5.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 2 Oct 2022 09:55:16 +0000 (11:55 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 2 Oct 2022 09:55:16 +0000 (11:55 +0200)
added patches:
drm-amdgpu-add-amdgpu-suspend-resume-code-path-under-sriov.patch
drm-i915-gt-restrict-forced-preemption-to-the-active-context.patch
libata-add-ata_horkage_nolpm-for-pioneer-bdr-207m-and-bdr-205.patch
mm-damon-dbgfs-fix-memory-leak-when-using-debugfs_lookup.patch
mm-fix-bug-splat-with-kvmalloc-gfp_atomic.patch
mmc-hsq-fix-data-stomping-during-mmc-recovery.patch
mmc-moxart-fix-4-bit-bus-width-and-remove-8-bit-bus-width.patch
mptcp-factor-out-__mptcp_close-without-socket-lock.patch
mptcp-fix-unreleased-socket-in-accept-queue.patch
net-mt7531-only-do-pll-once-after-the-reset.patch
ntfs-fix-bug_on-in-ntfs_lookup_inode_by_name.patch
powerpc-64s-radix-don-t-need-to-broadcast-ipi-for-radix-pmd-collapse-flush.patch
revert-firmware-arm_scmi-add-clock-management-to-the-scmi-power-domain.patch
vduse-prevent-uninitialized-memory-accesses.patch
x86-uaccess-avoid-check_object_size-in-copy_from_user_nmi.patch

16 files changed:
queue-5.19/drm-amdgpu-add-amdgpu-suspend-resume-code-path-under-sriov.patch [new file with mode: 0644]
queue-5.19/drm-i915-gt-restrict-forced-preemption-to-the-active-context.patch [new file with mode: 0644]
queue-5.19/libata-add-ata_horkage_nolpm-for-pioneer-bdr-207m-and-bdr-205.patch [new file with mode: 0644]
queue-5.19/mm-damon-dbgfs-fix-memory-leak-when-using-debugfs_lookup.patch [new file with mode: 0644]
queue-5.19/mm-fix-bug-splat-with-kvmalloc-gfp_atomic.patch [new file with mode: 0644]
queue-5.19/mmc-hsq-fix-data-stomping-during-mmc-recovery.patch [new file with mode: 0644]
queue-5.19/mmc-moxart-fix-4-bit-bus-width-and-remove-8-bit-bus-width.patch [new file with mode: 0644]
queue-5.19/mptcp-factor-out-__mptcp_close-without-socket-lock.patch [new file with mode: 0644]
queue-5.19/mptcp-fix-unreleased-socket-in-accept-queue.patch [new file with mode: 0644]
queue-5.19/net-mt7531-only-do-pll-once-after-the-reset.patch [new file with mode: 0644]
queue-5.19/ntfs-fix-bug_on-in-ntfs_lookup_inode_by_name.patch [new file with mode: 0644]
queue-5.19/powerpc-64s-radix-don-t-need-to-broadcast-ipi-for-radix-pmd-collapse-flush.patch [new file with mode: 0644]
queue-5.19/revert-firmware-arm_scmi-add-clock-management-to-the-scmi-power-domain.patch [new file with mode: 0644]
queue-5.19/series
queue-5.19/vduse-prevent-uninitialized-memory-accesses.patch [new file with mode: 0644]
queue-5.19/x86-uaccess-avoid-check_object_size-in-copy_from_user_nmi.patch [new file with mode: 0644]

diff --git a/queue-5.19/drm-amdgpu-add-amdgpu-suspend-resume-code-path-under-sriov.patch b/queue-5.19/drm-amdgpu-add-amdgpu-suspend-resume-code-path-under-sriov.patch
new file mode 100644 (file)
index 0000000..2f90ae7
--- /dev/null
@@ -0,0 +1,110 @@
+From 3b7329cf5a767c1be38352d43066012e220ad43c Mon Sep 17 00:00:00 2001
+From: Bokun Zhang <Bokun.Zhang@amd.com>
+Date: Wed, 28 Sep 2022 00:30:04 +0800
+Subject: drm/amdgpu: Add amdgpu suspend-resume code path under SRIOV
+
+From: Bokun Zhang <Bokun.Zhang@amd.com>
+
+commit 3b7329cf5a767c1be38352d43066012e220ad43c upstream.
+
+- Under SRIOV, we need to send REQ_GPU_FINI to the hypervisor
+  during the suspend time. Furthermore, we cannot request a
+  mode 1 reset under SRIOV as VF. Therefore, we will skip it
+  as it is called in suspend_noirq() function.
+
+- In the resume code path, we need to send REQ_GPU_INIT to the
+  hypervisor and also resume PSP IP block under SRIOV.
+
+Signed-off-by: Bokun Zhang <Bokun.Zhang@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c   |    4 ++++
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c |   27 ++++++++++++++++++++++++++-
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+@@ -1056,6 +1056,10 @@ bool amdgpu_acpi_should_gpu_reset(struct
+ {
+       if (adev->flags & AMD_IS_APU)
+               return false;
++
++      if (amdgpu_sriov_vf(adev))
++              return false;
++
+       return pm_suspend_target_state != PM_SUSPEND_TO_IDLE;
+ }
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -3178,7 +3178,8 @@ static int amdgpu_device_ip_resume_phase
+                       continue;
+               if (adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_COMMON ||
+                   adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_GMC ||
+-                  adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_IH) {
++                  adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_IH ||
++                  (adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_PSP && amdgpu_sriov_vf(adev))) {
+                       r = adev->ip_blocks[i].version->funcs->resume(adev);
+                       if (r) {
+@@ -4124,12 +4125,20 @@ static void amdgpu_device_evict_resource
+ int amdgpu_device_suspend(struct drm_device *dev, bool fbcon)
+ {
+       struct amdgpu_device *adev = drm_to_adev(dev);
++      int r = 0;
+       if (dev->switch_power_state == DRM_SWITCH_POWER_OFF)
+               return 0;
+       adev->in_suspend = true;
++      if (amdgpu_sriov_vf(adev)) {
++              amdgpu_virt_fini_data_exchange(adev);
++              r = amdgpu_virt_request_full_gpu(adev, false);
++              if (r)
++                      return r;
++      }
++
+       if (amdgpu_acpi_smart_shift_update(dev, AMDGPU_SS_DEV_D3))
+               DRM_WARN("smart shift update failed\n");
+@@ -4153,6 +4162,9 @@ int amdgpu_device_suspend(struct drm_dev
+       amdgpu_device_ip_suspend_phase2(adev);
++      if (amdgpu_sriov_vf(adev))
++              amdgpu_virt_release_full_gpu(adev, false);
++
+       return 0;
+ }
+@@ -4171,6 +4183,12 @@ int amdgpu_device_resume(struct drm_devi
+       struct amdgpu_device *adev = drm_to_adev(dev);
+       int r = 0;
++      if (amdgpu_sriov_vf(adev)) {
++              r = amdgpu_virt_request_full_gpu(adev, true);
++              if (r)
++                      return r;
++      }
++
+       if (dev->switch_power_state == DRM_SWITCH_POWER_OFF)
+               return 0;
+@@ -4185,6 +4203,13 @@ int amdgpu_device_resume(struct drm_devi
+       }
+       r = amdgpu_device_ip_resume(adev);
++
++      /* no matter what r is, always need to properly release full GPU */
++      if (amdgpu_sriov_vf(adev)) {
++              amdgpu_virt_init_data_exchange(adev);
++              amdgpu_virt_release_full_gpu(adev, true);
++      }
++
+       if (r) {
+               dev_err(adev->dev, "amdgpu_device_ip_resume failed (%d).\n", r);
+               return r;
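Review bot: In amdgpu_device_resume the new `amdgpu_virt_request_full_gpu(adev, true)` call sits ahead of the `dev->switch_power_state == DRM_SWITCH_POWER_OFF` check, so that early `return 0` leaves the VF holding exclusive GPU access with no matching `amdgpu_virt_release_full_gpu()`. Moving the SR-IOV request block below the power-state check, or releasing before that return, would keep request and release paired. The suspend side has a similar gap: when the request fails, `return r` exits after `adev->in_suspend = true` and `amdgpu_virt_fini_data_exchange(adev)` have already run, and nothing in the visible lines undoes either. Both function bodies extend beyond the quoted context, so other exits may need the same treatment.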
diff --git a/queue-5.19/drm-i915-gt-restrict-forced-preemption-to-the-active-context.patch b/queue-5.19/drm-i915-gt-restrict-forced-preemption-to-the-active-context.patch
new file mode 100644 (file)
index 0000000..5ef29de
--- /dev/null
@@ -0,0 +1,112 @@
+From 6ef7d362123ecb5bf6d163bb9c7fd6ba2d8c968c Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Wed, 21 Sep 2022 15:52:58 +0200
+Subject: drm/i915/gt: Restrict forced preemption to the active context
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 6ef7d362123ecb5bf6d163bb9c7fd6ba2d8c968c upstream.
+
+When we submit a new pair of contexts to ELSP for execution, we start a
+timer by which point we expect the HW to have switched execution to the
+pending contexts. If the promotion to the new pair of contexts has not
+occurred, we declare the executing context to have hung and force the
+preemption to take place by resetting the engine and resubmitting the
+new contexts.
+
+This can lead to an unfair situation where almost all of the preemption
+timeout is consumed by the first context which just switches into the
+second context immediately prior to the timer firing and triggering the
+preemption reset (assuming that the timer interrupts before we process
+the CS events for the context switch). The second context hasn't yet had
+a chance to yield to the incoming ELSP (and send the ACk for the
+promotion) and so ends up being blamed for the reset.
+
+If we see that a context switch has occurred since setting the
+preemption timeout, but have not yet received the ACK for the ELSP
+promotion, rearm the preemption timer and check again. This is
+especially significant if the first context was not schedulable and so
+we used the shortest timer possible, greatly increasing the chance of
+accidentally blaming the second innocent context.
+
+Fixes: 3a7a92aba8fb ("drm/i915/execlists: Force preemption")
+Fixes: d12acee84ffb ("drm/i915/execlists: Cancel banned contexts on schedule-out")
+Reported-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Cc: Andi Shyti <andi.shyti@linux.intel.com>
+Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>
+Tested-by: Andrzej Hajda <andrzej.hajda@intel.com>
+Cc: <stable@vger.kernel.org> # v5.5+
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220921135258.1714873-1-andrzej.hajda@intel.com
+(cherry picked from commit 107ba1a2c705f4358f2602ec2f2fd821bb651f42)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gt/intel_engine_types.h         |   15 +++++++++++++
+ drivers/gpu/drm/i915/gt/intel_execlists_submission.c |   21 ++++++++++++++++++-
+ 2 files changed, 35 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/gt/intel_engine_types.h
++++ b/drivers/gpu/drm/i915/gt/intel_engine_types.h
+@@ -156,6 +156,21 @@ struct intel_engine_execlists {
+       struct timer_list preempt;
+       /**
++       * @preempt_target: active request at the time of the preemption request
++       *
++       * We force a preemption to occur if the pending contexts have not
++       * been promoted to active upon receipt of the CS ack event within
++       * the timeout. This timeout maybe chosen based on the target,
++       * using a very short timeout if the context is no longer schedulable.
++       * That short timeout may not be applicable to other contexts, so
++       * if a context switch should happen within before the preemption
++       * timeout, we may shoot early at an innocent context. To prevent this,
++       * we record which context was active at the time of the preemption
++       * request and only reset that context upon the timeout.
++       */
++      const struct i915_request *preempt_target;
++
++      /**
+        * @ccid: identifier for contexts submitted to this engine
+        */
+       u32 ccid;
+--- a/drivers/gpu/drm/i915/gt/intel_execlists_submission.c
++++ b/drivers/gpu/drm/i915/gt/intel_execlists_submission.c
+@@ -1241,6 +1241,9 @@ static unsigned long active_preempt_time
+       if (!rq)
+               return 0;
++      /* Only allow ourselves to force reset the currently active context */
++      engine->execlists.preempt_target = rq;
++
+       /* Force a fast reset for terminated contexts (ignoring sysfs!) */
+       if (unlikely(intel_context_is_banned(rq->context) || bad_request(rq)))
+               return 1;
+@@ -2427,8 +2430,24 @@ static void execlists_submission_tasklet
+       GEM_BUG_ON(inactive - post > ARRAY_SIZE(post));
+       if (unlikely(preempt_timeout(engine))) {
++              const struct i915_request *rq = *engine->execlists.active;
++
++              /*
++               * If after the preempt-timeout expired, we are still on the
++               * same active request/context as before we initiated the
++               * preemption, reset the engine.
++               *
++               * However, if we have processed a CS event to switch contexts,
++               * but not yet processed the CS event for the pending
++               * preemption, reset the timer allowing the new context to
++               * gracefully exit.
++               */
+               cancel_timer(&engine->execlists.preempt);
+-              engine->execlists.error_interrupt |= ERROR_PREEMPT;
++              if (rq == engine->execlists.preempt_target)
++                      engine->execlists.error_interrupt |= ERROR_PREEMPT;
++              else
++                      set_timer_ms(&engine->execlists.preempt,
++                                   active_preempt_timeout(engine, rq));
+       }
+       if (unlikely(READ_ONCE(engine->execlists.error_interrupt))) {
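Review bot: `preempt_target` stores a bare `const struct i915_request *` and no reference is taken anywhere in the visible lines, so the recorded request may already be retired when execlists_submission_tasklet compares it with `*engine->execlists.active`. The comparison is by address only, which is safe as long as nobody dereferences the field. A recycled request at the same address would compare equal and still raise ERROR_PREEMPT; this is presumably rare but worth confirming. I would add a line to the kerneldoc in intel_engine_types.h such as `* Only ever compared by address; never dereferenced, no reference is held.` The same kerneldoc has two wording slips, "maybe chosen" and "within before", that could be fixed at the same time.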
diff --git a/queue-5.19/libata-add-ata_horkage_nolpm-for-pioneer-bdr-207m-and-bdr-205.patch b/queue-5.19/libata-add-ata_horkage_nolpm-for-pioneer-bdr-207m-and-bdr-205.patch
new file mode 100644 (file)
index 0000000..22092f1
--- /dev/null
@@ -0,0 +1,58 @@
+From ea08aec7e77bfd6599489ec430f9f859ab84575a Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <niklas.cassel@wdc.com>
+Date: Mon, 26 Sep 2022 18:38:09 +0000
+Subject: libata: add ATA_HORKAGE_NOLPM for Pioneer BDR-207M and BDR-205
+
+From: Niklas Cassel <niklas.cassel@wdc.com>
+
+commit ea08aec7e77bfd6599489ec430f9f859ab84575a upstream.
+
+Commit 1527f69204fe ("ata: ahci: Add Green Sardine vendor ID as
+board_ahci_mobile") added an explicit entry for AMD Green Sardine
+AHCI controller using the board_ahci_mobile configuration (this
+configuration has later been renamed to board_ahci_low_power).
+
+The board_ahci_low_power configuration enables support for low power
+modes.
+
+This explicit entry takes precedence over the generic AHCI controller
+entry, which does not enable support for low power modes.
+
+Therefore, when commit 1527f69204fe ("ata: ahci: Add Green Sardine
+vendor ID as board_ahci_mobile") was backported to stable kernels,
+it make some Pioneer optical drives, which was working perfectly fine
+before the commit was backported, stop working.
+
+The real problem is that the Pioneer optical drives do not handle low
+power modes correctly. If these optical drives would have been tested
+on another AHCI controller using the board_ahci_low_power configuration,
+this issue would have been detected earlier.
+
+Unfortunately, the board_ahci_low_power configuration is only used in
+less than 15% of the total AHCI controller entries, so many devices
+have never been tested with an AHCI controller with low power modes.
+
+Fixes: 1527f69204fe ("ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile")
+Cc: stable@vger.kernel.org
+Reported-by: Jaap Berkhout <j.j.berkhout@staalenberk.nl>
+Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-core.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -3988,6 +3988,10 @@ static const struct ata_blacklist_entry
+       { "PIONEER DVD-RW  DVR-212D",   NULL,   ATA_HORKAGE_NOSETXFER },
+       { "PIONEER DVD-RW  DVR-216D",   NULL,   ATA_HORKAGE_NOSETXFER },
++      /* These specific Pioneer models have LPM issues */
++      { "PIONEER BD-RW   BDR-207M",   NULL,   ATA_HORKAGE_NOLPM },
++      { "PIONEER BD-RW   BDR-205",    NULL,   ATA_HORKAGE_NOLPM },
++
+       /* Crucial BX100 SSD 500GB has broken LPM support */
+       { "CT500BX100SSD1",             NULL,   ATA_HORKAGE_NOLPM },
diff --git a/queue-5.19/mm-damon-dbgfs-fix-memory-leak-when-using-debugfs_lookup.patch b/queue-5.19/mm-damon-dbgfs-fix-memory-leak-when-using-debugfs_lookup.patch
new file mode 100644 (file)
index 0000000..1cdfd3f
--- /dev/null
@@ -0,0 +1,70 @@
+From 1552fd3ef7dbe07208b8ae84a0a6566adf7dfc9d Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Fri, 2 Sep 2022 19:11:49 +0000
+Subject: mm/damon/dbgfs: fix memory leak when using debugfs_lookup()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 1552fd3ef7dbe07208b8ae84a0a6566adf7dfc9d upstream.
+
+When calling debugfs_lookup() the result must have dput() called on it,
+otherwise the memory will leak over time.  Fix this up by properly calling
+dput().
+
+Link: https://lkml.kernel.org/r/20220902191149.112434-1-sj@kernel.org
+Fixes: 75c1c2b53c78b ("mm/damon/dbgfs: support multiple contexts")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/damon/dbgfs.c |   19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/mm/damon/dbgfs.c
++++ b/mm/damon/dbgfs.c
+@@ -853,6 +853,7 @@ static int dbgfs_rm_context(char *name)
+       struct dentry *root, *dir, **new_dirs;
+       struct damon_ctx **new_ctxs;
+       int i, j;
++      int ret = 0;
+       if (damon_nr_running_ctxs())
+               return -EBUSY;
+@@ -867,14 +868,16 @@ static int dbgfs_rm_context(char *name)
+       new_dirs = kmalloc_array(dbgfs_nr_ctxs - 1, sizeof(*dbgfs_dirs),
+                       GFP_KERNEL);
+-      if (!new_dirs)
+-              return -ENOMEM;
++      if (!new_dirs) {
++              ret = -ENOMEM;
++              goto out_dput;
++      }
+       new_ctxs = kmalloc_array(dbgfs_nr_ctxs - 1, sizeof(*dbgfs_ctxs),
+                       GFP_KERNEL);
+       if (!new_ctxs) {
+-              kfree(new_dirs);
+-              return -ENOMEM;
++              ret = -ENOMEM;
++              goto out_new_dirs;
+       }
+       for (i = 0, j = 0; i < dbgfs_nr_ctxs; i++) {
+@@ -894,7 +897,13 @@ static int dbgfs_rm_context(char *name)
+       dbgfs_ctxs = new_ctxs;
+       dbgfs_nr_ctxs--;
+-      return 0;
++      goto out_dput;
++
++out_new_dirs:
++      kfree(new_dirs);
++out_dput:
++      dput(dir);
++      return ret;
+ }
+ static ssize_t dbgfs_rm_context_write(struct file *file,
diff --git a/queue-5.19/mm-fix-bug-splat-with-kvmalloc-gfp_atomic.patch b/queue-5.19/mm-fix-bug-splat-with-kvmalloc-gfp_atomic.patch
new file mode 100644 (file)
index 0000000..109c757
--- /dev/null
@@ -0,0 +1,54 @@
+From 30c19366636f72515679aa10dad61a4d988d4c9a Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 26 Sep 2022 17:16:50 +0200
+Subject: mm: fix BUG splat with kvmalloc + GFP_ATOMIC
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 30c19366636f72515679aa10dad61a4d988d4c9a upstream.
+
+Martin Zaharinov reports BUG with 5.19.10 kernel:
+ kernel BUG at mm/vmalloc.c:2437!
+ invalid opcode: 0000 [#1] SMP
+ CPU: 28 PID: 0 Comm: swapper/28 Tainted: G        W  O      5.19.9 #1
+ [..]
+ RIP: 0010:__get_vm_area_node+0x120/0x130
+  __vmalloc_node_range+0x96/0x1e0
+  kvmalloc_node+0x92/0xb0
+  bucket_table_alloc.isra.0+0x47/0x140
+  rhashtable_try_insert+0x3a4/0x440
+  rhashtable_insert_slow+0x1b/0x30
+ [..]
+
+bucket_table_alloc uses kvzalloc(GPF_ATOMIC).  If kmalloc fails, this now
+falls through to vmalloc and hits code paths that assume GFP_KERNEL.
+
+Link: https://lkml.kernel.org/r/20220926151650.15293-1-fw@strlen.de
+Fixes: a421ef303008 ("mm: allow !GFP_KERNEL allocations for kvmalloc")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Suggested-by: Michal Hocko <mhocko@suse.com>
+Link: https://lore.kernel.org/linux-mm/Yy3MS2uhSgjF47dy@pc636/T/#t
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reported-by: Martin Zaharinov <micron10@gmail.com>
+Cc: Uladzislau Rezki (Sony) <urezki@gmail.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/util.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -619,6 +619,10 @@ void *kvmalloc_node(size_t size, gfp_t f
+       if (ret || size <= PAGE_SIZE)
+               return ret;
++      /* non-sleeping allocations are not supported by vmalloc */
++      if (!gfpflags_allow_blocking(flags))
++              return NULL;
++
+       /* Don't even allow crazy sizes */
+       if (unlikely(size > INT_MAX)) {
+               WARN_ON_ONCE(!(flags & __GFP_NOWARN));
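Review bot: The new `!gfpflags_allow_blocking(flags)` return makes kvmalloc_node() fail outright for non-blocking requests larger than a page once the kmalloc attempt has failed, and that contract is not stated anywhere in the visible lines. The function's header comment is outside this hunk; if it does not already say so, it should carry something like `Non-blocking flags never fall back to vmalloc; the caller gets NULL and must handle it.` The check is also placed ahead of the `size > INT_MAX` test, so an oversized non-blocking request now returns NULL without reaching that WARN_ON_ONCE, which may or may not be intended.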
diff --git a/queue-5.19/mmc-hsq-fix-data-stomping-during-mmc-recovery.patch b/queue-5.19/mmc-hsq-fix-data-stomping-during-mmc-recovery.patch
new file mode 100644 (file)
index 0000000..9b9e60a
--- /dev/null
@@ -0,0 +1,38 @@
+From e7afa79a3b35a27a046a2139f8b20bd6b98155c2 Mon Sep 17 00:00:00 2001
+From: Wenchao Chen <wenchao.chen@unisoc.com>
+Date: Fri, 16 Sep 2022 17:05:06 +0800
+Subject: mmc: hsq: Fix data stomping during mmc recovery
+
+From: Wenchao Chen <wenchao.chen@unisoc.com>
+
+commit e7afa79a3b35a27a046a2139f8b20bd6b98155c2 upstream.
+
+The block device uses multiple queues to access emmc. There will be up to 3
+requests in the hsq of the host. The current code will check whether there
+is a request doing recovery before entering the queue, but it will not check
+whether there is a request when the lock is issued. The request is in recovery
+mode. If there is a request in recovery, then a read and write request is
+initiated at this time, and the conflict between the request and the recovery
+request will cause the data to be trampled.
+
+Signed-off-by: Wenchao Chen <wenchao.chen@unisoc.com>
+Fixes: 511ce378e16f ("mmc: Add MMC host software queue support")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20220916090506.10662-1-wenchao.chen666@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mmc_hsq.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/mmc_hsq.c
++++ b/drivers/mmc/host/mmc_hsq.c
+@@ -34,7 +34,7 @@ static void mmc_hsq_pump_requests(struct
+       spin_lock_irqsave(&hsq->lock, flags);
+       /* Make sure we are not already running a request now */
+-      if (hsq->mrq) {
++      if (hsq->mrq || hsq->recovery_halt) {
+               spin_unlock_irqrestore(&hsq->lock, flags);
+               return;
+       }
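Review bot: The comment above the changed condition still reads "Make sure we are not already running a request now", but the test now also bails out while `hsq->recovery_halt` is set. I would reword it to `/* Do not dispatch while a request is in flight or recovery is in progress */` so the reason for the second operand stays next to the code. mmc_hsq_pump_requests continues past the end of the hunk.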
diff --git a/queue-5.19/mmc-moxart-fix-4-bit-bus-width-and-remove-8-bit-bus-width.patch b/queue-5.19/mmc-moxart-fix-4-bit-bus-width-and-remove-8-bit-bus-width.patch
new file mode 100644 (file)
index 0000000..29060ea
--- /dev/null
@@ -0,0 +1,75 @@
+From 35ca91d1338ae158f6dcc0de5d1e86197924ffda Mon Sep 17 00:00:00 2001
+From: Sergei Antonov <saproj@gmail.com>
+Date: Wed, 7 Sep 2022 23:57:53 +0300
+Subject: mmc: moxart: fix 4-bit bus width and remove 8-bit bus width
+
+From: Sergei Antonov <saproj@gmail.com>
+
+commit 35ca91d1338ae158f6dcc0de5d1e86197924ffda upstream.
+
+According to the datasheet [1] at page 377, 4-bit bus width is turned on by
+bit 2 of the Bus Width Register. Thus the current bitmask is wrong: define
+BUS_WIDTH_4 BIT(1)
+
+BIT(1) does not work but BIT(2) works. This has been verified on real MOXA
+hardware with FTSDC010 controller revision 1_6_0.
+
+The corrected value of BUS_WIDTH_4 mask collides with: define BUS_WIDTH_8
+BIT(2). Additionally, 8-bit bus width mode isn't supported according to the
+datasheet, so let's remove the corresponding code.
+
+[1]
+https://bitbucket.org/Kasreyn/mkrom-uc7112lx/src/master/documents/FIC8120_DS_v1.2.pdf
+
+Fixes: 1b66e94e6b99 ("mmc: moxart: Add MOXA ART SD/MMC driver")
+Signed-off-by: Sergei Antonov <saproj@gmail.com>
+Cc: Jonas Jensen <jonas.jensen@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20220907205753.1577434-1-saproj@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/moxart-mmc.c |   17 +++--------------
+ 1 file changed, 3 insertions(+), 14 deletions(-)
+
+--- a/drivers/mmc/host/moxart-mmc.c
++++ b/drivers/mmc/host/moxart-mmc.c
+@@ -111,8 +111,8 @@
+ #define CLK_DIV_MASK          0x7f
+ /* REG_BUS_WIDTH */
+-#define BUS_WIDTH_8           BIT(2)
+-#define BUS_WIDTH_4           BIT(1)
++#define BUS_WIDTH_4_SUPPORT   BIT(3)
++#define BUS_WIDTH_4           BIT(2)
+ #define BUS_WIDTH_1           BIT(0)
+ #define MMC_VDD_360           23
+@@ -524,9 +524,6 @@ static void moxart_set_ios(struct mmc_ho
+       case MMC_BUS_WIDTH_4:
+               writel(BUS_WIDTH_4, host->base + REG_BUS_WIDTH);
+               break;
+-      case MMC_BUS_WIDTH_8:
+-              writel(BUS_WIDTH_8, host->base + REG_BUS_WIDTH);
+-              break;
+       default:
+               writel(BUS_WIDTH_1, host->base + REG_BUS_WIDTH);
+               break;
+@@ -651,16 +648,8 @@ static int moxart_probe(struct platform_
+               dmaengine_slave_config(host->dma_chan_rx, &cfg);
+       }
+-      switch ((readl(host->base + REG_BUS_WIDTH) >> 3) & 3) {
+-      case 1:
++      if (readl(host->base + REG_BUS_WIDTH) & BUS_WIDTH_4_SUPPORT)
+               mmc->caps |= MMC_CAP_4_BIT_DATA;
+-              break;
+-      case 2:
+-              mmc->caps |= MMC_CAP_4_BIT_DATA | MMC_CAP_8_BIT_DATA;
+-              break;
+-      default:
+-              break;
+-      }
+       writel(0, host->base + REG_INTERRUPT_MASK);
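Review bot: The probe-time capability check changes from decoding a two-bit field, `(readl(host->base + REG_BUS_WIDTH) >> 3) & 3`, to testing bit 3 alone, and this alters the result for two of the four encodings. A controller reporting field value 2 used to get MMC_CAP_4_BIT_DATA (together with the 8-bit cap) and now gets neither, while value 3 used to get nothing and now gets 4-bit. The commit message only justifies dropping 8-bit mode, so it would help to confirm against the datasheet that bit 4 carries no meaning and to record that next to the define, e.g. `#define BUS_WIDTH_4_SUPPORT BIT(3) /* capability bit: 4-bit mode supported */`. moxart_probe and moxart_set_ios both extend outside the hunks shown.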
diff --git a/queue-5.19/mptcp-factor-out-__mptcp_close-without-socket-lock.patch b/queue-5.19/mptcp-factor-out-__mptcp_close-without-socket-lock.patch
new file mode 100644 (file)
index 0000000..b372d1e
--- /dev/null
@@ -0,0 +1,75 @@
+From 26d3e21ce1aab6cb19069c510fac8e7474445b18 Mon Sep 17 00:00:00 2001
+From: Menglong Dong <imagedong@tencent.com>
+Date: Tue, 27 Sep 2022 12:31:57 -0700
+Subject: mptcp: factor out __mptcp_close() without socket lock
+
+From: Menglong Dong <imagedong@tencent.com>
+
+commit 26d3e21ce1aab6cb19069c510fac8e7474445b18 upstream.
+
+Factor out __mptcp_close() from mptcp_close(). The caller of
+__mptcp_close() should hold the socket lock, and cancel mptcp work when
+__mptcp_close() returns true.
+
+This function will be used in the next commit.
+
+Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests")
+Fixes: 6aeed9045071 ("mptcp: fix race on unaccepted mptcp sockets")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jiang Biao <benbjiang@tencent.com>
+Reviewed-by: Mengen Sun <mengensun@tencent.com>
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Menglong Dong <imagedong@tencent.com>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c |   14 ++++++++++++--
+ net/mptcp/protocol.h |    1 +
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -2832,13 +2832,12 @@ static void __mptcp_destroy_sock(struct
+       sock_put(sk);
+ }
+-static void mptcp_close(struct sock *sk, long timeout)
++bool __mptcp_close(struct sock *sk, long timeout)
+ {
+       struct mptcp_subflow_context *subflow;
+       struct mptcp_sock *msk = mptcp_sk(sk);
+       bool do_cancel_work = false;
+-      lock_sock(sk);
+       sk->sk_shutdown = SHUTDOWN_MASK;
+       if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE)) {
+@@ -2880,6 +2879,17 @@ cleanup:
+       } else {
+               mptcp_reset_timeout(msk, 0);
+       }
++
++      return do_cancel_work;
++}
++
++static void mptcp_close(struct sock *sk, long timeout)
++{
++      bool do_cancel_work;
++
++      lock_sock(sk);
++
++      do_cancel_work = __mptcp_close(sk, timeout);
+       release_sock(sk);
+       if (do_cancel_work)
+               mptcp_cancel_work(sk);
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -613,6 +613,7 @@ void mptcp_subflow_reset(struct sock *ss
+ void mptcp_subflow_queue_clean(struct sock *ssk);
+ void mptcp_sock_graft(struct sock *sk, struct socket *parent);
+ struct socket *__mptcp_nmpc_socket(const struct mptcp_sock *msk);
++bool __mptcp_close(struct sock *sk, long timeout);
+ bool mptcp_addresses_equal(const struct mptcp_addr_info *a,
+                          const struct mptcp_addr_info *b, bool use_port);
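Review bot: __mptcp_close() loses both `static` and its own `lock_sock(sk)`, so the requirement that the caller holds the socket lock now lives only in the commit message. A short comment above the definition, e.g. `/* Caller must hold the msk socket lock; returns true if mptcp work must be cancelled after release_sock(). */`, would document the contract where other callers will see it. Adding `sock_owned_by_me(sk);` as the first statement would additionally let lockdep flag a caller that forgets. The middle of the function body lies outside the hunks.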
diff --git a/queue-5.19/mptcp-fix-unreleased-socket-in-accept-queue.patch b/queue-5.19/mptcp-fix-unreleased-socket-in-accept-queue.patch
new file mode 100644 (file)
index 0000000..560cf4e
--- /dev/null
@@ -0,0 +1,168 @@
+From 30e51b923e436b631e8d5b77fa5e318c6b066dc7 Mon Sep 17 00:00:00 2001
+From: Menglong Dong <imagedong@tencent.com>
+Date: Tue, 27 Sep 2022 12:31:58 -0700
+Subject: mptcp: fix unreleased socket in accept queue
+
+From: Menglong Dong <imagedong@tencent.com>
+
+commit 30e51b923e436b631e8d5b77fa5e318c6b066dc7 upstream.
+
+The mptcp socket and its subflow sockets in accept queue can't be
+released after the process exit.
+
+While the release of a mptcp socket in listening state, the
+corresponding tcp socket will be released too. Meanwhile, the tcp
+socket in the unaccept queue will be released too. However, only init
+subflow is in the unaccept queue, and the joined subflow is not in the
+unaccept queue, which makes the joined subflow won't be released, and
+therefore the corresponding unaccepted mptcp socket will not be released
+to.
+
+This can be reproduced easily with following steps:
+
+1. create 2 namespace and veth:
+   $ ip netns add mptcp-client
+   $ ip netns add mptcp-server
+   $ sysctl -w net.ipv4.conf.all.rp_filter=0
+   $ ip netns exec mptcp-client sysctl -w net.mptcp.enabled=1
+   $ ip netns exec mptcp-server sysctl -w net.mptcp.enabled=1
+   $ ip link add red-client netns mptcp-client type veth peer red-server \
+     netns mptcp-server
+   $ ip -n mptcp-server address add 10.0.0.1/24 dev red-server
+   $ ip -n mptcp-server address add 192.168.0.1/24 dev red-server
+   $ ip -n mptcp-client address add 10.0.0.2/24 dev red-client
+   $ ip -n mptcp-client address add 192.168.0.2/24 dev red-client
+   $ ip -n mptcp-server link set red-server up
+   $ ip -n mptcp-client link set red-client up
+
+2. configure the endpoint and limit for client and server:
+   $ ip -n mptcp-server mptcp endpoint flush
+   $ ip -n mptcp-server mptcp limits set subflow 2 add_addr_accepted 2
+   $ ip -n mptcp-client mptcp endpoint flush
+   $ ip -n mptcp-client mptcp limits set subflow 2 add_addr_accepted 2
+   $ ip -n mptcp-client mptcp endpoint add 192.168.0.2 dev red-client id \
+     1 subflow
+
+3. listen and accept on a port, such as 9999. The nc command we used
+   here is modified, which makes it use mptcp protocol by default.
+   $ ip netns exec mptcp-server nc -l -k -p 9999
+
+4. open another *two* terminal and use each of them to connect to the
+   server with the following command:
+   $ ip netns exec mptcp-client nc 10.0.0.1 9999
+   Input something after connect to trigger the connection of the second
+   subflow. So that there are two established mptcp connections, with the
+   second one still unaccepted.
+
+5. exit all the nc command, and check the tcp socket in server namespace.
+   And you will find that there is one tcp socket in CLOSE_WAIT state
+   and can't release forever.
+
+Fix this by closing all of the unaccepted mptcp socket in
+mptcp_subflow_queue_clean() with __mptcp_close().
+
+Now, we can ensure that all unaccepted mptcp sockets will be cleaned by
+__mptcp_close() before they are released, so mptcp_sock_destruct(), which
+is used to clean the unaccepted mptcp socket, is not needed anymore.
+
+The selftests for mptcp is ran for this commit, and no new failures.
+
+Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests")
+Fixes: 6aeed9045071 ("mptcp: fix race on unaccepted mptcp sockets")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jiang Biao <benbjiang@tencent.com>
+Reviewed-by: Mengen Sun <mengensun@tencent.com>
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Menglong Dong <imagedong@tencent.com>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c |    2 +-
+ net/mptcp/protocol.h |    1 +
+ net/mptcp/subflow.c  |   33 +++++++--------------------------
+ 3 files changed, 9 insertions(+), 27 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -2692,7 +2692,7 @@ static void __mptcp_clear_xmit(struct so
+               dfrag_clear(sk, dfrag);
+ }
+-static void mptcp_cancel_work(struct sock *sk)
++void mptcp_cancel_work(struct sock *sk)
+ {
+       struct mptcp_sock *msk = mptcp_sk(sk);
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -614,6 +614,7 @@ void mptcp_subflow_queue_clean(struct so
+ void mptcp_sock_graft(struct sock *sk, struct socket *parent);
+ struct socket *__mptcp_nmpc_socket(const struct mptcp_sock *msk);
+ bool __mptcp_close(struct sock *sk, long timeout);
++void mptcp_cancel_work(struct sock *sk);
+ bool mptcp_addresses_equal(const struct mptcp_addr_info *a,
+                          const struct mptcp_addr_info *b, bool use_port);
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -602,30 +602,6 @@ static bool subflow_hmac_valid(const str
+       return !crypto_memneq(hmac, mp_opt->hmac, MPTCPOPT_HMAC_LEN);
+ }
+-static void mptcp_sock_destruct(struct sock *sk)
+-{
+-      /* if new mptcp socket isn't accepted, it is free'd
+-       * from the tcp listener sockets request queue, linked
+-       * from req->sk.  The tcp socket is released.
+-       * This calls the ULP release function which will
+-       * also remove the mptcp socket, via
+-       * sock_put(ctx->conn).
+-       *
+-       * Problem is that the mptcp socket will be in
+-       * ESTABLISHED state and will not have the SOCK_DEAD flag.
+-       * Both result in warnings from inet_sock_destruct.
+-       */
+-      if ((1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_CLOSE_WAIT)) {
+-              sk->sk_state = TCP_CLOSE;
+-              WARN_ON_ONCE(sk->sk_socket);
+-              sock_orphan(sk);
+-      }
+-
+-      /* We don't need to clear msk->subflow, as it's still NULL at this point */
+-      mptcp_destroy_common(mptcp_sk(sk), 0);
+-      inet_sock_destruct(sk);
+-}
+-
+ static void mptcp_force_close(struct sock *sk)
+ {
+       /* the msk is not yet exposed to user-space */
+@@ -768,7 +744,6 @@ create_child:
+                       /* new mpc subflow takes ownership of the newly
+                        * created mptcp socket
+                        */
+-                      new_msk->sk_destruct = mptcp_sock_destruct;
+                       mptcp_sk(new_msk)->setsockopt_seq = ctx->setsockopt_seq;
+                       mptcp_pm_new_connection(mptcp_sk(new_msk), child, 1);
+                       mptcp_token_accept(subflow_req, mptcp_sk(new_msk));
+@@ -1763,13 +1738,19 @@ void mptcp_subflow_queue_clean(struct so
+       for (msk = head; msk; msk = next) {
+               struct sock *sk = (struct sock *)msk;
+-              bool slow;
++              bool slow, do_cancel_work;
++              sock_hold(sk);
+               slow = lock_sock_fast_nested(sk);
+               next = msk->dl_next;
+               msk->first = NULL;
+               msk->dl_next = NULL;
++
++              do_cancel_work = __mptcp_close(sk, 0);
+               unlock_sock_fast(sk, slow);
++              if (do_cancel_work)
++                      mptcp_cancel_work(sk);
++              sock_put(sk);
+       }
+       /* we are still under the listener msk socket lock */
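Review bot: In the `mptcp_subflow_queue_clean()` loop, `__mptcp_close(sk, 0)` now runs between `lock_sock_fast_nested()` and `unlock_sock_fast()`. On its fast path that lock variant returns with the socket spinlock held and bottom halves disabled, so any step of the close path that can sleep would execute in atomic context. Only the edges of `__mptcp_close()` are visible on this page, so treat this as something to verify rather than a confirmed defect. If the close path can block, take the full lock instead, `lock_sock_nested(sk, SINGLE_DEPTH_NESTING);` paired with `release_sock(sk);`, and drop `slow`. The enclosing function begins and ends outside the hunk.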
diff --git a/queue-5.19/net-mt7531-only-do-pll-once-after-the-reset.patch b/queue-5.19/net-mt7531-only-do-pll-once-after-the-reset.patch
new file mode 100644 (file)
index 0000000..5d10924
--- /dev/null
@@ -0,0 +1,75 @@
+From 42bc4fafe359ed6b73602b7a2dba0dd99588f8ce Mon Sep 17 00:00:00 2001
+From: Alexander Couzens <lynxis@fe80.eu>
+Date: Sat, 17 Sep 2022 02:07:33 +0200
+Subject: net: mt7531: only do PLL once after the reset
+
+From: Alexander Couzens <lynxis@fe80.eu>
+
+commit 42bc4fafe359ed6b73602b7a2dba0dd99588f8ce upstream.
+
+Move the PLL init of the switch out of the pad configuration of the port
+6 (usally cpu port).
+
+Fix a unidirectional 100 mbit limitation on 1 gbit or 2.5 gbit links for
+outbound traffic on port 5 or port 6.
+
+Fixes: c288575f7810 ("net: dsa: mt7530: Add the support of MT7531 switch")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mt7530.c |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -506,14 +506,19 @@ static bool mt7531_dual_sgmii_supported(
+ static int
+ mt7531_pad_setup(struct dsa_switch *ds, phy_interface_t interface)
+ {
+-      struct mt7530_priv *priv = ds->priv;
++      return 0;
++}
++
++static void
++mt7531_pll_setup(struct mt7530_priv *priv)
++{
+       u32 top_sig;
+       u32 hwstrap;
+       u32 xtal;
+       u32 val;
+       if (mt7531_dual_sgmii_supported(priv))
+-              return 0;
++              return;
+       val = mt7530_read(priv, MT7531_CREV);
+       top_sig = mt7530_read(priv, MT7531_TOP_SIG_SR);
+@@ -592,8 +597,6 @@ mt7531_pad_setup(struct dsa_switch *ds,
+       val |= EN_COREPLL;
+       mt7530_write(priv, MT7531_PLLGP_EN, val);
+       usleep_range(25, 35);
+-
+-      return 0;
+ }
+ static void
+@@ -2310,6 +2313,8 @@ mt7531_setup(struct dsa_switch *ds)
+                    SYS_CTRL_PHY_RST | SYS_CTRL_SW_RST |
+                    SYS_CTRL_REG_RST);
++      mt7531_pll_setup(priv);
++
+       if (mt7531_dual_sgmii_supported(priv)) {
+               priv->p5_intf_sel = P5_INTF_SEL_GMAC5_SGMII;
+@@ -2863,8 +2868,6 @@ mt7531_cpu_port_config(struct dsa_switch
+       case 6:
+               interface = PHY_INTERFACE_MODE_2500BASEX;
+-              mt7531_pad_setup(ds, interface);
+-
+               priv->p6_interface = interface;
+               break;
+       default:
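Review bot: After the split, `mt7531_pad_setup()` is an empty stub that returns 0 and ignores both `ds` and `interface`, and its only call visible here (case 6 of `mt7531_cpu_port_config`) is removed. If the function is kept because something outside these hunks still references it, a one-line comment would stop it being mistaken for dead code, e.g. `/* PLL init now runs once from mt7531_setup() via mt7531_pll_setup(); nothing to do per port. */`. The bodies of `mt7531_setup()` and `mt7531_cpu_port_config()` start and end outside the hunks shown.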
diff --git a/queue-5.19/ntfs-fix-bug_on-in-ntfs_lookup_inode_by_name.patch b/queue-5.19/ntfs-fix-bug_on-in-ntfs_lookup_inode_by_name.patch
new file mode 100644 (file)
index 0000000..999ba3c
--- /dev/null
@@ -0,0 +1,81 @@
+From 1b513f613731e2afc05550e8070d79fac80c661e Mon Sep 17 00:00:00 2001
+From: ChenXiaoSong <chenxiaosong2@huawei.com>
+Date: Tue, 9 Aug 2022 14:47:30 +0800
+Subject: ntfs: fix BUG_ON in ntfs_lookup_inode_by_name()
+
+From: ChenXiaoSong <chenxiaosong2@huawei.com>
+
+commit 1b513f613731e2afc05550e8070d79fac80c661e upstream.
+
+Syzkaller reported BUG_ON as follows:
+
+------------[ cut here ]------------
+kernel BUG at fs/ntfs/dir.c:86!
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 3 PID: 758 Comm: a.out Not tainted 5.19.0-next-20220808 #5
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+RIP: 0010:ntfs_lookup_inode_by_name+0xd11/0x2d10
+Code: ff e9 b9 01 00 00 e8 1e fe d6 fe 48 8b 7d 98 49 8d 5d 07 e8 91 85 29 ff 48 c7 45 98 00 00 00 00 e9 5a fb ff ff e8 ff fd d6 fe <0f> 0b e8 f8 fd d6 fe 0f 0b e8 f1 fd d6 fe 48 8b b5 50 ff ff ff 4c
+RSP: 0018:ffff888079607978 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: 0000000000008000 RCX: 0000000000000000
+RDX: ffff88807cf10000 RSI: ffffffff82a4a081 RDI: 0000000000000003
+RBP: ffff888079607a70 R08: 0000000000000001 R09: ffff88807a6d01d7
+R10: ffffed100f4da03a R11: 0000000000000000 R12: ffff88800f0fb110
+R13: ffff88800f0ee000 R14: ffff88800f0fb000 R15: 0000000000000001
+FS:  00007f33b63c7540(0000) GS:ffff888108580000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f33b635c090 CR3: 000000000f39e005 CR4: 0000000000770ee0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ load_system_files+0x1f7f/0x3620
+ ntfs_fill_super+0xa01/0x1be0
+ mount_bdev+0x36a/0x440
+ ntfs_mount+0x3a/0x50
+ legacy_get_tree+0xfb/0x210
+ vfs_get_tree+0x8f/0x2f0
+ do_new_mount+0x30a/0x760
+ path_mount+0x4de/0x1880
+ __x64_sys_mount+0x2b3/0x340
+ do_syscall_64+0x38/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7f33b62ff9ea
+Code: 48 8b 0d a9 f4 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 76 f4 0b 00 f7 d8 64 89 01 48
+RSP: 002b:00007ffd0c471aa8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f33b62ff9ea
+RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd0c471be0
+RBP: 00007ffd0c471c60 R08: 00007ffd0c471ae0 R09: 00007ffd0c471c24
+R10: 0000000000000000 R11: 0000000000000202 R12: 000055bac5afc160
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+Modules linked in:
+---[ end trace 0000000000000000 ]---
+
+Fix this by adding sanity check on extended system files' directory inode
+to ensure that it is directory, just like ntfs_extend_init() when mounting
+ntfs3.
+
+Link: https://lkml.kernel.org/r/20220809064730.2316892-1-chenxiaosong2@huawei.com
+Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
+Cc: Anton Altaparmakov <anton@tuxera.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ntfs/super.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ntfs/super.c
++++ b/fs/ntfs/super.c
+@@ -2092,7 +2092,8 @@ get_ctx_vol_failed:
+       // TODO: Initialize security.
+       /* Get the extended system files' directory inode. */
+       vol->extend_ino = ntfs_iget(sb, FILE_Extend);
+-      if (IS_ERR(vol->extend_ino) || is_bad_inode(vol->extend_ino)) {
++      if (IS_ERR(vol->extend_ino) || is_bad_inode(vol->extend_ino) ||
++          !S_ISDIR(vol->extend_ino->i_mode)) {
+               if (!IS_ERR(vol->extend_ino))
+                       iput(vol->extend_ino);
+               ntfs_error(sb, "Failed to load $Extend.");
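Review bot: The added `!S_ISDIR(vol->extend_ino->i_mode)` test shares the generic `Failed to load $Extend.` message with the `ntfs_iget()` failure and bad-inode cases, so a mount log cannot tell a corrupt or crafted image, where $Extend is not a directory, from an I/O failure. A short comment above the condition would record why the check exists, e.g. `/* $Extend must be a directory; otherwise the later name lookup trips a BUG_ON. */`, and a distinct message for the non-directory case would help triage. The dereference is safe as written because `IS_ERR()` is evaluated first. The error branch continues past the end of the hunk.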
diff --git a/queue-5.19/powerpc-64s-radix-don-t-need-to-broadcast-ipi-for-radix-pmd-collapse-flush.patch b/queue-5.19/powerpc-64s-radix-don-t-need-to-broadcast-ipi-for-radix-pmd-collapse-flush.patch
new file mode 100644 (file)
index 0000000..0e9afa6
--- /dev/null
@@ -0,0 +1,55 @@
+From bedf03416913d88c796288f9dca109a53608c745 Mon Sep 17 00:00:00 2001
+From: Yang Shi <shy828301@gmail.com>
+Date: Wed, 7 Sep 2022 11:01:44 -0700
+Subject: powerpc/64s/radix: don't need to broadcast IPI for radix pmd collapse flush
+
+From: Yang Shi <shy828301@gmail.com>
+
+commit bedf03416913d88c796288f9dca109a53608c745 upstream.
+
+The IPI broadcast is used to serialize against fast-GUP, but fast-GUP will
+move to use RCU instead of disabling local interrupts in fast-GUP.  Using
+an IPI is the old-styled way of serializing against fast-GUP although it
+still works as expected now.
+
+And fast-GUP now fixed the potential race with THP collapse by checking
+whether PMD is changed or not.  So IPI broadcast in radix pmd collapse
+flush is not necessary anymore.  But it is still needed for hash TLB.
+
+Link: https://lkml.kernel.org/r/20220907180144.555485-2-shy828301@gmail.com
+Suggested-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Signed-off-by: Yang Shi <shy828301@gmail.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Acked-by: Peter Xu <peterx@redhat.com>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Jason Gunthorpe <jgg@nvidia.com>
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/mm/book3s64/radix_pgtable.c |    9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/arch/powerpc/mm/book3s64/radix_pgtable.c
++++ b/arch/powerpc/mm/book3s64/radix_pgtable.c
+@@ -937,15 +937,6 @@ pmd_t radix__pmdp_collapse_flush(struct
+       pmd = *pmdp;
+       pmd_clear(pmdp);
+-      /*
+-       * pmdp collapse_flush need to ensure that there are no parallel gup
+-       * walk after this call. This is needed so that we can have stable
+-       * page ref count when collapsing a page. We don't allow a collapse page
+-       * if we have gup taken on the page. We can ensure that by sending IPI
+-       * because gup walk happens with IRQ disabled.
+-       */
+-      serialize_against_pte_lookup(vma->vm_mm);
+-
+       radix__flush_tlb_collapsed_pmd(vma->vm_mm, address);
+       return pmd;
diff --git a/queue-5.19/revert-firmware-arm_scmi-add-clock-management-to-the-scmi-power-domain.patch b/queue-5.19/revert-firmware-arm_scmi-add-clock-management-to-the-scmi-power-domain.patch
new file mode 100644 (file)
index 0000000..14356a0
--- /dev/null
@@ -0,0 +1,88 @@
+From 3c6656337852e9f1a4079d172f3fddfbf00868f9 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Mon, 19 Sep 2022 14:20:33 +0200
+Subject: Revert "firmware: arm_scmi: Add clock management to the SCMI power domain"
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 3c6656337852e9f1a4079d172f3fddfbf00868f9 upstream.
+
+This reverts commit a3b884cef873 ("firmware: arm_scmi: Add clock management
+to the SCMI power domain").
+
+Using the GENPD_FLAG_PM_CLK tells genpd to gate/ungate the consumer
+device's clock(s) during runtime suspend/resume through the PM clock API.
+More precisely, in genpd_runtime_resume() the clock(s) for the consumer
+device would become ungated prior to the driver-level ->runtime_resume()
+callbacks gets invoked.
+
+This behaviour isn't a good fit for all platforms/drivers. For example, a
+driver may need to make some preparations of its device in its
+->runtime_resume() callback, like calling clk_set_rate() before the
+clock(s) should be ungated. In these cases, it's easier to let the clock(s)
+to be managed solely by the driver, rather than at the PM domain level.
+
+For these reasons, let's drop the use GENPD_FLAG_PM_CLK for the SCMI PM
+domain, as to enable it to be more easily adopted across ARM platforms.
+
+Fixes: a3b884cef873 ("firmware: arm_scmi: Add clock management to the SCMI power domain")
+Cc: Nicolas Pitre <npitre@baylibre.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Tested-by: Peng Fan <peng.fan@nxp.com>
+Acked-by: Sudeep Holla <sudeep.holla@arm.com>
+Link: https://lore.kernel.org/r/20220919122033.86126-1-ulf.hansson@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/arm_scmi/scmi_pm_domain.c |   26 --------------------------
+ 1 file changed, 26 deletions(-)
+
+--- a/drivers/firmware/arm_scmi/scmi_pm_domain.c
++++ b/drivers/firmware/arm_scmi/scmi_pm_domain.c
+@@ -8,7 +8,6 @@
+ #include <linux/err.h>
+ #include <linux/io.h>
+ #include <linux/module.h>
+-#include <linux/pm_clock.h>
+ #include <linux/pm_domain.h>
+ #include <linux/scmi_protocol.h>
+@@ -53,27 +52,6 @@ static int scmi_pd_power_off(struct gene
+       return scmi_pd_power(domain, false);
+ }
+-static int scmi_pd_attach_dev(struct generic_pm_domain *pd, struct device *dev)
+-{
+-      int ret;
+-
+-      ret = pm_clk_create(dev);
+-      if (ret)
+-              return ret;
+-
+-      ret = of_pm_clk_add_clks(dev);
+-      if (ret >= 0)
+-              return 0;
+-
+-      pm_clk_destroy(dev);
+-      return ret;
+-}
+-
+-static void scmi_pd_detach_dev(struct generic_pm_domain *pd, struct device *dev)
+-{
+-      pm_clk_destroy(dev);
+-}
+-
+ static int scmi_pm_domain_probe(struct scmi_device *sdev)
+ {
+       int num_domains, i;
+@@ -124,10 +102,6 @@ static int scmi_pm_domain_probe(struct s
+               scmi_pd->genpd.name = scmi_pd->name;
+               scmi_pd->genpd.power_off = scmi_pd_power_off;
+               scmi_pd->genpd.power_on = scmi_pd_power_on;
+-              scmi_pd->genpd.attach_dev = scmi_pd_attach_dev;
+-              scmi_pd->genpd.detach_dev = scmi_pd_detach_dev;
+-              scmi_pd->genpd.flags = GENPD_FLAG_PM_CLK |
+-                                     GENPD_FLAG_ACTIVE_WAKEUP;
+               pm_genpd_init(&scmi_pd->genpd, NULL,
+                             state == SCMI_POWER_STATE_GENERIC_OFF);
index 43db211e211cf32d6e16aac668676011da65e31e..a5244e13265460af83881ae7509d3e9900d41342 100644 (file)
@@ -17,3 +17,18 @@ wifi-mac80211-ensure-vif-queues-are-operational-after-start.patch
 x86-sgx-do-not-fail-on-incomplete-sanitization-on-premature-stop-of-ksgxd.patch
 frontswap-don-t-call-init-if-no-ops-are-registered.patch
 arm-dts-integrator-tag-pci-host-with-device_type.patch
+ntfs-fix-bug_on-in-ntfs_lookup_inode_by_name.patch
+x86-uaccess-avoid-check_object_size-in-copy_from_user_nmi.patch
+mm-damon-dbgfs-fix-memory-leak-when-using-debugfs_lookup.patch
+net-mt7531-only-do-pll-once-after-the-reset.patch
+revert-firmware-arm_scmi-add-clock-management-to-the-scmi-power-domain.patch
+powerpc-64s-radix-don-t-need-to-broadcast-ipi-for-radix-pmd-collapse-flush.patch
+drm-i915-gt-restrict-forced-preemption-to-the-active-context.patch
+drm-amdgpu-add-amdgpu-suspend-resume-code-path-under-sriov.patch
+vduse-prevent-uninitialized-memory-accesses.patch
+libata-add-ata_horkage_nolpm-for-pioneer-bdr-207m-and-bdr-205.patch
+mm-fix-bug-splat-with-kvmalloc-gfp_atomic.patch
+mptcp-factor-out-__mptcp_close-without-socket-lock.patch
+mptcp-fix-unreleased-socket-in-accept-queue.patch
+mmc-moxart-fix-4-bit-bus-width-and-remove-8-bit-bus-width.patch
+mmc-hsq-fix-data-stomping-during-mmc-recovery.patch
diff --git a/queue-5.19/vduse-prevent-uninitialized-memory-accesses.patch b/queue-5.19/vduse-prevent-uninitialized-memory-accesses.patch
new file mode 100644 (file)
index 0000000..27e9bb0
--- /dev/null
@@ -0,0 +1,51 @@
+From 46f8a29272e51b6df7393d58fc5cb8967397ef2b Mon Sep 17 00:00:00 2001
+From: Maxime Coquelin <maxime.coquelin@redhat.com>
+Date: Wed, 31 Aug 2022 17:49:23 +0200
+Subject: vduse: prevent uninitialized memory accesses
+
+From: Maxime Coquelin <maxime.coquelin@redhat.com>
+
+commit 46f8a29272e51b6df7393d58fc5cb8967397ef2b upstream.
+
+If the VDUSE application provides a smaller config space
+than the driver expects, the driver may use uninitialized
+memory from the stack.
+
+This patch prevents it by initializing the buffer passed by
+the driver to store the config value.
+
+This fix addresses CVE-2022-2308.
+
+Cc: stable@vger.kernel.org # v5.15+
+Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
+Reviewed-by: Xie Yongji <xieyongji@bytedance.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+Message-Id: <20220831154923.97809-1-maxime.coquelin@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vdpa/vdpa_user/vduse_dev.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/vdpa/vdpa_user/vduse_dev.c
++++ b/drivers/vdpa/vdpa_user/vduse_dev.c
+@@ -662,10 +662,15 @@ static void vduse_vdpa_get_config(struct
+ {
+       struct vduse_dev *dev = vdpa_to_vduse(vdpa);
+-      if (offset > dev->config_size ||
+-          len > dev->config_size - offset)
++      /* Initialize the buffer in case of partial copy. */
++      memset(buf, 0, len);
++
++      if (offset > dev->config_size)
+               return;
++      if (len > dev->config_size - offset)
++              len = dev->config_size - offset;
++
+       memcpy(buf, dev->config + offset, len);
+ }
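Review bot: The comment above the new `memset(buf, 0, len)` mentions only the partial-copy case, but the zeroing also protects the `offset > dev->config_size` early return, where nothing is copied at all. I would word it to cover both, e.g. `/* Zero buf first: a short or out-of-range read must never return uninitialized bytes to the driver. */`. The clamp of `len` also truncates silently, so a driver that asks for more config space than the VDUSE application provided gets zero padding with no diagnostic. Whether that deserves a rate-limited warning is a judgment call. The function signature is cut off in the hunk header.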
diff --git a/queue-5.19/x86-uaccess-avoid-check_object_size-in-copy_from_user_nmi.patch b/queue-5.19/x86-uaccess-avoid-check_object_size-in-copy_from_user_nmi.patch
new file mode 100644 (file)
index 0000000..894ebf2
--- /dev/null
@@ -0,0 +1,65 @@
+From 59298997df89e19aad426d4ae0a7e5037074da5a Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 19 Sep 2022 13:16:48 -0700
+Subject: x86/uaccess: avoid check_object_size() in copy_from_user_nmi()
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 59298997df89e19aad426d4ae0a7e5037074da5a upstream.
+
+The check_object_size() helper under CONFIG_HARDENED_USERCOPY is designed
+to skip any checks where the length is known at compile time as a
+reasonable heuristic to avoid "likely known-good" cases.  However, it can
+only do this when the copy_*_user() helpers are, themselves, inline too.
+
+Using find_vmap_area() requires taking a spinlock.  The
+check_object_size() helper can call find_vmap_area() when the destination
+is in vmap memory.  If show_regs() is called in interrupt context, it will
+attempt a call to copy_from_user_nmi(), which may call check_object_size()
+and then find_vmap_area().  If something in normal context happens to be
+in the middle of calling find_vmap_area() (with the spinlock held), the
+interrupt handler will hang forever.
+
+The copy_from_user_nmi() call is actually being called with a fixed-size
+length, so check_object_size() should never have been called in the first
+place.  Given the narrow constraints, just replace the
+__copy_from_user_inatomic() call with an open-coded version that calls
+only into the sanitizers and not check_object_size(), followed by a call
+to raw_copy_from_user().
+
+[akpm@linux-foundation.org: no instrument_copy_from_user() in my tree...]
+Link: https://lkml.kernel.org/r/20220919201648.2250764-1-keescook@chromium.org
+Link: https://lore.kernel.org/all/CAOUHufaPshtKrTWOz7T7QFYUNVGFm0JBjvM700Nhf9qEL9b3EQ@mail.gmail.com
+Fixes: 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reported-by: Yu Zhao <yuzhao@google.com>
+Reported-by: Florian Lehner <dev@der-flo.net>
+Suggested-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Florian Lehner <dev@der-flo.net>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Josh Poimboeuf <jpoimboe@kernel.org>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/lib/usercopy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/lib/usercopy.c b/arch/x86/lib/usercopy.c
+index ad0139d25401..f1bb18617156 100644
+--- a/arch/x86/lib/usercopy.c
++++ b/arch/x86/lib/usercopy.c
+@@ -44,7 +44,7 @@ copy_from_user_nmi(void *to, const void __user *from, unsigned long n)
+        * called from other contexts.
+        */
+       pagefault_disable();
+-      ret = __copy_from_user_inatomic(to, from, n);
++      ret = raw_copy_from_user(to, from, n);
+       pagefault_enable();
+       return ret;
+-- 
+2.37.3
+
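Review bot: The replacement line `ret = raw_copy_from_user(to, from, n);` has no sanitizer hook, although the description speaks of an open-coded version that still calls into the sanitizers. The bracketed note in the description says instrument_copy_from_user() is not available in this tree, which would explain the omission. Writes to `to` on this path are therefore presumably no longer seen by KASAN/KCSAN, and that is worth recording at the call site. Suggest a comment such as `/* raw variant on purpose: check_object_size() may take the vmap spinlock and hang in NMI/IRQ context; no sanitizer hook here */`. The function body starts above the hunk.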