--- /dev/null
+From fb294b1c0ba982144ca467a75e7d01ff26304e2b Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 6 Mar 2023 11:17:58 -0500
+Subject: dm crypt: add cond_resched() to dmcrypt_write()
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit fb294b1c0ba982144ca467a75e7d01ff26304e2b upstream.
+
+The loop in dmcrypt_write may be running for unbounded amount of time,
+thus we need cond_resched() in it.
+
+This commit fixes the following warning:
+
+[ 3391.153255][ C12] watchdog: BUG: soft lockup - CPU#12 stuck for 23s! [dmcrypt_write/2:2897]
+...
+[ 3391.387210][ C12] Call trace:
+[ 3391.390338][ C12] blk_attempt_bio_merge.part.6+0x38/0x158
+[ 3391.395970][ C12] blk_attempt_plug_merge+0xc0/0x1b0
+[ 3391.401085][ C12] blk_mq_submit_bio+0x398/0x550
+[ 3391.405856][ C12] submit_bio_noacct+0x308/0x380
+[ 3391.410630][ C12] dmcrypt_write+0x1e4/0x208 [dm_crypt]
+[ 3391.416005][ C12] kthread+0x130/0x138
+[ 3391.419911][ C12] ret_from_fork+0x10/0x18
+
+Reported-by: yangerkun <yangerkun@huawei.com>
+Fixes: dc2676210c42 ("dm crypt: offload writes to thread")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-crypt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -1934,6 +1934,7 @@ pop_from_list:
+ io = crypt_io_from_node(rb_first(&write_tree));
+ rb_erase(&io->rb_node, &write_tree);
+ kcryptd_io_write(io);
++ cond_resched();
+ } while (!RB_EMPTY_ROOT(&write_tree));
+ blk_finish_plug(&plug);
+ }
--- /dev/null
+From d3aa3e060c4a80827eb801fc448debc9daa7c46b Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Date: Thu, 16 Mar 2023 14:55:06 +0800
+Subject: dm stats: check for and propagate alloc_percpu failure
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+commit d3aa3e060c4a80827eb801fc448debc9daa7c46b upstream.
+
+Check alloc_precpu()'s return value and return an error from
+dm_stats_init() if it fails. Update alloc_dev() to fail if
+dm_stats_init() does.
+
+Otherwise, a NULL pointer dereference will occur in dm_stats_cleanup()
+even if dm-stats isn't being actively used.
+
+Fixes: fd2ed4d25270 ("dm: add statistics support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-stats.c | 7 ++++++-
+ drivers/md/dm-stats.h | 2 +-
+ drivers/md/dm.c | 4 +++-
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-stats.c
++++ b/drivers/md/dm-stats.c
+@@ -188,7 +188,7 @@ static int dm_stat_in_flight(struct dm_s
+ atomic_read(&shared->in_flight[WRITE]);
+ }
+
+-void dm_stats_init(struct dm_stats *stats)
++int dm_stats_init(struct dm_stats *stats)
+ {
+ int cpu;
+ struct dm_stats_last_position *last;
+@@ -196,11 +196,16 @@ void dm_stats_init(struct dm_stats *stat
+ mutex_init(&stats->mutex);
+ INIT_LIST_HEAD(&stats->list);
+ stats->last = alloc_percpu(struct dm_stats_last_position);
++ if (!stats->last)
++ return -ENOMEM;
++
+ for_each_possible_cpu(cpu) {
+ last = per_cpu_ptr(stats->last, cpu);
+ last->last_sector = (sector_t)ULLONG_MAX;
+ last->last_rw = UINT_MAX;
+ }
++
++ return 0;
+ }
+
+ void dm_stats_cleanup(struct dm_stats *stats)
+--- a/drivers/md/dm-stats.h
++++ b/drivers/md/dm-stats.h
+@@ -22,7 +22,7 @@ struct dm_stats_aux {
+ unsigned long long duration_ns;
+ };
+
+-void dm_stats_init(struct dm_stats *st);
++int dm_stats_init(struct dm_stats *st);
+ void dm_stats_cleanup(struct dm_stats *st);
+
+ struct mapped_device;
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1910,7 +1910,9 @@ static struct mapped_device *alloc_dev(i
+ if (!md->bdev)
+ goto bad;
+
+- dm_stats_init(&md->stats);
++ r = dm_stats_init(&md->stats);
++ if (r < 0)
++ goto bad;
+
+ /* Populate the mapping, nobody knows we exist yet */
+ spin_lock(&_minor_lock);
--- /dev/null
+From e92eb246feb9019b0b137706c934b8891cdfe3c2 Mon Sep 17 00:00:00 2001
+From: Nirmoy Das <nirmoy.das@intel.com>
+Date: Tue, 14 Mar 2023 15:29:14 +0100
+Subject: drm/i915/active: Fix missing debug object activation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nirmoy Das <nirmoy.das@intel.com>
+
+commit e92eb246feb9019b0b137706c934b8891cdfe3c2 upstream.
+
+debug_active_activate() expected ref->count to be zero
+which is not true anymore as __i915_active_activate() calls
+debug_active_activate() after incrementing the count.
+
+v2: No need to check for "ref->count == 1" as __i915_active_activate()
+already make sure of that(Janusz).
+
+References: https://gitlab.freedesktop.org/drm/intel/-/issues/6733
+Fixes: 04240e30ed06 ("drm/i915: Skip taking acquire mutex for no ref->active callback")
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Cc: Thomas Hellström <thomas.hellstrom@intel.com>
+Cc: Andi Shyti <andi.shyti@linux.intel.com>
+Cc: intel-gfx@lists.freedesktop.org
+Cc: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+Cc: <stable@vger.kernel.org> # v5.10+
+Signed-off-by: Nirmoy Das <nirmoy.das@intel.com>
+Reviewed-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230313114613.9874-1-nirmoy.das@intel.com
+(cherry picked from commit bfad380c542438a9b642f8190b7fd37bc77e2723)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/i915_active.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_active.c
++++ b/drivers/gpu/drm/i915/i915_active.c
+@@ -96,8 +96,7 @@ static void debug_active_init(struct i91
+ static void debug_active_activate(struct i915_active *ref)
+ {
+ lockdep_assert_held(&ref->tree_lock);
+- if (!atomic_read(&ref->count)) /* before the first inc */
+- debug_object_activate(ref, &active_debug_desc);
++ debug_object_activate(ref, &active_debug_desc);
+ }
+
+ static void debug_active_deactivate(struct i915_active *ref)
--- /dev/null
+From 3a84f2c6c9558c554a90ec26ad25df92fc5e05b7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Thu, 23 Feb 2023 17:20:48 +0200
+Subject: drm/i915: Preserve crtc_state->inherited during state clearing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 3a84f2c6c9558c554a90ec26ad25df92fc5e05b7 upstream.
+
+intel_crtc_prepare_cleared_state() is unintentionally losing
+the "inherited" flag. This will happen if intel_initial_commit()
+is forced to go through the full modeset calculations for
+whatever reason.
+
+Afterwards the first real commit from userspace will not get
+forced to the full modeset path, and thus eg. audio state may
+not get recomputed properly. So if the monitor was already
+enabled during boot audio will not work until userspace itself
+does an explicit full modeset.
+
+Cc: stable@vger.kernel.org
+Tested-by: Lee Shawn C <shawn.c.lee@intel.com>
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230223152048.20878-1-ville.syrjala@linux.intel.com
+Reviewed-by: Uma Shankar <uma.shankar@intel.com>
+(cherry picked from commit 2553bacaf953b48c59357f5a622282bc0c45adae)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_display.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/i915/display/intel_display.c
++++ b/drivers/gpu/drm/i915/display/intel_display.c
+@@ -13335,6 +13335,7 @@ intel_crtc_prepare_cleared_state(struct
+ * only fields that are know to not cause problems are preserved. */
+
+ saved_state->uapi = crtc_state->uapi;
++ saved_state->inherited = crtc_state->inherited;
+ saved_state->scaler_state = crtc_state->scaler_state;
+ saved_state->shared_dpll = crtc_state->shared_dpll;
+ saved_state->dpll_hw_state = crtc_state->dpll_hw_state;
--- /dev/null
+From 2ab4f4018cb6b8010ca5002c3bdc37783b5d28c2 Mon Sep 17 00:00:00 2001
+From: Cristian Marussi <cristian.marussi@arm.com>
+Date: Tue, 7 Mar 2023 16:23:24 +0000
+Subject: firmware: arm_scmi: Fix device node validation for mailbox transport
+
+From: Cristian Marussi <cristian.marussi@arm.com>
+
+commit 2ab4f4018cb6b8010ca5002c3bdc37783b5d28c2 upstream.
+
+When mailboxes are used as a transport it is possible to setup the SCMI
+transport layer, depending on the underlying channels configuration, to use
+one or two mailboxes, associated, respectively, to one or two, distinct,
+shared memory areas: any other combination should be treated as invalid.
+
+Add more strict checking of SCMI mailbox transport device node descriptors.
+
+Fixes: 5c8a47a5a91d ("firmware: arm_scmi: Make scmi core independent of the transport type")
+Cc: <stable@vger.kernel.org> # 4.19
+Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
+Link: https://lore.kernel.org/r/20230307162324.891866-1-cristian.marussi@arm.com
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/arm_scmi/mailbox.c | 37 +++++++++++++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+
+diff --git a/drivers/firmware/arm_scmi/mailbox.c b/drivers/firmware/arm_scmi/mailbox.c
+index 0d9c9538b7f4..112c285deb97 100644
+--- a/drivers/firmware/arm_scmi/mailbox.c
++++ b/drivers/firmware/arm_scmi/mailbox.c
+@@ -52,6 +52,39 @@ static bool mailbox_chan_available(struct device_node *of_node, int idx)
+ "#mbox-cells", idx, NULL);
+ }
+
++static int mailbox_chan_validate(struct device *cdev)
++{
++ int num_mb, num_sh, ret = 0;
++ struct device_node *np = cdev->of_node;
++
++ num_mb = of_count_phandle_with_args(np, "mboxes", "#mbox-cells");
++ num_sh = of_count_phandle_with_args(np, "shmem", NULL);
++ /* Bail out if mboxes and shmem descriptors are inconsistent */
++ if (num_mb <= 0 || num_sh > 2 || num_mb != num_sh) {
++ dev_warn(cdev, "Invalid channel descriptor for '%s'\n",
++ of_node_full_name(np));
++ return -EINVAL;
++ }
++
++ if (num_sh > 1) {
++ struct device_node *np_tx, *np_rx;
++
++ np_tx = of_parse_phandle(np, "shmem", 0);
++ np_rx = of_parse_phandle(np, "shmem", 1);
++ /* SCMI Tx and Rx shared mem areas have to be distinct */
++ if (!np_tx || !np_rx || np_tx == np_rx) {
++ dev_warn(cdev, "Invalid shmem descriptor for '%s'\n",
++ of_node_full_name(np));
++ ret = -EINVAL;
++ }
++
++ of_node_put(np_tx);
++ of_node_put(np_rx);
++ }
++
++ return ret;
++}
++
+ static int mailbox_chan_setup(struct scmi_chan_info *cinfo, struct device *dev,
+ bool tx)
+ {
+@@ -64,6 +97,10 @@ static int mailbox_chan_setup(struct scmi_chan_info *cinfo, struct device *dev,
+ resource_size_t size;
+ struct resource res;
+
++ ret = mailbox_chan_validate(cdev);
++ if (ret)
++ return ret;
++
+ smbox = devm_kzalloc(dev, sizeof(*smbox), GFP_KERNEL);
+ if (!smbox)
+ return -ENOMEM;
+--
+2.40.0
+
--- /dev/null
+From 92fbb6d1296f81f41f65effd7f5f8c0f74943d15 Mon Sep 17 00:00:00 2001
+From: Wei Chen <harperchen1110@gmail.com>
+Date: Tue, 14 Mar 2023 16:54:21 +0000
+Subject: i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+commit 92fbb6d1296f81f41f65effd7f5f8c0f74943d15 upstream.
+
+The data->block[0] variable comes from user and is a number between
+0-255. Without proper check, the variable may be very large to cause
+an out-of-bounds when performing memcpy in slimpro_i2c_blkwr.
+
+Fix this bug by checking the value of writelen.
+
+Fixes: f6505fbabc42 ("i2c: add SLIMpro I2C device driver on APM X-Gene platform")
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-xgene-slimpro.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-xgene-slimpro.c
++++ b/drivers/i2c/busses/i2c-xgene-slimpro.c
+@@ -308,6 +308,9 @@ static int slimpro_i2c_blkwr(struct slim
+ u32 msg[3];
+ int rc;
+
++ if (writelen > I2C_SMBUS_BLOCK_MAX)
++ return -EINVAL;
++
+ memcpy(ctx->dma_buffer, data, writelen);
+ paddr = dma_map_single(ctx->dev, ctx->dma_buffer, writelen,
+ DMA_TO_DEVICE);
--- /dev/null
+From e89c2e815e76471cb507bd95728bf26da7976430 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Mon, 13 Mar 2023 16:00:23 -0700
+Subject: riscv: Handle zicsr/zifencei issues between clang and binutils
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit e89c2e815e76471cb507bd95728bf26da7976430 upstream.
+
+There are two related issues that appear in certain combinations with
+clang and GNU binutils.
+
+The first occurs when a version of clang that supports zicsr or zifencei
+via '-march=' [1] (i.e, >= 17.x) is used in combination with a version
+of GNU binutils that do not recognize zicsr and zifencei in the
+'-march=' value (i.e., < 2.36):
+
+ riscv64-linux-gnu-ld: -march=rv64i2p0_m2p0_a2p0_c2p0_zicsr2p0_zifencei2p0: Invalid or unknown z ISA extension: 'zifencei'
+ riscv64-linux-gnu-ld: failed to merge target specific data of file fs/efivarfs/file.o
+ riscv64-linux-gnu-ld: -march=rv64i2p0_m2p0_a2p0_c2p0_zicsr2p0_zifencei2p0: Invalid or unknown z ISA extension: 'zifencei'
+ riscv64-linux-gnu-ld: failed to merge target specific data of file fs/efivarfs/super.o
+
+The second occurs when a version of clang that does not support zicsr or
+zifencei via '-march=' (i.e., <= 16.x) is used in combination with a
+version of GNU as that defaults to a newer ISA base spec, which requires
+specifying zicsr and zifencei in the '-march=' value explicitly (i.e, >=
+2.38):
+
+ ../arch/riscv/kernel/kexec_relocate.S: Assembler messages:
+ ../arch/riscv/kernel/kexec_relocate.S:147: Error: unrecognized opcode `fence.i', extension `zifencei' required
+ clang-12: error: assembler command failed with exit code 1 (use -v to see invocation)
+
+This is the same issue addressed by commit 6df2a016c0c8 ("riscv: fix
+build with binutils 2.38") (see [2] for additional information) but
+older versions of clang miss out on it because the cc-option check
+fails:
+
+ clang-12: error: invalid arch name 'rv64imac_zicsr_zifencei', unsupported standard user-level extension 'zicsr'
+ clang-12: error: invalid arch name 'rv64imac_zicsr_zifencei', unsupported standard user-level extension 'zicsr'
+
+To resolve the first issue, only attempt to add zicsr and zifencei to
+the march string when using the GNU assembler 2.38 or newer, which is
+when the default ISA spec was updated, requiring these extensions to be
+specified explicitly. LLVM implements an older version of the base
+specification for all currently released versions, so these instructions
+are available as part of the 'i' extension. If LLVM's implementation is
+updated in the future, a CONFIG_AS_IS_LLVM condition can be added to
+CONFIG_TOOLCHAIN_NEEDS_EXPLICIT_ZICSR_ZIFENCEI.
+
+To resolve the second issue, use version 2.2 of the base ISA spec when
+using an older version of clang that does not support zicsr or zifencei
+via '-march=', as that is the spec version most compatible with the one
+clang/LLVM implements and avoids the need to specify zicsr and zifencei
+explicitly due to still being a part of 'i'.
+
+[1]: https://github.com/llvm/llvm-project/commit/22e199e6afb1263c943c0c0d4498694e15bf8a16
+[2]: https://lore.kernel.org/ZAxT7T9Xy1Fo3d5W@aurel32.net/
+
+Cc: stable@vger.kernel.org
+Link: https://github.com/ClangBuiltLinux/linux/issues/1808
+Co-developed-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Acked-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://lore.kernel.org/r/20230313-riscv-zicsr-zifencei-fiasco-v1-1-dd1b7840a551@kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/Kconfig | 22 ++++++++++++++++++++++
+ arch/riscv/Makefile | 10 ++++++----
+ 2 files changed, 28 insertions(+), 4 deletions(-)
+
+--- a/arch/riscv/Kconfig
++++ b/arch/riscv/Kconfig
+@@ -331,6 +331,28 @@ config RISCV_BASE_PMU
+
+ endmenu
+
++config TOOLCHAIN_NEEDS_EXPLICIT_ZICSR_ZIFENCEI
++ def_bool y
++ # https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=aed44286efa8ae8717a77d94b51ac3614e2ca6dc
++ depends on AS_IS_GNU && AS_VERSION >= 23800
++ help
++ Newer binutils versions default to ISA spec version 20191213 which
++ moves some instructions from the I extension to the Zicsr and Zifencei
++ extensions.
++
++config TOOLCHAIN_NEEDS_OLD_ISA_SPEC
++ def_bool y
++ depends on TOOLCHAIN_NEEDS_EXPLICIT_ZICSR_ZIFENCEI
++ # https://github.com/llvm/llvm-project/commit/22e199e6afb1263c943c0c0d4498694e15bf8a16
++ depends on CC_IS_CLANG && CLANG_VERSION < 170000
++ help
++ Certain versions of clang do not support zicsr and zifencei via -march
++ but newer versions of binutils require it for the reasons noted in the
++ help text of CONFIG_TOOLCHAIN_NEEDS_EXPLICIT_ZICSR_ZIFENCEI. This
++ option causes an older ISA spec compatible with these older versions
++ of clang to be passed to GAS, which has the same result as passing zicsr
++ and zifencei to -march.
++
+ config FPU
+ bool "FPU support"
+ default y
+--- a/arch/riscv/Makefile
++++ b/arch/riscv/Makefile
+@@ -53,10 +53,12 @@ riscv-march-$(CONFIG_ARCH_RV64I) := rv64
+ riscv-march-$(CONFIG_FPU) := $(riscv-march-y)fd
+ riscv-march-$(CONFIG_RISCV_ISA_C) := $(riscv-march-y)c
+
+-# Newer binutils versions default to ISA spec version 20191213 which moves some
+-# instructions from the I extension to the Zicsr and Zifencei extensions.
+-toolchain-need-zicsr-zifencei := $(call cc-option-yn, -march=$(riscv-march-y)_zicsr_zifencei)
+-riscv-march-$(toolchain-need-zicsr-zifencei) := $(riscv-march-y)_zicsr_zifencei
++ifdef CONFIG_TOOLCHAIN_NEEDS_OLD_ISA_SPEC
++KBUILD_CFLAGS += -Wa,-misa-spec=2.2
++KBUILD_AFLAGS += -Wa,-misa-spec=2.2
++else
++riscv-march-$(CONFIG_TOOLCHAIN_NEEDS_EXPLICIT_ZICSR_ZIFENCEI) := $(riscv-march-y)_zicsr_zifencei
++endif
+
+ KBUILD_CFLAGS += -march=$(subst fd,,$(riscv-march-y))
+ KBUILD_AFLAGS += -march=$(riscv-march-y)
--- /dev/null
+From a53ce18cacb477dd0513c607f187d16f0fa96f71 Mon Sep 17 00:00:00 2001
+From: Vincent Guittot <vincent.guittot@linaro.org>
+Date: Fri, 17 Mar 2023 17:08:10 +0100
+Subject: sched/fair: Sanitize vruntime of entity being migrated
+
+From: Vincent Guittot <vincent.guittot@linaro.org>
+
+commit a53ce18cacb477dd0513c607f187d16f0fa96f71 upstream.
+
+Commit 829c1651e9c4 ("sched/fair: sanitize vruntime of entity being placed")
+fixes an overflowing bug, but ignore a case that se->exec_start is reset
+after a migration.
+
+For fixing this case, we delay the reset of se->exec_start after
+placing the entity which se->exec_start to detect long sleeping task.
+
+In order to take into account a possible divergence between the clock_task
+of 2 rqs, we increase the threshold to around 104 days.
+
+Fixes: 829c1651e9c4 ("sched/fair: sanitize vruntime of entity being placed")
+Originally-by: Zhang Qiao <zhangqiao22@huawei.com>
+Signed-off-by: Vincent Guittot <vincent.guittot@linaro.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Zhang Qiao <zhangqiao22@huawei.com>
+Link: https://lore.kernel.org/r/20230317160810.107988-1-vincent.guittot@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/core.c | 3 ++
+ kernel/sched/fair.c | 53 ++++++++++++++++++++++++++++++++++++++++++----------
+ 2 files changed, 46 insertions(+), 10 deletions(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -1601,6 +1601,9 @@ static inline void dequeue_task(struct r
+
+ void activate_task(struct rq *rq, struct task_struct *p, int flags)
+ {
++ if (task_on_rq_migrating(p))
++ flags |= ENQUEUE_MIGRATED;
++
+ enqueue_task(rq, p, flags);
+
+ p->on_rq = TASK_ON_RQ_QUEUED;
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -4274,11 +4274,33 @@ static void check_spread(struct cfs_rq *
+ #endif
+ }
+
++static inline bool entity_is_long_sleeper(struct sched_entity *se)
++{
++ struct cfs_rq *cfs_rq;
++ u64 sleep_time;
++
++ if (se->exec_start == 0)
++ return false;
++
++ cfs_rq = cfs_rq_of(se);
++
++ sleep_time = rq_clock_task(rq_of(cfs_rq));
++
++ /* Happen while migrating because of clock task divergence */
++ if (sleep_time <= se->exec_start)
++ return false;
++
++ sleep_time -= se->exec_start;
++ if (sleep_time > ((1ULL << 63) / scale_load_down(NICE_0_LOAD)))
++ return true;
++
++ return false;
++}
++
+ static void
+ place_entity(struct cfs_rq *cfs_rq, struct sched_entity *se, int initial)
+ {
+ u64 vruntime = cfs_rq->min_vruntime;
+- u64 sleep_time;
+
+ /*
+ * The 'current' period is already promised to the current tasks,
+@@ -4305,13 +4327,24 @@ place_entity(struct cfs_rq *cfs_rq, stru
+
+ /*
+ * Pull vruntime of the entity being placed to the base level of
+- * cfs_rq, to prevent boosting it if placed backwards. If the entity
+- * slept for a long time, don't even try to compare its vruntime with
+- * the base as it may be too far off and the comparison may get
+- * inversed due to s64 overflow.
++ * cfs_rq, to prevent boosting it if placed backwards.
++ * However, min_vruntime can advance much faster than real time, with
++ * the extreme being when an entity with the minimal weight always runs
++ * on the cfs_rq. If the waking entity slept for a long time, its
++ * vruntime difference from min_vruntime may overflow s64 and their
++ * comparison may get inversed, so ignore the entity's original
++ * vruntime in that case.
++ * The maximal vruntime speedup is given by the ratio of normal to
++ * minimal weight: scale_load_down(NICE_0_LOAD) / MIN_SHARES.
++ * When placing a migrated waking entity, its exec_start has been set
++ * from a different rq. In order to take into account a possible
++ * divergence between new and prev rq's clocks task because of irq and
++ * stolen time, we take an additional margin.
++ * So, cutting off on the sleep time of
++ * 2^63 / scale_load_down(NICE_0_LOAD) ~ 104 days
++ * should be safe.
+ */
+- sleep_time = rq_clock_task(rq_of(cfs_rq)) - se->exec_start;
+- if ((s64)sleep_time > 60LL * NSEC_PER_SEC)
++ if (entity_is_long_sleeper(se))
+ se->vruntime = vruntime;
+ else
+ se->vruntime = max_vruntime(se->vruntime, vruntime);
+@@ -4410,6 +4443,9 @@ enqueue_entity(struct cfs_rq *cfs_rq, st
+
+ if (flags & ENQUEUE_WAKEUP)
+ place_entity(cfs_rq, se, 0);
++ /* Entity has migrated, no longer consider this task hot */
++ if (flags & ENQUEUE_MIGRATED)
++ se->exec_start = 0;
+
+ check_schedstat_required();
+ update_stats_enqueue(cfs_rq, se, flags);
+@@ -6995,9 +7031,6 @@ static void migrate_task_rq_fair(struct
+ /* Tell new CPU we are migrated */
+ p->se.avg.last_update_time = 0;
+
+- /* We have migrated, no longer consider this task hot */
+- p->se.exec_start = 0;
+-
+ update_scan_period(p, new_cpu);
+ }
+
--- /dev/null
+From 829c1651e9c4a6f78398d3e67651cef9bb6b42cc Mon Sep 17 00:00:00 2001
+From: Zhang Qiao <zhangqiao22@huawei.com>
+Date: Mon, 30 Jan 2023 13:22:16 +0100
+Subject: sched/fair: sanitize vruntime of entity being placed
+
+From: Zhang Qiao <zhangqiao22@huawei.com>
+
+commit 829c1651e9c4a6f78398d3e67651cef9bb6b42cc upstream.
+
+When a scheduling entity is placed onto cfs_rq, its vruntime is pulled
+to the base level (around cfs_rq->min_vruntime), so that the entity
+doesn't gain extra boost when placed backwards.
+
+However, if the entity being placed wasn't executed for a long time, its
+vruntime may get too far behind (e.g. while cfs_rq was executing a
+low-weight hog), which can inverse the vruntime comparison due to s64
+overflow. This results in the entity being placed with its original
+vruntime way forwards, so that it will effectively never get to the cpu.
+
+To prevent that, ignore the vruntime of the entity being placed if it
+didn't execute for much longer than the characteristic sheduler time
+scale.
+
+[rkagan: formatted, adjusted commit log, comments, cutoff value]
+Signed-off-by: Zhang Qiao <zhangqiao22@huawei.com>
+Co-developed-by: Roman Kagan <rkagan@amazon.de>
+Signed-off-by: Roman Kagan <rkagan@amazon.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20230130122216.3555094-1-rkagan@amazon.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/fair.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -4278,6 +4278,7 @@ static void
+ place_entity(struct cfs_rq *cfs_rq, struct sched_entity *se, int initial)
+ {
+ u64 vruntime = cfs_rq->min_vruntime;
++ u64 sleep_time;
+
+ /*
+ * The 'current' period is already promised to the current tasks,
+@@ -4302,8 +4303,18 @@ place_entity(struct cfs_rq *cfs_rq, stru
+ vruntime -= thresh;
+ }
+
+- /* ensure we never gain time by being placed backwards. */
+- se->vruntime = max_vruntime(se->vruntime, vruntime);
++ /*
++ * Pull vruntime of the entity being placed to the base level of
++ * cfs_rq, to prevent boosting it if placed backwards. If the entity
++ * slept for a long time, don't even try to compare its vruntime with
++ * the base as it may be too far off and the comparison may get
++ * inversed due to s64 overflow.
++ */
++ sleep_time = rq_clock_task(rq_of(cfs_rq)) - se->exec_start;
++ if ((s64)sleep_time > 60LL * NSEC_PER_SEC)
++ se->vruntime = vruntime;
++ else
++ se->vruntime = max_vruntime(se->vruntime, vruntime);
+ }
+
+ static void check_enqueue_throttle(struct cfs_rq *cfs_rq);
usb-ucsi-fix-null-pointer-deref-in-ucsi_connector_change.patch
wifi-mac80211-fix-qos-on-mesh-interfaces.patch
nilfs2-fix-kernel-infoleak-in-nilfs_ioctl_wrap_copy.patch
+drm-i915-active-fix-missing-debug-object-activation.patch
+drm-i915-preserve-crtc_state-inherited-during-state-clearing.patch
+riscv-handle-zicsr-zifencei-issues-between-clang-and-binutils.patch
+tee-amdtee-fix-race-condition-in-amdtee_open_session.patch
+firmware-arm_scmi-fix-device-node-validation-for-mailbox-transport.patch
+i2c-xgene-slimpro-fix-out-of-bounds-bug-in-xgene_slimpro_i2c_xfer.patch
+dm-stats-check-for-and-propagate-alloc_percpu-failure.patch
+dm-crypt-add-cond_resched-to-dmcrypt_write.patch
+sched-fair-sanitize-vruntime-of-entity-being-placed.patch
+sched-fair-sanitize-vruntime-of-entity-being-migrated.patch
--- /dev/null
+From f8502fba45bd30e1a6a354d9d898bc99d1a11e6d Mon Sep 17 00:00:00 2001
+From: Rijo Thomas <Rijo-john.Thomas@amd.com>
+Date: Tue, 28 Feb 2023 15:11:20 +0530
+Subject: tee: amdtee: fix race condition in amdtee_open_session
+
+From: Rijo Thomas <Rijo-john.Thomas@amd.com>
+
+commit f8502fba45bd30e1a6a354d9d898bc99d1a11e6d upstream.
+
+There is a potential race condition in amdtee_open_session that may
+lead to use-after-free. For instance, in amdtee_open_session() after
+sess->sess_mask is set, and before setting:
+
+ sess->session_info[i] = session_info;
+
+if amdtee_close_session() closes this same session, then 'sess' data
+structure will be released, causing kernel panic when 'sess' is
+accessed within amdtee_open_session().
+
+The solution is to set the bit sess->sess_mask as the last step in
+amdtee_open_session().
+
+Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
+Acked-by: Sumit Garg <sumit.garg@linaro.org>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tee/amdtee/core.c | 29 ++++++++++++++---------------
+ 1 file changed, 14 insertions(+), 15 deletions(-)
+
+--- a/drivers/tee/amdtee/core.c
++++ b/drivers/tee/amdtee/core.c
+@@ -267,35 +267,34 @@ int amdtee_open_session(struct tee_conte
+ goto out;
+ }
+
++ /* Open session with loaded TA */
++ handle_open_session(arg, &session_info, param);
++ if (arg->ret != TEEC_SUCCESS) {
++ pr_err("open_session failed %d\n", arg->ret);
++ handle_unload_ta(ta_handle);
++ kref_put(&sess->refcount, destroy_session);
++ goto out;
++ }
++
+ /* Find an empty session index for the given TA */
+ spin_lock(&sess->lock);
+ i = find_first_zero_bit(sess->sess_mask, TEE_NUM_SESSIONS);
+- if (i < TEE_NUM_SESSIONS)
++ if (i < TEE_NUM_SESSIONS) {
++ sess->session_info[i] = session_info;
++ set_session_id(ta_handle, i, &arg->session);
+ set_bit(i, sess->sess_mask);
++ }
+ spin_unlock(&sess->lock);
+
+ if (i >= TEE_NUM_SESSIONS) {
+ pr_err("reached maximum session count %d\n", TEE_NUM_SESSIONS);
++ handle_close_session(ta_handle, session_info);
+ handle_unload_ta(ta_handle);
+ kref_put(&sess->refcount, destroy_session);
+ rc = -ENOMEM;
+ goto out;
+ }
+
+- /* Open session with loaded TA */
+- handle_open_session(arg, &session_info, param);
+- if (arg->ret != TEEC_SUCCESS) {
+- pr_err("open_session failed %d\n", arg->ret);
+- spin_lock(&sess->lock);
+- clear_bit(i, sess->sess_mask);
+- spin_unlock(&sess->lock);
+- handle_unload_ta(ta_handle);
+- kref_put(&sess->refcount, destroy_session);
+- goto out;
+- }
+-
+- sess->session_info[i] = session_info;
+- set_session_id(ta_handle, i, &arg->session);
+ out:
+ free_pages((u64)ta, get_order(ta_size));
+ return rc;
projects / thirdparty / kernel / stable-queue.git / commitdiff
