--- /dev/null
+From f64e4275ef7407d5c3eca20436519bbd1f796e40 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 10 Jan 2023 16:30:28 +0100
+Subject: ACPI: Fix selecting wrong ACPI fwnode for the iGPU on some Dell laptops
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit f64e4275ef7407d5c3eca20436519bbd1f796e40 upstream.
+
+The Dell Latitude E6430 both with and without the optional NVidia dGPU
+has a bug in its ACPI tables which is causing Linux to assign the wrong
+ACPI fwnode / companion to the pci_device for the i915 iGPU.
+
+Specifically under the PCI root bridge there are these 2 ACPI Device()s :
+
+ Scope (_SB.PCI0)
+ {
+ Device (GFX0)
+ {
+ Name (_ADR, 0x00020000) // _ADR: Address
+ }
+
+ ...
+
+ Device (VID)
+ {
+ Name (_ADR, 0x00020000) // _ADR: Address
+ ...
+
+ Method (_DOS, 1, NotSerialized) // _DOS: Disable Output Switching
+ {
+ VDP8 = Arg0
+ VDP1 (One, VDP8)
+ }
+
+ Method (_DOD, 0, NotSerialized) // _DOD: Display Output Devices
+ {
+ ...
+ }
+ ...
+ }
+ }
+
+The non-functional GFX0 ACPI device is a problem, because this gets
+returned as ACPI companion-device by acpi_find_child_device() for the iGPU.
+
+This is a long standing problem and the i915 driver does use the ACPI
+companion for some things, but works fine without it.
+
+However since commit 63f534b8bad9 ("ACPI: PCI: Rework acpi_get_pci_dev()")
+acpi_get_pci_dev() relies on the physical-node pointer in the acpi_device
+and that is set on the wrong acpi_device because of the wrong
+acpi_find_child_device() return. This breaks the ACPI video code,
+leading to non working backlight control in some cases.
+
+Add a type.backlight flag, mark ACPI video bus devices with this and make
+find_child_checks() return a higher score for children with this flag set,
+so that it picks the right companion-device.
+
+Fixes: 63f534b8bad9 ("ACPI: PCI: Rework acpi_get_pci_dev()")
+Co-developed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Cc: 6.1+ <stable@vger.kernel.org> # 6.1+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/glue.c | 14 ++++++++++++--
+ drivers/acpi/scan.c | 7 +++++--
+ include/acpi/acpi_bus.h | 3 ++-
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/acpi/glue.c b/drivers/acpi/glue.c
+index 204fe94c7e45..a194f30876c5 100644
+--- a/drivers/acpi/glue.c
++++ b/drivers/acpi/glue.c
+@@ -75,7 +75,8 @@ static struct acpi_bus_type *acpi_get_bus_type(struct device *dev)
+ }
+
+ #define FIND_CHILD_MIN_SCORE 1
+-#define FIND_CHILD_MAX_SCORE 2
++#define FIND_CHILD_MID_SCORE 2
++#define FIND_CHILD_MAX_SCORE 3
+
+ static int match_any(struct acpi_device *adev, void *not_used)
+ {
+@@ -96,8 +97,17 @@ static int find_child_checks(struct acpi_device *adev, bool check_children)
+ return -ENODEV;
+
+ status = acpi_evaluate_integer(adev->handle, "_STA", NULL, &sta);
+- if (status == AE_NOT_FOUND)
++ if (status == AE_NOT_FOUND) {
++ /*
++ * Special case: backlight device objects without _STA are
++ * preferred to other objects with the same _ADR value, because
++ * it is more likely that they are actually useful.
++ */
++ if (adev->pnp.type.backlight)
++ return FIND_CHILD_MID_SCORE;
++
+ return FIND_CHILD_MIN_SCORE;
++ }
+
+ if (ACPI_FAILURE(status) || !(sta & ACPI_STA_DEVICE_ENABLED))
+ return -ENODEV;
+diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
+index 274344434282..0c6f06abe3f4 100644
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1370,9 +1370,12 @@ static void acpi_set_pnp_ids(acpi_handle handle, struct acpi_device_pnp *pnp,
+ * Some devices don't reliably have _HIDs & _CIDs, so add
+ * synthetic HIDs to make sure drivers can find them.
+ */
+- if (acpi_is_video_device(handle))
++ if (acpi_is_video_device(handle)) {
+ acpi_add_id(pnp, ACPI_VIDEO_HID);
+- else if (acpi_bay_match(handle))
++ pnp->type.backlight = 1;
++ break;
++ }
++ if (acpi_bay_match(handle))
+ acpi_add_id(pnp, ACPI_BAY_HID);
+ else if (acpi_dock_match(handle))
+ acpi_add_id(pnp, ACPI_DOCK_HID);
+diff --git a/include/acpi/acpi_bus.h b/include/acpi/acpi_bus.h
+index cd3b75e08ec3..e44be31115a6 100644
+--- a/include/acpi/acpi_bus.h
++++ b/include/acpi/acpi_bus.h
+@@ -230,7 +230,8 @@ struct acpi_pnp_type {
+ u32 hardware_id:1;
+ u32 bus_address:1;
+ u32 platform_id:1;
+- u32 reserved:29;
++ u32 backlight:1;
++ u32 reserved:28;
+ };
+
+ struct acpi_device_pnp {
+--
+2.39.0
+
--- /dev/null
+From 70051cffb31b5ee09096351c3b41fcae6f89de31 Mon Sep 17 00:00:00 2001
+From: Jaroslav Kysela <perex@perex.cz>
+Date: Mon, 9 Jan 2023 16:12:49 +0100
+Subject: ALSA: control-led: use strscpy in set_led_id()
+
+From: Jaroslav Kysela <perex@perex.cz>
+
+commit 70051cffb31b5ee09096351c3b41fcae6f89de31 upstream.
+
+The use of strncpy() in the set_led_id() was incorrect.
+The len variable should use 'min(sizeof(buf2) - 1, count)'
+expression.
+
+Use strscpy() function to simplify things and handle the error gracefully.
+
+Fixes: a135dfb5de15 ("ALSA: led control - add sysfs kcontrol LED marking layer")
+Reported-by: yang.yang29@zte.com.cn
+Link: https://lore.kernel.org/alsa-devel/202301091945513559977@zte.com.cn/
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/control_led.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/sound/core/control_led.c
++++ b/sound/core/control_led.c
+@@ -530,12 +530,11 @@ static ssize_t set_led_id(struct snd_ctl
+ bool attach)
+ {
+ char buf2[256], *s, *os;
+- size_t len = max(sizeof(s) - 1, count);
+ struct snd_ctl_elem_id id;
+ int err;
+
+- strncpy(buf2, buf, len);
+- buf2[len] = '\0';
++ if (strscpy(buf2, buf, sizeof(buf2)) < 0)
++ return -E2BIG;
+ memset(&id, 0, sizeof(id));
+ id.iface = SNDRV_CTL_ELEM_IFACE_MIXER;
+ s = buf2;
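Review bot: The new `strscpy(buf2, buf, sizeof(buf2))` in set_led_id() no longer consults `count`, so the copy now relies entirely on `buf` being NUL-terminated. That presumably holds because the callers are sysfs store handlers, but they are not visible in this hunk. A short comment would record the assumption, e.g. `/* buf comes from a sysfs store and is NUL-terminated; reject input that does not fit buf2 */`. The removed `max(sizeof(s) - 1, count)` did not bound the copy by `sizeof(buf2)`, so the description could say plainly that the old code could write past `buf2` when `count` exceeded it. The function body continues outside the hunk.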
--- /dev/null
+From ca88eeb308a221c2dcd4a64031d2e5fcd3db9eaa Mon Sep 17 00:00:00 2001
+From: Luka Guzenko <l.guzenko@web.de>
+Date: Tue, 10 Jan 2023 21:25:14 +0100
+Subject: ALSA: hda/realtek: Enable mute/micmute LEDs on HP Spectre x360 13-aw0xxx
+
+From: Luka Guzenko <l.guzenko@web.de>
+
+commit ca88eeb308a221c2dcd4a64031d2e5fcd3db9eaa upstream.
+
+The HP Spectre x360 13-aw0xxx devices use the ALC285 codec with GPIO 0x04
+controlling the micmute LED and COEF 0x0b index 8 controlling the mute LED.
+A quirk was added to make these work as well as a fixup.
+
+Signed-off-by: Luka Guzenko <l.guzenko@web.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230110202514.2792-1-l.guzenko@web.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4646,6 +4646,16 @@ static void alc285_fixup_hp_coef_micmute
+ }
+ }
+
++static void alc285_fixup_hp_gpio_micmute_led(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ struct alc_spec *spec = codec->spec;
++
++ if (action == HDA_FIXUP_ACT_PRE_PROBE)
++ spec->micmute_led_polarity = 1;
++ alc_fixup_hp_gpio_led(codec, action, 0, 0x04);
++}
++
+ static void alc236_fixup_hp_coef_micmute_led(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
+@@ -4667,6 +4677,13 @@ static void alc285_fixup_hp_mute_led(str
+ alc285_fixup_hp_coef_micmute_led(codec, fix, action);
+ }
+
++static void alc285_fixup_hp_spectre_x360_mute_led(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ alc285_fixup_hp_mute_led_coefbit(codec, fix, action);
++ alc285_fixup_hp_gpio_micmute_led(codec, fix, action);
++}
++
+ static void alc236_fixup_hp_mute_led(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
+@@ -7108,6 +7125,7 @@ enum {
+ ALC285_FIXUP_ASUS_G533Z_PINS,
+ ALC285_FIXUP_HP_GPIO_LED,
+ ALC285_FIXUP_HP_MUTE_LED,
++ ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED,
+ ALC236_FIXUP_HP_GPIO_LED,
+ ALC236_FIXUP_HP_MUTE_LED,
+ ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF,
+@@ -8488,6 +8506,10 @@ static const struct hda_fixup alc269_fix
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc285_fixup_hp_mute_led,
+ },
++ [ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc285_fixup_hp_spectre_x360_mute_led,
++ },
+ [ALC236_FIXUP_HP_GPIO_LED] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc236_fixup_hp_gpio_led,
+@@ -9330,6 +9352,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO),
+ SND_PCI_QUIRK(0x103c, 0x86e7, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
+ SND_PCI_QUIRK(0x103c, 0x86e8, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
++ SND_PCI_QUIRK(0x103c, 0x86f9, "HP Spectre x360 13-aw0xxx", ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED),
--- /dev/null
+From 1f680609bf1beac20e2a31ddcb1b88874123c39f Mon Sep 17 00:00:00 2001
+From: Yuchi Yang <yangyuchi66@gmail.com>
+Date: Fri, 30 Dec 2022 15:22:25 +0800
+Subject: ALSA: hda/realtek - Turn on power early
+
+From: Yuchi Yang <yangyuchi66@gmail.com>
+
+commit 1f680609bf1beac20e2a31ddcb1b88874123c39f upstream.
+
+Turn on power early to avoid wrong state for power relation register.
+This can earlier update JD state when resume back.
+
+Signed-off-by: Yuchi Yang <yangyuchi66@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/e35d8f4fa18f4448a2315cc7d4a3715f@realtek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3564,6 +3564,15 @@ static void alc256_init(struct hda_codec
+ hda_nid_t hp_pin = alc_get_hp_pin(spec);
+ bool hp_pin_sense;
+
++ if (spec->ultra_low_power) {
++ alc_update_coef_idx(codec, 0x03, 1<<1, 1<<1);
++ alc_update_coef_idx(codec, 0x08, 3<<2, 3<<2);
++ alc_update_coef_idx(codec, 0x08, 7<<4, 0);
++ alc_update_coef_idx(codec, 0x3b, 1<<15, 0);
++ alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6);
++ msleep(30);
++ }
++
+ if (!hp_pin)
+ hp_pin = 0x21;
+
+@@ -3575,14 +3584,6 @@ static void alc256_init(struct hda_codec
+ msleep(2);
+
+ alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */
+- if (spec->ultra_low_power) {
+- alc_update_coef_idx(codec, 0x03, 1<<1, 1<<1);
+- alc_update_coef_idx(codec, 0x08, 3<<2, 3<<2);
+- alc_update_coef_idx(codec, 0x08, 7<<4, 0);
+- alc_update_coef_idx(codec, 0x3b, 1<<15, 0);
+- alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6);
+- msleep(30);
+- }
+
+ snd_hda_codec_write(codec, hp_pin, 0,
+ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
+@@ -3713,6 +3714,13 @@ static void alc225_init(struct hda_codec
+ hda_nid_t hp_pin = alc_get_hp_pin(spec);
+ bool hp1_pin_sense, hp2_pin_sense;
+
++ if (spec->ultra_low_power) {
++ alc_update_coef_idx(codec, 0x08, 0x0f << 2, 3<<2);
++ alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6);
++ alc_update_coef_idx(codec, 0x33, 1<<11, 0);
++ msleep(30);
++ }
++
+ if (spec->codec_variant != ALC269_TYPE_ALC287 &&
+ spec->codec_variant != ALC269_TYPE_ALC245)
+ /* required only at boot or S3 and S4 resume time */
+@@ -3734,12 +3742,6 @@ static void alc225_init(struct hda_codec
+ msleep(2);
+
+ alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */
+- if (spec->ultra_low_power) {
+- alc_update_coef_idx(codec, 0x08, 0x0f << 2, 3<<2);
+- alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6);
+- alc_update_coef_idx(codec, 0x33, 1<<11, 0);
+- msleep(30);
+- }
+
+ if (hp1_pin_sense || spec->ultra_low_power)
+ snd_hda_codec_write(codec, hp_pin, 0,
--- /dev/null
+From 291e9da91403e0e628d7692b5ed505100e7b7706 Mon Sep 17 00:00:00 2001
+From: Jaroslav Kysela <perex@perex.cz>
+Date: Mon, 9 Jan 2023 15:11:33 +0100
+Subject: ALSA: usb-audio: Always initialize fixed_rate in snd_usb_find_implicit_fb_sync_format()
+
+From: Jaroslav Kysela <perex@perex.cz>
+
+commit 291e9da91403e0e628d7692b5ed505100e7b7706 upstream.
+
+Handle the fallback code path, too.
+
+Fixes: fd28941cff1c ("ALSA: usb-audio: Add new quirk FIXED_RATE for JBL Quantum810 Wireless")
+BugLink: https://lore.kernel.org/alsa-devel/Y7frf3N%2FxzvESEsN@kili/
+Reported-by: Dan Carpenter <error27@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+Link: https://lore.kernel.org/r/20230109141133.335543-1-perex@perex.cz
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/implicit.c | 3 ++-
+ sound/usb/pcm.c | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/implicit.c
++++ b/sound/usb/implicit.c
+@@ -471,7 +471,7 @@ snd_usb_find_implicit_fb_sync_format(str
+ subs = find_matching_substream(chip, stream, target->sync_ep,
+ target->fmt_type);
+ if (!subs)
+- return sync_fmt;
++ goto end;
+
+ high_score = 0;
+ list_for_each_entry(fp, &subs->fmt_list, list) {
+@@ -485,6 +485,7 @@ snd_usb_find_implicit_fb_sync_format(str
+ }
+ }
+
++ end:
+ if (fixed_rate)
+ *fixed_rate = snd_usb_pcm_has_fixed_rate(subs);
+ return sync_fmt;
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -163,6 +163,8 @@ bool snd_usb_pcm_has_fixed_rate(struct s
+ struct snd_usb_audio *chip = subs->stream->chip;
+ int rate = -1;
+
++ if (!subs)
++ return false;
+ if (!(chip->quirk_flags & QUIRK_FLAG_FIXED_RATE))
+ return false;
+ list_for_each_entry(fp, &subs->fmt_list, list) {
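Review bot: The added `if (!subs) return false;` in snd_usb_pcm_has_fixed_rate() sits after `struct snd_usb_audio *chip = subs->stream->chip;`, so a NULL `subs` is still dereferenced in the initializer before the guard runs, and the compiler may drop the guard as unreachable. The implicit.c hunks create exactly that case: `goto end` is taken when `subs` is NULL, and `end:` then calls `snd_usb_pcm_has_fixed_rate(subs)` whenever `fixed_rate` is set. Declare `chip` without an initializer and assign it after the check: `struct snd_usb_audio *chip;`, then `if (!subs) return false;`, then `chip = subs->stream->chip;`. The function body continues outside the hunk.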
--- /dev/null
+From 031af50045ea97ed4386eb3751ca2c134d0fc911 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Wed, 4 Jan 2023 15:16:26 +0000
+Subject: arm64: cmpxchg_double*: hazard against entire exchange variable
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit 031af50045ea97ed4386eb3751ca2c134d0fc911 upstream.
+
+The inline assembly for arm64's cmpxchg_double*() implementations use a
++Q constraint to hazard against other accesses to the memory location
+being exchanged. However, the pointer passed to the constraint is a
+pointer to unsigned long, and thus the hazard only applies to the first
+8 bytes of the location.
+
+GCC can take advantage of this, assuming that other portions of the
+location are unchanged, leading to a number of potential problems.
+
+This is similar to what we fixed back in commit:
+
+ fee960bed5e857eb ("arm64: xchg: hazard against entire exchange variable")
+
+... but we forgot to adjust cmpxchg_double*() similarly at the same
+time.
+
+The same problem applies, as demonstrated with the following test:
+
+| struct big {
+| u64 lo, hi;
+| } __aligned(128);
+|
+| unsigned long foo(struct big *b)
+| {
+| u64 hi_old, hi_new;
+|
+| hi_old = b->hi;
+| cmpxchg_double_local(&b->lo, &b->hi, 0x12, 0x34, 0x56, 0x78);
+| hi_new = b->hi;
+|
+| return hi_old ^ hi_new;
+| }
+
+... which GCC 12.1.0 compiles as:
+
+| 0000000000000000 <foo>:
+| 0: d503233f paciasp
+| 4: aa0003e4 mov x4, x0
+| 8: 1400000e b 40 <foo+0x40>
+| c: d2800240 mov x0, #0x12 // #18
+| 10: d2800681 mov x1, #0x34 // #52
+| 14: aa0003e5 mov x5, x0
+| 18: aa0103e6 mov x6, x1
+| 1c: d2800ac2 mov x2, #0x56 // #86
+| 20: d2800f03 mov x3, #0x78 // #120
+| 24: 48207c82 casp x0, x1, x2, x3, [x4]
+| 28: ca050000 eor x0, x0, x5
+| 2c: ca060021 eor x1, x1, x6
+| 30: aa010000 orr x0, x0, x1
+| 34: d2800000 mov x0, #0x0 // #0 <--- BANG
+| 38: d50323bf autiasp
+| 3c: d65f03c0 ret
+| 40: d2800240 mov x0, #0x12 // #18
+| 44: d2800681 mov x1, #0x34 // #52
+| 48: d2800ac2 mov x2, #0x56 // #86
+| 4c: d2800f03 mov x3, #0x78 // #120
+| 50: f9800091 prfm pstl1strm, [x4]
+| 54: c87f1885 ldxp x5, x6, [x4]
+| 58: ca0000a5 eor x5, x5, x0
+| 5c: ca0100c6 eor x6, x6, x1
+| 60: aa0600a6 orr x6, x5, x6
+| 64: b5000066 cbnz x6, 70 <foo+0x70>
+| 68: c8250c82 stxp w5, x2, x3, [x4]
+| 6c: 35ffff45 cbnz w5, 54 <foo+0x54>
+| 70: d2800000 mov x0, #0x0 // #0 <--- BANG
+| 74: d50323bf autiasp
+| 78: d65f03c0 ret
+
+Notice that at the lines with "BANG" comments, GCC has assumed that the
+higher 8 bytes are unchanged by the cmpxchg_double() call, and that
+`hi_old ^ hi_new` can be reduced to a constant zero, for both LSE and
+LL/SC versions of cmpxchg_double().
+
+This patch fixes the issue by passing a pointer to __uint128_t into the
++Q constraint, ensuring that the compiler hazards against the entire 16
+bytes being modified.
+
+With this change, GCC 12.1.0 compiles the above test as:
+
+| 0000000000000000 <foo>:
+| 0: f9400407 ldr x7, [x0, #8]
+| 4: d503233f paciasp
+| 8: aa0003e4 mov x4, x0
+| c: 1400000f b 48 <foo+0x48>
+| 10: d2800240 mov x0, #0x12 // #18
+| 14: d2800681 mov x1, #0x34 // #52
+| 18: aa0003e5 mov x5, x0
+| 1c: aa0103e6 mov x6, x1
+| 20: d2800ac2 mov x2, #0x56 // #86
+| 24: d2800f03 mov x3, #0x78 // #120
+| 28: 48207c82 casp x0, x1, x2, x3, [x4]
+| 2c: ca050000 eor x0, x0, x5
+| 30: ca060021 eor x1, x1, x6
+| 34: aa010000 orr x0, x0, x1
+| 38: f9400480 ldr x0, [x4, #8]
+| 3c: d50323bf autiasp
+| 40: ca0000e0 eor x0, x7, x0
+| 44: d65f03c0 ret
+| 48: d2800240 mov x0, #0x12 // #18
+| 4c: d2800681 mov x1, #0x34 // #52
+| 50: d2800ac2 mov x2, #0x56 // #86
+| 54: d2800f03 mov x3, #0x78 // #120
+| 58: f9800091 prfm pstl1strm, [x4]
+| 5c: c87f1885 ldxp x5, x6, [x4]
+| 60: ca0000a5 eor x5, x5, x0
+| 64: ca0100c6 eor x6, x6, x1
+| 68: aa0600a6 orr x6, x5, x6
+| 6c: b5000066 cbnz x6, 78 <foo+0x78>
+| 70: c8250c82 stxp w5, x2, x3, [x4]
+| 74: 35ffff45 cbnz w5, 5c <foo+0x5c>
+| 78: f9400480 ldr x0, [x4, #8]
+| 7c: d50323bf autiasp
+| 80: ca0000e0 eor x0, x7, x0
+| 84: d65f03c0 ret
+
+... sampling the high 8 bytes before and after the cmpxchg, and
+performing an EOR, as we'd expect.
+
+For backporting, I've tested this atop linux-4.9.y with GCC 5.5.0. Note
+that linux-4.9.y is oldest currently supported stable release, and
+mandates GCC 5.1+. Unfortunately I couldn't get a GCC 5.1 binary to run
+on my machines due to library incompatibilities.
+
+I've also used a standalone test to check that we can use a __uint128_t
+pointer in a +Q constraint at least as far back as GCC 4.8.5 and LLVM
+3.9.1.
+
+Fixes: 5284e1b4bc8a ("arm64: xchg: Implement cmpxchg_double")
+Fixes: e9a4b795652f ("arm64: cmpxchg_dbl: patch in lse instructions when supported by the CPU")
+Reported-by: Boqun Feng <boqun.feng@gmail.com>
+Link: https://lore.kernel.org/lkml/Y6DEfQXymYVgL3oJ@boqun-archlinux/
+Reported-by: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/lkml/Y6GXoO4qmH9OIZ5Q@hirez.programming.kicks-ass.net/
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: stable@vger.kernel.org
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Steve Capper <steve.capper@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20230104151626.3262137-1-mark.rutland@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/atomic_ll_sc.h | 2 +-
+ arch/arm64/include/asm/atomic_lse.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/atomic_ll_sc.h
++++ b/arch/arm64/include/asm/atomic_ll_sc.h
+@@ -315,7 +315,7 @@ __ll_sc__cmpxchg_double##name(unsigned l
+ " cbnz %w0, 1b\n" \
+ " " #mb "\n" \
+ "2:" \
+- : "=&r" (tmp), "=&r" (ret), "+Q" (*(unsigned long *)ptr) \
++ : "=&r" (tmp), "=&r" (ret), "+Q" (*(__uint128_t *)ptr) \
+ : "r" (old1), "r" (old2), "r" (new1), "r" (new2) \
+ : cl); \
+ \
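Review bot: Nothing at the `+Q` operand of `__ll_sc__cmpxchg_double##name` records why the cast is to `__uint128_t`, so a later cleanup could narrow it back to `unsigned long` and reintroduce the miscompile shown in the commit message. A one-line comment above the asm statement would prevent that, e.g. `/* +Q must span all 16 bytes so the compiler treats both words as modified */`. The same applies to the `[v]` operand in the atomic_lse.h hunk. The macro body starts and ends outside the hunk.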
+--- a/arch/arm64/include/asm/atomic_lse.h
++++ b/arch/arm64/include/asm/atomic_lse.h
+@@ -311,7 +311,7 @@ __lse__cmpxchg_double##name(unsigned lon
+ " eor %[old2], %[old2], %[oldval2]\n" \
+ " orr %[old1], %[old1], %[old2]" \
+ : [old1] "+&r" (x0), [old2] "+&r" (x1), \
+- [v] "+Q" (*(unsigned long *)ptr) \
++ [v] "+Q" (*(__uint128_t *)ptr) \
+ : [new1] "r" (x2), [new2] "r" (x3), [ptr] "r" (x4), \
+ [oldval1] "r" (oldval1), [oldval2] "r" (oldval2) \
+ : cl); \
--- /dev/null
+From 4f4c549feb4ecca95ae9abb88887b941d196f83a Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Thu, 22 Dec 2022 18:12:51 +0000
+Subject: arm64: mte: Avoid the racy walk of the vma list during core dump
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+commit 4f4c549feb4ecca95ae9abb88887b941d196f83a upstream.
+
+The MTE coredump code in arch/arm64/kernel/elfcore.c iterates over the
+vma list without the mmap_lock held. This can race with another process
+or userfaultfd concurrently modifying the vma list. Change the
+for_each_mte_vma macro and its callers to instead use the vma snapshot
+taken by dump_vma_snapshot() and stored in the cprm object.
+
+Fixes: 6dd8b1a0b6cb ("arm64: mte: Dump the MTE tags in the core file")
+Cc: <stable@vger.kernel.org> # 5.18.x
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Reported-by: Seth Jenkins <sethjenkins@google.com>
+Suggested-by: Seth Jenkins <sethjenkins@google.com>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20221222181251.1345752-4-catalin.marinas@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/elfcore.c | 56 ++++++++++++++++++++------------------------
+ 1 file changed, 26 insertions(+), 30 deletions(-)
+
+--- a/arch/arm64/kernel/elfcore.c
++++ b/arch/arm64/kernel/elfcore.c
+@@ -8,28 +8,27 @@
+ #include <asm/cpufeature.h>
+ #include <asm/mte.h>
+
+-#define for_each_mte_vma(vmi, vma) \
++#define for_each_mte_vma(cprm, i, m) \
+ if (system_supports_mte()) \
+- for_each_vma(vmi, vma) \
+- if (vma->vm_flags & VM_MTE)
++ for (i = 0, m = cprm->vma_meta; \
++ i < cprm->vma_count; \
++ i++, m = cprm->vma_meta + i) \
++ if (m->flags & VM_MTE)
+
+-static unsigned long mte_vma_tag_dump_size(struct vm_area_struct *vma)
++static unsigned long mte_vma_tag_dump_size(struct core_vma_metadata *m)
+ {
+- if (vma->vm_flags & VM_DONTDUMP)
+- return 0;
+-
+- return vma_pages(vma) * MTE_PAGE_TAG_STORAGE;
++ return (m->dump_size >> PAGE_SHIFT) * MTE_PAGE_TAG_STORAGE;
+ }
+
+ /* Derived from dump_user_range(); start/end must be page-aligned */
+ static int mte_dump_tag_range(struct coredump_params *cprm,
+- unsigned long start, unsigned long end)
++ unsigned long start, unsigned long len)
+ {
+ int ret = 1;
+ unsigned long addr;
+ void *tags = NULL;
+
+- for (addr = start; addr < end; addr += PAGE_SIZE) {
++ for (addr = start; addr < start + len; addr += PAGE_SIZE) {
+ struct page *page = get_dump_page(addr);
+
+ /*
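Review bot: The comment kept above mte_dump_tag_range() still says `start/end must be page-aligned`, but the third parameter is now a length and the caller passes `m->dump_size`. The loop emits one tag block per page up to `start + len`, while mte_vma_tag_dump_size() sizes the segment as `dump_size >> PAGE_SHIFT`. The two agree only when `dump_size` is a whole number of pages, which is presumably guaranteed by the snapshot code but is not visible here. I would update the comment to state the requirement, e.g. `/* Derived from dump_user_range(); start and len must be page-aligned */`. The function body continues outside the hunk.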
+@@ -78,11 +77,11 @@ static int mte_dump_tag_range(struct cor
+
+ Elf_Half elf_core_extra_phdrs(void)
+ {
+- struct vm_area_struct *vma;
++ int i;
++ struct core_vma_metadata *m;
+ int vma_count = 0;
+- VMA_ITERATOR(vmi, current->mm, 0);
+
+- for_each_mte_vma(vmi, vma)
++ for_each_mte_vma(cprm, i, m)
+ vma_count++;
+
+ return vma_count;
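Review bot: `elf_core_extra_phdrs(void)` now expands `for_each_mte_vma(cprm, i, m)`, but the signature shown in this hunk takes no arguments. `cprm` is therefore undeclared in the function unless a prerequisite change, not part of this patch, adds a `struct coredump_params *cprm` parameter. `elf_core_extra_data_size(void)` in the last hunk has the same problem. As queued here the file would presumably fail to build. Either the signature change has to be applied first, or both functions and their callers need the parameter added, e.g. `Elf_Half elf_core_extra_phdrs(struct coredump_params *cprm)`.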
+@@ -90,18 +89,18 @@ Elf_Half elf_core_extra_phdrs(void)
+
+ int elf_core_write_extra_phdrs(struct coredump_params *cprm, loff_t offset)
+ {
+- struct vm_area_struct *vma;
+- VMA_ITERATOR(vmi, current->mm, 0);
++ int i;
++ struct core_vma_metadata *m;
+
+- for_each_mte_vma(vmi, vma) {
++ for_each_mte_vma(cprm, i, m) {
+ struct elf_phdr phdr;
+
+ phdr.p_type = PT_AARCH64_MEMTAG_MTE;
+ phdr.p_offset = offset;
+- phdr.p_vaddr = vma->vm_start;
++ phdr.p_vaddr = m->start;
+ phdr.p_paddr = 0;
+- phdr.p_filesz = mte_vma_tag_dump_size(vma);
+- phdr.p_memsz = vma->vm_end - vma->vm_start;
++ phdr.p_filesz = mte_vma_tag_dump_size(m);
++ phdr.p_memsz = m->end - m->start;
+ offset += phdr.p_filesz;
+ phdr.p_flags = 0;
+ phdr.p_align = 0;
+@@ -115,26 +114,23 @@ int elf_core_write_extra_phdrs(struct co
+
+ size_t elf_core_extra_data_size(void)
+ {
+- struct vm_area_struct *vma;
++ int i;
++ struct core_vma_metadata *m;
+ size_t data_size = 0;
+- VMA_ITERATOR(vmi, current->mm, 0);
+
+- for_each_mte_vma(vmi, vma)
+- data_size += mte_vma_tag_dump_size(vma);
++ for_each_mte_vma(cprm, i, m)
++ data_size += mte_vma_tag_dump_size(m);
+
+ return data_size;
+ }
+
+ int elf_core_write_extra_data(struct coredump_params *cprm)
+ {
+- struct vm_area_struct *vma;
+- VMA_ITERATOR(vmi, current->mm, 0);
+-
+- for_each_mte_vma(vmi, vma) {
+- if (vma->vm_flags & VM_DONTDUMP)
+- continue;
++ int i;
++ struct core_vma_metadata *m;
+
+- if (!mte_dump_tag_range(cprm, vma->vm_start, vma->vm_end))
++ for_each_mte_vma(cprm, i, m) {
++ if (!mte_dump_tag_range(cprm, m->start, m->dump_size))
+ return 0;
+ }
+
--- /dev/null
+From 736eedc974eaafbf4360e0ea85fc892cea72a223 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Thu, 22 Dec 2022 18:12:49 +0000
+Subject: arm64: mte: Fix double-freeing of the temporary tag storage during coredump
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+commit 736eedc974eaafbf4360e0ea85fc892cea72a223 upstream.
+
+Commit 16decce22efa ("arm64: mte: Fix the stack frame size warning in
+mte_dump_tag_range()") moved the temporary tag storage array from the
+stack to slab but it also introduced an error in double freeing this
+object. Remove the in-loop freeing.
+
+Fixes: 16decce22efa ("arm64: mte: Fix the stack frame size warning in mte_dump_tag_range()")
+Cc: <stable@vger.kernel.org> # 5.18.x
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Reported-by: Seth Jenkins <sethjenkins@google.com>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20221222181251.1345752-2-catalin.marinas@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/elfcore.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/arm64/kernel/elfcore.c
++++ b/arch/arm64/kernel/elfcore.c
+@@ -65,7 +65,6 @@ static int mte_dump_tag_range(struct cor
+ mte_save_page_tags(page_address(page), tags);
+ put_page(page);
+ if (!dump_emit(cprm, tags, MTE_PAGE_TAG_STORAGE)) {
+- mte_free_tag_storage(tags);
+ ret = 0;
+ break;
+ }
--- /dev/null
+From 000bca8d706d1bf7cca01af75787247c5a2fdedf Mon Sep 17 00:00:00 2001
+From: Brian Norris <computersforpeace@gmail.com>
+Date: Fri, 30 Dec 2022 22:15:45 -0800
+Subject: ASoC: qcom: lpass-cpu: Fix fallback SD line index handling
+
+From: Brian Norris <computersforpeace@gmail.com>
+
+commit 000bca8d706d1bf7cca01af75787247c5a2fdedf upstream.
+
+These indices should reference the ID placed within the dai_driver
+array, not the indices of the array itself.
+
+This fixes commit 4ff028f6c108 ("ASoC: qcom: lpass-cpu: Make I2S SD
+lines configurable"), which among others, broke IPQ8064 audio
+(sound/soc/qcom/lpass-ipq806x.c) because it uses ID 4 but we'd stop
+initializing the mi2s_playback_sd_mode and mi2s_capture_sd_mode arrays
+at ID 0.
+
+Fixes: 4ff028f6c108 ("ASoC: qcom: lpass-cpu: Make I2S SD lines configurable")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Reviewed-by: Stephan Gerhold <stephan@gerhold.net>
+Link: https://lore.kernel.org/r/20221231061545.2110253-1-computersforpeace@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/lpass-cpu.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/qcom/lpass-cpu.c
++++ b/sound/soc/qcom/lpass-cpu.c
+@@ -1037,10 +1037,11 @@ static void of_lpass_cpu_parse_dai_data(
+ struct lpass_data *data)
+ {
+ struct device_node *node;
+- int ret, id;
++ int ret, i, id;
+
+ /* Allow all channels by default for backwards compatibility */
+- for (id = 0; id < data->variant->num_dai; id++) {
++ for (i = 0; i < data->variant->num_dai; i++) {
++ id = data->variant->dai_driver[i].id;
+ data->mi2s_playback_sd_mode[id] = LPAIF_I2SCTL_MODE_8CH;
+ data->mi2s_capture_sd_mode[id] = LPAIF_I2SCTL_MODE_8CH;
+ }
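Review bot: `id` is now read from `data->variant->dai_driver[i].id` and used directly as an index into `mi2s_playback_sd_mode[]` and `mi2s_capture_sd_mode[]`, and nothing in the hunk bounds it by the size of those arrays. The values come from static driver tables, so this is a robustness concern rather than input validation, but a variant with a larger ID would silently write out of bounds. If the two members are fixed-size arrays (their declarations are outside the hunk), a guard such as `if (id >= ARRAY_SIZE(data->mi2s_playback_sd_mode)) continue;` would make the assumption checkable. The function body continues outside the hunk.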
--- /dev/null
+From a5a36720c3f650f859f5e9535dd62d06f13f4f3b Mon Sep 17 00:00:00 2001
+From: "Ivan T. Ivanov" <iivanov@suse.de>
+Date: Fri, 6 Jan 2023 15:19:05 +0200
+Subject: brcmfmac: Prefer DT board type over DMI board type
+
+From: Ivan T. Ivanov <iivanov@suse.de>
+
+commit a5a36720c3f650f859f5e9535dd62d06f13f4f3b upstream.
+
+The introduction of support for Apple board types inadvertently changed
+the precedence order, causing hybrid SMBIOS+DT platforms to look up the
+firmware using the DMI information instead of the device tree compatible
+to generate the board type. Revert back to the old behavior,
+as affected platforms use firmwares named after the DT compatible.
+
+Fixes: 7682de8b3351 ("wifi: brcmfmac: of: Fetch Apple properties")
+
+[1] https://bugzilla.opensuse.org/show_bug.cgi?id=1206697#c13
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan T. Ivanov <iivanov@suse.de>
+Reviewed-by: Hector Martin <marcan@marcan.st>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Tested-by: Peter Robinson <pbrobinson@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
+index a83699de01ec..fdd0c9abc1a1 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
+@@ -79,7 +79,8 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
+ /* Apple ARM64 platforms have their own idea of board type, passed in
+ * via the device tree. They also have an antenna SKU parameter
+ */
+- if (!of_property_read_string(np, "brcm,board-type", &prop))
++ err = of_property_read_string(np, "brcm,board-type", &prop);
++ if (!err)
+ settings->board_type = prop;
+
+ if (!of_property_read_string(np, "apple,antenna-sku", &prop))
+@@ -87,7 +88,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
+
+ /* Set board-type to the first string of the machine compatible prop */
+ root = of_find_node_by_path("/");
+- if (root && !settings->board_type) {
++ if (root && err) {
+ char *board_type;
+ const char *tmp;
+
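Review bot: The fallback is now gated on `err`, which ties the `if (root && err)` test to the earlier `of_property_read_string(np, "brcm,board-type", &prop)` call through a generic variable name. If a later edit assigns `err` between the two, the DT-compatible fallback would be skipped or taken wrongly without any warning. A one-line comment at the test, e.g. `/* err still holds the brcm,board-type lookup result */`, or a dedicated local such as `bool have_board_type`, would make the dependency explicit. brcmf_of_probe() starts and ends outside the hunks.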
+--
+2.39.0
+
--- /dev/null
+From 4f3085f87b51a551a0647f218d4f324796ecb703 Mon Sep 17 00:00:00 2001
+From: Perry Yuan <perry.yuan@amd.com>
+Date: Tue, 10 Jan 2023 23:10:29 +0800
+Subject: cpufreq: amd-pstate: fix kernel hang issue while amd-pstate unregistering
+
+From: Perry Yuan <perry.yuan@amd.com>
+
+commit 4f3085f87b51a551a0647f218d4f324796ecb703 upstream.
+
+In the amd_pstate_adjust_perf(), there is one cpufreq_cpu_get() call to
+increase increments the kobject reference count of policy and make it as
+busy. Therefore, a corresponding call to cpufreq_cpu_put() is needed to
+decrement the kobject reference count back, it will resolve the kernel
+hang issue when unregistering the amd-pstate driver and register the
+`amd_pstate_epp` driver instance.
+
+Fixes: 1d215f0319 ("cpufreq: amd-pstate: Add fast switch function for AMD P-State")
+Acked-by: Huang Rui <ray.huang@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Tested-by: Wyes Karny <wyes.karny@amd.com>
+Signed-off-by: Perry Yuan <perry.yuan@amd.com>
+Cc: 5.17+ <stable@vger.kernel.org> # 5.17+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/amd-pstate.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/cpufreq/amd-pstate.c
++++ b/drivers/cpufreq/amd-pstate.c
+@@ -307,6 +307,7 @@ static void amd_pstate_adjust_perf(unsig
+ max_perf = min_perf;
+
+ amd_pstate_update(cpudata, min_perf, des_perf, max_perf, true);
++ cpufreq_cpu_put(policy);
+ }
+
+ static int amd_get_min_freq(struct amd_cpudata *cpudata)
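Review bot: The added `cpufreq_cpu_put(policy)` on the last line of amd_pstate_adjust_perf() releases the reference only on the fall-through path, and nothing in the hunk shows that `policy` was checked for NULL after cpufreq_cpu_get(). The start of the function is outside the hunk, so this needs confirming there: if the lookup can fail, the earlier uses of `policy` and this put would presumably operate on a NULL pointer. Any early `return` later added between the get and the put would also bring back the leaked reference that blocks driver unregistration. A guard such as `if (!policy) return;` directly after the get, plus a comment `/* pairs with cpufreq_cpu_get() above */` on the put, would make the pairing explicit.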
--- /dev/null
+From 0283189e8f3d0917e2ac399688df85211f48447b Mon Sep 17 00:00:00 2001
+From: Jonathan Corbet <corbet@lwn.net>
+Date: Wed, 4 Jan 2023 10:47:39 -0700
+Subject: docs: Fix the docs build with Sphinx 6.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Corbet <corbet@lwn.net>
+
+commit 0283189e8f3d0917e2ac399688df85211f48447b upstream.
+
+Sphinx 6.0 removed the execfile_() function, which we use as part of the
+configuration process. They *did* warn us... Just open-code the
+functionality as is done in Sphinx itself.
+
+Tested (using SPHINX_CONF, since this code is only executed with an
+alternative config file) on various Sphinx versions from 2.5 through 6.0.
+
+Reported-by: Martin Liška <mliska@suse.cz>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/sphinx/load_config.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/Documentation/sphinx/load_config.py
++++ b/Documentation/sphinx/load_config.py
+@@ -3,7 +3,7 @@
+
+ import os
+ import sys
+-from sphinx.util.pycompat import execfile_
++from sphinx.util.osutil import fs_encoding
+
+ # ------------------------------------------------------------------------------
+ def loadConfig(namespace):
+@@ -48,7 +48,9 @@ def loadConfig(namespace):
+ sys.stdout.write("load additional sphinx-config: %s\n" % config_file)
+ config = namespace.copy()
+ config['__file__'] = config_file
+- execfile_(config_file, config)
++ with open(config_file, 'rb') as f:
++ code = compile(f.read(), fs_encoding, 'exec')
++ exec(code, config)
+ del config['__file__']
+ namespace.update(config)
+ else:
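Review bot: In the added `compile(f.read(), fs_encoding, 'exec')`, the second positional argument of compile() is the filename recorded in the code object, not an encoding. A syntax error or traceback from the alternative config will therefore be labelled with the filesystem encoding name instead of the file that failed. `code = compile(f.read(), config_file, 'exec')` keeps diagnostics pointing at the right file and makes the new `from sphinx.util.osutil import fs_encoding` import in the first hunk unnecessary. As before this change, whatever file the path resolves to is executed with the privileges of the docs build, so a one-line comment that the config file is trusted input would be useful next to the `exec()`. loadConfig() continues outside the hunk.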
--- /dev/null
+From 1923bc5a56daeeabd7e9093bad2febcd6af2416a Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Tue, 27 Dec 2022 15:49:17 -0600
+Subject: drm/amd: Delay removal of the firmware framebuffer
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 1923bc5a56daeeabd7e9093bad2febcd6af2416a upstream.
+
+Removing the firmware framebuffer from the driver means that even
+if the driver doesn't support the IP blocks in a GPU it will no
+longer be functional after the driver fails to initialize.
+
+This change will ensure that unsupported IP blocks at least cause
+the driver to work with the EFI framebuffer.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 ++++++++
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 6 ------
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -36,6 +36,7 @@
+ #include <generated/utsrelease.h>
+ #include <linux/pci-p2pdma.h>
+
++#include <drm/drm_aperture.h>
+ #include <drm/drm_atomic_helper.h>
+ #include <drm/drm_probe_helper.h>
+ #include <drm/amdgpu_drm.h>
+@@ -89,6 +90,8 @@ MODULE_FIRMWARE("amdgpu/navi12_gpu_info.
+ #define AMDGPU_MAX_RETRY_LIMIT 2
+ #define AMDGPU_RETRY_SRIOV_RESET(r) ((r) == -EBUSY || (r) == -ETIMEDOUT || (r) == -EINVAL)
+
++static const struct drm_driver amdgpu_kms_driver;
++
+ const char *amdgpu_asic_name[] = {
+ "TAHITI",
+ "PITCAIRN",
+@@ -3677,6 +3680,11 @@ int amdgpu_device_init(struct amdgpu_dev
+ if (r)
+ return r;
+
++ /* Get rid of things like offb */
++ r = drm_aperture_remove_conflicting_pci_framebuffers(adev->pdev, &amdgpu_kms_driver);
++ if (r)
++ return r;
++
+ /* Enable TMZ based on IP_VERSION */
+ amdgpu_gmc_tmz_set(adev);
+
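Review bot: The `&amdgpu_kms_driver` passed to drm_aperture_remove_conflicting_pci_framebuffers() in amdgpu_device_init() resolves to the `static const struct drm_driver amdgpu_kms_driver;` added near the top of this file in the previous hunk. A file-scope `static` declaration with no initializer is a tentative definition, so unless this file defines the object further down (not visible here) it is a separate, zero-filled struct, not the driver structure that amdgpu_drv.c passes to devm_drm_dev_alloc(). The aperture helper would then be handed a driver with no name or callbacks, which could mislabel the takeover or lead to a NULL field being used. Passing the driver the device was actually allocated with, e.g. `adev_to_drm(adev)->driver`, avoids the shadow object and lets the forward declaration be dropped.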
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -23,7 +23,6 @@
+ */
+
+ #include <drm/amdgpu_drm.h>
+-#include <drm/drm_aperture.h>
+ #include <drm/drm_drv.h>
+ #include <drm/drm_gem.h>
+ #include <drm/drm_vblank.h>
+@@ -2123,11 +2122,6 @@ static int amdgpu_pci_probe(struct pci_d
+ }
+ #endif
+
+- /* Get rid of things like offb */
+- ret = drm_aperture_remove_conflicting_pci_framebuffers(pdev, &amdgpu_kms_driver);
+- if (ret)
+- return ret;
+-
+ adev = devm_drm_dev_alloc(&pdev->dev, &amdgpu_kms_driver, typeof(*adev), ddev);
+ if (IS_ERR(adev))
+ return PTR_ERR(adev);
--- /dev/null
+From 318ca20893c19ead02845a08204c3f9249bb74cd Mon Sep 17 00:00:00 2001
+From: Evan Quan <evan.quan@amd.com>
+Date: Wed, 4 Jan 2023 10:45:01 +0800
+Subject: drm/amd/pm: add the missing mapping for PPT feature on SMU13.0.0 and 13.0.7
+
+From: Evan Quan <evan.quan@amd.com>
+
+commit 318ca20893c19ead02845a08204c3f9249bb74cd upstream.
+
+Then we are able to set a new ppt limit via the hwmon interface(power1_cap).
+
+Signed-off-by: Evan Quan <evan.quan@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.0.x, 6.1.x
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 1 +
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
+@@ -189,6 +189,7 @@ static struct cmn2asic_mapping smu_v13_0
+ FEA_MAP(SOC_PCC),
+ [SMU_FEATURE_DPM_VCLK_BIT] = {1, FEATURE_MM_DPM_BIT},
+ [SMU_FEATURE_DPM_DCLK_BIT] = {1, FEATURE_MM_DPM_BIT},
++ [SMU_FEATURE_PPT_BIT] = {1, FEATURE_THROTTLERS_BIT},
+ };
+
+ static struct cmn2asic_mapping smu_v13_0_0_table_map[SMU_TABLE_COUNT] = {
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
+@@ -191,6 +191,7 @@ static struct cmn2asic_mapping smu_v13_0
+ FEA_MAP(SOC_PCC),
+ [SMU_FEATURE_DPM_VCLK_BIT] = {1, FEATURE_MM_DPM_BIT},
+ [SMU_FEATURE_DPM_DCLK_BIT] = {1, FEATURE_MM_DPM_BIT},
++ [SMU_FEATURE_PPT_BIT] = {1, FEATURE_THROTTLERS_BIT},
+ };
+
+ static struct cmn2asic_mapping smu_v13_0_7_table_map[SMU_TABLE_COUNT] = {
--- /dev/null
+From 6fea87637bf36bd285227f490132e83582ab7513 Mon Sep 17 00:00:00 2001
+From: Evan Quan <evan.quan@amd.com>
+Date: Fri, 16 Dec 2022 17:12:53 +0800
+Subject: drm/amd/pm: correct the reference clock for fan speed(rpm) calculation
+
+From: Evan Quan <evan.quan@amd.com>
+
+commit 6fea87637bf36bd285227f490132e83582ab7513 upstream.
+
+Correct the reference clock as 25Mhz for SMU13 fan speed calculation.
+
+Signed-off-by: Evan Quan <evan.quan@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.0.x, 6.1.x
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
+@@ -1258,7 +1258,8 @@ int smu_v13_0_set_fan_speed_rpm(struct s
+ uint32_t speed)
+ {
+ struct amdgpu_device *adev = smu->adev;
+- uint32_t tach_period, crystal_clock_freq;
++ uint32_t crystal_clock_freq = 2500;
++ uint32_t tach_period;
+ int ret;
+
+ if (!speed)
+@@ -1268,7 +1269,6 @@ int smu_v13_0_set_fan_speed_rpm(struct s
+ if (ret)
+ return ret;
+
+- crystal_clock_freq = amdgpu_asic_get_xclk(adev);
+ tach_period = 60 * crystal_clock_freq * 10000 / (8 * speed);
+ WREG32_SOC15(THM, 0, regCG_TACH_CTRL,
+ REG_SET_FIELD(RREG32_SOC15(THM, 0, regCG_TACH_CTRL),
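Review bot: With the clock now a constant, the only variable term in `tach_period = 60 * crystal_clock_freq * 10000 / (8 * speed)` is the caller-supplied `speed`, and the sole guard visible in smu_v13_0_set_fan_speed_rpm() is `if (!speed)`. `8 * speed` is computed in uint32_t, so a value that is a multiple of 2^29 wraps the divisor to zero. If `speed` can reach this function unclamped from the hwmon interface (not visible here), the zero check should also bound it, e.g. `if (!speed || speed > U32_MAX / 8)` taking the same exit. The literal `2500` would also benefit from a unit comment, presumably `/* 25 MHz reference clock, in 10 kHz units */` given the commit message. The register write continues past the end of the hunk.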
--- /dev/null
+From 972fb53d3605eb6cdf0d6ae9a52e910626a91ff7 Mon Sep 17 00:00:00 2001
+From: Guchun Chen <guchun.chen@amd.com>
+Date: Tue, 10 Jan 2023 11:33:44 +0800
+Subject: drm/amd/pm/smu13: BACO is supported when it's in BACO state
+
+From: Guchun Chen <guchun.chen@amd.com>
+
+commit 972fb53d3605eb6cdf0d6ae9a52e910626a91ff7 upstream.
+
+This leverages the logic in smu11. No need to talk to SMU to
+check BACO enablement as it's in BACO state already.
+
+Signed-off-by: Guchun Chen <guchun.chen@amd.com>
+Reviewed-by: Kenneth Feng <kenneth.feng@amd.com>
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.0, 6.1
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
+@@ -2249,6 +2249,10 @@ bool smu_v13_0_baco_is_support(struct sm
+ !smu_baco->platform_support)
+ return false;
+
++ /* return true if ASIC is in BACO state already */
++ if (smu_v13_0_baco_get_state(smu) == SMU_BACO_STATE_ENTER)
++ return true;
++
+ if (smu_cmn_feature_is_supported(smu, SMU_FEATURE_BACO_BIT) &&
+ !smu_cmn_feature_is_enabled(smu, SMU_FEATURE_BACO_BIT))
+ return false;
--- /dev/null
+From 99f1a36c90a7524972be5a028424c57fa17753ee Mon Sep 17 00:00:00 2001
+From: YiPeng Chai <YiPeng.Chai@amd.com>
+Date: Fri, 6 Jan 2023 14:04:15 +0800
+Subject: drm/amdgpu: Fixed bug on error when unloading amdgpu
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: YiPeng Chai <YiPeng.Chai@amd.com>
+
+commit 99f1a36c90a7524972be5a028424c57fa17753ee upstream.
+
+Fixed bug on error when unloading amdgpu.
+
+The error message is as follows:
+[ 377.706202] kernel BUG at drivers/gpu/drm/drm_buddy.c:278!
+[ 377.706215] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+[ 377.706222] CPU: 4 PID: 8610 Comm: modprobe Tainted: G IOE 6.0.0-thomas #1
+[ 377.706231] Hardware name: ASUS System Product Name/PRIME Z390-A, BIOS 2004 11/02/2021
+[ 377.706238] RIP: 0010:drm_buddy_free_block+0x26/0x30 [drm_buddy]
+[ 377.706264] Code: 00 00 00 90 0f 1f 44 00 00 48 8b 0e 89 c8 25 00 0c 00 00 3d 00 04 00 00 75 10 48 8b 47 18 48 d3 e0 48 01 47 28 e9 fa fe ff ff <0f> 0b 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 55 48 89 f5 53
+[ 377.706282] RSP: 0018:ffffad2dc4683cb8 EFLAGS: 00010287
+[ 377.706289] RAX: 0000000000000000 RBX: ffff8b1743bd5138 RCX: 0000000000000000
+[ 377.706297] RDX: ffff8b1743bd5160 RSI: ffff8b1743bd5c78 RDI: ffff8b16d1b25f70
+[ 377.706304] RBP: ffff8b1743bd59e0 R08: 0000000000000001 R09: 0000000000000001
+[ 377.706311] R10: ffff8b16c8572400 R11: ffffad2dc4683cf0 R12: ffff8b16d1b25f70
+[ 377.706318] R13: ffff8b16d1b25fd0 R14: ffff8b1743bd59c0 R15: ffff8b16d1b25f70
+[ 377.706325] FS: 00007fec56c72c40(0000) GS:ffff8b1836500000(0000) knlGS:0000000000000000
+[ 377.706334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 377.706340] CR2: 00007f9b88c1ba50 CR3: 0000000110450004 CR4: 00000000003706e0
+[ 377.706347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 377.706354] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 377.706361] Call Trace:
+[ 377.706365] <TASK>
+[ 377.706369] drm_buddy_free_list+0x2a/0x60 [drm_buddy]
+[ 377.706376] amdgpu_vram_mgr_fini+0xea/0x180 [amdgpu]
+[ 377.706572] amdgpu_ttm_fini+0x12e/0x1a0 [amdgpu]
+[ 377.706650] amdgpu_bo_fini+0x22/0x90 [amdgpu]
+[ 377.706727] gmc_v11_0_sw_fini+0x26/0x30 [amdgpu]
+[ 377.706821] amdgpu_device_fini_sw+0xa1/0x3c0 [amdgpu]
+[ 377.706897] amdgpu_driver_release_kms+0x12/0x30 [amdgpu]
+[ 377.706975] drm_dev_release+0x20/0x40 [drm]
+[ 377.707006] release_nodes+0x35/0xb0
+[ 377.707014] devres_release_all+0x8b/0xc0
+[ 377.707020] device_unbind_cleanup+0xe/0x70
+[ 377.707027] device_release_driver_internal+0xee/0x160
+[ 377.707033] driver_detach+0x44/0x90
+[ 377.707039] bus_remove_driver+0x55/0xe0
+[ 377.707045] pci_unregister_driver+0x3b/0x90
+[ 377.707052] amdgpu_exit+0x11/0x6c [amdgpu]
+[ 377.707194] __x64_sys_delete_module+0x142/0x2b0
+[ 377.707201] ? fpregs_assert_state_consistent+0x22/0x50
+[ 377.707208] ? exit_to_user_mode_prepare+0x3e/0x190
+[ 377.707215] do_syscall_64+0x38/0x90
+[ 377.707221] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Signed-off-by: YiPeng Chai <YiPeng.Chai@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c
+@@ -882,7 +882,7 @@ void amdgpu_vram_mgr_fini(struct amdgpu_
+ kfree(rsv);
+
+ list_for_each_entry_safe(rsv, temp, &mgr->reserved_pages, blocks) {
+- drm_buddy_free_list(&mgr->mm, &rsv->blocks);
++ drm_buddy_free_list(&mgr->mm, &rsv->allocated);
+ kfree(rsv);
+ }
+ drm_buddy_fini(&mgr->mm);
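Review bot: Nothing near the loop in amdgpu_vram_mgr_fini() records why `&rsv->allocated` is the right argument. `blocks` is the member that links each reservation into `mgr->reserved_pages` (it is the iterator member of `list_for_each_entry_safe`), so passing it to drm_buddy_free_list() made the allocator walk reservation nodes as if they were buddy blocks. A one-line comment such as `/* rsv->blocks is our list link; the buddy blocks hang off rsv->allocated */` would keep the two fields from being confused again. The loop just above, of which only `kfree(rsv);` is visible, lies outside the hunk and is worth checking for the same mix-up.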
--- /dev/null
+From afce71ff6daa9c0f852df0727fe32c6fb107f0fa Mon Sep 17 00:00:00 2001
+From: Rob Clark <robdclark@chromium.org>
+Date: Tue, 3 Jan 2023 15:49:46 -0800
+Subject: drm/i915: Fix potential context UAFs
+
+From: Rob Clark <robdclark@chromium.org>
+
+commit afce71ff6daa9c0f852df0727fe32c6fb107f0fa upstream.
+
+gem_context_register() makes the context visible to userspace, and which
+point a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl.
+So we need to ensure that nothing uses the ctx ptr after this. And we
+need to ensure that adding the ctx to the xarray is the *last* thing
+that gem_context_register() does with the ctx pointer.
+
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Fixes: eb4dedae920a ("drm/i915/gem: Delay tracking the GEM context until it is registered")
+Fixes: a4c1cdd34e2c ("drm/i915/gem: Delay context creation (v3)")
+Fixes: 49bd54b390c2 ("drm/i915: Track all user contexts per client")
+Cc: <stable@vger.kernel.org> # v5.10+
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+[tursulin: Stable and fixes tags add/tidy.]
+Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230103234948.1218393-1-robdclark@gmail.com
+(cherry picked from commit bed4b455cf5374e68879be56971c1da563bcd90c)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_context.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gem/i915_gem_context.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_context.c
+@@ -1688,6 +1688,10 @@ void i915_gem_init__contexts(struct drm_
+ init_contexts(&i915->gem.contexts);
+ }
+
++/*
++ * Note that this implicitly consumes the ctx reference, by placing
++ * the ctx in the context_xa.
++ */
+ static void gem_context_register(struct i915_gem_context *ctx,
+ struct drm_i915_file_private *fpriv,
+ u32 id)
+@@ -1703,10 +1707,6 @@ static void gem_context_register(struct
+ snprintf(ctx->name, sizeof(ctx->name), "%s[%d]",
+ current->comm, pid_nr(ctx->pid));
+
+- /* And finally expose ourselves to userspace via the idr */
+- old = xa_store(&fpriv->context_xa, id, ctx, GFP_KERNEL);
+- WARN_ON(old);
+-
+ spin_lock(&ctx->client->ctx_lock);
+ list_add_tail_rcu(&ctx->client_link, &ctx->client->ctx_list);
+ spin_unlock(&ctx->client->ctx_lock);
+@@ -1714,6 +1714,10 @@ static void gem_context_register(struct
+ spin_lock(&i915->gem.contexts.lock);
+ list_add_tail(&ctx->link, &i915->gem.contexts.list);
+ spin_unlock(&i915->gem.contexts.lock);
++
++ /* And finally expose ourselves to userspace via the idr */
++ old = xa_store(&fpriv->context_xa, id, ctx, GFP_KERNEL);
++ WARN_ON(old);
+ }
+
+ int i915_gem_context_open(struct drm_i915_private *i915,
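Review bot: Moving `xa_store(&fpriv->context_xa, id, ctx, GFP_KERNEL)` to the end of gem_context_register() leaves its failure case unhandled: xa_store() can return an error entry when allocation fails, the function is `void`, and `WARN_ON(old)` only logs it. By that point the context is already on `ctx->client->ctx_list` and `i915->gem.contexts.list`, and the new header comment says the call has consumed the caller's reference. A failed store would therefore leave a context that is linked and referenced but unreachable by id. Consider checking `xa_is_err(old)` and unwinding the two list insertions, or documenting why the store cannot fail here (for instance if the slot is already populated, which the hunk does not show). The hunk in finalize_create_context_locked() relies on the same assumption.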
+@@ -2199,14 +2203,22 @@ finalize_create_context_locked(struct dr
+ if (IS_ERR(ctx))
+ return ctx;
+
++ /*
++ * One for the xarray and one for the caller. We need to grab
++ * the reference *prior* to making the ctx visble to userspace
++ * in gem_context_register(), as at any point after that
++ * userspace can try to race us with another thread destroying
++ * the context under our feet.
++ */
++ i915_gem_context_get(ctx);
++
+ gem_context_register(ctx, file_priv, id);
+
+ old = xa_erase(&file_priv->proto_context_xa, id);
+ GEM_BUG_ON(old != pc);
+ proto_context_close(file_priv->dev_priv, pc);
+
+- /* One for the xarray and one for the caller */
+- return i915_gem_context_get(ctx);
++ return ctx;
+ }
+
+ struct i915_gem_context *
--- /dev/null
+From d3de5616d36462a646f5b360ba82d3b09ff668eb Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Mon, 12 Dec 2022 17:13:38 +0100
+Subject: drm/i915/gt: Reset twice
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit d3de5616d36462a646f5b360ba82d3b09ff668eb upstream.
+
+After applying an engine reset, on some platforms like Jasperlake, we
+occasionally detect that the engine state is not cleared until shortly
+after the resume. As we try to resume the engine with volatile internal
+state, the first request fails with a spurious CS event (it looks like
+it reports a lite-restore to the hung context, instead of the expected
+idle->active context switch).
+
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: stable@vger.kernel.org
+Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221212161338.1007659-1-andi.shyti@linux.intel.com
+(cherry picked from commit 3db9d590557da3aa2c952f2fecd3e9b703dad790)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gt/intel_reset.c | 34 ++++++++++++++++++++++++++++------
+ 1 file changed, 28 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gt/intel_reset.c
++++ b/drivers/gpu/drm/i915/gt/intel_reset.c
+@@ -278,6 +278,7 @@ out:
+ static int gen6_hw_domain_reset(struct intel_gt *gt, u32 hw_domain_mask)
+ {
+ struct intel_uncore *uncore = gt->uncore;
++ int loops = 2;
+ int err;
+
+ /*
+@@ -285,18 +286,39 @@ static int gen6_hw_domain_reset(struct i
+ * for fifo space for the write or forcewake the chip for
+ * the read
+ */
+- intel_uncore_write_fw(uncore, GEN6_GDRST, hw_domain_mask);
++ do {
++ intel_uncore_write_fw(uncore, GEN6_GDRST, hw_domain_mask);
+
+- /* Wait for the device to ack the reset requests */
+- err = __intel_wait_for_register_fw(uncore,
+- GEN6_GDRST, hw_domain_mask, 0,
+- 500, 0,
+- NULL);
++ /*
++ * Wait for the device to ack the reset requests.
++ *
++ * On some platforms, e.g. Jasperlake, we see that the
++ * engine register state is not cleared until shortly after
++ * GDRST reports completion, causing a failure as we try
++ * to immediately resume while the internal state is still
++ * in flux. If we immediately repeat the reset, the second
++ * reset appears to serialise with the first, and since
++ * it is a no-op, the registers should retain their reset
++ * value. However, there is still a concern that upon
++ * leaving the second reset, the internal engine state
++ * is still in flux and not ready for resuming.
++ */
++ err = __intel_wait_for_register_fw(uncore, GEN6_GDRST,
++ hw_domain_mask, 0,
++ 2000, 0,
++ NULL);
++ } while (err == 0 && --loops);
+ if (err)
+ GT_TRACE(gt,
+ "Wait for 0x%08x engines reset failed\n",
+ hw_domain_mask);
+
++ /*
++ * As we have observed that the engine state is still volatile
++ * after GDRST is acked, impose a small delay to let everything settle.
++ */
++ udelay(50);
++
+ return err;
+ }
+
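Review bot: The `udelay(50)` added at the end of gen6_hw_domain_reset() runs even when the wait failed and `err` is about to be returned. Together with `loops = 2` and the wait raised from 500 to 2000 µs, the worst-case busy-poll in this function grows from about 0.5 ms to roughly 4 ms; the slow-timeout argument is 0, so none of it sleeps. If any caller runs this with interrupts disabled (not visible in the hunk), that budget should be stated next to the constants. Skipping the settle delay on failure with `if (!err) udelay(50);` and naming the two values would keep the intent readable. The new comment itself says the second reset may not be sufficient, so tracing which iteration failed would help on platforms where it is not.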
--- /dev/null
+From 476fdcdaaae7b06c780cdfc234c704107f16c529 Mon Sep 17 00:00:00 2001
+From: Nirmoy Das <nirmoy.das@intel.com>
+Date: Fri, 23 Dec 2022 10:20:11 +0100
+Subject: drm/i915: Reserve enough fence slot for i915_vma_unbind_async
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nirmoy Das <nirmoy.das@intel.com>
+
+commit 476fdcdaaae7b06c780cdfc234c704107f16c529 upstream.
+
+A nested dma_resv_reserve_fences(1) will not reserve slot from the
+2nd call onwards and folowing dma_resv_add_fence() might hit the
+"BUG_ON(fobj->num_fences >= fobj->max_fences)" check.
+
+I915 hit above nested dma_resv case in ttm_bo_handle_move_mem() with
+async unbind:
+
+dma_resv_reserve_fences() from --> ttm_bo_handle_move_mem()
+ dma_resv_reserve_fences() from --> i915_vma_unbind_async()
+ dma_resv_add_fence() from --> i915_vma_unbind_async()
+dma_resv_add_fence() from -->ttm_bo_move_accel_cleanup()
+
+Resolve this by adding an extra fence in i915_vma_unbind_async().
+
+Suggested-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Fixes: 2f6b90da9192 ("drm/i915: Use vma resources for async unbinding")
+Cc: <stable@vger.kernel.org> # v5.18+
+Signed-off-by: Nirmoy Das <nirmoy.das@intel.com>
+Reviewed-by: Matthew Auld <matthew.auld@intel.com>
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221223092011.11657-1-nirmoy.das@intel.com
+(cherry picked from commit 4f0755c2faf7388616109717facc5bbde6850e60)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/i915_vma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/i915_vma.c
++++ b/drivers/gpu/drm/i915/i915_vma.c
+@@ -2114,7 +2114,7 @@ int i915_vma_unbind_async(struct i915_vm
+ if (!obj->mm.rsgt)
+ return -EBUSY;
+
+- err = dma_resv_reserve_fences(obj->base.resv, 1);
++ err = dma_resv_reserve_fences(obj->base.resv, 2);
+ if (err)
+ return -EBUSY;
+
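Review bot: The bare `2` in `dma_resv_reserve_fences(obj->base.resv, 2)` carries the whole fix, but nothing in i915_vma_unbind_async() says why two slots are needed when only one fence is added here. According to the commit message, the second slot ensures that a caller which already reserved a slot (the ttm_bo_handle_move_mem() path) still has room for its own later dma_resv_add_fence(). That belongs in a comment, e.g. `/* one slot for our unbind fence, one to keep the caller's earlier reservation usable */`. Without it the value reads like an off-by-one and is likely to be "corrected" back, re-exposing the BUG_ON in dma_resv_add_fence(). The function body extends beyond the hunk on both sides.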
--- /dev/null
+From 5640e81607152d7f2d2558227c0f6cb78b8f39cf Mon Sep 17 00:00:00 2001
+From: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@amd.com>
+Date: Thu, 12 Jan 2023 04:00:27 -0800
+Subject: drm: Optimize drm buddy top-down allocation method
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@amd.com>
+
+commit 5640e81607152d7f2d2558227c0f6cb78b8f39cf upstream.
+
+We are observing performance drop in many usecases which include
+games, 3D benchmark applications,etc.. To solve this problem, We
+are strictly not allowing top down flag enabled allocations to
+steal the memory space from cpu visible region.
+
+The idea is, we are sorting each order list entries in
+ascending order and compare the last entry of each order
+list in the freelist and return the max block.
+
+This patch improves the 3D benchmark scores and solves
+fragmentation issues.
+
+All drm buddy selftests are verfied.
+drm_buddy: pass:6 fail:0 skip:0 total:6
+
+Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Matthew Auld <matthew.auld@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230112120027.3072-1-Arunpravin.PaneerSelvam@amd.com
+Signed-off-by: Christian König <christian.koenig@amd.com>
+CC: Cc: stable@vger.kernel.org # 5.18+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_buddy.c | 83 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 55 insertions(+), 28 deletions(-)
+
+--- a/drivers/gpu/drm/drm_buddy.c
++++ b/drivers/gpu/drm/drm_buddy.c
+@@ -38,6 +38,25 @@ static void drm_block_free(struct drm_bu
+ kmem_cache_free(slab_blocks, block);
+ }
+
++static void list_insert_sorted(struct drm_buddy *mm,
++ struct drm_buddy_block *block)
++{
++ struct drm_buddy_block *node;
++ struct list_head *head;
++
++ head = &mm->free_list[drm_buddy_block_order(block)];
++ if (list_empty(head)) {
++ list_add(&block->link, head);
++ return;
++ }
++
++ list_for_each_entry(node, head, link)
++ if (drm_buddy_block_offset(block) < drm_buddy_block_offset(node))
++ break;
++
++ __list_add(&block->link, node->link.prev, &node->link);
++}
++
+ static void mark_allocated(struct drm_buddy_block *block)
+ {
+ block->header &= ~DRM_BUDDY_HEADER_STATE;
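Review bot: In list_insert_sorted(), when no entry has a larger offset the `list_for_each_entry` loop runs to completion and `node` is left as the container_of() of the list head itself, not a real `struct drm_buddy_block`. The following `__list_add(&block->link, node->link.prev, &node->link)` works only because `node->link` then aliases `*head`. Using the iterator after the loop like this is fragile: any later access to another field of `node` at that point would read memory that is not a block. Tracking the insertion point as a `struct list_head *` that defaults to `head` removes the bogus pointer and the `list_empty()` special case. Separately, mark_free() now does a linear walk of the order's free list on every free, which deserves a comment on the expected list lengths.

```c
static void list_insert_sorted(struct drm_buddy *mm,
			       struct drm_buddy_block *block)
{
	struct list_head *head = &mm->free_list[drm_buddy_block_order(block)];
	struct list_head *pos = head;	/* default: append at the tail */
	struct drm_buddy_block *node;

	list_for_each_entry(node, head, link) {
		if (drm_buddy_block_offset(block) < drm_buddy_block_offset(node)) {
			pos = &node->link;
			break;
		}
	}

	/* list_add_tail() inserts before pos, keeping ascending offset order */
	list_add_tail(&block->link, pos);
}
```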
+@@ -52,8 +71,7 @@ static void mark_free(struct drm_buddy *
+ block->header &= ~DRM_BUDDY_HEADER_STATE;
+ block->header |= DRM_BUDDY_FREE;
+
+- list_add(&block->link,
+- &mm->free_list[drm_buddy_block_order(block)]);
++ list_insert_sorted(mm, block);
+ }
+
+ static void mark_split(struct drm_buddy_block *block)
+@@ -387,20 +405,26 @@ err_undo:
+ }
+
+ static struct drm_buddy_block *
+-get_maxblock(struct list_head *head)
++get_maxblock(struct drm_buddy *mm, unsigned int order)
+ {
+ struct drm_buddy_block *max_block = NULL, *node;
++ unsigned int i;
+
+- max_block = list_first_entry_or_null(head,
+- struct drm_buddy_block,
+- link);
+- if (!max_block)
+- return NULL;
+-
+- list_for_each_entry(node, head, link) {
+- if (drm_buddy_block_offset(node) >
+- drm_buddy_block_offset(max_block))
+- max_block = node;
++ for (i = order; i <= mm->max_order; ++i) {
++ if (!list_empty(&mm->free_list[i])) {
++ node = list_last_entry(&mm->free_list[i],
++ struct drm_buddy_block,
++ link);
++ if (!max_block) {
++ max_block = node;
++ continue;
++ }
++
++ if (drm_buddy_block_offset(node) >
++ drm_buddy_block_offset(max_block)) {
++ max_block = node;
++ }
++ }
+ }
+
+ return max_block;
+@@ -412,20 +436,23 @@ alloc_from_freelist(struct drm_buddy *mm
+ unsigned long flags)
+ {
+ struct drm_buddy_block *block = NULL;
+- unsigned int i;
++ unsigned int tmp;
+ int err;
+
+- for (i = order; i <= mm->max_order; ++i) {
+- if (flags & DRM_BUDDY_TOPDOWN_ALLOCATION) {
+- block = get_maxblock(&mm->free_list[i]);
+- if (block)
+- break;
+- } else {
+- block = list_first_entry_or_null(&mm->free_list[i],
+- struct drm_buddy_block,
+- link);
+- if (block)
+- break;
++ if (flags & DRM_BUDDY_TOPDOWN_ALLOCATION) {
++ block = get_maxblock(mm, order);
++ if (block)
++ /* Store the obtained block order */
++ tmp = drm_buddy_block_order(block);
++ } else {
++ for (tmp = order; tmp <= mm->max_order; ++tmp) {
++ if (!list_empty(&mm->free_list[tmp])) {
++ block = list_last_entry(&mm->free_list[tmp],
++ struct drm_buddy_block,
++ link);
++ if (block)
++ break;
++ }
+ }
+ }
+
+@@ -434,18 +461,18 @@ alloc_from_freelist(struct drm_buddy *mm
+
+ BUG_ON(!drm_buddy_block_is_free(block));
+
+- while (i != order) {
++ while (tmp != order) {
+ err = split_block(mm, block);
+ if (unlikely(err))
+ goto err_undo;
+
+ block = block->right;
+- i--;
++ tmp--;
+ }
+ return block;
+
+ err_undo:
+- if (i != order)
++ if (tmp != order)
+ __drm_buddy_free(mm, block);
+ return ERR_PTR(err);
+ }
--- /dev/null
+From 52531258318ed59a2dc5a43df2eaf0eb1d65438e Mon Sep 17 00:00:00 2001
+From: Rob Clark <robdclark@chromium.org>
+Date: Fri, 16 Dec 2022 15:33:55 -0800
+Subject: drm/virtio: Fix GEM handle creation UAF
+
+From: Rob Clark <robdclark@chromium.org>
+
+commit 52531258318ed59a2dc5a43df2eaf0eb1d65438e upstream.
+
+Userspace can guess the handle value and try to race GEM object creation
+with handle close, resulting in a use-after-free if we dereference the
+object after dropping the handle's reference. For that reason, dropping
+the handle's reference must be done *after* we are done dereferencing
+the object.
+
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+Fixes: 62fb7a5e1096 ("virtio-gpu: add 3d/virgl support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221216233355.542197-2-robdclark@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_ioctl.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c
++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+@@ -358,10 +358,18 @@ static int virtio_gpu_resource_create_io
+ drm_gem_object_release(obj);
+ return ret;
+ }
+- drm_gem_object_put(obj);
+
+ rc->res_handle = qobj->hw_res_handle; /* similiar to a VM address */
+ rc->bo_handle = handle;
++
++ /*
++ * The handle owns the reference now. But we must drop our
++ * remaining reference *after* we no longer need to dereference
++ * the obj. Otherwise userspace could guess the handle and
++ * race closing it from another thread.
++ */
++ drm_gem_object_put(obj);
++
+ return 0;
+ }
+
+@@ -723,11 +731,18 @@ static int virtio_gpu_resource_create_bl
+ drm_gem_object_release(obj);
+ return ret;
+ }
+- drm_gem_object_put(obj);
+
+ rc_blob->res_handle = bo->hw_res_handle;
+ rc_blob->bo_handle = handle;
+
++ /*
++ * The handle owns the reference now. But we must drop our
++ * remaining reference *after* we no longer need to dereference
++ * the obj. Otherwise userspace could guess the handle and
++ * race closing it from another thread.
++ */
++ drm_gem_object_put(obj);
++
+ return 0;
+ }
+
--- /dev/null
+From e006ac3003080177cf0b673441a4241f77aaecce Mon Sep 17 00:00:00 2001
+From: Ding Hui <dinghui@sangfor.com.cn>
+Date: Tue, 27 Dec 2022 23:09:36 +0800
+Subject: efi: fix userspace infinite retry read efivars after EFI runtime services page fault
+
+From: Ding Hui <dinghui@sangfor.com.cn>
+
+commit e006ac3003080177cf0b673441a4241f77aaecce upstream.
+
+After [1][2], if we catch exceptions due to EFI runtime service, we will
+clear EFI_RUNTIME_SERVICES bit to disable EFI runtime service, then the
+subsequent routine which invoke the EFI runtime service should fail.
+
+But the userspace cat efivars through /sys/firmware/efi/efivars/ will stuck
+and infinite loop calling read() due to efivarfs_file_read() return -EINTR.
+
+The -EINTR is converted from EFI_ABORTED by efi_status_to_err(), and is
+an improper return value in this situation, so let virt_efi_xxx() return
+EFI_DEVICE_ERROR and converted to -EIO to invoker.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 3425d934fc03 ("efi/x86: Handle page faults occurring while running EFI runtime services")
+Fixes: 23715a26c8d8 ("arm64: efi: Recover from synchronous exceptions occurring in firmware")
+Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/runtime-wrappers.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/firmware/efi/runtime-wrappers.c b/drivers/firmware/efi/runtime-wrappers.c
+index 7feee3d9c2bf..1fba4e09cdcf 100644
+--- a/drivers/firmware/efi/runtime-wrappers.c
++++ b/drivers/firmware/efi/runtime-wrappers.c
+@@ -62,6 +62,7 @@ struct efi_runtime_work efi_rts_work;
+ \
+ if (!efi_enabled(EFI_RUNTIME_SERVICES)) { \
+ pr_warn_once("EFI Runtime Services are disabled!\n"); \
++ efi_rts_work.status = EFI_DEVICE_ERROR; \
+ goto exit; \
+ } \
+ \
+--
+2.39.0
+
--- /dev/null
+From d3f450533bbcb6dd4d7d59cadc9b61b7321e4ac1 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Mon, 9 Jan 2023 10:44:31 +0100
+Subject: efi: tpm: Avoid READ_ONCE() for accessing the event log
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit d3f450533bbcb6dd4d7d59cadc9b61b7321e4ac1 upstream.
+
+Nathan reports that recent kernels built with LTO will crash when doing
+EFI boot using Fedora's GRUB and SHIM. The culprit turns out to be a
+misaligned load from the TPM event log, which is annotated with
+READ_ONCE(), and under LTO, this gets translated into a LDAR instruction
+which does not tolerate misaligned accesses.
+
+Interestingly, this does not happen when booting the same kernel
+straight from the UEFI shell, and so the fact that the event log may
+appear misaligned in memory may be caused by a bug in GRUB or SHIM.
+
+However, using READ_ONCE() to access firmware tables is slightly unusual
+in any case, and here, we only need to ensure that 'event' is not
+dereferenced again after it gets unmapped, but this is already taken
+care of by the implicit barrier() semantics of the early_memunmap()
+call.
+
+Cc: <stable@vger.kernel.org>
+Cc: Peter Jones <pjones@redhat.com>
+Cc: Jarkko Sakkinen <jarkko@kernel.org>
+Cc: Matthew Garrett <mjg59@srcf.ucam.org>
+Reported-by: Nathan Chancellor <nathan@kernel.org>
+Tested-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1782
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/tpm_eventlog.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/tpm_eventlog.h
++++ b/include/linux/tpm_eventlog.h
+@@ -198,8 +198,8 @@ static __always_inline int __calc_tpm2_e
+ * The loop below will unmap these fields if the log is larger than
+ * one page, so save them here for reference:
+ */
+- count = READ_ONCE(event->count);
+- event_type = READ_ONCE(event->event_type);
++ count = event->count;
++ event_type = event->event_type;
+
+ /* Verify that it's the log header */
+ if (event_header->pcr_idx != 0 ||
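Review bot: The comment above the two plain loads of `event->count` and `event->event_type` does not say that leaving out READ_ONCE() is deliberate, so a later cleanup could put it back. The commit message gives the reasons: the log can be misaligned in memory, and the early_memunmap() call already acts as a barrier. I would carry that into the code, e.g. `/* Plain loads on purpose: the log may be misaligned, and early_memunmap() is a barrier. */`. __calc_tpm2_event_size() starts and ends outside this hunk.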
--- /dev/null
+From 19e183b54528f11fafeca60fc6d0821e29ff281e Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Thu, 22 Dec 2022 18:12:50 +0000
+Subject: elfcore: Add a cprm parameter to elf_core_extra_{phdrs,data_size}
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+commit 19e183b54528f11fafeca60fc6d0821e29ff281e upstream.
+
+A subsequent fix for arm64 will use this parameter to parse the vma
+information from the snapshot created by dump_vma_snapshot() rather than
+traversing the vma list without the mmap_lock.
+
+Fixes: 6dd8b1a0b6cb ("arm64: mte: Dump the MTE tags in the core file")
+Cc: <stable@vger.kernel.org> # 5.18.x
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Reported-by: Seth Jenkins <sethjenkins@google.com>
+Suggested-by: Seth Jenkins <sethjenkins@google.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Eric Biederman <ebiederm@xmission.com>
+Cc: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20221222181251.1345752-3-catalin.marinas@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/elfcore.c | 4 ++--
+ arch/ia64/kernel/elfcore.c | 4 ++--
+ arch/x86/um/elfcore.c | 4 ++--
+ fs/binfmt_elf.c | 4 ++--
+ fs/binfmt_elf_fdpic.c | 4 ++--
+ include/linux/elfcore.h | 8 ++++----
+ 6 files changed, 14 insertions(+), 14 deletions(-)
+
+--- a/arch/arm64/kernel/elfcore.c
++++ b/arch/arm64/kernel/elfcore.c
+@@ -75,7 +75,7 @@ static int mte_dump_tag_range(struct cor
+ return ret;
+ }
+
+-Elf_Half elf_core_extra_phdrs(void)
++Elf_Half elf_core_extra_phdrs(struct coredump_params *cprm)
+ {
+ int i;
+ struct core_vma_metadata *m;
+@@ -112,7 +112,7 @@ int elf_core_write_extra_phdrs(struct co
+ return 1;
+ }
+
+-size_t elf_core_extra_data_size(void)
++size_t elf_core_extra_data_size(struct coredump_params *cprm)
+ {
+ int i;
+ struct core_vma_metadata *m;
+--- a/arch/ia64/kernel/elfcore.c
++++ b/arch/ia64/kernel/elfcore.c
+@@ -7,7 +7,7 @@
+ #include <asm/elf.h>
+
+
+-Elf64_Half elf_core_extra_phdrs(void)
++Elf64_Half elf_core_extra_phdrs(struct coredump_params *cprm)
+ {
+ return GATE_EHDR->e_phnum;
+ }
+@@ -60,7 +60,7 @@ int elf_core_write_extra_data(struct cor
+ return 1;
+ }
+
+-size_t elf_core_extra_data_size(void)
++size_t elf_core_extra_data_size(struct coredump_params *cprm)
+ {
+ const struct elf_phdr *const gate_phdrs =
+ (const struct elf_phdr *) (GATE_ADDR + GATE_EHDR->e_phoff);
+--- a/arch/x86/um/elfcore.c
++++ b/arch/x86/um/elfcore.c
+@@ -7,7 +7,7 @@
+ #include <asm/elf.h>
+
+
+-Elf32_Half elf_core_extra_phdrs(void)
++Elf32_Half elf_core_extra_phdrs(struct coredump_params *cprm)
+ {
+ return vsyscall_ehdr ? (((struct elfhdr *)vsyscall_ehdr)->e_phnum) : 0;
+ }
+@@ -60,7 +60,7 @@ int elf_core_write_extra_data(struct cor
+ return 1;
+ }
+
+-size_t elf_core_extra_data_size(void)
++size_t elf_core_extra_data_size(struct coredump_params *cprm)
+ {
+ if ( vsyscall_ehdr ) {
+ const struct elfhdr *const ehdrp =
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -2209,7 +2209,7 @@ static int elf_core_dump(struct coredump
+ * The number of segs are recored into ELF header as 16bit value.
+ * Please check DEFAULT_MAX_MAP_COUNT definition when you modify here.
+ */
+- segs = cprm->vma_count + elf_core_extra_phdrs();
++ segs = cprm->vma_count + elf_core_extra_phdrs(cprm);
+
+ /* for notes section */
+ segs++;
+@@ -2249,7 +2249,7 @@ static int elf_core_dump(struct coredump
+ dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
+
+ offset += cprm->vma_data_size;
+- offset += elf_core_extra_data_size();
++ offset += elf_core_extra_data_size(cprm);
+ e_shoff = offset;
+
+ if (e_phnum == PN_XNUM) {
+--- a/fs/binfmt_elf_fdpic.c
++++ b/fs/binfmt_elf_fdpic.c
+@@ -1509,7 +1509,7 @@ static int elf_fdpic_core_dump(struct co
+ tmp->next = thread_list;
+ thread_list = tmp;
+
+- segs = cprm->vma_count + elf_core_extra_phdrs();
++ segs = cprm->vma_count + elf_core_extra_phdrs(cprm);
+
+ /* for notes section */
+ segs++;
+@@ -1555,7 +1555,7 @@ static int elf_fdpic_core_dump(struct co
+ dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
+
+ offset += cprm->vma_data_size;
+- offset += elf_core_extra_data_size();
++ offset += elf_core_extra_data_size(cprm);
+ e_shoff = offset;
+
+ if (e_phnum == PN_XNUM) {
+--- a/include/linux/elfcore.h
++++ b/include/linux/elfcore.h
+@@ -114,14 +114,14 @@ static inline int elf_core_copy_task_fpr
+ * Dumping its extra ELF program headers includes all the other information
+ * a debugger needs to easily find how the gate DSO was being used.
+ */
+-extern Elf_Half elf_core_extra_phdrs(void);
++extern Elf_Half elf_core_extra_phdrs(struct coredump_params *cprm);
+ extern int
+ elf_core_write_extra_phdrs(struct coredump_params *cprm, loff_t offset);
+ extern int
+ elf_core_write_extra_data(struct coredump_params *cprm);
+-extern size_t elf_core_extra_data_size(void);
++extern size_t elf_core_extra_data_size(struct coredump_params *cprm);
+ #else
+-static inline Elf_Half elf_core_extra_phdrs(void)
++static inline Elf_Half elf_core_extra_phdrs(struct coredump_params *cprm)
+ {
+ return 0;
+ }
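Review bot: The comment block above these prototypes still describes only the gate-DSO program headers and says nothing about the new `cprm` argument, which no implementation uses in the lines visible in this patch. A line such as `/* @cprm: coredump state, so an arch can size its extra headers/data from the dump's vma snapshot */` would tell arch maintainers what it is for. The commit message says a follow-up arm64 fix depends on it. The same applies to the `elf_core_extra_data_size()` stub in the next hunk of this header.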
+@@ -136,7 +136,7 @@ static inline int elf_core_write_extra_d
+ return 1;
+ }
+
+-static inline size_t elf_core_extra_data_size(void)
++static inline size_t elf_core_extra_data_size(struct coredump_params *cprm)
+ {
+ return 0;
+ }
--- /dev/null
+From febb985c06cb6f5fac63598c0bffd4fd823d110d Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 9 Jan 2023 14:46:10 -0700
+Subject: io_uring/poll: add hash if ready poll request can't complete inline
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit febb985c06cb6f5fac63598c0bffd4fd823d110d upstream.
+
+If we don't, then we may lose access to it completely, leading to a
+request leak. This will eventually stall the ring exit process as
+well.
+
+Cc: stable@vger.kernel.org
+Fixes: 49f1c68e048f ("io_uring: optimise submission side poll_refs")
+Reported-and-tested-by: syzbot+6c95df01470a47fc3af4@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/io-uring/0000000000009f829805f1ce87b2@google.com/
+Suggested-by: Pavel Begunkov <asml.silence@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/poll.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -549,6 +549,14 @@ static bool io_poll_can_finish_inline(st
+ return pt->owning || io_poll_get_ownership(req);
+ }
+
++static void io_poll_add_hash(struct io_kiocb *req)
++{
++ if (req->flags & REQ_F_HASH_LOCKED)
++ io_poll_req_insert_locked(req);
++ else
++ io_poll_req_insert(req);
++}
++
+ /*
+ * Returns 0 when it's handed over for polling. The caller owns the requests if
+ * it returns non-zero, but otherwise should not touch it. Negative values
+@@ -607,18 +615,17 @@ static int __io_arm_poll_handler(struct
+
+ if (mask &&
+ ((poll->events & (EPOLLET|EPOLLONESHOT)) == (EPOLLET|EPOLLONESHOT))) {
+- if (!io_poll_can_finish_inline(req, ipt))
++ if (!io_poll_can_finish_inline(req, ipt)) {
++ io_poll_add_hash(req);
+ return 0;
++ }
+ io_poll_remove_entries(req);
+ ipt->result_mask = mask;
+ /* no one else has access to the req, forget about the ref */
+ return 1;
+ }
+
+- if (req->flags & REQ_F_HASH_LOCKED)
+- io_poll_req_insert_locked(req);
+- else
+- io_poll_req_insert(req);
++ io_poll_add_hash(req);
+
+ if (mask && (poll->events & EPOLLET) &&
+ io_poll_can_finish_inline(req, ipt)) {
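Review bot: The new early `return 0` branch calls `io_poll_add_hash(req)` with no comment saying why a request that cannot complete inline has to be hashed before it is handed over. The commit message has the reason: without the hash entry the request can no longer be reached, so it leaks and eventually stalls ring exit. A one-line comment above the call, e.g. `/* not ours to finish: hash it so it can still be found, else it leaks */`, would keep that next to the code. The helper added in the previous hunk could also say that `REQ_F_HASH_LOCKED` selects the insert variant, presumably because the caller already holds the hash lock. __io_arm_poll_handler() starts and ends outside this hunk.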
--- /dev/null
+From 406504c7b0405d74d74c15a667cd4c4620c3e7a9 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Tue, 20 Dec 2022 14:03:52 +0000
+Subject: KVM: arm64: Fix S1PTW handling on RO memslots
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 406504c7b0405d74d74c15a667cd4c4620c3e7a9 upstream.
+
+A recent development on the EFI front has resulted in guests having
+their page tables baked in the firmware binary, and mapped into the
+IPA space as part of a read-only memslot. Not only is this legitimate,
+but it also results in added security, so thumbs up.
+
+It is possible to take an S1PTW translation fault if the S1 PTs are
+unmapped at stage-2. However, KVM unconditionally treats S1PTW as a
+write to correctly handle hardware AF/DB updates to the S1 PTs.
+Furthermore, KVM injects an exception into the guest for S1PTW writes.
+In the aforementioned case this results in the guest taking an abort
+it won't recover from, as the S1 PTs mapping the vectors suffer from
+the same problem.
+
+So clearly our handling is... wrong.
+
+Instead, switch to a two-pronged approach:
+
+- On S1PTW translation fault, handle the fault as a read
+
+- On S1PTW permission fault, handle the fault as a write
+
+This is of no consequence to SW that *writes* to its PTs (the write
+will trigger a non-S1PTW fault), and SW that uses RO PTs will not
+use HW-assisted AF/DB anyway, as that'd be wrong.
+
+Only in the case described in c4ad98e4b72c ("KVM: arm64: Assume write
+fault on S1PTW permission fault on instruction fetch") do we end-up
+with two back-to-back faults (page being evicted and faulted back).
+I don't think this is a case worth optimising for.
+
+Fixes: c4ad98e4b72c ("KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch")
+Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+Regression-tested-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/kvm_emulate.h | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_emulate.h
++++ b/arch/arm64/include/asm/kvm_emulate.h
+@@ -373,8 +373,26 @@ static __always_inline int kvm_vcpu_sys_
+
+ static inline bool kvm_is_write_fault(struct kvm_vcpu *vcpu)
+ {
+- if (kvm_vcpu_abt_iss1tw(vcpu))
+- return true;
++ if (kvm_vcpu_abt_iss1tw(vcpu)) {
++ /*
++ * Only a permission fault on a S1PTW should be
++ * considered as a write. Otherwise, page tables baked
++ * in a read-only memslot will result in an exception
++ * being delivered in the guest.
++ *
++ * The drawback is that we end-up faulting twice if the
++ * guest is using any of HW AF/DB: a translation fault
++ * to map the page containing the PT (read only at
++ * first), then a permission fault to allow the flags
++ * to be set.
++ */
++ switch (kvm_vcpu_trap_get_fault_type(vcpu)) {
++ case ESR_ELx_FSC_PERM:
++ return true;
++ default:
++ return false;
++ }
++ }
+
+ if (kvm_vcpu_trap_is_iabt(vcpu))
+ return false;
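Review bot: The `switch` added inside the `kvm_vcpu_abt_iss1tw(vcpu)` branch has a single case and a default that return opposite constants, which reads more simply as a comparison: `return kvm_vcpu_trap_get_fault_type(vcpu) == ESR_ELx_FSC_PERM;`. The block comment can stay unchanged above that line. If the switch form is kept because more fault types are expected here, a word to that effect in the comment would help. kvm_is_write_fault() continues past the end of the hunk.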
--- /dev/null
+From 45e966fcca03ecdcccac7cb236e16eea38cc18af Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Sat, 22 Oct 2022 04:17:53 -0400
+Subject: KVM: x86: Do not return host topology information from KVM_GET_SUPPORTED_CPUID
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 45e966fcca03ecdcccac7cb236e16eea38cc18af upstream.
+
+Passing the host topology to the guest is almost certainly wrong
+and will confuse the scheduler. In addition, several fields of
+these CPUID leaves vary on each processor; it is simply impossible to
+return the right values from KVM_GET_SUPPORTED_CPUID in such a way that
+they can be passed to KVM_SET_CPUID2.
+
+The values that will most likely prevent confusion are all zeroes.
+Userspace will have to override it anyway if it wishes to present a
+specific topology to the guest.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/virt/kvm/api.rst | 14 ++++++++++++++
+ arch/x86/kvm/cpuid.c | 32 ++++++++++++++++----------------
+ 2 files changed, 30 insertions(+), 16 deletions(-)
+
+--- a/Documentation/virt/kvm/api.rst
++++ b/Documentation/virt/kvm/api.rst
+@@ -8248,6 +8248,20 @@ CPU[EAX=1]:ECX[24] (TSC_DEADLINE) is not
+ It can be enabled if ``KVM_CAP_TSC_DEADLINE_TIMER`` is present and the kernel
+ has enabled in-kernel emulation of the local APIC.
+
++CPU topology
++~~~~~~~~~~~~
++
++Several CPUID values include topology information for the host CPU:
++0x0b and 0x1f for Intel systems, 0x8000001e for AMD systems. Different
++versions of KVM return different values for this information and userspace
++should not rely on it. Currently they return all zeroes.
++
++If userspace wishes to set up a guest topology, it should be careful that
++the values of these three leaves differ for each CPU. In particular,
++the APIC ID is found in EDX for all subleaves of 0x0b and 0x1f, and in EAX
++for 0x8000001e; the latter also encodes the core id and node id in bits
++7:0 of EBX and ECX respectively.
++
+ Obsolete ioctls and capabilities
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -759,16 +759,22 @@ struct kvm_cpuid_array {
+ int nent;
+ };
+
++static struct kvm_cpuid_entry2 *get_next_cpuid(struct kvm_cpuid_array *array)
++{
++ if (array->nent >= array->maxnent)
++ return NULL;
++
++ return &array->entries[array->nent++];
++}
++
+ static struct kvm_cpuid_entry2 *do_host_cpuid(struct kvm_cpuid_array *array,
+ u32 function, u32 index)
+ {
+- struct kvm_cpuid_entry2 *entry;
++ struct kvm_cpuid_entry2 *entry = get_next_cpuid(array);
+
+- if (array->nent >= array->maxnent)
++ if (!entry)
+ return NULL;
+
+- entry = &array->entries[array->nent++];
+-
+ memset(entry, 0, sizeof(*entry));
+ entry->function = function;
+ entry->index = index;
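Review bot: get_next_cpuid() hands back `&array->entries[array->nent++]` without clearing it; only do_host_cpuid() goes on to `memset()` the slot. These entries are presumably what is returned to userspace, so a later caller that uses the helper directly and fills only some fields would pass on whatever the slot held before. How `entries` is allocated is not visible here. I would state the contract on the helper, e.g. `/* Returns the next free slot, NOT zeroed; the caller must initialise every field. */`, or move the memset into it.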
+@@ -945,22 +951,13 @@ static inline int __do_cpuid_func(struct
+ entry->edx = edx.full;
+ break;
+ }
+- /*
+- * Per Intel's SDM, the 0x1f is a superset of 0xb,
+- * thus they can be handled by common code.
+- */
+ case 0x1f:
+ case 0xb:
+ /*
+- * Populate entries until the level type (ECX[15:8]) of the
+- * previous entry is zero. Note, CPUID EAX.{0x1f,0xb}.0 is
+- * the starting entry, filled by the primary do_host_cpuid().
++ * No topology; a valid topology is indicated by the presence
++ * of subleaf 1.
+ */
+- for (i = 1; entry->ecx & 0xff00; ++i) {
+- entry = do_host_cpuid(array, function, i);
+- if (!entry)
+- goto out;
+- }
++ entry->eax = entry->ebx = entry->ecx = 0;
+ break;
+ case 0xd: {
+ u64 permitted_xcr0 = kvm_caps.supported_xcr0 & xstate_get_guest_group_perm();
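Review bot: The new `case 0x1f:` / `case 0xb:` body clears `eax`, `ebx` and `ecx` but leaves `entry->edx` alone, while the 0x8000001e case later in this patch clears all four registers. The api.rst text added by the same commit says these leaves currently return all zeroes and that EDX of 0x0b/0x1f carries the APIC ID. Assuming `entry` still holds the host values read before this switch (that code is outside the hunk), the host CPU's ID would still be reported. Either add `entry->edx = 0;` or extend the comment to say why EDX is kept.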
+@@ -1193,6 +1190,9 @@ static inline int __do_cpuid_func(struct
+ entry->ebx = entry->ecx = entry->edx = 0;
+ break;
+ case 0x8000001e:
++ /* Do not return host topology information. */
++ entry->eax = entry->ebx = entry->ecx = 0;
++ entry->edx = 0; /* reserved */
+ break;
+ case 0x8000001F:
+ if (!kvm_cpu_cap_has(X86_FEATURE_SEV)) {
--- /dev/null
+From ae9dcb91c6069e20b3b9505d79cbc89fd6e086f5 Mon Sep 17 00:00:00 2001
+From: Noor Azura Ahmad Tarmizi <noor.azura.ahmad.tarmizi@intel.com>
+Date: Wed, 11 Jan 2023 13:02:00 +0800
+Subject: net: stmmac: add aux timestamps fifo clearance wait
+
+From: Noor Azura Ahmad Tarmizi <noor.azura.ahmad.tarmizi@intel.com>
+
+commit ae9dcb91c6069e20b3b9505d79cbc89fd6e086f5 upstream.
+
+Add timeout polling wait for auxiliary timestamps snapshot FIFO clear bit
+(ATSFC) to clear. This is to ensure no residue fifo value is being read
+erroneously.
+
+Fixes: f4da56529da6 ("net: stmmac: Add support for external trigger timestamping")
+Cc: <stable@vger.kernel.org> # 5.10.x
+Signed-off-by: Noor Azura Ahmad Tarmizi <noor.azura.ahmad.tarmizi@intel.com>
+Link: https://lore.kernel.org/r/20230111050200.2130-1-noor.azura.ahmad.tarmizi@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
+@@ -219,7 +219,10 @@ static int stmmac_enable(struct ptp_cloc
+ }
+ writel(acr_value, ptpaddr + PTP_ACR);
+ mutex_unlock(&priv->aux_ts_lock);
+- ret = 0;
++ /* wait for auxts fifo clear to finish */
++ ret = readl_poll_timeout(ptpaddr + PTP_ACR, acr_value,
++ !(acr_value & PTP_ACR_ATSFC),
++ 10, 10000);
+ break;
+
+ default:
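Review bot: The added readl_poll_timeout() on `ptpaddr + PTP_ACR` runs after `mutex_unlock(&priv->aux_ts_lock)`, so the wait for ATSFC to clear is not covered by the lock that protected the `writel()` just above. If aux_ts_lock is what serialises PTP_ACR updates, a second caller could rewrite the register while this one is still polling. Moving the unlock below the poll would close that window, at the cost of holding the mutex for up to the 10 ms timeout. The interval and timeout (`10, 10000`) would also read better as named constants. A timeout now makes the function return an error after the register has already been written, which may deserve a comment. The function starts and ends outside the hunk.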
--- /dev/null
+From 696e1a48b1a1b01edad542a1ef293665864a4dd0 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 11 Jan 2023 17:07:33 +0100
+Subject: netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 696e1a48b1a1b01edad542a1ef293665864a4dd0 upstream.
+
+If the offset + length goes over the ethernet + vlan header, then the
+length is adjusted to copy the bytes that are within the boundaries of
+the vlan_ethhdr scratchpad area. The remaining bytes beyond ethernet +
+vlan header are copied directly from the skbuff data area.
+
+Fix incorrect arithmetic operator: subtract, not add, the size of the
+vlan header in case of double-tagged packets to adjust the length
+accordingly to address CVE-2023-0179.
+
+Reported-by: Davide Ornaghi <d.ornaghi97@gmail.com>
+Fixes: f6ae9f120dad ("netfilter: nft_payload: add C-VLAN support")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_payload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_payload.c
++++ b/net/netfilter/nft_payload.c
+@@ -62,7 +62,7 @@ nft_payload_copy_vlan(u32 *d, const stru
+ return false;
+
+ if (offset + len > VLAN_ETH_HLEN + vlan_hlen)
+- ethlen -= offset + len - VLAN_ETH_HLEN + vlan_hlen;
++ ethlen -= offset + len - VLAN_ETH_HLEN - vlan_hlen;
+
+ memcpy(dst_u8, vlanh + offset - vlan_hlen, ethlen);
+
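Review bot: The corrected line `ethlen -= offset + len - VLAN_ETH_HLEN - vlan_hlen;` still spells the header size differently from the condition directly above it, which makes a sign slip like the one fixed here easy to miss. Writing the subtrahend the same way as the test, `ethlen -= offset + len - (VLAN_ETH_HLEN + vlan_hlen);`, shows at a glance that the amount removed is exactly the overshoot past the ethernet + VLAN header. Since `ethlen` is then the length passed to `memcpy()`, a short comment such as `/* clamp to the bytes inside the vlan_ethhdr scratch area */` would help as well. nft_payload_copy_vlan() begins and ends outside this hunk.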
--- /dev/null
+From cf129830ee820f7fc90b98df193cd49d49344d09 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Tue, 10 Jan 2023 20:56:59 +0200
+Subject: perf auxtrace: Fix address filter duplicate symbol selection
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit cf129830ee820f7fc90b98df193cd49d49344d09 upstream.
+
+When a match has been made to the nth duplicate symbol, return
+success not error.
+
+Example:
+
+ Before:
+
+ $ cat file.c
+ cat: file.c: No such file or directory
+ $ cat file1.c
+ #include <stdio.h>
+
+ static void func(void)
+ {
+ printf("First func\n");
+ }
+
+ void other(void);
+
+ int main()
+ {
+ func();
+ other();
+ return 0;
+ }
+ $ cat file2.c
+ #include <stdio.h>
+
+ static void func(void)
+ {
+ printf("Second func\n");
+ }
+
+ void other(void)
+ {
+ func();
+ }
+
+ $ gcc -Wall -Wextra -o test file1.c file2.c
+ $ perf record -e intel_pt//u --filter 'filter func @ ./test' -- ./test
+ Multiple symbols with name 'func'
+ #1 0x1149 l func
+ which is near main
+ #2 0x1179 l func
+ which is near other
+ Disambiguate symbol name by inserting #n after the name e.g. func #2
+ Or select a global symbol by inserting #0 or #g or #G
+ Failed to parse address filter: 'filter func @ ./test'
+ Filter format is: filter|start|stop|tracestop <start symbol or address> [/ <end symbol or size>] [@<file name>]
+ Where multiple filters are separated by space or comma.
+ $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test
+ Failed to parse address filter: 'filter func #2 @ ./test'
+ Filter format is: filter|start|stop|tracestop <start symbol or address> [/ <end symbol or size>] [@<file name>]
+ Where multiple filters are separated by space or comma.
+
+ After:
+
+ $ perf record -e intel_pt//u --filter 'filter func #2 @ ./test' -- ./test
+ First func
+ Second func
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.016 MB perf.data ]
+ $ perf script --itrace=b -Ftime,flags,ip,sym,addr --ns
+ 1231062.526977619: tr strt 0 [unknown] => 558495708179 func
+ 1231062.526977619: tr end call 558495708188 func => 558495708050 _init
+ 1231062.526979286: tr strt 0 [unknown] => 55849570818d func
+ 1231062.526979286: tr end return 55849570818f func => 55849570819d other
+
+Fixes: 1b36c03e356936d6 ("perf record: Add support for using symbols in address filters")
+Reported-by: Dmitrii Dolgov <9erthalion6@gmail.com>
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Dmitry Dolgov <9erthalion6@gmail.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230110185659.15979-1-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/auxtrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/auxtrace.c
++++ b/tools/perf/util/auxtrace.c
+@@ -2610,7 +2610,7 @@ static int find_dso_sym(struct dso *dso,
+ *size = sym->start - *start;
+ if (idx > 0) {
+ if (*size)
+- return 1;
++ return 0;
+ } else if (dso_sym_match(sym, sym_name, &cnt, idx)) {
+ print_duplicate_syms(dso, sym_name);
+ return -EINVAL;
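Review bot: The changed `return 0;` sits a few lines from `return -EINVAL;` with nothing in view that says what find_dso_sym()'s return values mean, which is presumably how `return 1` went unnoticed here. A comment at the branch, e.g. `/* size of the idx'th duplicate is now known: success */`, or a short header comment listing the return values, would make the convention checkable. The start of the function, where a header comment would go, is outside this hunk.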
--- /dev/null
+From 16f1f838442dc6430d32d51ddda347b8421ec34b Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 4 Jan 2023 16:09:44 +0100
+Subject: Revert "ALSA: usb-audio: Drop superfluous interface setup at parsing"
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 16f1f838442dc6430d32d51ddda347b8421ec34b upstream.
+
+This reverts commit ac5e2fb425e1121ceef2b9d1b3ffccc195d55707.
+
+The commit caused a regression on Behringer UMC404HD (and likely
+others). As the change was meant only as a minor optimization, it's
+better to revert it to address the regression.
+
+Reported-and-tested-by: Michael Ralston <michael@ralston.id.au>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/CAC2975JXkS1A5Tj9b02G_sy25ZWN-ys+tc9wmkoS=qPgKCogSg@mail.gmail.com
+Link: https://lore.kernel.org/r/20230104150944.24918-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/stream.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -1222,6 +1222,12 @@ static int __snd_usb_parse_audio_interfa
+ if (err < 0)
+ return err;
+ }
++
++ /* try to set the interface... */
++ usb_set_interface(chip->dev, iface_no, 0);
++ snd_usb_init_pitch(chip, fp);
++ snd_usb_init_sample_rate(chip, fp, fp->rate_max);
++ usb_set_interface(chip->dev, iface_no, altno);
+ }
+ return 0;
+ }
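Review bot: The re-added block ignores the return value of both `usb_set_interface()` calls, and the comment `/* try to set the interface... */` does not say whether that is intended. If the setup is best-effort, say so and why, e.g. `/* best effort: some devices need this initial setup; failures are ignored */`. Otherwise a failed switch back to `altno` should at least be logged. The commit message names a device that regressed without this sequence, which is worth recording in the comment so the block is not dropped again as superfluous. The function starts outside the hunk.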
--- /dev/null
+From 82d3edb50a11bf3c5ef63294d5358ba230181413 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Thu, 5 Jan 2023 15:44:20 +0100
+Subject: s390/cpum_sf: add READ_ONCE() semantics to compare and swap loops
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+commit 82d3edb50a11bf3c5ef63294d5358ba230181413 upstream.
+
+The current cmpxchg_double() loops within the perf hw sampling code do not
+have READ_ONCE() semantics to read the old value from memory. This allows
+the compiler to generate code which reads the "old" value several times
+from memory, which again allows for inconsistencies.
+
+For example:
+
+ /* Reset trailer (using compare-double-and-swap) */
+ do {
+ te_flags = te->flags & ~SDB_TE_BUFFER_FULL_MASK;
+ te_flags |= SDB_TE_ALERT_REQ_MASK;
+ } while (!cmpxchg_double(&te->flags, &te->overflow,
+ te->flags, te->overflow,
+ te_flags, 0ULL));
+
+The compiler could generate code where te->flags used within the
+cmpxchg_double() call may be refetched from memory and which is not
+necessarily identical to the previous read version which was used to
+generate te_flags. Which in turn means that an incorrect update could
+happen.
+
+Fix this by adding READ_ONCE() semantics to all cmpxchg_double()
+loops. Given that READ_ONCE() cannot generate code on s390 which atomically
+reads 16 bytes, use a private compare-and-swap-double implementation to
+achieve that.
+
+Also replace cmpxchg_double() with the private implementation to be able to
+re-use the old value within the loops.
+
+As a side effect this converts the whole code to only use bit fields
+to read and modify bits within the hws trailer header.
+
+Reported-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Acked-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Acked-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Reviewed-by: Thomas Richter <tmricht@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/linux-s390/Y71QJBhNTIatvxUT@osiris/T/#ma14e2a5f7aa8ed4b94b6f9576799b3ad9c60f333
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/cpu_mf.h | 31 +++++-------
+ arch/s390/kernel/perf_cpum_sf.c | 101 ++++++++++++++++++++++++----------------
+ 2 files changed, 77 insertions(+), 55 deletions(-)
+
+--- a/arch/s390/include/asm/cpu_mf.h
++++ b/arch/s390/include/asm/cpu_mf.h
+@@ -131,19 +131,21 @@ struct hws_combined_entry {
+ struct hws_diag_entry diag; /* Diagnostic-sampling data entry */
+ } __packed;
+
+-struct hws_trailer_entry {
+- union {
+- struct {
+- unsigned int f:1; /* 0 - Block Full Indicator */
+- unsigned int a:1; /* 1 - Alert request control */
+- unsigned int t:1; /* 2 - Timestamp format */
+- unsigned int :29; /* 3 - 31: Reserved */
+- unsigned int bsdes:16; /* 32-47: size of basic SDE */
+- unsigned int dsdes:16; /* 48-63: size of diagnostic SDE */
+- };
+- unsigned long long flags; /* 0 - 63: All indicators */
++union hws_trailer_header {
++ struct {
++ unsigned int f:1; /* 0 - Block Full Indicator */
++ unsigned int a:1; /* 1 - Alert request control */
++ unsigned int t:1; /* 2 - Timestamp format */
++ unsigned int :29; /* 3 - 31: Reserved */
++ unsigned int bsdes:16; /* 32-47: size of basic SDE */
++ unsigned int dsdes:16; /* 48-63: size of diagnostic SDE */
++ unsigned long long overflow; /* 64 - Overflow Count */
+ };
+- unsigned long long overflow; /* 64 - sample Overflow count */
++ __uint128_t val;
++};
++
++struct hws_trailer_entry {
++ union hws_trailer_header header; /* 0 - 15 Flags + Overflow Count */
+ unsigned char timestamp[16]; /* 16 - 31 timestamp */
+ unsigned long long reserved1; /* 32 -Reserved */
+ unsigned long long reserved2; /* */
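Review bot: `union hws_trailer_header` relies on the anonymous bit-field struct and `__uint128_t val` covering exactly the same 16 bytes, but nothing in the declaration states or enforces that. The `cdsg` instruction that perf_cpum_sf.c applies to `val` needs its storage operand on a quadword boundary, so both the size of the union and its position at the start of `struct hws_trailer_entry` matter. I would add a comment on the member, e.g. `__uint128_t val; /* 0 - 127: whole header, accessed with cdsg */`, and a compile-time size check next to the union if this header can use one.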
+@@ -290,14 +292,11 @@ static inline unsigned long sample_rate_
+ return USEC_PER_SEC * qsi->cpu_speed / rate;
+ }
+
+-#define SDB_TE_ALERT_REQ_MASK 0x4000000000000000UL
+-#define SDB_TE_BUFFER_FULL_MASK 0x8000000000000000UL
+-
+ /* Return TOD timestamp contained in an trailer entry */
+ static inline unsigned long long trailer_timestamp(struct hws_trailer_entry *te)
+ {
+ /* TOD in STCKE format */
+- if (te->t)
++ if (te->header.t)
+ return *((unsigned long long *) &te->timestamp[1]);
+
+ /* TOD in STCK format */
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -163,14 +163,15 @@ static void free_sampling_buffer(struct
+
+ static int alloc_sample_data_block(unsigned long *sdbt, gfp_t gfp_flags)
+ {
+- unsigned long sdb, *trailer;
++ struct hws_trailer_entry *te;
++ unsigned long sdb;
+
+ /* Allocate and initialize sample-data-block */
+ sdb = get_zeroed_page(gfp_flags);
+ if (!sdb)
+ return -ENOMEM;
+- trailer = trailer_entry_ptr(sdb);
+- *trailer = SDB_TE_ALERT_REQ_MASK;
++ te = (struct hws_trailer_entry *)trailer_entry_ptr(sdb);
++ te->header.a = 1;
+
+ /* Link SDB into the sample-data-block-table */
+ *sdbt = sdb;
+@@ -1206,7 +1207,7 @@ static void hw_collect_samples(struct pe
+ "%s: Found unknown"
+ " sampling data entry: te->f %i"
+ " basic.def %#4x (%p)\n", __func__,
+- te->f, sample->def, sample);
++ te->header.f, sample->def, sample);
+ /* Sample slot is not yet written or other record.
+ *
+ * This condition can occur if the buffer was reused
+@@ -1217,7 +1218,7 @@ static void hw_collect_samples(struct pe
+ * that are not full. Stop processing if the first
+ * invalid format was detected.
+ */
+- if (!te->f)
++ if (!te->header.f)
+ break;
+ }
+
+@@ -1227,6 +1228,16 @@ static void hw_collect_samples(struct pe
+ }
+ }
+
++static inline __uint128_t __cdsg(__uint128_t *ptr, __uint128_t old, __uint128_t new)
++{
++ asm volatile(
++ " cdsg %[old],%[new],%[ptr]\n"
++ : [old] "+d" (old), [ptr] "+QS" (*ptr)
++ : [new] "d" (new)
++ : "memory", "cc");
++ return old;
++}
++
+ /* hw_perf_event_update() - Process sampling buffer
+ * @event: The perf event
+ * @flush_all: Flag to also flush partially filled sample-data-blocks
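Review bot: __cdsg() has no comment describing its contract, and its callers depend on details that are not obvious from the inline asm. It returns the value found at `*ptr`, and the swap took place only when that value equals the `old` argument. A header comment such as `/* Compare *ptr with old and store new if equal; returns the value found at *ptr. */`, plus a note that `ptr` must be 16-byte aligned, would save readers a trip to the architecture manual.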
+@@ -1243,10 +1254,11 @@ static void hw_collect_samples(struct pe
+ */
+ static void hw_perf_event_update(struct perf_event *event, int flush_all)
+ {
++ unsigned long long event_overflow, sampl_overflow, num_sdb;
++ union hws_trailer_header old, prev, new;
+ struct hw_perf_event *hwc = &event->hw;
+ struct hws_trailer_entry *te;
+ unsigned long *sdbt;
+- unsigned long long event_overflow, sampl_overflow, num_sdb, te_flags;
+ int done;
+
+ /*
+@@ -1266,25 +1278,25 @@ static void hw_perf_event_update(struct
+ te = (struct hws_trailer_entry *) trailer_entry_ptr(*sdbt);
+
+ /* Leave loop if no more work to do (block full indicator) */
+- if (!te->f) {
++ if (!te->header.f) {
+ done = 1;
+ if (!flush_all)
+ break;
+ }
+
+ /* Check the sample overflow count */
+- if (te->overflow)
++ if (te->header.overflow)
+ /* Account sample overflows and, if a particular limit
+ * is reached, extend the sampling buffer.
+ * For details, see sfb_account_overflows().
+ */
+- sampl_overflow += te->overflow;
++ sampl_overflow += te->header.overflow;
+
+ /* Timestamps are valid for full sample-data-blocks only */
+ debug_sprintf_event(sfdbg, 6, "%s: sdbt %#lx "
+ "overflow %llu timestamp %#llx\n",
+- __func__, (unsigned long)sdbt, te->overflow,
+- (te->f) ? trailer_timestamp(te) : 0ULL);
++ __func__, (unsigned long)sdbt, te->header.overflow,
++ (te->header.f) ? trailer_timestamp(te) : 0ULL);
+
+ /* Collect all samples from a single sample-data-block and
+ * flag if an (perf) event overflow happened. If so, the PMU
+@@ -1294,12 +1306,16 @@ static void hw_perf_event_update(struct
+ num_sdb++;
+
+ /* Reset trailer (using compare-double-and-swap) */
++ /* READ_ONCE() 16 byte header */
++ prev.val = __cdsg(&te->header.val, 0, 0);
+ do {
+- te_flags = te->flags & ~SDB_TE_BUFFER_FULL_MASK;
+- te_flags |= SDB_TE_ALERT_REQ_MASK;
+- } while (!cmpxchg_double(&te->flags, &te->overflow,
+- te->flags, te->overflow,
+- te_flags, 0ULL));
++ old.val = prev.val;
++ new.val = prev.val;
++ new.f = 0;
++ new.a = 1;
++ new.overflow = 0;
++ prev.val = __cdsg(&te->header.val, old.val, new.val);
++ } while (prev.val != old.val);
+
+ /* Advance to next sample-data-block */
+ sdbt++;
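Review bot: The comment `/* READ_ONCE() 16 byte header */` on `prev.val = __cdsg(&te->header.val, 0, 0);` does not explain why a compare-and-swap of zero against zero amounts to a read. Something like `/* Atomic 16-byte load: cdsg with old == new == 0 leaves the stored value unchanged and returns it */` would make the idiom self-explanatory. Two comments now sit back to back before the loop (`Reset trailer ...` and this one), and merging them would read better. The same idiom appears in aux_set_alert() in a later hunk, which is cut off at the end of this view.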
+@@ -1384,7 +1400,7 @@ static void aux_output_end(struct perf_o
+ range_scan = AUX_SDB_NUM_ALERT(aux);
+ for (i = 0, idx = aux->head; i < range_scan; i++, idx++) {
+ te = aux_sdb_trailer(aux, idx);
+- if (!(te->flags & SDB_TE_BUFFER_FULL_MASK))
++ if (!te->header.f)
+ break;
+ }
+ /* i is num of SDBs which are full */
+@@ -1392,7 +1408,7 @@ static void aux_output_end(struct perf_o
+
+ /* Remove alert indicators in the buffer */
+ te = aux_sdb_trailer(aux, aux->alert_mark);
+- te->flags &= ~SDB_TE_ALERT_REQ_MASK;
++ te->header.a = 0;
+
+ debug_sprintf_event(sfdbg, 6, "%s: SDBs %ld range %ld head %ld\n",
+ __func__, i, range_scan, aux->head);
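Review bot: `te->header.a = 0` is a plain bit-field store, so it is a non-atomic read-modify-write of whatever storage unit holds `a`, and the access width is now chosen by the compiler rather than spelled out as in the old `te->flags &= ~SDB_TE_ALERT_REQ_MASK`. The old code was not atomic either, but if the sampling facility can still write this trailer here, a concurrent change to `f` or a neighbouring bit could be lost; the same applies to the plain stores in the two aux_output_begin() hunks (`te->header.f = 0`, `te->header.a = 0`, `te->header.a = 1`). Either a comment stating that hardware does not touch these trailers at this point, or the `__cdsg()` loop that aux_set_alert() uses, would make the assumption explicit. The union layout is defined outside this hunk, so the storage-unit size cannot be checked from here.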
+@@ -1437,9 +1453,9 @@ static int aux_output_begin(struct perf_
+ idx = aux->empty_mark + 1;
+ for (i = 0; i < range_scan; i++, idx++) {
+ te = aux_sdb_trailer(aux, idx);
+- te->flags &= ~(SDB_TE_BUFFER_FULL_MASK |
+- SDB_TE_ALERT_REQ_MASK);
+- te->overflow = 0;
++ te->header.f = 0;
++ te->header.a = 0;
++ te->header.overflow = 0;
+ }
+ /* Save the position of empty SDBs */
+ aux->empty_mark = aux->head + range - 1;
+@@ -1448,7 +1464,7 @@ static int aux_output_begin(struct perf_
+ /* Set alert indicator */
+ aux->alert_mark = aux->head + range/2 - 1;
+ te = aux_sdb_trailer(aux, aux->alert_mark);
+- te->flags = te->flags | SDB_TE_ALERT_REQ_MASK;
++ te->header.a = 1;
+
+ /* Reset hardware buffer head */
+ head = AUX_SDB_INDEX(aux, aux->head);
+@@ -1475,14 +1491,17 @@ static int aux_output_begin(struct perf_
+ static bool aux_set_alert(struct aux_buffer *aux, unsigned long alert_index,
+ unsigned long long *overflow)
+ {
+- unsigned long long orig_overflow, orig_flags, new_flags;
++ union hws_trailer_header old, prev, new;
+ struct hws_trailer_entry *te;
+
+ te = aux_sdb_trailer(aux, alert_index);
++ /* READ_ONCE() 16 byte header */
++ prev.val = __cdsg(&te->header.val, 0, 0);
+ do {
+- orig_flags = te->flags;
+- *overflow = orig_overflow = te->overflow;
+- if (orig_flags & SDB_TE_BUFFER_FULL_MASK) {
++ old.val = prev.val;
++ new.val = prev.val;
++ *overflow = old.overflow;
++ if (old.f) {
+ /*
+ * SDB is already set by hardware.
+ * Abort and try to set somewhere
+@@ -1490,10 +1509,10 @@ static bool aux_set_alert(struct aux_buf
+ */
+ return false;
+ }
+- new_flags = orig_flags | SDB_TE_ALERT_REQ_MASK;
+- } while (!cmpxchg_double(&te->flags, &te->overflow,
+- orig_flags, orig_overflow,
+- new_flags, 0ULL));
++ new.a = 1;
++ new.overflow = 0;
++ prev.val = __cdsg(&te->header.val, old.val, new.val);
++ } while (prev.val != old.val);
+ return true;
+ }
+
+@@ -1522,8 +1541,9 @@ static bool aux_set_alert(struct aux_buf
+ static bool aux_reset_buffer(struct aux_buffer *aux, unsigned long range,
+ unsigned long long *overflow)
+ {
+- unsigned long long orig_overflow, orig_flags, new_flags;
+ unsigned long i, range_scan, idx, idx_old;
++ union hws_trailer_header old, prev, new;
++ unsigned long long orig_overflow;
+ struct hws_trailer_entry *te;
+
+ debug_sprintf_event(sfdbg, 6, "%s: range %ld head %ld alert %ld "
+@@ -1554,17 +1574,20 @@ static bool aux_reset_buffer(struct aux_
+ idx_old = idx = aux->empty_mark + 1;
+ for (i = 0; i < range_scan; i++, idx++) {
+ te = aux_sdb_trailer(aux, idx);
++ /* READ_ONCE() 16 byte header */
++ prev.val = __cdsg(&te->header.val, 0, 0);
+ do {
+- orig_flags = te->flags;
+- orig_overflow = te->overflow;
+- new_flags = orig_flags & ~SDB_TE_BUFFER_FULL_MASK;
++ old.val = prev.val;
++ new.val = prev.val;
++ orig_overflow = old.overflow;
++ new.f = 0;
++ new.overflow = 0;
+ if (idx == aux->alert_mark)
+- new_flags |= SDB_TE_ALERT_REQ_MASK;
++ new.a = 1;
+ else
+- new_flags &= ~SDB_TE_ALERT_REQ_MASK;
+- } while (!cmpxchg_double(&te->flags, &te->overflow,
+- orig_flags, orig_overflow,
+- new_flags, 0ULL));
++ new.a = 0;
++ prev.val = __cdsg(&te->header.val, old.val, new.val);
++ } while (prev.val != old.val);
+ *overflow += orig_overflow;
+ }
+
--- /dev/null
+From c2337a40e04dde1692b5b0a46ecc59f89aaba8a1 Mon Sep 17 00:00:00 2001
+From: Alexander Egorenkov <egorenar@linux.ibm.com>
+Date: Mon, 14 Nov 2022 11:40:08 +0100
+Subject: s390/kexec: fix ipl report address for kdump
+
+From: Alexander Egorenkov <egorenar@linux.ibm.com>
+
+commit c2337a40e04dde1692b5b0a46ecc59f89aaba8a1 upstream.
+
+This commit addresses the following erroneous situation with file-based
+kdump executed on a system with a valid IPL report.
+
+On s390, a kdump kernel, its initrd and IPL report if present are loaded
+into a special and reserved on boot memory region - crashkernel. When
+a system crashes and kdump was activated before, the purgatory code
+is entered first which swaps the crashkernel and [0 - crashkernel size]
+memory regions. Only after that the kdump kernel is entered. For this
+reason, the pointer to an IPL report in lowcore must point to the IPL report
+after the swap and not to the address of the IPL report that was located in
+crashkernel memory region before the swap. Failing to do so, makes the
+kdump's decompressor try to read memory from the crashkernel memory region
+which already contains the production's kernel memory.
+
+The situation described above caused spontaneous kdump failures/hangs
+on systems where the Secure IPL is activated because on such systems
+an IPL report is always present. In that case kdump's decompressor tried
+to parse an IPL report which frequently lead to illegal memory accesses
+because an IPL report contains addresses to various data.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 99feaa717e55 ("s390/kexec_file: Create ipl report and pass to next kernel")
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Alexander Egorenkov <egorenar@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/machine_kexec_file.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kernel/machine_kexec_file.c
++++ b/arch/s390/kernel/machine_kexec_file.c
+@@ -187,8 +187,6 @@ static int kexec_file_add_ipl_report(str
+
+ data->memsz = ALIGN(data->memsz, PAGE_SIZE);
+ buf.mem = data->memsz;
+- if (image->type == KEXEC_TYPE_CRASH)
+- buf.mem += crashk_res.start;
+
+ ptr = (void *)ipl_cert_list_addr;
+ end = ptr + ipl_cert_list_size;
+@@ -225,6 +223,9 @@ static int kexec_file_add_ipl_report(str
+ data->kernel_buf + offsetof(struct lowcore, ipl_parmblock_ptr);
+ *lc_ipl_parmblock_ptr = (__u32)buf.mem;
+
++ if (image->type == KEXEC_TYPE_CRASH)
++ buf.mem += crashk_res.start;
++
+ ret = kexec_add_buffer(&buf);
+ out:
+ return ret;
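Review bot: Nothing in the code records why `crashk_res.start` may only be added after `*lc_ipl_parmblock_ptr` has been written, so a later cleanup could move the block back up and silently reintroduce the kdump failure on Secure IPL systems. A comment above the added `if` would pin the ordering: `/* lowcore must hold the post-swap address; only the load address is offset into crashkernel memory */`. The function body starts outside this hunk, so whether other users of `buf.mem` between the two positions depend on the un-offset value cannot be confirmed from here.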
--- /dev/null
+From e3f360db08d55a14112bd27454e616a24296a8b0 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Mon, 9 Jan 2023 11:51:20 +0100
+Subject: s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple()
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+commit e3f360db08d55a14112bd27454e616a24296a8b0 upstream.
+
+Make sure that *ptr__ within arch_this_cpu_to_op_simple() is only
+dereferenced once by using READ_ONCE(). Otherwise the compiler could
+generate incorrect code.
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/percpu.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/include/asm/percpu.h
++++ b/arch/s390/include/asm/percpu.h
+@@ -31,7 +31,7 @@
+ pcp_op_T__ *ptr__; \
+ preempt_disable_notrace(); \
+ ptr__ = raw_cpu_ptr(&(pcp)); \
+- prev__ = *ptr__; \
++ prev__ = READ_ONCE(*ptr__); \
+ do { \
+ old__ = prev__; \
+ new__ = old__ op (val); \
--- /dev/null
+netfilter-nft_payload-incorrect-arithmetics-when-fetching-vlan-header-bits.patch
+revert-alsa-usb-audio-drop-superfluous-interface-setup-at-parsing.patch
+alsa-control-led-use-strscpy-in-set_led_id.patch
+alsa-usb-audio-always-initialize-fixed_rate-in-snd_usb_find_implicit_fb_sync_format.patch
+alsa-hda-realtek-turn-on-power-early.patch
+alsa-hda-realtek-enable-mute-micmute-leds-on-hp-spectre-x360-13-aw0xxx.patch
+kvm-x86-do-not-return-host-topology-information-from-kvm_get_supported_cpuid.patch
+kvm-arm64-fix-s1ptw-handling-on-ro-memslots.patch
+efi-fix-userspace-infinite-retry-read-efivars-after-efi-runtime-services-page-fault.patch
+efi-tpm-avoid-read_once-for-accessing-the-event-log.patch
+docs-fix-the-docs-build-with-sphinx-6.0.patch
+io_uring-poll-add-hash-if-ready-poll-request-can-t-complete-inline.patch
+arm64-mte-fix-double-freeing-of-the-temporary-tag-storage-during-coredump.patch
+arm64-mte-avoid-the-racy-walk-of-the-vma-list-during-core-dump.patch
+arm64-cmpxchg_double-hazard-against-entire-exchange-variable.patch
+acpi-fix-selecting-wrong-acpi-fwnode-for-the-igpu-on-some-dell-laptops.patch
+net-stmmac-add-aux-timestamps-fifo-clearance-wait.patch
+perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch
+s390-kexec-fix-ipl-report-address-for-kdump.patch
+brcmfmac-prefer-dt-board-type-over-dmi-board-type.patch
+asoc-qcom-lpass-cpu-fix-fallback-sd-line-index-handling.patch
+elfcore-add-a-cprm-parameter-to-elf_core_extra_-phdrs-data_size.patch
+cpufreq-amd-pstate-fix-kernel-hang-issue-while-amd-pstate-unregistering.patch
+s390-cpum_sf-add-read_once-semantics-to-compare-and-swap-loops.patch
+s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch
+drm-virtio-fix-gem-handle-creation-uaf.patch
+drm-amd-pm-smu13-baco-is-supported-when-it-s-in-baco-state.patch
+drm-optimize-drm-buddy-top-down-allocation-method.patch
+drm-i915-gt-reset-twice.patch
+drm-i915-reserve-enough-fence-slot-for-i915_vma_unbind_async.patch
+drm-i915-fix-potential-context-uafs.patch
+drm-amd-delay-removal-of-the-firmware-framebuffer.patch
+drm-amdgpu-fixed-bug-on-error-when-unloading-amdgpu.patch
+drm-amd-pm-correct-the-reference-clock-for-fan-speed-rpm-calculation.patch
+drm-amd-pm-add-the-missing-mapping-for-ppt-feature-on-smu13.0.0-and-13.0.7.patch