--- /dev/null
+From 1fdbed657a4726639c4f17841fd2a0fb646c746e Mon Sep 17 00:00:00 2001
+From: Naoya Horiguchi <naoya.horiguchi@nec.com>
+Date: Mon, 7 Nov 2022 11:10:10 +0900
+Subject: arch/x86/mm/hugetlbpage.c: pud_huge() returns 0 when using 2-level paging
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Naoya Horiguchi <naoya.horiguchi@nec.com>
+
+commit 1fdbed657a4726639c4f17841fd2a0fb646c746e upstream.
+
+The following bug is reported to be triggered when starting X on x86-32
+system with i915:
+
+ [ 225.777375] kernel BUG at mm/memory.c:2664!
+ [ 225.777391] invalid opcode: 0000 [#1] PREEMPT SMP
+ [ 225.777405] CPU: 0 PID: 2402 Comm: Xorg Not tainted 6.1.0-rc3-bdg+ #86
+ [ 225.777415] Hardware name: /8I865G775-G, BIOS F1 08/29/2006
+ [ 225.777421] EIP: __apply_to_page_range+0x24d/0x31c
+ [ 225.777437] Code: ff ff 8b 55 e8 8b 45 cc e8 0a 11 ec ff 89 d8 83 c4 28 5b 5e 5f 5d c3 81 7d e0 a0 ef 96 c1 74 ad 8b 45 d0 e8 2d 83 49 00 eb a3 <0f> 0b 25 00 f0 ff ff 81 eb 00 00 00 40 01 c3 8b 45 ec 8b 00 e8 76
+ [ 225.777446] EAX: 00000001 EBX: c53a3b58 ECX: b5c00000 EDX: c258aa00
+ [ 225.777454] ESI: b5c00000 EDI: b5900000 EBP: c4b0fdb4 ESP: c4b0fd80
+ [ 225.777462] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010202
+ [ 225.777470] CR0: 80050033 CR2: b5900000 CR3: 053a3000 CR4: 000006d0
+ [ 225.777479] Call Trace:
+ [ 225.777486] ? i915_memcpy_init_early+0x63/0x63 [i915]
+ [ 225.777684] apply_to_page_range+0x21/0x27
+ [ 225.777694] ? i915_memcpy_init_early+0x63/0x63 [i915]
+ [ 225.777870] remap_io_mapping+0x49/0x75 [i915]
+ [ 225.778046] ? i915_memcpy_init_early+0x63/0x63 [i915]
+ [ 225.778220] ? mutex_unlock+0xb/0xd
+ [ 225.778231] ? i915_vma_pin_fence+0x6d/0xf7 [i915]
+ [ 225.778420] vm_fault_gtt+0x2a9/0x8f1 [i915]
+ [ 225.778644] ? lock_is_held_type+0x56/0xe7
+ [ 225.778655] ? lock_is_held_type+0x7a/0xe7
+ [ 225.778663] ? 0xc1000000
+ [ 225.778670] __do_fault+0x21/0x6a
+ [ 225.778679] handle_mm_fault+0x708/0xb21
+ [ 225.778686] ? mt_find+0x21e/0x5ae
+ [ 225.778696] exc_page_fault+0x185/0x705
+ [ 225.778704] ? doublefault_shim+0x127/0x127
+ [ 225.778715] handle_exception+0x130/0x130
+ [ 225.778723] EIP: 0xb700468a
+
+Recently pud_huge() got aware of non-present entry by commit 3a194f3f8ad0
+("mm/hugetlb: make pud_huge() and follow_huge_pud() aware of non-present
+pud entry") to handle some special states of gigantic page. However, it's
+overlooked that pud_none() always returns false when running with 2-level
+paging, and as a result pud_huge() can return true pointlessly.
+
+Introduce "#if CONFIG_PGTABLE_LEVELS > 2" to pud_huge() to deal with this.
+
+Link: https://lkml.kernel.org/r/20221107021010.2449306-1-naoya.horiguchi@linux.dev
+Fixes: 3a194f3f8ad0 ("mm/hugetlb: make pud_huge() and follow_huge_pud() aware of non-present pud entry")
+Signed-off-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
+Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Tested-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Liu Shixin <liushixin2@huawei.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Muchun Song <songmuchun@bytedance.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Yang Shi <shy828301@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/hugetlbpage.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c
+index 6b3033845c6d..5804bbae4f01 100644
+--- a/arch/x86/mm/hugetlbpage.c
++++ b/arch/x86/mm/hugetlbpage.c
+@@ -37,8 +37,12 @@ int pmd_huge(pmd_t pmd)
+ */
+ int pud_huge(pud_t pud)
+ {
++#if CONFIG_PGTABLE_LEVELS > 2
+ return !pud_none(pud) &&
+ (pud_val(pud) & (_PAGE_PRESENT|_PAGE_PSE)) != _PAGE_PRESENT;
++#else
++ return 0;
++#endif
+ }
+
+ #ifdef CONFIG_HUGETLB_PAGE
+--
+2.38.1
+
--- /dev/null
+From ea045fd344cb15c164e9ffc8b8cffb6883df8475 Mon Sep 17 00:00:00 2001
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Date: Mon, 7 Nov 2022 13:02:29 +0900
+Subject: ata: libata-scsi: fix SYNCHRONIZE CACHE (16) command failure
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+commit ea045fd344cb15c164e9ffc8b8cffb6883df8475 upstream.
+
+SAT SCSI/ATA Translation specification requires SCSI SYNCHRONIZE CACHE
+(10) and (16) commands both shall be translated to ATA flush command.
+Also, ZBC Zoned Block Commands specification mandates SYNCHRONIZE CACHE
+(16) command support. However, libata translates only SYNCHRONIZE CACHE
+(10). This results in SYNCHRONIZE CACHE (16) command failures on SATA
+drives and then libata translation does not conform to ZBC. To avoid the
+failure, add support for SYNCHRONIZE CACHE (16).
+
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -3266,6 +3266,7 @@ static unsigned int ata_scsiop_maint_in(
+ case REPORT_LUNS:
+ case REQUEST_SENSE:
+ case SYNCHRONIZE_CACHE:
++ case SYNCHRONIZE_CACHE_16:
+ case REZERO_UNIT:
+ case SEEK_6:
+ case SEEK_10:
+@@ -3924,6 +3925,7 @@ static inline ata_xlat_func_t ata_get_xl
+ return ata_scsi_write_same_xlat;
+
+ case SYNCHRONIZE_CACHE:
++ case SYNCHRONIZE_CACHE_16:
+ if (ata_try_flush_cache(dev))
+ return ata_scsi_flush_xlat;
+ break;
+@@ -4147,6 +4149,7 @@ void ata_scsi_simulate(struct ata_device
+ * turning this into a no-op.
+ */
+ case SYNCHRONIZE_CACHE:
++ case SYNCHRONIZE_CACHE_16:
+ fallthrough;
+
+ /* no-op's, complete with success */
--- /dev/null
+From 0fca385d6ebc3cabb20f67bcf8a71f1448bdc001 Mon Sep 17 00:00:00 2001
+From: Liu Shixin <liushixin2@huawei.com>
+Date: Thu, 3 Nov 2022 16:33:01 +0800
+Subject: btrfs: fix match incorrectly in dev_args_match_device
+
+From: Liu Shixin <liushixin2@huawei.com>
+
+commit 0fca385d6ebc3cabb20f67bcf8a71f1448bdc001 upstream.
+
+syzkaller found a failed assertion:
+
+ assertion failed: (args->devid != (u64)-1) || args->missing, in fs/btrfs/volumes.c:6921
+
+This can be triggered when we set devid to (u64)-1 by ioctl. In this
+case, the match of devid will be skipped and the match of device may
+succeed incorrectly.
+
+Patch 562d7b1512f7 introduced this function which is used to match device.
+This function contains two matching scenarios, we can distinguish them by
+checking the value of args->missing rather than check whether args->devid
+and args->uuid is default value.
+
+Reported-by: syzbot+031687116258450f9853@syzkaller.appspotmail.com
+Fixes: 562d7b1512f7 ("btrfs: handle device lookup with btrfs_dev_lookup_args")
+CC: stable@vger.kernel.org # 5.16+
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -6805,18 +6805,18 @@ static bool dev_args_match_fs_devices(co
+ static bool dev_args_match_device(const struct btrfs_dev_lookup_args *args,
+ const struct btrfs_device *device)
+ {
+- ASSERT((args->devid != (u64)-1) || args->missing);
++ if (args->missing) {
++ if (test_bit(BTRFS_DEV_STATE_IN_FS_METADATA, &device->dev_state) &&
++ !device->bdev)
++ return true;
++ return false;
++ }
+
+- if ((args->devid != (u64)-1) && device->devid != args->devid)
++ if (device->devid != args->devid)
+ return false;
+ if (args->uuid && memcmp(device->uuid, args->uuid, BTRFS_UUID_SIZE) != 0)
+ return false;
+- if (!args->missing)
+- return true;
+- if (test_bit(BTRFS_DEV_STATE_IN_FS_METADATA, &device->dev_state) &&
+- !device->bdev)
+- return true;
+- return false;
++ return true;
+ }
+
+ /*
--- /dev/null
+From 9b2f20344d450137d015b380ff0c2e2a6a170135 Mon Sep 17 00:00:00 2001
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Date: Tue, 1 Nov 2022 10:53:54 +0800
+Subject: btrfs: selftests: fix wrong error check in btrfs_free_dummy_root()
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+commit 9b2f20344d450137d015b380ff0c2e2a6a170135 upstream.
+
+The btrfs_alloc_dummy_root() uses ERR_PTR as the error return value
+rather than NULL, if error happened, there will be a NULL pointer
+dereference:
+
+ BUG: KASAN: null-ptr-deref in btrfs_free_dummy_root+0x21/0x50 [btrfs]
+ Read of size 8 at addr 000000000000002c by task insmod/258926
+
+ CPU: 2 PID: 258926 Comm: insmod Tainted: G W 6.1.0-rc2+ #5
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x34/0x44
+ kasan_report+0xb7/0x140
+ kasan_check_range+0x145/0x1a0
+ btrfs_free_dummy_root+0x21/0x50 [btrfs]
+ btrfs_test_free_space_cache+0x1a8c/0x1add [btrfs]
+ btrfs_run_sanity_tests+0x65/0x80 [btrfs]
+ init_btrfs_fs+0xec/0x154 [btrfs]
+ do_one_initcall+0x87/0x2a0
+ do_init_module+0xdf/0x320
+ load_module+0x3006/0x3390
+ __do_sys_finit_module+0x113/0x1b0
+ do_syscall_64+0x35/0x80
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+Fixes: aaedb55bc08f ("Btrfs: add tests for btrfs_get_extent")
+CC: stable@vger.kernel.org # 4.9+
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tests/btrfs-tests.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/tests/btrfs-tests.c
++++ b/fs/btrfs/tests/btrfs-tests.c
+@@ -200,7 +200,7 @@ void btrfs_free_dummy_fs_info(struct btr
+
+ void btrfs_free_dummy_root(struct btrfs_root *root)
+ {
+- if (!root)
++ if (IS_ERR_OR_NULL(root))
+ return;
+ /* Will be freed by btrfs_free_fs_roots */
+ if (WARN_ON(test_bit(BTRFS_ROOT_IN_RADIX, &root->state)))
--- /dev/null
+From 21e61ec6d0bb786818490e926aa9aeb4de95ad0d Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Date: Fri, 4 Nov 2022 07:12:33 -0700
+Subject: btrfs: zoned: clone zoned device info when cloning a device
+
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+
+commit 21e61ec6d0bb786818490e926aa9aeb4de95ad0d upstream.
+
+When cloning a btrfs_device, we're not cloning the associated
+btrfs_zoned_device_info structure of the device in case of a zoned
+filesystem.
+
+Later on this leads to a NULL pointer dereference when accessing the
+device's zone_info for instance when setting a zone as active.
+
+This was uncovered by fstests' testcase btrfs/161.
+
+CC: stable@vger.kernel.org # 5.15+
+Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 12 ++++++++++++
+ fs/btrfs/zoned.c | 40 ++++++++++++++++++++++++++++++++++++++++
+ fs/btrfs/zoned.h | 11 +++++++++++
+ 3 files changed, 63 insertions(+)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -1009,6 +1009,18 @@ static struct btrfs_fs_devices *clone_fs
+ rcu_assign_pointer(device->name, name);
+ }
+
++ if (orig_dev->zone_info) {
++ struct btrfs_zoned_device_info *zone_info;
++
++ zone_info = btrfs_clone_dev_zone_info(orig_dev);
++ if (!zone_info) {
++ btrfs_free_device(device);
++ ret = -ENOMEM;
++ goto error;
++ }
++ device->zone_info = zone_info;
++ }
++
+ list_add(&device->dev_list, &fs_devices->devices);
+ device->fs_devices = fs_devices;
+ fs_devices->num_devices++;
+--- a/fs/btrfs/zoned.c
++++ b/fs/btrfs/zoned.c
+@@ -639,6 +639,46 @@ void btrfs_destroy_dev_zone_info(struct
+ device->zone_info = NULL;
+ }
+
++struct btrfs_zoned_device_info *btrfs_clone_dev_zone_info(struct btrfs_device *orig_dev)
++{
++ struct btrfs_zoned_device_info *zone_info;
++
++ zone_info = kmemdup(orig_dev->zone_info, sizeof(*zone_info), GFP_KERNEL);
++ if (!zone_info)
++ return NULL;
++
++ zone_info->seq_zones = bitmap_zalloc(zone_info->nr_zones, GFP_KERNEL);
++ if (!zone_info->seq_zones)
++ goto out;
++
++ bitmap_copy(zone_info->seq_zones, orig_dev->zone_info->seq_zones,
++ zone_info->nr_zones);
++
++ zone_info->empty_zones = bitmap_zalloc(zone_info->nr_zones, GFP_KERNEL);
++ if (!zone_info->empty_zones)
++ goto out;
++
++ bitmap_copy(zone_info->empty_zones, orig_dev->zone_info->empty_zones,
++ zone_info->nr_zones);
++
++ zone_info->active_zones = bitmap_zalloc(zone_info->nr_zones, GFP_KERNEL);
++ if (!zone_info->active_zones)
++ goto out;
++
++ bitmap_copy(zone_info->active_zones, orig_dev->zone_info->active_zones,
++ zone_info->nr_zones);
++ zone_info->zone_cache = NULL;
++
++ return zone_info;
++
++out:
++ bitmap_free(zone_info->seq_zones);
++ bitmap_free(zone_info->empty_zones);
++ bitmap_free(zone_info->active_zones);
++ kfree(zone_info);
++ return NULL;
++}
++
+ int btrfs_get_dev_zone(struct btrfs_device *device, u64 pos,
+ struct blk_zone *zone)
+ {
+--- a/fs/btrfs/zoned.h
++++ b/fs/btrfs/zoned.h
+@@ -36,6 +36,7 @@ int btrfs_get_dev_zone(struct btrfs_devi
+ int btrfs_get_dev_zone_info_all_devices(struct btrfs_fs_info *fs_info);
+ int btrfs_get_dev_zone_info(struct btrfs_device *device, bool populate_cache);
+ void btrfs_destroy_dev_zone_info(struct btrfs_device *device);
++struct btrfs_zoned_device_info *btrfs_clone_dev_zone_info(struct btrfs_device *orig_dev);
+ int btrfs_check_zoned_mode(struct btrfs_fs_info *fs_info);
+ int btrfs_check_mountopts_zoned(struct btrfs_fs_info *info);
+ int btrfs_sb_log_location_bdev(struct block_device *bdev, int mirror, int rw,
+@@ -103,6 +104,16 @@ static inline int btrfs_get_dev_zone_inf
+
+ static inline void btrfs_destroy_dev_zone_info(struct btrfs_device *device) { }
+
++/*
++ * In case the kernel is compiled without CONFIG_BLK_DEV_ZONED we'll never call
++ * into btrfs_clone_dev_zone_info() so it's safe to return NULL here.
++ */
++static inline struct btrfs_zoned_device_info *btrfs_clone_dev_zone_info(
++ struct btrfs_device *orig_dev)
++{
++ return NULL;
++}
++
+ static inline int btrfs_check_zoned_mode(const struct btrfs_fs_info *fs_info)
+ {
+ if (!btrfs_is_zoned(fs_info))
--- /dev/null
+From a8d1b1647bf8244a5f270538e9e636e2657fffa3 Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Date: Fri, 4 Nov 2022 07:12:34 -0700
+Subject: btrfs: zoned: initialize device's zone info for seeding
+
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+
+commit a8d1b1647bf8244a5f270538e9e636e2657fffa3 upstream.
+
+When performing seeding on a zoned filesystem it is necessary to
+initialize each zoned device's btrfs_zoned_device_info structure,
+otherwise mounting the filesystem will cause a NULL pointer dereference.
+
+This was uncovered by fstests' testcase btrfs/163.
+
+CC: stable@vger.kernel.org # 5.15+
+Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/disk-io.c | 4 +++-
+ fs/btrfs/volumes.c | 11 +++++++++--
+ fs/btrfs/volumes.h | 2 +-
+ 3 files changed, 13 insertions(+), 4 deletions(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -2544,7 +2544,9 @@ static int btrfs_read_roots(struct btrfs
+ fs_info->dev_root = root;
+ }
+ /* Initialize fs_info for all devices in any case */
+- btrfs_init_devices_late(fs_info);
++ ret = btrfs_init_devices_late(fs_info);
++ if (ret)
++ goto out;
+
+ /*
+ * This tree can share blocks with some other fs tree during relocation
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -7643,10 +7643,11 @@ error:
+ return ret;
+ }
+
+-void btrfs_init_devices_late(struct btrfs_fs_info *fs_info)
++int btrfs_init_devices_late(struct btrfs_fs_info *fs_info)
+ {
+ struct btrfs_fs_devices *fs_devices = fs_info->fs_devices, *seed_devs;
+ struct btrfs_device *device;
++ int ret = 0;
+
+ fs_devices->fs_info = fs_info;
+
+@@ -7655,12 +7656,18 @@ void btrfs_init_devices_late(struct btrf
+ device->fs_info = fs_info;
+
+ list_for_each_entry(seed_devs, &fs_devices->seed_list, seed_list) {
+- list_for_each_entry(device, &seed_devs->devices, dev_list)
++ list_for_each_entry(device, &seed_devs->devices, dev_list) {
+ device->fs_info = fs_info;
++ ret = btrfs_get_dev_zone_info(device, false);
++ if (ret)
++ break;
++ }
+
+ seed_devs->fs_info = fs_info;
+ }
+ mutex_unlock(&fs_devices->device_list_mutex);
++
++ return ret;
+ }
+
+ static u64 btrfs_dev_stats_value(const struct extent_buffer *eb,
+--- a/fs/btrfs/volumes.h
++++ b/fs/btrfs/volumes.h
+@@ -629,7 +629,7 @@ int find_free_dev_extent(struct btrfs_de
+ void btrfs_dev_stat_inc_and_print(struct btrfs_device *dev, int index);
+ int btrfs_get_dev_stats(struct btrfs_fs_info *fs_info,
+ struct btrfs_ioctl_get_dev_stats *stats);
+-void btrfs_init_devices_late(struct btrfs_fs_info *fs_info);
++int btrfs_init_devices_late(struct btrfs_fs_info *fs_info);
+ int btrfs_init_dev_stats(struct btrfs_fs_info *fs_info);
+ int btrfs_run_dev_stats(struct btrfs_trans_handle *trans);
+ void btrfs_rm_dev_replace_remove_srcdev(struct btrfs_device *srcdev);
--- /dev/null
+From 866337865f3747c68a3e7bb837611e39cec1ecd6 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Fri, 4 Nov 2022 15:25:51 +0100
+Subject: can: isotp: fix tx state handling for echo tx processing
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 866337865f3747c68a3e7bb837611e39cec1ecd6 upstream.
+
+In commit 4b7fe92c0690 ("can: isotp: add local echo tx processing for
+consecutive frames") the data flow for consecutive frames (CF) has been
+reworked to improve the reliability of long data transfers.
+
+This rework did not touch the transmission and the tx state changes of
+single frame (SF) transfers which likely led to the WARN in the
+isotp_tx_timer_handler() catching a wrong tx state. This patch makes use
+of the improved frame processing for SF frames and sets the ISOTP_SENDING
+state in isotp_sendmsg() within the cmpxchg() condition handling.
+
+A review of the state machine and the timer handling additionally revealed
+a missing echo timeout handling in the case of the burst mode in
+isotp_rcv_echo() and removes a potential timer configuration uncertainty
+in isotp_rcv_fc() when the receiver requests consecutive frames.
+
+Fixes: 4b7fe92c0690 ("can: isotp: add local echo tx processing for consecutive frames")
+Link: https://lore.kernel.org/linux-can/CAO4mrfe3dG7cMP1V5FLUkw7s+50c9vichigUMQwsxX4M=45QEw@mail.gmail.com/T/#u
+Reported-by: Wei Chen <harperchen1110@gmail.com>
+Cc: stable@vger.kernel.org # v6.0
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://lore.kernel.org/all/20221104142551.16924-1-socketcan@hartkopp.net
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/isotp.c | 71 +++++++++++++++++++++++++++++---------------------------
+ 1 file changed, 38 insertions(+), 33 deletions(-)
+
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -111,6 +111,9 @@ MODULE_ALIAS("can-proto-6");
+ #define ISOTP_FC_WT 1 /* wait */
+ #define ISOTP_FC_OVFLW 2 /* overflow */
+
++#define ISOTP_FC_TIMEOUT 1 /* 1 sec */
++#define ISOTP_ECHO_TIMEOUT 2 /* 2 secs */
++
+ enum {
+ ISOTP_IDLE = 0,
+ ISOTP_WAIT_FIRST_FC,
+@@ -258,7 +261,8 @@ static int isotp_send_fc(struct sock *sk
+ so->lastrxcf_tstamp = ktime_set(0, 0);
+
+ /* start rx timeout watchdog */
+- hrtimer_start(&so->rxtimer, ktime_set(1, 0), HRTIMER_MODE_REL_SOFT);
++ hrtimer_start(&so->rxtimer, ktime_set(ISOTP_FC_TIMEOUT, 0),
++ HRTIMER_MODE_REL_SOFT);
+ return 0;
+ }
+
+@@ -344,6 +348,8 @@ static int check_pad(struct isotp_sock *
+ return 0;
+ }
+
++static void isotp_send_cframe(struct isotp_sock *so);
++
+ static int isotp_rcv_fc(struct isotp_sock *so, struct canfd_frame *cf, int ae)
+ {
+ struct sock *sk = &so->sk;
+@@ -398,14 +404,15 @@ static int isotp_rcv_fc(struct isotp_soc
+ case ISOTP_FC_CTS:
+ so->tx.bs = 0;
+ so->tx.state = ISOTP_SENDING;
+- /* start cyclic timer for sending CF frame */
+- hrtimer_start(&so->txtimer, so->tx_gap,
++ /* send CF frame and enable echo timeout handling */
++ hrtimer_start(&so->txtimer, ktime_set(ISOTP_ECHO_TIMEOUT, 0),
+ HRTIMER_MODE_REL_SOFT);
++ isotp_send_cframe(so);
+ break;
+
+ case ISOTP_FC_WT:
+ /* start timer to wait for next FC frame */
+- hrtimer_start(&so->txtimer, ktime_set(1, 0),
++ hrtimer_start(&so->txtimer, ktime_set(ISOTP_FC_TIMEOUT, 0),
+ HRTIMER_MODE_REL_SOFT);
+ break;
+
+@@ -600,7 +607,7 @@ static int isotp_rcv_cf(struct sock *sk,
+ /* perform blocksize handling, if enabled */
+ if (!so->rxfc.bs || ++so->rx.bs < so->rxfc.bs) {
+ /* start rx timeout watchdog */
+- hrtimer_start(&so->rxtimer, ktime_set(1, 0),
++ hrtimer_start(&so->rxtimer, ktime_set(ISOTP_FC_TIMEOUT, 0),
+ HRTIMER_MODE_REL_SOFT);
+ return 0;
+ }
+@@ -829,7 +836,7 @@ static void isotp_rcv_echo(struct sk_buf
+ struct isotp_sock *so = isotp_sk(sk);
+ struct canfd_frame *cf = (struct canfd_frame *)skb->data;
+
+- /* only handle my own local echo skb's */
++ /* only handle my own local echo CF/SF skb's (no FF!) */
+ if (skb->sk != sk || so->cfecho != *(u32 *)cf->data)
+ return;
+
+@@ -849,13 +856,16 @@ static void isotp_rcv_echo(struct sk_buf
+ if (so->txfc.bs && so->tx.bs >= so->txfc.bs) {
+ /* stop and wait for FC with timeout */
+ so->tx.state = ISOTP_WAIT_FC;
+- hrtimer_start(&so->txtimer, ktime_set(1, 0),
++ hrtimer_start(&so->txtimer, ktime_set(ISOTP_FC_TIMEOUT, 0),
+ HRTIMER_MODE_REL_SOFT);
+ return;
+ }
+
+ /* no gap between data frames needed => use burst mode */
+ if (!so->tx_gap) {
++ /* enable echo timeout handling */
++ hrtimer_start(&so->txtimer, ktime_set(ISOTP_ECHO_TIMEOUT, 0),
++ HRTIMER_MODE_REL_SOFT);
+ isotp_send_cframe(so);
+ return;
+ }
+@@ -879,7 +889,7 @@ static enum hrtimer_restart isotp_tx_tim
+ /* start timeout for unlikely lost echo skb */
+ hrtimer_set_expires(&so->txtimer,
+ ktime_add(ktime_get(),
+- ktime_set(2, 0)));
++ ktime_set(ISOTP_ECHO_TIMEOUT, 0)));
+ restart = HRTIMER_RESTART;
+
+ /* push out the next consecutive frame */
+@@ -907,7 +917,8 @@ static enum hrtimer_restart isotp_tx_tim
+ break;
+
+ default:
+- WARN_ON_ONCE(1);
++ WARN_ONCE(1, "can-isotp: tx timer state %08X cfecho %08X\n",
++ so->tx.state, so->cfecho);
+ }
+
+ return restart;
+@@ -923,7 +934,7 @@ static int isotp_sendmsg(struct socket *
+ struct canfd_frame *cf;
+ int ae = (so->opt.flags & CAN_ISOTP_EXTEND_ADDR) ? 1 : 0;
+ int wait_tx_done = (so->opt.flags & CAN_ISOTP_WAIT_TX_DONE) ? 1 : 0;
+- s64 hrtimer_sec = 0;
++ s64 hrtimer_sec = ISOTP_ECHO_TIMEOUT;
+ int off;
+ int err;
+
+@@ -942,6 +953,8 @@ static int isotp_sendmsg(struct socket *
+ err = wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE);
+ if (err)
+ goto err_out;
++
++ so->tx.state = ISOTP_SENDING;
+ }
+
+ if (!size || size > MAX_MSG_LENGTH) {
+@@ -986,6 +999,10 @@ static int isotp_sendmsg(struct socket *
+ cf = (struct canfd_frame *)skb->data;
+ skb_put_zero(skb, so->ll.mtu);
+
++ /* cfecho should have been zero'ed by init / former isotp_rcv_echo() */
++ if (so->cfecho)
++ pr_notice_once("can-isotp: uninit cfecho %08X\n", so->cfecho);
++
+ /* check for single frame transmission depending on TX_DL */
+ if (size <= so->tx.ll_dl - SF_PCI_SZ4 - ae - off) {
+ /* The message size generally fits into a SingleFrame - good.
+@@ -1011,11 +1028,8 @@ static int isotp_sendmsg(struct socket *
+ else
+ cf->data[ae] |= size;
+
+- so->tx.state = ISOTP_IDLE;
+- wake_up_interruptible(&so->wait);
+-
+- /* don't enable wait queue for a single frame transmission */
+- wait_tx_done = 0;
++ /* set CF echo tag for isotp_rcv_echo() (SF-mode) */
++ so->cfecho = *(u32 *)cf->data;
+ } else {
+ /* send first frame */
+
+@@ -1031,31 +1045,23 @@ static int isotp_sendmsg(struct socket *
+ /* disable wait for FCs due to activated block size */
+ so->txfc.bs = 0;
+
+- /* cfecho should have been zero'ed by init */
+- if (so->cfecho)
+- pr_notice_once("can-isotp: no fc cfecho %08X\n",
+- so->cfecho);
+-
+- /* set consecutive frame echo tag */
++ /* set CF echo tag for isotp_rcv_echo() (CF-mode) */
+ so->cfecho = *(u32 *)cf->data;
+-
+- /* switch directly to ISOTP_SENDING state */
+- so->tx.state = ISOTP_SENDING;
+-
+- /* start timeout for unlikely lost echo skb */
+- hrtimer_sec = 2;
+ } else {
+ /* standard flow control check */
+ so->tx.state = ISOTP_WAIT_FIRST_FC;
+
+ /* start timeout for FC */
+- hrtimer_sec = 1;
+- }
++ hrtimer_sec = ISOTP_FC_TIMEOUT;
+
+- hrtimer_start(&so->txtimer, ktime_set(hrtimer_sec, 0),
+- HRTIMER_MODE_REL_SOFT);
++ /* no CF echo tag for isotp_rcv_echo() (FF-mode) */
++ so->cfecho = 0;
++ }
+ }
+
++ hrtimer_start(&so->txtimer, ktime_set(hrtimer_sec, 0),
++ HRTIMER_MODE_REL_SOFT);
++
+ /* send the first or only CAN frame */
+ cf->flags = so->ll.tx_flags;
+
+@@ -1068,8 +1074,7 @@ static int isotp_sendmsg(struct socket *
+ __func__, ERR_PTR(err));
+
+ /* no transmission -> no timeout monitoring */
+- if (hrtimer_sec)
+- hrtimer_cancel(&so->txtimer);
++ hrtimer_cancel(&so->txtimer);
+
+ /* reset consecutive frame echo tag */
+ so->cfecho = 0;
--- /dev/null
+From 3eb3d283e8579a22b81dd2ac3987b77465b2a22f Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Fri, 4 Nov 2022 08:50:00 +0100
+Subject: can: j1939: j1939_send_one(): fix missing CAN header initialization
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 3eb3d283e8579a22b81dd2ac3987b77465b2a22f upstream.
+
+The read access to struct canxl_frame::len inside of a j1939 created
+skbuff revealed a missing initialization of reserved and later filled
+elements in struct can_frame.
+
+This patch initializes the 8 byte CAN header with zero.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Cc: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/linux-can/20221104052235.GA6474@pengutronix.de
+Reported-by: syzbot+d168ec0caca4697e03b1@syzkaller.appspotmail.com
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://lore.kernel.org/all/20221104075000.105414-1-socketcan@hartkopp.net
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/can/j1939/main.c
++++ b/net/can/j1939/main.c
+@@ -332,6 +332,9 @@ int j1939_send_one(struct j1939_priv *pr
+ /* re-claim the CAN_HDR from the SKB */
+ cf = skb_push(skb, J1939_CAN_HDR);
+
++ /* initialize header structure */
++ memset(cf, 0, J1939_CAN_HDR);
++
+ /* make it a full can frame again */
+ skb_put(skb, J1939_CAN_FTR + (8 - dlc));
+
--- /dev/null
+From 8b043dfb3dc7c32f9c2c0c93e3c2de346ee5e358 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 28 Oct 2022 12:06:45 +0200
+Subject: can: rcar_canfd: Add missing ECC error checks for channels 2-7
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 8b043dfb3dc7c32f9c2c0c93e3c2de346ee5e358 upstream.
+
+When introducing support for R-Car V3U, which has 8 instead of 2
+channels, the ECC error bitmask was extended to take into account the
+extra channels, but rcar_canfd_global_error() was not updated to act
+upon the extra bits.
+
+Replace the RCANFD_GERFL_EEF[01] macros by a new macro that takes the
+channel number, fixing R-Car V3U while simplifying the code.
+
+Fixes: 45721c406dcf50d4 ("can: rcar_canfd: Add support for r8a779a0 SoC")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Biju Das <biju.das.jz@bp.renesas.com>
+Link: https://lore.kernel.org/all/4edb2ea46cc64d0532a08a924179827481e14b4f.1666951503.git.geert+renesas@glider.be
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/rcar/rcar_canfd.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/can/rcar/rcar_canfd.c
++++ b/drivers/net/can/rcar/rcar_canfd.c
+@@ -81,8 +81,7 @@ enum rcanfd_chip_id {
+
+ /* RSCFDnCFDGERFL / RSCFDnGERFL */
+ #define RCANFD_GERFL_EEF0_7 GENMASK(23, 16)
+-#define RCANFD_GERFL_EEF1 BIT(17)
+-#define RCANFD_GERFL_EEF0 BIT(16)
++#define RCANFD_GERFL_EEF(ch) BIT(16 + (ch))
+ #define RCANFD_GERFL_CMPOF BIT(3) /* CAN FD only */
+ #define RCANFD_GERFL_THLES BIT(2)
+ #define RCANFD_GERFL_MES BIT(1)
+@@ -90,7 +89,7 @@ enum rcanfd_chip_id {
+
+ #define RCANFD_GERFL_ERR(gpriv, x) \
+ ((x) & (reg_v3u(gpriv, RCANFD_GERFL_EEF0_7, \
+- RCANFD_GERFL_EEF0 | RCANFD_GERFL_EEF1) | \
++ RCANFD_GERFL_EEF(0) | RCANFD_GERFL_EEF(1)) | \
+ RCANFD_GERFL_MES | \
+ ((gpriv)->fdmode ? RCANFD_GERFL_CMPOF : 0)))
+
+@@ -936,12 +935,8 @@ static void rcar_canfd_global_error(stru
+ u32 ridx = ch + RCANFD_RFFIFO_IDX;
+
+ gerfl = rcar_canfd_read(priv->base, RCANFD_GERFL);
+- if ((gerfl & RCANFD_GERFL_EEF0) && (ch == 0)) {
+- netdev_dbg(ndev, "Ch0: ECC Error flag\n");
+- stats->tx_dropped++;
+- }
+- if ((gerfl & RCANFD_GERFL_EEF1) && (ch == 1)) {
+- netdev_dbg(ndev, "Ch1: ECC Error flag\n");
++ if (gerfl & RCANFD_GERFL_EEF(ch)) {
++ netdev_dbg(ndev, "Ch%u: ECC Error flag\n", ch);
+ stats->tx_dropped++;
+ }
+ if (gerfl & RCANFD_GERFL_MES) {
--- /dev/null
+From 0ec8ce07394442d722806fe61b901a5b2b17249d Mon Sep 17 00:00:00 2001
+From: Fenghua Yu <fenghua.yu@intel.com>
+Date: Fri, 14 Oct 2022 15:25:41 -0700
+Subject: dmaengine: idxd: Do not enable user type Work Queue without Shared Virtual Addressing
+
+From: Fenghua Yu <fenghua.yu@intel.com>
+
+commit 0ec8ce07394442d722806fe61b901a5b2b17249d upstream.
+
+When the idxd_user_drv driver is bound to a Work Queue (WQ) device
+without IOMMU or with IOMMU Passthrough without Shared Virtual
+Addressing (SVA), the application gains direct access to physical
+memory via the device by programming physical address to a submitted
+descriptor. This allows direct userspace read and write access to
+arbitrary physical memory. This is inconsistent with the security
+goals of a good kernel API.
+
+Unlike vfio_pci driver, the IDXD char device driver does not provide any
+ways to pin user pages and translate the address from user VA to IOVA or
+PA without IOMMU SVA. Therefore the application has no way to instruct the
+device to perform DMA function. This makes the char device not usable for
+normal application usage.
+
+Since user type WQ without SVA cannot be used for normal application usage
+and presents the security issue, bind idxd_user_drv driver and enable user
+type WQ only when SVA is enabled (i.e. user PASID is enabled).
+
+Fixes: 448c3de8ac83 ("dmaengine: idxd: create user driver for wq 'device'")
+Cc: stable@vger.kernel.org
+Suggested-by: Arjan Van De Ven <arjan.van.de.ven@intel.com>
+Signed-off-by: Fenghua Yu <fenghua.yu@intel.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Link: https://lore.kernel.org/r/20221014222541.3912195-1-fenghua.yu@intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/idxd/cdev.c | 18 ++++++++++++++++++
+ include/uapi/linux/idxd.h | 1 +
+ 2 files changed, 19 insertions(+)
+
+--- a/drivers/dma/idxd/cdev.c
++++ b/drivers/dma/idxd/cdev.c
+@@ -312,6 +312,24 @@ static int idxd_user_drv_probe(struct id
+ if (idxd->state != IDXD_DEV_ENABLED)
+ return -ENXIO;
+
++ /*
++ * User type WQ is enabled only when SVA is enabled for two reasons:
++ * - If no IOMMU or IOMMU Passthrough without SVA, userspace
++ * can directly access physical address through the WQ.
++ * - The IDXD cdev driver does not provide any ways to pin
++ * user pages and translate the address from user VA to IOVA or
++ * PA without IOMMU SVA. Therefore the application has no way
++ * to instruct the device to perform DMA function. This makes
++ * the cdev not usable for normal application usage.
++ */
++ if (!device_user_pasid_enabled(idxd)) {
++ idxd->cmd_status = IDXD_SCMD_WQ_USER_NO_IOMMU;
++ dev_dbg(&idxd->pdev->dev,
++ "User type WQ cannot be enabled without SVA.\n");
++
++ return -EOPNOTSUPP;
++ }
++
+ mutex_lock(&wq->wq_lock);
+ wq->type = IDXD_WQT_USER;
+ rc = drv_enable_wq(wq);
+--- a/include/uapi/linux/idxd.h
++++ b/include/uapi/linux/idxd.h
+@@ -29,6 +29,7 @@ enum idxd_scmd_stat {
+ IDXD_SCMD_WQ_NO_SIZE = 0x800e0000,
+ IDXD_SCMD_WQ_NO_PRIV = 0x800f0000,
+ IDXD_SCMD_WQ_IRQ_ERR = 0x80100000,
++ IDXD_SCMD_WQ_USER_NO_IOMMU = 0x80110000,
+ };
+
+ #define IDXD_SCMD_SOFTERR_MASK 0x80000000
--- /dev/null
+From ce62198d8b62734a985d22652e75a649be052390 Mon Sep 17 00:00:00 2001
+From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Date: Thu, 27 Oct 2022 15:34:33 -0400
+Subject: drm/amd/display: Fix reg timeout in enc314_enable_fifo
+
+From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+
+commit ce62198d8b62734a985d22652e75a649be052390 upstream.
+
+[Why]
+The link enablement sequence can end up resetting the encoder while
+the PHY symclk isn't yet on.
+
+This means that waiting for symclk on will timeout, along with the reset
+bit never asserting high.
+
+This causes unnecessary delay when enabling the link and produces a
+warning affecting multiple IGT tests.
+
+[How]
+Don't wait for the symclk to be on here because firmware already does.
+
+Don't wait for reset if we know the symclk isn't on.
+
+Split the reset into a helper function that checks the bit and decides
+whether or not a delay is sufficient.
+
+Reviewed-by: Roman Li <Roman.Li@amd.com>
+Acked-by: Alan Liu <HaoPing.Liu@amd.com>
+Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.0.x
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ .../dc/dcn314/dcn314_dio_stream_encoder.c | 24 ++++++++++++++-----
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_dio_stream_encoder.c b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_dio_stream_encoder.c
+index 7e773bf7b895..38842f938bed 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_dio_stream_encoder.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_dio_stream_encoder.c
+@@ -49,18 +49,30 @@
+ #define CTX \
+ enc1->base.ctx
+
++static void enc314_reset_fifo(struct stream_encoder *enc, bool reset)
++{
++ struct dcn10_stream_encoder *enc1 = DCN10STRENC_FROM_STRENC(enc);
++ uint32_t reset_val = reset ? 1 : 0;
++ uint32_t is_symclk_on;
++
++ REG_UPDATE(DIG_FIFO_CTRL0, DIG_FIFO_RESET, reset_val);
++ REG_GET(DIG_FE_CNTL, DIG_SYMCLK_FE_ON, &is_symclk_on);
++
++ if (is_symclk_on)
++ REG_WAIT(DIG_FIFO_CTRL0, DIG_FIFO_RESET_DONE, reset_val, 10, 5000);
++ else
++ udelay(10);
++}
+
+ static void enc314_enable_fifo(struct stream_encoder *enc)
+ {
+ struct dcn10_stream_encoder *enc1 = DCN10STRENC_FROM_STRENC(enc);
+
+- /* TODO: Confirm if we need to wait for DIG_SYMCLK_FE_ON */
+- REG_WAIT(DIG_FE_CNTL, DIG_SYMCLK_FE_ON, 1, 10, 5000);
+ REG_UPDATE(DIG_FIFO_CTRL0, DIG_FIFO_READ_START_LEVEL, 0x7);
+- REG_UPDATE(DIG_FIFO_CTRL0, DIG_FIFO_RESET, 1);
+- REG_WAIT(DIG_FIFO_CTRL0, DIG_FIFO_RESET_DONE, 1, 10, 5000);
+- REG_UPDATE(DIG_FIFO_CTRL0, DIG_FIFO_RESET, 0);
+- REG_WAIT(DIG_FIFO_CTRL0, DIG_FIFO_RESET_DONE, 0, 10, 5000);
++
++ enc314_reset_fifo(enc, true);
++ enc314_reset_fifo(enc, false);
++
+ REG_UPDATE(DIG_FIFO_CTRL0, DIG_FIFO_ENABLE, 1);
+ }
+
+--
+2.38.1
+
--- /dev/null
+From 632d06985235d988c9d7e6eec8fa655be0761fd0 Mon Sep 17 00:00:00 2001
+From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Date: Tue, 25 Oct 2022 11:26:04 -0400
+Subject: drm/amd/display: Update SR watermarks for DCN314
+
+From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+
+commit 632d06985235d988c9d7e6eec8fa655be0761fd0 upstream.
+
+[Why & How]
+New values requested by hardware after fine-tuning.
+Update for all memory types.
+
+Reviewed-by: Jun Lei <Jun.Lei@amd.com>
+Acked-by: Alan Liu <HaoPing.Liu@amd.com>
+Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.0.x
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/clk_mgr/dcn314/dcn314_clk_mgr.c | 32 +++++-----
+ drivers/gpu/drm/amd/display/dc/dml/dcn314/dcn314_fpu.c | 4 -
+ 2 files changed, 18 insertions(+), 18 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn314/dcn314_clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn314/dcn314_clk_mgr.c
+@@ -356,32 +356,32 @@ static struct wm_table ddr5_wm_table = {
+ .wm_inst = WM_A,
+ .wm_type = WM_TYPE_PSTATE_CHG,
+ .pstate_latency_us = 11.72,
+- .sr_exit_time_us = 9,
+- .sr_enter_plus_exit_time_us = 11,
++ .sr_exit_time_us = 12.5,
++ .sr_enter_plus_exit_time_us = 14.5,
+ .valid = true,
+ },
+ {
+ .wm_inst = WM_B,
+ .wm_type = WM_TYPE_PSTATE_CHG,
+ .pstate_latency_us = 11.72,
+- .sr_exit_time_us = 9,
+- .sr_enter_plus_exit_time_us = 11,
++ .sr_exit_time_us = 12.5,
++ .sr_enter_plus_exit_time_us = 14.5,
+ .valid = true,
+ },
+ {
+ .wm_inst = WM_C,
+ .wm_type = WM_TYPE_PSTATE_CHG,
+ .pstate_latency_us = 11.72,
+- .sr_exit_time_us = 9,
+- .sr_enter_plus_exit_time_us = 11,
++ .sr_exit_time_us = 12.5,
++ .sr_enter_plus_exit_time_us = 14.5,
+ .valid = true,
+ },
+ {
+ .wm_inst = WM_D,
+ .wm_type = WM_TYPE_PSTATE_CHG,
+ .pstate_latency_us = 11.72,
+- .sr_exit_time_us = 9,
+- .sr_enter_plus_exit_time_us = 11,
++ .sr_exit_time_us = 12.5,
++ .sr_enter_plus_exit_time_us = 14.5,
+ .valid = true,
+ },
+ }
+@@ -393,32 +393,32 @@ static struct wm_table lpddr5_wm_table =
+ .wm_inst = WM_A,
+ .wm_type = WM_TYPE_PSTATE_CHG,
+ .pstate_latency_us = 11.65333,
+- .sr_exit_time_us = 11.5,
+- .sr_enter_plus_exit_time_us = 14.5,
++ .sr_exit_time_us = 16.5,
++ .sr_enter_plus_exit_time_us = 18.5,
+ .valid = true,
+ },
+ {
+ .wm_inst = WM_B,
+ .wm_type = WM_TYPE_PSTATE_CHG,
+ .pstate_latency_us = 11.65333,
+- .sr_exit_time_us = 11.5,
+- .sr_enter_plus_exit_time_us = 14.5,
++ .sr_exit_time_us = 16.5,
++ .sr_enter_plus_exit_time_us = 18.5,
+ .valid = true,
+ },
+ {
+ .wm_inst = WM_C,
+ .wm_type = WM_TYPE_PSTATE_CHG,
+ .pstate_latency_us = 11.65333,
+- .sr_exit_time_us = 11.5,
+- .sr_enter_plus_exit_time_us = 14.5,
++ .sr_exit_time_us = 16.5,
++ .sr_enter_plus_exit_time_us = 18.5,
+ .valid = true,
+ },
+ {
+ .wm_inst = WM_D,
+ .wm_type = WM_TYPE_PSTATE_CHG,
+ .pstate_latency_us = 11.65333,
+- .sr_exit_time_us = 11.5,
+- .sr_enter_plus_exit_time_us = 14.5,
++ .sr_exit_time_us = 16.5,
++ .sr_enter_plus_exit_time_us = 18.5,
+ .valid = true,
+ },
+ }
+--- a/drivers/gpu/drm/amd/display/dc/dml/dcn314/dcn314_fpu.c
++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn314/dcn314_fpu.c
+@@ -146,8 +146,8 @@ struct _vcs_dpi_soc_bounding_box_st dcn3
+ },
+ },
+ .num_states = 5,
+- .sr_exit_time_us = 9.0,
+- .sr_enter_plus_exit_time_us = 11.0,
++ .sr_exit_time_us = 16.5,
++ .sr_enter_plus_exit_time_us = 18.5,
+ .sr_exit_z8_time_us = 442.0,
+ .sr_enter_plus_exit_z8_time_us = 560.0,
+ .writeback_latency_us = 12.0,
--- /dev/null
+From bc66c9ab162d2a633ee3eb864d7bc2369e79c1e4 Mon Sep 17 00:00:00 2001
+From: Tim Huang <tim.huang@amd.com>
+Date: Thu, 3 Nov 2022 11:05:19 +0800
+Subject: drm/amd/pm: update SMU IP v13.0.4 msg interface header
+
+From: Tim Huang <tim.huang@amd.com>
+
+commit bc66c9ab162d2a633ee3eb864d7bc2369e79c1e4 upstream.
+
+Some of the unused messages that were used earlier in development have
+been freed up as spare messages, no intended functional changes.
+
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Tim Huang <tim.huang@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Yifan Zhang <yifan1.zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.0.x
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ .../amd/pm/swsmu/inc/pmfw_if/smu_v13_0_4_ppsmc.h | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu_v13_0_4_ppsmc.h b/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu_v13_0_4_ppsmc.h
+index d9b0cd752200..f4d6c07b56ea 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu_v13_0_4_ppsmc.h
++++ b/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu_v13_0_4_ppsmc.h
+@@ -54,14 +54,14 @@
+ #define PPSMC_MSG_TestMessage 0x01 ///< To check if PMFW is alive and responding. Requirement specified by PMFW team
+ #define PPSMC_MSG_GetPmfwVersion 0x02 ///< Get PMFW version
+ #define PPSMC_MSG_GetDriverIfVersion 0x03 ///< Get PMFW_DRIVER_IF version
+-#define PPSMC_MSG_EnableGfxOff 0x04 ///< Enable GFXOFF
+-#define PPSMC_MSG_DisableGfxOff 0x05 ///< Disable GFXOFF
++#define PPSMC_MSG_SPARE0 0x04 ///< SPARE
++#define PPSMC_MSG_SPARE1 0x05 ///< SPARE
+ #define PPSMC_MSG_PowerDownVcn 0x06 ///< Power down VCN
+ #define PPSMC_MSG_PowerUpVcn 0x07 ///< Power up VCN; VCN is power gated by default
+ #define PPSMC_MSG_SetHardMinVcn 0x08 ///< For wireless display
+ #define PPSMC_MSG_SetSoftMinGfxclk 0x09 ///< Set SoftMin for GFXCLK, argument is frequency in MHz
+-#define PPSMC_MSG_ActiveProcessNotify 0x0A ///< Needs update
+-#define PPSMC_MSG_ForcePowerDownGfx 0x0B ///< Force power down GFX, i.e. enter GFXOFF
++#define PPSMC_MSG_SPARE2 0x0A ///< SPARE
++#define PPSMC_MSG_SPARE3 0x0B ///< SPARE
+ #define PPSMC_MSG_PrepareMp1ForUnload 0x0C ///< Prepare PMFW for GFX driver unload
+ #define PPSMC_MSG_SetDriverDramAddrHigh 0x0D ///< Set high 32 bits of DRAM address for Driver table transfer
+ #define PPSMC_MSG_SetDriverDramAddrLow 0x0E ///< Set low 32 bits of DRAM address for Driver table transfer
+@@ -73,8 +73,7 @@
+ #define PPSMC_MSG_SetSoftMinFclk 0x14 ///< Set hard min for FCLK
+ #define PPSMC_MSG_SetSoftMinVcn 0x15 ///< Set soft min for VCN clocks (VCLK and DCLK)
+
+-
+-#define PPSMC_MSG_EnableGfxImu 0x16 ///< Needs update
++#define PPSMC_MSG_EnableGfxImu 0x16 ///< Enable GFX IMU
+
+ #define PPSMC_MSG_GetGfxclkFrequency 0x17 ///< Get GFX clock frequency
+ #define PPSMC_MSG_GetFclkFrequency 0x18 ///< Get FCLK frequency
+@@ -102,8 +101,8 @@
+ #define PPSMC_MSG_SetHardMinIspxclkByFreq 0x2C ///< Set HardMin by frequency for ISPXCLK
+ #define PPSMC_MSG_PowerDownUmsch 0x2D ///< Power down VCN.UMSCH (aka VSCH) scheduler
+ #define PPSMC_MSG_PowerUpUmsch 0x2E ///< Power up VCN.UMSCH (aka VSCH) scheduler
+-#define PPSMC_Message_IspStutterOn_MmhubPgDis 0x2F ///< ISP StutterOn mmHub PgDis
+-#define PPSMC_Message_IspStutterOff_MmhubPgEn 0x30 ///< ISP StufferOff mmHub PgEn
++#define PPSMC_MSG_IspStutterOn_MmhubPgDis 0x2F ///< ISP StutterOn mmHub PgDis
++#define PPSMC_MSG_IspStutterOff_MmhubPgEn 0x30 ///< ISP StufferOff mmHub PgEn
+
+ #define PPSMC_Message_Count 0x31 ///< Total number of PPSMC messages
+ /** @}*/
+--
+2.38.1
+
--- /dev/null
+From 0c85c067c9d9d7a1b2cc2e01a236d5d0d4a872b5 Mon Sep 17 00:00:00 2001
+From: Guchun Chen <guchun.chen@amd.com>
+Date: Mon, 7 Nov 2022 16:46:59 +0800
+Subject: drm/amdgpu: disable BACO on special BEIGE_GOBY card
+
+From: Guchun Chen <guchun.chen@amd.com>
+
+commit 0c85c067c9d9d7a1b2cc2e01a236d5d0d4a872b5 upstream.
+
+Still avoid intermittent failure.
+
+Signed-off-by: Guchun Chen <guchun.chen@amd.com>
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Acked-by: Evan Quan <evan.quan@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c
+@@ -376,7 +376,9 @@ static void sienna_cichlid_check_bxco_su
+ if (((adev->pdev->device == 0x73A1) &&
+ (adev->pdev->revision == 0x00)) ||
+ ((adev->pdev->device == 0x73BF) &&
+- (adev->pdev->revision == 0xCF)))
++ (adev->pdev->revision == 0xCF)) ||
++ ((adev->pdev->device == 0x7422) &&
++ (adev->pdev->revision == 0x00)))
+ smu_baco->platform_support = false;
+
+ }
--- /dev/null
+From 77c092e054262b594614bad5e5f47e57c5d29639 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
+Date: Wed, 2 Nov 2022 14:55:13 +0100
+Subject: drm/amdgpu: workaround for TLB seq race
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <christian.koenig@amd.com>
+
+commit 77c092e054262b594614bad5e5f47e57c5d29639 upstream.
+
+It can happen that we query the sequence value before the callback
+had a chance to run.
+
+Workaround that by grabbing the fence lock and releasing it again.
+Should be replaced by hw handling soon.
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+CC: stable@vger.kernel.org # 5.19+
+Fixes: 5255e146c99a6 ("drm/amdgpu: rework TLB flushing")
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2113
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Acked-by: Philip Yang <Philip.Yang@amd.com>
+Tested-by: Stefan Springer <stefanspr94@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h
+@@ -485,6 +485,21 @@ void amdgpu_debugfs_vm_bo_info(struct am
+ */
+ static inline uint64_t amdgpu_vm_tlb_seq(struct amdgpu_vm *vm)
+ {
++ unsigned long flags;
++ spinlock_t *lock;
++
++ /*
++ * Workaround to stop racing between the fence signaling and handling
++ * the cb. The lock is static after initially setting it up, just make
++ * sure that the dma_fence structure isn't freed up.
++ */
++ rcu_read_lock();
++ lock = vm->last_tlb_flush->lock;
++ rcu_read_unlock();
++
++ spin_lock_irqsave(lock, flags);
++ spin_unlock_irqrestore(lock, flags);
++
+ return atomic64_read(&vm->tlb_seq);
+ }
+
--- /dev/null
+From b91c23e099f0b65d62159da13458c5eefa76083f Mon Sep 17 00:00:00 2001
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+Date: Tue, 1 Nov 2022 15:02:48 -0400
+Subject: drm/amdkfd: Fix error handling in criu_checkpoint
+
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+
+commit b91c23e099f0b65d62159da13458c5eefa76083f upstream.
+
+Checkpoint BOs last. That way we don't need to close dmabuf FDs if
+something else fails later. This avoids problematic access to user mode
+memory in the error handling code path.
+
+criu_checkpoint_bos has its own error handling and cleanup that does not
+depend on access to user memory.
+
+In the private data, keep BOs before the remaining objects. This is
+necessary to restore things in the correct order as restoring events
+depends on the events-page BO being restored first.
+
+Fixes: be072b06c739 ("drm/amdkfd: CRIU export BOs as prime dmabuf objects")
+Reported-by: Jann Horn <jannh@google.com>
+CC: Rajneesh Bhardwaj <Rajneesh.Bhardwaj@amd.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-and-tested-by: Rajneesh Bhardwaj <rajneesh.bhardwaj@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 34 +++++++++++++------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+@@ -1928,7 +1928,7 @@ static int criu_checkpoint(struct file *
+ {
+ int ret;
+ uint32_t num_devices, num_bos, num_objects;
+- uint64_t priv_size, priv_offset = 0;
++ uint64_t priv_size, priv_offset = 0, bo_priv_offset;
+
+ if (!args->devices || !args->bos || !args->priv_data)
+ return -EINVAL;
+@@ -1972,38 +1972,34 @@ static int criu_checkpoint(struct file *
+ if (ret)
+ goto exit_unlock;
+
+- ret = criu_checkpoint_bos(p, num_bos, (uint8_t __user *)args->bos,
+- (uint8_t __user *)args->priv_data, &priv_offset);
+- if (ret)
+- goto exit_unlock;
++ /* Leave room for BOs in the private data. They need to be restored
++ * before events, but we checkpoint them last to simplify the error
++ * handling.
++ */
++ bo_priv_offset = priv_offset;
++ priv_offset += num_bos * sizeof(struct kfd_criu_bo_priv_data);
+
+ if (num_objects) {
+ ret = kfd_criu_checkpoint_queues(p, (uint8_t __user *)args->priv_data,
+ &priv_offset);
+ if (ret)
+- goto close_bo_fds;
++ goto exit_unlock;
+
+ ret = kfd_criu_checkpoint_events(p, (uint8_t __user *)args->priv_data,
+ &priv_offset);
+ if (ret)
+- goto close_bo_fds;
++ goto exit_unlock;
+
+ ret = kfd_criu_checkpoint_svm(p, (uint8_t __user *)args->priv_data, &priv_offset);
+ if (ret)
+- goto close_bo_fds;
++ goto exit_unlock;
+ }
+
+-close_bo_fds:
+- if (ret) {
+- /* If IOCTL returns err, user assumes all FDs opened in criu_dump_bos are closed */
+- uint32_t i;
+- struct kfd_criu_bo_bucket *bo_buckets = (struct kfd_criu_bo_bucket *) args->bos;
+-
+- for (i = 0; i < num_bos; i++) {
+- if (bo_buckets[i].alloc_flags & KFD_IOC_ALLOC_MEM_FLAGS_VRAM)
+- close_fd(bo_buckets[i].dmabuf_fd);
+- }
+- }
++ /* This must be the last thing in this function that can fail.
++ * Otherwise we leak dmabuf file descriptors.
++ */
++ ret = criu_checkpoint_bos(p, num_bos, (uint8_t __user *)args->bos,
++ (uint8_t __user *)args->priv_data, &bo_priv_offset);
+
+ exit_unlock:
+ mutex_unlock(&p->mutex);
--- /dev/null
+From 66f7903779fbbc620bf1040017e4833ef6a0b541 Mon Sep 17 00:00:00 2001
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+Date: Thu, 3 Nov 2022 17:01:46 -0400
+Subject: drm/amdkfd: Fix error handling in kfd_criu_restore_events
+
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+
+commit 66f7903779fbbc620bf1040017e4833ef6a0b541 upstream.
+
+mutex_unlock before the exit label because all the error code paths that
+jump there didn't take that lock. This fixes unbalanced locking errors
+in case of restore errors.
+
+Fixes: 40e8a766a761 ("drm/amdkfd: CRIU checkpoint and restore events")
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Rajneesh Bhardwaj <rajneesh.bhardwaj@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_events.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
+@@ -506,6 +506,7 @@ int kfd_criu_restore_event(struct file *
+ ret = create_other_event(p, ev, &ev_priv->event_id);
+ break;
+ }
++ mutex_unlock(&p->event_mutex);
+
+ exit:
+ if (ret)
+@@ -513,8 +514,6 @@ exit:
+
+ kfree(ev_priv);
+
+- mutex_unlock(&p->event_mutex);
+-
+ return ret;
+ }
+
--- /dev/null
+From f90daa975911961b65070ec72bd7dd8d448f9ef7 Mon Sep 17 00:00:00 2001
+From: Matthew Auld <matthew.auld@intel.com>
+Date: Fri, 28 Oct 2022 16:50:26 +0100
+Subject: drm/i915/dmabuf: fix sg_table handling in map_dma_buf
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Auld <matthew.auld@intel.com>
+
+commit f90daa975911961b65070ec72bd7dd8d448f9ef7 upstream.
+
+We need to iterate over the original entries here for the sg_table,
+pulling out the struct page for each one, to be remapped. However
+currently this incorrectly iterates over the final dma mapped entries,
+which is likely just one gigantic sg entry if the iommu is enabled,
+leading to us only mapping the first struct page (and any physically
+contiguous pages following it), even if there is potentially lots more
+data to follow.
+
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/7306
+Fixes: 1286ff739773 ("i915: add dmabuf/prime buffer sharing support.")
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Cc: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Cc: <stable@vger.kernel.org> # v3.5+
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221028155029.494736-1-matthew.auld@intel.com
+(cherry picked from commit 28d52f99bbca7227008cf580c9194c9b3516968e)
+Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c
+@@ -40,13 +40,13 @@ static struct sg_table *i915_gem_map_dma
+ goto err;
+ }
+
+- ret = sg_alloc_table(st, obj->mm.pages->nents, GFP_KERNEL);
++ ret = sg_alloc_table(st, obj->mm.pages->orig_nents, GFP_KERNEL);
+ if (ret)
+ goto err_free;
+
+ src = obj->mm.pages->sgl;
+ dst = st->sgl;
+- for (i = 0; i < obj->mm.pages->nents; i++) {
++ for (i = 0; i < obj->mm.pages->orig_nents; i++) {
+ sg_set_page(dst, sg_page(src), src->length, 0);
+ dst = sg_next(dst);
+ src = sg_next(src);
--- /dev/null
+From 3851d25c75ed03117268a8feb34adca5a843a126 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 10 Nov 2022 10:50:55 -0700
+Subject: io_uring: check for rollover of buffer ID when providing buffers
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 3851d25c75ed03117268a8feb34adca5a843a126 upstream.
+
+We already check if the chosen starting offset for the buffer IDs fit
+within an unsigned short, as 65535 is the maximum value for a provided
+buffer. But if the caller asks to add N buffers at offset M, and M + N
+would exceed the size of the unsigned short, we simply add buffers with
+wrapping around the ID.
+
+This is not necessarily a bug and could in fact be a valid use case, but
+it seems confusing and inconsistent with the initial check for starting
+offset. Let's check for wrap consistently, and error the addition if we
+do need to wrap.
+
+Reported-by: Olivier Langlois <olivier@trillion01.com>
+Link: https://github.com/axboe/liburing/issues/726
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/kbuf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/io_uring/kbuf.c
++++ b/io_uring/kbuf.c
+@@ -346,6 +346,8 @@ int io_provide_buffers_prep(struct io_ki
+ tmp = READ_ONCE(sqe->off);
+ if (tmp > USHRT_MAX)
+ return -E2BIG;
++ if (tmp + p->nbufs >= USHRT_MAX)
++ return -EINVAL;
+ p->bid = tmp;
+ return 0;
+ }
--- /dev/null
+From 1de09a7281edecfdba19b3a07417f6d65243ab5f Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sj@kernel.org>
+Date: Mon, 7 Nov 2022 16:50:00 +0000
+Subject: mm/damon/dbgfs: check if rm_contexts input is for a real context
+
+From: SeongJae Park <sj@kernel.org>
+
+commit 1de09a7281edecfdba19b3a07417f6d65243ab5f upstream.
+
+A user could write a name of a file under 'damon/' debugfs directory,
+which is not a user-created context, to 'rm_contexts' file. In the case,
+'dbgfs_rm_context()' just assumes it's the valid DAMON context directory
+only if a file of the name exist. As a result, invalid memory access
+could happen as below. Fix the bug by checking if the given input is for
+a directory. This check can filter out non-context inputs because
+directories under 'damon/' debugfs directory can be created via only
+'mk_contexts' file.
+
+This bug has found by syzbot[1].
+
+[1] https://lore.kernel.org/damon/000000000000ede3ac05ec4abf8e@google.com/
+
+Link: https://lkml.kernel.org/r/20221107165001.5717-2-sj@kernel.org
+Fixes: 75c1c2b53c78 ("mm/damon/dbgfs: support multiple contexts")
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Reported-by: syzbot+6087eafb76a94c4ac9eb@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org> [5.15.x]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/damon/dbgfs.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/mm/damon/dbgfs.c
++++ b/mm/damon/dbgfs.c
+@@ -882,6 +882,7 @@ out:
+ static int dbgfs_rm_context(char *name)
+ {
+ struct dentry *root, *dir, **new_dirs;
++ struct inode *inode;
+ struct damon_ctx **new_ctxs;
+ int i, j;
+ int ret = 0;
+@@ -897,6 +898,12 @@ static int dbgfs_rm_context(char *name)
+ if (!dir)
+ return -ENOENT;
+
++ inode = d_inode(dir);
++ if (!S_ISDIR(inode->i_mode)) {
++ ret = -EINVAL;
++ goto out_dput;
++ }
++
+ new_dirs = kmalloc_array(dbgfs_nr_ctxs - 1, sizeof(*dbgfs_dirs),
+ GFP_KERNEL);
+ if (!new_dirs) {
--- /dev/null
+From db5e8d84319bcdb51e1d3cfa42b410291d6d1cfa Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Wed, 2 Nov 2022 19:09:17 +0100
+Subject: mm: hugetlb_vmemmap: include missing linux/moduleparam.h
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit db5e8d84319bcdb51e1d3cfa42b410291d6d1cfa upstream.
+
+The kernel test robot reported build failures with a 'randconfig' on s390:
+>> mm/hugetlb_vmemmap.c:421:11: error: a function declaration without a
+prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
+ core_param(hugetlb_free_vmemmap, vmemmap_optimize_enabled, bool, 0);
+ ^
+
+Link: https://lore.kernel.org/linux-mm/202210300751.rG3UDsuc-lkp@intel.com/
+Link: https://lkml.kernel.org/r/patch.git-296b83ca939b.your-ad-here.call-01667411912-ext-5073@work.hours
+Fixes: 30152245c63b ("mm: hugetlb_vmemmap: replace early_param() with core_param()")
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Reviewed-by: Muchun Song <songmuchun@bytedance.com>
+Cc: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hugetlb_vmemmap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/hugetlb_vmemmap.c
++++ b/mm/hugetlb_vmemmap.c
+@@ -11,6 +11,7 @@
+ #define pr_fmt(fmt) "HugeTLB: " fmt
+
+ #include <linux/pgtable.h>
++#include <linux/moduleparam.h>
+ #include <linux/bootmem_info.h>
+ #include <asm/pgalloc.h>
+ #include <asm/tlbflush.h>
--- /dev/null
+From 867400af90f1f953ff9e10b1b87ecaf9369a7eb8 Mon Sep 17 00:00:00 2001
+From: Pankaj Gupta <pankaj.gupta@amd.com>
+Date: Wed, 2 Nov 2022 11:07:28 -0500
+Subject: mm/memremap.c: map FS_DAX device memory as decrypted
+
+From: Pankaj Gupta <pankaj.gupta@amd.com>
+
+commit 867400af90f1f953ff9e10b1b87ecaf9369a7eb8 upstream.
+
+virtio_pmem use devm_memremap_pages() to map the device memory. By
+default this memory is mapped as encrypted with SEV. Guest reboot changes
+the current encryption key and guest no longer properly decrypts the FSDAX
+device meta data.
+
+Mark the corresponding device memory region for FSDAX devices (mapped with
+memremap_pages) as decrypted to retain the persistent memory property.
+
+Link: https://lkml.kernel.org/r/20221102160728.3184016-1-pankaj.gupta@amd.com
+Fixes: b7b3c01b19159 ("mm/memremap_pages: support multiple ranges per invocation")
+Signed-off-by: Pankaj Gupta <pankaj.gupta@amd.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memremap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/memremap.c
++++ b/mm/memremap.c
+@@ -330,6 +330,7 @@ void *memremap_pages(struct dev_pagemap
+ WARN(1, "File system DAX not supported\n");
+ return ERR_PTR(-EINVAL);
+ }
++ params.pgprot = pgprot_decrypted(params.pgprot);
+ break;
+ case MEMORY_DEVICE_GENERIC:
+ break;
--- /dev/null
+From 93b0d9178743a68723babe8448981f658aebc58e Mon Sep 17 00:00:00 2001
+From: Peter Xu <peterx@redhat.com>
+Date: Wed, 2 Nov 2022 14:41:52 -0400
+Subject: mm/shmem: use page_mapping() to detect page cache for uffd continue
+
+From: Peter Xu <peterx@redhat.com>
+
+commit 93b0d9178743a68723babe8448981f658aebc58e upstream.
+
+mfill_atomic_install_pte() checks page->mapping to detect whether one page
+is used in the page cache. However as pointed out by Matthew, the page
+can logically be a tail page rather than always the head in the case of
+uffd minor mode with UFFDIO_CONTINUE. It means we could wrongly install
+one pte with shmem thp tail page assuming it's an anonymous page.
+
+It's not that clear even for anonymous page, since normally anonymous
+pages also have page->mapping being setup with the anon vma. It's safe
+here only because the only such caller to mfill_atomic_install_pte() is
+always passing in a newly allocated page (mcopy_atomic_pte()), whose
+page->mapping is not yet setup. However that's not extremely obvious
+either.
+
+For either of above, use page_mapping() instead.
+
+Link: https://lkml.kernel.org/r/Y2K+y7wnhC4vbnP2@x1n
+Fixes: 153132571f02 ("userfaultfd/shmem: support UFFDIO_CONTINUE for shmem")
+Signed-off-by: Peter Xu <peterx@redhat.com>
+Reported-by: Matthew Wilcox <willy@infradead.org>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Axel Rasmussen <axelrasmussen@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/userfaultfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/userfaultfd.c
++++ b/mm/userfaultfd.c
+@@ -64,7 +64,7 @@ int mfill_atomic_install_pte(struct mm_s
+ pte_t _dst_pte, *dst_pte;
+ bool writable = dst_vma->vm_flags & VM_WRITE;
+ bool vm_shared = dst_vma->vm_flags & VM_SHARED;
+- bool page_in_cache = page->mapping;
++ bool page_in_cache = page_mapping(page);
+ spinlock_t *ptl;
+ struct inode *inode;
+ pgoff_t offset, max_off;
--- /dev/null
+From fb1dec44c6750bb414f47b929c8c175a1a127c31 Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Wed, 26 Oct 2022 12:42:06 -0700
+Subject: mms: sdhci-esdhc-imx: Fix SDHCI_RESET_ALL for CQHCI
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit fb1dec44c6750bb414f47b929c8c175a1a127c31 upstream.
+
+[[ NOTE: this is completely untested by the author, but included solely
+ because, as noted in commit df57d73276b8 ("mmc: sdhci-pci: Fix
+ SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers"), "other
+ drivers using CQHCI might benefit from a similar change, if they
+ also have CQHCI reset by SDHCI_RESET_ALL." We've now seen the same
+ bug on at least MSM, Arasan, and Intel hardware. ]]
+
+SDHCI_RESET_ALL resets will reset the hardware CQE state, but we aren't
+tracking that properly in software. When out of sync, we may trigger
+various timeouts.
+
+It's not typical to perform resets while CQE is enabled, but this may
+occur in some suspend or error recovery scenarios.
+
+Include this fix by way of the new sdhci_and_cqhci_reset() helper.
+
+This patch depends on (and should not compile without) the patch
+entitled "mmc: cqhci: Provide helper for resetting both SDHCI and
+CQHCI".
+
+Fixes: bb6e358169bf ("mmc: sdhci-esdhc-imx: add CMDQ support")
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Haibo Chen <haibo.chen@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20221026124150.v4.4.I7d01f9ad11bacdc9213dee61b7918982aea39115@changeid
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -25,6 +25,7 @@
+ #include <linux/of_device.h>
+ #include <linux/pinctrl/consumer.h>
+ #include <linux/pm_runtime.h>
++#include "sdhci-cqhci.h"
+ #include "sdhci-pltfm.h"
+ #include "sdhci-esdhc.h"
+ #include "cqhci.h"
+@@ -1288,7 +1289,7 @@ static void esdhc_set_uhs_signaling(stru
+
+ static void esdhc_reset(struct sdhci_host *host, u8 mask)
+ {
+- sdhci_reset(host, mask);
++ sdhci_and_cqhci_reset(host, mask);
+
+ sdhci_writel(host, host->ier, SDHCI_INT_ENABLE);
+ sdhci_writel(host, host->ier, SDHCI_SIGNAL_ENABLE);
--- /dev/null
+From 1a0c016a4831ea29be09bbc8162d4a2a0690b4b8 Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@kernel.org>
+Date: Wed, 2 Nov 2022 12:31:44 +0200
+Subject: net: ethernet: ti: am65-cpsw: Fix segmentation fault at module unload
+
+From: Roger Quadros <rogerq@kernel.org>
+
+commit 1a0c016a4831ea29be09bbc8162d4a2a0690b4b8 upstream.
+
+Move am65_cpsw_nuss_phylink_cleanup() call to after
+am65_cpsw_nuss_cleanup_ndev() so phylink is still valid
+to prevent the below Segmentation fault on module remove when
+first slave link is up.
+
+[ 31.652944] Unable to handle kernel paging request at virtual address 00040008000005f4
+[ 31.684627] Mem abort info:
+[ 31.687446] ESR = 0x0000000096000004
+[ 31.704614] EC = 0x25: DABT (current EL), IL = 32 bits
+[ 31.720663] SET = 0, FnV = 0
+[ 31.723729] EA = 0, S1PTW = 0
+[ 31.740617] FSC = 0x04: level 0 translation fault
+[ 31.756624] Data abort info:
+[ 31.759508] ISV = 0, ISS = 0x00000004
+[ 31.776705] CM = 0, WnR = 0
+[ 31.779695] [00040008000005f4] address between user and kernel address ranges
+[ 31.808644] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
+[ 31.814928] Modules linked in: wlcore_sdio wl18xx wlcore mac80211 libarc4 cfg80211 rfkill crct10dif_ce phy_gmii_sel ti_am65_cpsw_nuss(-) sch_fq_codel ipv6
+[ 31.828776] CPU: 0 PID: 1026 Comm: modprobe Not tainted 6.1.0-rc2-00012-gfabfcf7dafdb-dirty #160
+[ 31.837547] Hardware name: Texas Instruments AM625 (DT)
+[ 31.842760] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 31.849709] pc : phy_stop+0x18/0xf8
+[ 31.853202] lr : phylink_stop+0x38/0xf8
+[ 31.857031] sp : ffff80000a0839f0
+[ 31.860335] x29: ffff80000a0839f0 x28: ffff000000de1c80 x27: 0000000000000000
+[ 31.867462] x26: 0000000000000000 x25: 0000000000000000 x24: ffff80000a083b98
+[ 31.874589] x23: 0000000000000800 x22: 0000000000000001 x21: ffff000001bfba90
+[ 31.881715] x20: ffff0000015ee000 x19: 0004000800000200 x18: 0000000000000000
+[ 31.888842] x17: ffff800076c45000 x16: ffff800008004000 x15: 000058e39660b106
+[ 31.895969] x14: 0000000000000144 x13: 0000000000000144 x12: 0000000000000000
+[ 31.903095] x11: 000000000000275f x10: 00000000000009e0 x9 : ffff80000a0837d0
+[ 31.910222] x8 : ffff000000de26c0 x7 : ffff00007fbd6540 x6 : ffff00007fbd64c0
+[ 31.917349] x5 : ffff00007fbd0b10 x4 : ffff00007fbd0b10 x3 : ffff00007fbd3920
+[ 31.924476] x2 : d0a07fcff8b8d500 x1 : 0000000000000000 x0 : 0004000800000200
+[ 31.931603] Call trace:
+[ 31.934042] phy_stop+0x18/0xf8
+[ 31.937177] phylink_stop+0x38/0xf8
+[ 31.940657] am65_cpsw_nuss_ndo_slave_stop+0x28/0x1e0 [ti_am65_cpsw_nuss]
+[ 31.947452] __dev_close_many+0xa4/0x140
+[ 31.951371] dev_close_many+0x84/0x128
+[ 31.955115] unregister_netdevice_many+0x130/0x6d0
+[ 31.959897] unregister_netdevice_queue+0x94/0xd8
+[ 31.964591] unregister_netdev+0x24/0x38
+[ 31.968504] am65_cpsw_nuss_cleanup_ndev.isra.0+0x48/0x70 [ti_am65_cpsw_nuss]
+[ 31.975637] am65_cpsw_nuss_remove+0x58/0xf8 [ti_am65_cpsw_nuss]
+
+Cc: <Stable@vger.kernel.org> # v5.18+
+Fixes: e8609e69470f ("net: ethernet: ti: am65-cpsw: Convert to PHYLINK")
+Signed-off-by: Roger Quadros <rogerq@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c
++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+@@ -2791,7 +2791,6 @@ static int am65_cpsw_nuss_remove(struct
+ if (ret < 0)
+ return ret;
+
+- am65_cpsw_nuss_phylink_cleanup(common);
+ am65_cpsw_unregister_devlink(common);
+ am65_cpsw_unregister_notifiers(common);
+
+@@ -2799,6 +2798,7 @@ static int am65_cpsw_nuss_remove(struct
+ * dma_deconfigure(dev) before devres_release_all(dev)
+ */
+ am65_cpsw_nuss_cleanup_ndev(common);
++ am65_cpsw_nuss_phylink_cleanup(common);
+
+ of_platform_device_destroy(common->mdio_dev, NULL);
+
--- /dev/null
+From 8ac932a4921a96ca52f61935dbba64ea87bbd5dc Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Sat, 29 Oct 2022 13:49:12 +0900
+Subject: nilfs2: fix deadlock in nilfs_count_free_blocks()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit 8ac932a4921a96ca52f61935dbba64ea87bbd5dc upstream.
+
+A semaphore deadlock can occur if nilfs_get_block() detects metadata
+corruption while locating data blocks and a superblock writeback occurs at
+the same time:
+
+task 1 task 2
+------ ------
+* A file operation *
+nilfs_truncate()
+ nilfs_get_block()
+ down_read(rwsem A) <--
+ nilfs_bmap_lookup_contig()
+ ... generic_shutdown_super()
+ nilfs_put_super()
+ * Prepare to write superblock *
+ down_write(rwsem B) <--
+ nilfs_cleanup_super()
+ * Detect b-tree corruption * nilfs_set_log_cursor()
+ nilfs_bmap_convert_error() nilfs_count_free_blocks()
+ __nilfs_error() down_read(rwsem A) <--
+ nilfs_set_error()
+ down_write(rwsem B) <--
+
+ *** DEADLOCK ***
+
+Here, nilfs_get_block() readlocks rwsem A (= NILFS_MDT(dat_inode)->mi_sem)
+and then calls nilfs_bmap_lookup_contig(), but if it fails due to metadata
+corruption, __nilfs_error() is called from nilfs_bmap_convert_error()
+inside the lock section.
+
+Since __nilfs_error() calls nilfs_set_error() unless the filesystem is
+read-only and nilfs_set_error() attempts to writelock rwsem B (=
+nilfs->ns_sem) to write back superblock exclusively, hierarchical lock
+acquisition occurs in the order rwsem A -> rwsem B.
+
+Now, if another task starts updating the superblock, it may writelock
+rwsem B during the lock sequence above, and can deadlock trying to
+readlock rwsem A in nilfs_count_free_blocks().
+
+However, there is actually no need to take rwsem A in
+nilfs_count_free_blocks() because it, within the lock section, only reads
+a single integer data on a shared struct with
+nilfs_sufile_get_ncleansegs(). This has been the case after commit
+aa474a220180 ("nilfs2: add local variable to cache the number of clean
+segments"), that is, even before this bug was introduced.
+
+So, this resolves the deadlock problem by just not taking the semaphore in
+nilfs_count_free_blocks().
+
+Link: https://lkml.kernel.org/r/20221029044912.9139-1-konishi.ryusuke@gmail.com
+Fixes: e828949e5b42 ("nilfs2: call nilfs_error inside bmap routines")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+45d6ce7b7ad7ef455d03@syzkaller.appspotmail.com
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org> [2.6.38+
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/the_nilfs.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/nilfs2/the_nilfs.c
++++ b/fs/nilfs2/the_nilfs.c
+@@ -690,9 +690,7 @@ int nilfs_count_free_blocks(struct the_n
+ {
+ unsigned long ncleansegs;
+
+- down_read(&NILFS_MDT(nilfs->ns_dat)->mi_sem);
+ ncleansegs = nilfs_sufile_get_ncleansegs(nilfs->ns_sufile);
+- up_read(&NILFS_MDT(nilfs->ns_dat)->mi_sem);
+ *nblocks = (sector_t)ncleansegs * nilfs->ns_blocks_per_segment;
+ return 0;
+ }
--- /dev/null
+From 8cccf05fe857a18ee26e20d11a8455a73ffd4efd Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Fri, 4 Nov 2022 23:29:59 +0900
+Subject: nilfs2: fix use-after-free bug of ns_writer on remount
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit 8cccf05fe857a18ee26e20d11a8455a73ffd4efd upstream.
+
+If a nilfs2 filesystem is downgraded to read-only due to metadata
+corruption on disk and is remounted read/write, or if emergency read-only
+remount is performed, detaching a log writer and synchronizing the
+filesystem can be done at the same time.
+
+In these cases, use-after-free of the log writer (hereinafter
+nilfs->ns_writer) can happen as shown in the scenario below:
+
+ Task1 Task2
+ -------------------------------- ------------------------------
+ nilfs_construct_segment
+ nilfs_segctor_sync
+ init_wait
+ init_waitqueue_entry
+ add_wait_queue
+ schedule
+ nilfs_remount (R/W remount case)
+ nilfs_attach_log_writer
+ nilfs_detach_log_writer
+ nilfs_segctor_destroy
+ kfree
+ finish_wait
+ _raw_spin_lock_irqsave
+ __raw_spin_lock_irqsave
+ do_raw_spin_lock
+ debug_spin_lock_before <-- use-after-free
+
+While Task1 is sleeping, nilfs->ns_writer is freed by Task2. After Task1
+waked up, Task1 accesses nilfs->ns_writer which is already freed. This
+scenario diagram is based on the Shigeru Yoshida's post [1].
+
+This patch fixes the issue by not detaching nilfs->ns_writer on remount so
+that this UAF race doesn't happen. Along with this change, this patch
+also inserts a few necessary read-only checks with superblock instance
+where only the ns_writer pointer was used to check if the filesystem is
+read-only.
+
+Link: https://syzkaller.appspot.com/bug?id=79a4c002e960419ca173d55e863bd09e8112df8b
+Link: https://lkml.kernel.org/r/20221103141759.1836312-1-syoshida@redhat.com [1]
+Link: https://lkml.kernel.org/r/20221104142959.28296-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+f816fa82f8783f7a02bb@syzkaller.appspotmail.com
+Reported-by: Shigeru Yoshida <syoshida@redhat.com>
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/segment.c | 15 ++++++++-------
+ fs/nilfs2/super.c | 2 --
+ 2 files changed, 8 insertions(+), 9 deletions(-)
+
+--- a/fs/nilfs2/segment.c
++++ b/fs/nilfs2/segment.c
+@@ -317,7 +317,7 @@ void nilfs_relax_pressure_in_lock(struct
+ struct the_nilfs *nilfs = sb->s_fs_info;
+ struct nilfs_sc_info *sci = nilfs->ns_writer;
+
+- if (!sci || !sci->sc_flush_request)
++ if (sb_rdonly(sb) || unlikely(!sci) || !sci->sc_flush_request)
+ return;
+
+ set_bit(NILFS_SC_PRIOR_FLUSH, &sci->sc_flags);
+@@ -2243,7 +2243,7 @@ int nilfs_construct_segment(struct super
+ struct nilfs_transaction_info *ti;
+ int err;
+
+- if (!sci)
++ if (sb_rdonly(sb) || unlikely(!sci))
+ return -EROFS;
+
+ /* A call inside transactions causes a deadlock. */
+@@ -2282,7 +2282,7 @@ int nilfs_construct_dsync_segment(struct
+ struct nilfs_transaction_info ti;
+ int err = 0;
+
+- if (!sci)
++ if (sb_rdonly(sb) || unlikely(!sci))
+ return -EROFS;
+
+ nilfs_transaction_lock(sb, &ti, 0);
+@@ -2778,11 +2778,12 @@ int nilfs_attach_log_writer(struct super
+
+ if (nilfs->ns_writer) {
+ /*
+- * This happens if the filesystem was remounted
+- * read/write after nilfs_error degenerated it into a
+- * read-only mount.
++ * This happens if the filesystem is made read-only by
++ * __nilfs_error or nilfs_remount and then remounted
++ * read/write. In these cases, reuse the existing
++ * writer.
+ */
+- nilfs_detach_log_writer(sb);
++ return 0;
+ }
+
+ nilfs->ns_writer = nilfs_segctor_new(sb, root);
+--- a/fs/nilfs2/super.c
++++ b/fs/nilfs2/super.c
+@@ -1133,8 +1133,6 @@ static int nilfs_remount(struct super_bl
+ if ((bool)(*flags & SB_RDONLY) == sb_rdonly(sb))
+ goto out;
+ if (*flags & SB_RDONLY) {
+- /* Shutting down log writer */
+- nilfs_detach_log_writer(sb);
+ sb->s_flags |= SB_RDONLY;
+
+ /*
--- /dev/null
+From 04948e757148f870a31f4887ea2239403f516c3c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Wed, 26 Oct 2022 18:21:16 +0200
+Subject: phy: qcom-qmp-combo: fix NULL-deref on runtime resume
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 04948e757148f870a31f4887ea2239403f516c3c upstream.
+
+Commit fc64623637da ("phy: qcom-qmp-combo,usb: add support for separate
+PCS_USB region") started treating the PCS_USB registers as potentially
+separate from the PCS registers but used the wrong base when no PCS_USB
+offset has been provided.
+
+Fix the PCS_USB base used at runtime resume to prevent dereferencing a
+NULL pointer on platforms that do not provide a PCS_USB offset (e.g.
+SC7180).
+
+Fixes: fc64623637da ("phy: qcom-qmp-combo,usb: add support for separate PCS_USB region")
+Cc: stable@vger.kernel.org # 5.20
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Andrew Halaney <ahalaney@redhat.com>
+Link: https://lore.kernel.org/r/20221026162116.26462-1-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
+@@ -1914,7 +1914,7 @@ static void qcom_qmp_phy_combo_enable_au
+ static void qcom_qmp_phy_combo_disable_autonomous_mode(struct qmp_phy *qphy)
+ {
+ const struct qmp_phy_cfg *cfg = qphy->cfg;
+- void __iomem *pcs_usb = qphy->pcs_usb ?: qphy->pcs_usb;
++ void __iomem *pcs_usb = qphy->pcs_usb ?: qphy->pcs;
+ void __iomem *pcs_misc = qphy->pcs_misc;
+
+ /* Disable i/o clamp_n on resume for normal mode */
--- /dev/null
+From 1598bfa8e1faa932de42e1ee7628a1c4c4263f0a Mon Sep 17 00:00:00 2001
+From: Jorge Lopez <jorge.lopez2@hp.com>
+Date: Fri, 28 Oct 2022 10:55:27 -0500
+Subject: platform/x86: hp_wmi: Fix rfkill causing soft blocked wifi
+
+From: Jorge Lopez <jorge.lopez2@hp.com>
+
+commit 1598bfa8e1faa932de42e1ee7628a1c4c4263f0a upstream.
+
+After upgrading BIOS to U82 01.02.01 Rev.A, the console is flooded
+strange char "^@" which printed out every second and makes login
+nearly impossible. Also the below messages were shown both in console
+and journal/dmesg every second:
+
+usb 1-3: Device not responding to setup address.
+usb 1-3: device not accepting address 4, error -71
+usb 1-3: device descriptor read/all, error -71
+usb usb1-port3: unable to enumerate USB device
+
+Wifi is soft blocked by checking rfkill. When unblocked manually,
+after few seconds it would be soft blocked again. So I was suspecting
+something triggered rfkill to soft block wifi. At the end it was
+fixed by removing hp_wmi module.
+
+The root cause is the way hp-wmi driver handles command 1B on
+post-2009 BIOS. In pre-2009 BIOS, command 1Bh return 0x4 to indicate
+that BIOS no longer controls the power for the wireless devices.
+
+Signed-off-by: Jorge Lopez <jorge.lopez2@hp.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216468
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://lore.kernel.org/r/20221028155527.7724-1-jorge.lopez2@hp.com
+Cc: stable@vger.kernel.org
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/hp-wmi.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/platform/x86/hp-wmi.c
++++ b/drivers/platform/x86/hp-wmi.c
+@@ -1298,8 +1298,16 @@ static int __init hp_wmi_bios_setup(stru
+ wwan_rfkill = NULL;
+ rfkill2_count = 0;
+
+- if (hp_wmi_rfkill_setup(device))
+- hp_wmi_rfkill2_setup(device);
++ /*
++ * In pre-2009 BIOS, command 1Bh return 0x4 to indicate that
++ * BIOS no longer controls the power for the wireless
++ * devices. All features supported by this command will no
++ * longer be supported.
++ */
++ if (!hp_wmi_bios_2009_later()) {
++ if (hp_wmi_rfkill_setup(device))
++ hp_wmi_rfkill2_setup(device);
++ }
+
+ err = hp_wmi_hwmon_init();
+
alsa-usb-audio-yet-more-regression-for-for-the-delayed-card-registration.patch
alsa-usb-audio-add-quirk-entry-for-m-audio-micro.patch
alsa-usb-audio-add-dsd-support-for-accuphase-dac-60.patch
+vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch
+ata-libata-scsi-fix-synchronize-cache-16-command-failure.patch
+nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch
+nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch
+drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch
+drm-amd-display-fix-reg-timeout-in-enc314_enable_fifo.patch
+drm-amd-pm-update-smu-ip-v13.0.4-msg-interface-header.patch
+drm-amd-display-update-sr-watermarks-for-dcn314.patch
+drm-amdgpu-workaround-for-tlb-seq-race.patch
+drm-amdgpu-disable-baco-on-special-beige_goby-card.patch
+drm-amdkfd-fix-error-handling-in-criu_checkpoint.patch
+drm-amdkfd-fix-error-handling-in-kfd_criu_restore_events.patch
+platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch
+wifi-ath11k-avoid-deadlock-during-regulatory-update-in-ath11k_regd_update.patch
+btrfs-fix-match-incorrectly-in-dev_args_match_device.patch
+btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch
+btrfs-zoned-clone-zoned-device-info-when-cloning-a-device.patch
+btrfs-zoned-initialize-device-s-zone-info-for-seeding.patch
+io_uring-check-for-rollover-of-buffer-id-when-providing-buffers.patch
+phy-qcom-qmp-combo-fix-null-deref-on-runtime-resume.patch
+net-ethernet-ti-am65-cpsw-fix-segmentation-fault-at-module-unload.patch
+mms-sdhci-esdhc-imx-fix-sdhci_reset_all-for-cqhci.patch
+udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch
+spi-intel-use-correct-mask-for-flash-and-protected-regions.patch
+arch-x86-mm-hugetlbpage.c-pud_huge-returns-0-when-using-2-level-paging.patch
+mm-hugetlb_vmemmap-include-missing-linux-moduleparam.h.patch
+dmaengine-idxd-do-not-enable-user-type-work-queue-without-shared-virtual-addressing.patch
+mm-damon-dbgfs-check-if-rm_contexts-input-is-for-a-real-context.patch
+mm-memremap.c-map-fs_dax-device-memory-as-decrypted.patch
+mm-shmem-use-page_mapping-to-detect-page-cache-for-uffd-continue.patch
+can-j1939-j1939_send_one-fix-missing-can-header-initialization.patch
+can-isotp-fix-tx-state-handling-for-echo-tx-processing.patch
+can-rcar_canfd-add-missing-ecc-error-checks-for-channels-2-7.patch
--- /dev/null
+From 92a66cbf6b30eda5719fbdfb24cd15fb341bba32 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Tue, 25 Oct 2022 09:28:00 +0300
+Subject: spi: intel: Use correct mask for flash and protected regions
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit 92a66cbf6b30eda5719fbdfb24cd15fb341bba32 upstream.
+
+The flash and protected region mask is actually 0x7fff (30:16 and 14:0)
+and not 0x3fff so fix this accordingly. While there use GENMASK() instead.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Link: https://lore.kernel.org/r/20221025062800.22357-1-mika.westerberg@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-intel.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/spi/spi-intel.c
++++ b/drivers/spi/spi-intel.c
+@@ -52,17 +52,17 @@
+ #define FRACC 0x50
+
+ #define FREG(n) (0x54 + ((n) * 4))
+-#define FREG_BASE_MASK 0x3fff
++#define FREG_BASE_MASK GENMASK(14, 0)
+ #define FREG_LIMIT_SHIFT 16
+-#define FREG_LIMIT_MASK (0x03fff << FREG_LIMIT_SHIFT)
++#define FREG_LIMIT_MASK GENMASK(30, 16)
+
+ /* Offset is from @ispi->pregs */
+ #define PR(n) ((n) * 4)
+ #define PR_WPE BIT(31)
+ #define PR_LIMIT_SHIFT 16
+-#define PR_LIMIT_MASK (0x3fff << PR_LIMIT_SHIFT)
++#define PR_LIMIT_MASK GENMASK(30, 16)
+ #define PR_RPE BIT(15)
+-#define PR_BASE_MASK 0x3fff
++#define PR_BASE_MASK GENMASK(14, 0)
+
+ /* Offsets are from @ispi->sregs */
+ #define SSFSTS_CTL 0x00
--- /dev/null
+From c8af247de385ce49afabc3bf1cf4fd455c94bfe8 Mon Sep 17 00:00:00 2001
+From: ZhangPeng <zhangpeng362@huawei.com>
+Date: Wed, 9 Nov 2022 01:35:42 +0000
+Subject: udf: Fix a slab-out-of-bounds write bug in udf_find_entry()
+
+From: ZhangPeng <zhangpeng362@huawei.com>
+
+commit c8af247de385ce49afabc3bf1cf4fd455c94bfe8 upstream.
+
+Syzbot reported a slab-out-of-bounds Write bug:
+
+loop0: detected capacity change from 0 to 2048
+==================================================================
+BUG: KASAN: slab-out-of-bounds in udf_find_entry+0x8a5/0x14f0
+fs/udf/namei.c:253
+Write of size 105 at addr ffff8880123ff896 by task syz-executor323/3610
+
+CPU: 0 PID: 3610 Comm: syz-executor323 Not tainted
+6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
+Hardware name: Google Compute Engine/Google Compute Engine, BIOS
+Google 10/11/2022
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
+ print_address_description+0x74/0x340 mm/kasan/report.c:284
+ print_report+0x107/0x1f0 mm/kasan/report.c:395
+ kasan_report+0xcd/0x100 mm/kasan/report.c:495
+ kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
+ memcpy+0x3c/0x60 mm/kasan/shadow.c:66
+ udf_find_entry+0x8a5/0x14f0 fs/udf/namei.c:253
+ udf_lookup+0xef/0x340 fs/udf/namei.c:309
+ lookup_open fs/namei.c:3391 [inline]
+ open_last_lookups fs/namei.c:3481 [inline]
+ path_openat+0x10e6/0x2df0 fs/namei.c:3710
+ do_filp_open+0x264/0x4f0 fs/namei.c:3740
+ do_sys_openat2+0x124/0x4e0 fs/open.c:1310
+ do_sys_open fs/open.c:1326 [inline]
+ __do_sys_creat fs/open.c:1402 [inline]
+ __se_sys_creat fs/open.c:1396 [inline]
+ __x64_sys_creat+0x11f/0x160 fs/open.c:1396
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7ffab0d164d9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89
+f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
+f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffe1a7e6bb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffab0d164d9
+RDX: 00007ffab0d164d9 RSI: 0000000000000000 RDI: 0000000020000180
+RBP: 00007ffab0cd5a10 R08: 0000000000000000 R09: 0000000000000000
+R10: 00005555573552c0 R11: 0000000000000246 R12: 00007ffab0cd5aa0
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+
+Allocated by task 3610:
+ kasan_save_stack mm/kasan/common.c:45 [inline]
+ kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
+ ____kasan_kmalloc mm/kasan/common.c:371 [inline]
+ __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380
+ kmalloc include/linux/slab.h:576 [inline]
+ udf_find_entry+0x7b6/0x14f0 fs/udf/namei.c:243
+ udf_lookup+0xef/0x340 fs/udf/namei.c:309
+ lookup_open fs/namei.c:3391 [inline]
+ open_last_lookups fs/namei.c:3481 [inline]
+ path_openat+0x10e6/0x2df0 fs/namei.c:3710
+ do_filp_open+0x264/0x4f0 fs/namei.c:3740
+ do_sys_openat2+0x124/0x4e0 fs/open.c:1310
+ do_sys_open fs/open.c:1326 [inline]
+ __do_sys_creat fs/open.c:1402 [inline]
+ __se_sys_creat fs/open.c:1396 [inline]
+ __x64_sys_creat+0x11f/0x160 fs/open.c:1396
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+The buggy address belongs to the object at ffff8880123ff800
+ which belongs to the cache kmalloc-256 of size 256
+The buggy address is located 150 bytes inside of
+ 256-byte region [ffff8880123ff800, ffff8880123ff900)
+
+The buggy address belongs to the physical page:
+page:ffffea000048ff80 refcount:1 mapcount:0 mapping:0000000000000000
+index:0x0 pfn:0x123fe
+head:ffffea000048ff80 order:1 compound_mapcount:0 compound_pincount:0
+flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
+raw: 00fff00000010200 ffffea00004b8500 dead000000000003 ffff888012041b40
+raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(),
+pid 1, tgid 1 (swapper/0), ts 1841222404, free_ts 0
+ create_dummy_stack mm/page_owner.c:67 [inline]
+ register_early_stack+0x77/0xd0 mm/page_owner.c:83
+ init_page_owner+0x3a/0x731 mm/page_owner.c:93
+ kernel_init_freeable+0x41c/0x5d5 init/main.c:1629
+ kernel_init+0x19/0x2b0 init/main.c:1519
+page_owner free stack trace missing
+
+Memory state around the buggy address:
+ ffff8880123ff780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff8880123ff800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff8880123ff880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
+ ^
+ ffff8880123ff900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff8880123ff980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+==================================================================
+
+Fix this by changing the memory size allocated for copy_name from
+UDF_NAME_LEN(254) to UDF_NAME_LEN_CS0(255), because the total length
+(lfi) of subsequent memcpy can be up to 255.
+
+CC: stable@vger.kernel.org
+Reported-by: syzbot+69c9fdccc6dd08961d34@syzkaller.appspotmail.com
+Fixes: 066b9cded00b ("udf: Use separate buffer for copying split names")
+Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20221109013542.442790-1-zhangpeng362@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/udf/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -240,7 +240,7 @@ static struct fileIdentDesc *udf_find_en
+ poffset - lfi);
+ else {
+ if (!copy_name) {
+- copy_name = kmalloc(UDF_NAME_LEN,
++ copy_name = kmalloc(UDF_NAME_LEN_CS0,
+ GFP_NOFS);
+ if (!copy_name) {
+ fi = ERR_PTR(-ENOMEM);
--- /dev/null
+From 000f8870a47bdc36730357883b6aef42bced91ee Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Tue, 8 Nov 2022 10:49:34 -0700
+Subject: vmlinux.lds.h: Fix placement of '.data..decrypted' section
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 000f8870a47bdc36730357883b6aef42bced91ee upstream.
+
+Commit d4c639990036 ("vmlinux.lds.h: Avoid orphan section with !SMP")
+fixed an orphan section warning by adding the '.data..decrypted' section
+to the linker script under the PERCPU_DECRYPTED_SECTION define but that
+placement introduced a panic with !SMP, as the percpu sections are not
+instantiated with that configuration so attempting to access variables
+defined with DEFINE_PER_CPU_DECRYPTED() will result in a page fault.
+
+Move the '.data..decrypted' section to the DATA_MAIN define so that the
+variables in it are properly instantiated at boot time with
+CONFIG_SMP=n.
+
+Cc: stable@vger.kernel.org
+Fixes: d4c639990036 ("vmlinux.lds.h: Avoid orphan section with !SMP")
+Link: https://lore.kernel.org/cbbd3548-880c-d2ca-1b67-5bb93b291d5f@huawei.com/
+Debugged-by: Ard Biesheuvel <ardb@kernel.org>
+Reported-by: Zhao Wenhui <zhaowenhui8@huawei.com>
+Tested-by: xiafukun <xiafukun@huawei.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20221108174934.3384275-1-nathan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/asm-generic/vmlinux.lds.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/asm-generic/vmlinux.lds.h
++++ b/include/asm-generic/vmlinux.lds.h
+@@ -333,6 +333,7 @@
+ #define DATA_DATA \
+ *(.xiptext) \
+ *(DATA_MAIN) \
++ *(.data..decrypted) \
+ *(.ref.data) \
+ *(.data..shared_aligned) /* percpu related */ \
+ MEM_KEEP(init.data*) \
+@@ -975,7 +976,6 @@
+ #ifdef CONFIG_AMD_MEM_ENCRYPT
+ #define PERCPU_DECRYPTED_SECTION \
+ . = ALIGN(PAGE_SIZE); \
+- *(.data..decrypted) \
+ *(.data..percpu..decrypted) \
+ . = ALIGN(PAGE_SIZE);
+ #else
--- /dev/null
+From f45cb6b29cd36514e13f7519770873d8c0457008 Mon Sep 17 00:00:00 2001
+From: Wen Gong <quic_wgong@quicinc.com>
+Date: Wed, 2 Nov 2022 13:48:03 +0200
+Subject: wifi: ath11k: avoid deadlock during regulatory update in ath11k_regd_update()
+
+From: Wen Gong <quic_wgong@quicinc.com>
+
+commit f45cb6b29cd36514e13f7519770873d8c0457008 upstream.
+
+(cherry picked from commit d99884ad9e3673a12879bc2830f6e5a66cccbd78 in ath-next
+as users are seeing this bug more now, also cc stable)
+
+Running this test in a loop it is easy to reproduce an rtnl deadlock:
+
+iw reg set FI
+ifconfig wlan0 down
+
+What happens is that thread A (workqueue) tries to update the regulatory:
+
+ try to acquire the rtnl_lock of ar->regd_update_work
+
+ rtnl_lock+0x17/0x20
+ ath11k_regd_update+0x15a/0x260 [ath11k]
+ ath11k_regd_update_work+0x15/0x20 [ath11k]
+ process_one_work+0x228/0x670
+ worker_thread+0x4d/0x440
+ kthread+0x16d/0x1b0
+ ret_from_fork+0x22/0x30
+
+And thread B (ifconfig) tries to stop the interface:
+
+ try to cancel_work_sync(&ar->regd_update_work) in ath11k_mac_op_stop().
+ ifconfig 3109 [003] 2414.232506: probe:
+
+ ath11k_mac_op_stop: (ffffffffc14187a0)
+ drv_stop+0x30 ([mac80211])
+ ieee80211_do_stop+0x5d2 ([mac80211])
+ ieee80211_stop+0x3e ([mac80211])
+ __dev_close_many+0x9e ([kernel.kallsyms])
+ __dev_change_flags+0xbe ([kernel.kallsyms])
+ dev_change_flags+0x23 ([kernel.kallsyms])
+ devinet_ioctl+0x5e3 ([kernel.kallsyms])
+ inet_ioctl+0x197 ([kernel.kallsyms])
+ sock_do_ioctl+0x4d ([kernel.kallsyms])
+ sock_ioctl+0x264 ([kernel.kallsyms])
+ __x64_sys_ioctl+0x92 ([kernel.kallsyms])
+ do_syscall_64+0x3a ([kernel.kallsyms])
+ entry_SYSCALL_64_after_hwframe+0x63 ([kernel.kallsyms])
+ __GI___ioctl+0x7 (/lib/x86_64-linux-gnu/libc-2.23.so)
+
+The sequence of deadlock is:
+
+1. Thread B calls rtnl_lock().
+
+2. Thread A starts to run and calls rtnl_lock() from within
+ ath11k_regd_update_work(), then enters wait state because the lock is owned by
+ thread B.
+
+3. Thread B continues to run and tries to call
+ cancel_work_sync(&ar->regd_update_work), but thread A is in
+ ath11k_regd_update_work() waiting for rtnl_lock(). So cancel_work_sync()
+ forever waits for ath11k_regd_update_work() to finish and we have a deadlock.
+
+Fix this by switching from using regulatory_set_wiphy_regd_sync() to
+regulatory_set_wiphy_regd(). Now cfg80211 will schedule another workqueue which
+handles the locking on it's own. So the ath11k workqueue can simply exit without
+taking any locks, avoiding the deadlock.
+
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
+[kvalo: improve commit log]
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/reg.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/reg.c
++++ b/drivers/net/wireless/ath/ath11k/reg.c
+@@ -287,11 +287,7 @@ int ath11k_regd_update(struct ath11k *ar
+ goto err;
+ }
+
+- rtnl_lock();
+- wiphy_lock(ar->hw->wiphy);
+- ret = regulatory_set_wiphy_regd_sync(ar->hw->wiphy, regd_copy);
+- wiphy_unlock(ar->hw->wiphy);
+- rtnl_unlock();
++ ret = regulatory_set_wiphy_regd(ar->hw->wiphy, regd_copy);
+
+ kfree(regd_copy);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
