--- /dev/null
+From ca88eeb308a221c2dcd4a64031d2e5fcd3db9eaa Mon Sep 17 00:00:00 2001
+From: Luka Guzenko <l.guzenko@web.de>
+Date: Tue, 10 Jan 2023 21:25:14 +0100
+Subject: ALSA: hda/realtek: Enable mute/micmute LEDs on HP Spectre x360 13-aw0xxx
+
+From: Luka Guzenko <l.guzenko@web.de>
+
+commit ca88eeb308a221c2dcd4a64031d2e5fcd3db9eaa upstream.
+
+The HP Spectre x360 13-aw0xxx devices use the ALC285 codec with GPIO 0x04
+controlling the micmute LED and COEF 0x0b index 8 controlling the mute LED.
+A quirk was added to make these work as well as a fixup.
+
+Signed-off-by: Luka Guzenko <l.guzenko@web.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230110202514.2792-1-l.guzenko@web.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4581,6 +4581,16 @@ static void alc285_fixup_hp_coef_micmute
+ }
+ }
+
++static void alc285_fixup_hp_gpio_micmute_led(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ struct alc_spec *spec = codec->spec;
++
++ if (action == HDA_FIXUP_ACT_PRE_PROBE)
++ spec->micmute_led_polarity = 1;
++ alc_fixup_hp_gpio_led(codec, action, 0, 0x04);
++}
++
+ static void alc236_fixup_hp_coef_micmute_led(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
+@@ -4602,6 +4612,13 @@ static void alc285_fixup_hp_mute_led(str
+ alc285_fixup_hp_coef_micmute_led(codec, fix, action);
+ }
+
++static void alc285_fixup_hp_spectre_x360_mute_led(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ alc285_fixup_hp_mute_led_coefbit(codec, fix, action);
++ alc285_fixup_hp_gpio_micmute_led(codec, fix, action);
++}
++
+ static void alc236_fixup_hp_mute_led(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
+@@ -6856,6 +6873,7 @@ enum {
+ ALC285_FIXUP_ASUS_G533Z_PINS,
+ ALC285_FIXUP_HP_GPIO_LED,
+ ALC285_FIXUP_HP_MUTE_LED,
++ ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED,
+ ALC236_FIXUP_HP_GPIO_LED,
+ ALC236_FIXUP_HP_MUTE_LED,
+ ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF,
+@@ -8224,6 +8242,10 @@ static const struct hda_fixup alc269_fix
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc285_fixup_hp_mute_led,
+ },
++ [ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc285_fixup_hp_spectre_x360_mute_led,
++ },
+ [ALC236_FIXUP_HP_GPIO_LED] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc236_fixup_hp_gpio_led,
+@@ -8936,6 +8958,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO),
+ SND_PCI_QUIRK(0x103c, 0x86e7, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
+ SND_PCI_QUIRK(0x103c, 0x86e8, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
++ SND_PCI_QUIRK(0x103c, 0x86f9, "HP Spectre x360 13-aw0xxx", ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED),
--- /dev/null
+From 000bca8d706d1bf7cca01af75787247c5a2fdedf Mon Sep 17 00:00:00 2001
+From: Brian Norris <computersforpeace@gmail.com>
+Date: Fri, 30 Dec 2022 22:15:45 -0800
+Subject: ASoC: qcom: lpass-cpu: Fix fallback SD line index handling
+
+From: Brian Norris <computersforpeace@gmail.com>
+
+commit 000bca8d706d1bf7cca01af75787247c5a2fdedf upstream.
+
+These indices should reference the ID placed within the dai_driver
+array, not the indices of the array itself.
+
+This fixes commit 4ff028f6c108 ("ASoC: qcom: lpass-cpu: Make I2S SD
+lines configurable"), which among others, broke IPQ8064 audio
+(sound/soc/qcom/lpass-ipq806x.c) because it uses ID 4 but we'd stop
+initializing the mi2s_playback_sd_mode and mi2s_capture_sd_mode arrays
+at ID 0.
+
+Fixes: 4ff028f6c108 ("ASoC: qcom: lpass-cpu: Make I2S SD lines configurable")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Reviewed-by: Stephan Gerhold <stephan@gerhold.net>
+Link: https://lore.kernel.org/r/20221231061545.2110253-1-computersforpeace@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/lpass-cpu.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/qcom/lpass-cpu.c
++++ b/sound/soc/qcom/lpass-cpu.c
+@@ -816,10 +816,11 @@ static void of_lpass_cpu_parse_dai_data(
+ struct lpass_data *data)
+ {
+ struct device_node *node;
+- int ret, id;
++ int ret, i, id;
+
+ /* Allow all channels by default for backwards compatibility */
+- for (id = 0; id < data->variant->num_dai; id++) {
++ for (i = 0; i < data->variant->num_dai; i++) {
++ id = data->variant->dai_driver[i].id;
+ data->mi2s_playback_sd_mode[id] = LPAIF_I2SCTL_MODE_8CH;
+ data->mi2s_capture_sd_mode[id] = LPAIF_I2SCTL_MODE_8CH;
+ }
--- /dev/null
+From 0283189e8f3d0917e2ac399688df85211f48447b Mon Sep 17 00:00:00 2001
+From: Jonathan Corbet <corbet@lwn.net>
+Date: Wed, 4 Jan 2023 10:47:39 -0700
+Subject: docs: Fix the docs build with Sphinx 6.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Corbet <corbet@lwn.net>
+
+commit 0283189e8f3d0917e2ac399688df85211f48447b upstream.
+
+Sphinx 6.0 removed the execfile_() function, which we use as part of the
+configuration process. They *did* warn us... Just open-code the
+functionality as is done in Sphinx itself.
+
+Tested (using SPHINX_CONF, since this code is only executed with an
+alternative config file) on various Sphinx versions from 2.5 through 6.0.
+
+Reported-by: Martin Liška <mliska@suse.cz>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/sphinx/load_config.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/Documentation/sphinx/load_config.py
++++ b/Documentation/sphinx/load_config.py
+@@ -3,7 +3,7 @@
+
+ import os
+ import sys
+-from sphinx.util.pycompat import execfile_
++from sphinx.util.osutil import fs_encoding
+
+ # ------------------------------------------------------------------------------
+ def loadConfig(namespace):
+@@ -48,7 +48,9 @@ def loadConfig(namespace):
+ sys.stdout.write("load additional sphinx-config: %s\n" % config_file)
+ config = namespace.copy()
+ config['__file__'] = config_file
+- execfile_(config_file, config)
++ with open(config_file, 'rb') as f:
++ code = compile(f.read(), fs_encoding, 'exec')
++ exec(code, config)
+ del config['__file__']
+ namespace.update(config)
+ else:
--- /dev/null
+From d3f450533bbcb6dd4d7d59cadc9b61b7321e4ac1 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Mon, 9 Jan 2023 10:44:31 +0100
+Subject: efi: tpm: Avoid READ_ONCE() for accessing the event log
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit d3f450533bbcb6dd4d7d59cadc9b61b7321e4ac1 upstream.
+
+Nathan reports that recent kernels built with LTO will crash when doing
+EFI boot using Fedora's GRUB and SHIM. The culprit turns out to be a
+misaligned load from the TPM event log, which is annotated with
+READ_ONCE(), and under LTO, this gets translated into a LDAR instruction
+which does not tolerate misaligned accesses.
+
+Interestingly, this does not happen when booting the same kernel
+straight from the UEFI shell, and so the fact that the event log may
+appear misaligned in memory may be caused by a bug in GRUB or SHIM.
+
+However, using READ_ONCE() to access firmware tables is slightly unusual
+in any case, and here, we only need to ensure that 'event' is not
+dereferenced again after it gets unmapped, but this is already taken
+care of by the implicit barrier() semantics of the early_memunmap()
+call.
+
+Cc: <stable@vger.kernel.org>
+Cc: Peter Jones <pjones@redhat.com>
+Cc: Jarkko Sakkinen <jarkko@kernel.org>
+Cc: Matthew Garrett <mjg59@srcf.ucam.org>
+Reported-by: Nathan Chancellor <nathan@kernel.org>
+Tested-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1782
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/tpm_eventlog.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/tpm_eventlog.h
++++ b/include/linux/tpm_eventlog.h
+@@ -198,8 +198,8 @@ static __always_inline int __calc_tpm2_e
+ * The loop below will unmap these fields if the log is larger than
+ * one page, so save them here for reference:
+ */
+- count = READ_ONCE(event->count);
+- event_type = READ_ONCE(event->event_type);
++ count = event->count;
++ event_type = event->event_type;
+
+ /* Verify that it's the log header */
+ if (event_header->pcr_idx != 0 ||
--- /dev/null
+From 406504c7b0405d74d74c15a667cd4c4620c3e7a9 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Tue, 20 Dec 2022 14:03:52 +0000
+Subject: KVM: arm64: Fix S1PTW handling on RO memslots
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 406504c7b0405d74d74c15a667cd4c4620c3e7a9 upstream.
+
+A recent development on the EFI front has resulted in guests having
+their page tables baked in the firmware binary, and mapped into the
+IPA space as part of a read-only memslot. Not only is this legitimate,
+but it also results in added security, so thumbs up.
+
+It is possible to take an S1PTW translation fault if the S1 PTs are
+unmapped at stage-2. However, KVM unconditionally treats S1PTW as a
+write to correctly handle hardware AF/DB updates to the S1 PTs.
+Furthermore, KVM injects an exception into the guest for S1PTW writes.
+In the aforementioned case this results in the guest taking an abort
+it won't recover from, as the S1 PTs mapping the vectors suffer from
+the same problem.
+
+So clearly our handling is... wrong.
+
+Instead, switch to a two-pronged approach:
+
+- On S1PTW translation fault, handle the fault as a read
+
+- On S1PTW permission fault, handle the fault as a write
+
+This is of no consequence to SW that *writes* to its PTs (the write
+will trigger a non-S1PTW fault), and SW that uses RO PTs will not
+use HW-assisted AF/DB anyway, as that'd be wrong.
+
+Only in the case described in c4ad98e4b72c ("KVM: arm64: Assume write
+fault on S1PTW permission fault on instruction fetch") do we end-up
+with two back-to-back faults (page being evicted and faulted back).
+I don't think this is a case worth optimising for.
+
+Fixes: c4ad98e4b72c ("KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch")
+Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+Regression-tested-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/kvm_emulate.h | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_emulate.h
++++ b/arch/arm64/include/asm/kvm_emulate.h
+@@ -382,8 +382,26 @@ static __always_inline int kvm_vcpu_sys_
+
+ static inline bool kvm_is_write_fault(struct kvm_vcpu *vcpu)
+ {
+- if (kvm_vcpu_abt_iss1tw(vcpu))
+- return true;
++ if (kvm_vcpu_abt_iss1tw(vcpu)) {
++ /*
++ * Only a permission fault on a S1PTW should be
++ * considered as a write. Otherwise, page tables baked
++ * in a read-only memslot will result in an exception
++ * being delivered in the guest.
++ *
++ * The drawback is that we end-up faulting twice if the
++ * guest is using any of HW AF/DB: a translation fault
++ * to map the page containing the PT (read only at
++ * first), then a permission fault to allow the flags
++ * to be set.
++ */
++ switch (kvm_vcpu_trap_get_fault_type(vcpu)) {
++ case ESR_ELx_FSC_PERM:
++ return true;
++ default:
++ return false;
++ }
++ }
+
+ if (kvm_vcpu_trap_is_iabt(vcpu))
+ return false;
--- /dev/null
+From 696e1a48b1a1b01edad542a1ef293665864a4dd0 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 11 Jan 2023 17:07:33 +0100
+Subject: netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 696e1a48b1a1b01edad542a1ef293665864a4dd0 upstream.
+
+If the offset + length goes over the ethernet + vlan header, then the
+length is adjusted to copy the bytes that are within the boundaries of
+the vlan_ethhdr scratchpad area. The remaining bytes beyond ethernet +
+vlan header are copied directly from the skbuff data area.
+
+Fix incorrect arithmetic operator: subtract, not add, the size of the
+vlan header in case of double-tagged packets to adjust the length
+accordingly to address CVE-2023-0179.
+
+Reported-by: Davide Ornaghi <d.ornaghi97@gmail.com>
+Fixes: f6ae9f120dad ("netfilter: nft_payload: add C-VLAN support")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_payload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_payload.c
++++ b/net/netfilter/nft_payload.c
+@@ -62,7 +62,7 @@ nft_payload_copy_vlan(u32 *d, const stru
+ return false;
+
+ if (offset + len > VLAN_ETH_HLEN + vlan_hlen)
+- ethlen -= offset + len - VLAN_ETH_HLEN + vlan_hlen;
++ ethlen -= offset + len - VLAN_ETH_HLEN - vlan_hlen;
+
+ memcpy(dst_u8, vlanh + offset - vlan_hlen, ethlen);
+
--- /dev/null
+From cf129830ee820f7fc90b98df193cd49d49344d09 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Tue, 10 Jan 2023 20:56:59 +0200
+Subject: perf auxtrace: Fix address filter duplicate symbol selection
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit cf129830ee820f7fc90b98df193cd49d49344d09 upstream.
+
+When a match has been made to the nth duplicate symbol, return
+success not error.
+
+Example:
+
+ Before:
+
+ $ cat file.c
+ cat: file.c: No such file or directory
+ $ cat file1.c
+ #include <stdio.h>
+
+ static void func(void)
+ {
+ printf("First func\n");
+ }
+
+ void other(void);
+
+ int main()
+ {
+ func();
+ other();
+ return 0;
+ }
+ $ cat file2.c
+ #include <stdio.h>
+
+ static void func(void)
+ {
+ printf("Second func\n");
+ }
+
+ void other(void)
+ {
+ func();
+ }
+
+ $ gcc -Wall -Wextra -o test file1.c file2.c
+ $ perf record -e intel_pt//u --filter 'filter func @ ./test' -- ./test
+ Multiple symbols with name 'func'
+ #1 0x1149 l func
+ which is near main
+ #2 0x1179 l func
+ which is near other
+ Disambiguate symbol name by inserting #n after the name e.g. func #2
+ Or select a global symbol by inserting #0 or #g or #G
+ Failed to parse address filter: 'filter func @ ./test'
+ Filter format is: filter|start|stop|tracestop <start symbol or address> [/ <end symbol or size>] [@<file name>]
+ Where multiple filters are separated by space or comma.
+ $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test
+ Failed to parse address filter: 'filter func #2 @ ./test'
+ Filter format is: filter|start|stop|tracestop <start symbol or address> [/ <end symbol or size>] [@<file name>]
+ Where multiple filters are separated by space or comma.
+
+ After:
+
+ $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test
+ First func
+ Second func
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.016 MB perf.data ]
+ $ perf script --itrace=b -Ftime,flags,ip,sym,addr --ns
+ 1231062.526977619: tr strt 0 [unknown] => 558495708179 func
+ 1231062.526977619: tr end call 558495708188 func => 558495708050 _init
+ 1231062.526979286: tr strt 0 [unknown] => 55849570818d func
+ 1231062.526979286: tr end return 55849570818f func => 55849570819d other
+
+Fixes: 1b36c03e356936d6 ("perf record: Add support for using symbols in address filters")
+Reported-by: Dmitrii Dolgov <9erthalion6@gmail.com>
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Dmitry Dolgov <9erthalion6@gmail.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230110185659.15979-1-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/auxtrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/auxtrace.c
++++ b/tools/perf/util/auxtrace.c
+@@ -2449,7 +2449,7 @@ static int find_dso_sym(struct dso *dso,
+ *size = sym->start - *start;
+ if (idx > 0) {
+ if (*size)
+- return 1;
++ return 0;
+ } else if (dso_sym_match(sym, sym_name, &cnt, idx)) {
+ print_duplicate_syms(dso, sym_name);
+ return -EINVAL;
--- /dev/null
+From 82d3edb50a11bf3c5ef63294d5358ba230181413 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Thu, 5 Jan 2023 15:44:20 +0100
+Subject: s390/cpum_sf: add READ_ONCE() semantics to compare and swap loops
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+commit 82d3edb50a11bf3c5ef63294d5358ba230181413 upstream.
+
+The current cmpxchg_double() loops within the perf hw sampling code do not
+have READ_ONCE() semantics to read the old value from memory. This allows
+the compiler to generate code which reads the "old" value several times
+from memory, which again allows for inconsistencies.
+
+For example:
+
+ /* Reset trailer (using compare-double-and-swap) */
+ do {
+ te_flags = te->flags & ~SDB_TE_BUFFER_FULL_MASK;
+ te_flags |= SDB_TE_ALERT_REQ_MASK;
+ } while (!cmpxchg_double(&te->flags, &te->overflow,
+ te->flags, te->overflow,
+ te_flags, 0ULL));
+
+The compiler could generate code where te->flags used within the
+cmpxchg_double() call may be refetched from memory and which is not
+necessarily identical to the previous read version which was used to
+generate te_flags. Which in turn means that an incorrect update could
+happen.
+
+Fix this by adding READ_ONCE() semantics to all cmpxchg_double()
+loops. Given that READ_ONCE() cannot generate code on s390 which atomically
+reads 16 bytes, use a private compare-and-swap-double implementation to
+achieve that.
+
+Also replace cmpxchg_double() with the private implementation to be able to
+re-use the old value within the loops.
+
+As a side effect this converts the whole code to only use bit fields
+to read and modify bits within the hws trailer header.
+
+Reported-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Acked-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Acked-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Reviewed-by: Thomas Richter <tmricht@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/linux-s390/Y71QJBhNTIatvxUT@osiris/T/#ma14e2a5f7aa8ed4b94b6f9576799b3ad9c60f333
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/cpu_mf.h | 31 +++++-------
+ arch/s390/kernel/perf_cpum_sf.c | 101 ++++++++++++++++++++++++----------------
+ 2 files changed, 77 insertions(+), 55 deletions(-)
+
+--- a/arch/s390/include/asm/cpu_mf.h
++++ b/arch/s390/include/asm/cpu_mf.h
+@@ -128,19 +128,21 @@ struct hws_combined_entry {
+ struct hws_diag_entry diag; /* Diagnostic-sampling data entry */
+ } __packed;
+
+-struct hws_trailer_entry {
+- union {
+- struct {
+- unsigned int f:1; /* 0 - Block Full Indicator */
+- unsigned int a:1; /* 1 - Alert request control */
+- unsigned int t:1; /* 2 - Timestamp format */
+- unsigned int :29; /* 3 - 31: Reserved */
+- unsigned int bsdes:16; /* 32-47: size of basic SDE */
+- unsigned int dsdes:16; /* 48-63: size of diagnostic SDE */
+- };
+- unsigned long long flags; /* 0 - 63: All indicators */
++union hws_trailer_header {
++ struct {
++ unsigned int f:1; /* 0 - Block Full Indicator */
++ unsigned int a:1; /* 1 - Alert request control */
++ unsigned int t:1; /* 2 - Timestamp format */
++ unsigned int :29; /* 3 - 31: Reserved */
++ unsigned int bsdes:16; /* 32-47: size of basic SDE */
++ unsigned int dsdes:16; /* 48-63: size of diagnostic SDE */
++ unsigned long long overflow; /* 64 - Overflow Count */
+ };
+- unsigned long long overflow; /* 64 - sample Overflow count */
++ __uint128_t val;
++};
++
++struct hws_trailer_entry {
++ union hws_trailer_header header; /* 0 - 15 Flags + Overflow Count */
+ unsigned char timestamp[16]; /* 16 - 31 timestamp */
+ unsigned long long reserved1; /* 32 -Reserved */
+ unsigned long long reserved2; /* */
+@@ -287,14 +289,11 @@ static inline unsigned long sample_rate_
+ return USEC_PER_SEC * qsi->cpu_speed / rate;
+ }
+
+-#define SDB_TE_ALERT_REQ_MASK 0x4000000000000000UL
+-#define SDB_TE_BUFFER_FULL_MASK 0x8000000000000000UL
+-
+ /* Return TOD timestamp contained in an trailer entry */
+ static inline unsigned long long trailer_timestamp(struct hws_trailer_entry *te)
+ {
+ /* TOD in STCKE format */
+- if (te->t)
++ if (te->header.t)
+ return *((unsigned long long *) &te->timestamp[1]);
+
+ /* TOD in STCK format */
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -163,14 +163,15 @@ static void free_sampling_buffer(struct
+
+ static int alloc_sample_data_block(unsigned long *sdbt, gfp_t gfp_flags)
+ {
+- unsigned long sdb, *trailer;
++ struct hws_trailer_entry *te;
++ unsigned long sdb;
+
+ /* Allocate and initialize sample-data-block */
+ sdb = get_zeroed_page(gfp_flags);
+ if (!sdb)
+ return -ENOMEM;
+- trailer = trailer_entry_ptr(sdb);
+- *trailer = SDB_TE_ALERT_REQ_MASK;
++ te = (struct hws_trailer_entry *)trailer_entry_ptr(sdb);
++ te->header.a = 1;
+
+ /* Link SDB into the sample-data-block-table */
+ *sdbt = sdb;
+@@ -1206,7 +1207,7 @@ static void hw_collect_samples(struct pe
+ "%s: Found unknown"
+ " sampling data entry: te->f %i"
+ " basic.def %#4x (%p)\n", __func__,
+- te->f, sample->def, sample);
++ te->header.f, sample->def, sample);
+ /* Sample slot is not yet written or other record.
+ *
+ * This condition can occur if the buffer was reused
+@@ -1217,7 +1218,7 @@ static void hw_collect_samples(struct pe
+ * that are not full. Stop processing if the first
+ * invalid format was detected.
+ */
+- if (!te->f)
++ if (!te->header.f)
+ break;
+ }
+
+@@ -1227,6 +1228,16 @@ static void hw_collect_samples(struct pe
+ }
+ }
+
++static inline __uint128_t __cdsg(__uint128_t *ptr, __uint128_t old, __uint128_t new)
++{
++ asm volatile(
++ " cdsg %[old],%[new],%[ptr]\n"
++ : [old] "+d" (old), [ptr] "+QS" (*ptr)
++ : [new] "d" (new)
++ : "memory", "cc");
++ return old;
++}
++
+ /* hw_perf_event_update() - Process sampling buffer
+ * @event: The perf event
+ * @flush_all: Flag to also flush partially filled sample-data-blocks
+@@ -1243,10 +1254,11 @@ static void hw_collect_samples(struct pe
+ */
+ static void hw_perf_event_update(struct perf_event *event, int flush_all)
+ {
++ unsigned long long event_overflow, sampl_overflow, num_sdb;
++ union hws_trailer_header old, prev, new;
+ struct hw_perf_event *hwc = &event->hw;
+ struct hws_trailer_entry *te;
+ unsigned long *sdbt;
+- unsigned long long event_overflow, sampl_overflow, num_sdb, te_flags;
+ int done;
+
+ /*
+@@ -1266,25 +1278,25 @@ static void hw_perf_event_update(struct
+ te = (struct hws_trailer_entry *) trailer_entry_ptr(*sdbt);
+
+ /* Leave loop if no more work to do (block full indicator) */
+- if (!te->f) {
++ if (!te->header.f) {
+ done = 1;
+ if (!flush_all)
+ break;
+ }
+
+ /* Check the sample overflow count */
+- if (te->overflow)
++ if (te->header.overflow)
+ /* Account sample overflows and, if a particular limit
+ * is reached, extend the sampling buffer.
+ * For details, see sfb_account_overflows().
+ */
+- sampl_overflow += te->overflow;
++ sampl_overflow += te->header.overflow;
+
+ /* Timestamps are valid for full sample-data-blocks only */
+ debug_sprintf_event(sfdbg, 6, "%s: sdbt %#lx "
+ "overflow %llu timestamp %#llx\n",
+- __func__, (unsigned long)sdbt, te->overflow,
+- (te->f) ? trailer_timestamp(te) : 0ULL);
++ __func__, (unsigned long)sdbt, te->header.overflow,
++ (te->header.f) ? trailer_timestamp(te) : 0ULL);
+
+ /* Collect all samples from a single sample-data-block and
+ * flag if an (perf) event overflow happened. If so, the PMU
+@@ -1294,12 +1306,16 @@ static void hw_perf_event_update(struct
+ num_sdb++;
+
+ /* Reset trailer (using compare-double-and-swap) */
++ /* READ_ONCE() 16 byte header */
++ prev.val = __cdsg(&te->header.val, 0, 0);
+ do {
+- te_flags = te->flags & ~SDB_TE_BUFFER_FULL_MASK;
+- te_flags |= SDB_TE_ALERT_REQ_MASK;
+- } while (!cmpxchg_double(&te->flags, &te->overflow,
+- te->flags, te->overflow,
+- te_flags, 0ULL));
++ old.val = prev.val;
++ new.val = prev.val;
++ new.f = 0;
++ new.a = 1;
++ new.overflow = 0;
++ prev.val = __cdsg(&te->header.val, old.val, new.val);
++ } while (prev.val != old.val);
+
+ /* Advance to next sample-data-block */
+ sdbt++;
+@@ -1384,7 +1400,7 @@ static void aux_output_end(struct perf_o
+ range_scan = AUX_SDB_NUM_ALERT(aux);
+ for (i = 0, idx = aux->head; i < range_scan; i++, idx++) {
+ te = aux_sdb_trailer(aux, idx);
+- if (!(te->flags & SDB_TE_BUFFER_FULL_MASK))
++ if (!te->header.f)
+ break;
+ }
+ /* i is num of SDBs which are full */
+@@ -1392,7 +1408,7 @@ static void aux_output_end(struct perf_o
+
+ /* Remove alert indicators in the buffer */
+ te = aux_sdb_trailer(aux, aux->alert_mark);
+- te->flags &= ~SDB_TE_ALERT_REQ_MASK;
++ te->header.a = 0;
+
+ debug_sprintf_event(sfdbg, 6, "%s: SDBs %ld range %ld head %ld\n",
+ __func__, i, range_scan, aux->head);
+@@ -1437,9 +1453,9 @@ static int aux_output_begin(struct perf_
+ idx = aux->empty_mark + 1;
+ for (i = 0; i < range_scan; i++, idx++) {
+ te = aux_sdb_trailer(aux, idx);
+- te->flags &= ~(SDB_TE_BUFFER_FULL_MASK |
+- SDB_TE_ALERT_REQ_MASK);
+- te->overflow = 0;
++ te->header.f = 0;
++ te->header.a = 0;
++ te->header.overflow = 0;
+ }
+ /* Save the position of empty SDBs */
+ aux->empty_mark = aux->head + range - 1;
+@@ -1448,7 +1464,7 @@ static int aux_output_begin(struct perf_
+ /* Set alert indicator */
+ aux->alert_mark = aux->head + range/2 - 1;
+ te = aux_sdb_trailer(aux, aux->alert_mark);
+- te->flags = te->flags | SDB_TE_ALERT_REQ_MASK;
++ te->header.a = 1;
+
+ /* Reset hardware buffer head */
+ head = AUX_SDB_INDEX(aux, aux->head);
+@@ -1475,14 +1491,17 @@ static int aux_output_begin(struct perf_
+ static bool aux_set_alert(struct aux_buffer *aux, unsigned long alert_index,
+ unsigned long long *overflow)
+ {
+- unsigned long long orig_overflow, orig_flags, new_flags;
++ union hws_trailer_header old, prev, new;
+ struct hws_trailer_entry *te;
+
+ te = aux_sdb_trailer(aux, alert_index);
++ /* READ_ONCE() 16 byte header */
++ prev.val = __cdsg(&te->header.val, 0, 0);
+ do {
+- orig_flags = te->flags;
+- *overflow = orig_overflow = te->overflow;
+- if (orig_flags & SDB_TE_BUFFER_FULL_MASK) {
++ old.val = prev.val;
++ new.val = prev.val;
++ *overflow = old.overflow;
++ if (old.f) {
+ /*
+ * SDB is already set by hardware.
+ * Abort and try to set somewhere
+@@ -1490,10 +1509,10 @@ static bool aux_set_alert(struct aux_buf
+ */
+ return false;
+ }
+- new_flags = orig_flags | SDB_TE_ALERT_REQ_MASK;
+- } while (!cmpxchg_double(&te->flags, &te->overflow,
+- orig_flags, orig_overflow,
+- new_flags, 0ULL));
++ new.a = 1;
++ new.overflow = 0;
++ prev.val = __cdsg(&te->header.val, old.val, new.val);
++ } while (prev.val != old.val);
+ return true;
+ }
+
+@@ -1522,8 +1541,9 @@ static bool aux_set_alert(struct aux_buf
+ static bool aux_reset_buffer(struct aux_buffer *aux, unsigned long range,
+ unsigned long long *overflow)
+ {
+- unsigned long long orig_overflow, orig_flags, new_flags;
+ unsigned long i, range_scan, idx, idx_old;
++ union hws_trailer_header old, prev, new;
++ unsigned long long orig_overflow;
+ struct hws_trailer_entry *te;
+
+ debug_sprintf_event(sfdbg, 6, "%s: range %ld head %ld alert %ld "
+@@ -1554,17 +1574,20 @@ static bool aux_reset_buffer(struct aux_
+ idx_old = idx = aux->empty_mark + 1;
+ for (i = 0; i < range_scan; i++, idx++) {
+ te = aux_sdb_trailer(aux, idx);
++ /* READ_ONCE() 16 byte header */
++ prev.val = __cdsg(&te->header.val, 0, 0);
+ do {
+- orig_flags = te->flags;
+- orig_overflow = te->overflow;
+- new_flags = orig_flags & ~SDB_TE_BUFFER_FULL_MASK;
++ old.val = prev.val;
++ new.val = prev.val;
++ orig_overflow = old.overflow;
++ new.f = 0;
++ new.overflow = 0;
+ if (idx == aux->alert_mark)
+- new_flags |= SDB_TE_ALERT_REQ_MASK;
++ new.a = 1;
+ else
+- new_flags &= ~SDB_TE_ALERT_REQ_MASK;
+- } while (!cmpxchg_double(&te->flags, &te->overflow,
+- orig_flags, orig_overflow,
+- new_flags, 0ULL));
++ new.a = 0;
++ prev.val = __cdsg(&te->header.val, old.val, new.val);
++ } while (prev.val != old.val);
+ *overflow += orig_overflow;
+ }
+
--- /dev/null
+From c2337a40e04dde1692b5b0a46ecc59f89aaba8a1 Mon Sep 17 00:00:00 2001
+From: Alexander Egorenkov <egorenar@linux.ibm.com>
+Date: Mon, 14 Nov 2022 11:40:08 +0100
+Subject: s390/kexec: fix ipl report address for kdump
+
+From: Alexander Egorenkov <egorenar@linux.ibm.com>
+
+commit c2337a40e04dde1692b5b0a46ecc59f89aaba8a1 upstream.
+
+This commit addresses the following erroneous situation with file-based
+kdump executed on a system with a valid IPL report.
+
+On s390, a kdump kernel, its initrd and IPL report if present are loaded
+into a special and reserved on boot memory region - crashkernel. When
+a system crashes and kdump was activated before, the purgatory code
+is entered first which swaps the crashkernel and [0 - crashkernel size]
+memory regions. Only after that the kdump kernel is entered. For this
+reason, the pointer to an IPL report in lowcore must point to the IPL report
+after the swap and not to the address of the IPL report that was located in
+crashkernel memory region before the swap. Failing to do so, makes the
+kdump's decompressor try to read memory from the crashkernel memory region
+which already contains the production's kernel memory.
+
+The situation described above caused spontaneous kdump failures/hangs
+on systems where the Secure IPL is activated because on such systems
+an IPL report is always present. In that case kdump's decompressor tried
+to parse an IPL report which frequently lead to illegal memory accesses
+because an IPL report contains addresses to various data.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 99feaa717e55 ("s390/kexec_file: Create ipl report and pass to next kernel")
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Alexander Egorenkov <egorenar@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/machine_kexec_file.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kernel/machine_kexec_file.c
++++ b/arch/s390/kernel/machine_kexec_file.c
+@@ -185,8 +185,6 @@ static int kexec_file_add_ipl_report(str
+
+ data->memsz = ALIGN(data->memsz, PAGE_SIZE);
+ buf.mem = data->memsz;
+- if (image->type == KEXEC_TYPE_CRASH)
+- buf.mem += crashk_res.start;
+
+ ptr = (void *)ipl_cert_list_addr;
+ end = ptr + ipl_cert_list_size;
+@@ -223,6 +221,9 @@ static int kexec_file_add_ipl_report(str
+ data->kernel_buf + offsetof(struct lowcore, ipl_parmblock_ptr);
+ *lc_ipl_parmblock_ptr = (__u32)buf.mem;
+
++ if (image->type == KEXEC_TYPE_CRASH)
++ buf.mem += crashk_res.start;
++
+ ret = kexec_add_buffer(&buf);
+ out:
+ return ret;
--- /dev/null
+From e3f360db08d55a14112bd27454e616a24296a8b0 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Mon, 9 Jan 2023 11:51:20 +0100
+Subject: s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple()
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+commit e3f360db08d55a14112bd27454e616a24296a8b0 upstream.
+
+Make sure that *ptr__ within arch_this_cpu_to_op_simple() is only
+dereferenced once by using READ_ONCE(). Otherwise the compiler could
+generate incorrect code.
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/percpu.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/include/asm/percpu.h
++++ b/arch/s390/include/asm/percpu.h
+@@ -31,7 +31,7 @@
+ pcp_op_T__ *ptr__; \
+ preempt_disable_notrace(); \
+ ptr__ = raw_cpu_ptr(&(pcp)); \
+- prev__ = *ptr__; \
++ prev__ = READ_ONCE(*ptr__); \
+ do { \
+ old__ = prev__; \
+ new__ = old__ op (val); \
--- /dev/null
+netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch
+alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch
+kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch
+efi-tpm-avoid-read_once-for-accessing-the-event-log.patch
+docs-fix-the-docs-build-with-sphinx-6.0.patch
+perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch
+s390-kexec-fix-ipl-report-address-for-kdump.patch
+asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch
+s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch
+s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
