6.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 Oct 2022 15:11:55 +0000 (17:11 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 Oct 2022 15:11:55 +0000 (17:11 +0200)
added patches:
ata-ahci-imx-fix-module_alias.patch
ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch
cpufreq-qcom-fix-memory-leak-in-error-path.patch
cpufreq-qcom-fix-writes-in-read-only-memory-region.patch
cpufreq-tegra194-fix-module-loading.patch
drm-amdgpu-fix-sdma-doorbell-init-ordering-on-apus.patch
hwmon-coretemp-handle-large-core-id-value.patch
i2c-qcom-cci-fix-ordering-of-pm_runtime_xx-and-i2c_add_adapter.patch
kvm-add-support-for-arch-compat-vm-ioctls.patch
kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch
kvm-x86-add-compat-handler-for-kvm_x86_set_msr_filter.patch
kvm-x86-copy-filter-arg-outside-kvm_vm_ioctl_set_msr_filter.patch
media-ipu3-imgu-fix-null-pointer-dereference-in-active-selection-access.patch
media-mceusb-set-timeout-to-at-least-timeout-provided.patch
media-venus-dec-handle-the-case-where-find_format-fails.patch
media-venus-fix-nv12-decoder-buffer-discovery-on-hfi_version_1xx.patch
mm-hugetlb-take-hugetlb_lock-before-decrementing-h-resv_huge_pages.patch
ocfs2-clear-dinode-links-count-in-case-of-error.patch
ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch
selinux-enable-use-of-both-gfp_kernel-and-gfp_atomic-in-convert_context.patch
smb3-interface-count-displayed-incorrectly.patch
x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch
x86-resctrl-fix-min_cbm_bits-for-amd.patch

24 files changed:
queue-6.0/ata-ahci-imx-fix-module_alias.patch [new file with mode: 0644]
queue-6.0/ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch [new file with mode: 0644]
queue-6.0/cpufreq-qcom-fix-memory-leak-in-error-path.patch [new file with mode: 0644]
queue-6.0/cpufreq-qcom-fix-writes-in-read-only-memory-region.patch [new file with mode: 0644]
queue-6.0/cpufreq-tegra194-fix-module-loading.patch [new file with mode: 0644]
queue-6.0/drm-amdgpu-fix-sdma-doorbell-init-ordering-on-apus.patch [new file with mode: 0644]
queue-6.0/hwmon-coretemp-handle-large-core-id-value.patch [new file with mode: 0644]
queue-6.0/i2c-qcom-cci-fix-ordering-of-pm_runtime_xx-and-i2c_add_adapter.patch [new file with mode: 0644]
queue-6.0/kvm-add-support-for-arch-compat-vm-ioctls.patch [new file with mode: 0644]
queue-6.0/kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch [new file with mode: 0644]
queue-6.0/kvm-x86-add-compat-handler-for-kvm_x86_set_msr_filter.patch [new file with mode: 0644]
queue-6.0/kvm-x86-copy-filter-arg-outside-kvm_vm_ioctl_set_msr_filter.patch [new file with mode: 0644]
queue-6.0/media-ipu3-imgu-fix-null-pointer-dereference-in-active-selection-access.patch [new file with mode: 0644]
queue-6.0/media-mceusb-set-timeout-to-at-least-timeout-provided.patch [new file with mode: 0644]
queue-6.0/media-venus-dec-handle-the-case-where-find_format-fails.patch [new file with mode: 0644]
queue-6.0/media-venus-fix-nv12-decoder-buffer-discovery-on-hfi_version_1xx.patch [new file with mode: 0644]
queue-6.0/mm-hugetlb-take-hugetlb_lock-before-decrementing-h-resv_huge_pages.patch [new file with mode: 0644]
queue-6.0/ocfs2-clear-dinode-links-count-in-case-of-error.patch [new file with mode: 0644]
queue-6.0/ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch [new file with mode: 0644]
queue-6.0/selinux-enable-use-of-both-gfp_kernel-and-gfp_atomic-in-convert_context.patch [new file with mode: 0644]
queue-6.0/series
queue-6.0/smb3-interface-count-displayed-incorrectly.patch [new file with mode: 0644]
queue-6.0/x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch [new file with mode: 0644]
queue-6.0/x86-resctrl-fix-min_cbm_bits-for-amd.patch [new file with mode: 0644]

diff --git a/queue-6.0/ata-ahci-imx-fix-module_alias.patch b/queue-6.0/ata-ahci-imx-fix-module_alias.patch
new file mode 100644 (file)
index 0000000..c897199
--- /dev/null
@@ -0,0 +1,30 @@
+From 979556f1521a835a059de3b117b9c6c6642c7d58 Mon Sep 17 00:00:00 2001
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+Date: Wed, 12 Oct 2022 15:11:05 +0200
+Subject: ata: ahci-imx: Fix MODULE_ALIAS
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+commit 979556f1521a835a059de3b117b9c6c6642c7d58 upstream.
+
+'ahci:' is an invalid prefix, preventing the module from autoloading.
+Fix this by using the 'platform:' prefix and DRV_NAME.
+
+Fixes: 9e54eae23bc9 ("ahci_imx: add ahci sata support on imx platforms")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/ahci_imx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/ahci_imx.c
++++ b/drivers/ata/ahci_imx.c
+@@ -1230,4 +1230,4 @@ module_platform_driver(imx_ahci_driver);
+ MODULE_DESCRIPTION("Freescale i.MX AHCI SATA platform driver");
+ MODULE_AUTHOR("Richard Zhu <Hong-Xing.Zhu@freescale.com>");
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS("ahci:imx");
++MODULE_ALIAS("platform:" DRV_NAME);
diff --git a/queue-6.0/ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch b/queue-6.0/ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch
new file mode 100644 (file)
index 0000000..d5963d2
--- /dev/null
@@ -0,0 +1,76 @@
+From 1e41e693f458eef2d5728207dbd327cd3b16580a Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 11 Oct 2022 10:46:17 +0800
+Subject: ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 1e41e693f458eef2d5728207dbd327cd3b16580a upstream.
+
+UBSAN complains about array-index-out-of-bounds:
+[ 1.980703] kernel: UBSAN: array-index-out-of-bounds in /build/linux-9H675w/linux-5.15.0/drivers/ata/libahci.c:968:41
+[ 1.980709] kernel: index 15 is out of range for type 'ahci_em_priv [8]'
+[ 1.980713] kernel: CPU: 0 PID: 209 Comm: scsi_eh_8 Not tainted 5.15.0-25-generic #25-Ubuntu
+[ 1.980716] kernel: Hardware name: System manufacturer System Product Name/P5Q3, BIOS 1102 06/11/2010
+[ 1.980718] kernel: Call Trace:
+[ 1.980721] kernel: <TASK>
+[ 1.980723] kernel: show_stack+0x52/0x58
+[ 1.980729] kernel: dump_stack_lvl+0x4a/0x5f
+[ 1.980734] kernel: dump_stack+0x10/0x12
+[ 1.980736] kernel: ubsan_epilogue+0x9/0x45
+[ 1.980739] kernel: __ubsan_handle_out_of_bounds.cold+0x44/0x49
+[ 1.980742] kernel: ahci_qc_issue+0x166/0x170 [libahci]
+[ 1.980748] kernel: ata_qc_issue+0x135/0x240
+[ 1.980752] kernel: ata_exec_internal_sg+0x2c4/0x580
+[ 1.980754] kernel: ? vprintk_default+0x1d/0x20
+[ 1.980759] kernel: ata_exec_internal+0x67/0xa0
+[ 1.980762] kernel: sata_pmp_read+0x8d/0xc0
+[ 1.980765] kernel: sata_pmp_read_gscr+0x3c/0x90
+[ 1.980768] kernel: sata_pmp_attach+0x8b/0x310
+[ 1.980771] kernel: ata_eh_revalidate_and_attach+0x28c/0x4b0
+[ 1.980775] kernel: ata_eh_recover+0x6b6/0xb30
+[ 1.980778] kernel: ? ahci_do_hardreset+0x180/0x180 [libahci]
+[ 1.980783] kernel: ? ahci_stop_engine+0xb0/0xb0 [libahci]
+[ 1.980787] kernel: ? ahci_do_softreset+0x290/0x290 [libahci]
+[ 1.980792] kernel: ? trace_event_raw_event_ata_eh_link_autopsy_qc+0xe0/0xe0
+[ 1.980795] kernel: sata_pmp_eh_recover.isra.0+0x214/0x560
+[ 1.980799] kernel: sata_pmp_error_handler+0x23/0x40
+[ 1.980802] kernel: ahci_error_handler+0x43/0x80 [libahci]
+[ 1.980806] kernel: ata_scsi_port_error_handler+0x2b1/0x600
+[ 1.980810] kernel: ata_scsi_error+0x9c/0xd0
+[ 1.980813] kernel: scsi_error_handler+0xa1/0x180
+[ 1.980817] kernel: ? scsi_unjam_host+0x1c0/0x1c0
+[ 1.980820] kernel: kthread+0x12a/0x150
+[ 1.980823] kernel: ? set_kthread_struct+0x50/0x50
+[ 1.980826] kernel: ret_from_fork+0x22/0x30
+[ 1.980831] kernel: </TASK>
+
+This happens because sata_pmp_init_links() initialize link->pmp up to
+SATA_PMP_MAX_PORTS while em_priv is declared as 8 elements array.
+
+I can't find the maximum Enclosure Management ports specified in AHCI
+spec v1.3.1, but "12.2.1 LED message type" states that "Port Multiplier
+Information" can utilize 4 bits, which implies it can support up to 16
+ports. Hence, use SATA_PMP_MAX_PORTS as EM_MAX_SLOTS to resolve the
+issue.
+
+BugLink: https://bugs.launchpad.net/bugs/1970074
+Cc: stable@vger.kernel.org
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/ahci.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/ahci.h
++++ b/drivers/ata/ahci.h
+@@ -252,7 +252,7 @@ enum {
+       PCS_7                           = 0x94, /* 7+ port PCS (Denverton) */
+       /* em constants */
+-      EM_MAX_SLOTS                    = 8,
++      EM_MAX_SLOTS                    = SATA_PMP_MAX_PORTS,
+       EM_MAX_RETRY                    = 5,
+       /* em_ctl bits */
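Review bot: The new `EM_MAX_SLOTS = SATA_PMP_MAX_PORTS` line has no comment saying why the two constants are tied, so a later edit could shrink the array again and bring back the out-of-bounds index that UBSAN reported. Per the commit message, em_priv[] is indexed by link->pmp, which sata_pmp_init_links() initialises up to SATA_PMP_MAX_PORTS; I would record that on the line above, e.g. `/* em_priv[] is indexed by link->pmp, so it must cover SATA_PMP_MAX_PORTS */`. The indexing site in libahci.c is outside this patch, so whether it also deserves an explicit bounds check cannot be judged from here. The enum continues beyond the hunk.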
diff --git a/queue-6.0/cpufreq-qcom-fix-memory-leak-in-error-path.patch b/queue-6.0/cpufreq-qcom-fix-memory-leak-in-error-path.patch
new file mode 100644 (file)
index 0000000..e48bfe8
--- /dev/null
@@ -0,0 +1,53 @@
+From 9f42cf54403a42cb092636804d2628d8ecf71e75 Mon Sep 17 00:00:00 2001
+From: Fabien Parent <fabien.parent@linaro.org>
+Date: Sat, 15 Oct 2022 15:04:22 +0200
+Subject: cpufreq: qcom: fix memory leak in error path
+
+From: Fabien Parent <fabien.parent@linaro.org>
+
+commit 9f42cf54403a42cb092636804d2628d8ecf71e75 upstream.
+
+If for some reason the speedbin length is incorrect, then there is a
+memory leak in the error path because we never free the speedbin buffer.
+This commit fixes the error path to always free the speedbin buffer.
+
+Cc: v5.7+ <stable@vger.kernel.org> # v5.7+
+Fixes: a8811ec764f9 ("cpufreq: qcom: Add support for krait based socs")
+Signed-off-by: Fabien Parent <fabien.parent@linaro.org>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/qcom-cpufreq-nvmem.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/qcom-cpufreq-nvmem.c
++++ b/drivers/cpufreq/qcom-cpufreq-nvmem.c
+@@ -213,6 +213,7 @@ static int qcom_cpufreq_krait_name_versi
+       int speed = 0, pvs = 0, pvs_ver = 0;
+       u8 *speedbin;
+       size_t len;
++      int ret = 0;
+       speedbin = nvmem_cell_read(speedbin_nvmem, &len);
+@@ -230,7 +231,8 @@ static int qcom_cpufreq_krait_name_versi
+               break;
+       default:
+               dev_err(cpu_dev, "Unable to read nvmem data. Defaulting to 0!\n");
+-              return -ENODEV;
++              ret = -ENODEV;
++              goto len_error;
+       }
+       snprintf(*pvs_name, sizeof("speedXX-pvsXX-vXX"), "speed%d-pvs%d-v%d",
+@@ -238,8 +240,9 @@ static int qcom_cpufreq_krait_name_versi
+       drv->versions = (1 << speed);
++len_error:
+       kfree(speedbin);
+-      return 0;
++      return ret;
+ }
+ static const struct qcom_cpufreq_match_data match_data_kryo = {
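Review bot: The new label `len_error:` is also reached by fall-through on the success path, so its name misstates what it guards; a neutral name such as `out:` (with `goto out;` in the default case) reads correctly for both paths. On the same path the dev_err() text still says "Defaulting to 0!" although that branch returns -ENODEV, which will mislead whoever reads the log. The body of qcom_cpufreq_krait_name_version() starts and continues outside the hunk, so any other exit between nvmem_cell_read() and the switch is not visible here and should be checked for the same leak.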
diff --git a/queue-6.0/cpufreq-qcom-fix-writes-in-read-only-memory-region.patch b/queue-6.0/cpufreq-qcom-fix-writes-in-read-only-memory-region.patch
new file mode 100644 (file)
index 0000000..4642ba3
--- /dev/null
@@ -0,0 +1,65 @@
+From 01039fb8e90c9cb684430414bff70cea9eb168c5 Mon Sep 17 00:00:00 2001
+From: Fabien Parent <fabien.parent@linaro.org>
+Date: Sat, 15 Oct 2022 15:04:23 +0200
+Subject: cpufreq: qcom: fix writes in read-only memory region
+
+From: Fabien Parent <fabien.parent@linaro.org>
+
+commit 01039fb8e90c9cb684430414bff70cea9eb168c5 upstream.
+
+This commit fixes a kernel oops because of a write in some read-only memory:
+
+       [    9.068287] Unable to handle kernel write to read-only memory at virtual address ffff800009240ad8
+       ..snip..
+       [    9.138790] Internal error: Oops: 9600004f [#1] PREEMPT SMP
+       ..snip..
+       [    9.269161] Call trace:
+       [    9.276271]  __memcpy+0x5c/0x230
+       [    9.278531]  snprintf+0x58/0x80
+       [    9.282002]  qcom_cpufreq_msm8939_name_version+0xb4/0x190
+       [    9.284869]  qcom_cpufreq_probe+0xc8/0x39c
+       ..snip..
+
+The following line defines a pointer that point to a char buffer stored
+in read-only memory:
+
+       char *pvs_name = "speedXX-pvsXX-vXX";
+
+This pointer is meant to hold a template "speedXX-pvsXX-vXX" where the
+XX values get overridden by the qcom_cpufreq_krait_name_version function. Since
+the template is actually stored in read-only memory, when the function
+executes the following call we get an oops:
+
+       snprintf(*pvs_name, sizeof("speedXX-pvsXX-vXX"), "speed%d-pvs%d-v%d",
+                speed, pvs, pvs_ver);
+
+To fix this issue, we instead store the template name onto the stack by
+using the following syntax:
+
+       char pvs_name_buffer[] = "speedXX-pvsXX-vXX";
+
+Because the `pvs_name` needs to be able to be assigned to NULL, the
+template buffer is stored in the pvs_name_buffer and not under the
+pvs_name variable.
+
+Cc: v5.7+ <stable@vger.kernel.org> # v5.7+
+Fixes: a8811ec764f9 ("cpufreq: qcom: Add support for krait based socs")
+Signed-off-by: Fabien Parent <fabien.parent@linaro.org>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/qcom-cpufreq-nvmem.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/cpufreq/qcom-cpufreq-nvmem.c
++++ b/drivers/cpufreq/qcom-cpufreq-nvmem.c
+@@ -262,7 +262,8 @@ static int qcom_cpufreq_probe(struct pla
+       struct nvmem_cell *speedbin_nvmem;
+       struct device_node *np;
+       struct device *cpu_dev;
+-      char *pvs_name = "speedXX-pvsXX-vXX";
++      char pvs_name_buffer[] = "speedXX-pvsXX-vXX";
++      char *pvs_name = pvs_name_buffer;
+       unsigned cpu;
+       const struct of_device_id *match;
+       int ret;
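Review bot: The size of `pvs_name_buffer` is fixed by the literal "speedXX-pvsXX-vXX" here, while the writer quoted in the commit message bounds its snprintf() with `sizeof("speedXX-pvsXX-vXX")` on a second copy of the same literal, and nothing keeps the two in step now that the target is a stack array. If either string is edited alone the bound no longer matches the buffer, and a longer bound would let the write run past the stack buffer. I would define the template once under a name of the maintainers' choosing, e.g. `#define PVS_NAME_TEMPLATE "speedXX-pvsXX-vXX"`, then use `char pvs_name_buffer[] = PVS_NAME_TEMPLATE;` here and `sizeof(PVS_NAME_TEMPLATE)` in the snprintf() call. qcom_cpufreq_probe() continues outside the hunk.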
diff --git a/queue-6.0/cpufreq-tegra194-fix-module-loading.patch b/queue-6.0/cpufreq-tegra194-fix-module-loading.patch
new file mode 100644 (file)
index 0000000..1c638b6
--- /dev/null
@@ -0,0 +1,32 @@
+From 1dcaf30725c32b26daa70d22083999972ab99c29 Mon Sep 17 00:00:00 2001
+From: Jon Hunter <jonathanh@nvidia.com>
+Date: Tue, 11 Oct 2022 16:32:43 +0100
+Subject: cpufreq: tegra194: Fix module loading
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+commit 1dcaf30725c32b26daa70d22083999972ab99c29 upstream.
+
+When the Tegra194 CPUFREQ driver is built as a module it is not
+automatically loaded as expected on Tegra194 devices. Populate the
+MODULE_DEVICE_TABLE to fix this.
+
+Cc: v5.9+ <stable@vger.kernel.org> # v5.9+
+Fixes: df320f89359c ("cpufreq: Add Tegra194 cpufreq driver")
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/tegra194-cpufreq.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/cpufreq/tegra194-cpufreq.c
++++ b/drivers/cpufreq/tegra194-cpufreq.c
+@@ -592,6 +592,7 @@ static const struct of_device_id tegra19
+       { .compatible = "nvidia,tegra234-ccplex-cluster", .data = &tegra234_cpufreq_soc },
+       { /* sentinel */ }
+ };
++MODULE_DEVICE_TABLE(of, tegra194_cpufreq_of_match);
+ static struct platform_driver tegra194_ccplex_driver = {
+       .driver = {
diff --git a/queue-6.0/drm-amdgpu-fix-sdma-doorbell-init-ordering-on-apus.patch b/queue-6.0/drm-amdgpu-fix-sdma-doorbell-init-ordering-on-apus.patch
new file mode 100644 (file)
index 0000000..f8c53bc
--- /dev/null
@@ -0,0 +1,88 @@
+From 50b0e4d4da09fa501e722af886f97e60a4f820d6 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 19 Oct 2022 16:57:42 -0400
+Subject: drm/amdgpu: fix sdma doorbell init ordering on APUs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 50b0e4d4da09fa501e722af886f97e60a4f820d6 upstream.
+
+Commit 8795e182b02d ("PCI/portdrv: Don't disable AER reporting in get_port_device_capability()")
+uncovered a bug in amdgpu that required a reordering of the driver
+init sequence to avoid accessing a special register on the GPU
+before it was properly set up leading to an PCI AER error.  This
+reordering uncovered a different hw programming ordering dependency
+in some APUs where the SDMA doorbells need to be programmed before
+the GFX doorbells. To fix this, move the SDMA doorbell programming
+back into the soc15 common code, but use the actual doorbell range
+values directly rather than the values stored in the ring structure
+since those will not be initialized at this point.
+
+This is a partial revert, but with the doorbell assignment
+fixed so the proper doorbell index is set before it's used.
+
+Fixes: e3163bc8ffdfdb ("drm/amdgpu: move nbio sdma_doorbell_range() into sdma code for vega")
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: skhan@linuxfoundation.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c |    5 -----
+ drivers/gpu/drm/amd/amdgpu/soc15.c     |   21 +++++++++++++++++++++
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
+@@ -1504,11 +1504,6 @@ static int sdma_v4_0_start(struct amdgpu
+               WREG32_SDMA(i, mmSDMA0_CNTL, temp);
+               if (!amdgpu_sriov_vf(adev)) {
+-                      ring = &adev->sdma.instance[i].ring;
+-                      adev->nbio.funcs->sdma_doorbell_range(adev, i,
+-                              ring->use_doorbell, ring->doorbell_index,
+-                              adev->doorbell_index.sdma_doorbell_range);
+-
+                       /* unhalt engine */
+                       temp = RREG32_SDMA(i, mmSDMA0_F32_CNTL);
+                       temp = REG_SET_FIELD(temp, SDMA0_F32_CNTL, HALT, 0);
+--- a/drivers/gpu/drm/amd/amdgpu/soc15.c
++++ b/drivers/gpu/drm/amd/amdgpu/soc15.c
+@@ -1211,6 +1211,20 @@ static int soc15_common_sw_fini(void *ha
+       return 0;
+ }
++static void soc15_sdma_doorbell_range_init(struct amdgpu_device *adev)
++{
++      int i;
++
++      /* sdma doorbell range is programed by hypervisor */
++      if (!amdgpu_sriov_vf(adev)) {
++              for (i = 0; i < adev->sdma.num_instances; i++) {
++                      adev->nbio.funcs->sdma_doorbell_range(adev, i,
++                              true, adev->doorbell_index.sdma_engine[i] << 1,
++                              adev->doorbell_index.sdma_doorbell_range);
++              }
++      }
++}
++
+ static int soc15_common_hw_init(void *handle)
+ {
+       struct amdgpu_device *adev = (struct amdgpu_device *)handle;
+@@ -1230,6 +1244,13 @@ static int soc15_common_hw_init(void *ha
+       /* enable the doorbell aperture */
+       soc15_enable_doorbell_aperture(adev, true);
++      /* HW doorbell routing policy: doorbell writing not
++       * in SDMA/IH/MM/ACV range will be routed to CP. So
++       * we need to init SDMA doorbell range prior
++       * to CP ip block init and ring test.  IH already
++       * happens before CP.
++       */
++      soc15_sdma_doorbell_range_init(adev);
+       return 0;
+ }
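Review bot: In soc15_sdma_doorbell_range_init() the arguments `true` and `adev->doorbell_index.sdma_engine[i] << 1` replace `ring->use_doorbell` and `ring->doorbell_index` with no comment at the call, and the `<< 1` in particular is unexplained. The commit message gives the reason (the ring structure is not initialised at this point); it belongs next to the call so the values are not later "cleaned up" back to the ring fields, e.g. `/* ring->doorbell_index is not set up yet; derive the same value from doorbell_index */`, with the meaning of the shift confirmed where ring->doorbell_index is assigned, which is outside this patch. The loop indexes `sdma_engine[i]` up to `adev->sdma.num_instances` with no bound on that array visible here, so it is worth confirming the two are sized together. The comment typo "programed" could be fixed in the same pass.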
diff --git a/queue-6.0/hwmon-coretemp-handle-large-core-id-value.patch b/queue-6.0/hwmon-coretemp-handle-large-core-id-value.patch
new file mode 100644 (file)
index 0000000..aa6ca52
--- /dev/null
@@ -0,0 +1,170 @@
+From 7108b80a542b9d65e44b36d64a700a83658c0b73 Mon Sep 17 00:00:00 2001
+From: Zhang Rui <rui.zhang@intel.com>
+Date: Fri, 14 Oct 2022 17:01:45 +0800
+Subject: hwmon/coretemp: Handle large core ID value
+
+From: Zhang Rui <rui.zhang@intel.com>
+
+commit 7108b80a542b9d65e44b36d64a700a83658c0b73 upstream.
+
+The coretemp driver supports up to a hard-coded limit of 128 cores.
+
+Today, the driver can not support a core with an ID above that limit.
+Yet, the encoding of core ID's is arbitrary (BIOS APIC-ID) and so they
+may be sparse and they may be large.
+
+Update the driver to map arbitrary core ID numbers into appropriate
+array indexes so that 128 cores can be supported, no matter the encoding
+of core ID's.
+
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Acked-by: Len Brown <len.brown@intel.com>
+Acked-by: Guenter Roeck <linux@roeck-us.net>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20221014090147.1836-3-rui.zhang@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/coretemp.c |   56 ++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 41 insertions(+), 15 deletions(-)
+
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -46,9 +46,6 @@ MODULE_PARM_DESC(tjmax, "TjMax value in
+ #define TOTAL_ATTRS           (MAX_CORE_ATTRS + 1)
+ #define MAX_CORE_DATA         (NUM_REAL_CORES + BASE_SYSFS_ATTR_NO)
+-#define TO_CORE_ID(cpu)               (cpu_data(cpu).cpu_core_id)
+-#define TO_ATTR_NO(cpu)               (TO_CORE_ID(cpu) + BASE_SYSFS_ATTR_NO)
+-
+ #ifdef CONFIG_SMP
+ #define for_each_sibling(i, cpu) \
+       for_each_cpu(i, topology_sibling_cpumask(cpu))
+@@ -91,6 +88,8 @@ struct temp_data {
+ struct platform_data {
+       struct device           *hwmon_dev;
+       u16                     pkg_id;
++      u16                     cpu_map[NUM_REAL_CORES];
++      struct ida              ida;
+       struct cpumask          cpumask;
+       struct temp_data        *core_data[MAX_CORE_DATA];
+       struct device_attribute name_attr;
+@@ -441,7 +440,7 @@ static struct temp_data *init_temp_data(
+                                                       MSR_IA32_THERM_STATUS;
+       tdata->is_pkg_data = pkg_flag;
+       tdata->cpu = cpu;
+-      tdata->cpu_core_id = TO_CORE_ID(cpu);
++      tdata->cpu_core_id = topology_core_id(cpu);
+       tdata->attr_size = MAX_CORE_ATTRS;
+       mutex_init(&tdata->update_lock);
+       return tdata;
+@@ -454,7 +453,7 @@ static int create_core_data(struct platf
+       struct platform_data *pdata = platform_get_drvdata(pdev);
+       struct cpuinfo_x86 *c = &cpu_data(cpu);
+       u32 eax, edx;
+-      int err, attr_no;
++      int err, index, attr_no;
+       /*
+        * Find attr number for sysfs:
+@@ -462,14 +461,26 @@ static int create_core_data(struct platf
+        * The attr number is always core id + 2
+        * The Pkgtemp will always show up as temp1_*, if available
+        */
+-      attr_no = pkg_flag ? PKG_SYSFS_ATTR_NO : TO_ATTR_NO(cpu);
++      if (pkg_flag) {
++              attr_no = PKG_SYSFS_ATTR_NO;
++      } else {
++              index = ida_alloc(&pdata->ida, GFP_KERNEL);
++              if (index < 0)
++                      return index;
++              pdata->cpu_map[index] = topology_core_id(cpu);
++              attr_no = index + BASE_SYSFS_ATTR_NO;
++      }
+-      if (attr_no > MAX_CORE_DATA - 1)
+-              return -ERANGE;
++      if (attr_no > MAX_CORE_DATA - 1) {
++              err = -ERANGE;
++              goto ida_free;
++      }
+       tdata = init_temp_data(cpu, pkg_flag);
+-      if (!tdata)
+-              return -ENOMEM;
++      if (!tdata) {
++              err = -ENOMEM;
++              goto ida_free;
++      }
+       /* Test if we can access the status register */
+       err = rdmsr_safe_on_cpu(cpu, tdata->status_reg, &eax, &edx);
+@@ -505,6 +516,9 @@ static int create_core_data(struct platf
+ exit_free:
+       pdata->core_data[attr_no] = NULL;
+       kfree(tdata);
++ida_free:
++      if (!pkg_flag)
++              ida_free(&pdata->ida, index);
+       return err;
+ }
+@@ -524,6 +538,9 @@ static void coretemp_remove_core(struct
+       kfree(pdata->core_data[indx]);
+       pdata->core_data[indx] = NULL;
++
++      if (indx >= BASE_SYSFS_ATTR_NO)
++              ida_free(&pdata->ida, indx - BASE_SYSFS_ATTR_NO);
+ }
+ static int coretemp_probe(struct platform_device *pdev)
+@@ -537,6 +554,7 @@ static int coretemp_probe(struct platfor
+               return -ENOMEM;
+       pdata->pkg_id = pdev->id;
++      ida_init(&pdata->ida);
+       platform_set_drvdata(pdev, pdata);
+       pdata->hwmon_dev = devm_hwmon_device_register_with_groups(dev, DRVNAME,
+@@ -553,6 +571,7 @@ static int coretemp_remove(struct platfo
+               if (pdata->core_data[i])
+                       coretemp_remove_core(pdata, i);
++      ida_destroy(&pdata->ida);
+       return 0;
+ }
+@@ -647,7 +666,7 @@ static int coretemp_cpu_offline(unsigned
+       struct platform_device *pdev = coretemp_get_pdev(cpu);
+       struct platform_data *pd;
+       struct temp_data *tdata;
+-      int indx, target;
++      int i, indx = -1, target;
+       /*
+        * Don't execute this on suspend as the device remove locks
+@@ -660,12 +679,19 @@ static int coretemp_cpu_offline(unsigned
+       if (!pdev)
+               return 0;
+-      /* The core id is too big, just return */
+-      indx = TO_ATTR_NO(cpu);
+-      if (indx > MAX_CORE_DATA - 1)
++      pd = platform_get_drvdata(pdev);
++
++      for (i = 0; i < NUM_REAL_CORES; i++) {
++              if (pd->cpu_map[i] == topology_core_id(cpu)) {
++                      indx = i + BASE_SYSFS_ATTR_NO;
++                      break;
++              }
++      }
++
++      /* Too many cores and this core is not populated, just return */
++      if (indx < 0)
+               return 0;
+-      pd = platform_get_drvdata(pdev);
+       tdata = pd->core_data[indx];
+       cpumask_clear_cpu(cpu, &pd->cpumask);
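Review bot: In create_core_data() the new `pdata->cpu_map[index] = topology_core_id(cpu);` runs before the `attr_no > MAX_CORE_DATA - 1` check, and `ida_alloc()` puts no upper limit on `index`, so once all NUM_REAL_CORES slots are in use the next allocation stores one element past the end of `cpu_map[]` before -ERANGE is returned. Bounding the allocation removes that write: `index = ida_alloc_max(&pdata->ida, NUM_REAL_CORES - 1, GFP_KERNEL);`. Separately, cpu_map[] entries are not cleared when coretemp_remove_core() frees an index, so the lookup loop in coretemp_cpu_offline() may match a stale slot; the code that consumes `indx` continues outside the hunk, so the effect needs checking there. A one-line comment on `cpu_map` in struct platform_data stating that it maps the ida index to the core id would also help.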
diff --git a/queue-6.0/i2c-qcom-cci-fix-ordering-of-pm_runtime_xx-and-i2c_add_adapter.patch b/queue-6.0/i2c-qcom-cci-fix-ordering-of-pm_runtime_xx-and-i2c_add_adapter.patch
new file mode 100644 (file)
index 0000000..8072901
--- /dev/null
@@ -0,0 +1,65 @@
+From 61775d54d674ff8ec3658495e0dbc537227dc5c1 Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Date: Tue, 18 Oct 2022 03:19:20 +0100
+Subject: i2c: qcom-cci: Fix ordering of pm_runtime_xx and i2c_add_adapter
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+commit 61775d54d674ff8ec3658495e0dbc537227dc5c1 upstream.
+
+When we compile-in the CCI along with the imx412 driver and run on the RB5
+we see that i2c_add_adapter() causes the probe of the imx412 driver to
+happen.
+
+This probe tries to perform an i2c xfer() and the xfer() in i2c-qcom-cci.c
+fails on pm_runtime_get() because the i2c-qcom-cci.c::probe() function has
+not completed to pm_runtime_enable(dev).
+
+Fix this sequence by ensuring pm_runtime_xxx() calls happen prior to adding
+the i2c adapter.
+
+Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver")
+Reported-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Reviewed-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Tested-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-qcom-cci.c |   13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-qcom-cci.c
++++ b/drivers/i2c/busses/i2c-qcom-cci.c
+@@ -639,6 +639,11 @@ static int cci_probe(struct platform_dev
+       if (ret < 0)
+               goto error;
++      pm_runtime_set_autosuspend_delay(dev, MSEC_PER_SEC);
++      pm_runtime_use_autosuspend(dev);
++      pm_runtime_set_active(dev);
++      pm_runtime_enable(dev);
++
+       for (i = 0; i < cci->data->num_masters; i++) {
+               if (!cci->master[i].cci)
+                       continue;
+@@ -650,14 +655,12 @@ static int cci_probe(struct platform_dev
+               }
+       }
+-      pm_runtime_set_autosuspend_delay(dev, MSEC_PER_SEC);
+-      pm_runtime_use_autosuspend(dev);
+-      pm_runtime_set_active(dev);
+-      pm_runtime_enable(dev);
+-
+       return 0;
+ error_i2c:
++      pm_runtime_disable(dev);
++      pm_runtime_dont_use_autosuspend(dev);
++
+       for (--i ; i >= 0; i--) {
+               if (cci->master[i].cci) {
+                       i2c_del_adapter(&cci->master[i].adap);
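Review bot: On the `error_i2c:` path the added `pm_runtime_disable(dev);` and `pm_runtime_dont_use_autosuspend(dev);` run before the loop that calls i2c_del_adapter(), which is not the reverse of the new setup order (runtime PM enabled first, adapters added afterwards). While that loop runs, an adapter registered earlier is still visible to clients with runtime PM already disabled, which appears to be the condition the commit message describes for xfer(), though only on the failure path. I would move the two calls below the i2c_del_adapter() loop so that teardown mirrors setup. cci_probe() begins and continues outside the hunk, so the rest of the error path is not visible here.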
diff --git a/queue-6.0/kvm-add-support-for-arch-compat-vm-ioctls.patch b/queue-6.0/kvm-add-support-for-arch-compat-vm-ioctls.patch
new file mode 100644 (file)
index 0000000..6844797
--- /dev/null
@@ -0,0 +1,61 @@
+From ed51862f2f57cbce6fed2d4278cfe70a490899fd Mon Sep 17 00:00:00 2001
+From: Alexander Graf <graf@amazon.com>
+Date: Mon, 17 Oct 2022 20:45:39 +0200
+Subject: kvm: Add support for arch compat vm ioctls
+
+From: Alexander Graf <graf@amazon.com>
+
+commit ed51862f2f57cbce6fed2d4278cfe70a490899fd upstream.
+
+We will introduce the first architecture specific compat vm ioctl in the
+next patch. Add all necessary boilerplate to allow architectures to
+override compat vm ioctls when necessary.
+
+Signed-off-by: Alexander Graf <graf@amazon.com>
+Message-Id: <20221017184541.2658-2-graf@amazon.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/kvm_host.h |    2 ++
+ virt/kvm/kvm_main.c      |   11 +++++++++++
+ 2 files changed, 13 insertions(+)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -1391,6 +1391,8 @@ int kvm_vm_ioctl_enable_cap(struct kvm *
+                           struct kvm_enable_cap *cap);
+ long kvm_arch_vm_ioctl(struct file *filp,
+                      unsigned int ioctl, unsigned long arg);
++long kvm_arch_vm_compat_ioctl(struct file *filp, unsigned int ioctl,
++                            unsigned long arg);
+ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu);
+ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu);
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -4834,6 +4834,12 @@ struct compat_kvm_clear_dirty_log {
+       };
+ };
++long __weak kvm_arch_vm_compat_ioctl(struct file *filp, unsigned int ioctl,
++                                   unsigned long arg)
++{
++      return -ENOTTY;
++}
++
+ static long kvm_vm_compat_ioctl(struct file *filp,
+                          unsigned int ioctl, unsigned long arg)
+ {
+@@ -4842,6 +4848,11 @@ static long kvm_vm_compat_ioctl(struct f
+       if (kvm->mm != current->mm || kvm->vm_dead)
+               return -EIO;
++
++      r = kvm_arch_vm_compat_ioctl(filp, ioctl, arg);
++      if (r != -ENOTTY)
++              return r;
++
+       switch (ioctl) {
+ #ifdef CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT
+       case KVM_CLEAR_DIRTY_LOG: {
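Review bot: The new call in kvm_vm_compat_ioctl() treats `-ENOTTY` from kvm_arch_vm_compat_ioctl() as "not handled, fall through to the generic switch", but neither the prototype added to kvm_host.h nor the `__weak` default documents that contract. An architecture handler that returns -ENOTTY for an ioctl it did recognise would silently be dispatched again through the generic path. I would add a comment above the weak definition, e.g. `/* Return -ENOTTY for ioctls the architecture does not handle; any other value is returned to the caller as-is. */`. kvm_vm_compat_ioctl() continues outside the hunk.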
diff --git a/queue-6.0/kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch b/queue-6.0/kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch
new file mode 100644 (file)
index 0000000..151a3b0
--- /dev/null
@@ -0,0 +1,81 @@
+From c000a2607145d28b06c697f968491372ea56c23a Mon Sep 17 00:00:00 2001
+From: Eric Ren <renzhengeek@gmail.com>
+Date: Sat, 15 Oct 2022 11:19:28 +0800
+Subject: KVM: arm64: vgic: Fix exit condition in scan_its_table()
+
+From: Eric Ren <renzhengeek@gmail.com>
+
+commit c000a2607145d28b06c697f968491372ea56c23a upstream.
+
+With some PCIe topologies, restoring a guest fails while
+parsing the ITS device tables.
+
+Reproducer hints:
+1. Create ARM virt VM with pxb-pcie bus which adds
+   extra host bridges, with qemu command like:
+
+```
+  -device pxb-pcie,bus_nr=8,id=pci.x,numa_node=0,bus=pcie.0 \
+  -device pcie-root-port,..,bus=pci.x \
+  ...
+  -device pxb-pcie,bus_nr=37,id=pci.y,numa_node=1,bus=pcie.0 \
+  -device pcie-root-port,..,bus=pci.y \
+  ...
+
+```
+2. Ensure the guest uses 2-level device table
+3. Perform VM migration which calls save/restore device tables
+
+In that setup, we get a big "offset" between 2 device_ids,
+which makes unsigned "len" round up a big positive number,
+causing the scan loop to continue with a bad GPA. For example:
+
+1. L1 table has 2 entries;
+2. and we are now scanning at L2 table entry index 2075 (pointed
+   to by L1 first entry)
+3. if next device id is 9472, we will get a big offset: 7397;
+4. with unsigned 'len', 'len -= offset * esz', len will underflow to a
+   positive number, mistakenly into next iteration with a bad GPA;
+   (It should break out of the current L2 table scanning, and jump
+   into the next L1 table entry)
+5. that bad GPA fails the guest read.
+
+Fix it by stopping the L2 table scan when the next device id is
+outside of the current table, allowing the scan to continue from
+the next L1 table entry.
+
+Thanks to Eric Auger for the fix suggestion.
+
+Fixes: 920a7a8fa92a ("KVM: arm64: vgic-its: Add infrastructure for tableookup")
+Suggested-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Eric Ren <renzhengeek@gmail.com>
+[maz: commit message tidy-up]
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/d9c3a564af9e2c5bf63f48a7dcbf08cd593c5c0b.1665802985.git.renzhengeek@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/vgic/vgic-its.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kvm/vgic/vgic-its.c
++++ b/arch/arm64/kvm/vgic/vgic-its.c
+@@ -2149,7 +2149,7 @@ static int scan_its_table(struct vgic_it
+       memset(entry, 0, esz);
+-      while (len > 0) {
++      while (true) {
+               int next_offset;
+               size_t byte_offset;
+@@ -2162,6 +2162,9 @@ static int scan_its_table(struct vgic_it
+                       return next_offset;
+               byte_offset = next_offset * esz;
++              if (byte_offset >= len)
++                      break;
++
+               id += next_offset;
+               gpa += byte_offset;
+               len -= byte_offset;
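Review bot: With `while (len > 0)` replaced by `while (true)` in scan_its_table(), nothing visible in these hunks checks `len` before the first pass, so a call with `len` smaller than one entry would still process the entry at `gpa` before the new `byte_offset >= len` test is reached. The statements between the two hunks and the callers are not shown, so this may already be excluded. If it is, a comment above the loop such as `/* callers pass len >= esz; the first entry is handled before len is compared */` would record the assumption, and if it is not, a guard on `len` ahead of the loop is needed. The function starts and ends outside the hunks.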
diff --git a/queue-6.0/kvm-x86-add-compat-handler-for-kvm_x86_set_msr_filter.patch b/queue-6.0/kvm-x86-add-compat-handler-for-kvm_x86_set_msr_filter.patch
new file mode 100644 (file)
index 0000000..5ce6a5b
--- /dev/null
@@ -0,0 +1,94 @@
+From 1739c7017fb1d759965dcbab925ff5980a5318cb Mon Sep 17 00:00:00 2001
+From: Alexander Graf <graf@amazon.com>
+Date: Mon, 17 Oct 2022 20:45:41 +0200
+Subject: KVM: x86: Add compat handler for KVM_X86_SET_MSR_FILTER
+
+From: Alexander Graf <graf@amazon.com>
+
+commit 1739c7017fb1d759965dcbab925ff5980a5318cb upstream.
+
+The KVM_X86_SET_MSR_FILTER ioctls contains a pointer in the passed in
+struct which means it has a different struct size depending on whether
+it gets called from 32bit or 64bit code.
+
+This patch introduces compat code that converts from the 32bit struct to
+its 64bit counterpart which then gets used going forward internally.
+With this applied, 32bit QEMU can successfully set MSR bitmaps when
+running on 64bit kernels.
+
+Reported-by: Andrew Randrianasulu <randrianasulu@gmail.com>
+Fixes: 1a155254ff937 ("KVM: x86: Introduce MSR filtering")
+Signed-off-by: Alexander Graf <graf@amazon.com>
+Message-Id: <20221017184541.2658-4-graf@amazon.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c |   56 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6453,6 +6453,62 @@ static int kvm_vm_ioctl_set_msr_filter(s
+       return 0;
+ }
++#ifdef CONFIG_KVM_COMPAT
++/* for KVM_X86_SET_MSR_FILTER */
++struct kvm_msr_filter_range_compat {
++      __u32 flags;
++      __u32 nmsrs;
++      __u32 base;
++      __u32 bitmap;
++};
++
++struct kvm_msr_filter_compat {
++      __u32 flags;
++      struct kvm_msr_filter_range_compat ranges[KVM_MSR_FILTER_MAX_RANGES];
++};
++
++#define KVM_X86_SET_MSR_FILTER_COMPAT _IOW(KVMIO, 0xc6, struct kvm_msr_filter_compat)
++
++long kvm_arch_vm_compat_ioctl(struct file *filp, unsigned int ioctl,
++                            unsigned long arg)
++{
++      void __user *argp = (void __user *)arg;
++      struct kvm *kvm = filp->private_data;
++      long r = -ENOTTY;
++
++      switch (ioctl) {
++      case KVM_X86_SET_MSR_FILTER_COMPAT: {
++              struct kvm_msr_filter __user *user_msr_filter = argp;
++              struct kvm_msr_filter_compat filter_compat;
++              struct kvm_msr_filter filter;
++              int i;
++
++              if (copy_from_user(&filter_compat, user_msr_filter,
++                                 sizeof(filter_compat)))
++                      return -EFAULT;
++
++              filter.flags = filter_compat.flags;
++              for (i = 0; i < ARRAY_SIZE(filter.ranges); i++) {
++                      struct kvm_msr_filter_range_compat *cr;
++
++                      cr = &filter_compat.ranges[i];
++                      filter.ranges[i] = (struct kvm_msr_filter_range) {
++                              .flags = cr->flags,
++                              .nmsrs = cr->nmsrs,
++                              .base = cr->base,
++                              .bitmap = (__u8 *)(ulong)cr->bitmap,
++                      };
++              }
++
++              r = kvm_vm_ioctl_set_msr_filter(kvm, &filter);
++              break;
++      }
++      }
++
++      return r;
++}
++#endif
++
+ #ifdef CONFIG_HAVE_KVM_PM_NOTIFIER
+ static int kvm_arch_suspend_notifier(struct kvm *kvm)
+ {
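Review bot: In kvm_arch_vm_compat_ioctl(), `user_msr_filter` is declared as `struct kvm_msr_filter __user *` although the copy reads `sizeof(filter_compat)` bytes of the 32-bit layout. Declaring it as `struct kvm_msr_filter_compat __user *user_msr_filter = argp;` keeps the pointer type and the copied size in agreement. The `bitmap` field is a userspace address widened by hand with `(__u8 *)(ulong)cr->bitmap`, whereas the kernel's `compat_ptr()` helper is the usual way to do that conversion and makes the user-pointer origin visible to readers and to sparse. Nothing in this function validates or dereferences that address, so a comment above the loop such as `/* bitmap is only widened here; it is still an unchecked user pointer */` would make clear that the callee has to treat it as untrusted.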
diff --git a/queue-6.0/kvm-x86-copy-filter-arg-outside-kvm_vm_ioctl_set_msr_filter.patch b/queue-6.0/kvm-x86-copy-filter-arg-outside-kvm_vm_ioctl_set_msr_filter.patch
new file mode 100644 (file)
index 0000000..0de3db8
--- /dev/null
@@ -0,0 +1,88 @@
+From 2e3272bc1790825c43d2c39690bf2836b81c6d36 Mon Sep 17 00:00:00 2001
+From: Alexander Graf <graf@amazon.com>
+Date: Mon, 17 Oct 2022 20:45:40 +0200
+Subject: KVM: x86: Copy filter arg outside kvm_vm_ioctl_set_msr_filter()
+
+From: Alexander Graf <graf@amazon.com>
+
+commit 2e3272bc1790825c43d2c39690bf2836b81c6d36 upstream.
+
+In the next patch we want to introduce a second caller to
+set_msr_filter() which constructs its own filter list on the stack.
+Refactor the original function so it takes it as argument instead of
+reading it through copy_from_user().
+
+Signed-off-by: Alexander Graf <graf@amazon.com>
+Message-Id: <20221017184541.2658-3-graf@amazon.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c |   31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6406,26 +6406,22 @@ static int kvm_add_msr_filter(struct kvm
+       return 0;
+ }
+-static int kvm_vm_ioctl_set_msr_filter(struct kvm *kvm, void __user *argp)
++static int kvm_vm_ioctl_set_msr_filter(struct kvm *kvm,
++                                     struct kvm_msr_filter *filter)
+ {
+-      struct kvm_msr_filter __user *user_msr_filter = argp;
+       struct kvm_x86_msr_filter *new_filter, *old_filter;
+-      struct kvm_msr_filter filter;
+       bool default_allow;
+       bool empty = true;
+       int r = 0;
+       u32 i;
+-      if (copy_from_user(&filter, user_msr_filter, sizeof(filter)))
+-              return -EFAULT;
+-
+-      if (filter.flags & ~KVM_MSR_FILTER_DEFAULT_DENY)
++      if (filter->flags & ~KVM_MSR_FILTER_DEFAULT_DENY)
+               return -EINVAL;
+-      for (i = 0; i < ARRAY_SIZE(filter.ranges); i++)
+-              empty &= !filter.ranges[i].nmsrs;
++      for (i = 0; i < ARRAY_SIZE(filter->ranges); i++)
++              empty &= !filter->ranges[i].nmsrs;
+-      default_allow = !(filter.flags & KVM_MSR_FILTER_DEFAULT_DENY);
++      default_allow = !(filter->flags & KVM_MSR_FILTER_DEFAULT_DENY);
+       if (empty && !default_allow)
+               return -EINVAL;
+@@ -6433,8 +6429,8 @@ static int kvm_vm_ioctl_set_msr_filter(s
+       if (!new_filter)
+               return -ENOMEM;
+-      for (i = 0; i < ARRAY_SIZE(filter.ranges); i++) {
+-              r = kvm_add_msr_filter(new_filter, &filter.ranges[i]);
++      for (i = 0; i < ARRAY_SIZE(filter->ranges); i++) {
++              r = kvm_add_msr_filter(new_filter, &filter->ranges[i]);
+               if (r) {
+                       kvm_free_msr_filter(new_filter);
+                       return r;
+@@ -6879,9 +6875,16 @@ set_pit2_out:
+       case KVM_SET_PMU_EVENT_FILTER:
+               r = kvm_vm_ioctl_set_pmu_event_filter(kvm, argp);
+               break;
+-      case KVM_X86_SET_MSR_FILTER:
+-              r = kvm_vm_ioctl_set_msr_filter(kvm, argp);
++      case KVM_X86_SET_MSR_FILTER: {
++              struct kvm_msr_filter __user *user_msr_filter = argp;
++              struct kvm_msr_filter filter;
++
++              if (copy_from_user(&filter, user_msr_filter, sizeof(filter)))
++                      return -EFAULT;
++
++              r = kvm_vm_ioctl_set_msr_filter(kvm, &filter);
+               break;
++      }
+       default:
+               r = -ENOTTY;
+       }
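Review bot: After this refactor kvm_vm_ioctl_set_msr_filter() takes a kernel-resident `struct kvm_msr_filter *`, but nothing in the new signature says that the `bitmap` member of each range still appears to be a userspace address (the compat caller added elsewhere in this series builds it from a 32-bit user value). A short comment above the function, for example `/* @filter is a kernel copy; ranges[].bitmap are still user pointers */`, would keep a future caller from handing in kernel-built bitmaps. The new `KVM_X86_SET_MSR_FILTER` case also leaves with `return -EFAULT` while the neighbouring cases set `r` and `break`. Whatever follows the switch is outside the hunk, so confirm that skipping it is intended.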
diff --git a/queue-6.0/media-ipu3-imgu-fix-null-pointer-dereference-in-active-selection-access.patch b/queue-6.0/media-ipu3-imgu-fix-null-pointer-dereference-in-active-selection-access.patch
new file mode 100644 (file)
index 0000000..83a71dc
--- /dev/null
@@ -0,0 +1,80 @@
+From b9eb3ab6f30bf32f7326909f17949ccb11bab514 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Thu, 25 Aug 2022 20:36:37 +0200
+Subject: media: ipu3-imgu: Fix NULL pointer dereference in active selection access
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit b9eb3ab6f30bf32f7326909f17949ccb11bab514 upstream.
+
+What the IMGU driver did was that it first acquired the pointers to active
+and try V4L2 subdev state, and only then figured out which one to use.
+
+The problem with that approach and a later patch (see Fixes: tag) is that
+as sd_state argument to v4l2_subdev_get_try_crop() et al is NULL, there is
+now an attempt to dereference that.
+
+Fix this.
+
+Also rewrap lines a little.
+
+Fixes: 0d346d2a6f54 ("media: v4l2-subdev: add subdev-wide state struct")
+Cc: stable@vger.kernel.org # for v5.14 and later
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Bingbu Cao <bingbu.cao@intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/ipu3/ipu3-v4l2.c |   31 ++++++++++++++-----------------
+ 1 file changed, 14 insertions(+), 17 deletions(-)
+
+--- a/drivers/staging/media/ipu3/ipu3-v4l2.c
++++ b/drivers/staging/media/ipu3/ipu3-v4l2.c
+@@ -192,33 +192,30 @@ static int imgu_subdev_get_selection(str
+                                    struct v4l2_subdev_state *sd_state,
+                                    struct v4l2_subdev_selection *sel)
+ {
+-      struct v4l2_rect *try_sel, *r;
+-      struct imgu_v4l2_subdev *imgu_sd = container_of(sd,
+-                                                      struct imgu_v4l2_subdev,
+-                                                      subdev);
++      struct imgu_v4l2_subdev *imgu_sd =
++              container_of(sd, struct imgu_v4l2_subdev, subdev);
+       if (sel->pad != IMGU_NODE_IN)
+               return -EINVAL;
+       switch (sel->target) {
+       case V4L2_SEL_TGT_CROP:
+-              try_sel = v4l2_subdev_get_try_crop(sd, sd_state, sel->pad);
+-              r = &imgu_sd->rect.eff;
+-              break;
++              if (sel->which == V4L2_SUBDEV_FORMAT_TRY)
++                      sel->r = *v4l2_subdev_get_try_crop(sd, sd_state,
++                                                         sel->pad);
++              else
++                      sel->r = imgu_sd->rect.eff;
++              return 0;
+       case V4L2_SEL_TGT_COMPOSE:
+-              try_sel = v4l2_subdev_get_try_compose(sd, sd_state, sel->pad);
+-              r = &imgu_sd->rect.bds;
+-              break;
++              if (sel->which == V4L2_SUBDEV_FORMAT_TRY)
++                      sel->r = *v4l2_subdev_get_try_compose(sd, sd_state,
++                                                            sel->pad);
++              else
++                      sel->r = imgu_sd->rect.bds;
++              return 0;
+       default:
+               return -EINVAL;
+       }
+-
+-      if (sel->which == V4L2_SUBDEV_FORMAT_TRY)
+-              sel->r = *try_sel;
+-      else
+-              sel->r = *r;
+-
+-      return 0;
+ }
+ static int imgu_subdev_set_selection(struct v4l2_subdev *sd,
diff --git a/queue-6.0/media-mceusb-set-timeout-to-at-least-timeout-provided.patch b/queue-6.0/media-mceusb-set-timeout-to-at-least-timeout-provided.patch
new file mode 100644 (file)
index 0000000..91ed023
--- /dev/null
@@ -0,0 +1,33 @@
+From 20b794ddce475ed012deb365000527c17b3e93e6 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Fri, 2 Sep 2022 12:32:21 +0200
+Subject: media: mceusb: set timeout to at least timeout provided
+
+From: Sean Young <sean@mess.org>
+
+commit 20b794ddce475ed012deb365000527c17b3e93e6 upstream.
+
+By rounding down, the actual timeout can be lower than requested. As a
+result, long spaces just below the requested timeout can be incorrectly
+reported as timeout and truncated.
+
+Fixes: 877f1a7cee3f ("media: rc: mceusb: allow the timeout to be configurable")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/mceusb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/rc/mceusb.c
++++ b/drivers/media/rc/mceusb.c
+@@ -1077,7 +1077,7 @@ static int mceusb_set_timeout(struct rc_
+       struct mceusb_dev *ir = dev->priv;
+       unsigned int units;
+-      units = DIV_ROUND_CLOSEST(timeout, MCE_TIME_UNIT);
++      units = DIV_ROUND_UP(timeout, MCE_TIME_UNIT);
+       cmdbuf[2] = units >> 8;
+       cmdbuf[3] = units;
diff --git a/queue-6.0/media-venus-dec-handle-the-case-where-find_format-fails.patch b/queue-6.0/media-venus-dec-handle-the-case-where-find_format-fails.patch
new file mode 100644 (file)
index 0000000..95d3ce8
--- /dev/null
@@ -0,0 +1,36 @@
+From 06a2da340f762addc5935bf851d95b14d4692db2 Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Date: Tue, 26 Jul 2022 04:14:54 +0200
+Subject: media: venus: dec: Handle the case where find_format fails
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+commit 06a2da340f762addc5935bf851d95b14d4692db2 upstream.
+
+Debugging the decoder on msm8916 I noticed the vdec probe was crashing if
+the fmt pointer was NULL.
+
+A similar fix from Colin Ian King found by Coverity was implemented for the
+encoder. Implement the same fix on the decoder.
+
+Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
+Cc: stable@vger.kernel.org  # v4.13+
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/vdec.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/qcom/venus/vdec.c
++++ b/drivers/media/platform/qcom/venus/vdec.c
+@@ -183,6 +183,8 @@ vdec_try_fmt_common(struct venus_inst *i
+               else
+                       return NULL;
+               fmt = find_format(inst, pixmp->pixelformat, f->type);
++              if (!fmt)
++                      return NULL;
+       }
+       pixmp->width = clamp(pixmp->width, frame_width_min(inst),
diff --git a/queue-6.0/media-venus-fix-nv12-decoder-buffer-discovery-on-hfi_version_1xx.patch b/queue-6.0/media-venus-fix-nv12-decoder-buffer-discovery-on-hfi_version_1xx.patch
new file mode 100644 (file)
index 0000000..1f93344
--- /dev/null
@@ -0,0 +1,90 @@
+From 7f77fa9f378c528edb38dbf23ff1273c81429d49 Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Date: Tue, 26 Jul 2022 04:14:55 +0200
+Subject: media: venus: Fix NV12 decoder buffer discovery on HFI_VERSION_1XX
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+commit 7f77fa9f378c528edb38dbf23ff1273c81429d49 upstream.
+
+HFI_VERSION_1XX uses HFI_BUFFER_OUTPUT not HFI_BUFFER_OUTPUT2 for decoder
+buffers.
+
+venus_helper_check_format() places a constraint on an output buffer to be
+of type HFI_BUFFER_OUTPUT2. HFI_1XX uses HFI_BUFFER_OUTPUT though.
+
+Switching to the logic used in venus_helper_get_out_fmts() first checking
+for HFI_BUFFER_OUTPUT and then HFI_BUFFER_OUTPUT2 resolves on HFI_1XX.
+
+db410c before:
+root@linaro-alip:~# v4l2-ctl  -d /dev/video0 --list-formats
+ioctl: VIDIOC_ENUM_FMT
+        Type: Video Capture Multiplanar
+
+        [0]: 'MPG4' (MPEG-4 Part 2 ES, compressed)
+        [1]: 'H263' (H.263, compressed)
+        [2]: 'H264' (H.264, compressed)
+        [3]: 'VP80' (VP8, compressed)
+
+root@linaro-alip:~# v4l2-ctl  -d /dev/video1 --list-formats
+ioctl: VIDIOC_ENUM_FMT
+        Type: Video Capture Multiplanar
+
+db410c after:
+root@linaro-alip:~# v4l2-ctl  -d /dev/video0 --list-formats
+ioctl: VIDIOC_ENUM_FMT
+        Type: Video Capture Multiplanar
+
+        [0]: 'MPG4' (MPEG-4 Part 2 ES, compressed)
+        [1]: 'H263' (H.263, compressed)
+        [2]: 'H264' (H.264, compressed)
+        [3]: 'VP80' (VP8, compressed)
+
+root@linaro-alip:~# v4l2-ctl  -d /dev/video1 --list-formats
+ioctl: VIDIOC_ENUM_FMT
+        Type: Video Capture Multiplanar
+
+        [0]: 'NV12' (Y/CbCr 4:2:0)
+
+Validated playback with ffplay on db410c with h264 and vp8 decoding.
+
+Fixes: 9593126dae3e ("media: venus: Add a handling of QC08C compressed format")
+Cc: stable@vger.kernel.org  # v5.19
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/helpers.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/helpers.c
++++ b/drivers/media/platform/qcom/venus/helpers.c
+@@ -1800,7 +1800,7 @@ bool venus_helper_check_format(struct ve
+       struct venus_core *core = inst->core;
+       u32 fmt = to_hfi_raw_fmt(v4l2_pixfmt);
+       struct hfi_plat_caps *caps;
+-      u32 buftype;
++      bool found;
+       if (!fmt)
+               return false;
+@@ -1809,12 +1809,13 @@ bool venus_helper_check_format(struct ve
+       if (!caps)
+               return false;
+-      if (inst->session_type == VIDC_SESSION_TYPE_DEC)
+-              buftype = HFI_BUFFER_OUTPUT2;
+-      else
+-              buftype = HFI_BUFFER_OUTPUT;
++      found = find_fmt_from_caps(caps, HFI_BUFFER_OUTPUT, fmt);
++      if (found)
++              goto done;
+-      return find_fmt_from_caps(caps, buftype, fmt);
++      found = find_fmt_from_caps(caps, HFI_BUFFER_OUTPUT2, fmt);
++done:
++      return found;
+ }
+ EXPORT_SYMBOL_GPL(venus_helper_check_format);
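Review bot: The rewritten venus_helper_check_format() no longer consults `inst->session_type`, so non-decoder sessions, which previously matched only HFI_BUFFER_OUTPUT, now also accept a format found under HFI_BUFFER_OUTPUT2. The commit message discusses only the decoder on HFI_1XX. If the widening is intended, a comment saying so would help; otherwise the second lookup should stay decoder-only. The `found`/`goto done` pair can also be written as `return find_fmt_from_caps(caps, HFI_BUFFER_OUTPUT, fmt) || find_fmt_from_caps(caps, HFI_BUFFER_OUTPUT2, fmt);`. The function starts above the first hunk.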
diff --git a/queue-6.0/mm-hugetlb-take-hugetlb_lock-before-decrementing-h-resv_huge_pages.patch b/queue-6.0/mm-hugetlb-take-hugetlb_lock-before-decrementing-h-resv_huge_pages.patch
new file mode 100644 (file)
index 0000000..1a14ffd
--- /dev/null
@@ -0,0 +1,49 @@
+From 12df140f0bdfae5dcfc81800970dd7f6f632e00c Mon Sep 17 00:00:00 2001
+From: Rik van Riel <riel@surriel.com>
+Date: Mon, 17 Oct 2022 20:25:05 -0400
+Subject: mm,hugetlb: take hugetlb_lock before decrementing h->resv_huge_pages
+
+From: Rik van Riel <riel@surriel.com>
+
+commit 12df140f0bdfae5dcfc81800970dd7f6f632e00c upstream.
+
+The h->*_huge_pages counters are protected by the hugetlb_lock, but
+alloc_huge_page has a corner case where it can decrement the counter
+outside of the lock.
+
+This could lead to a corrupted value of h->resv_huge_pages, which we have
+observed on our systems.
+
+Take the hugetlb_lock before decrementing h->resv_huge_pages to avoid a
+potential race.
+
+Link: https://lkml.kernel.org/r/20221017202505.0e6a4fcd@imladris.surriel.com
+Fixes: a88c76954804 ("mm: hugetlb: fix hugepage memory leak caused by wrong reserve count")
+Signed-off-by: Rik van Riel <riel@surriel.com>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: Glen McCready <gkmccready@meta.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Muchun Song <songmuchun@bytedance.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hugetlb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2928,11 +2928,11 @@ struct page *alloc_huge_page(struct vm_a
+               page = alloc_buddy_huge_page_with_mpol(h, vma, addr);
+               if (!page)
+                       goto out_uncharge_cgroup;
++              spin_lock_irq(&hugetlb_lock);
+               if (!avoid_reserve && vma_has_reserves(vma, gbl_chg)) {
+                       SetHPageRestoreReserve(page);
+                       h->resv_huge_pages--;
+               }
+-              spin_lock_irq(&hugetlb_lock);
+               list_add(&page->lru, &h->hugepage_activelist);
+               /* Fall through */
+       }
diff --git a/queue-6.0/ocfs2-clear-dinode-links-count-in-case-of-error.patch b/queue-6.0/ocfs2-clear-dinode-links-count-in-case-of-error.patch
new file mode 100644 (file)
index 0000000..958688d
--- /dev/null
@@ -0,0 +1,77 @@
+From 28f4821b1b53e0649706912e810c6c232fc506f9 Mon Sep 17 00:00:00 2001
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+Date: Mon, 17 Oct 2022 21:02:27 +0800
+Subject: ocfs2: clear dinode links count in case of error
+
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+
+commit 28f4821b1b53e0649706912e810c6c232fc506f9 upstream.
+
+In ocfs2_mknod(), if error occurs after dinode successfully allocated,
+ocfs2 i_links_count will not be 0.
+
+So even though we clear inode i_nlink before iput in error handling, it
+still won't wipe inode since we'll refresh inode from dinode during inode
+lock.  So just like clear inode i_nlink, we clear ocfs2 i_links_count as
+well.  Also do the same change for ocfs2_symlink().
+
+Link: https://lkml.kernel.org/r/20221017130227.234480-2-joseph.qi@linux.alibaba.com
+Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reported-by: Yan Wang <wangyan122@huawei.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/namei.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/namei.c
++++ b/fs/ocfs2/namei.c
+@@ -232,6 +232,7 @@ static int ocfs2_mknod(struct user_names
+       handle_t *handle = NULL;
+       struct ocfs2_super *osb;
+       struct ocfs2_dinode *dirfe;
++      struct ocfs2_dinode *fe = NULL;
+       struct buffer_head *new_fe_bh = NULL;
+       struct inode *inode = NULL;
+       struct ocfs2_alloc_context *inode_ac = NULL;
+@@ -382,6 +383,7 @@ static int ocfs2_mknod(struct user_names
+               goto leave;
+       }
++      fe = (struct ocfs2_dinode *) new_fe_bh->b_data;
+       if (S_ISDIR(mode)) {
+               status = ocfs2_fill_new_dir(osb, handle, dir, inode,
+                                           new_fe_bh, data_ac, meta_ac);
+@@ -454,8 +456,11 @@ roll_back:
+ leave:
+       if (status < 0 && did_quota_inode)
+               dquot_free_inode(inode);
+-      if (handle)
++      if (handle) {
++              if (status < 0 && fe)
++                      ocfs2_set_links_count(fe, 0);
+               ocfs2_commit_trans(osb, handle);
++      }
+       ocfs2_inode_unlock(dir, 1);
+       if (did_block_signals)
+@@ -2028,8 +2033,11 @@ bail:
+                                       ocfs2_clusters_to_bytes(osb->sb, 1));
+       if (status < 0 && did_quota_inode)
+               dquot_free_inode(inode);
+-      if (handle)
++      if (handle) {
++              if (status < 0 && fe)
++                      ocfs2_set_links_count(fe, 0);
+               ocfs2_commit_trans(osb, handle);
++      }
+       ocfs2_inode_unlock(dir, 1);
+       if (did_block_signals)
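Review bot: The last hunk (the `bail:` path, which the commit message attributes to ocfs2_symlink()) tests `fe`, but this patch declares and initialises `fe` only in ocfs2_mknod(). The declaration in the other function is outside the hunk, so confirm it starts as NULL there, since an early jump to `bail` would otherwise pass an unset pointer to `ocfs2_set_links_count(fe, 0)`. In both error paths the write to the dinode buffer happens just before `ocfs2_commit_trans()`, and whether that buffer is journal-accessed and dirtied on every path reaching this point is not visible here. A comment on the new branch such as `/* zero the on-disk link count too, so the failed inode is wiped on iput */` would capture the reasoning given in the commit message.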
diff --git a/queue-6.0/ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch b/queue-6.0/ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch
new file mode 100644 (file)
index 0000000..0761739
--- /dev/null
@@ -0,0 +1,60 @@
+From 759a7c6126eef5635506453e9b9d55a6a3ac2084 Mon Sep 17 00:00:00 2001
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+Date: Mon, 17 Oct 2022 21:02:26 +0800
+Subject: ocfs2: fix BUG when iput after ocfs2_mknod fails
+
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+
+commit 759a7c6126eef5635506453e9b9d55a6a3ac2084 upstream.
+
+Commit b1529a41f777 "ocfs2: should reclaim the inode if
+'__ocfs2_mknod_locked' returns an error" tried to reclaim the claimed
+inode if __ocfs2_mknod_locked() fails later.  But this introduce a race,
+the freed bit may be reused immediately by another thread, which will
+update dinode, e.g.  i_generation.  Then iput this inode will lead to BUG:
+inode->i_generation != le32_to_cpu(fe->i_generation)
+
+We could make this inode as bad, but we did want to do operations like
+wipe in some cases.  Since the claimed inode bit can only affect that an
+dinode is missing and will return back after fsck, it seems not a big
+problem.  So just leave it as is by revert the reclaim logic.
+
+Link: https://lkml.kernel.org/r/20221017130227.234480-1-joseph.qi@linux.alibaba.com
+Fixes: b1529a41f777 ("ocfs2: should reclaim the inode if '__ocfs2_mknod_locked' returns an error")
+Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reported-by: Yan Wang <wangyan122@huawei.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/namei.c |   11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+--- a/fs/ocfs2/namei.c
++++ b/fs/ocfs2/namei.c
+@@ -637,18 +637,9 @@ static int ocfs2_mknod_locked(struct ocf
+               return status;
+       }
+-      status = __ocfs2_mknod_locked(dir, inode, dev, new_fe_bh,
++      return __ocfs2_mknod_locked(dir, inode, dev, new_fe_bh,
+                                   parent_fe_bh, handle, inode_ac,
+                                   fe_blkno, suballoc_loc, suballoc_bit);
+-      if (status < 0) {
+-              u64 bg_blkno = ocfs2_which_suballoc_group(fe_blkno, suballoc_bit);
+-              int tmp = ocfs2_free_suballoc_bits(handle, inode_ac->ac_inode,
+-                              inode_ac->ac_bh, suballoc_bit, bg_blkno, 1);
+-              if (tmp)
+-                      mlog_errno(tmp);
+-      }
+-
+-      return status;
+ }
+ static int ocfs2_mkdir(struct user_namespace *mnt_userns,
diff --git a/queue-6.0/selinux-enable-use-of-both-gfp_kernel-and-gfp_atomic-in-convert_context.patch b/queue-6.0/selinux-enable-use-of-both-gfp_kernel-and-gfp_atomic-in-convert_context.patch
new file mode 100644 (file)
index 0000000..b3d1fb1
--- /dev/null
@@ -0,0 +1,129 @@
+From abe3c631447dcd1ba7af972fe6f054bee6f136fa Mon Sep 17 00:00:00 2001
+From: "GONG, Ruiqi" <gongruiqi1@huawei.com>
+Date: Wed, 19 Oct 2022 10:57:10 +0800
+Subject: selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()
+
+From: GONG, Ruiqi <gongruiqi1@huawei.com>
+
+commit abe3c631447dcd1ba7af972fe6f054bee6f136fa upstream.
+
+The following warning was triggered on a hardware environment:
+
+  SELinux: Converting 162 SID table entries...
+  BUG: sleeping function called from invalid context at
+       __might_sleep+0x60/0x74 0x0
+  in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 5943, name: tar
+  CPU: 7 PID: 5943 Comm: tar Tainted: P O 5.10.0 #1
+  Call trace:
+   dump_backtrace+0x0/0x1c8
+   show_stack+0x18/0x28
+   dump_stack+0xe8/0x15c
+   ___might_sleep+0x168/0x17c
+   __might_sleep+0x60/0x74
+   __kmalloc_track_caller+0xa0/0x7dc
+   kstrdup+0x54/0xac
+   convert_context+0x48/0x2e4
+   sidtab_context_to_sid+0x1c4/0x36c
+   security_context_to_sid_core+0x168/0x238
+   security_context_to_sid_default+0x14/0x24
+   inode_doinit_use_xattr+0x164/0x1e4
+   inode_doinit_with_dentry+0x1c0/0x488
+   selinux_d_instantiate+0x20/0x34
+   security_d_instantiate+0x70/0xbc
+   d_splice_alias+0x4c/0x3c0
+   ext4_lookup+0x1d8/0x200 [ext4]
+   __lookup_slow+0x12c/0x1e4
+   walk_component+0x100/0x200
+   path_lookupat+0x88/0x118
+   filename_lookup+0x98/0x130
+   user_path_at_empty+0x48/0x60
+   vfs_statx+0x84/0x140
+   vfs_fstatat+0x20/0x30
+   __se_sys_newfstatat+0x30/0x74
+   __arm64_sys_newfstatat+0x1c/0x2c
+   el0_svc_common.constprop.0+0x100/0x184
+   do_el0_svc+0x1c/0x2c
+   el0_svc+0x20/0x34
+   el0_sync_handler+0x80/0x17c
+   el0_sync+0x13c/0x140
+  SELinux: Context system_u:object_r:pssp_rsyslog_log_t:s0:c0 is
+           not valid (left unmapped).
+
+It was found that within a critical section of spin_lock_irqsave in
+sidtab_context_to_sid(), convert_context() (hooked by
+sidtab_convert_params.func) might cause the process to sleep via
+allocating memory with GFP_KERNEL, which is problematic.
+
+As Ondrej pointed out [1], convert_context()/sidtab_convert_params.func
+has another caller sidtab_convert_tree(), which is okay with GFP_KERNEL.
+Therefore, fix this problem by adding a gfp_t argument for
+convert_context()/sidtab_convert_params.func and pass GFP_KERNEL/_ATOMIC
+properly in individual callers.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20221018120111.1474581-1-gongruiqi1@huawei.com/ [1]
+Reported-by: Tan Ninghao <tanninghao1@huawei.com>
+Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance")
+Signed-off-by: GONG, Ruiqi <gongruiqi1@huawei.com>
+Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
+[PM: wrap long BUG() output lines, tweak subject line]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/ss/services.c |    5 +++--
+ security/selinux/ss/sidtab.c   |    4 ++--
+ security/selinux/ss/sidtab.h   |    2 +-
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -2022,7 +2022,8 @@ static inline int convert_context_handle
+  * in `newc'.  Verify that the context is valid
+  * under the new policy.
+  */
+-static int convert_context(struct context *oldc, struct context *newc, void *p)
++static int convert_context(struct context *oldc, struct context *newc, void *p,
++                         gfp_t gfp_flags)
+ {
+       struct convert_context_args *args;
+       struct ocontext *oc;
+@@ -2036,7 +2037,7 @@ static int convert_context(struct contex
+       args = p;
+       if (oldc->str) {
+-              s = kstrdup(oldc->str, GFP_KERNEL);
++              s = kstrdup(oldc->str, gfp_flags);
+               if (!s)
+                       return -ENOMEM;
+--- a/security/selinux/ss/sidtab.c
++++ b/security/selinux/ss/sidtab.c
+@@ -325,7 +325,7 @@ int sidtab_context_to_sid(struct sidtab
+               }
+               rc = convert->func(context, &dst_convert->context,
+-                                 convert->args);
++                                 convert->args, GFP_ATOMIC);
+               if (rc) {
+                       context_destroy(&dst->context);
+                       goto out_unlock;
+@@ -404,7 +404,7 @@ static int sidtab_convert_tree(union sid
+               while (i < SIDTAB_LEAF_ENTRIES && *pos < count) {
+                       rc = convert->func(&esrc->ptr_leaf->entries[i].context,
+                                          &edst->ptr_leaf->entries[i].context,
+-                                         convert->args);
++                                         convert->args, GFP_KERNEL);
+                       if (rc)
+                               return rc;
+                       (*pos)++;
+--- a/security/selinux/ss/sidtab.h
++++ b/security/selinux/ss/sidtab.h
+@@ -65,7 +65,7 @@ struct sidtab_isid_entry {
+ };
+ struct sidtab_convert_params {
+-      int (*func)(struct context *oldc, struct context *newc, void *args);
++      int (*func)(struct context *oldc, struct context *newc, void *args, gfp_t gfp_flags);
+       void *args;
+       struct sidtab *target;
+ };
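Review bot: Only the `kstrdup()` call in convert_context() is switched to `gfp_flags`, and the rest of the function is outside the hunk. Any other allocation it reaches that still uses GFP_KERNEL would keep the sleep-in-atomic problem when sidtab_context_to_sid() calls it with GFP_ATOMIC, so the remaining body and the helpers it calls should be audited for allocations. The comment block above convert_context() should also gain a line such as ` * Allocations use gfp_flags; callers holding a spinlock must pass GFP_ATOMIC.` so that the contract of the new parameter is recorded next to the function.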
index 78407f2cd1e284f966b247e7d32d4ee41ebf11df..a9cbd5b36418edcc229c429ce5c4eed399f46afa 100644 (file)
@@ -1 +1,24 @@
 video-aperture-call-sysfb_disable-before-removing-pci-devices.patch
+ocfs2-clear-dinode-links-count-in-case-of-error.patch
+ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch
+smb3-interface-count-displayed-incorrectly.patch
+selinux-enable-use-of-both-gfp_kernel-and-gfp_atomic-in-convert_context.patch
+cpufreq-qcom-fix-writes-in-read-only-memory-region.patch
+i2c-qcom-cci-fix-ordering-of-pm_runtime_xx-and-i2c_add_adapter.patch
+cpufreq-tegra194-fix-module-loading.patch
+x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch
+hwmon-coretemp-handle-large-core-id-value.patch
+ata-ahci-imx-fix-module_alias.patch
+ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch
+x86-resctrl-fix-min_cbm_bits-for-amd.patch
+cpufreq-qcom-fix-memory-leak-in-error-path.patch
+drm-amdgpu-fix-sdma-doorbell-init-ordering-on-apus.patch
+mm-hugetlb-take-hugetlb_lock-before-decrementing-h-resv_huge_pages.patch
+kvm-add-support-for-arch-compat-vm-ioctls.patch
+kvm-x86-copy-filter-arg-outside-kvm_vm_ioctl_set_msr_filter.patch
+kvm-x86-add-compat-handler-for-kvm_x86_set_msr_filter.patch
+kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch
+media-ipu3-imgu-fix-null-pointer-dereference-in-active-selection-access.patch
+media-mceusb-set-timeout-to-at-least-timeout-provided.patch
+media-venus-dec-handle-the-case-where-find_format-fails.patch
+media-venus-fix-nv12-decoder-buffer-discovery-on-hfi_version_1xx.patch
diff --git a/queue-6.0/smb3-interface-count-displayed-incorrectly.patch b/queue-6.0/smb3-interface-count-displayed-incorrectly.patch
new file mode 100644 (file)
index 0000000..dd2fb39
--- /dev/null
@@ -0,0 +1,48 @@
+From 096bbeec7bd6fb683831a9ca4850a6b6a3f04740 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Sat, 15 Oct 2022 17:02:30 -0500
+Subject: smb3: interface count displayed incorrectly
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 096bbeec7bd6fb683831a9ca4850a6b6a3f04740 upstream.
+
+The "Server interfaces" count in /proc/fs/cifs/DebugData increases
+as the interfaces are requeried, rather than being reset to the new
+value.  This could cause a problem if the server disabled
+multichannel as the iface_count is checked in try_adding_channels
+to see if multichannel still supported.
+
+Also fixes a coverity warning:
+
+Addresses-Coverity: 1526374 ("Concurrent data access violations  (MISSING_LOCK)")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Bharath SM <bharathsm@microsoft.com>
+Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2ops.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -530,6 +530,7 @@ parse_server_interfaces(struct network_i
+       p = buf;
+       spin_lock(&ses->iface_lock);
++      ses->iface_count = 0;
+       /*
+        * Go through iface_list and do kref_put to remove
+        * any unused ifaces. ifaces in use will be removed
+@@ -650,9 +651,9 @@ parse_server_interfaces(struct network_i
+                       kref_put(&iface->refcount, release_iface);
+               } else
+                       list_add_tail(&info->iface_head, &ses->iface_list);
+-              spin_unlock(&ses->iface_lock);
+               ses->iface_count++;
++              spin_unlock(&ses->iface_lock);
+               ses->iface_last_update = jiffies;
+ next_iface:
+               nb_iface++;
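Review bot: In the second fs/cifs/smb2ops.c hunk, `ses->iface_count++` sits above the `next_iface:` label, so after the first hunk resets the count to 0, any interface whose handling jumps straight to `next_iface` is never counted. That jump is outside the hunk, so this is inferred; but if the already-known-interface path takes it, the count under-reports after a requery, and the description says try_adding_channels relies on this value. The unlock inside the loop also suggests `iface_lock` is dropped between the reset and the re-count, so a concurrent reader could see 0 or a partial count. Accumulating into a local counter and storing it once under the lock after the loop, `ses->iface_count = <local count>;`, would address both. parse_server_interfaces starts and ends outside these hunks, and `ses->iface_last_update = jiffies;` is still written after the unlock.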
diff --git a/queue-6.0/x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch b/queue-6.0/x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch
new file mode 100644 (file)
index 0000000..9920562
--- /dev/null
@@ -0,0 +1,76 @@
+From e7ad18d1169c62e6c78c01ff693fd362d9d65278 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Wed, 5 Oct 2022 12:00:08 +0200
+Subject: x86/microcode/AMD: Apply the patch early on every logical thread
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov <bp@suse.de>
+
+commit e7ad18d1169c62e6c78c01ff693fd362d9d65278 upstream.
+
+Currently, the patch application logic checks whether the revision
+needs to be applied on each logical CPU (SMT thread). Therefore, on SMT
+designs where the microcode engine is shared between the two threads,
+the application happens only on one of them as that is enough to update
+the shared microcode engine.
+
+However, there are microcode patches which do per-thread modification,
+see Link tag below.
+
+Therefore, drop the revision check and try applying on each thread. This
+is what the BIOS does too so this method is very much tested.
+
+Btw, change only the early paths. On the late loading paths, there's no
+point in doing per-thread modification because if is it some case like
+in the bugzilla below - removing a CPUID flag - the kernel cannot go and
+un-use features it has detected are there early. For that, one should
+use early loading anyway.
+
+  [ bp: Fixes does not contain the oldest commit which did check for
+    equality but that is good enough. ]
+
+Fixes: 8801b3fcb574 ("x86/microcode/AMD: Rework container parsing")
+Reported-by:  Ștefan Talpalaru <stefantalpalaru@yahoo.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Tested-by:  Ștefan Talpalaru <stefantalpalaru@yahoo.com>
+Cc: <stable@vger.kernel.org>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216211
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/microcode/amd.c |   16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/cpu/microcode/amd.c
++++ b/arch/x86/kernel/cpu/microcode/amd.c
+@@ -440,7 +440,13 @@ apply_microcode_early_amd(u32 cpuid_1_ea
+               return ret;
+       native_rdmsr(MSR_AMD64_PATCH_LEVEL, rev, dummy);
+-      if (rev >= mc->hdr.patch_id)
++
++      /*
++       * Allow application of the same revision to pick up SMT-specific
++       * changes even if the revision of the other SMT thread is already
++       * up-to-date.
++       */
++      if (rev > mc->hdr.patch_id)
+               return ret;
+       if (!__apply_microcode_amd(mc)) {
+@@ -528,8 +534,12 @@ void load_ucode_amd_ap(unsigned int cpui
+       native_rdmsr(MSR_AMD64_PATCH_LEVEL, rev, dummy);
+-      /* Check whether we have saved a new patch already: */
+-      if (*new_rev && rev < mc->hdr.patch_id) {
++      /*
++       * Check whether a new patch has been saved already. Also, allow application of
++       * the same revision in order to pick up SMT-thread-specific configuration even
++       * if the sibling SMT thread already has an up-to-date revision.
++       */
++      if (*new_rev && rev <= mc->hdr.patch_id) {
+               if (!__apply_microcode_amd(mc)) {
+                       *new_rev = mc->hdr.patch_id;
+                       return;
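Review bot: With the checks relaxed to `rev > mc->hdr.patch_id` and `rev <= mc->hdr.patch_id`, an equal revision now reaches `__apply_microcode_amd(mc)`, and nothing in either hunk separates "re-applied the same revision" from "upgraded". The helper is outside the hunks; if it confirms success by reading the patch level back and comparing it with `patch_id`, a re-apply that silently did nothing on this thread would still look successful. The new comments should state that limit, for example `/* rev == patch_id: a readback cannot confirm that the re-apply took effect on this thread */`. In load_ucode_amd_ap, `*new_rev = mc->hdr.patch_id;` now also runs when the revision did not change, so any consumer treating `new_rev` as "a newer revision was loaded" deserves a check. Both functions start and end outside the hunks.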
diff --git a/queue-6.0/x86-resctrl-fix-min_cbm_bits-for-amd.patch b/queue-6.0/x86-resctrl-fix-min_cbm_bits-for-amd.patch
new file mode 100644 (file)
index 0000000..54510d8
--- /dev/null
@@ -0,0 +1,100 @@
+From 67bf6493449b09590f9f71d7df29efb392b12d25 Mon Sep 17 00:00:00 2001
+From: Babu Moger <babu.moger@amd.com>
+Date: Tue, 27 Sep 2022 15:16:29 -0500
+Subject: x86/resctrl: Fix min_cbm_bits for AMD
+
+From: Babu Moger <babu.moger@amd.com>
+
+commit 67bf6493449b09590f9f71d7df29efb392b12d25 upstream.
+
+AMD systems support zero CBM (capacity bit mask) for cache allocation.
+That is reflected in rdt_init_res_defs_amd() by:
+
+  r->cache.arch_has_empty_bitmaps = true;
+
+However given the unified code in cbm_validate(), checking for:
+
+  val == 0 && !arch_has_empty_bitmaps
+
+is not enough because of another check in cbm_validate():
+
+  if ((zero_bit - first_bit) < r->cache.min_cbm_bits)
+
+The default value of r->cache.min_cbm_bits = 1.
+
+Leading to:
+
+  $ cd /sys/fs/resctrl
+  $ mkdir foo
+  $ cd foo
+  $ echo L3:0=0 > schemata
+    -bash: echo: write error: Invalid argument
+  $ cat /sys/fs/resctrl/info/last_cmd_status
+    Need at least 1 bits in the mask
+
+Initialize the min_cbm_bits to 0 for AMD. Also, remove the default
+setting of min_cbm_bits and initialize it separately.
+
+After the fix:
+
+  $ cd /sys/fs/resctrl
+  $ mkdir foo
+  $ cd foo
+  $ echo L3:0=0 > schemata
+  $ cat /sys/fs/resctrl/info/last_cmd_status
+    ok
+
+Fixes: 316e7f901f5a ("x86/resctrl: Add struct rdt_cache::arch_has_{sparse, empty}_bitmaps")
+Co-developed-by: Stephane Eranian <eranian@google.com>
+Signed-off-by: Stephane Eranian <eranian@google.com>
+Signed-off-by: Babu Moger <babu.moger@amd.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: James Morse <james.morse@arm.com>
+Reviewed-by: Reinette Chatre <reinette.chatre@intel.com>
+Reviewed-by: Fenghua Yu <fenghua.yu@intel.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/lkml/20220517001234.3137157-1-eranian@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/resctrl/core.c |    8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/cpu/resctrl/core.c
++++ b/arch/x86/kernel/cpu/resctrl/core.c
+@@ -66,9 +66,6 @@ struct rdt_hw_resource rdt_resources_all
+                       .rid                    = RDT_RESOURCE_L3,
+                       .name                   = "L3",
+                       .cache_level            = 3,
+-                      .cache = {
+-                              .min_cbm_bits   = 1,
+-                      },
+                       .domains                = domain_init(RDT_RESOURCE_L3),
+                       .parse_ctrlval          = parse_cbm,
+                       .format_str             = "%d=%0*x",
+@@ -83,9 +80,6 @@ struct rdt_hw_resource rdt_resources_all
+                       .rid                    = RDT_RESOURCE_L2,
+                       .name                   = "L2",
+                       .cache_level            = 2,
+-                      .cache = {
+-                              .min_cbm_bits   = 1,
+-                      },
+                       .domains                = domain_init(RDT_RESOURCE_L2),
+                       .parse_ctrlval          = parse_cbm,
+                       .format_str             = "%d=%0*x",
+@@ -877,6 +871,7 @@ static __init void rdt_init_res_defs_int
+                       r->cache.arch_has_sparse_bitmaps = false;
+                       r->cache.arch_has_empty_bitmaps = false;
+                       r->cache.arch_has_per_cpu_cfg = false;
++                      r->cache.min_cbm_bits = 1;
+               } else if (r->rid == RDT_RESOURCE_MBA) {
+                       hw_res->msr_base = MSR_IA32_MBA_THRTL_BASE;
+                       hw_res->msr_update = mba_wrmsr_intel;
+@@ -897,6 +892,7 @@ static __init void rdt_init_res_defs_amd
+                       r->cache.arch_has_sparse_bitmaps = true;
+                       r->cache.arch_has_empty_bitmaps = true;
+                       r->cache.arch_has_per_cpu_cfg = true;
++                      r->cache.min_cbm_bits = 0;
+               } else if (r->rid == RDT_RESOURCE_MBA) {
+                       hw_res->msr_base = MSR_IA32_MBA_BW_BASE;
+                       hw_res->msr_update = mba_wrmsr_amd;
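Review bot: Dropping `.min_cbm_bits = 1` from the static L3 and L2 initialisers makes the field default to 0 unless one of the two vendor init functions sets it. Any cache resource that reaches cbm_validate() without going through rdt_init_res_defs_intel() or rdt_init_res_defs_amd() would then silently accept a shorter mask than before; whether such a path exists cannot be seen from these hunks. The AMD assignment should say why 0 is intended and that it must stay paired with the flag above it, e.g. `/* empty CBMs are valid on AMD (arch_has_empty_bitmaps), so no minimum number of set bits */`. A matching one-line comment on `r->cache.min_cbm_bits = 1;` in the Intel branch would record that this is now the only place the minimum is established. Both init functions start and end outside the hunks.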