--- /dev/null
+From stable-owner@vger.kernel.org Thu May 4 13:10:15 2023
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Wed, 3 May 2023 21:09:41 -0700
+Subject: blk-crypto: make blk_crypto_evict_key() more robust
+To: stable@vger.kernel.org
+Cc: linux-block@vger.kernel.org, Christoph Hellwig <hch@lst.de>, Jens Axboe <axboe@kernel.dk>
+Message-ID: <20230504040941.152614-4-ebiggers@kernel.org>
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 5c7cb94452901a93e90c2230632e2c12a681bc92 upstream.
+
+If blk_crypto_evict_key() sees that the key is still in-use (due to a
+bug) or that ->keyslot_evict failed, it currently just returns while
+leaving the key linked into the keyslot management structures.
+
+However, blk_crypto_evict_key() is only called in contexts such as inode
+eviction where failure is not an option. So actually the caller
+proceeds with freeing the blk_crypto_key regardless of the return value
+of blk_crypto_evict_key().
+
+These two assumptions don't match, and the result is that there can be a
+use-after-free in blk_crypto_reprogram_all_keys() after one of these
+errors occurs. (Note, these errors *shouldn't* happen; we're just
+talking about what happens if they do anyway.)
+
+Fix this by making blk_crypto_evict_key() unlink the key from the
+keyslot management structures even on failure.
+
+Also improve some comments.
+
+Fixes: 1b2628397058 ("block: Keyslot Manager for Inline Encryption")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-crypto.c | 29 +++++++++++++++++++++--------
+ block/keyslot-manager.c | 43 +++++++++++++++++++++----------------------
+ 2 files changed, 42 insertions(+), 30 deletions(-)
+
+--- a/block/blk-crypto.c
++++ b/block/blk-crypto.c
+@@ -385,15 +385,20 @@ int blk_crypto_start_using_key(const str
+ }
+
+ /**
+- * blk_crypto_evict_key() - Evict a key from any inline encryption hardware
+- * it may have been programmed into
+- * @q: The request queue who's associated inline encryption hardware this key
+- * might have been programmed into
+- * @key: The key to evict
++ * blk_crypto_evict_key() - Evict a blk_crypto_key from a request_queue
++ * @q: a request_queue on which I/O using the key may have been done
++ * @key: the key to evict
+ *
+- * Upper layers (filesystems) must call this function to ensure that a key is
+- * evicted from any hardware that it might have been programmed into. The key
+- * must not be in use by any in-flight IO when this function is called.
++ * For a given request_queue, this function removes the given blk_crypto_key
++ * from the keyslot management structures and evicts it from any underlying
++ * hardware keyslot(s) or blk-crypto-fallback keyslot it may have been
++ * programmed into.
++ *
++ * Upper layers must call this before freeing the blk_crypto_key. It must be
++ * called for every request_queue the key may have been used on. The key must
++ * no longer be in use by any I/O when this function is called.
++ *
++ * Context: May sleep.
+ */
+ void blk_crypto_evict_key(struct request_queue *q,
+ const struct blk_crypto_key *key)
+@@ -404,6 +409,14 @@ void blk_crypto_evict_key(struct request
+ err = blk_ksm_evict_key(q->ksm, key);
+ else
+ err = blk_crypto_fallback_evict_key(key);
++ /*
++ * An error can only occur here if the key failed to be evicted from a
++ * keyslot (due to a hardware or driver issue) or is allegedly still in
++ * use by I/O (due to a kernel bug). Even in these cases, the key is
++ * still unlinked from the keyslot management structures, and the caller
++ * is allowed and expected to free it right away. There's nothing
++ * callers can do to handle errors, so just log them and return void.
++ */
+ if (err)
+ pr_warn_ratelimited("error %d evicting key\n", err);
+ }
+--- a/block/keyslot-manager.c
++++ b/block/keyslot-manager.c
+@@ -305,44 +305,43 @@ bool blk_ksm_crypto_cfg_supported(struct
+ return true;
+ }
+
+-/**
+- * blk_ksm_evict_key() - Evict a key from the lower layer device.
+- * @ksm: The keyslot manager to evict from
+- * @key: The key to evict
+- *
+- * Find the keyslot that the specified key was programmed into, and evict that
+- * slot from the lower layer device. The slot must not be in use by any
+- * in-flight IO when this function is called.
+- *
+- * Context: Process context. Takes and releases ksm->lock.
+- * Return: 0 on success or if there's no keyslot with the specified key, -EBUSY
+- * if the keyslot is still in use, or another -errno value on other
+- * error.
++/*
++ * This is an internal function that evicts a key from an inline encryption
++ * device that can be either a real device or the blk-crypto-fallback "device".
++ * It is used only by blk_crypto_evict_key(); see that function for details.
+ */
+ int blk_ksm_evict_key(struct blk_keyslot_manager *ksm,
+ const struct blk_crypto_key *key)
+ {
+ struct blk_ksm_keyslot *slot;
+- int err = 0;
++ int err;
+
+ blk_ksm_hw_enter(ksm);
+ slot = blk_ksm_find_keyslot(ksm, key);
+- if (!slot)
+- goto out_unlock;
++ if (!slot) {
++ /*
++ * Not an error, since a key not in use by I/O is not guaranteed
++ * to be in a keyslot. There can be more keys than keyslots.
++ */
++ err = 0;
++ goto out;
++ }
+
+ if (WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)) {
++ /* BUG: key is still in use by I/O */
+ err = -EBUSY;
+- goto out_unlock;
++ goto out_remove;
+ }
+ err = ksm->ksm_ll_ops.keyslot_evict(ksm, key,
+ blk_ksm_get_slot_idx(slot));
+- if (err)
+- goto out_unlock;
+-
++out_remove:
++ /*
++ * Callers free the key even on error, so unlink the key from the hash
++ * table and clear slot->key even on error.
++ */
+ hlist_del(&slot->hash_node);
+ slot->key = NULL;
+- err = 0;
+-out_unlock:
++out:
+ blk_ksm_hw_exit(ksm);
+ return err;
+ }
--- /dev/null
+From stable-owner@vger.kernel.org Thu May 4 13:10:12 2023
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Wed, 3 May 2023 21:09:40 -0700
+Subject: blk-crypto: make blk_crypto_evict_key() return void
+To: stable@vger.kernel.org
+Cc: linux-block@vger.kernel.org, Christoph Hellwig <hch@lst.de>, Jens Axboe <axboe@kernel.dk>
+Message-ID: <20230504040941.152614-3-ebiggers@kernel.org>
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 70493a63ba04f754f7a7dd53a4fcc82700181490 upstream.
+
+blk_crypto_evict_key() is only called in contexts such as inode eviction
+where failure is not an option. So there is nothing the caller can do
+with errors except log them. (dm-table.c does "use" the error code, but
+only to pass on to upper layers, so it doesn't really count.)
+
+Just make blk_crypto_evict_key() return void and log errors itself.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-crypto.c | 22 ++++++++++------------
+ include/linux/blk-crypto.h | 4 ++--
+ 2 files changed, 12 insertions(+), 14 deletions(-)
+
+--- a/block/blk-crypto.c
++++ b/block/blk-crypto.c
+@@ -13,6 +13,7 @@
+ #include <linux/blkdev.h>
+ #include <linux/keyslot-manager.h>
+ #include <linux/module.h>
++#include <linux/ratelimit.h>
+ #include <linux/slab.h>
+
+ #include "blk-crypto-internal.h"
+@@ -393,19 +394,16 @@ int blk_crypto_start_using_key(const str
+ * Upper layers (filesystems) must call this function to ensure that a key is
+ * evicted from any hardware that it might have been programmed into. The key
+ * must not be in use by any in-flight IO when this function is called.
+- *
+- * Return: 0 on success or if key is not present in the q's ksm, -err on error.
+ */
+-int blk_crypto_evict_key(struct request_queue *q,
+- const struct blk_crypto_key *key)
++void blk_crypto_evict_key(struct request_queue *q,
++ const struct blk_crypto_key *key)
+ {
+- if (blk_ksm_crypto_cfg_supported(q->ksm, &key->crypto_cfg))
+- return blk_ksm_evict_key(q->ksm, key);
++ int err;
+
+- /*
+- * If the request queue's associated inline encryption hardware didn't
+- * have support for the key, then the key might have been programmed
+- * into the fallback keyslot manager, so try to evict from there.
+- */
+- return blk_crypto_fallback_evict_key(key);
++ if (blk_ksm_crypto_cfg_supported(q->ksm, &key->crypto_cfg))
++ err = blk_ksm_evict_key(q->ksm, key);
++ else
++ err = blk_crypto_fallback_evict_key(key);
++ if (err)
++ pr_warn_ratelimited("error %d evicting key\n", err);
+ }
+--- a/include/linux/blk-crypto.h
++++ b/include/linux/blk-crypto.h
+@@ -97,8 +97,8 @@ int blk_crypto_init_key(struct blk_crypt
+ int blk_crypto_start_using_key(const struct blk_crypto_key *key,
+ struct request_queue *q);
+
+-int blk_crypto_evict_key(struct request_queue *q,
+- const struct blk_crypto_key *key);
++void blk_crypto_evict_key(struct request_queue *q,
++ const struct blk_crypto_key *key);
+
+ bool blk_crypto_config_supported(struct request_queue *q,
+ const struct blk_crypto_config *cfg);
--- /dev/null
+From stable-owner@vger.kernel.org Thu May 4 13:10:13 2023
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Wed, 3 May 2023 21:09:39 -0700
+Subject: blk-mq: release crypto keyslot before reporting I/O complete
+To: stable@vger.kernel.org
+Cc: linux-block@vger.kernel.org, Nathan Huckleberry <nhuck@google.com>, Christoph Hellwig <hch@lst.de>, Jens Axboe <axboe@kernel.dk>
+Message-ID: <20230504040941.152614-2-ebiggers@kernel.org>
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 9cd1e566676bbcb8a126acd921e4e194e6339603 upstream.
+
+Once all I/O using a blk_crypto_key has completed, filesystems can call
+blk_crypto_evict_key(). However, the block layer currently doesn't call
+blk_crypto_put_keyslot() until the request is being freed, which happens
+after upper layers have been told (via bio_endio()) the I/O has
+completed. This causes a race condition where blk_crypto_evict_key()
+can see 'slot_refs != 0' without there being an actual bug.
+
+This makes __blk_crypto_evict_key() hit the
+'WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)' and return without
+doing anything, eventually causing a use-after-free in
+blk_crypto_reprogram_all_keys(). (This is a very rare bug and has only
+been seen when per-file keys are being used with fscrypt.)
+
+There are two options to fix this: either release the keyslot before
+bio_endio() is called on the request's last bio, or make
+__blk_crypto_evict_key() ignore slot_refs. Let's go with the first
+solution, since it preserves the ability to report bugs (via
+WARN_ON_ONCE) where a key is evicted while still in-use.
+
+Fixes: a892c8d52c02 ("block: Inline encryption support for blk-mq")
+Cc: stable@vger.kernel.org
+Reviewed-by: Nathan Huckleberry <nhuck@google.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-core.c | 7 +++++++
+ block/blk-crypto-internal.h | 25 +++++++++++++++++++++----
+ block/blk-crypto.c | 24 ++++++++++++------------
+ block/blk-merge.c | 2 ++
+ block/blk-mq.c | 2 +-
+ 5 files changed, 43 insertions(+), 17 deletions(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -1444,6 +1444,13 @@ bool blk_update_request(struct request *
+ req->q->integrity.profile->complete_fn(req, nr_bytes);
+ #endif
+
++ /*
++ * Upper layers may call blk_crypto_evict_key() anytime after the last
++ * bio_endio(). Therefore, the keyslot must be released before that.
++ */
++ if (blk_crypto_rq_has_keyslot(req) && nr_bytes >= blk_rq_bytes(req))
++ __blk_crypto_rq_put_keyslot(req);
++
+ if (unlikely(error && !blk_rq_is_passthrough(req) &&
+ !(req->rq_flags & RQF_QUIET)))
+ print_req_error(req, error, __func__);
+--- a/block/blk-crypto-internal.h
++++ b/block/blk-crypto-internal.h
+@@ -60,6 +60,11 @@ static inline bool blk_crypto_rq_is_encr
+ return rq->crypt_ctx;
+ }
+
++static inline bool blk_crypto_rq_has_keyslot(struct request *rq)
++{
++ return rq->crypt_keyslot;
++}
++
+ #else /* CONFIG_BLK_INLINE_ENCRYPTION */
+
+ static inline bool bio_crypt_rq_ctx_compatible(struct request *rq,
+@@ -93,6 +98,11 @@ static inline bool blk_crypto_rq_is_encr
+ return false;
+ }
+
++static inline bool blk_crypto_rq_has_keyslot(struct request *rq)
++{
++ return false;
++}
++
+ #endif /* CONFIG_BLK_INLINE_ENCRYPTION */
+
+ void __bio_crypt_advance(struct bio *bio, unsigned int bytes);
+@@ -127,14 +137,21 @@ static inline bool blk_crypto_bio_prep(s
+ return true;
+ }
+
+-blk_status_t __blk_crypto_init_request(struct request *rq);
+-static inline blk_status_t blk_crypto_init_request(struct request *rq)
++blk_status_t __blk_crypto_rq_get_keyslot(struct request *rq);
++static inline blk_status_t blk_crypto_rq_get_keyslot(struct request *rq)
+ {
+ if (blk_crypto_rq_is_encrypted(rq))
+- return __blk_crypto_init_request(rq);
++ return __blk_crypto_rq_get_keyslot(rq);
+ return BLK_STS_OK;
+ }
+
++void __blk_crypto_rq_put_keyslot(struct request *rq);
++static inline void blk_crypto_rq_put_keyslot(struct request *rq)
++{
++ if (blk_crypto_rq_has_keyslot(rq))
++ __blk_crypto_rq_put_keyslot(rq);
++}
++
+ void __blk_crypto_free_request(struct request *rq);
+ static inline void blk_crypto_free_request(struct request *rq)
+ {
+@@ -173,7 +190,7 @@ static inline blk_status_t blk_crypto_in
+ {
+
+ if (blk_crypto_rq_is_encrypted(rq))
+- return blk_crypto_init_request(rq);
++ return blk_crypto_rq_get_keyslot(rq);
+ return BLK_STS_OK;
+ }
+
+--- a/block/blk-crypto.c
++++ b/block/blk-crypto.c
+@@ -216,26 +216,26 @@ static bool bio_crypt_check_alignment(st
+ return true;
+ }
+
+-blk_status_t __blk_crypto_init_request(struct request *rq)
++blk_status_t __blk_crypto_rq_get_keyslot(struct request *rq)
+ {
+ return blk_ksm_get_slot_for_key(rq->q->ksm, rq->crypt_ctx->bc_key,
+ &rq->crypt_keyslot);
+ }
+
+-/**
+- * __blk_crypto_free_request - Uninitialize the crypto fields of a request.
+- *
+- * @rq: The request whose crypto fields to uninitialize.
+- *
+- * Completely uninitializes the crypto fields of a request. If a keyslot has
+- * been programmed into some inline encryption hardware, that keyslot is
+- * released. The rq->crypt_ctx is also freed.
+- */
+-void __blk_crypto_free_request(struct request *rq)
++void __blk_crypto_rq_put_keyslot(struct request *rq)
+ {
+ blk_ksm_put_slot(rq->crypt_keyslot);
++ rq->crypt_keyslot = NULL;
++}
++
++void __blk_crypto_free_request(struct request *rq)
++{
++ /* The keyslot, if one was needed, should have been released earlier. */
++ if (WARN_ON_ONCE(rq->crypt_keyslot))
++ __blk_crypto_rq_put_keyslot(rq);
++
+ mempool_free(rq->crypt_ctx, bio_crypt_ctx_pool);
+- blk_crypto_rq_set_defaults(rq);
++ rq->crypt_ctx = NULL;
+ }
+
+ /**
+--- a/block/blk-merge.c
++++ b/block/blk-merge.c
+@@ -801,6 +801,8 @@ static struct request *attempt_merge(str
+ if (!blk_discard_mergable(req))
+ elv_merge_requests(q, req, next);
+
++ blk_crypto_rq_put_keyslot(next);
++
+ /*
+ * 'next' is going away, so update stats accordingly
+ */
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -2193,7 +2193,7 @@ blk_qc_t blk_mq_submit_bio(struct bio *b
+
+ blk_mq_bio_to_request(rq, bio, nr_segs);
+
+- ret = blk_crypto_init_request(rq);
++ ret = blk_crypto_rq_get_keyslot(rq);
+ if (ret != BLK_STS_OK) {
+ bio->bi_status = ret;
+ bio_endio(bio);
--- /dev/null
+From 2729cfdcfa1cc49bef5a90d046fa4a187fdfcc69 Mon Sep 17 00:00:00 2001
+From: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
+Date: Thu, 23 Dec 2021 12:21:37 -0800
+Subject: ext4: use ext4_journal_start/stop for fast commit transactions
+
+From: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
+
+commit 2729cfdcfa1cc49bef5a90d046fa4a187fdfcc69 upstream.
+
+This patch drops all calls to ext4_fc_start_update() and
+ext4_fc_stop_update(). To ensure that there are no ongoing journal
+updates during fast commit, we also make jbd2_fc_begin_commit() lock
+journal for updates. This way we don't have to maintain two different
+transaction start stop APIs for fast commit and full commit. This
+patch doesn't remove the functions altogether since in future we want
+to have inode level locking for fast commits.
+
+Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
+Link: https://lore.kernel.org/r/20211223202140.2061101-2-harshads@google.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/acl.c | 2 --
+ fs/ext4/extents.c | 2 --
+ fs/ext4/file.c | 4 ----
+ fs/ext4/inode.c | 7 +------
+ fs/ext4/ioctl.c | 8 +-------
+ fs/jbd2/journal.c | 2 ++
+ 6 files changed, 4 insertions(+), 21 deletions(-)
+
+--- a/fs/ext4/acl.c
++++ b/fs/ext4/acl.c
+@@ -242,7 +242,6 @@ retry:
+ handle = ext4_journal_start(inode, EXT4_HT_XATTR, credits);
+ if (IS_ERR(handle))
+ return PTR_ERR(handle);
+- ext4_fc_start_update(inode);
+
+ if ((type == ACL_TYPE_ACCESS) && acl) {
+ error = posix_acl_update_mode(inode, &mode, &acl);
+@@ -260,7 +259,6 @@ retry:
+ }
+ out_stop:
+ ext4_journal_stop(handle);
+- ext4_fc_stop_update(inode);
+ if (error == -ENOSPC && ext4_should_retry_alloc(inode->i_sb, &retries))
+ goto retry;
+ return error;
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -4694,7 +4694,6 @@ long ext4_fallocate(struct file *file, i
+ FALLOC_FL_INSERT_RANGE))
+ return -EOPNOTSUPP;
+
+- ext4_fc_start_update(inode);
+ inode_lock(inode);
+ ret = ext4_convert_inline_data(inode);
+ inode_unlock(inode);
+@@ -4764,7 +4763,6 @@ out:
+ inode_unlock(inode);
+ trace_ext4_fallocate_exit(inode, offset, max_blocks, ret);
+ exit:
+- ext4_fc_stop_update(inode);
+ return ret;
+ }
+
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -260,7 +260,6 @@ static ssize_t ext4_buffered_write_iter(
+ if (iocb->ki_flags & IOCB_NOWAIT)
+ return -EOPNOTSUPP;
+
+- ext4_fc_start_update(inode);
+ inode_lock(inode);
+ ret = ext4_write_checks(iocb, from);
+ if (ret <= 0)
+@@ -272,7 +271,6 @@ static ssize_t ext4_buffered_write_iter(
+
+ out:
+ inode_unlock(inode);
+- ext4_fc_stop_update(inode);
+ if (likely(ret > 0)) {
+ iocb->ki_pos += ret;
+ ret = generic_write_sync(iocb, ret);
+@@ -559,9 +557,7 @@ static ssize_t ext4_dio_write_iter(struc
+ goto out;
+ }
+
+- ext4_fc_start_update(inode);
+ ret = ext4_orphan_add(handle, inode);
+- ext4_fc_stop_update(inode);
+ if (ret) {
+ ext4_journal_stop(handle);
+ goto out;
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -5437,7 +5437,7 @@ int ext4_setattr(struct dentry *dentry,
+ if (error)
+ return error;
+ }
+- ext4_fc_start_update(inode);
++
+ if ((ia_valid & ATTR_UID && !uid_eq(attr->ia_uid, inode->i_uid)) ||
+ (ia_valid & ATTR_GID && !gid_eq(attr->ia_gid, inode->i_gid))) {
+ handle_t *handle;
+@@ -5461,7 +5461,6 @@ int ext4_setattr(struct dentry *dentry,
+
+ if (error) {
+ ext4_journal_stop(handle);
+- ext4_fc_stop_update(inode);
+ return error;
+ }
+ /* Update corresponding info in inode so that everything is in
+@@ -5473,7 +5472,6 @@ int ext4_setattr(struct dentry *dentry,
+ error = ext4_mark_inode_dirty(handle, inode);
+ ext4_journal_stop(handle);
+ if (unlikely(error)) {
+- ext4_fc_stop_update(inode);
+ return error;
+ }
+ }
+@@ -5488,12 +5486,10 @@ int ext4_setattr(struct dentry *dentry,
+ struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
+
+ if (attr->ia_size > sbi->s_bitmap_maxbytes) {
+- ext4_fc_stop_update(inode);
+ return -EFBIG;
+ }
+ }
+ if (!S_ISREG(inode->i_mode)) {
+- ext4_fc_stop_update(inode);
+ return -EINVAL;
+ }
+
+@@ -5619,7 +5615,6 @@ err_out:
+ ext4_std_error(inode->i_sb, error);
+ if (!error)
+ error = rc;
+- ext4_fc_stop_update(inode);
+ return error;
+ }
+
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -1322,13 +1322,7 @@ out:
+
+ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+ {
+- long ret;
+-
+- ext4_fc_start_update(file_inode(filp));
+- ret = __ext4_ioctl(filp, cmd, arg);
+- ext4_fc_stop_update(file_inode(filp));
+-
+- return ret;
++ return __ext4_ioctl(filp, cmd, arg);
+ }
+
+ #ifdef CONFIG_COMPAT
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -757,6 +757,7 @@ int jbd2_fc_begin_commit(journal_t *jour
+ }
+ journal->j_flags |= JBD2_FAST_COMMIT_ONGOING;
+ write_unlock(&journal->j_state_lock);
++ jbd2_journal_lock_updates(journal);
+
+ return 0;
+ }
+@@ -768,6 +769,7 @@ EXPORT_SYMBOL(jbd2_fc_begin_commit);
+ */
+ static int __jbd2_fc_end_commit(journal_t *journal, tid_t tid, bool fallback)
+ {
++ jbd2_journal_unlock_updates(journal);
+ if (journal->j_fc_cleanup_callback)
+ journal->j_fc_cleanup_callback(journal, 0);
+ write_lock(&journal->j_state_lock);
--- /dev/null
+From 2a8e41ad337508fc5d598c0f9288890214f8e318 Mon Sep 17 00:00:00 2001
+From: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Date: Wed, 19 Apr 2023 11:36:55 +1200
+Subject: hwmon: (adt7475) Use device_property APIs when configuring polarity
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chris Packham <chris.packham@alliedtelesis.co.nz>
+
+commit 2a8e41ad337508fc5d598c0f9288890214f8e318 upstream.
+
+On DT unaware platforms of_property_read_u32_array() returns -ENOSYS
+which wasn't handled by the code treating adi,pwm-active-state as
+optional. Update the code to use device_property_read_u32_array() which
+deals gracefully with DT unaware platforms.
+
+Fixes: 86da28eed4fb ("hwmon: (adt7475) Add support for inverting pwm output")
+Reported-by: Mariusz Białończyk <manio@skyboo.net>
+Link: https://lore.kernel.org/linux-hwmon/52e26a67-9131-2dc0-40cb-db5c07370027@alliedtelesis.co.nz/T/#mdd0505801e0a4e72340de009a47c0fca4f771ed3
+Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Link: https://lore.kernel.org/r/20230418233656.869055-2-chris.packham@alliedtelesis.co.nz
+Cc: stable@vger.kernel.org
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/adt7475.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwmon/adt7475.c
++++ b/drivers/hwmon/adt7475.c
+@@ -1515,9 +1515,9 @@ static int adt7475_set_pwm_polarity(stru
+ int ret, i;
+ u8 val;
+
+- ret = of_property_read_u32_array(client->dev.of_node,
+- "adi,pwm-active-state", states,
+- ARRAY_SIZE(states));
++ ret = device_property_read_u32_array(&client->dev,
++ "adi,pwm-active-state", states,
++ ARRAY_SIZE(states));
+ if (ret)
+ return ret;
+
--- /dev/null
+From 0c072385348e3ac5229145644055d3e2afb5b3db Mon Sep 17 00:00:00 2001
+From: Babu Moger <Babu.Moger@amd.com>
+Date: Thu, 13 Apr 2023 16:39:58 -0500
+Subject: hwmon: (k10temp) Check range scale when CUR_TEMP register is read-write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Babu Moger <Babu.Moger@amd.com>
+
+commit 0c072385348e3ac5229145644055d3e2afb5b3db upstream.
+
+Spec says, when CUR_TEMP_TJ_SEL == 3 and CUR_TEMP_RANGE_SEL == 0,
+it should use RangeUnadjusted is 0, which is (CurTmp*0.125 -49) C. The
+CUR_TEMP register is read-write when CUR_TEMP_TJ_SEL == 3 (bit 17-16).
+
+Add the check to detect it.
+
+Sensors command's output before the patch.
+$sensors
+ k10temp-pci-00c3
+ Adapter: PCI adapter
+ Tctl: +76.6°C <- Wrong value
+ Tccd1: +26.5°C
+ Tccd2: +27.5°C
+ Tccd3: +27.2°C
+ Tccd4: +27.5°C
+ Tccd5: +26.0°C
+ Tccd6: +26.2°C
+ Tccd7: +25.0°C
+ Tccd8: +26.5°C
+
+Sensors command's output after the patch.
+$sensors
+ k10temp-pci-00c3
+ Adapter: PCI adapter
+ Tctl: +28.8°C <- corrected value
+ Tccd1: +27.5°C
+ Tccd2: +28.5°C
+ Tccd3: +28.5°C
+ Tccd4: +28.5°C
+ Tccd5: +27.0°C
+ Tccd6: +27.5°C
+ Tccd7: +27.0°C
+ Tccd8: +27.5°C
+
+Signed-off-by: Babu Moger <babu.moger@amd.com>
+Fixes: 1b59788979ac ("hwmon: (k10temp) Add temperature offset for Ryzen 2700X")
+Link: https://lore.kernel.org/r/20230413213958.847634-1-babu.moger@amd.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/k10temp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/hwmon/k10temp.c
++++ b/drivers/hwmon/k10temp.c
+@@ -74,6 +74,7 @@ static DEFINE_MUTEX(nb_smu_ind_mutex);
+
+ #define ZEN_CUR_TEMP_SHIFT 21
+ #define ZEN_CUR_TEMP_RANGE_SEL_MASK BIT(19)
++#define ZEN_CUR_TEMP_TJ_SEL_MASK GENMASK(17, 16)
+
+ #define ZEN_SVI_BASE 0x0005A000
+
+@@ -173,7 +174,8 @@ static long get_raw_temp(struct k10temp_
+
+ data->read_tempreg(data->pdev, ®val);
+ temp = (regval >> ZEN_CUR_TEMP_SHIFT) * 125;
+- if (regval & data->temp_adjust_mask)
++ if ((regval & data->temp_adjust_mask) ||
++ (regval & ZEN_CUR_TEMP_TJ_SEL_MASK) == ZEN_CUR_TEMP_TJ_SEL_MASK)
+ temp -= 49000;
+ return temp;
+ }
--- /dev/null
+From 644f17412f5acf01a19af9d04a921937a2bc86c6 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Thu, 23 Feb 2023 19:27:03 -0800
+Subject: IMA: allow/fix UML builds
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 644f17412f5acf01a19af9d04a921937a2bc86c6 upstream.
+
+UML supports HAS_IOMEM since 0bbadafdc49d (um: allow disabling
+NO_IOMEM).
+
+Current IMA build on UML fails on allmodconfig (with TCG_TPM=m):
+
+ld: security/integrity/ima/ima_queue.o: in function `ima_add_template_entry':
+ima_queue.c:(.text+0x2d9): undefined reference to `tpm_pcr_extend'
+ld: security/integrity/ima/ima_init.o: in function `ima_init':
+ima_init.c:(.init.text+0x43f): undefined reference to `tpm_default_chip'
+ld: security/integrity/ima/ima_crypto.o: in function `ima_calc_boot_aggregate_tfm':
+ima_crypto.c:(.text+0x1044): undefined reference to `tpm_pcr_read'
+ld: ima_crypto.c:(.text+0x10d8): undefined reference to `tpm_pcr_read'
+
+Modify the IMA Kconfig entry so that it selects TCG_TPM if HAS_IOMEM
+is set, regardless of the UML Kconfig setting.
+This updates TCG_TPM from =m to =y and fixes the linker errors.
+
+Fixes: f4a0391dfa91 ("ima: fix Kconfig dependencies")
+Cc: Stable <stable@vger.kernel.org> # v5.14+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Cc: linux-um@lists.infradead.org
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/ima/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/integrity/ima/Kconfig
++++ b/security/integrity/ima/Kconfig
+@@ -8,7 +8,7 @@ config IMA
+ select CRYPTO_HMAC
+ select CRYPTO_SHA1
+ select CRYPTO_HASH_INFO
+- select TCG_TPM if HAS_IOMEM && !UML
++ select TCG_TPM if HAS_IOMEM
+ select TCG_TIS if TCG_TPM && X86
+ select TCG_CRB if TCG_TPM && ACPI
+ select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
--- /dev/null
+From 6d2555cde2918409b0331560e66f84a0ad4849c6 Mon Sep 17 00:00:00 2001
+From: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
+Date: Wed, 12 Apr 2023 15:49:07 +0800
+Subject: ipmi: fix SSIF not responding under certain cond.
+
+From: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
+
+commit 6d2555cde2918409b0331560e66f84a0ad4849c6 upstream.
+
+The ipmi communication is not restored after a specific version of BMC is
+upgraded on our server.
+The ipmi driver does not respond after printing the following log:
+
+ ipmi_ssif: Invalid response getting flags: 1c 1
+
+I found that after entering this branch, ssif_info->ssif_state always
+holds SSIF_GETTING_FLAGS and never return to IDLE.
+
+As a result, the driver cannot be loaded, because the driver status is
+checked during the unload process and must be IDLE in shutdown_ssif():
+
+ while (ssif_info->ssif_state != SSIF_IDLE)
+ schedule_timeout(1);
+
+The process trigger this problem is:
+
+1. One msg timeout and next msg start send, and call
+ssif_set_need_watch().
+
+2. ssif_set_need_watch()->watch_timeout()->start_flag_fetch() change
+ssif_state to SSIF_GETTING_FLAGS.
+
+3. In msg_done_handler() ssif_state == SSIF_GETTING_FLAGS, if an error
+message is received, the second branch does not modify the ssif_state.
+
+4. All retry action need IS_SSIF_IDLE() == True. Include retry action in
+watch_timeout(), msg_done_handler(). Sending msg does not work either.
+SSIF_IDLE is also checked in start_next_msg().
+
+5. The only thing that can be triggered in the SSIF driver is
+watch_timeout(), after destory_user(), this timer will stop too.
+
+So, if enter this branch, the ssif_state will remain SSIF_GETTING_FLAGS
+and can't send msg, no timer started, can't unload.
+
+We did a comparative test before and after adding this patch, and the
+result is effective.
+
+Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF)")
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
+Message-Id: <20230412074907.80046-1-zhangyuchen.lcr@bytedance.com>
+Signed-off-by: Corey Minyard <minyard@acm.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_ssif.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -794,9 +794,9 @@ static void msg_done_handler(struct ssif
+ } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2
+ || data[1] != IPMI_GET_MSG_FLAGS_CMD) {
+ /*
+- * Don't abort here, maybe it was a queued
+- * response to a previous command.
++ * Recv error response, give up.
+ */
++ ssif_info->ssif_state = SSIF_IDLE;
+ ipmi_ssif_unlock_cond(ssif_info, flags);
+ dev_warn(&ssif_info->client->dev,
+ "Invalid response getting flags: %x %x\n",
--- /dev/null
+From 6ce7995a43febe693d4894033c6e29314970646a Mon Sep 17 00:00:00 2001
+From: Corey Minyard <minyard@acm.org>
+Date: Tue, 4 Apr 2023 12:09:14 +0000
+Subject: ipmi:ssif: Add send_retries increment
+
+From: Corey Minyard <minyard@acm.org>
+
+commit 6ce7995a43febe693d4894033c6e29314970646a upstream.
+
+A recent change removed an increment of send_retries, re-add it.
+
+Fixes: 95767ed78a18 ipmi:ssif: resend_msg() cannot fail
+Reported-by: Pavel Machek <pavel@denx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Corey Minyard <minyard@acm.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_ssif.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -564,8 +564,10 @@ static void retry_timeout(struct timer_l
+
+ if (waiting)
+ start_get(ssif_info);
+- if (resend)
++ if (resend) {
+ start_resend(ssif_info);
++ ssif_inc_stat(ssif_info, send_retries);
++ }
+ }
+
+ static void watch_timeout(struct timer_list *t)
--- /dev/null
+From b69edab47f1da8edd8e7bfdf8c70f51a2a5d89fb Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 2 Mar 2023 14:49:50 -0800
+Subject: kheaders: Use array declaration instead of char
+
+From: Kees Cook <keescook@chromium.org>
+
+commit b69edab47f1da8edd8e7bfdf8c70f51a2a5d89fb upstream.
+
+Under CONFIG_FORTIFY_SOURCE, memcpy() will check the size of destination
+and source buffers. Defining kernel_headers_data as "char" would trip
+this check. Since these addresses are treated as byte arrays, define
+them as arrays (as done everywhere else).
+
+This was seen with:
+
+ $ cat /sys/kernel/kheaders.tar.xz >> /dev/null
+
+ detected buffer overflow in memcpy
+ kernel BUG at lib/string_helpers.c:1027!
+ ...
+ RIP: 0010:fortify_panic+0xf/0x20
+ [...]
+ Call Trace:
+ <TASK>
+ ikheaders_read+0x45/0x50 [kheaders]
+ kernfs_fop_read_iter+0x1a4/0x2f0
+ ...
+
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/bpf/20230302112130.6e402a98@kernel.org/
+Acked-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Tested-by: Jakub Kicinski <kuba@kernel.org>
+Fixes: 43d8ce9d65a5 ("Provide in-kernel headers to make extending kernel easier")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20230302224946.never.243-kees@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kheaders.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/kheaders.c
++++ b/kernel/kheaders.c
+@@ -26,15 +26,15 @@ asm (
+ " .popsection \n"
+ );
+
+-extern char kernel_headers_data;
+-extern char kernel_headers_data_end;
++extern char kernel_headers_data[];
++extern char kernel_headers_data_end[];
+
+ static ssize_t
+ ikheaders_read(struct file *file, struct kobject *kobj,
+ struct bin_attribute *bin_attr,
+ char *buf, loff_t off, size_t len)
+ {
+- memcpy(buf, &kernel_headers_data + off, len);
++ memcpy(buf, &kernel_headers_data[off], len);
+ return len;
+ }
+
+@@ -48,8 +48,8 @@ static struct bin_attribute kheaders_att
+
+ static int __init ikheaders_init(void)
+ {
+- kheaders_attr.size = (&kernel_headers_data_end -
+- &kernel_headers_data);
++ kheaders_attr.size = (kernel_headers_data_end -
++ kernel_headers_data);
+ return sysfs_create_bin_file(kernel_kobj, &kheaders_attr);
+ }
+
--- /dev/null
+From ee1809ed7bc456a72dc8410b475b73021a3a68d5 Mon Sep 17 00:00:00 2001
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Date: Tue, 11 Apr 2023 12:14:26 +0100
+Subject: MIPS: fw: Allow firmware to pass a empty env
+
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+
+commit ee1809ed7bc456a72dc8410b475b73021a3a68d5 upstream.
+
+fw_getenv will use env entry to determine style of env,
+however it is legal for firmware to just pass a empty list.
+
+Check if first entry exist before running strchr to avoid
+null pointer dereference.
+
+Cc: stable@vger.kernel.org
+Link: https://github.com/clbr/n64bootloader/issues/5
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/fw/lib/cmdline.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/fw/lib/cmdline.c
++++ b/arch/mips/fw/lib/cmdline.c
+@@ -53,7 +53,7 @@ char *fw_getenv(char *envname)
+ {
+ char *result = NULL;
+
+- if (_fw_envp != NULL) {
++ if (_fw_envp != NULL && fw_envp(0) != NULL) {
+ /*
+ * Return a pointer to the given environment variable.
+ * YAMON uses "name", "value" pairs, while U-Boot uses
--- /dev/null
+From f5eff5591b8f9c5effd25c92c758a127765f74c1 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Tue, 11 Apr 2023 08:21:02 +0200
+Subject: PCI: pciehp: Fix AB-BA deadlock between reset_lock and device_lock
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit f5eff5591b8f9c5effd25c92c758a127765f74c1 upstream.
+
+In 2013, commits
+
+ 2e35afaefe64 ("PCI: pciehp: Add reset_slot() method")
+ 608c388122c7 ("PCI: Add slot reset option to pci_dev_reset()")
+
+amended PCIe hotplug to mask Presence Detect Changed events during a
+Secondary Bus Reset. The reset thus no longer causes gratuitous slot
+bringdown and bringup.
+
+However the commits neglected to serialize reset with code paths reading
+slot registers. For instance, a slot bringup due to an earlier hotplug
+event may see the Presence Detect State bit cleared during a concurrent
+Secondary Bus Reset.
+
+In 2018, commit
+
+ 5b3f7b7d062b ("PCI: pciehp: Avoid slot access during reset")
+
+retrofitted the missing locking. It introduced a reset_lock which
+serializes a Secondary Bus Reset with other parts of pciehp.
+
+Unfortunately the locking turns out to be overzealous: reset_lock is
+held for the entire enumeration and de-enumeration of hotplugged devices,
+including driver binding and unbinding.
+
+Driver binding and unbinding acquires device_lock while the reset_lock
+of the ancestral hotplug port is held. A concurrent Secondary Bus Reset
+acquires the ancestral reset_lock while already holding the device_lock.
+The asymmetric locking order in the two code paths can lead to AB-BA
+deadlocks.
+
+Michael Haeuptle reports such deadlocks on simultaneous hot-removal and
+vfio release (the latter implies a Secondary Bus Reset):
+
+ pciehp_ist() # down_read(reset_lock)
+ pciehp_handle_presence_or_link_change()
+ pciehp_disable_slot()
+ __pciehp_disable_slot()
+ remove_board()
+ pciehp_unconfigure_device()
+ pci_stop_and_remove_bus_device()
+ pci_stop_bus_device()
+ pci_stop_dev()
+ device_release_driver()
+ device_release_driver_internal()
+ __device_driver_lock() # device_lock()
+
+ SYS_munmap()
+ vfio_device_fops_release()
+ vfio_device_group_close()
+ vfio_device_close()
+ vfio_device_last_close()
+ vfio_pci_core_close_device()
+ vfio_pci_core_disable() # device_lock()
+ __pci_reset_function_locked()
+ pci_reset_bus_function()
+ pci_dev_reset_slot_function()
+ pci_reset_hotplug_slot()
+ pciehp_reset_slot() # down_write(reset_lock)
+
+Ian May reports the same deadlock on simultaneous hot-removal and an
+AER-induced Secondary Bus Reset:
+
+ aer_recover_work_func()
+ pcie_do_recovery()
+ aer_root_reset()
+ pci_bus_error_reset()
+ pci_slot_reset()
+ pci_slot_lock() # device_lock()
+ pci_reset_hotplug_slot()
+ pciehp_reset_slot() # down_write(reset_lock)
+
+Fix by releasing the reset_lock during driver binding and unbinding,
+thereby splitting and shrinking the critical section.
+
+Driver binding and unbinding is protected by the device_lock() and thus
+serialized with a Secondary Bus Reset. There's no need to additionally
+protect it with the reset_lock. However, pciehp does not bind and
+unbind devices directly, but rather invokes PCI core functions which
+also perform certain enumeration and de-enumeration steps.
+
+The reset_lock's purpose is to protect slot registers, not enumeration
+and de-enumeration of hotplugged devices. That would arguably be the
+job of the PCI core, not the PCIe hotplug driver. After all, an
+AER-induced Secondary Bus Reset may as well happen during boot-time
+enumeration of the PCI hierarchy and there's no locking to prevent that
+either.
+
+Exempting *de-enumeration* from the reset_lock is relatively harmless:
+A concurrent Secondary Bus Reset may foil config space accesses such as
+PME interrupt disablement. But if the device is physically gone, those
+accesses are pointless anyway. If the device is physically present and
+only logically removed through an Attention Button press or the sysfs
+"power" attribute, PME interrupts as well as DMA cannot come through
+because pciehp_unconfigure_device() disables INTx and Bus Master bits.
+That's still protected by the reset_lock in the present commit.
+
+Exempting *enumeration* from the reset_lock also has limited impact:
+The exempted call to pci_bus_add_device() may perform device accesses
+through pcibios_bus_add_device() and pci_fixup_device() which are now
+no longer protected from a concurrent Secondary Bus Reset. Otherwise
+there should be no impact.
+
+In essence, the present commit seeks to fix the AB-BA deadlocks while
+still retaining a best-effort reset protection for enumeration and
+de-enumeration of hotplugged devices -- until a general solution is
+implemented in the PCI core.
+
+Link: https://lore.kernel.org/linux-pci/CS1PR8401MB0728FC6FDAB8A35C22BD90EC95F10@CS1PR8401MB0728.NAMPRD84.PROD.OUTLOOK.COM
+Link: https://lore.kernel.org/linux-pci/20200615143250.438252-1-ian.may@canonical.com
+Link: https://lore.kernel.org/linux-pci/ce878dab-c0c4-5bd0-a725-9805a075682d@amd.com
+Link: https://lore.kernel.org/linux-pci/ed831249-384a-6d35-0831-70af191e9bce@huawei.com
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215590
+Fixes: 5b3f7b7d062b ("PCI: pciehp: Avoid slot access during reset")
+Link: https://lore.kernel.org/r/fef2b2e9edf245c049a8c5b94743c0f74ff5008a.1681191902.git.lukas@wunner.de
+Reported-by: Michael Haeuptle <michael.haeuptle@hpe.com>
+Reported-by: Ian May <ian.may@canonical.com>
+Reported-by: Andrey Grodzovsky <andrey2805@gmail.com>
+Reported-by: Rahul Kumar <rahul.kumar1@amd.com>
+Reported-by: Jialin Zhang <zhangjialin11@huawei.com>
+Tested-by: Anatoli Antonovitch <Anatoli.Antonovitch@amd.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # v4.19+
+Cc: Dan Stein <dstein@hpe.com>
+Cc: Ashok Raj <ashok.raj@intel.com>
+Cc: Alex Michon <amichon@kalrayinc.com>
+Cc: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Cc: Alex Williamson <alex.williamson@redhat.com>
+Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
+Cc: Sathyanarayanan Kuppuswamy <sathyanarayanan.kuppuswamy@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/hotplug/pciehp_pci.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/pci/hotplug/pciehp_pci.c
++++ b/drivers/pci/hotplug/pciehp_pci.c
+@@ -63,7 +63,14 @@ int pciehp_configure_device(struct contr
+
+ pci_assign_unassigned_bridge_resources(bridge);
+ pcie_bus_configure_settings(parent);
++
++ /*
++ * Release reset_lock during driver binding
++ * to avoid AB-BA deadlock with device_lock.
++ */
++ up_read(&ctrl->reset_lock);
+ pci_bus_add_devices(parent);
++ down_read_nested(&ctrl->reset_lock, ctrl->depth);
+
+ out:
+ pci_unlock_rescan_remove();
+@@ -104,7 +111,15 @@ void pciehp_unconfigure_device(struct co
+ list_for_each_entry_safe_reverse(dev, temp, &parent->devices,
+ bus_list) {
+ pci_dev_get(dev);
++
++ /*
++ * Release reset_lock during driver unbinding
++ * to avoid AB-BA deadlock with device_lock.
++ */
++ up_read(&ctrl->reset_lock);
+ pci_stop_and_remove_bus_device(dev);
++ down_read_nested(&ctrl->reset_lock, ctrl->depth);
++
+ /*
+ * Ensure that no new Requests will be generated from
+ * the device.
--- /dev/null
+From 2542e16c392508800f1d9037feee881a9c444951 Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Date: Thu, 16 Mar 2023 13:40:59 +0530
+Subject: PCI: qcom: Fix the incorrect register usage in v2.7.0 config
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+commit 2542e16c392508800f1d9037feee881a9c444951 upstream.
+
+Qcom PCIe IP version v2.7.0 and its derivatives don't contain the
+PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT register. Instead, they have the new
+PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT_V2 register. So fix the incorrect
+register usage which is modifying a different register.
+
+Also in this IP version, this register change doesn't depend on MSI
+being enabled. So remove that check also.
+
+Link: https://lore.kernel.org/r/20230316081117.14288-2-manivannan.sadhasivam@linaro.org
+Fixes: ed8cc3b1fc84 ("PCI: qcom: Add support for SDM845 PCIe controller")
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
+Cc: <stable@vger.kernel.org> # 5.6+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/pcie-qcom.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/controller/dwc/pcie-qcom.c
++++ b/drivers/pci/controller/dwc/pcie-qcom.c
+@@ -1210,11 +1210,9 @@ static int qcom_pcie_init_2_7_0(struct q
+ val |= BIT(4);
+ writel(val, pcie->parf + PCIE20_PARF_MHI_CLOCK_RESET_CTRL);
+
+- if (IS_ENABLED(CONFIG_PCI_MSI)) {
+- val = readl(pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT);
+- val |= BIT(31);
+- writel(val, pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT);
+- }
++ val = readl(pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT_V2);
++ val |= BIT(31);
++ writel(val, pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT_V2);
+
+ return 0;
+ err_disable_clocks:
--- /dev/null
+From d08c84e01afa7a7eee6badab25d5420fa847f783 Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Wed, 14 Jul 2021 13:06:38 -0300
+Subject: perf sched: Cast PTHREAD_STACK_MIN to int as it may turn into sysconf(__SC_THREAD_STACK_MIN_VALUE)
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+commit d08c84e01afa7a7eee6badab25d5420fa847f783 upstream.
+
+In fedora rawhide the PTHREAD_STACK_MIN define may end up expanded to a
+sysconf() call, and that will return 'long int', breaking the build:
+
+ 45 fedora:rawhide : FAIL gcc version 11.1.1 20210623 (Red Hat 11.1.1-6) (GCC)
+ builtin-sched.c: In function 'create_tasks':
+ /git/perf-5.14.0-rc1/tools/include/linux/kernel.h:43:24: error: comparison of distinct pointer types lacks a cast [-Werror]
+ 43 | (void) (&_max1 == &_max2); \
+ | ^~
+ builtin-sched.c:673:34: note: in expansion of macro 'max'
+ 673 | (size_t) max(16 * 1024, PTHREAD_STACK_MIN));
+ | ^~~
+ cc1: all warnings being treated as errors
+
+ $ grep __sysconf /usr/include/*/*.h
+ /usr/include/bits/pthread_stack_min-dynamic.h:extern long int __sysconf (int __name) __THROW;
+ /usr/include/bits/pthread_stack_min-dynamic.h:# define PTHREAD_STACK_MIN __sysconf (__SC_THREAD_STACK_MIN_VALUE)
+ /usr/include/bits/time.h:extern long int __sysconf (int);
+ /usr/include/bits/time.h:# define CLK_TCK ((__clock_t) __sysconf (2)) /* 2 is _SC_CLK_TCK */
+ $
+
+So cast it to int to cope with that.
+
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/builtin-sched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -670,7 +670,7 @@ static void create_tasks(struct perf_sch
+ err = pthread_attr_init(&attr);
+ BUG_ON(err);
+ err = pthread_attr_setstacksize(&attr,
+- (size_t) max(16 * 1024, PTHREAD_STACK_MIN));
++ (size_t) max(16 * 1024, (int)PTHREAD_STACK_MIN));
+ BUG_ON(err);
+ err = pthread_mutex_lock(&sched->start_work_mutex);
+ BUG_ON(err);
--- /dev/null
+From f7abf14f0001a5a47539d9f60bbdca649e43536b Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Mon, 17 Apr 2023 15:37:55 +0200
+Subject: posix-cpu-timers: Implement the missing timer_wait_running callback
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit f7abf14f0001a5a47539d9f60bbdca649e43536b upstream.
+
+For some unknown reason the introduction of the timer_wait_running callback
+missed to fixup posix CPU timers, which went unnoticed for almost four years.
+Marco reported recently that the WARN_ON() in timer_wait_running()
+triggers with a posix CPU timer test case.
+
+Posix CPU timers have two execution models for expiring timers depending on
+CONFIG_POSIX_CPU_TIMERS_TASK_WORK:
+
+1) If not enabled, the expiry happens in hard interrupt context so
+ spin waiting on the remote CPU is reasonably time bound.
+
+ Implement an empty stub function for that case.
+
+2) If enabled, the expiry happens in task work before returning to user
+ space or guest mode. The expired timers are marked as firing and moved
+ from the timer queue to a local list head with sighand lock held. Once
+ the timers are moved, sighand lock is dropped and the expiry happens in
+ fully preemptible context. That means the expiring task can be scheduled
+ out, migrated, interrupted etc. So spin waiting on it is more than
+ suboptimal.
+
+ The timer wheel has a timer_wait_running() mechanism for RT, which uses
+ a per CPU timer-base expiry lock which is held by the expiry code and the
+ task waiting for the timer function to complete blocks on that lock.
+
+ This does not work in the same way for posix CPU timers as there is no
+ timer base and expiry for process wide timers can run on any task
+ belonging to that process, but the concept of waiting on an expiry lock
+ can be used too in a slightly different way:
+
+ - Add a mutex to struct posix_cputimers_work. This struct is per task
+ and used to schedule the expiry task work from the timer interrupt.
+
+ - Add a task_struct pointer to struct cpu_timer which is used to store
+ a the task which runs the expiry. That's filled in when the task
+ moves the expired timers to the local expiry list. That's not
+ affecting the size of the k_itimer union as there are bigger union
+ members already
+
+ - Let the task take the expiry mutex around the expiry function
+
+ - Let the waiter acquire a task reference with rcu_read_lock() held and
+ block on the expiry mutex
+
+ This avoids spin-waiting on a task which might not even be on a CPU and
+ works nicely for RT too.
+
+Fixes: ec8f954a40da ("posix-timers: Use a callback for cancel synchronization on PREEMPT_RT")
+Reported-by: Marco Elver <elver@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Marco Elver <elver@google.com>
+Tested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/87zg764ojw.ffs@tglx
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/posix-timers.h | 17 +++++---
+ kernel/time/posix-cpu-timers.c | 81 +++++++++++++++++++++++++++++++++--------
+ kernel/time/posix-timers.c | 4 ++
+ 3 files changed, 82 insertions(+), 20 deletions(-)
+
+--- a/include/linux/posix-timers.h
++++ b/include/linux/posix-timers.h
+@@ -4,6 +4,7 @@
+
+ #include <linux/spinlock.h>
+ #include <linux/list.h>
++#include <linux/mutex.h>
+ #include <linux/alarmtimer.h>
+ #include <linux/timerqueue.h>
+ #include <linux/task_work.h>
+@@ -63,16 +64,18 @@ static inline int clockid_to_fd(const cl
+ * cpu_timer - Posix CPU timer representation for k_itimer
+ * @node: timerqueue node to queue in the task/sig
+ * @head: timerqueue head on which this timer is queued
+- * @task: Pointer to target task
++ * @pid: Pointer to target task PID
+ * @elist: List head for the expiry list
+ * @firing: Timer is currently firing
++ * @handling: Pointer to the task which handles expiry
+ */
+ struct cpu_timer {
+- struct timerqueue_node node;
+- struct timerqueue_head *head;
+- struct pid *pid;
+- struct list_head elist;
+- int firing;
++ struct timerqueue_node node;
++ struct timerqueue_head *head;
++ struct pid *pid;
++ struct list_head elist;
++ int firing;
++ struct task_struct __rcu *handling;
+ };
+
+ static inline bool cpu_timer_enqueue(struct timerqueue_head *head,
+@@ -129,10 +132,12 @@ struct posix_cputimers {
+ /**
+ * posix_cputimers_work - Container for task work based posix CPU timer expiry
+ * @work: The task work to be scheduled
++ * @mutex: Mutex held around expiry in context of this task work
+ * @scheduled: @work has been scheduled already, no further processing
+ */
+ struct posix_cputimers_work {
+ struct callback_head work;
++ struct mutex mutex;
+ unsigned int scheduled;
+ };
+
+--- a/kernel/time/posix-cpu-timers.c
++++ b/kernel/time/posix-cpu-timers.c
+@@ -782,6 +782,8 @@ static u64 collect_timerqueue(struct tim
+ return expires;
+
+ ctmr->firing = 1;
++ /* See posix_cpu_timer_wait_running() */
++ rcu_assign_pointer(ctmr->handling, current);
+ cpu_timer_dequeue(ctmr);
+ list_add_tail(&ctmr->elist, firing);
+ }
+@@ -1097,7 +1099,49 @@ static void handle_posix_cpu_timers(stru
+ #ifdef CONFIG_POSIX_CPU_TIMERS_TASK_WORK
+ static void posix_cpu_timers_work(struct callback_head *work)
+ {
++ struct posix_cputimers_work *cw = container_of(work, typeof(*cw), work);
++
++ mutex_lock(&cw->mutex);
+ handle_posix_cpu_timers(current);
++ mutex_unlock(&cw->mutex);
++}
++
++/*
++ * Invoked from the posix-timer core when a cancel operation failed because
++ * the timer is marked firing. The caller holds rcu_read_lock(), which
++ * protects the timer and the task which is expiring it from being freed.
++ */
++static void posix_cpu_timer_wait_running(struct k_itimer *timr)
++{
++ struct task_struct *tsk = rcu_dereference(timr->it.cpu.handling);
++
++ /* Has the handling task completed expiry already? */
++ if (!tsk)
++ return;
++
++ /* Ensure that the task cannot go away */
++ get_task_struct(tsk);
++ /* Now drop the RCU protection so the mutex can be locked */
++ rcu_read_unlock();
++ /* Wait on the expiry mutex */
++ mutex_lock(&tsk->posix_cputimers_work.mutex);
++ /* Release it immediately again. */
++ mutex_unlock(&tsk->posix_cputimers_work.mutex);
++ /* Drop the task reference. */
++ put_task_struct(tsk);
++ /* Relock RCU so the callsite is balanced */
++ rcu_read_lock();
++}
++
++static void posix_cpu_timer_wait_running_nsleep(struct k_itimer *timr)
++{
++ /* Ensure that timr->it.cpu.handling task cannot go away */
++ rcu_read_lock();
++ spin_unlock_irq(&timr->it_lock);
++ posix_cpu_timer_wait_running(timr);
++ rcu_read_unlock();
++ /* @timr is on stack and is valid */
++ spin_lock_irq(&timr->it_lock);
+ }
+
+ /*
+@@ -1113,6 +1157,7 @@ void clear_posix_cputimers_work(struct t
+ sizeof(p->posix_cputimers_work.work));
+ init_task_work(&p->posix_cputimers_work.work,
+ posix_cpu_timers_work);
++ mutex_init(&p->posix_cputimers_work.mutex);
+ p->posix_cputimers_work.scheduled = false;
+ }
+
+@@ -1191,6 +1236,18 @@ static inline void __run_posix_cpu_timer
+ lockdep_posixtimer_exit();
+ }
+
++static void posix_cpu_timer_wait_running(struct k_itimer *timr)
++{
++ cpu_relax();
++}
++
++static void posix_cpu_timer_wait_running_nsleep(struct k_itimer *timr)
++{
++ spin_unlock_irq(&timr->it_lock);
++ cpu_relax();
++ spin_lock_irq(&timr->it_lock);
++}
++
+ static inline bool posix_cpu_timers_work_scheduled(struct task_struct *tsk)
+ {
+ return false;
+@@ -1299,6 +1356,8 @@ static void handle_posix_cpu_timers(stru
+ */
+ if (likely(cpu_firing >= 0))
+ cpu_timer_fire(timer);
++ /* See posix_cpu_timer_wait_running() */
++ rcu_assign_pointer(timer->it.cpu.handling, NULL);
+ spin_unlock(&timer->it_lock);
+ }
+ }
+@@ -1434,23 +1493,16 @@ static int do_cpu_nanosleep(const clocki
+ expires = cpu_timer_getexpires(&timer.it.cpu);
+ error = posix_cpu_timer_set(&timer, 0, &zero_it, &it);
+ if (!error) {
+- /*
+- * Timer is now unarmed, deletion can not fail.
+- */
++ /* Timer is now unarmed, deletion can not fail. */
+ posix_cpu_timer_del(&timer);
++ } else {
++ while (error == TIMER_RETRY) {
++ posix_cpu_timer_wait_running_nsleep(&timer);
++ error = posix_cpu_timer_del(&timer);
++ }
+ }
+- spin_unlock_irq(&timer.it_lock);
+
+- while (error == TIMER_RETRY) {
+- /*
+- * We need to handle case when timer was or is in the
+- * middle of firing. In other cases we already freed
+- * resources.
+- */
+- spin_lock_irq(&timer.it_lock);
+- error = posix_cpu_timer_del(&timer);
+- spin_unlock_irq(&timer.it_lock);
+- }
++ spin_unlock_irq(&timer.it_lock);
+
+ if ((it.it_value.tv_sec | it.it_value.tv_nsec) == 0) {
+ /*
+@@ -1560,6 +1612,7 @@ const struct k_clock clock_posix_cpu = {
+ .timer_del = posix_cpu_timer_del,
+ .timer_get = posix_cpu_timer_get,
+ .timer_rearm = posix_cpu_timer_rearm,
++ .timer_wait_running = posix_cpu_timer_wait_running,
+ };
+
+ const struct k_clock clock_process = {
+--- a/kernel/time/posix-timers.c
++++ b/kernel/time/posix-timers.c
+@@ -846,6 +846,10 @@ static struct k_itimer *timer_wait_runni
+ rcu_read_lock();
+ unlock_timer(timer, *flags);
+
++ /*
++ * kc->timer_wait_running() might drop RCU lock. So @timer
++ * cannot be touched anymore after the function returns!
++ */
+ if (!WARN_ON_ONCE(!kc->timer_wait_running))
+ kc->timer_wait_running(timer);
+
asoc-intel-bytcr_rt5640-add-quirk-for-the-acer-iconi.patch
asm-generic-io.h-suppress-endianness-warnings-for-re.patch
wireguard-timers-cast-enum-limits-members-to-int-in-prints.patch
+pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch
+pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch
+ima-allow-fix-uml-builds.patch
+usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch
+usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch
+hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch
+hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch
+posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch
+perf-sched-cast-pthread_stack_min-to-int-as-it-may-turn-into-sysconf-__sc_thread_stack_min_value.patch
+blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch
+blk-crypto-make-blk_crypto_evict_key-return-void.patch
+blk-crypto-make-blk_crypto_evict_key-more-robust.patch
+ext4-use-ext4_journal_start-stop-for-fast-commit-transactions.patch
+staging-iio-resolver-ads1210-fix-config-mode.patch
+xhci-fix-debugfs-register-accesses-while-suspended.patch
+tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch
+mips-fw-allow-firmware-to-pass-a-empty-env.patch
+ipmi-ssif-add-send_retries-increment.patch
+ipmi-fix-ssif-not-responding-under-certain-cond.patch
+kheaders-use-array-declaration-instead-of-char.patch
--- /dev/null
+From 16313403d873ff17a587818b61f84c8cb4971cef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nuno=20S=C3=A1?= <nuno.sa@analog.com>
+Date: Mon, 27 Mar 2023 16:54:14 +0200
+Subject: staging: iio: resolver: ads1210: fix config mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá <nuno.sa@analog.com>
+
+commit 16313403d873ff17a587818b61f84c8cb4971cef upstream.
+
+As stated in the device datasheet [1], bits a0 and a1 have to be set to
+1 for the configuration mode.
+
+[1]: https://www.analog.com/media/en/technical-documentation/data-sheets/ad2s1210.pdf
+
+Fixes: b19e9ad5e2cb9 ("staging:iio:resolver:ad2s1210 general driver cleanup")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20230327145414.1505537-1-nuno.sa@analog.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/iio/resolver/ad2s1210.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/iio/resolver/ad2s1210.c
++++ b/drivers/staging/iio/resolver/ad2s1210.c
+@@ -101,7 +101,7 @@ struct ad2s1210_state {
+ static const int ad2s1210_mode_vals[4][2] = {
+ [MOD_POS] = { 0, 0 },
+ [MOD_VEL] = { 0, 1 },
+- [MOD_CONFIG] = { 1, 0 },
++ [MOD_CONFIG] = { 1, 1 },
+ };
+
+ static inline void ad2s1210_set_mode(enum ad2s1210_mode mode,
--- /dev/null
+From 58d7668242647e661a20efe065519abd6454287e Mon Sep 17 00:00:00 2001
+From: "Joel Fernandes (Google)" <joel@joelfernandes.org>
+Date: Tue, 24 Jan 2023 17:31:26 +0000
+Subject: tick/nohz: Fix cpu_is_hotpluggable() by checking with nohz subsystem
+
+From: Joel Fernandes (Google) <joel@joelfernandes.org>
+
+commit 58d7668242647e661a20efe065519abd6454287e upstream.
+
+For CONFIG_NO_HZ_FULL systems, the tick_do_timer_cpu cannot be offlined.
+However, cpu_is_hotpluggable() still returns true for those CPUs. This causes
+torture tests that do offlining to end up trying to offline this CPU causing
+test failures. Such failure happens on all architectures.
+
+Fix the repeated error messages thrown by this (even if the hotplug errors are
+harmless) by asking the opinion of the nohz subsystem on whether the CPU can be
+hotplugged.
+
+[ Apply Frederic Weisbecker feedback on refactoring tick_nohz_cpu_down(). ]
+
+For drivers/base/ portion:
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Frederic Weisbecker <frederic@kernel.org>
+Cc: Frederic Weisbecker <frederic@kernel.org>
+Cc: "Paul E. McKenney" <paulmck@kernel.org>
+Cc: Zhouyi Zhou <zhouzhouyi@gmail.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: rcu <rcu@vger.kernel.org>
+Cc: stable@vger.kernel.org
+Fixes: 2987557f52b9 ("driver-core/cpu: Expose hotpluggability to the rest of the kernel")
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/cpu.c | 3 ++-
+ include/linux/tick.h | 2 ++
+ kernel/time/tick-sched.c | 11 ++++++++---
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/base/cpu.c
++++ b/drivers/base/cpu.c
+@@ -489,7 +489,8 @@ static const struct attribute_group *cpu
+ bool cpu_is_hotpluggable(unsigned cpu)
+ {
+ struct device *dev = get_cpu_device(cpu);
+- return dev && container_of(dev, struct cpu, dev)->hotpluggable;
++ return dev && container_of(dev, struct cpu, dev)->hotpluggable
++ && tick_nohz_cpu_hotpluggable(cpu);
+ }
+ EXPORT_SYMBOL_GPL(cpu_is_hotpluggable);
+
+--- a/include/linux/tick.h
++++ b/include/linux/tick.h
+@@ -211,6 +211,7 @@ extern void tick_nohz_dep_set_signal(str
+ enum tick_dep_bits bit);
+ extern void tick_nohz_dep_clear_signal(struct signal_struct *signal,
+ enum tick_dep_bits bit);
++extern bool tick_nohz_cpu_hotpluggable(unsigned int cpu);
+
+ /*
+ * The below are tick_nohz_[set,clear]_dep() wrappers that optimize off-cases
+@@ -275,6 +276,7 @@ static inline void tick_nohz_full_add_cp
+
+ static inline void tick_nohz_dep_set_cpu(int cpu, enum tick_dep_bits bit) { }
+ static inline void tick_nohz_dep_clear_cpu(int cpu, enum tick_dep_bits bit) { }
++static inline bool tick_nohz_cpu_hotpluggable(unsigned int cpu) { return true; }
+
+ static inline void tick_dep_set(enum tick_dep_bits bit) { }
+ static inline void tick_dep_clear(enum tick_dep_bits bit) { }
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -426,7 +426,7 @@ void __init tick_nohz_full_setup(cpumask
+ tick_nohz_full_running = true;
+ }
+
+-static int tick_nohz_cpu_down(unsigned int cpu)
++bool tick_nohz_cpu_hotpluggable(unsigned int cpu)
+ {
+ /*
+ * The tick_do_timer_cpu CPU handles housekeeping duty (unbound
+@@ -434,8 +434,13 @@ static int tick_nohz_cpu_down(unsigned i
+ * CPUs. It must remain online when nohz full is enabled.
+ */
+ if (tick_nohz_full_running && tick_do_timer_cpu == cpu)
+- return -EBUSY;
+- return 0;
++ return false;
++ return true;
++}
++
++static int tick_nohz_cpu_down(unsigned int cpu)
++{
++ return tick_nohz_cpu_hotpluggable(cpu) ? 0 : -EBUSY;
+ }
+
+ void __init tick_nohz_init(void)
--- /dev/null
+From 9a8ad10c9f2e0925ff26308ec6756b93fc2f4977 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Tue, 4 Apr 2023 09:25:14 +0200
+Subject: USB: dwc3: fix runtime pm imbalance on probe errors
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 9a8ad10c9f2e0925ff26308ec6756b93fc2f4977 upstream.
+
+Make sure not to suspend the device when probe fails to avoid disabling
+clocks and phys multiple times.
+
+Fixes: 328082376aea ("usb: dwc3: fix runtime PM in error path")
+Cc: stable@vger.kernel.org # 4.8
+Cc: Roger Quadros <rogerq@ti.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20230404072524.19014-2-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1567,13 +1567,11 @@ static int dwc3_probe(struct platform_de
+ spin_lock_init(&dwc->lock);
+ mutex_init(&dwc->mutex);
+
++ pm_runtime_get_noresume(dev);
+ pm_runtime_set_active(dev);
+ pm_runtime_use_autosuspend(dev);
+ pm_runtime_set_autosuspend_delay(dev, DWC3_DEFAULT_AUTOSUSPEND_DELAY);
+ pm_runtime_enable(dev);
+- ret = pm_runtime_get_sync(dev);
+- if (ret < 0)
+- goto err1;
+
+ pm_runtime_forbid(dev);
+
+@@ -1633,12 +1631,10 @@ err3:
+ dwc3_free_event_buffers(dwc);
+
+ err2:
+- pm_runtime_allow(&pdev->dev);
+-
+-err1:
+- pm_runtime_put_sync(&pdev->dev);
+- pm_runtime_disable(&pdev->dev);
+-
++ pm_runtime_allow(dev);
++ pm_runtime_disable(dev);
++ pm_runtime_set_suspended(dev);
++ pm_runtime_put_noidle(dev);
+ disable_clks:
+ clk_bulk_disable_unprepare(dwc->num_clks, dwc->clks);
+ assert_reset:
--- /dev/null
+From 44d257e9012ee8040e41d224d0e5bfb5ef5427ea Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Tue, 4 Apr 2023 09:25:15 +0200
+Subject: USB: dwc3: fix runtime pm imbalance on unbind
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 44d257e9012ee8040e41d224d0e5bfb5ef5427ea upstream.
+
+Make sure to balance the runtime PM usage count on driver unbind by
+adding back the pm_runtime_allow() call that had been erroneously
+removed.
+
+Fixes: 266d0493900a ("usb: dwc3: core: don't trigger runtime pm when remove driver")
+Cc: stable@vger.kernel.org # 5.9
+Cc: Li Jun <jun.li@nxp.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20230404072524.19014-3-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1655,6 +1655,7 @@ static int dwc3_remove(struct platform_d
+ dwc3_core_exit(dwc);
+ dwc3_ulpi_exit(dwc);
+
++ pm_runtime_allow(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_set_suspended(&pdev->dev);
--- /dev/null
+From 735baf1b23458f71a8b15cb924af22c9ff9cd125 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Wed, 5 Apr 2023 11:03:42 +0200
+Subject: xhci: fix debugfs register accesses while suspended
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 735baf1b23458f71a8b15cb924af22c9ff9cd125 upstream.
+
+Wire up the debugfs regset device pointer so that the controller is
+resumed before accessing registers to avoid crashing or locking up if it
+happens to be runtime suspended.
+
+Fixes: 02b6fdc2a153 ("usb: xhci: Add debugfs interface for xHCI driver")
+Cc: stable@vger.kernel.org # 4.15: 30332eeefec8: debugfs: regset32: Add Runtime PM support
+Cc: stable@vger.kernel.org # 4.15
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20230405090342.7363-1-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-debugfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/host/xhci-debugfs.c
++++ b/drivers/usb/host/xhci-debugfs.c
+@@ -133,6 +133,7 @@ static void xhci_debugfs_regset(struct x
+ regset->regs = regs;
+ regset->nregs = nregs;
+ regset->base = hcd->regs + base;
++ regset->dev = hcd->self.controller;
+
+ debugfs_create_regset32((const char *)rgs->name, 0444, parent, regset);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
