--- /dev/null
+From 2efbafb91e12ff5a16cbafb0085e4c10c3fca493 Mon Sep 17 00:00:00 2001
+From: Peter Collingbourne <pcc@google.com>
+Date: Thu, 20 Apr 2023 14:09:45 -0700
+Subject: arm64: Also reset KASAN tag if page is not PG_mte_tagged
+
+From: Peter Collingbourne <pcc@google.com>
+
+commit 2efbafb91e12ff5a16cbafb0085e4c10c3fca493 upstream.
+
+Consider the following sequence of events:
+
+1) A page in a PROT_READ|PROT_WRITE VMA is faulted.
+2) Page migration allocates a page with the KASAN allocator,
+ causing it to receive a non-match-all tag, and uses it
+ to replace the page faulted in 1.
+3) The program uses mprotect() to enable PROT_MTE on the page faulted in 1.
+
+As a result of step 3, we are left with a non-match-all tag for a page
+with tags accessible to userspace, which can lead to the same kind of
+tag check faults that commit e74a68468062 ("arm64: Reset KASAN tag in
+copy_highpage with HW tags only") intended to fix.
+
+The general invariant that we have for pages in a VMA with VM_MTE_ALLOWED
+is that they cannot have a non-match-all tag. As a result of step 2, the
+invariant is broken. This means that the fix in the referenced commit
+was incomplete and we also need to reset the tag for pages without
+PG_mte_tagged.
+
+Fixes: e5b8d9218951 ("arm64: mte: reset the page tag in page->flags")
+Cc: <stable@vger.kernel.org> # 5.15
+Link: https://linux-review.googlesource.com/id/I7409cdd41acbcb215c2a7417c1e50d37b875beff
+Signed-off-by: Peter Collingbourne <pcc@google.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Link: https://lore.kernel.org/r/20230420210945.2313627-1-pcc@google.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/copypage.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/mm/copypage.c
++++ b/arch/arm64/mm/copypage.c
+@@ -21,9 +21,10 @@ void copy_highpage(struct page *to, stru
+
+ copy_page(kto, kfrom);
+
++ if (kasan_hw_tags_enabled())
++ page_kasan_tag_reset(to);
++
+ if (system_supports_mte() && page_mte_tagged(from)) {
+- if (kasan_hw_tags_enabled())
+- page_kasan_tag_reset(to);
+ /* It's a new page, shouldn't have been tagged yet */
+ WARN_ON_ONCE(!try_page_mte_tagging(to));
+ mte_copy_page_tags(kto, kfrom);
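Review bot: The new unconditional `if (kasan_hw_tags_enabled()) page_kasan_tag_reset(to);` in copy_highpage() carries no comment, so the invariant it enforces (a page in a VM_MTE_ALLOWED VMA must not keep a non-match-all KASAN tag, even when the source page is not PG_mte_tagged) is recorded only in the commit message. Add a short comment above the check stating that the reset is deliberately outside the `page_mte_tagged(from)` branch, so a later cleanup does not fold it back in.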
--- /dev/null
+From c4c597f1b367433c52c531dccd6859a39b4580fb Mon Sep 17 00:00:00 2001
+From: Peter Collingbourne <pcc@google.com>
+Date: Thu, 20 Apr 2023 14:43:27 -0700
+Subject: arm64: mte: Do not set PG_mte_tagged if tags were not initialized
+
+From: Peter Collingbourne <pcc@google.com>
+
+commit c4c597f1b367433c52c531dccd6859a39b4580fb upstream.
+
+The mte_sync_page_tags() function sets PG_mte_tagged if it initializes
+page tags. Then we return to mte_sync_tags(), which sets PG_mte_tagged
+again. At best, this is redundant. However, it is possible for
+mte_sync_page_tags() to return without having initialized tags for the
+page, i.e. in the case where check_swap is true (non-compound page),
+is_swap_pte(old_pte) is false and pte_is_tagged is false. So at worst,
+we set PG_mte_tagged on a page with uninitialized tags. This can happen
+if, for example, page migration causes a PTE for an untagged page to
+be replaced. If the userspace program subsequently uses mprotect() to
+enable PROT_MTE for that page, the uninitialized tags will be exposed
+to userspace.
+
+Fix it by removing the redundant call to set_page_mte_tagged().
+
+Fixes: e059853d14ca ("arm64: mte: Fix/clarify the PG_mte_tagged semantics")
+Signed-off-by: Peter Collingbourne <pcc@google.com>
+Cc: <stable@vger.kernel.org> # 6.1
+Link: https://linux-review.googlesource.com/id/Ib02d004d435b2ed87603b858ef7480f7b1463052
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Reviewed-by: Alexandru Elisei <alexandru.elisei@arm.com>
+Link: https://lore.kernel.org/r/20230420214327.2357985-1-pcc@google.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/mte.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/kernel/mte.c
++++ b/arch/arm64/kernel/mte.c
+@@ -66,13 +66,10 @@ void mte_sync_tags(pte_t old_pte, pte_t
+ return;
+
+ /* if PG_mte_tagged is set, tags have already been initialised */
+- for (i = 0; i < nr_pages; i++, page++) {
+- if (!page_mte_tagged(page)) {
++ for (i = 0; i < nr_pages; i++, page++)
++ if (!page_mte_tagged(page))
+ mte_sync_page_tags(page, old_pte, check_swap,
+ pte_is_tagged);
+- set_page_mte_tagged(page);
+- }
+- }
+
+ /* ensure the tags are visible before the PTE is set */
+ smp_wmb();
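Review bot: After this change the loop in mte_sync_tags() depends on mte_sync_page_tags() being the only place that sets PG_mte_tagged, and only when it actually initialised tags, but the surviving comment ("if PG_mte_tagged is set, tags have already been initialised") does not say that. Extend the comment to state that the flag must not be set here because mte_sync_page_tags() can return without touching the tags. As a style point, the `for` body now spans several lines through the nested `if` and the wrapped call, so keeping braces on the `for` would be easier to read.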
--- /dev/null
+From bf4823267a817f7c155876a125b94336d7113e77 Mon Sep 17 00:00:00 2001
+From: Evan Quan <evan.quan@amd.com>
+Date: Thu, 11 May 2023 15:41:27 +0800
+Subject: drm/amd/pm: fix possible power mode mismatch between driver and PMFW
+
+From: Evan Quan <evan.quan@amd.com>
+
+commit bf4823267a817f7c155876a125b94336d7113e77 upstream.
+
+PMFW may boots the ASIC with a different power mode from the system's
+real one. Notify PMFW explicitly the power mode the system in. This
+is needed only when ACDC switch via gpio is not supported.
+
+Signed-off-by: Evan Quan <evan.quan@amd.com>
+Reviewed-by: Kenneth Feng <kenneth.feng@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 18 +++++++++++++++++
+ drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 20 -------------------
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 1
+ 3 files changed, 20 insertions(+), 19 deletions(-)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
+@@ -727,6 +727,24 @@ static int smu_late_init(void *handle)
+ return ret;
+ }
+
++ /*
++ * Explicitly notify PMFW the power mode the system in. Since
++ * the PMFW may boot the ASIC with a different mode.
++ * For those supporting ACDC switch via gpio, PMFW will
++ * handle the switch automatically. Driver involvement
++ * is unnecessary.
++ */
++ if (!smu->dc_controlled_by_gpio) {
++ ret = smu_set_power_source(smu,
++ adev->pm.ac_power ? SMU_POWER_SOURCE_AC :
++ SMU_POWER_SOURCE_DC);
++ if (ret) {
++ dev_err(adev->dev, "Failed to switch to %s mode!\n",
++ adev->pm.ac_power ? "AC" : "DC");
++ return ret;
++ }
++ }
++
+ if ((adev->ip_versions[MP1_HWIP][0] == IP_VERSION(13, 0, 1)) ||
+ (adev->ip_versions[MP1_HWIP][0] == IP_VERSION(13, 0, 3)))
+ return 0;
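Review bot: In smu_late_init() the new `if (!smu->dc_controlled_by_gpio)` block makes a failure of smu_set_power_source() fatal for every ASIC that goes through this path, where the removed code applied only to Navi1X. Confirm what smu_set_power_source() returns when an ASIC's pptable_funcs has no .set_power_source callback; if that is an error code, late init will now fail on those parts and the call should either tolerate the missing callback or be limited to ASICs that implement it. The comment text "the power mode the system in" also needs an "is".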
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
+@@ -3412,26 +3412,8 @@ static int navi10_post_smu_init(struct s
+ return 0;
+
+ ret = navi10_run_umc_cdr_workaround(smu);
+- if (ret) {
++ if (ret)
+ dev_err(adev->dev, "Failed to apply umc cdr workaround!\n");
+- return ret;
+- }
+-
+- if (!smu->dc_controlled_by_gpio) {
+- /*
+- * For Navi1X, manually switch it to AC mode as PMFW
+- * may boot it with DC mode.
+- */
+- ret = smu_v11_0_set_power_source(smu,
+- adev->pm.ac_power ?
+- SMU_POWER_SOURCE_AC :
+- SMU_POWER_SOURCE_DC);
+- if (ret) {
+- dev_err(adev->dev, "Failed to switch to %s mode!\n",
+- adev->pm.ac_power ? "AC" : "DC");
+- return ret;
+- }
+- }
+
+ return ret;
+ }
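Review bot: Removing the `smu_v11_0_set_power_source()` call from navi10_post_smu_init() is only safe if the Navi1X pptable_funcs already routes .set_power_source to it, because the replacement in smu_late_init() goes through the generic smu_set_power_source(). This patch adds the callback for smu_v13_0_7 only, so please state in the commit message (or check in review) that the Navi1X table has it. Note also that a failure of navi10_run_umc_cdr_workaround() is still returned by the trailing `return ret;`, so behaviour there is unchanged.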
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
+@@ -1768,6 +1768,7 @@ static const struct pptable_funcs smu_v1
+ .enable_mgpu_fan_boost = smu_v13_0_7_enable_mgpu_fan_boost,
+ .get_power_limit = smu_v13_0_7_get_power_limit,
+ .set_power_limit = smu_v13_0_set_power_limit,
++ .set_power_source = smu_v13_0_set_power_source,
+ .get_power_profile_mode = smu_v13_0_7_get_power_profile_mode,
+ .set_power_profile_mode = smu_v13_0_7_set_power_profile_mode,
+ .set_tool_table_location = smu_v13_0_set_tool_table_location,
--- /dev/null
+From 8173cab3368a13cdc3cad0bd5cf14e9399b0f501 Mon Sep 17 00:00:00 2001
+From: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
+Date: Tue, 9 May 2023 18:49:46 +0200
+Subject: drm/amdgpu/gfx10: Disable gfxoff before disabling powergating.
+
+From: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
+
+commit 8173cab3368a13cdc3cad0bd5cf14e9399b0f501 upstream.
+
+Otherwise we get a full system lock (looks like a FW mess).
+
+Copied the order from the GFX9 powergating code.
+
+Fixes: 366468ff6c34 ("drm/amdgpu: Allow GfxOff on Vangogh as default")
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2545
+Signed-off-by: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
+Tested-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+@@ -8159,8 +8159,14 @@ static int gfx_v10_0_set_powergating_sta
+ case IP_VERSION(10, 3, 3):
+ case IP_VERSION(10, 3, 6):
+ case IP_VERSION(10, 3, 7):
++ if (!enable)
++ amdgpu_gfx_off_ctrl(adev, false);
++
+ gfx_v10_cntl_pg(adev, enable);
+- amdgpu_gfx_off_ctrl(adev, enable);
++
++ if (enable)
++ amdgpu_gfx_off_ctrl(adev, true);
++
+ break;
+ default:
+ break;
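Review bot: The ordering introduced in gfx_v10_0_set_powergating_state() (gfxoff disabled before `gfx_v10_cntl_pg(adev, enable)` when disabling, gfxoff enabled after it when enabling) is the whole fix, yet nothing in the code explains it. The commit message says the wrong order causes a full system lock; put that in a one-line comment above `if (!enable)` so the two `amdgpu_gfx_off_ctrl()` calls are not merged back into a single `amdgpu_gfx_off_ctrl(adev, enable)` later.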
--- /dev/null
+From 11fbdda2ab6bf049e2869139c07016022b4e045b Mon Sep 17 00:00:00 2001
+From: "Guilherme G. Piccoli" <gpiccoli@igalia.com>
+Date: Tue, 9 May 2023 18:49:47 +0200
+Subject: drm/amdgpu/gfx11: Adjust gfxoff before powergating on gfx11 as well
+
+From: Guilherme G. Piccoli <gpiccoli@igalia.com>
+
+commit 11fbdda2ab6bf049e2869139c07016022b4e045b upstream.
+
+(Bas: speculative change to mirror gfx10/gfx9)
+
+Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
+Signed-off-by: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.1.x
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
+@@ -5135,8 +5135,14 @@ static int gfx_v11_0_set_powergating_sta
+ break;
+ case IP_VERSION(11, 0, 1):
+ case IP_VERSION(11, 0, 4):
++ if (!enable)
++ amdgpu_gfx_off_ctrl(adev, false);
++
+ gfx_v11_cntl_pg(adev, enable);
+- amdgpu_gfx_off_ctrl(adev, enable);
++
++ if (enable)
++ amdgpu_gfx_off_ctrl(adev, true);
++
+ break;
+ default:
+ break;
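Review bot: The commit message describes this as a speculative change mirroring gfx10/gfx9 and carries no Tested-by tag, so the reordering around `gfx_v11_cntl_pg(adev, enable)` for IP_VERSION(11, 0, 1) and IP_VERSION(11, 0, 4) has no recorded test on gfx11 hardware. Either note the hardware it was exercised on or say explicitly that it is untested. The sequence is now duplicated verbatim between gfx_v10_0.c and gfx_v11_0.c, so a comment pointing at the gfx10 fix for the rationale would help.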
--- /dev/null
+From d5aa417808cf14c052ca042920b3c6b9f1dc6aa4 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 10 Apr 2023 12:02:29 -0400
+Subject: drm/amdgpu/gfx11: update gpu_clock_counter logic
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit d5aa417808cf14c052ca042920b3c6b9f1dc6aa4 upstream.
+
+This code was written prior to previous updates to this
+logic for other chips. The RSC registers are part of
+SMUIO which is an always on block so there is no need
+to disable gfxoff. Additionally add the carryover and
+preemption checks.
+
+v2: rebase
+
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.1.y: 5591a051b86b: drm/amdgpu: refine get gpu clock counter method
+Cc: stable@vger.kernel.org # 6.2.y: 5591a051b86b: drm/amdgpu: refine get gpu clock counter method
+Cc: stable@vger.kernel.org # 6.3.y: 5591a051b86b: drm/amdgpu: refine get gpu clock counter method
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
+@@ -4665,24 +4665,27 @@ static uint64_t gfx_v11_0_get_gpu_clock_
+ uint64_t clock;
+ uint64_t clock_counter_lo, clock_counter_hi_pre, clock_counter_hi_after;
+
+- amdgpu_gfx_off_ctrl(adev, false);
+- mutex_lock(&adev->gfx.gpu_clock_mutex);
+ if (amdgpu_sriov_vf(adev)) {
++ amdgpu_gfx_off_ctrl(adev, false);
++ mutex_lock(&adev->gfx.gpu_clock_mutex);
+ clock_counter_hi_pre = (uint64_t)RREG32_SOC15(GC, 0, regCP_MES_MTIME_HI);
+ clock_counter_lo = (uint64_t)RREG32_SOC15(GC, 0, regCP_MES_MTIME_LO);
+ clock_counter_hi_after = (uint64_t)RREG32_SOC15(GC, 0, regCP_MES_MTIME_HI);
+ if (clock_counter_hi_pre != clock_counter_hi_after)
+ clock_counter_lo = (uint64_t)RREG32_SOC15(GC, 0, regCP_MES_MTIME_LO);
++ mutex_unlock(&adev->gfx.gpu_clock_mutex);
++ amdgpu_gfx_off_ctrl(adev, true);
+ } else {
++ preempt_disable();
+ clock_counter_hi_pre = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_UPPER);
+ clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_LOWER);
+ clock_counter_hi_after = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_UPPER);
+ if (clock_counter_hi_pre != clock_counter_hi_after)
+ clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_LOWER);
++ preempt_enable();
+ }
+ clock = clock_counter_lo | (clock_counter_hi_after << 32ULL);
+- mutex_unlock(&adev->gfx.gpu_clock_mutex);
+- amdgpu_gfx_off_ctrl(adev, true);
++
+ return clock;
+ }
+
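Review bot: In the non-SR-IOV branch of gfx_v11_0_get_gpu_clock_counter(), `preempt_disable()`/`preempt_enable()` now replace both gpu_clock_mutex and the gfxoff toggle, with no comment saying what each substitution relies on. The commit message gives the reasons (SMUIO is an always-on block, and the three reads should not be separated by a preemption); add them as a comment in the `else` branch. It would also help to state why the SR-IOV branch still needs the mutex and `amdgpu_gfx_off_ctrl()` while the SMUIO branch does not.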
--- /dev/null
+From 68518294d00da6a2433357af75a63abc6030676e Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Thu, 11 May 2023 10:40:03 -0400
+Subject: drm/amdgpu/gmc11: implement get_vbios_fb_size()
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 68518294d00da6a2433357af75a63abc6030676e upstream.
+
+Implement get_vbios_fb_size() so we can properly reserve
+the vbios splash screen to avoid potential artifacts on the
+screen during the transition from the pre-OS console to the
+OS console.
+
+Acked-by: Sunil Khatri <sunil.khatri@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.1.x
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c
+@@ -31,6 +31,8 @@
+ #include "umc_v8_10.h"
+ #include "athub/athub_3_0_0_sh_mask.h"
+ #include "athub/athub_3_0_0_offset.h"
++#include "dcn/dcn_3_2_0_offset.h"
++#include "dcn/dcn_3_2_0_sh_mask.h"
+ #include "oss/osssys_6_0_0_offset.h"
+ #include "ivsrcid/vmc/irqsrcs_vmc_1_0.h"
+ #include "navi10_enum.h"
+@@ -542,7 +544,24 @@ static void gmc_v11_0_get_vm_pte(struct
+
+ static unsigned gmc_v11_0_get_vbios_fb_size(struct amdgpu_device *adev)
+ {
+- return 0;
++ u32 d1vga_control = RREG32_SOC15(DCE, 0, regD1VGA_CONTROL);
++ unsigned size;
++
++ if (REG_GET_FIELD(d1vga_control, D1VGA_CONTROL, D1VGA_MODE_ENABLE)) {
++ size = AMDGPU_VBIOS_VGA_ALLOCATION;
++ } else {
++ u32 viewport;
++ u32 pitch;
++
++ viewport = RREG32_SOC15(DCE, 0, regHUBP0_DCSURF_PRI_VIEWPORT_DIMENSION);
++ pitch = RREG32_SOC15(DCE, 0, regHUBPREQ0_DCSURF_SURFACE_PITCH);
++ size = (REG_GET_FIELD(viewport,
++ HUBP0_DCSURF_PRI_VIEWPORT_DIMENSION, PRI_VIEWPORT_HEIGHT) *
++ REG_GET_FIELD(pitch, HUBPREQ0_DCSURF_SURFACE_PITCH, PITCH) *
++ 4);
++ }
++
++ return size;
+ }
+
+ static const struct amdgpu_gmc_funcs gmc_v11_0_gmc_funcs = {
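Review bot: gmc_v11_0_get_vbios_fb_size() now reads regD1VGA_CONTROL, regHUBP0_DCSURF_PRI_VIEWPORT_DIMENSION and regHUBPREQ0_DCSURF_SURFACE_PITCH using the dcn_3_2_0 headers unconditionally. Confirm that every ASIC served by gmc_v11_0 has a display block with these registers at the DCN 3.2.0 offsets; if some parts use a different DCN version or have no display IP, the read needs a guard and a fallback to the old `return 0;`. The literal `4` in the size calculation assumes four bytes per pixel and should carry a comment or a named constant.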
--- /dev/null
+From 5591a051b86be170a84943698ab140342602ff7b Mon Sep 17 00:00:00 2001
+From: Tong Liu01 <Tong.Liu01@amd.com>
+Date: Thu, 6 Apr 2023 15:58:31 +0800
+Subject: drm/amdgpu: refine get gpu clock counter method
+
+From: Tong Liu01 <Tong.Liu01@amd.com>
+
+commit 5591a051b86be170a84943698ab140342602ff7b upstream.
+
+[why]
+regGOLDEN_TSC_COUNT_LOWER/regGOLDEN_TSC_COUNT_UPPER are protected and
+unaccessible under sriov.
+The clock counter high bit may update during reading process.
+
+[How]
+Replace regGOLDEN_TSC_COUNT_LOWER/regGOLDEN_TSC_COUNT_UPPER with
+regCP_MES_MTIME_LO/regCP_MES_MTIME_HI to get gpu clock under sriov.
+Refine get gpu clock counter method to make the result more precise.
+
+Signed-off-by: Tong Liu01 <Tong.Liu01@amd.com>
+Acked-by: Luben Tuikov <luben.tuikov@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
+@@ -4663,11 +4663,24 @@ static int gfx_v11_0_post_soft_reset(voi
+ static uint64_t gfx_v11_0_get_gpu_clock_counter(struct amdgpu_device *adev)
+ {
+ uint64_t clock;
++ uint64_t clock_counter_lo, clock_counter_hi_pre, clock_counter_hi_after;
+
+ amdgpu_gfx_off_ctrl(adev, false);
+ mutex_lock(&adev->gfx.gpu_clock_mutex);
+- clock = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_LOWER) |
+- ((uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_UPPER) << 32ULL);
++ if (amdgpu_sriov_vf(adev)) {
++ clock_counter_hi_pre = (uint64_t)RREG32_SOC15(GC, 0, regCP_MES_MTIME_HI);
++ clock_counter_lo = (uint64_t)RREG32_SOC15(GC, 0, regCP_MES_MTIME_LO);
++ clock_counter_hi_after = (uint64_t)RREG32_SOC15(GC, 0, regCP_MES_MTIME_HI);
++ if (clock_counter_hi_pre != clock_counter_hi_after)
++ clock_counter_lo = (uint64_t)RREG32_SOC15(GC, 0, regCP_MES_MTIME_LO);
++ } else {
++ clock_counter_hi_pre = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_UPPER);
++ clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_LOWER);
++ clock_counter_hi_after = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_UPPER);
++ if (clock_counter_hi_pre != clock_counter_hi_after)
++ clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_LOWER);
++ }
++ clock = clock_counter_lo | (clock_counter_hi_after << 32ULL);
+ mutex_unlock(&adev->gfx.gpu_clock_mutex);
+ amdgpu_gfx_off_ctrl(adev, true);
+ return clock;
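Review bot: The two branches in gfx_v11_0_get_gpu_clock_counter() repeat the same high/low/high read sequence and neither explains it. Add a comment on the first occurrence saying that `clock_counter_hi_pre` exists only to detect a carry into the upper word between the reads, and that the low word is re-read once when `clock_counter_hi_pre != clock_counter_hi_after`. The `(uint64_t)` casts on the low word and on `clock_counter_hi_pre` are not needed for the comparison or the OR; only the value shifted by 32 requires the widening.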
--- /dev/null
+From a7844528722619d2f97740ae5ec747afff18c4be Mon Sep 17 00:00:00 2001
+From: Michal Simek <michal.simek@amd.com>
+Date: Fri, 12 May 2023 13:52:04 +0200
+Subject: dt-bindings: ata: ahci-ceva: Cover all 4 iommus entries
+
+From: Michal Simek <michal.simek@amd.com>
+
+commit a7844528722619d2f97740ae5ec747afff18c4be upstream.
+
+Current only one entry is enabled but IP itself is using 4 different IDs
+which are already listed in zynqmp.dtsi.
+
+sata: ahci@fd0c0000 {
+ compatible = "ceva,ahci-1v84";
+ ...
+ iommus = <&smmu 0x4c0>, <&smmu 0x4c1>,
+ <&smmu 0x4c2>, <&smmu 0x4c3>;
+};
+
+Fixes: 8ac47837f0e0 ("arm64: dts: zynqmp: Add missing iommu IDs")
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Michal Simek <michal.simek@amd.com>
+Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/ata/ceva,ahci-1v84.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/ata/ceva,ahci-1v84.yaml
++++ b/Documentation/devicetree/bindings/ata/ceva,ahci-1v84.yaml
+@@ -32,7 +32,7 @@ properties:
+ maxItems: 1
+
+ iommus:
+- maxItems: 1
++ maxItems: 4
+
+ power-domains:
+ maxItems: 1
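Review bot: Changing `iommus` to `maxItems: 4` without a `minItems` leaves it unclear whether a device tree that still lists a single stream ID is meant to validate. The commit message says only one entry was enabled before, so existing users with one entry are plausible; if they should keep passing, add `minItems: 1` next to `maxItems: 4`, and if four entries are mandatory, say so in the commit message.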
--- /dev/null
+From e36ca2fad6bb4ef0603bdb5556578e9082fe0056 Mon Sep 17 00:00:00 2001
+From: Rob Clark <robdclark@chromium.org>
+Date: Tue, 16 May 2023 15:20:36 -0700
+Subject: iommu/arm-smmu-qcom: Fix missing adreno_smmu's
+
+From: Rob Clark <robdclark@chromium.org>
+
+commit e36ca2fad6bb4ef0603bdb5556578e9082fe0056 upstream.
+
+When the special handling of qcom,adreno-smmu was moved into
+qcom_smmu_create(), it was overlooked that we didn't have all the
+required entries in qcom_smmu_impl_of_match. So we stopped getting
+adreno_smmu_priv on sc7180, breaking per-process pgtables.
+
+Fixes: 30b912a03d91 ("iommu/arm-smmu-qcom: Move the qcom,adreno-smmu check into qcom_smmu_create")
+Cc: <stable@vger.kernel.org>
+Suggested-by: Lepton Wu <lepton@chromium.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/537357/
+Link: https://lore.kernel.org/r/20230516222039.907690-1-robdclark@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+@@ -517,6 +517,7 @@ static const struct of_device_id __maybe
+ { .compatible = "qcom,qcm2290-smmu-500", .data = &qcom_smmu_500_impl0_data },
+ { .compatible = "qcom,qdu1000-smmu-500", .data = &qcom_smmu_500_impl0_data },
+ { .compatible = "qcom,sc7180-smmu-500", .data = &qcom_smmu_500_impl0_data },
++ { .compatible = "qcom,sc7180-smmu-v2", .data = &qcom_smmu_v2_data },
+ { .compatible = "qcom,sc7280-smmu-500", .data = &qcom_smmu_500_impl0_data },
+ { .compatible = "qcom,sc8180x-smmu-500", .data = &qcom_smmu_500_impl0_data },
+ { .compatible = "qcom,sc8280xp-smmu-500", .data = &qcom_smmu_500_impl0_data },
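Review bot: The commit message says the match table "didn't have all the required entries" (plural), but this hunk adds only "qcom,sc7180-smmu-v2". Please confirm in the commit message that sc7180 is the only platform whose adreno SMMU compatible was missing from qcom_smmu_impl_of_match, or add the others in the same patch so they do not have to be found one WARN at a time.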
+@@ -561,5 +562,14 @@ struct arm_smmu_device *qcom_smmu_impl_i
+ if (match)
+ return qcom_smmu_create(smmu, match->data);
+
++ /*
++ * If you hit this WARN_ON() you are missing an entry in the
++ * qcom_smmu_impl_of_match[] table, and GPU per-process page-
++ * tables will be broken.
++ */
++ WARN(of_device_is_compatible(np, "qcom,adreno-smmu"),
++ "Missing qcom_smmu_impl_of_match entry for: %s",
++ dev_name(smmu->dev));
++
+ return smmu;
+ }
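Review bot: The comment above the new check in qcom_smmu_impl_init() refers to WARN_ON(), but the code uses WARN() with a format string, and that string ("Missing qcom_smmu_impl_of_match entry for: %s") has no trailing newline. Update the comment to say WARN() and end the format with "\n". Since the function continues and returns the plain `smmu` after warning, it is worth stating in the comment that per-process page tables are silently unavailable from that point on.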
--- /dev/null
+From de9c1a23add9e7842ce63ce6f498a05c66344311 Mon Sep 17 00:00:00 2001
+From: Huayu Chen <huayu.chen@corigine.com>
+Date: Thu, 11 May 2023 08:50:56 +0200
+Subject: nfp: fix NFP_NET_MAX_DSCP definition error
+
+From: Huayu Chen <huayu.chen@corigine.com>
+
+commit de9c1a23add9e7842ce63ce6f498a05c66344311 upstream.
+
+The patch corrects the NFP_NET_MAX_DSCP definition in the main.h file.
+
+The incorrect definition result DSCP bits not being mapped properly when
+DCB is set. When NFP_NET_MAX_DSCP was defined as 4, the next 60 DSCP
+bits failed to be set.
+
+Fixes: 9b7fe8046d74 ("nfp: add DCB IEEE support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Huayu Chen <huayu.chen@corigine.com>
+Acked-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Louis Peens <louis.peens@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/nic/main.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/nic/main.h b/drivers/net/ethernet/netronome/nfp/nic/main.h
+index 094374df42b8..38b8b10b03cd 100644
+--- a/drivers/net/ethernet/netronome/nfp/nic/main.h
++++ b/drivers/net/ethernet/netronome/nfp/nic/main.h
+@@ -8,7 +8,7 @@
+
+ #ifdef CONFIG_DCB
+ /* DCB feature definitions */
+-#define NFP_NET_MAX_DSCP 4
++#define NFP_NET_MAX_DSCP 64
+ #define NFP_NET_MAX_TC IEEE_8021QAZ_MAX_TCS
+ #define NFP_NET_MAX_PRIO 8
+ #define NFP_DCB_CFG_STRIDE 256
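Review bot: `#define NFP_NET_MAX_DSCP 64` is a bare magic number. DSCP is a 6-bit field, so 64 is the count of code points; say so in a trailing comment so the value is not "corrected" again. Because the old value was 4, also check that every array or loop bounded by NFP_NET_MAX_DSCP was sized with 64 entries in mind; none of those users are visible in this hunk.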
+--
+2.40.1
+
--- /dev/null
+From 9b5a04ac3ad9898c4745cba46ea26de74ba56a8e Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Wed, 10 May 2023 00:29:56 +0900
+Subject: nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit 9b5a04ac3ad9898c4745cba46ea26de74ba56a8e upstream.
+
+During unmount process of nilfs2, nothing holds nilfs_root structure after
+nilfs2 detaches its writer in nilfs_detach_log_writer(). However, since
+nilfs_evict_inode() uses nilfs_root for some cleanup operations, it may
+cause use-after-free read if inodes are left in "garbage_list" and
+released by nilfs_dispose_list() at the end of nilfs_detach_log_writer().
+
+Fix this issue by modifying nilfs_evict_inode() to only clear inode
+without additional metadata changes that use nilfs_root if the file system
+is degraded to read-only or the writer is detached.
+
+Link: https://lkml.kernel.org/r/20230509152956.8313-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+78d4495558999f55d1da@syzkaller.appspotmail.com
+Closes: https://lkml.kernel.org/r/00000000000099e5ac05fb1c3b85@google.com
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/inode.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -917,6 +917,7 @@ void nilfs_evict_inode(struct inode *ino
+ struct nilfs_transaction_info ti;
+ struct super_block *sb = inode->i_sb;
+ struct nilfs_inode_info *ii = NILFS_I(inode);
++ struct the_nilfs *nilfs;
+ int ret;
+
+ if (inode->i_nlink || !ii->i_root || unlikely(is_bad_inode(inode))) {
+@@ -929,6 +930,23 @@ void nilfs_evict_inode(struct inode *ino
+
+ truncate_inode_pages_final(&inode->i_data);
+
++ nilfs = sb->s_fs_info;
++ if (unlikely(sb_rdonly(sb) || !nilfs->ns_writer)) {
++ /*
++ * If this inode is about to be disposed after the file system
++ * has been degraded to read-only due to file system corruption
++ * or after the writer has been detached, do not make any
++ * changes that cause writes, just clear it.
++ * Do this check after read-locking ns_segctor_sem by
++ * nilfs_transaction_begin() in order to avoid a race with
++ * the writer detach operation.
++ */
++ clear_inode(inode);
++ nilfs_clear_inode(inode);
++ nilfs_transaction_abort(sb);
++ return;
++ }
++
+ /* TODO: some of the following operations may fail. */
+ nilfs_truncate_bmap(ii, 0);
+ nilfs_mark_inode_dirty(inode);
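Review bot: The new early-return branch in nilfs_evict_inode() tests `sb_rdonly(sb)`, which is true for any read-only superblock, while the comment describes only the case where the file system "has been degraded to read-only due to file system corruption". Reword the comment to cover read-only state in general, or narrow the condition if only the degraded case is intended. The comment's note that the check must follow nilfs_transaction_begin() is the part that makes the `!nilfs->ns_writer` test race-free, so keep the `nilfs = sb->s_fs_info;` assignment and the test together below that call if this function is reorganised.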
--- /dev/null
+From 66b2ca086210732954a7790d63d35542936fc664 Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Thu, 11 May 2023 21:42:24 +1000
+Subject: powerpc/64s/radix: Fix soft dirty tracking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 66b2ca086210732954a7790d63d35542936fc664 upstream.
+
+It was reported that soft dirty tracking doesn't work when using the
+Radix MMU.
+
+The tracking is supposed to work by clearing the soft dirty bit for a
+mapping and then write protecting the PTE. If/when the page is written
+to, a page fault occurs and the soft dirty bit is added back via
+pte_mkdirty(). For example in wp_page_reuse():
+
+ entry = maybe_mkwrite(pte_mkdirty(entry), vma);
+ if (ptep_set_access_flags(vma, vmf->address, vmf->pte, entry, 1))
+ update_mmu_cache(vma, vmf->address, vmf->pte);
+
+Unfortunately on radix _PAGE_SOFTDIRTY is being dropped by
+radix__ptep_set_access_flags(), called from ptep_set_access_flags(),
+meaning the soft dirty bit is not set even though the page has been
+written to.
+
+Fix it by adding _PAGE_SOFTDIRTY to the set of bits that are able to be
+changed in radix__ptep_set_access_flags().
+
+Fixes: b0b5e9b13047 ("powerpc/mm/radix: Add radix pte #defines")
+Cc: stable@vger.kernel.org # v4.7+
+Reported-by: Dan Horák <dan@danny.cz>
+Link: https://lore.kernel.org/r/20230511095558.56663a50f86bdc4cd97700b7@danny.cz
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230511114224.977423-1-mpe@ellerman.id.au
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/mm/book3s64/radix_pgtable.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/mm/book3s64/radix_pgtable.c
++++ b/arch/powerpc/mm/book3s64/radix_pgtable.c
+@@ -1040,8 +1040,8 @@ void radix__ptep_set_access_flags(struct
+ pte_t entry, unsigned long address, int psize)
+ {
+ struct mm_struct *mm = vma->vm_mm;
+- unsigned long set = pte_val(entry) & (_PAGE_DIRTY | _PAGE_ACCESSED |
+- _PAGE_RW | _PAGE_EXEC);
++ unsigned long set = pte_val(entry) & (_PAGE_DIRTY | _PAGE_SOFT_DIRTY |
++ _PAGE_ACCESSED | _PAGE_RW | _PAGE_EXEC);
+
+ unsigned long change = pte_val(entry) ^ pte_val(*ptep);
+ /*
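Review bot: The `set` mask in radix__ptep_set_access_flags() is an allow-list (`pte_val(entry) & (...)`), so any PTE bit not named in it is dropped without notice, which is how the soft dirty bit was lost. Add a comment above the mask saying that software bits a caller may legitimately set through ptep_set_access_flags() have to be listed here. The commit message writes `_PAGE_SOFTDIRTY` while the code uses `_PAGE_SOFT_DIRTY`; align the message with the identifier so it can be found by search.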
--- /dev/null
+From 35a4b8ce4ac00e940b46b1034916ccb22ce9bdef Mon Sep 17 00:00:00 2001
+From: Hari Bathini <hbathini@linux.ibm.com>
+Date: Tue, 25 Apr 2023 12:28:29 +0530
+Subject: powerpc/bpf: populate extable entries only during the last pass
+
+From: Hari Bathini <hbathini@linux.ibm.com>
+
+commit 35a4b8ce4ac00e940b46b1034916ccb22ce9bdef upstream.
+
+Since commit 85e031154c7c ("powerpc/bpf: Perform complete extra passes
+to update addresses"), two additional passes are performed to avoid
+space and CPU time wastage on powerpc. But these extra passes led to
+WARN_ON_ONCE() hits in bpf_add_extable_entry() as extable entries are
+populated again, during the extra pass, without resetting the index.
+Fix it by resetting entry index before repopulating extable entries,
+if and when there is an additional pass.
+
+Fixes: 85e031154c7c ("powerpc/bpf: Perform complete extra passes to update addresses")
+Cc: stable@vger.kernel.org # v6.3+
+Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
+Reviewed-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230425065829.18189-1-hbathini@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/net/bpf_jit_comp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/net/bpf_jit_comp.c
++++ b/arch/powerpc/net/bpf_jit_comp.c
+@@ -101,6 +101,8 @@ struct bpf_prog *bpf_int_jit_compile(str
+ bpf_hdr = jit_data->header;
+ proglen = jit_data->proglen;
+ extra_pass = true;
++ /* During extra pass, ensure index is reset before repopulating extable entries */
++ cgctx.exentry_idx = 0;
+ goto skip_init_ctx;
+ }
+
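Review bot: The subject line says extable entries are populated "only during the last pass", but the added `cgctx.exentry_idx = 0;` before `goto skip_init_ctx;` does something different: it lets the extra pass repopulate the entries from index zero. The message body describes the reset correctly, so adjust the subject to match. The reset also sits at the jump site rather than where cgctx is initialised; a short note in the comment on why it cannot live after the `skip_init_ctx` label would help.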
--- /dev/null
+From 096339ab84f36beae0b1db25e0ce63fb3873e8b2 Mon Sep 17 00:00:00 2001
+From: Gaurav Batra <gbatra@linux.vnet.ibm.com>
+Date: Thu, 4 May 2023 12:59:13 -0500
+Subject: powerpc/iommu: DMA address offset is incorrectly calculated with 2MB TCEs
+
+From: Gaurav Batra <gbatra@linux.vnet.ibm.com>
+
+commit 096339ab84f36beae0b1db25e0ce63fb3873e8b2 upstream.
+
+When DMA window is backed by 2MB TCEs, the DMA address for the mapped
+page should be the offset of the page relative to the 2MB TCE. The code
+was incorrectly setting the DMA address to the beginning of the TCE
+range.
+
+Mellanox driver is reporting timeout trying to ENABLE_HCA for an SR-IOV
+ethernet port, when DMA window is backed by 2MB TCEs.
+
+Fixes: 387273118714 ("powerps/pseries/dma: Add support for 2M IOMMU page size")
+Cc: stable@vger.kernel.org # v5.16+
+Signed-off-by: Gaurav Batra <gbatra@linux.vnet.ibm.com>
+Reviewed-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
+Reviewed-by: Brian King <brking@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230504175913.83844-1-gbatra@linux.vnet.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/iommu.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/arch/powerpc/kernel/iommu.c
++++ b/arch/powerpc/kernel/iommu.c
+@@ -517,7 +517,7 @@ int ppc_iommu_map_sg(struct device *dev,
+ /* Convert entry to a dma_addr_t */
+ entry += tbl->it_offset;
+ dma_addr = entry << tbl->it_page_shift;
+- dma_addr |= (s->offset & ~IOMMU_PAGE_MASK(tbl));
++ dma_addr |= (vaddr & ~IOMMU_PAGE_MASK(tbl));
+
+ DBG(" - %lu pages, entry: %lx, dma_addr: %lx\n",
+ npages, entry, dma_addr);
+@@ -904,6 +904,7 @@ void *iommu_alloc_coherent(struct device
+ unsigned int order;
+ unsigned int nio_pages, io_order;
+ struct page *page;
++ int tcesize = (1 << tbl->it_page_shift);
+
+ size = PAGE_ALIGN(size);
+ order = get_order(size);
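Review bot: `int tcesize = (1 << tbl->it_page_shift);` in iommu_alloc_coherent() computes the TCE size as a signed int, which overflows for a page shift of 31 or more and is later mixed with a 64-bit address in `(u64)ret & (tcesize - 1)`. Use `unsigned long tcesize = 1UL << tbl->it_page_shift;`. The initialiser also dereferences `tbl` at declaration time; if the function body checks `tbl` for NULL further down, this dereference now happens before that check and the computation should move to the point of use.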
+@@ -930,7 +931,8 @@ void *iommu_alloc_coherent(struct device
+ memset(ret, 0, size);
+
+ /* Set up tces to cover the allocated range */
+- nio_pages = size >> tbl->it_page_shift;
++ nio_pages = IOMMU_PAGE_ALIGN(size, tbl) >> tbl->it_page_shift;
++
+ io_order = get_iommu_order(size, tbl);
+ mapping = iommu_alloc(dev, tbl, ret, nio_pages, DMA_BIDIRECTIONAL,
+ mask >> tbl->it_page_shift, io_order, 0);
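Review bot: nio_pages is now derived from IOMMU_PAGE_ALIGN(size, tbl), but io_order on the following line is still derived from the unaligned size through get_iommu_order(size, tbl); computing the TCE-aligned size once and feeding it to both would make it evident that the page count and the alignment order agree when size is smaller than one TCE. The extra blank line added after the nio_pages assignment can go.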
+@@ -938,7 +940,8 @@ void *iommu_alloc_coherent(struct device
+ free_pages((unsigned long)ret, order);
+ return NULL;
+ }
+- *dma_handle = mapping;
++
++ *dma_handle = mapping | ((u64)ret & (tcesize - 1));
+ return ret;
+ }
+
+@@ -949,7 +952,7 @@ void iommu_free_coherent(struct iommu_ta
+ unsigned int nio_pages;
+
+ size = PAGE_ALIGN(size);
+- nio_pages = size >> tbl->it_page_shift;
++ nio_pages = IOMMU_PAGE_ALIGN(size, tbl) >> tbl->it_page_shift;
+ iommu_free(tbl, dma_handle, nio_pages);
+ size = PAGE_ALIGN(size);
+ free_pages((unsigned long)vaddr, get_order(size));
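Review bot: nothing in this hunk strips the in-TCE offset that iommu_alloc_coherent() now ORs into *dma_handle before the handle reaches iommu_free(tbl, dma_handle, nio_pages); confirm that iommu_free() tolerates a handle that is not TCE-aligned, or mask it here with IOMMU_PAGE_MASK(tbl). The context also shows size = PAGE_ALIGN(size) twice in this function; the second one is redundant and could be dropped while these lines are being touched.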
--- /dev/null
+From 1f7aacc5eb9ed2cc17be7a90da5cd559effb9d59 Mon Sep 17 00:00:00 2001
+From: Gaurav Batra <gbatra@linux.vnet.ibm.com>
+Date: Fri, 5 May 2023 13:47:01 -0500
+Subject: powerpc/iommu: Incorrect DDW Table is referenced for SR-IOV device
+
+From: Gaurav Batra <gbatra@linux.vnet.ibm.com>
+
+commit 1f7aacc5eb9ed2cc17be7a90da5cd559effb9d59 upstream.
+
+For an SR-IOV device, while enabling DDW, a new table is created and
+added at index 1 in the group. In the below 2 scenarios, the table is
+incorrectly referenced at index 0 (which is where the table is for
+default DMA window).
+
+1. When adding DDW
+
+ This issue is exposed with "slub_debug". Error thrown out from
+ dma_iommu_dma_supported()
+
+ Warning: IOMMU offset too big for device mask
+ mask: 0xffffffff, table offset: 0x800000000000000
+
+2. During Dynamic removal of the PCI device.
+
+ Error is from iommu_tce_table_put() since a NULL table pointer is
+ passed in.
+
+Fixes: 381ceda88c4c ("powerpc/pseries/iommu: Make use of DDW for indirect mapping")
+Cc: stable@vger.kernel.org # v5.15+
+Signed-off-by: Gaurav Batra <gbatra@linux.vnet.ibm.com>
+Reviewed-by: Brian King <brking@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230505184701.91613-1-gbatra@linux.vnet.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/dma-iommu.c | 4 +++-
+ arch/powerpc/platforms/pseries/iommu.c | 13 +++++++++----
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+--- a/arch/powerpc/kernel/dma-iommu.c
++++ b/arch/powerpc/kernel/dma-iommu.c
+@@ -144,7 +144,7 @@ static bool dma_iommu_bypass_supported(s
+ /* We support DMA to/from any memory page via the iommu */
+ int dma_iommu_dma_supported(struct device *dev, u64 mask)
+ {
+- struct iommu_table *tbl = get_iommu_table_base(dev);
++ struct iommu_table *tbl;
+
+ if (dev_is_pci(dev) && dma_iommu_bypass_supported(dev, mask)) {
+ /*
+@@ -162,6 +162,8 @@ int dma_iommu_dma_supported(struct devic
+ return 1;
+ }
+
++ tbl = get_iommu_table_base(dev);
++
+ if (!tbl) {
+ dev_err(dev, "Warning: IOMMU dma not supported: mask 0x%08llx, table unavailable\n", mask);
+ return 0;
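Review bot: the relocated `tbl = get_iommu_table_base(dev);` carries no comment saying why the lookup must come after the dma_iommu_bypass_supported() branch, so the ordering is easy to undo in a later cleanup that folds the call back into the declaration. A short comment tying the ordering to the DDW case described in the commit message would record the reason where the next reader will see it.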
+--- a/arch/powerpc/platforms/pseries/iommu.c
++++ b/arch/powerpc/platforms/pseries/iommu.c
+@@ -85,19 +85,24 @@ static struct iommu_table_group *iommu_p
+ static void iommu_pseries_free_group(struct iommu_table_group *table_group,
+ const char *node_name)
+ {
+- struct iommu_table *tbl;
+-
+ if (!table_group)
+ return;
+
+- tbl = table_group->tables[0];
+ #ifdef CONFIG_IOMMU_API
+ if (table_group->group) {
+ iommu_group_put(table_group->group);
+ BUG_ON(table_group->group);
+ }
+ #endif
+- iommu_tce_table_put(tbl);
++
++ /* Default DMA window table is at index 0, while DDW at 1. SR-IOV
++ * adapters only have table on index 1.
++ */
++ if (table_group->tables[0])
++ iommu_tce_table_put(table_group->tables[0]);
++
++ if (table_group->tables[1])
++ iommu_tce_table_put(table_group->tables[1]);
+
+ kfree(table_group);
+ }
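Review bot: the two open-coded blocks testing table_group->tables[0] and table_group->tables[1] hard-code the indices; a loop over ARRAY_SIZE(table_group->tables) with the same NULL check would cover both windows without repeating the iommu_tce_table_put() call and would not need updating if the group ever holds more tables. The new block comment also starts its text on the `/*` line, which differs from the preferred kernel layout for multi-line comments.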
--- /dev/null
+From 571a2a50a8fc546145ffd3bf673547e9fe128ed2 Mon Sep 17 00:00:00 2001
+From: Ze Gao <zegao2021@gmail.com>
+Date: Wed, 17 May 2023 11:45:09 +0800
+Subject: rethook, fprobe: do not trace rethook related functions
+
+From: Ze Gao <zegao2021@gmail.com>
+
+commit 571a2a50a8fc546145ffd3bf673547e9fe128ed2 upstream.
+
+These functions are already marked as NOKPROBE to prevent recursion and
+we have the same reason to blacklist them if rethook is used with fprobe,
+since they are beyond the recursion-free region ftrace can guard.
+
+Link: https://lore.kernel.org/all/20230517034510.15639-5-zegao@tencent.com/
+
+Fixes: f3a112c0c40d ("x86,rethook,kprobes: Replace kretprobe with rethook on x86")
+Signed-off-by: Ze Gao <zegao@tencent.com>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/probes/Makefile | 2 ++
+ arch/s390/kernel/Makefile | 1 +
+ arch/x86/kernel/Makefile | 1 +
+ 3 files changed, 4 insertions(+)
+
+--- a/arch/riscv/kernel/probes/Makefile
++++ b/arch/riscv/kernel/probes/Makefile
+@@ -4,3 +4,5 @@ obj-$(CONFIG_RETHOOK) += rethook.o reth
+ obj-$(CONFIG_KPROBES_ON_FTRACE) += ftrace.o
+ obj-$(CONFIG_UPROBES) += uprobes.o decode-insn.o simulate-insn.o
+ CFLAGS_REMOVE_simulate-insn.o = $(CC_FLAGS_FTRACE)
++CFLAGS_REMOVE_rethook.o = $(CC_FLAGS_FTRACE)
++CFLAGS_REMOVE_rethook_trampoline.o = $(CC_FLAGS_FTRACE)
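Review bot: the object lists are inconsistent across the three Makefiles in this patch: here both rethook.o and rethook_trampoline.o lose $(CC_FLAGS_FTRACE), while the s390 and x86 hunks cover only rethook.o, and the commit message does not say why. If rethook_trampoline.o is assembled rather than compiled from C, the CFLAGS_REMOVE line for it has no effect and can be dropped; otherwise the changelog should state where the trampoline lives on the other two architectures.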
+--- a/arch/s390/kernel/Makefile
++++ b/arch/s390/kernel/Makefile
+@@ -10,6 +10,7 @@ CFLAGS_REMOVE_ftrace.o = $(CC_FLAGS_FTR
+
+ # Do not trace early setup code
+ CFLAGS_REMOVE_early.o = $(CC_FLAGS_FTRACE)
++CFLAGS_REMOVE_rethook.o = $(CC_FLAGS_FTRACE)
+
+ endif
+
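Review bot: the added CFLAGS_REMOVE_rethook.o line lands directly under the `# Do not trace early setup code` comment, which describes early.o and not rethook. Give the new line its own comment (for example, that rethook runs outside the region ftrace can guard against recursion) or separate it from that comment with a blank line.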
+--- a/arch/x86/kernel/Makefile
++++ b/arch/x86/kernel/Makefile
+@@ -17,6 +17,7 @@ CFLAGS_REMOVE_ftrace.o = -pg
+ CFLAGS_REMOVE_early_printk.o = -pg
+ CFLAGS_REMOVE_head64.o = -pg
+ CFLAGS_REMOVE_sev.o = -pg
++CFLAGS_REMOVE_rethook.o = -pg
+ endif
+
+ KASAN_SANITIZE_head$(BITS).o := n
--- /dev/null
+From be243bacfb25f5219f2396d787408e8cf1301dd1 Mon Sep 17 00:00:00 2001
+From: Ze Gao <zegao2021@gmail.com>
+Date: Wed, 17 May 2023 11:45:06 +0800
+Subject: rethook: use preempt_{disable, enable}_notrace in rethook_trampoline_handler
+
+From: Ze Gao <zegao2021@gmail.com>
+
+commit be243bacfb25f5219f2396d787408e8cf1301dd1 upstream.
+
+This patch replaces preempt_{disable, enable} with its corresponding
+notrace version in rethook_trampoline_handler so no worries about stack
+recursion or overflow introduced by preempt_count_{add, sub} under
+fprobe + rethook context.
+
+Link: https://lore.kernel.org/all/20230517034510.15639-2-zegao@tencent.com/
+
+Fixes: 54ecbe6f1ed5 ("rethook: Add a generic return hook")
+Signed-off-by: Ze Gao <zegao@tencent.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/rethook.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/rethook.c
++++ b/kernel/trace/rethook.c
+@@ -288,7 +288,7 @@ unsigned long rethook_trampoline_handler
+ * These loops must be protected from rethook_free_rcu() because those
+ * are accessing 'rhn->rethook'.
+ */
+- preempt_disable();
++ preempt_disable_notrace();
+
+ /*
+ * Run the handler on the shadow stack. Do not unlink the list here because
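Review bot: the comment above preempt_disable_notrace() still explains only the protection against rethook_free_rcu() and says nothing about why the notrace variant is required. One added sentence, that the traced preempt_count helpers can recurse under fprobe plus rethook, would keep a later cleanup from switching back to preempt_disable(); the preempt_enable_notrace() in the next hunk has to stay paired with it for the same reason.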
+@@ -321,7 +321,7 @@ unsigned long rethook_trampoline_handler
+ first = first->next;
+ rethook_recycle(rhn);
+ }
+- preempt_enable();
++ preempt_enable_notrace();
+
+ return correct_ret_addr;
+ }
--- /dev/null
+From 8703dd6b238da0ec6c276e53836f8200983d3d9b Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Thu, 20 Apr 2023 13:31:29 +0200
+Subject: s390/crypto: use vector instructions only if available for ChaCha20
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+commit 8703dd6b238da0ec6c276e53836f8200983d3d9b upstream.
+
+Commit 349d03ffd5f6 ("crypto: s390 - add crypto library interface for
+ChaCha20") added a library interface to the s390 specific ChaCha20
+implementation. However no check was added to verify if the required
+facilities are installed before branching into the assembler code.
+
+If compiled into the kernel, this will lead to the following crash,
+if vector instructions are not available:
+
+data exception: 0007 ilc:3 [#1] SMP
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.3.0-rc7+ #11
+Hardware name: IBM 3931 A01 704 (KVM/Linux)
+Krnl PSW : 0704e00180000000 000000001857277a (chacha20_vx+0x32/0x818)
+ R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
+Krnl GPRS: 0000037f0000000a ffffffffffffff60 000000008184b000 0000000019f5c8e6
+ 0000000000000109 0000037fffb13c58 0000037fffb13c78 0000000019bb1780
+ 0000037fffb13c58 0000000019f5c8e6 000000008184b000 0000000000000109
+ 00000000802d8000 0000000000000109 0000000018571ebc 0000037fffb13718
+Krnl Code: 000000001857276a: c07000b1f80b larl %r7,0000000019bb1780
+ 0000000018572770: a708000a lhi %r0,10
+ #0000000018572774: e78950000c36 vlm %v24,%v25,0(%r5),0
+ >000000001857277a: e7a060000806 vl %v26,0(%r6),0
+ 0000000018572780: e7bf70004c36 vlm %v27,%v31,0(%r7),4
+ 0000000018572786: e70b00000456 vlr %v0,%v27
+ 000000001857278c: e71800000456 vlr %v1,%v24
+ 0000000018572792: e74b00000456 vlr %v4,%v27
+Call Trace:
+ [<000000001857277a>] chacha20_vx+0x32/0x818
+Last Breaking-Event-Address:
+ [<0000000018571eb6>] chacha20_crypt_s390.constprop.0+0x6e/0xd8
+---[ end trace 0000000000000000 ]---
+Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
+
+Fix this by adding a missing MACHINE_HAS_VX check.
+
+Fixes: 349d03ffd5f6 ("crypto: s390 - add crypto library interface for ChaCha20")
+Reported-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Cc: <stable@vger.kernel.org> # 5.19+
+Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
+[agordeev@linux.ibm.com: remove duplicates in commit message]
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/crypto/chacha-glue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/crypto/chacha-glue.c
++++ b/arch/s390/crypto/chacha-glue.c
+@@ -82,7 +82,7 @@ void chacha_crypt_arch(u32 *state, u8 *d
+ * it cannot handle a block of data or less, but otherwise
+ * it can handle data of arbitrary size
+ */
+- if (bytes <= CHACHA_BLOCK_SIZE || nrounds != 20)
++ if (bytes <= CHACHA_BLOCK_SIZE || nrounds != 20 || !MACHINE_HAS_VX)
+ chacha_crypt_generic(state, dst, src, bytes, nrounds);
+ else
+ chacha20_crypt_s390(state, dst, src, bytes,
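Review bot: the comment above the condition still lists only the size limitation of the s390 implementation, although the test now also falls back to chacha_crypt_generic() when MACHINE_HAS_VX is false; extend the comment to say that the assembler path needs the vector facility. Because MACHINE_HAS_VX does not vary per call, testing it first in the condition would also read more naturally than appending it after the per-request checks.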
--- /dev/null
+From c99bff34290f1b994073557b754aff86e4c7b22e Mon Sep 17 00:00:00 2001
+From: Stefan Haberland <sth@linux.ibm.com>
+Date: Fri, 19 May 2023 12:23:40 +0200
+Subject: s390/dasd: fix command reject error on ESE devices
+
+From: Stefan Haberland <sth@linux.ibm.com>
+
+commit c99bff34290f1b994073557b754aff86e4c7b22e upstream.
+
+Formatting a thin-provisioned (ESE) device that is part of a PPRC copy
+relation might fail with the following error:
+
+dasd-eckd 0.0.f500: An error occurred in the DASD device driver, reason=09
+[...]
+24 Byte: 0 MSG 4, no MSGb to SYSOP
+
+During format of an ESE disk the Release Allocated Space command is used.
+A bit in the payload of the command is set that is not allowed to be set
+for devices in a copy relation. This bit is set to allow the partial
+release of an extent.
+
+Check for the existence of a copy relation before setting the respective
+bit.
+
+Fixes: 91dc4a197569 ("s390/dasd: Add new ioctl to release space")
+Cc: stable@kernel.org # 5.3+
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+Link: https://lore.kernel.org/r/20230519102340.3854819-2-sth@linux.ibm.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/block/dasd_eckd.c | 33 +++++++++++++++++++++++++++++++--
+ 1 file changed, 31 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -127,6 +127,8 @@ static int prepare_itcw(struct itcw *, u
+ struct dasd_device *, struct dasd_device *,
+ unsigned int, int, unsigned int, unsigned int,
+ unsigned int, unsigned int);
++static int dasd_eckd_query_pprc_status(struct dasd_device *,
++ struct dasd_pprc_data_sc4 *);
+
+ /* initial attempt at a probe function. this can be simplified once
+ * the other detection code is gone */
+@@ -3732,6 +3734,26 @@ static int count_exts(unsigned int from,
+ return count;
+ }
+
++static int dasd_in_copy_relation(struct dasd_device *device)
++{
++ struct dasd_pprc_data_sc4 *temp;
++ int rc;
++
++ if (!dasd_eckd_pprc_enabled(device))
++ return 0;
++
++ temp = kzalloc(sizeof(*temp), GFP_KERNEL);
++ if (!temp)
++ return -ENOMEM;
++
++ rc = dasd_eckd_query_pprc_status(device, temp);
++ if (!rc)
++ rc = temp->dev_info[0].state;
++
++ kfree(temp);
++ return rc;
++}
++
+ /*
+ * Release allocated space for a given range or an entire volume.
+ */
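Review bot: dasd_in_copy_relation() has three kinds of return value (-ENOMEM or the error code from dasd_eckd_query_pprc_status(), 0, and a positive value copied from temp->dev_info[0].state) but no comment documents that contract, and the name reads like a boolean predicate. A short comment stating which state values mean "in a copy relation", and that only dev_info[0] is consulted, would make the `copy_relation < 0` and `!copy_relation` tests in dasd_eckd_dso_ras() easier to verify.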
+@@ -3748,6 +3770,7 @@ dasd_eckd_dso_ras(struct dasd_device *de
+ int cur_to_trk, cur_from_trk;
+ struct dasd_ccw_req *cqr;
+ u32 beg_cyl, end_cyl;
++ int copy_relation;
+ struct ccw1 *ccw;
+ int trks_per_ext;
+ size_t ras_size;
+@@ -3759,6 +3782,10 @@ dasd_eckd_dso_ras(struct dasd_device *de
+ if (dasd_eckd_ras_sanity_checks(device, first_trk, last_trk))
+ return ERR_PTR(-EINVAL);
+
++ copy_relation = dasd_in_copy_relation(device);
++ if (copy_relation < 0)
++ return ERR_PTR(copy_relation);
++
+ rq = req ? blk_mq_rq_to_pdu(req) : NULL;
+
+ features = &private->features;
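Review bot: dasd_in_copy_relation() is called here unconditionally, before features is even assigned, so every release request pays for a kzalloc(GFP_KERNEL) and a PPRC status query even on devices where bit 0 of feature[56] is clear and the result cannot affect guarantee_init. Moving the call next to the feature test and skipping it when the bit is clear would avoid that; also confirm that every caller of dasd_eckd_dso_ras(), including those passing a non-NULL req, is allowed to sleep.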
+@@ -3787,9 +3814,11 @@ dasd_eckd_dso_ras(struct dasd_device *de
+ /*
+ * This bit guarantees initialisation of tracks within an extent that is
+ * not fully specified, but is only supported with a certain feature
+- * subset.
++ * subset and for devices not in a copy relation.
+ */
+- ras_data->op_flags.guarantee_init = !!(features->feature[56] & 0x01);
++ if (features->feature[56] & 0x01 && !copy_relation)
++ ras_data->op_flags.guarantee_init = 1;
++
+ ras_data->lss = private->conf.ned->ID;
+ ras_data->dev_addr = private->conf.ned->unit_addr;
+ ras_data->nr_exts = nr_exts;
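Review bot: `if (features->feature[56] & 0x01 && !copy_relation)` relies on & binding tighter than &&, which is correct but easy to misread; parenthesise the bit test. The old code assigned guarantee_init on every path, whereas the new code only ever sets it to 1, so the result now depends on ras_data having been zeroed beforehand; a single assignment of the combined condition would keep the previous behaviour regardless of how ras_data was initialised.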
--- /dev/null
+From 2862a2fdfae875888e3c1c3634e3422e01d98147 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Thu, 11 May 2023 17:04:41 +0200
+Subject: s390/qdio: fix do_sqbs() inline assembly constraint
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+commit 2862a2fdfae875888e3c1c3634e3422e01d98147 upstream.
+
+Use "a" constraint instead of "d" constraint to pass the state parameter to
+the do_sqbs() inline assembly. This prevents that general purpose register
+zero is used for the state parameter.
+
+If the compiler would select general purpose register zero this would be
+problematic for the used instruction in rsy format: the register used for
+the state parameter is a base register. If the base register is general
+purpose register zero the contents of the register are unexpectedly ignored
+when the instruction is executed.
+
+This only applies to z/VM guests using QIOASSIST with dedicated (pass through)
+QDIO-based devices such as FCP [zfcp driver] as well as real OSA or
+HiperSockets [qeth driver].
+
+A possible symptom for this case using zfcp is the following repeating kernel
+message pattern:
+
+zfcp <devbusid>: A QDIO problem occurred
+zfcp <devbusid>: A QDIO problem occurred
+zfcp <devbusid>: qdio: ZFCP on SC <sc> using AI:1 QEBSM:1 PRI:1 TDD:1 SIGA: W
+zfcp <devbusid>: A QDIO problem occurred
+zfcp <devbusid>: A QDIO problem occurred
+
+Each of the qdio problem message can be accompanied by the following entries
+for the affected subchannel <sc> in
+/sys/kernel/debug/s390dbf/qdio_error/hex_ascii for zfcp or qeth:
+
+<sc> ccq: 69....
+<sc> SQBS ERROR.
+
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Cc: Steffen Maier <maier@linux.ibm.com>
+Fixes: 8129ee164267 ("[PATCH] s390: qdio V=V pass-through")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/cio/qdio.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/cio/qdio.h
++++ b/drivers/s390/cio/qdio.h
+@@ -95,7 +95,7 @@ static inline int do_sqbs(u64 token, uns
+ " lgr 1,%[token]\n"
+ " .insn rsy,0xeb000000008a,%[qs],%[ccq],0(%[state])"
+ : [ccq] "+&d" (_ccq), [qs] "+&d" (_queuestart)
+- : [state] "d" ((unsigned long)state), [token] "d" (token)
++ : [state] "a" ((unsigned long)state), [token] "d" (token)
+ : "memory", "cc", "1");
+ *count = _ccq & 0xff;
+ *start = _queuestart & 0xff;
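Review bot: nothing at the [state] operand says why it uses the "a" constraint while the neighbouring operands use "d", so the line looks like an inconsistency that a later cleanup could revert. Add a comment next to the operand stating that state is the base register in 0(%[state]) and that general purpose register zero is ignored when used as a base.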
thunderbolt-clear-registers-properly-when-auto-clear-isn-t-in-use.patch
vc_screen-reload-load-of-struct-vc_data-pointer-in-vcs_write-to-avoid-uaf.patch
ceph-force-updating-the-msg-pointer-in-non-split-case.patch
+drm-amd-pm-fix-possible-power-mode-mismatch-between-driver-and-pmfw.patch
+drm-amdgpu-gmc11-implement-get_vbios_fb_size.patch
+drm-amdgpu-gfx10-disable-gfxoff-before-disabling-powergating.patch
+drm-amdgpu-gfx11-adjust-gfxoff-before-powergating-on-gfx11-as-well.patch
+drm-amdgpu-refine-get-gpu-clock-counter-method.patch
+drm-amdgpu-gfx11-update-gpu_clock_counter-logic.patch
+iommu-arm-smmu-qcom-fix-missing-adreno_smmu-s.patch
+dt-bindings-ata-ahci-ceva-cover-all-4-iommus-entries.patch
+powerpc-iommu-dma-address-offset-is-incorrectly-calculated-with-2mb-tces.patch
+powerpc-iommu-incorrect-ddw-table-is-referenced-for-sr-iov-device.patch
+tpm-tpm_tis-disable-interrupts-for-more-lenovo-devices.patch
+powerpc-64s-radix-fix-soft-dirty-tracking.patch
+powerpc-bpf-populate-extable-entries-only-during-the-last-pass.patch
+nfp-fix-nfp_net_max_dscp-definition-error.patch
+nilfs2-fix-use-after-free-bug-of-nilfs_root-in-nilfs_evict_inode.patch
+s390-dasd-fix-command-reject-error-on-ese-devices.patch
+s390-crypto-use-vector-instructions-only-if-available-for-chacha20.patch
+s390-qdio-fix-do_sqbs-inline-assembly-constraint.patch
+arm64-also-reset-kasan-tag-if-page-is-not-pg_mte_tagged.patch
+arm64-mte-do-not-set-pg_mte_tagged-if-tags-were-not-initialized.patch
+rethook-use-preempt_-disable-enable-_notrace-in-rethook_trampoline_handler.patch
+rethook-fprobe-do-not-trace-rethook-related-functions.patch
--- /dev/null
+From e7d3e5c4b1dd50a70b31524c3228c62bb41bbab2 Mon Sep 17 00:00:00 2001
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+Date: Wed, 10 May 2023 17:54:03 -0700
+Subject: tpm/tpm_tis: Disable interrupts for more Lenovo devices
+
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+
+commit e7d3e5c4b1dd50a70b31524c3228c62bb41bbab2 upstream.
+
+The P360 Tiny suffers from an irq storm issue like the T490s, so add
+an entry for it to tpm_tis_dmi_table, and force polling. There also
+previously was a report from the previous attempt to enable interrupts
+that involved a ThinkPad L490. So an entry is added for it as well.
+
+Cc: stable@vger.kernel.org
+Reported-by: Peter Zijlstra <peterz@infradead.org> # P360 Tiny
+Closes: https://lore.kernel.org/linux-integrity/20230505130731.GO83892@hirez.programming.kicks-ass.net/
+Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm_tis.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/char/tpm/tpm_tis.c
++++ b/drivers/char/tpm/tpm_tis.c
+@@ -83,6 +83,22 @@ static const struct dmi_system_id tpm_ti
+ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T490s"),
+ },
+ },
++ {
++ .callback = tpm_tis_disable_irq,
++ .ident = "ThinkStation P360 Tiny",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkStation P360 Tiny"),
++ },
++ },
++ {
++ .callback = tpm_tis_disable_irq,
++ .ident = "ThinkPad L490",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L490"),
++ },
++ },
+ {}
+ };
+
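Review bot: both new entries use DMI_MATCH on DMI_PRODUCT_VERSION, which is a substring comparison, so "ThinkPad L490" also forces polling on any machine whose product version merely contains that string; if only these exact models are meant, DMI_EXACT_MATCH states that. The L490 entry rests on an earlier report that the commit message mentions without a link, so a Link: tag for that report would make the entry traceable.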