--- /dev/null
+From 211de93367304ab395357f8cb12568a4d1e20701 Mon Sep 17 00:00:00 2001
+From: Boris Burkov <boris@bur.io>
+Date: Thu, 21 Mar 2024 10:18:39 -0700
+Subject: btrfs: qgroup: convert PREALLOC to PERTRANS after record_root_in_trans
+
+From: Boris Burkov <boris@bur.io>
+
+commit 211de93367304ab395357f8cb12568a4d1e20701 upstream.
+
+The transaction is only able to free PERTRANS reservations for a root
+once that root has been recorded with the TRANS tag on the roots radix
+tree. Therefore, until we are sure that this root will get tagged, it
+isn't safe to convert. Generally, this is not an issue as *some*
+transaction will likely tag the root before long and this reservation
+will get freed in that transaction, but technically it could stick
+around until unmount and result in a warning about leaked metadata
+reservation space.
+
+This path is most exercised by running the generic/269 fstest with
+CONFIG_BTRFS_DEBUG.
+
+Fixes: a6496849671a ("btrfs: fix start transaction qgroup rsv double free")
+CC: stable@vger.kernel.org # 6.6+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Boris Burkov <boris@bur.io>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/transaction.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -700,14 +700,6 @@ again:
+ h->reloc_reserved = reloc_reserved;
+ }
+
+- /*
+- * Now that we have found a transaction to be a part of, convert the
+- * qgroup reservation from prealloc to pertrans. A different transaction
+- * can't race in and free our pertrans out from under us.
+- */
+- if (qgroup_reserved)
+- btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved);
+-
+ got_it:
+ if (!current->journal_info)
+ current->journal_info = h;
+@@ -741,8 +733,15 @@ got_it:
+ * not just freed.
+ */
+ btrfs_end_transaction(h);
+- return ERR_PTR(ret);
++ goto reserve_fail;
+ }
++ /*
++ * Now that we have found a transaction to be a part of, convert the
++ * qgroup reservation from prealloc to pertrans. A different transaction
++ * can't race in and free our pertrans out from under us.
++ */
++ if (qgroup_reserved)
++ btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved);
+
+ return h;
+
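Review bot: The new `goto reserve_fail` in the failure branch replaces a direct `return ERR_PTR(ret)`, and because the conversion now happens only after that branch, the qgroup reservation is still PREALLOC when the jump is taken; whether `reserve_fail` (outside the hunk) releases it cannot be seen here, so a one-line comment at the goto would make the intent explicit, e.g. `/* qgroup rsv is still PREALLOC at this point; reserve_fail drops it */`. The comment block above the relocated convert call could also state that the root has been recorded in the transaction by now, since that ordering is the entire reason for the move. The enclosing function starts and ends outside this hunk.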
--- /dev/null
+From 141fb8cd206ace23c02cd2791c6da52c1d77d42a Mon Sep 17 00:00:00 2001
+From: Boris Burkov <boris@bur.io>
+Date: Tue, 19 Mar 2024 10:54:22 -0700
+Subject: btrfs: qgroup: correctly model root qgroup rsv in convert
+
+From: Boris Burkov <boris@bur.io>
+
+commit 141fb8cd206ace23c02cd2791c6da52c1d77d42a upstream.
+
+We use add_root_meta_rsv and sub_root_meta_rsv to track prealloc and
+pertrans reservations for subvolumes when quotas are enabled. The
+convert function does not properly increment pertrans after decrementing
+prealloc, so the count is not accurate.
+
+Note: we check that the fs is not read-only to mirror the logic in
+qgroup_convert_meta, which checks that before adding to the pertrans rsv.
+
+Fixes: 8287475a2055 ("btrfs: qgroup: Use root::qgroup_meta_rsv_* to record qgroup meta reserved space")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Boris Burkov <boris@bur.io>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/qgroup.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -4154,6 +4154,8 @@ void btrfs_qgroup_convert_reserved_meta(
+ BTRFS_QGROUP_RSV_META_PREALLOC);
+ trace_qgroup_meta_convert(root, num_bytes);
+ qgroup_convert_meta(fs_info, root->root_key.objectid, num_bytes);
++ if (!sb_rdonly(fs_info->sb))
++ add_root_meta_rsv(root, num_bytes, BTRFS_QGROUP_RSV_META_PERTRANS);
+ }
+
+ /*
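Review bot: The added `add_root_meta_rsv()` for PERTRANS is guarded by `!sb_rdonly(fs_info->sb)` while the PREALLOC decrement whose tail is visible at the top of the hunk appears unconditional, so on a read-only fs the conversion lowers one root counter without raising the other; the commit message explains this mirrors `qgroup_convert_meta()`, but nothing in the code says so. A comment on the new branch would stop the next reader from "fixing" the asymmetry: `/* qgroup_convert_meta() only moves bytes to pertrans on a writable fs; keep the root counters consistent with it. */`. `btrfs_qgroup_convert_reserved_meta` starts outside this hunk.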
--- /dev/null
+From 71537e35c324ea6fbd68377a4f26bb93a831ae35 Mon Sep 17 00:00:00 2001
+From: Boris Burkov <boris@bur.io>
+Date: Thu, 21 Mar 2024 10:14:24 -0700
+Subject: btrfs: record delayed inode root in transaction
+
+From: Boris Burkov <boris@bur.io>
+
+commit 71537e35c324ea6fbd68377a4f26bb93a831ae35 upstream.
+
+When running delayed inode updates, we do not record the inode's root in
+the transaction, but we do allocate PREALLOC and thus converted PERTRANS
+space for it. To be sure we free that PERTRANS meta rsv, we must ensure
+that we record the root in the transaction.
+
+Fixes: 4f5427ccce5d ("btrfs: delayed-inode: Use new qgroup meta rsv for delayed inode and item")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Boris Burkov <boris@bur.io>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/delayed-inode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/btrfs/delayed-inode.c
++++ b/fs/btrfs/delayed-inode.c
+@@ -1115,6 +1115,9 @@ __btrfs_commit_inode_delayed_items(struc
+ if (ret)
+ return ret;
+
++ ret = btrfs_record_root_in_trans(trans, node->root);
++ if (ret)
++ return ret;
+ ret = btrfs_update_delayed_inode(trans, node->root, path, node);
+ return ret;
+ }
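Review bot: The new `btrfs_record_root_in_trans()` call gives no hint at the site why recording the root is needed here; a short comment tying it to the reservation accounting from the commit message would help, e.g. `/* Record the root so the PERTRANS qgroup rsv converted for this inode is freed by the transaction. */`. The early `return ret;` follows the pattern of the existing check above it, so presumably `path` is owned by the caller; if it were allocated in this function both returns would leak it, which cannot be confirmed from the hunk. Unlike the check above, the new block has no blank line separating it from the `btrfs_update_delayed_inode()` call. `__btrfs_commit_inode_delayed_items` begins outside this hunk.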
--- /dev/null
+From 8bdfb4ea95ca738d33ef71376c21eba20130f2eb Mon Sep 17 00:00:00 2001
+From: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+Date: Tue, 26 Mar 2024 15:32:46 -0400
+Subject: drm/amdkfd: Reset GPU on queue preemption failure
+
+From: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+
+commit 8bdfb4ea95ca738d33ef71376c21eba20130f2eb upstream.
+
+Currently, with F32 HWS GPU reset is only when unmap queue fails.
+
+However, if a compute queue doesn't respond to the preemption request in time
+unmap will return without any error. In this case, only preemption error
+is logged and Reset is not triggered. Call GPU reset in this case also.
+
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+Reviewed-by: Mukul Joshi <mukul.joshi@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+@@ -1805,6 +1805,7 @@ static int unmap_queues_cpsch(struct dev
+ pr_err("HIQ MQD's queue_doorbell_id0 is not 0, Queue preemption time out\n");
+ while (halt_if_hws_hang)
+ schedule();
++ kfd_hws_hang(dqm);
+ return -ETIME;
+ }
+
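Review bot: `kfd_hws_hang(dqm)` is placed after the `while (halt_if_hws_hang) schedule();` loop, so when the debug halt is enabled the reset is never scheduled; that is presumably intended (halt for inspection instead of resetting) but deserves a comment, e.g. `/* halt for debugging if requested, otherwise reset the GPU */`. If `kfd_hws_hang()` itself already spins on `halt_if_hws_hang` for the unmap-failure case, the loop here becomes redundant and could be dropped; its body is outside the hunk. `unmap_queues_cpsch` starts and ends outside this hunk.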
--- /dev/null
+From bc004f5038220b1891ef4107134ccae44be55109 Mon Sep 17 00:00:00 2001
+From: Jammy Huang <jammy_huang@aspeedtech.com>
+Date: Wed, 3 Apr 2024 17:02:46 +0800
+Subject: drm/ast: Fix soft lockup
+
+From: Jammy Huang <jammy_huang@aspeedtech.com>
+
+commit bc004f5038220b1891ef4107134ccae44be55109 upstream.
+
+There is a while-loop in ast_dp_set_on_off() that could lead to
+infinite-loop. This is because the register, VGACRI-Dx, checked in
+this API is a scratch register actually controlled by a MCU, named
+DPMCU, in BMC.
+
+These scratch registers are protected by scu-lock. If scu-lock is not
+off, DPMCU can not update these registers and then host will have soft
+lockup due to never updated status.
+
+DPMCU is used to control DP and relative registers to handshake with
+host's VGA driver. Even the most time-consuming task, DP's link
+training, is less than 100ms. 200ms should be enough.
+
+Signed-off-by: Jammy Huang <jammy_huang@aspeedtech.com>
+Fixes: 594e9c04b586 ("drm/ast: Create the driver for ASPEED proprietory Display-Port")
+Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: KuoHsiang Chou <kuohsiang_chou@aspeedtech.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Jocelyn Falempe <jfalempe@redhat.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v5.19+
+Link: https://patchwork.freedesktop.org/patch/msgid/20240403090246.1495487-1-jammy_huang@aspeedtech.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/ast/ast_dp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/ast/ast_dp.c
++++ b/drivers/gpu/drm/ast/ast_dp.c
+@@ -190,6 +190,7 @@ void ast_dp_set_on_off(struct drm_device
+ {
+ struct ast_private *ast = to_ast_private(dev);
+ u8 video_on_off = on;
++ u32 i = 0;
+
+ // Video On/Off
+ ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xE3, (u8) ~AST_DP_VIDEO_ENABLE, on);
+@@ -202,6 +203,8 @@ void ast_dp_set_on_off(struct drm_device
+ ASTDP_MIRROR_VIDEO_ENABLE) != video_on_off) {
+ // wait 1 ms
+ mdelay(1);
++ if (++i > 200)
++ break;
+ }
+ }
+ }
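Review bot: The new `if (++i > 200) break;` bounds the wait but leaves no trace when the DPMCU never acknowledges the video on/off change, so a caller cannot tell success from timeout; a `drm_warn(dev, "DPMCU did not ack video on/off within 200 ms\n");` before the `break` would make the hang the commit describes visible in logs. The 200 is also a magic number that now encodes the link-training budget from the commit message; naming it in the file's existing constant style documents that. With the bound, the loop is a 200 ms `mdelay()` busy-wait in the worst case, so `msleep(1)` may be preferable if this path is never reached from atomic context — cannot be verified here. The counter is introduced in the preceding hunk, where `ast_dp_set_on_off` opens.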
--- /dev/null
+From 3eadd887dbac1df8f25f701e5d404d1b90fd0fea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Thu, 4 Apr 2024 23:33:25 +0300
+Subject: drm/client: Fully protect modes[] with dev->mode_config.mutex
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 3eadd887dbac1df8f25f701e5d404d1b90fd0fea upstream.
+
+The modes[] array contains pointers to modes on the connectors'
+mode lists, which are protected by dev->mode_config.mutex.
+Thus we need to extend modes[] the same protection or by the
+time we use it the elements may already be pointing to
+freed/reused memory.
+
+Cc: stable@vger.kernel.org
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240404203336.10454-2-ville.syrjala@linux.intel.com
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_client_modeset.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_client_modeset.c
++++ b/drivers/gpu/drm/drm_client_modeset.c
+@@ -781,6 +781,7 @@ int drm_client_modeset_probe(struct drm_
+ unsigned int total_modes_count = 0;
+ struct drm_client_offset *offsets;
+ unsigned int connector_count = 0;
++ /* points to modes protected by mode_config.mutex */
+ struct drm_display_mode **modes;
+ struct drm_crtc **crtcs;
+ int i, ret = 0;
+@@ -849,7 +850,6 @@ int drm_client_modeset_probe(struct drm_
+ drm_client_pick_crtcs(client, connectors, connector_count,
+ crtcs, modes, 0, width, height);
+ }
+- mutex_unlock(&dev->mode_config.mutex);
+
+ drm_client_modeset_release(client);
+
+@@ -879,6 +879,7 @@ int drm_client_modeset_probe(struct drm_
+ modeset->y = offset->y;
+ }
+ }
++ mutex_unlock(&dev->mode_config.mutex);
+
+ mutex_unlock(&client->modeset_mutex);
+ out:
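Review bot: Moving `mutex_unlock(&dev->mode_config.mutex)` to just before `mutex_unlock(&client->modeset_mutex)` means `mode_config.mutex` is now held across `drm_client_modeset_release()` and the modeset build, and presumably across the acquisition of `client->modeset_mutex`; that nesting order must match every other path taking both locks or lockdep will report an inversion, which is not visible from the hunk. Any `goto out` between the old and new unlock sites (the region between the second and third hunks is not shown) must now also drop `mode_config.mutex`, otherwise an error return leaves it held. A comment at the new unlock, e.g. `/* modes[] is not used past this point; connector mode lists may change again */`, would document why the unlock lives here. `drm_client_modeset_probe` starts outside this hunk.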
--- /dev/null
+From dcd8992e47f13afb5c11a61e8d9c141c35e23751 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Fri, 5 Apr 2024 00:34:29 +0300
+Subject: drm/i915/vrr: Disable VRR when using bigjoiner
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit dcd8992e47f13afb5c11a61e8d9c141c35e23751 upstream.
+
+All joined pipes share the same transcoder/timing generator.
+Currently we just do the commits per-pipe, which doesn't really
+work if we need to change switch between non-VRR and VRR timings
+generators on the fly, or even when sending the push to the
+transcoder. For now just disable VRR when bigjoiner is needed.
+
+Cc: stable@vger.kernel.org
+Tested-by: Vidya Srinivas <vidya.srinivas@intel.com>
+Reviewed-by: Vandita Kulkarni <vandita.kulkarni@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240404213441.17637-6-ville.syrjala@linux.intel.com
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+(cherry picked from commit f9d5e51db65652dbd8a2102fd7619440e3599fd2)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_vrr.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/i915/display/intel_vrr.c
++++ b/drivers/gpu/drm/i915/display/intel_vrr.c
+@@ -110,6 +110,13 @@ intel_vrr_compute_config(struct intel_cr
+ if (!intel_vrr_is_capable(connector))
+ return;
+
++ /*
++ * FIXME all joined pipes share the same transcoder.
++ * Need to account for that during VRR toggle/push/etc.
++ */
++ if (crtc_state->bigjoiner_pipes)
++ return;
++
+ if (adjusted_mode->flags & DRM_MODE_FLAG_INTERLACE)
+ return;
+
--- /dev/null
+From 4fe82aedeb8a8cb09bfa60f55ab57b5c10a74ac4 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Mon, 8 Apr 2024 18:11:09 +0100
+Subject: io_uring/net: restore msg_control on sendzc retry
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 4fe82aedeb8a8cb09bfa60f55ab57b5c10a74ac4 upstream.
+
+cac9e4418f4cb ("io_uring/net: save msghdr->msg_control for retries")
+reinstates msg_control before every __sys_sendmsg_sock(), since the
+function can overwrite the value in msghdr. We need to do same for
+zerocopy sendmsg.
+
+Cc: stable@vger.kernel.org
+Fixes: 493108d95f146 ("io_uring/net: zerocopy sendmsg")
+Link: https://github.com/axboe/liburing/issues/1067
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/cc1d5d9df0576fa66ddad4420d240a98a020b267.1712596179.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -1229,6 +1229,7 @@ int io_sendmsg_zc(struct io_kiocb *req,
+
+ if (req_has_async_data(req)) {
+ kmsg = req->async_data;
++ kmsg->msg.msg_control_user = sr->msg_control;
+ } else {
+ ret = io_sendmsg_copy_hdr(req, &iomsg);
+ if (ret)
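Review bot: The added `kmsg->msg.msg_control_user = sr->msg_control;` restores a field that `__sys_sendmsg_sock()` may overwrite, but nothing at the site says so, which is how this retry path came to omit it in the first place. A comment such as `/* __sys_sendmsg_sock() may clobber msg_control; restore it before every retry */` would record the invariant. If `io_sendmsg()` now carries the same line, a small shared helper would remove the duplication; `io_sendmsg` is outside the hunk. `io_sendmsg_zc` starts and ends outside this hunk.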
--- /dev/null
+From 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8 Mon Sep 17 00:00:00 2001
+From: Zheng Yejian <zhengyejian1@huawei.com>
+Date: Wed, 10 Apr 2024 09:58:02 +0800
+Subject: kprobes: Fix possible use-after-free issue on kprobe registration
+
+From: Zheng Yejian <zhengyejian1@huawei.com>
+
+commit 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8 upstream.
+
+When unloading a module, its state is changing MODULE_STATE_LIVE ->
+ MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take
+a time. `is_module_text_address()` and `__module_text_address()`
+works with MODULE_STATE_LIVE and MODULE_STATE_GOING.
+If we use `is_module_text_address()` and `__module_text_address()`
+separately, there is a chance that the first one succeeds but the
+next one fails because module->state becomes MODULE_STATE_UNFORMED
+between those operations.
+
+In `check_kprobe_address_safe()`, if the second `__module_text_address()`
+is failed, that is ignored because it expected a kernel_text address.
+But it may have failed simply because module->state has been changed
+to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify
+non-exist module text address (use-after-free).
+
+To fix this problem, we should not use separated `is_module_text_address()`
+and `__module_text_address()`, but use only `__module_text_address()`
+once and do `try_module_get(module)` which is only available with
+MODULE_STATE_LIVE.
+
+Link: https://lore.kernel.org/all/20240410015802.265220-1-zhengyejian1@huawei.com/
+
+Fixes: 28f6c37a2910 ("kprobes: Forbid probing on trampoline and BPF code areas")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kprobes.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1567,10 +1567,17 @@ static int check_kprobe_address_safe(str
+ jump_label_lock();
+ preempt_disable();
+
+- /* Ensure it is not in reserved area nor out of text */
+- if (!(core_kernel_text((unsigned long) p->addr) ||
+- is_module_text_address((unsigned long) p->addr)) ||
+- in_gate_area_no_mm((unsigned long) p->addr) ||
++ /* Ensure the address is in a text area, and find a module if exists. */
++ *probed_mod = NULL;
++ if (!core_kernel_text((unsigned long) p->addr)) {
++ *probed_mod = __module_text_address((unsigned long) p->addr);
++ if (!(*probed_mod)) {
++ ret = -EINVAL;
++ goto out;
++ }
++ }
++ /* Ensure it is not in reserved area. */
++ if (in_gate_area_no_mm((unsigned long) p->addr) ||
+ within_kprobe_blacklist((unsigned long) p->addr) ||
+ jump_label_text_reserved(p->addr, p->addr) ||
+ static_call_text_reserved(p->addr, p->addr) ||
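Review bot: The new `goto out` after `__module_text_address()` fails is taken with `jump_label_lock()` and `preempt_disable()` in effect, so correctness depends on the `out:` label (outside the hunk) undoing both; the pre-existing `goto out` in the following hunk suggests it does, but it is worth confirming. The comment `/* Ensure the address is in a text area, and find a module if exists. */` reads awkwardly; `/* Ensure the address is in core kernel or module text and, for the latter, remember the owning module. */` says the same thing. `if (!(*probed_mod))` can be written `if (!*probed_mod)`. `check_kprobe_address_safe` starts and ends outside this hunk.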
+@@ -1580,8 +1587,7 @@ static int check_kprobe_address_safe(str
+ goto out;
+ }
+
+- /* Check if 'p' is probing a module. */
+- *probed_mod = __module_text_address((unsigned long) p->addr);
++ /* Get module refcount and reject __init functions for loaded modules. */
+ if (*probed_mod) {
+ /*
+ * We must hold a refcount of the probed module while updating
--- /dev/null
+From dec8ced871e17eea46f097542dd074d022be4bd1 Mon Sep 17 00:00:00 2001
+From: Namhyung Kim <namhyung@kernel.org>
+Date: Tue, 5 Mar 2024 22:10:03 -0800
+Subject: perf/x86: Fix out of range data
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+commit dec8ced871e17eea46f097542dd074d022be4bd1 upstream.
+
+On x86 each struct cpu_hw_events maintains a table for counter assignment, but
+it was not updated for the deleted event in x86_pmu_del(). This
+can make perf_clear_dirty_counters() reset used counter if it's called
+before event scheduling or enabling. Then it would return out of range
+data which doesn't make sense.
+
+The following code can reproduce the problem.
+
+ $ cat repro.c
+ #include <pthread.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <linux/perf_event.h>
+ #include <sys/ioctl.h>
+ #include <sys/mman.h>
+ #include <sys/syscall.h>
+
+ struct perf_event_attr attr = {
+ .type = PERF_TYPE_HARDWARE,
+ .config = PERF_COUNT_HW_CPU_CYCLES,
+ .disabled = 1,
+ };
+
+ void *worker(void *arg)
+ {
+ int cpu = (long)arg;
+ int fd1 = syscall(SYS_perf_event_open, &attr, -1, cpu, -1, 0);
+ int fd2 = syscall(SYS_perf_event_open, &attr, -1, cpu, -1, 0);
+ void *p;
+
+ do {
+ ioctl(fd1, PERF_EVENT_IOC_ENABLE, 0);
+ p = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd1, 0);
+ ioctl(fd2, PERF_EVENT_IOC_ENABLE, 0);
+
+ ioctl(fd2, PERF_EVENT_IOC_DISABLE, 0);
+ munmap(p, 4096);
+ ioctl(fd1, PERF_EVENT_IOC_DISABLE, 0);
+ } while (1);
+
+ return NULL;
+ }
+
+ int main(void)
+ {
+ int i;
+ int n = sysconf(_SC_NPROCESSORS_ONLN);
+ pthread_t *th = calloc(n, sizeof(*th));
+
+ for (i = 0; i < n; i++)
+ pthread_create(&th[i], NULL, worker, (void *)(long)i);
+ for (i = 0; i < n; i++)
+ pthread_join(th[i], NULL);
+
+ free(th);
+ return 0;
+ }
+
+And you can see the out of range data using perf stat like this.
+Probably it'd be easier to see on a large machine.
+
+ $ gcc -o repro repro.c -pthread
+ $ ./repro &
+ $ sudo perf stat -A -I 1000 2>&1 | awk '{ if (length($3) > 15) print }'
+ 1.001028462 CPU6 196,719,295,683,763 cycles # 194290.996 GHz (71.54%)
+ 1.001028462 CPU3 396,077,485,787,730 branch-misses # 15804359784.80% of all branches (71.07%)
+ 1.001028462 CPU17 197,608,350,727,877 branch-misses # 14594186554.56% of all branches (71.22%)
+ 2.020064073 CPU4 198,372,472,612,140 cycles # 194681.113 GHz (70.95%)
+ 2.020064073 CPU6 199,419,277,896,696 cycles # 195720.007 GHz (70.57%)
+ 2.020064073 CPU20 198,147,174,025,639 cycles # 194474.654 GHz (71.03%)
+ 2.020064073 CPU20 198,421,240,580,145 stalled-cycles-frontend # 100.14% frontend cycles idle (70.93%)
+ 3.037443155 CPU4 197,382,689,923,416 cycles # 194043.065 GHz (71.30%)
+ 3.037443155 CPU20 196,324,797,879,414 cycles # 193003.773 GHz (71.69%)
+ 3.037443155 CPU5 197,679,956,608,205 stalled-cycles-backend # 1315606428.66% backend cycles idle (71.19%)
+ 3.037443155 CPU5 198,571,860,474,851 instructions # 13215422.58 insn per cycle
+
+It should move the contents in the cpuc->assign as well.
+
+Fixes: 5471eea5d3bf ("perf/x86: Reset the dirty counter to prevent the leak for an RDPMC task")
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240306061003.1894224-1-namhyung@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -1644,6 +1644,7 @@ static void x86_pmu_del(struct perf_even
+ while (++i < cpuc->n_events) {
+ cpuc->event_list[i-1] = cpuc->event_list[i];
+ cpuc->event_constraint[i-1] = cpuc->event_constraint[i];
++ cpuc->assign[i-1] = cpuc->assign[i];
+ }
+ cpuc->event_constraint[i-1] = NULL;
+ --cpuc->n_events;
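Review bot: The compaction loop now shifts `cpuc->assign[]` along with `event_list[]` and `event_constraint[]`, but only `event_constraint[i-1]` is cleared after the loop, so `assign[i-1]` keeps the last event's counter index as a stale duplicate. `n_events` is decremented immediately after, so readers bounded by it should never see that slot, but if anything walks `assign[]` past `n_events` a clearing store matching the `event_constraint` one — using whatever value the scheduler treats as unassigned — would remove the doubt. `x86_pmu_del` starts and ends outside this hunk.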
tracing-fix-ftrace_record_recursion_size-kconfig-ent.patch
tracing-hide-unused-ftrace_event_id_fops.patch
iommu-vt-d-allocate-local-memory-for-page-request-qu.patch
+btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch
+btrfs-record-delayed-inode-root-in-transaction.patch
+btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch
+io_uring-net-restore-msg_control-on-sendzc-retry.patch
+kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch
+drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch
+drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch
+drm-ast-fix-soft-lockup.patch
+drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch
+vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch
+vhost-add-smp_rmb-in-vhost_enable_notify.patch
+perf-x86-fix-out-of-range-data.patch
+x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch
--- /dev/null
+From df9ace7647d4123209395bb9967e998d5758c645 Mon Sep 17 00:00:00 2001
+From: Gavin Shan <gshan@redhat.com>
+Date: Thu, 28 Mar 2024 10:21:48 +1000
+Subject: vhost: Add smp_rmb() in vhost_enable_notify()
+
+From: Gavin Shan <gshan@redhat.com>
+
+commit df9ace7647d4123209395bb9967e998d5758c645 upstream.
+
+A smp_rmb() has been missed in vhost_enable_notify(), inspired by
+Will. Otherwise, it's not ensured the available ring entries pushed
+by guest can be observed by vhost in time, leading to stale available
+ring entries fetched by vhost in vhost_get_vq_desc(), as reported by
+Yihuang Yu on NVidia's grace-hopper (ARM64) platform.
+
+ /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64 \
+ -accel kvm -machine virt,gic-version=host -cpu host \
+ -smp maxcpus=1,cpus=1,sockets=1,clusters=1,cores=1,threads=1 \
+ -m 4096M,slots=16,maxmem=64G \
+ -object memory-backend-ram,id=mem0,size=4096M \
+ : \
+ -netdev tap,id=vnet0,vhost=true \
+ -device virtio-net-pci,bus=pcie.8,netdev=vnet0,mac=52:54:00:f1:26:b0
+ :
+ guest# netperf -H 10.26.1.81 -l 60 -C -c -t UDP_STREAM
+ virtio_net virtio0: output.0:id 100 is not a head!
+
+Add the missed smp_rmb() in vhost_enable_notify(). When it returns true,
+it means there's still pending tx buffers. Since it might read indices,
+so it still can bypass the smp_rmb() in vhost_get_vq_desc(). Note that
+it should be safe until vq->avail_idx is changed by commit d3bb267bbdcb
+("vhost: cache avail index in vhost_enable_notify()").
+
+Fixes: d3bb267bbdcb ("vhost: cache avail index in vhost_enable_notify()")
+Cc: <stable@kernel.org> # v5.18+
+Reported-by: Yihuang Yu <yihyu@redhat.com>
+Suggested-by: Will Deacon <will@kernel.org>
+Signed-off-by: Gavin Shan <gshan@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Message-Id: <20240328002149.1141302-3-gshan@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2572,9 +2572,19 @@ bool vhost_enable_notify(struct vhost_de
+ &vq->avail->idx, r);
+ return false;
+ }
++
+ vq->avail_idx = vhost16_to_cpu(vq, avail_idx);
++ if (vq->avail_idx != vq->last_avail_idx) {
++ /* Since we have updated avail_idx, the following
++ * call to vhost_get_vq_desc() will read available
++ * ring entries. Make sure that read happens after
++ * the avail_idx read.
++ */
++ smp_rmb();
++ return true;
++ }
+
+- return vq->avail_idx != vq->last_avail_idx;
++ return false;
+ }
+ EXPORT_SYMBOL_GPL(vhost_enable_notify);
+
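Review bot: The new `smp_rmb()` has no pairing noted: kernel memory-barrier convention asks that each barrier name the barrier it pairs with, and here that is presumably the guest's write barrier between filling the available ring and publishing `avail->idx`. Extending the comment with `/* Pairs with the guest's wmb before it updates avail->idx. */` makes the ordering argument checkable. The same applies to the identical block added in `vhost_vq_avail_empty()` in the next patch. `vhost_enable_notify` starts outside this hunk.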
--- /dev/null
+From 22e1992cf7b034db5325660e98c41ca5afa5f519 Mon Sep 17 00:00:00 2001
+From: Gavin Shan <gshan@redhat.com>
+Date: Thu, 28 Mar 2024 10:21:47 +1000
+Subject: vhost: Add smp_rmb() in vhost_vq_avail_empty()
+
+From: Gavin Shan <gshan@redhat.com>
+
+commit 22e1992cf7b034db5325660e98c41ca5afa5f519 upstream.
+
+A smp_rmb() has been missed in vhost_vq_avail_empty(), spotted by
+Will. Otherwise, it's not ensured the available ring entries pushed
+by guest can be observed by vhost in time, leading to stale available
+ring entries fetched by vhost in vhost_get_vq_desc(), as reported by
+Yihuang Yu on NVidia's grace-hopper (ARM64) platform.
+
+ /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64 \
+ -accel kvm -machine virt,gic-version=host -cpu host \
+ -smp maxcpus=1,cpus=1,sockets=1,clusters=1,cores=1,threads=1 \
+ -m 4096M,slots=16,maxmem=64G \
+ -object memory-backend-ram,id=mem0,size=4096M \
+ : \
+ -netdev tap,id=vnet0,vhost=true \
+ -device virtio-net-pci,bus=pcie.8,netdev=vnet0,mac=52:54:00:f1:26:b0
+ :
+ guest# netperf -H 10.26.1.81 -l 60 -C -c -t UDP_STREAM
+ virtio_net virtio0: output.0:id 100 is not a head!
+
+Add the missed smp_rmb() in vhost_vq_avail_empty(). When tx_can_batch()
+returns true, it means there's still pending tx buffers. Since it might
+read indices, so it still can bypass the smp_rmb() in vhost_get_vq_desc().
+Note that it should be safe until vq->avail_idx is changed by commit
+275bf960ac697 ("vhost: better detection of available buffers").
+
+Fixes: 275bf960ac69 ("vhost: better detection of available buffers")
+Cc: <stable@kernel.org> # v4.11+
+Reported-by: Yihuang Yu <yihyu@redhat.com>
+Suggested-by: Will Deacon <will@kernel.org>
+Signed-off-by: Gavin Shan <gshan@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Message-Id: <20240328002149.1141302-2-gshan@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2523,9 +2523,19 @@ bool vhost_vq_avail_empty(struct vhost_d
+ r = vhost_get_avail_idx(vq, &avail_idx);
+ if (unlikely(r))
+ return false;
++
+ vq->avail_idx = vhost16_to_cpu(vq, avail_idx);
++ if (vq->avail_idx != vq->last_avail_idx) {
++ /* Since we have updated avail_idx, the following
++ * call to vhost_get_vq_desc() will read available
++ * ring entries. Make sure that read happens after
++ * the avail_idx read.
++ */
++ smp_rmb();
++ return false;
++ }
+
+- return vq->avail_idx == vq->last_avail_idx;
++ return true;
+ }
+ EXPORT_SYMBOL_GPL(vhost_vq_avail_empty);
+
--- /dev/null
+From f337a6a21e2fd67eadea471e93d05dd37baaa9be Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 9 Apr 2024 10:51:05 -0700
+Subject: x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit f337a6a21e2fd67eadea471e93d05dd37baaa9be upstream.
+
+Initialize cpu_mitigations to CPU_MITIGATIONS_OFF if the kernel is built
+with CONFIG_SPECULATION_MITIGATIONS=n, as the help text quite clearly
+states that disabling SPECULATION_MITIGATIONS is supposed to turn off all
+mitigations by default.
+
+ │ If you say N, all mitigations will be disabled. You really
+ │ should know what you are doing to say so.
+
+As is, the kernel still defaults to CPU_MITIGATIONS_AUTO, which results in
+some mitigations being enabled in spite of SPECULATION_MITIGATIONS=n.
+
+Fixes: f43b9876e857 ("x86/retbleed: Add fine grained Kconfig knobs")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
+Cc: stable@vger.kernel.org
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20240409175108.1512861-2-seanjc@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cpu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -2788,7 +2788,8 @@ enum cpu_mitigations {
+ };
+
+ static enum cpu_mitigations cpu_mitigations __ro_after_init =
+- CPU_MITIGATIONS_AUTO;
++ IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
++ CPU_MITIGATIONS_OFF;
+
+ static int __init mitigations_parse_cmdline(char *arg)
+ {