--- /dev/null
+From b1c6ecfdd06907554518ec384ce8e99889d15193 Mon Sep 17 00:00:00 2001
+From: Sergey Matyukevich <sergey.matyukevich@synopsys.com>
+Date: Thu, 14 Apr 2022 11:17:22 +0300
+Subject: ARC: entry: fix syscall_trace_exit argument
+
+From: Sergey Matyukevich <sergey.matyukevich@synopsys.com>
+
+commit b1c6ecfdd06907554518ec384ce8e99889d15193 upstream.
+
+Function syscall_trace_exit expects pointer to pt_regs. However
+r0 is also used to keep syscall return value. Restore pointer
+to pt_regs before calling syscall_trace_exit.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Sergey Matyukevich <sergey.matyukevich@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arc/kernel/entry.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arc/kernel/entry.S
++++ b/arch/arc/kernel/entry.S
+@@ -196,6 +196,7 @@ tracesys_exit:
+ st r0, [sp, PT_r0] ; sys call return value in pt_regs
+
+ ;POST Sys Call Ptrace Hook
++ mov r0, sp ; pt_regs needed
+ bl @syscall_trace_exit
+ b ret_from_exception ; NOT ret_from_system_call at is saves r0 which
+ ; we'd done before calling post hook above
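Review bot: The comment on the added `mov r0, sp` in tracesys_exit does not say why r0 has to be reloaded, which is the whole point of the fix. Per the commit message, r0 still holds the syscall return value at this point, so without the reload syscall_trace_exit() would treat that value as its pt_regs pointer. I would spell that out, e.g. `mov r0, sp ; r0 = pt_regs (it held the syscall return value, already saved to PT_r0)`. The context comment on the `b ret_from_exception` line also reads "at is saves", presumably meaning "as it saves".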
--- /dev/null
+From c8618d65007ba68d7891130642d73e89372101e8 Mon Sep 17 00:00:00 2001
+From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+Date: Sun, 27 Mar 2022 16:10:02 +0800
+Subject: ASoC: rt5682: fix an incorrect NULL check on list iterator
+
+From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+
+commit c8618d65007ba68d7891130642d73e89372101e8 upstream.
+
+The bug is here:
+ if (!dai) {
+
+The list iterator value 'dai' will *always* be set and non-NULL
+by for_each_component_dais(), so it is incorrect to assume that
+the iterator value will be NULL if the list is empty or no element
+is found (In fact, it will be a bogus pointer to an invalid struct
+object containing the HEAD). Otherwise it will bypass the check
+'if (!dai) {' (never call dev_err() and never return -ENODEV;)
+and lead to invalid memory access lately when calling
+'rt5682_set_bclk1_ratio(dai, factor);'.
+
+To fix the bug, just return rt5682_set_bclk1_ratio(dai, factor);
+when found the 'dai', otherwise dev_err() and return -ENODEV;
+
+Cc: stable@vger.kernel.org
+Fixes: ebbfabc16d23d ("ASoC: rt5682: Add CCF usage for providing I2S clks")
+Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+Link: https://lore.kernel.org/r/20220327081002.12684-1-xiam0nd.tong@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/rt5682.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/sound/soc/codecs/rt5682.c
++++ b/sound/soc/codecs/rt5682.c
+@@ -2822,14 +2822,11 @@ static int rt5682_bclk_set_rate(struct c
+
+ for_each_component_dais(component, dai)
+ if (dai->id == RT5682_AIF1)
+- break;
+- if (!dai) {
+- dev_err(rt5682->i2c_dev, "dai %d not found in component\n",
+- RT5682_AIF1);
+- return -ENODEV;
+- }
++ return rt5682_set_bclk1_ratio(dai, factor);
+
+- return rt5682_set_bclk1_ratio(dai, factor);
++ dev_err(rt5682->i2c_dev, "dai %d not found in component\n",
++ RT5682_AIF1);
++ return -ENODEV;
+ }
+
+ static const struct clk_ops rt5682_dai_clk_ops[RT5682_DAI_NUM_CLKS] = {
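Review bot: The new early return in rt5682_bclk_set_rate() leaves `for_each_component_dais()` with an unbraced, nested `if` body, so the not-found path below it reads at first glance like part of the loop. Kernel coding style asks for braces when a loop body is more than a single simple statement; writing `for_each_component_dais(component, dai) {` with the `if`/`return` inside makes it plain that dev_err() and -ENODEV run only after the iteration ends without a match. A one-line comment such as `/* dai is not a valid entry once the loop has finished; do not use it below */` would also guard against the original bug coming back. The same applies to the identical hunk in sound/soc/codecs/rt5682s.c. The function starts outside the hunk.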
--- /dev/null
+From f730a46b931d894816af34a0ff8e4ad51565b39f Mon Sep 17 00:00:00 2001
+From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+Date: Tue, 29 Mar 2022 09:21:34 +0800
+Subject: ASoC: soc-dapm: fix two incorrect uses of list iterator
+
+From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+
+commit f730a46b931d894816af34a0ff8e4ad51565b39f upstream.
+
+These two bug are here:
+ list_for_each_entry_safe_continue(w, n, list,
+ power_list);
+ list_for_each_entry_safe_continue(w, n, list,
+ power_list);
+
+After the list_for_each_entry_safe_continue() exits, the list iterator
+will always be a bogus pointer which point to an invalid struct objdect
+containing HEAD member. The funciton poniter 'w->event' will be a
+invalid value which can lead to a control-flow hijack if the 'w' can be
+controlled.
+
+The original intention was to continue the outer list_for_each_entry_safe()
+loop with the same entry if w->event is NULL, but misunderstanding the
+meaning of list_for_each_entry_safe_continue().
+
+So just add a 'continue;' to fix the bug.
+
+Cc: stable@vger.kernel.org
+Fixes: 163cac061c973 ("ASoC: Factor out DAPM sequence execution")
+Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+Link: https://lore.kernel.org/r/20220329012134.9375-1-xiam0nd.tong@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/soc-dapm.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -1687,8 +1687,7 @@ static void dapm_seq_run(struct snd_soc_
+ switch (w->id) {
+ case snd_soc_dapm_pre:
+ if (!w->event)
+- list_for_each_entry_safe_continue(w, n, list,
+- power_list);
++ continue;
+
+ if (event == SND_SOC_DAPM_STREAM_START)
+ ret = w->event(w,
+@@ -1700,8 +1699,7 @@ static void dapm_seq_run(struct snd_soc_
+
+ case snd_soc_dapm_post:
+ if (!w->event)
+- list_for_each_entry_safe_continue(w, n, list,
+- power_list);
++ continue;
+
+ if (event == SND_SOC_DAPM_STREAM_START)
+ ret = w->event(w,
--- /dev/null
+From 41f10081a92a0ed280008218a8ec18ad8ba0fceb Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@cjr.nz>
+Date: Wed, 20 Apr 2022 21:05:45 -0300
+Subject: cifs: fix NULL ptr dereference in refresh_mounts()
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+commit 41f10081a92a0ed280008218a8ec18ad8ba0fceb upstream.
+
+Either mount(2) or automount might not have server->origin_fullpath
+set yet while refresh_cache_worker() is attempting to refresh DFS
+referrals. Add missing NULL check and locking around it.
+
+This fixes bellow crash:
+
+[ 1070.276835] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
+[ 1070.277676] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+[ 1070.278219] CPU: 1 PID: 8506 Comm: kworker/u8:1 Not tainted 5.18.0-rc3 #10
+[ 1070.278701] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
+[ 1070.279495] Workqueue: cifs-dfscache refresh_cache_worker [cifs]
+[ 1070.280044] RIP: 0010:strcasecmp+0x34/0x150
+[ 1070.280359] Code: 00 00 00 fc ff df 41 54 55 48 89 fd 53 48 83 ec 10 eb 03 4c 89 fe 48 89 ef 48 83 c5 01 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 08 84 c0 0f 85 bc 00 00 00 0f b6 45 ff 44
+[ 1070.281729] RSP: 0018:ffffc90008367958 EFLAGS: 00010246
+[ 1070.282114] RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
+[ 1070.282691] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+[ 1070.283273] RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffff873eda27
+[ 1070.283857] R10: ffffc900083679a0 R11: 0000000000000001 R12: ffff88812624c000
+[ 1070.284436] R13: dffffc0000000000 R14: ffff88810e6e9a88 R15: ffff888119bb9000
+[ 1070.284990] FS: 0000000000000000(0000) GS:ffff888151200000(0000) knlGS:0000000000000000
+[ 1070.285625] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1070.286100] CR2: 0000561a4d922418 CR3: 000000010aecc000 CR4: 0000000000350ee0
+[ 1070.286683] Call Trace:
+[ 1070.286890] <TASK>
+[ 1070.287070] refresh_cache_worker+0x895/0xd20 [cifs]
+[ 1070.287475] ? __refresh_tcon.isra.0+0xfb0/0xfb0 [cifs]
+[ 1070.287905] ? __lock_acquire+0xcd1/0x6960
+[ 1070.288247] ? is_dynamic_key+0x1a0/0x1a0
+[ 1070.288591] ? lockdep_hardirqs_on_prepare+0x410/0x410
+[ 1070.289012] ? lock_downgrade+0x6f0/0x6f0
+[ 1070.289318] process_one_work+0x7bd/0x12d0
+[ 1070.289637] ? worker_thread+0x160/0xec0
+[ 1070.289970] ? pwq_dec_nr_in_flight+0x230/0x230
+[ 1070.290318] ? _raw_spin_lock_irq+0x5e/0x90
+[ 1070.290619] worker_thread+0x5ac/0xec0
+[ 1070.290891] ? process_one_work+0x12d0/0x12d0
+[ 1070.291199] kthread+0x2a5/0x350
+[ 1070.291430] ? kthread_complete_and_exit+0x20/0x20
+[ 1070.291770] ret_from_fork+0x22/0x30
+[ 1070.292050] </TASK>
+[ 1070.292223] Modules linked in: bpfilter cifs cifs_arc4 cifs_md4
+[ 1070.292765] ---[ end trace 0000000000000000 ]---
+[ 1070.293108] RIP: 0010:strcasecmp+0x34/0x150
+[ 1070.293471] Code: 00 00 00 fc ff df 41 54 55 48 89 fd 53 48 83 ec 10 eb 03 4c 89 fe 48 89 ef 48 83 c5 01 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 08 84 c0 0f 85 bc 00 00 00 0f b6 45 ff 44
+[ 1070.297718] RSP: 0018:ffffc90008367958 EFLAGS: 00010246
+[ 1070.298622] RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
+[ 1070.299428] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+[ 1070.300296] RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffff873eda27
+[ 1070.301204] R10: ffffc900083679a0 R11: 0000000000000001 R12: ffff88812624c000
+[ 1070.301932] R13: dffffc0000000000 R14: ffff88810e6e9a88 R15: ffff888119bb9000
+[ 1070.302645] FS: 0000000000000000(0000) GS:ffff888151200000(0000) knlGS:0000000000000000
+[ 1070.303462] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1070.304131] CR2: 0000561a4d922418 CR3: 000000010aecc000 CR4: 0000000000350ee0
+[ 1070.305004] Kernel panic - not syncing: Fatal exception
+[ 1070.305711] Kernel Offset: disabled
+[ 1070.305971] ---[ end Kernel panic - not syncing: Fatal exception ]---
+
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Cc: stable@vger.kernel.org
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/connect.c | 2 ++
+ fs/cifs/dfs_cache.c | 19 ++++++++++++-------
+ 2 files changed, 14 insertions(+), 7 deletions(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -3675,9 +3675,11 @@ static void setup_server_referral_paths(
+ {
+ struct TCP_Server_Info *server = mnt_ctx->server;
+
++ mutex_lock(&server->refpath_lock);
+ server->origin_fullpath = mnt_ctx->origin_fullpath;
+ server->leaf_fullpath = mnt_ctx->leaf_fullpath;
+ server->current_fullpath = mnt_ctx->leaf_fullpath;
++ mutex_unlock(&server->refpath_lock);
+ mnt_ctx->origin_fullpath = mnt_ctx->leaf_fullpath = NULL;
+ }
+
+--- a/fs/cifs/dfs_cache.c
++++ b/fs/cifs/dfs_cache.c
+@@ -1422,12 +1422,14 @@ static int refresh_tcon(struct cifs_ses
+ struct TCP_Server_Info *server = tcon->ses->server;
+
+ mutex_lock(&server->refpath_lock);
+- if (strcasecmp(server->leaf_fullpath, server->origin_fullpath))
+- __refresh_tcon(server->leaf_fullpath + 1, sessions, tcon, force_refresh);
++ if (server->origin_fullpath) {
++ if (server->leaf_fullpath && strcasecmp(server->leaf_fullpath,
++ server->origin_fullpath))
++ __refresh_tcon(server->leaf_fullpath + 1, sessions, tcon, force_refresh);
++ __refresh_tcon(server->origin_fullpath + 1, sessions, tcon, force_refresh);
++ }
+ mutex_unlock(&server->refpath_lock);
+
+- __refresh_tcon(server->origin_fullpath + 1, sessions, tcon, force_refresh);
+-
+ return 0;
+ }
+
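Review bot: Both `__refresh_tcon()` calls in refresh_tcon() now run with `server->refpath_lock` held, whereas the origin_fullpath call used to run after `mutex_unlock()`. __refresh_tcon() is not visible in this hunk; if it can block, for example on a referral request to the server, every other taker of refpath_lock waits behind it for that long, so it is worth confirming this is intended. If the reason is that the path strings must not change while they are in use, a comment at the lock site would record it, e.g. `/* hold refpath_lock across __refresh_tcon(): the paths must stay valid while it uses them */`. The same block is repeated verbatim in the refresh_mounts() hunk that follows, so the two could share one small static helper that takes the `force_refresh` value.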
+@@ -1530,11 +1532,14 @@ static void refresh_mounts(struct cifs_s
+ list_del_init(&tcon->ulist);
+
+ mutex_lock(&server->refpath_lock);
+- if (strcasecmp(server->leaf_fullpath, server->origin_fullpath))
+- __refresh_tcon(server->leaf_fullpath + 1, sessions, tcon, false);
++ if (server->origin_fullpath) {
++ if (server->leaf_fullpath && strcasecmp(server->leaf_fullpath,
++ server->origin_fullpath))
++ __refresh_tcon(server->leaf_fullpath + 1, sessions, tcon, false);
++ __refresh_tcon(server->origin_fullpath + 1, sessions, tcon, false);
++ }
+ mutex_unlock(&server->refpath_lock);
+
+- __refresh_tcon(server->origin_fullpath + 1, sessions, tcon, false);
+ cifs_put_tcon(tcon);
+ }
+ }
--- /dev/null
+From cd70a3e8988a999c42d307d2616a5e7b6a33c7c8 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@cjr.nz>
+Date: Wed, 20 Apr 2022 21:05:46 -0300
+Subject: cifs: use correct lock type in cifs_reconnect()
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+commit cd70a3e8988a999c42d307d2616a5e7b6a33c7c8 upstream.
+
+TCP_Server_Info::origin_fullpath and TCP_Server_Info::leaf_fullpath
+are protected by refpath_lock mutex and not cifs_tcp_ses_lock
+spinlock.
+
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Cc: stable@vger.kernel.org
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/connect.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -534,12 +534,19 @@ int cifs_reconnect(struct TCP_Server_Inf
+ {
+ /* If tcp session is not an dfs connection, then reconnect to last target server */
+ spin_lock(&cifs_tcp_ses_lock);
+- if (!server->is_dfs_conn || !server->origin_fullpath || !server->leaf_fullpath) {
++ if (!server->is_dfs_conn) {
+ spin_unlock(&cifs_tcp_ses_lock);
+ return __cifs_reconnect(server, mark_smb_session);
+ }
+ spin_unlock(&cifs_tcp_ses_lock);
+
++ mutex_lock(&server->refpath_lock);
++ if (!server->origin_fullpath || !server->leaf_fullpath) {
++ mutex_unlock(&server->refpath_lock);
++ return __cifs_reconnect(server, mark_smb_session);
++ }
++ mutex_unlock(&server->refpath_lock);
++
+ return reconnect_dfs_server(server);
+ }
+ #else
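Review bot: The NULL check on `server->origin_fullpath` and `server->leaf_fullpath` is made under `refpath_lock`, but the lock is dropped before `reconnect_dfs_server(server)` runs, so the check is only a snapshot. reconnect_dfs_server() is outside this hunk; unless it takes refpath_lock and re-checks the pointers itself, a concurrent update could still leave it working with an unset or stale path. I would confirm that and say so in a comment, e.g. `/* paths may change after unlock; reconnect_dfs_server() must re-validate them under refpath_lock */`. The comment at the top of the body still mentions only the "not an dfs connection" case, although the function now also falls back to __cifs_reconnect() when either path is unset.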
--- /dev/null
+From acc72863e0f11cd0bedc888b663700229f9ba5ff Mon Sep 17 00:00:00 2001
+From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+Date: Sun, 27 Mar 2022 16:13:00 +0800
+Subject: codecs: rt5682s: fix an incorrect NULL check on list iterator
+
+From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+
+commit acc72863e0f11cd0bedc888b663700229f9ba5ff upstream.
+
+The bug is here:
+ if (!dai) {
+
+The list iterator value 'dai' will *always* be set and non-NULL
+by for_each_component_dais(), so it is incorrect to assume that
+the iterator value will be NULL if the list is empty or no element
+is found (In fact, it will be a bogus pointer to an invalid struct
+object containing the HEAD). Otherwise it will bypass the check
+'if (!dai) {' (never call dev_err() and never return -ENODEV;)
+and lead to invalid memory access lately when calling
+'rt5682s_set_bclk1_ratio(dai, factor);'.
+
+To fix the bug, just return rt5682s_set_bclk1_ratio(dai, factor);
+when found the 'dai', otherwise dev_err() and return -ENODEV;
+
+Cc: stable@vger.kernel.org
+Fixes: bdd229ab26be9 ("ASoC: rt5682s: Add driver for ALC5682I-VS codec")
+Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+Link: https://lore.kernel.org/r/20220327081300.12962-1-xiam0nd.tong@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/rt5682s.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/sound/soc/codecs/rt5682s.c
++++ b/sound/soc/codecs/rt5682s.c
+@@ -2679,14 +2679,11 @@ static int rt5682s_bclk_set_rate(struct
+
+ for_each_component_dais(component, dai)
+ if (dai->id == RT5682S_AIF1)
+- break;
+- if (!dai) {
+- dev_err(component->dev, "dai %d not found in component\n",
+- RT5682S_AIF1);
+- return -ENODEV;
+- }
++ return rt5682s_set_bclk1_ratio(dai, factor);
+
+- return rt5682s_set_bclk1_ratio(dai, factor);
++ dev_err(component->dev, "dai %d not found in component\n",
++ RT5682S_AIF1);
++ return -ENODEV;
+ }
+
+ static const struct clk_ops rt5682s_dai_clk_ops[RT5682S_DAI_NUM_CLKS] = {
--- /dev/null
+From 298799a28264ce400d9ff95c51b7adcb123d866e Mon Sep 17 00:00:00 2001
+From: Zack Rusin <zackr@vmware.com>
+Date: Wed, 20 Apr 2022 00:03:28 -0400
+Subject: drm/vmwgfx: Fix gem refcounting and memory evictions
+
+From: Zack Rusin <zackr@vmware.com>
+
+commit 298799a28264ce400d9ff95c51b7adcb123d866e upstream.
+
+v2: Add the last part of the ref count fix which was spotted by
+Philipp Sieweck where the ref count of cpu writers is off due to
+ERESTARTSYS or EBUSY during bo waits.
+
+The initial GEM port broke refcounting on shareable (prime) surfaces and
+memory evictions. The prime surfaces broke because the parent surfaces
+weren't increasing the ref count on GEM surfaces, which meant that
+the memory backing textures could have been deleted while the texture
+was still accessible. The evictions broke due to a typo, the code was
+supposed to exit if the passed buffers were not vmw_buffer_object
+not if they were. They're tied because the evictions depend on having
+memory to actually evict.
+
+This fixes crashes with XA state tracker which is used for xrender
+acceleration on xf86-video-vmware, apps/tests which use a lot of
+memory (a good test being the piglit's streaming-texture-leak) and
+desktops.
+
+Signed-off-by: Zack Rusin <zackr@vmware.com>
+Fixes: 8afa13a0583f ("drm/vmwgfx: Implement DRIVER_GEM")
+Reported-by: Philipp Sieweck <psi@informatik.uni-kiel.de>
+Cc: <stable@vger.kernel.org> # v5.17+
+Reviewed-by: Maaz Mombasawala <mombasawalam@vmware.com>
+Reviewed-by: Martin Krastev <krastevm@vmware.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220420040328.1007409-1-zack@kde.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 43 ++++++++++++++------------------
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 8 +----
+ drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 7 ++++-
+ 3 files changed, 28 insertions(+), 30 deletions(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
+@@ -46,6 +46,21 @@ vmw_buffer_object(struct ttm_buffer_obje
+ return container_of(bo, struct vmw_buffer_object, base);
+ }
+
++/**
++ * bo_is_vmw - check if the buffer object is a &vmw_buffer_object
++ * @bo: ttm buffer object to be checked
++ *
++ * Uses destroy function associated with the object to determine if this is
++ * a &vmw_buffer_object.
++ *
++ * Returns:
++ * true if the object is of &vmw_buffer_object type, false if not.
++ */
++static bool bo_is_vmw(struct ttm_buffer_object *bo)
++{
++ return bo->destroy == &vmw_bo_bo_free ||
++ bo->destroy == &vmw_gem_destroy;
++}
+
+ /**
+ * vmw_bo_pin_in_placement - Validate a buffer to placement.
+@@ -615,8 +630,9 @@ int vmw_user_bo_synccpu_ioctl(struct drm
+
+ ret = vmw_user_bo_synccpu_grab(vbo, arg->flags);
+ vmw_bo_unreference(&vbo);
+- if (unlikely(ret != 0 && ret != -ERESTARTSYS &&
+- ret != -EBUSY)) {
++ if (unlikely(ret != 0)) {
++ if (ret == -ERESTARTSYS || ret == -EBUSY)
++ return -EBUSY;
+ DRM_ERROR("Failed synccpu grab on handle 0x%08x.\n",
+ (unsigned int) arg->handle);
+ return ret;
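Review bot: The new branch in vmw_user_bo_synccpu_ioctl() turns `-ERESTARTSYS` into `-EBUSY` before returning, and nothing in the code says why. -ERESTARTSYS normally lets the signal code restart the call, while -EBUSY goes straight to userspace, so a caller interrupted by a signal now sees a busy error and has to retry on its own. If that is deliberate, a comment such as `/* an interrupted wait is reported as -EBUSY; userspace is expected to retry */` would document it; otherwise `return ret;` keeps the restart semantics. The function continues outside the hunk.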
+@@ -798,7 +814,7 @@ int vmw_dumb_create(struct drm_file *fil
+ void vmw_bo_swap_notify(struct ttm_buffer_object *bo)
+ {
+ /* Is @bo embedded in a struct vmw_buffer_object? */
+- if (vmw_bo_is_vmw_bo(bo))
++ if (!bo_is_vmw(bo))
+ return;
+
+ /* Kill any cached kernel maps before swapout */
+@@ -822,7 +838,7 @@ void vmw_bo_move_notify(struct ttm_buffe
+ struct vmw_buffer_object *vbo;
+
+ /* Make sure @bo is embedded in a struct vmw_buffer_object? */
+- if (vmw_bo_is_vmw_bo(bo))
++ if (!bo_is_vmw(bo))
+ return;
+
+ vbo = container_of(bo, struct vmw_buffer_object, base);
+@@ -843,22 +859,3 @@ void vmw_bo_move_notify(struct ttm_buffe
+ if (mem->mem_type != VMW_PL_MOB && bo->resource->mem_type == VMW_PL_MOB)
+ vmw_resource_unbind_list(vbo);
+ }
+-
+-/**
+- * vmw_bo_is_vmw_bo - check if the buffer object is a &vmw_buffer_object
+- * @bo: buffer object to be checked
+- *
+- * Uses destroy function associated with the object to determine if this is
+- * a &vmw_buffer_object.
+- *
+- * Returns:
+- * true if the object is of &vmw_buffer_object type, false if not.
+- */
+-bool vmw_bo_is_vmw_bo(struct ttm_buffer_object *bo)
+-{
+- if (bo->destroy == &vmw_bo_bo_free ||
+- bo->destroy == &vmw_gem_destroy)
+- return true;
+-
+- return false;
+-}
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+@@ -997,13 +997,10 @@ static int vmw_driver_load(struct vmw_pr
+ goto out_no_fman;
+ }
+
+- drm_vma_offset_manager_init(&dev_priv->vma_manager,
+- DRM_FILE_PAGE_OFFSET_START,
+- DRM_FILE_PAGE_OFFSET_SIZE);
+ ret = ttm_device_init(&dev_priv->bdev, &vmw_bo_driver,
+ dev_priv->drm.dev,
+ dev_priv->drm.anon_inode->i_mapping,
+- &dev_priv->vma_manager,
++ dev_priv->drm.vma_offset_manager,
+ dev_priv->map_mode == vmw_dma_alloc_coherent,
+ false);
+ if (unlikely(ret != 0)) {
+@@ -1173,7 +1170,6 @@ static void vmw_driver_unload(struct drm
+ vmw_devcaps_destroy(dev_priv);
+ vmw_vram_manager_fini(dev_priv);
+ ttm_device_fini(&dev_priv->bdev);
+- drm_vma_offset_manager_destroy(&dev_priv->vma_manager);
+ vmw_release_device_late(dev_priv);
+ vmw_fence_manager_takedown(dev_priv->fman);
+ if (dev_priv->capabilities & SVGA_CAP_IRQMASK)
+@@ -1397,7 +1393,7 @@ vmw_get_unmapped_area(struct file *file,
+ struct vmw_private *dev_priv = vmw_priv(file_priv->minor->dev);
+
+ return drm_get_unmapped_area(file, uaddr, len, pgoff, flags,
+- &dev_priv->vma_manager);
++ dev_priv->drm.vma_offset_manager);
+ }
+
+ static int vmwgfx_pm_notifier(struct notifier_block *nb, unsigned long val,
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+@@ -683,6 +683,9 @@ static void vmw_user_surface_base_releas
+ container_of(base, struct vmw_user_surface, prime.base);
+ struct vmw_resource *res = &user_srf->srf.res;
+
++ if (base->shareable && res && res->backup)
++ drm_gem_object_put(&res->backup->base.base);
++
+ *p_base = NULL;
+ vmw_resource_unreference(&res);
+ }
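Review bot: In vmw_user_surface_base_release() the `res &&` term of the new condition can never be false, because `res` is initialised two lines above as `&user_srf->srf.res`, the address of an embedded member. Dropping it leaves `if (base->shareable && res->backup)`, which states the real precondition for the put. This put appears to balance the `drm_gem_object_get()` calls added in the later hunks of this file, so a comment naming them would make the pairing checkable, e.g. `/* drops the GEM reference taken for shareable surfaces in the surface define paths */`. The vmw_surface_define_ioctl() hunk does not show the condition guarding its get, so it should be confirmed that it is also limited to shareable surfaces; otherwise the reference is never dropped.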
+@@ -857,6 +860,7 @@ int vmw_surface_define_ioctl(struct drm_
+ goto out_unlock;
+ }
+ vmw_bo_reference(res->backup);
++ drm_gem_object_get(&res->backup->base.base);
+ }
+
+ tmp = vmw_resource_reference(&srf->res);
+@@ -1513,7 +1517,6 @@ vmw_gb_surface_define_internal(struct dr
+ &res->backup);
+ if (ret == 0)
+ vmw_bo_reference(res->backup);
+-
+ }
+
+ if (unlikely(ret != 0)) {
+@@ -1561,6 +1564,8 @@ vmw_gb_surface_define_internal(struct dr
+ drm_vma_node_offset_addr(&res->backup->base.base.vma_node);
+ rep->buffer_size = res->backup->base.base.size;
+ rep->buffer_handle = backup_handle;
++ if (user_srf->prime.base.shareable)
++ drm_gem_object_get(&res->backup->base.base);
+ } else {
+ rep->buffer_map_handle = 0;
+ rep->buffer_size = 0;
--- /dev/null
+From 04ebaa1cfddae5f240cc7404f009133bb0389a47 Mon Sep 17 00:00:00 2001
+From: Sasha Neftin <sasha.neftin@intel.com>
+Date: Tue, 5 Apr 2022 18:56:01 +0300
+Subject: e1000e: Fix possible overflow in LTR decoding
+
+From: Sasha Neftin <sasha.neftin@intel.com>
+
+commit 04ebaa1cfddae5f240cc7404f009133bb0389a47 upstream.
+
+When we decode the latency and the max_latency, u16 value may not fit
+the required size and could lead to the wrong LTR representation.
+
+Scaling is represented as:
+scale 0 - 1 (2^(5*0)) = 2^0
+scale 1 - 32 (2^(5 *1))= 2^5
+scale 2 - 1024 (2^(5 *2)) =2^10
+scale 3 - 32768 (2^(5 *3)) =2^15
+scale 4 - 1048576 (2^(5 *4)) = 2^20
+scale 5 - 33554432 (2^(5 *4)) = 2^25
+scale 4 and scale 5 required 20 and 25 bits respectively.
+scale 6 reserved.
+
+Replace the u16 type with the u32 type and allow corrected LTR
+representation.
+
+Cc: stable@vger.kernel.org
+Fixes: 44a13a5d99c7 ("e1000e: Fix the max snoop/no-snoop latency for 10M")
+Reported-by: James Hutchinson <jahutchinson99@googlemail.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215689
+Suggested-by: Dima Ruinskiy <dima.ruinskiy@intel.com>
+Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Tested-by: James Hutchinson <jahutchinson99@googlemail.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/e1000e/ich8lan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+@@ -1009,8 +1009,8 @@ static s32 e1000_platform_pm_pch_lpt(str
+ {
+ u32 reg = link << (E1000_LTRV_REQ_SHIFT + E1000_LTRV_NOSNOOP_SHIFT) |
+ link << E1000_LTRV_REQ_SHIFT | E1000_LTRV_SEND;
+- u16 max_ltr_enc_d = 0; /* maximum LTR decoded by platform */
+- u16 lat_enc_d = 0; /* latency decoded */
++ u32 max_ltr_enc_d = 0; /* maximum LTR decoded by platform */
++ u32 lat_enc_d = 0; /* latency decoded */
+ u16 lat_enc = 0; /* latency encoded */
+
+ if (link) {
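Review bot: Widening `max_ltr_enc_d` and `lat_enc_d` to `u32` may still not cover the largest encodings. The commit message gives scale 5 as a factor of 2^25; if the decoded value is that factor multiplied by a 10-bit latency field, the product needs up to 35 bits and wraps in a u32. The decode expression is outside this hunk, so this is inferred. Declaring both as `u64`, or rejecting out-of-range scale and value combinations before the comparison, would remove the doubt. `lat_enc` stays `u16`, which is fine as long as it only carries the encoded register field.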
--- /dev/null
+From 705191b03d507744c7e097f78d583621c14988ac Mon Sep 17 00:00:00 2001
+From: Christian Brauner <brauner@kernel.org>
+Date: Tue, 19 Apr 2022 15:14:23 +0200
+Subject: fs: fix acl translation
+
+From: Christian Brauner <brauner@kernel.org>
+
+commit 705191b03d507744c7e097f78d583621c14988ac upstream.
+
+Last cycle we extended the idmapped mounts infrastructure to support
+idmapped mounts of idmapped filesystems (No such filesystem yet exist.).
+Since then, the meaning of an idmapped mount is a mount whose idmapping
+is different from the filesystems idmapping.
+
+While doing that work we missed to adapt the acl translation helpers.
+They still assume that checking for the identity mapping is enough. But
+they need to use the no_idmapping() helper instead.
+
+Note, POSIX ACLs are always translated right at the userspace-kernel
+boundary using the caller's current idmapping and the initial idmapping.
+The order depends on whether we're coming from or going to userspace.
+The filesystem's idmapping doesn't matter at the border.
+
+Consequently, if a non-idmapped mount is passed we need to make sure to
+always pass the initial idmapping as the mount's idmapping and not the
+filesystem idmapping. Since it's irrelevant here it would yield invalid
+ids and prevent setting acls for filesystems that are mountable in a
+userns and support posix acls (tmpfs and fuse).
+
+I verified the regression reported in [1] and verified that this patch
+fixes it. A regression test will be added to xfstests in parallel.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215849 [1]
+Fixes: bd303368b776 ("fs: support mapped mounts of mapped filesystems")
+Cc: Seth Forshee <sforshee@digitalocean.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: <stable@vger.kernel.org> # 5.17
+Cc: <regressions@lists.linux.dev>
+Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/posix_acl.c | 10 ++++++++++
+ fs/xattr.c | 6 ++++--
+ include/linux/posix_acl_xattr.h | 4 ++++
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+--- a/fs/posix_acl.c
++++ b/fs/posix_acl.c
+@@ -759,9 +759,14 @@ static void posix_acl_fix_xattr_userns(
+ }
+
+ void posix_acl_fix_xattr_from_user(struct user_namespace *mnt_userns,
++ struct inode *inode,
+ void *value, size_t size)
+ {
+ struct user_namespace *user_ns = current_user_ns();
++
++ /* Leave ids untouched on non-idmapped mounts. */
++ if (no_idmapping(mnt_userns, i_user_ns(inode)))
++ mnt_userns = &init_user_ns;
+ if ((user_ns == &init_user_ns) && (mnt_userns == &init_user_ns))
+ return;
+ posix_acl_fix_xattr_userns(&init_user_ns, user_ns, mnt_userns, value,
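Review bot: The new `inode` parameter of posix_acl_fix_xattr_from_user() is only read through `i_user_ns(inode)`, so it can be declared `const struct inode *inode` (assuming i_user_ns() accepts a const pointer), which tells callers the helper does not modify it. No kernel-doc is in view for these non-static functions. A short header would help, stating that @mnt_userns is replaced by `&init_user_ns` when `no_idmapping(mnt_userns, i_user_ns(inode))` holds and that @inode must be the inode the xattr belongs to, since the commit message notes that a wrong idmapping here yields invalid ACL ids. The same applies to posix_acl_fix_xattr_to_user() in the next hunk and to the prototypes and stubs in include/linux/posix_acl_xattr.h.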
+@@ -769,9 +774,14 @@ void posix_acl_fix_xattr_from_user(struc
+ }
+
+ void posix_acl_fix_xattr_to_user(struct user_namespace *mnt_userns,
++ struct inode *inode,
+ void *value, size_t size)
+ {
+ struct user_namespace *user_ns = current_user_ns();
++
++ /* Leave ids untouched on non-idmapped mounts. */
++ if (no_idmapping(mnt_userns, i_user_ns(inode)))
++ mnt_userns = &init_user_ns;
+ if ((user_ns == &init_user_ns) && (mnt_userns == &init_user_ns))
+ return;
+ posix_acl_fix_xattr_userns(user_ns, &init_user_ns, mnt_userns, value,
+--- a/fs/xattr.c
++++ b/fs/xattr.c
+@@ -569,7 +569,8 @@ setxattr(struct user_namespace *mnt_user
+ }
+ if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
+ (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
+- posix_acl_fix_xattr_from_user(mnt_userns, kvalue, size);
++ posix_acl_fix_xattr_from_user(mnt_userns, d_inode(d),
++ kvalue, size);
+ }
+
+ error = vfs_setxattr(mnt_userns, d, kname, kvalue, size, flags);
+@@ -667,7 +668,8 @@ getxattr(struct user_namespace *mnt_user
+ if (error > 0) {
+ if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
+ (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
+- posix_acl_fix_xattr_to_user(mnt_userns, kvalue, error);
++ posix_acl_fix_xattr_to_user(mnt_userns, d_inode(d),
++ kvalue, error);
+ if (size && copy_to_user(value, kvalue, error))
+ error = -EFAULT;
+ } else if (error == -ERANGE && size >= XATTR_SIZE_MAX) {
+--- a/include/linux/posix_acl_xattr.h
++++ b/include/linux/posix_acl_xattr.h
+@@ -34,15 +34,19 @@ posix_acl_xattr_count(size_t size)
+
+ #ifdef CONFIG_FS_POSIX_ACL
+ void posix_acl_fix_xattr_from_user(struct user_namespace *mnt_userns,
++ struct inode *inode,
+ void *value, size_t size);
+ void posix_acl_fix_xattr_to_user(struct user_namespace *mnt_userns,
++ struct inode *inode,
+ void *value, size_t size);
+ #else
+ static inline void posix_acl_fix_xattr_from_user(struct user_namespace *mnt_userns,
++ struct inode *inode,
+ void *value, size_t size)
+ {
+ }
+ static inline void posix_acl_fix_xattr_to_user(struct user_namespace *mnt_userns,
++ struct inode *inode,
+ void *value, size_t size)
+ {
+ }
--- /dev/null
+From 06fb4ecfeac7e00d6704fa5ed19299f2fefb3cc9 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Fri, 22 Apr 2022 08:14:52 -0500
+Subject: gpio: Request interrupts after IRQ is initialized
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 06fb4ecfeac7e00d6704fa5ed19299f2fefb3cc9 upstream.
+
+Commit 5467801f1fcb ("gpio: Restrict usage of GPIO chip irq members
+before initialization") attempted to fix a race condition that lead to a
+NULL pointer, but in the process caused a regression for _AEI/_EVT
+declared GPIOs.
+
+This manifests in messages showing deferred probing while trying to
+allocate IRQs like so:
+
+ amd_gpio AMDI0030:00: Failed to translate GPIO pin 0x0000 to IRQ, err -517
+ amd_gpio AMDI0030:00: Failed to translate GPIO pin 0x002C to IRQ, err -517
+ amd_gpio AMDI0030:00: Failed to translate GPIO pin 0x003D to IRQ, err -517
+ [ .. more of the same .. ]
+
+The code for walking _AEI doesn't handle deferred probing and so this
+leads to non-functional GPIO interrupts.
+
+Fix this issue by moving the call to `acpi_gpiochip_request_interrupts`
+to occur after gc->irc.initialized is set.
+
+Fixes: 5467801f1fcb ("gpio: Restrict usage of GPIO chip irq members before initialization")
+Link: https://lore.kernel.org/linux-gpio/BL1PR12MB51577A77F000A008AA694675E2EF9@BL1PR12MB5157.namprd12.prod.outlook.com/
+Link: https://bugzilla.suse.com/show_bug.cgi?id=1198697
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215850
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1979
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1976
+Reported-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Shreeya Patel <shreeya.patel@collabora.com>
+Tested-By: Samuel Čavoj <samuel@cavoj.net>
+Tested-By: lukeluk498@gmail.com Link:
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Acked-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-and-tested-by: Takashi Iwai <tiwai@suse.de>
+Cc: Shreeya Patel <shreeya.patel@collabora.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1601,8 +1601,6 @@ static int gpiochip_add_irqchip(struct g
+
+ gpiochip_set_irq_hooks(gc);
+
+- acpi_gpiochip_request_interrupts(gc);
+-
+ /*
+ * Using barrier() here to prevent compiler from reordering
+ * gc->irq.initialized before initialization of above
+@@ -1612,6 +1610,8 @@ static int gpiochip_add_irqchip(struct g
+
+ gc->irq.initialized = true;
+
++ acpi_gpiochip_request_interrupts(gc);
++
+ return 0;
+ }
+
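Review bot: The relocated `acpi_gpiochip_request_interrupts(gc);` call has no comment recording that it must stay after `gc->irq.initialized = true;`, and the existing barrier comment only covers the ordering of the earlier initialisation against the flag. Per the commit message, requesting the ACPI interrupts while the flag is still clear fails with err -517 (deferred probe), which the _AEI walk does not retry, so a later reorder would silently bring back non-functional GPIO interrupts. I would add above the call `/* Must follow irq.initialized = true: the ACPI _AEI walk translates GPIOs to IRQs and is deferred, without retry, while the flag is clear. */`. gpiochip_add_irqchip starts outside this hunk.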
--- /dev/null
+From cefa91b2332d7009bc0be5d951d6cbbf349f90f8 Mon Sep 17 00:00:00 2001
+From: Paolo Valerio <pvalerio@redhat.com>
+Date: Fri, 15 Apr 2022 10:08:41 +0200
+Subject: openvswitch: fix OOB access in reserve_sfa_size()
+
+From: Paolo Valerio <pvalerio@redhat.com>
+
+commit cefa91b2332d7009bc0be5d951d6cbbf349f90f8 upstream.
+
+Given a sufficiently large number of actions, while copying and
+reserving memory for a new action of a new flow, if next_offset is
+greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does
+not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE
+bytes increasing actions_len by req_size. This can then lead to an OOB
+write access, especially when further actions need to be copied.
+
+Fix it by rearranging the flow action size check.
+
+KASAN splat below:
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in reserve_sfa_size+0x1ba/0x380 [openvswitch]
+Write of size 65360 at addr ffff888147e4001c by task handler15/836
+
+CPU: 1 PID: 836 Comm: handler15 Not tainted 5.18.0-rc1+ #27
+...
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x45/0x5a
+ print_report.cold+0x5e/0x5db
+ ? __lock_text_start+0x8/0x8
+ ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
+ kasan_report+0xb5/0x130
+ ? reserve_sfa_size+0x1ba/0x380 [openvswitch]
+ kasan_check_range+0xf5/0x1d0
+ memcpy+0x39/0x60
+ reserve_sfa_size+0x1ba/0x380 [openvswitch]
+ __add_action+0x24/0x120 [openvswitch]
+ ovs_nla_add_action+0xe/0x20 [openvswitch]
+ ovs_ct_copy_action+0x29d/0x1130 [openvswitch]
+ ? __kernel_text_address+0xe/0x30
+ ? unwind_get_return_address+0x56/0xa0
+ ? create_prof_cpu_mask+0x20/0x20
+ ? ovs_ct_verify+0xf0/0xf0 [openvswitch]
+ ? prep_compound_page+0x198/0x2a0
+ ? __kasan_check_byte+0x10/0x40
+ ? kasan_unpoison+0x40/0x70
+ ? ksize+0x44/0x60
+ ? reserve_sfa_size+0x75/0x380 [openvswitch]
+ __ovs_nla_copy_actions+0xc26/0x2070 [openvswitch]
+ ? __zone_watermark_ok+0x420/0x420
+ ? validate_set.constprop.0+0xc90/0xc90 [openvswitch]
+ ? __alloc_pages+0x1a9/0x3e0
+ ? __alloc_pages_slowpath.constprop.0+0x1da0/0x1da0
+ ? unwind_next_frame+0x991/0x1e40
+ ? __mod_node_page_state+0x99/0x120
+ ? __mod_lruvec_page_state+0x2e3/0x470
+ ? __kasan_kmalloc_large+0x90/0xe0
+ ovs_nla_copy_actions+0x1b4/0x2c0 [openvswitch]
+ ovs_flow_cmd_new+0x3cd/0xb10 [openvswitch]
+ ...
+
+Cc: stable@vger.kernel.org
+Fixes: f28cd2af22a0 ("openvswitch: fix flow actions reallocation")
+Signed-off-by: Paolo Valerio <pvalerio@redhat.com>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/flow_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -2436,7 +2436,7 @@ static struct nlattr *reserve_sfa_size(s
+ new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
+
+ if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
+- if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
++ if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) {
+ OVS_NLERR(log, "Flow action size exceeds max %u",
+ MAX_ACTIONS_BUFSIZE);
+ return ERR_PTR(-EMSGSIZE);
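Review bot: The rewritten test `if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE)` carries no comment saying why the sum form is required, so a later cleanup could turn it back into the subtraction. Per the commit message the old `MAX_ACTIONS_BUFSIZE - next_offset` form did not reject the request once next_offset was already past the limit, presumably because the difference goes negative and is compared with an unsigned req_size; the declarations are outside the hunk, so that part is inferred. I would add above the test `/* Compare the sum: MAX_ACTIONS_BUFSIZE - next_offset goes negative once next_offset is past the limit and the size check is then skipped. */`. The same sum is already computed in the `max()` call two lines up, so a named local would keep the two expressions in step. reserve_sfa_size starts and ends outside the hunk.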
arm-xen-fix-some-refcount-leaks.patch
perf-script-always-allow-field-data_src-for-auxtrace.patch
perf-report-set-perf_sample_data_src-bit-for-arm-spe.patch
+fs-fix-acl-translation.patch
+cifs-fix-null-ptr-dereference-in-refresh_mounts.patch
+cifs-use-correct-lock-type-in-cifs_reconnect.patch
+xtensa-patch_text-fixup-last-cpu-should-be-master.patch
+xtensa-fix-a7-clobbering-in-coprocessor-context-load-store.patch
+openvswitch-fix-oob-access-in-reserve_sfa_size.patch
+gpio-request-interrupts-after-irq-is-initialized.patch
+asoc-rt5682-fix-an-incorrect-null-check-on-list-iterator.patch
+asoc-soc-dapm-fix-two-incorrect-uses-of-list-iterator.patch
+e1000e-fix-possible-overflow-in-ltr-decoding.patch
+codecs-rt5682s-fix-an-incorrect-null-check-on-list-iterator.patch
+arc-entry-fix-syscall_trace_exit-argument.patch
+drm-vmwgfx-fix-gem-refcounting-and-memory-evictions.patch
--- /dev/null
+From 839769c35477d4acc2369e45000ca7b0b6af39a7 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Wed, 13 Apr 2022 22:44:36 -0700
+Subject: xtensa: fix a7 clobbering in coprocessor context load/store
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit 839769c35477d4acc2369e45000ca7b0b6af39a7 upstream.
+
+Fast coprocessor exception handler saves a3..a6, but coprocessor context
+load/store code uses a4..a7 as temporaries, potentially clobbering a7.
+'Potentially' because coprocessor state load/store macros may not use
+all four temporary registers (and neither FPU nor HiFi macros do).
+Use a3..a6 as intended.
+
+Cc: stable@vger.kernel.org
+Fixes: c658eac628aa ("[XTENSA] Add support for configurable registers and coprocessors")
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/xtensa/kernel/coprocessor.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/xtensa/kernel/coprocessor.S
++++ b/arch/xtensa/kernel/coprocessor.S
+@@ -29,7 +29,7 @@
+ .if XTENSA_HAVE_COPROCESSOR(x); \
+ .align 4; \
+ .Lsave_cp_regs_cp##x: \
+- xchal_cp##x##_store a2 a4 a5 a6 a7; \
++ xchal_cp##x##_store a2 a3 a4 a5 a6; \
+ jx a0; \
+ .endif
+
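Review bot: Nothing next to `xchal_cp##x##_store a2 a3 a4 a5 a6;` states that the temporaries are limited to the registers the fast coprocessor exception handler saves, which is the constraint this change restores; the same applies to `xchal_cp##x##_load a2 a3 a4 a5 a6;` in the next hunk. The commit message says only a3..a6 are saved, so any future edit that picks a7 again would clobber live state without an obvious failure. I would put one comment above both macro definitions, `/* Temporaries must stay within a3..a6: the fast coprocessor exception handler saves only those. */`. Both macros begin outside their hunks, so the comment placement needs checking against the full definitions.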
+@@ -46,7 +46,7 @@
+ .if XTENSA_HAVE_COPROCESSOR(x); \
+ .align 4; \
+ .Lload_cp_regs_cp##x: \
+- xchal_cp##x##_load a2 a4 a5 a6 a7; \
++ xchal_cp##x##_load a2 a3 a4 a5 a6; \
+ jx a0; \
+ .endif
+
--- /dev/null
+From ee69d4be8fd064cd08270b4808d2dfece3614ee0 Mon Sep 17 00:00:00 2001
+From: Guo Ren <guoren@linux.alibaba.com>
+Date: Thu, 7 Apr 2022 15:33:22 +0800
+Subject: xtensa: patch_text: Fixup last cpu should be master
+
+From: Guo Ren <guoren@linux.alibaba.com>
+
+commit ee69d4be8fd064cd08270b4808d2dfece3614ee0 upstream.
+
+These patch_text implementations are using stop_machine_cpuslocked
+infrastructure with atomic cpu_count. The original idea: When the
+master CPU patch_text, the others should wait for it. But current
+implementation is using the first CPU as master, which couldn't
+guarantee the remaining CPUs are waiting. This patch changes the
+last CPU as the master to solve the potential risk.
+
+Fixes: 64711f9a47d4 ("xtensa: implement jump_label support")
+Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
+Signed-off-by: Guo Ren <guoren@kernel.org>
+Reviewed-by: Max Filippov <jcmvbkbc@gmail.com>
+Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: <stable@vger.kernel.org>
+Message-Id: <20220407073323.743224-4-guoren@kernel.org>
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/xtensa/kernel/jump_label.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/xtensa/kernel/jump_label.c
++++ b/arch/xtensa/kernel/jump_label.c
+@@ -40,7 +40,7 @@ static int patch_text_stop_machine(void
+ {
+ struct patch *patch = data;
+
+- if (atomic_inc_return(&patch->cpu_count) == 1) {
++ if (atomic_inc_return(&patch->cpu_count) == num_online_cpus()) {
+ local_patch_text(patch->addr, patch->data, patch->sz);
+ atomic_inc(&patch->cpu_count);
+ } else {
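Review bot: The new condition `atomic_inc_return(&patch->cpu_count) == num_online_cpus()` has no comment explaining that the last CPU to arrive does the patching, which is the whole point of the change and is easy to mistake for an off-by-one. I would add above the `if` `/* The last CPU to arrive patches the text, so every other CPU is already waiting in this callback. */`. The `else` branch continues outside the hunk; its wait condition presumably depends on the extra `atomic_inc(&patch->cpu_count);` after patching, and that should be confirmed to still release the waiters with the new threshold. The comparison also mixes the int returned by atomic_inc_return() with the unsigned result of num_online_cpus(), which is harmless here but worth keeping in mind if the counter is ever reused.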