--- /dev/null
+From 9a61f813fcc8d56d85fcf9ca6119cf2b5ac91dd5 Mon Sep 17 00:00:00 2001
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Date: Tue, 16 Nov 2021 02:34:07 +0300
+Subject: clk: qcom: regmap-mux: fix parent clock lookup
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+commit 9a61f813fcc8d56d85fcf9ca6119cf2b5ac91dd5 upstream.
+
+The function mux_get_parent() uses qcom_find_src_index() to find the
+parent clock index, which is incorrect: qcom_find_src_index() uses src
+enum for the lookup, while mux_get_parent() should use cfg field (which
+corresponds to the register value). Add qcom_find_cfg_index() function
+doing this kind of lookup and use it for mux parent lookup.
+
+Fixes: df964016490b ("clk: qcom: add parent map for regmap mux")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20211115233407.1046179-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/qcom/clk-regmap-mux.c | 2 +-
+ drivers/clk/qcom/common.c | 12 ++++++++++++
+ drivers/clk/qcom/common.h | 2 ++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/qcom/clk-regmap-mux.c
++++ b/drivers/clk/qcom/clk-regmap-mux.c
+@@ -28,7 +28,7 @@ static u8 mux_get_parent(struct clk_hw *
+ val &= mask;
+
+ if (mux->parent_map)
+- return qcom_find_src_index(hw, mux->parent_map, val);
++ return qcom_find_cfg_index(hw, mux->parent_map, val);
+
+ return val;
+ }
+--- a/drivers/clk/qcom/common.c
++++ b/drivers/clk/qcom/common.c
+@@ -69,6 +69,18 @@ int qcom_find_src_index(struct clk_hw *h
+ }
+ EXPORT_SYMBOL_GPL(qcom_find_src_index);
+
++int qcom_find_cfg_index(struct clk_hw *hw, const struct parent_map *map, u8 cfg)
++{
++ int i, num_parents = clk_hw_get_num_parents(hw);
++
++ for (i = 0; i < num_parents; i++)
++ if (cfg == map[i].cfg)
++ return i;
++
++ return -ENOENT;
++}
++EXPORT_SYMBOL_GPL(qcom_find_cfg_index);
++
+ struct regmap *
+ qcom_cc_map(struct platform_device *pdev, const struct qcom_cc_desc *desc)
+ {
+--- a/drivers/clk/qcom/common.h
++++ b/drivers/clk/qcom/common.h
+@@ -49,6 +49,8 @@ extern void
+ qcom_pll_set_fsm_mode(struct regmap *m, u32 reg, u8 bias_count, u8 lock_count);
+ extern int qcom_find_src_index(struct clk_hw *hw, const struct parent_map *map,
+ u8 src);
++extern int qcom_find_cfg_index(struct clk_hw *hw, const struct parent_map *map,
++ u8 cfg);
+
+ extern int qcom_cc_register_board_clk(struct device *dev, const char *path,
+ const char *name, unsigned long rate);
--- /dev/null
+From b19926d4f3a660a8b76e5d989ffd1168e619a5c4 Mon Sep 17 00:00:00 2001
+From: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
+Date: Wed, 8 Dec 2021 03:39:35 +0100
+Subject: drm/syncobj: Deal with signalled fences in drm_syncobj_find_fence.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
+
+commit b19926d4f3a660a8b76e5d989ffd1168e619a5c4 upstream.
+
+dma_fence_chain_find_seqno only ever returns the top fence in the
+chain or an unsignalled fence. Hence if we request a seqno that
+is already signalled it returns a NULL fence. Some callers are
+not prepared to handle this, like the syncobj transfer functions
+for example.
+
+This behavior is "new" with timeline syncobj and it looks like
+not all callers were updated. To fix this behavior make sure
+that a successful drm_sync_find_fence always returns a non-NULL
+fence.
+
+v2: Move the fix to drm_syncobj_find_fence from the transfer
+ functions.
+
+Fixes: ea569910cbab ("drm/syncobj: add transition iotcls between binary and timeline v2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Acked-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211208023935.17018-1-bas@basnieuwenhuizen.nl
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_syncobj.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_syncobj.c
++++ b/drivers/gpu/drm/drm_syncobj.c
+@@ -404,8 +404,17 @@ int drm_syncobj_find_fence(struct drm_fi
+
+ if (*fence) {
+ ret = dma_fence_chain_find_seqno(fence, point);
+- if (!ret)
++ if (!ret) {
++ /* If the requested seqno is already signaled
++ * drm_syncobj_find_fence may return a NULL
++ * fence. To make sure the recipient gets
++ * signalled, use a new fence instead.
++ */
++ if (!*fence)
++ *fence = dma_fence_get_stub();
++
+ goto out;
++ }
+ dma_fence_put(*fence);
+ } else {
+ ret = -EINVAL;
--- /dev/null
+From a2ca752055edd39be38b887e264d3de7ca2bc1bb Mon Sep 17 00:00:00 2001
+From: Billy Tsai <billy_tsai@aspeedtech.com>
+Date: Tue, 30 Nov 2021 17:22:12 +0800
+Subject: hwmon: (pwm-fan) Ensure the fan going on in .probe()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Billy Tsai <billy_tsai@aspeedtech.com>
+
+commit a2ca752055edd39be38b887e264d3de7ca2bc1bb upstream.
+
+Before commit 86585c61972f ("hwmon: (pwm-fan) stop using legacy
+PWM functions and some cleanups") pwm_apply_state() was called
+unconditionally in pwm_fan_probe(). In this commit this direct
+call was replaced by a call to __set_pwm(ct, MAX_PWM) which
+however is a noop if ctx->pwm_value already matches the value to
+set.
+After probe the fan is supposed to run at full speed, and the
+internal driver state suggests it does, but this isn't asserted
+and depending on bootloader and pwm low-level driver, the fan
+might just be off.
+So drop setting pwm_value to MAX_PWM to ensure the check in
+__set_pwm doesn't make it exit early and the fan goes on as
+intended.
+
+Cc: stable@vger.kernel.org
+Fixes: 86585c61972f ("hwmon: (pwm-fan) stop using legacy PWM functions and some cleanups")
+Signed-off-by: Billy Tsai <billy_tsai@aspeedtech.com>
+Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20211130092212.17783-1-billy_tsai@aspeedtech.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/pwm-fan.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/hwmon/pwm-fan.c
++++ b/drivers/hwmon/pwm-fan.c
+@@ -336,8 +336,6 @@ static int pwm_fan_probe(struct platform
+ return ret;
+ }
+
+- ctx->pwm_value = MAX_PWM;
+-
+ pwm_init_state(ctx->pwm, &ctx->pwm_state);
+
+ /*
--- /dev/null
+From 78a780602075d8b00c98070fa26e389b3b3efa72 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 9 Dec 2021 08:54:29 -0700
+Subject: io_uring: ensure task_work gets run as part of cancelations
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 78a780602075d8b00c98070fa26e389b3b3efa72 upstream.
+
+If we successfully cancel a work item but that work item needs to be
+processed through task_work, then we can be sleeping uninterruptibly
+in io_uring_cancel_generic() and never process it. Hence we don't
+make forward progress and we end up with an uninterruptible sleep
+warning.
+
+While in there, correct a comment that should be IFF, not IIF.
+
+Reported-and-tested-by: syzbot+21e6887c0be14181206d@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -9775,7 +9775,7 @@ static void io_uring_drop_tctx_refs(stru
+
+ /*
+ * Find any io_uring ctx that this task has registered or done IO on, and cancel
+- * requests. @sqd should be not-null IIF it's an SQPOLL thread cancellation.
++ * requests. @sqd should be not-null IFF it's an SQPOLL thread cancellation.
+ */
+ static void io_uring_cancel_generic(bool cancel_all, struct io_sq_data *sqd)
+ {
+@@ -9816,8 +9816,10 @@ static void io_uring_cancel_generic(bool
+ cancel_all);
+ }
+
+- prepare_to_wait(&tctx->wait, &wait, TASK_UNINTERRUPTIBLE);
++ prepare_to_wait(&tctx->wait, &wait, TASK_INTERRUPTIBLE);
++ io_run_task_work();
+ io_uring_drop_tctx_refs(current);
++
+ /*
+ * If we've seen completions, retry without waiting. This
+ * avoids a race where a completion comes in before we did
--- /dev/null
+From a66307d473077b7aeba74e9b09c841ab3d399c2d Mon Sep 17 00:00:00 2001
+From: Hannes Reinecke <hare@suse.de>
+Date: Wed, 8 Dec 2021 07:58:53 +0100
+Subject: libata: add horkage for ASMedia 1092
+
+From: Hannes Reinecke <hare@suse.de>
+
+commit a66307d473077b7aeba74e9b09c841ab3d399c2d upstream.
+
+The ASMedia 1092 has a configuration mode which will present a
+dummy device; sadly the implementation falsely claims to provide
+a device with 100M which doesn't actually exist.
+So disable this device to avoid errors during boot.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -3856,6 +3856,8 @@ static const struct ata_blacklist_entry
+ { "VRFDFC22048UCHC-TE*", NULL, ATA_HORKAGE_NODMA },
+ /* Odd clown on sil3726/4726 PMPs */
+ { "Config Disk", NULL, ATA_HORKAGE_DISABLE },
++ /* Similar story with ASMedia 1092 */
++ { "ASMT109x- Config", NULL, ATA_HORKAGE_DISABLE },
+
+ /* Weird ATAPI devices */
+ { "TORiSAN DVD-ROM DRD-N216", NULL, ATA_HORKAGE_MAX_SEC_128 },
--- /dev/null
+From 55df1ce0d4e086e05a8ab20619c73c729350f965 Mon Sep 17 00:00:00 2001
+From: Markus Hochholdinger <markus@hochholdinger.net>
+Date: Tue, 16 Nov 2021 10:21:35 +0000
+Subject: md: fix update super 1.0 on rdev size change
+
+From: Markus Hochholdinger <markus@hochholdinger.net>
+
+commit 55df1ce0d4e086e05a8ab20619c73c729350f965 upstream.
+
+The superblock of version 1.0 doesn't get moved to the new position on a
+device size change. This leads to a rdev without a superblock on a known
+position, the raid can't be re-assembled.
+
+The line was removed by mistake and is re-added by this patch.
+
+Fixes: d9c0fa509eaf ("md: fix max sectors calculation for super 1.0")
+Cc: stable@vger.kernel.org
+Signed-off-by: Markus Hochholdinger <markus@hochholdinger.net>
+Reviewed-by: Xiao Ni <xni@redhat.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -2193,6 +2193,7 @@ super_1_rdev_size_change(struct md_rdev
+
+ if (!num_sectors || num_sectors > max_sectors)
+ num_sectors = max_sectors;
++ rdev->sb_start = sb_start;
+ }
+ sb = page_address(rdev->sb_page);
+ sb->data_size = cpu_to_le64(num_sectors);
--- /dev/null
+From 7dba402807a85fa3723f4a27504813caf81cc9d7 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Tue, 30 Nov 2021 14:23:09 +0100
+Subject: mmc: renesas_sdhi: initialize variable properly when tuning
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+commit 7dba402807a85fa3723f4a27504813caf81cc9d7 upstream.
+
+'cmd_error' is not necessarily initialized on some error paths in
+mmc_send_tuning(). Initialize it.
+
+Fixes: 2c9017d0b5d3 ("mmc: renesas_sdhi: abort tuning when timeout detected")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211130132309.18246-1-wsa+renesas@sang-engineering.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/renesas_sdhi_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/renesas_sdhi_core.c
++++ b/drivers/mmc/host/renesas_sdhi_core.c
+@@ -673,7 +673,7 @@ static int renesas_sdhi_execute_tuning(s
+
+ /* Issue CMD19 twice for each tap */
+ for (i = 0; i < 2 * priv->tap_num; i++) {
+- int cmd_error;
++ int cmd_error = 0;
+
+ /* Set sampling clock position */
+ sd_scc_write32(host, priv, SH_MOBILE_SDHI_SCC_TAPSET, i % priv->tap_num);
--- /dev/null
+From b10252c7ae9c9d7c90552f88b544a44ee773af64 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Date: Tue, 7 Dec 2021 15:00:39 +0100
+Subject: nfsd: Fix nsfd startup race (again)
+
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+
+commit b10252c7ae9c9d7c90552f88b544a44ee773af64 upstream.
+
+Commit bd5ae9288d64 ("nfsd: register pernet ops last, unregister first")
+has re-opened rpc_pipefs_event() race against nfsd_net_id registration
+(register_pernet_subsys()) which has been fixed by commit bb7ffbf29e76
+("nfsd: fix nsfd startup race triggering BUG_ON").
+
+Restore the order of register_pernet_subsys() vs register_cld_notifier().
+Add WARN_ON() to prevent a future regression.
+
+Crash info:
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000012
+CPU: 8 PID: 345 Comm: mount Not tainted 5.4.144-... #1
+pc : rpc_pipefs_event+0x54/0x120 [nfsd]
+lr : rpc_pipefs_event+0x48/0x120 [nfsd]
+Call trace:
+ rpc_pipefs_event+0x54/0x120 [nfsd]
+ blocking_notifier_call_chain
+ rpc_fill_super
+ get_tree_keyed
+ rpc_fs_get_tree
+ vfs_get_tree
+ do_mount
+ ksys_mount
+ __arm64_sys_mount
+ el0_svc_handler
+ el0_svc
+
+Fixes: bd5ae9288d64 ("nfsd: register pernet ops last, unregister first")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4recover.c | 1 +
+ fs/nfsd/nfsctl.c | 14 +++++++-------
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/fs/nfsd/nfs4recover.c
++++ b/fs/nfsd/nfs4recover.c
+@@ -2156,6 +2156,7 @@ static struct notifier_block nfsd4_cld_b
+ int
+ register_cld_notifier(void)
+ {
++ WARN_ON(!nfsd_net_id);
+ return rpc_pipefs_notifier_register(&nfsd4_cld_block);
+ }
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1521,12 +1521,9 @@ static int __init init_nfsd(void)
+ int retval;
+ printk(KERN_INFO "Installing knfsd (copyright (C) 1996 okir@monad.swb.de).\n");
+
+- retval = register_cld_notifier();
+- if (retval)
+- return retval;
+ retval = nfsd4_init_slabs();
+ if (retval)
+- goto out_unregister_notifier;
++ return retval;
+ retval = nfsd4_init_pnfs();
+ if (retval)
+ goto out_free_slabs;
+@@ -1545,9 +1542,14 @@ static int __init init_nfsd(void)
+ goto out_free_exports;
+ retval = register_pernet_subsys(&nfsd_net_ops);
+ if (retval < 0)
++ goto out_free_filesystem;
++ retval = register_cld_notifier();
++ if (retval)
+ goto out_free_all;
+ return 0;
+ out_free_all:
++ unregister_pernet_subsys(&nfsd_net_ops);
++out_free_filesystem:
+ unregister_filesystem(&nfsd_fs_type);
+ out_free_exports:
+ remove_proc_entry("fs/nfs/exports", NULL);
+@@ -1561,13 +1563,12 @@ out_free_pnfs:
+ nfsd4_exit_pnfs();
+ out_free_slabs:
+ nfsd4_free_slabs();
+-out_unregister_notifier:
+- unregister_cld_notifier();
+ return retval;
+ }
+
+ static void __exit exit_nfsd(void)
+ {
++ unregister_cld_notifier();
+ unregister_pernet_subsys(&nfsd_net_ops);
+ nfsd_drc_slab_free();
+ remove_proc_entry("fs/nfs/exports", NULL);
+@@ -1577,7 +1578,6 @@ static void __exit exit_nfsd(void)
+ nfsd4_free_slabs();
+ nfsd4_exit_pnfs();
+ unregister_filesystem(&nfsd_fs_type);
+- unregister_cld_notifier();
+ }
+
+ MODULE_AUTHOR("Olaf Kirch <okir@monad.swb.de>");
--- /dev/null
+From 548ec0805c399c65ed66c6641be467f717833ab5 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Mon, 29 Nov 2021 15:08:00 -0500
+Subject: nfsd: fix use-after-free due to delegation race
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit 548ec0805c399c65ed66c6641be467f717833ab5 upstream.
+
+A delegation break could arrive as soon as we've called vfs_setlease. A
+delegation break runs a callback which immediately (in
+nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we
+then exit nfs4_set_delegation without hashing the delegation, it will be
+freed as soon as the callback is done with it, without ever being
+removed from del_recall_lru.
+
+Symptoms show up later as use-after-free or list corruption warnings,
+usually in the laundromat thread.
+
+I suspect aba2072f4523 "nfsd: grant read delegations to clients holding
+writes" made this bug easier to hit, but I looked as far back as v3.0
+and it looks to me it already had the same problem. So I'm not sure
+where the bug was introduced; it may have been there from the beginning.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1207,6 +1207,11 @@ hash_delegation_locked(struct nfs4_deleg
+ return 0;
+ }
+
++static bool delegation_hashed(struct nfs4_delegation *dp)
++{
++ return !(list_empty(&dp->dl_perfile));
++}
++
+ static bool
+ unhash_delegation_locked(struct nfs4_delegation *dp)
+ {
+@@ -1214,7 +1219,7 @@ unhash_delegation_locked(struct nfs4_del
+
+ lockdep_assert_held(&state_lock);
+
+- if (list_empty(&dp->dl_perfile))
++ if (!delegation_hashed(dp))
+ return false;
+
+ dp->dl_stid.sc_type = NFS4_CLOSED_DELEG_STID;
+@@ -4598,7 +4603,7 @@ static void nfsd4_cb_recall_prepare(stru
+ * queued for a lease break. Don't queue it again.
+ */
+ spin_lock(&state_lock);
+- if (dp->dl_time == 0) {
++ if (delegation_hashed(dp) && dp->dl_time == 0) {
+ dp->dl_time = ktime_get_boottime_seconds();
+ list_add_tail(&dp->dl_recall_lru, &nn->del_recall_lru);
+ }
--- /dev/null
+From 6665b8e4836caa8023cbc7e53733acd234969c8c Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Fri, 10 Dec 2021 18:23:03 +0200
+Subject: perf intel-pt: Fix error timestamp setting on the decoder error path
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 6665b8e4836caa8023cbc7e53733acd234969c8c upstream.
+
+An error timestamp shows the last known timestamp for the queue, but this
+is not updated on the error path. Fix by setting it.
+
+Fixes: f4aa081949e7b6 ("perf tools: Add Intel PT decoder")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org # v5.15+
+Link: https://lore.kernel.org/r/20211210162303.2288710-8-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/intel-pt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -2510,6 +2510,7 @@ static int intel_pt_run_decoder(struct i
+ ptq->sync_switch = false;
+ intel_pt_next_tid(pt, ptq);
+ }
++ ptq->timestamp = state->est_timestamp;
+ if (pt->synth_opts.errors) {
+ err = intel_ptq_synth_error(ptq, state);
+ if (err)
--- /dev/null
+From 4c761d805bb2d2ead1b9baaba75496152b394c80 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Fri, 10 Dec 2021 18:22:59 +0200
+Subject: perf intel-pt: Fix intel_pt_fup_event() assumptions about setting state type
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 4c761d805bb2d2ead1b9baaba75496152b394c80 upstream.
+
+intel_pt_fup_event() assumes it can overwrite the state type if there has
+been an FUP event, but this is an unnecessary and unexpected constraint on
+callers.
+
+Fix by touching only the state type flags that are affected by an FUP
+event.
+
+Fixes: a472e65fc490a ("perf intel-pt: Add decoder support for ptwrite and power event packets")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org # v5.15+
+Link: https://lore.kernel.org/r/20211210162303.2288710-4-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 32 ++++++++------------
+ 1 file changed, 13 insertions(+), 19 deletions(-)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -1204,61 +1204,55 @@ out_no_progress:
+
+ static bool intel_pt_fup_event(struct intel_pt_decoder *decoder)
+ {
++ enum intel_pt_sample_type type = decoder->state.type;
+ bool ret = false;
+
++ decoder->state.type &= ~INTEL_PT_BRANCH;
++
+ if (decoder->set_fup_tx_flags) {
+ decoder->set_fup_tx_flags = false;
+ decoder->tx_flags = decoder->fup_tx_flags;
+- decoder->state.type = INTEL_PT_TRANSACTION;
++ decoder->state.type |= INTEL_PT_TRANSACTION;
+ if (decoder->fup_tx_flags & INTEL_PT_ABORT_TX)
+ decoder->state.type |= INTEL_PT_BRANCH;
+- decoder->state.from_ip = decoder->ip;
+- decoder->state.to_ip = 0;
+ decoder->state.flags = decoder->fup_tx_flags;
+- return true;
++ ret = true;
+ }
+ if (decoder->set_fup_ptw) {
+ decoder->set_fup_ptw = false;
+- decoder->state.type = INTEL_PT_PTW;
++ decoder->state.type |= INTEL_PT_PTW;
+ decoder->state.flags |= INTEL_PT_FUP_IP;
+- decoder->state.from_ip = decoder->ip;
+- decoder->state.to_ip = 0;
+ decoder->state.ptw_payload = decoder->fup_ptw_payload;
+- return true;
++ ret = true;
+ }
+ if (decoder->set_fup_mwait) {
+ decoder->set_fup_mwait = false;
+- decoder->state.type = INTEL_PT_MWAIT_OP;
+- decoder->state.from_ip = decoder->ip;
+- decoder->state.to_ip = 0;
++ decoder->state.type |= INTEL_PT_MWAIT_OP;
+ decoder->state.mwait_payload = decoder->fup_mwait_payload;
+ ret = true;
+ }
+ if (decoder->set_fup_pwre) {
+ decoder->set_fup_pwre = false;
+ decoder->state.type |= INTEL_PT_PWR_ENTRY;
+- decoder->state.type &= ~INTEL_PT_BRANCH;
+- decoder->state.from_ip = decoder->ip;
+- decoder->state.to_ip = 0;
+ decoder->state.pwre_payload = decoder->fup_pwre_payload;
+ ret = true;
+ }
+ if (decoder->set_fup_exstop) {
+ decoder->set_fup_exstop = false;
+ decoder->state.type |= INTEL_PT_EX_STOP;
+- decoder->state.type &= ~INTEL_PT_BRANCH;
+ decoder->state.flags |= INTEL_PT_FUP_IP;
+- decoder->state.from_ip = decoder->ip;
+- decoder->state.to_ip = 0;
+ ret = true;
+ }
+ if (decoder->set_fup_bep) {
+ decoder->set_fup_bep = false;
+ decoder->state.type |= INTEL_PT_BLK_ITEMS;
+- decoder->state.type &= ~INTEL_PT_BRANCH;
++ ret = true;
++ }
++ if (ret) {
+ decoder->state.from_ip = decoder->ip;
+ decoder->state.to_ip = 0;
+- ret = true;
++ } else {
++ decoder->state.type = type;
+ }
+ return ret;
+ }
--- /dev/null
+From a882cc94971093e146ffa1163b140ad956236754 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Fri, 10 Dec 2021 18:23:02 +0200
+Subject: perf intel-pt: Fix missing 'instruction' events with 'q' option
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit a882cc94971093e146ffa1163b140ad956236754 upstream.
+
+FUP packets contain IP information, which makes them also an 'instruction'
+event in 'hop' mode i.e. the itrace 'q' option. That wasn't happening, so
+restructure the logic so that FUP events are added along with appropriate
+'instruction' and 'branch' events.
+
+Fixes: 7c1b16ba0e26e6 ("perf intel-pt: Add support for decoding FUP/TIP only")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org # v5.15+
+Link: https://lore.kernel.org/r/20211210162303.2288710-7-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -2682,6 +2682,8 @@ static int intel_pt_scan_for_psb(struct
+ /* Hop mode: Ignore TNT, do not walk code, but get ip from FUPs and TIPs */
+ static int intel_pt_hop_trace(struct intel_pt_decoder *decoder, bool *no_tip, int *err)
+ {
++ *err = 0;
++
+ /* Leap from PSB to PSB, getting ip from FUP within PSB+ */
+ if (decoder->leap && !decoder->in_psb && decoder->packet.type != INTEL_PT_PSB) {
+ *err = intel_pt_scan_for_psb(decoder);
+@@ -2722,18 +2724,21 @@ static int intel_pt_hop_trace(struct int
+ if (!decoder->packet.count)
+ return HOP_IGNORE;
+ intel_pt_set_ip(decoder);
+- if (intel_pt_fup_event(decoder))
+- return HOP_RETURN;
++ if (decoder->set_fup_mwait || decoder->set_fup_pwre)
++ *no_tip = true;
+ if (!decoder->branch_enable || !decoder->pge)
+ *no_tip = true;
+ if (*no_tip) {
+ decoder->state.type = INTEL_PT_INSTRUCTION;
+ decoder->state.from_ip = decoder->ip;
+ decoder->state.to_ip = 0;
++ intel_pt_fup_event(decoder);
+ return HOP_RETURN;
+ }
++ intel_pt_fup_event(decoder);
++ decoder->state.type |= INTEL_PT_INSTRUCTION | INTEL_PT_BRANCH;
+ *err = intel_pt_walk_fup_tip(decoder);
+- if (!*err)
++ if (!*err && decoder->state.to_ip)
+ decoder->pkt_state = INTEL_PT_STATE_RESAMPLE;
+ return HOP_RETURN;
+
--- /dev/null
+From a32e6c5da599dbf49e60622a4dfb5b9b40ece029 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Fri, 10 Dec 2021 18:23:01 +0200
+Subject: perf intel-pt: Fix next 'err' value, walking trace
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit a32e6c5da599dbf49e60622a4dfb5b9b40ece029 upstream.
+
+Code after label 'next:' in intel_pt_walk_trace() assumes 'err' is zero,
+but it may not be, if arrived at via a 'goto'. Ensure it is zero.
+
+Fixes: 7c1b16ba0e26e6 ("perf intel-pt: Add support for decoding FUP/TIP only")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org # v5.15+
+Link: https://lore.kernel.org/r/20211210162303.2288710-6-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -2941,6 +2941,7 @@ static int intel_pt_walk_trace(struct in
+ if (err)
+ return err;
+ next:
++ err = 0;
+ if (decoder->cyc_threshold) {
+ if (decoder->sample_cyc && last_packet_type != INTEL_PT_CYC)
+ decoder->sample_cyc = false;
--- /dev/null
+From 057ae59f5a1d924511beb1b09f395bdb316cfd03 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Fri, 10 Dec 2021 18:22:57 +0200
+Subject: perf intel-pt: Fix some PGE (packet generation enable/control flow packets) usage
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 057ae59f5a1d924511beb1b09f395bdb316cfd03 upstream.
+
+Packet generation enable (PGE) refers to whether control flow (COFI)
+packets are being produced.
+
+PGE may be false even when branch-tracing is enabled, due to being
+out-of-context, or outside a filter address range. Fix some missing PGE
+usage.
+
+Fixes: 7c1b16ba0e26e6 ("perf intel-pt: Add support for decoding FUP/TIP only")
+Fixes: 839598176b0554 ("perf intel-pt: Allow decoding with branch tracing disabled")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org # v5.15+
+Link: https://lore.kernel.org/r/20211210162303.2288710-2-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -2677,6 +2677,7 @@ static int intel_pt_hop_trace(struct int
+ return HOP_IGNORE;
+
+ case INTEL_PT_TIP_PGD:
++ decoder->pge = false;
+ if (!decoder->packet.count) {
+ intel_pt_set_nr(decoder);
+ return HOP_IGNORE;
+@@ -2706,7 +2707,7 @@ static int intel_pt_hop_trace(struct int
+ intel_pt_set_ip(decoder);
+ if (intel_pt_fup_event(decoder))
+ return HOP_RETURN;
+- if (!decoder->branch_enable)
++ if (!decoder->branch_enable || !decoder->pge)
+ *no_tip = true;
+ if (*no_tip) {
+ decoder->state.type = INTEL_PT_INSTRUCTION;
+@@ -2896,7 +2897,7 @@ static bool intel_pt_psb_with_fup(struct
+ {
+ struct intel_pt_psb_info data = { .fup = false };
+
+- if (!decoder->branch_enable || !decoder->pge)
++ if (!decoder->branch_enable)
+ return false;
+
+ intel_pt_pkt_lookahead(decoder, intel_pt_psb_lookahead_cb, &data);
+@@ -2998,7 +2999,7 @@ next:
+ break;
+ }
+ intel_pt_set_last_ip(decoder);
+- if (!decoder->branch_enable) {
++ if (!decoder->branch_enable || !decoder->pge) {
+ decoder->ip = decoder->last_ip;
+ if (intel_pt_fup_event(decoder))
+ return 0;
--- /dev/null
+From c79ee2b2160909889df67c8801352d3e69d43a1a Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Fri, 10 Dec 2021 18:23:00 +0200
+Subject: perf intel-pt: Fix state setting when receiving overflow (OVF) packet
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit c79ee2b2160909889df67c8801352d3e69d43a1a upstream.
+
+An overflow (OVF packet) is treated as an error because it represents a
+loss of trace data, but there is no loss of synchronization, so the packet
+state should be INTEL_PT_STATE_IN_SYNC not INTEL_PT_STATE_ERR_RESYNC.
+
+To support that, some additional variables must be reset, and the FUP
+packet that may follow OVF is treated as an FUP event.
+
+Fixes: f4aa081949e7b6 ("perf tools: Add Intel PT decoder")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org # v5.15+
+Link: https://lore.kernel.org/r/20211210162303.2288710-5-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 32 +++++++++++++++++---
+ 1 file changed, 28 insertions(+), 4 deletions(-)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -1248,6 +1248,20 @@ static bool intel_pt_fup_event(struct in
+ decoder->state.type |= INTEL_PT_BLK_ITEMS;
+ ret = true;
+ }
++ if (decoder->overflow) {
++ decoder->overflow = false;
++ if (!ret && !decoder->pge) {
++ if (decoder->hop) {
++ decoder->state.type = 0;
++ decoder->pkt_state = INTEL_PT_STATE_RESAMPLE;
++ }
++ decoder->pge = true;
++ decoder->state.type |= INTEL_PT_BRANCH | INTEL_PT_TRACE_BEGIN;
++ decoder->state.from_ip = 0;
++ decoder->state.to_ip = decoder->ip;
++ return true;
++ }
++ }
+ if (ret) {
+ decoder->state.from_ip = decoder->ip;
+ decoder->state.to_ip = 0;
+@@ -1601,7 +1615,16 @@ static int intel_pt_overflow(struct inte
+ intel_pt_clear_tx_flags(decoder);
+ intel_pt_set_nr(decoder);
+ decoder->timestamp_insn_cnt = 0;
+- decoder->pkt_state = INTEL_PT_STATE_ERR_RESYNC;
++ decoder->pkt_state = INTEL_PT_STATE_IN_SYNC;
++ decoder->state.from_ip = decoder->ip;
++ decoder->ip = 0;
++ decoder->pge = false;
++ decoder->set_fup_tx_flags = false;
++ decoder->set_fup_ptw = false;
++ decoder->set_fup_mwait = false;
++ decoder->set_fup_pwre = false;
++ decoder->set_fup_exstop = false;
++ decoder->set_fup_bep = false;
+ decoder->overflow = true;
+ return -EOVERFLOW;
+ }
+@@ -2956,6 +2979,7 @@ next:
+
+ case INTEL_PT_TIP_PGE: {
+ decoder->pge = true;
++ decoder->overflow = false;
+ intel_pt_mtc_cyc_cnt_pge(decoder);
+ intel_pt_set_nr(decoder);
+ if (decoder->packet.count == 0) {
+@@ -3461,10 +3485,10 @@ static int intel_pt_sync_ip(struct intel
+ decoder->set_fup_pwre = false;
+ decoder->set_fup_exstop = false;
+ decoder->set_fup_bep = false;
++ decoder->overflow = false;
+
+ if (!decoder->branch_enable) {
+ decoder->pkt_state = INTEL_PT_STATE_IN_SYNC;
+- decoder->overflow = false;
+ decoder->state.type = 0; /* Do not have a sample */
+ return 0;
+ }
+@@ -3479,7 +3503,6 @@ static int intel_pt_sync_ip(struct intel
+ decoder->pkt_state = INTEL_PT_STATE_RESAMPLE;
+ else
+ decoder->pkt_state = INTEL_PT_STATE_IN_SYNC;
+- decoder->overflow = false;
+
+ decoder->state.from_ip = 0;
+ decoder->state.to_ip = decoder->ip;
+@@ -3698,7 +3721,8 @@ const struct intel_pt_state *intel_pt_de
+
+ if (err) {
+ decoder->state.err = intel_pt_ext_err(err);
+- decoder->state.from_ip = decoder->ip;
++ if (err != -EOVERFLOW)
++ decoder->state.from_ip = decoder->ip;
+ intel_pt_update_sample_time(decoder);
+ decoder->sample_tot_cyc_cnt = decoder->tot_cyc_cnt;
+ intel_pt_set_nr(decoder);
--- /dev/null
+From ad106a26aef3a95ac7ca88d033b431661ba346ce Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Fri, 10 Dec 2021 18:22:58 +0200
+Subject: perf intel-pt: Fix sync state when a PSB (synchronization) packet is found
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit ad106a26aef3a95ac7ca88d033b431661ba346ce upstream.
+
+When syncing, it may be that branch packet generation is not enabled at
+that point, in which case there will not immediately be a control-flow
+packet, so some packets before a control flow packet turns up, get
+ignored. However, the decoder is in sync as soon as a PSB is found, so
+the state should be set accordingly.
+
+Fixes: f4aa081949e7b6 ("perf tools: Add Intel PT decoder")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org # v5.15+
+Link: https://lore.kernel.org/r/20211210162303.2288710-3-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -3607,7 +3607,7 @@ static int intel_pt_sync(struct intel_pt
+ }
+
+ decoder->have_last_ip = true;
+- decoder->pkt_state = INTEL_PT_STATE_NO_IP;
++ decoder->pkt_state = INTEL_PT_STATE_IN_SYNC;
+
+ err = intel_pt_walk_psb(decoder);
+ if (err)
--- /dev/null
+From c8cc43c1eae2910ac96daa4216e0fb3391ad0504 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu, 5 Aug 2021 06:54:23 -0400
+Subject: selftests: KVM: avoid failures due to reserved HyperTransport region
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit c8cc43c1eae2910ac96daa4216e0fb3391ad0504 upstream.
+
+AMD proceessors define an address range that is reserved by HyperTransport
+and causes a failure if used for guest physical addresses. Avoid
+selftests failures by reserving those guest physical addresses; the
+rules are:
+
+- On parts with <40 bits, its fully hidden from software.
+
+- Before Fam17h, it was always 12G just below 1T, even if there was more
+RAM above this location. In this case we just not use any RAM above 1T.
+
+- On Fam17h and later, it is variable based on SME, and is either just
+below 2^48 (no encryption) or 2^43 (encryption).
+
+Fixes: ef4c9f4f6546 ("KVM: selftests: Fix 32-bit truncation of vm_get_max_gfn()")
+Cc: stable@vger.kernel.org
+Cc: David Matlack <dmatlack@google.com>
+Reported-by: Maxim Levitsky <mlevitsk@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-Id: <20210805105423.412878-1-pbonzini@redhat.com>
+Reviewed-by: Sean Christopherson <seanjc@google.com>
+Tested-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/kvm/include/kvm_util.h | 9 ++
+ tools/testing/selftests/kvm/lib/kvm_util.c | 2
+ tools/testing/selftests/kvm/lib/x86_64/processor.c | 68 +++++++++++++++++++++
+ 3 files changed, 78 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/kvm/include/kvm_util.h
++++ b/tools/testing/selftests/kvm/include/kvm_util.h
+@@ -69,6 +69,15 @@ enum vm_guest_mode {
+
+ #endif
+
++#if defined(__x86_64__)
++unsigned long vm_compute_max_gfn(struct kvm_vm *vm);
++#else
++static inline unsigned long vm_compute_max_gfn(struct kvm_vm *vm)
++{
++ return ((1ULL << vm->pa_bits) >> vm->page_shift) - 1;
++}
++#endif
++
+ #define MIN_PAGE_SIZE (1U << MIN_PAGE_SHIFT)
+ #define PTES_PER_MIN_PAGE ptes_per_page(MIN_PAGE_SIZE)
+
+--- a/tools/testing/selftests/kvm/lib/kvm_util.c
++++ b/tools/testing/selftests/kvm/lib/kvm_util.c
+@@ -307,7 +307,7 @@ struct kvm_vm *vm_create(enum vm_guest_m
+ (1ULL << (vm->va_bits - 1)) >> vm->page_shift);
+
+ /* Limit physical addresses to PA-bits. */
+- vm->max_gfn = ((1ULL << vm->pa_bits) >> vm->page_shift) - 1;
++ vm->max_gfn = vm_compute_max_gfn(vm);
+
+ /* Allocate and setup memory for guest. */
+ vm->vpages_mapped = sparsebit_alloc();
+--- a/tools/testing/selftests/kvm/lib/x86_64/processor.c
++++ b/tools/testing/selftests/kvm/lib/x86_64/processor.c
+@@ -1433,3 +1433,71 @@ struct kvm_cpuid2 *vcpu_get_supported_hv
+
+ return cpuid;
+ }
++
++#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx 0x68747541
++#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx 0x444d4163
++#define X86EMUL_CPUID_VENDOR_AuthenticAMD_edx 0x69746e65
++
++static inline unsigned x86_family(unsigned int eax)
++{
++ unsigned int x86;
++
++ x86 = (eax >> 8) & 0xf;
++
++ if (x86 == 0xf)
++ x86 += (eax >> 20) & 0xff;
++
++ return x86;
++}
++
++unsigned long vm_compute_max_gfn(struct kvm_vm *vm)
++{
++ const unsigned long num_ht_pages = 12 << (30 - vm->page_shift); /* 12 GiB */
++ unsigned long ht_gfn, max_gfn, max_pfn;
++ uint32_t eax, ebx, ecx, edx, max_ext_leaf;
++
++ max_gfn = (1ULL << (vm->pa_bits - vm->page_shift)) - 1;
++
++ /* Avoid reserved HyperTransport region on AMD processors. */
++ eax = ecx = 0;
++ cpuid(&eax, &ebx, &ecx, &edx);
++ if (ebx != X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx ||
++ ecx != X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx ||
++ edx != X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
++ return max_gfn;
++
++ /* On parts with <40 physical address bits, the area is fully hidden */
++ if (vm->pa_bits < 40)
++ return max_gfn;
++
++ /* Before family 17h, the HyperTransport area is just below 1T. */
++ ht_gfn = (1 << 28) - num_ht_pages;
++ eax = 1;
++ cpuid(&eax, &ebx, &ecx, &edx);
++ if (x86_family(eax) < 0x17)
++ goto done;
++
++ /*
++ * Otherwise it's at the top of the physical address space, possibly
++ * reduced due to SME by bits 11:6 of CPUID[0x8000001f].EBX. Use
++ * the old conservative value if MAXPHYADDR is not enumerated.
++ */
++ eax = 0x80000000;
++ cpuid(&eax, &ebx, &ecx, &edx);
++ max_ext_leaf = eax;
++ if (max_ext_leaf < 0x80000008)
++ goto done;
++
++ eax = 0x80000008;
++ cpuid(&eax, &ebx, &ecx, &edx);
++ max_pfn = (1ULL << ((eax & 0xff) - vm->page_shift)) - 1;
++ if (max_ext_leaf >= 0x8000001f) {
++ eax = 0x8000001f;
++ cpuid(&eax, &ebx, &ecx, &edx);
++ max_pfn >>= (ebx >> 6) & 0x3f;
++ }
++
++ ht_gfn = max_pfn - num_ht_pages;
++done:
++ return min(max_gfn, ht_gfn - 1);
++}
btrfs-fix-re-dirty-process-of-tree-log-nodes.patch
btrfs-replace-the-bug_on-in-btrfs_del_root_ref-with-proper-error-handling.patch
btrfs-free-exchange-changeset-on-failures.patch
+perf-intel-pt-fix-some-pge-packet-generation-enable-control-flow-packets-usage.patch
+perf-intel-pt-fix-sync-state-when-a-psb-synchronization-packet-is-found.patch
+perf-intel-pt-fix-intel_pt_fup_event-assumptions-about-setting-state-type.patch
+perf-intel-pt-fix-state-setting-when-receiving-overflow-ovf-packet.patch
+perf-intel-pt-fix-next-err-value-walking-trace.patch
+perf-intel-pt-fix-missing-instruction-events-with-q-option.patch
+perf-intel-pt-fix-error-timestamp-setting-on-the-decoder-error-path.patch
+md-fix-update-super-1.0-on-rdev-size-change.patch
+nfsd-fix-use-after-free-due-to-delegation-race.patch
+nfsd-fix-nsfd-startup-race-again.patch
+tracefs-have-new-files-inherit-the-ownership-of-their-parent.patch
+selftests-kvm-avoid-failures-due-to-reserved-hypertransport-region.patch
+hwmon-pwm-fan-ensure-the-fan-going-on-in-.probe.patch
+mmc-renesas_sdhi-initialize-variable-properly-when-tuning.patch
+clk-qcom-regmap-mux-fix-parent-clock-lookup.patch
+thermal-int340x-fix-vcoreflow-mmio-bit-offset-for-tgl.patch
+drm-syncobj-deal-with-signalled-fences-in-drm_syncobj_find_fence.patch
+libata-add-horkage-for-asmedia-1092.patch
+io_uring-ensure-task_work-gets-run-as-part-of-cancelations.patch
--- /dev/null
+From f872f73601b92c86f3da8bdf3e19abd0f1780eb9 Mon Sep 17 00:00:00 2001
+From: Sumeet Pawnikar <sumeet.r.pawnikar@intel.com>
+Date: Tue, 7 Dec 2021 18:05:39 +0530
+Subject: thermal: int340x: Fix VCoRefLow MMIO bit offset for TGL
+
+From: Sumeet Pawnikar <sumeet.r.pawnikar@intel.com>
+
+commit f872f73601b92c86f3da8bdf3e19abd0f1780eb9 upstream.
+
+The VCoRefLow CPU FIVR register definition for Tiger Lake is incorrect.
+
+Current implementation reads it from MMIO offset 0x5A18 and bit
+offset [12:14], but the actual correct register definition is from
+bit offset [11:13].
+
+Update to fix the bit offset.
+
+Fixes: 473be51142ad ("thermal: int340x: processor_thermal: Add RFIM driver")
+Signed-off-by: Sumeet Pawnikar <sumeet.r.pawnikar@intel.com>
+Cc: 5.14+ <stable@vger.kernel.org> # 5.14+
+[ rjw: New subject, changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/intel/int340x_thermal/processor_thermal_rfim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/thermal/intel/int340x_thermal/processor_thermal_rfim.c
++++ b/drivers/thermal/intel/int340x_thermal/processor_thermal_rfim.c
+@@ -29,7 +29,7 @@ static const char * const fivr_strings[]
+ };
+
+ static const struct mmio_reg tgl_fivr_mmio_regs[] = {
+- { 0, 0x5A18, 3, 0x7, 12}, /* vco_ref_code_lo */
++ { 0, 0x5A18, 3, 0x7, 11}, /* vco_ref_code_lo */
+ { 0, 0x5A18, 8, 0xFF, 16}, /* vco_ref_code_hi */
+ { 0, 0x5A08, 8, 0xFF, 0}, /* spread_spectrum_pct */
+ { 0, 0x5A08, 1, 0x1, 8}, /* spread_spectrum_clk_enable */
--- /dev/null
+From ee7f3666995d8537dec17b1d35425f28877671a9 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Wed, 8 Dec 2021 07:57:20 -0500
+Subject: tracefs: Have new files inherit the ownership of their parent
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit ee7f3666995d8537dec17b1d35425f28877671a9 upstream.
+
+If directories in tracefs have their ownership changed, then any new files
+and directories that are created under those directories should inherit
+the ownership of the director they are created in.
+
+Link: https://lkml.kernel.org/r/20211208075720.4855d180@gandalf.local.home
+
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Yabin Cui <yabinc@google.com>
+Cc: Christian Brauner <christian.brauner@ubuntu.com>
+Cc: stable@vger.kernel.org
+Fixes: 4282d60689d4f ("tracefs: Add new tracefs file system")
+Reported-by: Kalesh Singh <kaleshsingh@google.com>
+Reported: https://lore.kernel.org/all/CAC_TJve8MMAv+H_NdLSJXZUSoxOEq2zB_pVaJ9p=7H6Bu3X76g@mail.gmail.com/
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/tracefs/inode.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/tracefs/inode.c
++++ b/fs/tracefs/inode.c
+@@ -414,6 +414,8 @@ struct dentry *tracefs_create_file(const
+ inode->i_mode = mode;
+ inode->i_fop = fops ? fops : &tracefs_file_operations;
+ inode->i_private = data;
++ inode->i_uid = d_inode(dentry->d_parent)->i_uid;
++ inode->i_gid = d_inode(dentry->d_parent)->i_gid;
+ d_instantiate(dentry, inode);
+ fsnotify_create(dentry->d_parent->d_inode, dentry);
+ return end_creating(dentry);
+@@ -436,6 +438,8 @@ static struct dentry *__create_dir(const
+ inode->i_mode = S_IFDIR | S_IRWXU | S_IRUSR| S_IRGRP | S_IXUSR | S_IXGRP;
+ inode->i_op = ops;
+ inode->i_fop = &simple_dir_operations;
++ inode->i_uid = d_inode(dentry->d_parent)->i_uid;
++ inode->i_gid = d_inode(dentry->d_parent)->i_gid;
+
+ /* directory inodes start off with i_nlink == 2 (for "." entry) */
+ inc_nlink(inode);