--- /dev/null
+From 9b84f0f74d0d716e3fd18dc428ac111266ef5844 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Wed, 30 Nov 2022 22:06:04 +0900
+Subject: ALSA: dice: fix regression for Lexicon I-ONIX FW810S
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 9b84f0f74d0d716e3fd18dc428ac111266ef5844 upstream.
+
+For Lexicon I-ONIX FW810S, the call of ioctl(2) with
+SNDRV_PCM_IOCTL_HW_PARAMS can returns -ETIMEDOUT. This is a regression due
+to the commit 41319eb56e19 ("ALSA: dice: wait just for
+NOTIFY_CLOCK_ACCEPTED after GLOBAL_CLOCK_SELECT operation"). The device
+does not emit NOTIFY_CLOCK_ACCEPTED notification when accepting
+GLOBAL_CLOCK_SELECT operation with the same parameters as current ones.
+
+This commit fixes the regression. When receiving no notification, return
+-ETIMEDOUT as long as operating for any change.
+
+Fixes: 41319eb56e19 ("ALSA: dice: wait just for NOTIFY_CLOCK_ACCEPTED after GLOBAL_CLOCK_SELECT operation")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Link: https://lore.kernel.org/r/20221130130604.29774-1-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/firewire/dice/dice-stream.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/sound/firewire/dice/dice-stream.c b/sound/firewire/dice/dice-stream.c
+index f99e00083141..4c677c8546c7 100644
+--- a/sound/firewire/dice/dice-stream.c
++++ b/sound/firewire/dice/dice-stream.c
+@@ -59,7 +59,7 @@ int snd_dice_stream_get_rate_mode(struct snd_dice *dice, unsigned int rate,
+
+ static int select_clock(struct snd_dice *dice, unsigned int rate)
+ {
+- __be32 reg;
++ __be32 reg, new;
+ u32 data;
+ int i;
+ int err;
+@@ -83,15 +83,17 @@ static int select_clock(struct snd_dice *dice, unsigned int rate)
+ if (completion_done(&dice->clock_accepted))
+ reinit_completion(&dice->clock_accepted);
+
+- reg = cpu_to_be32(data);
++ new = cpu_to_be32(data);
+ err = snd_dice_transaction_write_global(dice, GLOBAL_CLOCK_SELECT,
+- ®, sizeof(reg));
++ &new, sizeof(new));
+ if (err < 0)
+ return err;
+
+ if (wait_for_completion_timeout(&dice->clock_accepted,
+- msecs_to_jiffies(NOTIFICATION_TIMEOUT_MS)) == 0)
+- return -ETIMEDOUT;
++ msecs_to_jiffies(NOTIFICATION_TIMEOUT_MS)) == 0) {
++ if (reg != new)
++ return -ETIMEDOUT;
++ }
+
+ return 0;
+ }
+--
+2.38.1
+
--- /dev/null
+From 9a8cc8cabc1e351614fd7f9e774757a5143b6fe8 Mon Sep 17 00:00:00 2001
+From: Leo Liu <leo.liu@amd.com>
+Date: Tue, 29 Nov 2022 18:53:18 -0500
+Subject: drm/amdgpu: enable Vangogh VCN indirect sram mode
+
+From: Leo Liu <leo.liu@amd.com>
+
+commit 9a8cc8cabc1e351614fd7f9e774757a5143b6fe8 upstream.
+
+So that uses PSP to initialize HW.
+
+Fixes: 0c2c02b66c672e ("drm/amdgpu/vcn: add firmware support for dimgrey_cavefish")
+Signed-off-by: Leo Liu <leo.liu@amd.com>
+Reviewed-by: James Zhu <James.Zhu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c
+@@ -149,6 +149,9 @@ int amdgpu_vcn_sw_init(struct amdgpu_dev
+ break;
+ case CHIP_VANGOGH:
+ fw_name = FIRMWARE_VANGOGH;
++ if ((adev->firmware.load_type == AMDGPU_FW_LOAD_PSP) &&
++ (adev->pg_flags & AMD_PG_SUPPORT_VCN_DPG))
++ adev->vcn.indirect_sram = true;
+ break;
+ case CHIP_DIMGREY_CAVEFISH:
+ fw_name = FIRMWARE_DIMGREY_CAVEFISH;
--- /dev/null
+From 6f6cb1714365a07dbc66851879538df9f6969288 Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee@kernel.org>
+Date: Fri, 25 Nov 2022 12:07:49 +0000
+Subject: drm/amdgpu: temporarily disable broken Clang builds due to blown stack-frame
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lee Jones <lee@kernel.org>
+
+commit 6f6cb1714365a07dbc66851879538df9f6969288 upstream.
+
+Patch series "Fix a bunch of allmodconfig errors", v2.
+
+Since b339ec9c229aa ("kbuild: Only default to -Werror if COMPILE_TEST")
+WERROR now defaults to COMPILE_TEST meaning that it's enabled for
+allmodconfig builds. This leads to some interesting build failures when
+using Clang, each resolved in this set.
+
+With this set applied, I am able to obtain a successful allmodconfig Arm
+build.
+
+
+This patch (of 2):
+
+calculate_bandwidth() is presently broken on all !(X86_64 || SPARC64 ||
+ARM64) architectures built with Clang (all released versions), whereby the
+stack frame gets blown up to well over 5k. This would cause an immediate
+kernel panic on most architectures. We'll revert this when the following
+bug report has been resolved:
+https://github.com/llvm/llvm-project/issues/41896.
+
+Link: https://lkml.kernel.org/r/20221125120750.3537134-1-lee@kernel.org
+Link: https://lkml.kernel.org/r/20221125120750.3537134-2-lee@kernel.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Suggested-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: "Christian König" <christian.koenig@amd.com>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: David Airlie <airlied@gmail.com>
+Cc: Harry Wentland <harry.wentland@amd.com>
+Cc: Lee Jones <lee@kernel.org>
+Cc: Leo Li <sunpeng.li@amd.com>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Maxime Ripard <mripard@kernel.org>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: "Pan, Xinhui" <Xinhui.Pan@amd.com>
+Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Tom Rix <trix@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/Kconfig | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/Kconfig
++++ b/drivers/gpu/drm/amd/display/Kconfig
+@@ -5,6 +5,7 @@ menu "Display Engine Configuration"
+ config DRM_AMD_DC
+ bool "AMD DC - Enable new display engine"
+ default y
++ depends on BROKEN || !CC_IS_CLANG || X86_64 || SPARC64 || ARM64
+ select SND_HDA_COMPONENT if SND_HDA_CORE
+ select DRM_AMD_DC_DCN if (X86 || PPC64) && !(KCOV_INSTRUMENT_ALL && KCOV_ENABLE_COMPARISONS)
+ help
+@@ -12,6 +13,12 @@ config DRM_AMD_DC
+ support for AMDGPU. This adds required support for Vega and
+ Raven ASICs.
+
++ calculate_bandwidth() is presently broken on all !(X86_64 || SPARC64 || ARM64)
++ architectures built with Clang (all released versions), whereby the stack
++ frame gets blown up to well over 5k. This would cause an immediate kernel
++ panic on most architectures. We'll revert this when the following bug report
++ has been resolved: https://github.com/llvm/llvm-project/issues/41896.
++
+ config DRM_AMD_DC_DCN
+ def_bool n
+ help
--- /dev/null
+From a4412fdd49dc011bcc2c0d81ac4cab7457092650 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
+Date: Mon, 21 Nov 2022 10:44:03 -0500
+Subject: error-injection: Add prompt for function error injection
+
+From: Steven Rostedt (Google) <rostedt@goodmis.org>
+
+commit a4412fdd49dc011bcc2c0d81ac4cab7457092650 upstream.
+
+The config to be able to inject error codes into any function annotated
+with ALLOW_ERROR_INJECTION() is enabled when FUNCTION_ERROR_INJECTION is
+enabled. But unfortunately, this is always enabled on x86 when KPROBES
+is enabled, and there's no way to turn it off.
+
+As kprobes is useful for observability of the kernel, it is useful to
+have it enabled in production environments. But error injection should
+be avoided. Add a prompt to the config to allow it to be disabled even
+when kprobes is enabled, and get rid of the "def_bool y".
+
+This is a kernel debug feature (it's in Kconfig.debug), and should have
+never been something enabled by default.
+
+Cc: stable@vger.kernel.org
+Fixes: 540adea3809f6 ("error-injection: Separate error-injection from kprobe")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/Kconfig.debug | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1872,8 +1872,14 @@ config NETDEV_NOTIFIER_ERROR_INJECT
+ If unsure, say N.
+
+ config FUNCTION_ERROR_INJECTION
+- def_bool y
++ bool "Fault-injections of functions"
+ depends on HAVE_FUNCTION_ERROR_INJECTION && KPROBES
++ help
++ Add fault injections into various functions that are annotated with
++ ALLOW_ERROR_INJECTION() in the kernel. BPF may also modify the return
++ value of theses functions. This is useful to test error paths of code.
++
++ If unsure, say N
+
+ config FAULT_INJECTION
+ bool "Fault-injection framework"
--- /dev/null
+From 489d144563f23911262a652234b80c70c89c978b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20L=C3=B6hle?= <CLoehle@hyperstone.com>
+Date: Thu, 17 Nov 2022 14:42:09 +0000
+Subject: mmc: core: Fix ambiguous TRIM and DISCARD arg
+
+From: Christian Löhle <CLoehle@hyperstone.com>
+
+commit 489d144563f23911262a652234b80c70c89c978b upstream.
+
+Clean up the MMC_TRIM_ARGS define that became ambiguous with DISCARD
+introduction. While at it, let's fix one usage where MMC_TRIM_ARGS falsely
+included DISCARD too.
+
+Fixes: b3bf915308ca ("mmc: core: new discard feature support at eMMC v4.5")
+Signed-off-by: Christian Loehle <cloehle@hyperstone.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/11376b5714964345908f3990f17e0701@hyperstone.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/core.c | 9 +++++++--
+ include/linux/mmc/mmc.h | 2 +-
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/core/core.c
++++ b/drivers/mmc/core/core.c
+@@ -1482,6 +1482,11 @@ void mmc_init_erase(struct mmc_card *car
+ card->pref_erase = 0;
+ }
+
++static bool is_trim_arg(unsigned int arg)
++{
++ return (arg & MMC_TRIM_OR_DISCARD_ARGS) && arg != MMC_DISCARD_ARG;
++}
++
+ static unsigned int mmc_mmc_erase_timeout(struct mmc_card *card,
+ unsigned int arg, unsigned int qty)
+ {
+@@ -1764,7 +1769,7 @@ int mmc_erase(struct mmc_card *card, uns
+ !(card->ext_csd.sec_feature_support & EXT_CSD_SEC_ER_EN))
+ return -EOPNOTSUPP;
+
+- if (mmc_card_mmc(card) && (arg & MMC_TRIM_ARGS) &&
++ if (mmc_card_mmc(card) && is_trim_arg(arg) &&
+ !(card->ext_csd.sec_feature_support & EXT_CSD_SEC_GB_CL_EN))
+ return -EOPNOTSUPP;
+
+@@ -1794,7 +1799,7 @@ int mmc_erase(struct mmc_card *card, uns
+ * identified by the card->eg_boundary flag.
+ */
+ rem = card->erase_size - (from % card->erase_size);
+- if ((arg & MMC_TRIM_ARGS) && (card->eg_boundary) && (nr > rem)) {
++ if ((arg & MMC_TRIM_OR_DISCARD_ARGS) && card->eg_boundary && nr > rem) {
+ err = mmc_do_erase(card, from, from + rem - 1, arg);
+ from += rem;
+ if ((err) || (to <= from))
+--- a/include/linux/mmc/mmc.h
++++ b/include/linux/mmc/mmc.h
+@@ -445,7 +445,7 @@ static inline bool mmc_ready_for_data(u3
+ #define MMC_SECURE_TRIM1_ARG 0x80000001
+ #define MMC_SECURE_TRIM2_ARG 0x80008000
+ #define MMC_SECURE_ARGS 0x80000000
+-#define MMC_TRIM_ARGS 0x00008001
++#define MMC_TRIM_OR_DISCARD_ARGS 0x00008003
+
+ #define mmc_driver_type_mask(n) (1 << (n))
+
--- /dev/null
+From f4307b4df1c28842bb1950ff0e1b97e17031b17f Mon Sep 17 00:00:00 2001
+From: Ye Bin <yebin10@huawei.com>
+Date: Wed, 23 Nov 2022 17:55:06 +0800
+Subject: mmc: mmc_test: Fix removal of debugfs file
+
+From: Ye Bin <yebin10@huawei.com>
+
+commit f4307b4df1c28842bb1950ff0e1b97e17031b17f upstream.
+
+In __mmc_test_register_dbgfs_file(), we need to assign 'file', as it's
+being used when removing the debugfs files when the mmc_test module is
+removed.
+
+Fixes: a04c50aaa916 ("mmc: core: no need to check return value of debugfs_create functions")
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+[Ulf: Re-wrote the commit msg]
+Link: https://lore.kernel.org/r/20221123095506.1965691-1-yebin@huaweicloud.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/mmc_test.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/mmc_test.c
++++ b/drivers/mmc/core/mmc_test.c
+@@ -3181,7 +3181,8 @@ static int __mmc_test_register_dbgfs_fil
+ struct mmc_test_dbgfs_file *df;
+
+ if (card->debugfs_root)
+- debugfs_create_file(name, mode, card->debugfs_root, card, fops);
++ file = debugfs_create_file(name, mode, card->debugfs_root,
++ card, fops);
+
+ df = kmalloc(sizeof(*df), GFP_KERNEL);
+ if (!df) {
--- /dev/null
+From c61bfb1cb63ddab52b31cf5f1924688917e61fad Mon Sep 17 00:00:00 2001
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+Date: Fri, 25 Nov 2022 17:01:41 +0800
+Subject: mmc: mtk-sd: Fix missing clk_disable_unprepare in msdc_of_clock_parse()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+commit c61bfb1cb63ddab52b31cf5f1924688917e61fad upstream.
+
+The clk_disable_unprepare() should be called in the error handling
+of devm_clk_bulk_get_optional, fix it by replacing devm_clk_get_optional
+and clk_prepare_enable by devm_clk_get_optional_enabled.
+
+Fixes: f5eccd94b63f ("mmc: mediatek: Add subsys clock control for MT8192 msdc")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20221125090141.3626747-1-cuigaosheng1@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mtk-sd.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -2455,13 +2455,11 @@ static int msdc_of_clock_parse(struct pl
+ if (IS_ERR(host->src_clk_cg))
+ host->src_clk_cg = NULL;
+
+- host->sys_clk_cg = devm_clk_get_optional(&pdev->dev, "sys_cg");
++ /* If present, always enable for this clock gate */
++ host->sys_clk_cg = devm_clk_get_optional_enabled(&pdev->dev, "sys_cg");
+ if (IS_ERR(host->sys_clk_cg))
+ host->sys_clk_cg = NULL;
+
+- /* If present, always enable for this clock gate */
+- clk_prepare_enable(host->sys_clk_cg);
+-
+ host->bulk_clks[0].id = "pclk_cg";
+ host->bulk_clks[1].id = "axi_cg";
+ host->bulk_clks[2].id = "ahb_cg";
--- /dev/null
+From a3cab1d2132474969871b5d7f915c5c0167b48b0 Mon Sep 17 00:00:00 2001
+From: Sebastian Falbesoner <sebastian.falbesoner@gmail.com>
+Date: Mon, 21 Nov 2022 11:57:21 +0100
+Subject: mmc: sdhci-esdhc-imx: correct CQHCI exit halt state check
+
+From: Sebastian Falbesoner <sebastian.falbesoner@gmail.com>
+
+commit a3cab1d2132474969871b5d7f915c5c0167b48b0 upstream.
+
+With the current logic the "failed to exit halt state" error would be
+shown even if any other bit than CQHCI_HALT was set in the CQHCI_CTL
+register, since the right hand side is always true. Fix this by using
+the correct operator (bit-wise instead of logical AND) to only check for
+the halt bit flag, which was obviously intended here.
+
+Fixes: 85236d2be844 ("mmc: sdhci-esdhc-imx: clear the HALT bit when enable CQE")
+Signed-off-by: Sebastian Falbesoner <sebastian.falbesoner@gmail.com>
+Acked-by: Haibo Chen <haibo.chen@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20221121105721.1903878-1-sebastian.falbesoner@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -1495,7 +1495,7 @@ static void esdhc_cqe_enable(struct mmc_
+ * system resume back.
+ */
+ cqhci_writel(cq_host, 0, CQHCI_CTL);
+- if (cqhci_readl(cq_host, CQHCI_CTL) && CQHCI_HALT)
++ if (cqhci_readl(cq_host, CQHCI_CTL) & CQHCI_HALT)
+ dev_err(mmc_dev(host->mmc),
+ "failed to exit halt state when enable CQE\n");
+
--- /dev/null
+From c981cdfb9925f64a364f13c2b4f98f877308a408 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Mon, 28 Nov 2022 15:32:56 +0200
+Subject: mmc: sdhci: Fix voltage switch delay
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit c981cdfb9925f64a364f13c2b4f98f877308a408 upstream.
+
+Commit 20b92a30b561 ("mmc: sdhci: update signal voltage switch code")
+removed voltage switch delays from sdhci because mmc core had been
+enhanced to support them. However that assumed that sdhci_set_ios()
+did a single clock change, which it did not, and so the delays in mmc
+core, which should have come after the first clock change, were not
+effective.
+
+Fix by avoiding re-configuring UHS and preset settings when the clock
+is turning on and the settings have not changed. That then also avoids
+the associated clock changes, so that then sdhci_set_ios() does a single
+clock change when voltage switching, and the mmc core delays become
+effective.
+
+To do that has meant keeping track of driver strength (host->drv_type),
+and cases of reinitialization (host->reinit_uhs).
+
+Note also, the 'turning_on_clk' restriction should not be necessary
+but is done to minimize the impact of the change on stable kernels.
+
+Fixes: 20b92a30b561 ("mmc: sdhci: update signal voltage switch code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20221128133259.38305-2-adrian.hunter@intel.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci.c | 61 +++++++++++++++++++++++++++++++++++++++++------
+ drivers/mmc/host/sdhci.h | 2 +
+ 2 files changed, 56 insertions(+), 7 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -338,6 +338,7 @@ static void sdhci_init(struct sdhci_host
+ if (soft) {
+ /* force clock reconfiguration */
+ host->clock = 0;
++ host->reinit_uhs = true;
+ mmc->ops->set_ios(mmc, &mmc->ios);
+ }
+ }
+@@ -2257,11 +2258,46 @@ void sdhci_set_uhs_signaling(struct sdhc
+ }
+ EXPORT_SYMBOL_GPL(sdhci_set_uhs_signaling);
+
++static bool sdhci_timing_has_preset(unsigned char timing)
++{
++ switch (timing) {
++ case MMC_TIMING_UHS_SDR12:
++ case MMC_TIMING_UHS_SDR25:
++ case MMC_TIMING_UHS_SDR50:
++ case MMC_TIMING_UHS_SDR104:
++ case MMC_TIMING_UHS_DDR50:
++ case MMC_TIMING_MMC_DDR52:
++ return true;
++ };
++ return false;
++}
++
++static bool sdhci_preset_needed(struct sdhci_host *host, unsigned char timing)
++{
++ return !(host->quirks2 & SDHCI_QUIRK2_PRESET_VALUE_BROKEN) &&
++ sdhci_timing_has_preset(timing);
++}
++
++static bool sdhci_presetable_values_change(struct sdhci_host *host, struct mmc_ios *ios)
++{
++ /*
++ * Preset Values are: Driver Strength, Clock Generator and SDCLK/RCLK
++ * Frequency. Check if preset values need to be enabled, or the Driver
++ * Strength needs updating. Note, clock changes are handled separately.
++ */
++ return !host->preset_enabled &&
++ (sdhci_preset_needed(host, ios->timing) || host->drv_type != ios->drv_type);
++}
++
+ void sdhci_set_ios(struct mmc_host *mmc, struct mmc_ios *ios)
+ {
+ struct sdhci_host *host = mmc_priv(mmc);
++ bool reinit_uhs = host->reinit_uhs;
++ bool turning_on_clk = false;
+ u8 ctrl;
+
++ host->reinit_uhs = false;
++
+ if (ios->power_mode == MMC_POWER_UNDEFINED)
+ return;
+
+@@ -2287,6 +2323,8 @@ void sdhci_set_ios(struct mmc_host *mmc,
+ sdhci_enable_preset_value(host, false);
+
+ if (!ios->clock || ios->clock != host->clock) {
++ turning_on_clk = ios->clock && !host->clock;
++
+ host->ops->set_clock(host, ios->clock);
+ host->clock = ios->clock;
+
+@@ -2313,6 +2351,17 @@ void sdhci_set_ios(struct mmc_host *mmc,
+
+ host->ops->set_bus_width(host, ios->bus_width);
+
++ /*
++ * Special case to avoid multiple clock changes during voltage
++ * switching.
++ */
++ if (!reinit_uhs &&
++ turning_on_clk &&
++ host->timing == ios->timing &&
++ host->version >= SDHCI_SPEC_300 &&
++ !sdhci_presetable_values_change(host, ios))
++ return;
++
+ ctrl = sdhci_readb(host, SDHCI_HOST_CONTROL);
+
+ if (!(host->quirks & SDHCI_QUIRK_NO_HISPD_BIT)) {
+@@ -2356,6 +2405,7 @@ void sdhci_set_ios(struct mmc_host *mmc,
+ }
+
+ sdhci_writew(host, ctrl_2, SDHCI_HOST_CONTROL2);
++ host->drv_type = ios->drv_type;
+ } else {
+ /*
+ * According to SDHC Spec v3.00, if the Preset Value
+@@ -2383,19 +2433,14 @@ void sdhci_set_ios(struct mmc_host *mmc,
+ host->ops->set_uhs_signaling(host, ios->timing);
+ host->timing = ios->timing;
+
+- if (!(host->quirks2 & SDHCI_QUIRK2_PRESET_VALUE_BROKEN) &&
+- ((ios->timing == MMC_TIMING_UHS_SDR12) ||
+- (ios->timing == MMC_TIMING_UHS_SDR25) ||
+- (ios->timing == MMC_TIMING_UHS_SDR50) ||
+- (ios->timing == MMC_TIMING_UHS_SDR104) ||
+- (ios->timing == MMC_TIMING_UHS_DDR50) ||
+- (ios->timing == MMC_TIMING_MMC_DDR52))) {
++ if (sdhci_preset_needed(host, ios->timing)) {
+ u16 preset;
+
+ sdhci_enable_preset_value(host, true);
+ preset = sdhci_get_preset_value(host);
+ ios->drv_type = FIELD_GET(SDHCI_PRESET_DRV_MASK,
+ preset);
++ host->drv_type = ios->drv_type;
+ }
+
+ /* Re-enable SD Clock */
+@@ -3711,6 +3756,7 @@ int sdhci_resume_host(struct sdhci_host
+ sdhci_init(host, 0);
+ host->pwr = 0;
+ host->clock = 0;
++ host->reinit_uhs = true;
+ mmc->ops->set_ios(mmc, &mmc->ios);
+ } else {
+ sdhci_init(host, (mmc->pm_flags & MMC_PM_KEEP_POWER));
+@@ -3773,6 +3819,7 @@ int sdhci_runtime_resume_host(struct sdh
+ /* Force clock and power re-program */
+ host->pwr = 0;
+ host->clock = 0;
++ host->reinit_uhs = true;
+ mmc->ops->start_signal_voltage_switch(mmc, &mmc->ios);
+ mmc->ops->set_ios(mmc, &mmc->ios);
+
+--- a/drivers/mmc/host/sdhci.h
++++ b/drivers/mmc/host/sdhci.h
+@@ -523,6 +523,8 @@ struct sdhci_host {
+
+ unsigned int clock; /* Current clock (MHz) */
+ u8 pwr; /* Current voltage */
++ u8 drv_type; /* Current UHS-I driver type */
++ bool reinit_uhs; /* Force UHS-related re-initialization */
+
+ bool runtime_suspended; /* Host is runtime suspended */
+ bool bus_on; /* Bus power prevents runtime suspend */
--- /dev/null
+From dd30dcfa7a74a06f8dcdab260d8d5adf32f17333 Mon Sep 17 00:00:00 2001
+From: Wenchao Chen <wenchao.chen@unisoc.com>
+Date: Wed, 30 Nov 2022 20:13:28 +0800
+Subject: mmc: sdhci-sprd: Fix no reset data and command after voltage switch
+
+From: Wenchao Chen <wenchao.chen@unisoc.com>
+
+commit dd30dcfa7a74a06f8dcdab260d8d5adf32f17333 upstream.
+
+After switching the voltage, no reset data and command will cause
+CMD2 timeout.
+
+Fixes: 29ca763fc26f ("mmc: sdhci-sprd: Add pin control support for voltage switch")
+Signed-off-by: Wenchao Chen <wenchao.chen@unisoc.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20221130121328.25553-1-wenchao.chen@unisoc.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-sprd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-sprd.c
++++ b/drivers/mmc/host/sdhci-sprd.c
+@@ -457,7 +457,7 @@ static int sdhci_sprd_voltage_switch(str
+ }
+
+ if (IS_ERR(sprd_host->pinctrl))
+- return 0;
++ goto reset;
+
+ switch (ios->signal_voltage) {
+ case MMC_SIGNAL_VOLTAGE_180:
+@@ -485,6 +485,8 @@ static int sdhci_sprd_voltage_switch(str
+
+ /* Wait for 300 ~ 500 us for pin state stable */
+ usleep_range(300, 500);
++
++reset:
+ sdhci_reset(host, SDHCI_RESET_CMD | SDHCI_RESET_DATA);
+
+ return 0;
--- /dev/null
+From cc3d2b5fc0d6f8ad8a52da5ea679e5c2ec2adbd4 Mon Sep 17 00:00:00 2001
+From: "Goh, Wei Sheng" <wei.sheng.goh@intel.com>
+Date: Wed, 23 Nov 2022 18:51:10 +0800
+Subject: net: stmmac: Set MAC's flow control register to reflect current settings
+
+From: Goh, Wei Sheng <wei.sheng.goh@intel.com>
+
+commit cc3d2b5fc0d6f8ad8a52da5ea679e5c2ec2adbd4 upstream.
+
+Currently, pause frame register GMAC_RX_FLOW_CTRL_RFE is not updated
+correctly when 'ethtool -A <IFACE> autoneg off rx off tx off' command
+is issued. This fix ensures the flow control change is reflected directly
+in the GMAC_RX_FLOW_CTRL_RFE register.
+
+Fixes: 46f69ded988d ("net: stmmac: Use resolved link config in mac_link_up()")
+Cc: <stable@vger.kernel.org> # 5.10.x
+Signed-off-by: Goh, Wei Sheng <wei.sheng.goh@intel.com>
+Signed-off-by: Noor Azura Ahmad Tarmizi <noor.azura.ahmad.tarmizi@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 2 ++
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 12 ++++++++++--
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -745,6 +745,8 @@ static void dwmac4_flow_ctrl(struct mac_
+ if (fc & FLOW_RX) {
+ pr_debug("\tReceive Flow-Control ON\n");
+ flow |= GMAC_RX_FLOW_CTRL_RFE;
++ } else {
++ pr_debug("\tReceive Flow-Control OFF\n");
+ }
+ writel(flow, ioaddr + GMAC_RX_FLOW_CTRL);
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -1158,8 +1158,16 @@ static void stmmac_mac_link_up(struct ph
+ ctrl |= priv->hw->link.duplex;
+
+ /* Flow Control operation */
+- if (tx_pause && rx_pause)
+- stmmac_mac_flow_ctrl(priv, duplex);
++ if (rx_pause && tx_pause)
++ priv->flow_ctrl = FLOW_AUTO;
++ else if (rx_pause && !tx_pause)
++ priv->flow_ctrl = FLOW_RX;
++ else if (!rx_pause && tx_pause)
++ priv->flow_ctrl = FLOW_TX;
++ else
++ priv->flow_ctrl = FLOW_OFF;
++
++ stmmac_mac_flow_ctrl(priv, duplex);
+
+ if (ctrl != old_ctrl)
+ writel(ctrl, priv->ioaddr + MAC_CTRL_REG);
--- /dev/null
+From f0a0ccda18d6fd826d7c7e7ad48a6ed61c20f8b4 Mon Sep 17 00:00:00 2001
+From: ZhangPeng <zhangpeng362@huawei.com>
+Date: Sat, 19 Nov 2022 21:05:42 +0900
+Subject: nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()
+
+From: ZhangPeng <zhangpeng362@huawei.com>
+
+commit f0a0ccda18d6fd826d7c7e7ad48a6ed61c20f8b4 upstream.
+
+Syzbot reported a null-ptr-deref bug:
+
+ NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP
+ frequency < 30 seconds
+ general protection fault, probably for non-canonical address
+ 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
+ KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+ CPU: 1 PID: 3603 Comm: segctord Not tainted
+ 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
+ Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google
+ 10/11/2022
+ RIP: 0010:nilfs_palloc_commit_free_entry+0xe5/0x6b0
+ fs/nilfs2/alloc.c:608
+ Code: 00 00 00 00 fc ff df 80 3c 02 00 0f 85 cd 05 00 00 48 b8 00 00 00
+ 00 00 fc ff df 4c 8b 73 08 49 8d 7e 10 48 89 fa 48 c1 ea 03 <80> 3c 02
+ 00 0f 85 26 05 00 00 49 8b 46 10 be a6 00 00 00 48 c7 c7
+ RSP: 0018:ffffc90003dff830 EFLAGS: 00010212
+ RAX: dffffc0000000000 RBX: ffff88802594e218 RCX: 000000000000000d
+ RDX: 0000000000000002 RSI: 0000000000002000 RDI: 0000000000000010
+ RBP: ffff888071880222 R08: 0000000000000005 R09: 000000000000003f
+ R10: 000000000000000d R11: 0000000000000000 R12: ffff888071880158
+ R13: ffff88802594e220 R14: 0000000000000000 R15: 0000000000000004
+ FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000)
+ knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fb1c08316a8 CR3: 0000000018560000 CR4: 0000000000350ee0
+ Call Trace:
+ <TASK>
+ nilfs_dat_commit_free fs/nilfs2/dat.c:114 [inline]
+ nilfs_dat_commit_end+0x464/0x5f0 fs/nilfs2/dat.c:193
+ nilfs_dat_commit_update+0x26/0x40 fs/nilfs2/dat.c:236
+ nilfs_btree_commit_update_v+0x87/0x4a0 fs/nilfs2/btree.c:1940
+ nilfs_btree_commit_propagate_v fs/nilfs2/btree.c:2016 [inline]
+ nilfs_btree_propagate_v fs/nilfs2/btree.c:2046 [inline]
+ nilfs_btree_propagate+0xa00/0xd60 fs/nilfs2/btree.c:2088
+ nilfs_bmap_propagate+0x73/0x170 fs/nilfs2/bmap.c:337
+ nilfs_collect_file_data+0x45/0xd0 fs/nilfs2/segment.c:568
+ nilfs_segctor_apply_buffers+0x14a/0x470 fs/nilfs2/segment.c:1018
+ nilfs_segctor_scan_file+0x3f4/0x6f0 fs/nilfs2/segment.c:1067
+ nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1197 [inline]
+ nilfs_segctor_collect fs/nilfs2/segment.c:1503 [inline]
+ nilfs_segctor_do_construct+0x12fc/0x6af0 fs/nilfs2/segment.c:2045
+ nilfs_segctor_construct+0x8e3/0xb30 fs/nilfs2/segment.c:2379
+ nilfs_segctor_thread_construct fs/nilfs2/segment.c:2487 [inline]
+ nilfs_segctor_thread+0x3c3/0xf30 fs/nilfs2/segment.c:2570
+ kthread+0x2e4/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
+ </TASK>
+ ...
+
+If DAT metadata file is corrupted on disk, there is a case where
+req->pr_desc_bh is NULL and blocknr is 0 at nilfs_dat_commit_end() during
+a b-tree operation that cascadingly updates ancestor nodes of the b-tree,
+because nilfs_dat_commit_alloc() for a lower level block can initialize
+the blocknr on the same DAT entry between nilfs_dat_prepare_end() and
+nilfs_dat_commit_end().
+
+If this happens, nilfs_dat_commit_end() calls nilfs_dat_commit_free()
+without valid buffer heads in req->pr_desc_bh and req->pr_bitmap_bh, and
+causes the NULL pointer dereference above in
+nilfs_palloc_commit_free_entry() function, which leads to a crash.
+
+Fix this by adding a NULL check on req->pr_desc_bh and req->pr_bitmap_bh
+before nilfs_palloc_commit_free_entry() in nilfs_dat_commit_free().
+
+This also calls nilfs_error() in that case to notify that there is a fatal
+flaw in the filesystem metadata and prevent further operations.
+
+Link: https://lkml.kernel.org/r/00000000000097c20205ebaea3d6@google.com
+Link: https://lkml.kernel.org/r/20221114040441.1649940-1-zhangpeng362@huawei.com
+Link: https://lkml.kernel.org/r/20221119120542.17204-1-konishi.ryusuke@gmail.com
+Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+ebe05ee8e98f755f61d0@syzkaller.appspotmail.com
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/dat.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/nilfs2/dat.c
++++ b/fs/nilfs2/dat.c
+@@ -111,6 +111,13 @@ static void nilfs_dat_commit_free(struct
+ kunmap_atomic(kaddr);
+
+ nilfs_dat_commit_entry(dat, req);
++
++ if (unlikely(req->pr_desc_bh == NULL || req->pr_bitmap_bh == NULL)) {
++ nilfs_error(dat->i_sb,
++ "state inconsistency probably due to duplicate use of vblocknr = %llu",
++ (unsigned long long)req->pr_entry_nr);
++ return;
++ }
+ nilfs_palloc_commit_free_entry(dat, req);
+ }
+
--- /dev/null
+From 6989ea4881c8944fbf04378418bb1af63d875ef8 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Fri, 25 Nov 2022 00:29:26 +0200
+Subject: pinctrl: intel: Save and restore pins in "direct IRQ" mode
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 6989ea4881c8944fbf04378418bb1af63d875ef8 upstream.
+
+The firmware on some systems may configure GPIO pins to be
+an interrupt source in so called "direct IRQ" mode. In such
+cases the GPIO controller driver has no idea if those pins
+are being used or not. At the same time, there is a known bug
+in the firmwares that don't restore the pin settings correctly
+after suspend, i.e. by an unknown reason the Rx value becomes
+inverted.
+
+Hence, let's save and restore the pins that are configured
+as GPIOs in the input mode with GPIROUTIOXAPIC bit set.
+
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: Dale Smith <dalepsmith@gmail.com>
+Reported-and-tested-by: John Harris <jmharris@gmail.com>
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214749
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Link: https://lore.kernel.org/r/20221124222926.72326-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/intel/pinctrl-intel.c | 27 ++++++++++++++++++++++++++-
+ 1 file changed, 26 insertions(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/intel/pinctrl-intel.c
++++ b/drivers/pinctrl/intel/pinctrl-intel.c
+@@ -436,9 +436,14 @@ static void __intel_gpio_set_direction(v
+ writel(value, padcfg0);
+ }
+
++static int __intel_gpio_get_gpio_mode(u32 value)
++{
++ return (value & PADCFG0_PMODE_MASK) >> PADCFG0_PMODE_SHIFT;
++}
++
+ static int intel_gpio_get_gpio_mode(void __iomem *padcfg0)
+ {
+- return (readl(padcfg0) & PADCFG0_PMODE_MASK) >> PADCFG0_PMODE_SHIFT;
++ return __intel_gpio_get_gpio_mode(readl(padcfg0));
+ }
+
+ static void intel_gpio_set_gpio_mode(void __iomem *padcfg0)
+@@ -1659,6 +1664,7 @@ EXPORT_SYMBOL_GPL(intel_pinctrl_get_soc_
+ static bool intel_pinctrl_should_save(struct intel_pinctrl *pctrl, unsigned int pin)
+ {
+ const struct pin_desc *pd = pin_desc_get(pctrl->pctldev, pin);
++ u32 value;
+
+ if (!pd || !intel_pad_usable(pctrl, pin))
+ return false;
+@@ -1673,6 +1679,25 @@ static bool intel_pinctrl_should_save(st
+ gpiochip_line_is_irq(&pctrl->chip, intel_pin_to_gpio(pctrl, pin)))
+ return true;
+
++ /*
++ * The firmware on some systems may configure GPIO pins to be
++ * an interrupt source in so called "direct IRQ" mode. In such
++ * cases the GPIO controller driver has no idea if those pins
++ * are being used or not. At the same time, there is a known bug
++ * in the firmwares that don't restore the pin settings correctly
++ * after suspend, i.e. by an unknown reason the Rx value becomes
++ * inverted.
++ *
++ * Hence, let's save and restore the pins that are configured
++ * as GPIOs in the input mode with GPIROUTIOXAPIC bit set.
++ *
++ * See https://bugzilla.kernel.org/show_bug.cgi?id=214749.
++ */
++ value = readl(intel_get_padcfg(pctrl, pin, PADCFG0));
++ if ((value & PADCFG0_GPIROUTIOXAPIC) && (value & PADCFG0_GPIOTXDIS) &&
++ (__intel_gpio_get_gpio_mode(value) == PADCFG0_PMODE_GPIO))
++ return true;
++
+ return false;
+ }
+
--- /dev/null
+From 6fdd5d2f8c2f54b7fad4ff4df2a19542aeaf6102 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20T=C3=B6pel?= <bjorn@rivosinc.com>
+Date: Tue, 15 Nov 2022 10:06:40 +0100
+Subject: riscv: mm: Proper page permissions after initmem free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Björn Töpel <bjorn@rivosinc.com>
+
+commit 6fdd5d2f8c2f54b7fad4ff4df2a19542aeaf6102 upstream.
+
+64-bit RISC-V kernels have the kernel image mapped separately to alias
+the linear map. The linear map and the kernel image map are documented
+as "direct mapping" and "kernel" respectively in [1].
+
+At image load time, the linear map corresponding to the kernel image
+is set to PAGE_READ permission, and the kernel image map is set to
+PAGE_READ|PAGE_EXEC.
+
+When the initmem is freed, the pages in the linear map should be
+restored to PAGE_READ|PAGE_WRITE, whereas the corresponding pages in
+the kernel image map should be restored to PAGE_READ, by removing the
+PAGE_EXEC permission.
+
+This is not the case. For 64-bit kernels, only the linear map is
+restored to its proper page permissions at initmem free, and not the
+kernel image map.
+
+In practise this results in that the kernel can potentially jump to
+dead __init code, and start executing invalid instructions, without
+getting an exception.
+
+Restore the freed initmem properly, by setting both the kernel image
+map to the correct permissions.
+
+[1] Documentation/riscv/vm-layout.rst
+
+Fixes: e5c35fa04019 ("riscv: Map the kernel with correct permissions the first time")
+Signed-off-by: Björn Töpel <bjorn@rivosinc.com>
+Reviewed-by: Alexandre Ghiti <alex@ghiti.fr>
+Tested-by: Alexandre Ghiti <alex@ghiti.fr>
+Link: https://lore.kernel.org/r/20221115090641.258476-1-bjorn@kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/setup.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/arch/riscv/kernel/setup.c
++++ b/arch/riscv/kernel/setup.c
+@@ -331,10 +331,11 @@ subsys_initcall(topology_init);
+
+ void free_initmem(void)
+ {
+- if (IS_ENABLED(CONFIG_STRICT_KERNEL_RWX))
+- set_kernel_memory(lm_alias(__init_begin), lm_alias(__init_end),
+- IS_ENABLED(CONFIG_64BIT) ?
+- set_memory_rw : set_memory_rw_nx);
++ if (IS_ENABLED(CONFIG_STRICT_KERNEL_RWX)) {
++ set_kernel_memory(lm_alias(__init_begin), lm_alias(__init_end), set_memory_rw_nx);
++ if (IS_ENABLED(CONFIG_64BIT))
++ set_kernel_memory(__init_begin, __init_end, set_memory_nx);
++ }
+
+ free_initmem_default(POISON_FREE_INITMEM);
+ }
--- /dev/null
+From 74f6bb55c834da6d4bac24f44868202743189b2b Mon Sep 17 00:00:00 2001
+From: Jisheng Zhang <jszhang@kernel.org>
+Date: Thu, 3 Nov 2022 01:02:54 +0800
+Subject: riscv: vdso: fix section overlapping under some conditions
+
+From: Jisheng Zhang <jszhang@kernel.org>
+
+commit 74f6bb55c834da6d4bac24f44868202743189b2b upstream.
+
+lkp reported a build error, I tried the config and can reproduce
+build error as below:
+
+ VDSOLD arch/riscv/kernel/vdso/vdso.so.dbg
+ld.lld: error: section .note file range overlaps with .text
+>>> .note range is [0x7C8, 0x803]
+>>> .text range is [0x800, 0x1993]
+
+ld.lld: error: section .text file range overlaps with .dynamic
+>>> .text range is [0x800, 0x1993]
+>>> .dynamic range is [0x808, 0x937]
+
+ld.lld: error: section .note virtual address range overlaps with .text
+>>> .note range is [0x7C8, 0x803]
+>>> .text range is [0x800, 0x1993]
+
+Fix it by setting DISABLE_BRANCH_PROFILING which will disable branch
+tracing for vdso, thus avoid useless _ftrace_annotated_branch section
+and _ftrace_branch section. Although we can also fix it by removing
+the hardcoded .text begin address, but I think that's another story
+and should be put into another patch.
+
+Link: https://lore.kernel.org/lkml/202210122123.Cc4FPShJ-lkp@intel.com/#r
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
+Link: https://lore.kernel.org/r/20221102170254.1925-1-jszhang@kernel.org
+Fixes: ad5d1122b82f ("riscv: use vDSO common flow to reduce the latency of the time-related functions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/vdso/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/riscv/kernel/vdso/Makefile
++++ b/arch/riscv/kernel/vdso/Makefile
+@@ -17,6 +17,7 @@ vdso-syms += flush_icache
+ obj-vdso = $(patsubst %, %.o, $(vdso-syms)) note.o
+
+ ccflags-y := -fno-stack-protector
++ccflags-y += -DDISABLE_BRANCH_PROFILING
+
+ ifneq ($(c-gettimeofday-y),)
+ CFLAGS_vgettimeofday.o += -fPIC -include $(c-gettimeofday-y)
net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch
hwmon-coretemp-check-for-null-before-removing-sysfs-.patch
hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch
+riscv-vdso-fix-section-overlapping-under-some-conditions.patch
+riscv-mm-proper-page-permissions-after-initmem-free.patch
+alsa-dice-fix-regression-for-lexicon-i-onix-fw810s.patch
+error-injection-add-prompt-for-function-error-injection.patch
+tools-vm-slabinfo-gnuplot-use-grep-e-instead-of-egrep.patch
+nilfs2-fix-null-pointer-dereference-in-nilfs_palloc_commit_free_entry.patch
+x86-bugs-make-sure-msr_spec_ctrl-is-updated-properly-upon-resume-from-s3.patch
+pinctrl-intel-save-and-restore-pins-in-direct-irq-mode.patch
+v4l2-don-t-fall-back-to-follow_pfn-if-pin_user_pages_fast-fails.patch
+net-stmmac-set-mac-s-flow-control-register-to-reflect-current-settings.patch
+mmc-mmc_test-fix-removal-of-debugfs-file.patch
+mmc-mtk-sd-fix-missing-clk_disable_unprepare-in-msdc_of_clock_parse.patch
+mmc-core-fix-ambiguous-trim-and-discard-arg.patch
+mmc-sdhci-esdhc-imx-correct-cqhci-exit-halt-state-check.patch
+mmc-sdhci-sprd-fix-no-reset-data-and-command-after-voltage-switch.patch
+mmc-sdhci-fix-voltage-switch-delay.patch
+drm-amdgpu-temporarily-disable-broken-clang-builds-due-to-blown-stack-frame.patch
+drm-amdgpu-enable-vangogh-vcn-indirect-sram-mode.patch
--- /dev/null
+From a435874bf626f55d7147026b059008c8de89fbb8 Mon Sep 17 00:00:00 2001
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+Date: Sat, 19 Nov 2022 10:36:59 +0800
+Subject: tools/vm/slabinfo-gnuplot: use "grep -E" instead of "egrep"
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+commit a435874bf626f55d7147026b059008c8de89fbb8 upstream.
+
+The latest version of grep claims the egrep is now obsolete so the build
+now contains warnings that look like:
+
+ egrep: warning: egrep is obsolescent; using grep -E
+
+fix this up by moving the related file to use "grep -E" instead.
+
+ sed -i "s/egrep/grep -E/g" `grep egrep -rwl tools/vm`
+
+Here are the steps to install the latest grep:
+
+ wget http://ftp.gnu.org/gnu/grep/grep-3.8.tar.gz
+ tar xf grep-3.8.tar.gz
+ cd grep-3.8 && ./configure && make
+ sudo make install
+ export PATH=/usr/local/bin:$PATH
+
+Link: https://lkml.kernel.org/r/1668825419-30584-1-git-send-email-yangtiezhu@loongson.cn
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/vm/slabinfo-gnuplot.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/vm/slabinfo-gnuplot.sh
++++ b/tools/vm/slabinfo-gnuplot.sh
+@@ -150,7 +150,7 @@ do_preprocess()
+ let lines=3
+ out=`basename "$in"`"-slabs-by-loss"
+ `cat "$in" | grep -A "$lines" 'Slabs sorted by loss' |\
+- egrep -iv '\-\-|Name|Slabs'\
++ grep -E -iv '\-\-|Name|Slabs'\
+ | awk '{print $1" "$4+$2*$3" "$4}' > "$out"`
+ if [ $? -eq 0 ]; then
+ do_slabs_plotting "$out"
+@@ -159,7 +159,7 @@ do_preprocess()
+ let lines=3
+ out=`basename "$in"`"-slabs-by-size"
+ `cat "$in" | grep -A "$lines" 'Slabs sorted by size' |\
+- egrep -iv '\-\-|Name|Slabs'\
++ grep -E -iv '\-\-|Name|Slabs'\
+ | awk '{print $1" "$4" "$4-$2*$3}' > "$out"`
+ if [ $? -eq 0 ]; then
+ do_slabs_plotting "$out"
--- /dev/null
+From 6647e76ab623b2b3fb2efe03a86e9c9046c52c33 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 30 Nov 2022 16:10:52 -0800
+Subject: v4l2: don't fall back to follow_pfn() if pin_user_pages_fast() fails
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 6647e76ab623b2b3fb2efe03a86e9c9046c52c33 upstream.
+
+The V4L2_MEMORY_USERPTR interface is long deprecated and shouldn't be
+used (and is discouraged for any modern v4l drivers). And Seth Jenkins
+points out that the fallback to VM_PFNMAP/VM_IO is fundamentally racy
+and dangerous.
+
+Note that it's not even a case that should trigger, since any normal
+user pointer logic ends up just using the pin_user_pages_fast() call
+that does the proper page reference counting. That's not the problem
+case, only if you try to use special device mappings do you have any
+issues.
+
+Normally I'd just remove this during the merge window, but since Seth
+pointed out the problem cases, we really want to know as soon as
+possible if there are actually any users of this odd special case of a
+legacy interface. Neither Hans nor Mauro seem to think that such
+mis-uses of the old legacy interface should exist. As Mauro says:
+
+ "See, V4L2 has actually 4 streaming APIs:
+ - Kernel-allocated mmap (usually referred simply as just mmap);
+ - USERPTR mmap;
+ - read();
+ - dmabuf;
+
+ The USERPTR is one of the oldest way to use it, coming from V4L
+ version 1 times, and by far the least used one"
+
+And Hans chimed in on the USERPTR interface:
+
+ "To be honest, I wouldn't mind if it goes away completely, but that's a
+ bit of a pipe dream right now"
+
+but while removing this legacy interface entirely may be a pipe dream we
+can at least try to remove the unlikely (and actively broken) case of
+using special device mappings for USERPTR accesses.
+
+This replaces it with a WARN_ONCE() that we can remove once we've
+hopefully confirmed that no actual users exist.
+
+NOTE! Longer term, this means that a 'struct frame_vector' only ever
+contains proper page pointers, and all the games we have with converting
+them to pages can go away (grep for 'frame_vector_to_pages()' and the
+uses of 'vec->is_pfns'). But this is just the first step, to verify
+that this code really is all dead, and do so as quickly as possible.
+
+Reported-by: Seth Jenkins <sethjenkins@google.com>
+Acked-by: Hans Verkuil <hverkuil@xs4all.nl>
+Acked-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Jan Kara <jack@suse.cz>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/common/videobuf2/frame_vector.c | 55 +++++---------------------
+ 1 file changed, 12 insertions(+), 43 deletions(-)
+
+--- a/drivers/media/common/videobuf2/frame_vector.c
++++ b/drivers/media/common/videobuf2/frame_vector.c
+@@ -35,10 +35,7 @@
+ int get_vaddr_frames(unsigned long start, unsigned int nr_frames,
+ struct frame_vector *vec)
+ {
+- struct mm_struct *mm = current->mm;
+- struct vm_area_struct *vma;
+- int ret = 0;
+- int err;
++ int ret;
+
+ if (nr_frames == 0)
+ return 0;
+@@ -51,45 +48,17 @@ int get_vaddr_frames(unsigned long start
+ ret = pin_user_pages_fast(start, nr_frames,
+ FOLL_FORCE | FOLL_WRITE | FOLL_LONGTERM,
+ (struct page **)(vec->ptrs));
+- if (ret > 0) {
+- vec->got_ref = true;
+- vec->is_pfns = false;
+- goto out_unlocked;
+- }
+-
+- mmap_read_lock(mm);
+- vec->got_ref = false;
+- vec->is_pfns = true;
+- ret = 0;
+- do {
+- unsigned long *nums = frame_vector_pfns(vec);
+-
+- vma = vma_lookup(mm, start);
+- if (!vma)
+- break;
+-
+- while (ret < nr_frames && start + PAGE_SIZE <= vma->vm_end) {
+- err = follow_pfn(vma, start, &nums[ret]);
+- if (err) {
+- if (ret == 0)
+- ret = err;
+- goto out;
+- }
+- start += PAGE_SIZE;
+- ret++;
+- }
+- /* Bail out if VMA doesn't completely cover the tail page. */
+- if (start < vma->vm_end)
+- break;
+- } while (ret < nr_frames);
+-out:
+- mmap_read_unlock(mm);
+-out_unlocked:
+- if (!ret)
+- ret = -EFAULT;
+- if (ret > 0)
+- vec->nr_frames = ret;
+- return ret;
++ vec->got_ref = true;
++ vec->is_pfns = false;
++ vec->nr_frames = ret;
++
++ if (likely(ret > 0))
++ return ret;
++
++ /* This used to (racily) return non-refcounted pfns. Let people know */
++ WARN_ONCE(1, "get_vaddr_frames() cannot follow VM_IO mapping");
++ vec->nr_frames = 0;
++ return ret ? ret : -EFAULT;
+ }
+ EXPORT_SYMBOL(get_vaddr_frames);
+
--- /dev/null
+From 66065157420c5b9b3f078f43d313c153e1ff7f83 Mon Sep 17 00:00:00 2001
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Date: Wed, 30 Nov 2022 07:25:51 -0800
+Subject: x86/bugs: Make sure MSR_SPEC_CTRL is updated properly upon resume from S3
+
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+
+commit 66065157420c5b9b3f078f43d313c153e1ff7f83 upstream.
+
+The "force" argument to write_spec_ctrl_current() is currently ambiguous
+as it does not guarantee the MSR write. This is due to the optimization
+that writes to the MSR happen only when the new value differs from the
+cached value.
+
+This is fine in most cases, but breaks for S3 resume when the cached MSR
+value gets out of sync with the hardware MSR value due to S3 resetting
+it.
+
+When x86_spec_ctrl_current is same as x86_spec_ctrl_base, the MSR write
+is skipped. Which results in SPEC_CTRL mitigations not getting restored.
+
+Move the MSR write from write_spec_ctrl_current() to a new function that
+unconditionally writes to the MSR. Update the callers accordingly and
+rename functions.
+
+ [ bp: Rework a bit. ]
+
+Fixes: caa0ff24d5d0 ("x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value")
+Suggested-by: Borislav Petkov <bp@alien8.de>
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: <stable@kernel.org>
+Link: https://lore.kernel.org/r/806d39b0bfec2fe8f50dc5446dff20f5bb24a959.1669821572.git.pawan.kumar.gupta@linux.intel.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/nospec-branch.h | 2 +-
+ arch/x86/kernel/cpu/bugs.c | 21 ++++++++++++++-------
+ arch/x86/kernel/process.c | 2 +-
+ 3 files changed, 16 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -310,7 +310,7 @@ static inline void indirect_branch_predi
+ /* The Intel SPEC CTRL MSR base value cache */
+ extern u64 x86_spec_ctrl_base;
+ DECLARE_PER_CPU(u64, x86_spec_ctrl_current);
+-extern void write_spec_ctrl_current(u64 val, bool force);
++extern void update_spec_ctrl_cond(u64 val);
+ extern u64 spec_ctrl_current(void);
+
+ /*
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -60,11 +60,18 @@ EXPORT_SYMBOL_GPL(x86_spec_ctrl_current)
+
+ static DEFINE_MUTEX(spec_ctrl_mutex);
+
++/* Update SPEC_CTRL MSR and its cached copy unconditionally */
++static void update_spec_ctrl(u64 val)
++{
++ this_cpu_write(x86_spec_ctrl_current, val);
++ wrmsrl(MSR_IA32_SPEC_CTRL, val);
++}
++
+ /*
+ * Keep track of the SPEC_CTRL MSR value for the current task, which may differ
+ * from x86_spec_ctrl_base due to STIBP/SSB in __speculation_ctrl_update().
+ */
+-void write_spec_ctrl_current(u64 val, bool force)
++void update_spec_ctrl_cond(u64 val)
+ {
+ if (this_cpu_read(x86_spec_ctrl_current) == val)
+ return;
+@@ -75,7 +82,7 @@ void write_spec_ctrl_current(u64 val, bo
+ * When KERNEL_IBRS this MSR is written on return-to-user, unless
+ * forced the update can be delayed until that time.
+ */
+- if (force || !cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS))
++ if (!cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS))
+ wrmsrl(MSR_IA32_SPEC_CTRL, val);
+ }
+
+@@ -1328,7 +1335,7 @@ static void __init spec_ctrl_disable_ker
+
+ if (ia32_cap & ARCH_CAP_RRSBA) {
+ x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S;
+- write_spec_ctrl_current(x86_spec_ctrl_base, true);
++ update_spec_ctrl(x86_spec_ctrl_base);
+ }
+ }
+
+@@ -1450,7 +1457,7 @@ static void __init spectre_v2_select_mit
+
+ if (spectre_v2_in_ibrs_mode(mode)) {
+ x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
+- write_spec_ctrl_current(x86_spec_ctrl_base, true);
++ update_spec_ctrl(x86_spec_ctrl_base);
+ }
+
+ switch (mode) {
+@@ -1564,7 +1571,7 @@ static void __init spectre_v2_select_mit
+ static void update_stibp_msr(void * __unused)
+ {
+ u64 val = spec_ctrl_current() | (x86_spec_ctrl_base & SPEC_CTRL_STIBP);
+- write_spec_ctrl_current(val, true);
++ update_spec_ctrl(val);
+ }
+
+ /* Update x86_spec_ctrl_base in case SMT state changed. */
+@@ -1797,7 +1804,7 @@ static enum ssb_mitigation __init __ssb_
+ x86_amd_ssb_disable();
+ } else {
+ x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
+- write_spec_ctrl_current(x86_spec_ctrl_base, true);
++ update_spec_ctrl(x86_spec_ctrl_base);
+ }
+ }
+
+@@ -2048,7 +2055,7 @@ int arch_prctl_spec_ctrl_get(struct task
+ void x86_spec_ctrl_setup_ap(void)
+ {
+ if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
+- write_spec_ctrl_current(x86_spec_ctrl_base, true);
++ update_spec_ctrl(x86_spec_ctrl_base);
+
+ if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
+ x86_amd_ssb_disable();
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -584,7 +584,7 @@ static __always_inline void __speculatio
+ }
+
+ if (updmsr)
+- write_spec_ctrl_current(msr, false);
++ update_spec_ctrl_cond(msr);
+ }
+
+ static unsigned long speculation_ctrl_update_tif(struct task_struct *tsk)
projects / thirdparty / kernel / stable-queue.git / commitdiff
