--- /dev/null
+From 18d7e16c917a08f08778ecf2b780d63648d5d923 Mon Sep 17 00:00:00 2001
+From: Bo Liu <bo.liu@senarytech.com>
+Date: Thu, 9 Feb 2023 10:13:48 +0800
+Subject: ALSA: hda/conexant: add a new hda codec SN6180
+
+From: Bo Liu <bo.liu@senarytech.com>
+
+commit 18d7e16c917a08f08778ecf2b780d63648d5d923 upstream.
+
+The current kernel does not support the SN6180 codec chip.
+Add the SN6180 codec configuration item to kernel.
+
+Signed-off-by: Bo Liu <bo.liu@senarytech.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1675908828-1012-1-git-send-email-bo.liu@senarytech.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -1125,6 +1125,7 @@ static const struct hda_device_id snd_hd
+ HDA_CODEC_ENTRY(0x14f11f87, "SN6140", patch_conexant_auto),
+ HDA_CODEC_ENTRY(0x14f12008, "CX8200", patch_conexant_auto),
+ HDA_CODEC_ENTRY(0x14f120d0, "CX11970", patch_conexant_auto),
++ HDA_CODEC_ENTRY(0x14f120d1, "SN6180", patch_conexant_auto),
+ HDA_CODEC_ENTRY(0x14f15045, "CX20549 (Venice)", patch_conexant_auto),
+ HDA_CODEC_ENTRY(0x14f15047, "CX20551 (Waikiki)", patch_conexant_auto),
+ HDA_CODEC_ENTRY(0x14f15051, "CX20561 (Hermosa)", patch_conexant_auto),
--- /dev/null
+From 3af4a4f7a20c94009adba65764fa5a0269d70a82 Mon Sep 17 00:00:00 2001
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+Date: Fri, 10 Feb 2023 17:55:41 +0100
+Subject: ALSA: hda: Fix codec device field initializan
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+commit 3af4a4f7a20c94009adba65764fa5a0269d70a82 upstream.
+
+Commit f2bd1c5ae2cb ("ALSA: hda: Fix page fault in
+snd_hda_codec_shutdown()") relocated initialization of several codec
+device fields. Due to differences between codec_exec_verb() and
+snd_hdac_bus_exec_bus() in how they handle VERB execution - the latter
+does not touch PM - assigning ->exec_verb to codec_exec_verb() causes PM
+to be engaged before it is configured for the device. Configuration of
+PM for the ASoC HDAudio sound card is done with snd_hda_set_power_save()
+during skl_hda_audio_probe() whereas the assignment happens early, in
+snd_hda_codec_device_init().
+
+Revert to previous behavior to avoid problems caused by too early PM
+manipulation.
+
+Suggested-by: Jason Montleon <jmontleo@redhat.com>
+Link: https://lore.kernel.org/regressions/CALFERdzKUodLsm6=Ub3g2+PxpNpPtPq3bGBLbff=eZr9_S=YVA@mail.gmail.com
+Fixes: f2bd1c5ae2cb ("ALSA: hda: Fix page fault in snd_hda_codec_shutdown()")
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://lore.kernel.org/r/20230210165541.3543604-1-cezary.rojewski@intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/hda_codec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
+index ac1cc7c5290e..2e728aad6771 100644
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -927,7 +927,6 @@ snd_hda_codec_device_init(struct hda_bus *bus, unsigned int codec_addr,
+ codec->depop_delay = -1;
+ codec->fixup_id = HDA_FIXUP_ID_NOT_SET;
+ codec->core.dev.release = snd_hda_codec_dev_release;
+- codec->core.exec_verb = codec_exec_verb;
+ codec->core.type = HDA_DEV_LEGACY;
+
+ mutex_init(&codec->spdif_mutex);
+@@ -998,6 +997,7 @@ int snd_hda_codec_device_new(struct hda_bus *bus, struct snd_card *card,
+ if (snd_BUG_ON(codec_addr > HDA_MAX_CODEC_ADDRESS))
+ return -EINVAL;
+
++ codec->core.exec_verb = codec_exec_verb;
+ codec->card = card;
+ codec->addr = codec_addr;
+
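Review bot: The `codec->core.exec_verb = codec_exec_verb;` assignment added in snd_hda_codec_device_new() carries no comment saying why it must live here rather than in snd_hda_codec_device_init(), and the line has now been moved once by f2bd1c5ae2cb and back again by this commit. A short comment above it would keep the next refactor from repeating the regression, e.g. `/* set here, not in snd_hda_codec_device_init(): codec_exec_verb() engages PM, which the ASoC HDAudio card configures only later */`. Both functions start and end outside the hunks shown, so whether any verb is issued between the two calls cannot be checked from here.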
+--
+2.39.1
+
--- /dev/null
+From 9251584af09285133bec0595e5c7218fe2e595c9 Mon Sep 17 00:00:00 2001
+From: Andy Chi <andy.chi@canonical.com>
+Date: Tue, 14 Feb 2023 22:04:31 +0800
+Subject: ALSA: hda/realtek: Enable mute/micmute LEDs and speaker support for HP Laptops
+
+From: Andy Chi <andy.chi@canonical.com>
+
+commit 9251584af09285133bec0595e5c7218fe2e595c9 upstream.
+
+On HP Laptops, requires the ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED quirk to
+make its audio LEDs and speaker work.
+
+Signed-off-by: Andy Chi <andy.chi@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230214140432.39654-1-andy.chi@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9432,6 +9432,12 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8abb, "HP ZBook Firefly 14 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8ad1, "HP EliteBook 840 14 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8ad2, "HP EliteBook 860 16 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8b42, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8b43, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8b44, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8b45, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8b46, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8b47, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b5d, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8b5e, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8b7a, "HP", ALC236_FIXUP_HP_GPIO_LED),
--- /dev/null
+From 5007b848ff2234ff7ea55755cb315766888988da Mon Sep 17 00:00:00 2001
+From: Andy Chi <andy.chi@canonical.com>
+Date: Tue, 14 Feb 2023 11:58:51 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs don't work for a HP platform.
+
+From: Andy Chi <andy.chi@canonical.com>
+
+commit 5007b848ff2234ff7ea55755cb315766888988da upstream.
+
+There is a HP platform needs ALC236_FIXUP_HP_GPIO_LED quirk to
+make mic-mute/audio-mute working.
+
+Signed-off-by: Andy Chi <andy.chi@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230214035853.31217-1-andy.chi@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9436,6 +9436,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8b5e, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8b7a, "HP", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b7d, "HP", ALC236_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8b87, "HP", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b8a, "HP", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b8b, "HP", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b8d, "HP", ALC236_FIXUP_HP_GPIO_LED),
--- /dev/null
+From 2bdccfd290d421b50df4ec6a68d832dad1310748 Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Mon, 13 Feb 2023 14:54:22 +0800
+Subject: ALSA: hda/realtek - fixed wrong gpio assigned
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit 2bdccfd290d421b50df4ec6a68d832dad1310748 upstream.
+
+GPIO2 PIN use for output. Mask Dir and Data need to assign for 0x4. Not 0x3.
+This fixed was for Lenovo Desktop(0x17aa1056). GPIO2 use for AMP enable.
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/8d02bb9ac8134f878cd08607fdf088fd@realtek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -832,7 +832,7 @@ do_sku:
+ alc_setup_gpio(codec, 0x02);
+ break;
+ case 7:
+- alc_setup_gpio(codec, 0x03);
++ alc_setup_gpio(codec, 0x04);
+ break;
+ case 5:
+ default:
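Review bot: The literal in `alc_setup_gpio(codec, 0x04);` under `case 7:` is a bit mask rather than a pin number, and nothing at the call site says so; the value it replaces, 0x03, has bits 0 and 1 set, not bit 2. A trailing comment such as `/* GPIO2 (bit 2): mask, dir and data */` would make the `0x02` and `0x04` cases readable without the commit log. The switch begins and ends outside the hunk, so the remaining cases were not checked.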
--- /dev/null
+From 104ff59af73aba524e57ae0fef70121643ff270e Mon Sep 17 00:00:00 2001
+From: Simon Gaiser <simon@invisiblethingslab.com>
+Date: Mon, 13 Feb 2023 11:24:49 +0100
+Subject: ata: ahci: Add Tiger Lake UP{3,4} AHCI controller
+
+From: Simon Gaiser <simon@invisiblethingslab.com>
+
+commit 104ff59af73aba524e57ae0fef70121643ff270e upstream.
+
+Mark the Tiger Lake UP{3,4} AHCI controller as "low_power". This enables
+S0ix to work out of the box. Otherwise this isn't working unless the
+user manually sets /sys/class/scsi_host/*/link_power_management_policy.
+
+Intel lists a total of 4 SATA controller IDs in [1] for those mobile
+PCHs. This commit just adds the "AHCI" variant since I only tested
+those.
+
+[1]: https://cdrdv2.intel.com/v1/dl/getContent/631119
+
+Signed-off-by: Simon Gaiser <simon@invisiblethingslab.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/ahci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -422,6 +422,7 @@ static const struct pci_device_id ahci_p
+ { PCI_VDEVICE(INTEL, 0x34d3), board_ahci_low_power }, /* Ice Lake LP AHCI */
+ { PCI_VDEVICE(INTEL, 0x02d3), board_ahci_low_power }, /* Comet Lake PCH-U AHCI */
+ { PCI_VDEVICE(INTEL, 0x02d7), board_ahci_low_power }, /* Comet Lake PCH RAID */
++ { PCI_VDEVICE(INTEL, 0xa0d3), board_ahci_low_power }, /* Tiger Lake UP{3,4} AHCI */
+
+ /* JMicron 360/1/3/5/6, match class to avoid IDE function */
+ { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
--- /dev/null
+From ead089577e0f55b238f980d9f62eaa90b7b64672 Mon Sep 17 00:00:00 2001
+From: Patrick McLean <chutzpah@gentoo.org>
+Date: Fri, 10 Feb 2023 13:51:51 -0800
+Subject: ata: libata-core: Disable READ LOG DMA EXT for Samsung MZ7LH
+
+From: Patrick McLean <chutzpah@gentoo.org>
+
+commit ead089577e0f55b238f980d9f62eaa90b7b64672 upstream.
+
+Samsung MZ7LH drives are spewing messages like this in to dmesg with AMD
+SATA controllers:
+
+ata1.00: exception Emask 0x0 SAct 0x7e0000 SErr 0x0 action 0x6 frozen
+ata1.00: failed command: SEND FPDMA QUEUED
+ata1.00: cmd 64/01:88:00:00:00/00:00:00:00:00/a0 tag 17 ncq dma 512 out
+ res 40/00:01:01:4f:c2/00:00:00:00:00/00 Emask
+ 0x4 (timeout)
+
+Since this was seen previously with SSD 840 EVO drives in
+https://bugzilla.kernel.org/show_bug.cgi?id=203475 let's add the same
+fix for these drives as the EVOs have, since they likely have very
+similar firmwares.
+
+Signed-off-by: Patrick McLean <chutzpah@gentoo.org>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4044,6 +4044,9 @@ static const struct ata_blacklist_entry
+ { "Samsung SSD 870*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
+ ATA_HORKAGE_ZERO_AFTER_TRIM |
+ ATA_HORKAGE_NO_NCQ_ON_ATI },
++ { "SAMSUNG*MZ7LH*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
++ ATA_HORKAGE_ZERO_AFTER_TRIM |
++ ATA_HORKAGE_NO_NCQ_ON_ATI, },
+ { "FCCT*M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
+ ATA_HORKAGE_ZERO_AFTER_TRIM },
+
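Review bot: The new `"SAMSUNG*MZ7LH*"` entry sets no flag that turns off READ LOG DMA EXT, although the subject line says that is what the commit does; its three flags are the same ones the `Samsung SSD 870*` entry just above carries. If the 840 EVO treatment referred to in the description is what is wanted, `ATA_HORKAGE_NO_DMA_LOG` would have to be part of the mask; if the NCQ-related flags are the actual remedy for the `SEND FPDMA QUEUED` timeouts, a comment on the entry should say so. The closing `ATA_HORKAGE_NO_NCQ_ON_ATI, },` also has a comma before the brace that the neighbouring entries do not have. The table starts and ends outside the hunk.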
--- /dev/null
+From eedeb787ebb53de5c5dcf7b7b39d01bf1b0f037d Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Fri, 3 Feb 2023 15:31:11 +0100
+Subject: freezer,umh: Fix call_usermode_helper_exec() vs SIGKILL
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit eedeb787ebb53de5c5dcf7b7b39d01bf1b0f037d upstream.
+
+Tetsuo-San noted that commit f5d39b020809 ("freezer,sched: Rewrite
+core freezer logic") broke call_usermodehelper_exec() for the KILLABLE
+case.
+
+Specifically it was missed that the second, unconditional,
+wait_for_completion() was not optional and ensures the on-stack
+completion is unused before going out-of-scope.
+
+Fixes: f5d39b020809 ("freezer,sched: Rewrite core freezer logic")
+Reported-by: syzbot+6cd18e123583550cf469@syzkaller.appspotmail.com
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Debugged-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/Y90ar35uKQoUrLEK@hirez.programming.kicks-ass.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/umh.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/kernel/umh.c b/kernel/umh.c
+index 850631518665..fbf872c624cb 100644
+--- a/kernel/umh.c
++++ b/kernel/umh.c
+@@ -438,21 +438,27 @@ int call_usermodehelper_exec(struct subprocess_info *sub_info, int wait)
+ if (wait == UMH_NO_WAIT) /* task has freed sub_info */
+ goto unlock;
+
+- if (wait & UMH_KILLABLE)
+- state |= TASK_KILLABLE;
+-
+ if (wait & UMH_FREEZABLE)
+ state |= TASK_FREEZABLE;
+
+- retval = wait_for_completion_state(&done, state);
+- if (!retval)
+- goto wait_done;
+-
+ if (wait & UMH_KILLABLE) {
++ retval = wait_for_completion_state(&done, state | TASK_KILLABLE);
++ if (!retval)
++ goto wait_done;
++
+ /* umh_complete() will see NULL and free sub_info */
+ if (xchg(&sub_info->complete, NULL))
+ goto unlock;
++
++ /*
++ * fallthrough; in case of -ERESTARTSYS now do uninterruptible
++ * wait_for_completion_state(). Since umh_complete() shall call
++ * complete() in a moment if xchg() above returned NULL, this
++ * uninterruptible wait_for_completion_state() will not block
++ * SIGKILL'ed processes for long.
++ */
+ }
++ wait_for_completion_state(&done, state);
+
+ wait_done:
+ retval = sub_info->retval;
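Review bot: The return value of the final `wait_for_completion_state(&done, state);` is discarded, so the on-stack `done` is only safe if `state` can never let that wait return early; `state` is initialised above the hunk, and the only bit added to it here is `TASK_FREEZABLE`. The added block comment explains the SIGKILL latency but not this lifetime requirement, and its opening word "fallthrough" reads like a switch annotation. I would put the invariant next to the call, e.g. `/* must not be interruptible: 'done' lives in this stack frame and umh_complete() may still call complete() on it */`. call_usermodehelper_exec() starts and ends outside the hunk.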
+--
+2.39.1
+
--- /dev/null
+From 79eeab1d85e0fee4c0bc36f3b6ddf3920f39f74b Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Fri, 17 Feb 2023 12:02:26 +0100
+Subject: gpio: sim: fix a memory leak
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit 79eeab1d85e0fee4c0bc36f3b6ddf3920f39f74b upstream.
+
+Fix an inverted logic bug in gpio_sim_remove_hogs() that leads to GPIO
+hog structures never being freed.
+
+Fixes: cb8c474e79be ("gpio: sim: new testing module")
+Reported-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-sim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-sim.c
++++ b/drivers/gpio/gpio-sim.c
+@@ -732,7 +732,7 @@ static void gpio_sim_remove_hogs(struct
+
+ gpiod_remove_hogs(dev->hogs);
+
+- for (hog = dev->hogs; !hog->chip_label; hog++) {
++ for (hog = dev->hogs; hog->chip_label; hog++) {
+ kfree(hog->chip_label);
+ kfree(hog->line_name);
+ }
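Review bot: The corrected loop `for (hog = dev->hogs; hog->chip_label; hog++)` uses `chip_label` both as data to free and as the end-of-array marker, and nothing in the hunk states that `dev->hogs` ends in a zeroed entry. An entry with a NULL `chip_label` but an allocated `line_name` would stop the walk early and leave everything after it unfreed; whether the code that builds the array can produce one is not visible here. A comment above the loop, `/* dev->hogs is terminated by an entry with chip_label == NULL */`, would record the contract. gpio_sim_remove_hogs() starts and ends outside the hunk.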
--- /dev/null
+From ec4288fe63966b26d53907212ecd05dfa81dd2cc Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Wed, 15 Feb 2023 17:35:42 -0800
+Subject: hugetlb: check for undefined shift on 32 bit architectures
+
+From: Mike Kravetz <mike.kravetz@oracle.com>
+
+commit ec4288fe63966b26d53907212ecd05dfa81dd2cc upstream.
+
+Users can specify the hugetlb page size in the mmap, shmget and
+memfd_create system calls. This is done by using 6 bits within the flags
+argument to encode the base-2 logarithm of the desired page size. The
+routine hstate_sizelog() uses the log2 value to find the corresponding
+hugetlb hstate structure. Converting the log2 value (page_size_log) to
+potential hugetlb page size is the simple statement:
+
+ 1UL << page_size_log
+
+Because only 6 bits are used for page_size_log, the left shift can not be
+greater than 63. This is fine on 64 bit architectures where a long is 64
+bits. However, if a value greater than 31 is passed on a 32 bit
+architecture (where long is 32 bits) the shift will result in undefined
+behavior. This was generally not an issue as the result of the undefined
+shift had to exactly match hugetlb page size to proceed.
+
+Recent improvements in runtime checking have resulted in this undefined
+behavior throwing errors such as reported below.
+
+Fix by comparing page_size_log to BITS_PER_LONG before doing shift.
+
+Link: https://lkml.kernel.org/r/20230216013542.138708-1-mike.kravetz@oracle.com
+Link: https://lore.kernel.org/lkml/CA+G9fYuei_Tr-vN9GS7SfFyU1y9hNysnf=PB7kT0=yv4MiPgVg@mail.gmail.com/
+Fixes: 42d7395feb56 ("mm: support more pagesizes for MAP_HUGETLB/SHM_HUGETLB")
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Reviewed-by: Jesper Juhl <jesperjuhl76@gmail.com>
+Acked-by: Muchun Song <songmuchun@bytedance.com>
+Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Cc: Anders Roxell <anders.roxell@linaro.org>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Sasha Levin <sashal@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/hugetlb.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -753,7 +753,10 @@ static inline struct hstate *hstate_size
+ if (!page_size_log)
+ return &default_hstate;
+
+- return size_to_hstate(1UL << page_size_log);
++ if (page_size_log < BITS_PER_LONG)
++ return size_to_hstate(1UL << page_size_log);
++
++ return NULL;
+ }
+
+ static inline struct hstate *hstate_vma(struct vm_area_struct *vma)
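Review bot: The new guard `if (page_size_log < BITS_PER_LONG)` bounds the shift count only from above, and the parameter's type is cut off in the hunk header; if it is a signed int, a negative value passes the check and `1UL << page_size_log` is still undefined. The callers named in the description derive the value from 6 flag bits, so this is probably unreachable today, but the helper would be self-contained with `if (page_size_log > 0 && page_size_log < BITS_PER_LONG)` or an unsigned parameter. A one-line comment on the new `return NULL;` would also help, since callers now receive NULL for an out-of-range log value as well as (presumably, size_to_hstate() is not shown) for a size with no matching hstate.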
--- /dev/null
+From 5956592ce337330cdff0399a6f8b6a5aea397a8e Mon Sep 17 00:00:00 2001
+From: Qian Yingjin <qian@ddn.com>
+Date: Wed, 8 Feb 2023 10:24:00 +0800
+Subject: mm/filemap: fix page end in filemap_get_read_batch
+
+From: Qian Yingjin <qian@ddn.com>
+
+commit 5956592ce337330cdff0399a6f8b6a5aea397a8e upstream.
+
+I was running traces of the read code against an RAID storage system to
+understand why read requests were being misaligned against the underlying
+RAID strips. I found that the page end offset calculation in
+filemap_get_read_batch() was off by one.
+
+When a read is submitted with end offset 1048575, then it calculates the
+end page for read of 256 when it should be 255. "last_index" is the index
+of the page beyond the end of the read and it should be skipped when get a
+batch of pages for read in @filemap_get_read_batch().
+
+The below simple patch fixes the problem. This code was introduced in
+kernel 5.12.
+
+Link: https://lkml.kernel.org/r/20230208022400.28962-1-coolqyj@163.com
+Fixes: cbd59c48ae2b ("mm/filemap: use head pages in generic_file_buffered_read")
+Signed-off-by: Qian Yingjin <qian@ddn.com>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/filemap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -2569,18 +2569,19 @@ static int filemap_get_pages(struct kioc
+ struct folio *folio;
+ int err = 0;
+
++ /* "last_index" is the index of the page beyond the end of the read */
+ last_index = DIV_ROUND_UP(iocb->ki_pos + iter->count, PAGE_SIZE);
+ retry:
+ if (fatal_signal_pending(current))
+ return -EINTR;
+
+- filemap_get_read_batch(mapping, index, last_index, fbatch);
++ filemap_get_read_batch(mapping, index, last_index - 1, fbatch);
+ if (!folio_batch_count(fbatch)) {
+ if (iocb->ki_flags & IOCB_NOIO)
+ return -EAGAIN;
+ page_cache_sync_readahead(mapping, ra, filp, index,
+ last_index - index);
+- filemap_get_read_batch(mapping, index, last_index, fbatch);
++ filemap_get_read_batch(mapping, index, last_index - 1, fbatch);
+ }
+ if (!folio_batch_count(fbatch)) {
+ if (iocb->ki_flags & (IOCB_NOWAIT | IOCB_WAITQ))
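Review bot: `last_index - 1` wraps to the largest page index when `last_index` is 0, which is what `DIV_ROUND_UP(iocb->ki_pos + iter->count, PAGE_SIZE)` yields for a zero-length read at position 0 (assuming `last_index` is an unsigned page index; its declaration is above the hunk). Both new calls to filemap_get_read_batch() would then ask for a batch reaching to the end of the mapping. If callers already reject empty reads, the added comment should say so, e.g. `/* callers guarantee iter->count > 0, so last_index >= 1 */`; otherwise the subtraction needs a guard. filemap_get_pages() continues past the end of the hunk.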
--- /dev/null
+From ae63c898f4004bbc7d212f4adcb3bb14852c30d6 Mon Sep 17 00:00:00 2001
+From: Zach O'Keefe <zokeefe@google.com>
+Date: Tue, 24 Jan 2023 17:57:37 -0800
+Subject: mm/MADV_COLLAPSE: set EAGAIN on unexpected page refcount
+
+From: Zach O'Keefe <zokeefe@google.com>
+
+commit ae63c898f4004bbc7d212f4adcb3bb14852c30d6 upstream.
+
+During collapse, in a few places we check to see if a given small page has
+any unaccounted references. If the refcount on the page doesn't match our
+expectations, it must be there is an unknown user concurrently interested
+in the page, and so it's not safe to move the contents elsewhere.
+However, the unaccounted pins are likely an ephemeral state.
+
+In this situation, MADV_COLLAPSE returns -EINVAL when it should return
+-EAGAIN. This could cause userspace to conclude that the syscall
+failed, when it in fact could succeed by retrying.
+
+Link: https://lkml.kernel.org/r/20230125015738.912924-1-zokeefe@google.com
+Fixes: 7d8faaf15545 ("mm/madvise: introduce MADV_COLLAPSE sync hugepage collapse")
+Signed-off-by: Zach O'Keefe <zokeefe@google.com>
+Reported-by: Hugh Dickins <hughd@google.com>
+Acked-by: Hugh Dickins <hughd@google.com>
+Reviewed-by: Yang Shi <shy828301@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/khugepaged.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -2608,6 +2608,7 @@ static int madvise_collapse_errno(enum s
+ case SCAN_CGROUP_CHARGE_FAIL:
+ return -EBUSY;
+ /* Resource temporary unavailable - trying again might succeed */
++ case SCAN_PAGE_COUNT:
+ case SCAN_PAGE_LOCK:
+ case SCAN_PAGE_LRU:
+ case SCAN_DEL_PAGE_LRU:
--- /dev/null
+From 96a9c287e25d690fd9623b5133703b8e310fbed1 Mon Sep 17 00:00:00 2001
+From: Peter Xu <peterx@redhat.com>
+Date: Thu, 16 Feb 2023 10:30:59 -0500
+Subject: mm/migrate: fix wrongly apply write bit after mkdirty on sparc64
+
+From: Peter Xu <peterx@redhat.com>
+
+commit 96a9c287e25d690fd9623b5133703b8e310fbed1 upstream.
+
+Nick Bowler reported another sparc64 breakage after the young/dirty
+persistent work for page migration (per "Link:" below). That's after a
+similar report [2].
+
+It turns out page migration was overlooked, and it wasn't failing before
+because page migration was not enabled in the initial report test
+environment.
+
+David proposed another way [2] to fix this from sparc64 side, but that
+patch didn't land somehow. Neither did I check whether there's any other
+arch that has similar issues.
+
+Let's fix it for now as simple as moving the write bit handling to be
+after dirty, like what we did before.
+
+Note: this is based on mm-unstable, because the breakage was since 6.1 and
+we're at a very late stage of 6.2 (-rc8), so I assume for this specific
+case we should target this at 6.3.
+
+[1] https://lore.kernel.org/all/20221021160603.GA23307@u164.east.ru/
+[2] https://lore.kernel.org/all/20221212130213.136267-1-david@redhat.com/
+
+Link: https://lkml.kernel.org/r/20230216153059.256739-1-peterx@redhat.com
+Fixes: 2e3468778dbe ("mm: remember young/dirty bit for page migrations")
+Link: https://lore.kernel.org/all/CADyTPExpEqaJiMGoV+Z6xVgL50ZoMJg49B10LcZ=8eg19u34BA@mail.gmail.com/
+Signed-off-by: Peter Xu <peterx@redhat.com>
+Reported-by: Nick Bowler <nbowler@draconx.ca>
+Acked-by: David Hildenbrand <david@redhat.com>
+Tested-by: Nick Bowler <nbowler@draconx.ca>
+Cc: <regressions@lists.linux.dev>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/huge_memory.c | 6 ++++--
+ mm/migrate.c | 2 ++
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -3253,8 +3253,6 @@ void remove_migration_pmd(struct page_vm
+ pmde = mk_huge_pmd(new, READ_ONCE(vma->vm_page_prot));
+ if (pmd_swp_soft_dirty(*pvmw->pmd))
+ pmde = pmd_mksoft_dirty(pmde);
+- if (is_writable_migration_entry(entry))
+- pmde = maybe_pmd_mkwrite(pmde, vma);
+ if (pmd_swp_uffd_wp(*pvmw->pmd))
+ pmde = pmd_wrprotect(pmd_mkuffd_wp(pmde));
+ if (!is_migration_entry_young(entry))
+@@ -3262,6 +3260,10 @@ void remove_migration_pmd(struct page_vm
+ /* NOTE: this may contain setting soft-dirty on some archs */
+ if (PageDirty(new) && is_migration_entry_dirty(entry))
+ pmde = pmd_mkdirty(pmde);
++ if (is_writable_migration_entry(entry))
++ pmde = maybe_pmd_mkwrite(pmde, vma);
++ else
++ pmde = pmd_wrprotect(pmde);
+
+ if (PageAnon(new)) {
+ rmap_t rmap_flags = RMAP_COMPOUND;
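Review bot: Moving the `is_writable_migration_entry(entry)` branch below `pmd_mkdirty()` also moves it below the `pmd_swp_uffd_wp()` branch, so `maybe_pmd_mkwrite()` now has the last word where `pmd_wrprotect(pmd_mkuffd_wp(pmde))` used to. That is harmless only if a writable migration entry never carries the uffd-wp bit, which nothing in this hunk states; the PTE path in mm/migrate.c appears to encode the same exclusivity as an `else if` chain. A comment here, e.g. `/* must come after mkdirty; a writable entry is never uffd-wp */`, or the same if/else-if shape as the PTE path, would make the ordering requirement explicit. remove_migration_pmd() starts and ends outside the hunks.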
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -215,6 +215,8 @@ static bool remove_migration_pte(struct
+ pte = maybe_mkwrite(pte, vma);
+ else if (pte_swp_uffd_wp(*pvmw.pte))
+ pte = pte_mkuffd_wp(pte);
++ else
++ pte = pte_wrprotect(pte);
+
+ if (folio_test_anon(folio) && !is_readable_migration_entry(entry))
+ rmap_flags |= RMAP_EXCLUSIVE;
--- /dev/null
+From 3f18c5046e633cc4bbad396b74c05d46d353033d Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Tue, 31 Jan 2023 21:02:28 +0000
+Subject: mmc: jz4740: Work around bug on JZ4760(B)
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit 3f18c5046e633cc4bbad396b74c05d46d353033d upstream.
+
+On JZ4760 and JZ4760B, SD cards fail to run if the maximum clock
+rate is set to 50 MHz, even though the controller officially does
+support it.
+
+Until the actual bug is found and fixed, limit the maximum clock rate to
+24 MHz.
+
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230131210229.68129-1-paul@crapouillou.net
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/jz4740_mmc.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/mmc/host/jz4740_mmc.c
++++ b/drivers/mmc/host/jz4740_mmc.c
+@@ -1053,6 +1053,16 @@ static int jz4740_mmc_probe(struct platf
+ mmc->ops = &jz4740_mmc_ops;
+ if (!mmc->f_max)
+ mmc->f_max = JZ_MMC_CLK_RATE;
++
++ /*
++ * There seems to be a problem with this driver on the JZ4760 and
++ * JZ4760B SoCs. There, when using the maximum rate supported (50 MHz),
++ * the communication fails with many SD cards.
++ * Until this bug is sorted out, limit the maximum rate to 24 MHz.
++ */
++ if (host->version == JZ_MMC_JZ4760 && mmc->f_max > JZ_MMC_CLK_RATE)
++ mmc->f_max = JZ_MMC_CLK_RATE;
++
+ mmc->f_min = mmc->f_max / 128;
+ mmc->ocr_avail = MMC_VDD_32_33 | MMC_VDD_33_34;
+
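Review bot: The condition `host->version == JZ_MMC_JZ4760` tests a single version value while the comment above it names both JZ4760 and JZ4760B, and the comment hard-codes 24 MHz where the code uses `JZ_MMC_CLK_RATE`. If JZ4760B probes with the same version value, the comment should say so; if it has its own value, the clamp misses it. Wording the last sentence as `limit the maximum rate to JZ_MMC_CLK_RATE` keeps the comment correct should the constant change. jz4740_mmc_probe() starts and ends outside the hunk.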
--- /dev/null
+From 6ea6b95a7e3ec2015954cb514ee9dbc6dc80ec8f Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Mon, 13 Feb 2023 21:55:56 +0100
+Subject: mmc: meson-gx: fix SDIO mode if cap_sdio_irq isn't set
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+commit 6ea6b95a7e3ec2015954cb514ee9dbc6dc80ec8f upstream.
+
+Some SDIO WiFi modules stopped working after SDIO interrupt mode
+was added if cap_sdio_irq isn't set in device tree. This patch was
+confirmed to fix the issue.
+
+Fixes: 066ecde6d826 ("mmc: meson-gx: add SDIO interrupt support")
+Reported-by: Geraldo Nascimento <geraldogabriel@gmail.com>
+Tested-by: Geraldo Nascimento <geraldogabriel@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Link: https://lore.kernel.org/r/816cba9f-ff92-31a2-60f0-aca542d1d13e@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/meson-gx-mmc.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+--- a/drivers/mmc/host/meson-gx-mmc.c
++++ b/drivers/mmc/host/meson-gx-mmc.c
+@@ -435,7 +435,8 @@ static int meson_mmc_clk_init(struct mes
+ clk_reg |= FIELD_PREP(CLK_CORE_PHASE_MASK, CLK_PHASE_180);
+ clk_reg |= FIELD_PREP(CLK_TX_PHASE_MASK, CLK_PHASE_0);
+ clk_reg |= FIELD_PREP(CLK_RX_PHASE_MASK, CLK_PHASE_0);
+- clk_reg |= CLK_IRQ_SDIO_SLEEP(host);
++ if (host->mmc->caps & MMC_CAP_SDIO_IRQ)
++ clk_reg |= CLK_IRQ_SDIO_SLEEP(host);
+ writel(clk_reg, host->regs + SD_EMMC_CLOCK);
+
+ /* get the mux parents */
+@@ -948,16 +949,18 @@ static irqreturn_t meson_mmc_irq(int irq
+ {
+ struct meson_host *host = dev_id;
+ struct mmc_command *cmd;
+- u32 status, raw_status;
++ u32 status, raw_status, irq_mask = IRQ_EN_MASK;
+ irqreturn_t ret = IRQ_NONE;
+
++ if (host->mmc->caps & MMC_CAP_SDIO_IRQ)
++ irq_mask |= IRQ_SDIO;
+ raw_status = readl(host->regs + SD_EMMC_STATUS);
+- status = raw_status & (IRQ_EN_MASK | IRQ_SDIO);
++ status = raw_status & irq_mask;
+
+ if (!status) {
+ dev_dbg(host->dev,
+- "Unexpected IRQ! irq_en 0x%08lx - status 0x%08x\n",
+- IRQ_EN_MASK | IRQ_SDIO, raw_status);
++ "Unexpected IRQ! irq_en 0x%08x - status 0x%08x\n",
++ irq_mask, raw_status);
+ return IRQ_NONE;
+ }
+
+@@ -1204,6 +1207,11 @@ static int meson_mmc_probe(struct platfo
+ goto free_host;
+ }
+
++ mmc->caps |= MMC_CAP_CMD23;
++
++ if (mmc->caps & MMC_CAP_SDIO_IRQ)
++ mmc->caps2 |= MMC_CAP2_SDIO_IRQ_NOTHREAD;
++
+ host->data = (struct meson_mmc_data *)
+ of_device_get_match_data(&pdev->dev);
+ if (!host->data) {
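Review bot: The `mmc->caps |= MMC_CAP_CMD23;` and `MMC_CAP2_SDIO_IRQ_NOTHREAD` block is moved earlier in meson_mmc_probe() with no comment, and no word in the description, on why its position matters. The new readers in meson_mmc_clk_init() and meson_mmc_irq() test only `MMC_CAP_SDIO_IRQ`, which this block reads but does not set, so the ordering dependency is not evident from the hunks. If a call between the old and the new position depends on these bits, a comment such as `/* caps must be final before <callee> runs */`, with the actual callee named, would keep the block from being moved back. The probe function starts and ends outside the hunks.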
+@@ -1277,11 +1285,6 @@ static int meson_mmc_probe(struct platfo
+
+ spin_lock_init(&host->lock);
+
+- mmc->caps |= MMC_CAP_CMD23;
+-
+- if (mmc->caps & MMC_CAP_SDIO_IRQ)
+- mmc->caps2 |= MMC_CAP2_SDIO_IRQ_NOTHREAD;
+-
+ if (host->dram_access_quirk) {
+ /* Limit segments to 1 due to low available sram memory */
+ mmc->max_segs = 1;
--- /dev/null
+From cf4c9d2ac1e42c7d18b921bec39486896645b714 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Tue, 31 Jan 2023 09:38:35 +0800
+Subject: mmc: mmc_spi: fix error handling in mmc_spi_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+commit cf4c9d2ac1e42c7d18b921bec39486896645b714 upstream.
+
+If mmc_add_host() fails, it doesn't need to call mmc_remove_host(),
+or it will cause null-ptr-deref, because of deleting a not added
+device in mmc_remove_host().
+
+To fix this, goto label 'fail_glue_init', if mmc_add_host() fails,
+and change the label 'fail_add_host' to 'fail_gpiod_request'.
+
+Fixes: 15a0580ced08 ("mmc_spi host driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230131013835.3564011-1-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mmc_spi.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/host/mmc_spi.c
++++ b/drivers/mmc/host/mmc_spi.c
+@@ -1437,7 +1437,7 @@ static int mmc_spi_probe(struct spi_devi
+
+ status = mmc_add_host(mmc);
+ if (status != 0)
+- goto fail_add_host;
++ goto fail_glue_init;
+
+ /*
+ * Index 0 is card detect
+@@ -1445,7 +1445,7 @@ static int mmc_spi_probe(struct spi_devi
+ */
+ status = mmc_gpiod_request_cd(mmc, NULL, 0, false, 1000);
+ if (status == -EPROBE_DEFER)
+- goto fail_add_host;
++ goto fail_gpiod_request;
+ if (!status) {
+ /*
+ * The platform has a CD GPIO signal that may support
+@@ -1460,7 +1460,7 @@ static int mmc_spi_probe(struct spi_devi
+ /* Index 1 is write protect/read only */
+ status = mmc_gpiod_request_ro(mmc, NULL, 1, 0);
+ if (status == -EPROBE_DEFER)
+- goto fail_add_host;
++ goto fail_gpiod_request;
+ if (!status)
+ has_ro = true;
+
+@@ -1474,7 +1474,7 @@ static int mmc_spi_probe(struct spi_devi
+ ? ", cd polling" : "");
+ return 0;
+
+-fail_add_host:
++fail_gpiod_request:
+ mmc_remove_host(mmc);
+ fail_glue_init:
+ mmc_spi_dma_free(host);
--- /dev/null
+From 605d9fb9556f8f5fb4566f4df1480f280f308ded Mon Sep 17 00:00:00 2001
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Mon, 30 Jan 2023 20:58:08 +0800
+Subject: mmc: sdio: fix possible resource leaks in some error paths
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+commit 605d9fb9556f8f5fb4566f4df1480f280f308ded upstream.
+
+If sdio_add_func() or sdio_init_func() fails, sdio_remove_func() can
+not release the resources, because the sdio function is not presented
+in these two cases, it won't call of_node_put() or put_device().
+
+To fix these leaks, make sdio_func_present() only control whether
+device_del() needs to be called or not, then always call of_node_put()
+and put_device().
+
+In the error case in sdio_init_func(), the reference to 'card->dev' has
+not been taken. To avoid a redundant put in sdio_free_func_cis(), move the
+get_device() to sdio_alloc_func() and the put_device() to sdio_release_func(),
+which keeps the get/put calls balanced.
+
+Without this patch, while doing fault inject test, it can get the
+following leak reports, after this fix, the leak is gone.
+
+unreferenced object 0xffff888112514000 (size 2048):
+ comm "kworker/3:2", pid 65, jiffies 4294741614 (age 124.774s)
+ hex dump (first 32 bytes):
+ 00 e0 6f 12 81 88 ff ff 60 58 8d 06 81 88 ff ff ..o.....`X......
+ 10 40 51 12 81 88 ff ff 10 40 51 12 81 88 ff ff .@Q......@Q.....
+ backtrace:
+ [<000000009e5931da>] kmalloc_trace+0x21/0x110
+ [<000000002f839ccb>] mmc_alloc_card+0x38/0xb0 [mmc_core]
+ [<0000000004adcbf6>] mmc_sdio_init_card+0xde/0x170 [mmc_core]
+ [<000000007538fea0>] mmc_attach_sdio+0xcb/0x1b0 [mmc_core]
+ [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]
+
+unreferenced object 0xffff888112511000 (size 2048):
+ comm "kworker/3:2", pid 65, jiffies 4294741623 (age 124.766s)
+ hex dump (first 32 bytes):
+ 00 40 51 12 81 88 ff ff e0 58 8d 06 81 88 ff ff .@Q......X......
+ 10 10 51 12 81 88 ff ff 10 10 51 12 81 88 ff ff ..Q.......Q.....
+ backtrace:
+ [<000000009e5931da>] kmalloc_trace+0x21/0x110
+ [<00000000fcbe706c>] sdio_alloc_func+0x35/0x100 [mmc_core]
+ [<00000000c68f4b50>] mmc_attach_sdio.cold.18+0xb1/0x395 [mmc_core]
+ [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]
+
+Fixes: 3d10a1ba0d37 ("sdio: fix reference counting in sdio_remove_func()")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230130125808.3471254-1-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/sdio_bus.c | 17 ++++++++++++++---
+ drivers/mmc/core/sdio_cis.c | 12 ------------
+ 2 files changed, 14 insertions(+), 15 deletions(-)
+
+--- a/drivers/mmc/core/sdio_bus.c
++++ b/drivers/mmc/core/sdio_bus.c
+@@ -294,6 +294,12 @@ static void sdio_release_func(struct dev
+ if (!(func->card->quirks & MMC_QUIRK_NONSTD_SDIO))
+ sdio_free_func_cis(func);
+
++ /*
++ * We have now removed the link to the tuples in the
++ * card structure, so remove the reference.
++ */
++ put_device(&func->card->dev);
++
+ kfree(func->info);
+ kfree(func->tmpbuf);
+ kfree(func);
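Review bot: The comment added above `put_device(&func->card->dev)` was carried over from sdio_free_func_cis() and no longer matches the code. The put is now unconditional, while the sdio_free_func_cis() call just above it is still guarded by the MMC_QUIRK_NONSTD_SDIO check. The reference being dropped is the one this patch takes in sdio_alloc_func(), so the comment should say that: `/* Drop the card reference taken in sdio_alloc_func(). */`. A wrong description of which get pairs with which put is how refcount imbalances get reintroduced later.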
+@@ -324,6 +330,12 @@ struct sdio_func *sdio_alloc_func(struct
+
+ device_initialize(&func->dev);
+
++ /*
++ * We may link to tuples in the card structure,
++ * we need make sure we have a reference to it.
++ */
++ get_device(&func->card->dev);
++
+ func->dev.parent = &card->dev;
+ func->dev.bus = &sdio_bus_type;
+ func->dev.release = sdio_release_func;
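Review bot: The added `get_device(&func->card->dev)` reaches the card through `func->card`, while the very next statement uses the `card` parameter directly (`func->dev.parent = &card->dev`). The assignment of `func->card` is not visible in this hunk, so the call is only safe if it happens earlier in sdio_alloc_func(). Using the parameter removes that dependency and matches the neighbouring line: `get_device(&card->dev);`. The comment above it also reads better as `we need to make sure we hold a reference to it`.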
+@@ -377,10 +389,9 @@ int sdio_add_func(struct sdio_func *func
+ */
+ void sdio_remove_func(struct sdio_func *func)
+ {
+- if (!sdio_func_present(func))
+- return;
++ if (sdio_func_present(func))
++ device_del(&func->dev);
+
+- device_del(&func->dev);
+ of_node_put(func->dev.of_node);
+ put_device(&func->dev);
+ }
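Review bot: sdio_remove_func() now calls of_node_put() and put_device() even when sdio_func_present() is false, so it has become the release path for functions that were allocated but never added. The kernel-doc above the function (only its closing `*/` is inside the hunk) should state this. Suggested wording: `Unregisters the function if it was added, then drops the references taken at allocation; must be called exactly once per allocated function.` Previously a second call on a non-present function returned early; it would now put the device twice, so callers on error paths may be worth a second look.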
+--- a/drivers/mmc/core/sdio_cis.c
++++ b/drivers/mmc/core/sdio_cis.c
+@@ -404,12 +404,6 @@ int sdio_read_func_cis(struct sdio_func
+ return ret;
+
+ /*
+- * Since we've linked to tuples in the card structure,
+- * we must make sure we have a reference to it.
+- */
+- get_device(&func->card->dev);
+-
+- /*
+ * Vendor/device id is optional for function CIS, so
+ * copy it from the card structure as needed.
+ */
+@@ -434,11 +428,5 @@ void sdio_free_func_cis(struct sdio_func
+ }
+
+ func->tuples = NULL;
+-
+- /*
+- * We have now removed the link to the tuples in the
+- * card structure, so remove the reference.
+- */
+- put_device(&func->card->dev);
+ }
+
--- /dev/null
+From 99b9402a36f0799f25feee4465bfa4b8dfa74b4d Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Wed, 15 Feb 2023 07:40:43 +0900
+Subject: nilfs2: fix underflow in second superblock position calculations
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit 99b9402a36f0799f25feee4465bfa4b8dfa74b4d upstream.
+
+Macro NILFS_SB2_OFFSET_BYTES, which computes the position of the second
+superblock, underflows when the argument device size is less than 4096
+bytes. Therefore, when using this macro, it is necessary to check in
+advance that the device size is not less than a lower limit, or at least
+that underflow does not occur.
+
+The current nilfs2 implementation lacks this check, causing out-of-bound
+block access when mounting devices smaller than 4096 bytes:
+
+ I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0
+ phys_seg 1 prio class 2
+ NILFS (loop0): unable to read secondary superblock (blocksize = 1024)
+
+In addition, when trying to resize the filesystem to a size below 4096
+bytes, this underflow occurs in nilfs_resize_fs(), passing a huge number
+of segments to nilfs_sufile_resize(), corrupting parameters such as the
+number of segments in superblocks. This causes excessive loop iterations
+in nilfs_sufile_resize() during a subsequent resize ioctl, causing
+semaphore ns_segctor_sem to block for a long time and hang the writer
+thread:
+
+ INFO: task segctord:5067 blocked for more than 143 seconds.
+ Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0
+ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+ task:segctord state:D stack:23456 pid:5067 ppid:2
+ flags:0x00004000
+ Call Trace:
+ <TASK>
+ context_switch kernel/sched/core.c:5293 [inline]
+ __schedule+0x1409/0x43f0 kernel/sched/core.c:6606
+ schedule+0xc3/0x190 kernel/sched/core.c:6682
+ rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190
+ nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357
+ nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline]
+ nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570
+ kthread+0x270/0x300 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+ </TASK>
+ ...
+ Call Trace:
+ <TASK>
+ folio_mark_accessed+0x51c/0xf00 mm/swap.c:515
+ __nilfs_get_page_block fs/nilfs2/page.c:42 [inline]
+ nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61
+ nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121
+ nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176
+ nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251
+ nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline]
+ nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline]
+ nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777
+ nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422
+ nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline]
+ nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301
+ ...
+
+This fixes these issues by inserting appropriate minimum device size
+checks or anti-underflow checks, depending on where the macro is used.
+
+Link: https://lkml.kernel.org/r/0000000000004e1dfa05f4a48e6b@google.com
+Link: https://lkml.kernel.org/r/20230214224043.24141-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: <syzbot+f0c4082ce5ebebdac63b@syzkaller.appspotmail.com>
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/ioctl.c | 7 +++++++
+ fs/nilfs2/super.c | 9 +++++++++
+ fs/nilfs2/the_nilfs.c | 8 +++++++-
+ 3 files changed, 23 insertions(+), 1 deletion(-)
+
+--- a/fs/nilfs2/ioctl.c
++++ b/fs/nilfs2/ioctl.c
+@@ -1114,7 +1114,14 @@ static int nilfs_ioctl_set_alloc_range(s
+
+ minseg = range[0] + segbytes - 1;
+ do_div(minseg, segbytes);
++
++ if (range[1] < 4096)
++ goto out;
++
+ maxseg = NILFS_SB2_OFFSET_BYTES(range[1]);
++ if (maxseg < segbytes)
++ goto out;
++
+ do_div(maxseg, segbytes);
+ maxseg--;
+
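Review bot: The guard `if (range[1] < 4096)` hard-codes the offset that NILFS_SB2_OFFSET_BYTES subtracts, and the same literal appears again in the fs/nilfs2/super.c hunk (`newsize < 4096`) and in the fs/nilfs2/the_nilfs.c hunk. If the macro's offset ever changes, these checks will silently stop protecting against the underflow. A named constant defined next to the macro and used in all three places would keep them tied together. Separately, both new `goto out` exits return whatever `ret` holds at that point; the assignment is outside this hunk, so it should be confirmed that it is an error code and not 0.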
+--- a/fs/nilfs2/super.c
++++ b/fs/nilfs2/super.c
+@@ -409,6 +409,15 @@ int nilfs_resize_fs(struct super_block *
+ goto out;
+
+ /*
++ * Prevent underflow in second superblock position calculation.
++ * The exact minimum size check is done in nilfs_sufile_resize().
++ */
++ if (newsize < 4096) {
++ ret = -ENOSPC;
++ goto out;
++ }
++
++ /*
+ * Write lock is required to protect some functions depending
+ * on the number of segments, the number of reserved segments,
+ * and so forth.
+--- a/fs/nilfs2/the_nilfs.c
++++ b/fs/nilfs2/the_nilfs.c
+@@ -544,9 +544,15 @@ static int nilfs_load_super_block(struct
+ {
+ struct nilfs_super_block **sbp = nilfs->ns_sbp;
+ struct buffer_head **sbh = nilfs->ns_sbh;
+- u64 sb2off = NILFS_SB2_OFFSET_BYTES(bdev_nr_bytes(nilfs->ns_bdev));
++ u64 sb2off, devsize = bdev_nr_bytes(nilfs->ns_bdev);
+ int valid[2], swp = 0;
+
++ if (devsize < NILFS_SEG_MIN_BLOCKS * NILFS_MIN_BLOCK_SIZE + 4096) {
++ nilfs_err(sb, "device size too small");
++ return -EINVAL;
++ }
++ sb2off = NILFS_SB2_OFFSET_BYTES(devsize);
++
+ sbp[0] = nilfs_read_super_block(sb, NILFS_SB_OFFSET_BYTES, blocksize,
+ &sbh[0]);
+ sbp[1] = nilfs_read_super_block(sb, sb2off, blocksize, &sbh[1]);
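Review bot: The new rejection path logs only `"device size too small"`, which does not tell whoever reads the log how large the device was. Including the value costs nothing and makes a crafted or truncated image easy to recognise in the log: `nilfs_err(sb, "device size too small: %llu bytes", devsize);`. The bound itself (`NILFS_SEG_MIN_BLOCKS * NILFS_MIN_BLOCK_SIZE + 4096`) also has no comment, unlike the matching check in the super.c hunk. One line saying it presumably represents one minimal segment plus the second-superblock offset would help, once confirmed. The body of nilfs_load_super_block() continues outside the hunk.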
--- /dev/null
+From c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe Mon Sep 17 00:00:00 2001
+From: Munehisa Kamata <kamatam@amazon.com>
+Date: Tue, 14 Feb 2023 13:27:05 -0800
+Subject: sched/psi: Fix use-after-free in ep_remove_wait_queue()
+
+From: Munehisa Kamata <kamatam@amazon.com>
+
+commit c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe upstream.
+
+If a non-root cgroup gets removed when there is a thread that registered
+trigger and is polling on a pressure file within the cgroup, the polling
+waitqueue gets freed in the following path:
+
+ do_rmdir
+ cgroup_rmdir
+ kernfs_drain_open_files
+ cgroup_file_release
+ cgroup_pressure_release
+ psi_trigger_destroy
+
+However, the polling thread still has a reference to the pressure file and
+will access the freed waitqueue when the file is closed or upon exit:
+
+ fput
+ ep_eventpoll_release
+ ep_free
+ ep_remove_wait_queue
+ remove_wait_queue
+
+This results in use-after-free as pasted below.
+
+The fundamental problem here is that cgroup_file_release() (and
+consequently waitqueue's lifetime) is not tied to the file's real lifetime.
+Using wake_up_pollfree() here might be less than ideal, but it is in line
+with the comment at commit 42288cb44c4b ("wait: add wake_up_pollfree()")
+since the waitqueue's lifetime is not tied to file's one and can be
+considered as another special case. While this would be fixable by somehow
+making cgroup_file_release() be tied to the fput(), it would require
+sizable refactoring at cgroups or higher layer which might be more
+justifiable if we identify more cases like this.
+
+ BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0
+ Write of size 4 at addr ffff88810e625328 by task a.out/4404
+
+ CPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38
+ Hardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x73/0xa0
+ print_report+0x16c/0x4e0
+ kasan_report+0xc3/0xf0
+ kasan_check_range+0x2d2/0x310
+ _raw_spin_lock_irqsave+0x60/0xc0
+ remove_wait_queue+0x1a/0xa0
+ ep_free+0x12c/0x170
+ ep_eventpoll_release+0x26/0x30
+ __fput+0x202/0x400
+ task_work_run+0x11d/0x170
+ do_exit+0x495/0x1130
+ do_group_exit+0x100/0x100
+ get_signal+0xd67/0xde0
+ arch_do_signal_or_restart+0x2a/0x2b0
+ exit_to_user_mode_prepare+0x94/0x100
+ syscall_exit_to_user_mode+0x20/0x40
+ do_syscall_64+0x52/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ </TASK>
+
+ Allocated by task 4404:
+
+ kasan_set_track+0x3d/0x60
+ __kasan_kmalloc+0x85/0x90
+ psi_trigger_create+0x113/0x3e0
+ pressure_write+0x146/0x2e0
+ cgroup_file_write+0x11c/0x250
+ kernfs_fop_write_iter+0x186/0x220
+ vfs_write+0x3d8/0x5c0
+ ksys_write+0x90/0x110
+ do_syscall_64+0x43/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+ Freed by task 4407:
+
+ kasan_set_track+0x3d/0x60
+ kasan_save_free_info+0x27/0x40
+ ____kasan_slab_free+0x11d/0x170
+ slab_free_freelist_hook+0x87/0x150
+ __kmem_cache_free+0xcb/0x180
+ psi_trigger_destroy+0x2e8/0x310
+ cgroup_file_release+0x4f/0xb0
+ kernfs_drain_open_files+0x165/0x1f0
+ kernfs_drain+0x162/0x1a0
+ __kernfs_remove+0x1fb/0x310
+ kernfs_remove_by_name_ns+0x95/0xe0
+ cgroup_addrm_files+0x67f/0x700
+ cgroup_destroy_locked+0x283/0x3c0
+ cgroup_rmdir+0x29/0x100
+ kernfs_iop_rmdir+0xd1/0x140
+ vfs_rmdir+0xfe/0x240
+ do_rmdir+0x13d/0x280
+ __x64_sys_rmdir+0x2c/0x30
+ do_syscall_64+0x43/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: 0e94682b73bf ("psi: introduce psi monitor")
+Signed-off-by: Munehisa Kamata <kamatam@amazon.com>
+Signed-off-by: Mengchi Cheng <mengcc@amazon.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Suren Baghdasaryan <surenb@google.com>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/lkml/20230106224859.4123476-1-kamatam@amazon.com/
+Link: https://lore.kernel.org/r/20230214212705.4058045-1-kamatam@amazon.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/psi.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/kernel/sched/psi.c
++++ b/kernel/sched/psi.c
+@@ -1278,10 +1278,11 @@ void psi_trigger_destroy(struct psi_trig
+
+ group = t->group;
+ /*
+- * Wakeup waiters to stop polling. Can happen if cgroup is deleted
+- * from under a polling process.
++ * Wakeup waiters to stop polling and clear the queue to prevent it from
++ * being accessed later. Can happen if cgroup is deleted from under a
++ * polling process.
+ */
+- wake_up_interruptible(&t->event_wait);
++ wake_up_pollfree(&t->event_wait);
+
+ mutex_lock(&group->trigger_lock);
+
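Review bot: The rewritten comment above `wake_up_pollfree(&t->event_wait)` says the queue is cleared, but not what keeps the memory valid for a poller that is already running. wake_up_pollfree() is documented as requiring the wait-queue head to be freed only after an RCU grace period. How `t` is released later in psi_trigger_destroy() is outside this hunk, so that should be confirmed. The comment could record the requirement with one more line, e.g. `* The trigger must not be freed until an RCU grace period has passed.` Without that, a later refactor of the free path could reopen the use-after-free this commit closes.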
drm-amd-display-fail-atomic_check-early-on-normalize_zpos-error.patch
drm-vmwgfx-stop-accessing-buffer-objects-which-failed-init.patch
drm-vmwgfx-do-not-drop-the-reference-to-the-handle-too-soon.patch
+mmc-jz4740-work-around-bug-on-jz4760-b.patch
+mmc-meson-gx-fix-sdio-mode-if-cap_sdio_irq-isn-t-set.patch
+mmc-sdio-fix-possible-resource-leaks-in-some-error-paths.patch
+mmc-mmc_spi-fix-error-handling-in-mmc_spi_probe.patch
+alsa-hda-fix-codec-device-field-initializan.patch
+alsa-hda-conexant-add-a-new-hda-codec-sn6180.patch
+alsa-hda-realtek-fixed-wrong-gpio-assigned.patch
+alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-a-hp-platform.patch
+alsa-hda-realtek-enable-mute-micmute-leds-and-speaker-support-for-hp-laptops.patch
+ata-ahci-add-tiger-lake-up-3-4-ahci-controller.patch
+ata-libata-core-disable-read-log-dma-ext-for-samsung-mz7lh.patch
+sched-psi-fix-use-after-free-in-ep_remove_wait_queue.patch
+hugetlb-check-for-undefined-shift-on-32-bit-architectures.patch
+nilfs2-fix-underflow-in-second-superblock-position-calculations.patch
+mm-madv_collapse-set-eagain-on-unexpected-page-refcount.patch
+mm-filemap-fix-page-end-in-filemap_get_read_batch.patch
+mm-migrate-fix-wrongly-apply-write-bit-after-mkdirty-on-sparc64.patch
+gpio-sim-fix-a-memory-leak.patch
+freezer-umh-fix-call_usermode_helper_exec-vs-sigkill.patch