--- /dev/null
+From 32f86da7c86b27ebed31c24453a0713f612e43fb Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Fri, 17 Feb 2023 16:06:26 +0100
+Subject: arm64: dts: imx8mm-nitrogen-r2: fix WM8960 clock name
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 32f86da7c86b27ebed31c24453a0713f612e43fb upstream.
+
+The WM8960 Linux driver expects the clock to be named "mclk". Otherwise
+the clock will be ignored and not prepared/enabled by the driver.
+
+Fixes: 40ba2eda0a7b ("arm64: dts: imx8mm-nitrogen-r2: add audio")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm-nitrogen-r2.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8mm-nitrogen-r2.dts
++++ b/arch/arm64/boot/dts/freescale/imx8mm-nitrogen-r2.dts
+@@ -247,7 +247,7 @@
+ compatible = "wlf,wm8960";
+ reg = <0x1a>;
+ clocks = <&clk IMX8MM_CLK_SAI1_ROOT>;
+- clock-names = "mclk1";
++ clock-names = "mclk";
+ wlf,shared-lrclk;
+ #sound-dai-cells = <0>;
+ };
--- /dev/null
+From 3c66bb1918c262dd52fb4221a8d372619c5da70a Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Fri, 10 Mar 2023 13:30:05 +0100
+Subject: arm64: efi: Set NX compat flag in PE/COFF header
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit 3c66bb1918c262dd52fb4221a8d372619c5da70a upstream.
+
+The PE/COFF header has a NX compat flag which informs the firmware that
+the application does not rely on memory regions being mapped with both
+executable and writable permissions at the same time.
+
+This is typically used by the firmware to decide whether it can set the
+NX attribute on all allocations it returns, but going forward, it may be
+used to enforce a policy that only permits applications with the NX flag
+set to be loaded to begin wiht in some configurations, e.g., when Secure
+Boot is in effect.
+
+Even though the arm64 version of the EFI stub may relocate the kernel
+before executing it, it always did so after disabling the MMU, and so we
+were always in line with what the NX compat flag conveys, we just never
+bothered to set it.
+
+So let's set the flag now.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/efi-header.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/efi-header.S
++++ b/arch/arm64/kernel/efi-header.S
+@@ -66,7 +66,7 @@
+ .long .Lefi_header_end - .L_head // SizeOfHeaders
+ .long 0 // CheckSum
+ .short IMAGE_SUBSYSTEM_EFI_APPLICATION // Subsystem
+- .short 0 // DllCharacteristics
++ .short IMAGE_DLL_CHARACTERISTICS_NX_COMPAT // DllCharacteristics
+ .quad 0 // SizeOfStackReserve
+ .quad 0 // SizeOfStackCommit
+ .quad 0 // SizeOfHeapReserve
--- /dev/null
+From 1c66bee492a5fe00ae3fe890bb693bfc99f994c6 Mon Sep 17 00:00:00 2001
+From: Min Li <lm0963hack@gmail.com>
+Date: Sat, 4 Mar 2023 21:50:35 +0800
+Subject: Bluetooth: Fix race condition in hci_cmd_sync_clear
+
+From: Min Li <lm0963hack@gmail.com>
+
+commit 1c66bee492a5fe00ae3fe890bb693bfc99f994c6 upstream.
+
+There is a potential race condition in hci_cmd_sync_work and
+hci_cmd_sync_clear, and could lead to use-after-free. For instance,
+hci_cmd_sync_work is added to the 'req_workqueue' after cancel_work_sync
+The entry of 'cmd_sync_work_list' may be freed in hci_cmd_sync_clear, and
+causing kernel panic when it is used in 'hci_cmd_sync_work'.
+
+Here's the call trace:
+
+dump_stack_lvl+0x49/0x63
+print_report.cold+0x5e/0x5d3
+? hci_cmd_sync_work+0x282/0x320
+kasan_report+0xaa/0x120
+? hci_cmd_sync_work+0x282/0x320
+__asan_report_load8_noabort+0x14/0x20
+hci_cmd_sync_work+0x282/0x320
+process_one_work+0x77b/0x11c0
+? _raw_spin_lock_irq+0x8e/0xf0
+worker_thread+0x544/0x1180
+? poll_idle+0x1e0/0x1e0
+kthread+0x285/0x320
+? process_one_work+0x11c0/0x11c0
+? kthread_complete_and_exit+0x30/0x30
+ret_from_fork+0x22/0x30
+</TASK>
+
+Allocated by task 266:
+kasan_save_stack+0x26/0x50
+__kasan_kmalloc+0xae/0xe0
+kmem_cache_alloc_trace+0x191/0x350
+hci_cmd_sync_queue+0x97/0x2b0
+hci_update_passive_scan+0x176/0x1d0
+le_conn_complete_evt+0x1b5/0x1a00
+hci_le_conn_complete_evt+0x234/0x340
+hci_le_meta_evt+0x231/0x4e0
+hci_event_packet+0x4c5/0xf00
+hci_rx_work+0x37d/0x880
+process_one_work+0x77b/0x11c0
+worker_thread+0x544/0x1180
+kthread+0x285/0x320
+ret_from_fork+0x22/0x30
+
+Freed by task 269:
+kasan_save_stack+0x26/0x50
+kasan_set_track+0x25/0x40
+kasan_set_free_info+0x24/0x40
+____kasan_slab_free+0x176/0x1c0
+__kasan_slab_free+0x12/0x20
+slab_free_freelist_hook+0x95/0x1a0
+kfree+0xba/0x2f0
+hci_cmd_sync_clear+0x14c/0x210
+hci_unregister_dev+0xff/0x440
+vhci_release+0x7b/0xf0
+__fput+0x1f3/0x970
+____fput+0xe/0x20
+task_work_run+0xd4/0x160
+do_exit+0x8b0/0x22a0
+do_group_exit+0xba/0x2a0
+get_signal+0x1e4a/0x25b0
+arch_do_signal_or_restart+0x93/0x1f80
+exit_to_user_mode_prepare+0xf5/0x1a0
+syscall_exit_to_user_mode+0x26/0x50
+ret_from_fork+0x15/0x30
+
+Fixes: 6a98e3836fa2 ("Bluetooth: Add helper for serialized HCI command execution")
+Cc: stable@vger.kernel.org
+Signed-off-by: Min Li <lm0963hack@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sync.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -643,6 +643,7 @@ void hci_cmd_sync_clear(struct hci_dev *
+ cancel_work_sync(&hdev->cmd_sync_work);
+ cancel_work_sync(&hdev->reenable_adv_work);
+
++ mutex_lock(&hdev->cmd_sync_work_lock);
+ list_for_each_entry_safe(entry, tmp, &hdev->cmd_sync_work_list, list) {
+ if (entry->destroy)
+ entry->destroy(hdev, entry->data, -ECANCELED);
+@@ -650,6 +651,7 @@ void hci_cmd_sync_clear(struct hci_dev *
+ list_del(&entry->list);
+ kfree(entry);
+ }
++ mutex_unlock(&hdev->cmd_sync_work_lock);
+ }
+
+ void __hci_cmd_sync_cancel(struct hci_dev *hdev, int err)
--- /dev/null
+From 9e1cdf0c354e46e428c0e0cab008abbe81b6013d Mon Sep 17 00:00:00 2001
+From: Naohiro Aota <naohiro.aota@wdc.com>
+Date: Mon, 13 Mar 2023 16:29:49 +0900
+Subject: btrfs: zoned: fix btrfs_can_activate_zone() to support DUP profile
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+commit 9e1cdf0c354e46e428c0e0cab008abbe81b6013d upstream.
+
+btrfs_can_activate_zone() returns true if at least one device has one zone
+available for activation. This is OK for the single profile, but not OK for
+DUP profile. We need two zones to create a DUP block group. Fix it by
+properly handling the case with the profile flags.
+
+Fixes: 265f7237dd25 ("btrfs: zoned: allow DUP on meta-data block groups")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/zoned.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/zoned.c
++++ b/fs/btrfs/zoned.c
+@@ -2100,11 +2100,21 @@ bool btrfs_can_activate_zone(struct btrf
+ if (!device->bdev)
+ continue;
+
+- if (!zinfo->max_active_zones ||
+- atomic_read(&zinfo->active_zones_left)) {
++ if (!zinfo->max_active_zones) {
+ ret = true;
+ break;
+ }
++
++ switch (flags & BTRFS_BLOCK_GROUP_PROFILE_MASK) {
++ case 0: /* single */
++ ret = (atomic_read(&zinfo->active_zones_left) >= 1);
++ break;
++ case BTRFS_BLOCK_GROUP_DUP:
++ ret = (atomic_read(&zinfo->active_zones_left) >= 2);
++ break;
++ }
++ if (ret)
++ break;
+ }
+ mutex_unlock(&fs_info->chunk_mutex);
+
--- /dev/null
+From 9bbf5feecc7eab2c370496c1c161bbfe62084028 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Mon, 27 Feb 2023 23:23:17 +0800
+Subject: dm thin: fix deadlock when swapping to thin device
+
+From: Coly Li <colyli@suse.de>
+
+commit 9bbf5feecc7eab2c370496c1c161bbfe62084028 upstream.
+
+This is an already known issue that dm-thin volume cannot be used as
+swap, otherwise a deadlock may happen when dm-thin internal memory
+demand triggers swap I/O on the dm-thin volume itself.
+
+But thanks to commit a666e5c05e7c ("dm: fix deadlock when swapping to
+encrypted device"), the limit_swap_bios target flag can also be used
+for dm-thin to avoid the recursive I/O when it is used as swap.
+
+Fix is to simply set ti->limit_swap_bios to true in both pool_ctr()
+and thin_ctr().
+
+In my test, I create a dm-thin volume /dev/vg/swap and use it as swap
+device. Then I run fio on another dm-thin volume /dev/vg/main and use
+large --blocksize to trigger swap I/O onto /dev/vg/swap.
+
+The following fio command line is used in my test,
+ fio --name recursive-swap-io --lockmem 1 --iodepth 128 \
+ --ioengine libaio --filename /dev/vg/main --rw randrw \
+ --blocksize 1M --numjobs 32 --time_based --runtime=12h
+
+Without this fix, the whole system can be locked up within 15 seconds.
+
+With this fix, there is no any deadlock or hung task observed after
+2 hours of running fio.
+
+Furthermore, if blocksize is changed from 1M to 128M, after around 30
+seconds fio has no visible I/O, and the out-of-memory killer message
+shows up in kernel message. After around 20 minutes all fio processes
+are killed and the whole system is back to being alive.
+
+This is exactly what is expected when recursive I/O happens on dm-thin
+volume when it is used as swap.
+
+Depends-on: a666e5c05e7c ("dm: fix deadlock when swapping to encrypted device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Coly Li <colyli@suse.de>
+Acked-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-thin.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -3357,6 +3357,7 @@ static int pool_ctr(struct dm_target *ti
+ pt->low_water_blocks = low_water_blocks;
+ pt->adjusted_pf = pt->requested_pf = pf;
+ ti->num_flush_bios = 1;
++ ti->limit_swap_bios = true;
+
+ /*
+ * Only need to enable discards if the pool should pass
+@@ -4235,6 +4236,7 @@ static int thin_ctr(struct dm_target *ti
+ goto bad;
+
+ ti->num_flush_bios = 1;
++ ti->limit_swap_bios = true;
+ ti->flush_supported = true;
+ ti->accounts_remapped_io = true;
+ ti->per_io_data_size = sizeof(struct dm_thin_endio_hook);
--- /dev/null
+From c7d9e628b8ff4d52a365a441bdacb3209ee83c81 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Fri, 10 Mar 2023 12:15:24 +0100
+Subject: efi/libstub: zboot: Mark zboot EFI application as NX compatible
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit c7d9e628b8ff4d52a365a441bdacb3209ee83c81 upstream.
+
+Now that the zboot loader will invoke the EFI memory attributes protocol
+to remap the decompressed code and rodata as read-only/executable, we
+can set the PE/COFF header flag that indicates to the firmware that the
+application does not rely on writable memory being executable at the
+same time.
+
+Cc: <stable@vger.kernel.org> # v6.2+
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/libstub/zboot-header.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/efi/libstub/zboot-header.S
++++ b/drivers/firmware/efi/libstub/zboot-header.S
+@@ -63,7 +63,7 @@ __efistub_efi_zboot_header:
+ .long .Lefi_header_end - .Ldoshdr
+ .long 0
+ .short IMAGE_SUBSYSTEM_EFI_APPLICATION
+- .short 0
++ .short IMAGE_DLL_CHARACTERISTICS_NX_COMPAT
+ #ifdef CONFIG_64BIT
+ .quad 0, 0, 0, 0
+ #else
--- /dev/null
+From 3615c78673c332b69aaacefbcde5937c5c706686 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 14 Mar 2023 13:31:02 +0100
+Subject: efi: sysfb_efi: Fix DMI quirks not working for simpledrm
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 3615c78673c332b69aaacefbcde5937c5c706686 upstream.
+
+Commit 8633ef82f101 ("drivers/firmware: consolidate EFI framebuffer setup
+for all arches") moved the sysfb_apply_efi_quirks() call in sysfb_init()
+from before the [sysfb_]parse_mode() call to after it.
+But sysfb_apply_efi_quirks() modifies the global screen_info struct which
+[sysfb_]parse_mode() parses, so doing it later is too late.
+
+This has broken all DMI based quirks for correcting wrong firmware efifb
+settings when simpledrm is used.
+
+To fix this move the sysfb_apply_efi_quirks() call back to its old place
+and split the new setup of the efifb_fwnode (which requires
+the platform_device) into its own function and call that at
+the place of the moved sysfb_apply_efi_quirks(pd) calls.
+
+Fixes: 8633ef82f101 ("drivers/firmware: consolidate EFI framebuffer setup for all arches")
+Cc: stable@vger.kernel.org
+Cc: Javier Martinez Canillas <javierm@redhat.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/sysfb_efi.c | 5 ++++-
+ drivers/firmware/sysfb.c | 4 +++-
+ drivers/firmware/sysfb_simplefb.c | 2 +-
+ include/linux/sysfb.h | 9 +++++++--
+ 4 files changed, 15 insertions(+), 5 deletions(-)
+
+--- a/drivers/firmware/efi/sysfb_efi.c
++++ b/drivers/firmware/efi/sysfb_efi.c
+@@ -341,7 +341,7 @@ static const struct fwnode_operations ef
+ #ifdef CONFIG_EFI
+ static struct fwnode_handle efifb_fwnode;
+
+-__init void sysfb_apply_efi_quirks(struct platform_device *pd)
++__init void sysfb_apply_efi_quirks(void)
+ {
+ if (screen_info.orig_video_isVGA != VIDEO_TYPE_EFI ||
+ !(screen_info.capabilities & VIDEO_CAPABILITY_SKIP_QUIRKS))
+@@ -355,7 +355,10 @@ __init void sysfb_apply_efi_quirks(struc
+ screen_info.lfb_height = temp;
+ screen_info.lfb_linelength = 4 * screen_info.lfb_width;
+ }
++}
+
++__init void sysfb_set_efifb_fwnode(struct platform_device *pd)
++{
+ if (screen_info.orig_video_isVGA == VIDEO_TYPE_EFI && IS_ENABLED(CONFIG_PCI)) {
+ fwnode_init(&efifb_fwnode, &efifb_fwnode_ops);
+ pd->dev.fwnode = &efifb_fwnode;
+--- a/drivers/firmware/sysfb.c
++++ b/drivers/firmware/sysfb.c
+@@ -81,6 +81,8 @@ static __init int sysfb_init(void)
+ if (disabled)
+ goto unlock_mutex;
+
++ sysfb_apply_efi_quirks();
++
+ /* try to create a simple-framebuffer device */
+ compatible = sysfb_parse_mode(si, &mode);
+ if (compatible) {
+@@ -107,7 +109,7 @@ static __init int sysfb_init(void)
+ goto unlock_mutex;
+ }
+
+- sysfb_apply_efi_quirks(pd);
++ sysfb_set_efifb_fwnode(pd);
+
+ ret = platform_device_add_data(pd, si, sizeof(*si));
+ if (ret)
+--- a/drivers/firmware/sysfb_simplefb.c
++++ b/drivers/firmware/sysfb_simplefb.c
+@@ -110,7 +110,7 @@ __init struct platform_device *sysfb_cre
+ if (!pd)
+ return ERR_PTR(-ENOMEM);
+
+- sysfb_apply_efi_quirks(pd);
++ sysfb_set_efifb_fwnode(pd);
+
+ ret = platform_device_add_resources(pd, &res, 1);
+ if (ret)
+--- a/include/linux/sysfb.h
++++ b/include/linux/sysfb.h
+@@ -70,11 +70,16 @@ static inline void sysfb_disable(void)
+ #ifdef CONFIG_EFI
+
+ extern struct efifb_dmi_info efifb_dmi_list[];
+-void sysfb_apply_efi_quirks(struct platform_device *pd);
++void sysfb_apply_efi_quirks(void);
++void sysfb_set_efifb_fwnode(struct platform_device *pd);
+
+ #else /* CONFIG_EFI */
+
+-static inline void sysfb_apply_efi_quirks(struct platform_device *pd)
++static inline void sysfb_apply_efi_quirks(void)
++{
++}
++
++static inline void sysfb_set_efifb_fwnode(struct platform_device *pd)
+ {
+ }
+
--- /dev/null
+From ccb820dc7d2236b1af0d54ae038a27b5b6d5ae5a Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 13 Mar 2023 15:12:29 -0700
+Subject: fscrypt: destroy keyring after security_sb_delete()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit ccb820dc7d2236b1af0d54ae038a27b5b6d5ae5a upstream.
+
+fscrypt_destroy_keyring() must be called after all potentially-encrypted
+inodes were evicted; otherwise it cannot safely destroy the keyring.
+Since inodes that are in-use by the Landlock LSM don't get evicted until
+security_sb_delete(), this means that fscrypt_destroy_keyring() must be
+called *after* security_sb_delete().
+
+This fixes a WARN_ON followed by a NULL dereference, only possible if
+Landlock was being used on encrypted files.
+
+Fixes: d7e7b9af104c ("fscrypt: stop using keyrings subsystem for fscrypt_master_key")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+93e495f6a4f748827c88@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/00000000000044651705f6ca1e30@google.com
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Link: https://lore.kernel.org/r/20230313221231.272498-2-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/super.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/fs/super.c
++++ b/fs/super.c
+@@ -476,13 +476,22 @@ void generic_shutdown_super(struct super
+
+ cgroup_writeback_umount();
+
+- /* evict all inodes with zero refcount */
++ /* Evict all inodes with zero refcount. */
+ evict_inodes(sb);
+- /* only nonzero refcount inodes can have marks */
++
++ /*
++ * Clean up and evict any inodes that still have references due
++ * to fsnotify or the security policy.
++ */
+ fsnotify_sb_delete(sb);
+- fscrypt_destroy_keyring(sb);
+ security_sb_delete(sb);
+
++ /*
++ * Now that all potentially-encrypted inodes have been evicted,
++ * the fscrypt keyring can be destroyed.
++ */
++ fscrypt_destroy_keyring(sb);
++
+ if (sb->s_dio_done_wq) {
+ destroy_workqueue(sb->s_dio_done_wq);
+ sb->s_dio_done_wq = NULL;
--- /dev/null
+From f959325e6ac3f499450088b8d9c626d1177be160 Mon Sep 17 00:00:00 2001
+From: Nathan Huckleberry <nhuck@google.com>
+Date: Fri, 10 Mar 2023 11:33:25 -0800
+Subject: fsverity: Remove WQ_UNBOUND from fsverity read workqueue
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+commit f959325e6ac3f499450088b8d9c626d1177be160 upstream.
+
+WQ_UNBOUND causes significant scheduler latency on ARM64/Android. This
+is problematic for latency sensitive workloads, like I/O
+post-processing.
+
+Removing WQ_UNBOUND gives a 96% reduction in fsverity workqueue related
+scheduler latency and improves app cold startup times by ~30ms.
+WQ_UNBOUND was also removed from the dm-verity workqueue for the same
+reason [1].
+
+This code was tested by running Android app startup benchmarks and
+measuring how long the fsverity workqueue spent in the runnable state.
+
+Before
+Total workqueue scheduler latency: 553800us
+After
+Total workqueue scheduler latency: 18962us
+
+[1]: https://lore.kernel.org/all/20230202012348.885402-1-nhuck@google.com/
+
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Fixes: 8a1d0f9cacc9 ("fs-verity: add data verification hooks for ->readpages()")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230310193325.620493-1-nhuck@google.com
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/verity/verify.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/fs/verity/verify.c
++++ b/fs/verity/verify.c
+@@ -269,15 +269,15 @@ EXPORT_SYMBOL_GPL(fsverity_enqueue_verif
+ int __init fsverity_init_workqueue(void)
+ {
+ /*
+- * Use an unbound workqueue to allow bios to be verified in parallel
+- * even when they happen to complete on the same CPU. This sacrifices
+- * locality, but it's worthwhile since hashing is CPU-intensive.
++ * Use a high-priority workqueue to prioritize verification work, which
++ * blocks reads from completing, over regular application tasks.
+ *
+- * Also use a high-priority workqueue to prioritize verification work,
+- * which blocks reads from completing, over regular application tasks.
++ * For performance reasons, don't use an unbound workqueue. Using an
++ * unbound workqueue for crypto operations causes excessive scheduler
++ * latency on ARM64.
+ */
+ fsverity_read_workqueue = alloc_workqueue("fsverity_read_queue",
+- WQ_UNBOUND | WQ_HIGHPRI,
++ WQ_HIGHPRI,
+ num_online_cpus());
+ if (!fsverity_read_workqueue)
+ return -ENOMEM;
--- /dev/null
+From 65f69851e44d71248b952a687e44759a7abb5016 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Tue, 7 Mar 2023 23:29:17 +0800
+Subject: igb: revert rtnl_lock() that causes deadlock
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit 65f69851e44d71248b952a687e44759a7abb5016 upstream.
+
+The commit 6faee3d4ee8b ("igb: Add lock to avoid data race") adds
+rtnl_lock to eliminate a false data race shown below
+
+ (FREE from device detaching) | (USE from netdev core)
+igb_remove | igb_ndo_get_vf_config
+ igb_disable_sriov | vf >= adapter->vfs_allocated_count?
+ kfree(adapter->vf_data) |
+ adapter->vfs_allocated_count = 0 |
+ | memcpy(... adapter->vf_data[vf]
+
+The above race will never happen and the extra rtnl_lock causes deadlock
+below
+
+[ 141.420169] <TASK>
+[ 141.420672] __schedule+0x2dd/0x840
+[ 141.421427] schedule+0x50/0xc0
+[ 141.422041] schedule_preempt_disabled+0x11/0x20
+[ 141.422678] __mutex_lock.isra.13+0x431/0x6b0
+[ 141.423324] unregister_netdev+0xe/0x20
+[ 141.423578] igbvf_remove+0x45/0xe0 [igbvf]
+[ 141.423791] pci_device_remove+0x36/0xb0
+[ 141.423990] device_release_driver_internal+0xc1/0x160
+[ 141.424270] pci_stop_bus_device+0x6d/0x90
+[ 141.424507] pci_stop_and_remove_bus_device+0xe/0x20
+[ 141.424789] pci_iov_remove_virtfn+0xba/0x120
+[ 141.425452] sriov_disable+0x2f/0xf0
+[ 141.425679] igb_disable_sriov+0x4e/0x100 [igb]
+[ 141.426353] igb_remove+0xa0/0x130 [igb]
+[ 141.426599] pci_device_remove+0x36/0xb0
+[ 141.426796] device_release_driver_internal+0xc1/0x160
+[ 141.427060] driver_detach+0x44/0x90
+[ 141.427253] bus_remove_driver+0x55/0xe0
+[ 141.427477] pci_unregister_driver+0x2a/0xa0
+[ 141.428296] __x64_sys_delete_module+0x141/0x2b0
+[ 141.429126] ? mntput_no_expire+0x4a/0x240
+[ 141.429363] ? syscall_trace_enter.isra.19+0x126/0x1a0
+[ 141.429653] do_syscall_64+0x5b/0x80
+[ 141.429847] ? exit_to_user_mode_prepare+0x14d/0x1c0
+[ 141.430109] ? syscall_exit_to_user_mode+0x12/0x30
+[ 141.430849] ? do_syscall_64+0x67/0x80
+[ 141.431083] ? syscall_exit_to_user_mode_prepare+0x183/0x1b0
+[ 141.431770] ? syscall_exit_to_user_mode+0x12/0x30
+[ 141.432482] ? do_syscall_64+0x67/0x80
+[ 141.432714] ? exc_page_fault+0x64/0x140
+[ 141.432911] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Since the igb_disable_sriov() will call pci_disable_sriov() before
+releasing any resources, the netdev core will synchronize the cleanup to
+avoid any races. This patch removes the useless rtnl_(un)lock to guarantee
+correctness.
+
+CC: stable@vger.kernel.org
+Fixes: 6faee3d4ee8b ("igb: Add lock to avoid data race")
+Reported-by: Corinna Vinschen <vinschen@redhat.com>
+Link: https://lore.kernel.org/intel-wired-lan/ZAcJvkEPqWeJHO2r@calimero.vinschen.de/
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Tested-by: Corinna Vinschen <vinschen@redhat.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -3841,9 +3841,7 @@ static void igb_remove(struct pci_dev *p
+ igb_release_hw_control(adapter);
+
+ #ifdef CONFIG_PCI_IOV
+- rtnl_lock();
+ igb_disable_sriov(pdev);
+- rtnl_unlock();
+ #endif
+
+ unregister_netdev(netdev);
--- /dev/null
+From 74e2e17ee1f8d8a0928b90434ad7e2df70f8483e Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 20 Mar 2023 11:13:49 -0600
+Subject: io_uring/net: avoid sending -ECONNABORTED on repeated connection requests
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 74e2e17ee1f8d8a0928b90434ad7e2df70f8483e upstream.
+
+Since io_uring does nonblocking connect requests, if we do two repeated
+ones without having a listener, the second will get -ECONNABORTED rather
+than the expected -ECONNREFUSED. Treat -ECONNABORTED like a normal retry
+condition if we're nonblocking, if we haven't already seen it.
+
+Cc: stable@vger.kernel.org
+Fixes: 3fb1bd688172 ("io_uring/net: handle -EINPROGRESS correct for IORING_OP_CONNECT")
+Link: https://github.com/axboe/liburing/issues/828
+Reported-by: Hui, Chunyang <sanqian.hcy@antgroup.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -47,6 +47,7 @@ struct io_connect {
+ struct sockaddr __user *addr;
+ int addr_len;
+ bool in_progress;
++ bool seen_econnaborted;
+ };
+
+ struct io_sr_msg {
+@@ -1431,7 +1432,7 @@ int io_connect_prep(struct io_kiocb *req
+
+ conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
+ conn->addr_len = READ_ONCE(sqe->addr2);
+- conn->in_progress = false;
++ conn->in_progress = conn->seen_econnaborted = false;
+ return 0;
+ }
+
+@@ -1468,18 +1469,24 @@ int io_connect(struct io_kiocb *req, uns
+
+ ret = __sys_connect_file(req->file, &io->address,
+ connect->addr_len, file_flags);
+- if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
++ if ((ret == -EAGAIN || ret == -EINPROGRESS || ret == -ECONNABORTED)
++ && force_nonblock) {
+ if (ret == -EINPROGRESS) {
+ connect->in_progress = true;
+- } else {
+- if (req_has_async_data(req))
+- return -EAGAIN;
+- if (io_alloc_async_data(req)) {
+- ret = -ENOMEM;
++ return -EAGAIN;
++ }
++ if (ret == -ECONNABORTED) {
++ if (connect->seen_econnaborted)
+ goto out;
+- }
+- memcpy(req->async_data, &__io, sizeof(__io));
++ connect->seen_econnaborted = true;
++ }
++ if (req_has_async_data(req))
++ return -EAGAIN;
++ if (io_alloc_async_data(req)) {
++ ret = -ENOMEM;
++ goto out;
+ }
++ memcpy(req->async_data, &__io, sizeof(__io));
+ return -EAGAIN;
+ }
+ if (ret == -ERESTARTSYS)
--- /dev/null
+From 02a4d923e4400a36d340ea12d8058f69ebf3a383 Mon Sep 17 00:00:00 2001
+From: Savino Dicanosa <sd7.dev@pm.me>
+Date: Tue, 21 Mar 2023 19:44:02 +0000
+Subject: io_uring/rsrc: fix null-ptr-deref in io_file_bitmap_get()
+
+From: Savino Dicanosa <sd7.dev@pm.me>
+
+commit 02a4d923e4400a36d340ea12d8058f69ebf3a383 upstream.
+
+When fixed files are unregistered, file_alloc_end and alloc_hint
+are not cleared. This can later cause a NULL pointer dereference in
+io_file_bitmap_get() if auto index selection is enabled via
+IORING_FILE_INDEX_ALLOC:
+
+[ 6.519129] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[...]
+[ 6.541468] RIP: 0010:_find_next_zero_bit+0x1a/0x70
+[...]
+[ 6.560906] Call Trace:
+[ 6.561322] <TASK>
+[ 6.561672] io_file_bitmap_get+0x38/0x60
+[ 6.562281] io_fixed_fd_install+0x63/0xb0
+[ 6.562851] ? __pfx_io_socket+0x10/0x10
+[ 6.563396] io_socket+0x93/0xf0
+[ 6.563855] ? __pfx_io_socket+0x10/0x10
+[ 6.564411] io_issue_sqe+0x5b/0x3d0
+[ 6.564914] io_submit_sqes+0x1de/0x650
+[ 6.565452] __do_sys_io_uring_enter+0x4fc/0xb20
+[ 6.566083] ? __do_sys_io_uring_register+0x11e/0xd80
+[ 6.566779] do_syscall_64+0x3c/0x90
+[ 6.567247] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[...]
+
+To fix the issue, set file alloc range and alloc_hint to zero after
+file tables are freed.
+
+Cc: stable@vger.kernel.org
+Fixes: 4278a0deb1f6 ("io_uring: defer alloc_hint update to io_file_bitmap_set()")
+Signed-off-by: Savino Dicanosa <sd7.dev@pm.me>
+[axboe: add explicit bitmap == NULL check as well]
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/filetable.c | 3 +++
+ io_uring/rsrc.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+--- a/io_uring/filetable.c
++++ b/io_uring/filetable.c
+@@ -19,6 +19,9 @@ static int io_file_bitmap_get(struct io_
+ unsigned long nr = ctx->file_alloc_end;
+ int ret;
+
++ if (!table->bitmap)
++ return -ENFILE;
++
+ do {
+ ret = find_next_zero_bit(table->bitmap, nr, table->alloc_hint);
+ if (ret != nr)
+--- a/io_uring/rsrc.c
++++ b/io_uring/rsrc.c
+@@ -794,6 +794,7 @@ void __io_sqe_files_unregister(struct io
+ }
+ #endif
+ io_free_file_tables(&ctx->file_table);
++ io_file_table_set_alloc_range(ctx, 0, 0);
+ io_rsrc_data_free(ctx->file_data);
+ ctx->file_data = NULL;
+ ctx->nr_user_files = 0;
--- /dev/null
+From 2e08ca1802441224f5b7cc6bffbb687f7406de95 Mon Sep 17 00:00:00 2001
+From: Marco Elver <elver@google.com>
+Date: Thu, 16 Mar 2023 23:47:04 +0100
+Subject: kfence: avoid passing -g for test
+
+From: Marco Elver <elver@google.com>
+
+commit 2e08ca1802441224f5b7cc6bffbb687f7406de95 upstream.
+
+Nathan reported that when building with GNU as and a version of clang that
+defaults to DWARF5:
+
+ $ make -skj"$(nproc)" ARCH=riscv CROSS_COMPILE=riscv64-linux-gnu- \
+ LLVM=1 LLVM_IAS=0 O=build \
+ mrproper allmodconfig mm/kfence/kfence_test.o
+ /tmp/kfence_test-08a0a0.s: Assembler messages:
+ /tmp/kfence_test-08a0a0.s:14627: Error: non-constant .uleb128 is not supported
+ /tmp/kfence_test-08a0a0.s:14628: Error: non-constant .uleb128 is not supported
+ /tmp/kfence_test-08a0a0.s:14632: Error: non-constant .uleb128 is not supported
+ /tmp/kfence_test-08a0a0.s:14633: Error: non-constant .uleb128 is not supported
+ /tmp/kfence_test-08a0a0.s:14639: Error: non-constant .uleb128 is not supported
+ ...
+
+This is because `-g` defaults to the compiler debug info default. If the
+assembler does not support some of the directives used, the above errors
+occur. To fix, remove the explicit passing of `-g`.
+
+All the test wants is that stack traces print valid function names, and
+debug info is not required for that. (I currently cannot recall why I
+added the explicit `-g`.)
+
+Link: https://lkml.kernel.org/r/20230316224705.709984-1-elver@google.com
+Fixes: bc8fbc5f305a ("kfence: add test suite")
+Signed-off-by: Marco Elver <elver@google.com>
+Reported-by: Nathan Chancellor <nathan@kernel.org>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kfence/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/kfence/Makefile
++++ b/mm/kfence/Makefile
+@@ -2,5 +2,5 @@
+
+ obj-y := core.o report.o
+
+-CFLAGS_kfence_test.o := -g -fno-omit-frame-pointer -fno-optimize-sibling-calls
++CFLAGS_kfence_test.o := -fno-omit-frame-pointer -fno-optimize-sibling-calls
+ obj-$(CONFIG_KFENCE_KUNIT_TEST) += kfence_test.o
--- /dev/null
+From 7ff84910c66c9144cc0de9d9deed9fb84c03aff0 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Tue, 14 Mar 2023 06:20:58 -0400
+Subject: lockd: set file_lock start and end when decoding nlm4 testargs
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit 7ff84910c66c9144cc0de9d9deed9fb84c03aff0 upstream.
+
+Commit 6930bcbfb6ce dropped the setting of the file_lock range when
+decoding a nlm_lock off the wire. This causes the client side grant
+callback to miss matching blocks and reject the lock, only to rerequest
+it 30s later.
+
+Add a helper function to set the file_lock range from the start and end
+values that the protocol uses, and have the nlm_lock decoder call that to
+set up the file_lock args properly.
+
+Fixes: 6930bcbfb6ce ("lockd: detect and reject lock arguments that overflow")
+Reported-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Tested-by: Amir Goldstein <amir73il@gmail.com>
+Cc: stable@vger.kernel.org #6.0
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/lockd/clnt4xdr.c | 9 +--------
+ fs/lockd/xdr4.c | 13 ++++++++++++-
+ include/linux/lockd/xdr4.h | 1 +
+ 3 files changed, 14 insertions(+), 9 deletions(-)
+
+--- a/fs/lockd/clnt4xdr.c
++++ b/fs/lockd/clnt4xdr.c
+@@ -261,7 +261,6 @@ static int decode_nlm4_holder(struct xdr
+ u32 exclusive;
+ int error;
+ __be32 *p;
+- s32 end;
+
+ memset(lock, 0, sizeof(*lock));
+ locks_init_lock(fl);
+@@ -285,13 +284,7 @@ static int decode_nlm4_holder(struct xdr
+ fl->fl_type = exclusive != 0 ? F_WRLCK : F_RDLCK;
+ p = xdr_decode_hyper(p, &l_offset);
+ xdr_decode_hyper(p, &l_len);
+- end = l_offset + l_len - 1;
+-
+- fl->fl_start = (loff_t)l_offset;
+- if (l_len == 0 || end < 0)
+- fl->fl_end = OFFSET_MAX;
+- else
+- fl->fl_end = (loff_t)end;
++ nlm4svc_set_file_lock_range(fl, l_offset, l_len);
+ error = 0;
+ out:
+ return error;
+--- a/fs/lockd/xdr4.c
++++ b/fs/lockd/xdr4.c
+@@ -33,6 +33,17 @@ loff_t_to_s64(loff_t offset)
+ return res;
+ }
+
++void nlm4svc_set_file_lock_range(struct file_lock *fl, u64 off, u64 len)
++{
++ s64 end = off + len - 1;
++
++ fl->fl_start = off;
++ if (len == 0 || end < 0)
++ fl->fl_end = OFFSET_MAX;
++ else
++ fl->fl_end = end;
++}
++
+ /*
+ * NLM file handles are defined by specification to be a variable-length
+ * XDR opaque no longer than 1024 bytes. However, this implementation
+@@ -80,7 +91,7 @@ svcxdr_decode_lock(struct xdr_stream *xd
+ locks_init_lock(fl);
+ fl->fl_flags = FL_POSIX;
+ fl->fl_type = F_RDLCK;
+-
++ nlm4svc_set_file_lock_range(fl, lock->lock_start, lock->lock_len);
+ return true;
+ }
+
+--- a/include/linux/lockd/xdr4.h
++++ b/include/linux/lockd/xdr4.h
+@@ -22,6 +22,7 @@
+ #define nlm4_fbig cpu_to_be32(NLM_FBIG)
+ #define nlm4_failed cpu_to_be32(NLM_FAILED)
+
++void nlm4svc_set_file_lock_range(struct file_lock *fl, u64 off, u64 len);
+ bool nlm4svc_decode_void(struct svc_rqst *rqstp, struct xdr_stream *xdr);
+ bool nlm4svc_decode_testargs(struct svc_rqst *rqstp, struct xdr_stream *xdr);
+ bool nlm4svc_decode_lockargs(struct svc_rqst *rqstp, struct xdr_stream *xdr);
--- /dev/null
+From 1c86a188e03156223a34d09ce290b49bd4dd0403 Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Wed, 15 Mar 2023 11:44:41 +0800
+Subject: mm: kfence: fix using kfence_metadata without initialization in show_object()
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit 1c86a188e03156223a34d09ce290b49bd4dd0403 upstream.
+
+The variable kfence_metadata is initialized in kfence_init_pool(), then,
+it is not initialized if kfence is disabled after booting. In this case,
+kfence_metadata will be used (e.g. ->lock and ->state fields) without
+initialization when reading /sys/kernel/debug/kfence/objects. There will
+be a warning if you enable CONFIG_DEBUG_SPINLOCK. Fix it by creating
+debugfs files when necessary.
+
+Link: https://lkml.kernel.org/r/20230315034441.44321-1-songmuchun@bytedance.com
+Fixes: 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure")
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Tested-by: Marco Elver <elver@google.com>
+Reviewed-by: Marco Elver <elver@google.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: SeongJae Park <sjpark@amazon.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kfence/core.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/mm/kfence/core.c
++++ b/mm/kfence/core.c
+@@ -726,10 +726,14 @@ static const struct seq_operations objec
+ };
+ DEFINE_SEQ_ATTRIBUTE(objects);
+
+-static int __init kfence_debugfs_init(void)
++static int kfence_debugfs_init(void)
+ {
+- struct dentry *kfence_dir = debugfs_create_dir("kfence", NULL);
++ struct dentry *kfence_dir;
+
++ if (!READ_ONCE(kfence_enabled))
++ return 0;
++
++ kfence_dir = debugfs_create_dir("kfence", NULL);
+ debugfs_create_file("stats", 0444, kfence_dir, NULL, &stats_fops);
+ debugfs_create_file("objects", 0400, kfence_dir, NULL, &objects_fops);
+ return 0;
+@@ -883,6 +887,8 @@ static int kfence_init_late(void)
+ }
+
+ kfence_init_enable();
++ kfence_debugfs_init();
++
+ return 0;
+ }
+
--- /dev/null
+From 66a1c22b709178e7b823d44465d0c2e5ed7492fb Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 21 Mar 2023 09:30:59 +0100
+Subject: mm/slab: Fix undefined init_cache_node_node() for NUMA and !SMP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 66a1c22b709178e7b823d44465d0c2e5ed7492fb upstream.
+
+sh/migor_defconfig:
+
+ mm/slab.c: In function ‘slab_memory_callback’:
+ mm/slab.c:1127:23: error: implicit declaration of function ‘init_cache_node_node’; did you mean ‘drain_cache_node_node’? [-Werror=implicit-function-declaration]
+ 1127 | ret = init_cache_node_node(nid);
+ | ^~~~~~~~~~~~~~~~~~~~
+ | drain_cache_node_node
+
+The #ifdef condition protecting the definition of init_cache_node_node()
+no longer matches the conditions protecting the (multiple) users.
+
+Fix this by syncing the conditions.
+
+Fixes: 76af6a054da40553 ("mm/migrate: add CPU hotplug to demotion #ifdef")
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://lore.kernel.org/r/b5bdea22-ed2f-3187-6efe-0c72330270a4@infradead.org
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/slab.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/slab.c
++++ b/mm/slab.c
+@@ -840,7 +840,7 @@ static int init_cache_node(struct kmem_c
+ return 0;
+ }
+
+-#if (defined(CONFIG_NUMA) && defined(CONFIG_MEMORY_HOTPLUG)) || defined(CONFIG_SMP)
++#if defined(CONFIG_NUMA) || defined(CONFIG_SMP)
+ /*
+ * Allocates and initializes node for a node on each slab cache, used for
+ * either memory or cpu hotplug. If memory is being hot-added, the kmem_cache_node
usb-dwc2-fix-a-devres-leak-in-hw_enable-upon-suspend-resume.patch
block-io_uring-pass-in-issue_flags-for-uring_cmd-task_work-handling.patch
usb-gadget-u_audio-don-t-let-userspace-block-driver-unbind.patch
+btrfs-zoned-fix-btrfs_can_activate_zone-to-support-dup-profile.patch
+bluetooth-fix-race-condition-in-hci_cmd_sync_clear.patch
+efi-sysfb_efi-fix-dmi-quirks-not-working-for-simpledrm.patch
+mm-slab-fix-undefined-init_cache_node_node-for-numa-and-smp.patch
+efi-libstub-zboot-mark-zboot-efi-application-as-nx-compatible.patch
+arm64-efi-set-nx-compat-flag-in-pe-coff-header.patch
+fscrypt-destroy-keyring-after-security_sb_delete.patch
+fsverity-remove-wq_unbound-from-fsverity-read-workqueue.patch
+lockd-set-file_lock-start-and-end-when-decoding-nlm4-testargs.patch
+arm64-dts-imx8mm-nitrogen-r2-fix-wm8960-clock-name.patch
+igb-revert-rtnl_lock-that-causes-deadlock.patch
+dm-thin-fix-deadlock-when-swapping-to-thin-device.patch
+usb-typec-tcpm-fix-create-duplicate-source-capabilities-file.patch
+usb-typec-tcpm-fix-warning-when-handle-discover_identity-message.patch
+usb-cdns3-fix-issue-with-using-incorrect-pci-device-function.patch
+usb-cdnsp-fixes-issue-with-redundant-status-stage.patch
+usb-cdnsp-changes-pci-device-id-to-fix-conflict-with-cnds3-driver.patch
+usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch
+usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch
+usb-dwc3-gadget-add-1ms-delay-after-end-transfer-command-without-ioc.patch
+usb-ucsi-fix-null-pointer-deref-in-ucsi_connector_change.patch
+usb-ucsi_acpi-increase-the-command-completion-timeout.patch
+mm-kfence-fix-using-kfence_metadata-without-initialization-in-show_object.patch
+kfence-avoid-passing-g-for-test.patch
+io_uring-net-avoid-sending-econnaborted-on-repeated-connection-requests.patch
+io_uring-rsrc-fix-null-ptr-deref-in-io_file_bitmap_get.patch
--- /dev/null
+From 1272fd652a226ccb34e9f47371b6121948048438 Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak <pawell@cadence.com>
+Date: Wed, 8 Mar 2023 07:44:27 -0500
+Subject: usb: cdns3: Fix issue with using incorrect PCI device function
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+commit 1272fd652a226ccb34e9f47371b6121948048438 upstream.
+
+PCI based platform can have more than two PCI functions.
+USBSS PCI Glue driver during initialization should
+consider only DRD/HOST/DEVICE PCI functions and
+all other should be ignored. This patch adds additional
+condition which causes that only DRD and HOST/DEVICE
+function will be accepted.
+
+cc: <stable@vger.kernel.org>
+Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Link: https://lore.kernel.org/r/20230308124427.311245-1-pawell@cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdns3-pci-wrap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/cdns3/cdns3-pci-wrap.c
++++ b/drivers/usb/cdns3/cdns3-pci-wrap.c
+@@ -60,6 +60,11 @@ static struct pci_dev *cdns3_get_second_
+ return NULL;
+ }
+
++ if (func->devfn != PCI_DEV_FN_HOST_DEVICE &&
++ func->devfn != PCI_DEV_FN_OTG) {
++ return NULL;
++ }
++
+ return func;
+ }
+
--- /dev/null
+From 96b96b2a567fb34dd41c87e6cf01f6902ce8cae4 Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak <pawell@cadence.com>
+Date: Thu, 9 Mar 2023 01:30:48 -0500
+Subject: usb: cdnsp: changes PCI Device ID to fix conflict with CNDS3 driver
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+commit 96b96b2a567fb34dd41c87e6cf01f6902ce8cae4 upstream.
+
+Patch changes CDNS_DEVICE_ID in USBSSP PCI Glue driver to remove
+the conflict with Cadence USBSS driver.
+
+cc: <stable@vger.kernel.org>
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Link: https://lore.kernel.org/r/20230309063048.299378-1-pawell@cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdnsp-pci.c | 27 +++++++++++----------------
+ 1 file changed, 11 insertions(+), 16 deletions(-)
+
+--- a/drivers/usb/cdns3/cdnsp-pci.c
++++ b/drivers/usb/cdns3/cdnsp-pci.c
+@@ -29,30 +29,23 @@
+ #define PLAT_DRIVER_NAME "cdns-usbssp"
+
+ #define CDNS_VENDOR_ID 0x17cd
+-#define CDNS_DEVICE_ID 0x0100
++#define CDNS_DEVICE_ID 0x0200
++#define CDNS_DRD_ID 0x0100
+ #define CDNS_DRD_IF (PCI_CLASS_SERIAL_USB << 8 | 0x80)
+
+ static struct pci_dev *cdnsp_get_second_fun(struct pci_dev *pdev)
+ {
+- struct pci_dev *func;
+-
+ /*
+ * Gets the second function.
+- * It's little tricky, but this platform has two function.
+- * The fist keeps resources for Host/Device while the second
+- * keeps resources for DRD/OTG.
++ * Platform has two function. The fist keeps resources for
++ * Host/Device while the secon keeps resources for DRD/OTG.
+ */
+- func = pci_get_device(pdev->vendor, pdev->device, NULL);
+- if (!func)
+- return NULL;
++ if (pdev->device == CDNS_DEVICE_ID)
++ return pci_get_device(pdev->vendor, CDNS_DRD_ID, NULL);
++ else if (pdev->device == CDNS_DRD_ID)
++ return pci_get_device(pdev->vendor, CDNS_DEVICE_ID, NULL);
+
+- if (func->devfn == pdev->devfn) {
+- func = pci_get_device(pdev->vendor, pdev->device, func);
+- if (!func)
+- return NULL;
+- }
+-
+- return func;
++ return NULL;
+ }
+
+ static int cdnsp_pci_probe(struct pci_dev *pdev,
+@@ -230,6 +223,8 @@ static const struct pci_device_id cdnsp_
+ PCI_CLASS_SERIAL_USB_DEVICE, PCI_ANY_ID },
+ { PCI_VENDOR_ID_CDNS, CDNS_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID,
+ CDNS_DRD_IF, PCI_ANY_ID },
++ { PCI_VENDOR_ID_CDNS, CDNS_DRD_ID, PCI_ANY_ID, PCI_ANY_ID,
++ CDNS_DRD_IF, PCI_ANY_ID },
+ { 0, }
+ };
+
--- /dev/null
+From 5bc38d33a5a1209fd4de65101d1ae8255ea12c6e Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak <pawell@cadence.com>
+Date: Tue, 7 Mar 2023 06:14:20 -0500
+Subject: usb: cdnsp: Fixes issue with redundant Status Stage
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+commit 5bc38d33a5a1209fd4de65101d1ae8255ea12c6e upstream.
+
+In some cases, driver trees to send Status Stage twice.
+The first one from upper layer of gadget usb subsystem and
+second time from controller driver.
+This patch fixes this issue and remove tricky handling of
+SET_INTERFACE from controller driver which is no longer
+needed.
+
+cc: <stable@vger.kernel.org>
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Link: https://lore.kernel.org/r/20230307111420.376056-1-pawell@cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdnsp-ep0.c | 19 +------------------
+ 1 file changed, 1 insertion(+), 18 deletions(-)
+
+--- a/drivers/usb/cdns3/cdnsp-ep0.c
++++ b/drivers/usb/cdns3/cdnsp-ep0.c
+@@ -403,20 +403,6 @@ static int cdnsp_ep0_std_request(struct
+ case USB_REQ_SET_ISOCH_DELAY:
+ ret = cdnsp_ep0_set_isoch_delay(pdev, ctrl);
+ break;
+- case USB_REQ_SET_INTERFACE:
+- /*
+- * Add request into pending list to block sending status stage
+- * by libcomposite.
+- */
+- list_add_tail(&pdev->ep0_preq.list,
+- &pdev->ep0_preq.pep->pending_list);
+-
+- ret = cdnsp_ep0_delegate_req(pdev, ctrl);
+- if (ret == -EBUSY)
+- ret = 0;
+-
+- list_del(&pdev->ep0_preq.list);
+- break;
+ default:
+ ret = cdnsp_ep0_delegate_req(pdev, ctrl);
+ break;
+@@ -474,9 +460,6 @@ void cdnsp_setup_analyze(struct cdnsp_de
+ else
+ ret = cdnsp_ep0_delegate_req(pdev, ctrl);
+
+- if (!len)
+- pdev->ep0_stage = CDNSP_STATUS_STAGE;
+-
+ if (ret == USB_GADGET_DELAYED_STATUS) {
+ trace_cdnsp_ep0_status_stage("delayed");
+ return;
+@@ -484,6 +467,6 @@ void cdnsp_setup_analyze(struct cdnsp_de
+ out:
+ if (ret < 0)
+ cdnsp_ep0_stall(pdev);
+- else if (pdev->ep0_stage == CDNSP_STATUS_STAGE)
++ else if (!len && pdev->ep0_stage != CDNSP_STATUS_STAGE)
+ cdnsp_status_stage(pdev);
+ }
--- /dev/null
+From 3670de80678961eda7fa2220883fc77c16868951 Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Fri, 17 Mar 2023 14:15:15 +0800
+Subject: usb: chipdea: core: fix return -EINVAL if request role is the same with current role
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit 3670de80678961eda7fa2220883fc77c16868951 upstream.
+
+It should not return -EINVAL if the request role is the same with current
+role, return non-error and without do anything instead.
+
+Fixes: a932a8041ff9 ("usb: chipidea: core: add sysfs group")
+cc: <stable@vger.kernel.org>
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Link: https://lore.kernel.org/r/20230317061516.2451728-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/chipidea/core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -984,9 +984,12 @@ static ssize_t role_store(struct device
+ strlen(ci->roles[role]->name)))
+ break;
+
+- if (role == CI_ROLE_END || role == ci->role)
++ if (role == CI_ROLE_END)
+ return -EINVAL;
+
++ if (role == ci->role)
++ return n;
++
+ pm_runtime_get_sync(dev);
+ disable_irq(ci->irq);
+ ci_role_stop(ci);
--- /dev/null
+From 451b15ed138ec15bffbebb58a00ebdd884c3e659 Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Fri, 17 Mar 2023 14:15:16 +0800
+Subject: usb: chipidea: core: fix possible concurrent when switch role
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit 451b15ed138ec15bffbebb58a00ebdd884c3e659 upstream.
+
+The user may call role_store() when driver is handling
+ci_handle_id_switch() which is triggerred by otg event or power lost
+event. Unfortunately, the controller may go into chaos in this case.
+Fix this by protecting it with mutex lock.
+
+Fixes: a932a8041ff9 ("usb: chipidea: core: add sysfs group")
+cc: <stable@vger.kernel.org>
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Link: https://lore.kernel.org/r/20230317061516.2451728-2-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/chipidea/ci.h | 2 ++
+ drivers/usb/chipidea/core.c | 8 +++++++-
+ drivers/usb/chipidea/otg.c | 5 ++++-
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/chipidea/ci.h b/drivers/usb/chipidea/ci.h
+index 005c67cb3afb..f210b7489fd5 100644
+--- a/drivers/usb/chipidea/ci.h
++++ b/drivers/usb/chipidea/ci.h
+@@ -208,6 +208,7 @@ struct hw_bank {
+ * @in_lpm: if the core in low power mode
+ * @wakeup_int: if wakeup interrupt occur
+ * @rev: The revision number for controller
++ * @mutex: protect code from concorrent running when doing role switch
+ */
+ struct ci_hdrc {
+ struct device *dev;
+@@ -260,6 +261,7 @@ struct ci_hdrc {
+ bool in_lpm;
+ bool wakeup_int;
+ enum ci_revision rev;
++ struct mutex mutex;
+ };
+
+ static inline struct ci_role_driver *ci_role(struct ci_hdrc *ci)
+diff --git a/drivers/usb/chipidea/core.c b/drivers/usb/chipidea/core.c
+index b6f2a41de20e..281fc51720ce 100644
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -987,8 +987,12 @@ static ssize_t role_store(struct device *dev,
+ if (role == CI_ROLE_END)
+ return -EINVAL;
+
+- if (role == ci->role)
++ mutex_lock(&ci->mutex);
++
++ if (role == ci->role) {
++ mutex_unlock(&ci->mutex);
+ return n;
++ }
+
+ pm_runtime_get_sync(dev);
+ disable_irq(ci->irq);
+@@ -998,6 +1002,7 @@ static ssize_t role_store(struct device *dev,
+ ci_handle_vbus_change(ci);
+ enable_irq(ci->irq);
+ pm_runtime_put_sync(dev);
++ mutex_unlock(&ci->mutex);
+
+ return (ret == 0) ? n : ret;
+ }
+@@ -1033,6 +1038,7 @@ static int ci_hdrc_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ spin_lock_init(&ci->lock);
++ mutex_init(&ci->mutex);
+ ci->dev = dev;
+ ci->platdata = dev_get_platdata(dev);
+ ci->imx28_write_fix = !!(ci->platdata->flags &
+diff --git a/drivers/usb/chipidea/otg.c b/drivers/usb/chipidea/otg.c
+index 622c3b68aa1e..f5490f2a5b6b 100644
+--- a/drivers/usb/chipidea/otg.c
++++ b/drivers/usb/chipidea/otg.c
+@@ -167,8 +167,10 @@ static int hw_wait_vbus_lower_bsv(struct ci_hdrc *ci)
+
+ void ci_handle_id_switch(struct ci_hdrc *ci)
+ {
+- enum ci_role role = ci_otg_role(ci);
++ enum ci_role role;
+
++ mutex_lock(&ci->mutex);
++ role = ci_otg_role(ci);
+ if (role != ci->role) {
+ dev_dbg(ci->dev, "switching from %s to %s\n",
+ ci_role(ci)->name, ci->roles[role]->name);
+@@ -198,6 +200,7 @@ void ci_handle_id_switch(struct ci_hdrc *ci)
+ if (role == CI_ROLE_GADGET)
+ ci_handle_vbus_change(ci);
+ }
++ mutex_unlock(&ci->mutex);
+ }
+ /**
+ * ci_otg_work - perform otg (vbus/id) event handle
+--
+2.40.0
+
--- /dev/null
+From d8a2bb4eb75866275b5cf7de2e593ac3449643e2 Mon Sep 17 00:00:00 2001
+From: Wesley Cheng <quic_wcheng@quicinc.com>
+Date: Mon, 6 Mar 2023 12:05:57 -0800
+Subject: usb: dwc3: gadget: Add 1ms delay after end transfer command without IOC
+
+From: Wesley Cheng <quic_wcheng@quicinc.com>
+
+commit d8a2bb4eb75866275b5cf7de2e593ac3449643e2 upstream.
+
+Previously, there was a 100uS delay inserted after issuing an end transfer
+command for specific controller revisions. This was due to the fact that
+there was a GUCTL2 bit field which enabled synchronous completion of the
+end transfer command once the CMDACT bit was cleared in the DEPCMD
+register. Since this bit does not exist for all controller revisions and
+the current implementation heavily relies on utizling the EndTransfer
+command completion interrupt, add the delay back in for uses where the
+interrupt on completion bit is not set, and increase the duration to 1ms
+for the controller to complete the command.
+
+An issue was seen where the USB request buffer was unmapped while the DWC3
+controller was still accessing the TRB. However, it was confirmed that the
+end transfer command was successfully submitted. (no end transfer timeout)
+In situations, such as dwc3_gadget_soft_disconnect() and
+__dwc3_gadget_ep_disable(), the dwc3_remove_request() is utilized, which
+will issue the end transfer command, and follow up with
+dwc3_gadget_giveback(). At least for the USB ep disable path, it is
+required for any pending and started requests to be completed and returned
+to the function driver in the same context of the disable call. Without
+the GUCTL2 bit, it is not ensured that the end transfer is completed before
+the buffers are unmapped.
+
+Fixes: cf2f8b63f7f1 ("usb: dwc3: gadget: Remove END_TRANSFER delay")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/20230306200557.29387-1-quic_wcheng@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/gadget.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1699,6 +1699,7 @@ static int __dwc3_gadget_get_frame(struc
+ */
+ static int __dwc3_stop_active_transfer(struct dwc3_ep *dep, bool force, bool interrupt)
+ {
++ struct dwc3 *dwc = dep->dwc;
+ struct dwc3_gadget_ep_cmd_params params;
+ u32 cmd;
+ int ret;
+@@ -1722,10 +1723,13 @@ static int __dwc3_stop_active_transfer(s
+ WARN_ON_ONCE(ret);
+ dep->resource_index = 0;
+
+- if (!interrupt)
++ if (!interrupt) {
++ if (!DWC3_IP_IS(DWC3) || DWC3_VER_IS_PRIOR(DWC3, 310A))
++ mdelay(1);
+ dep->flags &= ~DWC3_EP_TRANSFER_STARTED;
+- else if (!ret)
++ } else if (!ret) {
+ dep->flags |= DWC3_EP_END_TRANSFER_PENDING;
++ }
+
+ dep->flags &= ~DWC3_EP_DELAY_STOP;
+ return ret;
+@@ -3774,7 +3778,11 @@ void dwc3_stop_active_transfer(struct dw
+ * enabled, the EndTransfer command will have completed upon
+ * returning from this function.
+ *
+- * This mode is NOT available on the DWC_usb31 IP.
++ * This mode is NOT available on the DWC_usb31 IP. In this
++ * case, if the IOC bit is not set, then delay by 1ms
++ * after issuing the EndTransfer command. This allows for the
++ * controller to handle the command completely before DWC3
++ * remove requests attempts to unmap USB request buffers.
+ */
+
+ __dwc3_stop_active_transfer(dep, force, interrupt);
--- /dev/null
+From a826492fc9dfe32afd70fff93955ae8174bbf14b Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Wed, 15 Feb 2023 13:49:51 +0800
+Subject: usb: typec: tcpm: fix create duplicate source-capabilities file
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit a826492fc9dfe32afd70fff93955ae8174bbf14b upstream.
+
+The kernel will dump in the below cases:
+sysfs: cannot create duplicate filename
+'/devices/virtual/usb_power_delivery/pd1/source-capabilities'
+
+1. After soft reset has completed, an Explicit Contract negotiation occurs.
+The sink device will receive source capabilitys again. This will cause
+a duplicate source-capabilities file be created.
+2. Power swap twice on a device that is initailly sink role.
+
+This will unregister existing capabilities when above cases occurs.
+
+Fixes: 8203d26905ee ("usb: typec: tcpm: Register USB Power Delivery Capabilities")
+cc: <stable@vger.kernel.org>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20230215054951.238394-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/tcpm.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -4547,6 +4547,9 @@ static void run_state_machine(struct tcp
+ case SOFT_RESET:
+ port->message_id = 0;
+ port->rx_msgid = -1;
++ /* remove existing capabilities */
++ usb_power_delivery_unregister_capabilities(port->partner_source_caps);
++ port->partner_source_caps = NULL;
+ tcpm_pd_send_control(port, PD_CTRL_ACCEPT);
+ tcpm_ams_finish(port);
+ if (port->pwr_role == TYPEC_SOURCE) {
+@@ -4566,6 +4569,9 @@ static void run_state_machine(struct tcp
+ case SOFT_RESET_SEND:
+ port->message_id = 0;
+ port->rx_msgid = -1;
++ /* remove existing capabilities */
++ usb_power_delivery_unregister_capabilities(port->partner_source_caps);
++ port->partner_source_caps = NULL;
+ if (tcpm_pd_send_control(port, PD_CTRL_SOFT_RESET))
+ tcpm_set_state_cond(port, hard_reset_state(port), 0);
+ else
+@@ -4695,6 +4701,9 @@ static void run_state_machine(struct tcp
+ tcpm_set_state(port, SNK_STARTUP, 0);
+ break;
+ case PR_SWAP_SNK_SRC_SINK_OFF:
++ /* will be source, remove existing capabilities */
++ usb_power_delivery_unregister_capabilities(port->partner_source_caps);
++ port->partner_source_caps = NULL;
+ /*
+ * Prevent vbus discharge circuit from turning on during PR_SWAP
+ * as this is not a disconnect.
--- /dev/null
+From abfc4fa28f0160df61c7149567da4f6494dfb488 Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Thu, 16 Feb 2023 11:15:15 +0800
+Subject: usb: typec: tcpm: fix warning when handle discover_identity message
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit abfc4fa28f0160df61c7149567da4f6494dfb488 upstream.
+
+Since both source and sink device can send discover_identity message in
+PD3, kernel may dump below warning:
+
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 169 at drivers/usb/typec/tcpm/tcpm.c:1446 tcpm_queue_vdm+0xe0/0xf0
+Modules linked in:
+CPU: 0 PID: 169 Comm: 1-0050 Not tainted 6.1.1-00038-g6a3c36cf1da2-dirty #567
+Hardware name: NXP i.MX8MPlus EVK board (DT)
+pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : tcpm_queue_vdm+0xe0/0xf0
+lr : tcpm_queue_vdm+0x2c/0xf0
+sp : ffff80000c19bcd0
+x29: ffff80000c19bcd0 x28: 0000000000000001 x27: ffff0000d11c8ab8
+x26: ffff0000d11cc000 x25: 0000000000000000 x24: 00000000ff008081
+x23: 0000000000000001 x22: 00000000ff00a081 x21: ffff80000c19bdbc
+x20: 0000000000000000 x19: ffff0000d11c8080 x18: ffffffffffffffff
+x17: 0000000000000000 x16: 0000000000000000 x15: ffff0000d716f580
+x14: 0000000000000001 x13: ffff0000d716f507 x12: 0000000000000001
+x11: 0000000000000000 x10: 0000000000000020 x9 : 00000000000ee098
+x8 : 00000000ffffffff x7 : 000000000000001c x6 : ffff0000d716f580
+x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
+x2 : ffff80000c19bdbc x1 : 00000000ff00a081 x0 : 0000000000000004
+Call trace:
+tcpm_queue_vdm+0xe0/0xf0
+tcpm_pd_rx_handler+0x340/0x1ab0
+kthread_worker_fn+0xcc/0x18c
+kthread+0x10c/0x110
+ret_from_fork+0x10/0x20
+---[ end trace 0000000000000000 ]---
+
+Below sequences may trigger this warning:
+
+tcpm_send_discover_work(work)
+ tcpm_send_vdm(port, USB_SID_PD, CMD_DISCOVER_IDENT, NULL, 0);
+ tcpm_queue_vdm(port, header, data, count);
+ port->vdm_state = VDM_STATE_READY;
+
+vdm_state_machine_work(work);
+ <-- received discover_identity from partner
+ vdm_run_state_machine(port);
+ port->vdm_state = VDM_STATE_SEND_MESSAGE;
+ mod_vdm_delayed_work(port, x);
+
+tcpm_pd_rx_handler(work);
+ tcpm_pd_data_request(port, msg);
+ tcpm_handle_vdm_request(port, msg->payload, cnt);
+ tcpm_queue_vdm(port, response[0], &response[1], rlen - 1);
+--> WARN_ON(port->vdm_state > VDM_STATE_DONE);
+
+For this case, the state machine could still send out discover
+identity message later if we skip current discover_identity message.
+So we should handle the received message firstly and override the pending
+discover_identity message without warning in this case. Then, a delayed
+send_discover work will send discover_identity message again.
+
+Fixes: e00943e91678 ("usb: typec: tcpm: PD3.0 sinks can send Discover Identity even in device mode")
+cc: <stable@vger.kernel.org>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20230216031515.4151117-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/tcpm.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -1436,10 +1436,18 @@ static int tcpm_ams_start(struct tcpm_po
+ static void tcpm_queue_vdm(struct tcpm_port *port, const u32 header,
+ const u32 *data, int cnt)
+ {
++ u32 vdo_hdr = port->vdo_data[0];
++
+ WARN_ON(!mutex_is_locked(&port->lock));
+
+- /* Make sure we are not still processing a previous VDM packet */
+- WARN_ON(port->vdm_state > VDM_STATE_DONE);
++ /* If is sending discover_identity, handle received message first */
++ if (PD_VDO_SVDM(vdo_hdr) && PD_VDO_CMD(vdo_hdr) == CMD_DISCOVER_IDENT) {
++ port->send_discover = true;
++ mod_send_discover_delayed_work(port, SEND_DISCOVER_RETRY_MS);
++ } else {
++ /* Make sure we are not still processing a previous VDM packet */
++ WARN_ON(port->vdm_state > VDM_STATE_DONE);
++ }
+
+ port->vdo_count = cnt + 1;
+ port->vdo_data[0] = header;
+@@ -1942,11 +1950,13 @@ static void vdm_run_state_machine(struct
+ switch (PD_VDO_CMD(vdo_hdr)) {
+ case CMD_DISCOVER_IDENT:
+ res = tcpm_ams_start(port, DISCOVER_IDENTITY);
+- if (res == 0)
++ if (res == 0) {
+ port->send_discover = false;
+- else if (res == -EAGAIN)
++ } else if (res == -EAGAIN) {
++ port->vdo_data[0] = 0;
+ mod_send_discover_delayed_work(port,
+ SEND_DISCOVER_RETRY_MS);
++ }
+ break;
+ case CMD_DISCOVER_SVID:
+ res = tcpm_ams_start(port, DISCOVER_SVIDS);
+@@ -2029,6 +2039,7 @@ static void vdm_run_state_machine(struct
+ unsigned long timeout;
+
+ port->vdm_retries = 0;
++ port->vdo_data[0] = 0;
+ port->vdm_state = VDM_STATE_BUSY;
+ timeout = vdm_ready_timeout(vdo_hdr);
+ mod_vdm_delayed_work(port, timeout);
--- /dev/null
+From f87fb985452ab2083967103ac00bfd68fb182764 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 8 Mar 2023 16:42:42 +0100
+Subject: usb: ucsi: Fix NULL pointer deref in ucsi_connector_change()
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit f87fb985452ab2083967103ac00bfd68fb182764 upstream.
+
+When ucsi_init() fails, ucsi->connector is NULL, yet in case of
+ucsi_acpi we may still get events which cause the ucs_acpi code to call
+ucsi_connector_change(), which then derefs the NULL ucsi->connector
+pointer.
+
+Fix this by not setting ucsi->ntfy inside ucsi_init() until ucsi_init()
+has succeeded, so that ucsi_connector_change() ignores the events
+because UCSI_ENABLE_NTFY_CONNECTOR_CHANGE is not set in the ntfy mask.
+
+Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217106
+Cc: stable@vger.kernel.org
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20230308154244.722337-2-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/ucsi.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/typec/ucsi/ucsi.c
++++ b/drivers/usb/typec/ucsi/ucsi.c
+@@ -1205,7 +1205,7 @@ out_unlock:
+ static int ucsi_init(struct ucsi *ucsi)
+ {
+ struct ucsi_connector *con;
+- u64 command;
++ u64 command, ntfy;
+ int ret;
+ int i;
+
+@@ -1217,8 +1217,8 @@ static int ucsi_init(struct ucsi *ucsi)
+ }
+
+ /* Enable basic notifications */
+- ucsi->ntfy = UCSI_ENABLE_NTFY_CMD_COMPLETE | UCSI_ENABLE_NTFY_ERROR;
+- command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy;
++ ntfy = UCSI_ENABLE_NTFY_CMD_COMPLETE | UCSI_ENABLE_NTFY_ERROR;
++ command = UCSI_SET_NOTIFICATION_ENABLE | ntfy;
+ ret = ucsi_send_command(ucsi, command, NULL, 0);
+ if (ret < 0)
+ goto err_reset;
+@@ -1250,12 +1250,13 @@ static int ucsi_init(struct ucsi *ucsi)
+ }
+
+ /* Enable all notifications */
+- ucsi->ntfy = UCSI_ENABLE_NTFY_ALL;
+- command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy;
++ ntfy = UCSI_ENABLE_NTFY_ALL;
++ command = UCSI_SET_NOTIFICATION_ENABLE | ntfy;
+ ret = ucsi_send_command(ucsi, command, NULL, 0);
+ if (ret < 0)
+ goto err_unregister;
+
++ ucsi->ntfy = ntfy;
+ return 0;
+
+ err_unregister:
--- /dev/null
+From 02d210f434249a7edbc160969b75df030dc6934d Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 8 Mar 2023 16:42:44 +0100
+Subject: usb: ucsi_acpi: Increase the command completion timeout
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 02d210f434249a7edbc160969b75df030dc6934d upstream.
+
+Commit 130a96d698d7 ("usb: typec: ucsi: acpi: Increase command
+completion timeout value") increased the timeout from 5 seconds
+to 60 seconds due to issues related to alternate mode discovery.
+
+After the alternate mode discovery switch to polled mode
+the timeout was reduced, but instead of being set back to
+5 seconds it was reduced to 1 second.
+
+This is causing problems when using a Lenovo ThinkPad X1 yoga gen7
+connected over Type-C to a LG 27UL850-W (charging DP over Type-C).
+
+When the monitor is already connected at boot the following error
+is logged: "PPM init failed (-110)", /sys/class/typec is empty and
+on unplugging the NULL pointer deref fixed earlier in this series
+happens.
+
+When the monitor is connected after boot the following error
+is logged instead: "GET_CONNECTOR_STATUS failed (-110)".
+
+Setting the timeout back to 5 seconds fixes both cases.
+
+Fixes: e08065069fc7 ("usb: typec: ucsi: acpi: Reduce the command completion timeout")
+Cc: stable@vger.kernel.org
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20230308154244.722337-4-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/ucsi_acpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/ucsi/ucsi_acpi.c
++++ b/drivers/usb/typec/ucsi/ucsi_acpi.c
+@@ -78,7 +78,7 @@ static int ucsi_acpi_sync_write(struct u
+ if (ret)
+ goto out_clear_bit;
+
+- if (!wait_for_completion_timeout(&ua->complete, HZ))
++ if (!wait_for_completion_timeout(&ua->complete, 5 * HZ))
+ ret = -ETIMEDOUT;
+
+ out_clear_bit:
projects / thirdparty / kernel / stable-queue.git / commitdiff
