--- /dev/null
+From 9cea62b2cbabff8ed46f2df17778b624ad9dd25a Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 4 Jan 2023 08:52:06 -0700
+Subject: block: don't allow splitting of a REQ_NOWAIT bio
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 9cea62b2cbabff8ed46f2df17778b624ad9dd25a upstream.
+
+If we split a bio marked with REQ_NOWAIT, then we can trigger spurious
+EAGAIN if constituent parts of that split bio end up failing request
+allocations. Parts will complete just fine, but just a single failure
+in one of the chained bios will yield an EAGAIN final result for the
+parent bio.
+
+Return EAGAIN early if we end up needing to split such a bio, which
+allows for saner recovery handling.
+
+Cc: stable@vger.kernel.org # 5.15+
+Link: https://github.com/axboe/liburing/issues/766
+Reported-by: Michael Kelley <mikelley@microsoft.com>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-merge.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/block/blk-merge.c
++++ b/block/blk-merge.c
+@@ -300,6 +300,16 @@ static struct bio *bio_split_rw(struct b
+ *segs = nsegs;
+ return NULL;
+ split:
++ /*
++ * We can't sanely support splitting for a REQ_NOWAIT bio. End it
++ * with EAGAIN if splitting is required and return an error pointer.
++ */
++ if (bio->bi_opf & REQ_NOWAIT) {
++ bio->bi_status = BLK_STS_AGAIN;
++ bio_endio(bio);
++ return ERR_PTR(-EAGAIN);
++ }
++
+ *segs = nsegs;
+
+ /*
--- /dev/null
+From 9ed1d9aeef5842ecacb660fce933613b58af1e00 Mon Sep 17 00:00:00 2001
+From: Chuang Wang <nashuiliang@gmail.com>
+Date: Sat, 24 Dec 2022 21:31:46 +0800
+Subject: bpf: Fix panic due to wrong pageattr of im->image
+
+From: Chuang Wang <nashuiliang@gmail.com>
+
+commit 9ed1d9aeef5842ecacb660fce933613b58af1e00 upstream.
+
+In the scenario where livepatch and kretfunc coexist, the pageattr of
+im->image is rox after arch_prepare_bpf_trampoline in
+bpf_trampoline_update, and then modify_fentry or register_fentry returns
+-EAGAIN from bpf_tramp_ftrace_ops_func, the BPF_TRAMP_F_ORIG_STACK flag
+will be configured, and arch_prepare_bpf_trampoline will be re-executed.
+
+At this time, because the pageattr of im->image is rox,
+arch_prepare_bpf_trampoline will read and write im->image, which causes
+a fault. as follows:
+
+ insmod livepatch-sample.ko # samples/livepatch/livepatch-sample.c
+ bpftrace -e 'kretfunc:cmdline_proc_show {}'
+
+BUG: unable to handle page fault for address: ffffffffa0206000
+PGD 322d067 P4D 322d067 PUD 322e063 PMD 1297e067 PTE d428061
+Oops: 0003 [#1] PREEMPT SMP PTI
+CPU: 2 PID: 270 Comm: bpftrace Tainted: G E K 6.1.0 #5
+RIP: 0010:arch_prepare_bpf_trampoline+0xed/0x8c0
+RSP: 0018:ffffc90001083ad8 EFLAGS: 00010202
+RAX: ffffffffa0206000 RBX: 0000000000000020 RCX: 0000000000000000
+RDX: ffffffffa0206001 RSI: ffffffffa0206000 RDI: 0000000000000030
+RBP: ffffc90001083b70 R08: 0000000000000066 R09: ffff88800f51b400
+R10: 000000002e72c6e5 R11: 00000000d0a15080 R12: ffff8880110a68c8
+R13: 0000000000000000 R14: ffff88800f51b400 R15: ffffffff814fec10
+FS: 00007f87bc0dc780(0000) GS:ffff88803e600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffa0206000 CR3: 0000000010b70000 CR4: 00000000000006e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<TASK>
+ bpf_trampoline_update+0x25a/0x6b0
+ __bpf_trampoline_link_prog+0x101/0x240
+ bpf_trampoline_link_prog+0x2d/0x50
+ bpf_tracing_prog_attach+0x24c/0x530
+ bpf_raw_tp_link_attach+0x73/0x1d0
+ __sys_bpf+0x100e/0x2570
+ __x64_sys_bpf+0x1c/0x30
+ do_syscall_64+0x5b/0x80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+With this patch, when modify_fentry or register_fentry returns -EAGAIN
+from bpf_tramp_ftrace_ops_func, the pageattr of im->image will be reset
+to nx+rw.
+
+Cc: stable@vger.kernel.org
+Fixes: 00963a2e75a8 ("bpf: Support bpf_trampoline on functions with IPMODIFY (e.g. livepatch)")
+Signed-off-by: Chuang Wang <nashuiliang@gmail.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20221224133146.780578-1-nashuiliang@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/trampoline.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/bpf/trampoline.c
++++ b/kernel/bpf/trampoline.c
+@@ -489,6 +489,10 @@ again:
+ /* reset fops->func and fops->trampoline for re-register */
+ tr->fops->func = NULL;
+ tr->fops->trampoline = 0;
++
++ /* reset im->image memory attr for arch_prepare_bpf_trampoline */
++ set_memory_nx((long)im->image, 1);
++ set_memory_rw((long)im->image, 1);
+ goto again;
+ }
+ #endif
--- /dev/null
+From f685dd7a8025f2554f73748cfdb8143a21fb92c7 Mon Sep 17 00:00:00 2001
+From: Paul Menzel <pmenzel@molgen.mpg.de>
+Date: Mon, 2 Jan 2023 14:57:30 +0100
+Subject: fbdev: matroxfb: G200eW: Increase max memory from 1 MB to 16 MB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul Menzel <pmenzel@molgen.mpg.de>
+
+commit f685dd7a8025f2554f73748cfdb8143a21fb92c7 upstream.
+
+Commit 62d89a7d49af ("video: fbdev: matroxfb: set maxvram of vbG200eW to
+the same as vbG200 to avoid black screen") accidently decreases the
+maximum memory size for the Matrox G200eW (102b:0532) from 8 MB to 1 MB
+by missing one zero. This caused the driver initialization to fail with
+the messages below, as the minimum required VRAM size is 2 MB:
+
+ [ 9.436420] matroxfb: Matrox MGA-G200eW (PCI) detected
+ [ 9.444502] matroxfb: cannot determine memory size
+ [ 9.449316] matroxfb: probe of 0000:0a:03.0 failed with error -1
+
+So, add the missing 0 to make it the intended 16 MB. Successfully tested on
+the Dell PowerEdge R910/0KYD3D, BIOS 2.10.0 08/29/2013, that the warning is
+gone.
+
+While at it, add a leading 0 to the maxdisplayable entry, so it’s aligned
+properly. The value could probably also be increased from 8 MB to 16 MB, as
+the G200 uses the same values, but I have not checked any datasheet.
+
+Note, matroxfb is obsolete and superseded by the maintained DRM driver
+mga200, which is used by default on most systems where both drivers are
+available. Therefore, on most systems it was only a cosmetic issue.
+
+Fixes: 62d89a7d49af ("video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to avoid black screen")
+Link: https://lore.kernel.org/linux-fbdev/972999d3-b75d-5680-fcef-6e6905c52ac5@suse.de/T/#mb6953a9995ebd18acc8552f99d6db39787aec775
+Cc: it+linux-fbdev@molgen.mpg.de
+Cc: Z. Liu <liuzx@knownsec.com>
+Cc: Rich Felker <dalias@libc.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/matrox/matroxfb_base.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/fbdev/matrox/matroxfb_base.c
++++ b/drivers/video/fbdev/matrox/matroxfb_base.c
+@@ -1378,8 +1378,8 @@ static struct video_board vbG200 = {
+ .lowlevel = &matrox_G100
+ };
+ static struct video_board vbG200eW = {
+- .maxvram = 0x100000,
+- .maxdisplayable = 0x800000,
++ .maxvram = 0x1000000,
++ .maxdisplayable = 0x0800000,
+ .accelID = FB_ACCEL_MATROX_MGAG200,
+ .lowlevel = &matrox_G100
+ };
--- /dev/null
+From 12521a5d5cb7ff0ad43eadfc9c135d86e1131fa8 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Thu, 5 Jan 2023 10:49:15 +0000
+Subject: io_uring: fix CQ waiting timeout handling
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 12521a5d5cb7ff0ad43eadfc9c135d86e1131fa8 upstream.
+
+Jiffy to ktime CQ waiting conversion broke how we treat timeouts, in
+particular we rearm it anew every time we get into
+io_cqring_wait_schedule() without adjusting the timeout. Waiting for 2
+CQEs and getting a task_work in the middle may double the timeout value,
+or even worse in some cases task may wait indefinitely.
+
+Cc: stable@vger.kernel.org
+Fixes: 228339662b398 ("io_uring: don't convert to jiffies for waiting on timeouts")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/f7bffddd71b08f28a877d44d37ac953ddb01590d.1672915663.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -2364,7 +2364,7 @@ int io_run_task_work_sig(struct io_ring_
+ /* when returns >0, the caller should retry */
+ static inline int io_cqring_wait_schedule(struct io_ring_ctx *ctx,
+ struct io_wait_queue *iowq,
+- ktime_t timeout)
++ ktime_t *timeout)
+ {
+ int ret;
+ unsigned long check_cq;
+@@ -2382,7 +2382,7 @@ static inline int io_cqring_wait_schedul
+ if (check_cq & BIT(IO_CHECK_CQ_DROPPED_BIT))
+ return -EBADR;
+ }
+- if (!schedule_hrtimeout(&timeout, HRTIMER_MODE_ABS))
++ if (!schedule_hrtimeout(timeout, HRTIMER_MODE_ABS))
+ return -ETIME;
+ return 1;
+ }
+@@ -2452,7 +2452,7 @@ static int io_cqring_wait(struct io_ring
+ }
+ prepare_to_wait_exclusive(&ctx->cq_wait, &iowq.wq,
+ TASK_INTERRUPTIBLE);
+- ret = io_cqring_wait_schedule(ctx, &iowq, timeout);
++ ret = io_cqring_wait_schedule(ctx, &iowq, &timeout);
+ cond_resched();
+ } while (ret > 0);
+
--- /dev/null
+From af82425c6a2d2f347c79b63ce74fca6dc6be157f Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 2 Jan 2023 16:49:46 -0700
+Subject: io_uring/io-wq: free worker if task_work creation is canceled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit af82425c6a2d2f347c79b63ce74fca6dc6be157f upstream.
+
+If we cancel the task_work, the worker will never come into existance.
+As this is the last reference to it, ensure that we get it freed
+appropriately.
+
+Cc: stable@vger.kernel.org
+Reported-by: 진호 <wnwlsgh98@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io-wq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/io_uring/io-wq.c
++++ b/io_uring/io-wq.c
+@@ -1230,6 +1230,7 @@ static void io_wq_cancel_tw_create(struc
+
+ worker = container_of(cb, struct io_worker, create_work);
+ io_worker_cancel_cb(worker);
++ kfree(worker);
+ }
+ }
+
--- /dev/null
+From 9ffa13ff78a0a55df968a72d6f0ebffccee5c9f4 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Wed, 4 Jan 2023 01:34:02 +0000
+Subject: io_uring: pin context while queueing deferred tw
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 9ffa13ff78a0a55df968a72d6f0ebffccee5c9f4 upstream.
+
+Unlike normal tw, nothing prevents deferred tw to be executed right
+after an tw item added to ->work_llist in io_req_local_work_add(). For
+instance, the waiting task may get waken up by CQ posting or a normal
+tw. Thus we need to pin the ring for the rest of io_req_local_work_add()
+
+Cc: stable@vger.kernel.org
+Fixes: c0e0d6ba25f18 ("io_uring: add IORING_SETUP_DEFER_TASKRUN")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/1a79362b9c10b8523ef70b061d96523650a23344.1672795998.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -1109,13 +1109,18 @@ static void io_req_local_work_add(struct
+ {
+ struct io_ring_ctx *ctx = req->ctx;
+
+- if (!llist_add(&req->io_task_work.node, &ctx->work_llist))
++ percpu_ref_get(&ctx->refs);
++
++ if (!llist_add(&req->io_task_work.node, &ctx->work_llist)) {
++ percpu_ref_put(&ctx->refs);
+ return;
++ }
+ /* need it for the following io_cqring_wake() */
+ smp_mb__after_atomic();
+
+ if (unlikely(atomic_read(&req->task->io_uring->in_idle))) {
+ io_move_task_work_from_local(ctx);
++ percpu_ref_put(&ctx->refs);
+ return;
+ }
+
+@@ -1125,6 +1130,7 @@ static void io_req_local_work_add(struct
+ if (ctx->has_evfd)
+ io_eventfd_signal(ctx);
+ __io_cqring_wake(ctx);
++ percpu_ref_put(&ctx->refs);
+ }
+
+ static inline void __io_req_task_work_add(struct io_kiocb *req, bool allow_local)
--- /dev/null
+From 9807ae69746196ee4bbffe7d22d22ab2b61c6ed0 Mon Sep 17 00:00:00 2001
+From: Christian Marangi <ansuelsmth@gmail.com>
+Date: Thu, 29 Dec 2022 17:33:32 +0100
+Subject: net: dsa: qca8k: fix wrong length value for mgmt eth packet
+
+From: Christian Marangi <ansuelsmth@gmail.com>
+
+commit 9807ae69746196ee4bbffe7d22d22ab2b61c6ed0 upstream.
+
+The assumption that Documentation was right about how this value work was
+wrong. It was discovered that the length value of the mgmt header is in
+step of word size.
+
+As an example to process 4 byte of data the correct length to set is 2.
+To process 8 byte 4, 12 byte 6, 16 byte 8...
+
+Odd values will always return the next size on the ack packet.
+(length of 3 (6 byte) will always return 8 bytes of data)
+
+This means that a value of 15 (0xf) actually means reading/writing 32 bytes
+of data instead of 16 bytes. This behaviour is totally absent and not
+documented in the switch Documentation.
+
+In fact from Documentation the max value that mgmt eth can process is
+16 byte of data while in reality it can process 32 bytes at once.
+
+To handle this we always round up the length after deviding it for word
+size. We check if the result is odd and we round another time to align
+to what the switch will provide in the ack packet.
+The workaround for the length limit of 15 is still needed as the length
+reg max value is 0xf(15)
+
+Reported-by: Ronald Wahl <ronald.wahl@raritan.com>
+Tested-by: Ronald Wahl <ronald.wahl@raritan.com>
+Fixes: 90386223f44e ("net: dsa: qca8k: add support for larger read/write size with mgmt Ethernet")
+Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
+Cc: stable@vger.kernel.org # v5.18+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/qca/qca8k-8xxx.c | 45 ++++++++++++++++++++++++++++++---------
+ 1 file changed, 35 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/dsa/qca/qca8k-8xxx.c
++++ b/drivers/net/dsa/qca/qca8k-8xxx.c
+@@ -111,7 +111,16 @@ static void qca8k_rw_reg_ack_handler(str
+
+ command = get_unaligned_le32(&mgmt_ethhdr->command);
+ cmd = FIELD_GET(QCA_HDR_MGMT_CMD, command);
++
+ len = FIELD_GET(QCA_HDR_MGMT_LENGTH, command);
++ /* Special case for len of 15 as this is the max value for len and needs to
++ * be increased before converting it from word to dword.
++ */
++ if (len == 15)
++ len++;
++
++ /* We can ignore odd value, we always round up them in the alloc function. */
++ len *= sizeof(u16);
+
+ /* Make sure the seq match the requested packet */
+ if (get_unaligned_le32(&mgmt_ethhdr->seq) == mgmt_eth_data->seq)
+@@ -158,17 +167,33 @@ static struct sk_buff *qca8k_alloc_mdio_
+ if (!skb)
+ return NULL;
+
+- /* Max value for len reg is 15 (0xf) but the switch actually return 16 byte
+- * Actually for some reason the steps are:
+- * 0: nothing
+- * 1-4: first 4 byte
+- * 5-6: first 12 byte
+- * 7-15: all 16 byte
++ /* Hdr mgmt length value is in step of word size.
++ * As an example to process 4 byte of data the correct length to set is 2.
++ * To process 8 byte 4, 12 byte 6, 16 byte 8...
++ *
++ * Odd values will always return the next size on the ack packet.
++ * (length of 3 (6 byte) will always return 8 bytes of data)
++ *
++ * This means that a value of 15 (0xf) actually means reading/writing 32 bytes
++ * of data.
++ *
++ * To correctly calculate the length we devide the requested len by word and
++ * round up.
++ * On the ack function we can skip the odd check as we already handle the
++ * case here.
+ */
+- if (len == 16)
+- real_len = 15;
+- else
+- real_len = len;
++ real_len = DIV_ROUND_UP(len, sizeof(u16));
++
++ /* We check if the result len is odd and we round up another time to
++ * the next size. (length of 3 will be increased to 4 as switch will always
++ * return 8 bytes)
++ */
++ if (real_len % sizeof(u16) != 0)
++ real_len++;
++
++ /* Max reg value is 0xf(15) but switch will always return the next size (32 byte) */
++ if (real_len == 16)
++ real_len--;
+
+ skb_reset_mac_header(skb);
+ skb_set_network_header(skb, skb->len);
--- /dev/null
+From d9dba91be71f03cc75bcf39fc0d5d99ff33f1ae0 Mon Sep 17 00:00:00 2001
+From: Christian Marangi <ansuelsmth@gmail.com>
+Date: Thu, 29 Dec 2022 17:33:33 +0100
+Subject: net: dsa: tag_qca: fix wrong MGMT_DATA2 size
+
+From: Christian Marangi <ansuelsmth@gmail.com>
+
+commit d9dba91be71f03cc75bcf39fc0d5d99ff33f1ae0 upstream.
+
+It was discovered that MGMT_DATA2 can contain up to 28 bytes of data
+instead of the 12 bytes written in the Documentation by accounting the
+limit of 16 bytes declared in Documentation subtracting the first 4 byte
+in the packet header.
+
+Update the define with the real world value.
+
+Tested-by: Ronald Wahl <ronald.wahl@raritan.com>
+Fixes: c2ee8181fddb ("net: dsa: tag_qca: add define for handling mgmt Ethernet packet")
+Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
+Cc: stable@vger.kernel.org # v5.18+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/dsa/tag_qca.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/dsa/tag_qca.h
++++ b/include/linux/dsa/tag_qca.h
+@@ -45,8 +45,8 @@ struct sk_buff;
+ QCA_HDR_MGMT_COMMAND_LEN + \
+ QCA_HDR_MGMT_DATA1_LEN)
+
+-#define QCA_HDR_MGMT_DATA2_LEN 12 /* Other 12 byte for the mdio data */
+-#define QCA_HDR_MGMT_PADDING_LEN 34 /* Padding to reach the min Ethernet packet */
++#define QCA_HDR_MGMT_DATA2_LEN 28 /* Other 28 byte for the mdio data */
++#define QCA_HDR_MGMT_PADDING_LEN 18 /* Padding to reach the min Ethernet packet */
+
+ #define QCA_HDR_MGMT_PKT_LEN (QCA_HDR_MGMT_HEADER_LEN + \
+ QCA_HDR_LEN + \
--- /dev/null
+From cad853374d85fe678d721512cecfabd7636e51f3 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Tue, 13 Dec 2022 13:08:26 -0500
+Subject: nfsd: fix handling of readdir in v4root vs. mount upcall timeout
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit cad853374d85fe678d721512cecfabd7636e51f3 upstream.
+
+If v4 READDIR operation hits a mountpoint and gets back an error,
+then it will include that entry in the reply and set RDATTR_ERROR for it
+to the error.
+
+That's fine for "normal" exported filesystems, but on the v4root, we
+need to be more careful to only expose the existence of dentries that
+lead to exports.
+
+If the mountd upcall times out while checking to see whether a
+mountpoint on the v4root is exported, then we have no recourse other
+than to fail the whole operation.
+
+Cc: Steve Dickson <steved@redhat.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216777
+Reported-by: JianHong Yin <yin-jianhong@163.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4xdr.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -3570,6 +3570,17 @@ nfsd4_encode_dirent(void *ccdv, const ch
+ case nfserr_noent:
+ xdr_truncate_encode(xdr, start_offset);
+ goto skip_entry;
++ case nfserr_jukebox:
++ /*
++ * The pseudoroot should only display dentries that lead to
++ * exports. If we get EJUKEBOX here, then we can't tell whether
++ * this entry should be included. Just fail the whole READDIR
++ * with NFS4ERR_DELAY in that case, and hope that the situation
++ * will resolve itself by the client's next attempt.
++ */
++ if (cd->rd_fhp->fh_export->ex_flags & NFSEXP_V4ROOT)
++ goto fail;
++ fallthrough;
+ default:
+ /*
+ * If the client requested the RDATTR_ERROR attribute,
--- /dev/null
+From 6fe6ece398f7431784847e922a2c8c385dc58a35 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
+Date: Wed, 21 Dec 2022 16:24:13 +0100
+Subject: Revert "drm/amd/display: Enable Freesync Video Mode by default"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michel Dänzer <mdaenzer@redhat.com>
+
+commit 6fe6ece398f7431784847e922a2c8c385dc58a35 upstream.
+
+This reverts commit de05abe6b9d0fe08f65d744f7f75a4cba4df27ad.
+
+The bug referenced below was bisected to this commit. There has been no
+activity toward fixing it in 3 months, so let's revert for now.
+
+Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2162
+Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu.h | 1
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 27 ++++++++++++++++++++++
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 12 +++++----
+ 3 files changed, 35 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
+@@ -196,6 +196,7 @@ extern int amdgpu_emu_mode;
+ extern uint amdgpu_smu_memory_pool_size;
+ extern int amdgpu_smu_pptable_id;
+ extern uint amdgpu_dc_feature_mask;
++extern uint amdgpu_freesync_vid_mode;
+ extern uint amdgpu_dc_debug_mask;
+ extern uint amdgpu_dc_visual_confirm;
+ extern uint amdgpu_dm_abm_level;
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -180,6 +180,7 @@ int amdgpu_mes_kiq;
+ int amdgpu_noretry = -1;
+ int amdgpu_force_asic_type = -1;
+ int amdgpu_tmz = -1; /* auto */
++uint amdgpu_freesync_vid_mode;
+ int amdgpu_reset_method = -1; /* auto */
+ int amdgpu_num_kcq = -1;
+ int amdgpu_smartshift_bias;
+@@ -878,6 +879,32 @@ MODULE_PARM_DESC(tmz, "Enable TMZ featur
+ module_param_named(tmz, amdgpu_tmz, int, 0444);
+
+ /**
++ * DOC: freesync_video (uint)
++ * Enable the optimization to adjust front porch timing to achieve seamless
++ * mode change experience when setting a freesync supported mode for which full
++ * modeset is not needed.
++ *
++ * The Display Core will add a set of modes derived from the base FreeSync
++ * video mode into the corresponding connector's mode list based on commonly
++ * used refresh rates and VRR range of the connected display, when users enable
++ * this feature. From the userspace perspective, they can see a seamless mode
++ * change experience when the change between different refresh rates under the
++ * same resolution. Additionally, userspace applications such as Video playback
++ * can read this modeset list and change the refresh rate based on the video
++ * frame rate. Finally, the userspace can also derive an appropriate mode for a
++ * particular refresh rate based on the FreeSync Mode and add it to the
++ * connector's mode list.
++ *
++ * Note: This is an experimental feature.
++ *
++ * The default value: 0 (off).
++ */
++MODULE_PARM_DESC(
++ freesync_video,
++ "Enable freesync modesetting optimization feature (0 = off (default), 1 = on)");
++module_param_named(freesync_video, amdgpu_freesync_vid_mode, uint, 0444);
++
++/**
+ * DOC: reset_method (int)
+ * GPU reset method (-1 = auto (default), 0 = legacy, 1 = mode0, 2 = mode1, 3 = mode2, 4 = baco)
+ */
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -5807,7 +5807,8 @@ create_stream_for_sink(struct amdgpu_dm_
+ */
+ DRM_DEBUG_DRIVER("No preferred mode found\n");
+ } else {
+- recalculate_timing = is_freesync_video_mode(&mode, aconnector);
++ recalculate_timing = amdgpu_freesync_vid_mode &&
++ is_freesync_video_mode(&mode, aconnector);
+ if (recalculate_timing) {
+ freesync_mode = get_highest_refresh_rate_mode(aconnector, false);
+ drm_mode_copy(&saved_mode, &mode);
+@@ -6892,7 +6893,7 @@ static void amdgpu_dm_connector_add_free
+ struct amdgpu_dm_connector *amdgpu_dm_connector =
+ to_amdgpu_dm_connector(connector);
+
+- if (!edid)
++ if (!(amdgpu_freesync_vid_mode && edid))
+ return;
+
+ if (amdgpu_dm_connector->max_vfreq - amdgpu_dm_connector->min_vfreq > 10)
+@@ -8753,7 +8754,8 @@ static int dm_update_crtc_state(struct a
+ * TODO: Refactor this function to allow this check to work
+ * in all conditions.
+ */
+- if (dm_new_crtc_state->stream &&
++ if (amdgpu_freesync_vid_mode &&
++ dm_new_crtc_state->stream &&
+ is_timing_unchanged_for_freesync(new_crtc_state, old_crtc_state))
+ goto skip_modeset;
+
+@@ -8788,7 +8790,7 @@ static int dm_update_crtc_state(struct a
+ if (!dm_old_crtc_state->stream)
+ goto skip_modeset;
+
+- if (dm_new_crtc_state->stream &&
++ if (amdgpu_freesync_vid_mode && dm_new_crtc_state->stream &&
+ is_timing_unchanged_for_freesync(new_crtc_state,
+ old_crtc_state)) {
+ new_crtc_state->mode_changed = false;
+@@ -8800,7 +8802,7 @@ static int dm_update_crtc_state(struct a
+ set_freesync_fixed_config(dm_new_crtc_state);
+
+ goto skip_modeset;
+- } else if (aconnector &&
++ } else if (amdgpu_freesync_vid_mode && aconnector &&
+ is_freesync_video_mode(&new_crtc_state->mode,
+ aconnector)) {
+ struct drm_display_mode *high_mode;
--- /dev/null
+From 03cb9e6d0b32b768e3d9d473c5c4ca1100877664 Mon Sep 17 00:00:00 2001
+From: Christian Marangi <ansuelsmth@gmail.com>
+Date: Thu, 29 Dec 2022 17:33:34 +0100
+Subject: Revert "net: dsa: qca8k: cache lo and hi for mdio write"
+
+From: Christian Marangi <ansuelsmth@gmail.com>
+
+commit 03cb9e6d0b32b768e3d9d473c5c4ca1100877664 upstream.
+
+This reverts commit 2481d206fae7884cd07014fd1318e63af35e99eb.
+
+The Documentation is very confusing about the topic.
+The cache logic for hi and lo is wrong and actually miss some regs to be
+actually written.
+
+What the Documentation actually intended was that it's possible to skip
+writing hi OR lo if half of the reg is not needed to be written or read.
+
+Revert the change in favor of a better and correct implementation.
+
+Reported-by: Ronald Wahl <ronald.wahl@raritan.com>
+Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
+Cc: stable@vger.kernel.org # v5.18+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/qca/qca8k-8xxx.c | 61 +++++++--------------------------------
+ drivers/net/dsa/qca/qca8k.h | 5 ---
+ 2 files changed, 12 insertions(+), 54 deletions(-)
+
+--- a/drivers/net/dsa/qca/qca8k-8xxx.c
++++ b/drivers/net/dsa/qca/qca8k-8xxx.c
+@@ -37,44 +37,6 @@ qca8k_split_addr(u32 regaddr, u16 *r1, u
+ }
+
+ static int
+-qca8k_set_lo(struct qca8k_priv *priv, int phy_id, u32 regnum, u16 lo)
+-{
+- u16 *cached_lo = &priv->mdio_cache.lo;
+- struct mii_bus *bus = priv->bus;
+- int ret;
+-
+- if (lo == *cached_lo)
+- return 0;
+-
+- ret = bus->write(bus, phy_id, regnum, lo);
+- if (ret < 0)
+- dev_err_ratelimited(&bus->dev,
+- "failed to write qca8k 32bit lo register\n");
+-
+- *cached_lo = lo;
+- return 0;
+-}
+-
+-static int
+-qca8k_set_hi(struct qca8k_priv *priv, int phy_id, u32 regnum, u16 hi)
+-{
+- u16 *cached_hi = &priv->mdio_cache.hi;
+- struct mii_bus *bus = priv->bus;
+- int ret;
+-
+- if (hi == *cached_hi)
+- return 0;
+-
+- ret = bus->write(bus, phy_id, regnum, hi);
+- if (ret < 0)
+- dev_err_ratelimited(&bus->dev,
+- "failed to write qca8k 32bit hi register\n");
+-
+- *cached_hi = hi;
+- return 0;
+-}
+-
+-static int
+ qca8k_mii_read32(struct mii_bus *bus, int phy_id, u32 regnum, u32 *val)
+ {
+ int ret;
+@@ -97,7 +59,7 @@ qca8k_mii_read32(struct mii_bus *bus, in
+ }
+
+ static void
+-qca8k_mii_write32(struct qca8k_priv *priv, int phy_id, u32 regnum, u32 val)
++qca8k_mii_write32(struct mii_bus *bus, int phy_id, u32 regnum, u32 val)
+ {
+ u16 lo, hi;
+ int ret;
+@@ -105,9 +67,12 @@ qca8k_mii_write32(struct qca8k_priv *pri
+ lo = val & 0xffff;
+ hi = (u16)(val >> 16);
+
+- ret = qca8k_set_lo(priv, phy_id, regnum, lo);
++ ret = bus->write(bus, phy_id, regnum, lo);
+ if (ret >= 0)
+- ret = qca8k_set_hi(priv, phy_id, regnum + 1, hi);
++ ret = bus->write(bus, phy_id, regnum + 1, hi);
++ if (ret < 0)
++ dev_err_ratelimited(&bus->dev,
++ "failed to write qca8k 32bit register\n");
+ }
+
+ static int
+@@ -417,7 +382,7 @@ qca8k_regmap_write(void *ctx, uint32_t r
+ if (ret < 0)
+ goto exit;
+
+- qca8k_mii_write32(priv, 0x10 | r2, r1, val);
++ qca8k_mii_write32(bus, 0x10 | r2, r1, val);
+
+ exit:
+ mutex_unlock(&bus->mdio_lock);
+@@ -450,7 +415,7 @@ qca8k_regmap_update_bits(void *ctx, uint
+
+ val &= ~mask;
+ val |= write_val;
+- qca8k_mii_write32(priv, 0x10 | r2, r1, val);
++ qca8k_mii_write32(bus, 0x10 | r2, r1, val);
+
+ exit:
+ mutex_unlock(&bus->mdio_lock);
+@@ -725,14 +690,14 @@ qca8k_mdio_write(struct qca8k_priv *priv
+ if (ret)
+ goto exit;
+
+- qca8k_mii_write32(priv, 0x10 | r2, r1, val);
++ qca8k_mii_write32(bus, 0x10 | r2, r1, val);
+
+ ret = qca8k_mdio_busy_wait(bus, QCA8K_MDIO_MASTER_CTRL,
+ QCA8K_MDIO_MASTER_BUSY);
+
+ exit:
+ /* even if the busy_wait timeouts try to clear the MASTER_EN */
+- qca8k_mii_write32(priv, 0x10 | r2, r1, 0);
++ qca8k_mii_write32(bus, 0x10 | r2, r1, 0);
+
+ mutex_unlock(&bus->mdio_lock);
+
+@@ -762,7 +727,7 @@ qca8k_mdio_read(struct qca8k_priv *priv,
+ if (ret)
+ goto exit;
+
+- qca8k_mii_write32(priv, 0x10 | r2, r1, val);
++ qca8k_mii_write32(bus, 0x10 | r2, r1, val);
+
+ ret = qca8k_mdio_busy_wait(bus, QCA8K_MDIO_MASTER_CTRL,
+ QCA8K_MDIO_MASTER_BUSY);
+@@ -773,7 +738,7 @@ qca8k_mdio_read(struct qca8k_priv *priv,
+
+ exit:
+ /* even if the busy_wait timeouts try to clear the MASTER_EN */
+- qca8k_mii_write32(priv, 0x10 | r2, r1, 0);
++ qca8k_mii_write32(bus, 0x10 | r2, r1, 0);
+
+ mutex_unlock(&bus->mdio_lock);
+
+@@ -1943,8 +1908,6 @@ qca8k_sw_probe(struct mdio_device *mdiod
+ }
+
+ priv->mdio_cache.page = 0xffff;
+- priv->mdio_cache.lo = 0xffff;
+- priv->mdio_cache.hi = 0xffff;
+
+ /* Check the detected switch id */
+ ret = qca8k_read_switch_id(priv);
+--- a/drivers/net/dsa/qca/qca8k.h
++++ b/drivers/net/dsa/qca/qca8k.h
+@@ -375,11 +375,6 @@ struct qca8k_mdio_cache {
+ * mdio writes
+ */
+ u16 page;
+-/* lo and hi can also be cached and from Documentation we can skip one
+- * extra mdio write if lo or hi is didn't change.
+- */
+- u16 lo;
+- u16 hi;
+ };
+
+ struct qca8k_pcs {
nvmet-use-nvme_cmd_effects_csupp-instead-of-open-cod.patch
nvme-also-return-i-o-command-effects-from-nvme_comma.patch
asoc-sof-intel-pci-tgl-unblock-s5-entry-if-dma-stop-.patch
+x86-kexec-fix-double-free-of-elf-header-buffer.patch
+x86-bugs-flush-ibp-in-ib_prctl_set.patch
+nfsd-fix-handling-of-readdir-in-v4root-vs.-mount-upcall-timeout.patch
+fbdev-matroxfb-g200ew-increase-max-memory-from-1-mb-to-16-mb.patch
+bpf-fix-panic-due-to-wrong-pageattr-of-im-image.patch
+revert-drm-amd-display-enable-freesync-video-mode-by-default.patch
+revert-net-dsa-qca8k-cache-lo-and-hi-for-mdio-write.patch
+net-dsa-qca8k-fix-wrong-length-value-for-mgmt-eth-packet.patch
+net-dsa-tag_qca-fix-wrong-mgmt_data2-size.patch
+block-don-t-allow-splitting-of-a-req_nowait-bio.patch
+io_uring-io-wq-free-worker-if-task_work-creation-is-canceled.patch
+io_uring-pin-context-while-queueing-deferred-tw.patch
+io_uring-fix-cq-waiting-timeout-handling.patch
--- /dev/null
+From a664ec9158eeddd75121d39c9a0758016097fa96 Mon Sep 17 00:00:00 2001
+From: Rodrigo Branco <bsdaemon@google.com>
+Date: Tue, 3 Jan 2023 14:17:51 -0600
+Subject: x86/bugs: Flush IBP in ib_prctl_set()
+
+From: Rodrigo Branco <bsdaemon@google.com>
+
+commit a664ec9158eeddd75121d39c9a0758016097fa96 upstream.
+
+We missed the window between the TIF flag update and the next reschedule.
+
+Signed-off-by: Rodrigo Branco <bsdaemon@google.com>
+Reviewed-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1951,6 +1951,8 @@ static int ib_prctl_set(struct task_stru
+ if (ctrl == PR_SPEC_FORCE_DISABLE)
+ task_set_spec_ib_force_disable(task);
+ task_update_spec_tif(task);
++ if (task == current)
++ indirect_branch_prediction_barrier();
+ break;
+ default:
+ return -ERANGE;
--- /dev/null
+From d00dd2f2645dca04cf399d8fc692f3f69b6dd996 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 22 Nov 2022 12:51:22 +0100
+Subject: x86/kexec: Fix double-free of elf header buffer
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d00dd2f2645dca04cf399d8fc692f3f69b6dd996 upstream.
+
+After
+
+ b3e34a47f989 ("x86/kexec: fix memory leak of elf header buffer"),
+
+freeing image->elf_headers in the error path of crash_load_segments()
+is not needed because kimage_file_post_load_cleanup() will take
+care of that later. And not clearing it could result in a double-free.
+
+Drop the superfluous vfree() call at the error path of
+crash_load_segments().
+
+Fixes: b3e34a47f989 ("x86/kexec: fix memory leak of elf header buffer")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Baoquan He <bhe@redhat.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@kernel.org>
+Link: https://lore.kernel.org/r/20221122115122.13937-1-tiwai@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/crash.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/crash.c
++++ b/arch/x86/kernel/crash.c
+@@ -401,10 +401,8 @@ int crash_load_segments(struct kimage *i
+ kbuf.buf_align = ELF_CORE_HEADER_ALIGN;
+ kbuf.mem = KEXEC_BUF_MEM_UNKNOWN;
+ ret = kexec_add_buffer(&kbuf);
+- if (ret) {
+- vfree((void *)image->elf_headers);
++ if (ret)
+ return ret;
+- }
+ image->elf_load_addr = kbuf.mem;
+ pr_debug("Loaded ELF headers at 0x%lx bufsz=0x%lx memsz=0x%lx\n",
+ image->elf_load_addr, kbuf.bufsz, kbuf.memsz);
projects / thirdparty / kernel / stable-queue.git / commitdiff
