--- /dev/null
+From f0cf7ffcd02953c72fed5995378805883d16203e Mon Sep 17 00:00:00 2001
+From: "Wachowski, Karol" <karol.wachowski@intel.com>
+Date: Tue, 2 Apr 2024 12:49:22 +0200
+Subject: accel/ivpu: Check return code of ipc->lock init
+
+From: Wachowski, Karol <karol.wachowski@intel.com>
+
+commit f0cf7ffcd02953c72fed5995378805883d16203e upstream.
+
+Return value of drmm_mutex_init(ipc->lock) was unchecked.
+
+Fixes: 5d7422cfb498 ("accel/ivpu: Add IPC driver and JSM messages")
+Cc: <stable@vger.kernel.org> # v6.3+
+Signed-off-by: Wachowski, Karol <karol.wachowski@intel.com>
+Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240402104929.941186-2-jacek.lawrynowicz@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_ipc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/accel/ivpu/ivpu_ipc.c
++++ b/drivers/accel/ivpu/ivpu_ipc.c
+@@ -1,6 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0-only
+ /*
+- * Copyright (C) 2020-2023 Intel Corporation
++ * Copyright (C) 2020-2024 Intel Corporation
+ */
+
+ #include <linux/genalloc.h>
+@@ -501,7 +501,11 @@ int ivpu_ipc_init(struct ivpu_device *vd
+ spin_lock_init(&ipc->cons_lock);
+ INIT_LIST_HEAD(&ipc->cons_list);
+ INIT_LIST_HEAD(&ipc->cb_msg_list);
+- drmm_mutex_init(&vdev->drm, &ipc->lock);
++ ret = drmm_mutex_init(&vdev->drm, &ipc->lock);
++ if (ret) {
++ ivpu_err(vdev, "Failed to initialize ipc->lock, ret %d\n", ret);
++ goto err_free_rx;
++ }
+ ivpu_ipc_reset(vdev);
+ return 0;
+
--- /dev/null
+From fd7726e75968b27fe98534ccbf47ccd6fef686f3 Mon Sep 17 00:00:00 2001
+From: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Date: Tue, 2 Apr 2024 12:49:29 +0200
+Subject: accel/ivpu: Fix deadlock in context_xa
+
+From: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+
+commit fd7726e75968b27fe98534ccbf47ccd6fef686f3 upstream.
+
+ivpu_device->context_xa is locked both in kernel thread and IRQ context.
+It requires XA_FLAGS_LOCK_IRQ flag to be passed during initialization
+otherwise the lock could be acquired from a thread and interrupted by
+an IRQ that locks it for the second time causing the deadlock.
+
+This deadlock was reported by lockdep and observed in internal tests.
+
+Fixes: 35b137630f08 ("accel/ivpu: Introduce a new DRM driver for Intel VPU")
+Cc: <stable@vger.kernel.org> # v6.3+
+Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240402104929.941186-9-jacek.lawrynowicz@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/accel/ivpu/ivpu_drv.c
++++ b/drivers/accel/ivpu/ivpu_drv.c
+@@ -514,7 +514,7 @@ static int ivpu_dev_init(struct ivpu_dev
+ vdev->context_xa_limit.min = IVPU_USER_CONTEXT_MIN_SSID;
+ vdev->context_xa_limit.max = IVPU_USER_CONTEXT_MAX_SSID;
+ atomic64_set(&vdev->unique_id_counter, 0);
+- xa_init_flags(&vdev->context_xa, XA_FLAGS_ALLOC);
++ xa_init_flags(&vdev->context_xa, XA_FLAGS_ALLOC | XA_FLAGS_LOCK_IRQ);
+ xa_init_flags(&vdev->submitted_jobs_xa, XA_FLAGS_ALLOC1);
+ lockdep_set_class(&vdev->submitted_jobs_xa.xa_lock, &submitted_jobs_xa_lock_class_key);
+ INIT_LIST_HEAD(&vdev->bo_list);
--- /dev/null
+From 3534eacbf101f6e66105f03d869a03893407c384 Mon Sep 17 00:00:00 2001
+From: "Wachowski, Karol" <karol.wachowski@intel.com>
+Date: Tue, 2 Apr 2024 12:49:24 +0200
+Subject: accel/ivpu: Fix PCI D0 state entry in resume
+
+From: Wachowski, Karol <karol.wachowski@intel.com>
+
+commit 3534eacbf101f6e66105f03d869a03893407c384 upstream.
+
+In case of failed power up we end up left in PCI D3hot
+state making it impossible to access NPU registers on retry.
+Enter D0 state on retry before proceeding with power up sequence.
+
+Fixes: 28083ff18d3f ("accel/ivpu: Fix DevTLB errors on suspend/resume and recovery")
+Cc: <stable@vger.kernel.org> # v6.8+
+Signed-off-by: Wachowski, Karol <karol.wachowski@intel.com>
+Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240402104929.941186-4-jacek.lawrynowicz@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_pm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/accel/ivpu/ivpu_pm.c
++++ b/drivers/accel/ivpu/ivpu_pm.c
+@@ -74,10 +74,10 @@ static int ivpu_resume(struct ivpu_devic
+ {
+ int ret;
+
+- pci_set_power_state(to_pci_dev(vdev->drm.dev), PCI_D0);
++retry:
+ pci_restore_state(to_pci_dev(vdev->drm.dev));
++ pci_set_power_state(to_pci_dev(vdev->drm.dev), PCI_D0);
+
+-retry:
+ ret = ivpu_hw_power_up(vdev);
+ if (ret) {
+ ivpu_err(vdev, "Failed to power up HW: %d\n", ret);
--- /dev/null
+From 875bc9cd1b33eb027a5663f5e6878a43d98e9a16 Mon Sep 17 00:00:00 2001
+From: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Date: Tue, 2 Apr 2024 12:49:25 +0200
+Subject: accel/ivpu: Put NPU back to D3hot after failed resume
+
+From: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+
+commit 875bc9cd1b33eb027a5663f5e6878a43d98e9a16 upstream.
+
+Put NPU in D3hot after ivpu_resume() fails to power up the device.
+This will assure that D3->D0 power cycle will be performed before
+the next resume and also will minimize power usage in this corner case.
+
+Fixes: 28083ff18d3f ("accel/ivpu: Fix DevTLB errors on suspend/resume and recovery")
+Cc: <stable@vger.kernel.org> # v6.8+
+Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240402104929.941186-5-jacek.lawrynowicz@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_pm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/accel/ivpu/ivpu_pm.c
++++ b/drivers/accel/ivpu/ivpu_pm.c
+@@ -100,6 +100,7 @@ err_mmu_disable:
+ ivpu_mmu_disable(vdev);
+ err_power_down:
+ ivpu_hw_power_down(vdev);
++ pci_set_power_state(to_pci_dev(vdev->drm.dev), PCI_D3hot);
+
+ if (!ivpu_fw_is_cold_boot(vdev)) {
+ ivpu_pm_prepare_cold_boot(vdev);
--- /dev/null
+From c52c35e5b404b95a5bcff39af9be1b9293be3434 Mon Sep 17 00:00:00 2001
+From: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Date: Tue, 2 Apr 2024 12:49:27 +0200
+Subject: accel/ivpu: Return max freq for DRM_IVPU_PARAM_CORE_CLOCK_RATE
+
+From: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+
+commit c52c35e5b404b95a5bcff39af9be1b9293be3434 upstream.
+
+DRM_IVPU_PARAM_CORE_CLOCK_RATE returns current NPU frequency which
+could be 0 if device was sleeping. This value isn't really useful to
+the user space, so return max freq instead which can be used to estimate
+NPU performance.
+
+Fixes: c39dc15191c4 ("accel/ivpu: Read clock rate only if device is up")
+Cc: <stable@vger.kernel.org> # v6.7
+Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240402104929.941186-7-jacek.lawrynowicz@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_drv.c | 18 +-----------------
+ drivers/accel/ivpu/ivpu_hw.h | 6 ++++++
+ drivers/accel/ivpu/ivpu_hw_37xx.c | 7 ++++---
+ drivers/accel/ivpu/ivpu_hw_40xx.c | 6 ++++++
+ 4 files changed, 17 insertions(+), 20 deletions(-)
+
+--- a/drivers/accel/ivpu/ivpu_drv.c
++++ b/drivers/accel/ivpu/ivpu_drv.c
+@@ -131,22 +131,6 @@ static int ivpu_get_capabilities(struct
+ return 0;
+ }
+
+-static int ivpu_get_core_clock_rate(struct ivpu_device *vdev, u64 *clk_rate)
+-{
+- int ret;
+-
+- ret = ivpu_rpm_get_if_active(vdev);
+- if (ret < 0)
+- return ret;
+-
+- *clk_rate = ret ? ivpu_hw_reg_pll_freq_get(vdev) : 0;
+-
+- if (ret)
+- ivpu_rpm_put(vdev);
+-
+- return 0;
+-}
+-
+ static int ivpu_get_param_ioctl(struct drm_device *dev, void *data, struct drm_file *file)
+ {
+ struct ivpu_file_priv *file_priv = file->driver_priv;
+@@ -170,7 +154,7 @@ static int ivpu_get_param_ioctl(struct d
+ args->value = vdev->platform;
+ break;
+ case DRM_IVPU_PARAM_CORE_CLOCK_RATE:
+- ret = ivpu_get_core_clock_rate(vdev, &args->value);
++ args->value = ivpu_hw_ratio_to_freq(vdev, vdev->hw->pll.max_ratio);
+ break;
+ case DRM_IVPU_PARAM_NUM_CONTEXTS:
+ args->value = ivpu_get_context_count(vdev);
+--- a/drivers/accel/ivpu/ivpu_hw.h
++++ b/drivers/accel/ivpu/ivpu_hw.h
+@@ -21,6 +21,7 @@ struct ivpu_hw_ops {
+ u32 (*profiling_freq_get)(struct ivpu_device *vdev);
+ void (*profiling_freq_drive)(struct ivpu_device *vdev, bool enable);
+ u32 (*reg_pll_freq_get)(struct ivpu_device *vdev);
++ u32 (*ratio_to_freq)(struct ivpu_device *vdev, u32 ratio);
+ u32 (*reg_telemetry_offset_get)(struct ivpu_device *vdev);
+ u32 (*reg_telemetry_size_get)(struct ivpu_device *vdev);
+ u32 (*reg_telemetry_enable_get)(struct ivpu_device *vdev);
+@@ -130,6 +131,11 @@ static inline u32 ivpu_hw_reg_pll_freq_g
+ return vdev->hw->ops->reg_pll_freq_get(vdev);
+ };
+
++static inline u32 ivpu_hw_ratio_to_freq(struct ivpu_device *vdev, u32 ratio)
++{
++ return vdev->hw->ops->ratio_to_freq(vdev, ratio);
++}
++
+ static inline u32 ivpu_hw_reg_telemetry_offset_get(struct ivpu_device *vdev)
+ {
+ return vdev->hw->ops->reg_telemetry_offset_get(vdev);
+--- a/drivers/accel/ivpu/ivpu_hw_37xx.c
++++ b/drivers/accel/ivpu/ivpu_hw_37xx.c
+@@ -805,12 +805,12 @@ static void ivpu_hw_37xx_profiling_freq_
+ /* Profiling freq - is a debug feature. Unavailable on VPU 37XX. */
+ }
+
+-static u32 ivpu_hw_37xx_pll_to_freq(u32 ratio, u32 config)
++static u32 ivpu_hw_37xx_ratio_to_freq(struct ivpu_device *vdev, u32 ratio)
+ {
+ u32 pll_clock = PLL_REF_CLK_FREQ * ratio;
+ u32 cpu_clock;
+
+- if ((config & 0xff) == PLL_RATIO_4_3)
++ if ((vdev->hw->config & 0xff) == PLL_RATIO_4_3)
+ cpu_clock = pll_clock * 2 / 4;
+ else
+ cpu_clock = pll_clock * 2 / 5;
+@@ -829,7 +829,7 @@ static u32 ivpu_hw_37xx_reg_pll_freq_get
+ if (!ivpu_is_silicon(vdev))
+ return PLL_SIMULATION_FREQ;
+
+- return ivpu_hw_37xx_pll_to_freq(pll_curr_ratio, vdev->hw->config);
++ return ivpu_hw_37xx_ratio_to_freq(vdev, pll_curr_ratio);
+ }
+
+ static u32 ivpu_hw_37xx_reg_telemetry_offset_get(struct ivpu_device *vdev)
+@@ -1052,6 +1052,7 @@ const struct ivpu_hw_ops ivpu_hw_37xx_op
+ .profiling_freq_get = ivpu_hw_37xx_profiling_freq_get,
+ .profiling_freq_drive = ivpu_hw_37xx_profiling_freq_drive,
+ .reg_pll_freq_get = ivpu_hw_37xx_reg_pll_freq_get,
++ .ratio_to_freq = ivpu_hw_37xx_ratio_to_freq,
+ .reg_telemetry_offset_get = ivpu_hw_37xx_reg_telemetry_offset_get,
+ .reg_telemetry_size_get = ivpu_hw_37xx_reg_telemetry_size_get,
+ .reg_telemetry_enable_get = ivpu_hw_37xx_reg_telemetry_enable_get,
+--- a/drivers/accel/ivpu/ivpu_hw_40xx.c
++++ b/drivers/accel/ivpu/ivpu_hw_40xx.c
+@@ -980,6 +980,11 @@ static u32 ivpu_hw_40xx_reg_pll_freq_get
+ return PLL_RATIO_TO_FREQ(pll_curr_ratio);
+ }
+
++static u32 ivpu_hw_40xx_ratio_to_freq(struct ivpu_device *vdev, u32 ratio)
++{
++ return PLL_RATIO_TO_FREQ(ratio);
++}
++
+ static u32 ivpu_hw_40xx_reg_telemetry_offset_get(struct ivpu_device *vdev)
+ {
+ return REGB_RD32(VPU_40XX_BUTTRESS_VPU_TELEMETRY_OFFSET);
+@@ -1230,6 +1235,7 @@ const struct ivpu_hw_ops ivpu_hw_40xx_op
+ .profiling_freq_get = ivpu_hw_40xx_profiling_freq_get,
+ .profiling_freq_drive = ivpu_hw_40xx_profiling_freq_drive,
+ .reg_pll_freq_get = ivpu_hw_40xx_reg_pll_freq_get,
++ .ratio_to_freq = ivpu_hw_40xx_ratio_to_freq,
+ .reg_telemetry_offset_get = ivpu_hw_40xx_reg_telemetry_offset_get,
+ .reg_telemetry_size_get = ivpu_hw_40xx_reg_telemetry_size_get,
+ .reg_telemetry_enable_get = ivpu_hw_40xx_reg_telemetry_enable_get,
--- /dev/null
+From 808e7716edcdb39d3498b9f567ef6017858b49aa Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Mon, 1 Apr 2024 18:25:04 -0400
+Subject: arm64: dts: imx8-ss-conn: fix usb lpcg indices
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit 808e7716edcdb39d3498b9f567ef6017858b49aa upstream.
+
+usb2_lpcg: clock-controller@5b270000 {
+ ... Col1 Col2
+ clocks = <&conn_ahb_clk>, <&conn_ipg_clk>; // 0 6
+ clock-indices = <IMX_LPCG_CLK_6>, <IMX_LPCG_CLK_7>; // 0 7
+ ...
+};
+
+Col1: index, which existing dts try to get.
+Col2: actual index in lpcg driver.
+
+usbotg1: usb@5b0d0000 {
+ ...
+ clocks = <&usb2_lpcg 0>;
+ ^^
+Should be:
+ clocks = <&usb2_lpcg IMX_LPCG_CLK_6>;
+};
+
+usbphy1: usbphy@5b100000 {
+ clocks = <&usb2_lpcg 1>;
+ ^^
+SHould be:
+ clocks = <&usb2_lpcg IMX_LPCG_CLK_7>;
+};
+
+Arg0 is divided by 4 in lpcg driver. So lpcg will do dummy enable. Fix it
+by use correct clock indices.
+
+Cc: stable@vger.kernel.org
+Fixes: 8065fc937f0f ("arm64: dts: imx8dxl: add usb1 and usb2 support")
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8-ss-conn.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8-ss-conn.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8-ss-conn.dtsi
+@@ -41,7 +41,7 @@ conn_subsys: bus@5b000000 {
+ interrupts = <GIC_SPI 267 IRQ_TYPE_LEVEL_HIGH>;
+ fsl,usbphy = <&usbphy1>;
+ fsl,usbmisc = <&usbmisc1 0>;
+- clocks = <&usb2_lpcg 0>;
++ clocks = <&usb2_lpcg IMX_LPCG_CLK_6>;
+ ahb-burst-config = <0x0>;
+ tx-burst-size-dword = <0x10>;
+ rx-burst-size-dword = <0x10>;
+@@ -58,7 +58,7 @@ conn_subsys: bus@5b000000 {
+ usbphy1: usbphy@5b100000 {
+ compatible = "fsl,imx7ulp-usbphy";
+ reg = <0x5b100000 0x1000>;
+- clocks = <&usb2_lpcg 1>;
++ clocks = <&usb2_lpcg IMX_LPCG_CLK_7>;
+ power-domains = <&pd IMX_SC_R_USB_0_PHY>;
+ status = "disabled";
+ };
--- /dev/null
+From 81975080f14167610976e968e8016e92d836266f Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Mon, 1 Apr 2024 18:25:07 -0400
+Subject: arm64: dts: imx8-ss-dma: fix adc lpcg indices
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit 81975080f14167610976e968e8016e92d836266f upstream.
+
+adc0_lpcg: clock-controller@5ac80000 {
+ ... Col1 Col2
+ clocks = <&clk IMX_SC_R_ADC_0 IMX_SC_PM_CLK_PER>, // 0 0
+ <&dma_ipg_clk>; // 1 4
+ clock-indices = <IMX_LPCG_CLK_0>, <IMX_LPCG_CLK_4>;
+};
+
+Col1: index, which existing dts try to get.
+Col2: actual index in lpcg driver.
+
+adc0: adc@5a880000 {
+ clocks = <&adc0_lpcg 0>, <&adc0_lpcg 1>;
+ ^^ ^^
+ clocks = <&adc0_lpcg IMX_LPCG_CLK_0>, <&adc0_lpcg IMX_LPCG_CLK_4>;
+
+Arg0 is divided by 4 in lpcg driver. So adc get IMX_SC_PM_CLK_PER by
+<&adc0_lpcg 0>, <&adc0_lpcg 1>. Although function can work, code logic is
+wrong. Fix it by using correct indices.
+
+Cc: stable@vger.kernel.org
+Fixes: 1db044b25d2e ("arm64: dts: imx8dxl: add adc0 support")
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi
+@@ -377,8 +377,8 @@ dma_subsys: bus@5a000000 {
+ reg = <0x5a880000 0x10000>;
+ interrupts = <GIC_SPI 240 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-parent = <&gic>;
+- clocks = <&adc0_lpcg 0>,
+- <&adc0_lpcg 1>;
++ clocks = <&adc0_lpcg IMX_LPCG_CLK_0>,
++ <&adc0_lpcg IMX_LPCG_CLK_4>;
+ clock-names = "per", "ipg";
+ assigned-clocks = <&clk IMX_SC_R_ADC_0 IMX_SC_PM_CLK_PER>;
+ assigned-clock-rates = <24000000>;
+@@ -392,8 +392,8 @@ dma_subsys: bus@5a000000 {
+ reg = <0x5a890000 0x10000>;
+ interrupts = <GIC_SPI 241 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-parent = <&gic>;
+- clocks = <&adc1_lpcg 0>,
+- <&adc1_lpcg 1>;
++ clocks = <&adc1_lpcg IMX_LPCG_CLK_0>,
++ <&adc1_lpcg IMX_LPCG_CLK_4>;
+ clock-names = "per", "ipg";
+ assigned-clocks = <&clk IMX_SC_R_ADC_1 IMX_SC_PM_CLK_PER>;
+ assigned-clock-rates = <24000000>;
--- /dev/null
+From 0893392334b5dffdf616a53679c6a2942c46391b Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Mon, 1 Apr 2024 18:25:08 -0400
+Subject: arm64: dts: imx8-ss-dma: fix can lpcg indices
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit 0893392334b5dffdf616a53679c6a2942c46391b upstream.
+
+can0_lpcg: clock-controller@5acd0000 {
+ ... Col1 Col2
+ clocks = <&clk IMX_SC_R_CAN_0 IMX_SC_PM_CLK_PER>, // 0 0
+ <&dma_ipg_clk>, // 1 4
+ <&dma_ipg_clk>; // 2 5
+ clock-indices = <IMX_LPCG_CLK_0>,
+ <IMX_LPCG_CLK_4>,
+ <IMX_LPCG_CLK_5>;
+}
+
+Col1: index, which existing dts try to get.
+Col2: actual index in lpcg driver.
+
+flexcan1: can@5a8d0000 {
+ clocks = <&can0_lpcg 1>, <&can0_lpcg 0>;
+ ^^ ^^
+Should be:
+ clocks = <&can0_lpcg IMX_LPCG_CLK_4>, <&can0_lpcg IMX_LPCG_CLK_0>;
+};
+
+Arg0 is divided by 4 in lpcg driver. flexcan driver get IMX_SC_PM_CLK_PER
+by <&can0_lpcg 1> and <&can0_lpcg 0>. Although function can work, code
+logic is wrong. Fix it by using correct clock indices.
+
+Cc: stable@vger.kernel.org
+Fixes: 5e7d5b023e03 ("arm64: dts: imx8qxp: add flexcan in adma")
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi
+@@ -406,8 +406,8 @@ dma_subsys: bus@5a000000 {
+ reg = <0x5a8d0000 0x10000>;
+ interrupts = <GIC_SPI 235 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-parent = <&gic>;
+- clocks = <&can0_lpcg 1>,
+- <&can0_lpcg 0>;
++ clocks = <&can0_lpcg IMX_LPCG_CLK_4>,
++ <&can0_lpcg IMX_LPCG_CLK_0>;
+ clock-names = "ipg", "per";
+ assigned-clocks = <&clk IMX_SC_R_CAN_0 IMX_SC_PM_CLK_PER>;
+ assigned-clock-rates = <40000000>;
+@@ -427,8 +427,8 @@ dma_subsys: bus@5a000000 {
+ * CAN1 shares CAN0's clock and to enable CAN0's clock it
+ * has to be powered on.
+ */
+- clocks = <&can0_lpcg 1>,
+- <&can0_lpcg 0>;
++ clocks = <&can0_lpcg IMX_LPCG_CLK_4>,
++ <&can0_lpcg IMX_LPCG_CLK_0>;
+ clock-names = "ipg", "per";
+ assigned-clocks = <&clk IMX_SC_R_CAN_0 IMX_SC_PM_CLK_PER>;
+ assigned-clock-rates = <40000000>;
+@@ -448,8 +448,8 @@ dma_subsys: bus@5a000000 {
+ * CAN2 shares CAN0's clock and to enable CAN0's clock it
+ * has to be powered on.
+ */
+- clocks = <&can0_lpcg 1>,
+- <&can0_lpcg 0>;
++ clocks = <&can0_lpcg IMX_LPCG_CLK_4>,
++ <&can0_lpcg IMX_LPCG_CLK_0>;
+ clock-names = "ipg", "per";
+ assigned-clocks = <&clk IMX_SC_R_CAN_0 IMX_SC_PM_CLK_PER>;
+ assigned-clock-rates = <40000000>;
--- /dev/null
+From 9055d87bce7276234173fa90e9702af31b3f5353 Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Mon, 1 Apr 2024 18:25:06 -0400
+Subject: arm64: dts: imx8-ss-dma: fix pwm lpcg indices
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit 9055d87bce7276234173fa90e9702af31b3f5353 upstream.
+
+adma_pwm_lpcg: clock-controller@5a590000 {
+ ... col1 col2
+ clocks = <&clk IMX_SC_R_LCD_0_PWM_0 IMX_SC_PM_CLK_PER>,// 0 0
+ <&dma_ipg_clk>; // 1 4
+ clock-indices = <IMX_LPCG_CLK_0>, <IMX_LPCG_CLK_4>;
+ ...
+};
+
+Col1: index, which existing dts try to get.
+Col2: actual index in lpcg driver.
+
+adma_pwm: pwm@5a190000 {
+ ...
+ clocks = <&adma_pwm_lpcg 1>, <&adma_pwm_lpcg 0>;
+ ^^ ^^
+Should be
+ clocks = <&adma_pwm_lpcg IMX_LPCG_CLK_4>,
+ <&adma_pwm_lpcg IMX_LPCG_CLK_0>;
+};
+
+Arg0 will be divided by 4 in lcpg driver, so pwm will get IMX_SC_PM_CLK_PER
+by <&adma_pwm_lpcg 1>, <&adma_pwm_lpcg 0>. Although function can work, code
+logic is wrong. Fix it by use correct indices.
+
+Cc: stable@vger.kernel.org
+Fixes: f1d6a6b991ef ("arm64: dts: imx8qxp: add adma_pwm in adma")
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi
+@@ -144,8 +144,8 @@ dma_subsys: bus@5a000000 {
+ compatible = "fsl,imx8qxp-pwm", "fsl,imx27-pwm";
+ reg = <0x5a190000 0x1000>;
+ interrupts = <GIC_SPI 127 IRQ_TYPE_LEVEL_HIGH>;
+- clocks = <&adma_pwm_lpcg 1>,
+- <&adma_pwm_lpcg 0>;
++ clocks = <&adma_pwm_lpcg IMX_LPCG_CLK_4>,
++ <&adma_pwm_lpcg IMX_LPCG_CLK_0>;
+ clock-names = "ipg", "per";
+ assigned-clocks = <&clk IMX_SC_R_LCD_0_PWM_0 IMX_SC_PM_CLK_PER>;
+ assigned-clock-rates = <24000000>;
--- /dev/null
+From f72b544a514c07d34a0d9d5380f5905b3731e647 Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Mon, 1 Apr 2024 18:25:05 -0400
+Subject: arm64: dts: imx8-ss-dma: fix spi lpcg indices
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit f72b544a514c07d34a0d9d5380f5905b3731e647 upstream.
+
+spi0_lpcg: clock-controller@5a400000 {
+ ... Col0 Col1
+ clocks = <&clk IMX_SC_R_SPI_0 IMX_SC_PM_CLK_PER>,// 0 1
+ <&dma_ipg_clk>; // 1 4
+ clock-indices = <IMX_LPCG_CLK_0>, <IMX_LPCG_CLK_4>;
+};
+
+Col1: index, which existing dts try to get.
+Col2: actual index in lpcg driver.
+
+lpspi0: spi@5a000000 {
+ ...
+ clocks = <&spi0_lpcg 0>, <&spi0_lpcg 1>;
+ ^ ^
+Should be:
+ clocks = <&spi0_lpcg IMX_LPCG_CLK_0>, <&spi0_lpcg IMX_LPCG_CLK_4>;
+};
+
+Arg0 is divided by 4 in lpcg driver. <&spi0_lpcg 0> and <&spi0_lpcg 1> are
+IMX_SC_PM_CLK_PER. Although code can work, code logic is wrong. It should
+use IMX_LPCG_CLK_0 and IMX_LPCG_CLK_4 for lpcg arg0.
+
+Cc: stable@vger.kernel.org
+Fixes: c4098885e790 ("arm64: dts: imx8dxl: add lpspi support")
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi
+@@ -27,8 +27,8 @@ dma_subsys: bus@5a000000 {
+ #size-cells = <0>;
+ interrupts = <GIC_SPI 336 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-parent = <&gic>;
+- clocks = <&spi0_lpcg 0>,
+- <&spi0_lpcg 1>;
++ clocks = <&spi0_lpcg IMX_LPCG_CLK_0>,
++ <&spi0_lpcg IMX_LPCG_CLK_4>;
+ clock-names = "per", "ipg";
+ assigned-clocks = <&clk IMX_SC_R_SPI_0 IMX_SC_PM_CLK_PER>;
+ assigned-clock-rates = <60000000>;
+@@ -43,8 +43,8 @@ dma_subsys: bus@5a000000 {
+ #size-cells = <0>;
+ interrupts = <GIC_SPI 337 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-parent = <&gic>;
+- clocks = <&spi1_lpcg 0>,
+- <&spi1_lpcg 1>;
++ clocks = <&spi1_lpcg IMX_LPCG_CLK_0>,
++ <&spi1_lpcg IMX_LPCG_CLK_4>;
+ clock-names = "per", "ipg";
+ assigned-clocks = <&clk IMX_SC_R_SPI_1 IMX_SC_PM_CLK_PER>;
+ assigned-clock-rates = <60000000>;
+@@ -59,8 +59,8 @@ dma_subsys: bus@5a000000 {
+ #size-cells = <0>;
+ interrupts = <GIC_SPI 338 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-parent = <&gic>;
+- clocks = <&spi2_lpcg 0>,
+- <&spi2_lpcg 1>;
++ clocks = <&spi2_lpcg IMX_LPCG_CLK_0>,
++ <&spi2_lpcg IMX_LPCG_CLK_4>;
+ clock-names = "per", "ipg";
+ assigned-clocks = <&clk IMX_SC_R_SPI_2 IMX_SC_PM_CLK_PER>;
+ assigned-clock-rates = <60000000>;
+@@ -75,8 +75,8 @@ dma_subsys: bus@5a000000 {
+ #size-cells = <0>;
+ interrupts = <GIC_SPI 339 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-parent = <&gic>;
+- clocks = <&spi3_lpcg 0>,
+- <&spi3_lpcg 1>;
++ clocks = <&spi3_lpcg IMX_LPCG_CLK_0>,
++ <&spi3_lpcg IMX_LPCG_CLK_4>;
+ clock-names = "per", "ipg";
+ assigned-clocks = <&clk IMX_SC_R_SPI_3 IMX_SC_PM_CLK_PER>;
+ assigned-clock-rates = <60000000>;
--- /dev/null
+From 1d86c2b3946e69d6b0b93568d312aae6247847c0 Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Mon, 1 Apr 2024 18:25:03 -0400
+Subject: arm64: dts: imx8-ss-lsio: fix pwm lpcg indices
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit 1d86c2b3946e69d6b0b93568d312aae6247847c0 upstream.
+
+lpcg's arg0 should use clock indices instead of index.
+
+pwm0_lpcg: clock-controller@5d400000 {
+ ... // Col1 Col2
+ clocks = <&clk IMX_SC_R_PWM_0 IMX_SC_PM_CLK_PER>, // 0 0
+ <&clk IMX_SC_R_PWM_0 IMX_SC_PM_CLK_PER>, // 1 1
+ <&clk IMX_SC_R_PWM_0 IMX_SC_PM_CLK_PER>, // 2 4
+ <&lsio_bus_clk>, // 3 5
+ <&clk IMX_SC_R_PWM_0 IMX_SC_PM_CLK_PER>; // 4 6
+ clock-indices = <IMX_LPCG_CLK_0>, <IMX_LPCG_CLK_1>,
+ <IMX_LPCG_CLK_4>, <IMX_LPCG_CLK_5>,
+ <IMX_LPCG_CLK_6>;
+};
+
+Col1: index, which existing dts try to get.
+Col2: actual index in lpcg driver.
+
+pwm1 {
+ ....
+ clocks = <&pwm1_lpcg 4>, <&pwm1_lpcg 1>;
+ ^^ ^^
+should be:
+
+ clocks = <&pwm1_lpcg IMX_LPCG_CLK_6>, <&pwm1_lpcg IMX_LPCG_CLK_1>;
+};
+
+Arg0 is divided by 4 in lpcg driver, so index 0 and 1 will be get by pwm
+driver, which are same as IMX_LPCG_CLK_6 and IMX_LPCG_CLK_1. Even it can
+work, but code logic is wrong. Fixed it by use correct indices.
+
+Cc: stable@vger.kernel.org
+Fixes: 23fa99b205ea ("arm64: dts: freescale: imx8-ss-lsio: add support for lsio_pwm0-3")
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8-ss-lsio.dtsi | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8-ss-lsio.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8-ss-lsio.dtsi
+@@ -25,8 +25,8 @@ lsio_subsys: bus@5d000000 {
+ compatible = "fsl,imx27-pwm";
+ reg = <0x5d000000 0x10000>;
+ clock-names = "ipg", "per";
+- clocks = <&pwm0_lpcg 4>,
+- <&pwm0_lpcg 1>;
++ clocks = <&pwm0_lpcg IMX_LPCG_CLK_6>,
++ <&pwm0_lpcg IMX_LPCG_CLK_1>;
+ assigned-clocks = <&clk IMX_SC_R_PWM_0 IMX_SC_PM_CLK_PER>;
+ assigned-clock-rates = <24000000>;
+ #pwm-cells = <3>;
+@@ -38,8 +38,8 @@ lsio_subsys: bus@5d000000 {
+ compatible = "fsl,imx27-pwm";
+ reg = <0x5d010000 0x10000>;
+ clock-names = "ipg", "per";
+- clocks = <&pwm1_lpcg 4>,
+- <&pwm1_lpcg 1>;
++ clocks = <&pwm1_lpcg IMX_LPCG_CLK_6>,
++ <&pwm1_lpcg IMX_LPCG_CLK_1>;
+ assigned-clocks = <&clk IMX_SC_R_PWM_1 IMX_SC_PM_CLK_PER>;
+ assigned-clock-rates = <24000000>;
+ #pwm-cells = <3>;
+@@ -51,8 +51,8 @@ lsio_subsys: bus@5d000000 {
+ compatible = "fsl,imx27-pwm";
+ reg = <0x5d020000 0x10000>;
+ clock-names = "ipg", "per";
+- clocks = <&pwm2_lpcg 4>,
+- <&pwm2_lpcg 1>;
++ clocks = <&pwm2_lpcg IMX_LPCG_CLK_6>,
++ <&pwm2_lpcg IMX_LPCG_CLK_1>;
+ assigned-clocks = <&clk IMX_SC_R_PWM_2 IMX_SC_PM_CLK_PER>;
+ assigned-clock-rates = <24000000>;
+ #pwm-cells = <3>;
+@@ -64,8 +64,8 @@ lsio_subsys: bus@5d000000 {
+ compatible = "fsl,imx27-pwm";
+ reg = <0x5d030000 0x10000>;
+ clock-names = "ipg", "per";
+- clocks = <&pwm3_lpcg 4>,
+- <&pwm3_lpcg 1>;
++ clocks = <&pwm3_lpcg IMX_LPCG_CLK_6>,
++ <&pwm3_lpcg IMX_LPCG_CLK_1>;
+ assigned-clocks = <&clk IMX_SC_R_PWM_3 IMX_SC_PM_CLK_PER>;
+ assigned-clock-rates = <24000000>;
+ #pwm-cells = <3>;
--- /dev/null
+From 00b436182138310bb8d362b912b12a9df8f72ca3 Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Mon, 1 Apr 2024 18:25:09 -0400
+Subject: arm64: dts: imx8qm-ss-dma: fix can lpcg indices
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit 00b436182138310bb8d362b912b12a9df8f72ca3 upstream.
+
+can1_lpcg: clock-controller@5ace0000 {
+ ... Col1 Col2
+ clocks = <&clk IMX_SC_R_CAN_1 IMX_SC_PM_CLK_PER>,// 0 0
+ <&dma_ipg_clk>, // 1 4
+ <&dma_ipg_clk>; // 2 5
+ clock-indices = <IMX_LPCG_CLK_0>,
+ <IMX_LPCG_CLK_4>,
+ <IMX_LPCG_CLK_5>;
+};
+
+Col1: index, which existing dts try to get.
+Col2: actual index in lpcg driver
+
+&flexcan2 {
+ clocks = <&can1_lpcg 1>, <&can1_lpcg 0>;
+ ^^ ^^
+Should be:
+ clocks = <&can1_lpcg IMX_LPCG_CLK_4>, <&can1_lpcg IMX_LPCG_CLK_0>;
+};
+
+Arg0 is divided by 4 in lpcg driver. So flexcan get IMX_SC_PM_CLK_PER by
+<&can1_lpcg 1> and <&can1_lpcg 0>. Although function work, code logic is
+wrong. Fix it by using correct clock indices.
+
+Cc: stable@vger.kernel.org
+Fixes: be85831de020 ("arm64: dts: imx8qm: add can node in devicetree")
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi
+@@ -127,15 +127,15 @@
+ };
+
+ &flexcan2 {
+- clocks = <&can1_lpcg 1>,
+- <&can1_lpcg 0>;
++ clocks = <&can1_lpcg IMX_LPCG_CLK_4>,
++ <&can1_lpcg IMX_LPCG_CLK_0>;
+ assigned-clocks = <&clk IMX_SC_R_CAN_1 IMX_SC_PM_CLK_PER>;
+ fsl,clk-source = /bits/ 8 <1>;
+ };
+
+ &flexcan3 {
+- clocks = <&can2_lpcg 1>,
+- <&can2_lpcg 0>;
++ clocks = <&can2_lpcg IMX_LPCG_CLK_4>,
++ <&can2_lpcg IMX_LPCG_CLK_0>;
+ assigned-clocks = <&clk IMX_SC_R_CAN_2 IMX_SC_PM_CLK_PER>;
+ fsl,clk-source = /bits/ 8 <1>;
+ };
--- /dev/null
+From 211de93367304ab395357f8cb12568a4d1e20701 Mon Sep 17 00:00:00 2001
+From: Boris Burkov <boris@bur.io>
+Date: Thu, 21 Mar 2024 10:18:39 -0700
+Subject: btrfs: qgroup: convert PREALLOC to PERTRANS after record_root_in_trans
+
+From: Boris Burkov <boris@bur.io>
+
+commit 211de93367304ab395357f8cb12568a4d1e20701 upstream.
+
+The transaction is only able to free PERTRANS reservations for a root
+once that root has been recorded with the TRANS tag on the roots radix
+tree. Therefore, until we are sure that this root will get tagged, it
+isn't safe to convert. Generally, this is not an issue as *some*
+transaction will likely tag the root before long and this reservation
+will get freed in that transaction, but technically it could stick
+around until unmount and result in a warning about leaked metadata
+reservation space.
+
+This path is most exercised by running the generic/269 fstest with
+CONFIG_BTRFS_DEBUG.
+
+Fixes: a6496849671a ("btrfs: fix start transaction qgroup rsv double free")
+CC: stable@vger.kernel.org # 6.6+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Boris Burkov <boris@bur.io>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/transaction.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -747,14 +747,6 @@ again:
+ h->reloc_reserved = reloc_reserved;
+ }
+
+- /*
+- * Now that we have found a transaction to be a part of, convert the
+- * qgroup reservation from prealloc to pertrans. A different transaction
+- * can't race in and free our pertrans out from under us.
+- */
+- if (qgroup_reserved)
+- btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved);
+-
+ got_it:
+ if (!current->journal_info)
+ current->journal_info = h;
+@@ -788,8 +780,15 @@ got_it:
+ * not just freed.
+ */
+ btrfs_end_transaction(h);
+- return ERR_PTR(ret);
++ goto reserve_fail;
+ }
++ /*
++ * Now that we have found a transaction to be a part of, convert the
++ * qgroup reservation from prealloc to pertrans. A different transaction
++ * can't race in and free our pertrans out from under us.
++ */
++ if (qgroup_reserved)
++ btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved);
+
+ return h;
+
--- /dev/null
+From 141fb8cd206ace23c02cd2791c6da52c1d77d42a Mon Sep 17 00:00:00 2001
+From: Boris Burkov <boris@bur.io>
+Date: Tue, 19 Mar 2024 10:54:22 -0700
+Subject: btrfs: qgroup: correctly model root qgroup rsv in convert
+
+From: Boris Burkov <boris@bur.io>
+
+commit 141fb8cd206ace23c02cd2791c6da52c1d77d42a upstream.
+
+We use add_root_meta_rsv and sub_root_meta_rsv to track prealloc and
+pertrans reservations for subvolumes when quotas are enabled. The
+convert function does not properly increment pertrans after decrementing
+prealloc, so the count is not accurate.
+
+Note: we check that the fs is not read-only to mirror the logic in
+qgroup_convert_meta, which checks that before adding to the pertrans rsv.
+
+Fixes: 8287475a2055 ("btrfs: qgroup: Use root::qgroup_meta_rsv_* to record qgroup meta reserved space")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Boris Burkov <boris@bur.io>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/qgroup.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -4432,6 +4432,8 @@ void btrfs_qgroup_convert_reserved_meta(
+ BTRFS_QGROUP_RSV_META_PREALLOC);
+ trace_qgroup_meta_convert(root, num_bytes);
+ qgroup_convert_meta(fs_info, root->root_key.objectid, num_bytes);
++ if (!sb_rdonly(fs_info->sb))
++ add_root_meta_rsv(root, num_bytes, BTRFS_QGROUP_RSV_META_PERTRANS);
+ }
+
+ /*
--- /dev/null
+From 74e97958121aa1f5854da6effba70143f051b0cd Mon Sep 17 00:00:00 2001
+From: Boris Burkov <boris@bur.io>
+Date: Thu, 21 Mar 2024 10:02:04 -0700
+Subject: btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations
+
+From: Boris Burkov <boris@bur.io>
+
+commit 74e97958121aa1f5854da6effba70143f051b0cd upstream.
+
+Create subvolume, create snapshot and delete subvolume all use
+btrfs_subvolume_reserve_metadata() to reserve metadata for the changes
+done to the parent subvolume's fs tree, which cannot be mediated in the
+normal way via start_transaction. When quota groups (squota or qgroups)
+are enabled, this reserves qgroup metadata of type PREALLOC. Once the
+operation is associated to a transaction, we convert PREALLOC to
+PERTRANS, which gets cleared in bulk at the end of the transaction.
+
+However, the error paths of these three operations were not implementing
+this lifecycle correctly. They unconditionally converted the PREALLOC to
+PERTRANS in a generic cleanup step regardless of errors or whether the
+operation was fully associated to a transaction or not. This resulted in
+error paths occasionally converting this rsv to PERTRANS without calling
+record_root_in_trans successfully, which meant that unless that root got
+recorded in the transaction by some other thread, the end of the
+transaction would not free that root's PERTRANS, leaking it. Ultimately,
+this resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount
+for the leaked reservation.
+
+The fix is to ensure that every qgroup PREALLOC reservation observes the
+following properties:
+
+1. any failure before record_root_in_trans is called successfully
+ results in freeing the PREALLOC reservation.
+2. after record_root_in_trans, we convert to PERTRANS, and now the
+ transaction owns freeing the reservation.
+
+This patch enforces those properties on the three operations. Without
+it, generic/269 with squotas enabled at mkfs time would fail in ~5-10
+runs on my system. With this patch, it ran successfully 1000 times in a
+row.
+
+Fixes: e85fde5162bf ("btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Boris Burkov <boris@bur.io>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/inode.c | 13 ++++++++++++-
+ fs/btrfs/ioctl.c | 37 ++++++++++++++++++++++++++++---------
+ fs/btrfs/root-tree.c | 10 ----------
+ fs/btrfs/root-tree.h | 2 --
+ 4 files changed, 40 insertions(+), 22 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -4476,6 +4476,7 @@ int btrfs_delete_subvolume(struct btrfs_
+ struct btrfs_trans_handle *trans;
+ struct btrfs_block_rsv block_rsv;
+ u64 root_flags;
++ u64 qgroup_reserved = 0;
+ int ret;
+
+ down_write(&fs_info->subvol_sem);
+@@ -4520,12 +4521,20 @@ int btrfs_delete_subvolume(struct btrfs_
+ ret = btrfs_subvolume_reserve_metadata(root, &block_rsv, 5, true);
+ if (ret)
+ goto out_undead;
++ qgroup_reserved = block_rsv.qgroup_rsv_reserved;
+
+ trans = btrfs_start_transaction(root, 0);
+ if (IS_ERR(trans)) {
+ ret = PTR_ERR(trans);
+ goto out_release;
+ }
++ ret = btrfs_record_root_in_trans(trans, root);
++ if (ret) {
++ btrfs_abort_transaction(trans, ret);
++ goto out_end_trans;
++ }
++ btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved);
++ qgroup_reserved = 0;
+ trans->block_rsv = &block_rsv;
+ trans->bytes_reserved = block_rsv.size;
+
+@@ -4584,7 +4593,9 @@ out_end_trans:
+ ret = btrfs_end_transaction(trans);
+ inode->i_flags |= S_DEAD;
+ out_release:
+- btrfs_subvolume_release_metadata(root, &block_rsv);
++ btrfs_block_rsv_release(fs_info, &block_rsv, (u64)-1, NULL);
++ if (qgroup_reserved)
++ btrfs_qgroup_free_meta_prealloc(root, qgroup_reserved);
+ out_undead:
+ if (ret) {
+ spin_lock(&dest->root_item_lock);
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -603,6 +603,7 @@ static noinline int create_subvol(struct
+ int ret;
+ dev_t anon_dev;
+ u64 objectid;
++ u64 qgroup_reserved = 0;
+
+ root_item = kzalloc(sizeof(*root_item), GFP_KERNEL);
+ if (!root_item)
+@@ -640,13 +641,18 @@ static noinline int create_subvol(struct
+ trans_num_items, false);
+ if (ret)
+ goto out_new_inode_args;
++ qgroup_reserved = block_rsv.qgroup_rsv_reserved;
+
+ trans = btrfs_start_transaction(root, 0);
+ if (IS_ERR(trans)) {
+ ret = PTR_ERR(trans);
+- btrfs_subvolume_release_metadata(root, &block_rsv);
+- goto out_new_inode_args;
++ goto out_release_rsv;
+ }
++ ret = btrfs_record_root_in_trans(trans, BTRFS_I(dir)->root);
++ if (ret)
++ goto out;
++ btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved);
++ qgroup_reserved = 0;
+ trans->block_rsv = &block_rsv;
+ trans->bytes_reserved = block_rsv.size;
+ /* Tree log can't currently deal with an inode which is a new root. */
+@@ -757,9 +763,11 @@ static noinline int create_subvol(struct
+ out:
+ trans->block_rsv = NULL;
+ trans->bytes_reserved = 0;
+- btrfs_subvolume_release_metadata(root, &block_rsv);
+-
+ btrfs_end_transaction(trans);
++out_release_rsv:
++ btrfs_block_rsv_release(fs_info, &block_rsv, (u64)-1, NULL);
++ if (qgroup_reserved)
++ btrfs_qgroup_free_meta_prealloc(root, qgroup_reserved);
+ out_new_inode_args:
+ btrfs_new_inode_args_destroy(&new_inode_args);
+ out_inode:
+@@ -781,6 +789,8 @@ static int create_snapshot(struct btrfs_
+ struct btrfs_pending_snapshot *pending_snapshot;
+ unsigned int trans_num_items;
+ struct btrfs_trans_handle *trans;
++ struct btrfs_block_rsv *block_rsv;
++ u64 qgroup_reserved = 0;
+ int ret;
+
+ /* We do not support snapshotting right now. */
+@@ -817,19 +827,19 @@ static int create_snapshot(struct btrfs_
+ goto free_pending;
+ }
+
+- btrfs_init_block_rsv(&pending_snapshot->block_rsv,
+- BTRFS_BLOCK_RSV_TEMP);
++ block_rsv = &pending_snapshot->block_rsv;
++ btrfs_init_block_rsv(block_rsv, BTRFS_BLOCK_RSV_TEMP);
+ /*
+ * 1 to add dir item
+ * 1 to add dir index
+ * 1 to update parent inode item
+ */
+ trans_num_items = create_subvol_num_items(inherit) + 3;
+- ret = btrfs_subvolume_reserve_metadata(BTRFS_I(dir)->root,
+- &pending_snapshot->block_rsv,
++ ret = btrfs_subvolume_reserve_metadata(BTRFS_I(dir)->root, block_rsv,
+ trans_num_items, false);
+ if (ret)
+ goto free_pending;
++ qgroup_reserved = block_rsv->qgroup_rsv_reserved;
+
+ pending_snapshot->dentry = dentry;
+ pending_snapshot->root = root;
+@@ -842,6 +852,13 @@ static int create_snapshot(struct btrfs_
+ ret = PTR_ERR(trans);
+ goto fail;
+ }
++ ret = btrfs_record_root_in_trans(trans, BTRFS_I(dir)->root);
++ if (ret) {
++ btrfs_end_transaction(trans);
++ goto fail;
++ }
++ btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved);
++ qgroup_reserved = 0;
+
+ trans->pending_snapshot = pending_snapshot;
+
+@@ -871,7 +888,9 @@ fail:
+ if (ret && pending_snapshot->snap)
+ pending_snapshot->snap->anon_dev = 0;
+ btrfs_put_root(pending_snapshot->snap);
+- btrfs_subvolume_release_metadata(root, &pending_snapshot->block_rsv);
++ btrfs_block_rsv_release(fs_info, block_rsv, (u64)-1, NULL);
++ if (qgroup_reserved)
++ btrfs_qgroup_free_meta_prealloc(root, qgroup_reserved);
+ free_pending:
+ if (pending_snapshot->anon_dev)
+ free_anon_bdev(pending_snapshot->anon_dev);
+--- a/fs/btrfs/root-tree.c
++++ b/fs/btrfs/root-tree.c
+@@ -539,13 +539,3 @@ int btrfs_subvolume_reserve_metadata(str
+ }
+ return ret;
+ }
+-
+-void btrfs_subvolume_release_metadata(struct btrfs_root *root,
+- struct btrfs_block_rsv *rsv)
+-{
+- struct btrfs_fs_info *fs_info = root->fs_info;
+- u64 qgroup_to_release;
+-
+- btrfs_block_rsv_release(fs_info, rsv, (u64)-1, &qgroup_to_release);
+- btrfs_qgroup_convert_reserved_meta(root, qgroup_to_release);
+-}
+--- a/fs/btrfs/root-tree.h
++++ b/fs/btrfs/root-tree.h
+@@ -8,8 +8,6 @@ struct fscrypt_str;
+ int btrfs_subvolume_reserve_metadata(struct btrfs_root *root,
+ struct btrfs_block_rsv *rsv,
+ int nitems, bool use_global_rsv);
+-void btrfs_subvolume_release_metadata(struct btrfs_root *root,
+- struct btrfs_block_rsv *rsv);
+ int btrfs_add_root_ref(struct btrfs_trans_handle *trans, u64 root_id,
+ u64 ref_id, u64 dirid, u64 sequence,
+ const struct fscrypt_str *name);
--- /dev/null
+From 71537e35c324ea6fbd68377a4f26bb93a831ae35 Mon Sep 17 00:00:00 2001
+From: Boris Burkov <boris@bur.io>
+Date: Thu, 21 Mar 2024 10:14:24 -0700
+Subject: btrfs: record delayed inode root in transaction
+
+From: Boris Burkov <boris@bur.io>
+
+commit 71537e35c324ea6fbd68377a4f26bb93a831ae35 upstream.
+
+When running delayed inode updates, we do not record the inode's root in
+the transaction, but we do allocate PREALLOC and thus converted PERTRANS
+space for it. To be sure we free that PERTRANS meta rsv, we must ensure
+that we record the root in the transaction.
+
+Fixes: 4f5427ccce5d ("btrfs: delayed-inode: Use new qgroup meta rsv for delayed inode and item")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Boris Burkov <boris@bur.io>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/delayed-inode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/btrfs/delayed-inode.c
++++ b/fs/btrfs/delayed-inode.c
+@@ -1128,6 +1128,9 @@ __btrfs_commit_inode_delayed_items(struc
+ if (ret)
+ return ret;
+
++ ret = btrfs_record_root_in_trans(trans, node->root);
++ if (ret)
++ return ret;
+ ret = btrfs_update_delayed_inode(trans, node->root, path, node);
+ return ret;
+ }
--- /dev/null
+From 0f1bbcc2bab25d5fb2dfb1ee3e08131437690d3d Mon Sep 17 00:00:00 2001
+From: Lang Yu <Lang.Yu@amd.com>
+Date: Mon, 25 Mar 2024 13:24:31 +0800
+Subject: drm/amdgpu/umsch: reinitialize write pointer in hw init
+
+From: Lang Yu <Lang.Yu@amd.com>
+
+commit 0f1bbcc2bab25d5fb2dfb1ee3e08131437690d3d upstream.
+
+Otherwise the old one will be used during GPU reset.
+That's not expected.
+
+Signed-off-by: Lang Yu <Lang.Yu@amd.com>
+Reviewed-by: Feifei Xu <Feifei.Xu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/umsch_mm_v4_0.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/umsch_mm_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/umsch_mm_v4_0.c
+@@ -225,6 +225,8 @@ static int umsch_mm_v4_0_ring_start(stru
+
+ WREG32_SOC15(VCN, 0, regVCN_UMSCH_RB_SIZE, ring->ring_size);
+
++ ring->wptr = 0;
++
+ data = RREG32_SOC15(VCN, 0, regVCN_RB_ENABLE);
+ data &= ~(VCN_RB_ENABLE__AUDIO_RB_EN_MASK);
+ WREG32_SOC15(VCN, 0, regVCN_RB_ENABLE, data);
--- /dev/null
+From 8bdfb4ea95ca738d33ef71376c21eba20130f2eb Mon Sep 17 00:00:00 2001
+From: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+Date: Tue, 26 Mar 2024 15:32:46 -0400
+Subject: drm/amdkfd: Reset GPU on queue preemption failure
+
+From: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+
+commit 8bdfb4ea95ca738d33ef71376c21eba20130f2eb upstream.
+
+Currently, with F32 HWS GPU reset is only when unmap queue fails.
+
+However, if compute queue doesn't repond to preemption request in time
+unmap will return without any error. In this case, only preemption error
+is logged and Reset is not triggered. Call GPU reset in this case also.
+
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+Reviewed-by: Mukul Joshi <mukul.joshi@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+@@ -1997,6 +1997,7 @@ static int unmap_queues_cpsch(struct dev
+ dev_err(dev, "HIQ MQD's queue_doorbell_id0 is not 0, Queue preemption time out\n");
+ while (halt_if_hws_hang)
+ schedule();
++ kfd_hws_hang(dqm);
+ return -ETIME;
+ }
+
--- /dev/null
+From bc004f5038220b1891ef4107134ccae44be55109 Mon Sep 17 00:00:00 2001
+From: Jammy Huang <jammy_huang@aspeedtech.com>
+Date: Wed, 3 Apr 2024 17:02:46 +0800
+Subject: drm/ast: Fix soft lockup
+
+From: Jammy Huang <jammy_huang@aspeedtech.com>
+
+commit bc004f5038220b1891ef4107134ccae44be55109 upstream.
+
+There is a while-loop in ast_dp_set_on_off() that could lead to
+infinite-loop. This is because the register, VGACRI-Dx, checked in
+this API is a scratch register actually controlled by a MCU, named
+DPMCU, in BMC.
+
+These scratch registers are protected by scu-lock. If suc-lock is not
+off, DPMCU can not update these registers and then host will have soft
+lockup due to never updated status.
+
+DPMCU is used to control DP and relative registers to handshake with
+host's VGA driver. Even the most time-consuming task, DP's link
+training, is less than 100ms. 200ms should be enough.
+
+Signed-off-by: Jammy Huang <jammy_huang@aspeedtech.com>
+Fixes: 594e9c04b586 ("drm/ast: Create the driver for ASPEED proprietory Display-Port")
+Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: KuoHsiang Chou <kuohsiang_chou@aspeedtech.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Jocelyn Falempe <jfalempe@redhat.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v5.19+
+Link: https://patchwork.freedesktop.org/patch/msgid/20240403090246.1495487-1-jammy_huang@aspeedtech.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/ast/ast_dp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/ast/ast_dp.c
++++ b/drivers/gpu/drm/ast/ast_dp.c
+@@ -180,6 +180,7 @@ void ast_dp_set_on_off(struct drm_device
+ {
+ struct ast_device *ast = to_ast_device(dev);
+ u8 video_on_off = on;
++ u32 i = 0;
+
+ // Video On/Off
+ ast_set_index_reg_mask(ast, AST_IO_VGACRI, 0xE3, (u8) ~AST_DP_VIDEO_ENABLE, on);
+@@ -192,6 +193,8 @@ void ast_dp_set_on_off(struct drm_device
+ ASTDP_MIRROR_VIDEO_ENABLE) != video_on_off) {
+ // wait 1 ms
+ mdelay(1);
++ if (++i > 200)
++ break;
+ }
+ }
+ }
--- /dev/null
+From 3eadd887dbac1df8f25f701e5d404d1b90fd0fea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Thu, 4 Apr 2024 23:33:25 +0300
+Subject: drm/client: Fully protect modes[] with dev->mode_config.mutex
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 3eadd887dbac1df8f25f701e5d404d1b90fd0fea upstream.
+
+The modes[] array contains pointers to modes on the connectors'
+mode lists, which are protected by dev->mode_config.mutex.
+Thus we need to extend modes[] the same protection or by the
+time we use it the elements may already be pointing to
+freed/reused memory.
+
+Cc: stable@vger.kernel.org
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240404203336.10454-2-ville.syrjala@linux.intel.com
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_client_modeset.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_client_modeset.c
++++ b/drivers/gpu/drm/drm_client_modeset.c
+@@ -777,6 +777,7 @@ int drm_client_modeset_probe(struct drm_
+ unsigned int total_modes_count = 0;
+ struct drm_client_offset *offsets;
+ unsigned int connector_count = 0;
++ /* points to modes protected by mode_config.mutex */
+ struct drm_display_mode **modes;
+ struct drm_crtc **crtcs;
+ int i, ret = 0;
+@@ -845,7 +846,6 @@ int drm_client_modeset_probe(struct drm_
+ drm_client_pick_crtcs(client, connectors, connector_count,
+ crtcs, modes, 0, width, height);
+ }
+- mutex_unlock(&dev->mode_config.mutex);
+
+ drm_client_modeset_release(client);
+
+@@ -875,6 +875,7 @@ int drm_client_modeset_probe(struct drm_
+ modeset->y = offset->y;
+ }
+ }
++ mutex_unlock(&dev->mode_config.mutex);
+
+ mutex_unlock(&client->modeset_mutex);
+ out:
--- /dev/null
+From dcd8992e47f13afb5c11a61e8d9c141c35e23751 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Fri, 5 Apr 2024 00:34:29 +0300
+Subject: drm/i915/vrr: Disable VRR when using bigjoiner
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit dcd8992e47f13afb5c11a61e8d9c141c35e23751 upstream.
+
+All joined pipes share the same transcoder/timing generator.
+Currently we just do the commits per-pipe, which doesn't really
+work if we need to change switch between non-VRR and VRR timings
+generators on the fly, or even when sending the push to the
+transcoder. For now just disable VRR when bigjoiner is needed.
+
+Cc: stable@vger.kernel.org
+Tested-by: Vidya Srinivas <vidya.srinivas@intel.com>
+Reviewed-by: Vandita Kulkarni <vandita.kulkarni@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240404213441.17637-6-ville.syrjala@linux.intel.com
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+(cherry picked from commit f9d5e51db65652dbd8a2102fd7619440e3599fd2)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_vrr.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/i915/display/intel_vrr.c
++++ b/drivers/gpu/drm/i915/display/intel_vrr.c
+@@ -117,6 +117,13 @@ intel_vrr_compute_config(struct intel_cr
+ const struct drm_display_info *info = &connector->base.display_info;
+ int vmin, vmax;
+
++ /*
++ * FIXME all joined pipes share the same transcoder.
++ * Need to account for that during VRR toggle/push/etc.
++ */
++ if (crtc_state->bigjoiner_pipes)
++ return;
++
+ if (adjusted_mode->flags & DRM_MODE_FLAG_INTERLACE)
+ return;
+
--- /dev/null
+From e86750b01a1560f198e4b3e21bb3f78bfd5bb2c3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Wed, 13 Mar 2024 17:43:06 +0100
+Subject: drm/msm/dp: fix runtime PM leak on connect failure
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit e86750b01a1560f198e4b3e21bb3f78bfd5bb2c3 upstream.
+
+Make sure to balance the runtime PM usage counter (and suspend) before
+returning on connect failures (e.g. DPCD read failures after a spurious
+connect event or if link training fails).
+
+Fixes: 5814b8bf086a ("drm/msm/dp: incorporate pm_runtime framework into DP driver")
+Cc: stable@vger.kernel.org # 6.8
+Cc: Kuogee Hsieh <quic_khsieh@quicinc.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/582746/
+Link: https://lore.kernel.org/r/20240313164306.23133-3-johan+linaro@kernel.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/dp/dp_display.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/msm/dp/dp_display.c
++++ b/drivers/gpu/drm/msm/dp/dp_display.c
+@@ -598,6 +598,7 @@ static int dp_hpd_plug_handle(struct dp_
+ ret = dp_display_usbpd_configure_cb(&pdev->dev);
+ if (ret) { /* link train failed */
+ dp->hpd_state = ST_DISCONNECTED;
++ pm_runtime_put_sync(&pdev->dev);
+ } else {
+ dp->hpd_state = ST_MAINLINK_READY;
+ }
--- /dev/null
+From 0640f47b742667fca6aac174f7cd62b6c2c7532c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Wed, 13 Mar 2024 17:43:05 +0100
+Subject: drm/msm/dp: fix runtime PM leak on disconnect
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 0640f47b742667fca6aac174f7cd62b6c2c7532c upstream.
+
+Make sure to put the runtime PM usage count (and suspend) also when
+receiving a disconnect event while in the ST_MAINLINK_READY state.
+
+This specifically avoids leaking a runtime PM usage count on every
+disconnect with display servers that do not automatically enable
+external displays when receiving a hotplug notification.
+
+Fixes: 5814b8bf086a ("drm/msm/dp: incorporate pm_runtime framework into DP driver")
+Cc: stable@vger.kernel.org # 6.8
+Cc: Kuogee Hsieh <quic_khsieh@quicinc.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/582744/
+Link: https://lore.kernel.org/r/20240313164306.23133-2-johan+linaro@kernel.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/dp/dp_display.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/msm/dp/dp_display.c
++++ b/drivers/gpu/drm/msm/dp/dp_display.c
+@@ -655,6 +655,7 @@ static int dp_hpd_unplug_handle(struct d
+ dp_display_host_phy_exit(dp);
+ dp->hpd_state = ST_DISCONNECTED;
+ dp_display_notify_disconnect(&dp->dp_display.pdev->dev);
++ pm_runtime_put_sync(&pdev->dev);
+ mutex_unlock(&dp->event_mutex);
+ return 0;
+ }
--- /dev/null
+From 1fc9af813b25e146d3607669247d0f970f5a87c3 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@collabora.com>
+Date: Fri, 5 Jan 2024 21:46:11 +0300
+Subject: drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()
+
+From: Boris Brezillon <boris.brezillon@collabora.com>
+
+commit 1fc9af813b25e146d3607669247d0f970f5a87c3 upstream.
+
+Subject: drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()
+
+If some the pages or sgt allocation failed, we shouldn't release the
+pages ref we got earlier, otherwise we will end up with unbalanced
+get/put_pages() calls. We should instead leave everything in place
+and let the BO release function deal with extra cleanup when the object
+is destroyed, or let the fault handler try again next time it's called.
+
+Fixes: 187d2929206e ("drm/panfrost: Add support for GPU heap allocations")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
+Co-developed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240105184624.508603-18-dmitry.osipenko@collabora.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/panfrost/panfrost_mmu.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/panfrost/panfrost_mmu.c
++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c
+@@ -502,11 +502,18 @@ static int panfrost_mmu_map_fault_addr(s
+ mapping_set_unevictable(mapping);
+
+ for (i = page_offset; i < page_offset + NUM_FAULT_PAGES; i++) {
++ /* Can happen if the last fault only partially filled this
++ * section of the pages array before failing. In that case
++ * we skip already filled pages.
++ */
++ if (pages[i])
++ continue;
++
+ pages[i] = shmem_read_mapping_page(mapping, i);
+ if (IS_ERR(pages[i])) {
+ ret = PTR_ERR(pages[i]);
+ pages[i] = NULL;
+- goto err_pages;
++ goto err_unlock;
+ }
+ }
+
+@@ -514,7 +521,7 @@ static int panfrost_mmu_map_fault_addr(s
+ ret = sg_alloc_table_from_pages(sgt, pages + page_offset,
+ NUM_FAULT_PAGES, 0, SZ_2M, GFP_KERNEL);
+ if (ret)
+- goto err_pages;
++ goto err_unlock;
+
+ ret = dma_map_sgtable(pfdev->dev, sgt, DMA_BIDIRECTIONAL, 0);
+ if (ret)
+@@ -537,8 +544,6 @@ out:
+
+ err_map:
+ sg_free_table(sgt);
+-err_pages:
+- drm_gem_shmem_put_pages(&bo->base);
+ err_unlock:
+ dma_resv_unlock(obj->resv);
+ err_bo:
--- /dev/null
+From 4c08f01934ab67d1d283d5cbaa52b923abcfe4cd Mon Sep 17 00:00:00 2001
+From: Zack Rusin <zack.rusin@broadcom.com>
+Date: Sun, 7 Apr 2024 22:28:02 -0400
+Subject: drm/vmwgfx: Enable DMA mappings with SEV
+
+From: Zack Rusin <zack.rusin@broadcom.com>
+
+commit 4c08f01934ab67d1d283d5cbaa52b923abcfe4cd upstream.
+
+Enable DMA mappings in vmwgfx after TTM has been fixed in commit
+3bf3710e3718 ("drm/ttm: Add a generic TTM memcpy move for page-based iomem")
+
+This enables full guest-backed memory support and in particular allows
+usage of screen targets as the presentation mechanism.
+
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Reported-by: Ye Li <ye.li@broadcom.com>
+Tested-by: Ye Li <ye.li@broadcom.com>
+Fixes: 3b0d6458c705 ("drm/vmwgfx: Refuse DMA operation when SEV encryption is active")
+Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list@broadcom.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v6.6+
+Reviewed-by: Martin Krastev <martin.krastev@broadcom.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240408022802.358641-1-zack.rusin@broadcom.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+@@ -666,11 +666,12 @@ static int vmw_dma_select_mode(struct vm
+ [vmw_dma_map_populate] = "Caching DMA mappings.",
+ [vmw_dma_map_bind] = "Giving up DMA mappings early."};
+
+- /* TTM currently doesn't fully support SEV encryption. */
+- if (cc_platform_has(CC_ATTR_MEM_ENCRYPT))
+- return -EINVAL;
+-
+- if (vmw_force_coherent)
++ /*
++ * When running with SEV we always want dma mappings, because
++ * otherwise ttm tt pool pages will bounce through swiotlb running
++ * out of available space.
++ */
++ if (vmw_force_coherent || cc_platform_has(CC_ATTR_MEM_ENCRYPT))
+ dev_priv->map_mode = vmw_dma_alloc_coherent;
+ else if (vmw_restrict_iommu)
+ dev_priv->map_mode = vmw_dma_map_bind;
--- /dev/null
+From fbbdc255fbee59b4207a5398fdb4f04590681a79 Mon Sep 17 00:00:00 2001
+From: Zhenhua Huang <quic_zhenhuah@quicinc.com>
+Date: Mon, 8 Apr 2024 21:43:57 -0700
+Subject: fs/proc: remove redundant comments from /proc/bootconfig
+
+From: Zhenhua Huang <quic_zhenhuah@quicinc.com>
+
+commit fbbdc255fbee59b4207a5398fdb4f04590681a79 upstream.
+
+commit 717c7c894d4b ("fs/proc: Add boot loader arguments as comment to
+/proc/bootconfig") adds bootloader argument comments into /proc/bootconfig.
+
+/proc/bootconfig shows boot_command_line[] multiple times following
+every xbc key value pair, that's duplicated and not necessary.
+Remove redundant ones.
+
+Output before and after the fix is like:
+key1 = value1
+*bootloader argument comments*
+key2 = value2
+*bootloader argument comments*
+key3 = value3
+*bootloader argument comments*
+...
+
+key1 = value1
+key2 = value2
+key3 = value3
+*bootloader argument comments*
+...
+
+Link: https://lore.kernel.org/all/20240409044358.1156477-1-paulmck@kernel.org/
+
+Fixes: 717c7c894d4b ("fs/proc: Add boot loader arguments as comment to /proc/bootconfig")
+Signed-off-by: Zhenhua Huang <quic_zhenhuah@quicinc.com>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Cc: <linux-trace-kernel@vger.kernel.org>
+Cc: <linux-fsdevel@vger.kernel.org>
+Cc: stable@vger.kernel.org
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/bootconfig.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/fs/proc/bootconfig.c b/fs/proc/bootconfig.c
+index 902b326e1e56..e5635a6b127b 100644
+--- a/fs/proc/bootconfig.c
++++ b/fs/proc/bootconfig.c
+@@ -62,12 +62,12 @@ static int __init copy_xbc_key_value_list(char *dst, size_t size)
+ break;
+ dst += ret;
+ }
+- if (ret >= 0 && boot_command_line[0]) {
+- ret = snprintf(dst, rest(dst, end), "# Parameters from bootloader:\n# %s\n",
+- boot_command_line);
+- if (ret > 0)
+- dst += ret;
+- }
++ }
++ if (ret >= 0 && boot_command_line[0]) {
++ ret = snprintf(dst, rest(dst, end), "# Parameters from bootloader:\n# %s\n",
++ boot_command_line);
++ if (ret > 0)
++ dst += ret;
+ }
+ out:
+ kfree(key);
+--
+2.44.0
+
--- /dev/null
+From c722cea208789d9e2660992bcd05fb9fac3adb56 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Mon, 8 Apr 2024 21:43:58 -0700
+Subject: fs/proc: Skip bootloader comment if no embedded kernel parameters
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit c722cea208789d9e2660992bcd05fb9fac3adb56 upstream.
+
+If the "bootconfig" kernel command-line argument was specified or if
+the kernel was built with CONFIG_BOOT_CONFIG_FORCE, but if there are
+no embedded kernel parameter, omit the "# Parameters from bootloader:"
+comment from the /proc/bootconfig file. This will cause automation
+to fall back to the /proc/cmdline file, which will be identical to the
+comment in this no-embedded-kernel-parameters case.
+
+Link: https://lore.kernel.org/all/20240409044358.1156477-2-paulmck@kernel.org/
+
+Fixes: 8b8ce6c75430 ("fs/proc: remove redundant comments from /proc/bootconfig")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Cc: stable@vger.kernel.org
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/bootconfig.c | 2 +-
+ include/linux/bootconfig.h | 1 +
+ init/main.c | 5 +++++
+ 3 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/proc/bootconfig.c
++++ b/fs/proc/bootconfig.c
+@@ -63,7 +63,7 @@ static int __init copy_xbc_key_value_lis
+ dst += ret;
+ }
+ }
+- if (ret >= 0 && boot_command_line[0]) {
++ if (cmdline_has_extra_options() && ret >= 0 && boot_command_line[0]) {
+ ret = snprintf(dst, rest(dst, end), "# Parameters from bootloader:\n# %s\n",
+ boot_command_line);
+ if (ret > 0)
+--- a/include/linux/bootconfig.h
++++ b/include/linux/bootconfig.h
+@@ -10,6 +10,7 @@
+ #ifdef __KERNEL__
+ #include <linux/kernel.h>
+ #include <linux/types.h>
++bool __init cmdline_has_extra_options(void);
+ #else /* !__KERNEL__ */
+ /*
+ * NOTE: This is only for tools/bootconfig, because tools/bootconfig will
+--- a/init/main.c
++++ b/init/main.c
+@@ -485,6 +485,11 @@ static int __init warn_bootconfig(char *
+
+ early_param("bootconfig", warn_bootconfig);
+
++bool __init cmdline_has_extra_options(void)
++{
++ return extra_command_line || extra_init_args;
++}
++
+ /* Change NUL term back to "=", to make "param" the whole string. */
+ static void __init repair_env_string(char *param, char *val)
+ {
--- /dev/null
+From 4fe82aedeb8a8cb09bfa60f55ab57b5c10a74ac4 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Mon, 8 Apr 2024 18:11:09 +0100
+Subject: io_uring/net: restore msg_control on sendzc retry
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 4fe82aedeb8a8cb09bfa60f55ab57b5c10a74ac4 upstream.
+
+cac9e4418f4cb ("io_uring/net: save msghdr->msg_control for retries")
+reinstatiates msg_control before every __sys_sendmsg_sock(), since the
+function can overwrite the value in msghdr. We need to do same for
+zerocopy sendmsg.
+
+Cc: stable@vger.kernel.org
+Fixes: 493108d95f146 ("io_uring/net: zerocopy sendmsg")
+Link: https://github.com/axboe/liburing/issues/1067
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/cc1d5d9df0576fa66ddad4420d240a98a020b267.1712596179.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -1255,6 +1255,7 @@ int io_sendmsg_zc(struct io_kiocb *req,
+
+ if (req_has_async_data(req)) {
+ kmsg = req->async_data;
++ kmsg->msg.msg_control_user = sr->msg_control;
+ } else {
+ ret = io_sendmsg_copy_hdr(req, &iomsg);
+ if (ret)
--- /dev/null
+From 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8 Mon Sep 17 00:00:00 2001
+From: Zheng Yejian <zhengyejian1@huawei.com>
+Date: Wed, 10 Apr 2024 09:58:02 +0800
+Subject: kprobes: Fix possible use-after-free issue on kprobe registration
+
+From: Zheng Yejian <zhengyejian1@huawei.com>
+
+commit 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8 upstream.
+
+When unloading a module, its state is changing MODULE_STATE_LIVE ->
+ MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take
+a time. `is_module_text_address()` and `__module_text_address()`
+works with MODULE_STATE_LIVE and MODULE_STATE_GOING.
+If we use `is_module_text_address()` and `__module_text_address()`
+separately, there is a chance that the first one is succeeded but the
+next one is failed because module->state becomes MODULE_STATE_UNFORMED
+between those operations.
+
+In `check_kprobe_address_safe()`, if the second `__module_text_address()`
+is failed, that is ignored because it expected a kernel_text address.
+But it may have failed simply because module->state has been changed
+to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify
+non-exist module text address (use-after-free).
+
+To fix this problem, we should not use separated `is_module_text_address()`
+and `__module_text_address()`, but use only `__module_text_address()`
+once and do `try_module_get(module)` which is only available with
+MODULE_STATE_LIVE.
+
+Link: https://lore.kernel.org/all/20240410015802.265220-1-zhengyejian1@huawei.com/
+
+Fixes: 28f6c37a2910 ("kprobes: Forbid probing on trampoline and BPF code areas")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kprobes.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1567,10 +1567,17 @@ static int check_kprobe_address_safe(str
+ jump_label_lock();
+ preempt_disable();
+
+- /* Ensure it is not in reserved area nor out of text */
+- if (!(core_kernel_text((unsigned long) p->addr) ||
+- is_module_text_address((unsigned long) p->addr)) ||
+- in_gate_area_no_mm((unsigned long) p->addr) ||
++ /* Ensure the address is in a text area, and find a module if exists. */
++ *probed_mod = NULL;
++ if (!core_kernel_text((unsigned long) p->addr)) {
++ *probed_mod = __module_text_address((unsigned long) p->addr);
++ if (!(*probed_mod)) {
++ ret = -EINVAL;
++ goto out;
++ }
++ }
++ /* Ensure it is not in reserved area. */
++ if (in_gate_area_no_mm((unsigned long) p->addr) ||
+ within_kprobe_blacklist((unsigned long) p->addr) ||
+ jump_label_text_reserved(p->addr, p->addr) ||
+ static_call_text_reserved(p->addr, p->addr) ||
+@@ -1580,8 +1587,7 @@ static int check_kprobe_address_safe(str
+ goto out;
+ }
+
+- /* Check if 'p' is probing a module. */
+- *probed_mod = __module_text_address((unsigned long) p->addr);
++ /* Get module refcount and reject __init functions for loaded modules. */
+ if (*probed_mod) {
+ /*
+ * We must hold a refcount of the probed module while updating
--- /dev/null
+From dec8ced871e17eea46f097542dd074d022be4bd1 Mon Sep 17 00:00:00 2001
+From: Namhyung Kim <namhyung@kernel.org>
+Date: Tue, 5 Mar 2024 22:10:03 -0800
+Subject: perf/x86: Fix out of range data
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+commit dec8ced871e17eea46f097542dd074d022be4bd1 upstream.
+
+On x86 each struct cpu_hw_events maintains a table for counter assignment but
+it missed to update one for the deleted event in x86_pmu_del(). This
+can make perf_clear_dirty_counters() reset used counter if it's called
+before event scheduling or enabling. Then it would return out of range
+data which doesn't make sense.
+
+The following code can reproduce the problem.
+
+ $ cat repro.c
+ #include <pthread.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <linux/perf_event.h>
+ #include <sys/ioctl.h>
+ #include <sys/mman.h>
+ #include <sys/syscall.h>
+
+ struct perf_event_attr attr = {
+ .type = PERF_TYPE_HARDWARE,
+ .config = PERF_COUNT_HW_CPU_CYCLES,
+ .disabled = 1,
+ };
+
+ void *worker(void *arg)
+ {
+ int cpu = (long)arg;
+ int fd1 = syscall(SYS_perf_event_open, &attr, -1, cpu, -1, 0);
+ int fd2 = syscall(SYS_perf_event_open, &attr, -1, cpu, -1, 0);
+ void *p;
+
+ do {
+ ioctl(fd1, PERF_EVENT_IOC_ENABLE, 0);
+ p = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd1, 0);
+ ioctl(fd2, PERF_EVENT_IOC_ENABLE, 0);
+
+ ioctl(fd2, PERF_EVENT_IOC_DISABLE, 0);
+ munmap(p, 4096);
+ ioctl(fd1, PERF_EVENT_IOC_DISABLE, 0);
+ } while (1);
+
+ return NULL;
+ }
+
+ int main(void)
+ {
+ int i;
+ int n = sysconf(_SC_NPROCESSORS_ONLN);
+ pthread_t *th = calloc(n, sizeof(*th));
+
+ for (i = 0; i < n; i++)
+ pthread_create(&th[i], NULL, worker, (void *)(long)i);
+ for (i = 0; i < n; i++)
+ pthread_join(th[i], NULL);
+
+ free(th);
+ return 0;
+ }
+
+And you can see the out of range data using perf stat like this.
+Probably it'd be easier to see on a large machine.
+
+ $ gcc -o repro repro.c -pthread
+ $ ./repro &
+ $ sudo perf stat -A -I 1000 2>&1 | awk '{ if (length($3) > 15) print }'
+ 1.001028462 CPU6 196,719,295,683,763 cycles # 194290.996 GHz (71.54%)
+ 1.001028462 CPU3 396,077,485,787,730 branch-misses # 15804359784.80% of all branches (71.07%)
+ 1.001028462 CPU17 197,608,350,727,877 branch-misses # 14594186554.56% of all branches (71.22%)
+ 2.020064073 CPU4 198,372,472,612,140 cycles # 194681.113 GHz (70.95%)
+ 2.020064073 CPU6 199,419,277,896,696 cycles # 195720.007 GHz (70.57%)
+ 2.020064073 CPU20 198,147,174,025,639 cycles # 194474.654 GHz (71.03%)
+ 2.020064073 CPU20 198,421,240,580,145 stalled-cycles-frontend # 100.14% frontend cycles idle (70.93%)
+ 3.037443155 CPU4 197,382,689,923,416 cycles # 194043.065 GHz (71.30%)
+ 3.037443155 CPU20 196,324,797,879,414 cycles # 193003.773 GHz (71.69%)
+ 3.037443155 CPU5 197,679,956,608,205 stalled-cycles-backend # 1315606428.66% backend cycles idle (71.19%)
+ 3.037443155 CPU5 198,571,860,474,851 instructions # 13215422.58 insn per cycle
+
+It should move the contents in the cpuc->assign as well.
+
+Fixes: 5471eea5d3bf ("perf/x86: Reset the dirty counter to prevent the leak for an RDPMC task")
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240306061003.1894224-1-namhyung@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -1644,6 +1644,7 @@ static void x86_pmu_del(struct perf_even
+ while (++i < cpuc->n_events) {
+ cpuc->event_list[i-1] = cpuc->event_list[i];
+ cpuc->event_constraint[i-1] = cpuc->event_constraint[i];
++ cpuc->assign[i-1] = cpuc->assign[i];
+ }
+ cpuc->event_constraint[i-1] = NULL;
+ --cpuc->n_events;
--- /dev/null
+From d4e655c49f474deffaf5ed7e65034b8167ee39c8 Mon Sep 17 00:00:00 2001
+From: Alexander Wetzel <Alexander@wetzel-home.de>
+Date: Mon, 1 Apr 2024 21:10:38 +0200
+Subject: scsi: sg: Avoid race in error handling & drop bogus warn
+
+From: Alexander Wetzel <Alexander@wetzel-home.de>
+
+commit d4e655c49f474deffaf5ed7e65034b8167ee39c8 upstream.
+
+Commit 27f58c04a8f4 ("scsi: sg: Avoid sg device teardown race") introduced
+an incorrect WARN_ON_ONCE() and missed a sequence where sg_device_destroy()
+was used after scsi_device_put().
+
+sg_device_destroy() is accessing the parent scsi_device request_queue which
+will already be set to NULL when the preceding call to scsi_device_put()
+removed the last reference to the parent scsi_device.
+
+Drop the incorrect WARN_ON_ONCE() - allowing more than one concurrent
+access to the sg device - and make sure sg_device_destroy() is not used
+after scsi_device_put() in the error handling.
+
+Link: https://lore.kernel.org/all/5375B275-D137-4D5F-BE25-6AF8ACAE41EF@linux.ibm.com
+Fixes: 27f58c04a8f4 ("scsi: sg: Avoid sg device teardown race")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Wetzel <Alexander@wetzel-home.de>
+Link: https://lore.kernel.org/r/20240401191038.18359-1-Alexander@wetzel-home.de
+Tested-by: Sachin Sant <sachinp@linux.ibm.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sg.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -285,6 +285,7 @@ sg_open(struct inode *inode, struct file
+ int dev = iminor(inode);
+ int flags = filp->f_flags;
+ struct request_queue *q;
++ struct scsi_device *device;
+ Sg_device *sdp;
+ Sg_fd *sfp;
+ int retval;
+@@ -301,11 +302,12 @@ sg_open(struct inode *inode, struct file
+
+ /* This driver's module count bumped by fops_get in <linux/fs.h> */
+ /* Prevent the device driver from vanishing while we sleep */
+- retval = scsi_device_get(sdp->device);
++ device = sdp->device;
++ retval = scsi_device_get(device);
+ if (retval)
+ goto sg_put;
+
+- retval = scsi_autopm_get_device(sdp->device);
++ retval = scsi_autopm_get_device(device);
+ if (retval)
+ goto sdp_put;
+
+@@ -313,7 +315,7 @@ sg_open(struct inode *inode, struct file
+ * check if O_NONBLOCK. Permits SCSI commands to be issued
+ * during error recovery. Tread carefully. */
+ if (!((flags & O_NONBLOCK) ||
+- scsi_block_when_processing_errors(sdp->device))) {
++ scsi_block_when_processing_errors(device))) {
+ retval = -ENXIO;
+ /* we are in error recovery for this device */
+ goto error_out;
+@@ -344,7 +346,7 @@ sg_open(struct inode *inode, struct file
+
+ if (sdp->open_cnt < 1) { /* no existing opens */
+ sdp->sgdebug = 0;
+- q = sdp->device->request_queue;
++ q = device->request_queue;
+ sdp->sg_tablesize = queue_max_segments(q);
+ }
+ sfp = sg_add_sfp(sdp);
+@@ -370,10 +372,11 @@ out_undo:
+ error_mutex_locked:
+ mutex_unlock(&sdp->open_rel_lock);
+ error_out:
+- scsi_autopm_put_device(sdp->device);
++ scsi_autopm_put_device(device);
+ sdp_put:
+- scsi_device_put(sdp->device);
+- goto sg_put;
++ kref_put(&sdp->d_ref, sg_device_destroy);
++ scsi_device_put(device);
++ return retval;
+ }
+
+ /* Release resources associated with a successful sg_open()
+@@ -2233,7 +2236,6 @@ sg_remove_sfp_usercontext(struct work_st
+ "sg_remove_sfp: sfp=0x%p\n", sfp));
+ kfree(sfp);
+
+- WARN_ON_ONCE(kref_read(&sdp->d_ref) != 1);
+ kref_put(&sdp->d_ref, sg_device_destroy);
+ scsi_device_put(device);
+ module_put(THIS_MODULE);
--- /dev/null
+From 27f58c04a8f438078583041468ec60597841284d Mon Sep 17 00:00:00 2001
+From: Alexander Wetzel <Alexander@wetzel-home.de>
+Date: Wed, 20 Mar 2024 22:30:32 +0100
+Subject: scsi: sg: Avoid sg device teardown race
+
+From: Alexander Wetzel <Alexander@wetzel-home.de>
+
+commit 27f58c04a8f438078583041468ec60597841284d upstream.
+
+sg_remove_sfp_usercontext() must not use sg_device_destroy() after calling
+scsi_device_put().
+
+sg_device_destroy() is accessing the parent scsi_device request_queue which
+will already be set to NULL when the preceding call to scsi_device_put()
+removed the last reference to the parent scsi_device.
+
+The resulting NULL pointer exception will then crash the kernel.
+
+Link: https://lore.kernel.org/r/20240305150509.23896-1-Alexander@wetzel-home.de
+Fixes: db59133e9279 ("scsi: sg: fix blktrace debugfs entries leakage")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Wetzel <Alexander@wetzel-home.de>
+Link: https://lore.kernel.org/r/20240320213032.18221-1-Alexander@wetzel-home.de
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -2207,6 +2207,7 @@ sg_remove_sfp_usercontext(struct work_st
+ {
+ struct sg_fd *sfp = container_of(work, struct sg_fd, ew.work);
+ struct sg_device *sdp = sfp->parentdp;
++ struct scsi_device *device = sdp->device;
+ Sg_request *srp;
+ unsigned long iflags;
+
+@@ -2232,8 +2233,9 @@ sg_remove_sfp_usercontext(struct work_st
+ "sg_remove_sfp: sfp=0x%p\n", sfp));
+ kfree(sfp);
+
+- scsi_device_put(sdp->device);
++ WARN_ON_ONCE(kref_read(&sdp->d_ref) != 1);
+ kref_put(&sdp->d_ref, sg_device_destroy);
++ scsi_device_put(device);
+ module_put(THIS_MODULE);
+ }
+
--- /dev/null
+From 6d029c25b71f2de2838a6f093ce0fa0e69336154 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Tue, 9 Apr 2024 15:38:03 +0200
+Subject: selftests/timers/posix_timers: Reimplement check_timer_distribution()
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit 6d029c25b71f2de2838a6f093ce0fa0e69336154 upstream.
+
+check_timer_distribution() runs ten threads in a busy loop and tries to
+test that the kernel distributes a process posix CPU timer signal to every
+thread over time.
+
+There is not guarantee that this is true even after commit bcb7ee79029d
+("posix-timers: Prefer delivery of signals to the current thread") because
+that commit only avoids waking up the sleeping process leader thread, but
+that has nothing to do with the actual signal delivery.
+
+As the signal is process wide the first thread which observes sigpending
+and wins the race to lock sighand will deliver the signal. Testing shows
+that this hangs on a regular base because some threads never win the race.
+
+The comment "This primarily tests that the kernel does not favour any one."
+is wrong. The kernel does favour a thread which hits the timer interrupt
+when CLOCK_PROCESS_CPUTIME_ID expires.
+
+Rewrite the test so it only checks that the group leader sleeping in join()
+never receives SIGALRM and the thread which burns CPU cycles receives all
+signals.
+
+In older kernels which do not have commit bcb7ee79029d ("posix-timers:
+Prefer delivery of signals to the current thread") the test-case fails
+immediately, the very 1st tick wakes the leader up. Otherwise it quickly
+succeeds after 100 ticks.
+
+CI testing wants to use newer selftest versions on stable kernels. In this
+case the test is guaranteed to fail.
+
+So check in the failure case whether the kernel version is less than v6.3
+and skip the test result in that case.
+
+[ tglx: Massaged change log, renamed the version check helper ]
+
+Fixes: e797203fb3ba ("selftests/timers/posix_timers: Test delivery of signals across threads")
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240409133802.GD29396@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/kselftest.h | 13 +++
+ tools/testing/selftests/timers/posix_timers.c | 111 +++++++++++---------------
+ 2 files changed, 64 insertions(+), 60 deletions(-)
+
+--- a/tools/testing/selftests/kselftest.h
++++ b/tools/testing/selftests/kselftest.h
+@@ -50,6 +50,7 @@
+ #include <stdarg.h>
+ #include <string.h>
+ #include <stdio.h>
++#include <sys/utsname.h>
+ #endif
+
+ #ifndef ARRAY_SIZE
+@@ -343,4 +344,16 @@ static inline __printf(1, 2) int ksft_ex
+ exit(KSFT_SKIP);
+ }
+
++static inline int ksft_min_kernel_version(unsigned int min_major,
++ unsigned int min_minor)
++{
++ unsigned int major, minor;
++ struct utsname info;
++
++ if (uname(&info) || sscanf(info.release, "%u.%u.", &major, &minor) != 2)
++ ksft_exit_fail_msg("Can't parse kernel version\n");
++
++ return major > min_major || (major == min_major && minor >= min_minor);
++}
++
+ #endif /* __KSELFTEST_H */
+--- a/tools/testing/selftests/timers/posix_timers.c
++++ b/tools/testing/selftests/timers/posix_timers.c
+@@ -184,80 +184,71 @@ static int check_timer_create(int which)
+ return 0;
+ }
+
+-int remain;
+-__thread int got_signal;
++static pthread_t ctd_thread;
++static volatile int ctd_count, ctd_failed;
+
+-static void *distribution_thread(void *arg)
++static void ctd_sighandler(int sig)
+ {
+- while (__atomic_load_n(&remain, __ATOMIC_RELAXED));
+- return NULL;
++ if (pthread_self() != ctd_thread)
++ ctd_failed = 1;
++ ctd_count--;
+ }
+
+-static void distribution_handler(int nr)
++static void *ctd_thread_func(void *arg)
+ {
+- if (!__atomic_exchange_n(&got_signal, 1, __ATOMIC_RELAXED))
+- __atomic_fetch_sub(&remain, 1, __ATOMIC_RELAXED);
+-}
+-
+-/*
+- * Test that all running threads _eventually_ receive CLOCK_PROCESS_CPUTIME_ID
+- * timer signals. This primarily tests that the kernel does not favour any one.
+- */
+-static int check_timer_distribution(void)
+-{
+- int err, i;
+- timer_t id;
+- const int nthreads = 10;
+- pthread_t threads[nthreads];
+ struct itimerspec val = {
+ .it_value.tv_sec = 0,
+ .it_value.tv_nsec = 1000 * 1000,
+ .it_interval.tv_sec = 0,
+ .it_interval.tv_nsec = 1000 * 1000,
+ };
++ timer_t id;
++
++ /* 1/10 seconds to ensure the leader sleeps */
++ usleep(10000);
++
++ ctd_count = 100;
++ if (timer_create(CLOCK_PROCESS_CPUTIME_ID, NULL, &id))
++ return "Can't create timer\n";
++ if (timer_settime(id, 0, &val, NULL))
++ return "Can't set timer\n";
++
++ while (ctd_count > 0 && !ctd_failed)
++ ;
++
++ if (timer_delete(id))
++ return "Can't delete timer\n";
++
++ return NULL;
++}
++
++/*
++ * Test that only the running thread receives the timer signal.
++ */
++static int check_timer_distribution(void)
++{
++ const char *errmsg;
+
+- remain = nthreads + 1; /* worker threads + this thread */
+- signal(SIGALRM, distribution_handler);
+- err = timer_create(CLOCK_PROCESS_CPUTIME_ID, NULL, &id);
+- if (err < 0) {
+- ksft_perror("Can't create timer");
+- return -1;
+- }
+- err = timer_settime(id, 0, &val, NULL);
+- if (err < 0) {
+- ksft_perror("Can't set timer");
+- return -1;
+- }
+-
+- for (i = 0; i < nthreads; i++) {
+- err = pthread_create(&threads[i], NULL, distribution_thread,
+- NULL);
+- if (err) {
+- ksft_print_msg("Can't create thread: %s (%d)\n",
+- strerror(errno), errno);
+- return -1;
+- }
+- }
+-
+- /* Wait for all threads to receive the signal. */
+- while (__atomic_load_n(&remain, __ATOMIC_RELAXED));
+-
+- for (i = 0; i < nthreads; i++) {
+- err = pthread_join(threads[i], NULL);
+- if (err) {
+- ksft_print_msg("Can't join thread: %s (%d)\n",
+- strerror(errno), errno);
+- return -1;
+- }
+- }
+-
+- if (timer_delete(id)) {
+- ksft_perror("Can't delete timer");
+- return -1;
+- }
++ signal(SIGALRM, ctd_sighandler);
+
+- ksft_test_result_pass("check_timer_distribution\n");
++ errmsg = "Can't create thread\n";
++ if (pthread_create(&ctd_thread, NULL, ctd_thread_func, NULL))
++ goto err;
++
++ errmsg = "Can't join thread\n";
++ if (pthread_join(ctd_thread, (void **)&errmsg) || errmsg)
++ goto err;
++
++ if (!ctd_failed)
++ ksft_test_result_pass("check signal distribution\n");
++ else if (ksft_min_kernel_version(6, 3))
++ ksft_test_result_fail("check signal distribution\n");
++ else
++ ksft_test_result_skip("check signal distribution (old kernel)\n");
+ return 0;
++err:
++ ksft_print_msg(errmsg);
++ return -1;
+ }
+
+ int main(int argc, char **argv)
iommu-vt-d-fix-warn_on-in-iommu-probe-path.patch
io_uring-refactor-defer_taskrun-multishot-checks.patch
io_uring-disable-io-wq-execution-of-multishot-nowait-requests.patch
+btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch
+btrfs-qgroup-fix-qgroup-prealloc-rsv-leak-in-subvolume-operations.patch
+btrfs-record-delayed-inode-root-in-transaction.patch
+btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch
+io_uring-net-restore-msg_control-on-sendzc-retry.patch
+kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch
+fs-proc-remove-redundant-comments-from-proc-bootconfig.patch
+fs-proc-skip-bootloader-comment-if-no-embedded-kernel-parameters.patch
+scsi-sg-avoid-sg-device-teardown-race.patch
+scsi-sg-avoid-race-in-error-handling-drop-bogus-warn.patch
+accel-ivpu-check-return-code-of-ipc-lock-init.patch
+accel-ivpu-fix-pci-d0-state-entry-in-resume.patch
+accel-ivpu-put-npu-back-to-d3hot-after-failed-resume.patch
+accel-ivpu-return-max-freq-for-drm_ivpu_param_core_clock_rate.patch
+accel-ivpu-fix-deadlock-in-context_xa.patch
+drm-vmwgfx-enable-dma-mappings-with-sev.patch
+drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch
+drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch
+drm-ast-fix-soft-lockup.patch
+drm-panfrost-fix-the-error-path-in-panfrost_mmu_map_fault_addr.patch
+drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch
+drm-msm-dp-fix-runtime-pm-leak-on-disconnect.patch
+drm-msm-dp-fix-runtime-pm-leak-on-connect-failure.patch
+drm-amdgpu-umsch-reinitialize-write-pointer-in-hw-init.patch
+arm64-dts-imx8qm-ss-dma-fix-can-lpcg-indices.patch
+arm64-dts-imx8-ss-dma-fix-can-lpcg-indices.patch
+arm64-dts-imx8-ss-dma-fix-adc-lpcg-indices.patch
+arm64-dts-imx8-ss-conn-fix-usb-lpcg-indices.patch
+arm64-dts-imx8-ss-dma-fix-pwm-lpcg-indices.patch
+arm64-dts-imx8-ss-lsio-fix-pwm-lpcg-indices.patch
+arm64-dts-imx8-ss-dma-fix-spi-lpcg-indices.patch
+vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch
+vhost-add-smp_rmb-in-vhost_enable_notify.patch
+perf-x86-fix-out-of-range-data.patch
+x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch
+selftests-timers-posix_timers-reimplement-check_timer_distribution.patch
--- /dev/null
+From df9ace7647d4123209395bb9967e998d5758c645 Mon Sep 17 00:00:00 2001
+From: Gavin Shan <gshan@redhat.com>
+Date: Thu, 28 Mar 2024 10:21:48 +1000
+Subject: vhost: Add smp_rmb() in vhost_enable_notify()
+
+From: Gavin Shan <gshan@redhat.com>
+
+commit df9ace7647d4123209395bb9967e998d5758c645 upstream.
+
+A smp_rmb() has been missed in vhost_enable_notify(), inspired by
+Will. Otherwise, it's not ensured the available ring entries pushed
+by guest can be observed by vhost in time, leading to stale available
+ring entries fetched by vhost in vhost_get_vq_desc(), as reported by
+Yihuang Yu on NVidia's grace-hopper (ARM64) platform.
+
+ /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64 \
+ -accel kvm -machine virt,gic-version=host -cpu host \
+ -smp maxcpus=1,cpus=1,sockets=1,clusters=1,cores=1,threads=1 \
+ -m 4096M,slots=16,maxmem=64G \
+ -object memory-backend-ram,id=mem0,size=4096M \
+ : \
+ -netdev tap,id=vnet0,vhost=true \
+ -device virtio-net-pci,bus=pcie.8,netdev=vnet0,mac=52:54:00:f1:26:b0
+ :
+ guest# netperf -H 10.26.1.81 -l 60 -C -c -t UDP_STREAM
+ virtio_net virtio0: output.0:id 100 is not a head!
+
+Add the missed smp_rmb() in vhost_enable_notify(). When it returns true,
+it means there's still pending tx buffers. Since it might read indices,
+so it still can bypass the smp_rmb() in vhost_get_vq_desc(). Note that
+it should be safe until vq->avail_idx is changed by commit d3bb267bbdcb
+("vhost: cache avail index in vhost_enable_notify()").
+
+Fixes: d3bb267bbdcb ("vhost: cache avail index in vhost_enable_notify()")
+Cc: <stable@kernel.org> # v5.18+
+Reported-by: Yihuang Yu <yihyu@redhat.com>
+Suggested-by: Will Deacon <will@kernel.org>
+Signed-off-by: Gavin Shan <gshan@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Message-Id: <20240328002149.1141302-3-gshan@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2848,9 +2848,19 @@ bool vhost_enable_notify(struct vhost_de
+ &vq->avail->idx, r);
+ return false;
+ }
++
+ vq->avail_idx = vhost16_to_cpu(vq, avail_idx);
++ if (vq->avail_idx != vq->last_avail_idx) {
++ /* Since we have updated avail_idx, the following
++ * call to vhost_get_vq_desc() will read available
++ * ring entries. Make sure that read happens after
++ * the avail_idx read.
++ */
++ smp_rmb();
++ return true;
++ }
+
+- return vq->avail_idx != vq->last_avail_idx;
++ return false;
+ }
+ EXPORT_SYMBOL_GPL(vhost_enable_notify);
+
--- /dev/null
+From 22e1992cf7b034db5325660e98c41ca5afa5f519 Mon Sep 17 00:00:00 2001
+From: Gavin Shan <gshan@redhat.com>
+Date: Thu, 28 Mar 2024 10:21:47 +1000
+Subject: vhost: Add smp_rmb() in vhost_vq_avail_empty()
+
+From: Gavin Shan <gshan@redhat.com>
+
+commit 22e1992cf7b034db5325660e98c41ca5afa5f519 upstream.
+
+A smp_rmb() has been missed in vhost_vq_avail_empty(), spotted by
+Will. Otherwise, it's not ensured the available ring entries pushed
+by guest can be observed by vhost in time, leading to stale available
+ring entries fetched by vhost in vhost_get_vq_desc(), as reported by
+Yihuang Yu on NVidia's grace-hopper (ARM64) platform.
+
+ /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64 \
+ -accel kvm -machine virt,gic-version=host -cpu host \
+ -smp maxcpus=1,cpus=1,sockets=1,clusters=1,cores=1,threads=1 \
+ -m 4096M,slots=16,maxmem=64G \
+ -object memory-backend-ram,id=mem0,size=4096M \
+ : \
+ -netdev tap,id=vnet0,vhost=true \
+ -device virtio-net-pci,bus=pcie.8,netdev=vnet0,mac=52:54:00:f1:26:b0
+ :
+ guest# netperf -H 10.26.1.81 -l 60 -C -c -t UDP_STREAM
+ virtio_net virtio0: output.0:id 100 is not a head!
+
+Add the missed smp_rmb() in vhost_vq_avail_empty(). When tx_can_batch()
+returns true, it means there's still pending tx buffers. Since it might
+read indices, so it still can bypass the smp_rmb() in vhost_get_vq_desc().
+Note that it should be safe until vq->avail_idx is changed by commit
+275bf960ac697 ("vhost: better detection of available buffers").
+
+Fixes: 275bf960ac69 ("vhost: better detection of available buffers")
+Cc: <stable@kernel.org> # v4.11+
+Reported-by: Yihuang Yu <yihyu@redhat.com>
+Suggested-by: Will Deacon <will@kernel.org>
+Signed-off-by: Gavin Shan <gshan@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Message-Id: <20240328002149.1141302-2-gshan@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2799,9 +2799,19 @@ bool vhost_vq_avail_empty(struct vhost_d
+ r = vhost_get_avail_idx(vq, &avail_idx);
+ if (unlikely(r))
+ return false;
++
+ vq->avail_idx = vhost16_to_cpu(vq, avail_idx);
++ if (vq->avail_idx != vq->last_avail_idx) {
++ /* Since we have updated avail_idx, the following
++ * call to vhost_get_vq_desc() will read available
++ * ring entries. Make sure that read happens after
++ * the avail_idx read.
++ */
++ smp_rmb();
++ return false;
++ }
+
+- return vq->avail_idx == vq->last_avail_idx;
++ return true;
+ }
+ EXPORT_SYMBOL_GPL(vhost_vq_avail_empty);
+
--- /dev/null
+From f337a6a21e2fd67eadea471e93d05dd37baaa9be Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 9 Apr 2024 10:51:05 -0700
+Subject: x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit f337a6a21e2fd67eadea471e93d05dd37baaa9be upstream.
+
+Initialize cpu_mitigations to CPU_MITIGATIONS_OFF if the kernel is built
+with CONFIG_SPECULATION_MITIGATIONS=n, as the help text quite clearly
+states that disabling SPECULATION_MITIGATIONS is supposed to turn off all
+mitigations by default.
+
+ │ If you say N, all mitigations will be disabled. You really
+ │ should know what you are doing to say so.
+
+As is, the kernel still defaults to CPU_MITIGATIONS_AUTO, which results in
+some mitigations being enabled in spite of SPECULATION_MITIGATIONS=n.
+
+Fixes: f43b9876e857 ("x86/retbleed: Add fine grained Kconfig knobs")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
+Cc: stable@vger.kernel.org
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20240409175108.1512861-2-seanjc@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cpu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -3207,7 +3207,8 @@ enum cpu_mitigations {
+ };
+
+ static enum cpu_mitigations cpu_mitigations __ro_after_init =
+- CPU_MITIGATIONS_AUTO;
++ IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
++ CPU_MITIGATIONS_OFF;
+
+ static int __init mitigations_parse_cmdline(char *arg)
+ {
projects / thirdparty / kernel / stable-queue.git / commitdiff
