--- /dev/null
+From a2a871483161014f1bcc4e9a04354b01aa77cedb Mon Sep 17 00:00:00 2001
+From: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+Date: Fri, 9 Jun 2023 17:10:58 -0300
+Subject: ALSA: hda/realtek: Add a quirk for Compaq N14JP6
+
+From: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+
+commit a2a871483161014f1bcc4e9a04354b01aa77cedb upstream.
+
+Add a quirk for Compaq N14JP6 to fixup ALC897 headset MIC no sound.
+
+Signed-off-by: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230609201058.523499-1-edson.drosdeck@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11738,6 +11738,7 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x1b0a, 0x01b8, "ACER Veriton", ALC662_FIXUP_ACER_VERITON),
+ SND_PCI_QUIRK(0x1b35, 0x1234, "CZC ET26", ALC662_FIXUP_CZC_ET26),
+ SND_PCI_QUIRK(0x1b35, 0x2206, "CZC P10T", ALC662_FIXUP_CZC_P10T),
++ SND_PCI_QUIRK(0x1c6c, 0x1239, "Compaq N14JP6-V2", ALC897_FIXUP_HP_HSMIC_VERB),
+
+ #if 0
+ /* Below is a quirk table taken from the old code.
--- /dev/null
+From 122e2cb7e1a30438cc0e8bf70d4279db245d7d5b Mon Sep 17 00:00:00 2001
+From: Lukasz Tyl <ltyl@hem-e.com>
+Date: Wed, 14 Jun 2023 14:25:24 +0200
+Subject: ALSA: usb-audio: Add quirk flag for HEM devices to enable native DSD playback
+
+From: Lukasz Tyl <ltyl@hem-e.com>
+
+commit 122e2cb7e1a30438cc0e8bf70d4279db245d7d5b upstream.
+
+This commit adds new DEVICE_FLG with QUIRK_FLAG_DSD_RAW and Vendor Id for
+HEM devices which supports native DSD. Prior to this change Linux kernel
+was not enabling native DSD playback for HEM devices, and as a result,
+DSD audio was being converted to PCM "on the fly". HEM devices,
+when connected to the system, would only play audio in PCM format,
+even if the source material was in DSD format. With the addition of new
+VENDOR_FLG in the quirks.c file, the devices are now correctly
+recognized, and raw DSD data is transmitted to the device,
+allowing for native DSD playback.
+
+Signed-off-by: Lukasz Tyl <ltyl@hem-e.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230614122524.30271-1-ltyl@hem-e.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -2191,6 +2191,8 @@ static const struct usb_audio_quirk_flag
+ QUIRK_FLAG_DSD_RAW),
+ VENDOR_FLG(0x2ab6, /* T+A devices */
+ QUIRK_FLAG_DSD_RAW),
++ VENDOR_FLG(0x3336, /* HEM devices */
++ QUIRK_FLAG_DSD_RAW),
+ VENDOR_FLG(0x3353, /* Khadas devices */
+ QUIRK_FLAG_DSD_RAW),
+ VENDOR_FLG(0x3842, /* EVGA */
--- /dev/null
+From 8ba61c9f6c9bdfbf9d197b0282641d24ae909778 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 12 Jun 2023 15:28:18 +0200
+Subject: ALSA: usb-audio: Fix broken resume due to UAC3 power state
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8ba61c9f6c9bdfbf9d197b0282641d24ae909778 upstream.
+
+As reported in the bugzilla below, the PM resume of a UAC3 device may
+fail due to the incomplete power state change, stuck at D1. The
+reason is that the driver expects the full D0 power state change only
+at hw_params, while the normal PCM resume procedure doesn't call
+hw_params.
+
+For fixing the bug, we add the same power state update to D0 at the
+prepare callback, which is certainly called by the resume procedure.
+
+Note that, with this change, the power state change in the hw_params
+becomes almost redundant, since snd_usb_hw_params() doesn't touch the
+parameters (at least it tries so). But dropping it is still a bit
+risky (e.g. we have the media-driver binding), so I leave the D0 power
+state change in snd_usb_hw_params() as is for now.
+
+Fixes: a0a4959eb4e9 ("ALSA: usb-audio: Operate UAC3 Power Domains in PCM callbacks")
+Cc: <stable@vger.kernel.org>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217539
+Link: https://lore.kernel.org/r/20230612132818.29486-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/pcm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -650,6 +650,10 @@ static int snd_usb_pcm_prepare(struct sn
+ goto unlock;
+ }
+
++ ret = snd_usb_pcm_change_state(subs, UAC3_PD_STATE_D0);
++ if (ret < 0)
++ goto unlock;
++
+ again:
+ if (subs->sync_endpoint) {
+ ret = snd_usb_endpoint_prepare(chip, subs->sync_endpoint);
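Review bot: The new `snd_usb_pcm_change_state(subs, UAC3_PD_STATE_D0)` call in snd_usb_pcm_prepare() has no comment, and without one it reads like a duplicate of the D0 transition that the commit message says snd_usb_hw_params() still performs. A short comment above it would keep a later cleanup from dropping it, for example `/* PM resume does not go through hw_params, so bring the UAC3 power domain back to D0 here as well */`. The function starts and ends outside the hunk, so whether the later error paths leave the power state consistent cannot be checked from here.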
--- /dev/null
+From deccae40e4b30f98837e44225194d80c8baf2233 Mon Sep 17 00:00:00 2001
+From: Chris Mason <clm@fb.com>
+Date: Fri, 9 Jun 2023 10:53:41 -0700
+Subject: btrfs: can_nocow_file_extent should pass down args->strict from callers
+
+From: Chris Mason <clm@fb.com>
+
+commit deccae40e4b30f98837e44225194d80c8baf2233 upstream.
+
+Commit 619104ba453ad0 ("btrfs: move common NOCOW checks against a file
+extent into a helper") changed our call to btrfs_cross_ref_exist() to
+always pass false for the 'strict' parameter. We're passing this down
+through the stack so that we can do a full check for cross references
+during swapfile activation.
+
+With strict always false, this test fails:
+
+ btrfs subvol create swappy
+ chattr +C swappy
+ fallocate -l1G swappy/swapfile
+ chmod 600 swappy/swapfile
+ mkswap swappy/swapfile
+
+ btrfs subvol snap swappy swapsnap
+ btrfs subvol del -C swapsnap
+
+ btrfs fi sync /
+ sync;sync;sync
+
+ swapon swappy/swapfile
+
+The fix is to just use args->strict, and everyone except swapfile
+activation is passing false.
+
+Fixes: 619104ba453ad0 ("btrfs: move common NOCOW checks against a file extent into a helper")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1869,7 +1869,7 @@ static int can_nocow_file_extent(struct
+
+ ret = btrfs_cross_ref_exist(root, btrfs_ino(inode),
+ key->offset - args->extent_offset,
+- args->disk_bytenr, false, path);
++ args->disk_bytenr, args->strict, path);
+ WARN_ON_ONCE(ret > 0 && is_freespace_inode);
+ if (ret != 0)
+ goto out;
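Review bot: The `args->strict` argument restored in this call to btrfs_cross_ref_exist() has no comment, and the commit message shows it was lost once already during a refactor. A one-line comment at the call would record why it must be forwarded, for example `/* strict is set only by swapfile activation, which needs the full cross-reference check */`. can_nocow_file_extent() starts and ends outside the hunk, and so does the definition of the args structure where the field could be documented instead.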
--- /dev/null
+From 745806fb4554f334e6406fa82b328562aa48f08f Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Sun, 11 Jun 2023 08:09:13 +0800
+Subject: btrfs: do not ASSERT() on duplicated global roots
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 745806fb4554f334e6406fa82b328562aa48f08f upstream.
+
+[BUG]
+Syzbot reports a reproducible ASSERT() when using rescue=usebackuproot
+mount option on a corrupted fs.
+
+The full report can be found here:
+https://syzkaller.appspot.com/bug?extid=c4614eae20a166c25bf0
+
+ BTRFS error (device loop0: state C): failed to load root csum
+ assertion failed: !tmp, in fs/btrfs/disk-io.c:1103
+ ------------[ cut here ]------------
+ kernel BUG at fs/btrfs/ctree.h:3664!
+ invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+ CPU: 1 PID: 3608 Comm: syz-executor356 Not tainted 6.0.0-rc7-syzkaller-00029-g3800a713b607 #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
+ RIP: 0010:assertfail+0x1a/0x1c fs/btrfs/ctree.h:3663
+ RSP: 0018:ffffc90003aaf250 EFLAGS: 00010246
+ RAX: 0000000000000032 RBX: 0000000000000000 RCX: f21c13f886638400
+ RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
+ RBP: ffff888021c640a0 R08: ffffffff816bd38d R09: ffffed10173667f1
+ R10: ffffed10173667f1 R11: 1ffff110173667f0 R12: dffffc0000000000
+ R13: ffff8880229c21f7 R14: ffff888021c64060 R15: ffff8880226c0000
+ FS: 0000555556a73300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000055a2637d7a00 CR3: 00000000709c4000 CR4: 00000000003506e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ <TASK>
+ btrfs_global_root_insert+0x1a7/0x1b0 fs/btrfs/disk-io.c:1103
+ load_global_roots_objectid+0x482/0x8c0 fs/btrfs/disk-io.c:2467
+ load_global_roots fs/btrfs/disk-io.c:2501 [inline]
+ btrfs_read_roots fs/btrfs/disk-io.c:2528 [inline]
+ init_tree_roots+0xccb/0x203c fs/btrfs/disk-io.c:2939
+ open_ctree+0x1e53/0x33df fs/btrfs/disk-io.c:3574
+ btrfs_fill_super+0x1c6/0x2d0 fs/btrfs/super.c:1456
+ btrfs_mount_root+0x885/0x9a0 fs/btrfs/super.c:1824
+ legacy_get_tree+0xea/0x180 fs/fs_context.c:610
+ vfs_get_tree+0x88/0x270 fs/super.c:1530
+ fc_mount fs/namespace.c:1043 [inline]
+ vfs_kern_mount+0xc9/0x160 fs/namespace.c:1073
+ btrfs_mount+0x3d3/0xbb0 fs/btrfs/super.c:1884
+
+[CAUSE]
+Since the introduction of global roots, we handle
+csum/extent/free-space-tree roots as global roots, even if no
+extent-tree-v2 feature is enabled.
+
+So for regular csum/extent/fst roots, we load them into
+fs_info::global_root_tree rb tree.
+
+And we should not expect any conflicts in that rb tree, thus we have an
+ASSERT() inside btrfs_global_root_insert().
+
+But rescue=usebackuproot can break the assumption, as we will try to
+load those trees again and again as long as we have bad roots and have
+backup roots slot remaining.
+
+So in that case we can have conflicting roots in the rb tree, and
+triggering the ASSERT() crash.
+
+[FIX]
+We can safely remove that ASSERT(), as the caller will properly put the
+offending root.
+
+To make further debugging easier, also add two explicit error messages:
+
+- Error message for conflicting global roots
+- Error message when using backup roots slot
+
+Reported-by: syzbot+a694851c6ab28cbcfb9c@syzkaller.appspotmail.com
+Fixes: abed4aaae4f7 ("btrfs: track the csum, extent, and free space trees in a rb tree")
+CC: stable@vger.kernel.org # 6.1+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/disk-io.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -996,13 +996,18 @@ int btrfs_global_root_insert(struct btrf
+ {
+ struct btrfs_fs_info *fs_info = root->fs_info;
+ struct rb_node *tmp;
++ int ret = 0;
+
+ write_lock(&fs_info->global_root_lock);
+ tmp = rb_find_add(&root->rb_node, &fs_info->global_root_tree, global_root_cmp);
+ write_unlock(&fs_info->global_root_lock);
+- ASSERT(!tmp);
+
+- return tmp ? -EEXIST : 0;
++ if (tmp) {
++ ret = -EEXIST;
++ btrfs_warn(fs_info, "global root %llu %llu already exists",
++ root->root_key.objectid, root->root_key.offset);
++ }
++ return ret;
+ }
+
+ void btrfs_global_root_delete(struct btrfs_root *root)
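Review bot: With the ASSERT() removed, btrfs_global_root_insert() now returns -EEXIST for input that a corrupted image mounted with rescue=usebackuproot can produce, but nothing on the function states what callers must do with that result. The call sites are outside this hunk, so it cannot be confirmed here that each one drops the rejected root. A header comment would record the contract, for example `/* Returns -EEXIST if a root with the same key is already in global_root_tree; the caller still owns @root and must put it. */`. The `ret` local is also unnecessary: the warning can be followed by `return -EEXIST;` with a plain `return 0;` at the end.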
+@@ -2843,6 +2848,7 @@ static int __cold init_tree_roots(struct
+ /* We can't trust the free space cache either */
+ btrfs_set_opt(fs_info->mount_opt, CLEAR_CACHE);
+
++ btrfs_warn(fs_info, "try to load backup roots slot %d", i);
+ ret = read_backup_root(fs_info, i);
+ backup_index = ret;
+ if (ret < 0)
--- /dev/null
+From 7833b865953c8e62abc76a3261c04132b2fb69de Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Thu, 8 Jun 2023 11:10:25 +0200
+Subject: btrfs: fix iomap_begin length for nocow writes
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 7833b865953c8e62abc76a3261c04132b2fb69de upstream.
+
+can_nocow_extent can reduce the len passed in, which needs to be
+propagated to btrfs_dio_iomap_begin so that iomap does not submit
+more data than is mapped.
+
+This problem exists since the btrfs_get_blocks_direct helper was added
+in commit c5794e51784a ("btrfs: Factor out write portion of
+btrfs_get_blocks_direct"), but the ordered_extent splitting added in
+commit b73a6fd1b1ef ("btrfs: split partial dio bios before submit")
+added a WARN_ON that made a syzkaller test fail.
+
+Reported-by: syzbot+ee90502d5c8fd1d0dd93@syzkaller.appspotmail.com
+Fixes: c5794e51784a ("btrfs: Factor out write portion of btrfs_get_blocks_direct")
+CC: stable@vger.kernel.org # 6.1+
+Tested-by: syzbot+ee90502d5c8fd1d0dd93@syzkaller.appspotmail.com
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/inode.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -7324,7 +7324,7 @@ static struct extent_map *create_io_em(s
+ static int btrfs_get_blocks_direct_write(struct extent_map **map,
+ struct inode *inode,
+ struct btrfs_dio_data *dio_data,
+- u64 start, u64 len,
++ u64 start, u64 *lenp,
+ unsigned int iomap_flags)
+ {
+ const bool nowait = (iomap_flags & IOMAP_NOWAIT);
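Review bot: `lenp` is now an in/out parameter of btrfs_get_blocks_direct_write(), but neither the signature in this hunk nor the `*lenp = len;` write-back in the `out:` hunk says so. A comment above the function should state that on return `*lenp` holds the possibly shortened length that was mapped, and that it is written on every path reaching `out:`, including the -EAGAIN and -ENOSPC paths that now jump there. In the btrfs_dio_iomap_begin() hunk the caller's `len` is updated in place as a result. The code after that call is outside the hunk, so confirm nothing there still expects the original request length.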
+@@ -7335,6 +7335,7 @@ static int btrfs_get_blocks_direct_write
+ struct btrfs_block_group *bg;
+ bool can_nocow = false;
+ bool space_reserved = false;
++ u64 len = *lenp;
+ u64 prev_len;
+ int ret = 0;
+
+@@ -7405,15 +7406,19 @@ static int btrfs_get_blocks_direct_write
+ free_extent_map(em);
+ *map = NULL;
+
+- if (nowait)
+- return -EAGAIN;
++ if (nowait) {
++ ret = -EAGAIN;
++ goto out;
++ }
+
+ /*
+ * If we could not allocate data space before locking the file
+ * range and we can't do a NOCOW write, then we have to fail.
+ */
+- if (!dio_data->data_space_reserved)
+- return -ENOSPC;
++ if (!dio_data->data_space_reserved) {
++ ret = -ENOSPC;
++ goto out;
++ }
+
+ /*
+ * We have to COW and we have already reserved data space before,
+@@ -7454,6 +7459,7 @@ out:
+ btrfs_delalloc_release_extents(BTRFS_I(inode), len);
+ btrfs_delalloc_release_metadata(BTRFS_I(inode), len, true);
+ }
++ *lenp = len;
+ return ret;
+ }
+
+@@ -7630,7 +7636,7 @@ static int btrfs_dio_iomap_begin(struct
+
+ if (write) {
+ ret = btrfs_get_blocks_direct_write(&em, inode, dio_data,
+- start, len, flags);
++ start, &len, flags);
+ if (ret < 0)
+ goto unlock_err;
+ unlock_extents = true;
--- /dev/null
+From 981a37bab5e5f16137266d3f00cf2bd018af36ef Mon Sep 17 00:00:00 2001
+From: Chris Mason <clm@fb.com>
+Date: Mon, 5 Jun 2023 12:03:15 -0700
+Subject: btrfs: properly enable async discard when switching from RO->RW
+
+From: Chris Mason <clm@fb.com>
+
+commit 981a37bab5e5f16137266d3f00cf2bd018af36ef upstream.
+
+The async discard uses the BTRFS_FS_DISCARD_RUNNING bit in the fs_info
+to force discards off when the filesystem has aborted or we're generally
+not able to run discards. This gets flipped on when we're mounted rw,
+and also when we go from ro->rw.
+
+Commit 63a7cb13071842 ("btrfs: auto enable discard=async when possible")
+enabled async discard by default, and this meant
+"mount -o ro /dev/xxx /yyy" had async discards turned on.
+
+Unfortunately, this meant our check in btrfs_remount_cleanup() would see
+that discards are already on:
+
+ /* If we toggled discard async */
+ if (!btrfs_raw_test_opt(old_opts, DISCARD_ASYNC) &&
+ btrfs_test_opt(fs_info, DISCARD_ASYNC))
+ btrfs_discard_resume(fs_info);
+
+So, we'd never call btrfs_discard_resume() when remounting the root
+filesystem from ro->rw.
+
+drgn shows this really nicely:
+
+import os
+import sys
+
+from drgn.helpers.linux.fs import path_lookup
+from drgn import NULL, Object, Type, cast
+
+def btrfs_sb(sb):
+ return cast("struct btrfs_fs_info *", sb.s_fs_info)
+
+if len(sys.argv) == 1:
+ path = "/"
+else:
+ path = sys.argv[1]
+
+fs_info = cast("struct btrfs_fs_info *", path_lookup(prog, path).mnt.mnt_sb.s_fs_info)
+
+BTRFS_FS_DISCARD_RUNNING = 1 << prog['BTRFS_FS_DISCARD_RUNNING']
+if fs_info.flags & BTRFS_FS_DISCARD_RUNNING:
+ print("discard running flag is on")
+else:
+ print("discard running flag is off")
+
+[root]# mount | grep nvme
+/dev/nvme0n1p3 on / type btrfs
+(rw,relatime,compress-force=zstd:3,ssd,discard=async,space_cache=v2,subvolid=5,subvol=/)
+
+[root]# ./discard_running.drgn
+discard running flag is off
+
+[root]# mount -o remount,discard=sync /
+[root]# mount -o remount,discard=async /
+[root]# ./discard_running.drgn
+discard running flag is on
+
+The fix is to call btrfs_discard_resume() when we're going from ro->rw.
+It already checks to make sure the async discard flag is on, so it'll do
+the right thing.
+
+Fixes: 63a7cb13071842 ("btrfs: auto enable discard=async when possible")
+CC: stable@vger.kernel.org # 6.3+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Chris Mason <clm@fb.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/super.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1840,6 +1840,12 @@ static int btrfs_remount(struct super_bl
+ btrfs_clear_sb_rdonly(sb);
+
+ set_bit(BTRFS_FS_OPEN, &fs_info->flags);
++
++ /*
++ * If we've gone from readonly -> read/write, we need to get
++ * our sync/async discard lists in the right state.
++ */
++ btrfs_discard_resume(fs_info);
+ }
+ out:
+ /*
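Review bot: The added comment mentions "sync/async discard lists", but the btrfs_discard_resume() call under it is unconditional and the comment does not say what happens when async discard is not enabled. The commit message states that btrfs_discard_resume() checks the async discard option itself; that function is outside the hunk, so the comment should carry the fact, e.g. by appending `btrfs_discard_resume() does nothing unless DISCARD_ASYNC is set.`. The commit message also quotes a btrfs_discard_resume() call in btrfs_remount_cleanup(), so a ro->rw remount that toggles discard=async at the same time may reach it twice. Confirm that a second call is harmless.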
--- /dev/null
+From 917ac77846b907dfdbd878688a9a61236ad6c51e Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Fri, 26 May 2023 20:30:20 +0800
+Subject: btrfs: subpage: fix a crash in metadata repair path
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 917ac77846b907dfdbd878688a9a61236ad6c51e upstream.
+
+[BUG]
+Test case btrfs/027 would crash with subpage (64K page size, 4K
+sectorsize) with the following dying messages:
+
+ debug: map_length=16384 length=65536 type=metadata|raid6(0x104)
+ assertion failed: map_length >= length, in fs/btrfs/volumes.c:8093
+ ------------[ cut here ]------------
+ kernel BUG at fs/btrfs/messages.c:259!
+ Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+ Call trace:
+ btrfs_assertfail+0x28/0x2c [btrfs]
+ btrfs_map_repair_block+0x150/0x2b8 [btrfs]
+ btrfs_repair_io_failure+0xd4/0x31c [btrfs]
+ btrfs_read_extent_buffer+0x150/0x16c [btrfs]
+ read_tree_block+0x38/0xbc [btrfs]
+ read_tree_root_path+0xfc/0x1bc [btrfs]
+ btrfs_get_root_ref.part.0+0xd4/0x3a8 [btrfs]
+ open_ctree+0xa30/0x172c [btrfs]
+ btrfs_mount_root+0x3c4/0x4a4 [btrfs]
+ legacy_get_tree+0x30/0x60
+ vfs_get_tree+0x28/0xec
+ vfs_kern_mount.part.0+0x90/0xd4
+ vfs_kern_mount+0x14/0x28
+ btrfs_mount+0x114/0x418 [btrfs]
+ legacy_get_tree+0x30/0x60
+ vfs_get_tree+0x28/0xec
+ path_mount+0x3e0/0xb64
+ __arm64_sys_mount+0x200/0x2d8
+ invoke_syscall+0x48/0x114
+ el0_svc_common.constprop.0+0x60/0x11c
+ do_el0_svc+0x38/0x98
+ el0_svc+0x40/0xa8
+ el0t_64_sync_handler+0xf4/0x120
+ el0t_64_sync+0x190/0x194
+ Code: aa0403e2 b0fff060 91010000 959c2024 (d4210000)
+
+[CAUSE]
+In btrfs/027 we test RAID6 with missing devices, in this particular
+case, we're repairing a metadata at the end of a data stripe.
+
+But at btrfs_repair_io_failure(), we always pass a full PAGE for repair,
+and for subpage case this can cross stripe boundary and lead to the
+above BUG_ON().
+
+This metadata repair code is always there, since the introduction of
+subpage support, but this can trigger BUG_ON() after the bio split
+ability at btrfs_map_bio().
+
+[FIX]
+Instead of passing the old PAGE_SIZE, we calculate the correct length
+based on the eb size and page size for both regular and subpage cases.
+
+CC: stable@vger.kernel.org # 6.3+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/disk-io.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index 2b1b227505f3..88e6d1072a35 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -242,7 +242,6 @@ static int btrfs_repair_eb_io_failure(const struct extent_buffer *eb,
+ int mirror_num)
+ {
+ struct btrfs_fs_info *fs_info = eb->fs_info;
+- u64 start = eb->start;
+ int i, num_pages = num_extent_pages(eb);
+ int ret = 0;
+
+@@ -251,12 +250,14 @@ static int btrfs_repair_eb_io_failure(const struct extent_buffer *eb,
+
+ for (i = 0; i < num_pages; i++) {
+ struct page *p = eb->pages[i];
++ u64 start = max_t(u64, eb->start, page_offset(p));
++ u64 end = min_t(u64, eb->start + eb->len, page_offset(p) + PAGE_SIZE);
++ u32 len = end - start;
+
+- ret = btrfs_repair_io_failure(fs_info, 0, start, PAGE_SIZE,
+- start, p, start - page_offset(p), mirror_num);
++ ret = btrfs_repair_io_failure(fs_info, 0, start, len,
++ start, p, offset_in_page(start), mirror_num);
+ if (ret)
+ break;
+- start += PAGE_SIZE;
+ }
+
+ return ret;
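Review bot: `u32 len = end - start;` narrows a u64 difference and relies on `end > start`, which holds only while every entry of `eb->pages[]` overlaps the range from `eb->start` to `eb->start + eb->len`; that invariant is neither stated nor checked in the loop. For a well-formed extent buffer the clamp keeps `len` at or below PAGE_SIZE, so this is a documentation gap rather than a demonstrated bug. A comment above the three new declarations would make the intent clear, for example `/* Repair only the part of the eb that lies inside this page; with subpage the eb can be smaller than the page. */`. If a debug check is wanted, `ASSERT(end > start);` before the subtraction would catch an inconsistent buffer early.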
+--
+2.41.0
+
--- /dev/null
+From 722d90822321497e2837cfc9000202e256e6b32f Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@kernel.org>
+Date: Tue, 13 Jun 2023 20:05:34 -0400
+Subject: dm thin: fix issue_discard to pass GFP_NOIO to __blkdev_issue_discard
+
+From: Mike Snitzer <snitzer@kernel.org>
+
+commit 722d90822321497e2837cfc9000202e256e6b32f upstream.
+
+issue_discard() passes GFP_NOWAIT to __blkdev_issue_discard() despite
+its code assuming bio_alloc() always succeeds.
+
+Commit 3dba53a958a75 ("dm thin: use __blkdev_issue_discard for async
+discard support") clearly shows where things went bad:
+
+Before commit 3dba53a958a75, dm-thin.c's open-coded
+__blkdev_issue_discard_async() properly handled using GFP_NOWAIT.
+Unfortunately __blkdev_issue_discard() doesn't and it was missed
+during review.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-thin.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -399,8 +399,7 @@ static int issue_discard(struct discard_
+ sector_t s = block_to_sectors(tc->pool, data_b);
+ sector_t len = block_to_sectors(tc->pool, data_e - data_b);
+
+- return __blkdev_issue_discard(tc->pool_dev->bdev, s, len, GFP_NOWAIT,
+- &op->bio);
++ return __blkdev_issue_discard(tc->pool_dev->bdev, s, len, GFP_NOIO, &op->bio);
+ }
+
+ static void end_discard(struct discard_op *op, int r)
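Review bot: The switch to `GFP_NOIO` in issue_discard() is the entire fix, yet the call has no comment explaining why a blocking allocation flag is required. The commit message says __blkdev_issue_discard() assumes bio_alloc() always succeeds; a comment such as `/* __blkdev_issue_discard() does not handle bio_alloc() failure, so the allocation must be allowed to block */` would keep the flag from being changed back. GFP_NOIO can sleep, and the callers of issue_discard() are outside the hunk, so check that none of them calls it in atomic context or with a spinlock held.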
--- /dev/null
+From cb65b282c9640c27d3129e2e04b711ce1b352838 Mon Sep 17 00:00:00 2001
+From: Li Lingfeng <lilingfeng3@huawei.com>
+Date: Tue, 6 Jun 2023 20:20:24 +0800
+Subject: dm thin metadata: check fail_io before using data_sm
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+commit cb65b282c9640c27d3129e2e04b711ce1b352838 upstream.
+
+Must check pmd->fail_io before using pmd->data_sm since
+pmd->data_sm may be destroyed by other processes.
+
+ P1(kworker) P2(message)
+do_worker
+ process_prepared
+ process_prepared_discard_passdown_pt2
+ dm_pool_dec_data_range
+ pool_message
+ commit
+ dm_pool_commit_metadata
+ ↓
+ // commit failed
+ metadata_operation_failed
+ abort_transaction
+ dm_pool_abort_metadata
+ __open_or_format_metadata
+ ↓
+ dm_sm_disk_open
+ ↓
+ // open failed
+ // pmd->data_sm is NULL
+ dm_sm_dec_blocks
+ ↓
+ // try to access pmd->data_sm --> UAF
+
+As shown above, if dm_pool_commit_metadata() and
+dm_pool_abort_metadata() fail in pool_message process, kworker may
+trigger UAF.
+
+Fixes: be500ed721a6 ("dm space maps: improve performance with inc/dec on ranges of blocks")
+Cc: stable@vger.kernel.org
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-thin-metadata.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/dm-thin-metadata.c
++++ b/drivers/md/dm-thin-metadata.c
+@@ -1756,13 +1756,15 @@ int dm_thin_remove_range(struct dm_thin_
+
+ int dm_pool_block_is_shared(struct dm_pool_metadata *pmd, dm_block_t b, bool *result)
+ {
+- int r;
++ int r = -EINVAL;
+ uint32_t ref_count;
+
+ down_read(&pmd->root_lock);
+- r = dm_sm_get_count(pmd->data_sm, b, &ref_count);
+- if (!r)
+- *result = (ref_count > 1);
++ if (!pmd->fail_io) {
++ r = dm_sm_get_count(pmd->data_sm, b, &ref_count);
++ if (!r)
++ *result = (ref_count > 1);
++ }
+ up_read(&pmd->root_lock);
+
+ return r;
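Review bot: The `!pmd->fail_io` guard closes the use-after-free only if fail_io is set under the write side of the same lock before `pmd->data_sm` is torn down; presumably that happens on the abort path shown in the commit message, which is outside these hunks. The same holds for the dm_pool_inc_data_range() and dm_pool_dec_data_range() hunks that follow. A comment at the first guard would record the invariant, for example `/* data_sm must not be used once fail_io is set; both change under the pmd write lock */`. In dm_pool_block_is_shared() `*result` is left unwritten when -EINVAL is returned, so callers must test the return value before reading it.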
+@@ -1770,10 +1772,11 @@ int dm_pool_block_is_shared(struct dm_po
+
+ int dm_pool_inc_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e)
+ {
+- int r = 0;
++ int r = -EINVAL;
+
+ pmd_write_lock(pmd);
+- r = dm_sm_inc_blocks(pmd->data_sm, b, e);
++ if (!pmd->fail_io)
++ r = dm_sm_inc_blocks(pmd->data_sm, b, e);
+ pmd_write_unlock(pmd);
+
+ return r;
+@@ -1781,10 +1784,11 @@ int dm_pool_inc_data_range(struct dm_poo
+
+ int dm_pool_dec_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e)
+ {
+- int r = 0;
++ int r = -EINVAL;
+
+ pmd_write_lock(pmd);
+- r = dm_sm_dec_blocks(pmd->data_sm, b, e);
++ if (!pmd->fail_io)
++ r = dm_sm_dec_blocks(pmd->data_sm, b, e);
+ pmd_write_unlock(pmd);
+
+ return r;
--- /dev/null
+From e749dd10e5f292061ad63d2b030194bf7d7d452c Mon Sep 17 00:00:00 2001
+From: Hersen Wu <hersenxs.wu@amd.com>
+Date: Thu, 25 May 2023 08:37:40 -0400
+Subject: drm/amd/display: edp do not add non-edid timings
+
+From: Hersen Wu <hersenxs.wu@amd.com>
+
+commit e749dd10e5f292061ad63d2b030194bf7d7d452c upstream.
+
+[Why] most edp support only timings from edid. applying
+non-edid timings, especially those timings out of edp
+bandwidth, may damage edp.
+
+[How] do not add non-edid timings for edp.
+
+Cc: Mario Limonciello <mario.limonciello@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Acked-by: Stylon Wang <stylon.wang@amd.com>
+Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
+Reviewed-by: Roman Li <roman.li@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -7170,7 +7170,13 @@ static int amdgpu_dm_connector_get_modes
+ drm_add_modes_noedid(connector, 640, 480);
+ } else {
+ amdgpu_dm_connector_ddc_get_modes(connector, edid);
+- amdgpu_dm_connector_add_common_modes(encoder, connector);
++ /* most eDP supports only timings from its edid,
++ * usually only detailed timings are available
++ * from eDP edid. timings which are not from edid
++ * may damage eDP
++ */
++ if (connector->connector_type != DRM_MODE_CONNECTOR_eDP)
++ amdgpu_dm_connector_add_common_modes(encoder, connector);
+ amdgpu_dm_connector_add_freesync_modes(connector, edid);
+ }
+ amdgpu_dm_fbc_init(connector);
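Review bot: The new eDP check covers only the `else` branch, so the `drm_add_modes_noedid(connector, 640, 480)` call in the branch above still adds a non-EDID timing, as may amdgpu_dm_connector_add_freesync_modes() right after the check. The condition selecting the first branch and the body of the freesync helper are outside the hunk. If an eDP connector can reach either one, the rationale in the new comment applies there too, so guard them or state in the comment why those modes are acceptable. The comment would also read better in the usual kernel multi-line form, with `/*` on its own line and consistent spelling of "EDID" and "eDP".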
--- /dev/null
+From 7c5835bcb9176df94683396f1c0e5df6bf5094b3 Mon Sep 17 00:00:00 2001
+From: Peichen Huang <peichen.huang@amd.com>
+Date: Wed, 31 May 2023 13:36:14 +0800
+Subject: drm/amd/display: limit DPIA link rate to HBR3
+
+From: Peichen Huang <peichen.huang@amd.com>
+
+commit 7c5835bcb9176df94683396f1c0e5df6bf5094b3 upstream.
+
+[Why]
+DPIA doesn't support UHBR, driver should not enable UHBR
+for dp tunneling
+
+[How]
+limit DPIA link rate to HBR3
+
+Cc: Mario Limonciello <mario.limonciello@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Acked-by: Stylon Wang <stylon.wang@amd.com>
+Signed-off-by: Peichen Huang <peichen.huang@amd.com>
+Reviewed-by: Mustapha Ghaddar <Mustapha.Ghaddar@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/link/link_detection.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/dc/link/link_detection.c
++++ b/drivers/gpu/drm/amd/display/dc/link/link_detection.c
+@@ -980,6 +980,11 @@ static bool detect_link_and_local_sink(s
+ (link->dpcd_caps.dongle_type !=
+ DISPLAY_DONGLE_DP_HDMI_CONVERTER))
+ converter_disable_audio = true;
++
++ /* limited link rate to HBR3 for DPIA until we implement USB4 V2 */
++ if (link->ep_type == DISPLAY_ENDPOINT_USB4_DPIA &&
++ link->reported_link_cap.link_rate > LINK_RATE_HIGH3)
++ link->reported_link_cap.link_rate = LINK_RATE_HIGH3;
+ break;
+ }
+
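Review bot: The clamp to `LINK_RATE_HIGH3` touches `link->reported_link_cap.link_rate` only, and it sits inside a single switch case whose label is outside the hunk. If a DPIA link can be detected through another case, or if other capability fields are derived from the reported rate before this point, a UHBR rate could still be used; that cannot be verified from the visible lines. The comment should say where the limit comes from, and its wording could be corrected, e.g. `/* DPIA does not support UHBR: limit the link rate to HBR3 until USB4 v2 is implemented */`.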
--- /dev/null
+From 3eb1a3a04056ba3df3205e169b8acc9da0c65a94 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Wed, 7 Jun 2023 01:41:22 -0500
+Subject: drm/amd: Make sure image is written to trigger VBIOS image update flow
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 3eb1a3a04056ba3df3205e169b8acc9da0c65a94 upstream.
+
+The VBIOS image update flow requires userspace to:
+1) Write the image to `psp_vbflash`
+2) Read `psp_vbflash`
+3) Poll `psp_vbflash_status` to check for completion
+
+If userspace reads `psp_vbflash` before writing an image, it's
+possible that it causes problems that can put the dGPU into an invalid
+state.
+
+Explicitly check that an image has been written before letting a read
+succeed.
+
+Cc: stable@vger.kernel.org
+Fixes: 8424f2ccb3c0 ("drm/amdgpu/psp: Add vbflash sysfs interface support")
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+@@ -3538,6 +3538,9 @@ static ssize_t amdgpu_psp_vbflash_read(s
+ void *fw_pri_cpu_addr;
+ int ret;
+
++ if (adev->psp.vbflash_image_size == 0)
++ return -EINVAL;
++
+ dev_info(adev->dev, "VBIOS flash to PSP started");
+
+ ret = amdgpu_bo_create_kernel(adev, adev->psp.vbflash_image_size,
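Review bot: The new `adev->psp.vbflash_image_size == 0` test runs before any lock visible in this hunk, so a concurrent write to `psp_vbflash` could change the size or the staged image between the check and the `amdgpu_bo_create_kernel()` call that uses it. The rest of amdgpu_psp_vbflash_read() and the write handler are outside the hunk; if they serialise on a mutex, the check belongs inside that critical section. A short comment such as `/* reading starts the flash, so refuse when no image has been written */` would also explain why a read handler returns -EINVAL here.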
--- /dev/null
+From 7ca302d488f80cf4529620acc1c545f9022d8bb8 Mon Sep 17 00:00:00 2001
+From: Kenneth Feng <kenneth.feng@amd.com>
+Date: Thu, 8 Jun 2023 22:07:11 +0800
+Subject: drm/amd/pm: workaround for compute workload type on some skus
+
+From: Kenneth Feng <kenneth.feng@amd.com>
+
+commit 7ca302d488f80cf4529620acc1c545f9022d8bb8 upstream.
+
+On smu 13.0.0, the compute workload type cannot be set on all the skus
+due to some other problems. This workaround is to make sure compute workload type
+can also run on some specific skus.
+
+v2: keep the variable consistent
+
+Signed-off-by: Kenneth Feng <kenneth.feng@amd.com>
+Acked-by: Lijo Lazar <lijo.lazar@amd.com>
+Reviewed-by: Feifei Xu <Feifei.Xu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.1.x
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 33 +++++++++++++++++--
+ 1 file changed, 31 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
+@@ -1694,10 +1694,39 @@ static int smu_v13_0_0_set_power_profile
+ }
+ }
+
+- /* conv PP_SMC_POWER_PROFILE* to WORKLOAD_PPLIB_*_BIT */
+- workload_type = smu_cmn_to_asic_specific_index(smu,
++ if (smu->power_profile_mode == PP_SMC_POWER_PROFILE_COMPUTE &&
++ (((smu->adev->pdev->device == 0x744C) && (smu->adev->pdev->revision == 0xC8)) ||
++ ((smu->adev->pdev->device == 0x744C) && (smu->adev->pdev->revision == 0xCC)))) {
++ ret = smu_cmn_update_table(smu,
++ SMU_TABLE_ACTIVITY_MONITOR_COEFF,
++ WORKLOAD_PPLIB_COMPUTE_BIT,
++ (void *)(&activity_monitor_external),
++ false);
++ if (ret) {
++ dev_err(smu->adev->dev, "[%s] Failed to get activity monitor!", __func__);
++ return ret;
++ }
++
++ ret = smu_cmn_update_table(smu,
++ SMU_TABLE_ACTIVITY_MONITOR_COEFF,
++ WORKLOAD_PPLIB_CUSTOM_BIT,
++ (void *)(&activity_monitor_external),
++ true);
++ if (ret) {
++ dev_err(smu->adev->dev, "[%s] Failed to set activity monitor!", __func__);
++ return ret;
++ }
++
++ workload_type = smu_cmn_to_asic_specific_index(smu,
++ CMN2ASIC_MAPPING_WORKLOAD,
++ PP_SMC_POWER_PROFILE_CUSTOM);
++ } else {
++ /* conv PP_SMC_POWER_PROFILE* to WORKLOAD_PPLIB_*_BIT */
++ workload_type = smu_cmn_to_asic_specific_index(smu,
+ CMN2ASIC_MAPPING_WORKLOAD,
+ smu->power_profile_mode);
++ }
++
+ if (workload_type < 0)
+ return -EINVAL;
+
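Review bot: The SKU test in the new `if` repeats `smu->adev->pdev->device == 0x744C` once per revision and leaves 0x744C, 0xC8 and 0xCC as bare literals, so covering another revision means copying a whole clause. Factoring the device check out reads more directly: `smu->adev->pdev->device == 0x744C && (smu->adev->pdev->revision == 0xC8 || smu->adev->pdev->revision == 0xCC)`, ideally with a comment naming the affected SKUs. The two `dev_err()` strings added here also lack a trailing `\n`. The function body starts and ends outside the hunk, so `activity_monitor_external` and `ret` are assumed to be declared above.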
--- /dev/null
+From 7ab1a4913d0051cf5196ef7987b5fa42c25e13b6 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Wed, 7 Jun 2023 01:45:20 -0500
+Subject: drm/amd: Tighten permissions on VBIOS flashing attributes
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 7ab1a4913d0051cf5196ef7987b5fa42c25e13b6 upstream.
+
+Non-root users shouldn't be able to try to trigger a VBIOS flash
+or query the flashing status. This should be reserved for users with the
+appropriate permissions.
+
+Cc: stable@vger.kernel.org
+Fixes: 8424f2ccb3c0 ("drm/amdgpu/psp: Add vbflash sysfs interface support")
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+@@ -3592,13 +3592,13 @@ static ssize_t amdgpu_psp_vbflash_status
+ }
+
+ static const struct bin_attribute psp_vbflash_bin_attr = {
+- .attr = {.name = "psp_vbflash", .mode = 0664},
++ .attr = {.name = "psp_vbflash", .mode = 0660},
+ .size = 0,
+ .write = amdgpu_psp_vbflash_write,
+ .read = amdgpu_psp_vbflash_read,
+ };
+
+-static DEVICE_ATTR(psp_vbflash_status, 0444, amdgpu_psp_vbflash_status, NULL);
++static DEVICE_ATTR(psp_vbflash_status, 0440, amdgpu_psp_vbflash_status, NULL);
+
+ int amdgpu_psp_sysfs_init(struct amdgpu_device *adev)
+ {
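Review bot: Modes `0660` and `0440` still leave the group bits set, so access to `psp_vbflash` and `psp_vbflash_status` is decided by whichever group owns the sysfs nodes rather than by root alone. If the intent stated in the commit message is strictly root-only, `0600` and `0400` express that directly; if group access is deliberate, a comment above `psp_vbflash_bin_attr` should say which group is expected. Either way, a short comment such as `/* not world-accessible: this node feeds the VBIOS flash path */` would help keep the mode from being loosened again.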
--- /dev/null
+From e61f67749b351c19455ce3085af2ae9af80023bc Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 6 Jun 2023 11:14:04 -0400
+Subject: drm/amdgpu: add missing radeon secondary PCI ID
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit e61f67749b351c19455ce3085af2ae9af80023bc upstream.
+
+0x5b70 is a missing RV370 secondary id. Add it so
+we don't try and probe it with amdgpu.
+
+Cc: michel@daenzer.net
+Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
+Tested-by: Michel Dänzer <mdaenzer@redhat.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -1623,6 +1623,7 @@ static const u16 amdgpu_unsupported_pcii
+ 0x5874,
+ 0x5940,
+ 0x5941,
++ 0x5b70,
+ 0x5b72,
+ 0x5b73,
+ 0x5b74,
--- /dev/null
+From 5b711e7f9c73e5ff44d6ac865711d9a05c2a0360 Mon Sep 17 00:00:00 2001
+From: Jiadong Zhu <Jiadong.Zhu@amd.com>
+Date: Thu, 25 May 2023 18:42:15 +0800
+Subject: drm/amdgpu: Implement gfx9 patch functions for resubmission
+
+From: Jiadong Zhu <Jiadong.Zhu@amd.com>
+
+commit 5b711e7f9c73e5ff44d6ac865711d9a05c2a0360 upstream.
+
+Patch the packages including CONTEXT_CONTROL and WRITE_DATA for gfx9
+during the resubmission scenario.
+
+Signed-off-by: Jiadong Zhu <Jiadong.Zhu@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.3.x
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 80 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 80 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -5136,9 +5136,83 @@ static void gfx_v9_0_ring_emit_ib_gfx(st
+ #endif
+ lower_32_bits(ib->gpu_addr));
+ amdgpu_ring_write(ring, upper_32_bits(ib->gpu_addr));
++ amdgpu_ring_ib_on_emit_cntl(ring);
+ amdgpu_ring_write(ring, control);
+ }
+
++static void gfx_v9_0_ring_patch_cntl(struct amdgpu_ring *ring,
++ unsigned offset)
++{
++ u32 control = ring->ring[offset];
++
++ control |= INDIRECT_BUFFER_PRE_RESUME(1);
++ ring->ring[offset] = control;
++}
++
++static void gfx_v9_0_ring_patch_ce_meta(struct amdgpu_ring *ring,
++ unsigned offset)
++{
++ struct amdgpu_device *adev = ring->adev;
++ void *ce_payload_cpu_addr;
++ uint64_t payload_offset, payload_size;
++
++ payload_size = sizeof(struct v9_ce_ib_state);
++
++ if (ring->is_mes_queue) {
++ payload_offset = offsetof(struct amdgpu_mes_ctx_meta_data,
++ gfx[0].gfx_meta_data) +
++ offsetof(struct v9_gfx_meta_data, ce_payload);
++ ce_payload_cpu_addr =
++ amdgpu_mes_ctx_get_offs_cpu_addr(ring, payload_offset);
++ } else {
++ payload_offset = offsetof(struct v9_gfx_meta_data, ce_payload);
++ ce_payload_cpu_addr = adev->virt.csa_cpu_addr + payload_offset;
++ }
++
++ if (offset + (payload_size >> 2) <= ring->buf_mask + 1) {
++ memcpy((void *)&ring->ring[offset], ce_payload_cpu_addr, payload_size);
++ } else {
++ memcpy((void *)&ring->ring[offset], ce_payload_cpu_addr,
++ (ring->buf_mask + 1 - offset) << 2);
++ payload_size -= (ring->buf_mask + 1 - offset) << 2;
++ memcpy((void *)&ring->ring[0],
++ ce_payload_cpu_addr + ((ring->buf_mask + 1 - offset) << 2),
++ payload_size);
++ }
++}
++
++static void gfx_v9_0_ring_patch_de_meta(struct amdgpu_ring *ring,
++ unsigned offset)
++{
++ struct amdgpu_device *adev = ring->adev;
++ void *de_payload_cpu_addr;
++ uint64_t payload_offset, payload_size;
++
++ payload_size = sizeof(struct v9_de_ib_state);
++
++ if (ring->is_mes_queue) {
++ payload_offset = offsetof(struct amdgpu_mes_ctx_meta_data,
++ gfx[0].gfx_meta_data) +
++ offsetof(struct v9_gfx_meta_data, de_payload);
++ de_payload_cpu_addr =
++ amdgpu_mes_ctx_get_offs_cpu_addr(ring, payload_offset);
++ } else {
++ payload_offset = offsetof(struct v9_gfx_meta_data, de_payload);
++ de_payload_cpu_addr = adev->virt.csa_cpu_addr + payload_offset;
++ }
++
++ if (offset + (payload_size >> 2) <= ring->buf_mask + 1) {
++ memcpy((void *)&ring->ring[offset], de_payload_cpu_addr, payload_size);
++ } else {
++ memcpy((void *)&ring->ring[offset], de_payload_cpu_addr,
++ (ring->buf_mask + 1 - offset) << 2);
++ payload_size -= (ring->buf_mask + 1 - offset) << 2;
++ memcpy((void *)&ring->ring[0],
++ de_payload_cpu_addr + ((ring->buf_mask + 1 - offset) << 2),
++ payload_size);
++ }
++}
++
+ static void gfx_v9_0_ring_emit_ib_compute(struct amdgpu_ring *ring,
+ struct amdgpu_job *job,
+ struct amdgpu_ib *ib,
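Review bot: `gfx_v9_0_ring_patch_ce_meta()` and `gfx_v9_0_ring_patch_de_meta()` are the same wrap-around copy into `ring->ring[]` with only the payload struct and field changed, and neither validates `offset` itself: with `offset > ring->buf_mask` the expression `ring->buf_mask + 1 - offset` would wrap and the first `memcpy()` length would be far larger than the ring. The caller in the companion patch does compare the offsets with `buf_mask`, but that check lives in another file. A shared helper that takes the source pointer and size and rejects an out-of-range offset keeps the bounds logic in one place, leaving each patch function to compute only its payload address. The sketch assumes the payload sizes are multiples of four bytes, as the `>> 2` in the original does.

```c
/* Copy @size bytes from @src into the ring at index @offset, wrapping at the ring end. */
static void gfx_v9_0_ring_patch_meta(struct amdgpu_ring *ring, unsigned offset,
				     const void *src, size_t size)
{
	size_t to_end;

	/* an offset past buf_mask was never marked by an IB submission */
	if (WARN_ON_ONCE(offset > ring->buf_mask))
		return;

	to_end = (size_t)(ring->buf_mask + 1 - offset) << 2;
	if (size <= to_end) {
		memcpy((void *)&ring->ring[offset], src, size);
	} else {
		memcpy((void *)&ring->ring[offset], src, to_end);
		memcpy((void *)&ring->ring[0], src + to_end, size - to_end);
	}
}

static void gfx_v9_0_ring_patch_ce_meta(struct amdgpu_ring *ring,
					unsigned offset)
{
	/* ... unchanged: ce_payload_cpu_addr lookup (MES ctx or CSA) ... */
	gfx_v9_0_ring_patch_meta(ring, offset, ce_payload_cpu_addr,
				 sizeof(struct v9_ce_ib_state));
}
```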
+@@ -5334,6 +5408,8 @@ static void gfx_v9_0_ring_emit_ce_meta(s
+ amdgpu_ring_write(ring, lower_32_bits(ce_payload_gpu_addr));
+ amdgpu_ring_write(ring, upper_32_bits(ce_payload_gpu_addr));
+
++ amdgpu_ring_ib_on_emit_ce(ring);
++
+ if (resume)
+ amdgpu_ring_write_multiple(ring, ce_payload_cpu_addr,
+ sizeof(ce_payload) >> 2);
+@@ -5445,6 +5521,7 @@ static void gfx_v9_0_ring_emit_de_meta(s
+ amdgpu_ring_write(ring, lower_32_bits(de_payload_gpu_addr));
+ amdgpu_ring_write(ring, upper_32_bits(de_payload_gpu_addr));
+
++ amdgpu_ring_ib_on_emit_de(ring);
+ if (resume)
+ amdgpu_ring_write_multiple(ring, de_payload_cpu_addr,
+ sizeof(de_payload) >> 2);
+@@ -6857,6 +6934,9 @@ static const struct amdgpu_ring_funcs gf
+ .emit_reg_write_reg_wait = gfx_v9_0_ring_emit_reg_write_reg_wait,
+ .soft_recovery = gfx_v9_0_ring_soft_recovery,
+ .emit_mem_sync = gfx_v9_0_emit_mem_sync,
++ .patch_cntl = gfx_v9_0_ring_patch_cntl,
++ .patch_de = gfx_v9_0_ring_patch_de_meta,
++ .patch_ce = gfx_v9_0_ring_patch_ce_meta,
+ };
+
+ static const struct amdgpu_ring_funcs gfx_v9_0_ring_funcs_compute = {
--- /dev/null
+From 87af86ae89963c227a3beb4d914f3dc7959a690e Mon Sep 17 00:00:00 2001
+From: Jiadong Zhu <Jiadong.Zhu@amd.com>
+Date: Thu, 25 May 2023 16:52:55 +0800
+Subject: drm/amdgpu: Modify indirect buffer packages for resubmission
+
+From: Jiadong Zhu <Jiadong.Zhu@amd.com>
+
+commit 87af86ae89963c227a3beb4d914f3dc7959a690e upstream.
+
+When a preempted IB frame is resubmitted to the CP, we need to modify the frame
+data, including:
+1. set PRE_RESUME 1 in CONTEXT_CONTROL.
+2. use meta data(DE and CE) read from CSA in WRITE_DATA.
+
+Add functions to save the location the first time IBs emitted and callback
+to patch the package when resubmission happens.
+
+Signed-off-by: Jiadong Zhu <Jiadong.Zhu@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.3.x
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 18 ++++++++
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 9 ++++
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ring_mux.c | 60 +++++++++++++++++++++++++++
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ring_mux.h | 15 ++++++
+ 4 files changed, 102 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+@@ -581,3 +581,21 @@ void amdgpu_ring_ib_end(struct amdgpu_ri
+ if (ring->is_sw_ring)
+ amdgpu_sw_ring_ib_end(ring);
+ }
++
++void amdgpu_ring_ib_on_emit_cntl(struct amdgpu_ring *ring)
++{
++ if (ring->is_sw_ring)
++ amdgpu_sw_ring_ib_mark_offset(ring, AMDGPU_MUX_OFFSET_TYPE_CONTROL);
++}
++
++void amdgpu_ring_ib_on_emit_ce(struct amdgpu_ring *ring)
++{
++ if (ring->is_sw_ring)
++ amdgpu_sw_ring_ib_mark_offset(ring, AMDGPU_MUX_OFFSET_TYPE_CE);
++}
++
++void amdgpu_ring_ib_on_emit_de(struct amdgpu_ring *ring)
++{
++ if (ring->is_sw_ring)
++ amdgpu_sw_ring_ib_mark_offset(ring, AMDGPU_MUX_OFFSET_TYPE_DE);
++}
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h
+@@ -227,6 +227,9 @@ struct amdgpu_ring_funcs {
+ int (*preempt_ib)(struct amdgpu_ring *ring);
+ void (*emit_mem_sync)(struct amdgpu_ring *ring);
+ void (*emit_wave_limit)(struct amdgpu_ring *ring, bool enable);
++ void (*patch_cntl)(struct amdgpu_ring *ring, unsigned offset);
++ void (*patch_ce)(struct amdgpu_ring *ring, unsigned offset);
++ void (*patch_de)(struct amdgpu_ring *ring, unsigned offset);
+ };
+
+ struct amdgpu_ring {
+@@ -316,10 +319,16 @@ struct amdgpu_ring {
+ #define amdgpu_ring_init_cond_exec(r) (r)->funcs->init_cond_exec((r))
+ #define amdgpu_ring_patch_cond_exec(r,o) (r)->funcs->patch_cond_exec((r),(o))
+ #define amdgpu_ring_preempt_ib(r) (r)->funcs->preempt_ib(r)
++#define amdgpu_ring_patch_cntl(r, o) ((r)->funcs->patch_cntl((r), (o)))
++#define amdgpu_ring_patch_ce(r, o) ((r)->funcs->patch_ce((r), (o)))
++#define amdgpu_ring_patch_de(r, o) ((r)->funcs->patch_de((r), (o)))
+
+ int amdgpu_ring_alloc(struct amdgpu_ring *ring, unsigned ndw);
+ void amdgpu_ring_ib_begin(struct amdgpu_ring *ring);
+ void amdgpu_ring_ib_end(struct amdgpu_ring *ring);
++void amdgpu_ring_ib_on_emit_cntl(struct amdgpu_ring *ring);
++void amdgpu_ring_ib_on_emit_ce(struct amdgpu_ring *ring);
++void amdgpu_ring_ib_on_emit_de(struct amdgpu_ring *ring);
+
+ void amdgpu_ring_insert_nop(struct amdgpu_ring *ring, uint32_t count);
+ void amdgpu_ring_generic_pad_ib(struct amdgpu_ring *ring, struct amdgpu_ib *ib);
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring_mux.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring_mux.c
+@@ -105,6 +105,16 @@ static void amdgpu_mux_resubmit_chunks(s
+ amdgpu_fence_update_start_timestamp(e->ring,
+ chunk->sync_seq,
+ ktime_get());
++ if (chunk->sync_seq ==
++ le32_to_cpu(*(e->ring->fence_drv.cpu_addr + 2))) {
++ if (chunk->cntl_offset <= e->ring->buf_mask)
++ amdgpu_ring_patch_cntl(e->ring,
++ chunk->cntl_offset);
++ if (chunk->ce_offset <= e->ring->buf_mask)
++ amdgpu_ring_patch_ce(e->ring, chunk->ce_offset);
++ if (chunk->de_offset <= e->ring->buf_mask)
++ amdgpu_ring_patch_de(e->ring, chunk->de_offset);
++ }
+ amdgpu_ring_mux_copy_pkt_from_sw_ring(mux, e->ring,
+ chunk->start,
+ chunk->end);
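Review bot: `amdgpu_ring_patch_cntl()`, `amdgpu_ring_patch_ce()` and `amdgpu_ring_patch_de()` are invoked here without checking that the ring's `funcs` table provides them, and the macros added in amdgpu_ring.h dereference the pointer unconditionally. Only the offset sentinel (`<= e->ring->buf_mask`) guards each call, so a ring type that marks offsets but does not set the callbacks would call through NULL; whether any such ring exists is not visible in this patch. Testing the pointer alongside the offset is cheap, e.g. `if (e->ring->funcs->patch_cntl && chunk->cntl_offset <= e->ring->buf_mask)`. The index in `*(e->ring->fence_drv.cpu_addr + 2)` also deserves a comment saying which fence slot it reads. The enclosing function starts and ends outside the hunk.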
+@@ -407,6 +417,17 @@ void amdgpu_sw_ring_ib_end(struct amdgpu
+ amdgpu_ring_mux_end_ib(mux, ring);
+ }
+
++void amdgpu_sw_ring_ib_mark_offset(struct amdgpu_ring *ring, enum amdgpu_ring_mux_offset_type type)
++{
++ struct amdgpu_device *adev = ring->adev;
++ struct amdgpu_ring_mux *mux = &adev->gfx.muxer;
++ unsigned offset;
++
++ offset = ring->wptr & ring->buf_mask;
++
++ amdgpu_ring_mux_ib_mark_offset(mux, ring, offset, type);
++}
++
+ void amdgpu_ring_mux_start_ib(struct amdgpu_ring_mux *mux, struct amdgpu_ring *ring)
+ {
+ struct amdgpu_mux_entry *e;
+@@ -429,6 +450,10 @@ void amdgpu_ring_mux_start_ib(struct amd
+ }
+
+ chunk->start = ring->wptr;
++ /* the initialized value used to check if they are set by the ib submission*/
++ chunk->cntl_offset = ring->buf_mask + 1;
++ chunk->de_offset = ring->buf_mask + 1;
++ chunk->ce_offset = ring->buf_mask + 1;
+ list_add_tail(&chunk->entry, &e->list);
+ }
+
+@@ -454,6 +479,41 @@ static void scan_and_remove_signaled_chu
+ }
+ }
+
++void amdgpu_ring_mux_ib_mark_offset(struct amdgpu_ring_mux *mux,
++ struct amdgpu_ring *ring, u64 offset,
++ enum amdgpu_ring_mux_offset_type type)
++{
++ struct amdgpu_mux_entry *e;
++ struct amdgpu_mux_chunk *chunk;
++
++ e = amdgpu_ring_mux_sw_entry(mux, ring);
++ if (!e) {
++ DRM_ERROR("cannot find entry!\n");
++ return;
++ }
++
++ chunk = list_last_entry(&e->list, struct amdgpu_mux_chunk, entry);
++ if (!chunk) {
++ DRM_ERROR("cannot find chunk!\n");
++ return;
++ }
++
++ switch (type) {
++ case AMDGPU_MUX_OFFSET_TYPE_CONTROL:
++ chunk->cntl_offset = offset;
++ break;
++ case AMDGPU_MUX_OFFSET_TYPE_DE:
++ chunk->de_offset = offset;
++ break;
++ case AMDGPU_MUX_OFFSET_TYPE_CE:
++ chunk->ce_offset = offset;
++ break;
++ default:
++ DRM_ERROR("invalid type (%d)\n", type);
++ break;
++ }
++}
++
+ void amdgpu_ring_mux_end_ib(struct amdgpu_ring_mux *mux, struct amdgpu_ring *ring)
+ {
+ struct amdgpu_mux_entry *e;
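Review bot: The `if (!chunk)` test after `list_last_entry()` can never fire: on an empty list that macro does not return NULL, it returns a pointer computed from the list head itself, so the `chunk->cntl_offset = offset` style stores below would land in the memory around `e->list`. Check the list before taking the entry, `if (list_empty(&e->list)) { DRM_ERROR("cannot find chunk!\n"); return; }`, and drop the NULL test. A kerneldoc comment stating that this must run between `amdgpu_ring_mux_start_ib()` and `amdgpu_ring_mux_end_ib()` would also help; that ordering is inferred from the start_ib hunk, where the chunk is appended to the list.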
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring_mux.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring_mux.h
+@@ -50,6 +50,12 @@ struct amdgpu_mux_entry {
+ struct list_head list;
+ };
+
++enum amdgpu_ring_mux_offset_type {
++ AMDGPU_MUX_OFFSET_TYPE_CONTROL,
++ AMDGPU_MUX_OFFSET_TYPE_DE,
++ AMDGPU_MUX_OFFSET_TYPE_CE,
++};
++
+ struct amdgpu_ring_mux {
+ struct amdgpu_ring *real_ring;
+
+@@ -72,12 +78,18 @@ struct amdgpu_ring_mux {
+ * @sync_seq: the fence seqno related with the saved IB.
+ * @start:- start location on the software ring.
+ * @end:- end location on the software ring.
++ * @control_offset:- the PRE_RESUME bit position used for resubmission.
++ * @de_offset:- the anchor in write_data for de meta of resubmission.
++ * @ce_offset:- the anchor in write_data for ce meta of resubmission.
+ */
+ struct amdgpu_mux_chunk {
+ struct list_head entry;
+ uint32_t sync_seq;
+ u64 start;
+ u64 end;
++ u64 cntl_offset;
++ u64 de_offset;
++ u64 ce_offset;
+ };
+
+ int amdgpu_ring_mux_init(struct amdgpu_ring_mux *mux, struct amdgpu_ring *ring,
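Review bot: The kerneldoc line added for the first new member names it `@control_offset`, but the member declared in `struct amdgpu_mux_chunk` is `cntl_offset`, so the documented name and the field do not match. It should read `* @cntl_offset:- the PRE_RESUME bit position used for resubmission.`. The three offsets are indexes into the software ring, with `buf_mask + 1` meaning "not set" (per the start_ib hunk in amdgpu_ring_mux.c); saying so in this comment would save readers a search.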
+@@ -89,6 +101,8 @@ u64 amdgpu_ring_mux_get_wptr(struct amdg
+ u64 amdgpu_ring_mux_get_rptr(struct amdgpu_ring_mux *mux, struct amdgpu_ring *ring);
+ void amdgpu_ring_mux_start_ib(struct amdgpu_ring_mux *mux, struct amdgpu_ring *ring);
+ void amdgpu_ring_mux_end_ib(struct amdgpu_ring_mux *mux, struct amdgpu_ring *ring);
++void amdgpu_ring_mux_ib_mark_offset(struct amdgpu_ring_mux *mux, struct amdgpu_ring *ring,
++ u64 offset, enum amdgpu_ring_mux_offset_type type);
+ bool amdgpu_mcbp_handle_trailing_fence_irq(struct amdgpu_ring_mux *mux);
+
+ u64 amdgpu_sw_ring_get_rptr_gfx(struct amdgpu_ring *ring);
+@@ -97,6 +111,7 @@ void amdgpu_sw_ring_set_wptr_gfx(struct
+ void amdgpu_sw_ring_insert_nop(struct amdgpu_ring *ring, uint32_t count);
+ void amdgpu_sw_ring_ib_begin(struct amdgpu_ring *ring);
+ void amdgpu_sw_ring_ib_end(struct amdgpu_ring *ring);
++void amdgpu_sw_ring_ib_mark_offset(struct amdgpu_ring *ring, enum amdgpu_ring_mux_offset_type type);
+ const char *amdgpu_sw_ring_name(int idx);
+ unsigned int amdgpu_sw_ring_priority(int idx);
+
--- /dev/null
+From 94034b306ddde4a4a9c1a597ae7f61f04b710dc7 Mon Sep 17 00:00:00 2001
+From: Jiadong Zhu <Jiadong.Zhu@amd.com>
+Date: Wed, 24 May 2023 16:51:32 +0800
+Subject: drm/amdgpu: Program gds backup address as zero if no gds allocated
+
+From: Jiadong Zhu <Jiadong.Zhu@amd.com>
+
+commit 94034b306ddde4a4a9c1a597ae7f61f04b710dc7 upstream.
+
+It is firmware requirement to set gds_backup_addrlo and gds_backup_addrhi
+of DE meta both zero if no gds partition is allocated for the frame.
+
+Signed-off-by: Jiadong Zhu <Jiadong.Zhu@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.3.x
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -755,7 +755,7 @@ static void gfx_v9_0_set_rlc_funcs(struc
+ static int gfx_v9_0_get_cu_info(struct amdgpu_device *adev,
+ struct amdgpu_cu_info *cu_info);
+ static uint64_t gfx_v9_0_get_gpu_clock_counter(struct amdgpu_device *adev);
+-static void gfx_v9_0_ring_emit_de_meta(struct amdgpu_ring *ring, bool resume);
++static void gfx_v9_0_ring_emit_de_meta(struct amdgpu_ring *ring, bool resume, bool usegds);
+ static u64 gfx_v9_0_ring_get_rptr_compute(struct amdgpu_ring *ring);
+ static void gfx_v9_0_query_ras_error_count(struct amdgpu_device *adev,
+ void *ras_error_status);
+@@ -5124,7 +5124,8 @@ static void gfx_v9_0_ring_emit_ib_gfx(st
+ gfx_v9_0_ring_emit_de_meta(ring,
+ (!amdgpu_sriov_vf(ring->adev) &&
+ flags & AMDGPU_IB_PREEMPTED) ?
+- true : false);
++ true : false,
++ job->gds_size > 0 && job->gds_base != 0);
+ }
+
+ amdgpu_ring_write(ring, header);
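Review bot: The new argument reads `job->gds_size` and `job->gds_base` without a NULL test, and nothing in this hunk shows that `job` is always set when `gfx_v9_0_ring_emit_ib_gfx()` reaches this call. If IBs can be emitted without a job on this path, the expression should be `job && job->gds_size > 0 && job->gds_base != 0`. The `? true : false` on the preceding argument is redundant as well, since the condition already evaluates to 0 or 1. The function starts and ends outside the hunk.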
+@@ -5399,7 +5400,7 @@ static int gfx_v9_0_ring_preempt_ib(stru
+ return r;
+ }
+
+-static void gfx_v9_0_ring_emit_de_meta(struct amdgpu_ring *ring, bool resume)
++static void gfx_v9_0_ring_emit_de_meta(struct amdgpu_ring *ring, bool resume, bool usegds)
+ {
+ struct amdgpu_device *adev = ring->adev;
+ struct v9_de_ib_state de_payload = {0};
+@@ -5430,8 +5431,10 @@ static void gfx_v9_0_ring_emit_de_meta(s
+ PAGE_SIZE);
+ }
+
+- de_payload.gds_backup_addrlo = lower_32_bits(gds_addr);
+- de_payload.gds_backup_addrhi = upper_32_bits(gds_addr);
++ if (usegds) {
++ de_payload.gds_backup_addrlo = lower_32_bits(gds_addr);
++ de_payload.gds_backup_addrhi = upper_32_bits(gds_addr);
++ }
+
+ cnt = (sizeof(de_payload) >> 2) + 4 - 2;
+ amdgpu_ring_write(ring, PACKET3(PACKET3_WRITE_DATA, cnt));
--- /dev/null
+From 1dbcf770cc2d15baf8a1e8174d6fd014a68b45ca Mon Sep 17 00:00:00 2001
+From: Jiadong Zhu <Jiadong.Zhu@amd.com>
+Date: Wed, 24 May 2023 11:42:19 +0800
+Subject: drm/amdgpu: Reset CP_VMID_PREEMPT after trailing fence signaled
+
+From: Jiadong Zhu <Jiadong.Zhu@amd.com>
+
+commit 1dbcf770cc2d15baf8a1e8174d6fd014a68b45ca upstream.
+
+When MEC executes unmap_queue for mid command buffer preemption, it will
+kick the write pointer of the gfx ring, set CP_VMID_PREEMPT to trigger the
+preemption and wait for CP_VMID_PREEMPT becomes zero after the preemption
+done. There is a race condition in which PFP may execute the resetting command
+before MEC sets CP_VMID_PREEMPT. As a result, a hang happens as
+CP_VMID_PREEMPT is always 0xffff.
+
+To avoid this, we send the resetting CP_VMID_PREEMPT command after the trailing
+fence is signaled and update the gfx write pointer explicitly.
+
+Signed-off-by: Jiadong Zhu <Jiadong.Zhu@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.3.x
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2535
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -5366,10 +5366,6 @@ static int gfx_v9_0_ring_preempt_ib(stru
+ amdgpu_ring_alloc(ring, 13);
+ gfx_v9_0_ring_emit_fence(ring, ring->trail_fence_gpu_addr,
+ ring->trail_seq, AMDGPU_FENCE_FLAG_EXEC | AMDGPU_FENCE_FLAG_INT);
+- /*reset the CP_VMID_PREEMPT after trailing fence*/
+- amdgpu_ring_emit_wreg(ring,
+- SOC15_REG_OFFSET(GC, 0, mmCP_VMID_PREEMPT),
+- 0x0);
+
+ /* assert IB preemption, emit the trailing fence */
+ kiq->pmf->kiq_unmap_queues(kiq_ring, ring, PREEMPT_QUEUES_NO_UNMAP,
+@@ -5392,6 +5388,10 @@ static int gfx_v9_0_ring_preempt_ib(stru
+ DRM_WARN("ring %d timeout to preempt ib\n", ring->idx);
+ }
+
++ /*reset the CP_VMID_PREEMPT after trailing fence*/
++ amdgpu_ring_emit_wreg(ring,
++ SOC15_REG_OFFSET(GC, 0, mmCP_VMID_PREEMPT),
++ 0x0);
+ amdgpu_ring_commit(ring);
+
+ /* deassert preemption condition */
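Review bot: The moved comment `/*reset the CP_VMID_PREEMPT after trailing fence*/` no longer tells a reader why the write sits after the wait loop, and that ordering is the entire fix. Something like `/* reset CP_VMID_PREEMPT only once the trailing fence has signaled, so PFP cannot clear it before MEC sets it */` records the race from the commit message at the place it matters. The write is also emitted when the wait above ends in the `timeout to preempt ib` warning; whether that is intended is not visible here, as the function body extends beyond the hunk.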
--- /dev/null
+From 9db5ec1ceb5303398ec4f899d691073d531257c3 Mon Sep 17 00:00:00 2001
+From: Sonny Jiang <sonjiang@amd.com>
+Date: Tue, 6 Jun 2023 17:18:52 -0400
+Subject: drm/amdgpu: vcn_4_0 set instance 0 init sched score to 1
+
+From: Sonny Jiang <sonjiang@amd.com>
+
+commit 9db5ec1ceb5303398ec4f899d691073d531257c3 upstream.
+
+Only vcn0 can process the AV1 codec. In order to use both vcn0 and
+vcn1 in h264/265 transcode to AV1 cases, set vcn0 sched score to 1
+at initialization time.
+
+Signed-off-by: Sonny Jiang <sonjiang@amd.com>
+Reviewed-by: Leo Liu <leo.liu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.1.x
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+@@ -129,7 +129,11 @@ static int vcn_v4_0_sw_init(void *handle
+ if (adev->vcn.harvest_config & (1 << i))
+ continue;
+
+- atomic_set(&adev->vcn.inst[i].sched_score, 0);
++ /* Init instance 0 sched_score to 1, so it's scheduled after other instances */
++ if (i == 0)
++ atomic_set(&adev->vcn.inst[i].sched_score, 1);
++ else
++ atomic_set(&adev->vcn.inst[i].sched_score, 0);
+
+ /* VCN UNIFIED TRAP */
+ r = amdgpu_irq_add_id(adev, amdgpu_ih_clientid_vcns[i],
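Review bot: The added comment says instance 0 is "scheduled after other instances" but not why; the reason given in the commit message (only vcn0 can handle AV1) belongs next to the code. The `if`/`else` around two otherwise identical `atomic_set()` calls can also collapse to `atomic_set(&adev->vcn.inst[i].sched_score, i == 0 ? 1 : 0);`. The loop this sits in starts outside the hunk.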
--- /dev/null
+From 2192bba03d80f829233bfa34506b428f71e531e7 Mon Sep 17 00:00:00 2001
+From: Benjamin Segall <bsegall@google.com>
+Date: Tue, 30 May 2023 11:32:28 -0700
+Subject: epoll: ep_autoremove_wake_function should use list_del_init_careful
+
+From: Benjamin Segall <bsegall@google.com>
+
+commit 2192bba03d80f829233bfa34506b428f71e531e7 upstream.
+
+autoremove_wake_function uses list_del_init_careful, so should epoll's
+more aggressive variant. It only doesn't because it was copied from an
+older wait.c rather than the most recent.
+
+[bsegall@google.com: add comment]
+ Link: https://lkml.kernel.org/r/xm26bki0ulsr.fsf_-_@google.com
+Link: https://lkml.kernel.org/r/xm26pm6hvfer.fsf@google.com
+Fixes: a16ceb139610 ("epoll: autoremove wakers even more aggressively")
+Signed-off-by: Ben Segall <bsegall@google.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/eventpoll.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -1760,7 +1760,11 @@ static int ep_autoremove_wake_function(s
+ {
+ int ret = default_wake_function(wq_entry, mode, sync, key);
+
+- list_del_init(&wq_entry->entry);
++ /*
++ * Pairs with list_empty_careful in ep_poll, and ensures future loop
++ * iterations see the cause of this wakeup.
++ */
++ list_del_init_careful(&wq_entry->entry);
+ return ret;
+ }
+
--- /dev/null
+From cac9e4418f4cbd548ccb065b3adcafe073f7f7d2 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 12 Jun 2023 13:51:36 -0600
+Subject: io_uring/net: save msghdr->msg_control for retries
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit cac9e4418f4cbd548ccb065b3adcafe073f7f7d2 upstream.
+
+If the application sets ->msg_control and we have to later retry this
+command, or if it got queued with IOSQE_ASYNC to begin with, then we
+need to retain the original msg_control value. This is due to the net
+stack overwriting this field with an in-kernel pointer, to copy it
+in. Hitting that path for the second time will now fail the copy from
+user, as it's attempting to copy from a non-user address.
+
+Cc: stable@vger.kernel.org # 5.10+
+Link: https://github.com/axboe/liburing/issues/880
+Reported-and-tested-by: Marek Majkowski <marek@cloudflare.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -65,6 +65,7 @@ struct io_sr_msg {
+ u16 addr_len;
+ u16 buf_group;
+ void __user *addr;
++ void __user *msg_control;
+ /* used only for send zerocopy */
+ struct io_kiocb *notif;
+ };
+@@ -195,11 +196,15 @@ static int io_sendmsg_copy_hdr(struct io
+ struct io_async_msghdr *iomsg)
+ {
+ struct io_sr_msg *sr = io_kiocb_to_cmd(req, struct io_sr_msg);
++ int ret;
+
+ iomsg->msg.msg_name = &iomsg->addr;
+ iomsg->free_iov = iomsg->fast_iov;
+- return sendmsg_copy_msghdr(&iomsg->msg, sr->umsg, sr->msg_flags,
++ ret = sendmsg_copy_msghdr(&iomsg->msg, sr->umsg, sr->msg_flags,
+ &iomsg->free_iov);
++ /* save msg_control as sys_sendmsg() overwrites it */
++ sr->msg_control = iomsg->msg.msg_control;
++ return ret;
+ }
+
+ int io_send_prep_async(struct io_kiocb *req)
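Review bot: `sr->msg_control` is declared `void __user *` in the first hunk, yet it is filled from `iomsg->msg.msg_control` here and written back to that member in `io_sendmsg()`; that member is the kernel-pointer view of the field, so the address-space annotation is lost on both assignments. `struct msghdr` has a `msg_control_user` member for the user pointer, and using it lets sparse catch the kind of user/kernel mix-up this patch fixes: `sr->msg_control = iomsg->msg.msg_control_user;`. The save also runs when `sendmsg_copy_msghdr()` returned an error; guarding it with `if (!ret)` avoids recording a value from a header that was not copied.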
+@@ -297,6 +302,7 @@ int io_sendmsg(struct io_kiocb *req, uns
+
+ if (req_has_async_data(req)) {
+ kmsg = req->async_data;
++ kmsg->msg.msg_control = sr->msg_control;
+ } else {
+ ret = io_sendmsg_copy_hdr(req, &iomsg);
+ if (ret)
--- /dev/null
+From 8652d44f466ad5772e7d1756e9457046189b0dfc Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Fri, 19 May 2023 16:47:36 +0200
+Subject: kexec: support purgatories with .text.hot sections
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 8652d44f466ad5772e7d1756e9457046189b0dfc upstream.
+
+Patch series "kexec: Fix kexec_file_load for llvm16 with PGO", v7.
+
+When upreving llvm I realised that kexec stopped working on my test
+platform.
+
+The reason seems to be that due to PGO there are multiple .text sections
+in the purgatory, and kexec does not support that.
+
+
+This patch (of 4):
+
+Clang16 links the purgatory text in two sections when PGO is in use:
+
+ [ 1] .text PROGBITS 0000000000000000 00000040
+ 00000000000011a1 0000000000000000 AX 0 0 16
+ [ 2] .rela.text RELA 0000000000000000 00003498
+ 0000000000000648 0000000000000018 I 24 1 8
+ ...
+ [17] .text.hot. PROGBITS 0000000000000000 00003220
+ 000000000000020b 0000000000000000 AX 0 0 1
+ [18] .rela.text.hot. RELA 0000000000000000 00004428
+ 0000000000000078 0000000000000018 I 24 17 8
+
+And both of them have their range [sh_addr ... sh_addr+sh_size] on the
+area pointed by `e_entry`.
+
+This causes that image->start is calculated twice, once for .text and
+another time for .text.hot. The second calculation leaves image->start
+in a random location.
+
+Because of this, the system crashes immediately after:
+
+kexec_core: Starting new kernel
+
+Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-0-b05c520b7296@chromium.org
+Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-1-b05c520b7296@chromium.org
+Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Reviewed-by: Ross Zwisler <zwisler@google.com>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Reviewed-by: Philipp Rudo <prudo@redhat.com>
+Cc: Albert Ou <aou@eecs.berkeley.edu>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Dave Young <dyoung@redhat.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Palmer Dabbelt <palmer@rivosinc.com>
+Cc: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: Simon Horman <horms@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tom Rix <trix@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kexec_file.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/kernel/kexec_file.c
++++ b/kernel/kexec_file.c
+@@ -901,10 +901,22 @@ static int kexec_purgatory_setup_sechdrs
+ }
+
+ offset = ALIGN(offset, align);
++
++ /*
++ * Check if the segment contains the entry point, if so,
++ * calculate the value of image->start based on it.
++ * If the compiler has produced more than one .text section
++ * (Eg: .text.hot), they are generally after the main .text
++ * section, and they shall not be used to calculate
++ * image->start. So do not re-calculate image->start if it
++ * is not set to the initial value, and warn the user so they
++ * have a chance to fix their purgatory's linker script.
++ */
+ if (sechdrs[i].sh_flags & SHF_EXECINSTR &&
+ pi->ehdr->e_entry >= sechdrs[i].sh_addr &&
+ pi->ehdr->e_entry < (sechdrs[i].sh_addr
+- + sechdrs[i].sh_size)) {
++ + sechdrs[i].sh_size) &&
++ !WARN_ON(kbuf->image->start != pi->ehdr->e_entry)) {
+ kbuf->image->start -= sechdrs[i].sh_addr;
+ kbuf->image->start += kbuf->mem + offset;
+ }
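Review bot: Putting `WARN_ON()` inside the condition means every load of a purgatory with a second executable section overlapping `e_entry` prints a full backtrace, and on systems that set `panic_on_warn` it panics instead of just skipping the section. Since the new comment describes this as a build artifact to be fixed in the linker script, a one-time message is enough: test `kbuf->image->start == pi->ehdr->e_entry` in the condition and report the skipped section with `pr_warn_once()`. The check also depends on `image->start` having been initialised to `e_entry` before this loop, which happens outside the hunk.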
--- /dev/null
+From 41efbb682de1231c3f6361039f46ad149e3ff5b9 Mon Sep 17 00:00:00 2001
+From: Immad Mir <mirimmad17@gmail.com>
+Date: Thu, 15 Jun 2023 14:35:56 +0800
+Subject: LoongArch: Fix debugfs_create_dir() error checking
+
+From: Immad Mir <mirimmad17@gmail.com>
+
+commit 41efbb682de1231c3f6361039f46ad149e3ff5b9 upstream.
+
+The debugfs_create_dir() function returns ERR_PTR in case of an error, and the
+correct way of checking it is to use the IS_ERR_OR_NULL inline function
+rather than a simple null comparison. This patch fixes the issue.
+
+Cc: stable@vger.kernel.org
+Suggested-By: Ivan Orlov <ivan.orlov0322@gmail.com>
+Signed-off-by: Immad Mir <mirimmad17@gmail.com>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kernel/unaligned.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/loongarch/kernel/unaligned.c
++++ b/arch/loongarch/kernel/unaligned.c
+@@ -485,7 +485,7 @@ static int __init debugfs_unaligned(void
+ struct dentry *d;
+
+ d = debugfs_create_dir("loongarch", NULL);
+- if (!d)
++ if (IS_ERR_OR_NULL(d))
+ return -ENOMEM;
+
+ debugfs_create_u32("unaligned_instructions_user",
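Review bot: The check now catches `ERR_PTR` values but still returns `-ENOMEM` for all of them, discarding the actual error from `debugfs_create_dir()`. `if (IS_ERR(d)) return PTR_ERR(d);` propagates it; the `_OR_NULL` half only matters if the function can return NULL, which the commit message does not claim. The body of `debugfs_unaligned()` continues outside the hunk.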
--- /dev/null
+From 962369120d750cbc9c4dc492f32b4304669ff6aa Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Thu, 15 Jun 2023 14:35:52 +0800
+Subject: LoongArch: Fix perf event id calculation
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit 962369120d750cbc9c4dc492f32b4304669ff6aa upstream.
+
+LoongArch PMCFG has 10bit event id rather than 8 bit, so fix it.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jun Yi <yijun@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kernel/perf_event.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/loongarch/kernel/perf_event.c
++++ b/arch/loongarch/kernel/perf_event.c
+@@ -271,7 +271,7 @@ static void loongarch_pmu_enable_event(s
+ WARN_ON(idx < 0 || idx >= loongarch_pmu.num_counters);
+
+ /* Make sure interrupt enabled. */
+- cpuc->saved_ctrl[idx] = M_PERFCTL_EVENT(evt->event_base & 0xff) |
++ cpuc->saved_ctrl[idx] = M_PERFCTL_EVENT(evt->event_base) |
+ (evt->config_base & M_PERFCTL_CONFIG_MASK) | CSR_PERFCTRL_IE;
+
+ cpu = (event->cpu >= 0) ? event->cpu : smp_processor_id();
+@@ -594,7 +594,7 @@ static struct pmu pmu = {
+
+ static unsigned int loongarch_pmu_perf_event_encode(const struct loongarch_perf_event *pev)
+ {
+- return (pev->event_id & 0xff);
++ return M_PERFCTL_EVENT(pev->event_id);
+ }
+
+ static const struct loongarch_perf_event *loongarch_pmu_map_general_event(int idx)
+@@ -849,7 +849,7 @@ static void resume_local_counters(void)
+
+ static const struct loongarch_perf_event *loongarch_pmu_map_raw_event(u64 config)
+ {
+- raw_event.event_id = config & 0xff;
++ raw_event.event_id = M_PERFCTL_EVENT(config);
+
+ return &raw_event;
+ }
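Review bot: loongarch_pmu_map_raw_event() stores `M_PERFCTL_EVENT(config)` without telling the caller when the u64 `config` had bits outside the event-id field. Assuming the macro masks to that field (its definition is not in this patch), such values are truncated to a different event rather than rejected. The same macro replaces `& 0xff` in loongarch_pmu_enable_event() and loongarch_pmu_perf_event_encode() in the two hunks above. A comment such as `/* PMCFG event id is 10 bits; higher config bits are ignored */` would document the behaviour.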
--- /dev/null
+From 5ff6e2fff88ef9bf110c5e85a48e7b557bfc64c1 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Sat, 27 May 2023 11:21:01 +0800
+Subject: mm/damon/core: fix divide error in damon_nr_accesses_to_accesses_bp()
+
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+
+commit 5ff6e2fff88ef9bf110c5e85a48e7b557bfc64c1 upstream.
+
+If 'aggr_interval' is smaller than 'sample_interval', max_nr_accesses in
+damon_nr_accesses_to_accesses_bp() becomes zero which leads to divide
+error, let's validate the values of them in damon_set_attrs() to fix it,
+which is similar to the other attrs checks.
+
+Link: https://lkml.kernel.org/r/20230527032101.167788-1-wangkefeng.wang@huawei.com
+Fixes: 2f5bef5a590b ("mm/damon/core: update monitoring results for new monitoring attributes")
+Reported-by: syzbot+841a46899768ec7bec67@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=841a46899768ec7bec67
+Link: https://lore.kernel.org/damon/00000000000055fc4e05fc975bc2@google.com/
+Reviewed-by: SeongJae Park <sj@kernel.org>
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/damon/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/mm/damon/core.c b/mm/damon/core.c
+index d9ef62047bf5..91cff7f2997e 100644
+--- a/mm/damon/core.c
++++ b/mm/damon/core.c
+@@ -551,6 +551,8 @@ int damon_set_attrs(struct damon_ctx *ctx, struct damon_attrs *attrs)
+ return -EINVAL;
+ if (attrs->min_nr_regions > attrs->max_nr_regions)
+ return -EINVAL;
++ if (attrs->sample_interval > attrs->aggr_interval)
++ return -EINVAL;
+
+ damon_update_monitoring_results(ctx, attrs);
+ ctx->attrs = *attrs;
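Review bot: A `sample_interval` of zero still passes the added check in damon_set_attrs(), since `0 > aggr_interval` is never true. The commit message describes max_nr_accesses going to zero when aggr_interval is smaller than sample_interval, which suggests it is computed as aggr_interval divided by sample_interval in damon_nr_accesses_to_accesses_bp(); that function is outside the hunk, so this is inferred. If so, a zero sample_interval would be a zero divisor, and the guard could read `if (!attrs->sample_interval || attrs->sample_interval > attrs->aggr_interval)`. If zero is a setting callers rely on, the divisor could be clamped at the point of use instead.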
+--
+2.41.0
+
--- /dev/null
+From 4f572f0074b8be8a70bd150d96a749aa94c8d85f Mon Sep 17 00:00:00 2001
+From: Haibo Li <haibo.li@mediatek.com>
+Date: Fri, 26 May 2023 10:21:25 +0800
+Subject: mm/gup_test: fix ioctl fail for compat task
+
+From: Haibo Li <haibo.li@mediatek.com>
+
+commit 4f572f0074b8be8a70bd150d96a749aa94c8d85f upstream.
+
+When tools/testing/selftests/mm/gup_test.c is compiled as 32bit, then run
+on arm64 kernel, it reports "ioctl: Inappropriate ioctl for device".
+
+Fix it by filling compat_ioctl in gup_test_fops
+
+Link: https://lkml.kernel.org/r/20230526022125.175728-1-haibo.li@mediatek.com
+Signed-off-by: Haibo Li <haibo.li@mediatek.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Cc: Matthias Brugger <matthias.bgg@gmail.com>
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/gup_test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/gup_test.c
++++ b/mm/gup_test.c
+@@ -381,6 +381,7 @@ static int gup_test_release(struct inode
+ static const struct file_operations gup_test_fops = {
+ .open = nonseekable_open,
+ .unlocked_ioctl = gup_test_ioctl,
++ .compat_ioctl = compat_ptr_ioctl,
+ .release = gup_test_release,
+ };
+
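Review bot: `.compat_ioctl = compat_ptr_ioctl` is only correct while every argument gup_test_ioctl() accepts is a user pointer to a structure whose layout is identical for 32-bit and 64-bit callers, and nothing next to the initializer records that. The handler and its argument structure are outside the hunk, so the layout cannot be confirmed here. A comment on the new line such as `/* args are pointers to fixed-layout structs, no compat translation needed */` would keep a later change to the ioctl ABI from silently breaking 32-bit callers.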
--- /dev/null
+From 270aa010620697fb27b8f892cc4e194bc2b7d134 Mon Sep 17 00:00:00 2001
+From: Peter Xu <peterx@redhat.com>
+Date: Wed, 17 May 2023 15:09:15 -0400
+Subject: mm/uffd: fix vma operation where start addr cuts part of vma
+
+From: Peter Xu <peterx@redhat.com>
+
+commit 270aa010620697fb27b8f892cc4e194bc2b7d134 upstream.
+
+Patch series "mm/uffd: Fix vma merge/split", v2.
+
+This series contains two patches that fix vma merge/split for userfaultfd
+on two separate issues.
+
+Patch 1 fixes a regression since 6.1+ due to something we overlooked when
+converting to maple tree apis. The plan is we use patch 1 to replace the
+commit "2f628010799e (mm: userfaultfd: avoid passing an invalid range to
+vma_merge())" in mm-hostfixes-unstable tree if possible, so as to bring
+uffd vma operations back aligned with the rest code again.
+
+Patch 2 fixes a long standing issue that vma can be left unmerged even if
+we can for either uffd register or unregister.
+
+Many thanks to Lorenzo on either noticing this issue from the assert
+movement patch, looking at this problem, and also provided a reproducer on
+the unmerged vma issue [1].
+
+[1] https://gist.github.com/lorenzo-stoakes/a11a10f5f479e7a977fc456331266e0e
+
+
+This patch (of 2):
+
+It seems vma merging with uffd paths is broken with either
+register/unregister, where right now we can feed wrong parameters to
+vma_merge() and it's found by recent patch which moved asserts upwards in
+vma_merge() by Lorenzo Stoakes:
+
+https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/
+
+It's possible that "start" is contained within vma but not clamped to its
+start. We need to convert this into either "cannot merge" case or "can
+merge" case 4 which permits subdivision of prev by assigning vma to prev.
+As we loop, each subsequent VMA will be clamped to the start.
+
+This patch will eliminate the report and make sure vma_merge() calls will
+become legal again.
+
+One thing to mention is that the "Fixes: 29417d292bd0" below is there only
+to help explain where the warning can start to trigger, the real commit to
+fix should be 69dbe6daf104. Commit 29417d292bd0 helps us to identify the
+issue, but unfortunately we may want to keep it in Fixes too just to ease
+kernel backporters for easier tracking.
+
+Link: https://lkml.kernel.org/r/20230517190916.3429499-1-peterx@redhat.com
+Link: https://lkml.kernel.org/r/20230517190916.3429499-2-peterx@redhat.com
+Fixes: 69dbe6daf104 ("userfaultfd: use maple tree iterator to iterate VMAs")
+Signed-off-by: Peter Xu <peterx@redhat.com>
+Reported-by: Mark Rutland <mark.rutland@arm.com>
+Reviewed-by: Lorenzo Stoakes <lstoakes@gmail.com>
+Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
+Closes: https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/
+Cc: Lorenzo Stoakes <lstoakes@gmail.com>
+Cc: Mike Rapoport (IBM) <rppt@kernel.org>
+Cc: Liam R. Howlett <Liam.Howlett@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/userfaultfd.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -1429,6 +1429,8 @@ static int userfaultfd_register(struct u
+
+ vma_iter_set(&vmi, start);
+ prev = vma_prev(&vmi);
++ if (vma->vm_start < start)
++ prev = vma;
+
+ ret = 0;
+ for_each_vma_range(vmi, vma, end) {
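Review bot: The added `if (vma->vm_start < start) prev = vma;` in userfaultfd_register() carries no comment, and the same two lines appear uncommented in userfaultfd_unregister() in the next hunk. The reason is only in the commit message: when start falls inside vma, prev has to be vma itself so that the vma_merge() calls in the loop receive a legal range. A comment such as `/* start is inside vma: use it as prev so vma_merge() gets a valid range */` above each check would record that. Both checks also dereference a vma assigned earlier in the function, outside these hunks, so they rely on that lookup having returned a non-NULL VMA.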
+@@ -1595,6 +1597,9 @@ static int userfaultfd_unregister(struct
+
+ vma_iter_set(&vmi, start);
+ prev = vma_prev(&vmi);
++ if (vma->vm_start < start)
++ prev = vma;
++
+ ret = 0;
+ for_each_vma_range(vmi, vma, end) {
+ cond_resched();
--- /dev/null
+From 30134b7c47bd28fdb4db4d12aef824e0579cfee4 Mon Sep 17 00:00:00 2001
+From: Christian Marangi <ansuelsmth@gmail.com>
+Date: Wed, 14 Jun 2023 11:17:14 +0200
+Subject: net: ethernet: stmicro: stmmac: fix possible memory leak in __stmmac_open
+
+From: Christian Marangi <ansuelsmth@gmail.com>
+
+commit 30134b7c47bd28fdb4db4d12aef824e0579cfee4 upstream.
+
+Fix a possible memory leak in __stmmac_open when stmmac_init_phy fails.
+It's also needed to free everything allocated by stmmac_setup_dma_desc
+and not just the dma_conf struct.
+
+Drop free_dma_desc_resources from __stmmac_open and correctly call
+free_dma_desc_resources on each user of __stmmac_open on error.
+
+Reported-by: Jose Abreu <Jose.Abreu@synopsys.com>
+Fixes: ba39b344e924 ("net: ethernet: stmicro: stmmac: generate stmmac dma conf before open")
+Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: Jose Abreu <Jose.Abreu@synopsys.com>
+Link: https://lore.kernel.org/r/20230614091714.15912-1-ansuelsmth@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3867,7 +3867,6 @@ irq_error:
+
+ stmmac_hw_teardown(dev);
+ init_error:
+- free_dma_desc_resources(priv, &priv->dma_conf);
+ phylink_disconnect_phy(priv->phylink);
+ init_phy_error:
+ pm_runtime_put(priv->device);
+@@ -3885,6 +3884,9 @@ static int stmmac_open(struct net_device
+ return PTR_ERR(dma_conf);
+
+ ret = __stmmac_open(dev, dma_conf);
++ if (ret)
++ free_dma_desc_resources(priv, dma_conf);
++
+ kfree(dma_conf);
+ return ret;
+ }
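Review bot: After a failed __stmmac_open(), stmmac_open() now frees the descriptors through the local `dma_conf`, where the removed line freed them through `&priv->dma_conf`; the same applies to stmmac_change_mtu() in the next hunk. If __stmmac_open() has already copied dma_conf into priv->dma_conf before the failing step (its body is outside these hunks, so this is inferred), priv->dma_conf keeps pointers to memory that has just been released. It is worth confirming that no path reads priv->dma_conf before the next successful open, and recording that at the call, e.g. `/* open failed: release what stmmac_setup_dma_desc() allocated; priv->dma_conf may hold stale copies */`.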
+@@ -5609,12 +5611,15 @@ static int stmmac_change_mtu(struct net_
+ stmmac_release(dev);
+
+ ret = __stmmac_open(dev, dma_conf);
+- kfree(dma_conf);
+ if (ret) {
++ free_dma_desc_resources(priv, dma_conf);
++ kfree(dma_conf);
+ netdev_err(priv->dev, "failed reopening the interface after MTU change\n");
+ return ret;
+ }
+
++ kfree(dma_conf);
++
+ stmmac_set_rx_mode(dev);
+ }
+
--- /dev/null
+From 863199199713908afaa47ba09332b87621c12496 Mon Sep 17 00:00:00 2001
+From: Wes Huang <wes.huang@moxa.com>
+Date: Thu, 8 Jun 2023 11:01:42 +0800
+Subject: net: usb: qmi_wwan: add support for Compal RXM-G1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wes Huang <wes.huang@moxa.com>
+
+commit 863199199713908afaa47ba09332b87621c12496 upstream.
+
+Add support for Compal RXM-G1 which is based on Qualcomm SDX55 chip.
+This patch adds support for two compositions:
+
+0x9091: DIAG + MODEM + QMI_RMNET + ADB
+0x90db: DIAG + DUN + RMNET + DPL + QDSS(Trace) + ADB
+
+T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0
+D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
+P: Vendor=05c6 ProdID=9091 Rev= 4.14
+S: Manufacturer=QCOM
+S: Product=SDXPRAIRIE-MTP _SN:719AB680
+S: SerialNumber=719ab680
+C:* #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=896mA
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none)
+E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+E: Ad=84(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+
+T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0
+D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
+P: Vendor=05c6 ProdID=90db Rev= 4.14
+S: Manufacturer=QCOM
+S: Product=SDXPRAIRIE-MTP _SN:719AB680
+S: SerialNumber=719ab680
+C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=896mA
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none)
+E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+E: Ad=84(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+E: Ad=8f(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+E: Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Wes Huang <wes.huang@moxa.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Link: https://lore.kernel.org/r/20230608030141.3546-1-wes.huang@moxa.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1220,7 +1220,9 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x05c6, 0x9080, 8)},
+ {QMI_FIXED_INTF(0x05c6, 0x9083, 3)},
+ {QMI_FIXED_INTF(0x05c6, 0x9084, 4)},
++ {QMI_QUIRK_SET_DTR(0x05c6, 0x9091, 2)}, /* Compal RXM-G1 */
+ {QMI_FIXED_INTF(0x05c6, 0x90b2, 3)}, /* ublox R410M */
++ {QMI_QUIRK_SET_DTR(0x05c6, 0x90db, 2)}, /* Compal RXM-G1 */
+ {QMI_FIXED_INTF(0x05c6, 0x920d, 0)},
+ {QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
+ {QMI_QUIRK_SET_DTR(0x05c6, 0x9625, 4)}, /* YUGA CLM920-NC5 */
--- /dev/null
+From 2f012f2baca140c488e43d27a374029c1e59098d Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Sat, 13 May 2023 19:24:28 +0900
+Subject: nilfs2: fix incomplete buffer cleanup in nilfs_btnode_abort_change_key()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit 2f012f2baca140c488e43d27a374029c1e59098d upstream.
+
+A syzbot fault injection test reported that nilfs_btnode_create_block, a
+helper function that allocates a new node block for b-trees, causes a
+kernel BUG for disk images where the file system block size is smaller
+than the page size.
+
+This was due to unexpected flags on the newly allocated buffer head, and
+it turned out to be because the buffer flags were not cleared by
+nilfs_btnode_abort_change_key() after an error occurred during a b-tree
+update operation and the buffer was later reused in that state.
+
+Fix this issue by using nilfs_btnode_delete() to abandon the unused
+preallocated buffer in nilfs_btnode_abort_change_key().
+
+Link: https://lkml.kernel.org/r/20230513102428.10223-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+b0a35a5c1f7e846d3b09@syzkaller.appspotmail.com
+Closes: https://lkml.kernel.org/r/000000000000d1d6c205ebc4d512@google.com
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/btnode.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/fs/nilfs2/btnode.c
++++ b/fs/nilfs2/btnode.c
+@@ -285,6 +285,14 @@ void nilfs_btnode_abort_change_key(struc
+ if (nbh == NULL) { /* blocksize == pagesize */
+ xa_erase_irq(&btnc->i_pages, newkey);
+ unlock_page(ctxt->bh->b_page);
+- } else
+- brelse(nbh);
++ } else {
++ /*
++ * When canceling a buffer that a prepare operation has
++ * allocated to copy a node block to another location, use
++ * nilfs_btnode_delete() to initialize and release the buffer
++ * so that the buffer flags will not be in an inconsistent
++ * state when it is reallocated.
++ */
++ nilfs_btnode_delete(nbh);
++ }
+ }
--- /dev/null
+From fee5eaecca86afa544355569b831c1f90f334b85 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Wed, 24 May 2023 18:43:48 +0900
+Subject: nilfs2: fix possible out-of-bounds segment allocation in resize ioctl
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit fee5eaecca86afa544355569b831c1f90f334b85 upstream.
+
+Syzbot reports that in its stress test for resize ioctl, the log writing
+function nilfs_segctor_do_construct hits a WARN_ON in
+nilfs_segctor_truncate_segments().
+
+It turned out that there is a problem with the current implementation of
+the resize ioctl, which changes the writable range on the device (the
+range of allocatable segments) at the end of the resize process.
+
+This order is necessary for file system expansion to avoid corrupting the
+superblock at trailing edge. However, in the case of a file system
+shrink, if log writes occur after truncating out-of-bounds trailing
+segments and before the resize is complete, segments may be allocated from
+the truncated space.
+
+The userspace resize tool was fine as it limits the range of allocatable
+segments before performing the resize, but it can run into this issue if
+the resize ioctl is called alone.
+
+Fix this issue by changing nilfs_sufile_resize() to update the range of
+allocatable segments immediately after successful truncation of segment
+space in case of file system shrink.
+
+Link: https://lkml.kernel.org/r/20230524094348.3784-1-konishi.ryusuke@gmail.com
+Fixes: 4e33f9eab07e ("nilfs2: implement resize ioctl")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+33494cd0df2ec2931851@syzkaller.appspotmail.com
+Closes: https://lkml.kernel.org/r/0000000000005434c405fbbafdc5@google.com
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/sufile.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/nilfs2/sufile.c
++++ b/fs/nilfs2/sufile.c
+@@ -779,6 +779,15 @@ int nilfs_sufile_resize(struct inode *su
+ goto out_header;
+
+ sui->ncleansegs -= nsegs - newnsegs;
++
++ /*
++ * If the sufile is successfully truncated, immediately adjust
++ * the segment allocation space while locking the semaphore
++ * "mi_sem" so that nilfs_sufile_alloc() never allocates
++ * segments in the truncated space.
++ */
++ sui->allocmax = newnsegs - 1;
++ sui->allocmin = 0;
+ }
+
+ kaddr = kmap_atomic(header_bh->b_page);
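Review bot: `sui->allocmax = newnsegs - 1;` wraps to the maximum value if newnsegs is ever 0, which would widen the allocatable range instead of shrinking it. The checks that bound newnsegs in nilfs_sufile_resize() are outside the hunk, so this may already be excluded; if so the added comment could say it, e.g. `newnsegs is at least 1 here`. The assignment `sui->allocmin = 0;` also replaces whatever lower bound was set before the resize, which the comment does not mention.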
--- /dev/null
+From 92c5d1b860e9581d64baca76779576c0ab0d943d Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Fri, 26 May 2023 11:13:32 +0900
+Subject: nilfs2: reject devices with insufficient block count
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit 92c5d1b860e9581d64baca76779576c0ab0d943d upstream.
+
+The current sanity check for nilfs2 geometry information lacks checks for
+the number of segments stored in superblocks, so even for device images
+that have been destructively truncated or have an unusually high number of
+segments, the mount operation may succeed.
+
+This causes out-of-bounds block I/O on file system block reads or log
+writes to the segments, the latter in particular causing
+"a_ops->writepages" to repeatedly fail, resulting in sync_inodes_sb() to
+hang.
+
+Fix this issue by checking the number of segments stored in the superblock
+and avoiding mounting devices that can cause out-of-bounds accesses. To
+eliminate the possibility of overflow when calculating the number of
+blocks required for the device from the number of segments, this also adds
+a helper function to calculate the upper bound on the number of segments
+and inserts a check using it.
+
+Link: https://lkml.kernel.org/r/20230526021332.3431-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+7d50f1e54a12ba3aeae2@syzkaller.appspotmail.com
+ Link: https://syzkaller.appspot.com/bug?extid=7d50f1e54a12ba3aeae2
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/the_nilfs.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 42 insertions(+), 1 deletion(-)
+
+--- a/fs/nilfs2/the_nilfs.c
++++ b/fs/nilfs2/the_nilfs.c
+@@ -405,6 +405,18 @@ unsigned long nilfs_nrsvsegs(struct the_
+ 100));
+ }
+
++/**
++ * nilfs_max_segment_count - calculate the maximum number of segments
++ * @nilfs: nilfs object
++ */
++static u64 nilfs_max_segment_count(struct the_nilfs *nilfs)
++{
++ u64 max_count = U64_MAX;
++
++ do_div(max_count, nilfs->ns_blocks_per_segment);
++ return min_t(u64, max_count, ULONG_MAX);
++}
++
+ void nilfs_set_nsegments(struct the_nilfs *nilfs, unsigned long nsegs)
+ {
+ nilfs->ns_nsegments = nsegs;
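Review bot: nilfs_max_segment_count() divides by `nilfs->ns_blocks_per_segment` without stating that the value must be non-zero, and its kernel-doc has no return description. The only caller added in this patch runs after other geometry checks in nilfs_store_disk_layout() that are not visible here, so the precondition is presumably met. The doc comment should say so, for example `* Return: largest segment count whose block total fits in u64 (capped at ULONG_MAX); ns_blocks_per_segment must be non-zero.`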
+@@ -414,6 +426,8 @@ void nilfs_set_nsegments(struct the_nilf
+ static int nilfs_store_disk_layout(struct the_nilfs *nilfs,
+ struct nilfs_super_block *sbp)
+ {
++ u64 nsegments, nblocks;
++
+ if (le32_to_cpu(sbp->s_rev_level) < NILFS_MIN_SUPP_REV) {
+ nilfs_err(nilfs->ns_sb,
+ "unsupported revision (superblock rev.=%d.%d, current rev.=%d.%d). Please check the version of mkfs.nilfs(2).",
+@@ -457,7 +471,34 @@ static int nilfs_store_disk_layout(struc
+ return -EINVAL;
+ }
+
+- nilfs_set_nsegments(nilfs, le64_to_cpu(sbp->s_nsegments));
++ nsegments = le64_to_cpu(sbp->s_nsegments);
++ if (nsegments > nilfs_max_segment_count(nilfs)) {
++ nilfs_err(nilfs->ns_sb,
++ "segment count %llu exceeds upper limit (%llu segments)",
++ (unsigned long long)nsegments,
++ (unsigned long long)nilfs_max_segment_count(nilfs));
++ return -EINVAL;
++ }
++
++ nblocks = sb_bdev_nr_blocks(nilfs->ns_sb);
++ if (nblocks) {
++ u64 min_block_count = nsegments * nilfs->ns_blocks_per_segment;
++ /*
++ * To avoid failing to mount early device images without a
++ * second superblock, exclude that block count from the
++ * "min_block_count" calculation.
++ */
++
++ if (nblocks < min_block_count) {
++ nilfs_err(nilfs->ns_sb,
++ "total number of segment blocks %llu exceeds device size (%llu blocks)",
++ (unsigned long long)min_block_count,
++ (unsigned long long)nblocks);
++ return -EINVAL;
++ }
++ }
++
++ nilfs_set_nsegments(nilfs, nsegments);
+ nilfs->ns_crc_seed = le32_to_cpu(sbp->s_crc_seed);
+ return 0;
+ }
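Review bot: The device-size comparison is skipped whenever `sb_bdev_nr_blocks()` returns 0, so in that case the superblock's segment count is bounded only by the overflow limit and not by the device. The `if (nblocks)` guard has no comment saying when a zero block count is expected. If it is a deliberate allowance, a line such as `/* device size unknown: only the overflow bound applies */` above the guard would make that explicit. The existing comment about the second superblock sits after the declaration it explains and would read better above `min_block_count`.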
--- /dev/null
+From 85041e12418fd0c08ff972b7729f7971afb361f8 Mon Sep 17 00:00:00 2001
+From: Janne Grunau <j@jannau.net>
+Date: Sun, 12 Feb 2023 13:16:32 +0100
+Subject: nios2: dts: Fix tse_mac "max-frame-size" property
+
+From: Janne Grunau <j@jannau.net>
+
+commit 85041e12418fd0c08ff972b7729f7971afb361f8 upstream.
+
+The given value of 1518 seems to refer to the layer 2 ethernet frame
+size without 802.1Q tag. Actual use of the "max-frame-size" including in
+the consumer of the "altr,tse-1.0" compatible is the MTU.
+
+Fixes: 95acd4c7b69c ("nios2: Device tree support")
+Fixes: 61c610ec61bb ("nios2: Add Max10 device tree")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Janne Grunau <j@jannau.net>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/nios2/boot/dts/10m50_devboard.dts | 2 +-
+ arch/nios2/boot/dts/3c120_devboard.dts | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/nios2/boot/dts/10m50_devboard.dts
++++ b/arch/nios2/boot/dts/10m50_devboard.dts
+@@ -97,7 +97,7 @@
+ rx-fifo-depth = <8192>;
+ tx-fifo-depth = <8192>;
+ address-bits = <48>;
+- max-frame-size = <1518>;
++ max-frame-size = <1500>;
+ local-mac-address = [00 00 00 00 00 00];
+ altr,has-supplementary-unicast;
+ altr,enable-sup-addr = <1>;
+--- a/arch/nios2/boot/dts/3c120_devboard.dts
++++ b/arch/nios2/boot/dts/3c120_devboard.dts
+@@ -106,7 +106,7 @@
+ interrupt-names = "rx_irq", "tx_irq";
+ rx-fifo-depth = <8192>;
+ tx-fifo-depth = <8192>;
+- max-frame-size = <1518>;
++ max-frame-size = <1500>;
+ local-mac-address = [ 00 00 00 00 00 00 ];
+ phy-mode = "rgmii-id";
+ phy-handle = <&phy0>;
--- /dev/null
+From c8a5d5ea3ba6a18958f8d76430e4cd68eea33943 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Thu, 15 Jun 2023 12:22:11 +1000
+Subject: nouveau: fix client work fence deletion race
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit c8a5d5ea3ba6a18958f8d76430e4cd68eea33943 upstream.
+
+This seems to have existed forever but is now more apparent after
+commit 9bff18d13473 ("drm/ttm: use per BO cleanup workers")
+
+My analysis: two threads are running, one in the irq signalling the
+fence, in dma_fence_signal_timestamp_locked, it has done the
+DMA_FENCE_FLAG_SIGNALLED_BIT setting, but hasn't yet reached the
+callbacks.
+
+The second thread in nouveau_cli_work_ready, where it sees the fence is
+signalled, so then puts the fence, cleanups the object and frees the
+work item, which contains the callback.
+
+Thread one goes again and tries to call the callback and causes the
+use-after-free.
+
+Proposed fix: lock the fence signalled check in nouveau_cli_work_ready,
+so either the callbacks are done or the memory is freed.
+
+Reviewed-by: Karol Herbst <kherbst@redhat.com>
+Fixes: 11e451e74050 ("drm/nouveau: remove fence wait code from deferred client work handler")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Link: https://lore.kernel.org/dri-devel/20230615024008.1600281-1-airlied@gmail.com/
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_drm.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
+@@ -137,10 +137,16 @@ nouveau_name(struct drm_device *dev)
+ static inline bool
+ nouveau_cli_work_ready(struct dma_fence *fence)
+ {
+- if (!dma_fence_is_signaled(fence))
+- return false;
+- dma_fence_put(fence);
+- return true;
++ bool ret = true;
++
++ spin_lock_irq(fence->lock);
++ if (!dma_fence_is_signaled_locked(fence))
++ ret = false;
++ spin_unlock_irq(fence->lock);
++
++ if (ret == true)
++ dma_fence_put(fence);
++ return ret;
+ }
+
+ static void
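Review bot: Nothing in nouveau_cli_work_ready() says why the signalled test has to run under `fence->lock`, so the locked form could be simplified away later and reopen the race described in the commit message. A comment above `spin_lock_irq()` such as `/* hold fence->lock so the signalling thread has finished its callbacks before the work item is freed */` would record it. The flag handling can also be shortened to `ret = dma_fence_is_signaled_locked(fence);` and `if (ret)` instead of `if (ret == true)`. spin_unlock_irq() re-enables interrupts unconditionally, which is correct only if no caller enters with interrupts disabled; the callers are outside the hunk.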
--- /dev/null
+From 26a6ffff7de5dd369cdb12e38ba11db682f1dec0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lu=C3=ADs=20Henriques?= <ocfs2-devel@oss.oracle.com>
+Date: Mon, 29 May 2023 16:26:45 +0100
+Subject: ocfs2: check new file size on fallocate call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Luís Henriques <ocfs2-devel@oss.oracle.com>
+
+commit 26a6ffff7de5dd369cdb12e38ba11db682f1dec0 upstream.
+
+When changing a file size with fallocate() the new size isn't being
+checked. In particular, the FSIZE ulimit isn't being checked, which makes
+fstest generic/228 fail. Simply adding a call to inode_newsize_ok() fixes
+this issue.
+
+Link: https://lkml.kernel.org/r/20230529152645.32680-1-lhenriques@suse.de
+Signed-off-by: Luís Henriques <lhenriques@suse.de>
+Reviewed-by: Mark Fasheh <mark@fasheh.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/file.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2100,14 +2100,20 @@ static long ocfs2_fallocate(struct file
+ struct ocfs2_space_resv sr;
+ int change_size = 1;
+ int cmd = OCFS2_IOC_RESVSP64;
++ int ret = 0;
+
+ if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE))
+ return -EOPNOTSUPP;
+ if (!ocfs2_writes_unwritten_extents(osb))
+ return -EOPNOTSUPP;
+
+- if (mode & FALLOC_FL_KEEP_SIZE)
++ if (mode & FALLOC_FL_KEEP_SIZE) {
+ change_size = 0;
++ } else {
++ ret = inode_newsize_ok(inode, offset + len);
++ if (ret)
++ return ret;
++ }
+
+ if (mode & FALLOC_FL_PUNCH_HOLE)
+ cmd = OCFS2_IOC_UNRESVSP64;
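Review bot: `inode_newsize_ok(inode, offset + len)` is evaluated before any inode or cluster lock that this hunk shows being taken, so the size it compares against may be out of date by the time the allocation runs. The rest of ocfs2_fallocate() is outside the hunk, so the locking may happen later in the call chain. If so, the check here is an early rejection only and that deserves a comment, e.g. `/* early FSIZE/s_maxbytes check; i_size is re-read under lock later */`. The sum `offset + len` is signed and relies on the caller having range-checked both values.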
--- /dev/null
+From 50d927880e0f90d5cb25e897e9d03e5edacc79a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lu=C3=ADs=20Henriques?= <ocfs2-devel@oss.oracle.com>
+Date: Mon, 22 May 2023 11:21:12 +0100
+Subject: ocfs2: fix use-after-free when unmounting read-only filesystem
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Luís Henriques <ocfs2-devel@oss.oracle.com>
+
+commit 50d927880e0f90d5cb25e897e9d03e5edacc79a8 upstream.
+
+It's trivial to trigger a use-after-free bug in the ocfs2 quotas code using
+fstest generic/452. After a read-only remount, quotas are suspended and
+ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info(). When unmounting
+the filesystem, an UAF access to the oinfo will eventually cause a crash.
+
+BUG: KASAN: slab-use-after-free in timer_delete+0x54/0xc0
+Read of size 8 at addr ffff8880389a8208 by task umount/669
+...
+Call Trace:
+ <TASK>
+ ...
+ timer_delete+0x54/0xc0
+ try_to_grab_pending+0x31/0x230
+ __cancel_work_timer+0x6c/0x270
+ ocfs2_disable_quotas.isra.0+0x3e/0xf0 [ocfs2]
+ ocfs2_dismount_volume+0xdd/0x450 [ocfs2]
+ generic_shutdown_super+0xaa/0x280
+ kill_block_super+0x46/0x70
+ deactivate_locked_super+0x4d/0xb0
+ cleanup_mnt+0x135/0x1f0
+ ...
+ </TASK>
+
+Allocated by task 632:
+ kasan_save_stack+0x1c/0x40
+ kasan_set_track+0x21/0x30
+ __kasan_kmalloc+0x8b/0x90
+ ocfs2_local_read_info+0xe3/0x9a0 [ocfs2]
+ dquot_load_quota_sb+0x34b/0x680
+ dquot_load_quota_inode+0xfe/0x1a0
+ ocfs2_enable_quotas+0x190/0x2f0 [ocfs2]
+ ocfs2_fill_super+0x14ef/0x2120 [ocfs2]
+ mount_bdev+0x1be/0x200
+ legacy_get_tree+0x6c/0xb0
+ vfs_get_tree+0x3e/0x110
+ path_mount+0xa90/0xe10
+ __x64_sys_mount+0x16f/0x1a0
+ do_syscall_64+0x43/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Freed by task 650:
+ kasan_save_stack+0x1c/0x40
+ kasan_set_track+0x21/0x30
+ kasan_save_free_info+0x2a/0x50
+ __kasan_slab_free+0xf9/0x150
+ __kmem_cache_free+0x89/0x180
+ ocfs2_local_free_info+0x2ba/0x3f0 [ocfs2]
+ dquot_disable+0x35f/0xa70
+ ocfs2_susp_quotas.isra.0+0x159/0x1a0 [ocfs2]
+ ocfs2_remount+0x150/0x580 [ocfs2]
+ reconfigure_super+0x1a5/0x3a0
+ path_mount+0xc8a/0xe10
+ __x64_sys_mount+0x16f/0x1a0
+ do_syscall_64+0x43/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Link: https://lkml.kernel.org/r/20230522102112.9031-1-lhenriques@suse.de
+Signed-off-by: Luís Henriques <lhenriques@suse.de>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Tested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/super.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -952,8 +952,10 @@ static void ocfs2_disable_quotas(struct
+ for (type = 0; type < OCFS2_MAXQUOTAS; type++) {
+ if (!sb_has_quota_loaded(sb, type))
+ continue;
+- oinfo = sb_dqinfo(sb, type)->dqi_priv;
+- cancel_delayed_work_sync(&oinfo->dqi_sync_work);
++ if (!sb_has_quota_suspended(sb, type)) {
++ oinfo = sb_dqinfo(sb, type)->dqi_priv;
++ cancel_delayed_work_sync(&oinfo->dqi_sync_work);
++ }
+ inode = igrab(sb->s_dquot.files[type]);
+ /* Turn off quotas. This will remove all dquot structures from
+ * memory and so they will be automatically synced to global
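Review bot: The new `sb_has_quota_suspended()` guard in the loop of ocfs2_disable_quotas() has no comment saying why suspended quotas must skip the cancel. The reason exists only in the KASAN trace of the commit message, which shows the object freed by `ocfs2_local_free_info()` via `dquot_disable()` from `ocfs2_susp_quotas()` on remount. I would put `/* dqi_priv was already freed when quotas were suspended (remount); there is no sync work left to cancel */` above the `if`. The guard leaves `dqi_priv` itself untouched, so if the suspend path leaves it pointing at the freed object, any later reader would need the same check; that path is not visible here and is worth confirming. The function body continues past the end of this hunk.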
--- /dev/null
+From 20188baceb7a1463dc0bcb0c8678b69c2f447df6 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Fri, 19 May 2023 16:47:38 +0200
+Subject: powerpc/purgatory: remove PGO flags
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 20188baceb7a1463dc0bcb0c8678b69c2f447df6 upstream.
+
+If profile-guided optimization is enabled, the purgatory ends up with
+multiple .text sections. This is not supported by kexec and crashes the
+system.
+
+Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-3-b05c520b7296@chromium.org
+Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: <stable@vger.kernel.org>
+Cc: Albert Ou <aou@eecs.berkeley.edu>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Dave Young <dyoung@redhat.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Palmer Dabbelt <palmer@rivosinc.com>
+Cc: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: Philipp Rudo <prudo@redhat.com>
+Cc: Ross Zwisler <zwisler@google.com>
+Cc: Simon Horman <horms@kernel.org>
+Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tom Rix <trix@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/purgatory/Makefile | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/powerpc/purgatory/Makefile
++++ b/arch/powerpc/purgatory/Makefile
+@@ -5,6 +5,11 @@ KCSAN_SANITIZE := n
+
+ targets += trampoline_$(BITS).o purgatory.ro
+
++# When profile-guided optimization is enabled, llvm emits two different
++# overlapping text sections, which is not supported by kexec. Remove profile
++# optimization flags.
++KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use=%,$(KBUILD_CFLAGS))
++
+ LDFLAGS_purgatory.ro := -e purgatory_start -r --no-undefined
+
+ $(obj)/purgatory.ro: $(obj)/trampoline_$(BITS).o FORCE
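Review bot: The two `filter-out` patterns on the added `KBUILD_CFLAGS` line match only the `-fprofile-sample-use=<file>` and `-fprofile-use=<file>` spellings, so a profile flag passed in another form (bare `-fprofile-use`, or clang's `-fprofile-instr-use=<file>`) would pass through and the purgatory could again be built with split text sections. If such spellings can reach this Makefile, extending the list is cheap: `KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use=% -fprofile-use -fprofile-instr-use=%,$(KBUILD_CFLAGS))`. The identical line is added in the riscv and x86 purgatory Makefile hunks later in this series, so the same applies there. Whether any supported configuration actually passes those forms is not visible from these hunks.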
--- /dev/null
+From 0cadb4db79e1d9eea66711c4031e435c2191907e Mon Sep 17 00:00:00 2001
+From: Edward Srouji <edwards@nvidia.com>
+Date: Mon, 5 Jun 2023 13:33:24 +0300
+Subject: RDMA/uverbs: Restrict usage of privileged QKEYs
+
+From: Edward Srouji <edwards@nvidia.com>
+
+commit 0cadb4db79e1d9eea66711c4031e435c2191907e upstream.
+
+According to the IB specification rel-1.6, section 3.5.3:
+"QKEYs with the most significant bit set are considered controlled
+QKEYs, and a HCA does not allow a consumer to arbitrarily specify a
+controlled QKEY."
+
+Thus, block non-privileged users from setting such a QKEY.
+
+Cc: stable@vger.kernel.org
+Fixes: bc38a6abdd5a ("[PATCH] IB uverbs: core implementation")
+Signed-off-by: Edward Srouji <edwards@nvidia.com>
+Link: https://lore.kernel.org/r/c00c809ddafaaf87d6f6cb827978670989a511b3.1685960567.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/uverbs_cmd.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -1850,8 +1850,13 @@ static int modify_qp(struct uverbs_attr_
+ attr->path_mtu = cmd->base.path_mtu;
+ if (cmd->base.attr_mask & IB_QP_PATH_MIG_STATE)
+ attr->path_mig_state = cmd->base.path_mig_state;
+- if (cmd->base.attr_mask & IB_QP_QKEY)
++ if (cmd->base.attr_mask & IB_QP_QKEY) {
++ if (cmd->base.qkey & IB_QP_SET_QKEY && !capable(CAP_NET_RAW)) {
++ ret = -EPERM;
++ goto release_qp;
++ }
+ attr->qkey = cmd->base.qkey;
++ }
+ if (cmd->base.attr_mask & IB_QP_RQ_PSN)
+ attr->rq_psn = cmd->base.rq_psn;
+ if (cmd->base.attr_mask & IB_QP_SQ_PSN)
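Review bot: The privilege test added inside the `IB_QP_QKEY` branch is easy to misread: it mixes `&` and `&&` without parentheses, and `IB_QP_SET_QKEY` looks like one of the `attr_mask` flags on the surrounding lines although it is applied to the qkey value. I would write it as `if ((cmd->base.qkey & IB_QP_SET_QKEY) && !capable(CAP_NET_RAW)) {` and add `/* controlled QKEY (most significant bit set, IB spec 3.5.3): privileged callers only */` above it. The check is made against the task issuing the command, and this hunk covers only the uverbs modify_qp path; whether other user-facing paths that accept a QKEY apply the same rule cannot be seen here. modify_qp() starts and ends outside the hunk, including the `release_qp` label.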
--- /dev/null
+From 34e5a54327dce5033582f3609eb54812a8c61b90 Mon Sep 17 00:00:00 2001
+From: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@amd.com>
+Date: Fri, 9 Jun 2023 06:18:41 -0700
+Subject: Revert "drm/amdgpu: remove TOPDOWN flags when allocating VRAM in large bar system"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@amd.com>
+
+commit 34e5a54327dce5033582f3609eb54812a8c61b90 upstream.
+
+This reverts commit c105518679b6e87232874ffc989ec403bee59664.
+
+This patch disables the TOPDOWN flag for APU and few dGPU cards
+which has the VRAM size equal to the BAR size.
+
+When we enable the TOPDOWN flag, we get the free blocks at
+the highest available memory region and we don't split the
+lower order blocks. This change is required to keep off
+the fragmentation related issues particularly in ASIC
+which has VRAM space <= 500MiB
+
+Hence, we are reverting this patch.
+
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2270
+Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
+index 3b225be89cb7..a70103ac0026 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
+@@ -140,7 +140,7 @@ void amdgpu_bo_placement_from_domain(struct amdgpu_bo *abo, u32 domain)
+
+ if (flags & AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED)
+ places[c].lpfn = visible_pfn;
+- else if (adev->gmc.real_vram_size != adev->gmc.visible_vram_size)
++ else
+ places[c].flags |= TTM_PL_FLAG_TOPDOWN;
+
+ if (flags & AMDGPU_GEM_CREATE_VRAM_CONTIGUOUS)
+--
+2.41.0
+
--- /dev/null
+From 88ac3bbcf73853880a9b2a65c67e6854390741cc Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Fri, 19 May 2023 16:47:39 +0200
+Subject: riscv/purgatory: remove PGO flags
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 88ac3bbcf73853880a9b2a65c67e6854390741cc upstream.
+
+If profile-guided optimization is enabled, the purgatory ends up with
+multiple .text sections. This is not supported by kexec and crashes the
+system.
+
+Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-4-b05c520b7296@chromium.org
+Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Acked-by: Palmer Dabbelt <palmer@rivosinc.com>
+Cc: <stable@vger.kernel.org>
+Cc: Albert Ou <aou@eecs.berkeley.edu>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Dave Young <dyoung@redhat.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: Philipp Rudo <prudo@redhat.com>
+Cc: Ross Zwisler <zwisler@google.com>
+Cc: Simon Horman <horms@kernel.org>
+Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tom Rix <trix@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/purgatory/Makefile | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/riscv/purgatory/Makefile
++++ b/arch/riscv/purgatory/Makefile
+@@ -35,6 +35,11 @@ CFLAGS_sha256.o := -D__DISABLE_EXPORTS
+ CFLAGS_string.o := -D__DISABLE_EXPORTS
+ CFLAGS_ctype.o := -D__DISABLE_EXPORTS
+
++# When profile-guided optimization is enabled, llvm emits two different
++# overlapping text sections, which is not supported by kexec. Remove profile
++# optimization flags.
++KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use=%,$(KBUILD_CFLAGS))
++
+ # When linking purgatory.ro with -r unresolved symbols are not checked,
+ # also link a purgatory.chk binary without -r to check for unresolved symbols.
+ PURGATORY_LDFLAGS := -e purgatory_start -z nodefaultlib
--- /dev/null
+From 78d0f94902afce8ec2c7a60f600cc0e3729d7412 Mon Sep 17 00:00:00 2001
+From: Julian Ruess <julianr@linux.ibm.com>
+Date: Tue, 13 Jun 2023 14:25:37 +0200
+Subject: s390/ism: Fix trying to free already-freed IRQ by repeated ism_dev_exit()
+
+From: Julian Ruess <julianr@linux.ibm.com>
+
+commit 78d0f94902afce8ec2c7a60f600cc0e3729d7412 upstream.
+
+This patch prevents the system from crashing when unloading the ISM module.
+
+How to reproduce: Attach an ISM device and execute 'rmmod ism'.
+
+Error-Log:
+- Trying to free already-free IRQ 0
+- WARNING: CPU: 1 PID: 966 at kernel/irq/manage.c:1890 free_irq+0x140/0x540
+
+After calling ism_dev_exit() for each ISM device in the exit routine,
+pci_unregister_driver() will execute ism_remove() for each ISM device.
+Because ism_remove() also calls ism_dev_exit(),
+free_irq(pci_irq_vector(pdev, 0), ism) is called twice for each ISM
+device. This results in a crash with the error
+'Trying to free already-free IRQ'.
+
+In the exit routine, it is enough to call pci_unregister_driver()
+because it ensures that ism_dev_exit() is called once per
+ISM device.
+
+Cc: <stable@vger.kernel.org> # 6.3+
+Fixes: 89e7d2ba61b7 ("net/ism: Add new API for client registration")
+Reviewed-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Julian Ruess <julianr@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/ism_drv.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/drivers/s390/net/ism_drv.c
++++ b/drivers/s390/net/ism_drv.c
+@@ -774,14 +774,6 @@ static int __init ism_init(void)
+
+ static void __exit ism_exit(void)
+ {
+- struct ism_dev *ism;
+-
+- mutex_lock(&ism_dev_list.mutex);
+- list_for_each_entry(ism, &ism_dev_list.list, list) {
+- ism_dev_exit(ism);
+- }
+- mutex_unlock(&ism_dev_list.mutex);
+-
+ pci_unregister_driver(&ism_driver);
+ debug_unregister(ism_debug_info);
+ }
io_uring-unlock-sqd-lock-before-sq-thread-release-cp.patch
nvme-add-maxio-1602-to-bogus-nid-list.patch
irqchip-gic-correctly-validate-of-quirk-descriptors.patch
+wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch
+wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch
+epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch
+ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch
+ocfs2-check-new-file-size-on-fallocate-call.patch
+zswap-do-not-shrink-if-cgroup-may-not-zswap.patch
+mm-damon-core-fix-divide-error-in-damon_nr_accesses_to_accesses_bp.patch
+nios2-dts-fix-tse_mac-max-frame-size-property.patch
+mm-uffd-fix-vma-operation-where-start-addr-cuts-part-of-vma.patch
+nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch
+nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch
+nilfs2-reject-devices-with-insufficient-block-count.patch
+loongarch-fix-debugfs_create_dir-error-checking.patch
+loongarch-fix-perf-event-id-calculation.patch
+io_uring-net-save-msghdr-msg_control-for-retries.patch
+revert-drm-amdgpu-remove-topdown-flags-when-allocating-vram-in-large-bar-system.patch
+kexec-support-purgatories-with-.text.hot-sections.patch
+x86-purgatory-remove-pgo-flags.patch
+riscv-purgatory-remove-pgo-flags.patch
+powerpc-purgatory-remove-pgo-flags.patch
+btrfs-subpage-fix-a-crash-in-metadata-repair-path.patch
+btrfs-properly-enable-async-discard-when-switching-from-ro-rw.patch
+btrfs-do-not-assert-on-duplicated-global-roots.patch
+btrfs-fix-iomap_begin-length-for-nocow-writes.patch
+btrfs-can_nocow_file_extent-should-pass-down-args-strict-from-callers.patch
+alsa-usb-audio-fix-broken-resume-due-to-uac3-power-state.patch
+alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch
+s390-ism-fix-trying-to-free-already-freed-irq-by-repeated-ism_dev_exit.patch
+dm-thin-metadata-check-fail_io-before-using-data_sm.patch
+dm-thin-fix-issue_discard-to-pass-gfp_noio-to-__blkdev_issue_discard.patch
+net-ethernet-stmicro-stmmac-fix-possible-memory-leak-in-__stmmac_open.patch
+nouveau-fix-client-work-fence-deletion-race.patch
+mm-gup_test-fix-ioctl-fail-for-compat-task.patch
+rdma-uverbs-restrict-usage-of-privileged-qkeys.patch
+drm-amdgpu-vcn_4_0-set-instance-0-init-sched-score-to-1.patch
+net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch
+drm-amd-display-limit-dpia-link-rate-to-hbr3.patch
+drm-amd-display-edp-do-not-add-non-edid-timings.patch
+drm-amd-make-sure-image-is-written-to-trigger-vbios-image-update-flow.patch
+drm-amd-tighten-permissions-on-vbios-flashing-attributes.patch
+drm-amd-pm-workaround-for-compute-workload-type-on-some-skus.patch
+drm-amdgpu-add-missing-radeon-secondary-pci-id.patch
+drm-amdgpu-reset-cp_vmid_preempt-after-trailing-fence-signaled.patch
+drm-amdgpu-program-gds-backup-address-as-zero-if-no-gds-allocated.patch
+drm-amdgpu-implement-gfx9-patch-functions-for-resubmission.patch
+drm-amdgpu-modify-indirect-buffer-packages-for-resubmission.patch
+alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch
--- /dev/null
+From 996c3117dae4c02b38a3cb68e5c2aec9d907ec15 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Fri, 9 Jun 2023 13:48:44 +0300
+Subject: wifi: cfg80211: fix double lock bug in reg_wdev_chan_valid()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 996c3117dae4c02b38a3cb68e5c2aec9d907ec15 upstream.
+
+The locking was changed recently so now the caller holds the wiphy_lock()
+lock. Taking the lock inside the reg_wdev_chan_valid() function will
+lead to a deadlock.
+
+Fixes: f7e60032c661 ("wifi: cfg80211: fix locking in regulatory disconnect")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/40c4114a-6cb4-4abf-b013-300b598aba65@moroto.mountain
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/reg.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2404,11 +2404,8 @@ static bool reg_wdev_chan_valid(struct w
+ case NL80211_IFTYPE_P2P_GO:
+ case NL80211_IFTYPE_ADHOC:
+ case NL80211_IFTYPE_MESH_POINT:
+- wiphy_lock(wiphy);
+ ret = cfg80211_reg_can_beacon_relax(wiphy, &chandef,
+ iftype);
+- wiphy_unlock(wiphy);
+-
+ if (!ret)
+ return ret;
+ break;
--- /dev/null
+From f7e60032c6618dfd643c7210d5cba2789e2de2e2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 6 Jun 2023 14:34:48 +0200
+Subject: wifi: cfg80211: fix locking in regulatory disconnect
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit f7e60032c6618dfd643c7210d5cba2789e2de2e2 upstream.
+
+This should use wiphy_lock() now instead of requiring the
+RTNL, since __cfg80211_leave() via cfg80211_leave() is now
+requiring that lock to be held.
+
+Fixes: a05829a7222e ("cfg80211: avoid holding the RTNL when calling the driver")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/reg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2440,11 +2440,11 @@ static void reg_leave_invalid_chans(stru
+ struct wireless_dev *wdev;
+ struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
+
+- ASSERT_RTNL();
+-
++ wiphy_lock(wiphy);
+ list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list)
+ if (!reg_wdev_chan_valid(wiphy, wdev))
+ cfg80211_leave(rdev, wdev);
++ wiphy_unlock(wiphy);
+ }
+
+ static void reg_check_chans_work(struct work_struct *work)
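Review bot: After this change reg_leave_invalid_chans() holds `wiphy_lock(wiphy)` across the whole `list_for_each_entry()` walk, but nothing in the function records that its callees now run under that lock. The follow-up patch in this series had to remove a nested `wiphy_lock()` from reg_wdev_chan_valid() for exactly that reason. I would add `/* reg_wdev_chan_valid() and cfg80211_leave() are called with the wiphy lock held and must not take it */` above the `wiphy_lock(wiphy);` line. With `ASSERT_RTNL()` removed there is also no runtime check of the caller's locking context left here; whether callers still hold the RTNL is not visible in this hunk.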
--- /dev/null
+From 97b6b9cbba40a21c1d9a344d5c1991f8cfbf136e Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Fri, 19 May 2023 16:47:37 +0200
+Subject: x86/purgatory: remove PGO flags
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 97b6b9cbba40a21c1d9a344d5c1991f8cfbf136e upstream.
+
+If profile-guided optimization is enabled, the purgatory ends up with
+multiple .text sections. This is not supported by kexec and crashes the
+system.
+
+Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-2-b05c520b7296@chromium.org
+Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Cc: <stable@vger.kernel.org>
+Cc: Albert Ou <aou@eecs.berkeley.edu>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Dave Young <dyoung@redhat.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Palmer Dabbelt <palmer@rivosinc.com>
+Cc: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: Philipp Rudo <prudo@redhat.com>
+Cc: Ross Zwisler <zwisler@google.com>
+Cc: Simon Horman <horms@kernel.org>
+Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tom Rix <trix@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/purgatory/Makefile | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/purgatory/Makefile
++++ b/arch/x86/purgatory/Makefile
+@@ -14,6 +14,11 @@ $(obj)/sha256.o: $(srctree)/lib/crypto/s
+
+ CFLAGS_sha256.o := -D__DISABLE_EXPORTS
+
++# When profile-guided optimization is enabled, llvm emits two different
++# overlapping text sections, which is not supported by kexec. Remove profile
++# optimization flags.
++KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use=%,$(KBUILD_CFLAGS))
++
+ # When linking purgatory.ro with -r unresolved symbols are not checked,
+ # also link a purgatory.chk binary without -r to check for unresolved symbols.
+ PURGATORY_LDFLAGS := -e purgatory_start -z nodefaultlib
--- /dev/null
+From 0bdf0efa180a9cb1361cbded4e2260a49306ac89 Mon Sep 17 00:00:00 2001
+From: Nhat Pham <nphamcs@gmail.com>
+Date: Tue, 30 May 2023 15:24:40 -0700
+Subject: zswap: do not shrink if cgroup may not zswap
+
+From: Nhat Pham <nphamcs@gmail.com>
+
+commit 0bdf0efa180a9cb1361cbded4e2260a49306ac89 upstream.
+
+Before storing a page, zswap first checks if the number of stored pages
+exceeds the limit specified by memory.zswap.max, for each cgroup in the
+hierarchy. If this limit is reached or exceeded, then zswap shrinking is
+triggered and short-circuits the store attempt.
+
+However, since the zswap's LRU is not memcg-aware, this can create the
+following pathological behavior: the cgroup whose zswap limit is 0 will
+evict pages from other cgroups continually, without lowering its own zswap
+usage. This means the shrinking will continue until the need for swap
+ceases or the pool becomes empty.
+
+As a result of this, we observe a disproportionate amount of zswap
+writeback and a perpetually small zswap pool in our experiments, even
+though the pool limit is never hit.
+
+More generally, a cgroup might unnecessarily evict pages from other
+cgroups before we drive the memcg back below its limit.
+
+This patch fixes the issue by rejecting zswap store attempt without
+shrinking the pool when obj_cgroup_may_zswap() returns false.
+
+[akpm@linux-foundation.org: fix return of unintialized value]
+[akpm@linux-foundation.org: s/ENOSPC/ENOMEM/]
+Link: https://lkml.kernel.org/r/20230530222440.2777700-1-nphamcs@gmail.com
+Link: https://lkml.kernel.org/r/20230530232435.3097106-1-nphamcs@gmail.com
+Fixes: f4840ccfca25 ("zswap: memcg accounting")
+Signed-off-by: Nhat Pham <nphamcs@gmail.com>
+Cc: Dan Streetman <ddstreet@ieee.org>
+Cc: Domenico Cerasuolo <cerasuolodomenico@gmail.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Seth Jennings <sjenning@redhat.com>
+Cc: Vitaly Wool <vitaly.wool@konsulko.com>
+Cc: Yosry Ahmed <yosryahmed@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/zswap.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/mm/zswap.c
++++ b/mm/zswap.c
+@@ -1141,9 +1141,16 @@ static int zswap_frontswap_store(unsigne
+ goto reject;
+ }
+
++ /*
++ * XXX: zswap reclaim does not work with cgroups yet. Without a
++ * cgroup-aware entry LRU, we will push out entries system-wide based on
++ * local cgroup limits.
++ */
+ objcg = get_obj_cgroup_from_page(page);
+- if (objcg && !obj_cgroup_may_zswap(objcg))
+- goto shrink;
++ if (objcg && !obj_cgroup_may_zswap(objcg)) {
++ ret = -ENOMEM;
++ goto reject;
++ }
+
+ /* reclaim space if needed */
+ if (zswap_is_full()) {
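Review bot: The new XXX comment above `get_obj_cgroup_from_page()` explains the limitation but not the decision taken in the branch below it, where a cgroup over its limit now has the store rejected with `-ENOMEM` instead of triggering a shrink. I would close the comment with a line such as `* Until then, reject the store here rather than shrinking the shared pool.` The `reject` label is outside this hunk and is now reached with a non-NULL `objcg`; it presumably drops the reference taken by `get_obj_cgroup_from_page()`, which is worth confirming against the full function. The hunk also ends inside the `if (zswap_is_full())` block, so the remaining use of the `shrink` label cannot be checked from here.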