5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Apr 2024 12:50:02 +0000 (14:50 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Apr 2024 12:50:02 +0000 (14:50 +0200)
added patches:
btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch
drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch
perf-x86-fix-out-of-range-data.patch
vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch
x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch

queue-5.15/btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch [new file with mode: 0644]
queue-5.15/drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch [new file with mode: 0644]
queue-5.15/perf-x86-fix-out-of-range-data.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch [new file with mode: 0644]
queue-5.15/x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch [new file with mode: 0644]

diff --git a/queue-5.15/btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch b/queue-5.15/btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch
new file mode 100644 (file)
index 0000000..77631e1
--- /dev/null
@@ -0,0 +1,38 @@
+From 141fb8cd206ace23c02cd2791c6da52c1d77d42a Mon Sep 17 00:00:00 2001
+From: Boris Burkov <boris@bur.io>
+Date: Tue, 19 Mar 2024 10:54:22 -0700
+Subject: btrfs: qgroup: correctly model root qgroup rsv in convert
+
+From: Boris Burkov <boris@bur.io>
+
+commit 141fb8cd206ace23c02cd2791c6da52c1d77d42a upstream.
+
+We use add_root_meta_rsv and sub_root_meta_rsv to track prealloc and
+pertrans reservations for subvolumes when quotas are enabled. The
+convert function does not properly increment pertrans after decrementing
+prealloc, so the count is not accurate.
+
+Note: we check that the fs is not read-only to mirror the logic in
+qgroup_convert_meta, which checks that before adding to the pertrans rsv.
+
+Fixes: 8287475a2055 ("btrfs: qgroup: Use root::qgroup_meta_rsv_* to record qgroup meta reserved space")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Boris Burkov <boris@bur.io>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/qgroup.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -4080,6 +4080,8 @@ void btrfs_qgroup_convert_reserved_meta(
+                                     BTRFS_QGROUP_RSV_META_PREALLOC);
+       trace_qgroup_meta_convert(root, num_bytes);
+       qgroup_convert_meta(fs_info, root->root_key.objectid, num_bytes);
++      if (!sb_rdonly(fs_info->sb))
++              add_root_meta_rsv(root, num_bytes, BTRFS_QGROUP_RSV_META_PERTRANS);
+ }
+ /*
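Review bot: The added `sb_rdonly()` guard in btrfs_qgroup_convert_reserved_meta() has no in-code explanation; the reason appears only in the commit message, which says it must mirror the read-only check that qgroup_convert_meta() makes before adding to the pertrans reservation. A comment above the two new lines would keep the checks from drifting apart, for example `/* Mirror the read-only check in qgroup_convert_meta() so the per-root pertrans count matches the qgroup rsv. */`. Separately, the upstream stable tag reads `# 6.1+` while this file is queued for 5.15, so it is worth confirming that the 5.15 versions of add_root_meta_rsv() and qgroup_convert_meta() behave as the message assumes. The function body starts outside the hunk.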
diff --git a/queue-5.15/drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch b/queue-5.15/drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch
new file mode 100644 (file)
index 0000000..7ff6c91
--- /dev/null
@@ -0,0 +1,56 @@
+From 3eadd887dbac1df8f25f701e5d404d1b90fd0fea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Thu, 4 Apr 2024 23:33:25 +0300
+Subject: drm/client: Fully protect modes[] with dev->mode_config.mutex
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 3eadd887dbac1df8f25f701e5d404d1b90fd0fea upstream.
+
+The modes[] array contains pointers to modes on the connectors'
+mode lists, which are protected by dev->mode_config.mutex.
+Thus we need to extend modes[] the same protection or by the
+time we use it the elements may already be pointing to
+freed/reused memory.
+
+Cc: stable@vger.kernel.org
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240404203336.10454-2-ville.syrjala@linux.intel.com
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_client_modeset.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_client_modeset.c
++++ b/drivers/gpu/drm/drm_client_modeset.c
+@@ -775,6 +775,7 @@ int drm_client_modeset_probe(struct drm_
+       unsigned int total_modes_count = 0;
+       struct drm_client_offset *offsets;
+       unsigned int connector_count = 0;
++      /* points to modes protected by mode_config.mutex */
+       struct drm_display_mode **modes;
+       struct drm_crtc **crtcs;
+       int i, ret = 0;
+@@ -843,7 +844,6 @@ int drm_client_modeset_probe(struct drm_
+               drm_client_pick_crtcs(client, connectors, connector_count,
+                                     crtcs, modes, 0, width, height);
+       }
+-      mutex_unlock(&dev->mode_config.mutex);
+       drm_client_modeset_release(client);
+@@ -873,6 +873,7 @@ int drm_client_modeset_probe(struct drm_
+                       modeset->y = offset->y;
+               }
+       }
++      mutex_unlock(&dev->mode_config.mutex);
+       mutex_unlock(&client->modeset_mutex);
+ out:
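Review bot: Moving `mutex_unlock(&dev->mode_config.mutex)` down to just before `mutex_unlock(&client->modeset_mutex)` widens the critical section over the whole modeset-assignment loop, so any exit from that region that jumps straight to `out:` would now leave mode_config.mutex held. The three inner hunks show no such jump, but drm_client_modeset_probe() extends well beyond them, so the 5.15 body between the old and new unlock sites should be checked for a `goto out` or `return`. The new comment on `modes` could also state the consequence, e.g. `/* entries point into connector mode lists; only valid while mode_config.mutex is held */`.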
diff --git a/queue-5.15/perf-x86-fix-out-of-range-data.patch b/queue-5.15/perf-x86-fix-out-of-range-data.patch
new file mode 100644 (file)
index 0000000..dc5eece
--- /dev/null
@@ -0,0 +1,109 @@
+From dec8ced871e17eea46f097542dd074d022be4bd1 Mon Sep 17 00:00:00 2001
+From: Namhyung Kim <namhyung@kernel.org>
+Date: Tue, 5 Mar 2024 22:10:03 -0800
+Subject: perf/x86: Fix out of range data
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+commit dec8ced871e17eea46f097542dd074d022be4bd1 upstream.
+
+On x86 each struct cpu_hw_events maintains a table for counter assignment but
+it missed to update one for the deleted event in x86_pmu_del().  This
+can make perf_clear_dirty_counters() reset used counter if it's called
+before event scheduling or enabling.  Then it would return out of range
+data which doesn't make sense.
+
+The following code can reproduce the problem.
+
+  $ cat repro.c
+  #include <pthread.h>
+  #include <stdio.h>
+  #include <stdlib.h>
+  #include <unistd.h>
+  #include <linux/perf_event.h>
+  #include <sys/ioctl.h>
+  #include <sys/mman.h>
+  #include <sys/syscall.h>
+
+  struct perf_event_attr attr = {
+       .type = PERF_TYPE_HARDWARE,
+       .config = PERF_COUNT_HW_CPU_CYCLES,
+       .disabled = 1,
+  };
+
+  void *worker(void *arg)
+  {
+       int cpu = (long)arg;
+       int fd1 = syscall(SYS_perf_event_open, &attr, -1, cpu, -1, 0);
+       int fd2 = syscall(SYS_perf_event_open, &attr, -1, cpu, -1, 0);
+       void *p;
+
+       do {
+               ioctl(fd1, PERF_EVENT_IOC_ENABLE, 0);
+               p = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd1, 0);
+               ioctl(fd2, PERF_EVENT_IOC_ENABLE, 0);
+
+               ioctl(fd2, PERF_EVENT_IOC_DISABLE, 0);
+               munmap(p, 4096);
+               ioctl(fd1, PERF_EVENT_IOC_DISABLE, 0);
+       } while (1);
+
+       return NULL;
+  }
+
+  int main(void)
+  {
+       int i;
+       int n = sysconf(_SC_NPROCESSORS_ONLN);
+       pthread_t *th = calloc(n, sizeof(*th));
+
+       for (i = 0; i < n; i++)
+               pthread_create(&th[i], NULL, worker, (void *)(long)i);
+       for (i = 0; i < n; i++)
+               pthread_join(th[i], NULL);
+
+       free(th);
+       return 0;
+  }
+
+And you can see the out of range data using perf stat like this.
+Probably it'd be easier to see on a large machine.
+
+  $ gcc -o repro repro.c -pthread
+  $ ./repro &
+  $ sudo perf stat -A -I 1000 2>&1 | awk '{ if (length($3) > 15) print }'
+       1.001028462 CPU6   196,719,295,683,763      cycles                           # 194290.996 GHz                       (71.54%)
+       1.001028462 CPU3   396,077,485,787,730      branch-misses                    # 15804359784.80% of all branches      (71.07%)
+       1.001028462 CPU17  197,608,350,727,877      branch-misses                    # 14594186554.56% of all branches      (71.22%)
+       2.020064073 CPU4   198,372,472,612,140      cycles                           # 194681.113 GHz                       (70.95%)
+       2.020064073 CPU6   199,419,277,896,696      cycles                           # 195720.007 GHz                       (70.57%)
+       2.020064073 CPU20  198,147,174,025,639      cycles                           # 194474.654 GHz                       (71.03%)
+       2.020064073 CPU20  198,421,240,580,145      stalled-cycles-frontend          #  100.14% frontend cycles idle        (70.93%)
+       3.037443155 CPU4   197,382,689,923,416      cycles                           # 194043.065 GHz                       (71.30%)
+       3.037443155 CPU20  196,324,797,879,414      cycles                           # 193003.773 GHz                       (71.69%)
+       3.037443155 CPU5   197,679,956,608,205      stalled-cycles-backend           # 1315606428.66% backend cycles idle   (71.19%)
+       3.037443155 CPU5   198,571,860,474,851      instructions                     # 13215422.58  insn per cycle
+
+It should move the contents in the cpuc->assign as well.
+
+Fixes: 5471eea5d3bf ("perf/x86: Reset the dirty counter to prevent the leak for an RDPMC task")
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240306061003.1894224-1-namhyung@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/core.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -1649,6 +1649,7 @@ static void x86_pmu_del(struct perf_even
+       while (++i < cpuc->n_events) {
+               cpuc->event_list[i-1] = cpuc->event_list[i];
+               cpuc->event_constraint[i-1] = cpuc->event_constraint[i];
++              cpuc->assign[i-1] = cpuc->assign[i];
+       }
+       cpuc->event_constraint[i-1] = NULL;
+       --cpuc->n_events;
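Review bot: After the shift loop in x86_pmu_del() only `cpuc->event_constraint[i-1]` is reset, so the last slot of `cpuc->assign` keeps a stale counter index. The hunk shows no reader that goes past `cpuc->n_events`, so this may be harmless, but the asymmetry deserves a comment such as `/* assign[] slots at or beyond n_events are stale and must not be read */`. A short comment on the loop stating that event_list, event_constraint and assign are parallel arrays that must be shifted together would also help keep the omission this patch fixes from recurring. The function starts and ends outside the hunk.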
index 11a8eb629312b1720b6a6c6c47e9bd00a4eaf53a..70f23fa83aa5c65d09dae10e0731eac3c5804c9b 100644 (file)
@@ -27,3 +27,8 @@ net-ena-fix-incorrect-descriptor-free-behavior.patch
 tracing-fix-ftrace_record_recursion_size-kconfig-ent.patch
 tracing-hide-unused-ftrace_event_id_fops.patch
 iommu-vt-d-allocate-local-memory-for-page-request-qu.patch
+btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch
+drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch
+vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch
+perf-x86-fix-out-of-range-data.patch
+x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch
diff --git a/queue-5.15/vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch b/queue-5.15/vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch
new file mode 100644 (file)
index 0000000..ecbc389
--- /dev/null
@@ -0,0 +1,70 @@
+From 22e1992cf7b034db5325660e98c41ca5afa5f519 Mon Sep 17 00:00:00 2001
+From: Gavin Shan <gshan@redhat.com>
+Date: Thu, 28 Mar 2024 10:21:47 +1000
+Subject: vhost: Add smp_rmb() in vhost_vq_avail_empty()
+
+From: Gavin Shan <gshan@redhat.com>
+
+commit 22e1992cf7b034db5325660e98c41ca5afa5f519 upstream.
+
+A smp_rmb() has been missed in vhost_vq_avail_empty(), spotted by
+Will. Otherwise, it's not ensured the available ring entries pushed
+by guest can be observed by vhost in time, leading to stale available
+ring entries fetched by vhost in vhost_get_vq_desc(), as reported by
+Yihuang Yu on NVidia's grace-hopper (ARM64) platform.
+
+  /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64      \
+  -accel kvm -machine virt,gic-version=host -cpu host          \
+  -smp maxcpus=1,cpus=1,sockets=1,clusters=1,cores=1,threads=1 \
+  -m 4096M,slots=16,maxmem=64G                                 \
+  -object memory-backend-ram,id=mem0,size=4096M                \
+   :                                                           \
+  -netdev tap,id=vnet0,vhost=true                              \
+  -device virtio-net-pci,bus=pcie.8,netdev=vnet0,mac=52:54:00:f1:26:b0
+   :
+  guest# netperf -H 10.26.1.81 -l 60 -C -c -t UDP_STREAM
+  virtio_net virtio0: output.0:id 100 is not a head!
+
+Add the missed smp_rmb() in vhost_vq_avail_empty(). When tx_can_batch()
+returns true, it means there's still pending tx buffers. Since it might
+read indices, so it still can bypass the smp_rmb() in vhost_get_vq_desc().
+Note that it should be safe until vq->avail_idx is changed by commit
+275bf960ac697 ("vhost: better detection of available buffers").
+
+Fixes: 275bf960ac69 ("vhost: better detection of available buffers")
+Cc: <stable@kernel.org> # v4.11+
+Reported-by: Yihuang Yu <yihyu@redhat.com>
+Suggested-by: Will Deacon <will@kernel.org>
+Signed-off-by: Gavin Shan <gshan@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Message-Id: <20240328002149.1141302-2-gshan@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2518,9 +2518,19 @@ bool vhost_vq_avail_empty(struct vhost_d
+       r = vhost_get_avail_idx(vq, &avail_idx);
+       if (unlikely(r))
+               return false;
++
+       vq->avail_idx = vhost16_to_cpu(vq, avail_idx);
++      if (vq->avail_idx != vq->last_avail_idx) {
++              /* Since we have updated avail_idx, the following
++               * call to vhost_get_vq_desc() will read available
++               * ring entries. Make sure that read happens after
++               * the avail_idx read.
++               */
++              smp_rmb();
++              return false;
++      }
+-      return vq->avail_idx == vq->last_avail_idx;
++      return true;
+ }
+ EXPORT_SYMBOL_GPL(vhost_vq_avail_empty);
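Review bot: The new barrier comment in vhost_vq_avail_empty() says which read must be ordered but not which write-side barrier it pairs with. Kernel convention is to name the pairing, e.g. `/* Pairs with the driver's write barrier before it publishes avail->idx. */` (wording to be confirmed against the virtio driver side). The unchanged `unlikely(r)` path also returns false without a barrier, which looks fine because avail_idx is not updated there, but the comment could say so. The Message-Id suffix `-2-` suggests this patch belongs to a series, so other paths that refresh `vq->avail_idx` before vhost_get_vq_desc() runs (vhost_enable_notify() is worth checking) may need the same barrier and the matching patch queued alongside.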
diff --git a/queue-5.15/x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch b/queue-5.15/x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch
new file mode 100644 (file)
index 0000000..3a1f325
--- /dev/null
@@ -0,0 +1,47 @@
+From f337a6a21e2fd67eadea471e93d05dd37baaa9be Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 9 Apr 2024 10:51:05 -0700
+Subject: x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit f337a6a21e2fd67eadea471e93d05dd37baaa9be upstream.
+
+Initialize cpu_mitigations to CPU_MITIGATIONS_OFF if the kernel is built
+with CONFIG_SPECULATION_MITIGATIONS=n, as the help text quite clearly
+states that disabling SPECULATION_MITIGATIONS is supposed to turn off all
+mitigations by default.
+
+  │ If you say N, all mitigations will be disabled. You really
+  │ should know what you are doing to say so.
+
+As is, the kernel still defaults to CPU_MITIGATIONS_AUTO, which results in
+some mitigations being enabled in spite of SPECULATION_MITIGATIONS=n.
+
+Fixes: f43b9876e857 ("x86/retbleed: Add fine grained Kconfig knobs")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
+Cc: stable@vger.kernel.org
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20240409175108.1512861-2-seanjc@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cpu.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -2722,7 +2722,8 @@ enum cpu_mitigations {
+ };
+ static enum cpu_mitigations cpu_mitigations __ro_after_init =
+-      CPU_MITIGATIONS_AUTO;
++      IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
++                                                   CPU_MITIGATIONS_OFF;
+ static int __init mitigations_parse_cmdline(char *arg)
+ {
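Review bot: The new initializer sits in kernel/cpu.c, which is built for every architecture, yet it keys the default on CONFIG_SPECULATION_MITIGATIONS, which the subject line and Fixes tag tie to x86. If that symbol is defined only in the x86 Kconfig, `IS_ENABLED()` evaluates to 0 everywhere else and non-x86 kernels would silently default to CPU_MITIGATIONS_OFF. Before this ships in a 5.15 release the OFF default should be limited to x86, for example `IS_ENABLED(CONFIG_X86) && !IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_OFF : CPU_MITIGATIONS_AUTO;`, or be queued together with whatever upstream follow-up covers other architectures. The enum and mitigations_parse_cmdline() are cut by the hunk.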