kenneth Feng <[email protected]>
Date:   Tue Nov 8 08:30:36 2022 +0800

    drm/amd/pm: enable mode1 reset on smu_v13_0_10
    
    [ Upstream commit 60cfad329ab877cb62975ea78ed442c2496990ba ]
    
    enable mode1 reset and prioritize debug port on smu_v13_0_10
    as a more reliable message processing
    
    v2 - move mode1 reset callback to smu_v13_0_0_ppt.c
    
    Signed-off-by: Kenneth Feng <[email protected]>
    Reviewed-by: Yang Wang <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Stable-dep-of: 1794f6a9535b ("drm/amd/pm: enable GPO dynamic control support for SMU13.0.0")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Mario Limonciello <[email protected]>
Date:   Tue Dec 27 15:49:17 2022 -0600

    drm/amd: Delay removal of the firmware framebuffer
    
    commit 1923bc5a56daeeabd7e9093bad2febcd6af2416a upstream.
    
    Removing the firmware framebuffer from the driver means that even
    if the driver doesn't support the IP blocks in a GPU it will no
    longer be functional after the driver fails to initialize.
    
    This change will ensure that unsupported IP blocks at least cause
    the driver to work with the EFI framebuffer.
    
    Cc: [email protected]
    Suggested-by: Alex Deucher <[email protected]>
    Reviewed-by: Alex Deucher <[email protected]>
    Reviewed-by: Lijo Lazar <[email protected]>
    Signed-off-by: Mario Limonciello <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Yifan Zhang <[email protected]>
Date:   Wed Oct 12 12:54:52 2022 +0800

    drm/amdgpu: add soc21 common ip block support for GC 11.0.4
    
    [ Upstream commit 311d52367d0a7985ee1132662bad46f09169eed2 ]
    
    Add common soc21 ip block support for GC 11.0.4.
    
    Signed-off-by: Yifan Zhang <[email protected]>
    Reviewed-by: Aaron Liu <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Stable-dep-of: e1d900df63ad ("drm/amdgpu: enable VCN DPG for GC IP v11.0.4")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Saleemkhan Jamadar <[email protected]>
Date:   Tue Nov 8 11:24:48 2022 +0530

    drm/amdgpu: Enable pg/cg flags on GC11_0_4 for VCN
    
    [ Upstream commit 2a0fe2ca6e9c9bf9c47a9f9f0d67c13281a13f8c ]
    
    This enable VCN PG, CG and JPEG PG, CG
    
    Signed-off-by: Saleemkhan Jamadar <[email protected]>
    Reviewed-by: Leo Liu <[email protected]>
    Signed-off-by: Yifan Zhang <[email protected]>
    Reviewed-by: Aaron Liu <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Stable-dep-of: e1d900df63ad ("drm/amdgpu: enable VCN DPG for GC IP v11.0.4")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Saleemkhan Jamadar <[email protected]>
Date:   Tue Dec 20 13:21:44 2022 +0530

    drm/amdgpu: enable VCN DPG for GC IP v11.0.4
    
    [ Upstream commit e1d900df63adcb748905131dd6258e570e11aed1 ]
    
    Enable VCN Dynamic Power Gating control for GC IP v11.0.4.
    
    Signed-off-by: Saleemkhan Jamadar <[email protected]>
    Reviewed-by: Veerabadhran Gopalakrishnan <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Cc: [email protected] # 6.0, 6.1
    Signed-off-by: Sasha Levin <[email protected]>

Author: Luben Tuikov <[email protected]>
Date:   Wed Jan 4 17:09:02 2023 -0500

    drm/amdgpu: Fix potential NULL dereference
    
    [ Upstream commit 0be7ed8e7eb15282b5d0f6fdfea884db594ea9bf ]
    
    Fix potential NULL dereference, in the case when "man", the resource manager
    might be NULL, when/if we print debug information.
    
    Cc: Alex Deucher <[email protected]>
    Cc: Christian Kц╤nig <[email protected]>
    Cc: AMD Graphics <[email protected]>
    Cc: Dan Carpenter <[email protected]>
    Cc: kernel test robot <[email protected]>
    Fixes: 7554886daa31ea ("drm/amdgpu: Fix size validation for non-exclusive domains (v4)")
    Signed-off-by: Luben Tuikov <[email protected]>
    Reviewed-by: Christian Kц╤nig <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: YiPeng Chai <[email protected]>
Date:   Fri Jan 6 14:04:15 2023 +0800

    drm/amdgpu: Fixed bug on error when unloading amdgpu
    
    commit 99f1a36c90a7524972be5a028424c57fa17753ee upstream.
    
    Fixed bug on error when unloading amdgpu.
    
    The error message is as follows:
    [  377.706202] kernel BUG at drivers/gpu/drm/drm_buddy.c:278!
    [  377.706215] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
    [  377.706222] CPU: 4 PID: 8610 Comm: modprobe Tainted: G          IOE      6.0.0-thomas #1
    [  377.706231] Hardware name: ASUS System Product Name/PRIME Z390-A, BIOS 2004 11/02/2021
    [  377.706238] RIP: 0010:drm_buddy_free_block+0x26/0x30 [drm_buddy]
    [  377.706264] Code: 00 00 00 90 0f 1f 44 00 00 48 8b 0e 89 c8 25 00 0c 00 00 3d 00 04 00 00 75 10 48 8b 47 18 48 d3 e0 48 01 47 28 e9 fa fe ff ff <0f> 0b 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 55 48 89 f5 53
    [  377.706282] RSP: 0018:ffffad2dc4683cb8 EFLAGS: 00010287
    [  377.706289] RAX: 0000000000000000 RBX: ffff8b1743bd5138 RCX: 0000000000000000
    [  377.706297] RDX: ffff8b1743bd5160 RSI: ffff8b1743bd5c78 RDI: ffff8b16d1b25f70
    [  377.706304] RBP: ffff8b1743bd59e0 R08: 0000000000000001 R09: 0000000000000001
    [  377.706311] R10: ffff8b16c8572400 R11: ffffad2dc4683cf0 R12: ffff8b16d1b25f70
    [  377.706318] R13: ffff8b16d1b25fd0 R14: ffff8b1743bd59c0 R15: ffff8b16d1b25f70
    [  377.706325] FS:  00007fec56c72c40(0000) GS:ffff8b1836500000(0000) knlGS:0000000000000000
    [  377.706334] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  377.706340] CR2: 00007f9b88c1ba50 CR3: 0000000110450004 CR4: 00000000003706e0
    [  377.706347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [  377.706354] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    [  377.706361] Call Trace:
    [  377.706365]  <TASK>
    [  377.706369]  drm_buddy_free_list+0x2a/0x60 [drm_buddy]
    [  377.706376]  amdgpu_vram_mgr_fini+0xea/0x180 [amdgpu]
    [  377.706572]  amdgpu_ttm_fini+0x12e/0x1a0 [amdgpu]
    [  377.706650]  amdgpu_bo_fini+0x22/0x90 [amdgpu]
    [  377.706727]  gmc_v11_0_sw_fini+0x26/0x30 [amdgpu]
    [  377.706821]  amdgpu_device_fini_sw+0xa1/0x3c0 [amdgpu]
    [  377.706897]  amdgpu_driver_release_kms+0x12/0x30 [amdgpu]
    [  377.706975]  drm_dev_release+0x20/0x40 [drm]
    [  377.707006]  release_nodes+0x35/0xb0
    [  377.707014]  devres_release_all+0x8b/0xc0
    [  377.707020]  device_unbind_cleanup+0xe/0x70
    [  377.707027]  device_release_driver_internal+0xee/0x160
    [  377.707033]  driver_detach+0x44/0x90
    [  377.707039]  bus_remove_driver+0x55/0xe0
    [  377.707045]  pci_unregister_driver+0x3b/0x90
    [  377.707052]  amdgpu_exit+0x11/0x6c [amdgpu]
    [  377.707194]  __x64_sys_delete_module+0x142/0x2b0
    [  377.707201]  ? fpregs_assert_state_consistent+0x22/0x50
    [  377.707208]  ? exit_to_user_mode_prepare+0x3e/0x190
    [  377.707215]  do_syscall_64+0x38/0x90
    [  377.707221]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    Signed-off-by: YiPeng Chai <[email protected]>
    Reviewed-by: Christian Kц╤nig <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Chris Wilson <[email protected]>
Date:   Thu Sep 15 16:26:51 2022 -0700

    drm/i915/gt: Cleanup partial engine discovery failures
    
    [ Upstream commit 78a033433a5ae4fee85511ee075bc9a48312c79e ]
    
    If we abort driver initialisation in the middle of gt/engine discovery,
    some engines will be fully setup and some not. Those incompletely setup
    engines only have 'engine->release == NULL' and so will leak any of the
    common objects allocated.
    
    v2:
     - Drop the destroy_pinned_context() helper for now.  It's not really
       worth it with just a single callsite at the moment.  (Janusz)
    
    Signed-off-by: Chris Wilson <[email protected]>
    Cc: Janusz Krzysztofik <[email protected]>
    Signed-off-by: Matt Roper <[email protected]>
    Reviewed-by: Janusz Krzysztofik <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

Author: Chris Wilson <[email protected]>
Date:   Mon Dec 12 17:13:38 2022 +0100

    drm/i915/gt: Reset twice
    
    commit d3de5616d36462a646f5b360ba82d3b09ff668eb upstream.
    
    After applying an engine reset, on some platforms like Jasperlake, we
    occasionally detect that the engine state is not cleared until shortly
    after the resume. As we try to resume the engine with volatile internal
    state, the first request fails with a spurious CS event (it looks like
    it reports a lite-restore to the hung context, instead of the expected
    idle->active context switch).
    
    Signed-off-by: Chris Wilson <[email protected]>
    Cc: [email protected]
    Cc: Mika Kuoppala <[email protected]>
    Signed-off-by: Andi Shyti <[email protected]>
    Reviewed-by: Gwan-gyeong Mun <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    (cherry picked from commit 3db9d590557da3aa2c952f2fecd3e9b703dad790)
    Signed-off-by: Rodrigo Vivi <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Nathan Chancellor <[email protected]>
Date:   Tue Oct 25 21:50:15 2022 +0200

    drm/i915: Fix CFI violations in gt_sysfs
    
    commit a8a4f0467d706fc22d286dfa973946e5944b793c upstream.
    
    When booting with CONFIG_CFI_CLANG, there are numerous violations when
    accessing the files under
    /sys/devices/pci0000:00/0000:00:02.0/drm/card0/gt/gt0:
    
      $ cd /sys/devices/pci0000:00/0000:00:02.0/drm/card0/gt/gt0
    
      $ grep . *
      id:0
      punit_req_freq_mhz:350
      rc6_enable:1
      rc6_residency_ms:214934
      rps_act_freq_mhz:1300
      rps_boost_freq_mhz:1300
      rps_cur_freq_mhz:350
      rps_max_freq_mhz:1300
      rps_min_freq_mhz:350
      rps_RP0_freq_mhz:1300
      rps_RP1_freq_mhz:350
      rps_RPn_freq_mhz:350
      throttle_reason_pl1:0
      throttle_reason_pl2:0
      throttle_reason_pl4:0
      throttle_reason_prochot:0
      throttle_reason_ratl:0
      throttle_reason_status:0
      throttle_reason_thermal:0
      throttle_reason_vr_tdc:0
      throttle_reason_vr_thermalert:0
    
      $ sudo dmesg &| grep "CFI failure at"
      [  214.595903] CFI failure at kobj_attr_show+0x19/0x30 (target: id_show+0x0/0x70 [i915]; expected type: 0xc527b809)
      [  214.596064] CFI failure at kobj_attr_show+0x19/0x30 (target: punit_req_freq_mhz_show+0x0/0x40 [i915]; expected type: 0xc527b809)
      [  214.596407] CFI failure at kobj_attr_show+0x19/0x30 (target: rc6_enable_show+0x0/0x40 [i915]; expected type: 0xc527b809)
      [  214.596528] CFI failure at kobj_attr_show+0x19/0x30 (target: rc6_residency_ms_show+0x0/0x270 [i915]; expected type: 0xc527b809)
      [  214.596682] CFI failure at kobj_attr_show+0x19/0x30 (target: act_freq_mhz_show+0x0/0xe0 [i915]; expected type: 0xc527b809)
      [  214.596792] CFI failure at kobj_attr_show+0x19/0x30 (target: boost_freq_mhz_show+0x0/0xe0 [i915]; expected type: 0xc527b809)
      [  214.596893] CFI failure at kobj_attr_show+0x19/0x30 (target: cur_freq_mhz_show+0x0/0xe0 [i915]; expected type: 0xc527b809)
      [  214.596996] CFI failure at kobj_attr_show+0x19/0x30 (target: max_freq_mhz_show+0x0/0xe0 [i915]; expected type: 0xc527b809)
      [  214.597099] CFI failure at kobj_attr_show+0x19/0x30 (target: min_freq_mhz_show+0x0/0xe0 [i915]; expected type: 0xc527b809)
      [  214.597198] CFI failure at kobj_attr_show+0x19/0x30 (target: RP0_freq_mhz_show+0x0/0xe0 [i915]; expected type: 0xc527b809)
      [  214.597301] CFI failure at kobj_attr_show+0x19/0x30 (target: RP1_freq_mhz_show+0x0/0xe0 [i915]; expected type: 0xc527b809)
      [  214.597405] CFI failure at kobj_attr_show+0x19/0x30 (target: RPn_freq_mhz_show+0x0/0xe0 [i915]; expected type: 0xc527b809)
      [  214.597538] CFI failure at kobj_attr_show+0x19/0x30 (target: throttle_reason_bool_show+0x0/0x50 [i915]; expected type: 0xc527b809)
      [  214.597701] CFI failure at kobj_attr_show+0x19/0x30 (target: throttle_reason_bool_show+0x0/0x50 [i915]; expected type: 0xc527b809)
      [  214.597836] CFI failure at kobj_attr_show+0x19/0x30 (target: throttle_reason_bool_show+0x0/0x50 [i915]; expected type: 0xc527b809)
      [  214.597952] CFI failure at kobj_attr_show+0x19/0x30 (target: throttle_reason_bool_show+0x0/0x50 [i915]; expected type: 0xc527b809)
      [  214.598071] CFI failure at kobj_attr_show+0x19/0x30 (target: throttle_reason_bool_show+0x0/0x50 [i915]; expected type: 0xc527b809)
      [  214.598177] CFI failure at kobj_attr_show+0x19/0x30 (target: throttle_reason_bool_show+0x0/0x50 [i915]; expected type: 0xc527b809)
      [  214.598307] CFI failure at kobj_attr_show+0x19/0x30 (target: throttle_reason_bool_show+0x0/0x50 [i915]; expected type: 0xc527b809)
      [  214.598439] CFI failure at kobj_attr_show+0x19/0x30 (target: throttle_reason_bool_show+0x0/0x50 [i915]; expected type: 0xc527b809)
      [  214.598542] CFI failure at kobj_attr_show+0x19/0x30 (target: throttle_reason_bool_show+0x0/0x50 [i915]; expected type: 0xc527b809)
    
    With kCFI, indirect calls are validated against their expected type
    versus actual type and failures occur when the two types do not match.
    The ultimate issue is that these sysfs functions are expecting to be
    called via dev_attr_show() but they may also be called via
    kobj_attr_show(), as certain files are created under two different
    kobjects that have two different sysfs_ops in intel_gt_sysfs_register(),
    hence the warnings above. When accessing the gt_ files under
    /sys/devices/pci0000:00/0000:00:02.0/drm/card0, which are using the same
    sysfs functions, there are no violations, meaning the functions are
    being called with the proper type.
    
    To make everything work properly, adjust certain functions to match the
    type of the ->show() and ->store() members in 'struct kobj_attribute'.
    Add a macro to generate functions for that can be called via both
    dev_attr_{show,store}() or kobj_attr_{show,store}() so that they can be
    called through both kobject locations without violating kCFI and adjust
    the attribute groups to account for this.
    
    Link: https://github.com/ClangBuiltLinux/linux/issues/1716
    Reviewed-by: Andi Shyti <[email protected]>
    Reviewed-by: Andrzej Hajda <[email protected]>
    Reviewed-by: Kees Cook <[email protected]>
    Signed-off-by: Nathan Chancellor <[email protected]>
    Signed-off-by: Andi Shyti <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Nathan Chancellor <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Rob Clark <[email protected]>
Date:   Tue Jan 3 15:49:46 2023 -0800

    drm/i915: Fix potential context UAFs
    
    commit afce71ff6daa9c0f852df0727fe32c6fb107f0fa upstream.
    
    gem_context_register() makes the context visible to userspace, and which
    point a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl.
    So we need to ensure that nothing uses the ctx ptr after this.  And we
    need to ensure that adding the ctx to the xarray is the *last* thing
    that gem_context_register() does with the ctx pointer.
    
    Signed-off-by: Rob Clark <[email protected]>
    Fixes: eb4dedae920a ("drm/i915/gem: Delay tracking the GEM context until it is registered")
    Fixes: a4c1cdd34e2c ("drm/i915/gem: Delay context creation (v3)")
    Fixes: 49bd54b390c2 ("drm/i915: Track all user contexts per client")
    Cc: <[email protected]> # v5.10+
    Reviewed-by: Tvrtko Ursulin <[email protected]>
    Reviewed-by: Andi Shyti <[email protected]>
    [tursulin: Stable and fixes tags add/tidy.]
    Signed-off-by: Tvrtko Ursulin <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    (cherry picked from commit bed4b455cf5374e68879be56971c1da563bcd90c)
    Signed-off-by: Rodrigo Vivi <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Nirmoy Das <[email protected]>
Date:   Fri Dec 23 10:20:11 2022 +0100

    drm/i915: Reserve enough fence slot for i915_vma_unbind_async
    
    commit 476fdcdaaae7b06c780cdfc234c704107f16c529 upstream.
    
    A nested dma_resv_reserve_fences(1) will not reserve slot from the
    2nd call onwards and folowing dma_resv_add_fence() might hit the
    "BUG_ON(fobj->num_fences >= fobj->max_fences)" check.
    
    I915 hit above nested dma_resv case in ttm_bo_handle_move_mem() with
    async unbind:
    
    dma_resv_reserve_fences() from --> ttm_bo_handle_move_mem()
            dma_resv_reserve_fences() from --> i915_vma_unbind_async()
            dma_resv_add_fence() from --> i915_vma_unbind_async()
    dma_resv_add_fence() from -->ttm_bo_move_accel_cleanup()
    
    Resolve this by adding an extra fence in i915_vma_unbind_async().
    
    Suggested-by: Thomas Hellstrц╤m <[email protected]>
    Fixes: 2f6b90da9192 ("drm/i915: Use vma resources for async unbinding")
    Cc: <[email protected]> # v5.18+
    Signed-off-by: Nirmoy Das <[email protected]>
    Reviewed-by: Matthew Auld <[email protected]>
    Signed-off-by: Matthew Auld <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    (cherry picked from commit 4f0755c2faf7388616109717facc5bbde6850e60)
    Signed-off-by: Rodrigo Vivi <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Konrad Dybcio <[email protected]>
Date:   Mon Jan 2 11:02:00 2023 +0100

    drm/msm/adreno: Make adreno quirks not overwrite each other
    
    commit 13ef096e342b00e30b95a90c6c13eee1f0bec4c5 upstream.
    
    So far the adreno quirks have all been assigned with an OR operator,
    which is problematic, because they were assigned consecutive integer
    values, which makes checking them with an AND operator kind of no bueno..
    
    Switch to using BIT(n) so that only the quirks that the programmer chose
    are taken into account when evaluating info->quirks & ADRENO_QUIRK_...
    
    Fixes: 370063ee427a ("drm/msm/adreno: Add A540 support")
    Reviewed-by: Dmitry Baryshkov <[email protected]>
    Reviewed-by: Marijn Suijten <[email protected]>
    Reviewed-by: Rob Clark <[email protected]>
    Signed-off-by: Konrad Dybcio <[email protected]>
    Reviewed-by: Akhil P Oommen <[email protected]>
    Patchwork: https://patchwork.freedesktop.org/patch/516456/
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Rob Clark <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Kuogee Hsieh <[email protected]>
Date:   Tue Dec 27 18:16:24 2022 -0800

    drm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer
    
    commit 1cba0d150fa102439114a91b3e215909efc9f169 upstream.
    
    There are 3 possible interrupt sources are handled by DP controller,
    HPDstatus, Controller state changes and Aux read/write transaction.
    At every irq, DP controller have to check isr status of every interrupt
    sources and service the interrupt if its isr status bits shows interrupts
    are pending. There is potential race condition may happen at current aux
    isr handler implementation since it is always complete dp_aux_cmd_fifo_tx()
    even irq is not for aux read or write transaction. This may cause aux read
    transaction return premature if host aux data read is in the middle of
    waiting for sink to complete transferring data to host while irq happen.
    This will cause host's receiving buffer contains unexpected data. This
    patch fixes this problem by checking aux isr and return immediately at
    aux isr handler if there are no any isr status bits set.
    
    Current there is a bug report regrading eDP edid corruption happen during
    system booting up. After lengthy debugging to found that VIDEO_READY
    interrupt was continuously firing during system booting up which cause
    dp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely to retrieve data
    from aux hardware buffer which is not yet contains complete data transfer
    from sink. This cause edid corruption.
    
    Follows are the signature at kernel logs when problem happen,
    EDID has corrupt header
    panel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID
    
    Changes in v2:
    -- do complete if (ret == IRQ_HANDLED) ay dp-aux_isr()
    -- add more commit text
    
    Changes in v3:
    -- add Stephen suggested
    -- dp_aux_isr() return IRQ_XXX back to caller
    -- dp_ctrl_isr() return IRQ_XXX back to caller
    
    Changes in v4:
    -- split into two patches
    
    Changes in v5:
    -- delete empty line between tags
    
    Changes in v6:
    -- remove extra "that" and fixed line more than 75 char at commit text
    
    Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support")
    Signed-off-by: Kuogee Hsieh <[email protected]>
    Tested-by: Douglas Anderson <[email protected]>
    Reviewed-by: Abhinav Kumar <[email protected]>
    Reviewed-by: Dmitry Baryshkov <[email protected]>
    Patchwork: https://patchwork.freedesktop.org/patch/516121/
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Abhinav Kumar <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Miaoqian Lin <[email protected]>
Date:   Wed Dec 7 10:59:22 2022 +0400

    drm/msm/dpu: Fix memory leak in msm_mdss_parse_data_bus_icc_path
    
    [ Upstream commit 45dac1352b55b1d8cb17f218936b2bc2bc1fb4ee ]
    
    of_icc_get() alloc resources for path1, we should release it when not
    need anymore. Early return when IS_ERR_OR_NULL(path0) may leak path1.
    Defer getting path1 to fix this.
    
    Fixes: b9364eed9232 ("drm/msm/dpu: Move min BW request and full BW disable back to mdss")
    Signed-off-by: Miaoqian Lin <[email protected]>
    Reviewed-by: Douglas Anderson <[email protected]>
    Reviewed-by: Abhinav Kumar <[email protected]>
    Patchwork: https://patchwork.freedesktop.org/patch/514264/
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Abhinav Kumar <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Yang Li <[email protected]>
Date:   Tue Nov 15 09:49:02 2022 +0800

    drm/msm/dpu: Fix some kernel-doc comments
    
    [ Upstream commit 1bdeb321d1f856346fe0078af09c9e7ffbd2ca7a ]
    
    Make the description of @init to @p in dpu_encoder_phys_wb_init()
    and remove @wb_roi in dpu_encoder_phys_wb_setup_fb() to clear the below
    warnings:
    
    drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c:139: warning: Excess function parameter 'wb_roi' description in 'dpu_encoder_phys_wb_setup_fb'
    drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c:699: warning: Function parameter or member 'p' not described in 'dpu_encoder_phys_wb_init'
    drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c:699: warning: Excess function parameter 'init' description in 'dpu_encoder_phys_wb_init'
    
    Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=3067
    Reported-by: Abaci Robot <[email protected]>
    Signed-off-by: Yang Li <[email protected]>
    Fixes: d7d0e73f7de3 ("drm/msm/dpu: introduce the dpu_encoder_phys_* for writeback")
    Reviewed-by: Abhinav Kumar <[email protected]>
    Patchwork: https://patchwork.freedesktop.org/patch/511605/
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Abhinav Kumar <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Dmitry Baryshkov <[email protected]>
Date:   Thu Jan 5 03:47:43 2023 +0200

    drm/msm: another fix for the headless Adreno GPU
    
    commit 00dd060ab3cf95ca6ede7853bc14397014971b5e upstream.
    
    Fix another oops reproducible when rebooting the board with the Adreno
    GPU working in the headless mode (e.g. iMX platforms).
    
    Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read
    [00000000] *pgd=74936831, *pte=00000000, *ppte=00000000
    Internal error: Oops: 17 [#1] ARM
    CPU: 0 PID: 51 Comm: reboot Not tainted 6.2.0-rc1-dirty #11
    Hardware name: Freescale i.MX53 (Device Tree Support)
    PC is at msm_atomic_commit_tail+0x50/0x970
    LR is at commit_tail+0x9c/0x188
    pc : [<c06aa430>]    lr : [<c067a214>]    psr: 600e0013
    sp : e0851d30  ip : ee4eb7eb  fp : 00090acc
    r10: 00000058  r9 : c2193014  r8 : c4310000
    r7 : c4759380  r6 : 07bef61d  r5 : 00000000  r4 : 00000000
    r3 : c44cc440  r2 : 00000000  r1 : 00000000  r0 : 00000000
    Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
    Control: 10c5387d  Table: 74910019  DAC: 00000051
    Register r0 information: NULL pointer
    Register r1 information: NULL pointer
    Register r2 information: NULL pointer
    Register r3 information: slab kmalloc-1k start c44cc400 pointer offset 64 size 1024
    Register r4 information: NULL pointer
    Register r5 information: NULL pointer
    Register r6 information: non-paged memory
    Register r7 information: slab kmalloc-128 start c4759380 pointer offset 0 size 128
    Register r8 information: slab kmalloc-2k start c4310000 pointer offset 0 size 2048
    Register r9 information: non-slab/vmalloc memory
    Register r10 information: non-paged memory
    Register r11 information: non-paged memory
    Register r12 information: non-paged memory
    Process reboot (pid: 51, stack limit = 0xc80046d9)
    Stack: (0xe0851d30 to 0xe0852000)
    1d20:                                     c4759380 fbd77200 000005ff 002b9c70
    1d40: c4759380 c4759380 00000000 07bef61d 00000600 c0d6fe7c c2193014 00000058
    1d60: 00090acc c067a214 00000000 c4759380 c4310000 00000000 c44cc854 c067a89c
    1d80: 00000000 00000000 00000000 c4310468 00000000 c4759380 c4310000 c4310468
    1da0: c4310470 c0643258 c4759380 00000000 00000000 c0c4ee24 00000000 c44cc810
    1dc0: 00000000 c0c4ee24 00000000 c44cc810 00000000 0347d2a8 e0851e00 e0851e00
    1de0: c4759380 c067ad20 c4310000 00000000 c44cc810 c27f8718 c44cc854 c067adb8
    1e00: c4933000 00000002 00000001 00000000 00000000 c2130850 00000000 c2130854
    1e20: c25fc488 00000000 c0ff162c 00000000 00000001 00000002 00000000 00000000
    1e40: c43102c0 c43102c0 00000000 0347d2a8 c44cc810 c44cc814 c2133da8 c06d1a60
    1e60: 00000000 00000000 00079028 c2012f24 fee1dead c4933000 00000058 c01431e4
    1e80: 01234567 c0143a20 00000000 00000000 00000000 00000000 00000000 00000000
    1ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    1ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    1ee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    1f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    1f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    1f40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    1f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    1f80: 00000000 00000000 00000000 0347d2a8 00000002 00000004 00000078 00000058
    1fa0: c010028c c0100060 00000002 00000004 fee1dead 28121969 01234567 00079028
    1fc0: 00000002 00000004 00000078 00000058 0002fdc5 00000000 00000000 00090acc
    1fe0: 00000058 becc9c64 b6e97e05 b6e0e5f6 600e0030 fee1dead 00000000 00000000
     msm_atomic_commit_tail from commit_tail+0x9c/0x188
     commit_tail from drm_atomic_helper_commit+0x160/0x188
     drm_atomic_helper_commit from drm_atomic_commit+0xac/0xe0
     drm_atomic_commit from drm_atomic_helper_disable_all+0x1b0/0x1c0
     drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x88/0x140
     drm_atomic_helper_shutdown from device_shutdown+0x16c/0x240
     device_shutdown from kernel_restart+0x38/0x90
     kernel_restart from __do_sys_reboot+0x174/0x224
     __do_sys_reboot from ret_fast_syscall+0x0/0x1c
    Exception stack(0xe0851fa8 to 0xe0851ff0)
    1fa0:                   00000002 00000004 fee1dead 28121969 01234567 00079028
    1fc0: 00000002 00000004 00000078 00000058 0002fdc5 00000000 00000000 00090acc
    1fe0: 00000058 becc9c64 b6e97e05 b6e0e5f6
    Code: 15922088 1184421c e1500003 1afffff8 (e5953000)
    ---[ end trace 0000000000000000 ]---
    
    Fixes: 0a58d2ae572a ("drm/msm: Make .remove and .shutdown HW shutdown consistent")
    Reported-by: kernel test robot <[email protected]>
    Signed-off-by: Dmitry Baryshkov <[email protected]>
    Reviewed-by: Rob Clark <[email protected]>
    Reviewed-by: Abhinav Kumar <[email protected]>
    Patchwork: https://patchwork.freedesktop.org/patch/516909/
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Abhinav Kumar <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Rob Clark <[email protected]>
Date:   Fri Dec 16 15:33:55 2022 -0800

    drm/virtio: Fix GEM handle creation UAF
    
    commit 52531258318ed59a2dc5a43df2eaf0eb1d65438e upstream.
    
    Userspace can guess the handle value and try to race GEM object creation
    with handle close, resulting in a use-after-free if we dereference the
    object after dropping the handle's reference.  For that reason, dropping
    the handle's reference must be done *after* we are done dereferencing
    the object.
    
    Signed-off-by: Rob Clark <[email protected]>
    Reviewed-by: Chia-I Wu <[email protected]>
    Fixes: 62fb7a5e1096 ("virtio-gpu: add 3d/virgl support")
    Cc: [email protected]
    Signed-off-by: Dmitry Osipenko <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Maaz Mombasawala <[email protected]>
Date:   Sat Oct 22 00:02:22 2022 -0400

    drm/vmwgfx: Refactor resource manager's hashtable to use linux/hashtable implementation.
    
    [ Upstream commit 43531dc661b7fb6be249c023bf25847b38215545 ]
    
    Vmwgfx's hashtab implementation needs to be replaced with linux/hashtable
    to reduce maintenance burden.
    Refactor cmdbuf resource manager to use linux/hashtable.h implementation
    as part of this effort.
    
    Signed-off-by: Maaz Mombasawala <[email protected]>
    Reviewed-by: Zack Rusin <[email protected]>
    Reviewed-by: Martin Krastev <[email protected]>
    Signed-off-by: Zack Rusin <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Stable-dep-of: a309c7194e8a ("drm/vmwgfx: Remove rcu locks from user resources")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Maaz Mombasawala <[email protected]>
Date:   Sat Oct 22 00:02:24 2022 -0400

    drm/vmwgfx: Refactor resource validation hashtable to use linux/hashtable implementation.
    
    [ Upstream commit 9e931f2e09701e25744f3d186a4ba13b5342b136 ]
    
    Vmwgfx's hashtab implementation needs to be replaced with linux/hashtable
    to reduce maintenence burden.
    As part of this effort, refactor the res_ht hashtable used for resource
    validation during execbuf execution to use linux/hashtable implementation.
    This also refactors vmw_validation_context to use vmw_sw_context as the
    container for the hashtable, whereas before it used a vmwgfx_open_hash
    directly. This makes vmw_validation_context less generic, but there is
    no functional change since res_ht is the only instance where validation
    context used a hashtable in vmwgfx driver.
    
    Signed-off-by: Maaz Mombasawala <[email protected]>
    Reviewed-by: Thomas Hellstrц╤m <[email protected]>
    Signed-off-by: Zack Rusin <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Stable-dep-of: a309c7194e8a ("drm/vmwgfx: Remove rcu locks from user resources")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Maaz Mombasawala <[email protected]>
Date:   Sat Oct 22 00:02:29 2022 -0400

    drm/vmwgfx: Refactor ttm reference object hashtable to use linux/hashtable.
    
    [ Upstream commit 76a9e07f270cf5fb556ac237dbf11f5dacd61fef ]
    
    This is part of an effort to move from the vmwgfx_open_hash hashtable to
    linux/hashtable implementation.
    Refactor the ref_hash hashtable, used for fast lookup of reference objects
    associated with a ttm file.
    This also exposed a problem related to inconsistently using 32-bit and
    64-bit keys with this hashtable. The hash function used changes depending
    on the size of the type, and results are not consistent across numbers,
    for example, hash_32(329) = 329, but hash_long(329) = 328. This would
    cause the lookup to fail for objects already in the hashtable, since keys
    of different sizes were being passed during adding and lookup. This was
    not an issue before because vmwgfx_open_hash always used hash_long.
    Fix this by always using 64-bit keys for this hashtable, which means that
    hash_long is always used.
    
    Signed-off-by: Maaz Mombasawala <[email protected]>
    Reviewed-by: Zack Rusin <[email protected]>
    Signed-off-by: Zack Rusin <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Stable-dep-of: a309c7194e8a ("drm/vmwgfx: Remove rcu locks from user resources")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Zack Rusin <[email protected]>
Date:   Wed Dec 7 12:29:07 2022 -0500

    drm/vmwgfx: Remove rcu locks from user resources
    
    [ Upstream commit a309c7194e8a2f8bd4539b9449917913f6c2cd50 ]
    
    User resource lookups used rcu to avoid two extra atomics. Unfortunately
    the rcu paths were buggy and it was easy to make the driver crash by
    submitting command buffers from two different threads. Because the
    lookups never show up in performance profiles replace them with a
    regular spin lock which fixes the races in accesses to those shared
    resources.
    
    Fixes kernel oops'es in IGT's vmwgfx execution_buffer stress test and
    seen crashes with apps using shared resources.
    
    Fixes: e14c02e6b699 ("drm/vmwgfx: Look up objects without taking a reference")
    Signed-off-by: Zack Rusin <[email protected]>
    Reviewed-by: Martin Krastev <[email protected]>
    Reviewed-by: Maaz Mombasawala <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

Author: Maaz Mombasawala <[email protected]>
Date:   Sat Oct 22 00:02:23 2022 -0400

    drm/vmwgfx: Remove ttm object hashtable
    
    [ Upstream commit 931e09d8d5b4aa19bdae0234f2727049f1cd13d9 ]
    
    The object_hash hashtable for ttm objects is not being used.
    Remove it and perform refactoring in ttm_object init function.
    
    Signed-off-by: Maaz Mombasawala <[email protected]>
    Reviewed-by: Zack Rusin <[email protected]>
    Reviewed-by: Martin Krastev <[email protected]>
    Signed-off-by: Zack Rusin <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Stable-dep-of: a309c7194e8a ("drm/vmwgfx: Remove rcu locks from user resources")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Maaz Mombasawala <[email protected]>
Date:   Sat Oct 22 00:02:30 2022 -0400

    drm/vmwgfx: Remove vmwgfx_hashtab
    
    [ Upstream commit 9da30cdd6a318595199319708c143ae318f804ef ]
    
    The vmwgfx driver has migrated from using the hashtable in vmwgfx_hashtab
    to the linux/hashtable implementation. Remove the vmwgfx_hashtab from the
    driver.
    
    Signed-off-by: Maaz Mombasawala <[email protected]>
    Reviewed-by: Martin Krastev <[email protected]>
    Reviewed-by: Zack Rusin <[email protected]>
    Signed-off-by: Zack Rusin <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Stable-dep-of: a309c7194e8a ("drm/vmwgfx: Remove rcu locks from user resources")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Zack Rusin <[email protected]>
Date:   Sat Oct 22 00:02:20 2022 -0400

    drm/vmwgfx: Write the driver id registers
    
    [ Upstream commit 7f4c33778686cc2d34cb4ef65b4265eea874c159 ]
    
    Driver id registers are a new mechanism in the svga device to hint to the
    device which driver is running. This should not change device behavior
    in any way, but might be convenient to work-around specific bugs
    in guest drivers.
    
    Signed-off-by: Zack Rusin <[email protected]>
    Reviewed-by: Martin Krastev <[email protected]>
    Reviewed-by: Maaz Mombasawala <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Stable-dep-of: a309c7194e8a ("drm/vmwgfx: Remove rcu locks from user resources")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Arunpravin Paneer Selvam <[email protected]>
Date:   Thu Jan 12 04:00:27 2023 -0800

    drm: Optimize drm buddy top-down allocation method
    
    commit 5640e81607152d7f2d2558227c0f6cb78b8f39cf upstream.
    
    We are observing performance drop in many usecases which include
    games, 3D benchmark applications,etc.. To solve this problem, We
    are strictly not allowing top down flag enabled allocations to
    steal the memory space from cpu visible region.
    
    The idea is, we are sorting each order list entries in
    ascending order and compare the last entry of each order
    list in the freelist and return the max block.
    
    This patch improves the 3D benchmark scores and solves
    fragmentation issues.
    
    All drm buddy selftests are verfied.
    drm_buddy: pass:6 fail:0 skip:0 total:6
    
    Signed-off-by: Arunpravin Paneer Selvam <[email protected]>
    Acked-by: Christian Kц╤nig <[email protected]>
    Acked-by: Alex Deucher <[email protected]>
    Reviewed-by: Matthew Auld <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Christian Kц╤nig <[email protected]>
    CC: Cc: [email protected] # 5.18+
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Konrad Dybcio <[email protected]>
Date:   Wed Nov 30 14:58:07 2022 +0100

    dt-bindings: msm/dsi: Don't require vcca-supply on 14nm PHY
    
    commit a2117773c839a8439a3771e0c040b5c505b083a7 upstream.
    
    On some SoCs (hello SM6115) vcca-supply is not wired to any smd-rpm
    or rpmh regulator, but instead powered by the VDD_MX line, which is
    voted for in the DSI ctrl node.
    
    Signed-off-by: Konrad Dybcio <[email protected]>
    Acked-by: Krzysztof Kozlowski <[email protected]>
    Reviewed-by: Dmitry Baryshkov <[email protected]>
    Fixes: 8fc939e72ff8 ("dt-bindings: msm: dsi: add yaml schemas for DSI PHY bindings")
    Reviewed-by: Abhinav Kumar <[email protected]>
    Patchwork: https://patchwork.freedesktop.org/patch/513555/
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Abhinav Kumar <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Konrad Dybcio <[email protected]>
Date:   Wed Nov 16 17:32:18 2022 +0100

    dt-bindings: msm/dsi: Don't require vdds-supply on 10nm PHY
    
    commit ef11cb7a29c0e13031c968190ea8f86104e7fb6a upstream.
    
    On some SoCs (hello SM6350) vdds-supply is not wired to any smd-rpm
    or rpmh regulator, but instead powered by the VDD_MX/mx.lvl line,
    which is voted for in the DSI ctrl node.
    
    Signed-off-by: Konrad Dybcio <[email protected]>
    Acked-by: Rob Herring <[email protected]>
    Fixes: 8fc939e72ff8 ("dt-bindings: msm: dsi: add yaml schemas for DSI PHY bindings")
    Reviewed-by: Abhinav Kumar <[email protected]>
    Patchwork: https://patchwork.freedesktop.org/patch/511889/
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Abhinav Kumar <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Bryan O'Donoghue <[email protected]>
Date:   Fri Dec 23 02:10:10 2022 +0000

    dt-bindings: msm: dsi-controller-main: Fix description of core clock
    
    commit 654ffe4b793b42ed6b5909daff0b91809916d94e upstream.
    
    There's a typo in describing the core clock as an 'escape' clock. The
    accurate description is 'core'.
    
    Fixes: 4dbe55c97741 ("dt-bindings: msm: dsi: add yaml schemas for DSI bindings")
    Reviewed-by: Dmitry Baryshkov <[email protected]>
    Acked-by: Krzysztof Kozlowski <[email protected]>
    Signed-off-by: Bryan O'Donoghue <[email protected]>
    Patchwork: https://patchwork.freedesktop.org/patch/515938/
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Abhinav Kumar <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Bryan O'Donoghue <[email protected]>
Date:   Fri Dec 23 02:10:08 2022 +0000

    dt-bindings: msm: dsi-controller-main: Fix operating-points-v2 constraint
    
    commit cdf64343f91a1225e9e3d4ce4261962cd41b4ddd upstream.
    
    The existing msm8916.dtsi does not depend on nor require operating points.
    
    Fixes: 4dbe55c97741 ("dt-bindings: msm: dsi: add yaml schemas for DSI bindings")
    Reviewed-by: Dmitry Baryshkov <[email protected]>
    Acked-by: Krzysztof Kozlowski <[email protected]>
    Signed-off-by: Bryan O'Donoghue <[email protected]>
    Patchwork: https://patchwork.freedesktop.org/patch/515940/
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Abhinav Kumar <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Bryan O'Donoghue <[email protected]>
Date:   Fri Dec 23 02:10:09 2022 +0000

    dt-bindings: msm: dsi-controller-main: Fix power-domain constraint
    
    commit a6f033938beb31f893302a93f83ec0b6460c6cac upstream.
    
    power-domain is required for the sc7180 dispcc GDSC but not every qcom SoC
    has a similar dependency for example the apq8064.
    
    Most Qcom SoC's using mdss-dsi-ctrl seem to have the ability to
    power-collapse the MDP without collapsing DSI.
    
    For example the qcom vendor kernel commit for apq8084, msm8226, msm8916,
    msm8974.
    
    https://review.carbonrom.org/plugins/gitiles/CarbonROM/android_kernel_oneplus_msm8994/+/7b5c011a770daa2811778937ed646237a28a8694
    
    "ARM: dts: msm: add mdss gdsc supply to dsi controller device
    
     It is possible for the DSI controller to be active when MDP is
     power collapsed. DSI controller needs to have it's own vote for
     mdss gdsc to ensure that gdsc remains on in such cases."
    
    This however doesn't appear to be the case for the apq8064 so we shouldn't
    be marking power-domain as required in yaml checks.
    
    Fixes: 4dbe55c97741 ("dt-bindings: msm: dsi: add yaml schemas for DSI bindings")
    Reviewed-by: Dmitry Baryshkov <[email protected]>
    Acked-by: Krzysztof Kozlowski <[email protected]>
    Signed-off-by: Bryan O'Donoghue <[email protected]>
    Patchwork: https://patchwork.freedesktop.org/patch/515958/
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Abhinav Kumar <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Bryan O'Donoghue <[email protected]>
Date:   Thu Dec 29 12:44:38 2022 +0000

    dt-bindings: msm: dsi-phy-28nm: Add missing qcom, dsi-phy-regulator-ldo-mode
    
    commit be79f805a1e1b95605c825f1c513bdd2c8b167ed upstream.
    
    Add in missing qcom,dsi-phy-regulator-ldo-mode to the 28nm DSI PHY.
    When converting from .txt to .yaml we missed this one.
    
    Fixes: 4dbe55c97741 ("dt-bindings: msm: dsi: add yaml schemas for DSI bindings")
    Reviewed-by: Dmitry Baryshkov <[email protected]>
    Signed-off-by: Bryan O'Donoghue <[email protected]>
    Patchwork: https://patchwork.freedesktop.org/patch/516205/
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Abhinav Kumar <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Eliav Farber <[email protected]>
Date:   Thu Oct 20 12:44:58 2022 +0000

    EDAC/device: Fix period calculation in edac_device_reset_delay_period()
    
    commit e84077437902ec99eba0a6b516df772653f142c7 upstream.
    
    Fix period calculation in case user sets a value of 1000.  The input of
    round_jiffies_relative() should be in jiffies and not in milli-seconds.
    
      [ bp: Use the same code pattern as in edac_device_workq_setup() for
        clarity. ]
    
    Fixes: c4cf3b454eca ("EDAC: Rework workqueue handling")
    Signed-off-by: Eliav Farber <[email protected]>
    Signed-off-by: Borislav Petkov (AMD) <[email protected]>
    Cc: <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Johan Hovold <[email protected]>
Date:   Mon Dec 19 10:10:04 2022 +0100

    efi: fix NULL-deref in init error path
    
    [ Upstream commit 703c13fe3c9af557d312f5895ed6a5fda2711104 ]
    
    In cases where runtime services are not supported or have been disabled,
    the runtime services workqueue will never have been allocated.
    
    Do not try to destroy the workqueue unconditionally in the unlikely
    event that EFI initialisation fails to avoid dereferencing a NULL
    pointer.
    
    Fixes: 98086df8b70c ("efi: add missed destroy_workqueue when efisubsys_init fails")
    Cc: [email protected]
    Cc: Li Heng <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Ard Biesheuvel <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Ding Hui <[email protected]>
Date:   Tue Dec 27 23:09:36 2022 +0800

    efi: fix userspace infinite retry read efivars after EFI runtime services page fault
    
    commit e006ac3003080177cf0b673441a4241f77aaecce upstream.
    
    After [1][2], if we catch exceptions due to EFI runtime service, we will
    clear EFI_RUNTIME_SERVICES bit to disable EFI runtime service, then the
    subsequent routine which invoke the EFI runtime service should fail.
    
    But the userspace cat efivars through /sys/firmware/efi/efivars/ will stuck
    and infinite loop calling read() due to efivarfs_file_read() return -EINTR.
    
    The -EINTR is converted from EFI_ABORTED by efi_status_to_err(), and is
    an improper return value in this situation, so let virt_efi_xxx() return
    EFI_DEVICE_ERROR and converted to -EIO to invoker.
    
    Cc: <[email protected]>
    Fixes: 3425d934fc03 ("efi/x86: Handle page faults occurring while running EFI runtime services")
    Fixes: 23715a26c8d8 ("arm64: efi: Recover from synchronous exceptions occurring in firmware")
    Signed-off-by: Ding Hui <[email protected]>
    Signed-off-by: Ard Biesheuvel <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Ard Biesheuvel <[email protected]>
Date:   Mon Jan 9 10:44:31 2023 +0100

    efi: tpm: Avoid READ_ONCE() for accessing the event log
    
    commit d3f450533bbcb6dd4d7d59cadc9b61b7321e4ac1 upstream.
    
    Nathan reports that recent kernels built with LTO will crash when doing
    EFI boot using Fedora's GRUB and SHIM. The culprit turns out to be a
    misaligned load from the TPM event log, which is annotated with
    READ_ONCE(), and under LTO, this gets translated into a LDAR instruction
    which does not tolerate misaligned accesses.
    
    Interestingly, this does not happen when booting the same kernel
    straight from the UEFI shell, and so the fact that the event log may
    appear misaligned in memory may be caused by a bug in GRUB or SHIM.
    
    However, using READ_ONCE() to access firmware tables is slightly unusual
    in any case, and here, we only need to ensure that 'event' is not
    dereferenced again after it gets unmapped, but this is already taken
    care of by the implicit barrier() semantics of the early_memunmap()
    call.
    
    Cc: <[email protected]>
    Cc: Peter Jones <[email protected]>
    Cc: Jarkko Sakkinen <[email protected]>
    Cc: Matthew Garrett <[email protected]>
    Reported-by: Nathan Chancellor <[email protected]>
    Tested-by: Nathan Chancellor <[email protected]>
    Link: https://github.com/ClangBuiltLinux/linux/issues/1782
    Signed-off-by: Ard Biesheuvel <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Catalin Marinas <[email protected]>
Date:   Thu Dec 22 18:12:50 2022 +0000

    elfcore: Add a cprm parameter to elf_core_extra_{phdrs,data_size}
    
    commit 19e183b54528f11fafeca60fc6d0821e29ff281e upstream.
    
    A subsequent fix for arm64 will use this parameter to parse the vma
    information from the snapshot created by dump_vma_snapshot() rather than
    traversing the vma list without the mmap_lock.
    
    Fixes: 6dd8b1a0b6cb ("arm64: mte: Dump the MTE tags in the core file")
    Cc: <[email protected]> # 5.18.x
    Signed-off-by: Catalin Marinas <[email protected]>
    Reported-by: Seth Jenkins <[email protected]>
    Suggested-by: Seth Jenkins <[email protected]>
    Cc: Will Deacon <[email protected]>
    Cc: Eric Biederman <[email protected]>
    Cc: Kees Cook <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Will Deacon <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Marc Zyngier <[email protected]>
Date:   Thu Jan 5 09:08:34 2023 +0000

    firmware/psci: Don't register with debugfs if PSCI isn't available
    
    commit cef139299fd86098c6e3dbd389d1d0b2462d7710 upstream.
    
    Contrary to popular belief, PSCI is not a universal property of an
    ARM/arm64 system. There is a garden variety of systems out there
    that don't (or even cannot) implement it.
    
    I'm the first one deplore such a situation, but hey...
    
    On such systems, a "cat /sys/kernel/debug/psci" results in
    fireworks, as no invocation callback is registered.
    
    Check for the invoke_psci_fn and psci_ops.get_version pointers
    before registering with the debugfs subsystem, avoiding the
    issue altogether.
    
    Fixes: 3137f2e60098 ("firmware/psci: Add debugfs support to ease debugging")
    Reported-by: Hector Martin <[email protected]>
    Signed-off-by: Marc Zyngier <[email protected]>
    Cc: Dmitry Baryshkov <[email protected]>
    Cc: Mark Brown <[email protected]>
    Cc: Ulf Hansson <[email protected]>
    Cc: Arnd Bergmann <[email protected]>
    Cc: Mark Rutland <[email protected]>
    Cc: Lorenzo Pieralisi <[email protected]>
    Reviewed-by: Hector Martin <[email protected]>
    Acked-by: Dmitry Baryshkov <[email protected]>
    Acked-by: Mark Rutland <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Will Deacon <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Will Deacon <[email protected]>
Date:   Fri Nov 25 10:18:26 2022 +0000

    firmware/psci: Fix MEM_PROTECT_RANGE function numbers
    
    commit f3dc61cde80d48751999c4cb46daf3b2185e6895 upstream.
    
    PSCI v1.1 offers 32-bit and 64-bit variants of the MEM_PROTECT_RANGE
    call using function identifier 20.
    
    Fix the incorrect definitions of the MEM_PROTECT_CHECK_RANGE calls in
    the PSCI UAPI header.
    
    Cc: Dmitry Baryshkov <[email protected]>
    Cc: Lorenzo Pieralisi <[email protected]>
    Cc: Arnd Bergmann <[email protected]>
    Fixes: 3137f2e60098 ("firmware/psci: Add debugfs support to ease debugging")
    Acked-by: Marc Zyngier <[email protected]>
    Acked-by: Mark Rutland <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Will Deacon <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Richard Gobert <[email protected]>
Date:   Tue Nov 8 13:33:28 2022 +0100

    gro: avoid checking for a failed search
    
    [ Upstream commit e081ecf084d31809242fb0b9f35484d5fb3a161a ]
    
    After searching for a protocol handler in dev_gro_receive, checking for
    failure is redundant. Skip the failure code after finding the
    corresponding handler.
    
    Suggested-by: Eric Dumazet <[email protected]>
    Signed-off-by: Richard Gobert <[email protected]>
    Reviewed-by: Eric Dumazet <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Paolo Abeni <[email protected]>
    Stable-dep-of: 7871f54e3dee ("gro: take care of DODGY packets")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Eric Dumazet <[email protected]>
Date:   Fri Jan 6 14:25:23 2023 +0000

    gro: take care of DODGY packets
    
    [ Upstream commit 7871f54e3deed68a27111dda162c4fe9b9c65f8f ]
    
    Jaroslav reported a recent throughput regression with virtio_net
    caused by blamed commit.
    
    It is unclear if DODGY GSO packets coming from user space
    can be accepted by GRO engine in the future with minimal
    changes, and if there is any expected gain from it.
    
    In the meantime, make sure to detect and flush DODGY packets.
    
    Fixes: 5eddb24901ee ("gro: add support of (hw)gro packets to gro stack")
    Signed-off-by: Eric Dumazet <[email protected]>
    Reported-and-bisected-by: Jaroslav Pulchart <[email protected]>
    Cc: Coco Li <[email protected]>
    Cc: Paolo Abeni <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Roger Pau Monne <[email protected]>
Date:   Wed Nov 30 17:36:02 2022 +0100

    hvc/xen: lock console list traversal
    
    [ Upstream commit c0dccad87cf68fc6012aec7567e354353097ec1a ]
    
    The currently lockless access to the xen console list in
    vtermno_to_xencons() is incorrect, as additions and removals from the
    list can happen anytime, and as such the traversal of the list to get
    the private console data for a given termno needs to happen with the
    lock held.  Note users that modify the list already do so with the
    lock taken.
    
    Adjust current lock takers to use the _irq{save,restore} helpers,
    since the context in which vtermno_to_xencons() is called can have
    interrupts disabled.  Use the _irq{save,restore} set of helpers to
    switch the current callers to disable interrupts in the locked region.
    I haven't checked if existing users could instead use the _irq
    variant, as I think it's safer to use _irq{save,restore} upfront.
    
    While there switch from using list_for_each_entry_safe to
    list_for_each_entry: the current entry cursor won't be removed as
    part of the code in the loop body, so using the _safe variant is
    pointless.
    
    Fixes: 02e19f9c7cac ('hvc_xen: implement multiconsole support')
    Signed-off-by: Roger Pau Monnц╘ <[email protected]>
    Reviewed-by: Stefano Stabellini <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Juergen Gross <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Daniil Tatianin <[email protected]>
Date:   Tue Dec 20 09:32:46 2022 +0300

    iavf/iavf_main: actually log ->src mask when talking about it
    
    commit 6650c8e906ce58404bfdfceceeba7bd10d397d40 upstream.
    
    This fixes a copy-paste issue where dev_err would log the dst mask even
    though it is clearly talking about src.
    
    Found by Linux Verification Center (linuxtesting.org) with the SVACE
    static analysis tool.
    
    Fixes: 0075fa0fadd0 ("i40evf: Add support to apply cloud filters")
    Signed-off-by: Daniil Tatianin <[email protected]>
    Reviewed-by: Michal Swiatkowski <[email protected]>
    Signed-off-by: Tony Nguyen <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Jiasheng Jiang <[email protected]>
Date:   Thu Dec 8 21:35:52 2022 +0800

    ice: Add check for kzalloc
    
    [ Upstream commit 40543b3d9d2c13227ecd3aa90a713c201d1d7f09 ]
    
    Add the check for the return value of kzalloc in order to avoid
    NULL pointer dereference.
    Moreover, use the goto-label to share the clean code.
    
    Fixes: d6b98c8d242a ("ice: add write functionality for GNSS TTY")
    Signed-off-by: Jiasheng Jiang <[email protected]>
    Reviewed-by: Jiri Pirko <[email protected]>
    Tested-by: Gurucharan G <[email protected]> (A Contingent worker at Intel)
    Signed-off-by: Tony Nguyen <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Yuan Can <[email protected]>
Date:   Wed Dec 7 08:55:02 2022 +0000

    ice: Fix potential memory leak in ice_gnss_tty_write()
    
    [ Upstream commit f58985620f55580a07d40062c4115d8c9cf6ae27 ]
    
    The ice_gnss_tty_write() return directly if the write_buf alloc failed,
    leaking the cmd_buf.
    
    Fix by free cmd_buf if write_buf alloc failed.
    
    Fixes: d6b98c8d242a ("ice: add write functionality for GNSS TTY")
    Signed-off-by: Yuan Can <[email protected]>
    Reviewed-by: Leon Romanovsky <[email protected]>
    Tested-by: Gurucharan G <[email protected]> (A Contingent worker at Intel)
    Signed-off-by: Tony Nguyen <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Christopher S Hall <[email protected]>
Date:   Wed Dec 14 16:10:38 2022 +0800

    igc: Fix PPS delta between two synchronized end-points
    
    [ Upstream commit 5e91c72e560cc85f7163bbe3d14197268de31383 ]
    
    This patch fix the pulse per second output delta between
    two synchronized end-points.
    
    Based on Intel Discrete I225 Software User Manual Section
    4.2.15 TimeSync Auxiliary Control Register, ST0[Bit 4] and
    ST1[Bit 7] must be set to ensure that clock output will be
    toggles based on frequency value defined. This is to ensure
    that output of the PPS is aligned with the clock.
    
    How to test:
    
    1) Running time synchronization on both end points.
    Ex: ptp4l --step_threshold=1 -m -f gPTP.cfg -i <interface name>
    
    2) Configure PPS output using below command for both end-points
    Ex: SDP0 on I225 REV4 SKU variant
    
    ./testptp -d /dev/ptp0 -L 0,2
    ./testptp -d /dev/ptp0 -p 1000000000
    
    3) Measure the output using analyzer for both end-points
    
    Fixes: 87938851b6ef ("igc: enable auxiliary PHC functions for the i225")
    Signed-off-by: Christopher S Hall <[email protected]>
    Signed-off-by: Muhammad Husaini Zulkifli <[email protected]>
    Acked-by: Sasha Neftin <[email protected]>
    Tested-by: Naama Meir <[email protected]>
    Signed-off-by: Tony Nguyen <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Jens Axboe <[email protected]>
Date:   Tue Jan 10 10:24:52 2023 -0700

    io_uring/fdinfo: include locked hash table in fdinfo output
    
    commit ea97cbebaf861d99c3e892275147e6fca6d2c1ca upstream.
    
    A previous commit split the hash table for polled requests into two
    parts, but didn't get the fdinfo output updated. This means that it's
    less useful for debugging, as we may think a given request is not pending
    poll.
    
    Fix this up by dumping the locked hash table contents too.
    
    Fixes: 9ca9fb24d5fe ("io_uring: mutex locked poll hashing")
    Signed-off-by: Jens Axboe <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Jens Axboe <[email protected]>
Date:   Mon Jan 2 16:49:46 2023 -0700

    io_uring/io-wq: free worker if task_work creation is canceled
    
    commit af82425c6a2d2f347c79b63ce74fca6dc6be157f upstream.
    
    If we cancel the task_work, the worker will never come into existance.
    As this is the last reference to it, ensure that we get it freed
    appropriately.
    
    Cc: [email protected]
    Reported-by: Л╖└М≤╦ <[email protected]>
    Signed-off-by: Jens Axboe <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Jens Axboe <[email protected]>
Date:   Sun Jan 8 10:39:17 2023 -0700

    io_uring/io-wq: only free worker if it was allocated for creation
    
    commit e6db6f9398dadcbc06318a133d4c44a2d3844e61 upstream.
    
    We have two types of task_work based creation, one is using an existing
    worker to setup a new one (eg when going to sleep and we have no free
    workers), and the other is allocating a new worker. Only the latter
    should be freed when we cancel task_work creation for a new worker.
    
    Fixes: af82425c6a2d ("io_uring/io-wq: free worker if task_work creation is canceled")
    Reported-by: [email protected]
    Signed-off-by: Jens Axboe <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Jens Axboe <[email protected]>
Date:   Mon Jan 9 14:46:10 2023 -0700

    io_uring/poll: add hash if ready poll request can't complete inline
    
    commit febb985c06cb6f5fac63598c0bffd4fd823d110d upstream.
    
    If we don't, then we may lose access to it completely, leading to a
    request leak. This will eventually stall the ring exit process as
    well.
    
    Cc: [email protected]
    Fixes: 49f1c68e048f ("io_uring: optimise submission side poll_refs")
    Reported-and-tested-by: [email protected]
    Link: https://lore.kernel.org/io-uring/[email protected]/
    Suggested-by: Pavel Begunkov <[email protected]>
    Signed-off-by: Jens Axboe <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Jens Axboe <[email protected]>
Date:   Sat Jan 14 08:46:14 2023 -0700

    io_uring/poll: attempt request issue after racy poll wakeup
    
    commit 6e5aedb9324aab1c14a23fae3d8eeb64a679c20e upstream.
    
    If we have multiple requests waiting on the same target poll waitqueue,
    then it's quite possible to get a request triggered and get disappointed
    in not being able to make any progress with it. If we race in doing so,
    we'll potentially leave the poll request on the internal tables, but
    removed from the waitqueue. That means that any subsequent trigger of
    the poll waitqueue will not kick that request into action, causing an
    application to potentially wait for completion of a request that will
    never happen.
    
    Fix this by adding a new poll return state, IOU_POLL_REISSUE. Rather
    than have complicated logic for how to re-arm a given type of request,
    just punt it for a reissue.
    
    While in there, move the 'ret' variable to the only section where it
    gets used. This avoids confusion the scope of it.
    
    Cc: [email protected]
    Fixes: eb0089d629ba ("io_uring: single shot poll removal optimisation")
    Signed-off-by: Jens Axboe <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Pavel Begunkov <[email protected]>
Date:   Sat Jan 14 08:41:33 2023 -0700

    io_uring: lock overflowing for IOPOLL
    
    commit 544d163d659d45a206d8929370d5a2984e546cb7 upstream.
    
    syzbot reports an issue with overflow filling for IOPOLL:
    
    WARNING: CPU: 0 PID: 28 at io_uring/io_uring.c:734 io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734
    CPU: 0 PID: 28 Comm: kworker/u4:1 Not tainted 6.2.0-rc3-syzkaller-16369-g358a161a6a9e #0
    Workqueue: events_unbound io_ring_exit_work
    Call trace:
    б═io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734
    б═io_req_cqe_overflow+0x5c/0x70 io_uring/io_uring.c:773
    б═io_fill_cqe_req io_uring/io_uring.h:168 [inline]
    б═io_do_iopoll+0x474/0x62c io_uring/rw.c:1065
    б═io_iopoll_try_reap_events+0x6c/0x108 io_uring/io_uring.c:1513
    б═io_uring_try_cancel_requests+0x13c/0x258 io_uring/io_uring.c:3056
    б═io_ring_exit_work+0xec/0x390 io_uring/io_uring.c:2869
    б═process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
    б═worker_thread+0x340/0x610 kernel/workqueue.c:2436
    б═kthread+0x12c/0x158 kernel/kthread.c:376
    б═ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:863
    
    There is no real problem for normal IOPOLL as flush is also called with
    uring_lock taken, but it's getting more complicated for IOPOLL|SQPOLL,
    for which __io_cqring_overflow_flush() happens from the CQ waiting path.
    
    Reported-and-tested-by: [email protected]
    Cc: [email protected] # 5.10+
    Signed-off-by: Pavel Begunkov <[email protected]>
    Signed-off-by: Jens Axboe <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Vladimir Oltean <[email protected]>
Date:   Thu Dec 15 16:12:51 2022 +0200

    iommu/arm-smmu-v3: Don't unregister on shutdown
    
    commit 32ea2c57dc216b6ad8125fa680d31daa5d421c95 upstream.
    
    Similar to SMMUv2, this driver calls iommu_device_unregister() from the
    shutdown path, which removes the IOMMU groups with no coordination
    whatsoever with their users - shutdown methods are optional in device
    drivers. This can lead to NULL pointer dereferences in those drivers'
    DMA API calls, or worse.
    
    Instead of calling the full arm_smmu_device_remove() from
    arm_smmu_device_shutdown(), let's pick only the relevant function call -
    arm_smmu_device_disable() - more or less the reverse of
    arm_smmu_device_reset() - and call just that from the shutdown path.
    
    Fixes: 57365a04c921 ("iommu: Move bus setup to IOMMU device registration")
    Suggested-by: Robin Murphy <[email protected]>
    Signed-off-by: Vladimir Oltean <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Will Deacon <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Vladimir Oltean <[email protected]>
Date:   Thu Dec 15 16:12:50 2022 +0200

    iommu/arm-smmu: Don't unregister on shutdown
    
    commit ce31e6ca68bd7639bd3e5ef97be215031842bbab upstream.
    
    Michael Walle says he noticed the following stack trace while performing
    a shutdown with "reboot -f". He suggests he got "lucky" and just hit the
    correct spot for the reboot while there was a packet transmission in
    flight.
    
    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098
    CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930
    Hardware name: Kontron KBox A-230-LS (DT)
    pc : iommu_get_dma_domain+0x14/0x20
    lr : iommu_dma_map_page+0x9c/0x254
    Call trace:
     iommu_get_dma_domain+0x14/0x20
     dma_map_page_attrs+0x1ec/0x250
     enetc_start_xmit+0x14c/0x10b0
     enetc_xmit+0x60/0xdc
     dev_hard_start_xmit+0xb8/0x210
     sch_direct_xmit+0x11c/0x420
     __dev_queue_xmit+0x354/0xb20
     ip6_finish_output2+0x280/0x5b0
     __ip6_finish_output+0x15c/0x270
     ip6_output+0x78/0x15c
     NF_HOOK.constprop.0+0x50/0xd0
     mld_sendpack+0x1bc/0x320
     mld_ifc_work+0x1d8/0x4dc
     process_one_work+0x1e8/0x460
     worker_thread+0x178/0x534
     kthread+0xe0/0xe4
     ret_from_fork+0x10/0x20
    Code: d503201f f9416800 d503233f d50323bf (f9404c00)
    ---[ end trace 0000000000000000 ]---
    Kernel panic - not syncing: Oops: Fatal exception in interrupt
    
    This appears to be reproducible when the board has a fixed IP address,
    is ping flooded from another host, and "reboot -f" is used.
    
    The following is one more manifestation of the issue:
    
    $ reboot -f
    kvm: exiting hardware virtualization
    cfg80211: failed to load regulatory.db
    arm-smmu 5000000.iommu: disabling translation
    sdhci-esdhc 2140000.mmc: Removing from iommu group 11
    sdhci-esdhc 2150000.mmc: Removing from iommu group 12
    fsl-edma 22c0000.dma-controller: Removing from iommu group 17
    dwc3 3100000.usb: Removing from iommu group 9
    dwc3 3110000.usb: Removing from iommu group 10
    ahci-qoriq 3200000.sata: Removing from iommu group 2
    fsl-qdma 8380000.dma-controller: Removing from iommu group 20
    platform f080000.display: Removing from iommu group 0
    etnaviv-gpu f0c0000.gpu: Removing from iommu group 1
    etnaviv etnaviv: Removing from iommu group 1
    caam_jr 8010000.jr: Removing from iommu group 13
    caam_jr 8020000.jr: Removing from iommu group 14
    caam_jr 8030000.jr: Removing from iommu group 15
    caam_jr 8040000.jr: Removing from iommu group 16
    fsl_enetc 0000:00:00.0: Removing from iommu group 4
    arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
    arm-smmu 5000000.iommu:         GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000
    fsl_enetc 0000:00:00.1: Removing from iommu group 5
    arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
    arm-smmu 5000000.iommu:         GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000
    arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
    arm-smmu 5000000.iommu:         GFSR 0x80000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000
    fsl_enetc 0000:00:00.2: Removing from iommu group 6
    fsl_enetc_mdio 0000:00:00.3: Removing from iommu group 8
    mscc_felix 0000:00:00.5: Removing from iommu group 3
    fsl_enetc 0000:00:00.6: Removing from iommu group 7
    pcieport 0001:00:00.0: Removing from iommu group 18
    arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
    arm-smmu 5000000.iommu:         GFSR 0x00000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000
    pcieport 0002:00:00.0: Removing from iommu group 19
    Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8
    pc : iommu_get_dma_domain+0x14/0x20
    lr : iommu_dma_unmap_page+0x38/0xe0
    Call trace:
     iommu_get_dma_domain+0x14/0x20
     dma_unmap_page_attrs+0x38/0x1d0
     enetc_unmap_tx_buff.isra.0+0x6c/0x80
     enetc_poll+0x170/0x910
     __napi_poll+0x40/0x1e0
     net_rx_action+0x164/0x37c
     __do_softirq+0x128/0x368
     run_ksoftirqd+0x68/0x90
     smpboot_thread_fn+0x14c/0x190
    Code: d503201f f9416800 d503233f d50323bf (f9405400)
    ---[ end trace 0000000000000000 ]---
    Kernel panic - not syncing: Oops: Fatal exception in interrupt
    ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---
    
    The problem seems to be that iommu_group_remove_device() is allowed to
    run with no coordination whatsoever with the shutdown procedure of the
    enetc PCI device. In fact, it almost seems as if it implies that the
    pci_driver :: shutdown() method is mandatory if DMA is used with an
    IOMMU, otherwise this is inevitable. That was never the case; shutdown
    methods are optional in device drivers.
    
    This is the call stack that leads to iommu_group_remove_device() during
    reboot:
    
    kernel_restart
    -> device_shutdown
       -> platform_shutdown
          -> arm_smmu_device_shutdown
             -> arm_smmu_device_remove
                -> iommu_device_unregister
                   -> bus_for_each_dev
                      -> remove_iommu_group
                         -> iommu_release_device
                            -> iommu_group_remove_device
    
    I don't know much about the arm_smmu driver, but
    arm_smmu_device_shutdown() invoking arm_smmu_device_remove() looks
    suspicious, since it causes the IOMMU device to unregister and that's
    where everything starts to unravel. It forces all other devices which
    depend on IOMMU groups to also point their ->shutdown() to ->remove(),
    which will make reboot slower overall.
    
    There are 2 moments relevant to this behavior. First was commit
    b06c076ea962 ("Revert "iommu/arm-smmu: Make arm-smmu explicitly
    non-modular"") when arm_smmu_device_shutdown() was made to run the exact
    same thing as arm_smmu_device_remove(). Prior to that, there was no
    iommu_device_unregister() call in arm_smmu_device_shutdown(). However,
    that was benign until commit 57365a04c921 ("iommu: Move bus setup to
    IOMMU device registration"), which made iommu_device_unregister() call
    remove_iommu_group().
    
    Restore the old shutdown behavior by making remove() call shutdown(),
    but shutdown() does not call the remove() specific bits.
    
    Fixes: 57365a04c921 ("iommu: Move bus setup to IOMMU device registration")
    Reported-by: Michael Walle <[email protected]>
    Tested-by: Michael Walle <[email protected]> # on kontron-sl28
    Signed-off-by: Vladimir Oltean <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Will Deacon <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Robin Murphy <[email protected]>
Date:   Thu Dec 15 16:51:55 2022 +0000

    iommu/arm-smmu: Report IOMMU_CAP_CACHE_COHERENCY even betterer
    
    commit ac9c5e92dd15b9927e7355ccf79df76a58b44344 upstream.
    
    Although it's vanishingly unlikely that anyone would integrate an SMMU
    within a coherent interconnect without also making the pagetable walk
    interface coherent, the same effect happens if a coherent SMMU fails to
    advertise CTTW correctly. This turns out to be the case on some popular
    NXP SoCs, where VFIO started failing the IOMMU_CAP_CACHE_COHERENCY test,
    even though IOMMU_CACHE *was* previously achieving the desired effect
    anyway thanks to the underlying integration.
    
    While those SoCs stand to gain some more general benefits from a
    firmware update to override CTTW correctly in DT/ACPI, it's also easy
    to work around this in Linux as well, to avoid imposing too much on
    affected users - since the upstream client devices *are* correctly
    marked as coherent, we can trivially infer their coherent paths through
    the SMMU as well.
    
    Reported-by: Vladimir Oltean <[email protected]>
    Fixes: df198b37e72c ("iommu/arm-smmu: Report IOMMU_CAP_CACHE_COHERENCY better")
    Signed-off-by: Robin Murphy <[email protected]>
    Tested-by: Vladimir Oltean <[email protected]>
    Link: https://lore.kernel.org/r/d6dc4[email protected]arm.com
    Signed-off-by: Will Deacon <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Yunfei Wang <[email protected]>
Date:   Wed Jan 11 14:38:00 2023 +0800

    iommu/iova: Fix alloc iova overflows issue
    
    commit dcdb3ba7e2a8caae7bfefd603bc22fd0ce9a389c upstream.
    
    In __alloc_and_insert_iova_range, there is an issue that retry_pfn
    overflows. The value of iovad->anchor.pfn_hi is ~0UL, then when
    iovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will
    overflow. As a result, if the retry logic is executed, low_pfn is
    updated to 0, and then new_pfn < low_pfn returns false to make the
    allocation successful.
    
    This issue occurs in the following two situations:
    1. The first iova size exceeds the domain size. When initializing
    iova domain, iovad->cached_node is assigned as iovad->anchor. For
    example, the iova domain size is 10M, start_pfn is 0x1_F000_0000,
    and the iova size allocated for the first time is 11M. The
    following is the log information, new->pfn_lo is smaller than
    iovad->cached_node.
    
    Example log as follows:
    [  223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range
    start_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00
    [  223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range
    success start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff
    
    2. The node with the largest iova->pfn_lo value in the iova domain
    is deleted, iovad->cached_node will be updated to iovad->anchor,
    and then the alloc iova size exceeds the maximum iova size that can
    be allocated in the domain.
    
    After judging that retry_pfn is less than limit_pfn, call retry_pfn+1
    to fix the overflow issue.
    
    Signed-off-by: jianjiao zeng <[email protected]>
    Signed-off-by: Yunfei Wang <[email protected]>
    Cc: <[email protected]> # 5.15.*
    Fixes: 4e89dce72521 ("iommu/iova: Retry from last rb tree node if iova search fails")
    Acked-by: Robin Murphy <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Joerg Roedel <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Christophe JAILLET <[email protected]>
Date:   Mon Dec 19 19:06:22 2022 +0100

    iommu/mediatek-v1: Fix an error handling path in mtk_iommu_v1_probe()
    
    commit 142e821f68cf5da79ce722cb9c1323afae30e185 upstream.
    
    A clk, prepared and enabled in mtk_iommu_v1_hw_init(), is not released in
    the error handling path of mtk_iommu_v1_probe().
    
    Add the corresponding clk_disable_unprepare(), as already done in the
    remove function.
    
    Fixes: b17336c55d89 ("iommu/mediatek: add support for mtk iommu generation one HW")
    Signed-off-by: Christophe JAILLET <[email protected]>
    Reviewed-by: Yong Wu <[email protected]>
    Reviewed-by: AngeloGioacchino Del Regno <[email protected]>
    Reviewed-by: Matthias Brugger <[email protected]>
    Link: https://lore.kernel.org/r/593e7b7d97c[email protected]wanadoo.fr
    Signed-off-by: Joerg Roedel <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Herbert Xu <[email protected]>
Date:   Tue Jan 10 08:59:06 2023 +0800

    ipv6: raw: Deduct extension header length in rawv6_push_pending_frames
    
    commit cb3e9864cdbe35ff6378966660edbcbac955fe17 upstream.
    
    The total cork length created by ip6_append_data includes extension
    headers, so we must exclude them when comparing them against the
    IPV6_CHECKSUM offset which does not include extension headers.
    
    Reported-by: Kyle Zeng <[email protected]>
    Fixes: 357b40a18b04 ("[IPV6]: IPV6_CHECKSUM socket option can corrupt kernel memory")
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Yang Yingliang <[email protected]>
Date:   Tue Nov 29 09:57:48 2022 +0800

    ixgbe: fix pci device refcount leak
    
    commit b93fb4405fcb5112c5739c5349afb52ec7f15c07 upstream.
    
    As the comment of pci_get_domain_bus_and_slot() says, it
    returns a PCI device with refcount incremented, when finish
    using it, the caller must decrement the reference count by
    calling pci_dev_put().
    
    In ixgbe_get_first_secondary_devfn() and ixgbe_x550em_a_has_mii(),
    pci_dev_put() is called to avoid leak.
    
    Fixes: 8fa10ef01260 ("ixgbe: register a mdiobus")
    Signed-off-by: Yang Yingliang <[email protected]>
    Tested-by: Gurucharan G <[email protected]> (A Contingent worker at Intel)
    Signed-off-by: Tony Nguyen <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Marc Zyngier <[email protected]>
Date:   Tue Dec 20 14:03:52 2022 +0000

    KVM: arm64: Fix S1PTW handling on RO memslots
    
    commit 406504c7b0405d74d74c15a667cd4c4620c3e7a9 upstream.
    
    A recent development on the EFI front has resulted in guests having
    their page tables baked in the firmware binary, and mapped into the
    IPA space as part of a read-only memslot. Not only is this legitimate,
    but it also results in added security, so thumbs up.
    
    It is possible to take an S1PTW translation fault if the S1 PTs are
    unmapped at stage-2. However, KVM unconditionally treats S1PTW as a
    write to correctly handle hardware AF/DB updates to the S1 PTs.
    Furthermore, KVM injects an exception into the guest for S1PTW writes.
    In the aforementioned case this results in the guest taking an abort
    it won't recover from, as the S1 PTs mapping the vectors suffer from
    the same problem.
    
    So clearly our handling is... wrong.
    
    Instead, switch to a two-pronged approach:
    
    - On S1PTW translation fault, handle the fault as a read
    
    - On S1PTW permission fault, handle the fault as a write
    
    This is of no consequence to SW that *writes* to its PTs (the write
    will trigger a non-S1PTW fault), and SW that uses RO PTs will not
    use HW-assisted AF/DB anyway, as that'd be wrong.
    
    Only in the case described in c4ad98e4b72c ("KVM: arm64: Assume write
    fault on S1PTW permission fault on instruction fetch") do we end-up
    with two back-to-back faults (page being evicted and faulted back).
    I don't think this is a case worth optimising for.
    
    Fixes: c4ad98e4b72c ("KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch")
    Reviewed-by: Oliver Upton <[email protected]>
    Reviewed-by: Ard Biesheuvel <[email protected]>
    Regression-tested-by: Ard Biesheuvel <[email protected]>
    Signed-off-by: Marc Zyngier <[email protected]>
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]g>

Author: Paolo Bonzini <[email protected]>
Date:   Sat Oct 22 04:17:53 2022 -0400

    KVM: x86: Do not return host topology information from KVM_GET_SUPPORTED_CPUID
    
    commit 45e966fcca03ecdcccac7cb236e16eea38cc18af upstream.
    
    Passing the host topology to the guest is almost certainly wrong
    and will confuse the scheduler.  In addition, several fields of
    these CPUID leaves vary on each processor; it is simply impossible to
    return the right values from KVM_GET_SUPPORTED_CPUID in such a way that
    they can be passed to KVM_SET_CPUID2.
    
    The values that will most likely prevent confusion are all zeroes.
    Userspace will have to override it anyway if it wishes to present a
    specific topology to the guest.
    
    Cc: [email protected]
    Signed-off-by: Paolo Bonzini <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Greg Kroah-Hartman <[email protected]>
Date:   Wed Jan 18 11:58:34 2023 +0100

    Linux 6.1.7
    
    Link: https://lore.kernel.org/r/[email protected]
    Tested-by: Salvatore Bonaccorso <[email protected]>
    Tested-by: Ronald Warsow <[email protected]>
    Tested-by: Conor Dooley <[email protected]>
    Tested-by: Shuah Khan <[email protected]>
    Tested-by: Justin M. Forbes <[email protected]>
    Tested-by: Takeshi Ogasawara <[email protected]>
    Tested-by: Rudi Heitbaum <[email protected]>
    Tested-by: Bagas Sanjaya <[email protected]>
    Tested-by: Ron Economos <[email protected]>
    Tested-by: Linux Kernel Functional Testing <[email protected]>
    Tested-by: Jon Hunter <[email protected]>
    Tested-by: Sudip Mukherjee <[email protected]>
    Tested-by: Allen Pais <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Tested-by: Allen Pais <[email protected]>
    Tested-by: Ronald Warsow <[email protected]>
    Tested-by: Ron Economos <[email protected]>
    Tested-by: Takeshi Ogasawara <[email protected]>
    Tested-by: Guenter Roeck <[email protected]>
    Tested-by: Kelsey Steele <[email protected]>
    Tested-by: Bagas Sanjaya <[email protected]>
    Tested-by: Fenil Jain <[email protected]>
    Tested-by: Linux Kernel Functional Testing <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Aaron Thompson <[email protected]>
Date:   Fri Jan 6 22:22:44 2023 +0000

    mm: Always release pages to the buddy allocator in memblock_free_late().
    
    commit 115d9d77bb0f9152c60b6e8646369fa7f6167593 upstream.
    
    If CONFIG_DEFERRED_STRUCT_PAGE_INIT is enabled, memblock_free_pages()
    only releases pages to the buddy allocator if they are not in the
    deferred range. This is correct for free pages (as defined by
    for_each_free_mem_pfn_range_in_zone()) because free pages in the
    deferred range will be initialized and released as part of the deferred
    init process. memblock_free_pages() is called by memblock_free_late(),
    which is used to free reserved ranges after memblock_free_all() has
    run. All pages in reserved ranges have been initialized at that point,
    and accordingly, those pages are not touched by the deferred init
    process. This means that currently, if the pages that
    memblock_free_late() intends to release are in the deferred range, they
    will never be released to the buddy allocator. They will forever be
    reserved.
    
    In addition, memblock_free_pages() calls kmsan_memblock_free_pages(),
    which is also correct for free pages but is not correct for reserved
    pages. KMSAN metadata for reserved pages is initialized by
    kmsan_init_shadow(), which runs shortly before memblock_free_all().
    
    For both of these reasons, memblock_free_pages() should only be called
    for free pages, and memblock_free_late() should call __free_pages_core()
    directly instead.
    
    One case where this issue can occur in the wild is EFI boot on
    x86_64. The x86 EFI code reserves all EFI boot services memory ranges
    via memblock_reserve() and frees them later via memblock_free_late()
    (efi_reserve_boot_services() and efi_free_boot_services(),
    respectively). If any of those ranges happens to fall within the
    deferred init range, the pages will not be released and that memory will
    be unavailable.
    
    For example, on an Amazon EC2 t3.micro VM (1 GB) booting via EFI:
    
    v6.2-rc2:
      # grep -E 'Node|spanned|present|managed' /proc/zoneinfo
      Node 0, zone      DMA
              spanned  4095
              present  3999
              managed  3840
      Node 0, zone    DMA32
              spanned  246652
              present  245868
              managed  178867
    
    v6.2-rc2 + patch:
      # grep -E 'Node|spanned|present|managed' /proc/zoneinfo
      Node 0, zone      DMA
              spanned  4095
              present  3999
              managed  3840
      Node 0, zone    DMA32
              spanned  246652
              present  245868
              managed  222816   # +43,949 pages
    
    Fixes: 3a80a7fa7989 ("mm: meminit: initialise a subset of struct pages if CONFIG_DEFERRED_STRUCT_PAGE_INIT is set")
    Signed-off-by: Aaron Thompson <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]west-2.amazonses.com
    Signed-off-by: Mike Rapoport (IBM) <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Arnd Bergmann <[email protected]>
Date:   Tue Dec 20 15:13:34 2022 +0100

    mtd: cfi: allow building spi-intel standalone
    
    [ Upstream commit d19ab1f785d0b6b9f709799f0938658903821ba1 ]
    
    When MTD or MTD_CFI_GEOMETRY is disabled, the spi-intel driver
    fails to build, as it includes the shared CFI header:
    
    include/linux/mtd/cfi.h:62:2: error: #warning No CONFIG_MTD_CFI_Ix selected. No NOR chip support can work. [-Werror=cpp]
       62 | #warning No CONFIG_MTD_CFI_Ix selected. No NOR chip support can work.
    
    linux/mtd/spi-nor.h does not actually need to include cfi.h, so
    remove the inclusion here to fix the warning. This uncovers a
    missing #include in spi-nor/core.c so add that there to
    prevent a different build issue.
    
    Fixes: e23e5a05d1fd ("mtd: spi-nor: intel-spi: Convert to SPI MEM")
    Signed-off-by: Arnd Bergmann <[email protected]>
    Reviewed-by: Mika Westerberg <[email protected]>
    Reviewed-by: Tokunori Ikegami <[email protected]>
    Acked-by: Pratyush Yadav <[email protected].org>
    Reviewed-by: Tudor Ambarus <[email protected]>
    Signed-off-by: Miquel Raynal <[email protected]>
    Link: https://lore.kernel.org/linux-mtd/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

Author: Mikhail Zhilkin <[email protected]>
Date:   Thu Dec 8 23:28:29 2022 +0300

    mtd: parsers: scpart: fix __udivdi3 undefined on mips
    
    [ Upstream commit 105c14b84d93168431abba5d55e6c26fa4b65abb ]
    
    This fixes the following compile error on mips architecture with clang
    version 16.0.0 reported by the 0-DAY CI Kernel Test Service:
       ld.lld: error: undefined symbol: __udivdi3
       referenced by scpart.c
       mtd/parsers/scpart.o:(scpart_parse) in archive drivers/built-in.a
    
    As a workaround this makes 'offs' a 32-bit type. This is enough, because
    the mtd containing partition table practically does not exceed 1 MB. We
    can revert this when the [Link] has been resolved.
    
    Link: https://github.com/ClangBuiltLinux/linux/issues/1635
    Fixes: 9b78ef0c7997 ("mtd: parsers: add support for Sercomm partitions")
    Reported-by: kernel test robot <[email protected]>
    Suggested-by: Arnd Bergmann <[email protected]>
    Signed-off-by: Mikhail Zhilkin <[email protected]>
    Signed-off-by: Miquel Raynal <[email protected]>
    Link: https://lore.kernel.org/linux-mtd/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

Author: Ariel Levkovich <[email protected]>
Date:   Tue Aug 16 23:19:11 2022 +0300

    net/mlx5: check attr pointer validity before dereferencing it
    
    [ Upstream commit e0bf81bf0d3d4747c146e0bf44774d3d881d7137 ]
    
    Fix attr pointer validity checks after it was already
    dereferenced.
    
    Fixes: cb0d54cbf948 ("net/mlx5e: Fix wrong source vport matching on tunnel rule")
    Signed-off-by: Ariel Levkovich <[email protected]>
    Reported-by: kernel test robot <[email protected]>
    Reported-by: Dan Carpenter <[email protected]>
    Signed-off-by: Saeed Mahameed <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Moshe Shemesh <[email protected]>
Date:   Mon Nov 28 19:05:47 2022 +0200

    net/mlx5: Fix command stats access after free
    
    [ Upstream commit da2e552b469a0cd130ff70a88ccc4139da428a65 ]
    
    Command may fail while driver is reloading and can't accept FW commands
    till command interface is reinitialized. Such command failure is being
    logged to command stats. This results in NULL pointer access as command
    stats structure is being freed and reallocated during mlx5 devlink
    reload (see kernel log below).
    
    Fix it by making command stats statically allocated on driver probe.
    
    Kernel log:
    [ 2394.808802] BUG: unable to handle kernel paging request at 000000000002a9c0
    [ 2394.810610] PGD 0 P4D 0
    [ 2394.811811] Oops: 0002 [#1] SMP NOPTI
    ...
    [ 2394.815482] RIP: 0010:native_queued_spin_lock_slowpath+0x183/0x1d0
    ...
    [ 2394.829505] Call Trace:
    [ 2394.830667]  _raw_spin_lock_irq+0x23/0x26
    [ 2394.831858]  cmd_status_err+0x55/0x110 [mlx5_core]
    [ 2394.833020]  mlx5_access_reg+0xe7/0x150 [mlx5_core]
    [ 2394.834175]  mlx5_query_port_ptys+0x78/0xa0 [mlx5_core]
    [ 2394.835337]  mlx5e_ethtool_get_link_ksettings+0x74/0x590 [mlx5_core]
    [ 2394.836454]  ? kmem_cache_alloc_trace+0x140/0x1c0
    [ 2394.837562]  __rh_call_get_link_ksettings+0x33/0x100
    [ 2394.838663]  ? __rtnl_unlock+0x25/0x50
    [ 2394.839755]  __ethtool_get_link_ksettings+0x72/0x150
    [ 2394.840862]  duplex_show+0x6e/0xc0
    [ 2394.841963]  dev_attr_show+0x1c/0x40
    [ 2394.843048]  sysfs_kf_seq_show+0x9b/0x100
    [ 2394.844123]  seq_read+0x153/0x410
    [ 2394.845187]  vfs_read+0x91/0x140
    [ 2394.846226]  ksys_read+0x4f/0xb0
    [ 2394.847234]  do_syscall_64+0x5b/0x1a0
    [ 2394.848228]  entry_SYSCALL_64_after_hwframe+0x65/0xca
    
    Fixes: 34f46ae0d4b3 ("net/mlx5: Add command failures data to debugfs")
    Signed-off-by: Moshe Shemesh <[email protected]>
    Reviewed-by: Shay Drory <[email protected]>
    Signed-off-by: Saeed Mahameed <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Rahul Rameshbabu <[email protected]>
Date:   Mon Dec 5 14:26:09 2022 -0800

    net/mlx5: Fix ptp max frequency adjustment range
    
    [ Upstream commit fe91d57277eef8bb4aca05acfa337b4a51d0bba4 ]
    
    .max_adj of ptp_clock_info acts as an absolute value for the amount in ppb
    that can be set for a single call of .adjfine. This means that a single
    call to .getfine cannot be greater than .max_adj or less than -(.max_adj).
    Provides correct value for max frequency adjustment value supported by
    devices.
    
    Fixes: 3d8c38af1493 ("net/mlx5e: Add PTP Hardware Clock (PHC) support")
    Signed-off-by: Rahul Rameshbabu <[email protected]>
    Reviewed-by: Gal Pressman <[email protected]>
    Reviewed-by: Tariq Toukan <[email protected]>
    Signed-off-by: Saeed Mahameed <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Gavin Li <[email protected]>
Date:   Tue Dec 27 04:54:09 2022 +0200

    net/mlx5e: Don't support encap rules with gbp option
    
    [ Upstream commit d515d63cae2cd186acf40deaa8ef33067bb7f637 ]
    
    Previously, encap rules with gbp option would be offloaded by mistake but
    driver does not support gbp option offload.
    
    To fix this issue, check if the encap rule has gbp option and don't
    offload the rule
    
    Fixes: d8f9dfae49ce ("net: sched: allow flower to match vxlan options")
    Signed-off-by: Gavin Li <[email protected]>
    Reviewed-by: Maor Dickman <[email protected]>
    Signed-off-by: Saeed Mahameed <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Emeel Hakim <[email protected]>
Date:   Sun Dec 11 13:22:23 2022 +0200

    net/mlx5e: Fix macsec possible null dereference when updating MAC security entity (SecY)
    
    [ Upstream commit 9828994ac492e8e7de47fe66097b7e665328f348 ]
    
    Upon updating MAC security entity (SecY) in hw offload path, the macsec
    security association (SA) initialization routine is called. In case of
    extended packet number (epn) is enabled the salt and ssci attributes are
    retrieved using the MACsec driver rx_sa context which is unavailable when
    updating a SecY property such as encoding-sa hence the null dereference.
    Fix by using the provided SA to set those attributes.
    
    Fixes: 4411a6c0abd3 ("net/mlx5e: Support MACsec offload extended packet number (EPN)")
    Signed-off-by: Emeel Hakim <[email protected]>
    Reviewed-by: Raed Salem <[email protected]>
    Signed-off-by: Saeed Mahameed <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Emeel Hakim <[email protected]>
Date:   Wed Dec 14 16:34:13 2022 +0200

    net/mlx5e: Fix macsec ssci attribute handling in offload path
    
    [ Upstream commit f5e1ed04aa2ea665a796f0109091ca3f2b01024a ]
    
    Currently when macsec offload is set with extended packet number (epn)
    enabled, the driver wrongly deduce the short secure channel identifier
    (ssci) from the salt instead of the stand alone ssci attribute as it
    should, consequently creating a mismatch between the kernel and driver's
    ssci values.
    Fix by using the ssci value from the relevant attribute.
    
    Fixes: 4411a6c0abd3 ("net/mlx5e: Support MACsec offload extended packet number (EPN)")
    Signed-off-by: Emeel Hakim <[email protected]>
    Reviewed-by: Raed Salem <[email protected]>
    Signed-off-by: Saeed Mahameed <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Dragos Tatulea <[email protected]>
Date:   Fri Nov 25 17:51:19 2022 +0200

    net/mlx5e: IPoIB, Block PKEY interfaces with less rx queues than parent
    
    [ Upstream commit 31c70bfe58ef09fe36327ddcced9143a16e9e83d ]
    
    A user is able to configure an arbitrary number of rx queues when
    creating an interface via netlink. This doesn't work for child PKEY
    interfaces because the child interface uses the parent receive channels.
    
    Although the child shares the parent's receive channels, the number of
    rx queues is important for the channel_stats array: the parent's rx
    channel index is used to access the child's channel_stats. So the array
    has to be at least as large as the parent's rx queue size for the
    counting to work correctly and to prevent out of bound accesses.
    
    This patch checks for the mentioned scenario and returns an error when
    trying to create the interface. The error is propagated to the user.
    
    Fixes: be98737a4faa ("net/mlx5e: Use dynamic per-channel allocations in stats")
    Signed-off-by: Dragos Tatulea <[email protected]>
    Reviewed-by: Tariq Toukan <[email protected]>
    Signed-off-by: Saeed Mahameed <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Dragos Tatulea <[email protected]>
Date:   Thu Dec 15 13:02:38 2022 +0200

    net/mlx5e: IPoIB, Block queue count configuration when sub interfaces are present
    
    [ Upstream commit 806a8df7126a8c05d60411eeb81057c2a8bbe7a7 ]
    
    PKEY sub interfaces share the receive queues with the parent interface.
    While setting the sub interface queue count is not supported, it is
    currently possible to change the number of queues of the parent interface.
    Thus we can end up with inconsistent queue sizes between the parent and its
    sub interfaces.
    
    This change disallows setting the queue count on the parent interface when
    sub interfaces are present.
    
    This is achieved by introducing an explicit reference to the parent netdev
    in the mlx5i_priv of the child interface. An additional counter is also
    required on the parent side to detect when sub interfaces are attached and
    for proper cleanup.
    
    The rtnl lock is taken during the ethtool op and the sub interface
    ndo_init/uninit ops. There is no race here around counting the sub
    interfaces, reading the sub interfaces and setting the number of
    channels. The ASSERT_RTNL was added to document that.
    
    Fixes: be98737a4faa ("net/mlx5e: Use dynamic per-channel allocations in stats")
    Signed-off-by: Dragos Tatulea <[email protected]>
    Reviewed-by: Tariq Toukan <[email protected]>
    Signed-off-by: Saeed Mahameed <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Dragos Tatulea <[email protected]>
Date:   Wed Nov 23 16:59:13 2022 +0200

    net/mlx5e: IPoIB, Fix child PKEY interface stats on rx path
    
    [ Upstream commit b5e23931c45a2f99f60a2f2b98a9e4d5a62a5b13 ]
    
    The current code always does the accounting using the
    stats from the parent interface (linked in the rq). This
    doesn't work when there are child interfaces configured.
    
    Fix this behavior by always using the stats from the child
    interface priv. This will also work for parent only
    interfaces: the child (netdev) and parent netdev (rq->netdev)
    will point to the same thing.
    
    Fixes: be98737a4faa ("net/mlx5e: Use dynamic per-channel allocations in stats")
    Signed-off-by: Dragos Tatulea <[email protected]>
    Reviewed-by: Tariq Toukan <[email protected]>
    Signed-off-by: Saeed Mahameed <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Ariel Levkovich <[email protected]>
Date:   Tue Aug 30 00:32:30 2022 +0300

    net/mlx5e: TC, Keep mod hdr actions after mod hdr alloc
    
    [ Upstream commit 5e72f3f1c558019082cfeedeed73748f35d780c6 ]
    
    When offloading TC NIC rule which has mod_hdr action, the
    mod_hdr actions list is freed upon mod_hdr allocation.
    
    In the new format of handling multi table actions and CT in
    particular, the mod_hdr actions list is still relevant when
    setting the pre and post rules and therefore, freeing the list
    may cause adding rules which don't set the FTE_ID.
    
    Therefore, the mod_hdr actions list needs to be kept for the
    pre/post flows as well and should be left for these handler to
    be freed.
    
    Fixes: 8300f225268b ("net/mlx5e: Create new flow attr for multi table actions")
    Signed-off-by: Ariel Levkovich <[email protected]>
    Signed-off-by: Saeed Mahameed <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Roy Novich <[email protected]>
Date:   Wed Jan 4 11:16:21 2023 +0200

    net/mlx5e: Verify dev is present for fix features ndo
    
    [ Upstream commit ab4b01bfdaa69492fb36484026b0a0f0af02d75a ]
    
    The native NIC port net device instance is being used as Uplink
    representor.  While changing profiles private resources are not
    available, fix features ndo does not check if the netdev is present.
    Add driver protection to verify private resources are ready.
    
    Fixes: 7a9fb35e8c3a ("net/mlx5e: Do not reload ethernet ports when changing eswitch mode")
    Signed-off-by: Roy Novich <[email protected]>
    Reviewed-by: Roi Dayan <[email protected]>
    Signed-off-by: Saeed Mahameed <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Ido Schimmel <[email protected]>
Date:   Sat Jan 7 19:10:04 2023 +0200

    net/sched: act_mpls: Fix warning during failed attribute validation
    
    [ Upstream commit 9e17f99220d111ea031b44153fdfe364b0024ff2 ]
    
    The 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a
    validation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid
    combination according to the comment above 'struct nla_policy':
    
    "
    Meaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:
       NLA_BINARY           Validation function called for the attribute.
       All other            Unused - but note that it's a union
    "
    
    This can trigger the warning [1] in nla_get_range_unsigned() when
    validation of the attribute fails. Despite being of 'NLA_U32' type, the
    associated 'min'/'max' fields in the policy are negative as they are
    aliased by the 'validate' field.
    
    Fix by changing the attribute type to 'NLA_BINARY' which is consistent
    with the above comment and all other users of NLA_POLICY_VALIDATE_FN().
    As a result, move the length validation to the validation function.
    
    No regressions in MPLS tests:
    
     # ./tdc.py -f tc-tests/actions/mpls.json
     [...]
     # echo $?
     0
    
    [1]
    WARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118
    nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
    Modules linked in:
    CPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
    rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
    RIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
    [...]
    Call Trace:
     <TASK>
     __netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310
     netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411
     netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]
     netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506
     netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546
     rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109
     netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
     netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345
     netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921
     sock_sendmsg_nosec net/socket.c:714 [inline]
     sock_sendmsg net/socket.c:734 [inline]
     ____sys_sendmsg+0x38f/0x500 net/socket.c:2482
     ___sys_sendmsg net/socket.c:2536 [inline]
     __sys_sendmsg+0x197/0x230 net/socket.c:2565
     __do_sys_sendmsg net/socket.c:2574 [inline]
     __se_sys_sendmsg net/socket.c:2572 [inline]
     __x64_sys_sendmsg+0x42/0x50 net/socket.c:2572
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    Link: https://lore.kernel.org/netdev/[email protected]om/
    Fixes: 2a2ea50870ba ("net: sched: add mpls manipulation actions to TC")
    Reported-by: Wei Chen <[email protected]>
    Tested-by: Wei Chen <[email protected]>
    Signed-off-by: Ido Schimmel <[email protected]>
    Reviewed-by: Alexander Duyck <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Jie Wang <[email protected]>
Date:   Tue Jan 10 19:53:59 2023 +0800

    net: hns3: fix wrong use of rss size during VF rss config
    
    [ Upstream commit ae9f29fdfd827ad06c1ae8155c042245a9d00757 ]
    
    Currently, it used old rss size to get current tc mode. As a result, the
    rss size is updated, but the tc mode is still configured based on the old
    rss size.
    
    So this patch fixes it by using the new rss size in both process.
    
    Fixes: 93969dc14fcd ("net: hns3: refactor VF rss init APIs with new common rss init APIs")
    Signed-off-by: Jie Wang <[email protected]>
    Signed-off-by: Hao Lan <[email protected]>
    Reviewed-by: Alexander Duyck <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Clц╘ment Lц╘ger <[email protected]>
Date:   Mon Jan 9 16:32:23 2023 +0100

    net: lan966x: check for ptp to be enabled in lan966x_ptp_deinit()
    
    [ Upstream commit b0e380b5d4275299adf43e249f18309331b6f54f ]
    
    If ptp was not enabled due to missing IRQ for instance,
    lan966x_ptp_deinit() will dereference NULL pointers.
    
    Fixes: d096459494a8 ("net: lan966x: Add support for ptp clocks")
    Signed-off-by: Clц╘ment Lц╘ger <[email protected]>
    Reviewed-by: Horatiu Vultur <[email protected]>
    Reviewed-by: Jiri Pirko <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Noor Azura Ahmad Tarmizi <[email protected]>
Date:   Wed Jan 11 13:02:00 2023 +0800

    net: stmmac: add aux timestamps fifo clearance wait
    
    commit ae9dcb91c6069e20b3b9505d79cbc89fd6e086f5 upstream.
    
    Add timeout polling wait for auxiliary timestamps snapshot FIFO clear bit
    (ATSFC) to clear. This is to ensure no residue fifo value is being read
    erroneously.
    
    Fixes: f4da56529da6 ("net: stmmac: Add support for external trigger timestamping")
    Cc: <[email protected]> # 5.10.x
    Signed-off-by: Noor Azura Ahmad Tarmizi <[email protected]>
    Link: https://lore.kernel.org/r/20230111050200.2130-1-noor.azura.ahm[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Gavrilov Ilia <[email protected]>
Date:   Wed Jan 11 11:57:39 2023 +0000

    netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.
    
    commit 9ea4b476cea1b7d461d16dda25ca3c7e616e2d15 upstream.
    
    When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of
    an arithmetic expression 2 << (netmask - mask_bits - 1) is subject
    to overflow due to a failure casting operands to a larger data type
    before performing the arithmetic.
    
    Note that it's harmless since the value will be checked at the next step.
    
    Found by InfoTeCS on behalf of Linux Verification Center
    (linuxtesting.org) with SVACE.
    
    Fixes: b9fed748185a ("netfilter: ipset: Check and reject crazy /0 input parameters")
    Signed-off-by: Ilia.Gavrilov <[email protected]>
    Reviewed-by: Simon Horman <[email protected]>
    Signed-off-by: Pablo Neira Ayuso <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Pablo Neira Ayuso <[email protected]>
Date:   Wed Jan 11 17:07:33 2023 +0100

    netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits
    
    commit 696e1a48b1a1b01edad542a1ef293665864a4dd0 upstream.
    
    If the offset + length goes over the ethernet + vlan header, then the
    length is adjusted to copy the bytes that are within the boundaries of
    the vlan_ethhdr scratchpad area. The remaining bytes beyond ethernet +
    vlan header are copied directly from the skbuff data area.
    
    Fix incorrect arithmetic operator: subtract, not add, the size of the
    vlan header in case of double-tagged packets to adjust the length
    accordingly to address CVE-2023-0179.
    
    Reported-by: Davide Ornaghi <[email protected]>
    Fixes: f6ae9f120dad ("netfilter: nft_payload: add C-VLAN support")
    Signed-off-by: Pablo Neira Ayuso <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Minsuk Kang <[email protected]>
Date:   Fri Jan 6 17:23:44 2023 +0900

    nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()
    
    [ Upstream commit 9dab880d675b9d0dd56c6428e4e8352a3339371d ]
    
    Fix a use-after-free that occurs in hcd when in_urb sent from
    pn533_usb_send_frame() is completed earlier than out_urb. Its callback
    frees the skb data in pn533_send_async_complete() that is used as a
    transfer buffer of out_urb. Wait before sending in_urb until the
    callback of out_urb is called. To modify the callback of out_urb alone,
    separate the complete function of out_urb and ack_urb.
    
    Found by a modified version of syzkaller.
    
    BUG: KASAN: use-after-free in dummy_timer
    Call Trace:
     memcpy (mm/kasan/shadow.c:65)
     dummy_perform_transfer (drivers/usb/gadget/udc/dummy_hcd.c:1352)
     transfer (drivers/usb/gadget/udc/dummy_hcd.c:1453)
     dummy_timer (drivers/usb/gadget/udc/dummy_hcd.c:1972)
     arch_static_branch (arch/x86/include/asm/jump_label.h:27)
     static_key_false (include/linux/jump_label.h:207)
     timer_expire_exit (include/trace/events/timer.h:127)
     call_timer_fn (kernel/time/timer.c:1475)
     expire_timers (kernel/time/timer.c:1519)
     __run_timers (kernel/time/timer.c:1790)
     run_timer_softirq (kernel/time/timer.c:1803)
    
    Fixes: c46ee38620a2 ("NFC: pn533: add NXP pn533 nfc device driver")
    Signed-off-by: Minsuk Kang <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Chuck Lever <[email protected]>
Date:   Thu Nov 3 16:22:48 2022 -0400

    NFSD: Add an nfsd_file_fsync tracepoint
    
    [ Upstream commit d7064eaf688cfe454c50db9f59298463d80d403c ]
    
    Add a tracepoint to capture the number of filecache-triggered fsync
    calls and which files needed it. Also, record when an fsync triggers
    a write verifier reset.
    
    Examples:
    
    <...>-97    [007]   262.505611: nfsd_file_free:       inode=0xffff888171e08140 ref=0 flags=GC may=WRITE nf_file=0xffff8881373d2400
    <...>-97    [007]   262.505612: nfsd_file_fsync:      inode=0xffff888171e08140 ref=0 flags=GC may=WRITE nf_file=0xffff8881373d2400 ret=0
    <...>-97    [007]   262.505623: nfsd_file_free:       inode=0xffff888171e08dc0 ref=0 flags=GC may=WRITE nf_file=0xffff8881373d1e00
    <...>-97    [007]   262.505624: nfsd_file_fsync:      inode=0xffff888171e08dc0 ref=0 flags=GC may=WRITE nf_file=0xffff8881373d1e00 ret=0
    
    Signed-off-by: Chuck Lever <[email protected]>
    Reviewed-by: Jeff Layton <[email protected]>
    Stable-dep-of: 0b3a551fa58b ("nfsd: fix handling of cached open files in nfsd4_open codepath")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Chuck Lever <[email protected]>
Date:   Fri Oct 28 10:46:51 2022 -0400

    NFSD: Add an NFSD_FILE_GC flag to enable nfsd_file garbage collection
    
    [ Upstream commit 4d1ea8455716ca070e3cd85767e6f6a562a58b1b ]
    
    NFSv4 operations manage the lifetime of nfsd_file items they use by
    means of NFSv4 OPEN and CLOSE. Hence there's no need for them to be
    garbage collected.
    
    Introduce a mechanism to enable garbage collection for nfsd_file
    items used only by NFSv2/3 callers.
    
    Note that the change in nfsd_file_put() ensures that both CLOSE and
    DELEGRETURN will actually close out and free an nfsd_file on last
    reference of a non-garbage-collected file.
    
    Link: https://bugzilla.linux-nfs.org/show_bug.cgi?id=394
    Suggested-by: Trond Myklebust <[email protected]>
    Signed-off-by: Chuck Lever <[email protected]>
    Tested-by: Jeff Layton <[email protected]>
    Reviewed-by: NeilBrown <[email protected]>
    Reviewed-by: Jeff Layton <[email protected]>
    Stable-dep-of: 0b3a551fa58b ("nfsd: fix handling of cached open files in nfsd4_open codepath")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Jeff Layton <[email protected]>
Date:   Thu Jan 5 14:55:56 2023 -0500

    nfsd: fix handling of cached open files in nfsd4_open codepath
    
    [ Upstream commit 0b3a551fa58b4da941efeb209b3770868e2eddd7 ]
    
    Commit fb70bf124b05 ("NFSD: Instantiate a struct file when creating a
    regular NFSv4 file") added the ability to cache an open fd over a
    compound. There are a couple of problems with the way this currently
    works:
    
    It's racy, as a newly-created nfsd_file can end up with its PENDING bit
    cleared while the nf is hashed, and the nf_file pointer is still zeroed
    out. Other tasks can find it in this state and they expect to see a
    valid nf_file, and can oops if nf_file is NULL.
    
    Also, there is no guarantee that we'll end up creating a new nfsd_file
    if one is already in the hash. If an extant entry is in the hash with a
    valid nf_file, nfs4_get_vfs_file will clobber its nf_file pointer with
    the value of op_file and the old nf_file will leak.
    
    Fix both issues by making a new nfsd_file_acquirei_opened variant that
    takes an optional file pointer. If one is present when this is called,
    we'll take a new reference to it instead of trying to open the file. If
    the nfsd_file already has a valid nf_file, we'll just ignore the
    optional file and pass the nfsd_file back as-is.
    
    Also rework the tracepoints a bit to allow for an "opened" variant and
    don't try to avoid counting acquisitions in the case where we already
    have a cached open file.
    
    Fixes: fb70bf124b05 ("NFSD: Instantiate a struct file when creating a regular NFSv4 file")
    Cc: Trond Myklebust <[email protected]>
    Reported-by: Stanislav Saner <[email protected]>
    Reported-and-Tested-by: Ruben Vestergaard <[email protected]>
    Reported-and-Tested-by: Torkil Svensgaard <[email protected]>
    Signed-off-by: Jeff Layton <[email protected]>
    Signed-off-by: Chuck Lever <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Chuck Lever <[email protected]>
Date:   Fri Oct 28 10:46:38 2022 -0400

    NFSD: Pass the target nfsd_file to nfsd_commit()
    
    [ Upstream commit c252849082ff525af18b4f253b3c9ece94e951ed ]
    
    In a moment I'm going to introduce separate nfsd_file types, one of
    which is garbage-collected; the other, not. The garbage-collected
    variety is to be used by NFSv2 and v3, and the non-garbage-collected
    variety is to be used by NFSv4.
    
    nfsd_commit() is invoked by both NFSv3 and NFSv4 consumers. We want
    nfsd_commit() to find and use the correct variety of cached
    nfsd_file object for the NFS version that is in use.
    
    Signed-off-by: Chuck Lever <[email protected]>
    Tested-by: Jeff Layton <[email protected]>
    Reviewed-by: Jeff Layton <[email protected]>
    Reviewed-by: NeilBrown <[email protected]>
    Stable-dep-of: 0b3a551fa58b ("nfsd: fix handling of cached open files in nfsd4_open codepath")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Jeff Layton <[email protected]>
Date:   Wed Nov 2 14:44:47 2022 -0400

    nfsd: remove the pages_flushed statistic from filecache
    
    [ Upstream commit 1f696e230ea5198e393368b319eb55651828d687 ]
    
    We're counting mapping->nrpages, but not all of those are necessarily
    dirty. We don't really have a simple way to count just the dirty pages,
    so just remove this stat since it's not accurate.
    
    Signed-off-by: Jeff Layton <[email protected]>
    Signed-off-by: Chuck Lever <[email protected]>
    Stable-dep-of: 0b3a551fa58b ("nfsd: fix handling of cached open files in nfsd4_open codepath")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Jeff Layton <[email protected]>
Date:   Wed Nov 2 14:44:48 2022 -0400

    nfsd: reorganize filecache.c
    
    [ Upstream commit 8214118589881b2d390284410c5ff275e7a5e03c ]
    
    In a coming patch, we're going to rework how the filecache refcounting
    works. Move some code around in the function to reduce the churn in the
    later patches, and rename some of the functions with (hopefully) clearer
    names: nfsd_file_flush becomes nfsd_file_fsync, and
    nfsd_file_unhash_and_dispose is renamed to nfsd_file_unhash_and_queue.
    
    Also, the nfsd_file_put_final tracepoint is renamed to nfsd_file_free,
    to better match the name of the function from which it's called.
    
    Signed-off-by: Jeff Layton <[email protected]>
    Reviewed-by: NeilBrown <[email protected]>
    Signed-off-by: Chuck Lever <[email protected]>
    Stable-dep-of: 0b3a551fa58b ("nfsd: fix handling of cached open files in nfsd4_open codepath")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Chuck Lever <[email protected]>
Date:   Fri Oct 28 10:46:44 2022 -0400

    NFSD: Revert "NFSD: NFSv4 CLOSE should release an nfsd_file immediately"
    
    [ Upstream commit dcf3f80965ca787c70def402cdf1553c93c75529 ]
    
    This reverts commit 5e138c4a750dc140d881dab4a8804b094bbc08d2.
    
    That commit attempted to make files available to other users as soon
    as all NFSv4 clients were done with them, rather than waiting until
    the filecache LRU had garbage collected them.
    
    It gets the reference counting wrong, for one thing.
    
    But it also misses that DELEGRETURN should release a file in the
    same fashion. In fact, any nfsd_file_put() on an file held open
    by an NFSv4 client needs potentially to release the file
    immediately...
    
    Clear the way for implementing that idea.
    
    Signed-off-by: Chuck Lever <chuck.le[email protected]>
    Reviewed-by: Jeff Layton <[email protected]>
    Reviewed-by: NeilBrown <[email protected]>
    Stable-dep-of: 0b3a551fa58b ("nfsd: fix handling of cached open files in nfsd4_open codepath")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Jeff Layton <[email protected]>
Date:   Sun Dec 11 06:19:33 2022 -0500

    nfsd: rework refcounting in filecache
    
    [ Upstream commit ac3a2585f018f10039b4a856dcb122da88c1c1c9 ]
    
    The filecache refcounting is a bit non-standard for something searchable
    by RCU, in that we maintain a sentinel reference while it's hashed. This
    in turn requires that we have to do things differently in the "put"
    depending on whether its hashed, which we believe to have led to races.
    
    There are other problems in here too. nfsd_file_close_inode_sync can end
    up freeing an nfsd_file while there are still outstanding references to
    it, and there are a number of subtle ToC/ToU races.
    
    Rework the code so that the refcount is what drives the lifecycle. When
    the refcount goes to zero, then unhash and rcu free the object. A task
    searching for a nfsd_file is allowed to bump its refcount, but only if
    it's not already 0. Ensure that we don't make any other changes to it
    until a reference is held.
    
    With this change, the LRU carries a reference. Take special care to deal
    with it when removing an entry from the list, and ensure that we only
    repurpose the nf_lru list_head when the refcount is 0 to ensure
    exclusive access to it.
    
    Signed-off-by: Jeff Layton <[email protected]>
    Signed-off-by: Chuck Lever <[email protected]>
    Stable-dep-of: 0b3a551fa58b ("nfsd: fix handling of cached open files in nfsd4_open codepath")
    Signed-off-by: Sasha Levin <[email protected]>

Author: Angela Czubak <[email protected]>
Date:   Thu Jan 5 21:31:07 2023 +0530

    octeontx2-af: Fix LMAC config in cgx_lmac_rx_tx_enable
    
    [ Upstream commit b4e9b8763e417db31c7088103cc557d55cb7a8f5 ]
    
    PF netdev can request AF to enable or disable reception and transmission
    on assigned CGX::LMAC. The current code instead of disabling or enabling
    'reception and transmission' also disables/enable the LMAC. This patch
    fixes this issue.
    
    Fixes: 1435f66a28b4 ("octeontx2-af: CGX Rx/Tx enable/disable mbox handlers")
    Signed-off-by: Angela Czubak <[email protected]>
    Signed-off-by: Hariprasad Kelam <[email protected]>
    Reviewed-by: Leon Romanovsky <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Hariprasad Kelam <[email protected]>
Date:   Mon Jan 9 11:43:25 2023 +0530

    octeontx2-pf: Fix resource leakage in VF driver unbind
    
    [ Upstream commit 53da7aec32982f5ee775b69dce06d63992ce4af3 ]
    
    resources allocated like mcam entries to support the Ntuple feature
    and hash tables for the tc feature are not getting freed in driver
    unbind. This patch fixes the issue.
    
    Fixes: 2da489432747 ("octeontx2-pf: devlink params support to set mcam entry count")
    Signed-off-by: Hariprasad Kelam <[email protected]>
    Signed-off-by: Sunil Kovvuri Goutham <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Adrian Hunter <[email protected]>
Date:   Tue Jan 10 20:56:59 2023 +0200

    perf auxtrace: Fix address filter duplicate symbol selection
    
    commit cf129830ee820f7fc90b98df193cd49d49344d09 upstream.
    
    When a match has been made to the nth duplicate symbol, return
    success not error.
    
    Example:
    
      Before:
    
        $ cat file.c
        cat: file.c: No such file or directory
        $ cat file1.c
        #include <stdio.h>
    
        static void func(void)
        {
                printf("First func\n");
        }
    
        void other(void);
    
        int main()
        {
                func();
                other();
                return 0;
        }
        $ cat file2.c
        #include <stdio.h>
    
        static void func(void)
        {
                printf("Second func\n");
        }
    
        void other(void)
        {
                func();
        }
    
        $ gcc -Wall -Wextra -o test file1.c file2.c
        $ perf record -e intel_pt//u --filter 'filter func @ ./test' -- ./test
        Multiple symbols with name 'func'
        #1      0x1149  l       func
                        which is near           main
        #2      0x1179  l       func
                        which is near           other
        Disambiguate symbol name by inserting #n after the name e.g. func #2
        Or select a global symbol by inserting #0 or #g or #G
        Failed to parse address filter: 'filter func @ ./test'
        Filter format is: filter|start|stop|tracestop <start symbol or address> [/ <end symbol or size>] [@<file name>]
        Where multiple filters are separated by space or comma.
        $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test
        Failed to parse address filter: 'filter func #2 @ ./test'
        Filter format is: filter|start|stop|tracestop <start symbol or address> [/ <end symbol or size>] [@<file name>]
        Where multiple filters are separated by space or comma.
    
      After:
    
        $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test
        First func
        Second func
        [ perf record: Woken up 1 times to write data ]
        [ perf record: Captured and wrote 0.016 MB perf.data ]
        $ perf script --itrace=b -Ftime,flags,ip,sym,addr --ns
        1231062.526977619:   tr strt                               0 [unknown] =>     558495708179 func
        1231062.526977619:   tr end  call               558495708188 func =>     558495708050 _init
        1231062.526979286:   tr strt                               0 [unknown] =>     55849570818d func
        1231062.526979286:   tr end  return             55849570818f func =>     55849570819d other
    
    Fixes: 1b36c03e356936d6 ("perf record: Add support for using symbols in address filters")
    Reported-by: Dmitrii Dolgov <[email protected]>
    Signed-off-by: Adrian Hunter <[email protected]>
    Tested-by: Dmitry Dolgov <[email protected]>
    Cc: Adrian Hunter <[email protected]>
    Cc: Ian Rogers <[email protected]>
    Cc: Jiri Olsa <[email protected]>
    Cc: Namhyung Kim <n[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Ian Rogers <[email protected]>
Date:   Fri Jan 6 07:13:19 2023 -0800

    perf build: Properly guard libbpf includes
    
    [ Upstream commit d891f2b724b39a2a41e3ad7b57110193993242ff ]
    
    Including libbpf header files should be guarded by HAVE_LIBBPF_SUPPORT.
    In bpf_counter.h, move the skeleton utilities under HAVE_BPF_SKEL.
    
    Fixes: d6a735ef3277c45f ("perf bpf_counter: Move common functions to bpf_counter.h")
    Reported-by: Mike Leach <[email protected]>
    Signed-off-by: Ian Rogers <[email protected]>
    Tested-by: Arnaldo Carvalho de Melo <[email protected]>
    Tested-by: Jiri Olsa <[email protected]>
    Tested-by: Mike Leach <[email protected]>
    Cc: Alexander Shishkin <[email protected]>
    Cc: Mark Rutland <[email protected]>
    Cc: Namhyung Kim <[email protected]>
    Cc: Peter Zijlstra <[email protected]>
    Link: http://lore.kernel.org/lkml/[email protected]
    Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Leo Yan <[email protected]>
Date:   Sun Jan 8 14:24:00 2023 +0800

    perf kmem: Support field "node" in evsel__process_alloc_event() coping with recent tracepoint restructuring
    
    [ Upstream commit dce088ab0d51ae3b14fb2bd608e9c649aadfe5dc ]
    
    Commit 11e9734bcb6a7361 ("mm/slab_common: unify NUMA and UMA version of
    tracepoints") adds the field "node" into the tracepoints 'kmalloc' and
    'kmem_cache_alloc', so this patch modifies the event process function to
    support the field "node".
    
    If field "node" is detected by checking function evsel__field(), it
    stats the cross allocation.
    
    When the "node" value is NUMA_NO_NODE (-1), it means the memory can be
    allocated from any memory node, in this case, we don't account it as a
    cross allocation.
    
    Fixes: 11e9734bcb6a7361 ("mm/slab_common: unify NUMA and UMA version of tracepoints")
    Reported-by: Ravi Bangoria <[email protected]>
    Reviewed-by: James Clark <[email protected]>
    Signed-off-by: Leo Yan <[email protected]>
    Cc: Alexander Shishkin <[email protected]>
    Cc: Hyeonggon Yoo <[email protected]>
    Cc: Ingo Molnar <[email protected]>
    Cc: Jiri Olsa <[email protected]>
    Cc: Mark Rutland <[email protected]>
    Cc: Namhyung Kim <[email protected]>
    Cc: Peter Zijlstra <[email protected]>
    Cc: Vlastimil Babka <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Leo Yan <[email protected]>
Date:   Sun Jan 8 14:23:59 2023 +0800

    perf kmem: Support legacy tracepoints
    
    [ Upstream commit b3719108ae60169eda5c941ca5e1be1faa371c57 ]
    
    Commit 11e9734bcb6a7361 ("mm/slab_common: unify NUMA and UMA version of
    tracepoints") removed tracepoints 'kmalloc_node' and
    'kmem_cache_alloc_node', we need to consider the tool should be backward
    compatible.
    
    If it detect the tracepoint "kmem:kmalloc_node", this patch enables the
    legacy tracepoints, otherwise, it will ignore them.
    
    Fixes: 11e9734bcb6a7361 ("mm/slab_common: unify NUMA and UMA version of tracepoints")
    Reported-by: Ravi Bangoria <[email protected]>
    Reviewed-by: James Clark <[email protected]>
    Signed-off-by: Leo Yan <[email protected]>
    Cc: Alexander Shishkin <[email protected]>
    Cc: Hyeonggon Yoo <[email protected]>
    Cc: Ingo Molnar <[email protected]>
    Cc: Jiri Olsa <[email protected]>
    Cc: Mark Rutland <[email protected]>
    Cc: Namhyung Kim <[email protected]>
    Cc: Peter Zijlstra <[email protected]>
    Cc: Vlastimil Babka <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Mario Limonciello <[email protected]>
Date:   Thu Oct 13 08:47:29 2022 -0500

    pinctrl: amd: Add dynamic debugging for active GPIOs
    
    commit 1d66e379731f79ae5039a869c0fde22a4f6a6a91 upstream.
    
    Some laptops have been reported to wake up from s2idle when plugging
    in the AC adapter or by closing the lid.  This is a surprising
    behavior that is further clarified by commit cb3e7d624c3ff ("PM:
    wakeup: Add extra debugging statement for multiple active IRQs").
    
    With that commit in place the following interaction can be seen
    when the lid is closed:
    
    [   28.946038] PM: suspend-to-idle
    [   28.946083] ACPI: EC: ACPI EC GPE status set
    [   28.946101] ACPI: PM: Rearming ACPI SCI for wakeup
    [   28.950152] Timekeeping suspended for 3.320 seconds
    [   28.950152] PM: Triggering wakeup from IRQ 9
    [   28.950152] ACPI: EC: ACPI EC GPE status set
    [   28.950152] ACPI: EC: ACPI EC GPE dispatched
    [   28.995057] ACPI: EC: ACPI EC work flushed
    [   28.995075] ACPI: PM: Rearming ACPI SCI for wakeup
    [   28.995131] PM: Triggering wakeup from IRQ 9
    [   28.995271] ACPI: EC: ACPI EC GPE status set
    [   28.995291] ACPI: EC: ACPI EC GPE dispatched
    [   29.098556] ACPI: EC: ACPI EC work flushed
    [   29.207020] ACPI: EC: ACPI EC work flushed
    [   29.207037] ACPI: PM: Rearming ACPI SCI for wakeup
    [   29.211095] Timekeeping suspended for 0.739 seconds
    [   29.211095] PM: Triggering wakeup from IRQ 9
    [   29.211079] PM: Triggering wakeup from IRQ 7
    [   29.211095] ACPI: PM: ACPI non-EC GPE wakeup
    [   29.211095] PM: resume from suspend-to-idle
    
    * IRQ9 on this laptop is used for the ACPI SCI.
    * IRQ7 on this laptop is used for the GPIO controller.
    
    What has occurred is when the lid was closed the EC woke up the
    SoC from it's deepest sleep state and the kernel's s2idle loop
    processed all EC events.  When it was finished processing EC events,
    it checked for any other reasons to wake (break the s2idle loop).
    
    The IRQ for the GPIO controller was active so the loop broke, and
    then this IRQ was processed.  This is not a kernel bug but it is
    certainly a surprising behavior, and to better debug it we should
    have a dynamic debugging message that we can enact to catch it.
    
    Acked-by: Basavaraj Natikar <[email protected]>
    Acked-by: Kai-Heng Feng <[email protected]>
    Acked-by: Mark Pearson <[email protected]>
    Signed-off-by: Mario Limonciello <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Linus Walleij <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Maximilian Luz <[email protected]>
Date:   Tue Dec 20 18:56:07 2022 +0100

    platform/surface: aggregator: Add missing call to ssam_request_sync_free()
    
    [ Upstream commit c965daac370f08a9b71d573a71d13cda76f2a884 ]
    
    Although rare, ssam_request_sync_init() can fail. In that case, the
    request should be freed via ssam_request_sync_free(). Currently it is
    leaked instead. Fix this.
    
    Fixes: c167b9c7e3d6 ("platform/surface: Add Surface Aggregator subsystem")
    Signed-off-by: Maximilian Luz <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Reviewed-by: Hans de Goede <[email protected]>
    Signed-off-by: Hans de Goede <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Maximilian Luz <[email protected]>
Date:   Fri Dec 2 23:33:19 2022 +0100

    platform/surface: aggregator: Ignore command messages not intended for us
    
    commit ae0fa0a3126a86c801c3220fcd8eefe03aa39f3e upstream.
    
    It is possible that we (the host/kernel driver) receive command messages
    that are not intended for us. Ignore those for now.
    
    The whole story is a bit more complicated: It is possible to enable
    debug output on SAM, which is sent via SSH command messages. By default
    this output is sent to a debug connector, with its own target ID
    (TID=0x03). It is possible to override the target of the debug output
    and set it to the host/kernel driver. This, however, does not change the
    original target ID of the message. Meaning, we receive messages with
    TID=0x03 (debug) but expect to only receive messages with TID=0x00
    (host).
    
    The problem is that the different target ID also comes with a different
    scope of request IDs. In particular, these do not follow the standard
    event rules (i.e. do not fall into a set of small reserved values).
    Therefore, current message handling interprets them as responses to
    pending requests and tries to match them up via the request ID. However,
    these debug output messages are not in fact responses, and therefore
    this will at best fail to find the request and at worst pass on the
    wrong data as response for a request.
    
    Therefore ignore any command messages not intended for us (host) for
    now. We can implement support for the debug messages once we have a
    better understanding of them.
    
    Note that this may also provide a bit more stability and avoid some
    driver confusion in case any other targets want to talk to us in the
    future, since we don't yet know what to do with those as well. A warning
    for the dropped messages should suffice for now and also give us a
    chance of discovering new targets if they come along without any
    potential for bugs/instabilities.
    
    Fixes: c167b9c7e3d6 ("platform/surface: Add Surface Aggregator subsystem")
    Signed-off-by: Maximilian Luz <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Reviewed-by: Hans de Goede <[email protected]>
    Signed-off-by: Hans de Goede <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Miaoqian Lin <[email protected]>
Date:   Thu Dec 29 11:25:33 2022 +0400

    platform/x86/amd: Fix refcount leak in amd_pmc_probe
    
    [ Upstream commit ccb32e2be14271a60e9ba89c6d5660cc9998773c ]
    
    pci_get_domain_bus_and_slot() takes reference, the caller should release
    the reference by calling pci_dev_put() after use. Call pci_dev_put() in
    the error path to fix this.
    
    Fixes: 3d7d407dfb05 ("platform/x86: amd-pmc: Add support for AMD Spill to DRAM STB feature")
    Signed-off-by: Miaoqian Lin <[email protected]>
    Reviewed-by: Mario Limonciello <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Reviewed-by: Hans de Goede <[email protected]>
    Signed-off-by: Hans de Goede <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Thomas Weiц÷schuh <[email protected]>
Date:   Wed Dec 21 17:59:51 2022 +0000

    platform/x86: asus-wmi: Don't load fan curves without fan
    
    commit 01fd7e7851ba2275662f771ee17d1f80e7bbfa52 upstream.
    
    If we do not have a fan it does not make sense to load curves for it.
    This removes the following warnings from the kernel log:
    
    asus_wmi: fan_curve_get_factory_default (0x00110024) failed: -19
    asus_wmi: fan_curve_get_factory_default (0x00110025) failed: -19
    
    Fixes: a2bdf10ce96e ("platform/x86: asus-wmi: Increase FAN_CURVE_BUF_LEN to 32")
    Signed-off-by: Thomas Weiц÷schuh <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Reviewed-by: Hans de Goede <[email protected]>
    Signed-off-by: Hans de Goede <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Hans de Goede <[email protected]>
Date:   Wed Dec 21 23:07:23 2022 +0100

    platform/x86: dell-privacy: Fix SW_CAMERA_LENS_COVER reporting
    
    commit 1af7fef0d9d3fa075bf4e850f705df1fe97d33ce upstream.
    
    Use KE_VSW instead of KE_SW for the SW_CAMERA_LENS_COVER key_entry
    and get the value of the switch from the status field when handling
    SW_CAMERA_LENS_COVER events, instead of always reporting 0.
    
    Also correctly set the initial SW_CAMERA_LENS_COVER value.
    
    Fixes: 8af9fa37b8a3 ("platform/x86: dell-privacy: Add support for Dell hardware privacy")
    Signed-off-by: Hans de Goede <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Hans de Goede <[email protected]>
Date:   Wed Dec 21 23:07:24 2022 +0100

    platform/x86: dell-privacy: Only register SW_CAMERA_LENS_COVER if present
    
    commit 6dc485f9940df8105ea729cbeb7a7d18d409dde5 upstream.
    
    Unlike keys where userspace only reacts to keypresses, userspace may act
    on switches in both (0 and 1) of their positions.
    
    For example if a SW_TABLET_MODE switch is registered then GNOME will not
    automatically show the onscreen keyboard when a text field gets focus on
    touchscreen devices when SW_TABLET_MODE reports 0 and when SW_TABLET_MODE
    reports 1 libinput will block (filter out) builtin keyboard and touchpad
    events.
    
    So to avoid unwanted side-effects EV_SW type inputs should only be
    registered if they are actually present, only register SW_CAMERA_LENS_COVER
    if it is actually there.
    
    Fixes: 8af9fa37b8a3 ("platform/x86: dell-privacy: Add support for Dell hardware privacy")
    Signed-off-by: Hans de Goede <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Hans de Goede <[email protected]>
Date:   Thu Dec 15 16:43:57 2022 +0100

    platform/x86: ideapad-laptop: Add Legion 5 15ARH05 DMI id to set_fn_lock_led_list[]
    
    commit f4b7f8febd4d9b615fbec2a06bf352b9c3729b11 upstream.
    
    The Lenovo Legion 5 15ARH05 needs ideapad-laptop to call SALS_FNLOCK_ON /
    SALS_FNLOCK_OFF on Fn-lock state change to get the LED in the Fn key to
    correctly reflect the Fn-lock state.
    
    Add a DMI match for the Legion 5 15ARH05 to the set_fn_lock_led_list[]
    table for this.
    
    Fixes: 81a5603a0f50 ("platform/x86: ideapad-laptop: Fix interrupt storm on fn-lock toggle on some Yoga laptops")
    Signed-off-by: Hans de Goede <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Hans de Goede <[email protected]>
Date:   Wed Jan 11 21:14:26 2023 +0100

    platform/x86: int3472/discrete: Ensure the clk/power enable pins are in output mode
    
    commit cf5ac2d45f6e4d11ad78e7b10ae9a4121ba5e995 upstream.
    
    acpi_get_and_request_gpiod() does not take a gpio_lookup_flags argument
    specifying that the pins direction should be initialized to a specific
    value.
    
    This means that in some cases the pins might be left in input mode, causing
    the gpiod_set() calls made to enable the clk / regulator to not work.
    
    One example of this problem is the clk-enable GPIO for the ov01a1s sensor
    on a Dell Latitude 9420 being left in input mode causing the clk to
    never get enabled.
    
    Explicitly set the direction of the pins to output to fix this.
    
    Fixes: 5de691bffe57 ("platform/x86: Add intel_skl_int3472 driver")
    Signed-off-by: Hans de Goede <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Reviewed-by: Daniel Scally <[email protected]>
    Reviewed-by: Sakari Ailus <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Hans de Goede <[email protected]>
Date:   Tue Dec 13 13:29:43 2022 +0100

    platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight during probe
    
    commit ad75bd85b1db69c97eefea07b375567821f6ef58 upstream.
    
    The 0x153 version of the kbd backlight control SNC handle has no separate
    address to probe if the backlight is there.
    
    This turns the probe call into a set keyboard backlight call with a value
    of 0 turning off the keyboard backlight.
    
    Skip probing when there is no separate probe address to avoid this.
    
    Link: https://bugzilla.redhat.com/show_bug.cgi?id=1583752
    Fixes: 800f20170dcf ("Keyboard backlight control for some Vaio Fit models")
    Signed-off-by: Hans de Goede <[email protected]>
    Reviewed-by: Mattia Dongili <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Mark Pearson <[email protected]>
Date:   Thu Jan 12 17:12:28 2023 -0500

    platform/x86: thinkpad_acpi: Fix profile mode display in AMT mode
    
    commit fde5f74ccfc771941b018b5415fa9664426e10ad upstream.
    
    Recently AMT mode was enabled (somewhat unexpectedly) on the Lenovo
    Z13 platform. The FW is advertising it is available and the driver tries
    to use it - unfortunately it reports the profile mode incorrectly.
    
    Note, there is also some extra work needed to enable the dynamic aspect
    of AMT support that I will be following up with; but more testing is
    needed first. This patch just fixes things so the profiles are reported
    correctly.
    
    Link: https://gitlab.freedesktop.org/hadess/power-profiles-daemon/-/issues/115
    Fixes: 46dcbc61b739 ("platform/x86: thinkpad-acpi: Add support for automatic mode transitions")
    
    Reviewed-by: Mario Limonciello <[email protected]>
    Signed-off-by: Mark Pearson <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Reviewed-by: Hans de Goede <[email protected]>
    Signed-off-by: Hans de Goede <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Kajol Jain <[email protected]>
Date:   Fri Jan 6 12:21:57 2023 +0530

    powerpc/imc-pmu: Fix use of mutex in IRQs disabled section
    
    commit 76d588dddc459fefa1da96e0a081a397c5c8e216 upstream.
    
    Current imc-pmu code triggers a WARNING with CONFIG_DEBUG_ATOMIC_SLEEP
    and CONFIG_PROVE_LOCKING enabled, while running a thread_imc event.
    
    Command to trigger the warning:
      # perf stat -e thread_imc/CPM_CS_FROM_L4_MEM_X_DPTEG/ sleep 5
    
       Performance counter stats for 'sleep 5':
    
                       0      thread_imc/CPM_CS_FROM_L4_MEM_X_DPTEG/
    
             5.002117947 seconds time elapsed
    
             0.000131000 seconds user
             0.001063000 seconds sys
    
    Below is snippet of the warning in dmesg:
    
      BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
      in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 2869, name: perf-exec
      preempt_count: 2, expected: 0
      4 locks held by perf-exec/2869:
       #0: c00000004325c540 (&sig->cred_guard_mutex){+.+.}-{3:3}, at: bprm_execve+0x64/0xa90
       #1: c00000004325c5d8 (&sig->exec_update_lock){++++}-{3:3}, at: begin_new_exec+0x460/0xef0
       #2: c0000003fa99d4e0 (&cpuctx_lock){-...}-{2:2}, at: perf_event_exec+0x290/0x510
       #3: c000000017ab8418 (&ctx->lock){....}-{2:2}, at: perf_event_exec+0x29c/0x510
      irq event stamp: 4806
      hardirqs last  enabled at (4805): [<c000000000f65b94>] _raw_spin_unlock_irqrestore+0x94/0xd0
      hardirqs last disabled at (4806): [<c0000000003fae44>] perf_event_exec+0x394/0x510
      softirqs last  enabled at (0): [<c00000000013c404>] copy_process+0xc34/0x1ff0
      softirqs last disabled at (0): [<0000000000000000>] 0x0
      CPU: 36 PID: 2869 Comm: perf-exec Not tainted 6.2.0-rc2-00011-g1247637727f2 #61
      Hardware name: 8375-42A POWER9 0x4e1202 opal:v7.0-16-g9b85f7d961 PowerNV
      Call Trace:
        dump_stack_lvl+0x98/0xe0 (unreliable)
        __might_resched+0x2f8/0x310
        __mutex_lock+0x6c/0x13f0
        thread_imc_event_add+0xf4/0x1b0
        event_sched_in+0xe0/0x210
        merge_sched_in+0x1f0/0x600
        visit_groups_merge.isra.92.constprop.166+0x2bc/0x6c0
        ctx_flexible_sched_in+0xcc/0x140
        ctx_sched_in+0x20c/0x2a0
        ctx_resched+0x104/0x1c0
        perf_event_exec+0x340/0x510
        begin_new_exec+0x730/0xef0
        load_elf_binary+0x3f8/0x1e10
      ...
      do not call blocking ops when !TASK_RUNNING; state=2001 set at [<00000000fd63e7cf>] do_nanosleep+0x60/0x1a0
      WARNING: CPU: 36 PID: 2869 at kernel/sched/core.c:9912 __might_sleep+0x9c/0xb0
      CPU: 36 PID: 2869 Comm: sleep Tainted: G        W          6.2.0-rc2-00011-g1247637727f2 #61
      Hardware name: 8375-42A POWER9 0x4e1202 opal:v7.0-16-g9b85f7d961 PowerNV
      NIP:  c000000000194a1c LR: c000000000194a18 CTR: c000000000a78670
      REGS: c00000004d2134e0 TRAP: 0700   Tainted: G        W           (6.2.0-rc2-00011-g1247637727f2)
      MSR:  9000000000021033 <SF,HV,ME,IR,DR,RI,LE>  CR: 48002824  XER: 00000000
      CFAR: c00000000013fb64 IRQMASK: 1
    
    The above warning triggered because the current imc-pmu code uses mutex
    lock in interrupt disabled sections. The function mutex_lock()
    internally calls __might_resched(), which will check if IRQs are
    disabled and in case IRQs are disabled, it will trigger the warning.
    
    Fix the issue by changing the mutex lock to spinlock.
    
    Fixes: 8f95faaac56c ("powerpc/powernv: Detect and create IMC device")
    Reported-by: Michael Petlan <[email protected]>
    Reported-by: Peter Zijlstra <[email protected]>
    Signed-off-by: Kajol Jain <[email protected]>
    [mpe: Fix comments, trim oops in change log, add reported-by tags]
    Signed-off-by: Michael Ellerman <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Ricardo Ribalda <[email protected]>
Date:   Sun Nov 27 22:06:02 2022 +0100

    regulator: da9211: Use irq handler when ready
    
    [ Upstream commit 02228f6aa6a64d588bc31e3267d05ff184d772eb ]
    
    If the system does not come from reset (like when it is kexec()), the
    regulator might have an IRQ waiting for us.
    
    If we enable the IRQ handler before its structures are ready, we crash.
    
    This patch fixes:
    
    [    1.141839] Unable to handle kernel read from unreadable memory at virtual address 0000000000000078
    [    1.316096] Call trace:
    [    1.316101]  blocking_notifier_call_chain+0x20/0xa8
    [    1.322757] cpu cpu0: dummy supplies not allowed for exclusive requests
    [    1.327823]  regulator_notifier_call_chain+0x1c/0x2c
    [    1.327825]  da9211_irq_handler+0x68/0xf8
    [    1.327829]  irq_thread+0x11c/0x234
    [    1.327833]  kthread+0x13c/0x154
    
    Signed-off-by: Ricardo Ribalda <[email protected]>
    Reviewed-by: Adam Ward <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Takashi Iwai <[email protected]>
Date:   Wed Jan 4 16:09:44 2023 +0100

    Revert "ALSA: usb-audio: Drop superfluous interface setup at parsing"
    
    commit 16f1f838442dc6430d32d51ddda347b8421ec34b upstream.
    
    This reverts commit ac5e2fb425e1121ceef2b9d1b3ffccc195d55707.
    
    The commit caused a regression on Behringer UMC404HD (and likely
    others).  As the change was meant only as a minor optimization, it's
    better to revert it to address the regression.
    
    Reported-and-tested-by: Michael Ralston <[email protected]>
    Cc: <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]om
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Alex Deucher <[email protected]>
Date:   Fri Jan 13 14:03:02 2023 -0500

    Revert "drm/amdgpu: Revert "drm/amdgpu: getting fan speed pwm for vega10 properly""
    
    This reverts commit 9ccd11718d76b95c69aa773f2abedef560776037
    
    The original commit 16fb4dca95daa ("drm/amdgpu: getting fan speed pwm for vega10 properly")
    was reverted in commit 4545ae2ed3f2 ("drm/amdgpu: Revert "drm/amdgpu: getting fan speed pwm for vega10 properly"").
    but the test that resulted in the revert was wrong and was fixed so the
    revert was reverted in commit 30b8e7b8ee3b ("Revert "drm/amdgpu: Revert "drm/amdgpu: getting fan speed pwm for vega10 properly""").
    That should have been the end of it, but then Sasha picked up the
    original revert again and it was committed as 9ccd11718d76.  So drop
    that commit so we get back to where we need to be.
    
    Signed-off-by: Alex Deucher <[email protected]>
    Cc: Sasha Levin <[email protected]>
    Cc: [email protected] # 6.1.x
    Cc: Yury Zhuravlev <[email protected]>
    Cc: Guchun Chen <[email protected]>
    Cc: Asher Song <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Heiner Kallweit <[email protected]>
Date:   Sun Jan 8 20:37:53 2023 +0100

    Revert "r8169: disable detection of chip version 36"
    
    [ Upstream commit 2ea26b4de6f42b74a5f1701de41efa6bc9f12666 ]
    
    This reverts commit 42666b2c452ce87894786aae05e3fad3cfc6cb59.
    
    This chip version seems to be very rare, but it exits in consumer
    devices, see linked report.
    
    Link: https://stackoverflow.com/questions/75049473/cant-setup-a-wired-network-in-archlinux-fresh-install
    Fixes: 42666b2c452c ("r8169: disable detection of chip version 36")
    Signed-off-by: Heiner Kallweit <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Ferry Toth <[email protected]>
Date:   Thu Dec 22 21:53:02 2022 +0100

    Revert "usb: ulpi: defer ulpi_register on ulpi_read_id timeout"
    
    commit b659b613cea2ae39746ca8bd2b69d1985dd9d770 upstream.
    
    This reverts commit 8a7b31d545d3a15f0e6f5984ae16f0ca4fd76aac.
    
    This patch results in some qemu test failures, specifically xilinx-zynq-a9
    machine and zynq-zc702 as well as zynq-zed devicetree files, when trying
    to boot from USB drive.
    
    Link: https://lore.kernel.org/lkml/[email protected]/
    Fixes: 8a7b31d545d3 ("usb: ulpi: defer ulpi_register on ulpi_read_id timeout")
    Cc: [email protected]
    Reported-by: Guenter Roeck <[email protected]>
    Signed-off-by: Ferry Toth <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Heiko Carstens <[email protected]>
Date:   Thu Jan 5 15:44:20 2023 +0100

    s390/cpum_sf: add READ_ONCE() semantics to compare and swap loops
    
    commit 82d3edb50a11bf3c5ef63294d5358ba230181413 upstream.
    
    The current cmpxchg_double() loops within the perf hw sampling code do not
    have READ_ONCE() semantics to read the old value from memory. This allows
    the compiler to generate code which reads the "old" value several times
    from memory, which again allows for inconsistencies.
    
    For example:
    
            /* Reset trailer (using compare-double-and-swap) */
            do {
                    te_flags = te->flags & ~SDB_TE_BUFFER_FULL_MASK;
                    te_flags |= SDB_TE_ALERT_REQ_MASK;
            } while (!cmpxchg_double(&te->flags, &te->overflow,
                     te->flags, te->overflow,
                     te_flags, 0ULL));
    
    The compiler could generate code where te->flags used within the
    cmpxchg_double() call may be refetched from memory and which is not
    necessarily identical to the previous read version which was used to
    generate te_flags. Which in turn means that an incorrect update could
    happen.
    
    Fix this by adding READ_ONCE() semantics to all cmpxchg_double()
    loops. Given that READ_ONCE() cannot generate code on s390 which atomically
    reads 16 bytes, use a private compare-and-swap-double implementation to
    achieve that.
    
    Also replace cmpxchg_double() with the private implementation to be able to
    re-use the old value within the loops.
    
    As a side effect this converts the whole code to only use bit fields
    to read and modify bits within the hws trailer header.
    
    Reported-by: Alexander Gordeev <[email protected]>
    Acked-by: Alexander Gordeev <[email protected]>
    Acked-by: Hendrik Brueckner <[email protected]>
    Reviewed-by: Thomas Richter <[email protected]>
    Cc: <[email protected]>
    Link: https://lore.kernel.org/linux-s390/[email protected]/T/#ma14e2a5f7aa8ed4b94b6f9576799b3ad9c60f333
    Signed-off-by: Heiko Carstens <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Alexander Egorenkov <[email protected]>
Date:   Mon Nov 14 11:40:08 2022 +0100

    s390/kexec: fix ipl report address for kdump
    
    commit c2337a40e04dde1692b5b0a46ecc59f89aaba8a1 upstream.
    
    This commit addresses the following erroneous situation with file-based
    kdump executed on a system with a valid IPL report.
    
    On s390, a kdump kernel, its initrd and IPL report if present are loaded
    into a special and reserved on boot memory region - crashkernel. When
    a system crashes and kdump was activated before, the purgatory code
    is entered first which swaps the crashkernel and [0 - crashkernel size]
    memory regions. Only after that the kdump kernel is entered. For this
    reason, the pointer to an IPL report in lowcore must point to the IPL report
    after the swap and not to the address of the IPL report that was located in
    crashkernel memory region before the swap. Failing to do so, makes the
    kdump's decompressor try to read memory from the crashkernel memory region
    which already contains the production's kernel memory.
    
    The situation described above caused spontaneous kdump failures/hangs
    on systems where the Secure IPL is activated because on such systems
    an IPL report is always present. In that case kdump's decompressor tried
    to parse an IPL report which frequently lead to illegal memory accesses
    because an IPL report contains addresses to various data.
    
    Cc: <[email protected]>
    Fixes: 99feaa717e55 ("s390/kexec_file: Create ipl report and pass to next kernel")
    Reviewed-by: Vasily Gorbik <[email protected]>
    Signed-off-by: Alexander Egorenkov <[email protected]>
    Signed-off-by: Heiko Carstens <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Heiko Carstens <[email protected]>
Date:   Mon Jan 9 11:51:20 2023 +0100

    s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple()
    
    commit e3f360db08d55a14112bd27454e616a24296a8b0 upstream.
    
    Make sure that *ptr__ within arch_this_cpu_to_op_simple() is only
    dereferenced once by using READ_ONCE(). Otherwise the compiler could
    generate incorrect code.
    
    Cc: <[email protected]>
    Reviewed-by: Alexander Gordeev <[email protected]>
    Signed-off-by: Heiko Carstens <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Yair Podemsky <[email protected]>
Date:   Wed Nov 30 14:51:21 2022 +0200

    sched/core: Fix arch_scale_freq_tick() on tickless systems
    
    [ Upstream commit 7fb3ff22ad8772bbf0e3ce1ef3eb7b09f431807f ]
    
    In order for the scheduler to be frequency invariant we measure the
    ratio between the maximum CPU frequency and the actual CPU frequency.
    
    During long tickless periods of time the calculations that keep track
    of that might overflow, in the function scale_freq_tick():
    
      if (check_shl_overflow(acnt, 2*SCHED_CAPACITY_SHIFT, &acnt))
              goto error;
    
    eventually forcing the kernel to disable the feature for all CPUs,
    and show the warning message:
    
       "Scheduler frequency invariance went wobbly, disabling!".
    
    Let's avoid that by limiting the frequency invariant calculations
    to CPUs with regular tick.
    
    Fixes: e2b0d619b400 ("x86, sched: check for counters overflow in frequency invariant accounting")
    Suggested-by: "Peter Zijlstra (Intel)" <[email protected]>
    Signed-off-by: Yair Podemsky <[email protected]>
    Signed-off-by: Ingo Molnar <[email protected]>
    Reviewed-by: Valentin Schneider <[email protected]>
    Acked-by: Giovanni Gherdovich <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

Author: Waiman Long <[email protected]>
Date:   Fri Dec 30 23:11:19 2022 -0500

    sched/core: Fix use-after-free bug in dup_user_cpus_ptr()
    
    commit 87ca4f9efbd7cc649ff43b87970888f2812945b8 upstream.
    
    Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be
    restricted on asymmetric systems"), the setting and clearing of
    user_cpus_ptr are done under pi_lock for arm64 architecture. However,
    dup_user_cpus_ptr() accesses user_cpus_ptr without any lock
    protection. Since sched_setaffinity() can be invoked from another
    process, the process being modified may be undergoing fork() at
    the same time.  When racing with the clearing of user_cpus_ptr in
    __set_cpus_allowed_ptr_locked(), it can lead to user-after-free and
    possibly double-free in arm64 kernel.
    
    Commit 8f9ea86fdf99 ("sched: Always preserve the user requested
    cpumask") fixes this problem as user_cpus_ptr, once set, will never
    be cleared in a task's lifetime. However, this bug was re-introduced
    in commit 851a723e45d1 ("sched: Always clear user_cpus_ptr in
    do_set_cpus_allowed()") which allows the clearing of user_cpus_ptr in
    do_set_cpus_allowed(). This time, it will affect all arches.
    
    Fix this bug by always clearing the user_cpus_ptr of the newly
    cloned/forked task before the copying process starts and check the
    user_cpus_ptr state of the source task under pi_lock.
    
    Note to stable, this patch won't be applicable to stable releases.
    Just copy the new dup_user_cpus_ptr() function over.
    
    Fixes: 07ec77a1d4e8 ("sched: Allow task CPU affinity to be restricted on asymmetric systems")
    Fixes: 851a723e45d1 ("sched: Always clear user_cpus_ptr in do_set_cpus_allowed()")
    Reported-by: David Wang Г▌▀Ф═┤ <[email protected]>
    Signed-off-by: Waiman Long <[email protected]>
    Signed-off-by: Ingo Molnar <[email protected]>
    Reviewed-by: Peter Zijlstra <[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Shin'ichiro Kawasaki <[email protected]>
Date:   Wed Dec 7 11:36:59 2022 +0900

    scsi: mpi3mr: Refer CONFIG_SCSI_MPI3MR in Makefile
    
    [ Upstream commit f0a43ba6c66cc0688e2748d986a1459fdd3442ef ]
    
    When Kconfig item CONFIG_SCSI_MPI3MR was introduced for mpi3mr driver, the
    Makefile of the driver was not modified to refer the Kconfig item.
    
    As a result, mpi3mr.ko is built regardless of the Kconfig item value y or
    m. Also, if 'make localmodconfig' can not find the Kconfig item in the
    Makefile, then it does not generate CONFIG_SCSI_MPI3MR=m even when
    mpi3mr.ko is loaded on the system.
    
    Refer to the Kconfig item to avoid the issues.
    
    Fixes: c4f7ac64616e ("scsi: mpi3mr: Add mpi30 Rev-R headers and Kconfig")
    Signed-off-by: Shin'ichiro Kawasaki <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Reviewed-by: Damien Le Moal <[email protected]>
    Acked-by: Sathya Prakash Veerichetty <[email protected]>
    Signed-off-by: Martin K. Petersen <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Michael Kelley <[email protected]>
Date:   Sun Dec 4 11:52:44 2022 -0800

    scsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM
    
    [ Upstream commit 67ff3d0a49f3d445c3922e30a54e03c161da561e ]
    
    storvsc_queuecommand() maps the scatter/gather list using scsi_dma_map(),
    which in a confidential VM allocates swiotlb bounce buffers. If the I/O
    submission fails in storvsc_do_io(), the I/O is typically retried by higher
    level code, but the bounce buffer memory is never freed.  The mostly like
    cause of I/O submission failure is a full VMBus channel ring buffer, which
    is not uncommon under high I/O loads.  Eventually enough bounce buffer
    memory leaks that the confidential VM can't do any I/O. The same problem
    can arise in a non-confidential VM with kernel boot parameter
    swiotlb=force.
    
    Fix this by doing scsi_dma_unmap() in the case of an I/O submission
    error, which frees the bounce buffer memory.
    
    Fixes: 743b237c3a7b ("scsi: storvsc: Add Isolation VM support for storvsc driver")
    Signed-off-by: Michael Kelley <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Tested-by: Dexuan Cui <[email protected]>
    Reviewed-by: Dexuan Cui <[email protected]>
    Reviewed-by: Tianyu Lan <[email protected]>
    Signed-off-by: Martin K. Petersen <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Peter Wang <[email protected]>
Date:   Thu Dec 8 15:25:20 2022 +0800

    scsi: ufs: core: WLUN suspend SSU/enter hibern8 fail recovery
    
    [ Upstream commit 1a5665fc8d7a000671ebd3fe69c6f9acf1e0dcd9 ]
    
    When SSU/enter hibern8 fail in WLUN suspend flow, trigger the error handler
    and return busy to break the suspend.  Otherwise the consumer will get
    stuck in runtime suspend status.
    
    Fixes: b294ff3e3449 ("scsi: ufs: core: Enable power management for wlun")
    Signed-off-by: Peter Wang <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Reviewed-by: Stanley Chu <[email protected]>
    Reviewed-by: Bart Van Assche <[email protected]>
    Reviewed-by: Adrian Hunter <[email protected]>
    Signed-off-by: Martin K. Petersen <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Guillaume Nault <[email protected]>
Date:   Sun Jan 8 16:45:50 2023 +0100

    selftests/net: l2_tos_ttl_inherit.sh: Ensure environment cleanup on failure.
    
    [ Upstream commit d68ff8ad3351b8fc8d6f14b9a4f5cc8ba3e8bd13 ]
    
    Use 'set -e' and an exit handler to stop the script if a command fails
    and ensure the test environment is cleaned up in any case. Also, handle
    the case where the script is interrupted by SIGINT.
    
    The only command that's expected to fail is 'wait $ping_pid', since
    it's killed by the script. Handle this case with '|| true' to make it
    play well with 'set -e'.
    
    Finally, return the Kselftest SKIP code (4) when the script breaks
    because of an environment problem or a command line failure. The 0 and
    1 return codes should now reliably indicate that all tests have been
    run (0: all tests run and passed, 1: all tests run but at least one
    failed, 4: test script didn't run completely).
    
    Fixes: b690842d12fd ("selftests/net: test l2 tunnel TOS/TTL inheriting")
    Reported-by: Mirsad Goran Todorovac <[email protected]>
    Tested-by: Mirsad Goran Todorovac <[email protected]>
    Signed-off-by: Guillaume Nault <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Guillaume Nault <[email protected]>
Date:   Sun Jan 8 16:45:46 2023 +0100

    selftests/net: l2_tos_ttl_inherit.sh: Run tests in their own netns.
    
    [ Upstream commit c53cb00f7983a5474f2d36967f84908b85af9159 ]
    
    This selftest currently runs half in the current namespace and half in
    a netns of its own. Therefore, the test can fail if the current
    namespace is already configured with incompatible parameters (for
    example if it already has a veth0 interface).
    
    Adapt the script to put both ends of the veth pair in their own netns.
    Now veth0 is created in NS0 instead of the current namespace, while
    veth1 is set up in NS1 (instead of the 'testing' netns).
    
    The user visible netns names are randomised to minimise the risk of
    conflicts with already existing namespaces. The cleanup() function
    doesn't need to remove the virtual interface anymore: deleting NS0 and
    NS1 automatically removes the virtual interfaces they contained.
    
    We can remove $ns, which was only used to run ip commands in the
    'testing' netns (let's use the builtin "-netns" option instead).
    However, we still need a similar functionality as ping and tcpdump
    now need to run in NS0. So we now have $RUN_NS0 for that.
    
    Fixes: b690842d12fd ("selftests/net: test l2 tunnel TOS/TTL inheriting")
    Reported-by: Mirsad Goran Todorovac <[email protected]>
    Tested-by: Mirsad Goran Todorovac <[email protected]>
    Signed-off-by: Guillaume Nault <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Guillaume Nault <[email protected]>
Date:   Sun Jan 8 16:45:41 2023 +0100

    selftests/net: l2_tos_ttl_inherit.sh: Set IPv6 addresses with "nodad".
    
    [ Upstream commit e59370b2e96eb8e7e057a2a16e999ff385a3f2fb ]
    
    The ping command can run before DAD completes. In that case, ping may
    fail and break the selftest.
    
    We don't need DAD here since we're working on isolated device pairs.
    
    Fixes: b690842d12fd ("selftests/net: test l2 tunnel TOS/TTL inheriting")
    Signed-off-by: Guillaume Nault <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Florian Westphal <[email protected]>
Date:   Wed Jan 4 12:54:42 2023 +0100

    selftests: netfilter: fix transaction test script timeout handling
    
    commit c273289fac370b6488757236cd62cc2cf04830b7 upstream.
    
    The kselftest framework uses a default timeout of 45 seconds for
    all test scripts.
    
    Increase the timeout to two minutes for the netfilter tests, this
    should hopefully be enough,
    
    Make sure that, should the script be canceled, the net namespace and
    the spawned ping instances are removed.
    
    Fixes: 25d8bcedbf43 ("selftests: add script to stress-test nft packet path vs. control plane")
    Reported-by: Mirsad Goran Todorovac <[email protected]>
    Signed-off-by: Florian Westphal <[email protected]>
    Tested-by: Mirsad Goran Todorovac <[email protected].hr>
    Signed-off-by: Pablo Neira Ayuso <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Biao Huang <[email protected]>
Date:   Thu Jan 5 09:07:11 2023 +0800

    stmmac: dwmac-mediatek: remove the dwmac_fix_mac_speed
    
    [ Upstream commit c26de7507d1f5ffa5daf6a4980ef7896889691a9 ]
    
    In current driver, MAC will always enable 2ns delay in RGMII mode,
    but that's not the correct usage.
    
    Remove the dwmac_fix_mac_speed() in driver, and recommend "rgmii-id"
    for phy-mode in device tree.
    
    Fixes: f2d356a6ab71 ("stmmac: dwmac-mediatek: add support for mt8195")
    Reviewed-by: Andrew Lunn <[email protected]>
    Signed-off-by: Biao Huang <[email protected]>
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Tung Nguyen <[email protected]>
Date:   Thu Jan 5 06:02:51 2023 +0000

    tipc: fix unexpected link reset due to discovery messages
    
    [ Upstream commit c244c092f1ed2acfb5af3d3da81e22367d3dd733 ]
    
    This unexpected behavior is observed:
    
    node 1                    | node 2
    ------                    | ------
    link is established       | link is established
    reboot                    | link is reset
    up                        | send discovery message
    receive discovery message |
    link is established       | link is established
    send discovery message    |
                              | receive discovery message
                              | link is reset (unexpected)
                              | send reset message
    link is reset             |
    
    It is due to delayed re-discovery as described in function
    tipc_node_check_dest(): "this link endpoint has already reset
    and re-established contact with the peer, before receiving a
    discovery message from that node."
    
    However, commit 598411d70f85 has changed the condition for calling
    tipc_node_link_down() which was the acceptance of new media address.
    
    This commit fixes this by restoring the old and correct behavior.
    
    Fixes: 598411d70f85 ("tipc: make resetting of links non-atomic")
    Acked-by: Jon Maloy <[email protected]>
    Signed-off-by: Tung Nguyen <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Willy Tarreau <[email protected]>
Date:   Mon Jan 9 08:54:42 2023 +0100

    tools/nolibc: fix the O_* fcntl/open macro definitions for riscv
    
    [ Upstream commit 00b18da4089330196906b9fe075c581c17eb726c ]
    
    When RISCV port was imported in 5.2, the O_* macros were taken with
    their octal value and written as-is in hex, resulting in the getdents64()
    to fail in nolibc-test.
    
    Fixes: 582e84f7b779 ("tool headers nolibc: add RISCV support") #5.2
    Signed-off-by: Willy Tarreau <[email protected]>
    Signed-off-by: Paul E. McKenney <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Willy Tarreau <[email protected]>
Date:   Mon Jan 9 08:54:39 2023 +0100

    tools/nolibc: restore mips branch ordering in the _start block
    
    [ Upstream commit 184177c3d6e023da934761e198c281344d7dd65b ]
    
    Depending on the compiler used and the optimization options, the sbrk()
    test was crashing, both on real hardware (mips-24kc) and in qemu. One
    such example is kernel.org toolchain in version 11.3 optimizing at -Os.
    
    Inspecting the sys_brk() call shows the following code:
    
      0040047c <sys_brk>:
        40047c:       24020fcd        li      v0,4045
        400480:       27bdffe0        addiu   sp,sp,-32
        400484:       0000000c        syscall
        400488:       27bd0020        addiu   sp,sp,32
        40048c:       10e00001        beqz    a3,400494 <sys_brk+0x18>
        400490:       00021023        negu    v0,v0
        400494:       03e00008        jr      ra
    
    It is obviously wrong, the "negu" instruction is placed in beqz's
    delayed slot, and worse, there's no nop nor instruction after the
    return, so the next function's first instruction (addiu sip,sip,-32)
    will also be executed as part of the delayed slot that follows the
    return.
    
    This is caused by the ".set noreorder" directive in the _start block,
    that applies to the whole program. The compiler emits code without the
    delayed slots and relies on the compiler to swap instructions when this
    option is not set. Removing the option would require to change the
    startup code in a way that wouldn't make it look like the resulting
    code, which would not be easy to debug. Instead let's just save the
    default ordering before changing it, and restore it at the end of the
    _start block. Now the code is correct:
    
      0040047c <sys_brk>:
        40047c:       24020fcd        li      v0,4045
        400480:       27bdffe0        addiu   sp,sp,-32
        400484:       0000000c        syscall
        400488:       10e00002        beqz    a3,400494 <sys_brk+0x18>
        40048c:       27bd0020        addiu   sp,sp,32
        400490:       00021023        negu    v0,v0
        400494:       03e00008        jr      ra
        400498:       00000000        nop
    
    Fixes: 66b6f755ad45 ("rcutorture: Import a copy of nolibc") #5.0
    Signed-off-by: Willy Tarreau <[email protected]>
    Signed-off-by: Paul E. McKenney <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Ferry Toth <[email protected]>
Date:   Mon Dec 5 21:15:26 2022 +0100

    usb: ulpi: defer ulpi_register on ulpi_read_id timeout
    
    [ Upstream commit 8a7b31d545d3a15f0e6f5984ae16f0ca4fd76aac ]
    
    Since commit 0f0101719138 ("usb: dwc3: Don't switch OTG -> peripheral
    if extcon is present") Dual Role support on Intel Merrifield platform
    broke due to rearranging the call to dwc3_get_extcon().
    
    It appears to be caused by ulpi_read_id() on the first test write failing
    with -ETIMEDOUT. Currently ulpi_read_id() expects to discover the phy via
    DT when the test write fails and returns 0 in that case, even if DT does not
    provide the phy. As a result usb probe completes without phy.
    
    Make ulpi_read_id() return -ETIMEDOUT to its user if the first test write
    fails. The user should then handle it appropriately. A follow up patch
    will make dwc3_core_init() set -EPROBE_DEFER in this case and bail out.
    
    Fixes: ef6a7bcfb01c ("usb: ulpi: Support device discovery via DT")
    Cc: [email protected]
    Acked-by: Heikki Krogerus <[email protected]>
    Signed-off-by: Ferry Toth <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Author: Peter Zijlstra <[email protected]>
Date:   Tue Jan 10 12:15:40 2023 +0100

    x86/boot: Avoid using Intel mnemonics in AT&T syntax asm
    
    commit 7c6dd961d0c8e7e8f9fdc65071fb09ece702e18d upstream.
    
    With 'GNU assembler (GNU Binutils for Debian) 2.39.90.20221231' the
    build now reports:
    
      arch/x86/realmode/rm/../../boot/bioscall.S: Assembler messages:
      arch/x86/realmode/rm/../../boot/bioscall.S:35: Warning: found `movsd'; assuming `movsl' was meant
      arch/x86/realmode/rm/../../boot/bioscall.S:70: Warning: found `movsd'; assuming `movsl' was meant
    
      arch/x86/boot/bioscall.S: Assembler messages:
      arch/x86/boot/bioscall.S:35: Warning: found `movsd'; assuming `movsl' was meant
      arch/x86/boot/bioscall.S:70: Warning: found `movsd'; assuming `movsl' was meant
    
    Which is due to:
    
      PR gas/29525
    
      Note that with the dropped CMPSD and MOVSD Intel Syntax string insn
      templates taking operands, mixed IsString/non-IsString template groups
      (with memory operands) cannot occur anymore. With that
      maybe_adjust_templates() becomes unnecessary (and is hence being
      removed).
    
    More details: https://sourceware.org/bugzilla/show_bug.cgi?id=29525
    
    Borislav Petkov further explains:
    
      " the particular problem here is is that the 'd' suffix is
        "conflicting" in the sense that you can have SSE mnemonics like movsD %xmm...
        and the same thing also for string ops (which is the case here) so apparently
        the agreement in binutils land is to use the always accepted suffixes 'l' or 'q'
        and phase out 'd' slowly... "
    
    Fixes: 7a734e7dd93b ("x86, setup: "glove box" BIOS calls -- infrastructure")
    Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
    Signed-off-by: Ingo Molnar <[email protected]>
    Acked-by: Borislav Petkov (AMD) <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Juergen Gross <[email protected]>
Date:   Tue Jan 10 07:54:27 2023 +0100

    x86/pat: Fix pat_x_mtrr_type() for MTRR disabled case
    
    commit 90b926e68f500844dff16b5bcea178dc55cf580a upstream.
    
    Since
    
      72cbc8f04fe2 ("x86/PAT: Have pat_enabled() properly reflect state when running on Xen")
    
    PAT can be enabled without MTRR.
    
    This has resulted in problems e.g. for a SEV-SNP guest running under Hyper-V,
    when trying to establish a new mapping via memremap() with WB caching mode, as
    pat_x_mtrr_type() will call mtrr_type_lookup(), which in turn is returning
    MTRR_TYPE_INVALID due to MTRR being disabled in this configuration.
    
    The result is a mapping with UC- caching, leading to severe performance
    degradation.
    
    Fix that by handling MTRR_TYPE_INVALID the same way as MTRR_TYPE_WRBACK
    in pat_x_mtrr_type() because MTRR_TYPE_INVALID means MTRRs are disabled.
    
      [ bp: Massage commit message. ]
    
    Fixes: 72cbc8f04fe2 ("x86/PAT: Have pat_enabled() properly reflect state when running on Xen")
    Reported-by: Michael Kelley (LINUX) <[email protected]>
    Signed-off-by: Juergen Gross <[email protected]>
    Signed-off-by: Borislav Petkov (AMD) <[email protected]>
    Reviewed-by: Michael Kelley <[email protected]>
    Tested-by: Michael Kelley <[email protected]>
    Cc: <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Peter Newman <[email protected]>
Date:   Tue Dec 20 17:41:31 2022 +0100

    x86/resctrl: Fix event counts regression in reused RMIDs
    
    commit 2a81160d29d65b5876ab3f824fda99ae0219f05e upstream.
    
    When creating a new monitoring group, the RMID allocated for it may have
    been used by a group which was previously removed. In this case, the
    hardware counters will have non-zero values which should be deducted
    from what is reported in the new group's counts.
    
    resctrl_arch_reset_rmid() initializes the prev_msr value for counters to
    0, causing the initial count to be charged to the new group. Resurrect
    __rmid_read() and use it to initialize prev_msr correctly.
    
    Unlike before, __rmid_read() checks for error bits in the MSR read so
    that callers don't need to.
    
    Fixes: 1d81d15db39c ("x86/resctrl: Move mbm_overflow_count() into resctrl_arch_rmid_read()")
    Signed-off-by: Peter Newman <[email protected]>
    Signed-off-by: Borislav Petkov (AMD) <[email protected]>
    Reviewed-by: Reinette Chatre <[email protected]>
    Tested-by: Babu Moger <[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: Peter Newman <[email protected]>
Date:   Tue Dec 20 17:11:23 2022 +0100

    x86/resctrl: Fix task CLOSID/RMID update race
    
    commit fe1f0714385fbcf76b0cbceb02b7277d842014fc upstream.
    
    When the user moves a running task to a new rdtgroup using the task's
    file interface or by deleting its rdtgroup, the resulting change in
    CLOSID/RMID must be immediately propagated to the PQR_ASSOC MSR on the
    task(s) CPUs.
    
    x86 allows reordering loads with prior stores, so if the task starts
    running between a task_curr() check that the CPU hoisted before the
    stores in the CLOSID/RMID update then it can start running with the old
    CLOSID/RMID until it is switched again because __rdtgroup_move_task()
    failed to determine that it needs to be interrupted to obtain the new
    CLOSID/RMID.
    
    Refer to the diagram below:
    
    CPU 0                                   CPU 1
    -----                                   -----
    __rdtgroup_move_task():
      curr <- t1->cpu->rq->curr
                                            __schedule():
                                              rq->curr <- t1
                                            resctrl_sched_in():
                                              t1->{closid,rmid} -> {1,1}
      t1->{closid,rmid} <- {2,2}
      if (curr == t1) // false
       IPI(t1->cpu)
    
    A similar race impacts rdt_move_group_tasks(), which updates tasks in a
    deleted rdtgroup.
    
    In both cases, use smp_mb() to order the task_struct::{closid,rmid}
    stores before the loads in task_curr().  In particular, in the
    rdt_move_group_tasks() case, simply execute an smp_mb() on every
    iteration with a matching task.
    
    It is possible to use a single smp_mb() in rdt_move_group_tasks(), but
    this would require two passes and a means of remembering which
    task_structs were updated in the first loop. However, benchmarking
    results below showed too little performance impact in the simple
    approach to justify implementing the two-pass approach.
    
    Times below were collected using `perf stat` to measure the time to
    remove a group containing a 1600-task, parallel workload.
    
    CPU: Intel(R) Xeon(R) Platinum P-8136 CPU @ 2.00GHz (112 threads)
    
      # mkdir /sys/fs/resctrl/test
      # echo $$ > /sys/fs/resctrl/test/tasks
      # perf bench sched messaging -g 40 -l 100000
    
    task-clock time ranges collected using:
    
      # perf stat rmdir /sys/fs/resctrl/test
    
    Baseline:                     1.54 - 1.60 ms
    smp_mb() every matching task: 1.57 - 1.67 ms
    
      [ bp: Massage commit message. ]
    
    Fixes: ae28d1aae48a ("x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR")
    Fixes: 0efc89be9471 ("x86/intel_rdt: Update task closid immediately on CPU in rmdir and unmount")
    Signed-off-by: Peter Newman <[email protected]>
    Signed-off-by: Borislav Petkov (AMD) <[email protected]>
    Reviewed-by: Reinette Chatre <[email protected]>
    Reviewed-by: Babu Moger <[email protected]>
    Cc: <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>