6.2-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 17 Apr 2023 07:07:03 +0000 (09:07 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 17 Apr 2023 07:07:03 +0000 (09:07 +0200)
added patches:
hid-intel-ish-hid-fix-kernel-panic-during-warm-reset.patch
ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
net-phy-nxp-c45-tja11xx-add-remove-callback.patch
net-phy-nxp-c45-tja11xx-fix-unsigned-long-multiplication-overflow.patch
net-sfp-initialize-sfp-i2c_block_size-at-sfp-allocation.patch
riscv-add-icache-flush-for-nommu-sigreturn-trampoline.patch
riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch
riscv-move-early-dtb-mapping-into-the-fixmap-region.patch
riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch

queue-6.2/hid-intel-ish-hid-fix-kernel-panic-during-warm-reset.patch [new file with mode: 0644]
queue-6.2/ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch [new file with mode: 0644]
queue-6.2/net-phy-nxp-c45-tja11xx-add-remove-callback.patch [new file with mode: 0644]
queue-6.2/net-phy-nxp-c45-tja11xx-fix-unsigned-long-multiplication-overflow.patch [new file with mode: 0644]
queue-6.2/net-sfp-initialize-sfp-i2c_block_size-at-sfp-allocation.patch [new file with mode: 0644]
queue-6.2/riscv-add-icache-flush-for-nommu-sigreturn-trampoline.patch [new file with mode: 0644]
queue-6.2/riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch [new file with mode: 0644]
queue-6.2/riscv-move-early-dtb-mapping-into-the-fixmap-region.patch [new file with mode: 0644]
queue-6.2/riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch [new file with mode: 0644]
queue-6.2/series

diff --git a/queue-6.2/hid-intel-ish-hid-fix-kernel-panic-during-warm-reset.patch b/queue-6.2/hid-intel-ish-hid-fix-kernel-panic-during-warm-reset.patch
new file mode 100644 (file)
index 0000000..529597a
--- /dev/null
@@ -0,0 +1,59 @@
+From 38518593ec55e897abda4b4be77b2ec8ec4447d1 Mon Sep 17 00:00:00 2001
+From: Tanu Malhotra <tanu.malhotra@intel.com>
+Date: Mon, 27 Mar 2023 11:58:38 -0700
+Subject: HID: intel-ish-hid: Fix kernel panic during warm reset
+
+From: Tanu Malhotra <tanu.malhotra@intel.com>
+
+commit 38518593ec55e897abda4b4be77b2ec8ec4447d1 upstream.
+
+During warm reset device->fw_client is set to NULL. If a bus driver is
+registered after this NULL setting and before new firmware clients are
+enumerated by ISHTP, kernel panic will result in the function
+ishtp_cl_bus_match(). This is because of reference to
+device->fw_client->props.protocol_name.
+
+ISH firmware after getting successfully loaded, sends a warm reset
+notification to remove all clients from the bus and sets
+device->fw_client to NULL. Until kernel v5.15, all enabled ISHTP kernel
+module drivers were loaded right after any of the first ISHTP device was
+registered, regardless of whether it was a matched or an unmatched
+device. This resulted in all drivers getting registered much before the
+warm reset notification from ISH.
+
+Starting kernel v5.16, this issue got exposed after the change was
+introduced to load only bus drivers for the respective matching devices.
+In this scenario, cros_ec_ishtp device and cros_ec_ishtp driver are
+registered after the warm reset device fw_client NULL setting.
+cros_ec_ishtp driver_register() triggers the callback to
+ishtp_cl_bus_match() to match ISHTP driver to the device and causes kernel
+panic in guid_equal() when dereferencing fw_client NULL pointer to get
+protocol_name.
+
+Fixes: f155dfeaa4ee ("platform/x86: isthp_eclite: only load for matching devices")
+Fixes: facfe0a4fdce ("platform/chrome: chros_ec_ishtp: only load for matching devices")
+Fixes: 0d0cccc0fd83 ("HID: intel-ish-hid: hid-client: only load for matching devices")
+Fixes: 44e2a58cb880 ("HID: intel-ish-hid: fw-loader: only load for matching devices")
+Cc: <stable@vger.kernel.org> # 5.16+
+Signed-off-by: Tanu Malhotra <tanu.malhotra@intel.com>
+Tested-by: Shaunak Saha <shaunak.saha@intel.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/intel-ish-hid/ishtp/bus.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/intel-ish-hid/ishtp/bus.c
++++ b/drivers/hid/intel-ish-hid/ishtp/bus.c
+@@ -241,8 +241,8 @@ static int ishtp_cl_bus_match(struct dev
+       struct ishtp_cl_device *device = to_ishtp_cl_device(dev);
+       struct ishtp_cl_driver *driver = to_ishtp_cl_driver(drv);
+-      return guid_equal(&driver->id[0].guid,
+-                        &device->fw_client->props.protocol_name);
++      return(device->fw_client ? guid_equal(&driver->id[0].guid,
++             &device->fw_client->props.protocol_name) : 0);
+ }
+ /**
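Review bot: The new return in ishtp_cl_bus_match() reads `device->fw_client` twice, once for the NULL test and once for the dereference, so a warm reset that clears the pointer between the two reads would still hit the NULL dereference this patch is meant to prevent. No lock is visible in the hunk, so whether the reset path can run concurrently with driver matching has to be confirmed against the rest of bus.c. A single snapshot closes that window: `struct ishtp_fw_client *client = READ_ONCE(device->fw_client);` followed by `return client ? guid_equal(&driver->id[0].guid, &client->props.protocol_name) : 0;`. A snapshot does not keep the object alive, so the lifetime of the old fw_client across a reset remains a separate question.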
diff --git a/queue-6.2/ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch b/queue-6.2/ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
new file mode 100644 (file)
index 0000000..475cdb7
--- /dev/null
@@ -0,0 +1,68 @@
+From e7067a446264a7514fa1cfaa4052cdb6803bc6a2 Mon Sep 17 00:00:00 2001
+From: David Disseldorp <ddiss@suse.de>
+Date: Thu, 13 Apr 2023 23:49:57 +0900
+Subject: ksmbd: avoid out of bounds access in decode_preauth_ctxt()
+
+From: David Disseldorp <ddiss@suse.de>
+
+commit e7067a446264a7514fa1cfaa4052cdb6803bc6a2 upstream.
+
+Confirm that the accessed pneg_ctxt->HashAlgorithms address sits within
+the SMB request boundary; deassemble_neg_contexts() only checks that the
+eight byte smb2_neg_context header + (client controlled) DataLength are
+within the packet boundary, which is insufficient.
+
+Checking for sizeof(struct smb2_preauth_neg_context) is overkill given
+that the type currently assumes SMB311_SALT_SIZE bytes of trailing Salt.
+
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb2pdu.c |   23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -872,17 +872,21 @@ static void assemble_neg_contexts(struct
+ }
+ static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn,
+-                                struct smb2_preauth_neg_context *pneg_ctxt)
++                                struct smb2_preauth_neg_context *pneg_ctxt,
++                                int len_of_ctxts)
+ {
+-      __le32 err = STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
++      /*
++       * sizeof(smb2_preauth_neg_context) assumes SMB311_SALT_SIZE Salt,
++       * which may not be present. Only check for used HashAlgorithms[1].
++       */
++      if (len_of_ctxts < MIN_PREAUTH_CTXT_DATA_LEN)
++              return STATUS_INVALID_PARAMETER;
+-      if (pneg_ctxt->HashAlgorithms == SMB2_PREAUTH_INTEGRITY_SHA512) {
+-              conn->preauth_info->Preauth_HashId =
+-                      SMB2_PREAUTH_INTEGRITY_SHA512;
+-              err = STATUS_SUCCESS;
+-      }
++      if (pneg_ctxt->HashAlgorithms != SMB2_PREAUTH_INTEGRITY_SHA512)
++              return STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
+-      return err;
++      conn->preauth_info->Preauth_HashId = SMB2_PREAUTH_INTEGRITY_SHA512;
++      return STATUS_SUCCESS;
+ }
+ static void decode_encrypt_ctxt(struct ksmbd_conn *conn,
+@@ -1010,7 +1014,8 @@ static __le32 deassemble_neg_contexts(st
+                               break;
+                       status = decode_preauth_ctxt(conn,
+-                                                   (struct smb2_preauth_neg_context *)pctx);
++                                                   (struct smb2_preauth_neg_context *)pctx,
++                                                   len_of_ctxts);
+                       if (status != STATUS_SUCCESS)
+                               break;
+               } else if (pctx->ContextType == SMB2_ENCRYPTION_CAPABILITIES) {
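Review bot: The length check added to decode_preauth_ctxt() (first hunk) compares `len_of_ctxts` against `MIN_PREAUTH_CTXT_DATA_LEN`, but `pneg_ctxt` is the context pointer cast from `pctx`, so `HashAlgorithms` sits behind the eight-byte smb2_neg_context header that the commit message mentions. The macro is defined outside this patch; if it counts only the data bytes after the header, as its name suggests, a client-chosen length between the two values passes the check and the read of `pneg_ctxt->HashAlgorithms` can still land past the end of the SMB request. The bound should then include the header: `if (len_of_ctxts < (int)sizeof(struct smb2_neg_context) + MIN_PREAUTH_CTXT_DATA_LEN)`. As far as the call site shows, `len_of_ctxts` is also the space left for all remaining contexts rather than this context's own DataLength, so the check does not confine the read to the current context.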
diff --git a/queue-6.2/net-phy-nxp-c45-tja11xx-add-remove-callback.patch b/queue-6.2/net-phy-nxp-c45-tja11xx-add-remove-callback.patch
new file mode 100644 (file)
index 0000000..d982c89
--- /dev/null
@@ -0,0 +1,51 @@
+From a4506722dc39ca840593f14e3faa4c9ba9408211 Mon Sep 17 00:00:00 2001
+From: "Radu Pirea (OSS)" <radu-nicolae.pirea@oss.nxp.com>
+Date: Thu, 6 Apr 2023 12:59:04 +0300
+Subject: net: phy: nxp-c45-tja11xx: add remove callback
+
+From: Radu Pirea (OSS) <radu-nicolae.pirea@oss.nxp.com>
+
+commit a4506722dc39ca840593f14e3faa4c9ba9408211 upstream.
+
+Unregister PTP clock when the driver is removed.
+Purge the RX and TX skb queues.
+
+Fixes: 514def5dd339 ("phy: nxp-c45-tja11xx: add timestamping support")
+CC: stable@vger.kernel.org # 5.15+
+Signed-off-by: Radu Pirea (OSS) <radu-nicolae.pirea@oss.nxp.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20230406095904.75456-1-radu-nicolae.pirea@oss.nxp.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/nxp-c45-tja11xx.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/net/phy/nxp-c45-tja11xx.c
++++ b/drivers/net/phy/nxp-c45-tja11xx.c
+@@ -1337,6 +1337,17 @@ no_ptp_support:
+       return ret;
+ }
++static void nxp_c45_remove(struct phy_device *phydev)
++{
++      struct nxp_c45_phy *priv = phydev->priv;
++
++      if (priv->ptp_clock)
++              ptp_clock_unregister(priv->ptp_clock);
++
++      skb_queue_purge(&priv->tx_queue);
++      skb_queue_purge(&priv->rx_queue);
++}
++
+ static struct phy_driver nxp_c45_driver[] = {
+       {
+               PHY_ID_MATCH_MODEL(PHY_ID_TJA_1103),
+@@ -1359,6 +1370,7 @@ static struct phy_driver nxp_c45_driver[
+               .set_loopback           = genphy_c45_loopback,
+               .get_sqi                = nxp_c45_get_sqi,
+               .get_sqi_max            = nxp_c45_get_sqi_max,
++              .remove                 = nxp_c45_remove,
+       },
+ };
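Review bot: nxp_c45_remove() purges `tx_queue` and `rx_queue` unconditionally while the clock unregister is guarded by `priv->ptp_clock`, so the purge is only safe if probe initialises both queues on the `no_ptp_support` path as well. Probe is outside the hunk, so this needs confirming. The function also relies on nothing enqueueing skbs once `ptp_clock_unregister()` has returned. If both hold, record it above the purge, for example `/* queues are initialised in probe even without PTP; nothing enqueues once the clock is gone */`.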
diff --git a/queue-6.2/net-phy-nxp-c45-tja11xx-fix-unsigned-long-multiplication-overflow.patch b/queue-6.2/net-phy-nxp-c45-tja11xx-fix-unsigned-long-multiplication-overflow.patch
new file mode 100644 (file)
index 0000000..bb0d734
--- /dev/null
@@ -0,0 +1,38 @@
+From bdaaecc127d471c422ee9e994978617c8aa79e1e Mon Sep 17 00:00:00 2001
+From: "Radu Pirea (OSS)" <radu-nicolae.pirea@oss.nxp.com>
+Date: Thu, 6 Apr 2023 12:59:53 +0300
+Subject: net: phy: nxp-c45-tja11xx: fix unsigned long multiplication overflow
+
+From: Radu Pirea (OSS) <radu-nicolae.pirea@oss.nxp.com>
+
+commit bdaaecc127d471c422ee9e994978617c8aa79e1e upstream.
+
+Any multiplication between GENMASK(31, 0) and a number bigger than 1
+will be truncated because of the overflow, if the size of unsigned long
+is 32 bits.
+
+Replaced GENMASK with GENMASK_ULL to make sure that multiplication will
+be between 64 bits values.
+
+Cc: <stable@vger.kernel.org> # 5.15+
+Fixes: 514def5dd339 ("phy: nxp-c45-tja11xx: add timestamping support")
+Signed-off-by: Radu Pirea (OSS) <radu-nicolae.pirea@oss.nxp.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20230406095953.75622-1-radu-nicolae.pirea@oss.nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/nxp-c45-tja11xx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/nxp-c45-tja11xx.c
++++ b/drivers/net/phy/nxp-c45-tja11xx.c
+@@ -191,7 +191,7 @@
+ #define MAX_ID_PS                     2260U
+ #define DEFAULT_ID_PS                 2000U
+-#define PPM_TO_SUBNS_INC(ppb) div_u64(GENMASK(31, 0) * (ppb) * \
++#define PPM_TO_SUBNS_INC(ppb) div_u64(GENMASK_ULL(31, 0) * (ppb) * \
+                                       PTP_CLK_PERIOD_100BT1, NSEC_PER_SEC)
+ #define NXP_C45_SKB_CB(skb)   ((struct nxp_c45_skb_cb *)(skb)->cb)
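Review bot: `PPM_TO_SUBNS_INC(ppb)` is named for parts per million while its parameter is called `ppb`, and after this fix its correctness depends on the whole product being formed in 64 bits, which nothing at the definition says. A comment above the macro would cover both, for example `/* argument is presumably in ppb despite the macro name; GENMASK_ULL keeps the product 64-bit on 32-bit builds */`. Whether a caller can pass a negative value, which would convert to a very large u64 in this expression, is not visible in the hunk and is worth checking at the call sites.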
diff --git a/queue-6.2/net-sfp-initialize-sfp-i2c_block_size-at-sfp-allocation.patch b/queue-6.2/net-sfp-initialize-sfp-i2c_block_size-at-sfp-allocation.patch
new file mode 100644 (file)
index 0000000..05dbaa9
--- /dev/null
@@ -0,0 +1,78 @@
+From 813c2dd78618f108fdcf9cd726ea90f081ee2881 Mon Sep 17 00:00:00 2001
+From: Ivan Bornyakov <i.bornyakov@metrotek.ru>
+Date: Thu, 6 Apr 2023 16:08:32 +0300
+Subject: net: sfp: initialize sfp->i2c_block_size at sfp allocation
+
+From: Ivan Bornyakov <i.bornyakov@metrotek.ru>
+
+commit 813c2dd78618f108fdcf9cd726ea90f081ee2881 upstream.
+
+sfp->i2c_block_size is initialized at SFP module insertion in
+sfp_sm_mod_probe(). Because of that, if SFP module was never inserted
+since boot, sfp_read() call will lead to zero-length I2C read attempt,
+and not all I2C controllers are happy with zero-length reads.
+
+One way to issue sfp_read() on empty SFP cage is to execute ethtool -m.
+If SFP module was never plugged since boot, there will be a zero-length
+I2C read attempt.
+
+  # ethtool -m xge0
+  i2c i2c-3: adapter quirk: no zero length (addr 0x0050, size 0, read)
+  Cannot get Module EEPROM data: Operation not supported
+
+If SFP module was plugged then removed at least once,
+sfp->i2c_block_size will be initialized and ethtool -m will fail with
+different exit code and without I2C error
+
+  # ethtool -m xge0
+  Cannot get Module EEPROM data: Remote I/O error
+
+Fix this by initializing sfp->i2_block_size at struct sfp allocation
+stage so no wild sfp_read() could issue zero-length I2C read.
+
+Signed-off-by: Ivan Bornyakov <i.bornyakov@metrotek.ru>
+Fixes: 0d035bed2a4a ("net: sfp: VSOL V2801F / CarlitoxxPro CPGOS03-0490 v2.0 workaround")
+Cc: stable@vger.kernel.org
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/sfp.c |   13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/phy/sfp.c
++++ b/drivers/net/phy/sfp.c
+@@ -212,6 +212,12 @@ static const enum gpiod_flags gpio_flags
+ #define SFP_PHY_ADDR          22
+ #define SFP_PHY_ADDR_ROLLBALL 17
++/* SFP_EEPROM_BLOCK_SIZE is the size of data chunk to read the EEPROM
++ * at a time. Some SFP modules and also some Linux I2C drivers do not like
++ * reads longer than 16 bytes.
++ */
++#define SFP_EEPROM_BLOCK_SIZE 16
++
+ struct sff_data {
+       unsigned int gpios;
+       bool (*module_supported)(const struct sfp_eeprom_id *id);
+@@ -1927,11 +1933,7 @@ static int sfp_sm_mod_probe(struct sfp *
+       u8 check;
+       int ret;
+-      /* Some SFP modules and also some Linux I2C drivers do not like reads
+-       * longer than 16 bytes, so read the EEPROM in chunks of 16 bytes at
+-       * a time.
+-       */
+-      sfp->i2c_block_size = 16;
++      sfp->i2c_block_size = SFP_EEPROM_BLOCK_SIZE;
+       ret = sfp_read(sfp, false, 0, &id.base, sizeof(id.base));
+       if (ret < 0) {
+@@ -2614,6 +2616,7 @@ static struct sfp *sfp_alloc(struct devi
+               return ERR_PTR(-ENOMEM);
+       sfp->dev = dev;
++      sfp->i2c_block_size = SFP_EEPROM_BLOCK_SIZE;
+       mutex_init(&sfp->sm_mutex);
+       mutex_init(&sfp->st_mutex);
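Review bot: After this change `sfp->i2c_block_size` is set to `SFP_EEPROM_BLOCK_SIZE` both in sfp_alloc() and at the top of sfp_sm_mod_probe(), and the comment that used to explain the probe-time assignment has moved to the macro, so the second assignment now reads as redundant. If it is kept to restore the default after an earlier module changed the block size (the Fixes tag points at a module workaround, but that code is outside these hunks), say so at the assignment: `/* restore the default; a previously inserted module may have changed it */`. Both functions continue beyond the hunks shown.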
diff --git a/queue-6.2/riscv-add-icache-flush-for-nommu-sigreturn-trampoline.patch b/queue-6.2/riscv-add-icache-flush-for-nommu-sigreturn-trampoline.patch
new file mode 100644 (file)
index 0000000..0258cd6
--- /dev/null
@@ -0,0 +1,58 @@
+From 8d736482749f6d350892ef83a7a11d43cd49981e Mon Sep 17 00:00:00 2001
+From: Mathis Salmen <mathis.salmen@matsal.de>
+Date: Thu, 6 Apr 2023 12:11:31 +0200
+Subject: riscv: add icache flush for nommu sigreturn trampoline
+
+From: Mathis Salmen <mathis.salmen@matsal.de>
+
+commit 8d736482749f6d350892ef83a7a11d43cd49981e upstream.
+
+In a NOMMU kernel, sigreturn trampolines are generated on the user
+stack by setup_rt_frame. Currently, these trampolines are not instruction
+fenced, thus their visibility to ifetch is not guaranteed.
+
+This patch adds a flush_icache_range in setup_rt_frame to fix this
+problem.
+
+Signed-off-by: Mathis Salmen <mathis.salmen@matsal.de>
+Fixes: 6bd33e1ece52 ("riscv: add nommu support")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230406101130.82304-1-mathis.salmen@matsal.de
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/signal.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/riscv/kernel/signal.c
++++ b/arch/riscv/kernel/signal.c
+@@ -19,6 +19,7 @@
+ #include <asm/signal32.h>
+ #include <asm/switch_to.h>
+ #include <asm/csr.h>
++#include <asm/cacheflush.h>
+ extern u32 __user_rt_sigreturn[2];
+@@ -181,6 +182,7 @@ static int setup_rt_frame(struct ksignal
+ {
+       struct rt_sigframe __user *frame;
+       long err = 0;
++      unsigned long __maybe_unused addr;
+       frame = get_sigframe(ksig, regs, sizeof(*frame));
+       if (!access_ok(frame, sizeof(*frame)))
+@@ -209,7 +211,12 @@ static int setup_rt_frame(struct ksignal
+       if (copy_to_user(&frame->sigreturn_code, __user_rt_sigreturn,
+                        sizeof(frame->sigreturn_code)))
+               return -EFAULT;
+-      regs->ra = (unsigned long)&frame->sigreturn_code;
++
++      addr = (unsigned long)&frame->sigreturn_code;
++      /* Make sure the two instructions are pushed to icache. */
++      flush_icache_range(addr, addr + sizeof(frame->sigreturn_code));
++
++      regs->ra = addr;
+ #endif /* CONFIG_MMU */
+       /*
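Review bot: The comment added before `flush_icache_range()` in setup_rt_frame() says the two instructions are "pushed to icache", which is not what the call is for; per the commit message the goal is that the trampoline just written with copy_to_user() becomes visible to instruction fetch. Suggested wording: `/* Make the sigreturn trampoline written above visible to instruction fetch. */`. The branch that uses `addr` opens outside the hunk, which is why the declaration needs `__maybe_unused`.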
diff --git a/queue-6.2/riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch b/queue-6.2/riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch
new file mode 100644 (file)
index 0000000..18cc469
--- /dev/null
@@ -0,0 +1,36 @@
+From f1581626071c8e37c58c5e8f0b4126b17172a211 Mon Sep 17 00:00:00 2001
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+Date: Wed, 29 Mar 2023 10:19:31 +0200
+Subject: riscv: Do not set initial_boot_params to the linear address of the dtb
+
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+
+commit f1581626071c8e37c58c5e8f0b4126b17172a211 upstream.
+
+early_init_dt_verify() is already called in parse_dtb() and since the dtb
+address does not change anymore (it is now in the fixmap region), no need
+to reset initial_boot_params by calling early_init_dt_verify() again.
+
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Link: https://lore.kernel.org/r/20230329081932.79831-3-alexghiti@rivosinc.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/setup.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/arch/riscv/kernel/setup.c
++++ b/arch/riscv/kernel/setup.c
+@@ -278,10 +278,7 @@ void __init setup_arch(char **cmdline_p)
+ #if IS_ENABLED(CONFIG_BUILTIN_DTB)
+       unflatten_and_copy_device_tree();
+ #else
+-      if (early_init_dt_verify(__va(XIP_FIXUP(dtb_early_pa))))
+-              unflatten_device_tree();
+-      else
+-              pr_err("No DTB found in kernel mappings\n");
++      unflatten_device_tree();
+ #endif
+       early_init_fdt_scan_reserved_mem();
+       misc_mem_init();
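Review bot: With the `early_init_dt_verify()` branch removed, setup_arch() calls `unflatten_device_tree()` unconditionally and the "No DTB found in kernel mappings" diagnostic is gone, so this path now depends entirely on parse_dtb() having validated the blob and reported any failure. parse_dtb() is not part of the hunk, so that should be confirmed. A comment at the call would record the dependency: `/* dtb was verified in parse_dtb(); its address no longer changes */`.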
diff --git a/queue-6.2/riscv-move-early-dtb-mapping-into-the-fixmap-region.patch b/queue-6.2/riscv-move-early-dtb-mapping-into-the-fixmap-region.patch
new file mode 100644 (file)
index 0000000..d029ddb
--- /dev/null
@@ -0,0 +1,251 @@
+From ef69d2559fe91f23d27a3d6fd640b5641787d22e Mon Sep 17 00:00:00 2001
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+Date: Wed, 29 Mar 2023 10:19:30 +0200
+Subject: riscv: Move early dtb mapping into the fixmap region
+
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+
+commit ef69d2559fe91f23d27a3d6fd640b5641787d22e upstream.
+
+riscv establishes 2 virtual mappings:
+
+- early_pg_dir maps the kernel which allows to discover the system
+  memory
+- swapper_pg_dir installs the final mapping (linear mapping included)
+
+We used to map the dtb in early_pg_dir using DTB_EARLY_BASE_VA, and this
+mapping was not carried over in swapper_pg_dir. It happens that
+early_init_fdt_scan_reserved_mem() must be called before swapper_pg_dir is
+setup otherwise we could allocate reserved memory defined in the dtb.
+And this function initializes reserved_mem variable with addresses that
+lie in the early_pg_dir dtb mapping: when those addresses are reused
+with swapper_pg_dir, this mapping does not exist and then we trap.
+
+The previous "fix" was incorrect as early_init_fdt_scan_reserved_mem()
+must be called before swapper_pg_dir is set up otherwise we could
+allocate in reserved memory defined in the dtb.
+
+So move the dtb mapping in the fixmap region which is established in
+early_pg_dir and handed over to swapper_pg_dir.
+
+Fixes: 922b0375fc93 ("riscv: Fix memblock reservation for device tree blob")
+Fixes: 8f3a2b4a96dc ("RISC-V: Move DT mapping outof fixmap")
+Fixes: 50e63dd8ed92 ("riscv: fix reserved memory setup")
+Reported-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://lore.kernel.org/all/f8e67f82-103d-156c-deb0-d6d6e2756f5e@microchip.com/
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Tested-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://lore.kernel.org/r/20230329081932.79831-2-alexghiti@rivosinc.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/riscv/vm-layout.rst |    6 +--
+ arch/riscv/include/asm/fixmap.h   |    8 ++++
+ arch/riscv/include/asm/pgtable.h  |    8 +++-
+ arch/riscv/kernel/setup.c         |    1 
+ arch/riscv/mm/init.c              |   61 +++++++++++++++++++++-----------------
+ 5 files changed, 51 insertions(+), 33 deletions(-)
+
+--- a/Documentation/riscv/vm-layout.rst
++++ b/Documentation/riscv/vm-layout.rst
+@@ -47,7 +47,7 @@ RISC-V Linux Kernel SV39
+                                                               | Kernel-space virtual memory, shared between all processes:
+   ____________________________________________________________|___________________________________________________________
+                     |            |                  |         |
+-   ffffffc6fee00000 | -228    GB | ffffffc6feffffff |    2 MB | fixmap
++   ffffffc6fea00000 | -228    GB | ffffffc6feffffff |    6 MB | fixmap
+    ffffffc6ff000000 | -228    GB | ffffffc6ffffffff |   16 MB | PCI io
+    ffffffc700000000 | -228    GB | ffffffc7ffffffff |    4 GB | vmemmap
+    ffffffc800000000 | -224    GB | ffffffd7ffffffff |   64 GB | vmalloc/ioremap space
+@@ -83,7 +83,7 @@ RISC-V Linux Kernel SV48
+                                                               | Kernel-space virtual memory, shared between all processes:
+   ____________________________________________________________|___________________________________________________________
+                     |            |                  |         |
+-   ffff8d7ffee00000 |  -114.5 TB | ffff8d7ffeffffff |    2 MB | fixmap
++   ffff8d7ffea00000 |  -114.5 TB | ffff8d7ffeffffff |    6 MB | fixmap
+    ffff8d7fff000000 |  -114.5 TB | ffff8d7fffffffff |   16 MB | PCI io
+    ffff8d8000000000 |  -114.5 TB | ffff8f7fffffffff |    2 TB | vmemmap
+    ffff8f8000000000 |  -112.5 TB | ffffaf7fffffffff |   32 TB | vmalloc/ioremap space
+@@ -119,7 +119,7 @@ RISC-V Linux Kernel SV57
+                                                               | Kernel-space virtual memory, shared between all processes:
+   ____________________________________________________________|___________________________________________________________
+                     |            |                  |         |
+-   ff1bfffffee00000 | -57     PB | ff1bfffffeffffff |    2 MB | fixmap
++   ff1bfffffea00000 | -57     PB | ff1bfffffeffffff |    6 MB | fixmap
+    ff1bffffff000000 | -57     PB | ff1bffffffffffff |   16 MB | PCI io
+    ff1c000000000000 | -57     PB | ff1fffffffffffff |    1 PB | vmemmap
+    ff20000000000000 | -56     PB | ff5fffffffffffff |   16 PB | vmalloc/ioremap space
+--- a/arch/riscv/include/asm/fixmap.h
++++ b/arch/riscv/include/asm/fixmap.h
+@@ -22,6 +22,14 @@
+  */
+ enum fixed_addresses {
+       FIX_HOLE,
++      /*
++       * The fdt fixmap mapping must be PMD aligned and will be mapped
++       * using PMD entries in fixmap_pmd in 64-bit and a PGD entry in 32-bit.
++       */
++      FIX_FDT_END,
++      FIX_FDT = FIX_FDT_END + FIX_FDT_SIZE / PAGE_SIZE - 1,
++
++      /* Below fixmaps will be mapped using fixmap_pte */
+       FIX_PTE,
+       FIX_PMD,
+       FIX_PUD,
+--- a/arch/riscv/include/asm/pgtable.h
++++ b/arch/riscv/include/asm/pgtable.h
+@@ -87,9 +87,13 @@
+ #define FIXADDR_TOP      PCI_IO_START
+ #ifdef CONFIG_64BIT
+-#define FIXADDR_SIZE     PMD_SIZE
++#define MAX_FDT_SIZE   PMD_SIZE
++#define FIX_FDT_SIZE   (MAX_FDT_SIZE + SZ_2M)
++#define FIXADDR_SIZE     (PMD_SIZE + FIX_FDT_SIZE)
+ #else
+-#define FIXADDR_SIZE     PGDIR_SIZE
++#define MAX_FDT_SIZE   PGDIR_SIZE
++#define FIX_FDT_SIZE   MAX_FDT_SIZE
++#define FIXADDR_SIZE     (PGDIR_SIZE + FIX_FDT_SIZE)
+ #endif
+ #define FIXADDR_START    (FIXADDR_TOP - FIXADDR_SIZE)
+--- a/arch/riscv/kernel/setup.c
++++ b/arch/riscv/kernel/setup.c
+@@ -280,7 +280,6 @@ void __init setup_arch(char **cmdline_p)
+ #else
+       unflatten_device_tree();
+ #endif
+-      early_init_fdt_scan_reserved_mem();
+       misc_mem_init();
+       init_resources();
+--- a/arch/riscv/mm/init.c
++++ b/arch/riscv/mm/init.c
+@@ -57,7 +57,6 @@ unsigned long empty_zero_page[PAGE_SIZE
+ EXPORT_SYMBOL(empty_zero_page);
+ extern char _start[];
+-#define DTB_EARLY_BASE_VA      PGDIR_SIZE
+ void *_dtb_early_va __initdata;
+ uintptr_t _dtb_early_pa __initdata;
+@@ -236,6 +235,14 @@ static void __init setup_bootmem(void)
+       set_max_mapnr(max_low_pfn - ARCH_PFN_OFFSET);
+       reserve_initrd_mem();
++
++      /*
++       * No allocation should be done before reserving the memory as defined
++       * in the device tree, otherwise the allocation could end up in a
++       * reserved region.
++       */
++      early_init_fdt_scan_reserved_mem();
++
+       /*
+        * If DTB is built in, no need to reserve its memblock.
+        * Otherwise, do reserve it but avoid using
+@@ -262,9 +269,6 @@ pgd_t trampoline_pg_dir[PTRS_PER_PGD] __
+ static pte_t fixmap_pte[PTRS_PER_PTE] __page_aligned_bss;
+ pgd_t early_pg_dir[PTRS_PER_PGD] __initdata __aligned(PAGE_SIZE);
+-static p4d_t __maybe_unused early_dtb_p4d[PTRS_PER_P4D] __initdata __aligned(PAGE_SIZE);
+-static pud_t __maybe_unused early_dtb_pud[PTRS_PER_PUD] __initdata __aligned(PAGE_SIZE);
+-static pmd_t __maybe_unused early_dtb_pmd[PTRS_PER_PMD] __initdata __aligned(PAGE_SIZE);
+ #ifdef CONFIG_XIP_KERNEL
+ #define pt_ops                        (*(struct pt_alloc_ops *)XIP_FIXUP(&pt_ops))
+@@ -609,9 +613,6 @@ static void __init create_p4d_mapping(p4
+ #define trampoline_pgd_next   (pgtable_l5_enabled ?                   \
+               (uintptr_t)trampoline_p4d : (pgtable_l4_enabled ?       \
+               (uintptr_t)trampoline_pud : (uintptr_t)trampoline_pmd))
+-#define early_dtb_pgd_next    (pgtable_l5_enabled ?                   \
+-              (uintptr_t)early_dtb_p4d : (pgtable_l4_enabled ?        \
+-              (uintptr_t)early_dtb_pud : (uintptr_t)early_dtb_pmd))
+ #else
+ #define pgd_next_t            pte_t
+ #define alloc_pgd_next(__va)  pt_ops.alloc_pte(__va)
+@@ -619,7 +620,6 @@ static void __init create_p4d_mapping(p4
+ #define create_pgd_next_mapping(__nextp, __va, __pa, __sz, __prot)    \
+       create_pte_mapping(__nextp, __va, __pa, __sz, __prot)
+ #define fixmap_pgd_next               ((uintptr_t)fixmap_pte)
+-#define early_dtb_pgd_next    ((uintptr_t)early_dtb_pmd)
+ #define create_p4d_mapping(__pmdp, __va, __pa, __sz, __prot) do {} while(0)
+ #define create_pud_mapping(__pmdp, __va, __pa, __sz, __prot) do {} while(0)
+ #define create_pmd_mapping(__pmdp, __va, __pa, __sz, __prot) do {} while(0)
+@@ -843,32 +843,28 @@ static void __init create_kernel_page_ta
+  * this means 2 PMD entries whereas for 32-bit kernel, this is only 1 PGDIR
+  * entry.
+  */
+-static void __init create_fdt_early_page_table(pgd_t *pgdir, uintptr_t dtb_pa)
++static void __init create_fdt_early_page_table(pgd_t *pgdir,
++                                             uintptr_t fix_fdt_va,
++                                             uintptr_t dtb_pa)
+ {
+-#ifndef CONFIG_BUILTIN_DTB
+       uintptr_t pa = dtb_pa & ~(PMD_SIZE - 1);
+-      create_pgd_mapping(early_pg_dir, DTB_EARLY_BASE_VA,
+-                         IS_ENABLED(CONFIG_64BIT) ? early_dtb_pgd_next : pa,
+-                         PGDIR_SIZE,
+-                         IS_ENABLED(CONFIG_64BIT) ? PAGE_TABLE : PAGE_KERNEL);
+-
+-      if (pgtable_l5_enabled)
+-              create_p4d_mapping(early_dtb_p4d, DTB_EARLY_BASE_VA,
+-                                 (uintptr_t)early_dtb_pud, P4D_SIZE, PAGE_TABLE);
+-
+-      if (pgtable_l4_enabled)
+-              create_pud_mapping(early_dtb_pud, DTB_EARLY_BASE_VA,
+-                                 (uintptr_t)early_dtb_pmd, PUD_SIZE, PAGE_TABLE);
++#ifndef CONFIG_BUILTIN_DTB
++      /* Make sure the fdt fixmap address is always aligned on PMD size */
++      BUILD_BUG_ON(FIX_FDT % (PMD_SIZE / PAGE_SIZE));
+-      if (IS_ENABLED(CONFIG_64BIT)) {
+-              create_pmd_mapping(early_dtb_pmd, DTB_EARLY_BASE_VA,
++      /* In 32-bit only, the fdt lies in its own PGD */
++      if (!IS_ENABLED(CONFIG_64BIT)) {
++              create_pgd_mapping(early_pg_dir, fix_fdt_va,
++                                 pa, MAX_FDT_SIZE, PAGE_KERNEL);
++      } else {
++              create_pmd_mapping(fixmap_pmd, fix_fdt_va,
+                                  pa, PMD_SIZE, PAGE_KERNEL);
+-              create_pmd_mapping(early_dtb_pmd, DTB_EARLY_BASE_VA + PMD_SIZE,
++              create_pmd_mapping(fixmap_pmd, fix_fdt_va + PMD_SIZE,
+                                  pa + PMD_SIZE, PMD_SIZE, PAGE_KERNEL);
+       }
+-      dtb_early_va = (void *)DTB_EARLY_BASE_VA + (dtb_pa & (PMD_SIZE - 1));
++      dtb_early_va = (void *)fix_fdt_va + (dtb_pa & (PMD_SIZE - 1));
+ #else
+       /*
+        * For 64-bit kernel, __va can't be used since it would return a linear
+@@ -1038,7 +1034,8 @@ asmlinkage void __init setup_vm(uintptr_
+       create_kernel_page_table(early_pg_dir, true);
+       /* Setup early mapping for FDT early scan */
+-      create_fdt_early_page_table(early_pg_dir, dtb_pa);
++      create_fdt_early_page_table(early_pg_dir,
++                                  __fix_to_virt(FIX_FDT), dtb_pa);
+       /*
+        * Bootime fixmap only can handle PMD_SIZE mapping. Thus, boot-ioremap
+@@ -1080,6 +1077,16 @@ static void __init setup_vm_final(void)
+       u64 i;
+       /* Setup swapper PGD for fixmap */
++#if !defined(CONFIG_64BIT)
++      /*
++       * In 32-bit, the device tree lies in a pgd entry, so it must be copied
++       * directly in swapper_pg_dir in addition to the pgd entry that points
++       * to fixmap_pte.
++       */
++      unsigned long idx = pgd_index(__fix_to_virt(FIX_FDT));
++
++      set_pgd(&swapper_pg_dir[idx], early_pg_dir[idx]);
++#endif
+       create_pgd_mapping(swapper_pg_dir, FIXADDR_START,
+                          __pa_symbol(fixmap_pgd_next),
+                          PGDIR_SIZE, PAGE_TABLE);
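Review bot: In pgtable.h the 64-bit `FIX_FDT_SIZE` is written as `MAX_FDT_SIZE + SZ_2M`, while create_fdt_early_page_table() in mm/init.c maps exactly two `PMD_SIZE` entries, so the reserved fixmap window and the mapped window agree only as long as PMD_SIZE is 2 MB. Nothing in the patch says why the extra 2 MB is there; from the code it covers a dtb that starts at an arbitrary offset inside its first PMD. I would use the same constant on both sides, `#define FIX_FDT_SIZE   (MAX_FDT_SIZE + PMD_SIZE)`, or keep the definition and add `/* one extra PMD: the dtb may start anywhere inside the first one */`. The new `BUILD_BUG_ON` checks only the alignment of FIX_FDT, not this relation.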
diff --git a/queue-6.2/riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch b/queue-6.2/riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch
new file mode 100644 (file)
index 0000000..e830e2b
--- /dev/null
@@ -0,0 +1,58 @@
+From 1b50f956c8fe9082bdee4a9cfd798149c52f7043 Mon Sep 17 00:00:00 2001
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+Date: Wed, 29 Mar 2023 10:19:32 +0200
+Subject: riscv: No need to relocate the dtb as it lies in the fixmap region
+
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+
+commit 1b50f956c8fe9082bdee4a9cfd798149c52f7043 upstream.
+
+We used to access the dtb via its linear mapping address but now that the
+dtb early mapping was moved in the fixmap region, we can keep using this
+address since it is present in swapper_pg_dir, and remove the dtb
+relocation.
+
+Note that the relocation was wrong anyway since early_memremap() is
+restricted to 256K whereas the maximum fdt size is 2MB.
+
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Tested-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://lore.kernel.org/r/20230329081932.79831-4-alexghiti@rivosinc.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/mm/init.c |   21 ++-------------------
+ 1 file changed, 2 insertions(+), 19 deletions(-)
+
+--- a/arch/riscv/mm/init.c
++++ b/arch/riscv/mm/init.c
+@@ -242,25 +242,8 @@ static void __init setup_bootmem(void)
+        * early_init_fdt_reserve_self() since __pa() does
+        * not work for DTB pointers that are fixmap addresses
+        */
+-      if (!IS_ENABLED(CONFIG_BUILTIN_DTB)) {
+-              /*
+-               * In case the DTB is not located in a memory region we won't
+-               * be able to locate it later on via the linear mapping and
+-               * get a segfault when accessing it via __va(dtb_early_pa).
+-               * To avoid this situation copy DTB to a memory region.
+-               * Note that memblock_phys_alloc will also reserve DTB region.
+-               */
+-              if (!memblock_is_memory(dtb_early_pa)) {
+-                      size_t fdt_size = fdt_totalsize(dtb_early_va);
+-                      phys_addr_t new_dtb_early_pa = memblock_phys_alloc(fdt_size, PAGE_SIZE);
+-                      void *new_dtb_early_va = early_memremap(new_dtb_early_pa, fdt_size);
+-
+-                      memcpy(new_dtb_early_va, dtb_early_va, fdt_size);
+-                      early_memunmap(new_dtb_early_va, fdt_size);
+-                      _dtb_early_pa = new_dtb_early_pa;
+-              } else
+-                      memblock_reserve(dtb_early_pa, fdt_totalsize(dtb_early_va));
+-      }
++      if (!IS_ENABLED(CONFIG_BUILTIN_DTB))
++              memblock_reserve(dtb_early_pa, fdt_totalsize(dtb_early_va));
+       dma_contiguous_reserve(dma32_phys_limit);
+       if (IS_ENABLED(CONFIG_64BIT))
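Review bot: `memblock_reserve(dtb_early_pa, fdt_totalsize(dtb_early_va))` in setup_bootmem() takes the size straight from the dtb header, and nothing in the hunk bounds it by the window the early mapping covers (the commit message gives 2 MB as the maximum fdt size). Whether the header has been validated before this point is outside the hunk. If it has not, a blob declaring a larger totalsize gets more memory reserved than was ever mapped; a check before the reserve would make that visible, for example `if (fdt_totalsize(dtb_early_va) > MAX_FDT_SIZE) pr_warn("dtb larger than the early fixmap window\n");`. setup_bootmem() starts and ends outside the hunk.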
index cd19a4ae3369ba71e46c2d1f817b6e5ba814cc30..c70b1a2e5ecbe866812f9a39e67efaddc510bf3d 100644 (file)
@@ -100,3 +100,12 @@ acpi-resource-add-medion-s17413-to-irq-override-quir.patch
 tracing-add-trace_array_puts-to-write-into-instance.patch
 tracing-have-tracing_snapshot_instance_cond-write-er.patch
 maple_tree-fix-write-memory-barrier-of-nodes-once-de.patch
+ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
+riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch
+riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch
+riscv-move-early-dtb-mapping-into-the-fixmap-region.patch
+riscv-add-icache-flush-for-nommu-sigreturn-trampoline.patch
+hid-intel-ish-hid-fix-kernel-panic-during-warm-reset.patch
+net-sfp-initialize-sfp-i2c_block_size-at-sfp-allocation.patch
+net-phy-nxp-c45-tja11xx-add-remove-callback.patch
+net-phy-nxp-c45-tja11xx-fix-unsigned-long-multiplication-overflow.patch
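Review bot: The three riscv dtb patches are queued in a different order than they were posted: the Link trailers number "Move early dtb mapping into the fixmap region" as -2-, "Do not set initial_boot_params…" as -3- and "No need to relocate the dtb…" as -4-, yet the series lists the move patch after the other two. Both earlier-listed patches state in their commit messages that the dtb already lies in the fixmap region, so if the queue is applied in listed order the intermediate trees are in a state those patches were not written for, which matters when bisecting the stable branch. Unless the order was needed to make them apply, I would list `riscv-move-early-dtb-mapping-into-the-fixmap-region.patch` first. The setup.c context in the queued move patch already reflects the current order, so reordering means refreshing that patch.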