5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 14 Jan 2023 10:02:42 +0000 (11:02 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 14 Jan 2023 10:02:42 +0000 (11:02 +0100)
added patches:
alsa-control-led-use-strscpy-in-set_led_id.patch
alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch
alsa-hda-realtek-turn-on-power-early.patch
asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch
docs-fix-the-docs-build-with-sphinx-6.0.patch
drm-i915-gt-reset-twice.patch
drm-virtio-fix-gem-handle-creation-uaf.patch
efi-tpm-avoid-read_once-for-accessing-the-event-log.patch
kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch
kvm-arm64-nvhe-fix-build-with-profile-optimization.patch
net-stmmac-add-aux-timestamps-fifo-clearance-wait.patch
netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch
perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch
s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch
s390-kexec-fix-ipl-report-address-for-kdump.patch
s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch
selftests-kvm-fix-a-compile-error-in-selftests-kvm-rseq_test.c.patch
series

18 files changed:
queue-5.15/alsa-control-led-use-strscpy-in-set_led_id.patch [new file with mode: 0644]
queue-5.15/alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch [new file with mode: 0644]
queue-5.15/alsa-hda-realtek-turn-on-power-early.patch [new file with mode: 0644]
queue-5.15/asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch [new file with mode: 0644]
queue-5.15/docs-fix-the-docs-build-with-sphinx-6.0.patch [new file with mode: 0644]
queue-5.15/drm-i915-gt-reset-twice.patch [new file with mode: 0644]
queue-5.15/drm-virtio-fix-gem-handle-creation-uaf.patch [new file with mode: 0644]
queue-5.15/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch [new file with mode: 0644]
queue-5.15/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch [new file with mode: 0644]
queue-5.15/kvm-arm64-nvhe-fix-build-with-profile-optimization.patch [new file with mode: 0644]
queue-5.15/net-stmmac-add-aux-timestamps-fifo-clearance-wait.patch [new file with mode: 0644]
queue-5.15/netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch [new file with mode: 0644]
queue-5.15/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch [new file with mode: 0644]
queue-5.15/s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch [new file with mode: 0644]
queue-5.15/s390-kexec-fix-ipl-report-address-for-kdump.patch [new file with mode: 0644]
queue-5.15/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch [new file with mode: 0644]
queue-5.15/selftests-kvm-fix-a-compile-error-in-selftests-kvm-rseq_test.c.patch [new file with mode: 0644]
queue-5.15/series [new file with mode: 0644]

diff --git a/queue-5.15/alsa-control-led-use-strscpy-in-set_led_id.patch b/queue-5.15/alsa-control-led-use-strscpy-in-set_led_id.patch
new file mode 100644 (file)
index 0000000..b292874
--- /dev/null
@@ -0,0 +1,43 @@
+From 70051cffb31b5ee09096351c3b41fcae6f89de31 Mon Sep 17 00:00:00 2001
+From: Jaroslav Kysela <perex@perex.cz>
+Date: Mon, 9 Jan 2023 16:12:49 +0100
+Subject: ALSA: control-led: use strscpy in set_led_id()
+
+From: Jaroslav Kysela <perex@perex.cz>
+
+commit 70051cffb31b5ee09096351c3b41fcae6f89de31 upstream.
+
+The use of strncpy() in the set_led_id() was incorrect.
+The len variable should use 'min(sizeof(buf2) - 1, count)'
+expression.
+
+Use strscpy() function to simplify things and handle the error gracefully.
+
+Fixes: a135dfb5de15 ("ALSA: led control - add sysfs kcontrol LED marking layer")
+Reported-by: yang.yang29@zte.com.cn
+Link: https://lore.kernel.org/alsa-devel/202301091945513559977@zte.com.cn/
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/control_led.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/sound/core/control_led.c
++++ b/sound/core/control_led.c
+@@ -530,12 +530,11 @@ static ssize_t set_led_id(struct snd_ctl
+                         bool attach)
+ {
+       char buf2[256], *s, *os;
+-      size_t len = max(sizeof(s) - 1, count);
+       struct snd_ctl_elem_id id;
+       int err;
+-      strncpy(buf2, buf, len);
+-      buf2[len] = '\0';
++      if (strscpy(buf2, buf, sizeof(buf2)) < 0)
++              return -E2BIG;
+       memset(&id, 0, sizeof(id));
+       id.iface = SNDRV_CTL_ELEM_IFACE_MIXER;
+       s = buf2;
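Review bot: The new `strscpy(buf2, buf, sizeof(buf2))` in set_led_id() no longer consults `count`, so it is only correct if `buf` is NUL-terminated within its allocation; as far as I know the sysfs store path guarantees that, but nothing in the hunk says so. I would add a one-line comment above the copy, e.g. `/* buf is NUL-terminated by sysfs; reject input that does not fit in buf2 */`. The removed `max(sizeof(s) - 1, count)` with `buf2[len] = '\0'` could index past the 256-byte stack buffer, so a regression test that writes an over-long string and expects -E2BIG would be worth having. set_led_id() starts and continues outside the hunk.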
diff --git a/queue-5.15/alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch b/queue-5.15/alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch
new file mode 100644 (file)
index 0000000..d9d6afa
--- /dev/null
@@ -0,0 +1,82 @@
+From ca88eeb308a221c2dcd4a64031d2e5fcd3db9eaa Mon Sep 17 00:00:00 2001
+From: Luka Guzenko <l.guzenko@web.de>
+Date: Tue, 10 Jan 2023 21:25:14 +0100
+Subject: ALSA: hda/realtek: Enable mute/micmute LEDs on HP Spectre x360 13-aw0xxx
+
+From: Luka Guzenko <l.guzenko@web.de>
+
+commit ca88eeb308a221c2dcd4a64031d2e5fcd3db9eaa upstream.
+
+The HP Spectre x360 13-aw0xxx devices use the ALC285 codec with GPIO 0x04
+controlling the micmute LED and COEF 0x0b index 8 controlling the mute LED.
+A quirk was added to make these work as well as a fixup.
+
+Signed-off-by: Luka Guzenko <l.guzenko@web.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230110202514.2792-1-l.guzenko@web.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |   23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4639,6 +4639,16 @@ static void alc285_fixup_hp_coef_micmute
+       }
+ }
++static void alc285_fixup_hp_gpio_micmute_led(struct hda_codec *codec,
++                              const struct hda_fixup *fix, int action)
++{
++      struct alc_spec *spec = codec->spec;
++
++      if (action == HDA_FIXUP_ACT_PRE_PROBE)
++              spec->micmute_led_polarity = 1;
++      alc_fixup_hp_gpio_led(codec, action, 0, 0x04);
++}
++
+ static void alc236_fixup_hp_coef_micmute_led(struct hda_codec *codec,
+                               const struct hda_fixup *fix, int action)
+ {
+@@ -4660,6 +4670,13 @@ static void alc285_fixup_hp_mute_led(str
+       alc285_fixup_hp_coef_micmute_led(codec, fix, action);
+ }
++static void alc285_fixup_hp_spectre_x360_mute_led(struct hda_codec *codec,
++                              const struct hda_fixup *fix, int action)
++{
++      alc285_fixup_hp_mute_led_coefbit(codec, fix, action);
++      alc285_fixup_hp_gpio_micmute_led(codec, fix, action);
++}
++
+ static void alc236_fixup_hp_mute_led(struct hda_codec *codec,
+                               const struct hda_fixup *fix, int action)
+ {
+@@ -6913,6 +6930,7 @@ enum {
+       ALC285_FIXUP_ASUS_G533Z_PINS,
+       ALC285_FIXUP_HP_GPIO_LED,
+       ALC285_FIXUP_HP_MUTE_LED,
++      ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED,
+       ALC236_FIXUP_HP_GPIO_LED,
+       ALC236_FIXUP_HP_MUTE_LED,
+       ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF,
+@@ -8282,6 +8300,10 @@ static const struct hda_fixup alc269_fix
+               .type = HDA_FIXUP_FUNC,
+               .v.func = alc285_fixup_hp_mute_led,
+       },
++      [ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED] = {
++              .type = HDA_FIXUP_FUNC,
++              .v.func = alc285_fixup_hp_spectre_x360_mute_led,
++      },
+       [ALC236_FIXUP_HP_GPIO_LED] = {
+               .type = HDA_FIXUP_FUNC,
+               .v.func = alc236_fixup_hp_gpio_led,
+@@ -9000,6 +9022,7 @@ static const struct snd_pci_quirk alc269
+       SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO),
+       SND_PCI_QUIRK(0x103c, 0x86e7, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
+       SND_PCI_QUIRK(0x103c, 0x86e8, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
++      SND_PCI_QUIRK(0x103c, 0x86f9, "HP Spectre x360 13-aw0xxx", ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED),
+       SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+       SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+       SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED),
diff --git a/queue-5.15/alsa-hda-realtek-turn-on-power-early.patch b/queue-5.15/alsa-hda-realtek-turn-on-power-early.patch
new file mode 100644 (file)
index 0000000..7e9a0ae
--- /dev/null
@@ -0,0 +1,81 @@
+From 1f680609bf1beac20e2a31ddcb1b88874123c39f Mon Sep 17 00:00:00 2001
+From: Yuchi Yang <yangyuchi66@gmail.com>
+Date: Fri, 30 Dec 2022 15:22:25 +0800
+Subject: ALSA: hda/realtek - Turn on power early
+
+From: Yuchi Yang <yangyuchi66@gmail.com>
+
+commit 1f680609bf1beac20e2a31ddcb1b88874123c39f upstream.
+
+Turn on power early to avoid wrong state for power relation register.
+This can earlier update JD state when resume back.
+
+Signed-off-by: Yuchi Yang <yangyuchi66@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/e35d8f4fa18f4448a2315cc7d4a3715f@realtek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |   30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3558,6 +3558,15 @@ static void alc256_init(struct hda_codec
+       hda_nid_t hp_pin = alc_get_hp_pin(spec);
+       bool hp_pin_sense;
++      if (spec->ultra_low_power) {
++              alc_update_coef_idx(codec, 0x03, 1<<1, 1<<1);
++              alc_update_coef_idx(codec, 0x08, 3<<2, 3<<2);
++              alc_update_coef_idx(codec, 0x08, 7<<4, 0);
++              alc_update_coef_idx(codec, 0x3b, 1<<15, 0);
++              alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6);
++              msleep(30);
++      }
++
+       if (!hp_pin)
+               hp_pin = 0x21;
+@@ -3569,14 +3578,6 @@ static void alc256_init(struct hda_codec
+               msleep(2);
+       alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */
+-      if (spec->ultra_low_power) {
+-              alc_update_coef_idx(codec, 0x03, 1<<1, 1<<1);
+-              alc_update_coef_idx(codec, 0x08, 3<<2, 3<<2);
+-              alc_update_coef_idx(codec, 0x08, 7<<4, 0);
+-              alc_update_coef_idx(codec, 0x3b, 1<<15, 0);
+-              alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6);
+-              msleep(30);
+-      }
+       snd_hda_codec_write(codec, hp_pin, 0,
+                           AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
+@@ -3707,6 +3708,13 @@ static void alc225_init(struct hda_codec
+       hda_nid_t hp_pin = alc_get_hp_pin(spec);
+       bool hp1_pin_sense, hp2_pin_sense;
++      if (spec->ultra_low_power) {
++              alc_update_coef_idx(codec, 0x08, 0x0f << 2, 3<<2);
++              alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6);
++              alc_update_coef_idx(codec, 0x33, 1<<11, 0);
++              msleep(30);
++      }
++
+       if (spec->codec_variant != ALC269_TYPE_ALC287 &&
+               spec->codec_variant != ALC269_TYPE_ALC245)
+               /* required only at boot or S3 and S4 resume time */
+@@ -3728,12 +3736,6 @@ static void alc225_init(struct hda_codec
+               msleep(2);
+       alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */
+-      if (spec->ultra_low_power) {
+-              alc_update_coef_idx(codec, 0x08, 0x0f << 2, 3<<2);
+-              alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6);
+-              alc_update_coef_idx(codec, 0x33, 1<<11, 0);
+-              msleep(30);
+-      }
+       if (hp1_pin_sense || spec->ultra_low_power)
+               snd_hda_codec_write(codec, hp_pin, 0,
diff --git a/queue-5.15/asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch b/queue-5.15/asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch
new file mode 100644 (file)
index 0000000..821dd19
--- /dev/null
@@ -0,0 +1,45 @@
+From 000bca8d706d1bf7cca01af75787247c5a2fdedf Mon Sep 17 00:00:00 2001
+From: Brian Norris <computersforpeace@gmail.com>
+Date: Fri, 30 Dec 2022 22:15:45 -0800
+Subject: ASoC: qcom: lpass-cpu: Fix fallback SD line index handling
+
+From: Brian Norris <computersforpeace@gmail.com>
+
+commit 000bca8d706d1bf7cca01af75787247c5a2fdedf upstream.
+
+These indices should reference the ID placed within the dai_driver
+array, not the indices of the array itself.
+
+This fixes commit 4ff028f6c108 ("ASoC: qcom: lpass-cpu: Make I2S SD
+lines configurable"), which among others, broke IPQ8064 audio
+(sound/soc/qcom/lpass-ipq806x.c) because it uses ID 4 but we'd stop
+initializing the mi2s_playback_sd_mode and mi2s_capture_sd_mode arrays
+at ID 0.
+
+Fixes: 4ff028f6c108 ("ASoC: qcom: lpass-cpu: Make I2S SD lines configurable")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Reviewed-by: Stephan Gerhold <stephan@gerhold.net>
+Link: https://lore.kernel.org/r/20221231061545.2110253-1-computersforpeace@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/lpass-cpu.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/qcom/lpass-cpu.c
++++ b/sound/soc/qcom/lpass-cpu.c
+@@ -851,10 +851,11 @@ static void of_lpass_cpu_parse_dai_data(
+                                       struct lpass_data *data)
+ {
+       struct device_node *node;
+-      int ret, id;
++      int ret, i, id;
+       /* Allow all channels by default for backwards compatibility */
+-      for (id = 0; id < data->variant->num_dai; id++) {
++      for (i = 0; i < data->variant->num_dai; i++) {
++              id = data->variant->dai_driver[i].id;
+               data->mi2s_playback_sd_mode[id] = LPAIF_I2SCTL_MODE_8CH;
+               data->mi2s_capture_sd_mode[id] = LPAIF_I2SCTL_MODE_8CH;
+       }
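Review bot: In the default-initialisation loop of of_lpass_cpu_parse_dai_data(), `id` now comes from `dai_driver[i].id` and indexes `mi2s_playback_sd_mode[]` and `mi2s_capture_sd_mode[]` with no range check. The array sizes are declared outside this hunk, so I cannot confirm that every variant's IDs fit. A guard such as `if (id >= ARRAY_SIZE(data->mi2s_playback_sd_mode)) continue;`, ideally with a warning, would turn a bad table entry into a skipped DAI instead of an out-of-bounds write. The function body continues outside the hunk.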
diff --git a/queue-5.15/docs-fix-the-docs-build-with-sphinx-6.0.patch b/queue-5.15/docs-fix-the-docs-build-with-sphinx-6.0.patch
new file mode 100644 (file)
index 0000000..923ca1e
--- /dev/null
@@ -0,0 +1,49 @@
+From 0283189e8f3d0917e2ac399688df85211f48447b Mon Sep 17 00:00:00 2001
+From: Jonathan Corbet <corbet@lwn.net>
+Date: Wed, 4 Jan 2023 10:47:39 -0700
+Subject: docs: Fix the docs build with Sphinx 6.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Corbet <corbet@lwn.net>
+
+commit 0283189e8f3d0917e2ac399688df85211f48447b upstream.
+
+Sphinx 6.0 removed the execfile_() function, which we use as part of the
+configuration process.  They *did* warn us...  Just open-code the
+functionality as is done in Sphinx itself.
+
+Tested (using SPHINX_CONF, since this code is only executed with an
+alternative config file) on various Sphinx versions from 2.5 through 6.0.
+
+Reported-by: Martin Liška <mliska@suse.cz>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/sphinx/load_config.py |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/Documentation/sphinx/load_config.py
++++ b/Documentation/sphinx/load_config.py
+@@ -3,7 +3,7 @@
+ import os
+ import sys
+-from sphinx.util.pycompat import execfile_
++from sphinx.util.osutil import fs_encoding
+ # ------------------------------------------------------------------------------
+ def loadConfig(namespace):
+@@ -48,7 +48,9 @@ def loadConfig(namespace):
+             sys.stdout.write("load additional sphinx-config: %s\n" % config_file)
+             config = namespace.copy()
+             config['__file__'] = config_file
+-            execfile_(config_file, config)
++            with open(config_file, 'rb') as f:
++                code = compile(f.read(), fs_encoding, 'exec')
++                exec(code, config)
+             del config['__file__']
+             namespace.update(config)
+         else:
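Review bot: In loadConfig(), `compile(f.read(), fs_encoding, 'exec')` passes the filesystem encoding name as compile()'s filename argument, so a syntax error or traceback from the extra config would be attributed to something like `utf-8` instead of the file. Passing the path keeps diagnostics usable: `code = compile(f.read(), config_file, 'exec')`, after which the `fs_encoding` import is no longer needed. Because this executes whatever file the config path names, a short comment stating that the file is trusted build input would also help. loadConfig() continues outside the hunk.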
diff --git a/queue-5.15/drm-i915-gt-reset-twice.patch b/queue-5.15/drm-i915-gt-reset-twice.patch
new file mode 100644 (file)
index 0000000..345a000
--- /dev/null
@@ -0,0 +1,85 @@
+From d3de5616d36462a646f5b360ba82d3b09ff668eb Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Mon, 12 Dec 2022 17:13:38 +0100
+Subject: drm/i915/gt: Reset twice
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit d3de5616d36462a646f5b360ba82d3b09ff668eb upstream.
+
+After applying an engine reset, on some platforms like Jasperlake, we
+occasionally detect that the engine state is not cleared until shortly
+after the resume. As we try to resume the engine with volatile internal
+state, the first request fails with a spurious CS event (it looks like
+it reports a lite-restore to the hung context, instead of the expected
+idle->active context switch).
+
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: stable@vger.kernel.org
+Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221212161338.1007659-1-andi.shyti@linux.intel.com
+(cherry picked from commit 3db9d590557da3aa2c952f2fecd3e9b703dad790)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gt/intel_reset.c |   34 ++++++++++++++++++++++++++++------
+ 1 file changed, 28 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gt/intel_reset.c
++++ b/drivers/gpu/drm/i915/gt/intel_reset.c
+@@ -271,6 +271,7 @@ out:
+ static int gen6_hw_domain_reset(struct intel_gt *gt, u32 hw_domain_mask)
+ {
+       struct intel_uncore *uncore = gt->uncore;
++      int loops = 2;
+       int err;
+       /*
+@@ -278,18 +279,39 @@ static int gen6_hw_domain_reset(struct i
+        * for fifo space for the write or forcewake the chip for
+        * the read
+        */
+-      intel_uncore_write_fw(uncore, GEN6_GDRST, hw_domain_mask);
++      do {
++              intel_uncore_write_fw(uncore, GEN6_GDRST, hw_domain_mask);
+-      /* Wait for the device to ack the reset requests */
+-      err = __intel_wait_for_register_fw(uncore,
+-                                         GEN6_GDRST, hw_domain_mask, 0,
+-                                         500, 0,
+-                                         NULL);
++              /*
++               * Wait for the device to ack the reset requests.
++               *
++               * On some platforms, e.g. Jasperlake, we see that the
++               * engine register state is not cleared until shortly after
++               * GDRST reports completion, causing a failure as we try
++               * to immediately resume while the internal state is still
++               * in flux. If we immediately repeat the reset, the second
++               * reset appears to serialise with the first, and since
++               * it is a no-op, the registers should retain their reset
++               * value. However, there is still a concern that upon
++               * leaving the second reset, the internal engine state
++               * is still in flux and not ready for resuming.
++               */
++              err = __intel_wait_for_register_fw(uncore, GEN6_GDRST,
++                                                 hw_domain_mask, 0,
++                                                 2000, 0,
++                                                 NULL);
++      } while (err == 0 && --loops);
+       if (err)
+               GT_TRACE(gt,
+                        "Wait for 0x%08x engines reset failed\n",
+                        hw_domain_mask);
++      /*
++       * As we have observed that the engine state is still volatile
++       * after GDRST is acked, impose a small delay to let everything settle.
++       */
++      udelay(50);
++
+       return err;
+ }
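Review bot: In gen6_hw_domain_reset() the timeout passed to `__intel_wait_for_register_fw()` changes from 500 to 2000, but neither the added comment nor the commit message gives a reason. The long comment explains only the repeated reset. I would extend it with one sentence on why the ack window was widened, and give `loops = 2` and `udelay(50)` named constants or a note on how the values were chosen. Note also that `udelay(50)` runs on the failure path; if that is intentional, the comment above it could say so.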
diff --git a/queue-5.15/drm-virtio-fix-gem-handle-creation-uaf.patch b/queue-5.15/drm-virtio-fix-gem-handle-creation-uaf.patch
new file mode 100644 (file)
index 0000000..1f410d4
--- /dev/null
@@ -0,0 +1,68 @@
+From 52531258318ed59a2dc5a43df2eaf0eb1d65438e Mon Sep 17 00:00:00 2001
+From: Rob Clark <robdclark@chromium.org>
+Date: Fri, 16 Dec 2022 15:33:55 -0800
+Subject: drm/virtio: Fix GEM handle creation UAF
+
+From: Rob Clark <robdclark@chromium.org>
+
+commit 52531258318ed59a2dc5a43df2eaf0eb1d65438e upstream.
+
+Userspace can guess the handle value and try to race GEM object creation
+with handle close, resulting in a use-after-free if we dereference the
+object after dropping the handle's reference.  For that reason, dropping
+the handle's reference must be done *after* we are done dereferencing
+the object.
+
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+Fixes: 62fb7a5e1096 ("virtio-gpu: add 3d/virgl support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221216233355.542197-2-robdclark@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_ioctl.c |   19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c
++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+@@ -292,10 +292,18 @@ static int virtio_gpu_resource_create_io
+               drm_gem_object_release(obj);
+               return ret;
+       }
+-      drm_gem_object_put(obj);
+       rc->res_handle = qobj->hw_res_handle; /* similiar to a VM address */
+       rc->bo_handle = handle;
++
++      /*
++       * The handle owns the reference now.  But we must drop our
++       * remaining reference *after* we no longer need to dereference
++       * the obj.  Otherwise userspace could guess the handle and
++       * race closing it from another thread.
++       */
++      drm_gem_object_put(obj);
++
+       return 0;
+ }
+@@ -656,11 +664,18 @@ static int virtio_gpu_resource_create_bl
+               drm_gem_object_release(obj);
+               return ret;
+       }
+-      drm_gem_object_put(obj);
+       rc_blob->res_handle = bo->hw_res_handle;
+       rc_blob->bo_handle = handle;
++      /*
++       * The handle owns the reference now.  But we must drop our
++       * remaining reference *after* we no longer need to dereference
++       * the obj.  Otherwise userspace could guess the handle and
++       * race closing it from another thread.
++       */
++      drm_gem_object_put(obj);
++
+       return 0;
+ }
diff --git a/queue-5.15/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch b/queue-5.15/efi-tpm-avoid-read_once-for-accessing-the-event-log.patch
new file mode 100644 (file)
index 0000000..48f04e9
--- /dev/null
@@ -0,0 +1,51 @@
+From d3f450533bbcb6dd4d7d59cadc9b61b7321e4ac1 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Mon, 9 Jan 2023 10:44:31 +0100
+Subject: efi: tpm: Avoid READ_ONCE() for accessing the event log
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit d3f450533bbcb6dd4d7d59cadc9b61b7321e4ac1 upstream.
+
+Nathan reports that recent kernels built with LTO will crash when doing
+EFI boot using Fedora's GRUB and SHIM. The culprit turns out to be a
+misaligned load from the TPM event log, which is annotated with
+READ_ONCE(), and under LTO, this gets translated into a LDAR instruction
+which does not tolerate misaligned accesses.
+
+Interestingly, this does not happen when booting the same kernel
+straight from the UEFI shell, and so the fact that the event log may
+appear misaligned in memory may be caused by a bug in GRUB or SHIM.
+
+However, using READ_ONCE() to access firmware tables is slightly unusual
+in any case, and here, we only need to ensure that 'event' is not
+dereferenced again after it gets unmapped, but this is already taken
+care of by the implicit barrier() semantics of the early_memunmap()
+call.
+
+Cc: <stable@vger.kernel.org>
+Cc: Peter Jones <pjones@redhat.com>
+Cc: Jarkko Sakkinen <jarkko@kernel.org>
+Cc: Matthew Garrett <mjg59@srcf.ucam.org>
+Reported-by: Nathan Chancellor <nathan@kernel.org>
+Tested-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1782
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/tpm_eventlog.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/tpm_eventlog.h
++++ b/include/linux/tpm_eventlog.h
+@@ -198,8 +198,8 @@ static __always_inline int __calc_tpm2_e
+        * The loop below will unmap these fields if the log is larger than
+        * one page, so save them here for reference:
+        */
+-      count = READ_ONCE(event->count);
+-      event_type = READ_ONCE(event->event_type);
++      count = event->count;
++      event_type = event->event_type;
+       /* Verify that it's the log header */
+       if (event_header->pcr_idx != 0 ||
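Review bot: The plain loads `count = event->count;` and `event_type = event->event_type;` in __calc_tpm2_event_size() still read through a pointer that the commit message says may be misaligned. C leaves that undefined, and it keeps working only while the compiler emits an alignment-tolerant load. If misaligned firmware logs are to be tolerated, it would be sturdier to make that explicit with the kernel's unaligned-access helper: `count = get_unaligned(&event->count);`, and likewise for `event_type`. Both values come from a firmware-supplied log, so whatever bound the rest of the function applies to `count` (outside this hunk) deserves the same scrutiny. The function starts and continues outside the hunk.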
diff --git a/queue-5.15/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch b/queue-5.15/kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch
new file mode 100644 (file)
index 0000000..e015937
--- /dev/null
@@ -0,0 +1,81 @@
+From 406504c7b0405d74d74c15a667cd4c4620c3e7a9 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Tue, 20 Dec 2022 14:03:52 +0000
+Subject: KVM: arm64: Fix S1PTW handling on RO memslots
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 406504c7b0405d74d74c15a667cd4c4620c3e7a9 upstream.
+
+A recent development on the EFI front has resulted in guests having
+their page tables baked in the firmware binary, and mapped into the
+IPA space as part of a read-only memslot. Not only is this legitimate,
+but it also results in added security, so thumbs up.
+
+It is possible to take an S1PTW translation fault if the S1 PTs are
+unmapped at stage-2. However, KVM unconditionally treats S1PTW as a
+write to correctly handle hardware AF/DB updates to the S1 PTs.
+Furthermore, KVM injects an exception into the guest for S1PTW writes.
+In the aforementioned case this results in the guest taking an abort
+it won't recover from, as the S1 PTs mapping the vectors suffer from
+the same problem.
+
+So clearly our handling is... wrong.
+
+Instead, switch to a two-pronged approach:
+
+- On S1PTW translation fault, handle the fault as a read
+
+- On S1PTW permission fault, handle the fault as a write
+
+This is of no consequence to SW that *writes* to its PTs (the write
+will trigger a non-S1PTW fault), and SW that uses RO PTs will not
+use HW-assisted AF/DB anyway, as that'd be wrong.
+
+Only in the case described in c4ad98e4b72c ("KVM: arm64: Assume write
+fault on S1PTW permission fault on instruction fetch") do we end-up
+with two back-to-back faults (page being evicted and faulted back).
+I don't think this is a case worth optimising for.
+
+Fixes: c4ad98e4b72c ("KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch")
+Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+Regression-tested-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/kvm_emulate.h |   22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_emulate.h
++++ b/arch/arm64/include/asm/kvm_emulate.h
+@@ -366,8 +366,26 @@ static __always_inline int kvm_vcpu_sys_
+ static inline bool kvm_is_write_fault(struct kvm_vcpu *vcpu)
+ {
+-      if (kvm_vcpu_abt_iss1tw(vcpu))
+-              return true;
++      if (kvm_vcpu_abt_iss1tw(vcpu)) {
++              /*
++               * Only a permission fault on a S1PTW should be
++               * considered as a write. Otherwise, page tables baked
++               * in a read-only memslot will result in an exception
++               * being delivered in the guest.
++               *
++               * The drawback is that we end-up faulting twice if the
++               * guest is using any of HW AF/DB: a translation fault
++               * to map the page containing the PT (read only at
++               * first), then a permission fault to allow the flags
++               * to be set.
++               */
++              switch (kvm_vcpu_trap_get_fault_type(vcpu)) {
++              case ESR_ELx_FSC_PERM:
++                      return true;
++              default:
++                      return false;
++              }
++      }
+       if (kvm_vcpu_trap_is_iabt(vcpu))
+               return false;
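Review bot: The single-case `switch` added to kvm_is_write_fault() is a long way to write one comparison. `return kvm_vcpu_trap_get_fault_type(vcpu) == ESR_ELx_FSC_PERM;` says the same thing and keeps the explanatory comment directly above the decision. If the switch is kept deliberately so that further fault types can be added, a word to that effect in the comment would make the intent clear. The function continues outside the hunk.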
diff --git a/queue-5.15/kvm-arm64-nvhe-fix-build-with-profile-optimization.patch b/queue-5.15/kvm-arm64-nvhe-fix-build-with-profile-optimization.patch
new file mode 100644 (file)
index 0000000..20f5e1e
--- /dev/null
@@ -0,0 +1,42 @@
+From bde971a83bbff78561458ded236605a365411b87 Mon Sep 17 00:00:00 2001
+From: Denis Nikitin <denik@chromium.org>
+Date: Fri, 14 Oct 2022 11:45:32 -0700
+Subject: KVM: arm64: nvhe: Fix build with profile optimization
+
+From: Denis Nikitin <denik@chromium.org>
+
+commit bde971a83bbff78561458ded236605a365411b87 upstream.
+
+Kernel build with clang and KCFLAGS=-fprofile-sample-use=<profile> fails with:
+
+error: arch/arm64/kvm/hyp/nvhe/kvm_nvhe.tmp.o: Unexpected SHT_REL
+section ".rel.llvm.call-graph-profile"
+
+Starting from 13.0.0 llvm can generate SHT_REL section, see
+https://reviews.llvm.org/rGca3bdb57fa1ac98b711a735de048c12b5fdd8086.
+gen-hyprel does not support SHT_REL relocation section.
+
+Filter out profile use flags to fix the build with profile optimization.
+
+Signed-off-by: Denis Nikitin <denik@chromium.org>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20221014184532.3153551-1-denik@chromium.org
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/hyp/nvhe/Makefile |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm64/kvm/hyp/nvhe/Makefile
++++ b/arch/arm64/kvm/hyp/nvhe/Makefile
+@@ -83,6 +83,10 @@ quiet_cmd_hypcopy = HYPCOPY $@
+ # Remove ftrace, Shadow Call Stack, and CFI CFLAGS.
+ # This is equivalent to the 'notrace', '__noscs', and '__nocfi' annotations.
+ KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_FTRACE) $(CC_FLAGS_SCS) $(CC_FLAGS_CFI), $(KBUILD_CFLAGS))
++# Starting from 13.0.0 llvm emits SHT_REL section '.llvm.call-graph-profile'
++# when profile optimization is applied. gen-hyprel does not support SHT_REL and
++# causes a build failure. Remove profile optimization flags.
++KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use=%, $(KBUILD_CFLAGS))
+ # KVM nVHE code is run at a different exception code with a different map, so
+ # compiler instrumentation that inserts callbacks or checks into the code may
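Review bot: The added `filter-out` matches only `-fprofile-sample-use=%` and `-fprofile-use=%`, so other ways of feeding a profile to the compiler, such as a bare `-fprofile-use` or `-fprofile-instr-use=<file>`, would pass through to the nVHE objects. Whether those spellings also make LLVM emit the `.llvm.call-graph-profile` SHT_REL section is not shown here and should be checked. If they do, the pattern list needs widening, e.g. `-fprofile-use% -fprofile-instr-use=%`. The comment could also name the gen-hyprel limitation as the reason, so the filter is revisited once SHT_REL is supported.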
diff --git a/queue-5.15/net-stmmac-add-aux-timestamps-fifo-clearance-wait.patch b/queue-5.15/net-stmmac-add-aux-timestamps-fifo-clearance-wait.patch
new file mode 100644 (file)
index 0000000..99cbfb9
--- /dev/null
@@ -0,0 +1,37 @@
+From ae9dcb91c6069e20b3b9505d79cbc89fd6e086f5 Mon Sep 17 00:00:00 2001
+From: Noor Azura Ahmad Tarmizi <noor.azura.ahmad.tarmizi@intel.com>
+Date: Wed, 11 Jan 2023 13:02:00 +0800
+Subject: net: stmmac: add aux timestamps fifo clearance wait
+
+From: Noor Azura Ahmad Tarmizi <noor.azura.ahmad.tarmizi@intel.com>
+
+commit ae9dcb91c6069e20b3b9505d79cbc89fd6e086f5 upstream.
+
+Add timeout polling wait for auxiliary timestamps snapshot FIFO clear bit
+(ATSFC) to clear. This is to ensure no residue fifo value is being read
+erroneously.
+
+Fixes: f4da56529da6 ("net: stmmac: Add support for external trigger timestamping")
+Cc: <stable@vger.kernel.org> # 5.10.x
+Signed-off-by: Noor Azura Ahmad Tarmizi <noor.azura.ahmad.tarmizi@intel.com>
+Link: https://lore.kernel.org/r/20230111050200.2130-1-noor.azura.ahmad.tarmizi@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
+@@ -229,7 +229,10 @@ static int stmmac_enable(struct ptp_cloc
+               }
+               writel(acr_value, ptpaddr + PTP_ACR);
+               mutex_unlock(&priv->aux_ts_lock);
+-              ret = 0;
++              /* wait for auxts fifo clear to finish */
++              ret = readl_poll_timeout(ptpaddr + PTP_ACR, acr_value,
++                                       !(acr_value & PTP_ACR_ATSFC),
++                                       10, 10000);
+               break;
+       default:
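Review bot: The wait for `PTP_ACR_ATSFC` to clear runs after `mutex_unlock(&priv->aux_ts_lock)`, so the poll of `PTP_ACR` is not serialized with anything else that updates that register under the lock. If the FIFO clear must finish before another caller touches the auxiliary snapshot state, move the unlock below the `readl_poll_timeout()` call; the poll sleeps, which is acceptable under a mutex. A timeout is now returned in `ret` although the `writel()` has already taken effect, so the caller sees a failure with the hardware left reconfigured, which deserves a log line or a comment. The `10, 10000` arguments are the sleep interval and timeout in microseconds and would read better as named constants. The enclosing `switch` case starts outside the hunk, so the other users of `aux_ts_lock` are not visible here.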
diff --git a/queue-5.15/netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch b/queue-5.15/netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch
new file mode 100644 (file)
index 0000000..ef401a9
--- /dev/null
@@ -0,0 +1,37 @@
+From 696e1a48b1a1b01edad542a1ef293665864a4dd0 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 11 Jan 2023 17:07:33 +0100
+Subject: netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 696e1a48b1a1b01edad542a1ef293665864a4dd0 upstream.
+
+If the offset + length goes over the ethernet + vlan header, then the
+length is adjusted to copy the bytes that are within the boundaries of
+the vlan_ethhdr scratchpad area. The remaining bytes beyond ethernet +
+vlan header are copied directly from the skbuff data area.
+
+Fix incorrect arithmetic operator: subtract, not add, the size of the
+vlan header in case of double-tagged packets to adjust the length
+accordingly to address CVE-2023-0179.
+
+Reported-by: Davide Ornaghi <d.ornaghi97@gmail.com>
+Fixes: f6ae9f120dad ("netfilter: nft_payload: add C-VLAN support")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_payload.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_payload.c
++++ b/net/netfilter/nft_payload.c
+@@ -63,7 +63,7 @@ nft_payload_copy_vlan(u32 *d, const stru
+                       return false;
+               if (offset + len > VLAN_ETH_HLEN + vlan_hlen)
+-                      ethlen -= offset + len - VLAN_ETH_HLEN + vlan_hlen;
++                      ethlen -= offset + len - VLAN_ETH_HLEN - vlan_hlen;
+               memcpy(dst_u8, vlanh + offset - vlan_hlen, ethlen);
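Review bot: The corrected line `ethlen -= offset + len - VLAN_ETH_HLEN - vlan_hlen;` still makes the reader expand the subtraction by hand, which is the kind of slip the commit message ties to CVE-2023-0179. Writing it as `ethlen -= offset + len - (VLAN_ETH_HLEN + vlan_hlen);` mirrors the guard on the line above term for term. The result feeds straight into `memcpy(dst_u8, vlanh + offset - vlan_hlen, ethlen)`, so a one-line comment stating the invariant (after the adjustment the copy ends exactly at the end of the Ethernet plus VLAN header scratch area) would help anyone auditing the length. The declarations of `ethlen`, `offset` and `len` are outside the hunk, so whether their width admits wrap-around cannot be seen here and is worth confirming when backporting.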
diff --git a/queue-5.15/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch b/queue-5.15/perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch
new file mode 100644 (file)
index 0000000..7dd233c
--- /dev/null
@@ -0,0 +1,104 @@
+From cf129830ee820f7fc90b98df193cd49d49344d09 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Tue, 10 Jan 2023 20:56:59 +0200
+Subject: perf auxtrace: Fix address filter duplicate symbol selection
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit cf129830ee820f7fc90b98df193cd49d49344d09 upstream.
+
+When a match has been made to the nth duplicate symbol, return
+success not error.
+
+Example:
+
+  Before:
+
+    $ cat file.c
+    cat: file.c: No such file or directory
+    $ cat file1.c
+    #include <stdio.h>
+
+    static void func(void)
+    {
+            printf("First func\n");
+    }
+
+    void other(void);
+
+    int main()
+    {
+            func();
+            other();
+            return 0;
+    }
+    $ cat file2.c
+    #include <stdio.h>
+
+    static void func(void)
+    {
+            printf("Second func\n");
+    }
+
+    void other(void)
+    {
+            func();
+    }
+
+    $ gcc -Wall -Wextra -o test file1.c file2.c
+    $ perf record -e intel_pt//u --filter 'filter func @ ./test' -- ./test
+    Multiple symbols with name 'func'
+    #1      0x1149  l       func
+                    which is near           main
+    #2      0x1179  l       func
+                    which is near           other
+    Disambiguate symbol name by inserting #n after the name e.g. func #2
+    Or select a global symbol by inserting #0 or #g or #G
+    Failed to parse address filter: 'filter func @ ./test'
+    Filter format is: filter|start|stop|tracestop <start symbol or address> [/ <end symbol or size>] [@<file name>]
+    Where multiple filters are separated by space or comma.
+    $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test
+    Failed to parse address filter: 'filter func #2 @ ./test'
+    Filter format is: filter|start|stop|tracestop <start symbol or address> [/ <end symbol or size>] [@<file name>]
+    Where multiple filters are separated by space or comma.
+
+  After:
+
+    $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test
+    First func
+    Second func
+    [ perf record: Woken up 1 times to write data ]
+    [ perf record: Captured and wrote 0.016 MB perf.data ]
+    $ perf script --itrace=b -Ftime,flags,ip,sym,addr --ns
+    1231062.526977619:   tr strt                               0 [unknown] =>     558495708179 func
+    1231062.526977619:   tr end  call               558495708188 func =>     558495708050 _init
+    1231062.526979286:   tr strt                               0 [unknown] =>     55849570818d func
+    1231062.526979286:   tr end  return             55849570818f func =>     55849570819d other
+
+Fixes: 1b36c03e356936d6 ("perf record: Add support for using symbols in address filters")
+Reported-by: Dmitrii Dolgov <9erthalion6@gmail.com>
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Dmitry Dolgov <9erthalion6@gmail.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230110185659.15979-1-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/auxtrace.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/auxtrace.c
++++ b/tools/perf/util/auxtrace.c
+@@ -2545,7 +2545,7 @@ static int find_dso_sym(struct dso *dso,
+                               *size = sym->start - *start;
+                       if (idx > 0) {
+                               if (*size)
+-                                      return 1;
++                                      return 0;
+                       } else if (dso_sym_match(sym, sym_name, &cnt, idx)) {
+                               print_duplicate_syms(dso, sym_name);
+                               return -EINVAL;
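Review bot: These few lines of `find_dso_sym()` have three outcomes and nothing states the convention: `return 0` once the nth duplicate has been matched and sized, `-EINVAL` after `print_duplicate_syms()`, and continued iteration otherwise. A comment above the `if (idx > 0)` branch such as `/* nth duplicate already matched; size is known, so we are done */` would show why 0 is the right value, since the commit message says the old `return 1` was treated as an error. The function's header and its callers are outside the hunk, so how positive return values are handled should be confirmed there.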
diff --git a/queue-5.15/s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch b/queue-5.15/s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch
new file mode 100644 (file)
index 0000000..01f56be
--- /dev/null
@@ -0,0 +1,345 @@
+From 82d3edb50a11bf3c5ef63294d5358ba230181413 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Thu, 5 Jan 2023 15:44:20 +0100
+Subject: s390/cpum_sf: add READ_ONCE() semantics to compare and swap loops
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+commit 82d3edb50a11bf3c5ef63294d5358ba230181413 upstream.
+
+The current cmpxchg_double() loops within the perf hw sampling code do not
+have READ_ONCE() semantics to read the old value from memory. This allows
+the compiler to generate code which reads the "old" value several times
+from memory, which again allows for inconsistencies.
+
+For example:
+
+        /* Reset trailer (using compare-double-and-swap) */
+        do {
+                te_flags = te->flags & ~SDB_TE_BUFFER_FULL_MASK;
+                te_flags |= SDB_TE_ALERT_REQ_MASK;
+        } while (!cmpxchg_double(&te->flags, &te->overflow,
+                 te->flags, te->overflow,
+                 te_flags, 0ULL));
+
+The compiler could generate code where te->flags used within the
+cmpxchg_double() call may be refetched from memory and which is not
+necessarily identical to the previous read version which was used to
+generate te_flags. Which in turn means that an incorrect update could
+happen.
+
+Fix this by adding READ_ONCE() semantics to all cmpxchg_double()
+loops. Given that READ_ONCE() cannot generate code on s390 which atomically
+reads 16 bytes, use a private compare-and-swap-double implementation to
+achieve that.
+
+Also replace cmpxchg_double() with the private implementation to be able to
+re-use the old value within the loops.
+
+As a side effect this converts the whole code to only use bit fields
+to read and modify bits within the hws trailer header.
+
+Reported-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Acked-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Acked-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Reviewed-by: Thomas Richter <tmricht@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/linux-s390/Y71QJBhNTIatvxUT@osiris/T/#ma14e2a5f7aa8ed4b94b6f9576799b3ad9c60f333
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/cpu_mf.h  |   31 +++++-------
+ arch/s390/kernel/perf_cpum_sf.c |  101 ++++++++++++++++++++++++----------------
+ 2 files changed, 77 insertions(+), 55 deletions(-)
+
+--- a/arch/s390/include/asm/cpu_mf.h
++++ b/arch/s390/include/asm/cpu_mf.h
+@@ -128,19 +128,21 @@ struct hws_combined_entry {
+       struct hws_diag_entry   diag;   /* Diagnostic-sampling data entry */
+ } __packed;
+-struct hws_trailer_entry {
+-      union {
+-              struct {
+-                      unsigned int f:1;       /* 0 - Block Full Indicator   */
+-                      unsigned int a:1;       /* 1 - Alert request control  */
+-                      unsigned int t:1;       /* 2 - Timestamp format       */
+-                      unsigned int :29;       /* 3 - 31: Reserved           */
+-                      unsigned int bsdes:16;  /* 32-47: size of basic SDE   */
+-                      unsigned int dsdes:16;  /* 48-63: size of diagnostic SDE */
+-              };
+-              unsigned long long flags;       /* 0 - 63: All indicators     */
++union hws_trailer_header {
++      struct {
++              unsigned int f:1;       /* 0 - Block Full Indicator   */
++              unsigned int a:1;       /* 1 - Alert request control  */
++              unsigned int t:1;       /* 2 - Timestamp format       */
++              unsigned int :29;       /* 3 - 31: Reserved           */
++              unsigned int bsdes:16;  /* 32-47: size of basic SDE   */
++              unsigned int dsdes:16;  /* 48-63: size of diagnostic SDE */
++              unsigned long long overflow; /* 64 - Overflow Count   */
+       };
+-      unsigned long long overflow;     /* 64 - sample Overflow count        */
++      __uint128_t val;
++};
++
++struct hws_trailer_entry {
++      union hws_trailer_header header; /* 0 - 15 Flags + Overflow Count     */
+       unsigned char timestamp[16];     /* 16 - 31 timestamp                 */
+       unsigned long long reserved1;    /* 32 -Reserved                      */
+       unsigned long long reserved2;    /*                                   */
+@@ -287,14 +289,11 @@ static inline unsigned long sample_rate_
+       return USEC_PER_SEC * qsi->cpu_speed / rate;
+ }
+-#define SDB_TE_ALERT_REQ_MASK 0x4000000000000000UL
+-#define SDB_TE_BUFFER_FULL_MASK 0x8000000000000000UL
+-
+ /* Return TOD timestamp contained in an trailer entry */
+ static inline unsigned long long trailer_timestamp(struct hws_trailer_entry *te)
+ {
+       /* TOD in STCKE format */
+-      if (te->t)
++      if (te->header.t)
+               return *((unsigned long long *) &te->timestamp[1]);
+       /* TOD in STCK format */
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -163,14 +163,15 @@ static void free_sampling_buffer(struct
+ static int alloc_sample_data_block(unsigned long *sdbt, gfp_t gfp_flags)
+ {
+-      unsigned long sdb, *trailer;
++      struct hws_trailer_entry *te;
++      unsigned long sdb;
+       /* Allocate and initialize sample-data-block */
+       sdb = get_zeroed_page(gfp_flags);
+       if (!sdb)
+               return -ENOMEM;
+-      trailer = trailer_entry_ptr(sdb);
+-      *trailer = SDB_TE_ALERT_REQ_MASK;
++      te = (struct hws_trailer_entry *)trailer_entry_ptr(sdb);
++      te->header.a = 1;
+       /* Link SDB into the sample-data-block-table */
+       *sdbt = sdb;
+@@ -1206,7 +1207,7 @@ static void hw_collect_samples(struct pe
+                                           "%s: Found unknown"
+                                           " sampling data entry: te->f %i"
+                                           " basic.def %#4x (%p)\n", __func__,
+-                                          te->f, sample->def, sample);
++                                          te->header.f, sample->def, sample);
+                       /* Sample slot is not yet written or other record.
+                        *
+                        * This condition can occur if the buffer was reused
+@@ -1217,7 +1218,7 @@ static void hw_collect_samples(struct pe
+                        * that are not full.  Stop processing if the first
+                        * invalid format was detected.
+                        */
+-                      if (!te->f)
++                      if (!te->header.f)
+                               break;
+               }
+@@ -1227,6 +1228,16 @@ static void hw_collect_samples(struct pe
+       }
+ }
++static inline __uint128_t __cdsg(__uint128_t *ptr, __uint128_t old, __uint128_t new)
++{
++      asm volatile(
++              "       cdsg    %[old],%[new],%[ptr]\n"
++              : [old] "+d" (old), [ptr] "+QS" (*ptr)
++              : [new] "d" (new)
++              : "memory", "cc");
++      return old;
++}
++
+ /* hw_perf_event_update() - Process sampling buffer
+  * @event:    The perf event
+  * @flush_all:        Flag to also flush partially filled sample-data-blocks
+@@ -1243,10 +1254,11 @@ static void hw_collect_samples(struct pe
+  */
+ static void hw_perf_event_update(struct perf_event *event, int flush_all)
+ {
++      unsigned long long event_overflow, sampl_overflow, num_sdb;
++      union hws_trailer_header old, prev, new;
+       struct hw_perf_event *hwc = &event->hw;
+       struct hws_trailer_entry *te;
+       unsigned long *sdbt;
+-      unsigned long long event_overflow, sampl_overflow, num_sdb, te_flags;
+       int done;
+       /*
+@@ -1266,25 +1278,25 @@ static void hw_perf_event_update(struct
+               te = (struct hws_trailer_entry *) trailer_entry_ptr(*sdbt);
+               /* Leave loop if no more work to do (block full indicator) */
+-              if (!te->f) {
++              if (!te->header.f) {
+                       done = 1;
+                       if (!flush_all)
+                               break;
+               }
+               /* Check the sample overflow count */
+-              if (te->overflow)
++              if (te->header.overflow)
+                       /* Account sample overflows and, if a particular limit
+                        * is reached, extend the sampling buffer.
+                        * For details, see sfb_account_overflows().
+                        */
+-                      sampl_overflow += te->overflow;
++                      sampl_overflow += te->header.overflow;
+               /* Timestamps are valid for full sample-data-blocks only */
+               debug_sprintf_event(sfdbg, 6, "%s: sdbt %#lx "
+                                   "overflow %llu timestamp %#llx\n",
+-                                  __func__, (unsigned long)sdbt, te->overflow,
+-                                  (te->f) ? trailer_timestamp(te) : 0ULL);
++                                  __func__, (unsigned long)sdbt, te->header.overflow,
++                                  (te->header.f) ? trailer_timestamp(te) : 0ULL);
+               /* Collect all samples from a single sample-data-block and
+                * flag if an (perf) event overflow happened.  If so, the PMU
+@@ -1294,12 +1306,16 @@ static void hw_perf_event_update(struct
+               num_sdb++;
+               /* Reset trailer (using compare-double-and-swap) */
++              /* READ_ONCE() 16 byte header */
++              prev.val = __cdsg(&te->header.val, 0, 0);
+               do {
+-                      te_flags = te->flags & ~SDB_TE_BUFFER_FULL_MASK;
+-                      te_flags |= SDB_TE_ALERT_REQ_MASK;
+-              } while (!cmpxchg_double(&te->flags, &te->overflow,
+-                                       te->flags, te->overflow,
+-                                       te_flags, 0ULL));
++                      old.val = prev.val;
++                      new.val = prev.val;
++                      new.f = 0;
++                      new.a = 1;
++                      new.overflow = 0;
++                      prev.val = __cdsg(&te->header.val, old.val, new.val);
++              } while (prev.val != old.val);
+               /* Advance to next sample-data-block */
+               sdbt++;
+@@ -1384,7 +1400,7 @@ static void aux_output_end(struct perf_o
+       range_scan = AUX_SDB_NUM_ALERT(aux);
+       for (i = 0, idx = aux->head; i < range_scan; i++, idx++) {
+               te = aux_sdb_trailer(aux, idx);
+-              if (!(te->flags & SDB_TE_BUFFER_FULL_MASK))
++              if (!te->header.f)
+                       break;
+       }
+       /* i is num of SDBs which are full */
+@@ -1392,7 +1408,7 @@ static void aux_output_end(struct perf_o
+       /* Remove alert indicators in the buffer */
+       te = aux_sdb_trailer(aux, aux->alert_mark);
+-      te->flags &= ~SDB_TE_ALERT_REQ_MASK;
++      te->header.a = 0;
+       debug_sprintf_event(sfdbg, 6, "%s: SDBs %ld range %ld head %ld\n",
+                           __func__, i, range_scan, aux->head);
+@@ -1437,9 +1453,9 @@ static int aux_output_begin(struct perf_
+               idx = aux->empty_mark + 1;
+               for (i = 0; i < range_scan; i++, idx++) {
+                       te = aux_sdb_trailer(aux, idx);
+-                      te->flags &= ~(SDB_TE_BUFFER_FULL_MASK |
+-                                     SDB_TE_ALERT_REQ_MASK);
+-                      te->overflow = 0;
++                      te->header.f = 0;
++                      te->header.a = 0;
++                      te->header.overflow = 0;
+               }
+               /* Save the position of empty SDBs */
+               aux->empty_mark = aux->head + range - 1;
+@@ -1448,7 +1464,7 @@ static int aux_output_begin(struct perf_
+       /* Set alert indicator */
+       aux->alert_mark = aux->head + range/2 - 1;
+       te = aux_sdb_trailer(aux, aux->alert_mark);
+-      te->flags = te->flags | SDB_TE_ALERT_REQ_MASK;
++      te->header.a = 1;
+       /* Reset hardware buffer head */
+       head = AUX_SDB_INDEX(aux, aux->head);
+@@ -1475,14 +1491,17 @@ static int aux_output_begin(struct perf_
+ static bool aux_set_alert(struct aux_buffer *aux, unsigned long alert_index,
+                         unsigned long long *overflow)
+ {
+-      unsigned long long orig_overflow, orig_flags, new_flags;
++      union hws_trailer_header old, prev, new;
+       struct hws_trailer_entry *te;
+       te = aux_sdb_trailer(aux, alert_index);
++      /* READ_ONCE() 16 byte header */
++      prev.val = __cdsg(&te->header.val, 0, 0);
+       do {
+-              orig_flags = te->flags;
+-              *overflow = orig_overflow = te->overflow;
+-              if (orig_flags & SDB_TE_BUFFER_FULL_MASK) {
++              old.val = prev.val;
++              new.val = prev.val;
++              *overflow = old.overflow;
++              if (old.f) {
+                       /*
+                        * SDB is already set by hardware.
+                        * Abort and try to set somewhere
+@@ -1490,10 +1509,10 @@ static bool aux_set_alert(struct aux_buf
+                        */
+                       return false;
+               }
+-              new_flags = orig_flags | SDB_TE_ALERT_REQ_MASK;
+-      } while (!cmpxchg_double(&te->flags, &te->overflow,
+-                               orig_flags, orig_overflow,
+-                               new_flags, 0ULL));
++              new.a = 1;
++              new.overflow = 0;
++              prev.val = __cdsg(&te->header.val, old.val, new.val);
++      } while (prev.val != old.val);
+       return true;
+ }
+@@ -1522,8 +1541,9 @@ static bool aux_set_alert(struct aux_buf
+ static bool aux_reset_buffer(struct aux_buffer *aux, unsigned long range,
+                            unsigned long long *overflow)
+ {
+-      unsigned long long orig_overflow, orig_flags, new_flags;
+       unsigned long i, range_scan, idx, idx_old;
++      union hws_trailer_header old, prev, new;
++      unsigned long long orig_overflow;
+       struct hws_trailer_entry *te;
+       debug_sprintf_event(sfdbg, 6, "%s: range %ld head %ld alert %ld "
+@@ -1554,17 +1574,20 @@ static bool aux_reset_buffer(struct aux_
+       idx_old = idx = aux->empty_mark + 1;
+       for (i = 0; i < range_scan; i++, idx++) {
+               te = aux_sdb_trailer(aux, idx);
++              /* READ_ONCE() 16 byte header */
++              prev.val = __cdsg(&te->header.val, 0, 0);
+               do {
+-                      orig_flags = te->flags;
+-                      orig_overflow = te->overflow;
+-                      new_flags = orig_flags & ~SDB_TE_BUFFER_FULL_MASK;
++                      old.val = prev.val;
++                      new.val = prev.val;
++                      orig_overflow = old.overflow;
++                      new.f = 0;
++                      new.overflow = 0;
+                       if (idx == aux->alert_mark)
+-                              new_flags |= SDB_TE_ALERT_REQ_MASK;
++                              new.a = 1;
+                       else
+-                              new_flags &= ~SDB_TE_ALERT_REQ_MASK;
+-              } while (!cmpxchg_double(&te->flags, &te->overflow,
+-                                       orig_flags, orig_overflow,
+-                                       new_flags, 0ULL));
++                              new.a = 0;
++                      prev.val = __cdsg(&te->header.val, old.val, new.val);
++              } while (prev.val != old.val);
+               *overflow += orig_overflow;
+       }
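Review bot: The new `union hws_trailer_header` depends on the bit-field group plus `overflow` occupying exactly the same 16 bytes as `val`, and `__cdsg()` depends on that object being quadword aligned, but the patch checks neither. Adding `static_assert(sizeof(union hws_trailer_header) == 16);` next to the union would catch a layout change at build time. The comment `/* READ_ONCE() 16 byte header */` appears at three call sites (`hw_perf_event_update`, `aux_set_alert`, `aux_reset_buffer`) without explaining the idiom; `/* cdsg with old == new == 0 returns the current 16 bytes atomically and can only store zeros over zeros */` says why a compare-and-swap is used as a load. The plain bit-field stores in `aux_output_begin()` and `aux_output_end()`, such as `te->header.a = 0;`, remain non-atomic read-modify-write accesses to the trailer, as the masked `te->flags` updates were before. It is worth confirming that those paths cannot overlap with updates made through `__cdsg()`.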
diff --git a/queue-5.15/s390-kexec-fix-ipl-report-address-for-kdump.patch b/queue-5.15/s390-kexec-fix-ipl-report-address-for-kdump.patch
new file mode 100644 (file)
index 0000000..ae30475
--- /dev/null
@@ -0,0 +1,60 @@
+From c2337a40e04dde1692b5b0a46ecc59f89aaba8a1 Mon Sep 17 00:00:00 2001
+From: Alexander Egorenkov <egorenar@linux.ibm.com>
+Date: Mon, 14 Nov 2022 11:40:08 +0100
+Subject: s390/kexec: fix ipl report address for kdump
+
+From: Alexander Egorenkov <egorenar@linux.ibm.com>
+
+commit c2337a40e04dde1692b5b0a46ecc59f89aaba8a1 upstream.
+
+This commit addresses the following erroneous situation with file-based
+kdump executed on a system with a valid IPL report.
+
+On s390, a kdump kernel, its initrd and IPL report if present are loaded
+into a special and reserved on boot memory region - crashkernel. When
+a system crashes and kdump was activated before, the purgatory code
+is entered first which swaps the crashkernel and [0 - crashkernel size]
+memory regions. Only after that the kdump kernel is entered. For this
+reason, the pointer to an IPL report in lowcore must point to the IPL report
+after the swap and not to the address of the IPL report that was located in
+crashkernel memory region before the swap. Failing to do so, makes the
+kdump's decompressor try to read memory from the crashkernel memory region
+which already contains the production's kernel memory.
+
+The situation described above caused spontaneous kdump failures/hangs
+on systems where the Secure IPL is activated because on such systems
+an IPL report is always present. In that case kdump's decompressor tried
+to parse an IPL report which frequently lead to illegal memory accesses
+because an IPL report contains addresses to various data.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 99feaa717e55 ("s390/kexec_file: Create ipl report and pass to next kernel")
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Alexander Egorenkov <egorenar@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/machine_kexec_file.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kernel/machine_kexec_file.c
++++ b/arch/s390/kernel/machine_kexec_file.c
+@@ -185,8 +185,6 @@ static int kexec_file_add_ipl_report(str
+       data->memsz = ALIGN(data->memsz, PAGE_SIZE);
+       buf.mem = data->memsz;
+-      if (image->type == KEXEC_TYPE_CRASH)
+-              buf.mem += crashk_res.start;
+       ptr = (void *)ipl_cert_list_addr;
+       end = ptr + ipl_cert_list_size;
+@@ -223,6 +221,9 @@ static int kexec_file_add_ipl_report(str
+               data->kernel_buf + offsetof(struct lowcore, ipl_parmblock_ptr);
+       *lc_ipl_parmblock_ptr = (__u32)buf.mem;
++      if (image->type == KEXEC_TYPE_CRASH)
++              buf.mem += crashk_res.start;
++
+       ret = kexec_add_buffer(&buf);
+ out:
+       return ret;
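Review bot: Correctness now depends on statement order, because `*lc_ipl_parmblock_ptr = (__u32)buf.mem;` must run before `buf.mem += crashk_res.start;`, and nothing in the code says so. A comment above the moved `if`, for example `/* lowcore must hold the post-swap address; only the load address gets the crashkernel offset */`, would keep a later cleanup from hoisting the adjustment back up. The `(__u32)` cast also truncates silently; the value comes from `data->memsz` in the first hunk, and whether it is bounded below 4 GiB is not visible here. `kexec_file_add_ipl_report()` starts outside both hunks.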
diff --git a/queue-5.15/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch b/queue-5.15/s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch
new file mode 100644 (file)
index 0000000..99c0ce2
--- /dev/null
@@ -0,0 +1,32 @@
+From e3f360db08d55a14112bd27454e616a24296a8b0 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Mon, 9 Jan 2023 11:51:20 +0100
+Subject: s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple()
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+commit e3f360db08d55a14112bd27454e616a24296a8b0 upstream.
+
+Make sure that *ptr__ within arch_this_cpu_to_op_simple() is only
+dereferenced once by using READ_ONCE(). Otherwise the compiler could
+generate incorrect code.
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/percpu.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/include/asm/percpu.h
++++ b/arch/s390/include/asm/percpu.h
+@@ -31,7 +31,7 @@
+       pcp_op_T__ *ptr__;                                              \
+       preempt_disable_notrace();                                      \
+       ptr__ = raw_cpu_ptr(&(pcp));                                    \
+-      prev__ = *ptr__;                                                \
++      prev__ = READ_ONCE(*ptr__);                                     \
+       do {                                                            \
+               old__ = prev__;                                         \
+               new__ = old__ op (val);                                 \
diff --git a/queue-5.15/selftests-kvm-fix-a-compile-error-in-selftests-kvm-rseq_test.c.patch b/queue-5.15/selftests-kvm-fix-a-compile-error-in-selftests-kvm-rseq_test.c.patch
new file mode 100644 (file)
index 0000000..cb30e01
--- /dev/null
@@ -0,0 +1,48 @@
+From 561cafebb2cf97b0927b4fb0eba22de6200f682e Mon Sep 17 00:00:00 2001
+From: Jinrong Liang <cloudliang@tencent.com>
+Date: Tue, 2 Aug 2022 15:12:40 +0800
+Subject: selftests: kvm: Fix a compile error in selftests/kvm/rseq_test.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jinrong Liang <cloudliang@tencent.com>
+
+commit 561cafebb2cf97b0927b4fb0eba22de6200f682e upstream.
+
+The following warning appears when executing:
+       make -C tools/testing/selftests/kvm
+
+rseq_test.c: In function ‘main’:
+rseq_test.c:237:33: warning: implicit declaration of function ‘gettid’; did you mean ‘getgid’? [-Wimplicit-function-declaration]
+          (void *)(unsigned long)gettid());
+                                 ^~~~~~
+                                 getgid
+/usr/bin/ld: /tmp/ccr5mMko.o: in function `main':
+../kvm/tools/testing/selftests/kvm/rseq_test.c:237: undefined reference to `gettid'
+collect2: error: ld returned 1 exit status
+make: *** [../lib.mk:173: ../kvm/tools/testing/selftests/kvm/rseq_test] Error 1
+
+Use the more compatible syscall(SYS_gettid) instead of gettid() to fix it.
+More subsequent reuse may cause it to be wrapped in a lib file.
+
+Signed-off-by: Jinrong Liang <cloudliang@tencent.com>
+Message-Id: <20220802071240.84626-1-cloudliang@tencent.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/kvm/rseq_test.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/kvm/rseq_test.c
++++ b/tools/testing/selftests/kvm/rseq_test.c
+@@ -233,7 +233,7 @@ int main(int argc, char *argv[])
+       ucall_init(vm, NULL);
+       pthread_create(&migration_thread, NULL, migration_worker,
+-                     (void *)(unsigned long)gettid());
++                     (void *)(unsigned long)syscall(SYS_gettid));
+       for (i = 0; !done; i++) {
+               vcpu_run(vm, VCPU_ID);
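Review bot: `syscall(SYS_gettid)` needs the prototype from `<unistd.h>` and the `SYS_gettid` definition from `<sys/syscall.h>`, and this hunk adds no include. The 5.15 copy of `rseq_test.c` should be checked to have both already, otherwise the backport trades one implicit-declaration warning for another. `syscall()` returns `long` and reports failure as -1, which the cast chain `(void *)(unsigned long)` would pass to `migration_worker` unchanged. `main()` extends beyond the hunk on both sides.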
diff --git a/queue-5.15/series b/queue-5.15/series
new file mode 100644 (file)
index 0000000..d12b63b
--- /dev/null
@@ -0,0 +1,17 @@
+netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch
+alsa-control-led-use-strscpy-in-set_led_id.patch
+alsa-hda-realtek-turn-on-power-early.patch
+alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch
+kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch
+kvm-arm64-nvhe-fix-build-with-profile-optimization.patch
+selftests-kvm-fix-a-compile-error-in-selftests-kvm-rseq_test.c.patch
+efi-tpm-avoid-read_once-for-accessing-the-event-log.patch
+docs-fix-the-docs-build-with-sphinx-6.0.patch
+net-stmmac-add-aux-timestamps-fifo-clearance-wait.patch
+perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch
+s390-kexec-fix-ipl-report-address-for-kdump.patch
+asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch
+s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch
+s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch
+drm-virtio-fix-gem-handle-creation-uaf.patch
+drm-i915-gt-reset-twice.patch