--- /dev/null
+From 977a3009547dad4a5bc95d91be4a58c9f7eedac0 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 6 Jan 2023 19:25:59 -0500
+Subject: alpha: fix FEN fault handling
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 977a3009547dad4a5bc95d91be4a58c9f7eedac0 upstream.
+
+Type 3 instruction fault (FPU insn with FPU disabled) is handled
+by quietly enabling FPU and returning. Which is fine, except that
+we need to do that both for fault in userland and in the kernel;
+the latter *can* legitimately happen - all it takes is this:
+
+.global _start
+_start:
+ call_pal 0xae
+ lda $0, 0
+ ldq $0, 0($0)
+
+- call_pal CLRFEN to clear "FPU enabled" flag and arrange for
+a signal delivery (SIGSEGV in this case).
+
+Fixed by moving the handling of type 3 into the common part of
+do_entIF(), before we check for kernel vs. user mode.
+
+Incidentally, the check for kernel mode is unidiomatic; the normal
+way to do that is !user_mode(regs). The difference is that
+the open-coded variant treats any of bits 63..3 of regs->ps being
+set as "it's user mode" while the normal approach is to check just
+the bit 3. PS is a 4-bit register and regs->ps always will have
+bits 63..4 clear, so the open-coded variant here is actually equivalent
+to !user_mode(regs). Harder to follow, though...
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/alpha/kernel/traps.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+--- a/arch/alpha/kernel/traps.c
++++ b/arch/alpha/kernel/traps.c
+@@ -233,7 +233,21 @@ do_entIF(unsigned long type, struct pt_r
+ {
+ int signo, code;
+
+- if ((regs->ps & ~IPL_MAX) == 0) {
++ if (type == 3) { /* FEN fault */
++ /* Irritating users can call PAL_clrfen to disable the
++ FPU for the process. The kernel will then trap in
++ do_switch_stack and undo_switch_stack when we try
++ to save and restore the FP registers.
++
++ Given that GCC by default generates code that uses the
++ FP registers, PAL_clrfen is not useful except for DoS
++ attacks. So turn the bleeding FPU back on and be done
++ with it. */
++ current_thread_info()->pcb.flags |= 1;
++ __reload_thread(¤t_thread_info()->pcb);
++ return;
++ }
++ if (!user_mode(regs)) {
+ if (type == 1) {
+ const unsigned int *data
+ = (const unsigned int *) regs->pc;
+@@ -366,20 +380,6 @@ do_entIF(unsigned long type, struct pt_r
+ }
+ break;
+
+- case 3: /* FEN fault */
+- /* Irritating users can call PAL_clrfen to disable the
+- FPU for the process. The kernel will then trap in
+- do_switch_stack and undo_switch_stack when we try
+- to save and restore the FP registers.
+-
+- Given that GCC by default generates code that uses the
+- FP registers, PAL_clrfen is not useful except for DoS
+- attacks. So turn the bleeding FPU back on and be done
+- with it. */
+- current_thread_info()->pcb.flags |= 1;
+- __reload_thread(¤t_thread_info()->pcb);
+- return;
+-
+ case 5: /* illoc */
+ default: /* unexpected instruction-fault type */
+ ;
--- /dev/null
+From ea24b9953bcd3889f77a66e7f1d7e86e995dd9c3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=81ukasz=20Stelmach?= <l.stelmach@samsung.com>
+Date: Thu, 23 Feb 2023 08:47:48 +0100
+Subject: ALSA: hda/realtek: Add quirk for HP EliteDesk 800 G6 Tower PC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Łukasz Stelmach <l.stelmach@samsung.com>
+
+commit ea24b9953bcd3889f77a66e7f1d7e86e995dd9c3 upstream.
+
+HP EliteDesk 800 G6 Tower PC (103c:870c) requires a quirk for enabling
+headset-mic.
+
+Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
+Cc: <stable@vger.kernel.org>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217008
+Link: https://lore.kernel.org/r/20230223074749.1026060-1-l.stelmach@samsung.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11617,6 +11617,7 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x1028, 0x0698, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x069f, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
++ SND_PCI_QUIRK(0x103c, 0x870c, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
+ SND_PCI_QUIRK(0x103c, 0x8719, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
+ SND_PCI_QUIRK(0x103c, 0x873e, "HP", ALC671_FIXUP_HP_HEADSET_MIC2),
+ SND_PCI_QUIRK(0x103c, 0x877e, "HP 288 Pro G6", ALC671_FIXUP_HP_HEADSET_MIC2),
--- /dev/null
+From 951606a14a8901e3551fe4d8d3cedd73fe954ce1 Mon Sep 17 00:00:00 2001
+From: Dmitry Fomin <fomindmitriyfoma@mail.ru>
+Date: Sat, 25 Feb 2023 21:43:21 +0300
+Subject: ALSA: ice1712: Do not left ice->gpio_mutex locked in aureon_add_controls()
+
+From: Dmitry Fomin <fomindmitriyfoma@mail.ru>
+
+commit 951606a14a8901e3551fe4d8d3cedd73fe954ce1 upstream.
+
+If snd_ctl_add() fails in aureon_add_controls(), it immediately returns
+and leaves ice->gpio_mutex locked. ice->gpio_mutex locks in
+snd_ice1712_save_gpio_status and unlocks in
+snd_ice1712_restore_gpio_status(ice).
+
+It seems that the mutex is required only for aureon_cs8415_get(),
+so snd_ice1712_restore_gpio_status(ice) can be placed
+just after that. Compile tested only.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Dmitry Fomin <fomindmitriyfoma@mail.ru>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230225184322.6286-1-fomindmitriyfoma@mail.ru
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/ice1712/aureon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/ice1712/aureon.c
++++ b/sound/pci/ice1712/aureon.c
+@@ -1892,6 +1892,7 @@ static int aureon_add_controls(struct sn
+ unsigned char id;
+ snd_ice1712_save_gpio_status(ice);
+ id = aureon_cs8415_get(ice, CS8415_ID);
++ snd_ice1712_restore_gpio_status(ice);
+ if (id != 0x41)
+ dev_info(ice->card->dev,
+ "No CS8415 chip. Skipping CS8415 controls.\n");
+@@ -1909,7 +1910,6 @@ static int aureon_add_controls(struct sn
+ kctl->id.device = ice->pcm->device;
+ }
+ }
+- snd_ice1712_restore_gpio_status(ice);
+ }
+
+ return 0;
--- /dev/null
+From 8e4505e617a80f601e2f53a917611777f128f925 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Thu, 9 Feb 2023 11:58:36 +0100
+Subject: ARM: dts: exynos: correct TMU phandle in Exynos4
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 8e4505e617a80f601e2f53a917611777f128f925 upstream.
+
+TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing
+it must not have an argument to phandle.
+
+Fixes: 328829a6ad70 ("ARM: dts: define default thermal-zones for exynos4")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230209105841.779596-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/exynos4-cpu-thermal.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/exynos4-cpu-thermal.dtsi
++++ b/arch/arm/boot/dts/exynos4-cpu-thermal.dtsi
+@@ -10,7 +10,7 @@
+ / {
+ thermal-zones {
+ cpu_thermal: cpu-thermal {
+- thermal-sensors = <&tmu 0>;
++ thermal-sensors = <&tmu>;
+ polling-delay-passive = <0>;
+ polling-delay = <0>;
+ trips {
--- /dev/null
+From 408ab6786dbf6dd696488054c9559681112ef994 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Thu, 9 Feb 2023 11:58:37 +0100
+Subject: ARM: dts: exynos: correct TMU phandle in Exynos4210
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 408ab6786dbf6dd696488054c9559681112ef994 upstream.
+
+TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing
+it must not have an argument to phandle. Since thermal-sensors property is
+already defined in included exynos4-cpu-thermal.dtsi, drop it from
+exynos4210.dtsi to fix the error and remoev redundancy.
+
+Fixes: 9843a2236003 ("ARM: dts: Provide dt bindings identical for Exynos TMU")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230209105841.779596-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/exynos4210.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/arm/boot/dts/exynos4210.dtsi
++++ b/arch/arm/boot/dts/exynos4210.dtsi
+@@ -393,7 +393,6 @@
+ &cpu_thermal {
+ polling-delay-passive = <0>;
+ polling-delay = <0>;
+- thermal-sensors = <&tmu 0>;
+ };
+
+ &gic {
--- /dev/null
+From 33e2c595e2e4016991ead44933a29d1ef93d5f26 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Thu, 9 Feb 2023 11:58:38 +0100
+Subject: ARM: dts: exynos: correct TMU phandle in Exynos5250
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 33e2c595e2e4016991ead44933a29d1ef93d5f26 upstream.
+
+TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing
+it must not have an argument to phandle.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 9843a2236003 ("ARM: dts: Provide dt bindings identical for Exynos TMU")
+Link: https://lore.kernel.org/r/20230209105841.779596-3-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/exynos5250.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/exynos5250.dtsi
++++ b/arch/arm/boot/dts/exynos5250.dtsi
+@@ -1107,7 +1107,7 @@
+ &cpu_thermal {
+ polling-delay-passive = <0>;
+ polling-delay = <0>;
+- thermal-sensors = <&tmu 0>;
++ thermal-sensors = <&tmu>;
+
+ cooling-maps {
+ map0 {
--- /dev/null
+From 2e3d0e20d8456f876607a8af61fdb83dfbf98cb6 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Thu, 9 Feb 2023 11:58:40 +0100
+Subject: ARM: dts: exynos: correct TMU phandle in Odroid HC1
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 2e3d0e20d8456f876607a8af61fdb83dfbf98cb6 upstream.
+
+TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing
+it must not have an argument to phandle. This was not critical before,
+but since rework of thermal Devicetree initialization in the
+commit 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree
+initialization"), this leads to errors registering thermal zones other
+than first one:
+
+ thermal_sys: cpu0-thermal: Failed to read thermal-sensors cells: -2
+ thermal_sys: Failed to find thermal zone for tmu id=0
+ exynos-tmu 10064000.tmu: Failed to register sensor: -2
+ exynos-tmu: probe of 10064000.tmu failed with error -2
+
+Fixes: 1ac49427b566 ("ARM: dts: exynos: Add support for Hardkernel's Odroid HC1 board")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230209105841.779596-5-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/exynos5422-odroidhc1.dts | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/boot/dts/exynos5422-odroidhc1.dts
++++ b/arch/arm/boot/dts/exynos5422-odroidhc1.dts
+@@ -31,7 +31,7 @@
+
+ thermal-zones {
+ cpu0_thermal: cpu0-thermal {
+- thermal-sensors = <&tmu_cpu0 0>;
++ thermal-sensors = <&tmu_cpu0>;
+ trips {
+ cpu0_alert0: cpu-alert-0 {
+ temperature = <70000>; /* millicelsius */
+@@ -86,7 +86,7 @@
+ };
+ };
+ cpu1_thermal: cpu1-thermal {
+- thermal-sensors = <&tmu_cpu1 0>;
++ thermal-sensors = <&tmu_cpu1>;
+ trips {
+ cpu1_alert0: cpu-alert-0 {
+ temperature = <70000>;
+@@ -130,7 +130,7 @@
+ };
+ };
+ cpu2_thermal: cpu2-thermal {
+- thermal-sensors = <&tmu_cpu2 0>;
++ thermal-sensors = <&tmu_cpu2>;
+ trips {
+ cpu2_alert0: cpu-alert-0 {
+ temperature = <70000>;
+@@ -174,7 +174,7 @@
+ };
+ };
+ cpu3_thermal: cpu3-thermal {
+- thermal-sensors = <&tmu_cpu3 0>;
++ thermal-sensors = <&tmu_cpu3>;
+ trips {
+ cpu3_alert0: cpu-alert-0 {
+ temperature = <70000>;
+@@ -218,7 +218,7 @@
+ };
+ };
+ gpu_thermal: gpu-thermal {
+- thermal-sensors = <&tmu_gpu 0>;
++ thermal-sensors = <&tmu_gpu>;
+ trips {
+ gpu_alert0: gpu-alert-0 {
+ temperature = <70000>;
--- /dev/null
+From 9372eca505e7a19934d750b4b4c89a3652738e66 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Thu, 9 Feb 2023 11:58:39 +0100
+Subject: ARM: dts: exynos: correct TMU phandle in Odroid XU
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 9372eca505e7a19934d750b4b4c89a3652738e66 upstream.
+
+TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing
+it must not have an argument to phandle. Since thermal-sensors property
+is already defined in included exynosi5410.dtsi, drop it from
+exynos5410-odroidxu.dts to fix the error and remoev redundancy.
+
+Fixes: 88644b4c750b ("ARM: dts: exynos: Configure PWM, usb3503, PMIC and thermal on Odroid XU board")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230209105841.779596-4-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/exynos5410-odroidxu.dts | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/arm/boot/dts/exynos5410-odroidxu.dts
++++ b/arch/arm/boot/dts/exynos5410-odroidxu.dts
+@@ -120,7 +120,6 @@
+ };
+
+ &cpu0_thermal {
+- thermal-sensors = <&tmu_cpu0 0>;
+ polling-delay-passive = <0>;
+ polling-delay = <0>;
+
--- /dev/null
+From a3583e92d188ec6c58c7f603ac5e72dd8a11c21a Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Thu, 9 Feb 2023 11:58:41 +0100
+Subject: ARM: dts: exynos: correct TMU phandle in Odroid XU3 family
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit a3583e92d188ec6c58c7f603ac5e72dd8a11c21a upstream.
+
+TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing
+it must not have an argument to phandle. This was not critical before,
+but since rework of thermal Devicetree initialization in the
+commit 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree
+initialization"), this leads to errors registering thermal zones other
+than first one:
+
+ thermal_sys: cpu0-thermal: Failed to read thermal-sensors cells: -2
+ thermal_sys: Failed to find thermal zone for tmu id=0
+ exynos-tmu 10064000.tmu: Failed to register sensor: -2
+ exynos-tmu: probe of 10064000.tmu failed with error -2
+
+Fixes: f1722d7dd8b8 ("ARM: dts: Define default thermal-zones for exynos5422")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230209105841.779596-6-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/exynos5422-odroidxu3-common.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/boot/dts/exynos5422-odroidxu3-common.dtsi
++++ b/arch/arm/boot/dts/exynos5422-odroidxu3-common.dtsi
+@@ -50,7 +50,7 @@
+
+ thermal-zones {
+ cpu0_thermal: cpu0-thermal {
+- thermal-sensors = <&tmu_cpu0 0>;
++ thermal-sensors = <&tmu_cpu0>;
+ polling-delay-passive = <250>;
+ polling-delay = <0>;
+ trips {
+@@ -139,7 +139,7 @@
+ };
+ };
+ cpu1_thermal: cpu1-thermal {
+- thermal-sensors = <&tmu_cpu1 0>;
++ thermal-sensors = <&tmu_cpu1>;
+ polling-delay-passive = <250>;
+ polling-delay = <0>;
+ trips {
+@@ -212,7 +212,7 @@
+ };
+ };
+ cpu2_thermal: cpu2-thermal {
+- thermal-sensors = <&tmu_cpu2 0>;
++ thermal-sensors = <&tmu_cpu2>;
+ polling-delay-passive = <250>;
+ polling-delay = <0>;
+ trips {
+@@ -285,7 +285,7 @@
+ };
+ };
+ cpu3_thermal: cpu3-thermal {
+- thermal-sensors = <&tmu_cpu3 0>;
++ thermal-sensors = <&tmu_cpu3>;
+ polling-delay-passive = <250>;
+ polling-delay = <0>;
+ trips {
+@@ -358,7 +358,7 @@
+ };
+ };
+ gpu_thermal: gpu-thermal {
+- thermal-sensors = <&tmu_gpu 0>;
++ thermal-sensors = <&tmu_gpu>;
+ polling-delay-passive = <250>;
+ polling-delay = <0>;
+ trips {
--- /dev/null
+From af4ab377543853b690cc85b4c46cf976ab560dc2 Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Date: Mon, 23 Jan 2023 18:49:30 +0530
+Subject: ARM: dts: qcom: sdx55: Add Qcom SMMU-500 as the fallback for IOMMU node
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+commit af4ab377543853b690cc85b4c46cf976ab560dc2 upstream.
+
+SDX55 uses the Qcom version of the SMMU-500 IP. So use "qcom,smmu-500"
+compatible as the fallback to the SoC specific compatible.
+
+Cc: <stable@vger.kernel.org> # 5.12
+Fixes: a2bdfdfba2af ("ARM: dts: qcom: sdx55: Enable ARM SMMU")
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20230123131931.263024-3-manivannan.sadhasivam@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/qcom-sdx55.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/qcom-sdx55.dtsi
++++ b/arch/arm/boot/dts/qcom-sdx55.dtsi
+@@ -577,7 +577,7 @@
+ };
+
+ apps_smmu: iommu@15000000 {
+- compatible = "qcom,sdx55-smmu-500", "arm,mmu-500";
++ compatible = "qcom,sdx55-smmu-500", "qcom,smmu-500", "arm,mmu-500";
+ reg = <0x15000000 0x20000>;
+ #iommu-cells = <2>;
+ #global-interrupts = <1>;
--- /dev/null
+From 157178a7912e00a0aa0371dc9041952c1a21d112 Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Date: Mon, 23 Jan 2023 18:49:31 +0530
+Subject: ARM: dts: qcom: sdx65: Add Qcom SMMU-500 as the fallback for IOMMU node
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+commit 157178a7912e00a0aa0371dc9041952c1a21d112 upstream.
+
+SDX65 uses the Qcom version of the SMMU-500 IP. So use "qcom,smmu-500"
+compatible as the fallback to the SoC specific compatible.
+
+Cc: <stable@vger.kernel.org> # 5.19
+Fixes: 98187f7b74bf ("ARM: dts: qcom: sdx65: Enable ARM SMMU")
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20230123131931.263024-4-manivannan.sadhasivam@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/qcom-sdx65.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/qcom-sdx65.dtsi
++++ b/arch/arm/boot/dts/qcom-sdx65.dtsi
+@@ -455,7 +455,7 @@
+ };
+
+ apps_smmu: iommu@15000000 {
+- compatible = "qcom,sdx65-smmu-500", "arm,mmu-500";
++ compatible = "qcom,sdx65-smmu-500", "qcom,smmu-500", "arm,mmu-500";
+ reg = <0x15000000 0x40000>;
+ #iommu-cells = <2>;
+ #global-interrupts = <1>;
--- /dev/null
+From 060a2c92d1b627c86c5c42ca69baf00457c00c5a Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Wed, 22 Feb 2023 17:52:32 +0000
+Subject: arm64: mm: hugetlb: Disable HUGETLB_PAGE_OPTIMIZE_VMEMMAP
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+commit 060a2c92d1b627c86c5c42ca69baf00457c00c5a upstream.
+
+Revert the HUGETLB_PAGE_FREE_VMEMMAP selection from commit 1e63ac088f20
+("arm64: mm: hugetlb: enable HUGETLB_PAGE_FREE_VMEMMAP for arm64") but
+keep the flush_dcache_page() compound_head() change as it aligns with
+the corresponding check in the __sync_icache_dcache() function.
+
+The original config option was renamed in commit 47010c040dec ("mm:
+hugetlb_vmemmap: cleanup CONFIG_HUGETLB_PAGE_FREE_VMEMMAP*") to
+HUGETLB_PAGE_OPTIMIZE_VMEMMAP and the flush_dcache_page() check was
+further simplified by commit 2da1c30929a2 ("mm: hugetlb_vmemmap: delete
+hugetlb_optimize_vmemmap_enabled()").
+
+The reason for the revert is that the generic vmemmap_remap_pte()
+function changes both the permissions (writeable to read-only) and the
+output address (pfn) of the vmemmap ptes. This is deemed UNPREDICTABLE
+by the Arm architecture without a break-before-make sequence (make the
+PTE invalid, TLBI, write the new valid PTE). However, such sequence is
+not possible since the vmemmap may be concurrently accessed by the
+kernel. Disable the optimisation until a better solution is found.
+
+Fixes: 1e63ac088f20 ("arm64: mm: hugetlb: enable HUGETLB_PAGE_FREE_VMEMMAP for arm64")
+Cc: <stable@vger.kernel.org> # 5.19.x
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Will Deacon <will@kernel.org>
+Cc: Anshuman Khandual <anshuman.khandual@arm.com>
+Link: https://lore.kernel.org/r/Y9pZALdn3pKiJUeQ@arm.com
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Link: https://lore.kernel.org/r/20230222175232.540851-1-catalin.marinas@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -98,7 +98,6 @@ config ARM64
+ select ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT
+ select ARCH_WANT_FRAME_POINTERS
+ select ARCH_WANT_HUGE_PMD_SHARE if ARM64_4K_PAGES || (ARM64_16K_PAGES && !ARM64_VA_BITS_36)
+- select ARCH_WANT_HUGETLB_PAGE_OPTIMIZE_VMEMMAP
+ select ARCH_WANT_LD_ORPHAN_WARN
+ select ARCH_WANTS_NO_INSTR
+ select ARCH_WANTS_THP_SWAP if ARM64_4K_PAGES
--- /dev/null
+From e5cfefa97bccf956ea0bb6464c1f6c84fd7a8d9f Mon Sep 17 00:00:00 2001
+From: Yu Kuai <yukuai3@huawei.com>
+Date: Fri, 17 Feb 2023 10:22:00 +0800
+Subject: block: fix scan partition for exclusively open device again
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+commit e5cfefa97bccf956ea0bb6464c1f6c84fd7a8d9f upstream.
+
+As explained in commit 36369f46e917 ("block: Do not reread partition table
+on exclusively open device"), reread partition on the device that is
+exclusively opened by someone else is problematic.
+
+This patch will make sure partition scan will only be proceed if current
+thread open the device exclusively, or the device is not opened
+exclusively, and in the later case, other scanners and exclusive openers
+will be blocked temporarily until partition scan is done.
+
+Fixes: 10c70d95c0f2 ("block: remove the bd_openers checks in blk_drop_partitions")
+Cc: <stable@vger.kernel.org>
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20230217022200.3092987-3-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/genhd.c | 30 ++++++++++++++++++++++++++----
+ block/ioctl.c | 3 +--
+ 2 files changed, 27 insertions(+), 6 deletions(-)
+
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -359,6 +359,7 @@ EXPORT_SYMBOL_GPL(disk_uevent);
+ int disk_scan_partitions(struct gendisk *disk, fmode_t mode, void *owner)
+ {
+ struct block_device *bdev;
++ int ret = 0;
+
+ if (disk->flags & (GENHD_FL_NO_PART | GENHD_FL_HIDDEN))
+ return -EINVAL;
+@@ -371,11 +372,27 @@ int disk_scan_partitions(struct gendisk
+ return -EBUSY;
+
+ set_bit(GD_NEED_PART_SCAN, &disk->state);
+- bdev = blkdev_get_by_dev(disk_devt(disk), mode, NULL);
++ /*
++ * If the device is opened exclusively by current thread already, it's
++ * safe to scan partitons, otherwise, use bd_prepare_to_claim() to
++ * synchronize with other exclusive openers and other partition
++ * scanners.
++ */
++ if (!(mode & FMODE_EXCL)) {
++ ret = bd_prepare_to_claim(disk->part0, disk_scan_partitions);
++ if (ret)
++ return ret;
++ }
++
++ bdev = blkdev_get_by_dev(disk_devt(disk), mode & ~FMODE_EXCL, NULL);
+ if (IS_ERR(bdev))
+- return PTR_ERR(bdev);
+- blkdev_put(bdev, mode);
+- return 0;
++ ret = PTR_ERR(bdev);
++ else
++ blkdev_put(bdev, mode);
++
++ if (!(mode & FMODE_EXCL))
++ bd_abort_claiming(disk->part0, disk_scan_partitions);
++ return ret;
+ }
+
+ /**
+@@ -501,6 +518,11 @@ int __must_check device_add_disk(struct
+ if (ret)
+ goto out_unregister_bdi;
+
++ /* Make sure the first partition scan will be proceed */
++ if (get_capacity(disk) && !(disk->flags & GENHD_FL_NO_PART) &&
++ !test_bit(GD_SUPPRESS_PART_SCAN, &disk->state))
++ set_bit(GD_NEED_PART_SCAN, &disk->state);
++
+ bdev_add(disk->part0, ddev->devt);
+ if (get_capacity(disk))
+ disk_scan_partitions(disk, FMODE_READ, NULL);
+--- a/block/ioctl.c
++++ b/block/ioctl.c
+@@ -528,8 +528,7 @@ static int blkdev_common_ioctl(struct fi
+ return -EACCES;
+ if (bdev_is_partition(bdev))
+ return -EINVAL;
+- return disk_scan_partitions(bdev->bd_disk, mode & ~FMODE_EXCL,
+- file);
++ return disk_scan_partitions(bdev->bd_disk, mode, file);
+ case BLKTRACESTART:
+ case BLKTRACESTOP:
+ case BLKTRACETEARDOWN:
--- /dev/null
+From e027253c4b77d395798600a90b6a96fe4adf4d5e Mon Sep 17 00:00:00 2001
+From: Xiubo Li <xiubli@redhat.com>
+Date: Mon, 13 Feb 2023 13:56:20 +0800
+Subject: ceph: update the time stamps and try to drop the suid/sgid
+
+From: Xiubo Li <xiubli@redhat.com>
+
+commit e027253c4b77d395798600a90b6a96fe4adf4d5e upstream.
+
+The fallocate will try to clear the suid/sgid if a unprevileged user
+changed the file.
+
+There is no POSIX item requires that we should clear the suid/sgid
+in fallocate code path but this is the default behaviour for most of
+the filesystems and the VFS layer. And also the same for the write
+code path, which have already support it.
+
+And also we need to update the time stamps since the fallocate will
+change the file contents.
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/58054
+Signed-off-by: Xiubo Li <xiubli@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/file.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -2095,6 +2095,9 @@ static long ceph_fallocate(struct file *
+ loff_t endoff = 0;
+ loff_t size;
+
++ dout("%s %p %llx.%llx mode %x, offset %llu length %llu\n", __func__,
++ inode, ceph_vinop(inode), mode, offset, length);
++
+ if (mode != (FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE))
+ return -EOPNOTSUPP;
+
+@@ -2129,6 +2132,10 @@ static long ceph_fallocate(struct file *
+ if (ret < 0)
+ goto unlock;
+
++ ret = file_modified(file);
++ if (ret)
++ goto put_caps;
++
+ filemap_invalidate_lock(inode->i_mapping);
+ ceph_fscache_invalidate(inode, false);
+ ceph_zero_pagecache_range(inode, offset, length);
+@@ -2144,6 +2151,7 @@ static long ceph_fallocate(struct file *
+ }
+ filemap_invalidate_unlock(inode->i_mapping);
+
++put_caps:
+ ceph_put_cap_refs(ci, got);
+ unlock:
+ inode_unlock(inode);
--- /dev/null
+From 7787943a3a8ade6594a68db28c166adbb1d3708c Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 6 Feb 2023 20:33:06 +0100
+Subject: cpuidle: add ARCH_SUSPEND_POSSIBLE dependencies
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 7787943a3a8ade6594a68db28c166adbb1d3708c upstream.
+
+Some ARMv4 processors don't support suspend, which leads
+to a build failure with the tegra and qualcomm cpuidle driver:
+
+WARNING: unmet direct dependencies detected for ARM_CPU_SUSPEND
+ Depends on [n]: ARCH_SUSPEND_POSSIBLE [=n]
+ Selected by [y]:
+ - ARM_TEGRA_CPUIDLE [=y] && CPU_IDLE [=y] && (ARM [=y] || ARM64) && (ARCH_TEGRA [=n] || COMPILE_TEST [=y]) && !ARM64 && MMU [=y]
+
+arch/arm/kernel/sleep.o: in function `__cpu_suspend':
+(.text+0x68): undefined reference to `cpu_sa110_suspend_size'
+(.text+0x68): undefined reference to `cpu_fa526_suspend_size'
+
+Add an explicit dependency to make randconfig builds avoid
+this combination.
+
+Fixes: faae6c9f2e68 ("cpuidle: tegra: Enable compile testing")
+Fixes: a871be6b8eee ("cpuidle: Convert Qualcomm SPM driver to a generic CPUidle driver")
+Link: https://lore.kernel.org/all/20211013160125.772873-1-arnd@kernel.org/
+Cc: All applicable <stable@vger.kernel.org>
+Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpuidle/Kconfig.arm | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/cpuidle/Kconfig.arm
++++ b/drivers/cpuidle/Kconfig.arm
+@@ -102,6 +102,7 @@ config ARM_MVEBU_V7_CPUIDLE
+ config ARM_TEGRA_CPUIDLE
+ bool "CPU Idle Driver for NVIDIA Tegra SoCs"
+ depends on (ARCH_TEGRA || COMPILE_TEST) && !ARM64 && MMU
++ depends on ARCH_SUSPEND_POSSIBLE
+ select ARCH_NEEDS_CPU_IDLE_COUPLED if SMP
+ select ARM_CPU_SUSPEND
+ help
+@@ -110,6 +111,7 @@ config ARM_TEGRA_CPUIDLE
+ config ARM_QCOM_SPM_CPUIDLE
+ bool "CPU Idle Driver for Qualcomm Subsystem Power Manager (SPM)"
+ depends on (ARCH_QCOM || COMPILE_TEST) && !ARM64 && MMU
++ depends on ARCH_SUSPEND_POSSIBLE
+ select ARM_CPU_SUSPEND
+ select CPU_IDLE_MULTIPLE_DRIVERS
+ select DT_IDLE_STATES
--- /dev/null
+From f57aec443c24d2e8e1f3b5b4856aea12ddda4254 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Mon, 13 Feb 2023 17:01:05 -0800
+Subject: cxl/pmem: Fix nvdimm registration races
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit f57aec443c24d2e8e1f3b5b4856aea12ddda4254 upstream.
+
+A loop of the form:
+
+ while true; do modprobe cxl_pci; modprobe -r cxl_pci; done
+
+...fails with the following crash signature:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000040
+ [..]
+ RIP: 0010:cxl_internal_send_cmd+0x5/0xb0 [cxl_core]
+ [..]
+ Call Trace:
+ <TASK>
+ cxl_pmem_ctl+0x121/0x240 [cxl_pmem]
+ nvdimm_get_config_data+0xd6/0x1a0 [libnvdimm]
+ nd_label_data_init+0x135/0x7e0 [libnvdimm]
+ nvdimm_probe+0xd6/0x1c0 [libnvdimm]
+ nvdimm_bus_probe+0x7a/0x1e0 [libnvdimm]
+ really_probe+0xde/0x380
+ __driver_probe_device+0x78/0x170
+ driver_probe_device+0x1f/0x90
+ __device_attach_driver+0x85/0x110
+ bus_for_each_drv+0x7d/0xc0
+ __device_attach+0xb4/0x1e0
+ bus_probe_device+0x9f/0xc0
+ device_add+0x445/0x9c0
+ nd_async_device_register+0xe/0x40 [libnvdimm]
+ async_run_entry_fn+0x30/0x130
+
+...namely that the bottom half of async nvdimm device registration runs
+after the CXL has already torn down the context that cxl_pmem_ctl()
+needs. Unlike the ACPI NFIT case that benefits from launching multiple
+nvdimm device registrations in parallel from those listed in the table,
+CXL is already marked PROBE_PREFER_ASYNCHRONOUS. So provide for a
+synchronous registration path to preclude this scenario.
+
+Fixes: 21083f51521f ("cxl/pmem: Register 'pmem' / cxl_nvdimm devices")
+Cc: <stable@vger.kernel.org>
+Reported-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cxl/pmem.c | 1 +
+ drivers/nvdimm/bus.c | 19 ++++++++++++++++---
+ drivers/nvdimm/dimm_devs.c | 5 ++++-
+ drivers/nvdimm/nd-core.h | 1 +
+ include/linux/libnvdimm.h | 3 +++
+ 5 files changed, 25 insertions(+), 4 deletions(-)
+
+--- a/drivers/cxl/pmem.c
++++ b/drivers/cxl/pmem.c
+@@ -75,6 +75,7 @@ static int cxl_nvdimm_probe(struct devic
+ goto out;
+
+ set_bit(NDD_LABELING, &flags);
++ set_bit(NDD_REGISTER_SYNC, &flags);
+ set_bit(ND_CMD_GET_CONFIG_SIZE, &cmd_mask);
+ set_bit(ND_CMD_GET_CONFIG_DATA, &cmd_mask);
+ set_bit(ND_CMD_SET_CONFIG_DATA, &cmd_mask);
+--- a/drivers/nvdimm/bus.c
++++ b/drivers/nvdimm/bus.c
+@@ -508,7 +508,7 @@ static void nd_async_device_unregister(v
+ put_device(dev);
+ }
+
+-void nd_device_register(struct device *dev)
++static void __nd_device_register(struct device *dev, bool sync)
+ {
+ if (!dev)
+ return;
+@@ -531,11 +531,24 @@ void nd_device_register(struct device *d
+ }
+ get_device(dev);
+
+- async_schedule_dev_domain(nd_async_device_register, dev,
+- &nd_async_domain);
++ if (sync)
++ nd_async_device_register(dev, 0);
++ else
++ async_schedule_dev_domain(nd_async_device_register, dev,
++ &nd_async_domain);
++}
++
++void nd_device_register(struct device *dev)
++{
++ __nd_device_register(dev, false);
+ }
+ EXPORT_SYMBOL(nd_device_register);
+
++void nd_device_register_sync(struct device *dev)
++{
++ __nd_device_register(dev, true);
++}
++
+ void nd_device_unregister(struct device *dev, enum nd_async_mode mode)
+ {
+ bool killed;
+--- a/drivers/nvdimm/dimm_devs.c
++++ b/drivers/nvdimm/dimm_devs.c
+@@ -617,7 +617,10 @@ struct nvdimm *__nvdimm_create(struct nv
+ nvdimm->sec.ext_flags = nvdimm_security_flags(nvdimm, NVDIMM_MASTER);
+ device_initialize(dev);
+ lockdep_set_class(&dev->mutex, &nvdimm_key);
+- nd_device_register(dev);
++ if (test_bit(NDD_REGISTER_SYNC, &flags))
++ nd_device_register_sync(dev);
++ else
++ nd_device_register(dev);
+
+ return nvdimm;
+ }
+--- a/drivers/nvdimm/nd-core.h
++++ b/drivers/nvdimm/nd-core.h
+@@ -107,6 +107,7 @@ int nvdimm_bus_create_ndctl(struct nvdim
+ void nvdimm_bus_destroy_ndctl(struct nvdimm_bus *nvdimm_bus);
+ void nd_synchronize(void);
+ void nd_device_register(struct device *dev);
++void nd_device_register_sync(struct device *dev);
+ struct nd_label_id;
+ char *nd_label_gen_id(struct nd_label_id *label_id, const uuid_t *uuid,
+ u32 flags);
+--- a/include/linux/libnvdimm.h
++++ b/include/linux/libnvdimm.h
+@@ -36,6 +36,9 @@ enum {
+ /* dimm supports namespace labels */
+ NDD_LABELING = 6,
+
++ /* dimm provider wants synchronous registration by __nvdimm_create() */
++ NDD_REGISTER_SYNC = 8,
++
+ /* need to set a limit somewhere, but yes, this is likely overkill */
+ ND_IOCTL_MAX_BUFLEN = SZ_4M,
+ ND_CMD_MAX_ELEM = 5,
--- /dev/null
+From e686c32590f40bffc45f105c04c836ffad3e531a Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Thu, 16 Feb 2023 00:36:02 -0800
+Subject: dax/kmem: Fix leak of memory-hotplug resources
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit e686c32590f40bffc45f105c04c836ffad3e531a upstream.
+
+While experimenting with CXL region removal the following corruption of
+/proc/iomem appeared.
+
+Before:
+f010000000-f04fffffff : CXL Window 0
+ f010000000-f02fffffff : region4
+ f010000000-f02fffffff : dax4.0
+ f010000000-f02fffffff : System RAM (kmem)
+
+After (modprobe -r cxl_test):
+f010000000-f02fffffff : **redacted binary garbage**
+ f010000000-f02fffffff : System RAM (kmem)
+
+...and testing further the same is visible with persistent memory
+assigned to kmem:
+
+Before:
+480000000-243fffffff : Persistent Memory
+ 480000000-57e1fffff : namespace3.0
+ 580000000-243fffffff : dax3.0
+ 580000000-243fffffff : System RAM (kmem)
+
+After (ndctl disable-region all):
+480000000-243fffffff : Persistent Memory
+ 580000000-243fffffff : ***redacted binary garbage***
+ 580000000-243fffffff : System RAM (kmem)
+
+The corrupted data is from a use-after-free of the "dax4.0" and "dax3.0"
+resources, and it also shows that the "System RAM (kmem)" resource is
+not being removed. The bug does not appear after "modprobe -r kmem", it
+requires the parent of "dax4.0" and "dax3.0" to be removed which
+re-parents the leaked "System RAM (kmem)" instances. Those in turn
+reference the freed resource as a parent.
+
+First up for the fix is release_mem_region_adjustable() needs to
+reliably delete the resource inserted by add_memory_driver_managed().
+That is thwarted by a check for IORESOURCE_SYSRAM that predates the
+dax/kmem driver, from commit:
+
+65c78784135f ("kernel, resource: check for IORESOURCE_SYSRAM in release_mem_region_adjustable")
+
+That appears to be working around the behavior of HMM's
+"MEMORY_DEVICE_PUBLIC" facility that has since been deleted. With that
+check removed the "System RAM (kmem)" resource gets removed, but
+corruption still occurs occasionally because the "dax" resource is not
+reliably removed.
+
+The dax range information is freed before the device is unregistered, so
+the driver can not reliably recall (another use after free) what it is
+meant to release. Lastly if that use after free got lucky, the driver
+was covering up the leak of "System RAM (kmem)" due to its use of
+release_resource() which detaches, but does not free, child resources.
+The switch to remove_resource() forces remove_memory() to be responsible
+for the deletion of the resource added by add_memory_driver_managed().
+
+Fixes: c2f3011ee697 ("device-dax: add an allocation interface for device-dax instances")
+Cc: <stable@vger.kernel.org>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
+Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
+Reviewed-by: Pasha Tatashin <pasha.tatashin@soleen.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Link: https://lore.kernel.org/r/167653656244.3147810.5705900882794040229.stgit@dwillia2-xfh.jf.intel.com
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dax/bus.c | 2 +-
+ drivers/dax/kmem.c | 4 ++--
+ kernel/resource.c | 14 --------------
+ 3 files changed, 3 insertions(+), 17 deletions(-)
+
+--- a/drivers/dax/bus.c
++++ b/drivers/dax/bus.c
+@@ -427,8 +427,8 @@ static void unregister_dev_dax(void *dev
+ dev_dbg(dev, "%s\n", __func__);
+
+ kill_dev_dax(dev_dax);
+- free_dev_dax_ranges(dev_dax);
+ device_del(dev);
++ free_dev_dax_ranges(dev_dax);
+ put_device(dev);
+ }
+
+--- a/drivers/dax/kmem.c
++++ b/drivers/dax/kmem.c
+@@ -146,7 +146,7 @@ static int dev_dax_kmem_probe(struct dev
+ if (rc) {
+ dev_warn(dev, "mapping%d: %#llx-%#llx memory add failed\n",
+ i, range.start, range.end);
+- release_resource(res);
++ remove_resource(res);
+ kfree(res);
+ data->res[i] = NULL;
+ if (mapped)
+@@ -195,7 +195,7 @@ static void dev_dax_kmem_remove(struct d
+
+ rc = remove_memory(range.start, range_len(&range));
+ if (rc == 0) {
+- release_resource(data->res[i]);
++ remove_resource(data->res[i]);
+ kfree(data->res[i]);
+ data->res[i] = NULL;
+ success++;
+--- a/kernel/resource.c
++++ b/kernel/resource.c
+@@ -1345,20 +1345,6 @@ retry:
+ continue;
+ }
+
+- /*
+- * All memory regions added from memory-hotplug path have the
+- * flag IORESOURCE_SYSTEM_RAM. If the resource does not have
+- * this flag, we know that we are dealing with a resource coming
+- * from HMM/devm. HMM/devm use another mechanism to add/release
+- * a resource. This goes via devm_request_mem_region and
+- * devm_release_mem_region.
+- * HMM/devm take care to release their resources when they want,
+- * so if we are dealing with them, let us just back off here.
+- */
+- if (!(res->flags & IORESOURCE_SYSRAM)) {
+- break;
+- }
+-
+ if (!(res->flags & IORESOURCE_MEM))
+ break;
+
--- /dev/null
+From f77692d65d54665d81815349cc727baa85e8b71d Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@kernel.org>
+Date: Thu, 16 Feb 2023 12:10:05 -0500
+Subject: dm: add cond_resched() to dm_wq_requeue_work()
+
+From: Mike Snitzer <snitzer@kernel.org>
+
+commit f77692d65d54665d81815349cc727baa85e8b71d upstream.
+
+Otherwise the while() loop in dm_wq_requeue_work() can result in a
+"dead loop" on systems that have preemption disabled. This is
+particularly problematic on single cpu systems.
+
+Fixes: 8b211aaccb915 ("dm: add two stage requeue mechanism")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1020,6 +1020,7 @@ static void dm_wq_requeue_work(struct wo
+ io->next = NULL;
+ __dm_io_complete(io, false);
+ io = next;
++ cond_resched();
+ }
+ }
+
--- /dev/null
+From 0ca44fcef241768fd25ee763b3d203b9852f269b Mon Sep 17 00:00:00 2001
+From: Pingfan Liu <piliu@redhat.com>
+Date: Wed, 15 Feb 2023 19:23:40 +0800
+Subject: dm: add cond_resched() to dm_wq_work()
+
+From: Pingfan Liu <piliu@redhat.com>
+
+commit 0ca44fcef241768fd25ee763b3d203b9852f269b upstream.
+
+Otherwise the while() loop in dm_wq_work() can result in a "dead
+loop" on systems that have preemption disabled. This is particularly
+problematic on single cpu systems.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Pingfan Liu <piliu@redhat.com>
+Acked-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2578,6 +2578,7 @@ static void dm_wq_work(struct work_struc
+ break;
+
+ submit_bio_noacct(bio);
++ cond_resched();
+ }
+ }
+
--- /dev/null
+From 95ab80a8a0fef2ce0cc494a306dd283948066ce7 Mon Sep 17 00:00:00 2001
+From: Joe Thornber <ejt@redhat.com>
+Date: Thu, 26 Jan 2023 09:59:10 +0000
+Subject: dm cache: free background tracker's queued work in btracker_destroy
+
+From: Joe Thornber <ejt@redhat.com>
+
+commit 95ab80a8a0fef2ce0cc494a306dd283948066ce7 upstream.
+
+Otherwise the kernel can BUG with:
+
+[ 2245.426978] =============================================================================
+[ 2245.435155] BUG bt_work (Tainted: G B W ): Objects remaining in bt_work on __kmem_cache_shutdown()
+[ 2245.445233] -----------------------------------------------------------------------------
+[ 2245.445233]
+[ 2245.454879] Slab 0x00000000b0ce2b30 objects=64 used=2 fp=0x000000000a3c6a4e flags=0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
+[ 2245.467300] CPU: 7 PID: 10805 Comm: lvm Kdump: loaded Tainted: G B W 6.0.0-rc2 #19
+[ 2245.476078] Hardware name: Dell Inc. PowerEdge R7525/0590KW, BIOS 2.5.6 10/06/2021
+[ 2245.483646] Call Trace:
+[ 2245.486100] <TASK>
+[ 2245.488206] dump_stack_lvl+0x34/0x48
+[ 2245.491878] slab_err+0x95/0xcd
+[ 2245.495028] __kmem_cache_shutdown.cold+0x31/0x136
+[ 2245.499821] kmem_cache_destroy+0x49/0x130
+[ 2245.503928] btracker_destroy+0x12/0x20 [dm_cache]
+[ 2245.508728] smq_destroy+0x15/0x60 [dm_cache_smq]
+[ 2245.513435] dm_cache_policy_destroy+0x12/0x20 [dm_cache]
+[ 2245.518834] destroy+0xc0/0x110 [dm_cache]
+[ 2245.522933] dm_table_destroy+0x5c/0x120 [dm_mod]
+[ 2245.527649] __dm_destroy+0x10e/0x1c0 [dm_mod]
+[ 2245.532102] dev_remove+0x117/0x190 [dm_mod]
+[ 2245.536384] ctl_ioctl+0x1a2/0x290 [dm_mod]
+[ 2245.540579] dm_ctl_ioctl+0xa/0x20 [dm_mod]
+[ 2245.544773] __x64_sys_ioctl+0x8a/0xc0
+[ 2245.548524] do_syscall_64+0x5c/0x90
+[ 2245.552104] ? syscall_exit_to_user_mode+0x12/0x30
+[ 2245.556897] ? do_syscall_64+0x69/0x90
+[ 2245.560648] ? do_syscall_64+0x69/0x90
+[ 2245.564394] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 2245.569447] RIP: 0033:0x7fe52583ec6b
+...
+[ 2245.646771] ------------[ cut here ]------------
+[ 2245.651395] kmem_cache_destroy bt_work: Slab cache still has objects when called from btracker_destroy+0x12/0x20 [dm_cache]
+[ 2245.651408] WARNING: CPU: 7 PID: 10805 at mm/slab_common.c:478 kmem_cache_destroy+0x128/0x130
+
+Found using: lvm2-testsuite --only "cache-single-split.sh"
+
+Ben bisected and found that commit 0495e337b703 ("mm/slab_common:
+Deleting kobject in kmem_cache_destroy() without holding
+slab_mutex/cpu_hotplug_lock") first exposed dm-cache's incomplete
+cleanup of its background tracker work objects.
+
+Reported-by: Benjamin Marzinski <bmarzins@redhat.com>
+Tested-by: Benjamin Marzinski <bmarzins@redhat.com>
+Cc: stable@vger.kernel.org # 6.0+
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-cache-background-tracker.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/md/dm-cache-background-tracker.c b/drivers/md/dm-cache-background-tracker.c
+index 84814e819e4c..7887f99b82bd 100644
+--- a/drivers/md/dm-cache-background-tracker.c
++++ b/drivers/md/dm-cache-background-tracker.c
+@@ -60,6 +60,14 @@ EXPORT_SYMBOL_GPL(btracker_create);
+
+ void btracker_destroy(struct background_tracker *b)
+ {
++ struct bt_work *w, *tmp;
++
++ BUG_ON(!list_empty(&b->issued));
++ list_for_each_entry_safe (w, tmp, &b->queued, list) {
++ list_del(&w->list);
++ kmem_cache_free(b->work_cache, w);
++ }
++
+ kmem_cache_destroy(b->work_cache);
+ kfree(b);
+ }
+--
+2.39.2
+
--- /dev/null
+From f50714b57aecb6b3dc81d578e295f86d9c73f078 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun, 22 Jan 2023 14:02:57 -0500
+Subject: dm flakey: don't corrupt the zero page
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit f50714b57aecb6b3dc81d578e295f86d9c73f078 upstream.
+
+When we need to zero some range on a block device, the function
+__blkdev_issue_zero_pages submits a write bio with the bio vector pointing
+to the zero page. If we use dm-flakey with corrupt bio writes option, it
+will corrupt the content of the zero page which results in crashes of
+various userspace programs. Glibc assumes that memory returned by mmap is
+zeroed and it uses it for calloc implementation; if the newly mapped
+memory is not zeroed, calloc will return non-zeroed memory.
+
+Fix this bug by testing if the page is equal to ZERO_PAGE(0) and
+avoiding the corruption in this case.
+
+Cc: stable@vger.kernel.org
+Fixes: a00f5276e266 ("dm flakey: Properly corrupt multi-page bios.")
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Reviewed-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-flakey.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-flakey.c
++++ b/drivers/md/dm-flakey.c
+@@ -303,8 +303,11 @@ static void corrupt_bio_data(struct bio
+ */
+ bio_for_each_segment(bvec, bio, iter) {
+ if (bio_iter_len(bio, iter) > corrupt_bio_byte) {
+- char *segment = (page_address(bio_iter_page(bio, iter))
+- + bio_iter_offset(bio, iter));
++ char *segment;
++ struct page *page = bio_iter_page(bio, iter);
++ if (unlikely(page == ZERO_PAGE(0)))
++ break;
++ segment = (page_address(page) + bio_iter_offset(bio, iter));
+ segment[corrupt_bio_byte] = fc->corrupt_bio_value;
+ DMDEBUG("Corrupting data bio=%p by writing %u to byte %u "
+ "(rw=%c bi_opf=%u bi_sector=%llu size=%u)\n",
--- /dev/null
+From 8eb29c4fbf9661e6bd4dd86197a37ffe0ecc9d50 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun, 22 Jan 2023 14:03:31 -0500
+Subject: dm flakey: fix a bug with 32-bit highmem systems
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 8eb29c4fbf9661e6bd4dd86197a37ffe0ecc9d50 upstream.
+
+The function page_address does not work with 32-bit systems with high
+memory. Use bvec_kmap_local/kunmap_local instead.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Reviewed-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-flakey.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm-flakey.c
++++ b/drivers/md/dm-flakey.c
+@@ -307,8 +307,9 @@ static void corrupt_bio_data(struct bio
+ struct page *page = bio_iter_page(bio, iter);
+ if (unlikely(page == ZERO_PAGE(0)))
+ break;
+- segment = (page_address(page) + bio_iter_offset(bio, iter));
++ segment = bvec_kmap_local(&bvec);
+ segment[corrupt_bio_byte] = fc->corrupt_bio_value;
++ kunmap_local(segment);
+ DMDEBUG("Corrupting data bio=%p by writing %u to byte %u "
+ "(rw=%c bi_opf=%u bi_sector=%llu size=%u)\n",
+ bio, fc->corrupt_bio_value, fc->corrupt_bio_byte,
--- /dev/null
+From aa56b9b75996ff4c76a0a4181c2fa0206c3d91cc Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun, 22 Jan 2023 14:03:56 -0500
+Subject: dm flakey: fix logic when corrupting a bio
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit aa56b9b75996ff4c76a0a4181c2fa0206c3d91cc upstream.
+
+If "corrupt_bio_byte" is set to corrupt reads and corrupt_bio_flags is
+used, dm-flakey would erroneously return all writes as errors. Likewise,
+if "corrupt_bio_byte" is set to corrupt writes, dm-flakey would return
+errors for all reads.
+
+Fix the logic so that if fc->corrupt_bio_byte is non-zero, dm-flakey
+will not abort reads on writes with an error.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Reviewed-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-flakey.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+--- a/drivers/md/dm-flakey.c
++++ b/drivers/md/dm-flakey.c
+@@ -361,9 +361,11 @@ static int flakey_map(struct dm_target *
+ /*
+ * Corrupt matching writes.
+ */
+- if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == WRITE)) {
+- if (all_corrupt_bio_flags_match(bio, fc))
+- corrupt_bio_data(bio, fc);
++ if (fc->corrupt_bio_byte) {
++ if (fc->corrupt_bio_rw == WRITE) {
++ if (all_corrupt_bio_flags_match(bio, fc))
++ corrupt_bio_data(bio, fc);
++ }
+ goto map_bio;
+ }
+
+@@ -389,13 +391,14 @@ static int flakey_end_io(struct dm_targe
+ return DM_ENDIO_DONE;
+
+ if (!*error && pb->bio_submitted && (bio_data_dir(bio) == READ)) {
+- if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
+- all_corrupt_bio_flags_match(bio, fc)) {
+- /*
+- * Corrupt successful matching READs while in down state.
+- */
+- corrupt_bio_data(bio, fc);
+-
++ if (fc->corrupt_bio_byte) {
++ if ((fc->corrupt_bio_rw == READ) &&
++ all_corrupt_bio_flags_match(bio, fc)) {
++ /*
++ * Corrupt successful matching READs while in down state.
++ */
++ corrupt_bio_data(bio, fc);
++ }
+ } else if (!test_bit(DROP_WRITES, &fc->flags) &&
+ !test_bit(ERROR_WRITES, &fc->flags)) {
+ /*
--- /dev/null
+From 7533afa1d27ba1234146d31d2402c195cf195962 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 7 Feb 2023 08:33:06 -0500
+Subject: dm: send just one event on resize, not two
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 7533afa1d27ba1234146d31d2402c195cf195962 upstream.
+
+Device mapper sends an uevent when the device is suspended, using the
+function set_capacity_and_notify. However, this causes a race condition
+with udev.
+
+Udev skips scanning dm devices that are suspended. If we send an uevent
+while we are suspended, udev will be racing with device mapper resume
+code. If the device mapper resume code wins the race, udev will process
+the uevent after the device is resumed and it will properly scan the
+device.
+
+However, if udev wins the race, it will receive the uevent, find out that
+the dm device is suspended and skip scanning the device. This causes bugs
+such as systemd unmounting the device - see
+https://bugzilla.redhat.com/show_bug.cgi?id=2158628
+
+This commit fixes this race.
+
+We replace the function set_capacity_and_notify with set_capacity, so that
+the uevent is not sent at this point. In do_resume, we detect if the
+capacity has changed and we pass a boolean variable need_resize_uevent to
+dm_kobject_uevent. dm_kobject_uevent adds "RESIZE=1" to the uevent if
+need_resize_uevent is set.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Tested-by: Peter Rajnoha <prajnoha@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-ioctl.c | 13 ++++++++++---
+ drivers/md/dm.c | 27 +++++++++++++--------------
+ drivers/md/dm.h | 2 +-
+ 3 files changed, 24 insertions(+), 18 deletions(-)
+
+--- a/drivers/md/dm-ioctl.c
++++ b/drivers/md/dm-ioctl.c
+@@ -482,7 +482,7 @@ static struct mapped_device *dm_hash_ren
+ dm_table_event(table);
+ dm_put_live_table(hc->md, srcu_idx);
+
+- if (!dm_kobject_uevent(hc->md, KOBJ_CHANGE, param->event_nr))
++ if (!dm_kobject_uevent(hc->md, KOBJ_CHANGE, param->event_nr, false))
+ param->flags |= DM_UEVENT_GENERATED_FLAG;
+
+ md = hc->md;
+@@ -995,7 +995,7 @@ static int dev_remove(struct file *filp,
+
+ dm_ima_measure_on_device_remove(md, false);
+
+- if (!dm_kobject_uevent(md, KOBJ_REMOVE, param->event_nr))
++ if (!dm_kobject_uevent(md, KOBJ_REMOVE, param->event_nr, false))
+ param->flags |= DM_UEVENT_GENERATED_FLAG;
+
+ dm_put(md);
+@@ -1129,6 +1129,7 @@ static int do_resume(struct dm_ioctl *pa
+ struct hash_cell *hc;
+ struct mapped_device *md;
+ struct dm_table *new_map, *old_map = NULL;
++ bool need_resize_uevent = false;
+
+ down_write(&_hash_lock);
+
+@@ -1149,6 +1150,8 @@ static int do_resume(struct dm_ioctl *pa
+
+ /* Do we need to load a new map ? */
+ if (new_map) {
++ sector_t old_size, new_size;
++
+ /* Suspend if it isn't already suspended */
+ if (param->flags & DM_SKIP_LOCKFS_FLAG)
+ suspend_flags &= ~DM_SUSPEND_LOCKFS_FLAG;
+@@ -1157,6 +1160,7 @@ static int do_resume(struct dm_ioctl *pa
+ if (!dm_suspended_md(md))
+ dm_suspend(md, suspend_flags);
+
++ old_size = dm_get_size(md);
+ old_map = dm_swap_table(md, new_map);
+ if (IS_ERR(old_map)) {
+ dm_sync_table(md);
+@@ -1164,6 +1168,9 @@ static int do_resume(struct dm_ioctl *pa
+ dm_put(md);
+ return PTR_ERR(old_map);
+ }
++ new_size = dm_get_size(md);
++ if (old_size && new_size && old_size != new_size)
++ need_resize_uevent = true;
+
+ if (dm_table_get_mode(new_map) & FMODE_WRITE)
+ set_disk_ro(dm_disk(md), 0);
+@@ -1176,7 +1183,7 @@ static int do_resume(struct dm_ioctl *pa
+ if (!r) {
+ dm_ima_measure_on_device_resume(md, new_map ? true : false);
+
+- if (!dm_kobject_uevent(md, KOBJ_CHANGE, param->event_nr))
++ if (!dm_kobject_uevent(md, KOBJ_CHANGE, param->event_nr, need_resize_uevent))
+ param->flags |= DM_UEVENT_GENERATED_FLAG;
+ }
+ }
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2184,10 +2184,7 @@ static struct dm_table *__bind(struct ma
+ if (size != dm_get_size(md))
+ memset(&md->geometry, 0, sizeof(md->geometry));
+
+- if (!get_capacity(md->disk))
+- set_capacity(md->disk, size);
+- else
+- set_capacity_and_notify(md->disk, size);
++ set_capacity(md->disk, size);
+
+ dm_table_event_callback(t, event_callback, md);
+
+@@ -2980,23 +2977,25 @@ EXPORT_SYMBOL_GPL(dm_internal_resume_fas
+ * Event notification.
+ *---------------------------------------------------------------*/
+ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
+- unsigned cookie)
++ unsigned cookie, bool need_resize_uevent)
+ {
+ int r;
+ unsigned noio_flag;
+ char udev_cookie[DM_COOKIE_LENGTH];
+- char *envp[] = { udev_cookie, NULL };
+-
+- noio_flag = memalloc_noio_save();
+-
+- if (!cookie)
+- r = kobject_uevent(&disk_to_dev(md->disk)->kobj, action);
+- else {
++ char *envp[3] = { NULL, NULL, NULL };
++ char **envpp = envp;
++ if (cookie) {
+ snprintf(udev_cookie, DM_COOKIE_LENGTH, "%s=%u",
+ DM_COOKIE_ENV_VAR_NAME, cookie);
+- r = kobject_uevent_env(&disk_to_dev(md->disk)->kobj,
+- action, envp);
++ *envpp++ = udev_cookie;
+ }
++ if (need_resize_uevent) {
++ *envpp++ = "RESIZE=1";
++ }
++
++ noio_flag = memalloc_noio_save();
++
++ r = kobject_uevent_env(&disk_to_dev(md->disk)->kobj, action, envp);
+
+ memalloc_noio_restore(noio_flag);
+
+--- a/drivers/md/dm.h
++++ b/drivers/md/dm.h
+@@ -203,7 +203,7 @@ int dm_get_table_device(struct mapped_de
+ void dm_put_table_device(struct mapped_device *md, struct dm_dev *d);
+
+ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
+- unsigned cookie);
++ unsigned cookie, bool need_resize_uevent);
+
+ void dm_internal_suspend(struct mapped_device *md);
+ void dm_internal_resume(struct mapped_device *md);
--- /dev/null
+From f2e4cca2f670c8e52fbb551a295f2afc9aa2bd72 Mon Sep 17 00:00:00 2001
+From: John Ogness <john.ogness@linutronix.de>
+Date: Thu, 29 Dec 2022 14:49:39 +0106
+Subject: docs: gdbmacros: print newest record
+
+From: John Ogness <john.ogness@linutronix.de>
+
+commit f2e4cca2f670c8e52fbb551a295f2afc9aa2bd72 upstream.
+
+@head_id points to the newest record, but the printing loop
+exits when it increments to this value (before printing).
+
+Exit the printing loop after the newest record has been printed.
+
+The python-based function in scripts/gdb/linux/dmesg.py already
+does this correctly.
+
+Fixes: e60768311af8 ("scripts/gdb: update for lockless printk ringbuffer")
+Cc: stable@vger.kernel.org
+Signed-off-by: John Ogness <john.ogness@linutronix.de>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Link: https://lore.kernel.org/r/20221229134339.197627-1-john.ogness@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/admin-guide/kdump/gdbmacros.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/admin-guide/kdump/gdbmacros.txt
++++ b/Documentation/admin-guide/kdump/gdbmacros.txt
+@@ -312,10 +312,10 @@ define dmesg
+ set var $prev_flags = $info->flags
+ end
+
+- set var $id = ($id + 1) & $id_mask
+ if ($id == $end_id)
+ loop_break
+ end
++ set var $id = ($id + 1) & $id_mask
+ end
+ end
+ document dmesg
--- /dev/null
+From 0813299c586b175d7edb25f56412c54b812d0379 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 26 Jan 2023 12:22:21 +0100
+Subject: ext4: Fix possible corruption when moving a directory
+
+From: Jan Kara <jack@suse.cz>
+
+commit 0813299c586b175d7edb25f56412c54b812d0379 upstream.
+
+When we are renaming a directory to a different directory, we need to
+update '..' entry in the moved directory. However nothing prevents moved
+directory from being modified and even converted from the inline format
+to the normal format. When such race happens the rename code gets
+confused and we crash. Fix the problem by locking the moved directory.
+
+CC: stable@vger.kernel.org
+Fixes: 32f7f22c0b52 ("ext4: let ext4_rename handle inline dir")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230126112221.11866-1-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/namei.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -3872,9 +3872,16 @@ static int ext4_rename(struct user_names
+ if (new.dir != old.dir && EXT4_DIR_LINK_MAX(new.dir))
+ goto end_rename;
+ }
++ /*
++ * We need to protect against old.inode directory getting
++ * converted from inline directory format into a normal one.
++ */
++ inode_lock_nested(old.inode, I_MUTEX_NONDIR2);
+ retval = ext4_rename_dir_prepare(handle, &old);
+- if (retval)
++ if (retval) {
++ inode_unlock(old.inode);
+ goto end_rename;
++ }
+ }
+ /*
+ * If we're renaming a file within an inline_data dir and adding or
+@@ -4006,6 +4013,8 @@ end_rename:
+ } else {
+ ext4_journal_stop(handle);
+ }
++ if (old.dir_bh)
++ inode_unlock(old.inode);
+ release_bh:
+ brelse(old.dir_bh);
+ brelse(old.bh);
--- /dev/null
+From 1e9d62d252812575ded7c620d8fc67c32ff06c16 Mon Sep 17 00:00:00 2001
+From: Jun Nie <jun.nie@linaro.org>
+Date: Tue, 3 Jan 2023 09:45:16 +0800
+Subject: ext4: optimize ea_inode block expansion
+
+From: Jun Nie <jun.nie@linaro.org>
+
+commit 1e9d62d252812575ded7c620d8fc67c32ff06c16 upstream.
+
+Copy ea data from inode entry when expanding ea block if possible.
+Then remove the ea entry if expansion success. Thus memcpy to a
+temporary buffer may be avoided.
+
+If the expansion fails, we do not need to recovery the removed ea
+entry neither in this way.
+
+Reported-by: syzbot+2dacb8f015bf1420155f@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=3613786cb88c93aa1c6a279b1df6a7b201347d08
+Link: https://lore.kernel.org/r/20230103014517.495275-2-jun.nie@linaro.org
+Cc: stable@kernel.org
+Signed-off-by: Jun Nie <jun.nie@linaro.org>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/xattr.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -2550,9 +2550,8 @@ static int ext4_xattr_move_to_block(hand
+
+ is = kzalloc(sizeof(struct ext4_xattr_ibody_find), GFP_NOFS);
+ bs = kzalloc(sizeof(struct ext4_xattr_block_find), GFP_NOFS);
+- buffer = kvmalloc(value_size, GFP_NOFS);
+ b_entry_name = kmalloc(entry->e_name_len + 1, GFP_NOFS);
+- if (!is || !bs || !buffer || !b_entry_name) {
++ if (!is || !bs || !b_entry_name) {
+ error = -ENOMEM;
+ goto out;
+ }
+@@ -2564,12 +2563,18 @@ static int ext4_xattr_move_to_block(hand
+
+ /* Save the entry name and the entry value */
+ if (entry->e_value_inum) {
++ buffer = kvmalloc(value_size, GFP_NOFS);
++ if (!buffer) {
++ error = -ENOMEM;
++ goto out;
++ }
++
+ error = ext4_xattr_inode_get(inode, entry, buffer, value_size);
+ if (error)
+ goto out;
+ } else {
+ size_t value_offs = le16_to_cpu(entry->e_value_offs);
+- memcpy(buffer, (void *)IFIRST(header) + value_offs, value_size);
++ buffer = (void *)IFIRST(header) + value_offs;
+ }
+
+ memcpy(b_entry_name, entry->e_name, entry->e_name_len);
+@@ -2584,25 +2589,26 @@ static int ext4_xattr_move_to_block(hand
+ if (error)
+ goto out;
+
+- /* Remove the chosen entry from the inode */
+- error = ext4_xattr_ibody_set(handle, inode, &i, is);
+- if (error)
+- goto out;
+-
+ i.value = buffer;
+ i.value_len = value_size;
+ error = ext4_xattr_block_find(inode, &i, bs);
+ if (error)
+ goto out;
+
+- /* Add entry which was removed from the inode into the block */
++ /* Move ea entry from the inode into the block */
+ error = ext4_xattr_block_set(handle, inode, &i, bs);
+ if (error)
+ goto out;
+- error = 0;
++
++ /* Remove the chosen entry from the inode */
++ i.value = NULL;
++ i.value_len = 0;
++ error = ext4_xattr_ibody_set(handle, inode, &i, is);
++
+ out:
+ kfree(b_entry_name);
+- kvfree(buffer);
++ if (entry->e_value_inum && buffer)
++ kvfree(buffer);
+ if (is)
+ brelse(is->iloc.bh);
+ if (bs)
--- /dev/null
+From f31173c19901a96bb2ebf6bcfec8a08df7095c91 Mon Sep 17 00:00:00 2001
+From: Jun Nie <jun.nie@linaro.org>
+Date: Tue, 3 Jan 2023 09:45:17 +0800
+Subject: ext4: refuse to create ea block when umounted
+
+From: Jun Nie <jun.nie@linaro.org>
+
+commit f31173c19901a96bb2ebf6bcfec8a08df7095c91 upstream.
+
+The ea block expansion need to access s_root while it is
+already set as NULL when umount is triggered. Refuse this
+request to avoid panic.
+
+Reported-by: syzbot+2dacb8f015bf1420155f@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=3613786cb88c93aa1c6a279b1df6a7b201347d08
+Link: https://lore.kernel.org/r/20230103014517.495275-3-jun.nie@linaro.org
+Cc: stable@kernel.org
+Signed-off-by: Jun Nie <jun.nie@linaro.org>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/xattr.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1422,6 +1422,13 @@ static struct inode *ext4_xattr_inode_cr
+ uid_t owner[2] = { i_uid_read(inode), i_gid_read(inode) };
+ int err;
+
++ if (inode->i_sb->s_root == NULL) {
++ ext4_warning(inode->i_sb,
++ "refuse to create EA inode when umounting");
++ WARN_ON(1);
++ return ERR_PTR(-EINVAL);
++ }
++
+ /*
+ * Let the next inode be the goal, so we try and allocate the EA inode
+ * in the same group, or nearby one.
--- /dev/null
+From 1cc4606d19e3710bfab3f6704b87ff9580493c69 Mon Sep 17 00:00:00 2001
+From: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
+Date: Thu, 26 Jan 2023 11:23:18 +0100
+Subject: fuse: add inode/permission checks to fileattr_get/fileattr_set
+
+From: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
+
+commit 1cc4606d19e3710bfab3f6704b87ff9580493c69 upstream.
+
+It looks like these checks were accidentally lost during the conversion to
+fileattr API.
+
+Fixes: 72227eac177d ("fuse: convert to fileattr")
+Cc: <stable@vger.kernel.org> # v5.13
+Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/ioctl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/fuse/ioctl.c
++++ b/fs/fuse/ioctl.c
+@@ -419,6 +419,12 @@ static struct fuse_file *fuse_priv_ioctl
+ struct fuse_mount *fm = get_fuse_mount(inode);
+ bool isdir = S_ISDIR(inode->i_mode);
+
++ if (!fuse_allow_current_process(fm->fc))
++ return ERR_PTR(-EACCES);
++
++ if (fuse_is_bad(inode))
++ return ERR_PTR(-EIO);
++
+ if (!S_ISREG(inode->i_mode) && !isdir)
+ return ERR_PTR(-ENOTTY);
+
--- /dev/null
+From 2fbb848b65cde5b876cce52ebcb34de4aaa5a94a Mon Sep 17 00:00:00 2001
+From: Zev Weiss <zev@bewilderbeest.net>
+Date: Mon, 2 Jan 2023 13:28:57 -0800
+Subject: hwmon: (nct6775) Fix incorrect parenthesization in nct6775_write_fan_div()
+
+From: Zev Weiss <zev@bewilderbeest.net>
+
+commit 2fbb848b65cde5b876cce52ebcb34de4aaa5a94a upstream.
+
+Commit 4ef2774511dc ("hwmon: (nct6775) Convert register access to
+regmap API") fumbled the shifting & masking of the fan_div values such
+that odd-numbered fan divisors would always be set to zero. Fix it so
+that we actually OR in the bits we meant to.
+
+Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
+Fixes: 4ef2774511dc ("hwmon: (nct6775) Convert register access to regmap API")
+Cc: stable@kernel.org # v5.19+
+Link: https://lore.kernel.org/r/20230102212857.5670-1-zev@bewilderbeest.net
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/nct6775-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/nct6775-core.c b/drivers/hwmon/nct6775-core.c
+index da9ec6983e13..c54233f0369b 100644
+--- a/drivers/hwmon/nct6775-core.c
++++ b/drivers/hwmon/nct6775-core.c
+@@ -1150,7 +1150,7 @@ static int nct6775_write_fan_div(struct nct6775_data *data, int nr)
+ if (err)
+ return err;
+ reg &= 0x70 >> oddshift;
+- reg |= data->fan_div[nr] & (0x7 << oddshift);
++ reg |= (data->fan_div[nr] & 0x7) << oddshift;
+ return nct6775_write_value(data, fandiv_reg, reg);
+ }
+
+--
+2.39.2
+
--- /dev/null
+From f00093608fa790580da309bb9feb5108fbe7c331 Mon Sep 17 00:00:00 2001
+From: Zev Weiss <zev@bewilderbeest.net>
+Date: Wed, 1 Feb 2023 18:18:25 -0800
+Subject: hwmon: (peci/cputemp) Fix off-by-one in coretemp_label allocation
+
+From: Zev Weiss <zev@bewilderbeest.net>
+
+commit f00093608fa790580da309bb9feb5108fbe7c331 upstream.
+
+The find_last_bit() call produces the index of the highest-numbered
+core in core_mask; because cores are numbered from zero, the number of
+elements we need to allocate is one more than that.
+
+Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
+Cc: stable@kernel.org # v5.18
+Fixes: bf3608f338e9 ("hwmon: peci: Add cputemp driver")
+Reviewed-by: Iwona Winiarska <iwona.winiarska@intel.com>
+Link: https://lore.kernel.org/r/20230202021825.21486-1-zev@bewilderbeest.net
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/peci/cputemp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/peci/cputemp.c b/drivers/hwmon/peci/cputemp.c
+index 57470fda5f6c..30850a479f61 100644
+--- a/drivers/hwmon/peci/cputemp.c
++++ b/drivers/hwmon/peci/cputemp.c
+@@ -402,7 +402,7 @@ static int create_temp_label(struct peci_cputemp *priv)
+ unsigned long core_max = find_last_bit(priv->core_mask, CORE_NUMS_MAX);
+ int i;
+
+- priv->coretemp_label = devm_kzalloc(priv->dev, core_max * sizeof(char *), GFP_KERNEL);
++ priv->coretemp_label = devm_kzalloc(priv->dev, (core_max + 1) * sizeof(char *), GFP_KERNEL);
+ if (!priv->coretemp_label)
+ return -ENOMEM;
+
+--
+2.39.2
+
--- /dev/null
+From b6b26d86c61c441144c72f842f7469bb686e1211 Mon Sep 17 00:00:00 2001
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Date: Thu, 2 Feb 2023 08:26:56 +0000
+Subject: iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+commit b6b26d86c61c441144c72f842f7469bb686e1211 upstream.
+
+The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow,
+because the string specifier in the format string sscanf()
+has no width limitation.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
+Reviewed-by: Kim Phillips <kim.phillips@amd.com>
+Link: https://lore.kernel.org/r/20230202082719.1513849-1-Ilia.Gavrilov@infotecs.ru
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/amd/init.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/amd/init.c
++++ b/drivers/iommu/amd/init.c
+@@ -3475,15 +3475,26 @@ found:
+ return 1;
+ }
+
++#define ACPIID_LEN (ACPIHID_UID_LEN + ACPIHID_HID_LEN)
++
+ static int __init parse_ivrs_acpihid(char *str)
+ {
+ u32 seg = 0, bus, dev, fn;
+ char *hid, *uid, *p, *addr;
+- char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0};
++ char acpiid[ACPIID_LEN] = {0};
+ int i;
+
+ addr = strchr(str, '@');
+ if (!addr) {
++ addr = strchr(str, '=');
++ if (!addr)
++ goto not_found;
++
++ ++addr;
++
++ if (strlen(addr) > ACPIID_LEN)
++ goto not_found;
++
+ if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 ||
+ sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) {
+ pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n",
+@@ -3496,6 +3507,9 @@ static int __init parse_ivrs_acpihid(cha
+ /* We have the '@', make it the terminator to get just the acpiid */
+ *addr++ = 0;
+
++ if (strlen(str) > ACPIID_LEN + 1)
++ goto not_found;
++
+ if (sscanf(str, "=%s", acpiid) != 1)
+ goto not_found;
+
--- /dev/null
+From 996d120b4de2b0d6b592bd9fbbe6e244b81ab3cc Mon Sep 17 00:00:00 2001
+From: Vasant Hegde <vasant.hegde@amd.com>
+Date: Wed, 15 Feb 2023 05:26:42 +0000
+Subject: iommu/amd: Improve page fault error reporting
+
+From: Vasant Hegde <vasant.hegde@amd.com>
+
+commit 996d120b4de2b0d6b592bd9fbbe6e244b81ab3cc upstream.
+
+If IOMMU domain for device group is not setup properly then we may hit
+IOMMU page fault. Current page fault handler assumes that domain is
+always setup and it will hit NULL pointer derefence (see below sample log).
+
+Lets check whether domain is setup or not and log appropriate message.
+
+Sample log:
+----------
+ amdgpu 0000:00:01.0: amdgpu: SE 1, SH per SE 1, CU per SH 8, active_cu_number 6
+ BUG: kernel NULL pointer dereference, address: 0000000000000058
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 2 PID: 56 Comm: irq/24-AMD-Vi Not tainted 6.2.0-rc2+ #89
+ Hardware name: xxx
+ RIP: 0010:report_iommu_fault+0x11/0x90
+ [...]
+ Call Trace:
+ <TASK>
+ amd_iommu_int_thread+0x60c/0x760
+ ? __pfx_irq_thread_fn+0x10/0x10
+ irq_thread_fn+0x1f/0x60
+ irq_thread+0xea/0x1a0
+ ? preempt_count_add+0x6a/0xa0
+ ? __pfx_irq_thread_dtor+0x10/0x10
+ ? __pfx_irq_thread+0x10/0x10
+ kthread+0xe9/0x110
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x2c/0x50
+ </TASK>
+
+Reported-by: Matt Fagnani <matt.fagnani@bell.net>
+Suggested-by: Joerg Roedel <joro@8bytes.org>
+Signed-off-by: Vasant Hegde <vasant.hegde@amd.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216865
+Link: https://lore.kernel.org/lkml/15d0f9ff-2a56-b3e9-5b45-e6b23300ae3b@leemhuis.info/
+Link: https://lore.kernel.org/r/20230215052642.6016-3-vasant.hegde@amd.com
+Cc: stable@vger.kernel.org
+[joro: Edit commit message]
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/amd/iommu.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -558,6 +558,15 @@ static void amd_iommu_report_page_fault(
+ * prevent logging it.
+ */
+ if (IS_IOMMU_MEM_TRANSACTION(flags)) {
++ /* Device not attached to domain properly */
++ if (dev_data->domain == NULL) {
++ pr_err_ratelimited("Event logged [Device not attached to domain properly]\n");
++ pr_err_ratelimited(" device=%04x:%02x:%02x.%x domain=0x%04x\n",
++ iommu->pci_seg->id, PCI_BUS_NUM(devid), PCI_SLOT(devid),
++ PCI_FUNC(devid), domain_id);
++ goto out;
++ }
++
+ if (!report_iommu_fault(&dev_data->domain->domain,
+ &pdev->dev, address,
+ IS_WRITE_REQUEST(flags) ?
--- /dev/null
+From e6b9bd7290d334451ce054e98e752abc055e0034 Mon Sep 17 00:00:00 2001
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+Date: Tue, 10 Jan 2023 09:53:27 +0800
+Subject: jbd2: fix data missing when reusing bh which is ready to be checkpointed
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+commit e6b9bd7290d334451ce054e98e752abc055e0034 upstream.
+
+Following process will make data lost and could lead to a filesystem
+corrupted problem:
+
+1. jh(bh) is inserted into T1->t_checkpoint_list, bh is dirty, and
+ jh->b_transaction = NULL
+2. T1 is added into journal->j_checkpoint_transactions.
+3. Get bh prepare to write while doing checkpoing:
+ PA PB
+ do_get_write_access jbd2_log_do_checkpoint
+ spin_lock(&jh->b_state_lock)
+ if (buffer_dirty(bh))
+ clear_buffer_dirty(bh) // clear buffer dirty
+ set_buffer_jbddirty(bh)
+ transaction =
+ journal->j_checkpoint_transactions
+ jh = transaction->t_checkpoint_list
+ if (!buffer_dirty(bh))
+ __jbd2_journal_remove_checkpoint(jh)
+ // bh won't be flushed
+ jbd2_cleanup_journal_tail
+ __jbd2_journal_file_buffer(jh, transaction, BJ_Reserved)
+4. Aborting journal/Power-cut before writing latest bh on journal area.
+
+In this way we get a corrupted filesystem with bh's data lost.
+
+Fix it by moving the clearing of buffer_dirty bit just before the call
+to __jbd2_journal_file_buffer(), both bit clearing and jh->b_transaction
+assignment are under journal->j_list_lock locked, so that
+jbd2_log_do_checkpoint() will wait until jh's new transaction fininshed
+even bh is currently not dirty. And journal_shrink_one_cp_list() won't
+remove jh from checkpoint list if the buffer head is reused in
+do_get_write_access().
+
+Fetch a reproducer in [Link].
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216898
+Cc: <stable@kernel.org>
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: zhanchengbin <zhanchengbin1@huawei.com>
+Suggested-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230110015327.1181863-1-chengzhihao1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jbd2/transaction.c | 50 +++++++++++++++++++++++++++++---------------------
+ 1 file changed, 29 insertions(+), 21 deletions(-)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -1010,36 +1010,28 @@ repeat:
+ * ie. locked but not dirty) or tune2fs (which may actually have
+ * the buffer dirtied, ugh.) */
+
+- if (buffer_dirty(bh)) {
++ if (buffer_dirty(bh) && jh->b_transaction) {
++ warn_dirty_buffer(bh);
+ /*
+- * First question: is this buffer already part of the current
+- * transaction or the existing committing transaction?
+- */
+- if (jh->b_transaction) {
+- J_ASSERT_JH(jh,
+- jh->b_transaction == transaction ||
+- jh->b_transaction ==
+- journal->j_committing_transaction);
+- if (jh->b_next_transaction)
+- J_ASSERT_JH(jh, jh->b_next_transaction ==
+- transaction);
+- warn_dirty_buffer(bh);
+- }
+- /*
+- * In any case we need to clean the dirty flag and we must
+- * do it under the buffer lock to be sure we don't race
+- * with running write-out.
++ * We need to clean the dirty flag and we must do it under the
++ * buffer lock to be sure we don't race with running write-out.
+ */
+ JBUFFER_TRACE(jh, "Journalling dirty buffer");
+ clear_buffer_dirty(bh);
++ /*
++ * The buffer is going to be added to BJ_Reserved list now and
++ * nothing guarantees jbd2_journal_dirty_metadata() will be
++ * ever called for it. So we need to set jbddirty bit here to
++ * make sure the buffer is dirtied and written out when the
++ * journaling machinery is done with it.
++ */
+ set_buffer_jbddirty(bh);
+ }
+
+- unlock_buffer(bh);
+-
+ error = -EROFS;
+ if (is_handle_aborted(handle)) {
+ spin_unlock(&jh->b_state_lock);
++ unlock_buffer(bh);
+ goto out;
+ }
+ error = 0;
+@@ -1049,8 +1041,10 @@ repeat:
+ * b_next_transaction points to it
+ */
+ if (jh->b_transaction == transaction ||
+- jh->b_next_transaction == transaction)
++ jh->b_next_transaction == transaction) {
++ unlock_buffer(bh);
+ goto done;
++ }
+
+ /*
+ * this is the first time this transaction is touching this buffer,
+@@ -1074,10 +1068,24 @@ repeat:
+ */
+ smp_wmb();
+ spin_lock(&journal->j_list_lock);
++ if (test_clear_buffer_dirty(bh)) {
++ /*
++ * Execute buffer dirty clearing and jh->b_transaction
++ * assignment under journal->j_list_lock locked to
++ * prevent bh being removed from checkpoint list if
++ * the buffer is in an intermediate state (not dirty
++ * and jh->b_transaction is NULL).
++ */
++ JBUFFER_TRACE(jh, "Journalling dirty buffer");
++ set_buffer_jbddirty(bh);
++ }
+ __jbd2_journal_file_buffer(jh, transaction, BJ_Reserved);
+ spin_unlock(&journal->j_list_lock);
++ unlock_buffer(bh);
+ goto done;
+ }
++ unlock_buffer(bh);
++
+ /*
+ * If there is already a copy-out version of this buffer, then we don't
+ * need to make another one
--- /dev/null
+From 4fbd2f83fda0ca44a2ec6421ca3508b355b31858 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Tue, 21 Feb 2023 08:49:16 +0900
+Subject: kprobes: Fix to handle forcibly unoptimized kprobes on freeing_list
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit 4fbd2f83fda0ca44a2ec6421ca3508b355b31858 upstream.
+
+Since forcibly unoptimized kprobes will be put on the freeing_list directly
+in the unoptimize_kprobe(), do_unoptimize_kprobes() must continue to check
+the freeing_list even if unoptimizing_list is empty.
+
+This bug can happen if a kprobe is put in an instruction which is in the
+middle of the jump-replaced instruction sequence of an optprobe, *and* the
+optprobe is recently unregistered and queued on unoptimizing_list.
+In this case, the optprobe will be unoptimized forcibly (means immediately)
+and put it into the freeing_list, expecting the optprobe will be handled in
+do_unoptimize_kprobe().
+But if there is no other optprobes on the unoptimizing_list, current code
+returns from the do_unoptimize_kprobe() soon and does not handle the
+optprobe which is on the freeing_list. Then the optprobe will hit the
+WARN_ON_ONCE() in the do_free_cleaned_kprobes(), because it is not handled
+in the latter loop of the do_unoptimize_kprobe().
+
+To solve this issue, do not return from do_unoptimize_kprobes() immediately
+even if unoptimizing_list is empty.
+
+Moreover, this change affects another case. kill_optimized_kprobes() expects
+kprobe_optimizer() will just free the optprobe on freeing_list.
+So I changed it to just do list_move() to freeing_list if optprobes are on
+unoptimizing list. And the do_unoptimize_kprobe() will skip
+arch_disarm_kprobe() if the probe on freeing_list has gone flag.
+
+Link: https://lore.kernel.org/all/Y8URdIfVr3pq2X8w@xpf.sh.intel.com/
+Link: https://lore.kernel.org/all/167448024501.3253718.13037333683110512967.stgit@devnote3/
+
+Fixes: e4add247789e ("kprobes: Fix optimize_kprobe()/unoptimize_kprobe() cancellation logic")
+Reported-by: Pengfei Xu <pengfei.xu@intel.com>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Cc: stable@vger.kernel.org
+Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kprobes.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -555,17 +555,15 @@ static void do_unoptimize_kprobes(void)
+ /* See comment in do_optimize_kprobes() */
+ lockdep_assert_cpus_held();
+
+- /* Unoptimization must be done anytime */
+- if (list_empty(&unoptimizing_list))
+- return;
++ if (!list_empty(&unoptimizing_list))
++ arch_unoptimize_kprobes(&unoptimizing_list, &freeing_list);
+
+- arch_unoptimize_kprobes(&unoptimizing_list, &freeing_list);
+- /* Loop on 'freeing_list' for disarming */
++ /* Loop on 'freeing_list' for disarming and removing from kprobe hash list */
+ list_for_each_entry_safe(op, tmp, &freeing_list, list) {
+ /* Switching from detour code to origin */
+ op->kp.flags &= ~KPROBE_FLAG_OPTIMIZED;
+- /* Disarm probes if marked disabled */
+- if (kprobe_disabled(&op->kp))
++ /* Disarm probes if marked disabled and not gone */
++ if (kprobe_disabled(&op->kp) && !kprobe_gone(&op->kp))
+ arch_disarm_kprobe(&op->kp);
+ if (kprobe_unused(&op->kp)) {
+ /*
+@@ -797,14 +795,13 @@ static void kill_optimized_kprobe(struct
+ op->kp.flags &= ~KPROBE_FLAG_OPTIMIZED;
+
+ if (kprobe_unused(p)) {
+- /* Enqueue if it is unused */
+- list_add(&op->list, &freeing_list);
+ /*
+- * Remove unused probes from the hash list. After waiting
+- * for synchronization, this probe is reclaimed.
+- * (reclaiming is done by do_free_cleaned_kprobes().)
++ * Unused kprobe is on unoptimizing or freeing list. We move it
++ * to freeing_list and let the kprobe_optimizer() remove it from
++ * the kprobe hash list and free it.
+ */
+- hlist_del_rcu(&op->kp.hlist);
++ if (optprobe_queued_unopt(op))
++ list_move(&op->list, &freeing_list);
+ }
+
+ /* Don't touch the code, because it is already freed. */
--- /dev/null
+From 4e7d2a8f0b52abf23b1dc13b3d88bc0923383cd5 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Wed, 18 Jan 2023 16:37:25 -0500
+Subject: ktest.pl: Add RUN_TIMEOUT option with default unlimited
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 4e7d2a8f0b52abf23b1dc13b3d88bc0923383cd5 upstream.
+
+There is a disconnect between the run_command function and the
+wait_for_input. The wait_for_input has a default timeout of 2 minutes. But
+if that happens, the run_command loop will exit out to the waitpid() of
+the executing command. This fails in that it no longer monitors the
+command, and also, the ssh to the test box can hang when its finished, as
+it's waiting for the pipe it's writing to to flush, but the loop that
+reads that pipe has already exited, leaving the command stuck, and the
+test hangs.
+
+Instead, make the default "wait_for_input" of the run_command infinite,
+and allow the user to override it if they want with a default timeout
+option "RUN_TIMEOUT".
+
+But this fixes the hang that happens when the pipe is full and the ssh
+session never exits.
+
+Cc: stable@vger.kernel.org
+Fixes: 6e98d1b4415fe ("ktest: Add timeout to ssh command")
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/ktest/ktest.pl | 20 ++++++++++++++++----
+ tools/testing/ktest/sample.conf | 5 +++++
+ 2 files changed, 21 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/ktest/ktest.pl
++++ b/tools/testing/ktest/ktest.pl
+@@ -178,6 +178,7 @@ my $store_failures;
+ my $store_successes;
+ my $test_name;
+ my $timeout;
++my $run_timeout;
+ my $connect_timeout;
+ my $config_bisect_exec;
+ my $booted_timeout;
+@@ -340,6 +341,7 @@ my %option_map = (
+ "STORE_SUCCESSES" => \$store_successes,
+ "TEST_NAME" => \$test_name,
+ "TIMEOUT" => \$timeout,
++ "RUN_TIMEOUT" => \$run_timeout,
+ "CONNECT_TIMEOUT" => \$connect_timeout,
+ "CONFIG_BISECT_EXEC" => \$config_bisect_exec,
+ "BOOTED_TIMEOUT" => \$booted_timeout,
+@@ -1851,6 +1853,14 @@ sub run_command {
+ $command =~ s/\$SSH_USER/$ssh_user/g;
+ $command =~ s/\$MACHINE/$machine/g;
+
++ if (!defined($timeout)) {
++ $timeout = $run_timeout;
++ }
++
++ if (!defined($timeout)) {
++ $timeout = -1; # tell wait_for_input to wait indefinitely
++ }
++
+ doprint("$command ... ");
+ $start_time = time;
+
+@@ -1877,13 +1887,10 @@ sub run_command {
+
+ while (1) {
+ my $fp = \*CMD;
+- if (defined($timeout)) {
+- doprint "timeout = $timeout\n";
+- }
+ my $line = wait_for_input($fp, $timeout);
+ if (!defined($line)) {
+ my $now = time;
+- if (defined($timeout) && (($now - $start_time) >= $timeout)) {
++ if ($timeout >= 0 && (($now - $start_time) >= $timeout)) {
+ doprint "Hit timeout of $timeout, killing process\n";
+ $hit_timeout = 1;
+ kill 9, $pid;
+@@ -2055,6 +2062,11 @@ sub wait_for_input {
+ $time = $timeout;
+ }
+
++ if ($time < 0) {
++ # Negative number means wait indefinitely
++ undef $time;
++ }
++
+ $rin = '';
+ vec($rin, fileno($fp), 1) = 1;
+ vec($rin, fileno(\*STDIN), 1) = 1;
+--- a/tools/testing/ktest/sample.conf
++++ b/tools/testing/ktest/sample.conf
+@@ -809,6 +809,11 @@
+ # is issued instead of a reboot.
+ # CONNECT_TIMEOUT = 25
+
++# The timeout in seconds for how long to wait for any running command
++# to timeout. If not defined, it will let it go indefinitely.
++# (default undefined)
++#RUN_TIMEOUT = 600
++
+ # In between tests, a reboot of the box may occur, and this
+ # is the time to wait for the console after it stops producing
+ # output. Some machines may not produce a large lag on reboot
--- /dev/null
+From e8bf9b98d40dbdf4e39362e3b85a70c61da68cb7 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Wed, 18 Jan 2023 11:31:25 -0500
+Subject: ktest.pl: Fix missing "end_monitor" when machine check fails
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit e8bf9b98d40dbdf4e39362e3b85a70c61da68cb7 upstream.
+
+In the "reboot" command, it does a check of the machine to see if it is
+still alive with a simple "ssh echo" command. If it fails, it will assume
+that a normal "ssh reboot" is not possible and force a power cycle.
+
+In this case, the "start_monitor" is executed, but the "end_monitor" is
+not, and this causes the screen will not be given back to the console. That
+is, after the test, a "reset" command needs to be performed, as "echo" is
+turned off.
+
+Cc: stable@vger.kernel.org
+Fixes: 6474ace999edd ("ktest.pl: Powercycle the box on reboot if no connection can be made")
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/ktest/ktest.pl | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/ktest/ktest.pl
++++ b/tools/testing/ktest/ktest.pl
+@@ -1488,7 +1488,8 @@ sub reboot {
+
+ # Still need to wait for the reboot to finish
+ wait_for_monitor($time, $reboot_success_line);
+-
++ }
++ if ($powercycle || $time) {
+ end_monitor;
+ }
+ }
--- /dev/null
+From 83d29d439cd3ef23041570d55841f814af2ecac0 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Wed, 18 Jan 2023 16:32:13 -0500
+Subject: ktest.pl: Give back console on Ctrt^C on monitor
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 83d29d439cd3ef23041570d55841f814af2ecac0 upstream.
+
+When monitoring the console output, the stdout is being redirected to do
+so. If Ctrl^C is hit during this mode, the stdout is not back to the
+console, the user does not see anything they type (no echo).
+
+Add "end_monitor" to the SIGINT interrupt handler to give back the console
+on Ctrl^C.
+
+Cc: stable@vger.kernel.org
+Fixes: 9f2cdcbbb90e7 ("ktest: Give console process a dedicated tty")
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/ktest/ktest.pl | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/tools/testing/ktest/ktest.pl
++++ b/tools/testing/ktest/ktest.pl
+@@ -4193,6 +4193,9 @@ sub send_email {
+ }
+
+ sub cancel_test {
++ if ($monitor_cnt) {
++ end_monitor;
++ }
+ if ($email_when_canceled) {
+ my $name = get_test_name;
+ send_email("KTEST: Your [$name] test was cancelled",
--- /dev/null
+From 909d3096ac99fa2289f9b8945a3eab2269947a0a Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Wed, 21 Dec 2022 09:30:11 +0100
+Subject: media: ipu3-cio2: Fix PM runtime usage_count in driver unbind
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 909d3096ac99fa2289f9b8945a3eab2269947a0a upstream.
+
+Get the PM runtime usage_count and forbid PM runtime at driver unbind. The
+opposite is being done in probe() already.
+
+Fixes: commit c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver")
+Cc: stable@vger.kernel.org # for >= 4.16
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Bingbu Cao <bingbu.cao@intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/intel/ipu3/ipu3-cio2-main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/pci/intel/ipu3/ipu3-cio2-main.c
++++ b/drivers/media/pci/intel/ipu3/ipu3-cio2-main.c
+@@ -1843,6 +1843,9 @@ static void cio2_pci_remove(struct pci_d
+ v4l2_device_unregister(&cio2->v4l2_dev);
+ media_device_cleanup(&cio2->media_dev);
+ mutex_destroy(&cio2->lock);
++
++ pm_runtime_forbid(&pci_dev->dev);
++ pm_runtime_get_noresume(&pci_dev->dev);
+ }
+
+ static int __maybe_unused cio2_runtime_suspend(struct device *dev)
--- /dev/null
+From 93419139fa14124c1c507d804f2b28866ebee28d Mon Sep 17 00:00:00 2001
+From: Tong Tiangen <tongtiangen@huawei.com>
+Date: Sun, 29 Jan 2023 04:06:51 +0000
+Subject: memory tier: release the new_memtier in find_create_memory_tier()
+
+From: Tong Tiangen <tongtiangen@huawei.com>
+
+commit 93419139fa14124c1c507d804f2b28866ebee28d upstream.
+
+In find_create_memory_tier(), if failed to register device, then we should
+release new_memtier from the tier list and put device instead of memtier.
+
+Link: https://lkml.kernel.org/r/20230129040651.1329208-1-tongtiangen@huawei.com
+Fixes: 9832fb87834e ("mm/demotion: expose memory tier details via sysfs")
+Signed-off-by: Tong Tiangen <tongtiangen@huawei.com>
+Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Cc: Hanjun Guo <guohanjun@huawei.com>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Guohanjun <guohanjun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory-tiers.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/memory-tiers.c b/mm/memory-tiers.c
+index c734658c6242..e593e56e530b 100644
+--- a/mm/memory-tiers.c
++++ b/mm/memory-tiers.c
+@@ -211,8 +211,8 @@ static struct memory_tier *find_create_memory_tier(struct memory_dev_type *memty
+
+ ret = device_register(&new_memtier->dev);
+ if (ret) {
+- list_del(&memtier->list);
+- put_device(&memtier->dev);
++ list_del(&new_memtier->list);
++ put_device(&new_memtier->dev);
+ return ERR_PTR(ret);
+ }
+ memtier = new_memtier;
+--
+2.39.2
+
--- /dev/null
+From 85cc91e2ba4262a602ec65e2b76c4391a9e60d3d Mon Sep 17 00:00:00 2001
+From: Elvira Khabirova <lineprinter0@gmail.com>
+Date: Sat, 18 Feb 2023 23:43:59 +0100
+Subject: mips: fix syscall_get_nr
+
+From: Elvira Khabirova <lineprinter0@gmail.com>
+
+commit 85cc91e2ba4262a602ec65e2b76c4391a9e60d3d upstream.
+
+The implementation of syscall_get_nr on mips used to ignore the task
+argument and return the syscall number of the calling thread instead of
+the target thread.
+
+The bug was exposed to user space by commit 201766a20e30f ("ptrace: add
+PTRACE_GET_SYSCALL_INFO request") and detected by strace test suite.
+
+Link: https://github.com/strace/strace/issues/235
+Fixes: c2d9f1775731 ("MIPS: Fix syscall_get_nr for the syscall exit tracing.")
+Cc: <stable@vger.kernel.org> # v3.19+
+Co-developed-by: Dmitry V. Levin <ldv@strace.io>
+Signed-off-by: Dmitry V. Levin <ldv@strace.io>
+Signed-off-by: Elvira Khabirova <lineprinter0@gmail.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/include/asm/syscall.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/syscall.h
++++ b/arch/mips/include/asm/syscall.h
+@@ -38,7 +38,7 @@ static inline bool mips_syscall_is_indir
+ static inline long syscall_get_nr(struct task_struct *task,
+ struct pt_regs *regs)
+ {
+- return current_thread_info()->syscall;
++ return task_thread_info(task)->syscall;
+ }
+
+ static inline void mips_syscall_update_nr(struct task_struct *task,
--- /dev/null
+From 6da6b1d4a7df8c35770186b53ef65d388398e139 Mon Sep 17 00:00:00 2001
+From: Naoya Horiguchi <naoya.horiguchi@nec.com>
+Date: Tue, 21 Feb 2023 17:59:05 +0900
+Subject: mm/hwpoison: convert TTU_IGNORE_HWPOISON to TTU_HWPOISON
+
+From: Naoya Horiguchi <naoya.horiguchi@nec.com>
+
+commit 6da6b1d4a7df8c35770186b53ef65d388398e139 upstream.
+
+After a memory error happens on a clean folio, a process unexpectedly
+receives SIGBUS when it accesses the error page. This SIGBUS killing is
+pointless and simply degrades the level of RAS of the system, because the
+clean folio can be dropped without any data lost on memory error handling
+as we do for a clean pagecache.
+
+When memory_failure() is called on a clean folio, try_to_unmap() is called
+twice (one from split_huge_page() and one from hwpoison_user_mappings()).
+The root cause of the issue is that pte conversion to hwpoisoned entry is
+now done in the first call of try_to_unmap() because PageHWPoison is
+already set at this point, while it's actually expected to be done in the
+second call. This behavior disturbs the error handling operation like
+removing pagecache, which results in the malfunction described above.
+
+So convert TTU_IGNORE_HWPOISON into TTU_HWPOISON and set TTU_HWPOISON only
+when we really intend to convert pte to hwpoison entry. This can prevent
+other callers of try_to_unmap() from accidentally converting to hwpoison
+entries.
+
+Link: https://lkml.kernel.org/r/20230221085905.1465385-1-naoya.horiguchi@linux.dev
+Fixes: a42634a6c07d ("readahead: Use a folio in read_pages()")
+Signed-off-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/rmap.h | 2 +-
+ mm/memory-failure.c | 8 ++++----
+ mm/rmap.c | 2 +-
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/include/linux/rmap.h
++++ b/include/linux/rmap.h
+@@ -94,7 +94,7 @@ enum ttu_flags {
+ TTU_SPLIT_HUGE_PMD = 0x4, /* split huge PMD if any */
+ TTU_IGNORE_MLOCK = 0x8, /* ignore mlock */
+ TTU_SYNC = 0x10, /* avoid racy checks with PVMW_SYNC */
+- TTU_IGNORE_HWPOISON = 0x20, /* corrupted page is recoverable */
++ TTU_HWPOISON = 0x20, /* do convert pte to hwpoison entry */
+ TTU_BATCH_FLUSH = 0x40, /* Batch TLB flushes where possible
+ * and caller guarantees they will
+ * do a final flush if necessary */
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -1020,7 +1020,7 @@ static int me_pagecache_dirty(struct pag
+ * cache and swap cache(ie. page is freshly swapped in). So it could be
+ * referenced concurrently by 2 types of PTEs:
+ * normal PTEs and swap PTEs. We try to handle them consistently by calling
+- * try_to_unmap(TTU_IGNORE_HWPOISON) to convert the normal PTEs to swap PTEs,
++ * try_to_unmap(!TTU_HWPOISON) to convert the normal PTEs to swap PTEs,
+ * and then
+ * - clear dirty bit to prevent IO
+ * - remove from LRU
+@@ -1401,7 +1401,7 @@ static bool hwpoison_user_mappings(struc
+ int flags, struct page *hpage)
+ {
+ struct folio *folio = page_folio(hpage);
+- enum ttu_flags ttu = TTU_IGNORE_MLOCK | TTU_SYNC;
++ enum ttu_flags ttu = TTU_IGNORE_MLOCK | TTU_SYNC | TTU_HWPOISON;
+ struct address_space *mapping;
+ LIST_HEAD(tokill);
+ bool unmap_success;
+@@ -1431,7 +1431,7 @@ static bool hwpoison_user_mappings(struc
+
+ if (PageSwapCache(p)) {
+ pr_err("%#lx: keeping poisoned page in swap cache\n", pfn);
+- ttu |= TTU_IGNORE_HWPOISON;
++ ttu &= ~TTU_HWPOISON;
+ }
+
+ /*
+@@ -1446,7 +1446,7 @@ static bool hwpoison_user_mappings(struc
+ if (page_mkclean(hpage)) {
+ SetPageDirty(hpage);
+ } else {
+- ttu |= TTU_IGNORE_HWPOISON;
++ ttu &= ~TTU_HWPOISON;
+ pr_info("%#lx: corrupted page was clean: dropped without side effects\n",
+ pfn);
+ }
+--- a/mm/rmap.c
++++ b/mm/rmap.c
+@@ -1623,7 +1623,7 @@ static bool try_to_unmap_one(struct foli
+ /* Update high watermark before we lower rss */
+ update_hiwater_rss(mm);
+
+- if (PageHWPoison(subpage) && !(flags & TTU_IGNORE_HWPOISON)) {
++ if (PageHWPoison(subpage) && (flags & TTU_HWPOISON)) {
+ pteval = swp_entry_to_pte(make_hwpoison_entry(subpage));
+ if (folio_test_hugetlb(folio)) {
+ hugetlb_count_sub(folio_nr_pages(folio), mm);
--- /dev/null
+From da34a8484d162585e22ed8c1e4114aa2f60e3567 Mon Sep 17 00:00:00 2001
+From: Johannes Weiner <hannes@cmpxchg.org>
+Date: Wed, 7 Dec 2022 14:00:39 +0100
+Subject: mm: memcontrol: deprecate charge moving
+
+From: Johannes Weiner <hannes@cmpxchg.org>
+
+commit da34a8484d162585e22ed8c1e4114aa2f60e3567 upstream.
+
+Charge moving mode in cgroup1 allows memory to follow tasks as they
+migrate between cgroups. This is, and always has been, a questionable
+thing to do - for several reasons.
+
+First, it's expensive. Pages need to be identified, locked and isolated
+from various MM operations, and reassigned, one by one.
+
+Second, it's unreliable. Once pages are charged to a cgroup, there isn't
+always a clear owner task anymore. Cache isn't moved at all, for example.
+Mapped memory is moved - but if trylocking or isolating a page fails,
+it's arbitrarily left behind. Frequent moving between domains may leave a
+task's memory scattered all over the place.
+
+Third, it isn't really needed. Launcher tasks can kick off workload tasks
+directly in their target cgroup. Using dedicated per-workload groups
+allows fine-grained policy adjustments - no need to move tasks and their
+physical pages between control domains. The feature was never
+forward-ported to cgroup2, and it hasn't been missed.
+
+Despite it being a niche usecase, the maintenance overhead of supporting
+it is enormous. Because pages are moved while they are live and subject
+to various MM operations, the synchronization rules are complicated.
+There are lock_page_memcg() in MM and FS code, which non-cgroup people
+don't understand. In some cases we've been able to shift code and cgroup
+API calls around such that we can rely on native locking as much as
+possible. But that's fragile, and sometimes we need to hold MM locks for
+longer than we otherwise would (pte lock e.g.).
+
+Mark the feature deprecated. Hopefully we can remove it soon.
+
+And backport into -stable kernels so that people who develop against
+earlier kernels are warned about this deprecation as early as possible.
+
+[akpm@linux-foundation.org: fix memory.rst underlining]
+Link: https://lkml.kernel.org/r/Y5COd+qXwk/S+n8N@cmpxchg.org
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Shakeel Butt <shakeelb@google.com>
+Acked-by: Hugh Dickins <hughd@google.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Muchun Song <songmuchun@bytedance.com>
+Cc: Roman Gushchin <roman.gushchin@linux.dev>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/admin-guide/cgroup-v1/memory.rst | 13 +++++++++++--
+ mm/memcontrol.c | 4 ++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/Documentation/admin-guide/cgroup-v1/memory.rst
++++ b/Documentation/admin-guide/cgroup-v1/memory.rst
+@@ -86,6 +86,8 @@ Brief summary of control files.
+ memory.swappiness set/show swappiness parameter of vmscan
+ (See sysctl's vm.swappiness)
+ memory.move_charge_at_immigrate set/show controls of moving charges
++ This knob is deprecated and shouldn't be
++ used.
+ memory.oom_control set/show oom controls.
+ memory.numa_stat show the number of memory usage per numa
+ node
+@@ -716,8 +718,15 @@ NOTE2:
+ It is recommended to set the soft limit always below the hard limit,
+ otherwise the hard limit will take precedence.
+
+-8. Move charges at task migration
+-=================================
++8. Move charges at task migration (DEPRECATED!)
++===============================================
++
++THIS IS DEPRECATED!
++
++It's expensive and unreliable! It's better practice to launch workload
++tasks directly from inside their target cgroup. Use dedicated workload
++cgroups to allow fine-grained policy adjustments without having to
++move physical pages between control domains.
+
+ Users can move charges associated with a task along with task migration, that
+ is, uncharge task's pages from the old cgroup and charge them to the new cgroup.
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -3910,6 +3910,10 @@ static int mem_cgroup_move_charge_write(
+ {
+ struct mem_cgroup *memcg = mem_cgroup_from_css(css);
+
++ pr_warn_once("Cgroup memory moving (move_charge_at_immigrate) is deprecated. "
++ "Please report your usecase to linux-mm@kvack.org if you "
++ "depend on this functionality.\n");
++
+ if (val & ~MOVE_MASK)
+ return -EINVAL;
+
--- /dev/null
+From 81e506bec9be1eceaf5a2c654e28ba5176ef48d8 Mon Sep 17 00:00:00 2001
+From: Yin Fengwei <fengwei.yin@intel.com>
+Date: Fri, 23 Dec 2022 21:52:07 +0800
+Subject: mm/thp: check and bail out if page in deferred queue already
+
+From: Yin Fengwei <fengwei.yin@intel.com>
+
+commit 81e506bec9be1eceaf5a2c654e28ba5176ef48d8 upstream.
+
+Kernel build regression with LLVM was reported here:
+https://lore.kernel.org/all/Y1GCYXGtEVZbcv%2F5@dev-arch.thelio-3990X/ with
+commit f35b5d7d676e ("mm: align larger anonymous mappings on THP
+boundaries"). And the commit f35b5d7d676e was reverted.
+
+It turned out the regression is related with madvise(MADV_DONTNEED)
+was used by ld.lld. But with none PMD_SIZE aligned parameter len.
+trace-bpfcc captured:
+531607 531732 ld.lld do_madvise.part.0 start: 0x7feca9000000, len: 0x7fb000, behavior: 0x4
+531607 531793 ld.lld do_madvise.part.0 start: 0x7fec86a00000, len: 0x7fb000, behavior: 0x4
+
+If the underneath physical page is THP, the madvise(MADV_DONTNEED) can
+trigger split_queue_lock contention raised significantly. perf showed
+following data:
+ 14.85% 0.00% ld.lld [kernel.kallsyms] [k]
+ entry_SYSCALL_64_after_hwframe
+ 11.52%
+ entry_SYSCALL_64_after_hwframe
+ do_syscall_64
+ __x64_sys_madvise
+ do_madvise.part.0
+ zap_page_range
+ unmap_single_vma
+ unmap_page_range
+ page_remove_rmap
+ deferred_split_huge_page
+ __lock_text_start
+ native_queued_spin_lock_slowpath
+
+If THP can't be removed from rmap as whole THP, partial THP will be
+removed from rmap by removing sub-pages from rmap. Even the THP head page
+is added to deferred queue already, the split_queue_lock will be acquired
+and check whether the THP head page is in the queue already. Thus, the
+contention of split_queue_lock is raised.
+
+Before acquire split_queue_lock, check and bail out early if the THP
+head page is in the queue already. The checking without holding
+split_queue_lock could race with deferred_split_scan, but it doesn't
+impact the correctness here.
+
+Test result of building kernel with ld.lld:
+commit 7b5a0b664ebe (parent commit of f35b5d7d676e):
+time -f "\t%E real,\t%U user,\t%S sys" make LD=ld.lld -skj96 allmodconfig all
+ 6:07.99 real, 26367.77 user, 5063.35 sys
+
+commit f35b5d7d676e:
+time -f "\t%E real,\t%U user,\t%S sys" make LD=ld.lld -skj96 allmodconfig all
+ 7:22.15 real, 26235.03 user, 12504.55 sys
+
+commit f35b5d7d676e with the fixing patch:
+time -f "\t%E real,\t%U user,\t%S sys" make LD=ld.lld -skj96 allmodconfig all
+ 6:08.49 real, 26520.15 user, 5047.91 sys
+
+Link: https://lkml.kernel.org/r/20221223135207.2275317-1-fengwei.yin@intel.com
+Signed-off-by: Yin Fengwei <fengwei.yin@intel.com>
+Tested-by: Nathan Chancellor <nathan@kernel.org>
+Acked-by: David Rientjes <rientjes@google.com>
+Reviewed-by: "Huang, Ying" <ying.huang@intel.com>
+Cc: Feng Tang <feng.tang@intel.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Xing Zhengjun <zhengjun.xing@linux.intel.com>
+Cc: Yang Shi <shy828301@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/huge_memory.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -2818,6 +2818,9 @@ void deferred_split_huge_page(struct pag
+ if (PageSwapCache(page))
+ return;
+
++ if (!list_empty(page_deferred_list(page)))
++ return;
++
+ spin_lock_irqsave(&ds_queue->split_queue_lock, flags);
+ if (list_empty(page_deferred_list(page))) {
+ count_vm_event(THP_DEFERRED_SPLIT_PAGE);
--- /dev/null
+From f0f0cfdc3a024e21161714f2e05f0df3b84d42ad Mon Sep 17 00:00:00 2001
+From: Louis Rannou <lrannou@baylibre.com>
+Date: Fri, 3 Feb 2023 09:07:54 +0200
+Subject: mtd: spi-nor: Fix shift-out-of-bounds in spi_nor_set_erase_type
+
+From: Louis Rannou <lrannou@baylibre.com>
+
+commit f0f0cfdc3a024e21161714f2e05f0df3b84d42ad upstream.
+
+spi_nor_set_erase_type() was used either to set or to mask out an erase
+type. When we used it to mask out an erase type a shift-out-of-bounds
+was hit:
+UBSAN: shift-out-of-bounds in drivers/mtd/spi-nor/core.c:2237:24
+shift exponent 4294967295 is too large for 32-bit type 'int'
+
+The setting of the size_{shift, mask} and of the opcode are unnecessary
+when the erase size is zero, as throughout the code just the erase size
+is considered to determine whether an erase type is supported or not.
+Setting the opcode to 0xFF was wrong too as nobody guarantees that 0xFF
+is an unused opcode. Thus when masking out an erase type, just set the
+erase size to zero. This will fix the shift-out-of-bounds.
+
+Fixes: 5390a8df769e ("mtd: spi-nor: add support to non-uniform SFDP SPI NOR flash memories")
+Cc: stable@vger.kernel.org
+Reported-by: Alexander Stein <Alexander.Stein@tq-group.com>
+Signed-off-by: Louis Rannou <lrannou@baylibre.com>
+Tested-by: Alexander Stein <Alexander.Stein@tq-group.com>
+Link: https://lore.kernel.org/r/20230203070754.50677-1-tudor.ambarus@linaro.org
+[ta: refine changes, new commit message, fix compilation error]
+Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/core.c | 9 +++++++++
+ drivers/mtd/spi-nor/core.h | 1 +
+ drivers/mtd/spi-nor/sfdp.c | 4 ++--
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/spi-nor/core.c
++++ b/drivers/mtd/spi-nor/core.c
+@@ -2004,6 +2004,15 @@ void spi_nor_set_erase_type(struct spi_n
+ }
+
+ /**
++ * spi_nor_mask_erase_type() - mask out a SPI NOR erase type
++ * @erase: pointer to a structure that describes a SPI NOR erase type
++ */
++void spi_nor_mask_erase_type(struct spi_nor_erase_type *erase)
++{
++ erase->size = 0;
++}
++
++/**
+ * spi_nor_init_uniform_erase_map() - Initialize uniform erase map
+ * @map: the erase map of the SPI NOR
+ * @erase_mask: bitmask encoding erase types that can erase the entire
+--- a/drivers/mtd/spi-nor/core.h
++++ b/drivers/mtd/spi-nor/core.h
+@@ -682,6 +682,7 @@ void spi_nor_set_pp_settings(struct spi_
+
+ void spi_nor_set_erase_type(struct spi_nor_erase_type *erase, u32 size,
+ u8 opcode);
++void spi_nor_mask_erase_type(struct spi_nor_erase_type *erase);
+ struct spi_nor_erase_region *
+ spi_nor_region_next(struct spi_nor_erase_region *region);
+ void spi_nor_init_uniform_erase_map(struct spi_nor_erase_map *map,
+--- a/drivers/mtd/spi-nor/sfdp.c
++++ b/drivers/mtd/spi-nor/sfdp.c
+@@ -876,7 +876,7 @@ static int spi_nor_init_non_uniform_eras
+ */
+ for (i = 0; i < SNOR_ERASE_TYPE_MAX; i++)
+ if (!(regions_erase_type & BIT(erase[i].idx)))
+- spi_nor_set_erase_type(&erase[i], 0, 0xFF);
++ spi_nor_mask_erase_type(&erase[i]);
+
+ return 0;
+ }
+@@ -1090,7 +1090,7 @@ static int spi_nor_parse_4bait(struct sp
+ erase_type[i].opcode = (dwords[1] >>
+ erase_type[i].idx * 8) & 0xFF;
+ else
+- spi_nor_set_erase_type(&erase_type[i], 0u, 0xFF);
++ spi_nor_mask_erase_type(&erase_type[i]);
+ }
+
+ /*
--- /dev/null
+From ad9679f3811899fd1c21dc7bdd715e8e1cfb46b9 Mon Sep 17 00:00:00 2001
+From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+Date: Mon, 26 Dec 2022 13:01:58 +0900
+Subject: mtd: spi-nor: sfdp: Fix index value for SCCR dwords
+
+From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+
+commit ad9679f3811899fd1c21dc7bdd715e8e1cfb46b9 upstream.
+
+Array index for SCCR 22th DOWRD should be 21.
+
+Fixes: 981a8d60e01f ("mtd: spi-nor: Parse SFDP SCCR Map")
+Signed-off-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Reviewed-by: Michael Walle <michael@walle.cc>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/d8a2a77c2c95cf776e7dcae6392d29fdcf5d6307.1672026365.git.Takahiro.Kuwano@infineon.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/sfdp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/spi-nor/sfdp.c
++++ b/drivers/mtd/spi-nor/sfdp.c
+@@ -1222,7 +1222,7 @@ static int spi_nor_parse_sccr(struct spi
+
+ le32_to_cpu_array(dwords, sccr_header->length);
+
+- if (FIELD_GET(SCCR_DWORD22_OCTAL_DTR_EN_VOLATILE, dwords[22]))
++ if (FIELD_GET(SCCR_DWORD22_OCTAL_DTR_EN_VOLATILE, dwords[21]))
+ nor->flags |= SNOR_F_IO_MODE_EN_VOLATILE;
+
+ out:
--- /dev/null
+From 3f592a869f87723314f0cb1ac232bd3bf8245be8 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+Date: Tue, 10 Jan 2023 18:47:02 +0200
+Subject: mtd: spi-nor: spansion: Consider reserved bits in CFR5 register
+
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+
+commit 3f592a869f87723314f0cb1ac232bd3bf8245be8 upstream.
+
+CFR5[6] is reserved bit and must be always 1. Set it to comply with flash
+requirements. While fixing SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_{EN, DS}
+definition, stop using magic numbers and describe the missing bit fields
+in CFR5 register. This is useful for both readability and future possible
+addition of Octal STR mode support.
+
+Fixes: c3266af101f2 ("mtd: spi-nor: spansion: add support for Cypress Semper flash")
+Cc: stable@vger.kernel.org
+Reported-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Reviewed-by: Dhruva Gole <d-gole@ti.com>
+Reviewed-by: Pratyush Yadav <ptyadav@amazon.de>
+Tested-by: Dhruva Gole <d-gole@ti.com>
+Link: https://lore.kernel.org/linux-mtd/20230110164703.83413-1-tudor.ambarus@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/spansion.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/spi-nor/spansion.c
++++ b/drivers/mtd/spi-nor/spansion.c
+@@ -21,8 +21,13 @@
+ #define SPINOR_REG_CYPRESS_CFR3V 0x00800004
+ #define SPINOR_REG_CYPRESS_CFR3V_PGSZ BIT(4) /* Page size. */
+ #define SPINOR_REG_CYPRESS_CFR5V 0x00800006
+-#define SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_EN 0x3
+-#define SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_DS 0
++#define SPINOR_REG_CYPRESS_CFR5_BIT6 BIT(6)
++#define SPINOR_REG_CYPRESS_CFR5_DDR BIT(1)
++#define SPINOR_REG_CYPRESS_CFR5_OPI BIT(0)
++#define SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_EN \
++ (SPINOR_REG_CYPRESS_CFR5_BIT6 | SPINOR_REG_CYPRESS_CFR5_DDR | \
++ SPINOR_REG_CYPRESS_CFR5_OPI)
++#define SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_DS SPINOR_REG_CYPRESS_CFR5_BIT6
+ #define SPINOR_OP_CYPRESS_RD_FAST 0xee
+
+ /* Cypress SPI NOR flash operations. */
--- /dev/null
+From b905039e428d639adeebb719b76f98865ea38d4d Mon Sep 17 00:00:00 2001
+From: "Guilherme G. Piccoli" <gpiccoli@igalia.com>
+Date: Sun, 26 Feb 2023 13:08:38 -0300
+Subject: panic: fix the panic_print NMI backtrace setting
+
+From: Guilherme G. Piccoli <gpiccoli@igalia.com>
+
+commit b905039e428d639adeebb719b76f98865ea38d4d upstream.
+
+Commit 8d470a45d1a6 ("panic: add option to dump all CPUs backtraces in
+panic_print") introduced a setting for the "panic_print" kernel parameter
+to allow users to request a NMI backtrace on panic. Problem is that the
+panic_print handling happens after the secondary CPUs are already
+disabled, hence this option ended-up being kind of a no-op - kernel skips
+the NMI trace in idling CPUs, which is the case of offline CPUs.
+
+Fix it by checking the NMI backtrace bit in the panic_print prior to the
+CPU disabling function.
+
+Link: https://lkml.kernel.org/r/20230226160838.414257-1-gpiccoli@igalia.com
+Fixes: 8d470a45d1a6 ("panic: add option to dump all CPUs backtraces in panic_print")
+Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
+Cc: <stable@vger.kernel.org>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Dave Young <dyoung@redhat.com>
+Cc: Feng Tang <feng.tang@intel.com>
+Cc: HATAYAMA Daisuke <d.hatayama@jp.fujitsu.com>
+Cc: Hidehiro Kawai <hidehiro.kawai.ez@hitachi.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Michael Kelley <mikelley@microsoft.com>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Vivek Goyal <vgoyal@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/panic.c | 44 ++++++++++++++++++++++++++------------------
+ 1 file changed, 26 insertions(+), 18 deletions(-)
+
+--- a/kernel/panic.c
++++ b/kernel/panic.c
+@@ -211,9 +211,6 @@ static void panic_print_sys_info(bool co
+ return;
+ }
+
+- if (panic_print & PANIC_PRINT_ALL_CPU_BT)
+- trigger_all_cpu_backtrace();
+-
+ if (panic_print & PANIC_PRINT_TASK_INFO)
+ show_state();
+
+@@ -243,6 +240,30 @@ void check_panic_on_warn(const char *ori
+ origin, limit);
+ }
+
++/*
++ * Helper that triggers the NMI backtrace (if set in panic_print)
++ * and then performs the secondary CPUs shutdown - we cannot have
++ * the NMI backtrace after the CPUs are off!
++ */
++static void panic_other_cpus_shutdown(bool crash_kexec)
++{
++ if (panic_print & PANIC_PRINT_ALL_CPU_BT)
++ trigger_all_cpu_backtrace();
++
++ /*
++ * Note that smp_send_stop() is the usual SMP shutdown function,
++ * which unfortunately may not be hardened to work in a panic
++ * situation. If we want to do crash dump after notifier calls
++ * and kmsg_dump, we will need architecture dependent extra
++ * bits in addition to stopping other CPUs, hence we rely on
++ * crash_smp_send_stop() for that.
++ */
++ if (!crash_kexec)
++ smp_send_stop();
++ else
++ crash_smp_send_stop();
++}
++
+ /**
+ * panic - halt the system
+ * @fmt: The text string to print
+@@ -333,23 +354,10 @@ void panic(const char *fmt, ...)
+ *
+ * Bypass the panic_cpu check and call __crash_kexec directly.
+ */
+- if (!_crash_kexec_post_notifiers) {
++ if (!_crash_kexec_post_notifiers)
+ __crash_kexec(NULL);
+
+- /*
+- * Note smp_send_stop is the usual smp shutdown function, which
+- * unfortunately means it may not be hardened to work in a
+- * panic situation.
+- */
+- smp_send_stop();
+- } else {
+- /*
+- * If we want to do crash dump after notifier calls and
+- * kmsg_dump, we will need architecture dependent extra
+- * works in addition to stopping other CPUs.
+- */
+- crash_smp_send_stop();
+- }
++ panic_other_cpus_shutdown(_crash_kexec_post_notifiers);
+
+ /*
+ * Run any panic handlers, including those that might need to
--- /dev/null
+From 908d4bb7c54caa58253a363d63e797a468eaf321 Mon Sep 17 00:00:00 2001
+From: Manish Chopra <manishc@marvell.com>
+Date: Thu, 16 Feb 2023 03:54:47 -0800
+Subject: qede: fix interrupt coalescing configuration
+
+From: Manish Chopra <manishc@marvell.com>
+
+commit 908d4bb7c54caa58253a363d63e797a468eaf321 upstream.
+
+On default driver load device gets configured with unexpected
+higher interrupt coalescing values instead of default expected
+values as memory allocated from krealloc() is not supposed to
+be zeroed out and may contain garbage values.
+
+Fix this by allocating the memory of required size first with
+kcalloc() and then use krealloc() to resize and preserve the
+contents across down/up of the interface.
+
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Fixes: b0ec5489c480 ("qede: preserve per queue stats across up/down of interface")
+Cc: stable@vger.kernel.org
+Cc: Bhaskar Upadhaya <bupadhaya@marvell.com>
+Cc: David S. Miller <davem@davemloft.net>
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2160054
+Signed-off-by: Alok Prasad <palok@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_main.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qede/qede_main.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c
+@@ -970,8 +970,15 @@ static int qede_alloc_fp_array(struct qe
+ goto err;
+ }
+
+- mem = krealloc(edev->coal_entry, QEDE_QUEUE_CNT(edev) *
+- sizeof(*edev->coal_entry), GFP_KERNEL);
++ if (!edev->coal_entry) {
++ mem = kcalloc(QEDE_MAX_RSS_CNT(edev),
++ sizeof(*edev->coal_entry), GFP_KERNEL);
++ } else {
++ mem = krealloc(edev->coal_entry,
++ QEDE_QUEUE_CNT(edev) * sizeof(*edev->coal_entry),
++ GFP_KERNEL);
++ }
++
+ if (!mem) {
+ DP_ERR(edev, "coalesce entry allocation failed\n");
+ kfree(edev->coal_entry);
--- /dev/null
+From f7c4d9b133c7a04ca619355574e96b6abf209fba Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Fri, 24 Feb 2023 18:48:54 +0100
+Subject: rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit f7c4d9b133c7a04ca619355574e96b6abf209fba upstream.
+
+If getting an ID or setting up a work queue in rbd_dev_create() fails,
+use-after-free on rbd_dev->rbd_client, rbd_dev->spec and rbd_dev->opts
+is triggered in do_rbd_add(). The root cause is that the ownership of
+these structures is transfered to rbd_dev prematurely and they all end
+up getting freed when rbd_dev_create() calls rbd_dev_free() prior to
+returning to do_rbd_add().
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE, an
+incomplete patch submitted by Natalia Petrova <n.petrova@fintech.ru>.
+
+Cc: stable@vger.kernel.org
+Fixes: 1643dfa4c2c8 ("rbd: introduce a per-device ordered workqueue")
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/rbd.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+--- a/drivers/block/rbd.c
++++ b/drivers/block/rbd.c
+@@ -5292,8 +5292,7 @@ static void rbd_dev_release(struct devic
+ module_put(THIS_MODULE);
+ }
+
+-static struct rbd_device *__rbd_dev_create(struct rbd_client *rbdc,
+- struct rbd_spec *spec)
++static struct rbd_device *__rbd_dev_create(struct rbd_spec *spec)
+ {
+ struct rbd_device *rbd_dev;
+
+@@ -5338,9 +5337,6 @@ static struct rbd_device *__rbd_dev_crea
+ rbd_dev->dev.parent = &rbd_root_dev;
+ device_initialize(&rbd_dev->dev);
+
+- rbd_dev->rbd_client = rbdc;
+- rbd_dev->spec = spec;
+-
+ return rbd_dev;
+ }
+
+@@ -5353,12 +5349,10 @@ static struct rbd_device *rbd_dev_create
+ {
+ struct rbd_device *rbd_dev;
+
+- rbd_dev = __rbd_dev_create(rbdc, spec);
++ rbd_dev = __rbd_dev_create(spec);
+ if (!rbd_dev)
+ return NULL;
+
+- rbd_dev->opts = opts;
+-
+ /* get an id and fill in device name */
+ rbd_dev->dev_id = ida_simple_get(&rbd_dev_id_ida, 0,
+ minor_to_rbd_dev_id(1 << MINORBITS),
+@@ -5375,6 +5369,10 @@ static struct rbd_device *rbd_dev_create
+ /* we have a ref from do_rbd_add() */
+ __module_get(THIS_MODULE);
+
++ rbd_dev->rbd_client = rbdc;
++ rbd_dev->spec = spec;
++ rbd_dev->opts = opts;
++
+ dout("%s rbd_dev %p dev_id %d\n", __func__, rbd_dev, rbd_dev->dev_id);
+ return rbd_dev;
+
+@@ -6736,7 +6734,7 @@ static int rbd_dev_probe_parent(struct r
+ goto out_err;
+ }
+
+- parent = __rbd_dev_create(rbd_dev->rbd_client, rbd_dev->parent_spec);
++ parent = __rbd_dev_create(rbd_dev->parent_spec);
+ if (!parent) {
+ ret = -ENOMEM;
+ goto out_err;
+@@ -6746,8 +6744,8 @@ static int rbd_dev_probe_parent(struct r
+ * Images related by parent/child relationships always share
+ * rbd_client and spec/parent_spec, so bump their refcounts.
+ */
+- __rbd_get_client(rbd_dev->rbd_client);
+- rbd_spec_get(rbd_dev->parent_spec);
++ parent->rbd_client = __rbd_get_client(rbd_dev->rbd_client);
++ parent->spec = rbd_spec_get(rbd_dev->parent_spec);
+
+ __set_bit(RBD_DEV_FLAG_READONLY, &parent->flags);
+
--- /dev/null
+From 80d2c29e09e663761c2778167a625b25ffe01b6f Mon Sep 17 00:00:00 2001
+From: Matthias Kaehlcke <mka@chromium.org>
+Date: Thu, 23 Feb 2023 00:33:30 +0000
+Subject: regulator: core: Use ktime_get_boottime() to determine how long a regulator was off
+
+From: Matthias Kaehlcke <mka@chromium.org>
+
+commit 80d2c29e09e663761c2778167a625b25ffe01b6f upstream.
+
+For regulators with 'off-on-delay-us' the regulator framework currently
+uses ktime_get() to determine how long the regulator has been off
+before re-enabling it (after a delay if needed). A problem with using
+ktime_get() is that it doesn't account for the time the system is
+suspended. As a result a regulator with a longer 'off-on-delay' (e.g.
+500ms) that was switched off during suspend might still incurr in a
+delay on resume before it is re-enabled, even though the regulator
+might have been off for hours. ktime_get_boottime() accounts for
+suspend time, use it instead of ktime_get().
+
+Fixes: a8ce7bd89689 ("regulator: core: Fix off_on_delay handling")
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/20230223003301.v2.1.I9719661b8eb0a73b8c416f9c26cf5bd8c0563f99@changeid
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1584,7 +1584,7 @@ static int set_machine_constraints(struc
+ }
+
+ if (rdev->desc->off_on_delay)
+- rdev->last_off = ktime_get();
++ rdev->last_off = ktime_get_boottime();
+
+ /* If the constraints say the regulator should be on at this point
+ * and we have control then make sure it is enabled.
+@@ -2673,7 +2673,7 @@ static int _regulator_do_enable(struct r
+ * this regulator was disabled.
+ */
+ ktime_t end = ktime_add_us(rdev->last_off, rdev->desc->off_on_delay);
+- s64 remaining = ktime_us_delta(end, ktime_get());
++ s64 remaining = ktime_us_delta(end, ktime_get_boottime());
+
+ if (remaining > 0)
+ _regulator_delay_helper(remaining);
+@@ -2912,7 +2912,7 @@ static int _regulator_do_disable(struct
+ }
+
+ if (rdev->desc->off_on_delay)
+- rdev->last_off = ktime_get();
++ rdev->last_off = ktime_get_boottime();
+
+ trace_regulator_disable_complete(rdev_get_name(rdev));
+
--- /dev/null
+From e46ceea3148163166ef9b7bcac578e72dd30c064 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wenst@chromium.org>
+Date: Wed, 4 Jan 2023 16:31:10 +0800
+Subject: remoteproc/mtk_scp: Move clk ops outside send_lock
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+commit e46ceea3148163166ef9b7bcac578e72dd30c064 upstream.
+
+Clocks are properly reference counted and do not need to be inside the
+lock range.
+
+Right now this triggers a false-positive lockdep warning on MT8192 based
+Chromebooks, through a combination of mtk-scp that has a cros-ec-rpmsg
+sub-device, the (actual) cros-ec I2C adapter registration, I2C client
+(not on cros-ec) probe doing i2c transfers and enabling clocks.
+
+This is a false positive because the cros-ec-rpmsg under mtk-scp does
+not have an I2C adapter, and also each I2C adapter and cros-ec instance
+have their own mutex.
+
+Move the clk operations outside of the send_lock range.
+
+Fixes: 63c13d61eafe ("remoteproc/mediatek: add SCP support for mt8183")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230104083110.736377-1-wenst@chromium.org
+[Fixed "Fixes:" tag line]
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/mtk_scp_ipi.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/remoteproc/mtk_scp_ipi.c
++++ b/drivers/remoteproc/mtk_scp_ipi.c
+@@ -164,21 +164,21 @@ int scp_ipi_send(struct mtk_scp *scp, u3
+ WARN_ON(len > sizeof(send_obj->share_buf)) || WARN_ON(!buf))
+ return -EINVAL;
+
+- mutex_lock(&scp->send_lock);
+-
+ ret = clk_prepare_enable(scp->clk);
+ if (ret) {
+ dev_err(scp->dev, "failed to enable clock\n");
+- goto unlock_mutex;
++ return ret;
+ }
+
++ mutex_lock(&scp->send_lock);
++
+ /* Wait until SCP receives the last command */
+ timeout = jiffies + msecs_to_jiffies(2000);
+ do {
+ if (time_after(jiffies, timeout)) {
+ dev_err(scp->dev, "%s: IPI timeout!\n", __func__);
+ ret = -ETIMEDOUT;
+- goto clock_disable;
++ goto unlock_mutex;
+ }
+ } while (readl(scp->reg_base + scp->data->host_to_scp_reg));
+
+@@ -205,10 +205,9 @@ int scp_ipi_send(struct mtk_scp *scp, u3
+ ret = 0;
+ }
+
+-clock_disable:
+- clk_disable_unprepare(scp->clk);
+ unlock_mutex:
+ mutex_unlock(&scp->send_lock);
++ clk_disable_unprepare(scp->clk);
+
+ return ret;
+ }
--- /dev/null
+From 8843e06f67b14f71c044bf6267b2387784c7e198 Mon Sep 17 00:00:00 2001
+From: Mukesh Ojha <quic_mojha@quicinc.com>
+Date: Tue, 14 Feb 2023 17:36:43 +0530
+Subject: ring-buffer: Handle race between rb_move_tail and rb_check_pages
+
+From: Mukesh Ojha <quic_mojha@quicinc.com>
+
+commit 8843e06f67b14f71c044bf6267b2387784c7e198 upstream.
+
+It seems a data race between ring_buffer writing and integrity check.
+That is, RB_FLAG of head_page is been updating, while at same time
+RB_FLAG was cleared when doing integrity check rb_check_pages():
+
+ rb_check_pages() rb_handle_head_page():
+ -------- --------
+ rb_head_page_deactivate()
+ rb_head_page_set_normal()
+ rb_head_page_activate()
+
+We do intergrity test of the list to check if the list is corrupted and
+it is still worth doing it. So, let's refactor rb_check_pages() such that
+we no longer clear and set flag during the list sanity checking.
+
+[1] and [2] are the test to reproduce and the crash report respectively.
+
+1:
+``` read_trace.sh
+ while true;
+ do
+ # the "trace" file is closed after read
+ head -1 /sys/kernel/tracing/trace > /dev/null
+ done
+```
+``` repro.sh
+ sysctl -w kernel.panic_on_warn=1
+ # function tracer will writing enough data into ring_buffer
+ echo function > /sys/kernel/tracing/current_tracer
+ ./read_trace.sh &
+ ./read_trace.sh &
+ ./read_trace.sh &
+ ./read_trace.sh &
+ ./read_trace.sh &
+ ./read_trace.sh &
+ ./read_trace.sh &
+ ./read_trace.sh &
+```
+
+2:
+------------[ cut here ]------------
+WARNING: CPU: 9 PID: 62 at kernel/trace/ring_buffer.c:2653
+rb_move_tail+0x450/0x470
+Modules linked in:
+CPU: 9 PID: 62 Comm: ksoftirqd/9 Tainted: G W 6.2.0-rc6+
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
+RIP: 0010:rb_move_tail+0x450/0x470
+Code: ff ff 4c 89 c8 f0 4d 0f b1 02 48 89 c2 48 83 e2 fc 49 39 d0 75 24
+83 e0 03 83 f8 02 0f 84 e1 fb ff ff 48 8b 57 10 f0 ff 42 08 <0f> 0b 83
+f8 02 0f 84 ce fb ff ff e9 db
+RSP: 0018:ffffb5564089bd00 EFLAGS: 00000203
+RAX: 0000000000000000 RBX: ffff9db385a2bf81 RCX: ffffb5564089bd18
+RDX: ffff9db281110100 RSI: 0000000000000fe4 RDI: ffff9db380145400
+RBP: ffff9db385a2bf80 R08: ffff9db385a2bfc0 R09: ffff9db385a2bfc2
+R10: ffff9db385a6c000 R11: ffff9db385a2bf80 R12: 0000000000000000
+R13: 00000000000003e8 R14: ffff9db281110100 R15: ffffffffbb006108
+FS: 0000000000000000(0000) GS:ffff9db3bdcc0000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00005602323024c8 CR3: 0000000022e0c000 CR4: 00000000000006e0
+Call Trace:
+ <TASK>
+ ring_buffer_lock_reserve+0x136/0x360
+ ? __do_softirq+0x287/0x2df
+ ? __pfx_rcu_softirq_qs+0x10/0x10
+ trace_function+0x21/0x110
+ ? __pfx_rcu_softirq_qs+0x10/0x10
+ ? __do_softirq+0x287/0x2df
+ function_trace_call+0xf6/0x120
+ 0xffffffffc038f097
+ ? rcu_softirq_qs+0x5/0x140
+ rcu_softirq_qs+0x5/0x140
+ __do_softirq+0x287/0x2df
+ run_ksoftirqd+0x2a/0x30
+ smpboot_thread_fn+0x188/0x220
+ ? __pfx_smpboot_thread_fn+0x10/0x10
+ kthread+0xe7/0x110
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x2c/0x50
+ </TASK>
+---[ end trace 0000000000000000 ]---
+
+[ crash report and test reproducer credit goes to Zheng Yejian]
+
+Link: https://lore.kernel.org/linux-trace-kernel/1676376403-16462-1-git-send-email-quic_mojha@quicinc.com
+
+Cc: <mhiramat@kernel.org>
+Cc: stable@vger.kernel.org
+Fixes: 1039221cc278 ("ring-buffer: Do not disable recording when there is an iterator")
+Reported-by: Zheng Yejian <zhengyejian1@huawei.com>
+Signed-off-by: Mukesh Ojha <quic_mojha@quicinc.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ring_buffer.c | 42 ++++++++++--------------------------------
+ 1 file changed, 10 insertions(+), 32 deletions(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -1581,19 +1581,6 @@ static int rb_check_bpage(struct ring_bu
+ }
+
+ /**
+- * rb_check_list - make sure a pointer to a list has the last bits zero
+- */
+-static int rb_check_list(struct ring_buffer_per_cpu *cpu_buffer,
+- struct list_head *list)
+-{
+- if (RB_WARN_ON(cpu_buffer, rb_list_head(list->prev) != list->prev))
+- return 1;
+- if (RB_WARN_ON(cpu_buffer, rb_list_head(list->next) != list->next))
+- return 1;
+- return 0;
+-}
+-
+-/**
+ * rb_check_pages - integrity check of buffer pages
+ * @cpu_buffer: CPU buffer with pages to test
+ *
+@@ -1602,36 +1589,27 @@ static int rb_check_list(struct ring_buf
+ */
+ static int rb_check_pages(struct ring_buffer_per_cpu *cpu_buffer)
+ {
+- struct list_head *head = cpu_buffer->pages;
+- struct buffer_page *bpage, *tmp;
++ struct list_head *head = rb_list_head(cpu_buffer->pages);
++ struct list_head *tmp;
+
+- /* Reset the head page if it exists */
+- if (cpu_buffer->head_page)
+- rb_set_head_page(cpu_buffer);
+-
+- rb_head_page_deactivate(cpu_buffer);
+-
+- if (RB_WARN_ON(cpu_buffer, head->next->prev != head))
+- return -1;
+- if (RB_WARN_ON(cpu_buffer, head->prev->next != head))
++ if (RB_WARN_ON(cpu_buffer,
++ rb_list_head(rb_list_head(head->next)->prev) != head))
+ return -1;
+
+- if (rb_check_list(cpu_buffer, head))
++ if (RB_WARN_ON(cpu_buffer,
++ rb_list_head(rb_list_head(head->prev)->next) != head))
+ return -1;
+
+- list_for_each_entry_safe(bpage, tmp, head, list) {
++ for (tmp = rb_list_head(head->next); tmp != head; tmp = rb_list_head(tmp->next)) {
+ if (RB_WARN_ON(cpu_buffer,
+- bpage->list.next->prev != &bpage->list))
++ rb_list_head(rb_list_head(tmp->next)->prev) != tmp))
+ return -1;
++
+ if (RB_WARN_ON(cpu_buffer,
+- bpage->list.prev->next != &bpage->list))
+- return -1;
+- if (rb_check_list(cpu_buffer, &bpage->list))
++ rb_list_head(rb_list_head(tmp->prev)->next) != tmp))
+ return -1;
+ }
+
+- rb_head_page_activate(cpu_buffer);
+-
+ return 0;
+ }
+
irqdomain-fix-domain-registration-race.patch
crypto-qat-fix-out-of-bounds-read.patch
mm-damon-paddr-fix-missing-folio_put.patch
+alsa-ice1712-do-not-left-ice-gpio_mutex-locked-in-aureon_add_controls.patch
+alsa-hda-realtek-add-quirk-for-hp-elitedesk-800-g6-tower-pc.patch
+jbd2-fix-data-missing-when-reusing-bh-which-is-ready-to-be-checkpointed.patch
+ext4-optimize-ea_inode-block-expansion.patch
+ext4-refuse-to-create-ea-block-when-umounted.patch
+ext4-fix-possible-corruption-when-moving-a-directory.patch
+cxl-pmem-fix-nvdimm-registration-races.patch
+mtd-spi-nor-sfdp-fix-index-value-for-sccr-dwords.patch
+mtd-spi-nor-spansion-consider-reserved-bits-in-cfr5-register.patch
+mtd-spi-nor-fix-shift-out-of-bounds-in-spi_nor_set_erase_type.patch
+dm-send-just-one-event-on-resize-not-two.patch
+dm-add-cond_resched-to-dm_wq_work.patch
+dm-add-cond_resched-to-dm_wq_requeue_work.patch
+wifi-rtw88-use-rtw_flag_poweron-flag-to-prevent-to-power-on-off-twice.patch
+wifi-rtl8xxxu-use-a-longer-retry-limit-of-48.patch
+wifi-ath11k-allow-system-suspend-to-survive-ath11k.patch
+wifi-cfg80211-fix-use-after-free-for-wext.patch
+wifi-cfg80211-set-ssid-if-it-is-not-already-set.patch
+cpuidle-add-arch_suspend_possible-dependencies.patch
+qede-fix-interrupt-coalescing-configuration.patch
+thermal-intel-powerclamp-fix-cur_state-for-multi-package-system.patch
+dm-flakey-fix-logic-when-corrupting-a-bio.patch
+dm-cache-free-background-tracker-s-queued-work-in-btracker_destroy.patch
+dm-flakey-don-t-corrupt-the-zero-page.patch
+dm-flakey-fix-a-bug-with-32-bit-highmem-systems.patch
+hwmon-peci-cputemp-fix-off-by-one-in-coretemp_label-allocation.patch
+hwmon-nct6775-fix-incorrect-parenthesization-in-nct6775_write_fan_div.patch
+arm-dts-qcom-sdx65-add-qcom-smmu-500-as-the-fallback-for-iommu-node.patch
+arm-dts-qcom-sdx55-add-qcom-smmu-500-as-the-fallback-for-iommu-node.patch
+arm-dts-exynos-correct-tmu-phandle-in-exynos4210.patch
+arm-dts-exynos-correct-tmu-phandle-in-exynos4.patch
+arm-dts-exynos-correct-tmu-phandle-in-odroid-xu3-family.patch
+arm-dts-exynos-correct-tmu-phandle-in-exynos5250.patch
+arm-dts-exynos-correct-tmu-phandle-in-odroid-xu.patch
+arm-dts-exynos-correct-tmu-phandle-in-odroid-hc1.patch
+arm64-mm-hugetlb-disable-hugetlb_page_optimize_vmemmap.patch
+fuse-add-inode-permission-checks-to-fileattr_get-fileattr_set.patch
+rbd-avoid-use-after-free-in-do_rbd_add-when-rbd_dev_create-fails.patch
+ceph-update-the-time-stamps-and-try-to-drop-the-suid-sgid.patch
+regulator-core-use-ktime_get_boottime-to-determine-how-long-a-regulator-was-off.patch
+block-fix-scan-partition-for-exclusively-open-device-again.patch
+panic-fix-the-panic_print-nmi-backtrace-setting.patch
+mm-hwpoison-convert-ttu_ignore_hwpoison-to-ttu_hwpoison.patch
+alpha-fix-fen-fault-handling.patch
+dax-kmem-fix-leak-of-memory-hotplug-resources.patch
+mips-fix-syscall_get_nr.patch
+media-ipu3-cio2-fix-pm-runtime-usage_count-in-driver-unbind.patch
+remoteproc-mtk_scp-move-clk-ops-outside-send_lock.patch
+docs-gdbmacros-print-newest-record.patch
+mm-memcontrol-deprecate-charge-moving.patch
+mm-thp-check-and-bail-out-if-page-in-deferred-queue-already.patch
+ktest.pl-give-back-console-on-ctrt-c-on-monitor.patch
+kprobes-fix-to-handle-forcibly-unoptimized-kprobes-on-freeing_list.patch
+ktest.pl-fix-missing-end_monitor-when-machine-check-fails.patch
+ktest.pl-add-run_timeout-option-with-default-unlimited.patch
+memory-tier-release-the-new_memtier-in-find_create_memory_tier.patch
+ring-buffer-handle-race-between-rb_move_tail-and-rb_check_pages.patch
+tools-bootconfig-fix-single-used-for-logical-condition.patch
+tracing-eprobe-fix-to-add-filter-on-eprobe-description-in-readme-file.patch
+iommu-amd-add-a-length-limitation-for-the-ivrs_acpihid-command-line-parameter.patch
+iommu-amd-improve-page-fault-error-reporting.patch
--- /dev/null
+From 8e47363588377e1bdb65e2b020b409cfb44dd260 Mon Sep 17 00:00:00 2001
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Date: Wed, 1 Feb 2023 12:39:41 -0800
+Subject: thermal: intel: powerclamp: Fix cur_state for multi package system
+
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+
+commit 8e47363588377e1bdb65e2b020b409cfb44dd260 upstream.
+
+The powerclamp cooling device cur_state shows actual idle observed by
+package C-state idle counters. But the implementation is not sufficient
+for multi package or multi die system. The cur_state value is incorrect.
+On these systems, these counters must be read from each package/die and
+somehow aggregate them. But there is no good method for aggregation.
+
+It was not a problem when explicit CPU model addition was required to
+enable intel powerclamp. In this way certain CPU models could have
+been avoided. But with the removal of CPU model check with the
+availability of Package C-state counters, the driver is loaded on most
+of the recent systems.
+
+For multi package/die systems, just show the actual target idle state,
+the system is trying to achieve. In powerclamp this is the user set
+state minus one.
+
+Also there is no use of starting a worker thread for polling package
+C-state counters and applying any compensation for multiple package
+or multiple die systems.
+
+Fixes: b721ca0d1927 ("thermal/powerclamp: remove cpu whitelist")
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Cc: 4.14+ <stable@vger.kernel.org> # 4.14+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/intel/intel_powerclamp.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/thermal/intel/intel_powerclamp.c
++++ b/drivers/thermal/intel/intel_powerclamp.c
+@@ -57,6 +57,7 @@
+
+ static unsigned int target_mwait;
+ static struct dentry *debug_dir;
++static bool poll_pkg_cstate_enable;
+
+ /* user selected target */
+ static unsigned int set_target_ratio;
+@@ -261,6 +262,9 @@ static unsigned int get_compensation(int
+ {
+ unsigned int comp = 0;
+
++ if (!poll_pkg_cstate_enable)
++ return 0;
++
+ /* we only use compensation if all adjacent ones are good */
+ if (ratio == 1 &&
+ cal_data[ratio].confidence >= CONFIDENCE_OK &&
+@@ -519,7 +523,8 @@ static int start_power_clamp(void)
+ control_cpu = cpumask_first(cpu_online_mask);
+
+ clamping = true;
+- schedule_delayed_work(&poll_pkg_cstate_work, 0);
++ if (poll_pkg_cstate_enable)
++ schedule_delayed_work(&poll_pkg_cstate_work, 0);
+
+ /* start one kthread worker per online cpu */
+ for_each_online_cpu(cpu) {
+@@ -585,11 +590,15 @@ static int powerclamp_get_max_state(stru
+ static int powerclamp_get_cur_state(struct thermal_cooling_device *cdev,
+ unsigned long *state)
+ {
+- if (true == clamping)
+- *state = pkg_cstate_ratio_cur;
+- else
++ if (clamping) {
++ if (poll_pkg_cstate_enable)
++ *state = pkg_cstate_ratio_cur;
++ else
++ *state = set_target_ratio;
++ } else {
+ /* to save power, do not poll idle ratio while not clamping */
+ *state = -1; /* indicates invalid state */
++ }
+
+ return 0;
+ }
+@@ -712,6 +721,9 @@ static int __init powerclamp_init(void)
+ goto exit_unregister;
+ }
+
++ if (topology_max_packages() == 1 && topology_max_die_per_package() == 1)
++ poll_pkg_cstate_enable = true;
++
+ cooling_dev = thermal_cooling_device_register("intel_powerclamp", NULL,
+ &powerclamp_cooling_ops);
+ if (IS_ERR(cooling_dev)) {
--- /dev/null
+From cf8c59a3756b2735c409a9b3ac1e4ec556546a7a Mon Sep 17 00:00:00 2001
+From: Antonio Alvarez Feijoo <antonio.feijoo@suse.com>
+Date: Wed, 22 Feb 2023 08:27:35 +0900
+Subject: tools/bootconfig: fix single & used for logical condition
+
+From: Antonio Alvarez Feijoo <antonio.feijoo@suse.com>
+
+commit cf8c59a3756b2735c409a9b3ac1e4ec556546a7a upstream.
+
+A single & will create a background process and return true, so the grep
+command will run even if the file checked in the first condition does not
+exist.
+
+Link: https://lore.kernel.org/all/20230112114215.17103-1-antonio.feijoo@suse.com/
+
+Fixes: 1eaad3ac3f39 ("tools/bootconfig: Use per-group/all enable option in ftrace2bconf script")
+Signed-off-by: Antonio Alvarez Feijoo <antonio.feijoo@suse.com>
+Cc: stable@vger.kernel.org
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/bootconfig/scripts/ftrace2bconf.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/bootconfig/scripts/ftrace2bconf.sh
++++ b/tools/bootconfig/scripts/ftrace2bconf.sh
+@@ -93,7 +93,7 @@ referred_vars() {
+ }
+
+ event_is_enabled() { # enable-file
+- test -f $1 & grep -q "1" $1
++ test -f $1 && grep -q "1" $1
+ }
+
+ per_event_options() { # event-dir
--- /dev/null
+From 133921530c42960c07d25d12677f9e131a2b0cdf Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Tue, 21 Feb 2023 08:49:16 +0900
+Subject: tracing/eprobe: Fix to add filter on eprobe description in README file
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit 133921530c42960c07d25d12677f9e131a2b0cdf upstream.
+
+Fix to add a description of the filter on eprobe in README file. This
+is required to identify the kernel supports the filter on eprobe or not.
+
+Link: https://lore.kernel.org/all/167309833728.640500.12232259238201433587.stgit@devnote3/
+
+Fixes: 752be5c5c910 ("tracing/eprobe: Add eprobe filter support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -5599,7 +5599,7 @@ static const char readme_msg[] =
+ #ifdef CONFIG_HIST_TRIGGERS
+ "\t s:[synthetic/]<event> <field> [<field>]\n"
+ #endif
+- "\t e[:[<group>/][<event>]] <attached-group>.<attached-event> [<args>]\n"
++ "\t e[:[<group>/][<event>]] <attached-group>.<attached-event> [<args>] [if <filter>]\n"
+ "\t -:[<group>/][<event>]\n"
+ #ifdef CONFIG_KPROBE_EVENTS
+ "\t place: [<module>:]<symbol>[+<offset>]|<memaddr>\n"
--- /dev/null
+From 7c15430822e71e90203d87e6d0cfe83fa058b0dc Mon Sep 17 00:00:00 2001
+From: Len Brown <len.brown@intel.com>
+Date: Wed, 1 Feb 2023 12:32:01 -0600
+Subject: wifi: ath11k: allow system suspend to survive ath11k
+
+From: Len Brown <len.brown@intel.com>
+
+commit 7c15430822e71e90203d87e6d0cfe83fa058b0dc upstream.
+
+When ath11k runs into internal errors upon suspend,
+it returns an error code to pci_pm_suspend, which
+aborts the entire system suspend.
+
+The driver should not abort system suspend, but should
+keep its internal errors to itself, and allow the system
+to suspend. Otherwise, a user can suspend a laptop
+by closing the lid and sealing it into a case, assuming
+that is will suspend, rather than heating up and draining
+the battery when in transit.
+
+In practice, the ath11k device seems to have plenty of transient
+errors, and subsequent suspend cycles after this failure
+often succeed.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=216968
+
+Fixes: d1b0c33850d29 ("ath11k: implement suspend for QCA6390 PCI devices")
+
+Signed-off-by: Len Brown <len.brown@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230201183201.14431-1-len.brown@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath11k/pci.c
++++ b/drivers/net/wireless/ath/ath11k/pci.c
+@@ -979,7 +979,7 @@ static __maybe_unused int ath11k_pci_pm_
+ if (ret)
+ ath11k_warn(ab, "failed to suspend core: %d\n", ret);
+
+- return ret;
++ return 0;
+ }
+
+ static __maybe_unused int ath11k_pci_pm_resume(struct device *dev)
--- /dev/null
+From 015b8cc5e7c4d7bb671f1984d7b7338c310b185b Mon Sep 17 00:00:00 2001
+From: Alexander Wetzel <alexander@wetzel-home.de>
+Date: Tue, 24 Jan 2023 15:18:56 +0100
+Subject: wifi: cfg80211: Fix use after free for wext
+
+From: Alexander Wetzel <alexander@wetzel-home.de>
+
+commit 015b8cc5e7c4d7bb671f1984d7b7338c310b185b upstream.
+
+Key information in wext.connect is not reset on (re)connect and can hold
+data from a previous connection.
+
+Reset key data to avoid that drivers or mac80211 incorrectly detect a
+WEP connection request and access the freed or already reused memory.
+
+Additionally optimize cfg80211_sme_connect() and avoid an useless
+schedule of conn_work.
+
+Fixes: fffd0934b939 ("cfg80211: rework key operation")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230124141856.356646-1-alexander@wetzel-home.de
+Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/sme.c | 31 ++++++++++++++++++++++++++-----
+ 1 file changed, 26 insertions(+), 5 deletions(-)
+
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -285,6 +285,15 @@ void cfg80211_conn_work(struct work_stru
+ wiphy_unlock(&rdev->wiphy);
+ }
+
++static void cfg80211_step_auth_next(struct cfg80211_conn *conn,
++ struct cfg80211_bss *bss)
++{
++ memcpy(conn->bssid, bss->bssid, ETH_ALEN);
++ conn->params.bssid = conn->bssid;
++ conn->params.channel = bss->channel;
++ conn->state = CFG80211_CONN_AUTHENTICATE_NEXT;
++}
++
+ /* Returned bss is reference counted and must be cleaned up appropriately. */
+ static struct cfg80211_bss *cfg80211_get_conn_bss(struct wireless_dev *wdev)
+ {
+@@ -302,10 +311,7 @@ static struct cfg80211_bss *cfg80211_get
+ if (!bss)
+ return NULL;
+
+- memcpy(wdev->conn->bssid, bss->bssid, ETH_ALEN);
+- wdev->conn->params.bssid = wdev->conn->bssid;
+- wdev->conn->params.channel = bss->channel;
+- wdev->conn->state = CFG80211_CONN_AUTHENTICATE_NEXT;
++ cfg80211_step_auth_next(wdev->conn, bss);
+ schedule_work(&rdev->conn_work);
+
+ return bss;
+@@ -597,7 +603,12 @@ static int cfg80211_sme_connect(struct w
+ wdev->conn->params.ssid_len = wdev->u.client.ssid_len;
+
+ /* see if we have the bss already */
+- bss = cfg80211_get_conn_bss(wdev);
++ bss = cfg80211_get_bss(wdev->wiphy, wdev->conn->params.channel,
++ wdev->conn->params.bssid,
++ wdev->conn->params.ssid,
++ wdev->conn->params.ssid_len,
++ wdev->conn_bss_type,
++ IEEE80211_PRIVACY(wdev->conn->params.privacy));
+
+ if (prev_bssid) {
+ memcpy(wdev->conn->prev_bssid, prev_bssid, ETH_ALEN);
+@@ -608,6 +619,7 @@ static int cfg80211_sme_connect(struct w
+ if (bss) {
+ enum nl80211_timeout_reason treason;
+
++ cfg80211_step_auth_next(wdev->conn, bss);
+ err = cfg80211_conn_do_work(wdev, &treason);
+ cfg80211_put_bss(wdev->wiphy, bss);
+ } else {
+@@ -1450,6 +1462,15 @@ int cfg80211_connect(struct cfg80211_reg
+ } else {
+ if (WARN_ON(connkeys))
+ return -EINVAL;
++
++ /* connect can point to wdev->wext.connect which
++ * can hold key data from a previous connection
++ */
++ connect->key = NULL;
++ connect->key_len = 0;
++ connect->key_idx = 0;
++ connect->crypto.cipher_group = 0;
++ connect->crypto.n_ciphers_pairwise = 0;
+ }
+
+ wdev->connect_keys = connkeys;
--- /dev/null
+From c38c701851011c94ce3be1ccb3593678d2933fd8 Mon Sep 17 00:00:00 2001
+From: Marc Bornand <dev.mbornand@systemb.ch>
+Date: Wed, 15 Feb 2023 08:47:53 +0000
+Subject: wifi: cfg80211: Set SSID if it is not already set
+
+From: Marc Bornand <dev.mbornand@systemb.ch>
+
+commit c38c701851011c94ce3be1ccb3593678d2933fd8 upstream.
+
+When a connection was established without going through
+NL80211_CMD_CONNECT, the ssid was never set in the wireless_dev struct.
+Now we set it in __cfg80211_connect_result() when it is not already set.
+
+When using a userspace configuration that does not call
+cfg80211_connect() (can be checked with breakpoints in the kernel),
+this patch should allow `networkctl status device_name` to output the
+SSID instead of null.
+
+Cc: stable@vger.kernel.org
+Reported-by: Yohan Prod'homme <kernel@zoddo.fr>
+Fixes: 7b0a0e3c3a88 (wifi: cfg80211: do some rework towards MLO link APIs)
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216711
+Signed-off-by: Marc Bornand <dev.mbornand@systemb.ch>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/sme.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -736,6 +736,7 @@ void __cfg80211_connect_result(struct ne
+ {
+ struct wireless_dev *wdev = dev->ieee80211_ptr;
+ const struct element *country_elem = NULL;
++ const struct element *ssid;
+ const u8 *country_data;
+ u8 country_datalen;
+ #ifdef CONFIG_CFG80211_WEXT
+@@ -881,6 +882,22 @@ void __cfg80211_connect_result(struct ne
+ country_data, country_datalen);
+ kfree(country_data);
+
++ if (!wdev->u.client.ssid_len) {
++ rcu_read_lock();
++ for_each_valid_link(cr, link) {
++ ssid = ieee80211_bss_get_elem(cr->links[link].bss,
++ WLAN_EID_SSID);
++
++ if (!ssid || !ssid->datalen)
++ continue;
++
++ memcpy(wdev->u.client.ssid, ssid->data, ssid->datalen);
++ wdev->u.client.ssid_len = ssid->datalen;
++ break;
++ }
++ rcu_read_unlock();
++ }
++
+ return;
+ out:
+ for_each_valid_link(cr, link)
--- /dev/null
+From 2a86aa9a1892d60ef2e3f310f5b42b8b05546d65 Mon Sep 17 00:00:00 2001
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Date: Sun, 8 Jan 2023 17:08:16 +0200
+Subject: wifi: rtl8xxxu: Use a longer retry limit of 48
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+commit 2a86aa9a1892d60ef2e3f310f5b42b8b05546d65 upstream.
+
+The Realtek rate control algorithm goes back and forth a lot between
+the highest and the lowest rate it's allowed to use. This is due to
+a lot of frames being dropped because the retry limits set by
+IEEE80211_CONF_CHANGE_RETRY_LIMITS are too low. (Experimentally, they
+are 4 for long frames and 7 for short frames.)
+
+The vendor drivers hardcode the value 48 for both retry limits (for
+station mode), which makes dropped frames very rare and thus the rate
+control is more stable.
+
+Because most Realtek chips handle the rate control in the firmware,
+which can't be modified, ignore the limits set by
+IEEE80211_CONF_CHANGE_RETRY_LIMITS and use the value 48 (set during
+chip initialisation), same as the vendor drivers.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/477d745b-6bac-111d-403c-487fc19aa30d@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -5966,7 +5966,6 @@ static int rtl8xxxu_config(struct ieee80
+ {
+ struct rtl8xxxu_priv *priv = hw->priv;
+ struct device *dev = &priv->udev->dev;
+- u16 val16;
+ int ret = 0, channel;
+ bool ht40;
+
+@@ -5976,14 +5975,6 @@ static int rtl8xxxu_config(struct ieee80
+ __func__, hw->conf.chandef.chan->hw_value,
+ changed, hw->conf.chandef.width);
+
+- if (changed & IEEE80211_CONF_CHANGE_RETRY_LIMITS) {
+- val16 = ((hw->conf.long_frame_max_tx_count <<
+- RETRY_LIMIT_LONG_SHIFT) & RETRY_LIMIT_LONG_MASK) |
+- ((hw->conf.short_frame_max_tx_count <<
+- RETRY_LIMIT_SHORT_SHIFT) & RETRY_LIMIT_SHORT_MASK);
+- rtl8xxxu_write16(priv, REG_RETRY_LIMIT, val16);
+- }
+-
+ if (changed & IEEE80211_CONF_CHANGE_CHANNEL) {
+ switch (hw->conf.chandef.width) {
+ case NL80211_CHAN_WIDTH_20_NOHT:
--- /dev/null
+From 4a267bc5ea8f159b614d0549030216d0434eccca Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih <pkshih@realtek.com>
+Date: Thu, 16 Feb 2023 13:36:33 +0800
+Subject: wifi: rtw88: use RTW_FLAG_POWERON flag to prevent to power on/off twice
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+commit 4a267bc5ea8f159b614d0549030216d0434eccca upstream.
+
+Use power state to decide whether we can enter or leave IPS accurately,
+and then prevent to power on/off twice.
+
+The commit 6bf3a083407b ("wifi: rtw88: add flag check before enter or leave IPS")
+would like to prevent this as well, but it still can't entirely handle all
+cases. The exception is that WiFi gets connected and does suspend/resume,
+it will power on twice and cause it failed to power on after resuming,
+like:
+
+ rtw_8723de 0000:03:00.0: failed to poll offset=0x6 mask=0x2 value=0x2
+ rtw_8723de 0000:03:00.0: mac power on failed
+ rtw_8723de 0000:03:00.0: failed to power on mac
+ rtw_8723de 0000:03:00.0: leave idle state failed
+ rtw_8723de 0000:03:00.0: failed to leave ips state
+ rtw_8723de 0000:03:00.0: failed to leave idle state
+ rtw_8723de 0000:03:00.0: failed to send h2c command
+
+To fix this, introduce new flag RTW_FLAG_POWERON to reflect power state,
+and call rtw_mac_pre_system_cfg() to configure registers properly between
+power-off/-on.
+
+Reported-by: Paul Gover <pmw.gover@yahoo.co.uk>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217016
+Fixes: 6bf3a083407b ("wifi: rtw88: add flag check before enter or leave IPS")
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230216053633.20366-1-pkshih@realtek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtw88/coex.c | 2 +-
+ drivers/net/wireless/realtek/rtw88/mac.c | 10 ++++++++++
+ drivers/net/wireless/realtek/rtw88/main.h | 2 +-
+ drivers/net/wireless/realtek/rtw88/ps.c | 4 ++--
+ drivers/net/wireless/realtek/rtw88/wow.c | 2 +-
+ 5 files changed, 15 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtw88/coex.c
++++ b/drivers/net/wireless/realtek/rtw88/coex.c
+@@ -4057,7 +4057,7 @@ void rtw_coex_display_coex_info(struct r
+ rtwdev->stats.tx_throughput, rtwdev->stats.rx_throughput);
+ seq_printf(m, "%-40s = %u/ %u/ %u\n",
+ "IPS/ Low Power/ PS mode",
+- test_bit(RTW_FLAG_INACTIVE_PS, rtwdev->flags),
++ !test_bit(RTW_FLAG_POWERON, rtwdev->flags),
+ test_bit(RTW_FLAG_LEISURE_PS_DEEP, rtwdev->flags),
+ rtwdev->lps_conf.mode);
+
+--- a/drivers/net/wireless/realtek/rtw88/mac.c
++++ b/drivers/net/wireless/realtek/rtw88/mac.c
+@@ -273,6 +273,11 @@ static int rtw_mac_power_switch(struct r
+ if (rtw_pwr_seq_parser(rtwdev, pwr_seq))
+ return -EINVAL;
+
++ if (pwr_on)
++ set_bit(RTW_FLAG_POWERON, rtwdev->flags);
++ else
++ clear_bit(RTW_FLAG_POWERON, rtwdev->flags);
++
+ return 0;
+ }
+
+@@ -335,6 +340,11 @@ int rtw_mac_power_on(struct rtw_dev *rtw
+ ret = rtw_mac_power_switch(rtwdev, true);
+ if (ret == -EALREADY) {
+ rtw_mac_power_switch(rtwdev, false);
++
++ ret = rtw_mac_pre_system_cfg(rtwdev);
++ if (ret)
++ goto err;
++
+ ret = rtw_mac_power_switch(rtwdev, true);
+ if (ret)
+ goto err;
+--- a/drivers/net/wireless/realtek/rtw88/main.h
++++ b/drivers/net/wireless/realtek/rtw88/main.h
+@@ -356,7 +356,7 @@ enum rtw_flags {
+ RTW_FLAG_RUNNING,
+ RTW_FLAG_FW_RUNNING,
+ RTW_FLAG_SCANNING,
+- RTW_FLAG_INACTIVE_PS,
++ RTW_FLAG_POWERON,
+ RTW_FLAG_LEISURE_PS,
+ RTW_FLAG_LEISURE_PS_DEEP,
+ RTW_FLAG_DIG_DISABLE,
+--- a/drivers/net/wireless/realtek/rtw88/ps.c
++++ b/drivers/net/wireless/realtek/rtw88/ps.c
+@@ -25,7 +25,7 @@ static int rtw_ips_pwr_up(struct rtw_dev
+
+ int rtw_enter_ips(struct rtw_dev *rtwdev)
+ {
+- if (test_and_set_bit(RTW_FLAG_INACTIVE_PS, rtwdev->flags))
++ if (!test_bit(RTW_FLAG_POWERON, rtwdev->flags))
+ return 0;
+
+ rtw_coex_ips_notify(rtwdev, COEX_IPS_ENTER);
+@@ -50,7 +50,7 @@ int rtw_leave_ips(struct rtw_dev *rtwdev
+ {
+ int ret;
+
+- if (!test_and_clear_bit(RTW_FLAG_INACTIVE_PS, rtwdev->flags))
++ if (test_bit(RTW_FLAG_POWERON, rtwdev->flags))
+ return 0;
+
+ rtw_hci_link_ps(rtwdev, false);
+--- a/drivers/net/wireless/realtek/rtw88/wow.c
++++ b/drivers/net/wireless/realtek/rtw88/wow.c
+@@ -592,7 +592,7 @@ static int rtw_wow_leave_no_link_ps(stru
+ if (rtw_get_lps_deep_mode(rtwdev) != LPS_DEEP_MODE_NONE)
+ rtw_leave_lps_deep(rtwdev);
+ } else {
+- if (test_bit(RTW_FLAG_INACTIVE_PS, rtwdev->flags)) {
++ if (!test_bit(RTW_FLAG_POWERON, rtwdev->flags)) {
+ rtw_wow->ips_enabled = true;
+ ret = rtw_leave_ips(rtwdev);
+ if (ret)
projects / thirdparty / kernel / stable-queue.git / commitdiff
