--- /dev/null
+From 8b3a9ad86239f80ed569e23c3954a311f66481d6 Mon Sep 17 00:00:00 2001
+From: Aidan MacDonald <aidanmacdonald.0x0@gmail.com>
+Date: Sun, 23 Oct 2022 15:33:20 +0100
+Subject: ASoC: jz4740-i2s: Handle independent FIFO flush bits
+
+From: Aidan MacDonald <aidanmacdonald.0x0@gmail.com>
+
+commit 8b3a9ad86239f80ed569e23c3954a311f66481d6 upstream.
+
+On the JZ4740, there is a single bit that flushes (empties) both
+the transmit and receive FIFO. Later SoCs have independent flush
+bits for each FIFO.
+
+Independent FIFOs can be flushed before the snd_soc_dai_active()
+check because it won't disturb other active streams. This ensures
+that the FIFO we're about to use is always flushed before starting
+up. With shared FIFOs we can't do that because if another substream
+is active, flushing its FIFO would cause underrun errors.
+
+This also fixes a bug: since we were only setting the JZ4740's
+flush bit, which corresponds to the TX FIFO flush bit on other
+SoCs, other SoCs were not having their RX FIFO flushed at all.
+
+Fixes: 967beb2e8777 ("ASoC: jz4740: Add jz4780 support")
+Reviewed-by: Paul Cercueil <paul@crapouillou.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Aidan MacDonald <aidanmacdonald.0x0@gmail.com>
+Link: https://lore.kernel.org/r/20221023143328.160866-2-aidanmacdonald.0x0@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/jz4740/jz4740-i2s.c | 39 ++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 34 insertions(+), 5 deletions(-)
+
+--- a/sound/soc/jz4740/jz4740-i2s.c
++++ b/sound/soc/jz4740/jz4740-i2s.c
+@@ -55,7 +55,8 @@
+ #define JZ_AIC_CTRL_MONO_TO_STEREO BIT(11)
+ #define JZ_AIC_CTRL_SWITCH_ENDIANNESS BIT(10)
+ #define JZ_AIC_CTRL_SIGNED_TO_UNSIGNED BIT(9)
+-#define JZ_AIC_CTRL_FLUSH BIT(8)
++#define JZ_AIC_CTRL_TFLUSH BIT(8)
++#define JZ_AIC_CTRL_RFLUSH BIT(7)
+ #define JZ_AIC_CTRL_ENABLE_ROR_INT BIT(6)
+ #define JZ_AIC_CTRL_ENABLE_TUR_INT BIT(5)
+ #define JZ_AIC_CTRL_ENABLE_RFS_INT BIT(4)
+@@ -90,6 +91,8 @@ enum jz47xx_i2s_version {
+ struct i2s_soc_info {
+ enum jz47xx_i2s_version version;
+ struct snd_soc_dai_driver *dai;
++
++ bool shared_fifo_flush;
+ };
+
+ struct jz4740_i2s {
+@@ -116,19 +119,44 @@ static inline void jz4740_i2s_write(cons
+ writel(value, i2s->base + reg);
+ }
+
++static inline void jz4740_i2s_set_bits(const struct jz4740_i2s *i2s,
++ unsigned int reg, uint32_t bits)
++{
++ uint32_t value = jz4740_i2s_read(i2s, reg);
++ value |= bits;
++ jz4740_i2s_write(i2s, reg, value);
++}
++
+ static int jz4740_i2s_startup(struct snd_pcm_substream *substream,
+ struct snd_soc_dai *dai)
+ {
+ struct jz4740_i2s *i2s = snd_soc_dai_get_drvdata(dai);
+- uint32_t conf, ctrl;
++ uint32_t conf;
+ int ret;
+
++ /*
++ * When we can flush FIFOs independently, only flush the FIFO
++ * that is starting up. We can do this when the DAI is active
++ * because it does not disturb other active substreams.
++ */
++ if (!i2s->soc_info->shared_fifo_flush) {
++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
++ jz4740_i2s_set_bits(i2s, JZ_REG_AIC_CTRL, JZ_AIC_CTRL_TFLUSH);
++ else
++ jz4740_i2s_set_bits(i2s, JZ_REG_AIC_CTRL, JZ_AIC_CTRL_RFLUSH);
++ }
++
+ if (snd_soc_dai_active(dai))
+ return 0;
+
+- ctrl = jz4740_i2s_read(i2s, JZ_REG_AIC_CTRL);
+- ctrl |= JZ_AIC_CTRL_FLUSH;
+- jz4740_i2s_write(i2s, JZ_REG_AIC_CTRL, ctrl);
++ /*
++ * When there is a shared flush bit for both FIFOs, the TFLUSH
++ * bit flushes both FIFOs. Flushing while the DAI is active would
++ * cause FIFO underruns in other active substreams so we have to
++ * guard this behind the snd_soc_dai_active() check.
++ */
++ if (i2s->soc_info->shared_fifo_flush)
++ jz4740_i2s_set_bits(i2s, JZ_REG_AIC_CTRL, JZ_AIC_CTRL_TFLUSH);
+
+ ret = clk_prepare_enable(i2s->clk_i2s);
+ if (ret)
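Review bot: jz4740_i2s_set_bits() is an unlocked read-modify-write of JZ_REG_AIC_CTRL, and the independent-flush branch now calls it before the snd_soc_dai_active() check, that is, while the other direction's substream may already be running. If another path also read-modify-writes AIC_CTRL for the active substream (for example a trigger callback, which is not visible in this hunk), the two updates can interleave and one side's bit change is lost. Consider serialising AIC_CTRL updates with a driver lock, or at least state the requirement on the helper, e.g. `/* Not atomic: caller must serialise against other AIC_CTRL updates */`. jz4740_i2s_startup() continues past the end of the hunk.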
+@@ -443,6 +471,7 @@ static struct snd_soc_dai_driver jz4740_
+ static const struct i2s_soc_info jz4740_i2s_soc_info = {
+ .version = JZ_I2S_JZ4740,
+ .dai = &jz4740_i2s_dai,
++ .shared_fifo_flush = true,
+ };
+
+ static const struct i2s_soc_info jz4760_i2s_soc_info = {
--- /dev/null
+From 869a99907faea6d1835b0bd0d0422ae3519c6ea9 Mon Sep 17 00:00:00 2001
+From: Qiang Yu <quic_qianyu@quicinc.com>
+Date: Sun, 16 Oct 2022 11:05:32 +0800
+Subject: bus: mhi: host: Fix race between channel preparation and M0 event
+
+From: Qiang Yu <quic_qianyu@quicinc.com>
+
+commit 869a99907faea6d1835b0bd0d0422ae3519c6ea9 upstream.
+
+There is a race condition where mhi_prepare_channel() updates the
+read and write pointers as the base address and in parallel, if
+an M0 transition occurs, the tasklet goes ahead and rings
+doorbells for all channels with a delta in TRE rings assuming
+they are already enabled. This causes a null pointer access. Fix
+it by adding a channel enabled check before ringing channel
+doorbells.
+
+Cc: stable@vger.kernel.org # 5.19
+Fixes: a6e2e3522f29 "bus: mhi: core: Add support for PM state transitions"
+Signed-off-by: Qiang Yu <quic_qianyu@quicinc.com>
+Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
+Link: https://lore.kernel.org/r/1665889532-13634-1-git-send-email-quic_qianyu@quicinc.com
+[mani: CCed stable list]
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/mhi/host/pm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/bus/mhi/host/pm.c
++++ b/drivers/bus/mhi/host/pm.c
+@@ -301,7 +301,8 @@ int mhi_pm_m0_transition(struct mhi_cont
+ read_lock_irq(&mhi_chan->lock);
+
+ /* Only ring DB if ring is not empty */
+- if (tre_ring->base && tre_ring->wp != tre_ring->rp)
++ if (tre_ring->base && tre_ring->wp != tre_ring->rp &&
++ mhi_chan->ch_state == MHI_CH_STATE_ENABLED)
+ mhi_ring_chan_db(mhi_cntrl, mhi_chan);
+ read_unlock_irq(&mhi_chan->lock);
+ }
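Review bot: The comment above the condition still reads "Only ring DB if ring is not empty", but the test now also requires the channel to be enabled; update it to `/* Only ring DB if ring is not empty and the channel is enabled */`. The new ch_state read happens under read_lock_irq(&mhi_chan->lock), so it only closes the race if mhi_prepare_channel() changes ch_state and the ring pointers under the write side of that same lock; that code is outside this hunk and is worth confirming. The enclosing loop in mhi_pm_m0_transition() starts before the hunk.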
--- /dev/null
+From 10da230a4df1dfe32a58eb09246f5ffe82346f27 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Wed, 28 Sep 2022 13:45:05 -0500
+Subject: crypto: ccp - Add support for TEE for PCI ID 0x14CA
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 10da230a4df1dfe32a58eb09246f5ffe82346f27 upstream.
+
+SoCs containing 0x14CA are present both in datacenter parts that
+support SEV as well as client parts that support TEE.
+
+Cc: stable@vger.kernel.org # 5.15+
+Tested-by: Rijo-john Thomas <Rijo-john.Thomas@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/ccp/sp-pci.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/crypto/ccp/sp-pci.c
++++ b/drivers/crypto/ccp/sp-pci.c
+@@ -381,6 +381,15 @@ static const struct psp_vdata pspv3 = {
+ .inten_reg = 0x10690,
+ .intsts_reg = 0x10694,
+ };
++
++static const struct psp_vdata pspv4 = {
++ .sev = &sevv2,
++ .tee = &teev1,
++ .feature_reg = 0x109fc,
++ .inten_reg = 0x10690,
++ .intsts_reg = 0x10694,
++};
++
+ #endif
+
+ static const struct sp_dev_vdata dev_vdata[] = {
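Review bot: pspv4 populates both `.sev` and `.tee`, although per the commit message a given 0x14CA part supports one or the other, and nothing in the struct says how the driver tells them apart. If the probe path selects the feature from capability bits read through feature_reg (that code is not in this hunk), say so next to the definition, e.g. `/* 0x14CA: SEV on datacenter parts, TEE on client parts; selected at probe from feature_reg */`. The second hunk switches dev_vdata entry 5 to pspv4, so any other PCI ID that maps to entry 5 also gains the TEE table; the PCI ID table is not visible here and should be checked.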
+@@ -426,7 +435,7 @@ static const struct sp_dev_vdata dev_vda
+ { /* 5 */
+ .bar = 2,
+ #ifdef CONFIG_CRYPTO_DEV_SP_PSP
+- .psp_vdata = &pspv2,
++ .psp_vdata = &pspv4,
+ #endif
+ },
+ { /* 6 */
--- /dev/null
+From 2ae6feb1a1f6678fe11864f1b6920ed10b09ad6a Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Date: Fri, 25 Nov 2022 20:18:11 +0800
+Subject: crypto: ccree,hisilicon - Fix dependencies to correct algorithm
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+commit 2ae6feb1a1f6678fe11864f1b6920ed10b09ad6a upstream.
+
+Commit d2825fa9365d ("crypto: sm3,sm4 - move into crypto directory") moves
+the SM3 and SM4 stand-alone library and the algorithm implementation for
+the Crypto API into the same directory, and the corresponding relationship
+of Kconfig is modified, CONFIG_CRYPTO_SM3/4 corresponds to the stand-alone
+library of SM3/4, and CONFIG_CRYPTO_SM3/4_GENERIC corresponds to the
+algorithm implementation for the Crypto API. Therefore, it is necessary
+for this module to depend on the correct algorithm.
+
+Fixes: d2825fa9365d ("crypto: sm3,sm4 - move into crypto directory")
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: stable@vger.kernel.org # v5.19+
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/Kconfig | 4 ++--
+ drivers/crypto/hisilicon/Kconfig | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/crypto/Kconfig
++++ b/drivers/crypto/Kconfig
+@@ -790,8 +790,8 @@ config CRYPTO_DEV_CCREE
+ select CRYPTO_ECB
+ select CRYPTO_CTR
+ select CRYPTO_XTS
+- select CRYPTO_SM4
+- select CRYPTO_SM3
++ select CRYPTO_SM4_GENERIC
++ select CRYPTO_SM3_GENERIC
+ help
+ Say 'Y' to enable a driver for the REE interface of the Arm
+ TrustZone CryptoCell family of processors. Currently the
+--- a/drivers/crypto/hisilicon/Kconfig
++++ b/drivers/crypto/hisilicon/Kconfig
+@@ -26,7 +26,7 @@ config CRYPTO_DEV_HISI_SEC2
+ select CRYPTO_SHA1
+ select CRYPTO_SHA256
+ select CRYPTO_SHA512
+- select CRYPTO_SM4
++ select CRYPTO_SM4_GENERIC
+ depends on PCI && PCI_MSI
+ depends on UACCE || UACCE=n
+ depends on ARM64 || (COMPILE_TEST && 64BIT)
--- /dev/null
+From 76a4e874593543a2dff91d249c95bac728df2774 Mon Sep 17 00:00:00 2001
+From: Corentin Labbe <clabbe@baylibre.com>
+Date: Thu, 6 Oct 2022 04:34:19 +0000
+Subject: crypto: n2 - add missing hash statesize
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+commit 76a4e874593543a2dff91d249c95bac728df2774 upstream.
+
+Add missing statesize to hash templates.
+This is mandatory otherwise no algorithms can be registered as the core
+requires statesize to be set.
+
+CC: stable@kernel.org # 4.3+
+Reported-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
+Tested-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
+Fixes: 0a625fd2abaa ("crypto: n2 - Add Niagara2 crypto driver")
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/n2_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/crypto/n2_core.c
++++ b/drivers/crypto/n2_core.c
+@@ -1229,6 +1229,7 @@ struct n2_hash_tmpl {
+ const u8 *hash_init;
+ u8 hw_op_hashsz;
+ u8 digest_size;
++ u8 statesize;
+ u8 block_size;
+ u8 auth_type;
+ u8 hmac_type;
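Review bot: `u8 statesize` is initialised from `sizeof(struct ...)` in the template table, so a state structure larger than 255 bytes would be truncated silently by the initialiser. The values assigned in this patch presumably fit, but the field is only ever copied into halg->statesize, so a wider type such as `unsigned int statesize;` or a BUILD_BUG_ON() beside the table removes the trap for a future template.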
+@@ -1260,6 +1261,7 @@ static const struct n2_hash_tmpl hash_tm
+ .hmac_type = AUTH_TYPE_HMAC_MD5,
+ .hw_op_hashsz = MD5_DIGEST_SIZE,
+ .digest_size = MD5_DIGEST_SIZE,
++ .statesize = sizeof(struct md5_state),
+ .block_size = MD5_HMAC_BLOCK_SIZE },
+ { .name = "sha1",
+ .hash_zero = sha1_zero_message_hash,
+@@ -1268,6 +1270,7 @@ static const struct n2_hash_tmpl hash_tm
+ .hmac_type = AUTH_TYPE_HMAC_SHA1,
+ .hw_op_hashsz = SHA1_DIGEST_SIZE,
+ .digest_size = SHA1_DIGEST_SIZE,
++ .statesize = sizeof(struct sha1_state),
+ .block_size = SHA1_BLOCK_SIZE },
+ { .name = "sha256",
+ .hash_zero = sha256_zero_message_hash,
+@@ -1276,6 +1279,7 @@ static const struct n2_hash_tmpl hash_tm
+ .hmac_type = AUTH_TYPE_HMAC_SHA256,
+ .hw_op_hashsz = SHA256_DIGEST_SIZE,
+ .digest_size = SHA256_DIGEST_SIZE,
++ .statesize = sizeof(struct sha256_state),
+ .block_size = SHA256_BLOCK_SIZE },
+ { .name = "sha224",
+ .hash_zero = sha224_zero_message_hash,
+@@ -1284,6 +1288,7 @@ static const struct n2_hash_tmpl hash_tm
+ .hmac_type = AUTH_TYPE_RESERVED,
+ .hw_op_hashsz = SHA256_DIGEST_SIZE,
+ .digest_size = SHA224_DIGEST_SIZE,
++ .statesize = sizeof(struct sha256_state),
+ .block_size = SHA224_BLOCK_SIZE },
+ };
+ #define NUM_HASH_TMPLS ARRAY_SIZE(hash_tmpls)
+@@ -1424,6 +1429,7 @@ static int __n2_register_one_ahash(const
+
+ halg = &ahash->halg;
+ halg->digestsize = tmpl->digest_size;
++ halg->statesize = tmpl->statesize;
+
+ base = &halg->base;
+ snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "%s", tmpl->name);
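Review bot: halg->statesize advertises how many bytes the algorithm's export()/import() callbacks exchange with callers, and this hunk does not show what the driver's callbacks do. If they are functional, they must never read or write more than tmpl->statesize bytes; if the driver does not support state export, a short comment such as `/* statesize is required by the core for registration */` would stop a later reader from assuming a working export path. __n2_register_one_ahash() starts and ends outside the hunk.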
--- /dev/null
+From e68bfbd3b3c3a0ec3cf8c230996ad8cabe90322f Mon Sep 17 00:00:00 2001
+From: Wang Weiyang <wangweiyang2@huawei.com>
+Date: Tue, 25 Oct 2022 19:31:01 +0800
+Subject: device_cgroup: Roll back to original exceptions after copy failure
+
+From: Wang Weiyang <wangweiyang2@huawei.com>
+
+commit e68bfbd3b3c3a0ec3cf8c230996ad8cabe90322f upstream.
+
+When add the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's
+exceptions will be cleaned and A's behavior is changed to
+DEVCG_DEFAULT_ALLOW. Then parent's exceptions will be copyed to A's
+whitelist. If copy failure occurs, just return leaving A to grant
+permissions to all devices. And A may grant more permissions than
+parent.
+
+Backup A's whitelist and recover original exceptions after copy
+failure.
+
+Cc: stable@vger.kernel.org
+Fixes: 4cef7299b478 ("device_cgroup: add proper checking when changing default behavior")
+Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com>
+Reviewed-by: Aristeu Rozanski <aris@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/device_cgroup.c | 33 +++++++++++++++++++++++++++++----
+ 1 file changed, 29 insertions(+), 4 deletions(-)
+
+--- a/security/device_cgroup.c
++++ b/security/device_cgroup.c
+@@ -82,6 +82,17 @@ free_and_exit:
+ return -ENOMEM;
+ }
+
++static void dev_exceptions_move(struct list_head *dest, struct list_head *orig)
++{
++ struct dev_exception_item *ex, *tmp;
++
++ lockdep_assert_held(&devcgroup_mutex);
++
++ list_for_each_entry_safe(ex, tmp, orig, list) {
++ list_move_tail(&ex->list, dest);
++ }
++}
++
+ /*
+ * called under devcgroup_mutex
+ */
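Review bot: dev_exceptions_move() has no comment stating its contract, and it splices entries onto the destination with plain list_move_tail(). If the exceptions list of a live cgroup is walked by readers that do not hold devcgroup_mutex (the reader side is not in this hunk), using the non-RCU list primitive on that list needs a justification. Suggested header: `/* Move every entry of orig to the tail of dest; dest is expected to be empty. Caller holds devcgroup_mutex. */`.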
+@@ -604,11 +615,13 @@ static int devcgroup_update_access(struc
+ int count, rc = 0;
+ struct dev_exception_item ex;
+ struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent);
++ struct dev_cgroup tmp_devcgrp;
+
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
+ memset(&ex, 0, sizeof(ex));
++ memset(&tmp_devcgrp, 0, sizeof(tmp_devcgrp));
+ b = buffer;
+
+ switch (*b) {
+@@ -620,15 +633,27 @@ static int devcgroup_update_access(struc
+
+ if (!may_allow_all(parent))
+ return -EPERM;
+- dev_exception_clean(devcgroup);
+- devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
+- if (!parent)
++ if (!parent) {
++ devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
++ dev_exception_clean(devcgroup);
+ break;
++ }
+
++ INIT_LIST_HEAD(&tmp_devcgrp.exceptions);
++ rc = dev_exceptions_copy(&tmp_devcgrp.exceptions,
++ &devcgroup->exceptions);
++ if (rc)
++ return rc;
++ dev_exception_clean(devcgroup);
+ rc = dev_exceptions_copy(&devcgroup->exceptions,
+ &parent->exceptions);
+- if (rc)
++ if (rc) {
++ dev_exceptions_move(&devcgroup->exceptions,
++ &tmp_devcgrp.exceptions);
+ return rc;
++ }
++ devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
++ dev_exception_clean(&tmp_devcgrp);
+ break;
+ case DEVCG_DENY:
+ if (css_has_online_children(&devcgroup->css))
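Review bot: In the `parent` branch the cgroup passes through an intermediate state: after dev_exception_clean(devcgroup) and until `devcgroup->behavior = DEVCG_DEFAULT_ALLOW`, it holds the old behavior together with an empty or parent-derived exception list. If permission checks read behavior and exceptions without devcgroup_mutex (the reader is not visible here), a cgroup that was default-deny would briefly have the parent's entries interpreted as allow rules instead of deny rules. Staging the parent's exceptions in tmp_devcgrp first, as sketched below, leaves devcgroup untouched on allocation failure, removes the rollback path and shrinks that window to the final clean/move/assign sequence; it assumes dev_exceptions_copy() leaves its destination empty on failure, which the free_and_exit context in the first hunk suggests but does not show. tmp_devcgrp is also memset for every command although only this branch uses it, and devcgroup_update_access() extends beyond the hunk.

```c
			if (!parent) {
				/* … unchanged: root cgroup path … */
			}

			/* Stage the parent's exceptions; devcgroup is untouched on failure. */
			INIT_LIST_HEAD(&tmp_devcgrp.exceptions);
			rc = dev_exceptions_copy(&tmp_devcgrp.exceptions,
						 &parent->exceptions);
			if (rc)
				return rc;
			dev_exception_clean(devcgroup);
			dev_exceptions_move(&devcgroup->exceptions,
					    &tmp_devcgrp.exceptions);
			devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
			break;
```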
--- /dev/null
+From 27c0d217340e47ec995557f61423ef415afba987 Mon Sep 17 00:00:00 2001
+From: "Isaac J. Manjarres" <isaacmanjarres@google.com>
+Date: Tue, 20 Sep 2022 17:14:13 -0700
+Subject: driver core: Fix bus_type.match() error handling in __driver_attach()
+
+From: Isaac J. Manjarres <isaacmanjarres@google.com>
+
+commit 27c0d217340e47ec995557f61423ef415afba987 upstream.
+
+When a driver registers with a bus, it will attempt to match with every
+device on the bus through the __driver_attach() function. Currently, if
+the bus_type.match() function encounters an error that is not
+-EPROBE_DEFER, __driver_attach() will return a negative error code, which
+causes the driver registration logic to stop trying to match with the
+remaining devices on the bus.
+
+This behavior is not correct; a failure while matching a driver to a
+device does not mean that the driver won't be able to match and bind
+with other devices on the bus. Update the logic in __driver_attach()
+to reflect this.
+
+Fixes: 656b8035b0ee ("ARM: 8524/1: driver cohandle -EPROBE_DEFER from bus_type.match()")
+Cc: stable@vger.kernel.org
+Cc: Saravana Kannan <saravanak@google.com>
+Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
+Link: https://lore.kernel.org/r/20220921001414.4046492-1-isaacmanjarres@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/dd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -1162,7 +1162,11 @@ static int __driver_attach(struct device
+ return 0;
+ } else if (ret < 0) {
+ dev_dbg(dev, "Bus failed to match device: %d\n", ret);
+- return ret;
++ /*
++ * Driver could not match with device, but may match with
++ * another device on the bus.
++ */
++ return 0;
+ } /* ret > 0 means positive match */
+
+ if (driver_allows_async_probing(drv)) {
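Review bot: With the error no longer returned, the dev_dbg() line is the only trace that bus_type.match() failed, and it stays silent unless debug output is enabled for this file. A negative return other than -EPROBE_DEFER points at a real failure in the bus code, so consider raising the message to dev_warn(), or at least make the new comment say that the error is dropped on purpose, e.g. `* The error is intentionally not propagated so that the remaining devices are still tried.` __driver_attach() begins and continues outside the hunk.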
--- /dev/null
+From 6fdc2d490ea1369d17afd7e6eb66fecc5b7209bc Mon Sep 17 00:00:00 2001
+From: Simon Ser <contact@emersion.fr>
+Date: Mon, 17 Oct 2022 15:32:01 +0000
+Subject: drm/connector: send hotplug uevent on connector cleanup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Simon Ser <contact@emersion.fr>
+
+commit 6fdc2d490ea1369d17afd7e6eb66fecc5b7209bc upstream.
+
+A typical DP-MST unplug removes a KMS connector. However care must
+be taken to properly synchronize with user-space. The expected
+sequence of events is the following:
+
+1. The kernel notices that the DP-MST port is gone.
+2. The kernel marks the connector as disconnected, then sends a
+ uevent to make user-space re-scan the connector list.
+3. User-space notices the connector goes from connected to disconnected,
+ disables it.
+4. Kernel handles the IOCTL disabling the connector. On success,
+ the very last reference to the struct drm_connector is dropped and
+ drm_connector_cleanup() is called.
+5. The connector is removed from the list, and a uevent is sent to tell
+ user-space that the connector disappeared.
+
+The very last step was missing. As a result, user-space thought the
+connector still existed and could try to disable it again. Since the
+kernel no longer knows about the connector, that would end up with
+EINVAL and confused user-space.
+
+Fix this by sending a hotplug uevent from drm_connector_cleanup().
+
+Signed-off-by: Simon Ser <contact@emersion.fr>
+Cc: stable@vger.kernel.org
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Lyude Paul <lyude@redhat.com>
+Cc: Jonas Ådahl <jadahl@redhat.com>
+Tested-by: Jonas Ådahl <jadahl@redhat.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221017153150.60675-2-contact@emersion.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_connector.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/drm_connector.c
++++ b/drivers/gpu/drm/drm_connector.c
+@@ -582,6 +582,9 @@ void drm_connector_cleanup(struct drm_co
+ mutex_destroy(&connector->mutex);
+
+ memset(connector, 0, sizeof(*connector));
++
++ if (dev->registered)
++ drm_sysfs_hotplug_event(dev);
+ }
+ EXPORT_SYMBOL(drm_connector_cleanup);
+
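Review bot: The new call uses `dev` after `memset(connector, 0, sizeof(*connector))`, so it is only safe if `dev` is a local captured from the connector earlier in drm_connector_cleanup(), which is outside this hunk. A one-line comment such as `/* dev was saved before the memset above; connector->dev is cleared here */` would keep a later refactor from switching to connector->dev. It is also worth confirming that every context that can drop the last connector reference is allowed to emit a uevent, since drm_sysfs_hotplug_event() is now reached from the cleanup path.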
--- /dev/null
+From 5a40837debaa9dcc71765d32ce1a15be068b6cc2 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Thu, 14 Jul 2022 12:31:42 +0200
+Subject: drm/etnaviv: move idle mapping reaping into separate function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+commit 5a40837debaa9dcc71765d32ce1a15be068b6cc2 upstream.
+
+The same logic is already used in two different places and now
+it will also be needed outside of the compilation unit, so split
+it into a separate function.
+
+Cc: stable@vger.kernel.org # 5.19
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Guido Günther <agx@sigxcpu.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_mmu.c | 23 +++++++++++++++--------
+ drivers/gpu/drm/etnaviv/etnaviv_mmu.h | 1 +
+ 2 files changed, 16 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_mmu.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_mmu.c
+@@ -135,6 +135,19 @@ static void etnaviv_iommu_remove_mapping
+ drm_mm_remove_node(&mapping->vram_node);
+ }
+
++void etnaviv_iommu_reap_mapping(struct etnaviv_vram_mapping *mapping)
++{
++ struct etnaviv_iommu_context *context = mapping->context;
++
++ lockdep_assert_held(&context->lock);
++ WARN_ON(mapping->use);
++
++ etnaviv_iommu_remove_mapping(context, mapping);
++ etnaviv_iommu_context_put(mapping->context);
++ mapping->context = NULL;
++ list_del_init(&mapping->mmu_node);
++}
++
+ static int etnaviv_iommu_find_iova(struct etnaviv_iommu_context *context,
+ struct drm_mm_node *node, size_t size)
+ {
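Review bot: etnaviv_iommu_reap_mapping() only warns when `mapping->use` is non-zero and then removes the mapping anyway, so a caller bug would tear down an address range that is still in use. Bailing out is the safer reaction: `if (WARN_ON(mapping->use)) return;`. The function is now callable from other compilation units but carries no comment stating that the caller must hold context->lock and pass an idle mapping, and `etnaviv_iommu_context_put(mapping->context)` could use the `context` local fetched on the first line.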
+@@ -202,10 +215,7 @@ static int etnaviv_iommu_find_iova(struc
+ * this mapping.
+ */
+ list_for_each_entry_safe(m, n, &list, scan_node) {
+- etnaviv_iommu_remove_mapping(context, m);
+- etnaviv_iommu_context_put(m->context);
+- m->context = NULL;
+- list_del_init(&m->mmu_node);
++ etnaviv_iommu_reap_mapping(m);
+ list_del_init(&m->scan_node);
+ }
+
+@@ -257,10 +267,7 @@ static int etnaviv_iommu_insert_exact(st
+ }
+
+ list_for_each_entry_safe(m, n, &scan_list, scan_node) {
+- etnaviv_iommu_remove_mapping(context, m);
+- etnaviv_iommu_context_put(m->context);
+- m->context = NULL;
+- list_del_init(&m->mmu_node);
++ etnaviv_iommu_reap_mapping(m);
+ list_del_init(&m->scan_node);
+ }
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_mmu.h
++++ b/drivers/gpu/drm/etnaviv/etnaviv_mmu.h
+@@ -91,6 +91,7 @@ int etnaviv_iommu_map_gem(struct etnaviv
+ struct etnaviv_vram_mapping *mapping, u64 va);
+ void etnaviv_iommu_unmap_gem(struct etnaviv_iommu_context *context,
+ struct etnaviv_vram_mapping *mapping);
++void etnaviv_iommu_reap_mapping(struct etnaviv_vram_mapping *mapping);
+
+ int etnaviv_iommu_get_suballoc_va(struct etnaviv_iommu_context *ctx,
+ struct etnaviv_vram_mapping *mapping,
--- /dev/null
+From 332f847212e43d584019a8264895f25cf92aa647 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Thu, 14 Jul 2022 12:31:43 +0200
+Subject: drm/etnaviv: reap idle mapping if it doesn't match the softpin address
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+commit 332f847212e43d584019a8264895f25cf92aa647 upstream.
+
+When a idle BO, which is held open by another process, gets freed by
+userspace and subsequently referenced again by e.g. importing it again,
+userspace may assign a different softpin VA than the last time around.
+As the kernel GEM object still exists, we likely have a idle mapping
+with the old VA still cached, if it hasn't been reaped in the meantime.
+
+As the context matches, we then simply try to resurrect this mapping by
+increasing the refcount. As the VA in this mapping does not match the
+new softpin address, we consequently fail the otherwise valid submit.
+Instead of failing, reap the idle mapping.
+
+Cc: stable@vger.kernel.org # 5.19
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Guido Günther <agx@sigxcpu.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_gem.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gem.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gem.c
+@@ -258,7 +258,12 @@ struct etnaviv_vram_mapping *etnaviv_gem
+ if (mapping->use == 0) {
+ mutex_lock(&mmu_context->lock);
+ if (mapping->context == mmu_context)
+- mapping->use += 1;
++ if (va && mapping->iova != va) {
++ etnaviv_iommu_reap_mapping(mapping);
++ mapping = NULL;
++ } else {
++ mapping->use += 1;
++ }
+ else
+ mapping = NULL;
+ mutex_unlock(&mmu_context->lock);
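Review bot: The outer `if (mapping->context == mmu_context)` now has an unbraced nested if/else as its body, followed by its own `else`; it parses as intended, but it is easy to misread and is the shape compilers flag as an ambiguous else. Brace the outer statement, i.e. `if (mapping->context == mmu_context) {` before the inner test and `} else {` / `mapping = NULL;` / `}` after it. Once the reap path has set mapping to NULL, the code after the hunk presumably creates a fresh mapping at the requested VA; that part is outside the hunk and should be checked against this new NULL case.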
--- /dev/null
+From f9cdf4130671d767071607d0a7568c9bd36a68d0 Mon Sep 17 00:00:00 2001
+From: Mikko Kovanen <mikko.kovanen@aavamobile.com>
+Date: Sat, 26 Nov 2022 13:27:13 +0000
+Subject: drm/i915/dsi: fix VBT send packet port selection for dual link DSI
+
+From: Mikko Kovanen <mikko.kovanen@aavamobile.com>
+
+commit f9cdf4130671d767071607d0a7568c9bd36a68d0 upstream.
+
+intel_dsi->ports contains bitmask of enabled ports and correspondingly
+logic for selecting port for VBT packet sending must use port specific
+bitmask when deciding appropriate port.
+
+Fixes: 08c59dde71b7 ("drm/i915/dsi: fix VBT send packet port selection for ICL+")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikko Kovanen <mikko.kovanen@aavamobile.com>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/DBBPR09MB466592B16885D99ABBF2393A91119@DBBPR09MB4665.eurprd09.prod.outlook.com
+(cherry picked from commit 8d58bb7991c45f6b60710cc04c9498c6ea96db90)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_dsi_vbt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/intel_dsi_vbt.c
++++ b/drivers/gpu/drm/i915/display/intel_dsi_vbt.c
+@@ -137,9 +137,9 @@ static enum port intel_dsi_seq_port_to_p
+ return ffs(intel_dsi->ports) - 1;
+
+ if (seq_port) {
+- if (intel_dsi->ports & PORT_B)
++ if (intel_dsi->ports & BIT(PORT_B))
+ return PORT_B;
+- else if (intel_dsi->ports & PORT_C)
++ else if (intel_dsi->ports & BIT(PORT_C))
+ return PORT_C;
+ }
+
--- /dev/null
+From 47078311b8efebdefd5b3b2f87e2b02b14f49c66 Mon Sep 17 00:00:00 2001
+From: Yuan Can <yuancan@huawei.com>
+Date: Fri, 4 Nov 2022 06:45:12 +0000
+Subject: drm/ingenic: Fix missing platform_driver_unregister() call in ingenic_drm_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+commit 47078311b8efebdefd5b3b2f87e2b02b14f49c66 upstream.
+
+A problem about modprobe ingenic-drm failed is triggered with the following
+log given:
+
+ [ 303.561088] Error: Driver 'ingenic-ipu' is already registered, aborting...
+ modprobe: ERROR: could not insert 'ingenic_drm': Device or resource busy
+
+The reason is that ingenic_drm_init() returns platform_driver_register()
+directly without checking its return value, if platform_driver_register()
+failed, it returns without unregistering ingenic_ipu_driver_ptr, resulting
+the ingenic-drm can never be installed later.
+A simple call graph is shown as below:
+
+ ingenic_drm_init()
+ platform_driver_register() # ingenic_ipu_driver_ptr are registered
+ platform_driver_register()
+ driver_register()
+ bus_add_driver()
+ priv = kzalloc(...) # OOM happened
+ # return without unregister ingenic_ipu_driver_ptr
+
+Fixing this problem by checking the return value of
+platform_driver_register() and do platform_unregister_drivers() if
+error happened.
+
+Fixes: fc1acf317b01 ("drm/ingenic: Add support for the IPU")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221104064512.8569-1-yuancan@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/ingenic/ingenic-drm-drv.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c
++++ b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c
+@@ -1629,7 +1629,11 @@ static int ingenic_drm_init(void)
+ return err;
+ }
+
+- return platform_driver_register(&ingenic_drm_driver);
++ err = platform_driver_register(&ingenic_drm_driver);
++ if (IS_ENABLED(CONFIG_DRM_INGENIC_IPU) && err)
++ platform_driver_unregister(ingenic_ipu_driver_ptr);
++
++ return err;
+ }
+ module_init(ingenic_drm_init);
+
--- /dev/null
+From b389286d0234e1edbaf62ed8bc0892a568c33662 Mon Sep 17 00:00:00 2001
+From: Jocelyn Falempe <jfalempe@redhat.com>
+Date: Thu, 13 Oct 2022 15:28:10 +0200
+Subject: drm/mgag200: Fix PLL setup for G200_SE_A rev >=4
+
+From: Jocelyn Falempe <jfalempe@redhat.com>
+
+commit b389286d0234e1edbaf62ed8bc0892a568c33662 upstream.
+
+For G200_SE_A, PLL M setting is wrong, which leads to blank screen,
+or "signal out of range" on VGA display.
+previous code had "m |= 0x80" which was changed to
+m |= ((pixpllcn & BIT(8)) >> 1);
+
+Tested on G200_SE_A rev 42
+
+This line of code was moved to another file with
+commit 877507bb954e ("drm/mgag200: Provide per-device callbacks for
+PIXPLLC") but can be easily backported before this commit.
+
+v2: * put BIT(7) First to respect MSB-to-LSB (Thomas)
+ * Add a comment to explain that this bit must be set (Thomas)
+
+Fixes: 2dd040946ecf ("drm/mgag200: Store values (not bits) in struct mgag200_pll_values")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221013132810.521945-1-jfalempe@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/mgag200/mgag200_g200se.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/mgag200/mgag200_g200se.c
++++ b/drivers/gpu/drm/mgag200/mgag200_g200se.c
+@@ -284,7 +284,8 @@ static void mgag200_g200se_04_pixpllc_at
+ pixpllcp = pixpllc->p - 1;
+ pixpllcs = pixpllc->s;
+
+- xpixpllcm = pixpllcm | ((pixpllcn & BIT(8)) >> 1);
++ // For G200SE A, BIT(7) should be set unconditionally.
++ xpixpllcm = BIT(7) | pixpllcm;
+ xpixpllcn = pixpllcn;
+ xpixpllcp = (pixpllcs << 3) | pixpllcp;
+
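Review bot: The removed expression carried bit 8 of pixpllcn into bit 7 of the M value, while the new one sets BIT(7) unconditionally and ignores pixpllcn, and the added comment says the bit "should be set" without saying why or what happens to N values above 0xff. The two forms are only interchangeable if n never needs its ninth bit on this path; the atomic_check that bounds n is outside the hunk. If that bound holds, record it in the comment, e.g. `/* G200SE A: bit 7 of M must always be set; n does not exceed 0xff here */`.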
--- /dev/null
+From 4cf949c7fafe21e085a4ee386bb2dade9067316e Mon Sep 17 00:00:00 2001
+From: Zack Rusin <zackr@vmware.com>
+Date: Tue, 25 Oct 2022 23:19:35 -0400
+Subject: drm/vmwgfx: Validate the box size for the snooped cursor
+
+From: Zack Rusin <zackr@vmware.com>
+
+commit 4cf949c7fafe21e085a4ee386bb2dade9067316e upstream.
+
+Invalid userspace dma surface copies could potentially overflow
+the memcpy from the surface to the snooped image leading to crashes.
+To fix it the dimensions of the copybox have to be validated
+against the expected size of the snooped cursor.
+
+Signed-off-by: Zack Rusin <zackr@vmware.com>
+Fixes: 2ac863719e51 ("vmwgfx: Snoop DMA transfers with non-covering sizes")
+Cc: <stable@vger.kernel.org> # v3.2+
+Reviewed-by: Michael Banack <banackm@vmware.com>
+Reviewed-by: Martin Krastev <krastevm@vmware.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221026031936.1004280-1-zack@kde.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+@@ -308,7 +308,8 @@ void vmw_kms_cursor_snoop(struct vmw_sur
+ if (cmd->dma.guest.ptr.offset % PAGE_SIZE ||
+ box->x != 0 || box->y != 0 || box->z != 0 ||
+ box->srcx != 0 || box->srcy != 0 || box->srcz != 0 ||
+- box->d != 1 || box_count != 1) {
++ box->d != 1 || box_count != 1 ||
++ box->w > 64 || box->h > 64) {
+ /* TODO handle none page aligned offsets */
+ /* TODO handle more dst & src != 0 */
+ /* TODO handle more then one copy */
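Review bot: The new bound uses the literal 64 twice, while the buffer it protects is the snooped cursor image written by the copy further down in vmw_kms_cursor_snoop(); both the copy and the buffer's declaration are outside this hunk. Tie the check to the same definition as the buffer, for example a shared named constant (placeholder name `VMW_CURSOR_SNOOP_DIM`), so the check cannot drift from the allocation. The check bounds the destination only: box->w, box->h and the guest pitch also determine how far the source mapping is read, so confirm that the read side is limited to the pages actually mapped. The TODO comments in the rejection branch do not mention the new size condition.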
--- /dev/null
+From 0be56a116220f9e5731a6609e66a11accfe8d8e2 Mon Sep 17 00:00:00 2001
+From: Aditya Garg <gargaditya08@live.com>
+Date: Thu, 27 Oct 2022 10:01:43 +0000
+Subject: efi: Add iMac Pro 2017 to uefi skip cert quirk
+
+From: Aditya Garg <gargaditya08@live.com>
+
+commit 0be56a116220f9e5731a6609e66a11accfe8d8e2 upstream.
+
+The iMac Pro 2017 is also a T2 Mac. Thus add it to the list of uefi skip
+cert.
+
+Cc: stable@vger.kernel.org
+Fixes: 155ca952c7ca ("efi: Do not import certificates from UEFI Secure Boot for T2 Macs")
+Link: https://lore.kernel.org/linux-integrity/9D46D92F-1381-4F10-989C-1A12CD2FFDD8@live.com/
+Signed-off-by: Aditya Garg <gargaditya08@live.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/platform_certs/load_uefi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/integrity/platform_certs/load_uefi.c
++++ b/security/integrity/platform_certs/load_uefi.c
+@@ -35,6 +35,7 @@ static const struct dmi_system_id uefi_s
+ { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacPro7,1") },
+ { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,1") },
+ { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,2") },
++ { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMacPro1,1") },
+ { }
+ };
+
--- /dev/null
+From e700898fa075c69b3ae02b702ab57fb75e1a82ec Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Mon, 12 Dec 2022 15:50:41 -0800
+Subject: hugetlb: really allocate vma lock for all sharable vmas
+
+From: Mike Kravetz <mike.kravetz@oracle.com>
+
+commit e700898fa075c69b3ae02b702ab57fb75e1a82ec upstream.
+
+Commit bbff39cc6cbc ("hugetlb: allocate vma lock for all sharable vmas")
+removed the pmd sharable checks in the vma lock helper routines. However,
+it left the functional version of helper routines behind #ifdef
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE. Therefore, the vma lock is not being
+used for sharable vmas on architectures that do not support pmd sharing.
+On these architectures, a potential fault/truncation race is exposed that
+could leave pages in a hugetlb file past i_size until the file is removed.
+
+Move the functional vma lock helpers outside the ifdef, and remove the
+non-functional stubs. Since the vma lock is not just for pmd sharing,
+rename the routine __vma_shareable_flags_pmd.
+
+Link: https://lkml.kernel.org/r/20221212235042.178355-1-mike.kravetz@oracle.com
+Fixes: bbff39cc6cbc ("hugetlb: allocate vma lock for all sharable vmas")
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: James Houghton <jthoughton@google.com>
+Cc: Mina Almasry <almasrymina@google.com>
+Cc: Muchun Song <songmuchun@bytedance.com>
+Cc: Naoya Horiguchi <naoya.horiguchi@linux.dev>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hugetlb.c | 333 ++++++++++++++++++++++++++---------------------------------
+ 1 file changed, 148 insertions(+), 185 deletions(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -255,6 +255,152 @@ static inline struct hugepage_subpool *s
+ return subpool_inode(file_inode(vma->vm_file));
+ }
+
++/*
++ * hugetlb vma_lock helper routines
++ */
++static bool __vma_shareable_lock(struct vm_area_struct *vma)
++{
++ return vma->vm_flags & (VM_MAYSHARE | VM_SHARED) &&
++ vma->vm_private_data;
++}
++
++void hugetlb_vma_lock_read(struct vm_area_struct *vma)
++{
++ if (__vma_shareable_lock(vma)) {
++ struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;
++
++ down_read(&vma_lock->rw_sema);
++ }
++}
++
++void hugetlb_vma_unlock_read(struct vm_area_struct *vma)
++{
++ if (__vma_shareable_lock(vma)) {
++ struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;
++
++ up_read(&vma_lock->rw_sema);
++ }
++}
++
++void hugetlb_vma_lock_write(struct vm_area_struct *vma)
++{
++ if (__vma_shareable_lock(vma)) {
++ struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;
++
++ down_write(&vma_lock->rw_sema);
++ }
++}
++
++void hugetlb_vma_unlock_write(struct vm_area_struct *vma)
++{
++ if (__vma_shareable_lock(vma)) {
++ struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;
++
++ up_write(&vma_lock->rw_sema);
++ }
++}
++
++int hugetlb_vma_trylock_write(struct vm_area_struct *vma)
++{
++ struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;
++
++ if (!__vma_shareable_lock(vma))
++ return 1;
++
++ return down_write_trylock(&vma_lock->rw_sema);
++}
++
++void hugetlb_vma_assert_locked(struct vm_area_struct *vma)
++{
++ if (__vma_shareable_lock(vma)) {
++ struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;
++
++ lockdep_assert_held(&vma_lock->rw_sema);
++ }
++}
++
++void hugetlb_vma_lock_release(struct kref *kref)
++{
++ struct hugetlb_vma_lock *vma_lock = container_of(kref,
++ struct hugetlb_vma_lock, refs);
++
++ kfree(vma_lock);
++}
++
++static void __hugetlb_vma_unlock_write_put(struct hugetlb_vma_lock *vma_lock)
++{
++ struct vm_area_struct *vma = vma_lock->vma;
++
++ /*
++ * vma_lock structure may or not be released as a result of put,
++ * it certainly will no longer be attached to vma so clear pointer.
++ * Semaphore synchronizes access to vma_lock->vma field.
++ */
++ vma_lock->vma = NULL;
++ vma->vm_private_data = NULL;
++ up_write(&vma_lock->rw_sema);
++ kref_put(&vma_lock->refs, hugetlb_vma_lock_release);
++}
++
++static void __hugetlb_vma_unlock_write_free(struct vm_area_struct *vma)
++{
++ if (__vma_shareable_lock(vma)) {
++ struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;
++
++ __hugetlb_vma_unlock_write_put(vma_lock);
++ }
++}
++
++static void hugetlb_vma_lock_free(struct vm_area_struct *vma)
++{
++ /*
++ * Only present in sharable vmas.
++ */
++ if (!vma || !__vma_shareable_lock(vma))
++ return;
++
++ if (vma->vm_private_data) {
++ struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;
++
++ down_write(&vma_lock->rw_sema);
++ __hugetlb_vma_unlock_write_put(vma_lock);
++ }
++}
++
++static void hugetlb_vma_lock_alloc(struct vm_area_struct *vma)
++{
++ struct hugetlb_vma_lock *vma_lock;
++
++ /* Only establish in (flags) sharable vmas */
++ if (!vma || !(vma->vm_flags & VM_MAYSHARE))
++ return;
++
++ /* Should never get here with non-NULL vm_private_data */
++ if (vma->vm_private_data)
++ return;
++
++ vma_lock = kmalloc(sizeof(*vma_lock), GFP_KERNEL);
++ if (!vma_lock) {
++ /*
++ * If we can not allocate structure, then vma can not
++ * participate in pmd sharing. This is only a possible
++ * performance enhancement and memory saving issue.
++ * However, the lock is also used to synchronize page
++ * faults with truncation. If the lock is not present,
++ * unlikely races could leave pages in a file past i_size
++ * until the file is removed. Warn in the unlikely case of
++ * allocation failure.
++ */
++ pr_warn_once("HugeTLB: unable to allocate vma specific lock\n");
++ return;
++ }
++
++ kref_init(&vma_lock->refs);
++ init_rwsem(&vma_lock->rw_sema);
++ vma_lock->vma = vma;
++ vma->vm_private_data = vma_lock;
++}
++
+ /* Helper that removes a struct file_region from the resv_map cache and returns
+ * it for use.
+ */
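Review bot: The header comment `hugetlb vma_lock helper routines` does not say that every lock/unlock helper silently becomes a no-op when `vma->vm_private_data` is NULL, which is exactly the state `hugetlb_vma_lock_alloc()` leaves behind after a failed `kmalloc()`. Now that the lock also guards fault/truncation, I would document that on `__vma_shareable_lock()`, e.g. `/* False when no lock was allocated; callers then run unsynchronized (see hugetlb_vma_lock_alloc). */`. As a smaller style point, the inner `if (vma->vm_private_data)` in `hugetlb_vma_lock_free()` repeats a condition that `__vma_shareable_lock()` has already tested and could be dropped.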
+@@ -6557,7 +6703,8 @@ bool hugetlb_reserve_pages(struct inode
+ }
+
+ /*
+- * vma specific semaphore used for pmd sharing synchronization
++ * vma specific semaphore used for pmd sharing and fault/truncation
++ * synchronization
+ */
+ hugetlb_vma_lock_alloc(vma);
+
+@@ -6813,149 +6960,6 @@ void adjust_range_if_pmd_sharing_possibl
+ *end = ALIGN(*end, PUD_SIZE);
+ }
+
+-static bool __vma_shareable_flags_pmd(struct vm_area_struct *vma)
+-{
+- return vma->vm_flags & (VM_MAYSHARE | VM_SHARED) &&
+- vma->vm_private_data;
+-}
+-
+-void hugetlb_vma_lock_read(struct vm_area_struct *vma)
+-{
+- if (__vma_shareable_flags_pmd(vma)) {
+- struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;
+-
+- down_read(&vma_lock->rw_sema);
+- }
+-}
+-
+-void hugetlb_vma_unlock_read(struct vm_area_struct *vma)
+-{
+- if (__vma_shareable_flags_pmd(vma)) {
+- struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;
+-
+- up_read(&vma_lock->rw_sema);
+- }
+-}
+-
+-void hugetlb_vma_lock_write(struct vm_area_struct *vma)
+-{
+- if (__vma_shareable_flags_pmd(vma)) {
+- struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;
+-
+- down_write(&vma_lock->rw_sema);
+- }
+-}
+-
+-void hugetlb_vma_unlock_write(struct vm_area_struct *vma)
+-{
+- if (__vma_shareable_flags_pmd(vma)) {
+- struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;
+-
+- up_write(&vma_lock->rw_sema);
+- }
+-}
+-
+-int hugetlb_vma_trylock_write(struct vm_area_struct *vma)
+-{
+- struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;
+-
+- if (!__vma_shareable_flags_pmd(vma))
+- return 1;
+-
+- return down_write_trylock(&vma_lock->rw_sema);
+-}
+-
+-void hugetlb_vma_assert_locked(struct vm_area_struct *vma)
+-{
+- if (__vma_shareable_flags_pmd(vma)) {
+- struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;
+-
+- lockdep_assert_held(&vma_lock->rw_sema);
+- }
+-}
+-
+-void hugetlb_vma_lock_release(struct kref *kref)
+-{
+- struct hugetlb_vma_lock *vma_lock = container_of(kref,
+- struct hugetlb_vma_lock, refs);
+-
+- kfree(vma_lock);
+-}
+-
+-static void __hugetlb_vma_unlock_write_put(struct hugetlb_vma_lock *vma_lock)
+-{
+- struct vm_area_struct *vma = vma_lock->vma;
+-
+- /*
+- * vma_lock structure may or not be released as a result of put,
+- * it certainly will no longer be attached to vma so clear pointer.
+- * Semaphore synchronizes access to vma_lock->vma field.
+- */
+- vma_lock->vma = NULL;
+- vma->vm_private_data = NULL;
+- up_write(&vma_lock->rw_sema);
+- kref_put(&vma_lock->refs, hugetlb_vma_lock_release);
+-}
+-
+-static void __hugetlb_vma_unlock_write_free(struct vm_area_struct *vma)
+-{
+- if (__vma_shareable_flags_pmd(vma)) {
+- struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;
+-
+- __hugetlb_vma_unlock_write_put(vma_lock);
+- }
+-}
+-
+-static void hugetlb_vma_lock_free(struct vm_area_struct *vma)
+-{
+- /*
+- * Only present in sharable vmas.
+- */
+- if (!vma || !__vma_shareable_flags_pmd(vma))
+- return;
+-
+- if (vma->vm_private_data) {
+- struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;
+-
+- down_write(&vma_lock->rw_sema);
+- __hugetlb_vma_unlock_write_put(vma_lock);
+- }
+-}
+-
+-static void hugetlb_vma_lock_alloc(struct vm_area_struct *vma)
+-{
+- struct hugetlb_vma_lock *vma_lock;
+-
+- /* Only establish in (flags) sharable vmas */
+- if (!vma || !(vma->vm_flags & VM_MAYSHARE))
+- return;
+-
+- /* Should never get here with non-NULL vm_private_data */
+- if (vma->vm_private_data)
+- return;
+-
+- vma_lock = kmalloc(sizeof(*vma_lock), GFP_KERNEL);
+- if (!vma_lock) {
+- /*
+- * If we can not allocate structure, then vma can not
+- * participate in pmd sharing. This is only a possible
+- * performance enhancement and memory saving issue.
+- * However, the lock is also used to synchronize page
+- * faults with truncation. If the lock is not present,
+- * unlikely races could leave pages in a file past i_size
+- * until the file is removed. Warn in the unlikely case of
+- * allocation failure.
+- */
+- pr_warn_once("HugeTLB: unable to allocate vma specific lock\n");
+- return;
+- }
+-
+- kref_init(&vma_lock->refs);
+- init_rwsem(&vma_lock->rw_sema);
+- vma_lock->vma = vma;
+- vma->vm_private_data = vma_lock;
+-}
+-
+ /*
+ * Search for a shareable pmd page for hugetlb. In any case calls pmd_alloc()
+ * and returns the corresponding pte. While this is not necessary for the
+@@ -7044,47 +7048,6 @@ int huge_pmd_unshare(struct mm_struct *m
+
+ #else /* !CONFIG_ARCH_WANT_HUGE_PMD_SHARE */
+
+-void hugetlb_vma_lock_read(struct vm_area_struct *vma)
+-{
+-}
+-
+-void hugetlb_vma_unlock_read(struct vm_area_struct *vma)
+-{
+-}
+-
+-void hugetlb_vma_lock_write(struct vm_area_struct *vma)
+-{
+-}
+-
+-void hugetlb_vma_unlock_write(struct vm_area_struct *vma)
+-{
+-}
+-
+-int hugetlb_vma_trylock_write(struct vm_area_struct *vma)
+-{
+- return 1;
+-}
+-
+-void hugetlb_vma_assert_locked(struct vm_area_struct *vma)
+-{
+-}
+-
+-void hugetlb_vma_lock_release(struct kref *kref)
+-{
+-}
+-
+-static void __hugetlb_vma_unlock_write_free(struct vm_area_struct *vma)
+-{
+-}
+-
+-static void hugetlb_vma_lock_free(struct vm_area_struct *vma)
+-{
+-}
+-
+-static void hugetlb_vma_lock_alloc(struct vm_area_struct *vma)
+-{
+-}
+-
+ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
+ unsigned long addr, pud_t *pud)
+ {
--- /dev/null
+From 11220db412edae8dba58853238f53258268bdb88 Mon Sep 17 00:00:00 2001
+From: Huaxin Lu <luhuaxin1@huawei.com>
+Date: Thu, 3 Nov 2022 00:09:49 +0800
+Subject: ima: Fix a potential NULL pointer access in ima_restore_measurement_list
+
+From: Huaxin Lu <luhuaxin1@huawei.com>
+
+commit 11220db412edae8dba58853238f53258268bdb88 upstream.
+
+In restore_template_fmt, when kstrdup fails, a non-NULL value will still be
+returned, which causes a NULL pointer access in template_desc_init_fields.
+
+Fixes: c7d09367702e ("ima: support restoring multiple template formats")
+Cc: stable@kernel.org
+Co-developed-by: Jiaming Li <lijiaming30@huawei.com>
+Signed-off-by: Jiaming Li <lijiaming30@huawei.com>
+Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
+Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/ima/ima_template.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/security/integrity/ima/ima_template.c
++++ b/security/integrity/ima/ima_template.c
+@@ -340,8 +340,11 @@ static struct ima_template_desc *restore
+
+ template_desc->name = "";
+ template_desc->fmt = kstrdup(template_name, GFP_KERNEL);
+- if (!template_desc->fmt)
++ if (!template_desc->fmt) {
++ kfree(template_desc);
++ template_desc = NULL;
+ goto out;
++ }
+
+ spin_lock(&template_list);
+ list_add_tail_rcu(&template_desc->list, &defined_templates);
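Review bot: The reset `template_desc = NULL;` is the part of this fix that matters to callers, and it deserves a one-line comment, because nothing in the hunk shows why a freed local needs clearing. Going by the commit description, the `out` label returns `template_desc`, so without the reset a freed pointer would be handed back; something like `/* out: returns template_desc, never hand back the freed descriptor */` above the assignment makes that explicit. The `out` label and the allocation of `template_desc` are outside the hunk, so the return path is inferred rather than visible.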
--- /dev/null
+From 8c1d6a050a0f16e0a9d32eaf53b965c77279c6f8 Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Wed, 2 Nov 2022 17:30:06 +0100
+Subject: ima: Fix memory leak in __ima_inode_hash()
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+commit 8c1d6a050a0f16e0a9d32eaf53b965c77279c6f8 upstream.
+
+Commit f3cc6b25dcc5 ("ima: always measure and audit files in policy") lets
+measurement or audit happen even if the file digest cannot be calculated.
+
+As a result, iint->ima_hash could have been allocated despite
+ima_collect_measurement() returning an error.
+
+Since ima_hash belongs to a temporary inode metadata structure, declared
+at the beginning of __ima_inode_hash(), just add a kfree() call if
+ima_collect_measurement() returns an error different from -ENOMEM (in that
+case, ima_hash should not have been allocated).
+
+Cc: stable@vger.kernel.org
+Fixes: 280fe8367b0d ("ima: Always return a file measurement in ima_file_hash()")
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/ima/ima_main.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/security/integrity/ima/ima_main.c
++++ b/security/integrity/ima/ima_main.c
+@@ -542,8 +542,13 @@ static int __ima_inode_hash(struct inode
+
+ rc = ima_collect_measurement(&tmp_iint, file, NULL, 0,
+ ima_hash_algo, NULL);
+- if (rc < 0)
++ if (rc < 0) {
++ /* ima_hash could be allocated in case of failure. */
++ if (rc != -ENOMEM)
++ kfree(tmp_iint.ima_hash);
++
+ return -EOPNOTSUPP;
++ }
+
+ iint = &tmp_iint;
+ mutex_lock(&iint->mutex);
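Review bot: The cleanup `if (rc != -ENOMEM) kfree(tmp_iint.ima_hash);` uses the error code as a proxy for whether `ima_hash` was ever assigned, which is fragile: any future error return from ima_collect_measurement() taken before the allocation would pass an indeterminate pointer to kfree(). Initialising the field before the call, `tmp_iint.ima_hash = NULL;`, and then freeing unconditionally with `kfree(tmp_iint.ima_hash);` removes that coupling, since kfree(NULL) is a no-op. The declaration and setup of `tmp_iint` are outside this hunk, so whether it is already zeroed cannot be seen here. __ima_inode_hash's body continues outside the hunk.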
--- /dev/null
+From 1198d2316dc4265a97d0e8445a22c7a6d17580a4 Mon Sep 17 00:00:00 2001
+From: Kim Phillips <kim.phillips@amd.com>
+Date: Mon, 19 Sep 2022 10:56:38 -0500
+Subject: iommu/amd: Fix ill-formed ivrs_ioapic, ivrs_hpet and ivrs_acpihid options
+
+From: Kim Phillips <kim.phillips@amd.com>
+
+commit 1198d2316dc4265a97d0e8445a22c7a6d17580a4 upstream.
+
+Currently, these options cause the following libkmod error:
+
+libkmod: ERROR ../libkmod/libkmod-config.c:489 kcmdline_parse_result: \
+ Ignoring bad option on kernel command line while parsing module \
+ name: 'ivrs_xxxx[XX:XX'
+
+Fix by introducing a new parameter format for these options and
+throw a warning for the deprecated format.
+
+Users are still allowed to omit the PCI Segment if zero.
+
+Adding a Link: to the reason why we're modding the syntax parsing
+in the driver and not in libkmod.
+
+Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/linux-modules/20200310082308.14318-2-lucas.demarchi@intel.com/
+Reported-by: Kim Phillips <kim.phillips@amd.com>
+Co-developed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Signed-off-by: Kim Phillips <kim.phillips@amd.com>
+Link: https://lore.kernel.org/r/20220919155638.391481-2-kim.phillips@amd.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/admin-guide/kernel-parameters.txt | 27 ++++++--
+ drivers/iommu/amd/init.c | 77 ++++++++++++++++--------
+ 2 files changed, 75 insertions(+), 29 deletions(-)
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -2300,7 +2300,13 @@
+ Provide an override to the IOAPIC-ID<->DEVICE-ID
+ mapping provided in the IVRS ACPI table.
+ By default, PCI segment is 0, and can be omitted.
+- For example:
++
++ For example, to map IOAPIC-ID decimal 10 to
++ PCI segment 0x1 and PCI device 00:14.0,
++ write the parameter as:
++ ivrs_ioapic=10@0001:00:14.0
++
++ Deprecated formats:
+ * To map IOAPIC-ID decimal 10 to PCI device 00:14.0
+ write the parameter as:
+ ivrs_ioapic[10]=00:14.0
+@@ -2312,7 +2318,13 @@
+ Provide an override to the HPET-ID<->DEVICE-ID
+ mapping provided in the IVRS ACPI table.
+ By default, PCI segment is 0, and can be omitted.
+- For example:
++
++ For example, to map HPET-ID decimal 10 to
++ PCI segment 0x1 and PCI device 00:14.0,
++ write the parameter as:
++ ivrs_hpet=10@0001:00:14.0
++
++ Deprecated formats:
+ * To map HPET-ID decimal 0 to PCI device 00:14.0
+ write the parameter as:
+ ivrs_hpet[0]=00:14.0
+@@ -2323,15 +2335,20 @@
+ ivrs_acpihid [HW,X86-64]
+ Provide an override to the ACPI-HID:UID<->DEVICE-ID
+ mapping provided in the IVRS ACPI table.
++ By default, PCI segment is 0, and can be omitted.
+
+ For example, to map UART-HID:UID AMD0020:0 to
+ PCI segment 0x1 and PCI device ID 00:14.5,
+ write the parameter as:
+- ivrs_acpihid[0001:00:14.5]=AMD0020:0
++ ivrs_acpihid=AMD0020:0@0001:00:14.5
+
+- By default, PCI segment is 0, and can be omitted.
+- For example, PCI device 00:14.5 write the parameter as:
++ Deprecated formats:
++ * To map UART-HID:UID AMD0020:0 to PCI segment is 0,
++ PCI device ID 00:14.5, write the parameter as:
+ ivrs_acpihid[00:14.5]=AMD0020:0
++ * To map UART-HID:UID AMD0020:0 to PCI segment 0x1 and
++ PCI device ID 00:14.5, write the parameter as:
++ ivrs_acpihid[0001:00:14.5]=AMD0020:0
+
+ js= [HW,JOY] Analog joystick
+ See Documentation/input/joydev/joystick.rst.
+--- a/drivers/iommu/amd/init.c
++++ b/drivers/iommu/amd/init.c
+@@ -3402,18 +3402,24 @@ static int __init parse_amd_iommu_option
+ static int __init parse_ivrs_ioapic(char *str)
+ {
+ u32 seg = 0, bus, dev, fn;
+- int ret, id, i;
++ int id, i;
+ u32 devid;
+
+- ret = sscanf(str, "[%d]=%x:%x.%x", &id, &bus, &dev, &fn);
+- if (ret != 4) {
+- ret = sscanf(str, "[%d]=%x:%x:%x.%x", &id, &seg, &bus, &dev, &fn);
+- if (ret != 5) {
+- pr_err("Invalid command line: ivrs_ioapic%s\n", str);
+- return 1;
+- }
++ if (sscanf(str, "=%d@%x:%x.%x", &id, &bus, &dev, &fn) == 4 ||
++ sscanf(str, "=%d@%x:%x:%x.%x", &id, &seg, &bus, &dev, &fn) == 5)
++ goto found;
++
++ if (sscanf(str, "[%d]=%x:%x.%x", &id, &bus, &dev, &fn) == 4 ||
++ sscanf(str, "[%d]=%x:%x:%x.%x", &id, &seg, &bus, &dev, &fn) == 5) {
++ pr_warn("ivrs_ioapic%s option format deprecated; use ivrs_ioapic=%d@%04x:%02x:%02x.%d instead\n",
++ str, id, seg, bus, dev, fn);
++ goto found;
+ }
+
++ pr_err("Invalid command line: ivrs_ioapic%s\n", str);
++ return 1;
++
++found:
+ if (early_ioapic_map_size == EARLY_MAP_SIZE) {
+ pr_err("Early IOAPIC map overflow - ignoring ivrs_ioapic%s\n",
+ str);
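Review bot: The deprecation warning prints `fn` with `%d` (`...%02x:%02x.%d instead`) although `fn` is a `u32` that the parser reads with `%x`, so the suggested replacement string does not round-trip for values above 9 and the specifier does not match the argument type. Using `%x` for the last field, `ivrs_ioapic=%d@%04x:%02x:%02x.%x`, fixes both; the same applies to the pr_warn() calls added in parse_ivrs_hpet() and parse_ivrs_acpihid(). Separately, nothing in this hunk range-checks `id`, `bus`, `dev` or `fn` after sscanf() (a negative `id` is accepted by `%d`); if that is not done where `devid` is built, outside the hunk, it is worth adding there. parse_ivrs_ioapic's body continues outside the hunk.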
+@@ -3434,18 +3440,24 @@ static int __init parse_ivrs_ioapic(char
+ static int __init parse_ivrs_hpet(char *str)
+ {
+ u32 seg = 0, bus, dev, fn;
+- int ret, id, i;
++ int id, i;
+ u32 devid;
+
+- ret = sscanf(str, "[%d]=%x:%x.%x", &id, &bus, &dev, &fn);
+- if (ret != 4) {
+- ret = sscanf(str, "[%d]=%x:%x:%x.%x", &id, &seg, &bus, &dev, &fn);
+- if (ret != 5) {
+- pr_err("Invalid command line: ivrs_hpet%s\n", str);
+- return 1;
+- }
++ if (sscanf(str, "=%d@%x:%x.%x", &id, &bus, &dev, &fn) == 4 ||
++ sscanf(str, "=%d@%x:%x:%x.%x", &id, &seg, &bus, &dev, &fn) == 5)
++ goto found;
++
++ if (sscanf(str, "[%d]=%x:%x.%x", &id, &bus, &dev, &fn) == 4 ||
++ sscanf(str, "[%d]=%x:%x:%x.%x", &id, &seg, &bus, &dev, &fn) == 5) {
++ pr_warn("ivrs_hpet%s option format deprecated; use ivrs_hpet=%d@%04x:%02x:%02x.%d instead\n",
++ str, id, seg, bus, dev, fn);
++ goto found;
+ }
+
++ pr_err("Invalid command line: ivrs_hpet%s\n", str);
++ return 1;
++
++found:
+ if (early_hpet_map_size == EARLY_MAP_SIZE) {
+ pr_err("Early HPET map overflow - ignoring ivrs_hpet%s\n",
+ str);
+@@ -3466,19 +3478,36 @@ static int __init parse_ivrs_hpet(char *
+ static int __init parse_ivrs_acpihid(char *str)
+ {
+ u32 seg = 0, bus, dev, fn;
+- char *hid, *uid, *p;
++ char *hid, *uid, *p, *addr;
+ char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0};
+- int ret, i;
++ int i;
+
+- ret = sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid);
+- if (ret != 4) {
+- ret = sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid);
+- if (ret != 5) {
+- pr_err("Invalid command line: ivrs_acpihid(%s)\n", str);
+- return 1;
++ addr = strchr(str, '@');
++ if (!addr) {
++ if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 ||
++ sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) {
++ pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n",
++ str, acpiid, seg, bus, dev, fn);
++ goto found;
+ }
++ goto not_found;
+ }
+
++ /* We have the '@', make it the terminator to get just the acpiid */
++ *addr++ = 0;
++
++ if (sscanf(str, "=%s", acpiid) != 1)
++ goto not_found;
++
++ if (sscanf(addr, "%x:%x.%x", &bus, &dev, &fn) == 3 ||
++ sscanf(addr, "%x:%x:%x.%x", &seg, &bus, &dev, &fn) == 4)
++ goto found;
++
++not_found:
++ pr_err("Invalid command line: ivrs_acpihid%s\n", str);
++ return 1;
++
++found:
+ p = acpiid;
+ hid = strsep(&p, ":");
+ uid = p;
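Review bot: Both `sscanf(str, "=%s", acpiid)` and the deprecated-format `"...]=%s"` calls copy into the fixed-size stack array `acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN]` with an unbounded `%s`, so an over-long value on the kernel command line writes past the buffer. Bound the copy before parsing, for example by replacing the new-format call with `if (*str != '=' || strscpy(acpiid, str + 1, sizeof(acpiid)) <= 0) goto not_found;`, and by rejecting the deprecated form when `strlen(str) >= sizeof(acpiid)`. The array is zero-initialised, so a rejected copy still leaves it terminated. parse_ivrs_acpihid's body continues outside the hunk.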
--- /dev/null
+From 5f18e9f8868c6d4eae71678e7ebd4977b7d8c8cf Mon Sep 17 00:00:00 2001
+From: Kim Phillips <kim.phillips@amd.com>
+Date: Mon, 19 Sep 2022 10:56:37 -0500
+Subject: iommu/amd: Fix ivrs_acpihid cmdline parsing code
+
+From: Kim Phillips <kim.phillips@amd.com>
+
+commit 5f18e9f8868c6d4eae71678e7ebd4977b7d8c8cf upstream.
+
+The second (UID) strcmp in acpi_dev_hid_uid_match considers
+"0" and "00" different, which can prevent device registration.
+
+Have the AMD IOMMU driver's ivrs_acpihid parsing code remove
+any leading zeroes to make the UID strcmp succeed. Now users
+can safely specify "AMDxxxxx:00" or "AMDxxxxx:0" and expect
+the same behaviour.
+
+Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
+Signed-off-by: Kim Phillips <kim.phillips@amd.com>
+Cc: stable@vger.kernel.org
+Cc: Suravee Suthikulpanit <Suravee.Suthikulpanit@amd.com>
+Cc: Joerg Roedel <jroedel@suse.de>
+Link: https://lore.kernel.org/r/20220919155638.391481-1-kim.phillips@amd.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/amd/init.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/iommu/amd/init.c
++++ b/drivers/iommu/amd/init.c
+@@ -3488,6 +3488,13 @@ static int __init parse_ivrs_acpihid(cha
+ return 1;
+ }
+
++ /*
++ * Ignore leading zeroes after ':', so e.g., AMDI0095:00
++ * will match AMDI0095:0 in the second strcmp in acpi_dev_hid_uid_match
++ */
++ while (*uid == '0' && *(uid + 1))
++ uid++;
++
+ i = early_acpihid_map_size++;
+ memcpy(early_acpihid_map[i].hid, hid, strlen(hid));
+ memcpy(early_acpihid_map[i].uid, uid, strlen(uid));
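Review bot: The loop condition `*uid == '0' && *(uid + 1)` is easier to read with array indexing, `while (uid[0] == '0' && uid[1])`, which also makes it obvious that a lone "0" is kept. The trimmed `uid` then feeds `memcpy(early_acpihid_map[i].uid, uid, strlen(uid))` in the context lines, which copies without a terminator and without a visible length check against the destination field. Whether the lengths of `hid` and `uid` and the map index are bounded is decided outside this hunk and is worth confirming. parse_ivrs_acpihid's body starts and ends outside the hunk.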
--- /dev/null
+From f6f1234d98cce69578bfac79df147a1f6660596c Mon Sep 17 00:00:00 2001
+From: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
+Date: Fri, 7 Oct 2022 17:26:16 +0800
+Subject: ipmi: fix long wait in unload when IPMI disconnect
+
+From: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
+
+commit f6f1234d98cce69578bfac79df147a1f6660596c upstream.
+
+When fixing the problem mentioned in PATCH1, we also found
+the following problem:
+
+If the IPMI is disconnected and in the sending process, the
+uninstallation driver will be stuck for a long time.
+
+The main problem is that uninstalling the driver waits for curr_msg to
+be sent or HOSED. After stopping tasklet, the only place to trigger the
+timeout mechanism is the circular poll in shutdown_smi.
+
+The poll function delays 10us and calls smi_event_handler(smi_info,10).
+Smi_event_handler deducts 10us from kcs->ibf_timeout.
+
+But the poll func is followed by schedule_timeout_uninterruptible(1).
+The time consumed here is not counted in kcs->ibf_timeout.
+
+So when 10us is deducted from kcs->ibf_timeout, at least 1 jiffies has
+actually passed. The waiting time has increased by more than a
+hundredfold.
+
+Now instead of calling poll(). call smi_event_handler() directly and
+calculate the elapsed time.
+
+For verification, you can directly use ebpf to check the kcs->
+ibf_timeout for each call to kcs_event() when IPMI is disconnected.
+Decrement at normal rate before unloading. The decrement rate becomes
+very slow after unloading.
+
+ $ bpftrace -e 'kprobe:kcs_event {printf("kcs->ibftimeout : %d\n",
+ *(arg0+584));}'
+
+Signed-off-by: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
+Message-Id: <20221007092617.87597-3-zhangyuchen.lcr@bytedance.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_si_intf.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_si_intf.c
++++ b/drivers/char/ipmi/ipmi_si_intf.c
+@@ -2153,6 +2153,20 @@ skip_fallback_noirq:
+ }
+ module_init(init_ipmi_si);
+
++static void wait_msg_processed(struct smi_info *smi_info)
++{
++ unsigned long jiffies_now;
++ long time_diff;
++
++ while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) {
++ jiffies_now = jiffies;
++ time_diff = (((long)jiffies_now - (long)smi_info->last_timeout_jiffies)
++ * SI_USEC_PER_JIFFY);
++ smi_event_handler(smi_info, time_diff);
++ schedule_timeout_uninterruptible(1);
++ }
++}
++
+ static void shutdown_smi(void *send_info)
+ {
+ struct smi_info *smi_info = send_info;
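Review bot: `wait_msg_processed()` computes `time_diff` against `smi_info->last_timeout_jiffies` on every pass but never advances that field, so unless smi_event_handler() updates it (not visible here) each iteration reports the whole time since the last timer tick rather than the time since the previous call, and the timeouts are consumed faster than real time. Adding `smi_info->last_timeout_jiffies = jiffies_now;` after the subtraction would keep the accounting linear. The helper also has no comment; a line such as `/* Drive the state machine by hand during shutdown, charging real elapsed time to the timeouts. */` would explain why poll() is not used. The loop has no upper bound of its own and relies on those timeouts to terminate.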
+@@ -2187,16 +2201,13 @@ static void shutdown_smi(void *send_info
+ * in the BMC. Note that timers and CPU interrupts are off,
+ * so no need for locks.
+ */
+- while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) {
+- poll(smi_info);
+- schedule_timeout_uninterruptible(1);
+- }
++ wait_msg_processed(smi_info);
++
+ if (smi_info->handlers)
+ disable_si_irq(smi_info);
+- while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) {
+- poll(smi_info);
+- schedule_timeout_uninterruptible(1);
+- }
++
++ wait_msg_processed(smi_info);
++
+ if (smi_info->handlers)
+ smi_info->handlers->cleanup(smi_info->si_sm);
+
--- /dev/null
+From a92ce570c81dc0feaeb12a429b4bc65686d17967 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <error27@gmail.com>
+Date: Tue, 15 Nov 2022 16:17:43 +0300
+Subject: ipmi: fix use after free in _ipmi_destroy_user()
+
+From: Dan Carpenter <error27@gmail.com>
+
+commit a92ce570c81dc0feaeb12a429b4bc65686d17967 upstream.
+
+The intf_free() function frees the "intf" pointer so we cannot
+dereference it again on the next line.
+
+Fixes: cbb79863fc31 ("ipmi: Don't allow device module unload when in use")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Message-Id: <Y3M8xa1drZv4CToE@kili>
+Cc: <stable@vger.kernel.org> # 5.5+
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_msghandler.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -1330,6 +1330,7 @@ static void _ipmi_destroy_user(struct ip
+ unsigned long flags;
+ struct cmd_rcvr *rcvr;
+ struct cmd_rcvr *rcvrs = NULL;
++ struct module *owner;
+
+ if (!acquire_ipmi_user(user, &i)) {
+ /*
+@@ -1392,8 +1393,9 @@ static void _ipmi_destroy_user(struct ip
+ kfree(rcvr);
+ }
+
++ owner = intf->owner;
+ kref_put(&intf->refcount, intf_free);
+- module_put(intf->owner);
++ module_put(owner);
+ }
+
+ int ipmi_destroy_user(struct ipmi_user *user)
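Review bot: The new local `owner` has no comment explaining why it exists, and without one the two-step `owner = intf->owner;` ... `module_put(owner);` looks like a candidate for a later cleanup that would reintroduce the use after free. A short comment above the assignment, e.g. `/* kref_put() may free intf; read owner while it is still valid */`, records the ordering constraint. _ipmi_destroy_user's body starts outside this hunk.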
--- /dev/null
+From dc608edf7d45ba0c2ad14c06eccd66474fec7847 Mon Sep 17 00:00:00 2001
+From: Maximilian Luz <luzmaximilian@gmail.com>
+Date: Thu, 8 Sep 2022 00:44:09 +0200
+Subject: ipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection()
+
+From: Maximilian Luz <luzmaximilian@gmail.com>
+
+commit dc608edf7d45ba0c2ad14c06eccd66474fec7847 upstream.
+
+Calling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose()
+with a subdev state of NULL leads to a NULL pointer dereference. This
+can currently happen in imgu_subdev_set_selection() when the state
+passed in is NULL, as this method first gets pointers to both the "try"
+and "active" states and only then decides which to use.
+
+The same issue has been addressed for imgu_subdev_get_selection() with
+commit 30d03a0de650 ("ipu3-imgu: Fix NULL pointer dereference in active
+selection access"). However the issue still persists in
+imgu_subdev_set_selection().
+
+Therefore, apply a similar fix as done in the aforementioned commit to
+imgu_subdev_set_selection(). To keep things a bit cleaner, introduce
+helper functions for "crop" and "compose" access and use them in both
+imgu_subdev_set_selection() and imgu_subdev_get_selection().
+
+Fixes: 0d346d2a6f54 ("media: v4l2-subdev: add subdev-wide state struct")
+Cc: stable@vger.kernel.org # for v5.14 and later
+Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/ipu3/ipu3-v4l2.c | 57 +++++++++++++++++++--------------
+ 1 file changed, 34 insertions(+), 23 deletions(-)
+
+--- a/drivers/staging/media/ipu3/ipu3-v4l2.c
++++ b/drivers/staging/media/ipu3/ipu3-v4l2.c
+@@ -188,6 +188,28 @@ static int imgu_subdev_set_fmt(struct v4
+ return 0;
+ }
+
++static struct v4l2_rect *
++imgu_subdev_get_crop(struct imgu_v4l2_subdev *sd,
++ struct v4l2_subdev_state *sd_state, unsigned int pad,
++ enum v4l2_subdev_format_whence which)
++{
++ if (which == V4L2_SUBDEV_FORMAT_TRY)
++ return v4l2_subdev_get_try_crop(&sd->subdev, sd_state, pad);
++ else
++ return &sd->rect.eff;
++}
++
++static struct v4l2_rect *
++imgu_subdev_get_compose(struct imgu_v4l2_subdev *sd,
++ struct v4l2_subdev_state *sd_state, unsigned int pad,
++ enum v4l2_subdev_format_whence which)
++{
++ if (which == V4L2_SUBDEV_FORMAT_TRY)
++ return v4l2_subdev_get_try_compose(&sd->subdev, sd_state, pad);
++ else
++ return &sd->rect.bds;
++}
++
+ static int imgu_subdev_get_selection(struct v4l2_subdev *sd,
+ struct v4l2_subdev_state *sd_state,
+ struct v4l2_subdev_selection *sel)
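Review bot: `imgu_subdev_get_crop()` and `imgu_subdev_get_compose()` still pass `sd_state` straight to the v4l2 try accessors when `which == V4L2_SUBDEV_FORMAT_TRY`, so the helpers are only NULL-safe for the active case, and nothing documents that contract. I would add a comment on each helper along the lines of `/* sd_state may be NULL for ACTIVE; it must be valid for TRY */`; whether the core guarantees a state for TRY calls is not visible in this patch. As a style point, the `else` after `return` is redundant in both helpers, so `return &sd->rect.eff;` can follow the `if` directly. The later hunks dereference or write through the returned pointer without a check (`sel->r = *imgu_subdev_get_crop(...)`, `*rect = sel->r;`).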
+@@ -200,18 +222,12 @@ static int imgu_subdev_get_selection(str
+
+ switch (sel->target) {
+ case V4L2_SEL_TGT_CROP:
+- if (sel->which == V4L2_SUBDEV_FORMAT_TRY)
+- sel->r = *v4l2_subdev_get_try_crop(sd, sd_state,
+- sel->pad);
+- else
+- sel->r = imgu_sd->rect.eff;
++ sel->r = *imgu_subdev_get_crop(imgu_sd, sd_state, sel->pad,
++ sel->which);
+ return 0;
+ case V4L2_SEL_TGT_COMPOSE:
+- if (sel->which == V4L2_SUBDEV_FORMAT_TRY)
+- sel->r = *v4l2_subdev_get_try_compose(sd, sd_state,
+- sel->pad);
+- else
+- sel->r = imgu_sd->rect.bds;
++ sel->r = *imgu_subdev_get_compose(imgu_sd, sd_state, sel->pad,
++ sel->which);
+ return 0;
+ default:
+ return -EINVAL;
+@@ -223,10 +239,9 @@ static int imgu_subdev_set_selection(str
+ struct v4l2_subdev_selection *sel)
+ {
+ struct imgu_device *imgu = v4l2_get_subdevdata(sd);
+- struct imgu_v4l2_subdev *imgu_sd = container_of(sd,
+- struct imgu_v4l2_subdev,
+- subdev);
+- struct v4l2_rect *rect, *try_sel;
++ struct imgu_v4l2_subdev *imgu_sd =
++ container_of(sd, struct imgu_v4l2_subdev, subdev);
++ struct v4l2_rect *rect;
+
+ dev_dbg(&imgu->pci_dev->dev,
+ "set subdev %u sel which %u target 0x%4x rect [%ux%u]",
+@@ -238,22 +253,18 @@ static int imgu_subdev_set_selection(str
+
+ switch (sel->target) {
+ case V4L2_SEL_TGT_CROP:
+- try_sel = v4l2_subdev_get_try_crop(sd, sd_state, sel->pad);
+- rect = &imgu_sd->rect.eff;
++ rect = imgu_subdev_get_crop(imgu_sd, sd_state, sel->pad,
++ sel->which);
+ break;
+ case V4L2_SEL_TGT_COMPOSE:
+- try_sel = v4l2_subdev_get_try_compose(sd, sd_state, sel->pad);
+- rect = &imgu_sd->rect.bds;
++ rect = imgu_subdev_get_compose(imgu_sd, sd_state, sel->pad,
++ sel->which);
+ break;
+ default:
+ return -EINVAL;
+ }
+
+- if (sel->which == V4L2_SUBDEV_FORMAT_TRY)
+- *try_sel = sel->r;
+- else
+- *rect = sel->r;
+-
++ *rect = sel->r;
+ return 0;
+ }
+
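Review bot: `*rect = sel->r;` copies the caller-supplied rectangle into either the try state or the active `rect.eff`/`rect.bds` with no bounds check visible in this hunk. The start of imgu_subdev_set_selection() is outside the hunk, so validation may already happen there or further down the pipeline. If it does not, the rectangle should be constrained to the input pad format before it is stored in the active configuration, for example with `v4l2_rect_map_inside()`.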
--- /dev/null
+From 4555211190798b6b6fa2c37667d175bf67945c78 Mon Sep 17 00:00:00 2001
+From: Florian-Ewald Mueller <florian-ewald.mueller@ionos.com>
+Date: Tue, 25 Oct 2022 09:37:05 +0200
+Subject: md/bitmap: Fix bitmap chunk size overflow issues
+
+From: Florian-Ewald Mueller <florian-ewald.mueller@ionos.com>
+
+commit 4555211190798b6b6fa2c37667d175bf67945c78 upstream.
+
+- limit bitmap chunk size internal u64 variable to values not overflowing
+ the u32 bitmap superblock structure variable stored on persistent media
+- assign bitmap chunk size internal u64 variable from unsigned values to
+ avoid possible sign extension artifacts when assigning from a s32 value
+
+The bug has been there since at least kernel 4.0.
+Steps to reproduce it:
+1: mdadm -C /dev/mdx -l 1 --bitmap=internal --bitmap-chunk=256M -e 1.2
+-n2 /dev/rnbd1 /dev/rnbd2
+2 resize member device rnbd1 and rnbd2 to 8 TB
+3 mdadm --grow /dev/mdx --size=max
+
+The bitmap_chunksize will overflow without patch.
+
+Cc: stable@vger.kernel.org
+
+Signed-off-by: Florian-Ewald Mueller <florian-ewald.mueller@ionos.com>
+Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md-bitmap.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/md-bitmap.c
++++ b/drivers/md/md-bitmap.c
+@@ -486,7 +486,7 @@ void md_bitmap_print_sb(struct bitmap *b
+ sb = kmap_atomic(bitmap->storage.sb_page);
+ pr_debug("%s: bitmap file superblock:\n", bmname(bitmap));
+ pr_debug(" magic: %08x\n", le32_to_cpu(sb->magic));
+- pr_debug(" version: %d\n", le32_to_cpu(sb->version));
++ pr_debug(" version: %u\n", le32_to_cpu(sb->version));
+ pr_debug(" uuid: %08x.%08x.%08x.%08x\n",
+ le32_to_cpu(*(__le32 *)(sb->uuid+0)),
+ le32_to_cpu(*(__le32 *)(sb->uuid+4)),
+@@ -497,11 +497,11 @@ void md_bitmap_print_sb(struct bitmap *b
+ pr_debug("events cleared: %llu\n",
+ (unsigned long long) le64_to_cpu(sb->events_cleared));
+ pr_debug(" state: %08x\n", le32_to_cpu(sb->state));
+- pr_debug(" chunksize: %d B\n", le32_to_cpu(sb->chunksize));
+- pr_debug(" daemon sleep: %ds\n", le32_to_cpu(sb->daemon_sleep));
++ pr_debug(" chunksize: %u B\n", le32_to_cpu(sb->chunksize));
++ pr_debug(" daemon sleep: %us\n", le32_to_cpu(sb->daemon_sleep));
+ pr_debug(" sync size: %llu KB\n",
+ (unsigned long long)le64_to_cpu(sb->sync_size)/2);
+- pr_debug("max write behind: %d\n", le32_to_cpu(sb->write_behind));
++ pr_debug("max write behind: %u\n", le32_to_cpu(sb->write_behind));
+ kunmap_atomic(sb);
+ }
+
+@@ -2105,7 +2105,8 @@ int md_bitmap_resize(struct bitmap *bitm
+ bytes = DIV_ROUND_UP(chunks, 8);
+ if (!bitmap->mddev->bitmap_info.external)
+ bytes += sizeof(bitmap_super_t);
+- } while (bytes > (space << 9));
++ } while (bytes > (space << 9) && (chunkshift + BITMAP_BLOCK_SHIFT) <
++ (BITS_PER_BYTE * sizeof(((bitmap_super_t *)0)->chunksize) - 1));
+ } else
+ chunkshift = ffz(~chunksize) - BITMAP_BLOCK_SHIFT;
+
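Review bot: With the added shift bound, the do/while can now end while `bytes > (space << 9)` is still true, meaning the bitmap does not fit in the reserved space even at the largest chunk size the loop allows. Nothing in this hunk distinguishes that exit from the normal one. The loop head and the rest of md_bitmap_resize() are outside the hunk, so this may be handled elsewhere. If it is not, an explicit check after the loop, such as `if (bytes > (space << 9)) return -ENOSPC;` (or the function's existing error path), would keep the bitmap from being sized past its space.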
+@@ -2150,7 +2151,7 @@ int md_bitmap_resize(struct bitmap *bitm
+ bitmap->counts.missing_pages = pages;
+ bitmap->counts.chunkshift = chunkshift;
+ bitmap->counts.chunks = chunks;
+- bitmap->mddev->bitmap_info.chunksize = 1 << (chunkshift +
++ bitmap->mddev->bitmap_info.chunksize = 1UL << (chunkshift +
+ BITMAP_BLOCK_SHIFT);
+
+ blocks = min(old_counts.chunks << old_counts.chunkshift,
+@@ -2176,8 +2177,8 @@ int md_bitmap_resize(struct bitmap *bitm
+ bitmap->counts.missing_pages = old_counts.pages;
+ bitmap->counts.chunkshift = old_counts.chunkshift;
+ bitmap->counts.chunks = old_counts.chunks;
+- bitmap->mddev->bitmap_info.chunksize = 1 << (old_counts.chunkshift +
+- BITMAP_BLOCK_SHIFT);
++ bitmap->mddev->bitmap_info.chunksize =
++ 1UL << (old_counts.chunkshift + BITMAP_BLOCK_SHIFT);
+ blocks = old_counts.chunks << old_counts.chunkshift;
+ pr_warn("Could not pre-allocate in-memory bitmap for cluster raid\n");
+ break;
+@@ -2537,6 +2538,9 @@ chunksize_store(struct mddev *mddev, con
+ if (csize < 512 ||
+ !is_power_of_2(csize))
+ return -EINVAL;
++ if (BITS_PER_LONG > 32 && csize >= (1ULL << (BITS_PER_BYTE *
++ sizeof(((bitmap_super_t *)0)->chunksize))))
++ return -EOVERFLOW;
+ mddev->bitmap_info.chunksize = csize;
+ return len;
+ }
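Review bot: The new bound in chunksize_store() has no comment saying that the limit comes from the 32-bit `chunksize` field of the bitmap superblock, and the `BITS_PER_LONG > 32` guard is not self-explanatory. I would add `/* chunksize is written to a 32-bit superblock field; reject values that would be truncated */` above the `if`. The open-coded width would also read better as `BITS_PER_BYTE * sizeof_field(bitmap_super_t, chunksize)`, which could be shared with the matching expression in md_bitmap_resize(). The start of chunksize_store(), where `csize` is parsed, is outside this hunk.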
--- /dev/null
+From 2ebc336be08160debfe27f87660cf550d710f3e9 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Date: Fri, 19 Nov 2021 09:14:12 +0100
+Subject: mtd: spi-nor: Check for zero erase size in spi_nor_find_best_erase_type()
+
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+
+commit 2ebc336be08160debfe27f87660cf550d710f3e9 upstream.
+
+Erase can be zeroed in spi_nor_parse_4bait() or
+spi_nor_init_non_uniform_erase_map(). In practice it happened with
+mt25qu256a, which supports 4K, 32K, 64K erases with 3b address commands,
+but only 4K and 64K erase with 4b address commands.
+
+Fixes: dc92843159a7 ("mtd: spi-nor: fix erase_type array to indicate current map conf")
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211119081412.29732-1-alexander.sverdlin@nokia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/spi-nor/core.c
++++ b/drivers/mtd/spi-nor/core.c
+@@ -1184,6 +1184,8 @@ spi_nor_find_best_erase_type(const struc
+ continue;
+
+ erase = &map->erase_type[i];
++ if (!erase->size)
++ continue;
+
+ /* Alignment is not mandatory for overlaid regions */
+ if (region->offset & SNOR_OVERLAID_REGION &&
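Review bot: The new `if (!erase->size) continue;` has no comment, and nothing in this function shows why a populated erase_type slot can have size 0. A one-line comment such as `/* Size may have been zeroed by spi_nor_parse_4bait() or spi_nor_init_non_uniform_erase_map() */` would record the reason given in the commit description. The loop head and the later uses of `erase->size` are outside the hunk, so the exact failure a zero size would cause cannot be confirmed from here.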
--- /dev/null
+From 4dc49062a7e9c0c7261807fb855df1c611eb78c3 Mon Sep 17 00:00:00 2001
+From: Yaliang Wang <Yaliang.Wang@windriver.com>
+Date: Mon, 17 Oct 2022 01:19:01 +0800
+Subject: mtd: spi-nor: gigadevice: gd25q256: replace gd25q256_default_init with gd25q256_post_bfpt
+
+From: Yaliang Wang <Yaliang.Wang@windriver.com>
+
+commit 4dc49062a7e9c0c7261807fb855df1c611eb78c3 upstream.
+
+When utilizing PARSE_SFDP to initialize the flash parameter, the
+deprecated initializing method spi_nor_init_params_deprecated() and the
+function spi_nor_manufacturer_init_params() within it will never be
+executed, which means the default_init hook function will also never
+be executed.
+
+This is okay for 'D' generation of GD25Q256, because 'D' generation is
+implementing the JESD216B standards, it has QER field defined in BFPT,
+parsing the SFDP can properly set the quad_enable function. The 'E'
+generation also implements the JESD216B standards, and it has the same
+status register definitions as 'D' generation, parsing the SFDP to set
+the quad_enable function should also work for 'E' generation.
+
+However, the same thing can't apply to 'C' generation. 'C' generation
+'GD25Q256C' implements the JESD216 standards, and it doesn't have the
+QER field defined in BFPT, since it does have QE bit in status register
+1, the quad_enable hook needs to be tweaked to properly set the
+quad_enable function, this can be done in post_bfpt fixup hook.
+
+Fixes: 047275f7de18 ("mtd: spi-nor: gigadevice: gd25q256: Init flash based on SFDP")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Yaliang Wang <Yaliang.Wang@windriver.com>
+[tudor.ambarus@microchip.com: Update comment in gd25q256_post_bfpt]
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20221016171901.1483542-2-yaliang.wang@windriver.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/gigadevice.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+--- a/drivers/mtd/spi-nor/gigadevice.c
++++ b/drivers/mtd/spi-nor/gigadevice.c
+@@ -8,19 +8,29 @@
+
+ #include "core.h"
+
+-static void gd25q256_default_init(struct spi_nor *nor)
++static int
++gd25q256_post_bfpt(struct spi_nor *nor,
++ const struct sfdp_parameter_header *bfpt_header,
++ const struct sfdp_bfpt *bfpt)
+ {
+ /*
+- * Some manufacturer like GigaDevice may use different
+- * bit to set QE on different memories, so the MFR can't
+- * indicate the quad_enable method for this case, we need
+- * to set it in the default_init fixup hook.
++ * GD25Q256C supports the first version of JESD216 which does not define
++ * the Quad Enable methods. Overwrite the default Quad Enable method.
++ *
++ * GD25Q256 GENERATION | SFDP MAJOR VERSION | SFDP MINOR VERSION
++ * GD25Q256C | SFDP_JESD216_MAJOR | SFDP_JESD216_MINOR
++ * GD25Q256D | SFDP_JESD216_MAJOR | SFDP_JESD216B_MINOR
++ * GD25Q256E | SFDP_JESD216_MAJOR | SFDP_JESD216B_MINOR
+ */
+- nor->params->quad_enable = spi_nor_sr1_bit6_quad_enable;
++ if (bfpt_header->major == SFDP_JESD216_MAJOR &&
++ bfpt_header->minor == SFDP_JESD216_MINOR)
++ nor->params->quad_enable = spi_nor_sr1_bit6_quad_enable;
++
++ return 0;
+ }
+
+ static const struct spi_nor_fixups gd25q256_fixups = {
+- .default_init = gd25q256_default_init,
++ .post_bfpt = gd25q256_post_bfpt,
+ };
+
+ static const struct flash_info gigadevice_nor_parts[] = {
--- /dev/null
+From 9086e6017957c5cd6ea28d94b70e0d513d6b7800 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 17 Dec 2022 20:05:43 +0100
+Subject: parisc: Add missing FORCE prerequisites in Makefile
+
+From: Helge Deller <deller@gmx.de>
+
+commit 9086e6017957c5cd6ea28d94b70e0d513d6b7800 upstream.
+
+Fix those make warnings:
+ arch/parisc/kernel/vdso32/Makefile:30: FORCE prerequisite is missing
+ arch/parisc/kernel/vdso64/Makefile:30: FORCE prerequisite is missing
+
+Add the missing FORCE prerequisites for all build targets identified by
+"make help".
+
+Fixes: e1f86d7b4b2a5213 ("kbuild: warn if FORCE is missing for if_changed(_dep,_rule) and filechk")
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: <stable@vger.kernel.org> # 5.18+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/vdso32/Makefile | 4 ++--
+ arch/parisc/kernel/vdso64/Makefile | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/parisc/kernel/vdso32/Makefile
++++ b/arch/parisc/kernel/vdso32/Makefile
+@@ -26,7 +26,7 @@ $(obj)/vdso32_wrapper.o : $(obj)/vdso32.
+
+ # Force dependency (incbin is bad)
+ # link rule for the .so file, .lds has to be first
+-$(obj)/vdso32.so: $(src)/vdso32.lds $(obj-vdso32) $(obj-cvdso32) $(VDSO_LIBGCC)
++$(obj)/vdso32.so: $(src)/vdso32.lds $(obj-vdso32) $(obj-cvdso32) $(VDSO_LIBGCC) FORCE
+ $(call if_changed,vdso32ld)
+
+ # assembly rules for the .S files
+@@ -38,7 +38,7 @@ $(obj-cvdso32): %.o: %.c FORCE
+
+ # actual build commands
+ quiet_cmd_vdso32ld = VDSO32L $@
+- cmd_vdso32ld = $(CROSS32CC) $(c_flags) -Wl,-T $^ -o $@
++ cmd_vdso32ld = $(CROSS32CC) $(c_flags) -Wl,-T $(filter-out FORCE, $^) -o $@
+ quiet_cmd_vdso32as = VDSO32A $@
+ cmd_vdso32as = $(CROSS32CC) $(a_flags) -c -o $@ $<
+ quiet_cmd_vdso32cc = VDSO32C $@
+--- a/arch/parisc/kernel/vdso64/Makefile
++++ b/arch/parisc/kernel/vdso64/Makefile
+@@ -26,7 +26,7 @@ $(obj)/vdso64_wrapper.o : $(obj)/vdso64.
+
+ # Force dependency (incbin is bad)
+ # link rule for the .so file, .lds has to be first
+-$(obj)/vdso64.so: $(src)/vdso64.lds $(obj-vdso64) $(VDSO_LIBGCC)
++$(obj)/vdso64.so: $(src)/vdso64.lds $(obj-vdso64) $(VDSO_LIBGCC) FORCE
+ $(call if_changed,vdso64ld)
+
+ # assembly rules for the .S files
+@@ -35,7 +35,7 @@ $(obj-vdso64): %.o: %.S FORCE
+
+ # actual build commands
+ quiet_cmd_vdso64ld = VDSO64L $@
+- cmd_vdso64ld = $(CC) $(c_flags) -Wl,-T $^ -o $@
++ cmd_vdso64ld = $(CC) $(c_flags) -Wl,-T $(filter-out FORCE, $^) -o $@
+ quiet_cmd_vdso64as = VDSO64A $@
+ cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $<
+
--- /dev/null
+From 7e6652c79ecd74e1112500668d956367dc3772a5 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 26 Nov 2022 21:35:29 +0100
+Subject: parisc: Drop duplicate kgdb_pdc console
+
+From: Helge Deller <deller@gmx.de>
+
+commit 7e6652c79ecd74e1112500668d956367dc3772a5 upstream.
+
+The kgdb console is already implemented and registered in pdc_cons.c,
+so the duplicate code can be dropped.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: <stable@vger.kernel.org> # 6.1+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/kgdb.c | 20 --------------------
+ 1 file changed, 20 deletions(-)
+
+diff --git a/arch/parisc/kernel/kgdb.c b/arch/parisc/kernel/kgdb.c
+index ab7620f695be..b16fa9bac5f4 100644
+--- a/arch/parisc/kernel/kgdb.c
++++ b/arch/parisc/kernel/kgdb.c
+@@ -208,23 +208,3 @@ int kgdb_arch_handle_exception(int trap, int signo,
+ }
+ return -1;
+ }
+-
+-/* KGDB console driver which uses PDC to read chars from keyboard */
+-
+-static void kgdb_pdc_write_char(u8 chr)
+-{
+- /* no need to print char. kgdb will do it. */
+-}
+-
+-static struct kgdb_io kgdb_pdc_io_ops = {
+- .name = "kgdb_pdc",
+- .read_char = pdc_iodc_getc,
+- .write_char = kgdb_pdc_write_char,
+-};
+-
+-static int __init kgdb_pdc_init(void)
+-{
+- kgdb_register_io_module(&kgdb_pdc_io_ops);
+- return 0;
+-}
+-early_initcall(kgdb_pdc_init);
+--
+2.39.0
+
--- /dev/null
+From 7dc4dbfe750e1f18c511e73c8ed114da8de9ff85 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 17 Dec 2022 17:45:40 +0100
+Subject: parisc: Drop locking in pdc console code
+
+From: Helge Deller <deller@gmx.de>
+
+commit 7dc4dbfe750e1f18c511e73c8ed114da8de9ff85 upstream.
+
+There is no need for specific locking for console I/O since
+the PDC functions provide their own locking.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: <stable@vger.kernel.org> # 6.1+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/pdc_cons.c | 16 +++-------------
+ 1 file changed, 3 insertions(+), 13 deletions(-)
+
+diff --git a/arch/parisc/kernel/pdc_cons.c b/arch/parisc/kernel/pdc_cons.c
+index 7d0989f523d0..cf3bf8232374 100644
+--- a/arch/parisc/kernel/pdc_cons.c
++++ b/arch/parisc/kernel/pdc_cons.c
+@@ -12,37 +12,27 @@
+ #include <asm/page.h> /* for PAGE0 */
+ #include <asm/pdc.h> /* for iodc_call() proto and friends */
+
+-static DEFINE_SPINLOCK(pdc_console_lock);
+-
+ static void pdc_console_write(struct console *co, const char *s, unsigned count)
+ {
+ int i = 0;
+- unsigned long flags;
+
+- spin_lock_irqsave(&pdc_console_lock, flags);
+ do {
+ i += pdc_iodc_print(s + i, count - i);
+ } while (i < count);
+- spin_unlock_irqrestore(&pdc_console_lock, flags);
+ }
+
+ #ifdef CONFIG_KGDB
+ static int kgdb_pdc_read_char(void)
+ {
+- int c;
+- unsigned long flags;
+-
+- spin_lock_irqsave(&pdc_console_lock, flags);
+- c = pdc_iodc_getc();
+- spin_unlock_irqrestore(&pdc_console_lock, flags);
++ int c = pdc_iodc_getc();
+
+ return (c <= 0) ? NO_POLL_CHAR : c;
+ }
+
+ static void kgdb_pdc_write_char(u8 chr)
+ {
+- if (PAGE0->mem_cons.cl_class != CL_DUPLEX)
+- pdc_console_write(NULL, &chr, 1);
++ /* no need to print char as it's shown on standard console */
++ /* pdc_iodc_print(&chr, 1); */
+ }
+
+ static struct kgdb_io kgdb_pdc_io_ops = {
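Review bot: Dropping pdc_console_lock is only safe once pdc_iodc_print() itself holds pdc_lock while it fills iodc_dbuf[], which is what the separate change "parisc: Fix locking in pdc_iodc_print() firmware call" does. The two patches therefore need to be applied together when backporting, with that one first; otherwise concurrent console writers would race on the shared buffer. The new kgdb_pdc_write_char() body also keeps a commented-out call, `/* pdc_iodc_print(&chr, 1); */`, which is better deleted than left as dead text.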
+--
+2.39.0
+
--- /dev/null
+From fe94cb1a614d2df2764d49ac959d8b7e4cb98e15 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Wed, 14 Dec 2022 22:17:57 +0100
+Subject: parisc: Drop PMD_SHIFT from calculation in pgtable.h
+
+From: Helge Deller <deller@gmx.de>
+
+commit fe94cb1a614d2df2764d49ac959d8b7e4cb98e15 upstream.
+
+PMD_SHIFT isn't defined if CONFIG_PGTABLE_LEVELS == 3, and as
+such the kernel test robot found this warning:
+
+ In file included from include/linux/pgtable.h:6,
+ from arch/parisc/kernel/head.S:23:
+ arch/parisc/include/asm/pgtable.h:169:32: warning: "PMD_SHIFT" is not defined, evaluates to 0 [-Wundef]
+ 169 | #if (KERNEL_INITIAL_ORDER) >= (PMD_SHIFT)
+
+Avoid the warning by using PLD_SHIFT and BITS_PER_PTE.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: <stable@vger.kernel.org> # 6.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/asm/pgtable.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/include/asm/pgtable.h
++++ b/arch/parisc/include/asm/pgtable.h
+@@ -166,8 +166,8 @@ extern void __update_cache(pte_t pte);
+
+ /* This calculates the number of initial pages we need for the initial
+ * page tables */
+-#if (KERNEL_INITIAL_ORDER) >= (PMD_SHIFT)
+-# define PT_INITIAL (1 << (KERNEL_INITIAL_ORDER - PMD_SHIFT))
++#if (KERNEL_INITIAL_ORDER) >= (PLD_SHIFT + BITS_PER_PTE)
++# define PT_INITIAL (1 << (KERNEL_INITIAL_ORDER - PLD_SHIFT - BITS_PER_PTE))
+ #else
+ # define PT_INITIAL (1) /* all initial PTEs fit into one page */
+ #endif
--- /dev/null
+From 7236aae5f81f3efbd93d0601e74fc05994bc2580 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 26 Nov 2022 21:29:31 +0100
+Subject: parisc: Fix locking in pdc_iodc_print() firmware call
+
+From: Helge Deller <deller@gmx.de>
+
+commit 7236aae5f81f3efbd93d0601e74fc05994bc2580 upstream.
+
+Utilize pdc_lock spinlock to protect parallel modifications of the
+iodc_dbuf[] buffer, check length to prevent buffer overflow of
+iodc_dbuf[], drop the iodc_retbuf[] buffer and fix some incorrect
+indentation.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: <stable@vger.kernel.org> # 6.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/firmware.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+--- a/arch/parisc/kernel/firmware.c
++++ b/arch/parisc/kernel/firmware.c
+@@ -1288,9 +1288,8 @@ void pdc_io_reset_devices(void)
+
+ #endif /* defined(BOOTLOADER) */
+
+-/* locked by pdc_console_lock */
+-static int __attribute__((aligned(8))) iodc_retbuf[32];
+-static char __attribute__((aligned(64))) iodc_dbuf[4096];
++/* locked by pdc_lock */
++static char iodc_dbuf[4096] __page_aligned_bss;
+
+ /**
+ * pdc_iodc_print - Console print using IODC.
+@@ -1307,6 +1306,9 @@ int pdc_iodc_print(const unsigned char *
+ unsigned int i;
+ unsigned long flags;
+
++ count = min_t(unsigned int, count, sizeof(iodc_dbuf));
++
++ spin_lock_irqsave(&pdc_lock, flags);
+ for (i = 0; i < count;) {
+ switch(str[i]) {
+ case '\n':
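Review bot: Clamping `count` to `sizeof(iodc_dbuf)` bounds the copy only if every input byte produces at most one byte in iodc_dbuf. The body of `case '\n':` is outside this hunk. If it expands the newline to a two-byte sequence, a newline at the last clamped index would still write one byte past the end of the buffer. In that case the clamp should leave room for it, e.g. `count = min_t(unsigned int, count, sizeof(iodc_dbuf) - 1);`.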
+@@ -1322,12 +1324,11 @@ int pdc_iodc_print(const unsigned char *
+ }
+
+ print:
+- spin_lock_irqsave(&pdc_lock, flags);
+- real32_call(PAGE0->mem_cons.iodc_io,
+- (unsigned long)PAGE0->mem_cons.hpa, ENTRY_IO_COUT,
+- PAGE0->mem_cons.spa, __pa(PAGE0->mem_cons.dp.layers),
+- __pa(iodc_retbuf), 0, __pa(iodc_dbuf), i, 0);
+- spin_unlock_irqrestore(&pdc_lock, flags);
++ real32_call(PAGE0->mem_cons.iodc_io,
++ (unsigned long)PAGE0->mem_cons.hpa, ENTRY_IO_COUT,
++ PAGE0->mem_cons.spa, __pa(PAGE0->mem_cons.dp.layers),
++ __pa(pdc_result), 0, __pa(iodc_dbuf), i, 0);
++ spin_unlock_irqrestore(&pdc_lock, flags);
+
+ return i;
+ }
+@@ -1354,10 +1355,11 @@ int pdc_iodc_getc(void)
+ real32_call(PAGE0->mem_kbd.iodc_io,
+ (unsigned long)PAGE0->mem_kbd.hpa, ENTRY_IO_CIN,
+ PAGE0->mem_kbd.spa, __pa(PAGE0->mem_kbd.dp.layers),
+- __pa(iodc_retbuf), 0, __pa(iodc_dbuf), 1, 0);
++ __pa(pdc_result), 0, __pa(iodc_dbuf), 1, 0);
+
+ ch = *iodc_dbuf;
+- status = *iodc_retbuf;
++ /* like convert_to_wide() but for first return value only: */
++ status = *(int *)&pdc_result;
+ spin_unlock_irqrestore(&pdc_lock, flags);
+
+ if (status == 0)
--- /dev/null
+From 41f563ab3c33698bdfc3403c7c2e6c94e73681e4 Mon Sep 17 00:00:00 2001
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+Date: Thu, 17 Nov 2022 10:45:14 +0800
+Subject: parisc: led: Fix potential null-ptr-deref in start_task()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+commit 41f563ab3c33698bdfc3403c7c2e6c94e73681e4 upstream.
+
+start_task() calls create_singlethread_workqueue() without checking the
+return value, which may be NULL. A null-ptr-deref may then happen:
+
+start_task()
+ create_singlethread_workqueue() # failed, led_wq is NULL
+ queue_delayed_work()
+ queue_delayed_work_on()
+ __queue_delayed_work() # warning here, but continue
+ __queue_work() # access wq->flags, null-ptr-deref
+
+Check the ret value and return -ENOMEM if it is NULL.
+
+Fixes: 3499495205a6 ("[PARISC] Use work queue in LED/LCD driver instead of tasklet.")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/parisc/led.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/parisc/led.c
++++ b/drivers/parisc/led.c
+@@ -137,6 +137,9 @@ static int start_task(void)
+
+ /* Create the work queue and queue the LED task */
+ led_wq = create_singlethread_workqueue("led_wq");
++ if (!led_wq)
++ return -ENOMEM;
++
+ queue_delayed_work(led_wq, &led_task, 0);
+
+ return 0;
--- /dev/null
+From 98b04dd0b4577894520493d96bc4623387767445 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Wed, 26 Oct 2022 02:11:21 -0400
+Subject: PCI: Fix pci_device_is_present() for VFs by checking PF
+
+From: Michael S. Tsirkin <mst@redhat.com>
+
+commit 98b04dd0b4577894520493d96bc4623387767445 upstream.
+
+pci_device_is_present() previously didn't work for VFs because it reads the
+Vendor and Device ID, which are 0xffff for VFs, which looks like they
+aren't present. Check the PF instead.
+
+Wei Gong reported that if virtio I/O is in progress when the driver is
+unbound or "0" is written to /sys/.../sriov_numvfs, the virtio I/O
+operation hangs, which may result in output like this:
+
+ task:bash state:D stack: 0 pid: 1773 ppid: 1241 flags:0x00004002
+ Call Trace:
+ schedule+0x4f/0xc0
+ blk_mq_freeze_queue_wait+0x69/0xa0
+ blk_mq_freeze_queue+0x1b/0x20
+ blk_cleanup_queue+0x3d/0xd0
+ virtblk_remove+0x3c/0xb0 [virtio_blk]
+ virtio_dev_remove+0x4b/0x80
+ ...
+ device_unregister+0x1b/0x60
+ unregister_virtio_device+0x18/0x30
+ virtio_pci_remove+0x41/0x80
+ pci_device_remove+0x3e/0xb0
+
+This happened because pci_device_is_present(VF) returned "false" in
+virtio_pci_remove(), so it called virtio_break_device(). The broken vq
+meant that vring_interrupt() skipped the vq.callback() that would have
+completed the virtio I/O operation via virtblk_done().
+
+[bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag]
+Link: https://lore.kernel.org/r/20221026060912.173250-1-mst@redhat.com
+Reported-by: Wei Gong <gongwei833x@gmail.com>
+Tested-by: Wei Gong <gongwei833x@gmail.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -6447,6 +6447,8 @@ bool pci_device_is_present(struct pci_de
+ {
+ u32 v;
+
++ /* Check PF if pdev is a VF, since VF Vendor/Device IDs are 0xffff */
++ pdev = pci_physfn(pdev);
+ if (pci_dev_is_disconnected(pdev))
+ return false;
+ return pci_bus_read_dev_vendor_id(pdev->bus, pdev->devfn, &v, 0);
--- /dev/null
+From aa382ffa705bea9931ec92b6f3c70e1fdb372195 Mon Sep 17 00:00:00 2001
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Tue, 8 Nov 2022 17:05:59 -0600
+Subject: PCI/sysfs: Fix double free in error path
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+commit aa382ffa705bea9931ec92b6f3c70e1fdb372195 upstream.
+
+When pci_create_attr() fails, pci_remove_resource_files() is called which
+will iterate over the res_attr[_wc] arrays and frees every non NULL entry.
+To avoid a double free here set the array entry only after it's clear we
+successfully initialized it.
+
+Fixes: b562ec8f74e4 ("PCI: Don't leak memory if sysfs_create_bin_file() fails")
+Link: https://lore.kernel.org/r/20221007070735.GX986@pengutronix.de/
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci-sysfs.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -1175,11 +1175,9 @@ static int pci_create_attr(struct pci_de
+
+ sysfs_bin_attr_init(res_attr);
+ if (write_combine) {
+- pdev->res_attr_wc[num] = res_attr;
+ sprintf(res_attr_name, "resource%d_wc", num);
+ res_attr->mmap = pci_mmap_resource_wc;
+ } else {
+- pdev->res_attr[num] = res_attr;
+ sprintf(res_attr_name, "resource%d", num);
+ if (pci_resource_flags(pdev, num) & IORESOURCE_IO) {
+ res_attr->read = pci_read_resource_io;
+@@ -1197,10 +1195,17 @@ static int pci_create_attr(struct pci_de
+ res_attr->size = pci_resource_len(pdev, num);
+ res_attr->private = (void *)(unsigned long)num;
+ retval = sysfs_create_bin_file(&pdev->dev.kobj, res_attr);
+- if (retval)
++ if (retval) {
+ kfree(res_attr);
++ return retval;
++ }
++
++ if (write_combine)
++ pdev->res_attr_wc[num] = res_attr;
++ else
++ pdev->res_attr[num] = res_attr;
+
+- return retval;
++ return 0;
+ }
+
+ /**
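Review bot: The code does not record why `pdev->res_attr[num]` and `pdev->res_attr_wc[num]` are now assigned only after sysfs_create_bin_file() succeeds, so a later cleanup could move the assignment back and reintroduce the double free. I would add above the new `if (write_combine)` the comment `/* Publish only after success: pci_remove_resource_files() frees every non-NULL entry */`. The start of pci_create_attr() is outside this hunk.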
--- /dev/null
+From 910dd4883d757af5faac92590f33f0f7da963032 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 14 Nov 2022 09:13:43 +0100
+Subject: phy: qcom-qmp-combo: fix sc8180x reset
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 910dd4883d757af5faac92590f33f0f7da963032 upstream.
+
+The SC8180X has two resets but the DP configuration erroneously
+described only one.
+
+In case the DP part of the PHY is initialised before the USB part (e.g.
+depending on probe order), then only the first reset would be asserted.
+
+Fixes: 1633802cd4ac ("phy: qcom: qmp: Add SC8180x USB/DP combo")
+Cc: stable@vger.kernel.org # 5.15
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20221114081346.5116-4-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
+@@ -1221,8 +1221,8 @@ static const struct qmp_phy_cfg sc8180x_
+
+ .clk_list = qmp_v3_phy_clk_l,
+ .num_clks = ARRAY_SIZE(qmp_v3_phy_clk_l),
+- .reset_list = sc7180_usb3phy_reset_l,
+- .num_resets = ARRAY_SIZE(sc7180_usb3phy_reset_l),
++ .reset_list = msm8996_usb3phy_reset_l,
++ .num_resets = ARRAY_SIZE(msm8996_usb3phy_reset_l),
+ .vreg_list = qmp_phy_vreg_l,
+ .num_vregs = ARRAY_SIZE(qmp_phy_vreg_l),
+ .regs = qmp_v3_usb3phy_regs_layout,
--- /dev/null
+From e965ab8216a419fadb4520b65a95dc7017daa800 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 14 Nov 2022 09:13:42 +0100
+Subject: phy: qcom-qmp-combo: fix sdm845 reset
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit e965ab8216a419fadb4520b65a95dc7017daa800 upstream.
+
+The SDM845 has two resets but the DP configuration erroneously described
+only one.
+
+In case the DP part of the PHY is initialised before the USB part (e.g.
+depending on probe order), then only the first reset would be asserted.
+
+Add a dedicated configuration for SDM845 rather than reuse the
+incompatible SC7180 configuration.
+
+Fixes: d88497fb6bbd ("phy: qualcomm: phy-qcom-qmp: add support for combo USB3+DP phy on SDM845")
+Cc: stable@vger.kernel.org # 6.1
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20221114081346.5116-3-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 39 +++++++++++++++++++++++++++++-
+ 1 file changed, 38 insertions(+), 1 deletion(-)
+
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
+@@ -1121,9 +1121,46 @@ static const struct qmp_phy_cfg sdm845_u
+ .pwrdn_delay_max = POWER_DOWN_DELAY_US_MAX,
+ };
+
++static const struct qmp_phy_cfg sdm845_dpphy_cfg = {
++ .type = PHY_TYPE_DP,
++ .lanes = 2,
++
++ .serdes_tbl = qmp_v3_dp_serdes_tbl,
++ .serdes_tbl_num = ARRAY_SIZE(qmp_v3_dp_serdes_tbl),
++ .tx_tbl = qmp_v3_dp_tx_tbl,
++ .tx_tbl_num = ARRAY_SIZE(qmp_v3_dp_tx_tbl),
++
++ .serdes_tbl_rbr = qmp_v3_dp_serdes_tbl_rbr,
++ .serdes_tbl_rbr_num = ARRAY_SIZE(qmp_v3_dp_serdes_tbl_rbr),
++ .serdes_tbl_hbr = qmp_v3_dp_serdes_tbl_hbr,
++ .serdes_tbl_hbr_num = ARRAY_SIZE(qmp_v3_dp_serdes_tbl_hbr),
++ .serdes_tbl_hbr2 = qmp_v3_dp_serdes_tbl_hbr2,
++ .serdes_tbl_hbr2_num = ARRAY_SIZE(qmp_v3_dp_serdes_tbl_hbr2),
++ .serdes_tbl_hbr3 = qmp_v3_dp_serdes_tbl_hbr3,
++ .serdes_tbl_hbr3_num = ARRAY_SIZE(qmp_v3_dp_serdes_tbl_hbr3),
++
++ .swing_hbr_rbr = &qmp_dp_v3_voltage_swing_hbr_rbr,
++ .pre_emphasis_hbr_rbr = &qmp_dp_v3_pre_emphasis_hbr_rbr,
++ .swing_hbr3_hbr2 = &qmp_dp_v3_voltage_swing_hbr3_hbr2,
++ .pre_emphasis_hbr3_hbr2 = &qmp_dp_v3_pre_emphasis_hbr3_hbr2,
++
++ .clk_list = qmp_v3_phy_clk_l,
++ .num_clks = ARRAY_SIZE(qmp_v3_phy_clk_l),
++ .reset_list = msm8996_usb3phy_reset_l,
++ .num_resets = ARRAY_SIZE(msm8996_usb3phy_reset_l),
++ .vreg_list = qmp_phy_vreg_l,
++ .num_vregs = ARRAY_SIZE(qmp_phy_vreg_l),
++ .regs = qmp_v3_usb3phy_regs_layout,
++
++ .dp_aux_init = qcom_qmp_v3_phy_dp_aux_init,
++ .configure_dp_tx = qcom_qmp_v3_phy_configure_dp_tx,
++ .configure_dp_phy = qcom_qmp_v3_phy_configure_dp_phy,
++ .calibrate_dp_phy = qcom_qmp_v3_dp_phy_calibrate,
++};
++
+ static const struct qmp_phy_combo_cfg sdm845_usb3dpphy_cfg = {
+ .usb_cfg = &sdm845_usb3phy_cfg,
+- .dp_cfg = &sc7180_dpphy_cfg,
++ .dp_cfg = &sdm845_dpphy_cfg,
+ };
+
+ static const struct qmp_phy_cfg sm8150_usb3phy_cfg = {
--- /dev/null
+From 11c7f9e3131ad14b27a957496088fa488b153a48 Mon Sep 17 00:00:00 2001
+From: Maria Yu <quic_aiquny@quicinc.com>
+Date: Tue, 6 Dec 2022 09:59:57 +0800
+Subject: remoteproc: core: Do pm_relax when in RPROC_OFFLINE state
+
+From: Maria Yu <quic_aiquny@quicinc.com>
+
+commit 11c7f9e3131ad14b27a957496088fa488b153a48 upstream.
+
+Make sure that pm_relax() happens even when the remoteproc
+is stopped before the crash handler work is scheduled.
+
+Signed-off-by: Maria Yu <quic_aiquny@quicinc.com>
+Cc: stable <stable@vger.kernel.org>
+Fixes: a781e5aa5911 ("remoteproc: core: Prevent system suspend during remoteproc recovery")
+Link: https://lore.kernel.org/r/20221206015957.2616-2-quic_aiquny@quicinc.com
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/remoteproc_core.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/remoteproc/remoteproc_core.c
++++ b/drivers/remoteproc/remoteproc_core.c
+@@ -1868,12 +1868,18 @@ static void rproc_crash_handler_work(str
+
+ mutex_lock(&rproc->lock);
+
+- if (rproc->state == RPROC_CRASHED || rproc->state == RPROC_OFFLINE) {
++ if (rproc->state == RPROC_CRASHED) {
+ /* handle only the first crash detected */
+ mutex_unlock(&rproc->lock);
+ return;
+ }
+
++ if (rproc->state == RPROC_OFFLINE) {
++ /* Don't recover if the remote processor was stopped */
++ mutex_unlock(&rproc->lock);
++ goto out;
++ }
++
+ rproc->state = RPROC_CRASHED;
+ dev_err(dev, "handling crash #%u in %s\n", ++rproc->crash_cnt,
+ rproc->name);
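Review bot: The `RPROC_CRASHED` branch still returns without reaching `pm_relax()`, while the new `RPROC_OFFLINE` branch jumps to `out:` so that it does, and nothing in the hunk explains why the two early exits differ. If the intent is that the handler which first set `RPROC_CRASHED` is the one that releases the wakeup source, the existing comment should say so, e.g. `/* handle only the first crash detected; that handler calls pm_relax() */`. Otherwise the crashed branch probably wants the same `goto out;` so the device cannot be left blocking system suspend. The body of rproc_crash_handler_work() starts outside this hunk, so the matching pm_stay_awake() call is not visible here.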
+@@ -1883,6 +1889,7 @@ static void rproc_crash_handler_work(str
+ if (!rproc->recovery_disabled)
+ rproc_trigger_recovery(rproc);
+
++out:
+ pm_relax(rproc->dev.parent);
+ }
+
--- /dev/null
+From 47e6ab07018edebf94ce873cf50a05ec76ff2dde Mon Sep 17 00:00:00 2001
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+Date: Fri, 30 Sep 2022 15:50:16 +0800
+Subject: remoteproc: imx_dsp_rproc: Add mutex protection for workqueue
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+commit 47e6ab07018edebf94ce873cf50a05ec76ff2dde upstream.
+
+The workqueue may execute late even after remoteproc is stopped or
+stopping, some resources (rpmsg device and endpoint) have been
+released in rproc_stop_subdevices(), then rproc_vq_interrupt()
+accessing these resources will cause kennel dump.
+
+Call trace:
+ virtqueue_add_split+0x1ac/0x560
+ virtqueue_add_inbuf+0x4c/0x60
+ rpmsg_recv_done+0x15c/0x294
+ vring_interrupt+0x6c/0xa4
+ rproc_vq_interrupt+0x30/0x50
+ imx_dsp_rproc_vq_work+0x24/0x40 [imx_dsp_rproc]
+ process_one_work+0x1d0/0x354
+ worker_thread+0x13c/0x470
+ kthread+0x154/0x160
+ ret_from_fork+0x10/0x20
+
+Add mutex protection in imx_dsp_rproc_vq_work(), if the state is
+not running, then just skip calling rproc_vq_interrupt().
+
+Also the flush workqueue operation can't be added in rproc stop
+for the same reason. The call sequence is
+
+rproc_shutdown
+-> rproc_stop
+ ->rproc_stop_subdevices
+ ->rproc->ops->stop()
+ ->imx_dsp_rproc_stop
+ ->flush_work
+ -> rproc_vq_interrupt
+
+The resource needed by rproc_vq_interrupt has been released in
+rproc_stop_subdevices, so flush_work is not safe to be called in
+imx_dsp_rproc_stop.
+
+Fixes: ec0e5549f358 ("remoteproc: imx_dsp_rproc: Add remoteproc driver for DSP on i.MX")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1664524216-19949-1-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/imx_dsp_rproc.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/remoteproc/imx_dsp_rproc.c
++++ b/drivers/remoteproc/imx_dsp_rproc.c
+@@ -347,9 +347,6 @@ static int imx_dsp_rproc_stop(struct rpr
+ struct device *dev = rproc->dev.parent;
+ int ret = 0;
+
+- /* Make sure work is finished */
+- flush_work(&priv->rproc_work);
+-
+ if (rproc->state == RPROC_CRASHED) {
+ priv->flags &= ~REMOTE_IS_READY;
+ return 0;
+@@ -432,9 +429,18 @@ static void imx_dsp_rproc_vq_work(struct
+ {
+ struct imx_dsp_rproc *priv = container_of(work, struct imx_dsp_rproc,
+ rproc_work);
++ struct rproc *rproc = priv->rproc;
++
++ mutex_lock(&rproc->lock);
++
++ if (rproc->state != RPROC_RUNNING)
++ goto unlock_mutex;
+
+ rproc_vq_interrupt(priv->rproc, 0);
+ rproc_vq_interrupt(priv->rproc, 1);
++
++unlock_mutex:
++ mutex_unlock(&rproc->lock);
+ }
+
+ /**
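Review bot: With `flush_work()` removed from imx_dsp_rproc_stop(), nothing in this patch waits for a queued `rproc_work` any more, and the new `rproc->state != RPROC_RUNNING` check only helps while `priv` and `rproc` are still allocated. The teardown path is outside these hunks, so please confirm that it cancels the work before the structures are freed, for example `cancel_work_sync(&priv->rproc_work);` in the remove path once the source that queues the work is shut down; otherwise a late work item reads `priv->rproc` from freed memory. That call must not run with `rproc->lock` held, since the work function now takes the same mutex. As a smaller point, the new local goes unused in the two calls below it: `rproc_vq_interrupt(rproc, 0);` and `rproc_vq_interrupt(rproc, 1);` would be consistent with the lock and state lines.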
--- /dev/null
+From ee18f2715e85f4ef051851a0c4831ee7ad7d83b3 Mon Sep 17 00:00:00 2001
+From: Peng Fan <peng.fan@nxp.com>
+Date: Wed, 2 Nov 2022 19:14:10 +0800
+Subject: remoteproc: imx_rproc: Correct i.MX93 DRAM mapping
+
+From: Peng Fan <peng.fan@nxp.com>
+
+commit ee18f2715e85f4ef051851a0c4831ee7ad7d83b3 upstream.
+
+According to updated reference mannual, the M33 DRAM view of
+0x[C,D]0000000 maps to A55 0xC0000000, so correct it.
+
+Fixes: 9222fabf0e39 ("remoteproc: imx_rproc: Support i.MX93")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20221102111410.38737-1-peng.fan@oss.nxp.com
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/imx_rproc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/remoteproc/imx_rproc.c
++++ b/drivers/remoteproc/imx_rproc.c
+@@ -113,8 +113,8 @@ static const struct imx_rproc_att imx_rp
+ { 0x80000000, 0x80000000, 0x10000000, 0 },
+ { 0x90000000, 0x80000000, 0x10000000, 0 },
+
+- { 0xC0000000, 0xa0000000, 0x10000000, 0 },
+- { 0xD0000000, 0xa0000000, 0x10000000, 0 },
++ { 0xC0000000, 0xC0000000, 0x10000000, 0 },
++ { 0xD0000000, 0xC0000000, 0x10000000, 0 },
+ };
+
+ static const struct imx_rproc_att imx_rproc_att_imx8mn[] = {
--- /dev/null
+From cbc32023ddbdf4baa3d9dc513a2184a84080a5a2 Mon Sep 17 00:00:00 2001
+From: Li Huafei <lihuafei1@huawei.com>
+Date: Fri, 4 Nov 2022 17:56:58 +0800
+Subject: RISC-V: kexec: Fix memory leak of elf header buffer
+
+From: Li Huafei <lihuafei1@huawei.com>
+
+commit cbc32023ddbdf4baa3d9dc513a2184a84080a5a2 upstream.
+
+This is reported by kmemleak detector:
+
+unreferenced object 0xff2000000403d000 (size 4096):
+ comm "kexec", pid 146, jiffies 4294900633 (age 64.792s)
+ hex dump (first 32 bytes):
+ 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............
+ 04 00 f3 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000566ca97c>] kmemleak_vmalloc+0x3c/0xbe
+ [<00000000979283d8>] __vmalloc_node_range+0x3ac/0x560
+ [<00000000b4b3712a>] __vmalloc_node+0x56/0x62
+ [<00000000854f75e2>] vzalloc+0x2c/0x34
+ [<00000000e9a00db9>] crash_prepare_elf64_headers+0x80/0x30c
+ [<0000000067e8bf48>] elf_kexec_load+0x3e8/0x4ec
+ [<0000000036548e09>] kexec_image_load_default+0x40/0x4c
+ [<0000000079fbe1b4>] sys_kexec_file_load+0x1c4/0x322
+ [<0000000040c62c03>] ret_from_syscall+0x0/0x2
+
+In elf_kexec_load(), a buffer is allocated via vzalloc() to store elf
+headers. While it's not freed back to system when kdump kernel is
+reloaded or unloaded, or when image->elf_header is successfully set and
+then fails to load kdump kernel for some reason. Fix it by freeing the
+buffer in arch_kimage_file_post_load_cleanup().
+
+Fixes: 8acea455fafa ("RISC-V: Support for kexec_file on panic")
+Signed-off-by: Li Huafei <lihuafei1@huawei.com>
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://lore.kernel.org/r/20221104095658.141222-2-lihuafei1@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/elf_kexec.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/riscv/kernel/elf_kexec.c
++++ b/arch/riscv/kernel/elf_kexec.c
+@@ -26,6 +26,10 @@ int arch_kimage_file_post_load_cleanup(s
+ kvfree(image->arch.fdt);
+ image->arch.fdt = NULL;
+
++ vfree(image->elf_headers);
++ image->elf_headers = NULL;
++ image->elf_headers_sz = 0;
++
+ return kexec_image_post_load_cleanup_default(image);
+ }
+
--- /dev/null
+From 96df59b1ae23f5c11698c3c2159aeb2ecd4944a4 Mon Sep 17 00:00:00 2001
+From: Li Huafei <lihuafei1@huawei.com>
+Date: Fri, 4 Nov 2022 17:56:57 +0800
+Subject: RISC-V: kexec: Fix memory leak of fdt buffer
+
+From: Li Huafei <lihuafei1@huawei.com>
+
+commit 96df59b1ae23f5c11698c3c2159aeb2ecd4944a4 upstream.
+
+This is reported by kmemleak detector:
+
+unreferenced object 0xff60000082864000 (size 9588):
+ comm "kexec", pid 146, jiffies 4294900634 (age 64.788s)
+ hex dump (first 32 bytes):
+ d0 0d fe ed 00 00 12 ed 00 00 00 48 00 00 11 40 ...........H...@
+ 00 00 00 28 00 00 00 11 00 00 00 02 00 00 00 00 ...(............
+ backtrace:
+ [<00000000f95b17c4>] kmemleak_alloc+0x34/0x3e
+ [<00000000b9ec8e3e>] kmalloc_order+0x9c/0xc4
+ [<00000000a95cf02e>] kmalloc_order_trace+0x34/0xb6
+ [<00000000f01e68b4>] __kmalloc+0x5c2/0x62a
+ [<000000002bd497b2>] kvmalloc_node+0x66/0xd6
+ [<00000000906542fa>] of_kexec_alloc_and_setup_fdt+0xa6/0x6ea
+ [<00000000e1166bde>] elf_kexec_load+0x206/0x4ec
+ [<0000000036548e09>] kexec_image_load_default+0x40/0x4c
+ [<0000000079fbe1b4>] sys_kexec_file_load+0x1c4/0x322
+ [<0000000040c62c03>] ret_from_syscall+0x0/0x2
+
+In elf_kexec_load(), a buffer is allocated via kvmalloc() to store fdt.
+While it's not freed back to system when kexec kernel is reloaded or
+unloaded. Then memory leak is caused. Fix it by introducing riscv
+specific function arch_kimage_file_post_load_cleanup(), and freeing the
+buffer there.
+
+Fixes: 6261586e0c91 ("RISC-V: Add kexec_file support")
+Signed-off-by: Li Huafei <lihuafei1@huawei.com>
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Reviewed-by: Liao Chang <liaochang1@huawei.com>
+Link: https://lore.kernel.org/r/20221104095658.141222-1-lihuafei1@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/kexec.h | 5 +++++
+ arch/riscv/kernel/elf_kexec.c | 10 ++++++++++
+ 2 files changed, 15 insertions(+)
+
+--- a/arch/riscv/include/asm/kexec.h
++++ b/arch/riscv/include/asm/kexec.h
+@@ -39,6 +39,7 @@ crash_setup_regs(struct pt_regs *newregs
+ #define ARCH_HAS_KIMAGE_ARCH
+
+ struct kimage_arch {
++ void *fdt; /* For CONFIG_KEXEC_FILE */
+ unsigned long fdt_addr;
+ };
+
+@@ -62,6 +63,10 @@ int arch_kexec_apply_relocations_add(str
+ const Elf_Shdr *relsec,
+ const Elf_Shdr *symtab);
+ #define arch_kexec_apply_relocations_add arch_kexec_apply_relocations_add
++
++struct kimage;
++int arch_kimage_file_post_load_cleanup(struct kimage *image);
++#define arch_kimage_file_post_load_cleanup arch_kimage_file_post_load_cleanup
+ #endif
+
+ #endif
+--- a/arch/riscv/kernel/elf_kexec.c
++++ b/arch/riscv/kernel/elf_kexec.c
+@@ -21,6 +21,14 @@
+ #include <linux/memblock.h>
+ #include <asm/setup.h>
+
++int arch_kimage_file_post_load_cleanup(struct kimage *image)
++{
++ kvfree(image->arch.fdt);
++ image->arch.fdt = NULL;
++
++ return kexec_image_post_load_cleanup_default(image);
++}
++
+ static int riscv_kexec_elf_load(struct kimage *image, struct elfhdr *ehdr,
+ struct kexec_elf_info *elf_info, unsigned long old_pbase,
+ unsigned long new_pbase)
+@@ -298,6 +306,8 @@ static void *elf_kexec_load(struct kimag
+ pr_err("Error add DTB kbuf ret=%d\n", ret);
+ goto out_free_fdt;
+ }
++ /* Cache the fdt buffer address for memory cleanup */
++ image->arch.fdt = fdt;
+ pr_notice("Loaded device tree at 0x%lx\n", kbuf.mem);
+ goto out;
+
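Review bot: Once `image->arch.fdt = fdt;` is set, the buffer has two possible release points: the `out_free_fdt` label in elf_kexec_load() and `kvfree(image->arch.fdt)` in the new arch_kimage_file_post_load_cleanup(). Today the assignment is followed by `goto out`, so only one of them runs, but the comment does not say that ownership has moved, and any fallible step later inserted between the assignment and `goto out` would free the buffer twice. I would word the comment as `/* image now owns fdt; it is freed in arch_kimage_file_post_load_cleanup(). Keep this the last step before goto out. */`. The `out_free_fdt` body is outside the hunk, so this assumes it frees `fdt` as its name suggests.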
--- /dev/null
+From c528ef0888b75f673f7d48022de8d31d5b451e8c Mon Sep 17 00:00:00 2001
+From: Guo Ren <guoren@linux.alibaba.com>
+Date: Wed, 7 Dec 2022 04:11:12 -0500
+Subject: riscv: Fixup compile error with !MMU
+
+From: Guo Ren <guoren@linux.alibaba.com>
+
+commit c528ef0888b75f673f7d48022de8d31d5b451e8c upstream.
+
+Current nommu_virt_defconfig can't compile:
+
+In file included from
+arch/riscv/kernel/crash_core.c:3:
+arch/riscv/kernel/crash_core.c:
+In function 'arch_crash_save_vmcoreinfo':
+arch/riscv/kernel/crash_core.c:8:27:
+error: 'VA_BITS' undeclared (first use in this function)
+ 8 | VMCOREINFO_NUMBER(VA_BITS);
+ | ^~~~~~~
+
+Add MMU dependency for KEXEC_FILE.
+
+Fixes: 6261586e0c91 ("RISC-V: Add kexec_file support")
+Reported-by: Conor Dooley <conor.dooley@microchip.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Guo Ren <guoren@kernel.org>
+Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
+Tested-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://lore.kernel.org/r/20221207091112.2258674-1-guoren@kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/riscv/Kconfig
++++ b/arch/riscv/Kconfig
+@@ -502,7 +502,7 @@ config KEXEC_FILE
+ select KEXEC_CORE
+ select KEXEC_ELF
+ select HAVE_IMA_KEXEC if IMA
+- depends on 64BIT
++ depends on 64BIT && MMU
+ help
+ This is new version of kexec system call. This system call is
+ file based and takes file descriptors as system call argument
--- /dev/null
+From 4bd1d80efb5af640f99157f39b50fb11326ce641 Mon Sep 17 00:00:00 2001
+From: Sergey Matyukevich <sergey.matyukevich@syntacore.com>
+Date: Mon, 29 Aug 2022 23:52:19 +0300
+Subject: riscv: mm: notify remote harts about mmu cache updates
+
+From: Sergey Matyukevich <sergey.matyukevich@syntacore.com>
+
+commit 4bd1d80efb5af640f99157f39b50fb11326ce641 upstream.
+
+Current implementation of update_mmu_cache function performs local TLB
+flush. It does not take into account ASID information. Besides, it does
+not take into account other harts currently running the same mm context
+or possible migration of the running context to other harts. Meanwhile
+TLB flush is not performed for every context switch if ASID support
+is enabled.
+
+Patch [1] proposed to add ASID support to update_mmu_cache to avoid
+flushing local TLB entirely. This patch takes into account other
+harts currently running the same mm context as well as possible
+migration of this context to other harts.
+
+For this purpose the approach from flush_icache_mm is reused. Remote
+harts currently running the same mm context are informed via SBI calls
+that they need to flush their local TLBs. All the other harts are marked
+as needing a deferred TLB flush when this mm context runs on them.
+
+[1] https://lore.kernel.org/linux-riscv/20220821013926.8968-1-tjytimi@163.com/
+
+Signed-off-by: Sergey Matyukevich <sergey.matyukevich@syntacore.com>
+Fixes: 65d4b9c53017 ("RISC-V: Implement ASID allocator")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/linux-riscv/20220829205219.283543-1-geomatsi@gmail.com/#t
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/mmu.h | 2 ++
+ arch/riscv/include/asm/pgtable.h | 2 +-
+ arch/riscv/include/asm/tlbflush.h | 18 ++++++++++++++++++
+ arch/riscv/mm/context.c | 10 ++++++++++
+ arch/riscv/mm/tlbflush.c | 28 +++++++++++-----------------
+ 5 files changed, 42 insertions(+), 18 deletions(-)
+
+--- a/arch/riscv/include/asm/mmu.h
++++ b/arch/riscv/include/asm/mmu.h
+@@ -19,6 +19,8 @@ typedef struct {
+ #ifdef CONFIG_SMP
+ /* A local icache flush is needed before user execution can resume. */
+ cpumask_t icache_stale_mask;
++ /* A local tlb flush is needed before user execution can resume. */
++ cpumask_t tlb_stale_mask;
+ #endif
+ } mm_context_t;
+
+--- a/arch/riscv/include/asm/pgtable.h
++++ b/arch/riscv/include/asm/pgtable.h
+@@ -415,7 +415,7 @@ static inline void update_mmu_cache(stru
+ * Relying on flush_tlb_fix_spurious_fault would suffice, but
+ * the extra traps reduce performance. So, eagerly SFENCE.VMA.
+ */
+- local_flush_tlb_page(address);
++ flush_tlb_page(vma, address);
+ }
+
+ static inline void update_mmu_cache_pmd(struct vm_area_struct *vma,
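Review bot: The comment directly above the changed call still says "eagerly SFENCE.VMA", but `flush_tlb_page(vma, address)` is no longer a purely local fence: per the commit description it can notify remote harts through SBI calls and mark the others for a deferred flush. Please update the comment to match, for instance `* So, eagerly flush this page on the harts running the mm and mark the rest stale.`, so a reader does not assume this path stays hart-local and cheap. update_mmu_cache() starts outside the hunk.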
+--- a/arch/riscv/include/asm/tlbflush.h
++++ b/arch/riscv/include/asm/tlbflush.h
+@@ -22,6 +22,24 @@ static inline void local_flush_tlb_page(
+ {
+ ALT_FLUSH_TLB_PAGE(__asm__ __volatile__ ("sfence.vma %0" : : "r" (addr) : "memory"));
+ }
++
++static inline void local_flush_tlb_all_asid(unsigned long asid)
++{
++ __asm__ __volatile__ ("sfence.vma x0, %0"
++ :
++ : "r" (asid)
++ : "memory");
++}
++
++static inline void local_flush_tlb_page_asid(unsigned long addr,
++ unsigned long asid)
++{
++ __asm__ __volatile__ ("sfence.vma %0, %1"
++ :
++ : "r" (addr), "r" (asid)
++ : "memory");
++}
++
+ #else /* CONFIG_MMU */
+ #define local_flush_tlb_all() do { } while (0)
+ #define local_flush_tlb_page(addr) do { } while (0)
+--- a/arch/riscv/mm/context.c
++++ b/arch/riscv/mm/context.c
+@@ -196,6 +196,16 @@ switch_mm_fast:
+
+ if (need_flush_tlb)
+ local_flush_tlb_all();
++#ifdef CONFIG_SMP
++ else {
++ cpumask_t *mask = &mm->context.tlb_stale_mask;
++
++ if (cpumask_test_cpu(cpu, mask)) {
++ cpumask_clear_cpu(cpu, mask);
++ local_flush_tlb_all_asid(cntx & asid_mask);
++ }
++ }
++#endif
+ }
+
+ static void set_mm_noasid(struct mm_struct *mm)
+--- a/arch/riscv/mm/tlbflush.c
++++ b/arch/riscv/mm/tlbflush.c
+@@ -5,23 +5,7 @@
+ #include <linux/sched.h>
+ #include <asm/sbi.h>
+ #include <asm/mmu_context.h>
+-
+-static inline void local_flush_tlb_all_asid(unsigned long asid)
+-{
+- __asm__ __volatile__ ("sfence.vma x0, %0"
+- :
+- : "r" (asid)
+- : "memory");
+-}
+-
+-static inline void local_flush_tlb_page_asid(unsigned long addr,
+- unsigned long asid)
+-{
+- __asm__ __volatile__ ("sfence.vma %0, %1"
+- :
+- : "r" (addr), "r" (asid)
+- : "memory");
+-}
++#include <asm/tlbflush.h>
+
+ void flush_tlb_all(void)
+ {
+@@ -31,6 +15,7 @@ void flush_tlb_all(void)
+ static void __sbi_tlb_flush_range(struct mm_struct *mm, unsigned long start,
+ unsigned long size, unsigned long stride)
+ {
++ struct cpumask *pmask = &mm->context.tlb_stale_mask;
+ struct cpumask *cmask = mm_cpumask(mm);
+ unsigned int cpuid;
+ bool broadcast;
+@@ -44,6 +29,15 @@ static void __sbi_tlb_flush_range(struct
+ if (static_branch_unlikely(&use_asid_allocator)) {
+ unsigned long asid = atomic_long_read(&mm->context.id);
+
++ /*
++ * TLB will be immediately flushed on harts concurrently
++ * executing this MM context. TLB flush on other harts
++ * is deferred until this MM context migrates there.
++ */
++ cpumask_setall(pmask);
++ cpumask_clear_cpu(cpuid, pmask);
++ cpumask_andnot(pmask, pmask, cmask);
++
+ if (broadcast) {
+ sbi_remote_sfence_vma_asid(cmask, start, size, asid);
+ } else if (size <= stride) {
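Review bot: The stale-mask update is three separate operations on a mask shared by every hart (`cpumask_setall`, `cpumask_clear_cpu`, `cpumask_andnot`), and the consumer added in arch/riscv/mm/context.c does `cpumask_test_cpu()` followed by `cpumask_clear_cpu()` with no lock visible in either hunk. A hart that tests its bit between these steps would, as far as I can tell, only flush once more than needed. The opposite ordering is the one that matters for isolation: a hart that enters the mm after `cmask` was sampled. The new comment should state which invariant guarantees that such a hart is either in `cmask` or still has its stale bit set, and where the required ordering between the `mm_cpumask()` update and the stale-bit test comes from. `cpuid` is assigned outside the hunk, and I am assuming it holds the current CPU at this point.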
--- /dev/null
+From 5c3022e4a616d800cf5f4c3a981d7992179e44a1 Mon Sep 17 00:00:00 2001
+From: Guo Ren <guoren@linux.alibaba.com>
+Date: Wed, 9 Nov 2022 01:49:36 -0500
+Subject: riscv: stacktrace: Fixup ftrace_graph_ret_addr retp argument
+
+From: Guo Ren <guoren@linux.alibaba.com>
+
+commit 5c3022e4a616d800cf5f4c3a981d7992179e44a1 upstream.
+
+The 'retp' is a pointer to the return address on the stack, so we
+must pass the current return address pointer as the 'retp'
+argument to ftrace_push_return_trace(). Not parent function's
+return address on the stack.
+
+Fixes: b785ec129bd9 ("riscv/ftrace: Add HAVE_FUNCTION_GRAPH_RET_ADDR_PTR support")
+Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
+Signed-off-by: Guo Ren <guoren@kernel.org>
+Link: https://lore.kernel.org/r/20221109064937.3643993-2-guoren@kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/stacktrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/riscv/kernel/stacktrace.c
++++ b/arch/riscv/kernel/stacktrace.c
+@@ -58,7 +58,7 @@ void notrace walk_stackframe(struct task
+ } else {
+ fp = frame->fp;
+ pc = ftrace_graph_ret_addr(current, NULL, frame->ra,
+- (unsigned long *)(fp - 8));
++ &frame->ra);
+ }
+
+ }
drm-amdgpu-fix-mmhub-register-base-coding-error.patch
block-mq-deadline-fix-dd_finish_request-for-zoned-devices.patch
block-mq-deadline-do-not-break-sequential-write-streams-to-zoned-hdds.patch
+md-bitmap-fix-bitmap-chunk-size-overflow-issues.patch
+efi-add-imac-pro-2017-to-uefi-skip-cert-quirk.patch
+wifi-wilc1000-sdio-fix-module-autoloading.patch
+asoc-jz4740-i2s-handle-independent-fifo-flush-bits.patch
+ipu3-imgu-fix-null-pointer-dereference-in-imgu_subdev_set_selection.patch
+ipmi-fix-long-wait-in-unload-when-ipmi-disconnect.patch
+mtd-spi-nor-check-for-zero-erase-size-in-spi_nor_find_best_erase_type.patch
+ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch
+ipmi-fix-use-after-free-in-_ipmi_destroy_user.patch
+mtd-spi-nor-gigadevice-gd25q256-replace-gd25q256_default_init-with-gd25q256_post_bfpt.patch
+ima-fix-memory-leak-in-__ima_inode_hash.patch
+um-virt-pci-avoid-gcc-non-null-warning.patch
+crypto-ccree-hisilicon-fix-dependencies-to-correct-algorithm.patch
+pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch
+pci-sysfs-fix-double-free-in-error-path.patch
+risc-v-kexec-fix-memory-leak-of-fdt-buffer.patch
+riscv-fixup-compile-error-with-mmu.patch
+risc-v-kexec-fix-memory-leak-of-elf-header-buffer.patch
+riscv-stacktrace-fixup-ftrace_graph_ret_addr-retp-argument.patch
+riscv-mm-notify-remote-harts-about-mmu-cache-updates.patch
+crypto-n2-add-missing-hash-statesize.patch
+crypto-ccp-add-support-for-tee-for-pci-id-0x14ca.patch
+driver-core-fix-bus_type.match-error-handling-in-__driver_attach.patch
+bus-mhi-host-fix-race-between-channel-preparation-and-m0-event.patch
+phy-qcom-qmp-combo-fix-sdm845-reset.patch
+phy-qcom-qmp-combo-fix-sc8180x-reset.patch
+iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch
+iommu-amd-fix-ill-formed-ivrs_ioapic-ivrs_hpet-and-ivrs_acpihid-options.patch
+test_kprobes-fix-implicit-declaration-error-of-test_kprobes.patch
+hugetlb-really-allocate-vma-lock-for-all-sharable-vmas.patch
+remoteproc-imx_dsp_rproc-add-mutex-protection-for-workqueue.patch
+remoteproc-core-do-pm_relax-when-in-rproc_offline-state.patch
+remoteproc-imx_rproc-correct-i.mx93-dram-mapping.patch
+parisc-led-fix-potential-null-ptr-deref-in-start_task.patch
+parisc-drop-locking-in-pdc-console-code.patch
+parisc-fix-locking-in-pdc_iodc_print-firmware-call.patch
+parisc-add-missing-force-prerequisites-in-makefile.patch
+parisc-drop-duplicate-kgdb_pdc-console.patch
+parisc-drop-pmd_shift-from-calculation-in-pgtable.h.patch
+device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch
+drm-connector-send-hotplug-uevent-on-connector-cleanup.patch
+drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch
+drm-mgag200-fix-pll-setup-for-g200_se_a-rev-4.patch
+drm-etnaviv-move-idle-mapping-reaping-into-separate-function.patch
+drm-i915-dsi-fix-vbt-send-packet-port-selection-for-dual-link-dsi.patch
+drm-ingenic-fix-missing-platform_driver_unregister-call-in-ingenic_drm_init.patch
+drm-etnaviv-reap-idle-mapping-if-it-doesn-t-match-the-softpin-address.patch
--- /dev/null
+From 63a4dc0a0bb0e9bfeb2c88ccda81abdde4cdd6b8 Mon Sep 17 00:00:00 2001
+From: Li Hua <hucool.lihua@huawei.com>
+Date: Mon, 21 Nov 2022 11:06:20 +0800
+Subject: test_kprobes: Fix implicit declaration error of test_kprobes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Li Hua <hucool.lihua@huawei.com>
+
+commit 63a4dc0a0bb0e9bfeb2c88ccda81abdde4cdd6b8 upstream.
+
+If KPROBES_SANITY_TEST and ARCH_CORRECT_STACKTRACE_ON_KRETPROBE is enabled, but
+STACKTRACE is not set. Build failed as below:
+
+lib/test_kprobes.c: In function ‘stacktrace_return_handler’:
+lib/test_kprobes.c:228:8: error: implicit declaration of function ‘stack_trace_save’; did you mean ‘stacktrace_driver’? [-Werror=implicit-function-declaration]
+ ret = stack_trace_save(stack_buf, STACK_BUF_SIZE, 0);
+ ^~~~~~~~~~~~~~~~
+ stacktrace_driver
+cc1: all warnings being treated as errors
+scripts/Makefile.build:250: recipe for target 'lib/test_kprobes.o' failed
+make[2]: *** [lib/test_kprobes.o] Error 1
+
+To fix this error, Select STACKTRACE if ARCH_CORRECT_STACKTRACE_ON_KRETPROBE is enabled.
+
+Link: https://lore.kernel.org/all/20221121030620.63181-1-hucool.lihua@huawei.com/
+
+Fixes: 1f6d3a8f5e39 ("kprobes: Add a test case for stacktrace from kretprobe handler")
+Cc: stable@vger.kernel.org
+Signed-off-by: Li Hua <hucool.lihua@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -2092,6 +2092,7 @@ config TEST_MIN_HEAP
+ config TEST_SORT
+ tristate "Array-based sort test" if !KUNIT_ALL_TESTS
+ depends on KUNIT
++ select STACKTRACE if ARCH_CORRECT_STACKTRACE_ON_KRETPROBE
+ default KUNIT_ALL_TESTS
+ help
+ This option enables the self-test function of 'sort()' at boot,
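Review bot: The added `select STACKTRACE if ARCH_CORRECT_STACKTRACE_ON_KRETPROBE` sits inside `config TEST_SORT` ("Array-based sort test"), not in the kprobes test entry that the subject and the build log are about. As placed, enabling the sort test pulls in STACKTRACE, while `KPROBES_SANITY_TEST` without STACKTRACE would presumably still hit the `stack_trace_save` error quoted in the description. The hunk context suggests the line was applied at the wrong offset in this tree; it should move under `config KPROBES_SANITY_TEST`, which is outside the hunk.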
--- /dev/null
+From bdc77507fecd00ddad2f502f86a48a9ec38f0f84 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 1 Dec 2022 16:23:25 -0800
+Subject: um: virt-pci: Avoid GCC non-NULL warning
+
+From: Kees Cook <keescook@chromium.org>
+
+commit bdc77507fecd00ddad2f502f86a48a9ec38f0f84 upstream.
+
+GCC gets confused about the return value of get_cpu_var() possibly
+being NULL, so explicitly test for it before calls to memcpy() and
+memset(). Avoids warnings like this:
+
+ arch/um/drivers/virt-pci.c: In function 'um_pci_send_cmd':
+ include/linux/fortify-string.h:48:33: warning: argument 1 null where non-null expected [-Wnonnull]
+ 48 | #define __underlying_memcpy __builtin_memcpy
+ | ^
+ include/linux/fortify-string.h:438:9: note: in expansion of macro '__underlying_memcpy'
+ 438 | __underlying_##op(p, q, __fortify_size); \
+ | ^~~~~~~~~~~~~
+ include/linux/fortify-string.h:483:26: note: in expansion of macro '__fortify_memcpy_chk'
+ 483 | #define memcpy(p, q, s) __fortify_memcpy_chk(p, q, s, \
+ | ^~~~~~~~~~~~~~~~~~~~
+ arch/um/drivers/virt-pci.c:100:9: note: in expansion of macro 'memcpy'
+ 100 | memcpy(buf, cmd, cmd_size);
+ | ^~~~~~
+
+While at it, avoid literal "8" and use stored sizeof(buf->data) in
+memset() and um_pci_send_cmd().
+
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/lkml/202211271212.SUZSC9f9-lkp@intel.com
+Fixes: ba38961a069b ("um: Enable FORTIFY_SOURCE")
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Xiu Jianfeng <xiujianfeng@huawei.com>
+Cc: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Cc: linux-um@lists.infradead.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/um/drivers/virt-pci.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/um/drivers/virt-pci.c
++++ b/arch/um/drivers/virt-pci.c
+@@ -97,7 +97,8 @@ static int um_pci_send_cmd(struct um_pci
+ }
+
+ buf = get_cpu_var(um_pci_msg_bufs);
+- memcpy(buf, cmd, cmd_size);
++ if (buf)
++ memcpy(buf, cmd, cmd_size);
+
+ if (posted) {
+ u8 *ncmd = kmalloc(cmd_size + extra_size, GFP_ATOMIC);
+@@ -182,6 +183,7 @@ static unsigned long um_pci_cfgspace_rea
+ struct um_pci_message_buffer *buf;
+ u8 *data;
+ unsigned long ret = ULONG_MAX;
++ size_t bytes = sizeof(buf->data);
+
+ if (!dev)
+ return ULONG_MAX;
+@@ -189,7 +191,8 @@ static unsigned long um_pci_cfgspace_rea
+ buf = get_cpu_var(um_pci_msg_bufs);
+ data = buf->data;
+
+- memset(buf->data, 0xff, sizeof(buf->data));
++ if (buf)
++ memset(data, 0xff, bytes);
+
+ switch (size) {
+ case 1:
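Review bot: The new `if (buf)` test comes after `data = buf->data;`, so it cannot protect anything at run time; it only silences the -Wnonnull diagnostic quoted in the description. The same holds in um_pci_send_cmd(), where the code after the guarded `memcpy()` (outside the hunk) presumably keeps using `buf`. Since a reader will take these for real NULL checks, mark them, e.g. `/* buf cannot be NULL here; the test only keeps GCC's -Wnonnull quiet */` above each `if (buf)`. If NULL were actually possible, both functions would need an early exit that still reaches `put_cpu_var()`, not a skipped copy.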
+@@ -204,7 +207,7 @@ static unsigned long um_pci_cfgspace_rea
+ goto out;
+ }
+
+- if (um_pci_send_cmd(dev, &hdr, sizeof(hdr), NULL, 0, data, 8))
++ if (um_pci_send_cmd(dev, &hdr, sizeof(hdr), NULL, 0, data, bytes))
+ goto out;
+
+ switch (size) {
--- /dev/null
+From 57d545b5a3d6ce3a8fb6b093f02bfcbb908973f3 Mon Sep 17 00:00:00 2001
+From: Michael Walle <michael@walle.cc>
+Date: Thu, 27 Oct 2022 19:12:21 +0200
+Subject: wifi: wilc1000: sdio: fix module autoloading
+
+From: Michael Walle <michael@walle.cc>
+
+commit 57d545b5a3d6ce3a8fb6b093f02bfcbb908973f3 upstream.
+
+There are no SDIO module aliases included in the driver, therefore,
+module autoloading isn't working. Add the proper MODULE_DEVICE_TABLE().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael Walle <michael@walle.cc>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221027171221.491937-1-michael@walle.cc
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/microchip/wilc1000/sdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/microchip/wilc1000/sdio.c
++++ b/drivers/net/wireless/microchip/wilc1000/sdio.c
+@@ -20,6 +20,7 @@ static const struct sdio_device_id wilc_
+ { SDIO_DEVICE(SDIO_VENDOR_ID_MICROCHIP_WILC, SDIO_DEVICE_ID_MICROCHIP_WILC1000) },
+ { },
+ };
++MODULE_DEVICE_TABLE(sdio, wilc_sdio_ids);
+
+ #define WILC_SDIO_BLOCK_SIZE 512
+