--- /dev/null
+From 55251fbdf0146c252ceff146a1bb145546f3e034 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Thu, 28 Mar 2024 09:43:40 +0900
+Subject: block: Do not force full zone append completion in req_bio_endio()
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit 55251fbdf0146c252ceff146a1bb145546f3e034 upstream.
+
+This reverts commit 748dc0b65ec2b4b7b3dbd7befcc4a54fdcac7988.
+
+Partial zone append completions cannot be supported as there is no
+guarantees that the fragmented data will be written sequentially in the
+same manner as with a full command. Commit 748dc0b65ec2 ("block: fix
+partial zone append completion handling in req_bio_endio()") changed
+req_bio_endio() to always advance a partially failed BIO by its full
+length, but this can lead to incorrect accounting. So revert this
+change and let low level device drivers handle this case by always
+failing completely zone append operations. With this revert, users will
+still see an IO error for a partially completed zone append BIO.
+
+Fixes: 748dc0b65ec2 ("block: fix partial zone append completion handling in req_bio_endio()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20240328004409.594888-2-dlemoal@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -767,16 +767,11 @@ static void req_bio_endio(struct request
+ /*
+ * Partial zone append completions cannot be supported as the
+ * BIO fragments may end up not being written sequentially.
+- * For such case, force the completed nbytes to be equal to
+- * the BIO size so that bio_advance() sets the BIO remaining
+- * size to 0 and we end up calling bio_endio() before returning.
+ */
+- if (bio->bi_iter.bi_size != nbytes) {
++ if (bio->bi_iter.bi_size != nbytes)
+ bio->bi_status = BLK_STS_IOERR;
+- nbytes = bio->bi_iter.bi_size;
+- } else {
++ else
+ bio->bi_iter.bi_sector = rq->__sector;
+- }
+ }
+
+ bio_advance(bio, nbytes);
--- /dev/null
+From ef1e68236b9153c27cb7cf29ead0c532870d4215 Mon Sep 17 00:00:00 2001
+From: Tavian Barnes <tavianator@tavianator.com>
+Date: Fri, 15 Mar 2024 21:14:29 -0400
+Subject: btrfs: fix race in read_extent_buffer_pages()
+
+From: Tavian Barnes <tavianator@tavianator.com>
+
+commit ef1e68236b9153c27cb7cf29ead0c532870d4215 upstream.
+
+There are reports from tree-checker that detects corrupted nodes,
+without any obvious pattern so possibly an overwrite in memory.
+After some debugging it turns out there's a race when reading an extent
+buffer the uptodate status can be missed.
+
+To prevent concurrent reads for the same extent buffer,
+read_extent_buffer_pages() performs these checks:
+
+ /* (1) */
+ if (test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags))
+ return 0;
+
+ /* (2) */
+ if (test_and_set_bit(EXTENT_BUFFER_READING, &eb->bflags))
+ goto done;
+
+At this point, it seems safe to start the actual read operation. Once
+that completes, end_bbio_meta_read() does
+
+ /* (3) */
+ set_extent_buffer_uptodate(eb);
+
+ /* (4) */
+ clear_bit(EXTENT_BUFFER_READING, &eb->bflags);
+
+Normally, this is enough to ensure only one read happens, and all other
+callers wait for it to finish before returning. Unfortunately, there is
+a racey interleaving:
+
+ Thread A | Thread B | Thread C
+ ---------+----------+---------
+ (1) | |
+ | (1) |
+ (2) | |
+ (3) | |
+ (4) | |
+ | (2) |
+ | | (1)
+
+When this happens, thread B kicks of an unnecessary read. Worse, thread
+C will see UPTODATE set and return immediately, while the read from
+thread B is still in progress. This race could result in tree-checker
+errors like this as the extent buffer is concurrently modified:
+
+ BTRFS critical (device dm-0): corrupted node, root=256
+ block=8550954455682405139 owner mismatch, have 11858205567642294356
+ expect [256, 18446744073709551360]
+
+Fix it by testing UPTODATE again after setting the READING bit, and if
+it's been set, skip the unnecessary read.
+
+Fixes: d7172f52e993 ("btrfs: use per-buffer locking for extent_buffer reading")
+Link: https://lore.kernel.org/linux-btrfs/CAHk-=whNdMaN9ntZ47XRKP6DBes2E5w7fi-0U3H2+PS18p+Pzw@mail.gmail.com/
+Link: https://lore.kernel.org/linux-btrfs/f51a6d5d7432455a6a858d51b49ecac183e0bbc9.1706312914.git.wqu@suse.com/
+Link: https://lore.kernel.org/linux-btrfs/c7241ea4-fcc6-48d2-98c8-b5ea790d6c89@gmx.com/
+CC: stable@vger.kernel.org # 6.5+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Tavian Barnes <tavianator@tavianator.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ minor update of changelog ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent_io.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -4047,6 +4047,19 @@ int read_extent_buffer_pages(struct exte
+ if (test_and_set_bit(EXTENT_BUFFER_READING, &eb->bflags))
+ goto done;
+
++ /*
++ * Between the initial test_bit(EXTENT_BUFFER_UPTODATE) and the above
++ * test_and_set_bit(EXTENT_BUFFER_READING), someone else could have
++ * started and finished reading the same eb. In this case, UPTODATE
++ * will now be set, and we shouldn't read it in again.
++ */
++ if (unlikely(test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags))) {
++ clear_bit(EXTENT_BUFFER_READING, &eb->bflags);
++ smp_mb__after_atomic();
++ wake_up_bit(&eb->bflags, EXTENT_BUFFER_READING);
++ return 0;
++ }
++
+ clear_bit(EXTENT_BUFFER_READ_ERR, &eb->bflags);
+ eb->read_mirror = 0;
+ check_buffer_tree_ref(eb);
--- /dev/null
+From a8b70c7f8600bc77d03c0b032c0662259b9e615e Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Date: Wed, 21 Feb 2024 07:35:52 -0800
+Subject: btrfs: zoned: don't skip block groups with 100% zone unusable
+
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+
+commit a8b70c7f8600bc77d03c0b032c0662259b9e615e upstream.
+
+Commit f4a9f219411f ("btrfs: do not delete unused block group if it may be
+used soon") changed the behaviour of deleting unused block-groups on zoned
+filesystems. Starting with this commit, we're using
+btrfs_space_info_used() to calculate the number of used bytes in a
+space_info. But btrfs_space_info_used() also accounts
+btrfs_space_info::bytes_zone_unusable as used bytes.
+
+So if a block group is 100% zone_unusable it is skipped from the deletion
+step.
+
+In order not to skip fully zone_unusable block-groups, also check if the
+block-group has bytes left that can be used on a zoned filesystem.
+
+Fixes: f4a9f219411f ("btrfs: do not delete unused block group if it may be used soon")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/block-group.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/block-group.c
++++ b/fs/btrfs/block-group.c
+@@ -1562,7 +1562,8 @@ void btrfs_delete_unused_bgs(struct btrf
+ * needing to allocate extents from the block group.
+ */
+ used = btrfs_space_info_used(space_info, true);
+- if (space_info->total_bytes - block_group->length < used) {
++ if (space_info->total_bytes - block_group->length < used &&
++ block_group->zone_unusable < block_group->length) {
+ /*
+ * Add a reference for the list, compensate for the ref
+ * drop under the "next" label for the
--- /dev/null
+From 74098a989b9c3370f768140b7783a7aaec2759b3 Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Date: Mon, 26 Feb 2024 16:39:13 +0100
+Subject: btrfs: zoned: use zone aware sb location for scrub
+
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+
+commit 74098a989b9c3370f768140b7783a7aaec2759b3 upstream.
+
+At the moment scrub_supers() doesn't grab the super block's location via
+the zoned device aware btrfs_sb_log_location() but via btrfs_sb_offset().
+
+This leads to checksum errors on 'scrub' as we're not accessing the
+correct location of the super block.
+
+So use btrfs_sb_log_location() for getting the super blocks location on
+scrub.
+
+Reported-by: WA AM <waautomata@gmail.com>
+Link: http://lore.kernel.org/linux-btrfs/CANU2Z0EvUzfYxczLgGUiREoMndE9WdQnbaawV5Fv5gNXptPUKw@mail.gmail.com
+CC: stable@vger.kernel.org # 5.15+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/scrub.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/scrub.c
++++ b/fs/btrfs/scrub.c
+@@ -2739,7 +2739,17 @@ static noinline_for_stack int scrub_supe
+ gen = fs_info->last_trans_committed;
+
+ for (i = 0; i < BTRFS_SUPER_MIRROR_MAX; i++) {
+- bytenr = btrfs_sb_offset(i);
++ ret = btrfs_sb_log_location(scrub_dev, i, 0, &bytenr);
++ if (ret == -ENOENT)
++ break;
++
++ if (ret) {
++ spin_lock(&sctx->stat_lock);
++ sctx->stat.super_errors++;
++ spin_unlock(&sctx->stat_lock);
++ continue;
++ }
++
+ if (bytenr + BTRFS_SUPER_INFO_SIZE >
+ scrub_dev->commit_total_bytes)
+ break;
--- /dev/null
+From 8678b1060ae2b75feb60b87e5b75e17374e3c1c5 Mon Sep 17 00:00:00 2001
+From: Johannes Weiner <hannes@cmpxchg.org>
+Date: Thu, 7 Mar 2024 17:07:37 -0500
+Subject: drm/amdgpu: fix deadlock while reading mqd from debugfs
+
+From: Johannes Weiner <hannes@cmpxchg.org>
+
+commit 8678b1060ae2b75feb60b87e5b75e17374e3c1c5 upstream.
+
+An errant disk backup on my desktop got into debugfs and triggered the
+following deadlock scenario in the amdgpu debugfs files. The machine
+also hard-resets immediately after those lines are printed (although I
+wasn't able to reproduce that part when reading by hand):
+
+[ 1318.016074][ T1082] ======================================================
+[ 1318.016607][ T1082] WARNING: possible circular locking dependency detected
+[ 1318.017107][ T1082] 6.8.0-rc7-00015-ge0c8221b72c0 #17 Not tainted
+[ 1318.017598][ T1082] ------------------------------------------------------
+[ 1318.018096][ T1082] tar/1082 is trying to acquire lock:
+[ 1318.018585][ T1082] ffff98c44175d6a0 (&mm->mmap_lock){++++}-{3:3}, at: __might_fault+0x40/0x80
+[ 1318.019084][ T1082]
+[ 1318.019084][ T1082] but task is already holding lock:
+[ 1318.020052][ T1082] ffff98c4c13f55f8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: amdgpu_debugfs_mqd_read+0x6a/0x250 [amdgpu]
+[ 1318.020607][ T1082]
+[ 1318.020607][ T1082] which lock already depends on the new lock.
+[ 1318.020607][ T1082]
+[ 1318.022081][ T1082]
+[ 1318.022081][ T1082] the existing dependency chain (in reverse order) is:
+[ 1318.023083][ T1082]
+[ 1318.023083][ T1082] -> #2 (reservation_ww_class_mutex){+.+.}-{3:3}:
+[ 1318.024114][ T1082] __ww_mutex_lock.constprop.0+0xe0/0x12f0
+[ 1318.024639][ T1082] ww_mutex_lock+0x32/0x90
+[ 1318.025161][ T1082] dma_resv_lockdep+0x18a/0x330
+[ 1318.025683][ T1082] do_one_initcall+0x6a/0x350
+[ 1318.026210][ T1082] kernel_init_freeable+0x1a3/0x310
+[ 1318.026728][ T1082] kernel_init+0x15/0x1a0
+[ 1318.027242][ T1082] ret_from_fork+0x2c/0x40
+[ 1318.027759][ T1082] ret_from_fork_asm+0x11/0x20
+[ 1318.028281][ T1082]
+[ 1318.028281][ T1082] -> #1 (reservation_ww_class_acquire){+.+.}-{0:0}:
+[ 1318.029297][ T1082] dma_resv_lockdep+0x16c/0x330
+[ 1318.029790][ T1082] do_one_initcall+0x6a/0x350
+[ 1318.030263][ T1082] kernel_init_freeable+0x1a3/0x310
+[ 1318.030722][ T1082] kernel_init+0x15/0x1a0
+[ 1318.031168][ T1082] ret_from_fork+0x2c/0x40
+[ 1318.031598][ T1082] ret_from_fork_asm+0x11/0x20
+[ 1318.032011][ T1082]
+[ 1318.032011][ T1082] -> #0 (&mm->mmap_lock){++++}-{3:3}:
+[ 1318.032778][ T1082] __lock_acquire+0x14bf/0x2680
+[ 1318.033141][ T1082] lock_acquire+0xcd/0x2c0
+[ 1318.033487][ T1082] __might_fault+0x58/0x80
+[ 1318.033814][ T1082] amdgpu_debugfs_mqd_read+0x103/0x250 [amdgpu]
+[ 1318.034181][ T1082] full_proxy_read+0x55/0x80
+[ 1318.034487][ T1082] vfs_read+0xa7/0x360
+[ 1318.034788][ T1082] ksys_read+0x70/0xf0
+[ 1318.035085][ T1082] do_syscall_64+0x94/0x180
+[ 1318.035375][ T1082] entry_SYSCALL_64_after_hwframe+0x46/0x4e
+[ 1318.035664][ T1082]
+[ 1318.035664][ T1082] other info that might help us debug this:
+[ 1318.035664][ T1082]
+[ 1318.036487][ T1082] Chain exists of:
+[ 1318.036487][ T1082] &mm->mmap_lock --> reservation_ww_class_acquire --> reservation_ww_class_mutex
+[ 1318.036487][ T1082]
+[ 1318.037310][ T1082] Possible unsafe locking scenario:
+[ 1318.037310][ T1082]
+[ 1318.037838][ T1082] CPU0 CPU1
+[ 1318.038101][ T1082] ---- ----
+[ 1318.038350][ T1082] lock(reservation_ww_class_mutex);
+[ 1318.038590][ T1082] lock(reservation_ww_class_acquire);
+[ 1318.038839][ T1082] lock(reservation_ww_class_mutex);
+[ 1318.039083][ T1082] rlock(&mm->mmap_lock);
+[ 1318.039328][ T1082]
+[ 1318.039328][ T1082] *** DEADLOCK ***
+[ 1318.039328][ T1082]
+[ 1318.040029][ T1082] 1 lock held by tar/1082:
+[ 1318.040259][ T1082] #0: ffff98c4c13f55f8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: amdgpu_debugfs_mqd_read+0x6a/0x250 [amdgpu]
+[ 1318.040560][ T1082]
+[ 1318.040560][ T1082] stack backtrace:
+[ 1318.041053][ T1082] CPU: 22 PID: 1082 Comm: tar Not tainted 6.8.0-rc7-00015-ge0c8221b72c0 #17 3316c85d50e282c5643b075d1f01a4f6365e39c2
+[ 1318.041329][ T1082] Hardware name: Gigabyte Technology Co., Ltd. B650 AORUS PRO AX/B650 AORUS PRO AX, BIOS F20 12/14/2023
+[ 1318.041614][ T1082] Call Trace:
+[ 1318.041895][ T1082] <TASK>
+[ 1318.042175][ T1082] dump_stack_lvl+0x4a/0x80
+[ 1318.042460][ T1082] check_noncircular+0x145/0x160
+[ 1318.042743][ T1082] __lock_acquire+0x14bf/0x2680
+[ 1318.043022][ T1082] lock_acquire+0xcd/0x2c0
+[ 1318.043301][ T1082] ? __might_fault+0x40/0x80
+[ 1318.043580][ T1082] ? __might_fault+0x40/0x80
+[ 1318.043856][ T1082] __might_fault+0x58/0x80
+[ 1318.044131][ T1082] ? __might_fault+0x40/0x80
+[ 1318.044408][ T1082] amdgpu_debugfs_mqd_read+0x103/0x250 [amdgpu 8fe2afaa910cbd7654c8cab23563a94d6caebaab]
+[ 1318.044749][ T1082] full_proxy_read+0x55/0x80
+[ 1318.045042][ T1082] vfs_read+0xa7/0x360
+[ 1318.045333][ T1082] ksys_read+0x70/0xf0
+[ 1318.045623][ T1082] do_syscall_64+0x94/0x180
+[ 1318.045913][ T1082] ? do_syscall_64+0xa0/0x180
+[ 1318.046201][ T1082] ? lockdep_hardirqs_on+0x7d/0x100
+[ 1318.046487][ T1082] ? do_syscall_64+0xa0/0x180
+[ 1318.046773][ T1082] ? do_syscall_64+0xa0/0x180
+[ 1318.047057][ T1082] ? do_syscall_64+0xa0/0x180
+[ 1318.047337][ T1082] ? do_syscall_64+0xa0/0x180
+[ 1318.047611][ T1082] entry_SYSCALL_64_after_hwframe+0x46/0x4e
+[ 1318.047887][ T1082] RIP: 0033:0x7f480b70a39d
+[ 1318.048162][ T1082] Code: 91 ba 0d 00 f7 d8 64 89 02 b8 ff ff ff ff eb b2 e8 18 a3 01 00 0f 1f 84 00 00 00 00 00 80 3d a9 3c 0e 00 00 74 17 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5b c3 66 2e 0f 1f 84 00 00 00 00 00 53 48 83
+[ 1318.048769][ T1082] RSP: 002b:00007ffde77f5c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
+[ 1318.049083][ T1082] RAX: ffffffffffffffda RBX: 0000000000000800 RCX: 00007f480b70a39d
+[ 1318.049392][ T1082] RDX: 0000000000000800 RSI: 000055c9f2120c00 RDI: 0000000000000008
+[ 1318.049703][ T1082] RBP: 0000000000000800 R08: 000055c9f2120a94 R09: 0000000000000007
+[ 1318.050011][ T1082] R10: 0000000000000000 R11: 0000000000000246 R12: 000055c9f2120c00
+[ 1318.050324][ T1082] R13: 0000000000000008 R14: 0000000000000008 R15: 0000000000000800
+[ 1318.050638][ T1082] </TASK>
+
+amdgpu_debugfs_mqd_read() holds a reservation when it calls
+put_user(), which may fault and acquire the mmap_sem. This violates
+the established locking order.
+
+Bounce the mqd data through a kernel buffer to get put_user() out of
+the illegal section.
+
+Fixes: 445d85e3c1df ("drm/amdgpu: add debugfs interface for reading MQDs")
+Cc: stable@vger.kernel.org # v6.5+
+Reviewed-by: Shashank Sharma <shashank.sharma@amd.com>
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 46 +++++++++++++++++++------------
+ 1 file changed, 29 insertions(+), 17 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+@@ -520,46 +520,58 @@ static ssize_t amdgpu_debugfs_mqd_read(s
+ {
+ struct amdgpu_ring *ring = file_inode(f)->i_private;
+ volatile u32 *mqd;
+- int r;
++ u32 *kbuf;
++ int r, i;
+ uint32_t value, result;
+
+ if (*pos & 3 || size & 3)
+ return -EINVAL;
+
+- result = 0;
++ kbuf = kmalloc(ring->mqd_size, GFP_KERNEL);
++ if (!kbuf)
++ return -ENOMEM;
+
+ r = amdgpu_bo_reserve(ring->mqd_obj, false);
+ if (unlikely(r != 0))
+- return r;
++ goto err_free;
+
+ r = amdgpu_bo_kmap(ring->mqd_obj, (void **)&mqd);
+- if (r) {
+- amdgpu_bo_unreserve(ring->mqd_obj);
+- return r;
+- }
++ if (r)
++ goto err_unreserve;
++
++ /*
++ * Copy to local buffer to avoid put_user(), which might fault
++ * and acquire mmap_sem, under reservation_ww_class_mutex.
++ */
++ for (i = 0; i < ring->mqd_size/sizeof(u32); i++)
++ kbuf[i] = mqd[i];
++
++ amdgpu_bo_kunmap(ring->mqd_obj);
++ amdgpu_bo_unreserve(ring->mqd_obj);
+
++ result = 0;
+ while (size) {
+ if (*pos >= ring->mqd_size)
+- goto done;
++ break;
+
+- value = mqd[*pos/4];
++ value = kbuf[*pos/4];
+ r = put_user(value, (uint32_t *)buf);
+ if (r)
+- goto done;
++ goto err_free;
+ buf += 4;
+ result += 4;
+ size -= 4;
+ *pos += 4;
+ }
+
+-done:
+- amdgpu_bo_kunmap(ring->mqd_obj);
+- mqd = NULL;
+- amdgpu_bo_unreserve(ring->mqd_obj);
+- if (r)
+- return r;
+-
++ kfree(kbuf);
+ return result;
++
++err_unreserve:
++ amdgpu_bo_unreserve(ring->mqd_obj);
++err_free:
++ kfree(kbuf);
++ return r;
+ }
+
+ static const struct file_operations amdgpu_debugfs_mqd_fops = {
--- /dev/null
+From 1210e2f1033dc56b666c9f6dfb761a2d3f9f5d6c Mon Sep 17 00:00:00 2001
+From: Eric Huang <jinhuieric.huang@amd.com>
+Date: Wed, 20 Mar 2024 15:53:47 -0400
+Subject: drm/amdkfd: fix TLB flush after unmap for GFX9.4.2
+
+From: Eric Huang <jinhuieric.huang@amd.com>
+
+commit 1210e2f1033dc56b666c9f6dfb761a2d3f9f5d6c upstream.
+
+TLB flush after unmap accidentially was removed on
+gfx9.4.2. It is to add it back.
+
+Signed-off-by: Eric Huang <jinhuieric.huang@amd.com>
+Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
+@@ -1466,7 +1466,7 @@ void kfd_flush_tlb(struct kfd_process_de
+
+ static inline bool kfd_flush_tlb_after_unmap(struct kfd_dev *dev)
+ {
+- return KFD_GC_VERSION(dev) > IP_VERSION(9, 4, 2) ||
++ return KFD_GC_VERSION(dev) >= IP_VERSION(9, 4, 2) ||
+ (KFD_GC_VERSION(dev) == IP_VERSION(9, 4, 1) && dev->sdma_fw_version >= 18) ||
+ KFD_GC_VERSION(dev) == IP_VERSION(9, 4, 0);
+ }
--- /dev/null
+From 4be9075fec0a639384ed19975634b662bfab938f Mon Sep 17 00:00:00 2001
+From: Jocelyn Falempe <jfalempe@redhat.com>
+Date: Tue, 12 Mar 2024 10:35:12 +0100
+Subject: drm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed
+
+From: Jocelyn Falempe <jfalempe@redhat.com>
+
+commit 4be9075fec0a639384ed19975634b662bfab938f upstream.
+
+The driver creates /sys/kernel/debug/dri/0/mob_ttm even when the
+corresponding ttm_resource_manager is not allocated.
+This leads to a crash when trying to read from this file.
+
+Add a check to create mob_ttm, system_mob_ttm, and gmr_ttm debug file
+only when the corresponding ttm_resource_manager is allocated.
+
+crash> bt
+PID: 3133409 TASK: ffff8fe4834a5000 CPU: 3 COMMAND: "grep"
+ #0 [ffffb954506b3b20] machine_kexec at ffffffffb2a6bec3
+ #1 [ffffb954506b3b78] __crash_kexec at ffffffffb2bb598a
+ #2 [ffffb954506b3c38] crash_kexec at ffffffffb2bb68c1
+ #3 [ffffb954506b3c50] oops_end at ffffffffb2a2a9b1
+ #4 [ffffb954506b3c70] no_context at ffffffffb2a7e913
+ #5 [ffffb954506b3cc8] __bad_area_nosemaphore at ffffffffb2a7ec8c
+ #6 [ffffb954506b3d10] do_page_fault at ffffffffb2a7f887
+ #7 [ffffb954506b3d40] page_fault at ffffffffb360116e
+ [exception RIP: ttm_resource_manager_debug+0x11]
+ RIP: ffffffffc04afd11 RSP: ffffb954506b3df0 RFLAGS: 00010246
+ RAX: ffff8fe41a6d1200 RBX: 0000000000000000 RCX: 0000000000000940
+ RDX: 0000000000000000 RSI: ffffffffc04b4338 RDI: 0000000000000000
+ RBP: ffffb954506b3e08 R8: ffff8fee3ffad000 R9: 0000000000000000
+ R10: ffff8fe41a76a000 R11: 0000000000000001 R12: 00000000ffffffff
+ R13: 0000000000000001 R14: ffff8fe5bb6f3900 R15: ffff8fe41a6d1200
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+ #8 [ffffb954506b3e00] ttm_resource_manager_show at ffffffffc04afde7 [ttm]
+ #9 [ffffb954506b3e30] seq_read at ffffffffb2d8f9f3
+ RIP: 00007f4c4eda8985 RSP: 00007ffdbba9e9f8 RFLAGS: 00000246
+ RAX: ffffffffffffffda RBX: 000000000037e000 RCX: 00007f4c4eda8985
+ RDX: 000000000037e000 RSI: 00007f4c41573000 RDI: 0000000000000003
+ RBP: 000000000037e000 R8: 0000000000000000 R9: 000000000037fe30
+ R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4c41573000
+ R13: 0000000000000003 R14: 00007f4c41572010 R15: 0000000000000003
+ ORIG_RAX: 0000000000000000 CS: 0033 SS: 002b
+
+Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
+Fixes: af4a25bbe5e7 ("drm/vmwgfx: Add debugfs entries for various ttm resource managers")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Zack Rusin <zack.rusin@broadcom.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240312093551.196609-1-jfalempe@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+@@ -1444,12 +1444,15 @@ static void vmw_debugfs_resource_manager
+ root, "system_ttm");
+ ttm_resource_manager_create_debugfs(ttm_manager_type(&vmw->bdev, TTM_PL_VRAM),
+ root, "vram_ttm");
+- ttm_resource_manager_create_debugfs(ttm_manager_type(&vmw->bdev, VMW_PL_GMR),
+- root, "gmr_ttm");
+- ttm_resource_manager_create_debugfs(ttm_manager_type(&vmw->bdev, VMW_PL_MOB),
+- root, "mob_ttm");
+- ttm_resource_manager_create_debugfs(ttm_manager_type(&vmw->bdev, VMW_PL_SYSTEM),
+- root, "system_mob_ttm");
++ if (vmw->has_gmr)
++ ttm_resource_manager_create_debugfs(ttm_manager_type(&vmw->bdev, VMW_PL_GMR),
++ root, "gmr_ttm");
++ if (vmw->has_mob) {
++ ttm_resource_manager_create_debugfs(ttm_manager_type(&vmw->bdev, VMW_PL_MOB),
++ root, "mob_ttm");
++ ttm_resource_manager_create_debugfs(ttm_manager_type(&vmw->bdev, VMW_PL_SYSTEM),
++ root, "system_mob_ttm");
++ }
+ }
+
+ static int vmwgfx_pm_notifier(struct notifier_block *nb, unsigned long val,
--- /dev/null
+From 2aea94ac14d1e0a8ae9e34febebe208213ba72f7 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Wed, 20 Mar 2024 11:26:07 -0700
+Subject: exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack()
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit 2aea94ac14d1e0a8ae9e34febebe208213ba72f7 upstream.
+
+In NOMMU kernel the value of linux_binprm::p is the offset inside the
+temporary program arguments array maintained in separate pages in the
+linux_binprm::page. linux_binprm::exec being a copy of linux_binprm::p
+thus must be adjusted when that array is copied to the user stack.
+Without that adjustment the value passed by the NOMMU kernel to the ELF
+program in the AT_EXECFN entry of the aux array doesn't make any sense
+and it may break programs that try to access memory pointed to by that
+entry.
+
+Adjust linux_binprm::exec before the successful return from the
+transfer_args_to_stack().
+
+Cc: <stable@vger.kernel.org>
+Fixes: b6a2fea39318 ("mm: variable length argument support")
+Fixes: 5edc2a5123a7 ("binfmt_elf_fdpic: wire up AT_EXECFD, AT_EXECFN, AT_SECURE")
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Link: https://lore.kernel.org/r/20240320182607.1472887-1-jcmvbkbc@gmail.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/exec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -894,6 +894,7 @@ int transfer_args_to_stack(struct linux_
+ goto out;
+ }
+
++ bprm->exec += *sp_location - MAX_ARG_PAGES * PAGE_SIZE;
+ *sp_location = sp;
+
+ out:
--- /dev/null
+From b34490879baa847d16fc529c8ea6e6d34f004b38 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Mon, 25 Mar 2024 10:02:42 +0100
+Subject: gpio: cdev: sanitize the label before requesting the interrupt
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit b34490879baa847d16fc529c8ea6e6d34f004b38 upstream.
+
+When an interrupt is requested, a procfs directory is created under
+"/proc/irq/<irqnum>/<label>" where <label> is the string passed to one of
+the request_irq() variants.
+
+What follows is that the string must not contain the "/" character or
+the procfs mkdir operation will fail. We don't have such constraints for
+GPIO consumer labels which are used verbatim as interrupt labels for
+GPIO irqs. We must therefore sanitize the consumer string before
+requesting the interrupt.
+
+Let's replace all "/" with ":".
+
+Cc: stable@vger.kernel.org
+Reported-by: Stefan Wahren <wahrenst@gmx.net>
+Closes: https://lore.kernel.org/linux-gpio/39fe95cb-aa83-4b8b-8cab-63947a726754@gmx.net/
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Kent Gibson <warthog618@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib-cdev.c | 38 ++++++++++++++++++++++++++++++++------
+ 1 file changed, 32 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -1010,10 +1010,20 @@ static u32 gpio_v2_line_config_debounce_
+ return 0;
+ }
+
++static inline char *make_irq_label(const char *orig)
++{
++ return kstrdup_and_replace(orig, '/', ':', GFP_KERNEL);
++}
++
++static inline void free_irq_label(const char *label)
++{
++ kfree(label);
++}
++
+ static void edge_detector_stop(struct line *line)
+ {
+ if (line->irq) {
+- free_irq(line->irq, line);
++ free_irq_label(free_irq(line->irq, line));
+ line->irq = 0;
+ }
+
+@@ -1038,6 +1048,7 @@ static int edge_detector_setup(struct li
+ unsigned long irqflags = 0;
+ u64 eflags;
+ int irq, ret;
++ char *label;
+
+ eflags = edflags & GPIO_V2_LINE_EDGE_FLAGS;
+ if (eflags && !kfifo_initialized(&line->req->events)) {
+@@ -1074,11 +1085,17 @@ static int edge_detector_setup(struct li
+ IRQF_TRIGGER_RISING : IRQF_TRIGGER_FALLING;
+ irqflags |= IRQF_ONESHOT;
+
++ label = make_irq_label(line->req->label);
++ if (!label)
++ return -ENOMEM;
++
+ /* Request a thread to read the events */
+ ret = request_threaded_irq(irq, edge_irq_handler, edge_irq_thread,
+- irqflags, line->req->label, line);
+- if (ret)
++ irqflags, label, line);
++ if (ret) {
++ free_irq_label(label);
+ return ret;
++ }
+
+ line->irq = irq;
+ return 0;
+@@ -1943,7 +1960,7 @@ static void lineevent_free(struct lineev
+ blocking_notifier_chain_unregister(&le->gdev->device_notifier,
+ &le->device_unregistered_nb);
+ if (le->irq)
+- free_irq(le->irq, le);
++ free_irq_label(free_irq(le->irq, le));
+ if (le->desc)
+ gpiod_free(le->desc);
+ kfree(le->label);
+@@ -2091,6 +2108,7 @@ static int lineevent_create(struct gpio_
+ int fd;
+ int ret;
+ int irq, irqflags = 0;
++ char *label;
+
+ if (copy_from_user(&eventreq, ip, sizeof(eventreq)))
+ return -EFAULT;
+@@ -2175,15 +2193,23 @@ static int lineevent_create(struct gpio_
+ if (ret)
+ goto out_free_le;
+
++ label = make_irq_label(le->label);
++ if (!label) {
++ ret = -ENOMEM;
++ goto out_free_le;
++ }
++
+ /* Request a thread to read the events */
+ ret = request_threaded_irq(irq,
+ lineevent_irq_handler,
+ lineevent_irq_thread,
+ irqflags,
+- le->label,
++ label,
+ le);
+- if (ret)
++ if (ret) {
++ free_irq_label(label);
+ goto out_free_le;
++ }
+
+ le->irq = irq;
+
--- /dev/null
+From 549aa9678a0b3981d4821bf244579d9937650562 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Tue, 19 Mar 2024 17:37:46 -0700
+Subject: hexagon: vmlinux.lds.S: handle attributes section
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 549aa9678a0b3981d4821bf244579d9937650562 upstream.
+
+After the linked LLVM change, the build fails with
+CONFIG_LD_ORPHAN_WARN_LEVEL="error", which happens with allmodconfig:
+
+ ld.lld: error: vmlinux.a(init/main.o):(.hexagon.attributes) is being placed in '.hexagon.attributes'
+
+Handle the attributes section in a similar manner as arm and riscv by
+adding it after the primary ELF_DETAILS grouping in vmlinux.lds.S, which
+fixes the error.
+
+Link: https://lkml.kernel.org/r/20240319-hexagon-handle-attributes-section-vmlinux-lds-s-v1-1-59855dab8872@kernel.org
+Fixes: 113616ec5b64 ("hexagon: select ARCH_WANT_LD_ORPHAN_WARN")
+Link: https://github.com/llvm/llvm-project/commit/31f4b329c8234fab9afa59494d7f8bdaeaefeaad
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Brian Cain <bcain@quicinc.com>
+Cc: Bill Wendling <morbo@google.com>
+Cc: Justin Stitt <justinstitt@google.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/hexagon/kernel/vmlinux.lds.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/hexagon/kernel/vmlinux.lds.S
++++ b/arch/hexagon/kernel/vmlinux.lds.S
+@@ -63,6 +63,7 @@ SECTIONS
+ STABS_DEBUG
+ DWARF_DEBUG
+ ELF_DETAILS
++ .hexagon.attributes 0 : { *(.hexagon.attributes) }
+
+ DISCARDS
+ }
--- /dev/null
+From d5d39c707a4cf0bcc84680178677b97aa2cb2627 Mon Sep 17 00:00:00 2001
+From: Johannes Weiner <hannes@cmpxchg.org>
+Date: Fri, 15 Mar 2024 05:55:56 -0400
+Subject: mm: cachestat: fix two shmem bugs
+
+From: Johannes Weiner <hannes@cmpxchg.org>
+
+commit d5d39c707a4cf0bcc84680178677b97aa2cb2627 upstream.
+
+When cachestat on shmem races with swapping and invalidation, there
+are two possible bugs:
+
+1) A swapin error can have resulted in a poisoned swap entry in the
+ shmem inode's xarray. Calling get_shadow_from_swap_cache() on it
+ will result in an out-of-bounds access to swapper_spaces[].
+
+ Validate the entry with non_swap_entry() before going further.
+
+2) When we find a valid swap entry in the shmem's inode, the shadow
+ entry in the swapcache might not exist yet: swap IO is still in
+ progress and we're before __remove_mapping; swapin, invalidation,
+ or swapoff have removed the shadow from swapcache after we saw the
+ shmem swap entry.
+
+ This will send a NULL to workingset_test_recent(). The latter
+ purely operates on pointer bits, so it won't crash - node 0, memcg
+ ID 0, eviction timestamp 0, etc. are all valid inputs - but it's a
+ bogus test. In theory that could result in a false "recently
+ evicted" count.
+
+ Such a false positive wouldn't be the end of the world. But for
+ code clarity and (future) robustness, be explicit about this case.
+
+ Bail on get_shadow_from_swap_cache() returning NULL.
+
+Link: https://lkml.kernel.org/r/20240315095556.GC581298@cmpxchg.org
+Fixes: cf264e1329fb ("cachestat: implement cachestat syscall")
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Reported-by: Chengming Zhou <chengming.zhou@linux.dev> [Bug #1]
+Reported-by: Jann Horn <jannh@google.com> [Bug #2]
+Reviewed-by: Chengming Zhou <chengming.zhou@linux.dev>
+Reviewed-by: Nhat Pham <nphamcs@gmail.com>
+Cc: <stable@vger.kernel.org> [v6.5+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/filemap.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -4201,7 +4201,23 @@ static void filemap_cachestat(struct add
+ /* shmem file - in swap cache */
+ swp_entry_t swp = radix_to_swp_entry(folio);
+
++ /* swapin error results in poisoned entry */
++ if (non_swap_entry(swp))
++ goto resched;
++
++ /*
++ * Getting a swap entry from the shmem
++ * inode means we beat
++ * shmem_unuse(). rcu_read_lock()
++ * ensures swapoff waits for us before
++ * freeing the swapper space. However,
++ * we can race with swapping and
++ * invalidation, so there might not be
++ * a shadow in the swapcache (yet).
++ */
+ shadow = get_shadow_from_swap_cache(swp);
++ if (!shadow)
++ goto resched;
+ }
+ #endif
+ if (workingset_test_recent(shadow, true, &workingset))
--- /dev/null
+From cf55a7acd1ed38afe43bba1c8a0935b51d1dc014 Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+Date: Wed, 13 Mar 2024 15:37:44 +0200
+Subject: mmc: core: Avoid negative index with array access
+
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+
+commit cf55a7acd1ed38afe43bba1c8a0935b51d1dc014 upstream.
+
+Commit 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu") assigns
+prev_idata = idatas[i - 1], but doesn't check that the iterator i is
+greater than zero. Let's fix this by adding a check.
+
+Fixes: 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu")
+Link: https://lore.kernel.org/all/20231129092535.3278-1-avri.altman@wdc.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://lore.kernel.org/r/20240313133744.2405325-2-mikko.rapeli@linaro.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/block.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -488,7 +488,7 @@ static int __mmc_blk_ioctl_cmd(struct mm
+ if (idata->flags & MMC_BLK_IOC_DROP)
+ return 0;
+
+- if (idata->flags & MMC_BLK_IOC_SBC)
++ if (idata->flags & MMC_BLK_IOC_SBC && i > 0)
+ prev_idata = idatas[i - 1];
+
+ /*
--- /dev/null
+From 0cdfe5b0bf295c0dee97436a8ed13336933a0211 Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+Date: Wed, 13 Mar 2024 15:37:43 +0200
+Subject: mmc: core: Initialize mmc_blk_ioc_data
+
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+
+commit 0cdfe5b0bf295c0dee97436a8ed13336933a0211 upstream.
+
+Commit 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu") adds
+flags uint to struct mmc_blk_ioc_data, but it does not get initialized for
+RPMB ioctls which now fails.
+
+Let's fix this by always initializing the struct and flags to zero.
+
+Fixes: 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218587
+Link: https://lore.kernel.org/all/20231129092535.3278-1-avri.altman@wdc.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://lore.kernel.org/r/20240313133744.2405325-1-mikko.rapeli@linaro.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/block.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -413,7 +413,7 @@ static struct mmc_blk_ioc_data *mmc_blk_
+ struct mmc_blk_ioc_data *idata;
+ int err;
+
+- idata = kmalloc(sizeof(*idata), GFP_KERNEL);
++ idata = kzalloc(sizeof(*idata), GFP_KERNEL);
+ if (!idata) {
+ err = -ENOMEM;
+ goto out;
--- /dev/null
+From f9e2a5b00a35f2c064dc679808bc8db5cc779ed6 Mon Sep 17 00:00:00 2001
+From: Romain Naour <romain.naour@skf.com>
+Date: Sat, 16 Mar 2024 00:44:44 +0100
+Subject: mmc: sdhci-omap: re-tuning is needed after a pm transition to support emmc HS200 mode
+
+From: Romain Naour <romain.naour@skf.com>
+
+commit f9e2a5b00a35f2c064dc679808bc8db5cc779ed6 upstream.
+
+"PM runtime functions" was been added in sdhci-omap driver in commit
+f433e8aac6b9 ("mmc: sdhci-omap: Implement PM runtime functions") along
+with "card power off and enable aggressive PM" in commit 3edf588e7fe0
+("mmc: sdhci-omap: Allow SDIO card power off and enable aggressive PM").
+
+Since then, the sdhci-omap driver doesn't work using mmc-hs200 mode
+due to the tuning values being lost during a pm transition.
+
+As for the sdhci_am654 driver, request a new tuning sequence before
+suspend (sdhci_omap_runtime_suspend()), otherwise the device will
+trigger cache flush error:
+
+ mmc1: cache flush error -110 (ETIMEDOUT)
+ mmc1: error -110 doing aggressive suspend
+
+followed by I/O errors produced by fdisk -l /dev/mmcblk1boot1:
+
+ I/O error, dev mmcblk1boot0, sector 64384 op 0x0:(READ) flags 0x80700 phys_seg 1
+ prio class 2
+ I/O error, dev mmcblk1boot1, sector 64384 op 0x0:(READ) flags 0x80700 phys_seg 1
+ prio class 2
+ I/O error, dev mmcblk1boot1, sector 64384 op 0x0:(READ) flags 0x0 phys_seg 1
+ prio class 2
+ Buffer I/O error on dev mmcblk1boot1, logical block 8048, async page read
+ I/O error, dev mmcblk1boot0, sector 64384 op 0x0:(READ) flags 0x0 phys_seg 1
+ prio class 2
+ Buffer I/O error on dev mmcblk1boot0, logical block 8048, async page read
+
+Don't re-tune if auto retuning is supported in HW (when SDHCI_TUNING_MODE_3
+is available).
+
+Link: https://lore.kernel.org/all/2e5f1997-564c-44e4-b357-6343e0dae7ab@smile.fr
+Fixes: f433e8aac6b9 ("mmc: sdhci-omap: Implement PM runtime functions")
+Signed-off-by: Romain Naour <romain.naour@skf.com>
+Reviewed-by: Tony Lindgren <tony@atomide.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240315234444.816978-1-romain.naour@smile.fr
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-omap.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-omap.c
++++ b/drivers/mmc/host/sdhci-omap.c
+@@ -1439,6 +1439,9 @@ static int __maybe_unused sdhci_omap_run
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct sdhci_omap_host *omap_host = sdhci_pltfm_priv(pltfm_host);
+
++ if (host->tuning_mode != SDHCI_TUNING_MODE_3)
++ mmc_retune_needed(host->mmc);
++
+ if (omap_host->con != -EINVAL)
+ sdhci_runtime_suspend_host(host);
+
--- /dev/null
+From 3a38a829c8bc27d78552c28e582eb1d885d07d11 Mon Sep 17 00:00:00 2001
+From: Claus Hansen Ries <chr@terma.com>
+Date: Thu, 21 Mar 2024 13:08:59 +0000
+Subject: net: ll_temac: platform_get_resource replaced by wrong function
+
+From: Claus Hansen Ries <chr@terma.com>
+
+commit 3a38a829c8bc27d78552c28e582eb1d885d07d11 upstream.
+
+The function platform_get_resource was replaced with
+devm_platform_ioremap_resource_byname and is called using 0 as name.
+
+This eventually ends up in platform_get_resource_byname in the call
+stack, where it causes a null pointer in strcmp.
+
+ if (type == resource_type(r) && !strcmp(r->name, name))
+
+It should have been replaced with devm_platform_ioremap_resource.
+
+Fixes: bd69058f50d5 ("net: ll_temac: Use devm_platform_ioremap_resource_byname()")
+Signed-off-by: Claus Hansen Ries <chr@terma.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/cca18f9c630a41c18487729770b492bb@terma.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
+@@ -1443,7 +1443,7 @@ static int temac_probe(struct platform_d
+ }
+
+ /* map device registers */
+- lp->regs = devm_platform_ioremap_resource_byname(pdev, 0);
++ lp->regs = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(lp->regs)) {
+ dev_err(&pdev->dev, "could not map TEMAC registers\n");
+ return -ENOMEM;
--- /dev/null
+From 16e87fe23d4af6df920406494ced5c0f4354567b Mon Sep 17 00:00:00 2001
+From: Duoming Zhou <duoming@zju.edu.cn>
+Date: Wed, 6 Mar 2024 13:01:04 +0800
+Subject: nouveau/dmem: handle kcalloc() allocation failure
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+commit 16e87fe23d4af6df920406494ced5c0f4354567b upstream.
+
+The kcalloc() in nouveau_dmem_evict_chunk() will return null if
+the physical memory has run out. As a result, if we dereference
+src_pfns, dst_pfns or dma_addrs, the null pointer dereference bugs
+will happen.
+
+Moreover, the GPU is going away. If the kcalloc() fails, we could not
+evict all pages mapping a chunk. So this patch adds a __GFP_NOFAIL
+flag in kcalloc().
+
+Finally, as there is no need to have physically contiguous memory,
+this patch switches kcalloc() to kvcalloc() in order to avoid
+failing allocations.
+
+CC: <stable@vger.kernel.org> # v6.1
+Fixes: 249881232e14 ("nouveau/dmem: evict device private memory during release")
+Suggested-by: Danilo Krummrich <dakr@redhat.com>
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: Danilo Krummrich <dakr@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240306050104.11259-1-duoming@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_dmem.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_dmem.c
++++ b/drivers/gpu/drm/nouveau/nouveau_dmem.c
+@@ -378,9 +378,9 @@ nouveau_dmem_evict_chunk(struct nouveau_
+ dma_addr_t *dma_addrs;
+ struct nouveau_fence *fence;
+
+- src_pfns = kcalloc(npages, sizeof(*src_pfns), GFP_KERNEL);
+- dst_pfns = kcalloc(npages, sizeof(*dst_pfns), GFP_KERNEL);
+- dma_addrs = kcalloc(npages, sizeof(*dma_addrs), GFP_KERNEL);
++ src_pfns = kvcalloc(npages, sizeof(*src_pfns), GFP_KERNEL | __GFP_NOFAIL);
++ dst_pfns = kvcalloc(npages, sizeof(*dst_pfns), GFP_KERNEL | __GFP_NOFAIL);
++ dma_addrs = kvcalloc(npages, sizeof(*dma_addrs), GFP_KERNEL | __GFP_NOFAIL);
+
+ migrate_device_range(src_pfns, chunk->pagemap.range.start >> PAGE_SHIFT,
+ npages);
+@@ -406,11 +406,11 @@ nouveau_dmem_evict_chunk(struct nouveau_
+ migrate_device_pages(src_pfns, dst_pfns, npages);
+ nouveau_dmem_fence_done(&fence);
+ migrate_device_finalize(src_pfns, dst_pfns, npages);
+- kfree(src_pfns);
+- kfree(dst_pfns);
++ kvfree(src_pfns);
++ kvfree(dst_pfns);
+ for (i = 0; i < npages; i++)
+ dma_unmap_page(chunk->drm->dev->dev, dma_addrs[i], PAGE_SIZE, DMA_BIDIRECTIONAL);
+- kfree(dma_addrs);
++ kvfree(dma_addrs);
+ }
+
+ void
--- /dev/null
+From 78aca9ee5e012e130dbfbd7191bc2302b0cf3b37 Mon Sep 17 00:00:00 2001
+From: Harry Wentland <harry.wentland@amd.com>
+Date: Tue, 12 Mar 2024 11:21:32 -0400
+Subject: Revert "drm/amd/display: Fix sending VSC (+ colorimetry) packets for DP/eDP displays without PSR"
+
+From: Harry Wentland <harry.wentland@amd.com>
+
+commit 78aca9ee5e012e130dbfbd7191bc2302b0cf3b37 upstream.
+
+This causes flicker on a bunch of eDP panels. The info_packet code
+also caused regressions on other OSes that we haven't' seen on Linux
+yet, but that is likely due to the fact that we haven't had a chance
+to test those environments on Linux.
+
+We'll need to revisit this.
+
+This reverts commit 202260f64519e591b5cd99626e441b6559f571a3.
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3207
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3151
+Signed-off-by: Harry Wentland <harry.wentland@amd.com>
+Reviewed-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 ++----
+ drivers/gpu/drm/amd/display/modules/info_packet/info_packet.c | 13 +++-------
+ 2 files changed, 8 insertions(+), 13 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -6121,9 +6121,8 @@ create_stream_for_sink(struct amdgpu_dm_
+
+ if (stream->signal == SIGNAL_TYPE_HDMI_TYPE_A)
+ mod_build_hf_vsif_infopacket(stream, &stream->vsp_infopacket);
+- else if (stream->signal == SIGNAL_TYPE_DISPLAY_PORT ||
+- stream->signal == SIGNAL_TYPE_DISPLAY_PORT_MST ||
+- stream->signal == SIGNAL_TYPE_EDP) {
++
++ if (stream->link->psr_settings.psr_feature_enabled || stream->link->replay_settings.replay_feature_enabled) {
+ //
+ // should decide stream support vsc sdp colorimetry capability
+ // before building vsc info packet
+@@ -6139,9 +6138,8 @@ create_stream_for_sink(struct amdgpu_dm_
+ if (stream->out_transfer_func->tf == TRANSFER_FUNCTION_GAMMA22)
+ tf = TRANSFER_FUNC_GAMMA_22;
+ mod_build_vsc_infopacket(stream, &stream->vsc_infopacket, stream->output_color_space, tf);
++ aconnector->psr_skip_count = AMDGPU_DM_PSR_ENTRY_DELAY;
+
+- if (stream->link->psr_settings.psr_feature_enabled)
+- aconnector->psr_skip_count = AMDGPU_DM_PSR_ENTRY_DELAY;
+ }
+ finish:
+ dc_sink_release(sink);
+--- a/drivers/gpu/drm/amd/display/modules/info_packet/info_packet.c
++++ b/drivers/gpu/drm/amd/display/modules/info_packet/info_packet.c
+@@ -147,15 +147,12 @@ void mod_build_vsc_infopacket(const stru
+ }
+
+ /* VSC packet set to 4 for PSR-SU, or 2 for PSR1 */
+- if (stream->link->psr_settings.psr_feature_enabled) {
+- if (stream->link->psr_settings.psr_version == DC_PSR_VERSION_SU_1)
+- vsc_packet_revision = vsc_packet_rev4;
+- else if (stream->link->psr_settings.psr_version == DC_PSR_VERSION_1)
+- vsc_packet_revision = vsc_packet_rev2;
+- }
+-
+- if (stream->link->replay_settings.config.replay_supported)
++ if (stream->link->psr_settings.psr_version == DC_PSR_VERSION_SU_1)
++ vsc_packet_revision = vsc_packet_rev4;
++ else if (stream->link->replay_settings.config.replay_supported)
+ vsc_packet_revision = vsc_packet_rev4;
++ else if (stream->link->psr_settings.psr_version == DC_PSR_VERSION_1)
++ vsc_packet_revision = vsc_packet_rev2;
+
+ /* Update to revision 5 for extended colorimetry support */
+ if (stream->use_vsc_sdp_for_colorimetry)
--- /dev/null
+From 03749309909935070253accab314288d332a204d Mon Sep 17 00:00:00 2001
+From: Liming Sun <limings@nvidia.com>
+Date: Tue, 19 Mar 2024 12:16:16 -0400
+Subject: sdhci-of-dwcmshc: disable PM runtime in dwcmshc_remove()
+
+From: Liming Sun <limings@nvidia.com>
+
+commit 03749309909935070253accab314288d332a204d upstream.
+
+This commit disables PM runtime in dwcmshc_remove() to avoid the
+error message below when reloading the sdhci-of-dwcmshc.ko
+
+ sdhci-dwcmshc MLNXBF30:00: Unbalanced pm_runtime_enable!
+
+Fixes: 48fe8fadbe5e ("mmc: sdhci-of-dwcmshc: Add runtime PM operations")
+Reviewed-by: David Thompson <davthompson@nvidia.com>
+Signed-off-by: Liming Sun <limings@nvidia.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/b9155963ffb12d18375002bf9ac9a3f98b727fc8.1710854108.git.limings@nvidia.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-of-dwcmshc.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-of-dwcmshc.c
++++ b/drivers/mmc/host/sdhci-of-dwcmshc.c
+@@ -584,6 +584,17 @@ free_pltfm:
+ return err;
+ }
+
++static void dwcmshc_disable_card_clk(struct sdhci_host *host)
++{
++ u16 ctrl;
++
++ ctrl = sdhci_readw(host, SDHCI_CLOCK_CONTROL);
++ if (ctrl & SDHCI_CLOCK_CARD_EN) {
++ ctrl &= ~SDHCI_CLOCK_CARD_EN;
++ sdhci_writew(host, ctrl, SDHCI_CLOCK_CONTROL);
++ }
++}
++
+ static void dwcmshc_remove(struct platform_device *pdev)
+ {
+ struct sdhci_host *host = platform_get_drvdata(pdev);
+@@ -591,8 +602,14 @@ static void dwcmshc_remove(struct platfo
+ struct dwcmshc_priv *priv = sdhci_pltfm_priv(pltfm_host);
+ struct rk35xx_priv *rk_priv = priv->priv;
+
++ pm_runtime_get_sync(&pdev->dev);
++ pm_runtime_disable(&pdev->dev);
++ pm_runtime_put_noidle(&pdev->dev);
++
+ sdhci_remove_host(host, 0);
+
++ dwcmshc_disable_card_clk(host);
++
+ clk_disable_unprepare(pltfm_host->clk);
+ clk_disable_unprepare(priv->bus_clk);
+ if (rk_priv)
+@@ -683,17 +700,6 @@ static void dwcmshc_enable_card_clk(stru
+ sdhci_writew(host, ctrl, SDHCI_CLOCK_CONTROL);
+ }
+ }
+-
+-static void dwcmshc_disable_card_clk(struct sdhci_host *host)
+-{
+- u16 ctrl;
+-
+- ctrl = sdhci_readw(host, SDHCI_CLOCK_CONTROL);
+- if (ctrl & SDHCI_CLOCK_CARD_EN) {
+- ctrl &= ~SDHCI_CLOCK_CARD_EN;
+- sdhci_writew(host, ctrl, SDHCI_CLOCK_CONTROL);
+- }
+-}
+
+ static int dwcmshc_runtime_suspend(struct device *dev)
+ {
--- /dev/null
+From 8c864371b2a15a23ce35aa7e2bd241baaad6fbe8 Mon Sep 17 00:00:00 2001
+From: Edward Liaw <edliaw@google.com>
+Date: Mon, 25 Mar 2024 19:40:52 +0000
+Subject: selftests/mm: fix ARM related issue with fork after pthread_create
+
+From: Edward Liaw <edliaw@google.com>
+
+commit 8c864371b2a15a23ce35aa7e2bd241baaad6fbe8 upstream.
+
+Following issue was observed while running the uffd-unit-tests selftest
+on ARM devices. On x86_64 no issues were detected:
+
+pthread_create followed by fork caused deadlock in certain cases wherein
+fork required some work to be completed by the created thread. Used
+synchronization to ensure that created thread's start function has started
+before invoking fork.
+
+[edliaw@google.com: refactored to use atomic_bool]
+Link: https://lkml.kernel.org/r/20240325194100.775052-1-edliaw@google.com
+Fixes: 760aee0b71e3 ("selftests/mm: add tests for RO pinning vs fork()")
+Signed-off-by: Lokesh Gidra <lokeshgidra@google.com>
+Signed-off-by: Edward Liaw <edliaw@google.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/mm/uffd-common.c | 3 +++
+ tools/testing/selftests/mm/uffd-common.h | 2 ++
+ tools/testing/selftests/mm/uffd-unit-tests.c | 10 ++++++++++
+ 3 files changed, 15 insertions(+)
+
+--- a/tools/testing/selftests/mm/uffd-common.c
++++ b/tools/testing/selftests/mm/uffd-common.c
+@@ -17,6 +17,7 @@ bool map_shared;
+ bool test_uffdio_wp = true;
+ unsigned long long *count_verify;
+ uffd_test_ops_t *uffd_test_ops;
++atomic_bool ready_for_fork;
+
+ static int uffd_mem_fd_create(off_t mem_size, bool hugetlb)
+ {
+@@ -507,6 +508,8 @@ void *uffd_poll_thread(void *arg)
+ pollfd[1].fd = pipefd[cpu*2];
+ pollfd[1].events = POLLIN;
+
++ ready_for_fork = true;
++
+ for (;;) {
+ ret = poll(pollfd, 2, -1);
+ if (ret <= 0) {
+--- a/tools/testing/selftests/mm/uffd-common.h
++++ b/tools/testing/selftests/mm/uffd-common.h
+@@ -32,6 +32,7 @@
+ #include <inttypes.h>
+ #include <stdint.h>
+ #include <sys/random.h>
++#include <stdatomic.h>
+
+ #include "../kselftest.h"
+ #include "vm_util.h"
+@@ -97,6 +98,7 @@ extern bool map_shared;
+ extern bool test_uffdio_wp;
+ extern unsigned long long *count_verify;
+ extern volatile bool test_uffdio_copy_eexist;
++extern atomic_bool ready_for_fork;
+
+ extern uffd_test_ops_t anon_uffd_test_ops;
+ extern uffd_test_ops_t shmem_uffd_test_ops;
+--- a/tools/testing/selftests/mm/uffd-unit-tests.c
++++ b/tools/testing/selftests/mm/uffd-unit-tests.c
+@@ -770,6 +770,8 @@ static void uffd_sigbus_test_common(bool
+ char c;
+ struct uffd_args args = { 0 };
+
++ ready_for_fork = false;
++
+ fcntl(uffd, F_SETFL, uffd_flags | O_NONBLOCK);
+
+ if (uffd_register(uffd, area_dst, nr_pages * page_size,
+@@ -785,6 +787,9 @@ static void uffd_sigbus_test_common(bool
+ if (pthread_create(&uffd_mon, NULL, uffd_poll_thread, &args))
+ err("uffd_poll_thread create");
+
++ while (!ready_for_fork)
++ ; /* Wait for the poll_thread to start executing before forking */
++
+ pid = fork();
+ if (pid < 0)
+ err("fork");
+@@ -824,6 +829,8 @@ static void uffd_events_test_common(bool
+ char c;
+ struct uffd_args args = { 0 };
+
++ ready_for_fork = false;
++
+ fcntl(uffd, F_SETFL, uffd_flags | O_NONBLOCK);
+ if (uffd_register(uffd, area_dst, nr_pages * page_size,
+ true, wp, false))
+@@ -833,6 +840,9 @@ static void uffd_events_test_common(bool
+ if (pthread_create(&uffd_mon, NULL, uffd_poll_thread, &args))
+ err("uffd_poll_thread create");
+
++ while (!ready_for_fork)
++ ; /* Wait for the poll_thread to start executing before forking */
++
+ pid = fork();
+ if (pid < 0)
+ err("fork");
--- /dev/null
+From 105840ebd76d8dbc1a7d734748ae320076f3201e Mon Sep 17 00:00:00 2001
+From: Edward Liaw <edliaw@google.com>
+Date: Thu, 21 Mar 2024 23:20:21 +0000
+Subject: selftests/mm: sigbus-wp test requires UFFD_FEATURE_WP_HUGETLBFS_SHMEM
+
+From: Edward Liaw <edliaw@google.com>
+
+commit 105840ebd76d8dbc1a7d734748ae320076f3201e upstream.
+
+The sigbus-wp test requires the UFFD_FEATURE_WP_HUGETLBFS_SHMEM flag for
+shmem and hugetlb targets. Otherwise it is not backwards compatible with
+kernels <5.19 and fails with EINVAL.
+
+Link: https://lkml.kernel.org/r/20240321232023.2064975-1-edliaw@google.com
+Fixes: 73c1ea939b65 ("selftests/mm: move uffd sig/events tests into uffd unit tests")
+Signed-off-by: Edward Liaw <edliaw@google.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Peter Xu <peterx@redhat.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/mm/uffd-unit-tests.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/mm/uffd-unit-tests.c
++++ b/tools/testing/selftests/mm/uffd-unit-tests.c
+@@ -1219,7 +1219,8 @@ uffd_test_case_t uffd_tests[] = {
+ .uffd_fn = uffd_sigbus_wp_test,
+ .mem_targets = MEM_ALL,
+ .uffd_feature_required = UFFD_FEATURE_SIGBUS |
+- UFFD_FEATURE_EVENT_FORK | UFFD_FEATURE_PAGEFAULT_FLAG_WP,
++ UFFD_FEATURE_EVENT_FORK | UFFD_FEATURE_PAGEFAULT_FLAG_WP |
++ UFFD_FEATURE_WP_HUGETLBFS_SHMEM,
+ },
+ {
+ .name = "events",
prctl-generalize-pr_set_mdwe-support-check-to-be-per-arch.patch
arm-prctl-reject-pr_set_mdwe-on-pre-armv6.patch
tmpfs-fix-race-on-handling-dquot-rbtree.patch
+btrfs-fix-race-in-read_extent_buffer_pages.patch
+btrfs-zoned-don-t-skip-block-groups-with-100-zone-unusable.patch
+btrfs-zoned-use-zone-aware-sb-location-for-scrub.patch
+wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch
+wifi-cfg80211-add-a-flag-to-disable-wireless-extensions.patch
+wifi-iwlwifi-mvm-disable-mlo-for-the-time-being.patch
+wifi-iwlwifi-fw-don-t-always-use-fw-dump-trig.patch
+revert-drm-amd-display-fix-sending-vsc-colorimetry-packets-for-dp-edp-displays-without-psr.patch
+gpio-cdev-sanitize-the-label-before-requesting-the-interrupt.patch
+exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch
+hexagon-vmlinux.lds.s-handle-attributes-section.patch
+mm-cachestat-fix-two-shmem-bugs.patch
+selftests-mm-sigbus-wp-test-requires-uffd_feature_wp_hugetlbfs_shmem.patch
+selftests-mm-fix-arm-related-issue-with-fork-after-pthread_create.patch
+mmc-sdhci-omap-re-tuning-is-needed-after-a-pm-transition-to-support-emmc-hs200-mode.patch
+mmc-core-initialize-mmc_blk_ioc_data.patch
+mmc-core-avoid-negative-index-with-array-access.patch
+sdhci-of-dwcmshc-disable-pm-runtime-in-dwcmshc_remove.patch
+block-do-not-force-full-zone-append-completion-in-req_bio_endio.patch
+thermal-devfreq_cooling-fix-perf-state-when-calculate-dfc-res_util.patch
+nouveau-dmem-handle-kcalloc-allocation-failure.patch
+net-ll_temac-platform_get_resource-replaced-by-wrong-function.patch
+drm-vmwgfx-create-debugfs-ttm_resource_manager-entry-only-if-needed.patch
+drm-amdkfd-fix-tlb-flush-after-unmap-for-gfx9.4.2.patch
+drm-amdgpu-fix-deadlock-while-reading-mqd-from-debugfs.patch
--- /dev/null
+From a26de34b3c77ae3a969654d94be49e433c947e3b Mon Sep 17 00:00:00 2001
+From: Ye Zhang <ye.zhang@rock-chips.com>
+Date: Thu, 21 Mar 2024 18:21:00 +0800
+Subject: thermal: devfreq_cooling: Fix perf state when calculate dfc res_util
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ye Zhang <ye.zhang@rock-chips.com>
+
+commit a26de34b3c77ae3a969654d94be49e433c947e3b upstream.
+
+The issue occurs when the devfreq cooling device uses the EM power model
+and the get_real_power() callback is provided by the driver.
+
+The EM power table is sorted ascending,can't index the table by cooling
+device state,so convert cooling state to performance state by
+dfc->max_state - dfc->capped_state.
+
+Fixes: 615510fe13bd ("thermal: devfreq_cooling: remove old power model and use EM")
+Cc: 5.11+ <stable@vger.kernel.org> # 5.11+
+Signed-off-by: Ye Zhang <ye.zhang@rock-chips.com>
+Reviewed-by: Dhruva Gole <d-gole@ti.com>
+Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/devfreq_cooling.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/thermal/devfreq_cooling.c
++++ b/drivers/thermal/devfreq_cooling.c
+@@ -201,7 +201,7 @@ static int devfreq_cooling_get_requested
+
+ res = dfc->power_ops->get_real_power(df, power, freq, voltage);
+ if (!res) {
+- state = dfc->capped_state;
++ state = dfc->max_state - dfc->capped_state;
+
+ /* Convert EM power into milli-Watts first */
+ dfc->res_util = dfc->em_pd->table[state].power;
--- /dev/null
+From be23b2d7c3b7c8bf57b1cf0bf890bd65df9d0186 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 14 Mar 2024 11:09:51 +0100
+Subject: wifi: cfg80211: add a flag to disable wireless extensions
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit be23b2d7c3b7c8bf57b1cf0bf890bd65df9d0186 upstream.
+
+Wireless extensions are already disabled if MLO is enabled,
+given that we cannot support MLO there with all the hard-
+coded assumptions about BSSID etc.
+
+However, the WiFi7 ecosystem is still stabilizing, and some
+devices may need MLO disabled while that happens. In that
+case, we might end up with a device that supports wext (but
+not MLO) in one kernel, and then breaks wext in the future
+(by enabling MLO), which is not desirable.
+
+Add a flag to let such drivers/devices disable wext even if
+MLO isn't yet enabled.
+
+Cc: stable@vger.kernel.org
+Link: https://msgid.link/20240314110951.b50f1dc4ec21.I656ddd8178eedb49dc5c6c0e70f8ce5807afb54f@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/cfg80211.h | 2 ++
+ net/wireless/wext-core.c | 7 +++++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -4816,6 +4816,7 @@ struct cfg80211_ops {
+ * @WIPHY_FLAG_SUPPORTS_EXT_KCK_32: The device supports 32-byte KCK keys.
+ * @WIPHY_FLAG_NOTIFY_REGDOM_BY_DRIVER: The device could handle reg notify for
+ * NL80211_REGDOM_SET_BY_DRIVER.
++ * @WIPHY_FLAG_DISABLE_WEXT: disable wireless extensions for this device
+ */
+ enum wiphy_flags {
+ WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK = BIT(0),
+@@ -4827,6 +4828,7 @@ enum wiphy_flags {
+ WIPHY_FLAG_4ADDR_STATION = BIT(6),
+ WIPHY_FLAG_CONTROL_PORT_PROTOCOL = BIT(7),
+ WIPHY_FLAG_IBSS_RSN = BIT(8),
++ WIPHY_FLAG_DISABLE_WEXT = BIT(9),
+ WIPHY_FLAG_MESH_AUTH = BIT(10),
+ WIPHY_FLAG_SUPPORTS_EXT_KCK_32 = BIT(11),
+ /* use hole at 12 */
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -4,6 +4,7 @@
+ * Authors : Jean Tourrilhes - HPL - <jt@hpl.hp.com>
+ * Copyright (c) 1997-2007 Jean Tourrilhes, All Rights Reserved.
+ * Copyright 2009 Johannes Berg <johannes@sipsolutions.net>
++ * Copyright (C) 2024 Intel Corporation
+ *
+ * (As all part of the Linux kernel, this file is GPL)
+ */
+@@ -662,7 +663,8 @@ struct iw_statistics *get_wireless_stats
+ dev->ieee80211_ptr->wiphy->wext &&
+ dev->ieee80211_ptr->wiphy->wext->get_wireless_stats) {
+ wireless_warn_cfg80211_wext();
+- if (dev->ieee80211_ptr->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO)
++ if (dev->ieee80211_ptr->wiphy->flags & (WIPHY_FLAG_SUPPORTS_MLO |
++ WIPHY_FLAG_DISABLE_WEXT))
+ return NULL;
+ return dev->ieee80211_ptr->wiphy->wext->get_wireless_stats(dev);
+ }
+@@ -704,7 +706,8 @@ static iw_handler get_handler(struct net
+ #ifdef CONFIG_CFG80211_WEXT
+ if (dev->ieee80211_ptr && dev->ieee80211_ptr->wiphy) {
+ wireless_warn_cfg80211_wext();
+- if (dev->ieee80211_ptr->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO)
++ if (dev->ieee80211_ptr->wiphy->flags & (WIPHY_FLAG_SUPPORTS_MLO |
++ WIPHY_FLAG_DISABLE_WEXT))
+ return NULL;
+ handlers = dev->ieee80211_ptr->wiphy->wext;
+ }
--- /dev/null
+From 045a5b645dd59929b0e05375f493cde3a0318271 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 19 Mar 2024 10:10:20 +0200
+Subject: wifi: iwlwifi: fw: don't always use FW dump trig
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 045a5b645dd59929b0e05375f493cde3a0318271 upstream.
+
+Since the dump_data (struct iwl_fwrt_dump_data) is a union,
+it's not safe to unconditionally access and use the 'trig'
+member, it might be 'desc' instead. Access it only if it's
+known to be 'trig' rather than 'desc', i.e. if ini-debug
+is present.
+
+Cc: stable@vger.kernel.org
+Fixes: 0eb50c674a1e ("iwlwifi: yoyo: send hcmd to fw after dump collection completes.")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20240319100755.e2976bc58b29.I72fbd6135b3623227de53d8a2bb82776066cb72b@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+@@ -2933,8 +2933,6 @@ static void iwl_fw_dbg_collect_sync(stru
+ struct iwl_fw_dbg_params params = {0};
+ struct iwl_fwrt_dump_data *dump_data =
+ &fwrt->dump.wks[wk_idx].dump_data;
+- u32 policy;
+- u32 time_point;
+ if (!test_bit(wk_idx, &fwrt->dump.active_wks))
+ return;
+
+@@ -2965,13 +2963,16 @@ static void iwl_fw_dbg_collect_sync(stru
+
+ iwl_fw_dbg_stop_restart_recording(fwrt, ¶ms, false);
+
+- policy = le32_to_cpu(dump_data->trig->apply_policy);
+- time_point = le32_to_cpu(dump_data->trig->time_point);
+-
+- if (policy & IWL_FW_INI_APPLY_POLICY_DUMP_COMPLETE_CMD) {
+- IWL_DEBUG_FW_INFO(fwrt, "WRT: sending dump complete\n");
+- iwl_send_dbg_dump_complete_cmd(fwrt, time_point, 0);
++ if (iwl_trans_dbg_ini_valid(fwrt->trans)) {
++ u32 policy = le32_to_cpu(dump_data->trig->apply_policy);
++ u32 time_point = le32_to_cpu(dump_data->trig->time_point);
++
++ if (policy & IWL_FW_INI_APPLY_POLICY_DUMP_COMPLETE_CMD) {
++ IWL_DEBUG_FW_INFO(fwrt, "WRT: sending dump complete\n");
++ iwl_send_dbg_dump_complete_cmd(fwrt, time_point, 0);
++ }
+ }
++
+ if (fwrt->trans->dbg.last_tp_resetfw == IWL_FW_INI_RESET_FW_MODE_STOP_FW_ONLY)
+ iwl_force_nmi(fwrt->trans);
+
--- /dev/null
+From 5f404005055304830bbbee0d66af2964fc48f29e Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 14 Mar 2024 11:09:52 +0100
+Subject: wifi: iwlwifi: mvm: disable MLO for the time being
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 5f404005055304830bbbee0d66af2964fc48f29e upstream.
+
+MLO ended up not really fully stable yet, we want to make
+sure it works well with the ecosystem before enabling it.
+Thus, remove the flag, but set WIPHY_FLAG_DISABLE_WEXT so
+we don't get wireless extensions back until we enable MLO
+for this hardware.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20240314110951.d6ad146df98d.I47127e4fdbdef89e4ccf7483641570ee7871d4e6@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -318,7 +318,7 @@ int iwl_mvm_mac_setup_register(struct iw
+ if (mvm->mld_api_is_used && mvm->nvm_data->sku_cap_11be_enable &&
+ !iwlwifi_mod_params.disable_11ax &&
+ !iwlwifi_mod_params.disable_11be)
+- hw->wiphy->flags |= WIPHY_FLAG_SUPPORTS_MLO;
++ hw->wiphy->flags |= WIPHY_FLAG_DISABLE_WEXT;
+
+ /* With MLD FW API, it tracks timing by itself,
+ * no need for any timing from the host
--- /dev/null
+From 4f2bdb3c5e3189297e156b3ff84b140423d64685 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Sat, 16 Mar 2024 08:43:36 +0100
+Subject: wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 4f2bdb3c5e3189297e156b3ff84b140423d64685 upstream.
+
+When moving a station out of a VLAN and deleting the VLAN afterwards, the
+fast_rx entry still holds a pointer to the VLAN's netdev, which can cause
+use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx
+after the VLAN change.
+
+Cc: stable@vger.kernel.org
+Reported-by: ranygh@riseup.net
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://msgid.link/20240316074336.40442-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2187,15 +2187,14 @@ static int ieee80211_change_station(stru
+ }
+
+ if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
+- sta->sdata->u.vlan.sta) {
+- ieee80211_clear_fast_rx(sta);
++ sta->sdata->u.vlan.sta)
+ RCU_INIT_POINTER(sta->sdata->u.vlan.sta, NULL);
+- }
+
+ if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))
+ ieee80211_vif_dec_num_mcast(sta->sdata);
+
+ sta->sdata = vlansdata;
++ ieee80211_check_fast_rx(sta);
+ ieee80211_check_fast_xmit(sta);
+
+ if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
