--- /dev/null
+From 7843380d07bbeffd3ce6504e73cf61f840ae76ca Mon Sep 17 00:00:00 2001
+From: Adam Stylinski <kungfujesus06@gmail.com>
+Date: Sun, 21 May 2023 10:52:23 -0400
+Subject: ALSA: hda/ca0132: add quirk for EVGA X299 DARK
+
+From: Adam Stylinski <kungfujesus06@gmail.com>
+
+commit 7843380d07bbeffd3ce6504e73cf61f840ae76ca upstream.
+
+This quirk is necessary for surround and other DSP effects to work
+with the onboard ca0132 based audio chipset for the EVGA X299 dark
+mainboard.
+
+Signed-off-by: Adam Stylinski <kungfujesus06@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=67071
+Link: https://lore.kernel.org/r/ZGopOe19T1QOwizS@eggsbenedict.adamsnet
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_ca0132.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -1306,6 +1306,7 @@ static const struct snd_pci_quirk ca0132
+ SND_PCI_QUIRK(0x1458, 0xA026, "Gigabyte G1.Sniper Z97", QUIRK_R3DI),
+ SND_PCI_QUIRK(0x1458, 0xA036, "Gigabyte GA-Z170X-Gaming 7", QUIRK_R3DI),
+ SND_PCI_QUIRK(0x3842, 0x1038, "EVGA X99 Classified", QUIRK_R3DI),
++ SND_PCI_QUIRK(0x3842, 0x104b, "EVGA X299 Dark", QUIRK_R3DI),
+ SND_PCI_QUIRK(0x3842, 0x1055, "EVGA Z390 DARK", QUIRK_R3DI),
+ SND_PCI_QUIRK(0x1102, 0x0013, "Recon3D", QUIRK_R3D),
+ SND_PCI_QUIRK(0x1102, 0x0018, "Recon3D", QUIRK_R3D),
--- /dev/null
+From 81302b1c7c997e8a56c1c2fc63a296ebeb0cd2d0 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 18 May 2023 13:35:20 +0200
+Subject: ALSA: hda: Fix unhandled register update during auto-suspend period
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 81302b1c7c997e8a56c1c2fc63a296ebeb0cd2d0 upstream.
+
+It's reported that the recording started right after the driver probe
+doesn't work properly, and it turned out that this is related with the
+codec auto-suspend. Namely, after the probe phase, the usage count
+goes zero, and the auto-suspend is programmed, but the codec is kept
+still active until the auto-suspend expiration. When an application
+(e.g. alsactl) updates the mixer values at this moment, the values are
+cached but not actually written. Then, starting arecord thereafter
+also results in the silence because of the missing unmute.
+
+The root cause is the handling of "lazy update" mode; when a mixer
+value is updated *after* the suspend, it should update only the cache
+and exits. At the resume, the cached value is written to the device,
+in turn. The problem is that the current code misinterprets the state
+of auto-suspend as if it were already suspended.
+
+Although we can add the check of the actual device state after
+pm_runtime_get_if_in_use() for catching the missing state, this won't
+suffice; the second call of regmap_update_bits_check() will skip
+writing the register because the cache has been already updated by the
+first call. So we'd need fixes in two different places.
+
+OTOH, a simpler fix is to replace pm_runtime_get_if_in_use() with
+pm_runtime_get_if_active() (with ign_usage_count=true). This change
+implies that the driver takes the pm refcount if the device is still
+in ACTIVE state and continues the processing. A small caveat is that
+this will leave the auto-suspend timer. But, since the timer callback
+itself checks the device state and aborts gracefully when it's active,
+this won't be any substantial problem.
+
+Long story short: we address the missing register-write problem just
+by replacing the pm_runtime_*() call in snd_hda_keep_power_up().
+
+Fixes: fc4f000bf8c0 ("ALSA: hda - Fix unexpected resume through regmap code path")
+Reported-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Closes: https://lore.kernel.org/r/a7478636-af11-92ab-731c-9b13c582a70d@linux.intel.com
+Suggested-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230518113520.15213-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/hdac_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/hda/hdac_device.c
++++ b/sound/hda/hdac_device.c
+@@ -611,7 +611,7 @@ EXPORT_SYMBOL_GPL(snd_hdac_power_up_pm);
+ int snd_hdac_keep_power_up(struct hdac_device *codec)
+ {
+ if (!atomic_inc_not_zero(&codec->in_pm)) {
+- int ret = pm_runtime_get_if_in_use(&codec->dev);
++ int ret = pm_runtime_get_if_active(&codec->dev, true);
+ if (!ret)
+ return -1;
+ if (ret < 0)
--- /dev/null
+From 4ca110cab46561cd74a2acd9b447435acb4bec5f Mon Sep 17 00:00:00 2001
+From: Bin Li <bin.li@canonical.com>
+Date: Wed, 24 May 2023 19:37:55 +0800
+Subject: ALSA: hda/realtek: Enable headset onLenovo M70/M90
+
+From: Bin Li <bin.li@canonical.com>
+
+commit 4ca110cab46561cd74a2acd9b447435acb4bec5f upstream.
+
+Lenovo M70/M90 Gen4 are equipped with ALC897, and they need
+ALC897_FIXUP_HEADSET_MIC_PIN quirk to make its headset mic work.
+The previous quirk for M70/M90 is for Gen3.
+
+Signed-off-by: Bin Li <bin.li@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230524113755.1346928-1-bin.li@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11699,6 +11699,8 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x17aa, 0x32cb, "Lenovo ThinkCentre M70", ALC897_FIXUP_HEADSET_MIC_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x32cf, "Lenovo ThinkCentre M950", ALC897_FIXUP_HEADSET_MIC_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x32f7, "Lenovo ThinkCentre M90", ALC897_FIXUP_HEADSET_MIC_PIN),
++ SND_PCI_QUIRK(0x17aa, 0x3321, "Lenovo ThinkCentre M70 Gen4", ALC897_FIXUP_HEADSET_MIC_PIN),
++ SND_PCI_QUIRK(0x17aa, 0x331b, "Lenovo ThinkCentre M90 Gen4", ALC897_FIXUP_HEADSET_MIC_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3742, "Lenovo TianYi510Pro-14IOB", ALC897_FIXUP_HEADSET_MIC_PIN2),
+ SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo Ideapad Y550P", ALC662_FIXUP_IDEAPAD),
+ SND_PCI_QUIRK(0x17aa, 0x3a0d, "Lenovo Ideapad Y550", ALC662_FIXUP_IDEAPAD),
--- /dev/null
+From 2efbafb91e12ff5a16cbafb0085e4c10c3fca493 Mon Sep 17 00:00:00 2001
+From: Peter Collingbourne <pcc@google.com>
+Date: Thu, 20 Apr 2023 14:09:45 -0700
+Subject: arm64: Also reset KASAN tag if page is not PG_mte_tagged
+
+From: Peter Collingbourne <pcc@google.com>
+
+commit 2efbafb91e12ff5a16cbafb0085e4c10c3fca493 upstream.
+
+Consider the following sequence of events:
+
+1) A page in a PROT_READ|PROT_WRITE VMA is faulted.
+2) Page migration allocates a page with the KASAN allocator,
+ causing it to receive a non-match-all tag, and uses it
+ to replace the page faulted in 1.
+3) The program uses mprotect() to enable PROT_MTE on the page faulted in 1.
+
+As a result of step 3, we are left with a non-match-all tag for a page
+with tags accessible to userspace, which can lead to the same kind of
+tag check faults that commit e74a68468062 ("arm64: Reset KASAN tag in
+copy_highpage with HW tags only") intended to fix.
+
+The general invariant that we have for pages in a VMA with VM_MTE_ALLOWED
+is that they cannot have a non-match-all tag. As a result of step 2, the
+invariant is broken. This means that the fix in the referenced commit
+was incomplete and we also need to reset the tag for pages without
+PG_mte_tagged.
+
+Fixes: e5b8d9218951 ("arm64: mte: reset the page tag in page->flags")
+Cc: <stable@vger.kernel.org> # 5.15
+Link: https://linux-review.googlesource.com/id/I7409cdd41acbcb215c2a7417c1e50d37b875beff
+Signed-off-by: Peter Collingbourne <pcc@google.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Link: https://lore.kernel.org/r/20230420210945.2313627-1-pcc@google.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/copypage.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/mm/copypage.c
++++ b/arch/arm64/mm/copypage.c
+@@ -21,9 +21,10 @@ void copy_highpage(struct page *to, stru
+
+ copy_page(kto, kfrom);
+
++ if (kasan_hw_tags_enabled())
++ page_kasan_tag_reset(to);
++
+ if (system_supports_mte() && page_mte_tagged(from)) {
+- if (kasan_hw_tags_enabled())
+- page_kasan_tag_reset(to);
+ mte_copy_page_tags(kto, kfrom);
+ set_page_mte_tagged(to);
+ }
--- /dev/null
+From 8b271370e963370703819bd9795a54d658071bed Mon Sep 17 00:00:00 2001
+From: Matthias Kaehlcke <mka@chromium.org>
+Date: Tue, 16 May 2023 16:46:30 +0000
+Subject: ASoC: rt5682: Disable jack detection interrupt during suspend
+
+From: Matthias Kaehlcke <mka@chromium.org>
+
+commit 8b271370e963370703819bd9795a54d658071bed upstream.
+
+The rt5682 driver switches its regmap to cache-only when the
+device suspends and back to regular mode on resume. When the
+jack detect interrupt fires rt5682_irq() schedules the jack
+detect work. This can result in invalid reads from the regmap
+in cache-only mode if the work runs before the device has
+resumed:
+
+[ 56.245502] rt5682 9-001a: ASoC: error at soc_component_read_no_lock on rt5682.9-001a for register: [0x000000f0] -16
+
+Disable the jack detection interrupt during suspend and
+re-enable it on resume. The driver already schedules the
+jack detection work on resume, so any state change during
+suspend is still handled.
+
+This is essentially the same as commit f7d00a9be147 ("SoC:
+rt5682s: Disable jack detection interrupt during suspend")
+for the rt5682s.
+
+Cc: stable@kernel.org
+Signed-off-by: Matthias Kaehlcke <mka@chromium.org
+Reviewed-by: Douglas Anderson <dianders@chromium.org
+Reviewed-by: Stephen Boyd <swboyd@chromium.org
+Link: https://lore.kernel.org/r/20230516164629.1.Ibf79e94b3442eecc0054d2b478779cc512d967fc@changeid
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/rt5682-i2c.c | 4 +++-
+ sound/soc/codecs/rt5682.c | 6 ++++++
+ sound/soc/codecs/rt5682.h | 1 +
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/rt5682-i2c.c
++++ b/sound/soc/codecs/rt5682-i2c.c
+@@ -267,7 +267,9 @@ static int rt5682_i2c_probe(struct i2c_c
+ ret = devm_request_threaded_irq(&i2c->dev, i2c->irq, NULL,
+ rt5682_irq, IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING
+ | IRQF_ONESHOT, "rt5682", rt5682);
+- if (ret)
++ if (!ret)
++ rt5682->irq = i2c->irq;
++ else
+ dev_err(&i2c->dev, "Failed to reguest IRQ: %d\n", ret);
+ }
+
+--- a/sound/soc/codecs/rt5682.c
++++ b/sound/soc/codecs/rt5682.c
+@@ -2957,6 +2957,9 @@ static int rt5682_suspend(struct snd_soc
+ if (rt5682->is_sdw)
+ return 0;
+
++ if (rt5682->irq)
++ disable_irq(rt5682->irq);
++
+ cancel_delayed_work_sync(&rt5682->jack_detect_work);
+ cancel_delayed_work_sync(&rt5682->jd_check_work);
+ if (rt5682->hs_jack && (rt5682->jack_type & SND_JACK_HEADSET) == SND_JACK_HEADSET) {
+@@ -3025,6 +3028,9 @@ static int rt5682_resume(struct snd_soc_
+ mod_delayed_work(system_power_efficient_wq,
+ &rt5682->jack_detect_work, msecs_to_jiffies(0));
+
++ if (rt5682->irq)
++ enable_irq(rt5682->irq);
++
+ return 0;
+ }
+ #else
+--- a/sound/soc/codecs/rt5682.h
++++ b/sound/soc/codecs/rt5682.h
+@@ -1462,6 +1462,7 @@ struct rt5682_priv {
+ int pll_out[RT5682_PLLS];
+
+ int jack_type;
++ int irq;
+ int irq_work_delay_time;
+ };
+
--- /dev/null
+From b845b574f86dcb6a70dfa698aa87a237b0878d2a Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@linux-m68k.org>
+Date: Sat, 6 May 2023 19:38:12 +1000
+Subject: m68k: Move signal frame following exception on 68020/030
+
+From: Finn Thain <fthain@linux-m68k.org>
+
+commit b845b574f86dcb6a70dfa698aa87a237b0878d2a upstream.
+
+On 68030/020, an instruction such as, moveml %a2-%a3/%a5,%sp@- may cause
+a stack page fault during instruction execution (i.e. not at an
+instruction boundary) and produce a format 0xB exception frame.
+
+In this situation, the value of USP will be unreliable. If a signal is
+to be delivered following the exception, this USP value is used to
+calculate the location for a signal frame. This can result in a
+corrupted user stack.
+
+The corruption was detected in dash (actually in glibc) where it showed
+up as an intermittent "stack smashing detected" message and crash
+following signal delivery for SIGCHLD.
+
+It was hard to reproduce that failure because delivery of the signal
+raced with the page fault and because the kernel places an unpredictable
+gap of up to 7 bytes between the USP and the signal frame.
+
+A format 0xB exception frame can be produced by a bus error or an
+address error. The 68030 Users Manual says that address errors occur
+immediately upon detection during instruction prefetch. The instruction
+pipeline allows prefetch to overlap with other instructions, which means
+an address error can arise during the execution of a different
+instruction. So it seems likely that this patch may help in the address
+error case also.
+
+Reported-and-tested-by: Stan Johnson <userm57@yahoo.com>
+Link: https://lore.kernel.org/all/CAMuHMdW3yD22_ApemzW_6me3adq6A458u1_F0v-1EYwK_62jPA@mail.gmail.com/
+Cc: Michael Schmitz <schmitzmic@gmail.com>
+Cc: Andreas Schwab <schwab@linux-m68k.org>
+Cc: stable@vger.kernel.org
+Co-developed-by: Michael Schmitz <schmitzmic@gmail.com>
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/r/9e66262a754fcba50208aa424188896cc52a1dd1.1683365892.git.fthain@linux-m68k.org
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/m68k/kernel/signal.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/arch/m68k/kernel/signal.c
++++ b/arch/m68k/kernel/signal.c
+@@ -858,11 +858,17 @@ static inline int rt_setup_ucontext(stru
+ }
+
+ static inline void __user *
+-get_sigframe(struct ksignal *ksig, size_t frame_size)
++get_sigframe(struct ksignal *ksig, struct pt_regs *tregs, size_t frame_size)
+ {
+ unsigned long usp = sigsp(rdusp(), ksig);
++ unsigned long gap = 0;
+
+- return (void __user *)((usp - frame_size) & -8UL);
++ if (CPU_IS_020_OR_030 && tregs->format == 0xb) {
++ /* USP is unreliable so use worst-case value */
++ gap = 256;
++ }
++
++ return (void __user *)((usp - gap - frame_size) & -8UL);
+ }
+
+ static int setup_frame(struct ksignal *ksig, sigset_t *set,
+@@ -880,7 +886,7 @@ static int setup_frame(struct ksignal *k
+ return -EFAULT;
+ }
+
+- frame = get_sigframe(ksig, sizeof(*frame) + fsize);
++ frame = get_sigframe(ksig, tregs, sizeof(*frame) + fsize);
+
+ if (fsize)
+ err |= copy_to_user (frame + 1, regs + 1, fsize);
+@@ -952,7 +958,7 @@ static int setup_rt_frame(struct ksignal
+ return -EFAULT;
+ }
+
+- frame = get_sigframe(ksig, sizeof(*frame));
++ frame = get_sigframe(ksig, tregs, sizeof(*frame));
+
+ if (fsize)
+ err |= copy_to_user (&frame->uc.uc_extra, regs + 1, fsize);
--- /dev/null
+From 003fb0a51162d940f25fc35e70b0996a12c9e08a Mon Sep 17 00:00:00 2001
+From: Christian Loehle <CLoehle@hyperstone.com>
+Date: Wed, 26 Apr 2023 16:59:39 +0000
+Subject: mmc: block: ensure error propagation for non-blk
+
+From: Christian Loehle <CLoehle@hyperstone.com>
+
+commit 003fb0a51162d940f25fc35e70b0996a12c9e08a upstream.
+
+Requests to the mmc layer usually come through a block device IO.
+The exceptions are the ioctl interface, RPMB chardev ioctl
+and debugfs, which issue their own blk_mq requests through
+blk_execute_rq and do not query the BLK_STS error but the
+mmcblk-internal drv_op_result. This patch ensures that drv_op_result
+defaults to an error and has to be overwritten by the operation
+to be considered successful.
+
+The behavior leads to a bug where the request never propagates
+the error, e.g. by directly erroring out at mmc_blk_mq_issue_rq if
+mmc_blk_part_switch fails. The ioctl caller of the rpmb chardev then
+can never see an error (BLK_STS_IOERR, but drv_op_result is unchanged)
+and thus may assume that their call executed successfully when it did not.
+
+While always checking the blk_execute_rq return value would be
+advised, let's eliminate the error by always setting
+drv_op_result as -EIO to be overwritten on success (or other error)
+
+Fixes: 614f0388f580 ("mmc: block: move single ioctl() commands to block requests")
+Signed-off-by: Christian Loehle <cloehle@hyperstone.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/59c17ada35664b818b7bd83752119b2d@hyperstone.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/block.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -266,6 +266,7 @@ static ssize_t power_ro_lock_store(struc
+ goto out_put;
+ }
+ req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_BOOT_WP;
++ req_to_mmc_queue_req(req)->drv_op_result = -EIO;
+ blk_execute_rq(req, false);
+ ret = req_to_mmc_queue_req(req)->drv_op_result;
+ blk_mq_free_request(req);
+@@ -657,6 +658,7 @@ static int mmc_blk_ioctl_cmd(struct mmc_
+ idatas[0] = idata;
+ req_to_mmc_queue_req(req)->drv_op =
+ rpmb ? MMC_DRV_OP_IOCTL_RPMB : MMC_DRV_OP_IOCTL;
++ req_to_mmc_queue_req(req)->drv_op_result = -EIO;
+ req_to_mmc_queue_req(req)->drv_op_data = idatas;
+ req_to_mmc_queue_req(req)->ioc_count = 1;
+ blk_execute_rq(req, false);
+@@ -728,6 +730,7 @@ static int mmc_blk_ioctl_multi_cmd(struc
+ }
+ req_to_mmc_queue_req(req)->drv_op =
+ rpmb ? MMC_DRV_OP_IOCTL_RPMB : MMC_DRV_OP_IOCTL;
++ req_to_mmc_queue_req(req)->drv_op_result = -EIO;
+ req_to_mmc_queue_req(req)->drv_op_data = idata;
+ req_to_mmc_queue_req(req)->ioc_count = n;
+ blk_execute_rq(req, false);
+@@ -2812,6 +2815,7 @@ static int mmc_dbg_card_status_get(void
+ if (IS_ERR(req))
+ return PTR_ERR(req);
+ req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_GET_CARD_STATUS;
++ req_to_mmc_queue_req(req)->drv_op_result = -EIO;
+ blk_execute_rq(req, false);
+ ret = req_to_mmc_queue_req(req)->drv_op_result;
+ if (ret >= 0) {
+@@ -2850,6 +2854,7 @@ static int mmc_ext_csd_open(struct inode
+ goto out_free;
+ }
+ req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_GET_EXT_CSD;
++ req_to_mmc_queue_req(req)->drv_op_result = -EIO;
+ req_to_mmc_queue_req(req)->drv_op_data = &ext_csd;
+ blk_execute_rq(req, false);
+ err = req_to_mmc_queue_req(req)->drv_op_result;
--- /dev/null
+From 81dce1490e28439c3cd8a8650b862a712f3061ba Mon Sep 17 00:00:00 2001
+From: Haibo Chen <haibo.chen@nxp.com>
+Date: Thu, 4 May 2023 19:22:22 +0800
+Subject: mmc: sdhci-esdhc-imx: make "no-mmc-hs400" works
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+commit 81dce1490e28439c3cd8a8650b862a712f3061ba upstream.
+
+After commit 1ed5c3b22fc7 ("mmc: sdhci-esdhc-imx: Propagate
+ESDHC_FLAG_HS400* only on 8bit bus"), the property "no-mmc-hs400"
+from device tree file do not work any more.
+This patch reorder the code, which can avoid the warning message
+"drop HS400 support since no 8-bit bus" and also make the property
+"no-mmc-hs400" from dts file works.
+
+Fixes: 1ed5c3b22fc7 ("mmc: sdhci-esdhc-imx: Propagate ESDHC_FLAG_HS400* only on 8bit bus")
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230504112222.3599602-1-haibo.chen@nxp.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -1585,6 +1585,10 @@ sdhci_esdhc_imx_probe_dt(struct platform
+ if (ret)
+ return ret;
+
++ /* HS400/HS400ES require 8 bit bus */
++ if (!(host->mmc->caps & MMC_CAP_8_BIT_DATA))
++ host->mmc->caps2 &= ~(MMC_CAP2_HS400 | MMC_CAP2_HS400_ES);
++
+ if (mmc_gpio_get_cd(host->mmc) >= 0)
+ host->quirks &= ~SDHCI_QUIRK_BROKEN_CARD_DETECTION;
+
+@@ -1669,10 +1673,6 @@ static int sdhci_esdhc_imx_probe(struct
+ host->mmc_host_ops.execute_tuning = usdhc_execute_tuning;
+ }
+
+- err = sdhci_esdhc_imx_probe_dt(pdev, host, imx_data);
+- if (err)
+- goto disable_ahb_clk;
+-
+ if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING)
+ sdhci_esdhc_ops.platform_execute_tuning =
+ esdhc_executing_tuning;
+@@ -1680,15 +1680,13 @@ static int sdhci_esdhc_imx_probe(struct
+ if (imx_data->socdata->flags & ESDHC_FLAG_ERR004536)
+ host->quirks |= SDHCI_QUIRK_BROKEN_ADMA;
+
+- if (host->mmc->caps & MMC_CAP_8_BIT_DATA &&
+- imx_data->socdata->flags & ESDHC_FLAG_HS400)
++ if (imx_data->socdata->flags & ESDHC_FLAG_HS400)
+ host->mmc->caps2 |= MMC_CAP2_HS400;
+
+ if (imx_data->socdata->flags & ESDHC_FLAG_BROKEN_AUTO_CMD23)
+ host->quirks2 |= SDHCI_QUIRK2_ACMD23_BROKEN;
+
+- if (host->mmc->caps & MMC_CAP_8_BIT_DATA &&
+- imx_data->socdata->flags & ESDHC_FLAG_HS400_ES) {
++ if (imx_data->socdata->flags & ESDHC_FLAG_HS400_ES) {
+ host->mmc->caps2 |= MMC_CAP2_HS400_ES;
+ host->mmc_host_ops.hs400_enhanced_strobe =
+ esdhc_hs400_enhanced_strobe;
+@@ -1710,6 +1708,10 @@ static int sdhci_esdhc_imx_probe(struct
+ goto disable_ahb_clk;
+ }
+
++ err = sdhci_esdhc_imx_probe_dt(pdev, host, imx_data);
++ if (err)
++ goto disable_ahb_clk;
++
+ sdhci_esdhc_imx_hwinit(host);
+
+ err = sdhci_add_host(host);
--- /dev/null
+From 7e01c7f7046efc2c7c192c3619db43292b98e997 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+Date: Wed, 17 May 2023 13:38:08 +0000
+Subject: net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
+
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+
+commit 7e01c7f7046efc2c7c192c3619db43292b98e997 upstream.
+
+Currently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than
+the calculated "min" value, but greater than zero, the logic sets
+tx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in
+cdc_ncm_fill_tx_frame() where all the data is handled.
+
+For small values of dwNtbOutMaxSize the memory allocated during
+alloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to
+how size is aligned at alloc time:
+ size = SKB_DATA_ALIGN(size);
+ size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+Thus we hit the same bug that we tried to squash with
+commit 2be6d4d16a084 ("net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero")
+
+Low values of dwNtbOutMaxSize do not cause an issue presently because at
+alloc_skb() time more memory (512b) is allocated than required for the
+SKB headers alone (320b), leaving some space (512b - 320b = 192b)
+for CDC data (172b).
+
+However, if more elements (for example 3 x u64 = [24b]) were added to
+one of the SKB header structs, say 'struct skb_shared_info',
+increasing its original size (320b [320b aligned]) to something larger
+(344b [384b aligned]), then suddenly the CDC data (172b) no longer
+fits in the spare SKB data area (512b - 384b = 128b).
+
+Consequently the SKB bounds checking semantics fails and panics:
+
+skbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev:<NULL>
+------------[ cut here ]------------
+kernel BUG at net/core/skbuff.c:113!
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+CPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
+Workqueue: mld mld_ifc_work
+RIP: 0010:skb_panic net/core/skbuff.c:113 [inline]
+RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118
+[snip]
+Call Trace:
+ <TASK>
+ skb_put+0x151/0x210 net/core/skbuff.c:2047
+ skb_put_zero include/linux/skbuff.h:2422 [inline]
+ cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]
+ cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308
+ cdc_ncm_tx_fixup+0xa3/0x100
+
+Deal with too low values of dwNtbOutMaxSize, clamp it in the range
+[USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure
+enough data space is allocated to handle CDC data by making sure
+dwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE.
+
+Fixes: 289507d3364f ("net: cdc_ncm: use sysfs for rx/tx aggregation tuning")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+9f575a1f15fc0c01ed69@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=b982f1059506db48409d
+Link: https://lore.kernel.org/all/20211202143437.1411410-1-lee.jones@linaro.org/
+Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230517133808.1873695-2-tudor.ambarus@linaro.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/cdc_ncm.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -180,9 +180,12 @@ static u32 cdc_ncm_check_tx_max(struct u
+ else
+ min = ctx->max_datagram_size + ctx->max_ndp_size + sizeof(struct usb_cdc_ncm_nth32);
+
+- max = min_t(u32, CDC_NCM_NTB_MAX_SIZE_TX, le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize));
+- if (max == 0)
++ if (le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize) == 0)
+ max = CDC_NCM_NTB_MAX_SIZE_TX; /* dwNtbOutMaxSize not set */
++ else
++ max = clamp_t(u32, le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize),
++ USB_CDC_NCM_NTB_MIN_OUT_SIZE,
++ CDC_NCM_NTB_MAX_SIZE_TX);
+
+ /* some devices set dwNtbOutMaxSize too low for the above default */
+ min = min(min, max);
+@@ -1243,6 +1246,9 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev
+ * further.
+ */
+ if (skb_out == NULL) {
++ /* If even the smallest allocation fails, abort. */
++ if (ctx->tx_curr_size == USB_CDC_NCM_NTB_MIN_OUT_SIZE)
++ goto alloc_failed;
+ ctx->tx_low_mem_max_cnt = min(ctx->tx_low_mem_max_cnt + 1,
+ (unsigned)CDC_NCM_LOW_MEM_MAX_CNT);
+ ctx->tx_low_mem_val = ctx->tx_low_mem_max_cnt;
+@@ -1261,13 +1267,8 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev
+ skb_out = alloc_skb(ctx->tx_curr_size, GFP_ATOMIC);
+
+ /* No allocation possible so we will abort */
+- if (skb_out == NULL) {
+- if (skb != NULL) {
+- dev_kfree_skb_any(skb);
+- dev->net->stats.tx_dropped++;
+- }
+- goto exit_no_skb;
+- }
++ if (!skb_out)
++ goto alloc_failed;
+ ctx->tx_low_mem_val--;
+ }
+ if (ctx->is_ndp16) {
+@@ -1460,6 +1461,11 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev
+
+ return skb_out;
+
++alloc_failed:
++ if (skb) {
++ dev_kfree_skb_any(skb);
++ dev->net->stats.tx_dropped++;
++ }
+ exit_no_skb:
+ /* Start timer, if there is a remaining non-empty skb */
+ if (ctx->tx_curr_skb != NULL && n > 0)
--- /dev/null
+From 2028315cf59bb899a5ac7e87dc48ecb8fac7ac24 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Mon, 22 May 2023 22:57:30 +0200
+Subject: parisc: Allow to reboot machine after system halt
+
+From: Helge Deller <deller@gmx.de>
+
+commit 2028315cf59bb899a5ac7e87dc48ecb8fac7ac24 upstream.
+
+In case a machine can't power-off itself on system shutdown,
+allow the user to reboot it by pressing the RETURN key.
+
+Cc: <stable@vger.kernel.org> # v4.14+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/process.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/parisc/kernel/process.c
++++ b/arch/parisc/kernel/process.c
+@@ -122,13 +122,18 @@ void machine_power_off(void)
+ /* It seems we have no way to power the system off via
+ * software. The user has to press the button himself. */
+
+- printk(KERN_EMERG "System shut down completed.\n"
+- "Please power this system off now.");
++ printk("Power off or press RETURN to reboot.\n");
+
+ /* prevent soft lockup/stalled CPU messages for endless loop. */
+ rcu_sysrq_start();
+ lockup_detector_soft_poweroff();
+- for (;;);
++ while (1) {
++ /* reboot if user presses RETURN key */
++ if (pdc_iodc_getc() == 13) {
++ printk("Rebooting...\n");
++ machine_restart(NULL);
++ }
++ }
+ }
+
+ void (*pm_power_off)(void);
--- /dev/null
+From adf8e96a7ea670d45b5de7594acc67e8f4787ae6 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Tue, 23 May 2023 09:06:40 +0200
+Subject: parisc: Enable LOCKDEP support
+
+From: Helge Deller <deller@gmx.de>
+
+commit adf8e96a7ea670d45b5de7594acc67e8f4787ae6 upstream.
+
+Cc: <stable@vger.kernel.org> # v6.0+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/Kconfig | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/parisc/Kconfig
++++ b/arch/parisc/Kconfig
+@@ -129,6 +129,10 @@ config PM
+ config STACKTRACE_SUPPORT
+ def_bool y
+
++config LOCKDEP_SUPPORT
++ bool
++ default y
++
+ config ISA_DMA_API
+ bool
+
--- /dev/null
+From 61e150fb310729c98227a5edf6e4a3619edc3702 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Wed, 24 May 2023 17:07:07 +0200
+Subject: parisc: Fix flush_dcache_page() for usage from irq context
+
+From: Helge Deller <deller@gmx.de>
+
+commit 61e150fb310729c98227a5edf6e4a3619edc3702 upstream.
+
+Since at least kernel 6.1, flush_dcache_page() is called with IRQs
+disabled, e.g. from aio_complete().
+
+But the current implementation for flush_dcache_page() on parisc
+unintentionally re-enables IRQs, which may lead to deadlocks.
+
+Fix it by using xa_lock_irqsave() and xa_unlock_irqrestore()
+for the flush_dcache_mmap_*lock() macros instead.
+
+Cc: linux-parisc@vger.kernel.org
+Cc: stable@kernel.org # 5.18+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/asm/cacheflush.h | 4 ++++
+ arch/parisc/kernel/cache.c | 5 +++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/parisc/include/asm/cacheflush.h b/arch/parisc/include/asm/cacheflush.h
+index 0bdee6724132..c8b6928cee1e 100644
+--- a/arch/parisc/include/asm/cacheflush.h
++++ b/arch/parisc/include/asm/cacheflush.h
+@@ -48,6 +48,10 @@ void flush_dcache_page(struct page *page);
+
+ #define flush_dcache_mmap_lock(mapping) xa_lock_irq(&mapping->i_pages)
+ #define flush_dcache_mmap_unlock(mapping) xa_unlock_irq(&mapping->i_pages)
++#define flush_dcache_mmap_lock_irqsave(mapping, flags) \
++ xa_lock_irqsave(&mapping->i_pages, flags)
++#define flush_dcache_mmap_unlock_irqrestore(mapping, flags) \
++ xa_unlock_irqrestore(&mapping->i_pages, flags)
+
+ #define flush_icache_page(vma,page) do { \
+ flush_kernel_dcache_page_addr(page_address(page)); \
+diff --git a/arch/parisc/kernel/cache.c b/arch/parisc/kernel/cache.c
+index 1d3b8bc8a623..ca4a302d4365 100644
+--- a/arch/parisc/kernel/cache.c
++++ b/arch/parisc/kernel/cache.c
+@@ -399,6 +399,7 @@ void flush_dcache_page(struct page *page)
+ unsigned long offset;
+ unsigned long addr, old_addr = 0;
+ unsigned long count = 0;
++ unsigned long flags;
+ pgoff_t pgoff;
+
+ if (mapping && !mapping_mapped(mapping)) {
+@@ -420,7 +421,7 @@ void flush_dcache_page(struct page *page)
+ * to flush one address here for them all to become coherent
+ * on machines that support equivalent aliasing
+ */
+- flush_dcache_mmap_lock(mapping);
++ flush_dcache_mmap_lock_irqsave(mapping, flags);
+ vma_interval_tree_foreach(mpnt, &mapping->i_mmap, pgoff, pgoff) {
+ offset = (pgoff - mpnt->vm_pgoff) << PAGE_SHIFT;
+ addr = mpnt->vm_start + offset;
+@@ -460,7 +461,7 @@ void flush_dcache_page(struct page *page)
+ }
+ WARN_ON(++count == 4096);
+ }
+- flush_dcache_mmap_unlock(mapping);
++ flush_dcache_mmap_unlock_irqrestore(mapping, flags);
+ }
+ EXPORT_SYMBOL(flush_dcache_page);
+
+--
+2.40.1
+
--- /dev/null
+From 6888ff04e37d01295620a73f3f7efbc79f6ef152 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Wed, 24 May 2023 14:34:58 +0200
+Subject: parisc: Handle kgdb breakpoints only in kernel context
+
+From: Helge Deller <deller@gmx.de>
+
+commit 6888ff04e37d01295620a73f3f7efbc79f6ef152 upstream.
+
+The kernel kgdb break instructions should only be handled when running
+in kernel context.
+
+Cc: <stable@vger.kernel.org> # v5.4+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/traps.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/kernel/traps.c
++++ b/arch/parisc/kernel/traps.c
+@@ -302,8 +302,8 @@ static void handle_break(struct pt_regs
+ #endif
+
+ #ifdef CONFIG_KGDB
+- if (unlikely(iir == PARISC_KGDB_COMPILED_BREAK_INSN ||
+- iir == PARISC_KGDB_BREAK_INSN)) {
++ if (unlikely((iir == PARISC_KGDB_COMPILED_BREAK_INSN ||
++ iir == PARISC_KGDB_BREAK_INSN)) && !user_mode(regs)) {
+ kgdb_handle_exception(9, SIGTRAP, 0, regs);
+ return;
+ }
--- /dev/null
+From df419492e428b6a2bce98d0f613c58a13da6666c Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Wed, 24 May 2023 14:31:14 +0200
+Subject: parisc: Handle kprobes breakpoints only in kernel context
+
+From: Helge Deller <deller@gmx.de>
+
+commit df419492e428b6a2bce98d0f613c58a13da6666c upstream.
+
+The kernel kprobes break instructions should only be handled when running
+in kernel context.
+
+Cc: <stable@vger.kernel.org> # v5.18+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/traps.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/kernel/traps.c
++++ b/arch/parisc/kernel/traps.c
+@@ -291,11 +291,11 @@ static void handle_break(struct pt_regs
+ }
+
+ #ifdef CONFIG_KPROBES
+- if (unlikely(iir == PARISC_KPROBES_BREAK_INSN)) {
++ if (unlikely(iir == PARISC_KPROBES_BREAK_INSN && !user_mode(regs))) {
+ parisc_kprobe_break_handler(regs);
+ return;
+ }
+- if (unlikely(iir == PARISC_KPROBES_BREAK_INSN2)) {
++ if (unlikely(iir == PARISC_KPROBES_BREAK_INSN2 && !user_mode(regs))) {
+ parisc_kprobe_ss_handler(regs);
+ return;
+ }
--- /dev/null
+From b6405f0829d7b1dd926ba3ca5f691cab835abfaa Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Fri, 19 May 2023 12:12:06 +0200
+Subject: parisc: Use num_present_cpus() in alternative patching code
+
+From: Helge Deller <deller@gmx.de>
+
+commit b6405f0829d7b1dd926ba3ca5f691cab835abfaa upstream.
+
+When patching the kernel code some alternatives depend on SMP vs. !SMP.
+Use the value of num_present_cpus() instead of num_online_cpus() to
+decide, otherwise we may run into issues if and additional CPU is
+enabled after having loaded a module while only one CPU was enabled.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: <stable@vger.kernel.org> # v6.1+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/alternative.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/parisc/kernel/alternative.c b/arch/parisc/kernel/alternative.c
+index 66f5672c70bd..25c4d6c3375d 100644
+--- a/arch/parisc/kernel/alternative.c
++++ b/arch/parisc/kernel/alternative.c
+@@ -25,7 +25,7 @@ void __init_or_module apply_alternatives(struct alt_instr *start,
+ {
+ struct alt_instr *entry;
+ int index = 0, applied = 0;
+- int num_cpus = num_online_cpus();
++ int num_cpus = num_present_cpus();
+ u16 cond_check;
+
+ cond_check = ALT_COND_ALWAYS |
+--
+2.40.1
+
--- /dev/null
+From 3279decb2c3c8d58cb0b70ed5235c480735a36ee Mon Sep 17 00:00:00 2001
+From: David Arcari <darcari@redhat.com>
+Date: Tue, 23 May 2023 06:54:00 -0400
+Subject: platform/x86/intel/ifs: Annotate work queue on stack so object debug does not complain
+
+From: David Arcari <darcari@redhat.com>
+
+commit 3279decb2c3c8d58cb0b70ed5235c480735a36ee upstream.
+
+Object Debug results in the following warning while attempting to load
+ifs firmware:
+
+[ 220.007422] ODEBUG: object 000000003bf952db is on stack 00000000e843994b, but NOT annotated.
+[ 220.007459] ------------[ cut here ]------------
+[ 220.007461] WARNING: CPU: 0 PID: 11774 at lib/debugobjects.c:548 __debug_object_init.cold+0x22e/0x2d5
+[ 220.137476] RIP: 0010:__debug_object_init.cold+0x22e/0x2d5
+[ 220.254774] Call Trace:
+[ 220.257641] <TASK>
+[ 220.265606] scan_chunks_sanity_check+0x368/0x5f0 [intel_ifs]
+[ 220.288292] ifs_load_firmware+0x2a3/0x400 [intel_ifs]
+[ 220.332793] current_batch_store+0xea/0x160 [intel_ifs]
+[ 220.357947] kernfs_fop_write_iter+0x355/0x530
+[ 220.363048] new_sync_write+0x28e/0x4a0
+[ 220.381226] vfs_write+0x62a/0x920
+[ 220.385160] ksys_write+0xf9/0x1d0
+[ 220.399421] do_syscall_64+0x59/0x90
+[ 220.440635] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 220.566845] ---[ end trace 3a01b299db142b41 ]---
+
+Correct this by calling INIT_WORK_ONSTACK instead of INIT_WORK.
+
+Fixes: 684ec215706d ("platform/x86/intel/ifs: Authenticate and copy to secured memory")
+
+Signed-off-by: David Arcari <darcari@redhat.com>
+Cc: Jithu Joseph <jithu.joseph@intel.com>
+Cc: Ashok Raj <ashok.raj@intel.com>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Cc: Mark Gross <markgross@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230523105400.674152-1-darcari@redhat.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/intel/ifs/load.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/intel/ifs/load.c
++++ b/drivers/platform/x86/intel/ifs/load.c
+@@ -154,7 +154,7 @@ static int scan_chunks_sanity_check(stru
+ continue;
+ reinit_completion(&ifs_done);
+ local_work.dev = dev;
+- INIT_WORK(&local_work.w, copy_hashes_authenticate_chunks);
++ INIT_WORK_ONSTACK(&local_work.w, copy_hashes_authenticate_chunks);
+ schedule_work_on(cpu, &local_work.w);
+ wait_for_completion(&ifs_done);
+ if (ifsd->loading_error)
--- /dev/null
+From f8319774d6f1567d6e7d03653174ab0c82c5c66d Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 15 Apr 2023 18:07:30 +0200
+Subject: power: supply: axp288_fuel_gauge: Fix external_power_changed race
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit f8319774d6f1567d6e7d03653174ab0c82c5c66d upstream.
+
+fuel_gauge_external_power_changed() dereferences info->bat,
+which gets sets in axp288_fuel_gauge_probe() like this:
+
+ info->bat = devm_power_supply_register(dev, &fuel_gauge_desc, &psy_cfg);
+
+As soon as devm_power_supply_register() has called device_add()
+the external_power_changed callback can get called. So there is a window
+where fuel_gauge_external_power_changed() may get called while
+info->bat has not been set yet leading to a NULL pointer dereference.
+
+Fixing this is easy. The external_power_changed callback gets passed
+the power_supply which will eventually get stored in info->bat,
+so fuel_gauge_external_power_changed() can simply directly use
+the passed in psy argument which is always valid.
+
+Fixes: 30abb3d07929 ("power: supply: axp288_fuel_gauge: Take lock before updating the valid flag")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/axp288_fuel_gauge.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/axp288_fuel_gauge.c b/drivers/power/supply/axp288_fuel_gauge.c
+index 05f413178462..3be6f3b10ea4 100644
+--- a/drivers/power/supply/axp288_fuel_gauge.c
++++ b/drivers/power/supply/axp288_fuel_gauge.c
+@@ -507,7 +507,7 @@ static void fuel_gauge_external_power_changed(struct power_supply *psy)
+ mutex_lock(&info->lock);
+ info->valid = 0; /* Force updating of the cached registers */
+ mutex_unlock(&info->lock);
+- power_supply_changed(info->bat);
++ power_supply_changed(psy);
+ }
+
+ static struct power_supply_desc fuel_gauge_desc = {
+--
+2.40.1
+
--- /dev/null
+From 029a443b9b6424170f00f6dd5b7682e682cce92e Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 15 Apr 2023 18:07:31 +0200
+Subject: power: supply: bq25890: Fix external_power_changed race
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 029a443b9b6424170f00f6dd5b7682e682cce92e upstream.
+
+bq25890_charger_external_power_changed() dereferences bq->charger,
+which gets sets in bq25890_power_supply_init() like this:
+
+ bq->charger = devm_power_supply_register(bq->dev, &bq->desc, &psy_cfg);
+
+As soon as devm_power_supply_register() has called device_add()
+the external_power_changed callback can get called. So there is a window
+where bq25890_charger_external_power_changed() may get called while
+bq->charger has not been set yet leading to a NULL pointer dereference.
+
+This race hits during boot sometimes on a Lenovo Yoga Book 1 yb1-x90f
+when the cht_wcove_pwrsrc (extcon) power_supply is done with detecting
+the connected charger-type which happens to exactly hit the small window:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000018
+ <snip>
+ RIP: 0010:__power_supply_is_supplied_by+0xb/0xb0
+ <snip>
+ Call Trace:
+ <TASK>
+ __power_supply_get_supplier_property+0x19/0x50
+ class_for_each_device+0xb1/0xe0
+ power_supply_get_property_from_supplier+0x2e/0x50
+ bq25890_charger_external_power_changed+0x38/0x1b0 [bq25890_charger]
+ __power_supply_changed_work+0x30/0x40
+ class_for_each_device+0xb1/0xe0
+ power_supply_changed_work+0x5f/0xe0
+ <snip>
+
+Fixing this is easy. The external_power_changed callback gets passed
+the power_supply which will eventually get stored in bq->charger,
+so bq25890_charger_external_power_changed() can simply directly use
+the passed in psy argument which is always valid.
+
+Fixes: eab25b4f93aa ("power: supply: bq25890: On the bq25892 set the IINLIM based on external charger detection")
+Cc: stable@vger.kernel.org
+Cc: Marek Vasut <marex@denx.de>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/bq25890_charger.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/power/supply/bq25890_charger.c
++++ b/drivers/power/supply/bq25890_charger.c
+@@ -650,7 +650,7 @@ static void bq25890_charger_external_pow
+ if (bq->chip_version != BQ25892)
+ return;
+
+- ret = power_supply_get_property_from_supplier(bq->charger,
++ ret = power_supply_get_property_from_supplier(psy,
+ POWER_SUPPLY_PROP_USB_TYPE,
+ &val);
+ if (ret)
net-dsa-mv88e6xxx-add-rgmii-delay-to-88e6320.patch
drm-amd-display-hpd-rx-irq-not-working-with-edp-interface.patch
ocfs2-switch-to-security_inode_init_security.patch
+arm64-also-reset-kasan-tag-if-page-is-not-pg_mte_tagged.patch
+x86-mm-avoid-incomplete-global-invlpg-flushes.patch
+platform-x86-intel-ifs-annotate-work-queue-on-stack-so-object-debug-does-not-complain.patch
+alsa-hda-ca0132-add-quirk-for-evga-x299-dark.patch
+alsa-hda-fix-unhandled-register-update-during-auto-suspend-period.patch
+alsa-hda-realtek-enable-headset-onlenovo-m70-m90.patch
+sunrpc-don-t-change-task-tk_status-after-the-call-to-rpc_exit_task.patch
+mmc-sdhci-esdhc-imx-make-no-mmc-hs400-works.patch
+mmc-block-ensure-error-propagation-for-non-blk.patch
+power-supply-axp288_fuel_gauge-fix-external_power_changed-race.patch
+power-supply-bq25890-fix-external_power_changed-race.patch
+asoc-rt5682-disable-jack-detection-interrupt-during-suspend.patch
+net-cdc_ncm-deal-with-too-low-values-of-dwntboutmaxsize.patch
+m68k-move-signal-frame-following-exception-on-68020-030.patch
+xtensa-fix-signal-delivery-to-fdpic-process.patch
+xtensa-add-__bswap-si-di-2-helpers.patch
+parisc-use-num_present_cpus-in-alternative-patching-code.patch
+parisc-handle-kgdb-breakpoints-only-in-kernel-context.patch
+parisc-fix-flush_dcache_page-for-usage-from-irq-context.patch
+parisc-allow-to-reboot-machine-after-system-halt.patch
+parisc-enable-lockdep-support.patch
+parisc-handle-kprobes-breakpoints-only-in-kernel-context.patch
--- /dev/null
+From d180891fba995bd54e25b089b1ec98d134873586 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Wed, 10 May 2023 12:28:00 -0400
+Subject: SUNRPC: Don't change task->tk_status after the call to rpc_exit_task
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit d180891fba995bd54e25b089b1ec98d134873586 upstream.
+
+Some calls to rpc_exit_task() may deliberately change the value of
+task->tk_status, for instance because it gets checked by the RPC call's
+rpc_release() callback. That makes it wrong to reset the value to
+task->tk_rpc_status.
+In particular this causes a bug where the rpc_call_done() callback tries
+to fail over a set of pNFS/flexfiles writes to a different IP address,
+but the reset of task->tk_status causes nfs_commit_release_pages() to
+immediately mark the file as having a fatal error.
+
+Fixes: 39494194f93b ("SUNRPC: Fix races with rpc_killall_tasks()")
+Cc: stable@vger.kernel.org # 6.1.x
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/sched.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
+index c8321de341ee..6debf4fd42d4 100644
+--- a/net/sunrpc/sched.c
++++ b/net/sunrpc/sched.c
+@@ -927,11 +927,10 @@ static void __rpc_execute(struct rpc_task *task)
+ */
+ do_action = task->tk_action;
+ /* Tasks with an RPC error status should exit */
+- if (do_action != rpc_exit_task &&
++ if (do_action && do_action != rpc_exit_task &&
+ (status = READ_ONCE(task->tk_rpc_status)) != 0) {
+ task->tk_status = status;
+- if (do_action != NULL)
+- do_action = rpc_exit_task;
++ do_action = rpc_exit_task;
+ }
+ /* Callbacks override all actions */
+ if (task->tk_callback) {
+--
+2.40.1
+
--- /dev/null
+From ce0b15d11ad837fbacc5356941712218e38a0a83 Mon Sep 17 00:00:00 2001
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Tue, 16 May 2023 12:24:25 -0700
+Subject: x86/mm: Avoid incomplete Global INVLPG flushes
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+commit ce0b15d11ad837fbacc5356941712218e38a0a83 upstream.
+
+The INVLPG instruction is used to invalidate TLB entries for a
+specified virtual address. When PCIDs are enabled, INVLPG is supposed
+to invalidate TLB entries for the specified address for both the
+current PCID *and* Global entries. (Note: Only kernel mappings set
+Global=1.)
+
+Unfortunately, some INVLPG implementations can leave Global
+translations unflushed when PCIDs are enabled.
+
+As a workaround, never enable PCIDs on affected processors.
+
+I expect there to eventually be microcode mitigations to replace this
+software workaround. However, the exact version numbers where that
+will happen are not known today. Once the version numbers are set in
+stone, the processor list can be tweaked to only disable PCIDs on
+affected processors with affected microcode.
+
+Note: if anyone wants a quick fix that doesn't require patching, just
+stick 'nopcid' on your kernel command-line.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/init.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/arch/x86/mm/init.c
++++ b/arch/x86/mm/init.c
+@@ -9,6 +9,7 @@
+ #include <linux/sched/task.h>
+
+ #include <asm/set_memory.h>
++#include <asm/cpu_device_id.h>
+ #include <asm/e820/api.h>
+ #include <asm/init.h>
+ #include <asm/page.h>
+@@ -260,6 +261,24 @@ static void __init probe_page_size_mask(
+ }
+ }
+
++#define INTEL_MATCH(_model) { .vendor = X86_VENDOR_INTEL, \
++ .family = 6, \
++ .model = _model, \
++ }
++/*
++ * INVLPG may not properly flush Global entries
++ * on these CPUs when PCIDs are enabled.
++ */
++static const struct x86_cpu_id invlpg_miss_ids[] = {
++ INTEL_MATCH(INTEL_FAM6_ALDERLAKE ),
++ INTEL_MATCH(INTEL_FAM6_ALDERLAKE_L ),
++ INTEL_MATCH(INTEL_FAM6_ALDERLAKE_N ),
++ INTEL_MATCH(INTEL_FAM6_RAPTORLAKE ),
++ INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_P),
++ INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_S),
++ {}
++};
++
+ static void setup_pcid(void)
+ {
+ if (!IS_ENABLED(CONFIG_X86_64))
+@@ -268,6 +287,12 @@ static void setup_pcid(void)
+ if (!boot_cpu_has(X86_FEATURE_PCID))
+ return;
+
++ if (x86_match_cpu(invlpg_miss_ids)) {
++ pr_info("Incomplete global flushes, disabling PCID");
++ setup_clear_cpu_cap(X86_FEATURE_PCID);
++ return;
++ }
++
+ if (boot_cpu_has(X86_FEATURE_PGE)) {
+ /*
+ * This can't be cr4_set_bits_and_update_boot() -- the
--- /dev/null
+From 034f4a7877c32a8efd6beee4d71ed14e424499a9 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Sat, 6 May 2023 17:10:36 -0700
+Subject: xtensa: add __bswap{si,di}2 helpers
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit 034f4a7877c32a8efd6beee4d71ed14e424499a9 upstream.
+
+gcc-13 may generate calls for __bswap{si,di}2. This breaks the kernel
+build when optimization for size is selected. Add __bswap{si,di}2
+helpers to fix that.
+
+Cc: stable@vger.kernel.org
+Fixes: 19c5699f9aff ("xtensa: don't link with libgcc")
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/xtensa/kernel/xtensa_ksyms.c | 4 ++++
+ arch/xtensa/lib/Makefile | 2 +-
+ arch/xtensa/lib/bswapdi2.S | 21 +++++++++++++++++++++
+ arch/xtensa/lib/bswapsi2.S | 16 ++++++++++++++++
+ 4 files changed, 42 insertions(+), 1 deletion(-)
+ create mode 100644 arch/xtensa/lib/bswapdi2.S
+ create mode 100644 arch/xtensa/lib/bswapsi2.S
+
+--- a/arch/xtensa/kernel/xtensa_ksyms.c
++++ b/arch/xtensa/kernel/xtensa_ksyms.c
+@@ -56,6 +56,8 @@ EXPORT_SYMBOL(empty_zero_page);
+ */
+ extern long long __ashrdi3(long long, int);
+ extern long long __ashldi3(long long, int);
++extern long long __bswapdi2(long long);
++extern int __bswapsi2(int);
+ extern long long __lshrdi3(long long, int);
+ extern int __divsi3(int, int);
+ extern int __modsi3(int, int);
+@@ -66,6 +68,8 @@ extern unsigned long long __umulsidi3(un
+
+ EXPORT_SYMBOL(__ashldi3);
+ EXPORT_SYMBOL(__ashrdi3);
++EXPORT_SYMBOL(__bswapdi2);
++EXPORT_SYMBOL(__bswapsi2);
+ EXPORT_SYMBOL(__lshrdi3);
+ EXPORT_SYMBOL(__divsi3);
+ EXPORT_SYMBOL(__modsi3);
+--- a/arch/xtensa/lib/Makefile
++++ b/arch/xtensa/lib/Makefile
+@@ -4,7 +4,7 @@
+ #
+
+ lib-y += memcopy.o memset.o checksum.o \
+- ashldi3.o ashrdi3.o lshrdi3.o \
++ ashldi3.o ashrdi3.o bswapdi2.o bswapsi2.o lshrdi3.o \
+ divsi3.o udivsi3.o modsi3.o umodsi3.o mulsi3.o umulsidi3.o \
+ usercopy.o strncpy_user.o strnlen_user.o
+ lib-$(CONFIG_PCI) += pci-auto.o
+--- /dev/null
++++ b/arch/xtensa/lib/bswapdi2.S
+@@ -0,0 +1,21 @@
++/* SPDX-License-Identifier: GPL-2.0-or-later WITH GCC-exception-2.0 */
++#include <linux/linkage.h>
++#include <asm/asmmacro.h>
++#include <asm/core.h>
++
++ENTRY(__bswapdi2)
++
++ abi_entry_default
++ ssai 8
++ srli a4, a2, 16
++ src a4, a4, a2
++ src a4, a4, a4
++ src a4, a2, a4
++ srli a2, a3, 16
++ src a2, a2, a3
++ src a2, a2, a2
++ src a2, a3, a2
++ mov a3, a4
++ abi_ret_default
++
++ENDPROC(__bswapdi2)
+--- /dev/null
++++ b/arch/xtensa/lib/bswapsi2.S
+@@ -0,0 +1,16 @@
++/* SPDX-License-Identifier: GPL-2.0-or-later WITH GCC-exception-2.0 */
++#include <linux/linkage.h>
++#include <asm/asmmacro.h>
++#include <asm/core.h>
++
++ENTRY(__bswapsi2)
++
++ abi_entry_default
++ ssai 8
++ srli a3, a2, 16
++ src a3, a3, a2
++ src a3, a3, a3
++ src a2, a2, a3
++ abi_ret_default
++
++ENDPROC(__bswapsi2)
--- /dev/null
+From 9c2cc74fb31ec76b8b118c97041a6a154a3ff219 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Tue, 2 May 2023 03:20:47 -0700
+Subject: xtensa: fix signal delivery to FDPIC process
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit 9c2cc74fb31ec76b8b118c97041a6a154a3ff219 upstream.
+
+Fetch function descriptor pointed to by the signal handler pointer from
+userspace on signal delivery and function pointer pointed to by the
+sa_restorer on return from the signal handler.
+
+Cc: stable@vger.kernel.org
+Fixes: e3ddb8bbe0f8 ("xtensa: add FDPIC and static PIE support for noMMU")
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/xtensa/kernel/signal.c | 35 +++++++++++++++++++++++++++--------
+ 1 file changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/arch/xtensa/kernel/signal.c b/arch/xtensa/kernel/signal.c
+index 876d5df157ed..5c01d7e70d90 100644
+--- a/arch/xtensa/kernel/signal.c
++++ b/arch/xtensa/kernel/signal.c
+@@ -343,7 +343,19 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
+ struct rt_sigframe *frame;
+ int err = 0, sig = ksig->sig;
+ unsigned long sp, ra, tp, ps;
++ unsigned long handler = (unsigned long)ksig->ka.sa.sa_handler;
++ unsigned long handler_fdpic_GOT = 0;
+ unsigned int base;
++ bool fdpic = IS_ENABLED(CONFIG_BINFMT_ELF_FDPIC) &&
++ (current->personality & FDPIC_FUNCPTRS);
++
++ if (fdpic) {
++ unsigned long __user *fdpic_func_desc =
++ (unsigned long __user *)handler;
++ if (__get_user(handler, &fdpic_func_desc[0]) ||
++ __get_user(handler_fdpic_GOT, &fdpic_func_desc[1]))
++ return -EFAULT;
++ }
+
+ sp = regs->areg[1];
+
+@@ -373,20 +385,26 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
+ err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
+
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
+- ra = (unsigned long)ksig->ka.sa.sa_restorer;
++ if (fdpic) {
++ unsigned long __user *fdpic_func_desc =
++ (unsigned long __user *)ksig->ka.sa.sa_restorer;
++
++ err |= __get_user(ra, fdpic_func_desc);
++ } else {
++ ra = (unsigned long)ksig->ka.sa.sa_restorer;
++ }
+ } else {
+
+ /* Create sys_rt_sigreturn syscall in stack frame */
+
+ err |= gen_return_code(frame->retcode);
+-
+- if (err) {
+- return -EFAULT;
+- }
+ ra = (unsigned long) frame->retcode;
+ }
+
+- /*
++ if (err)
++ return -EFAULT;
++
++ /*
+ * Create signal handler execution context.
+ * Return context not modified until this point.
+ */
+@@ -394,8 +412,7 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
+ /* Set up registers for signal handler; preserve the threadptr */
+ tp = regs->threadptr;
+ ps = regs->ps;
+- start_thread(regs, (unsigned long) ksig->ka.sa.sa_handler,
+- (unsigned long) frame);
++ start_thread(regs, handler, (unsigned long)frame);
+
+ /* Set up a stack frame for a call4 if userspace uses windowed ABI */
+ if (ps & PS_WOE_MASK) {
+@@ -413,6 +430,8 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
+ regs->areg[base + 4] = (unsigned long) &frame->uc;
+ regs->threadptr = tp;
+ regs->ps = ps;
++ if (fdpic)
++ regs->areg[base + 11] = handler_fdpic_GOT;
+
+ pr_debug("SIG rt deliver (%s:%d): signal=%d sp=%p pc=%08lx\n",
+ current->comm, current->pid, sig, frame, regs->pc);
+--
+2.40.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
