--- /dev/null
+From bb6cc253861bd5a7cf8439e2118659696df9619f Mon Sep 17 00:00:00 2001
+From: Markus Weippert <markus@gekmihesg.de>
+Date: Fri, 24 Nov 2023 16:14:37 +0100
+Subject: bcache: revert replacing IS_ERR_OR_NULL with IS_ERR
+
+From: Markus Weippert <markus@gekmihesg.de>
+
+commit bb6cc253861bd5a7cf8439e2118659696df9619f upstream.
+
+Commit 028ddcac477b ("bcache: Remove unnecessary NULL point check in
+node allocations") replaced IS_ERR_OR_NULL by IS_ERR. This leads to a
+NULL pointer dereference.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000080
+Call Trace:
+ ? __die_body.cold+0x1a/0x1f
+ ? page_fault_oops+0xd2/0x2b0
+ ? exc_page_fault+0x70/0x170
+ ? asm_exc_page_fault+0x22/0x30
+ ? btree_node_free+0xf/0x160 [bcache]
+ ? up_write+0x32/0x60
+ btree_gc_coalesce+0x2aa/0x890 [bcache]
+ ? bch_extent_bad+0x70/0x170 [bcache]
+ btree_gc_recurse+0x130/0x390 [bcache]
+ ? btree_gc_mark_node+0x72/0x230 [bcache]
+ bch_btree_gc+0x5da/0x600 [bcache]
+ ? cpuusage_read+0x10/0x10
+ ? bch_btree_gc+0x600/0x600 [bcache]
+ bch_gc_thread+0x135/0x180 [bcache]
+
+The relevant code starts with:
+
+ new_nodes[0] = NULL;
+
+ for (i = 0; i < nodes; i++) {
+ if (__bch_keylist_realloc(&keylist, bkey_u64s(&r[i].b->key)))
+ goto out_nocoalesce;
+ // ...
+out_nocoalesce:
+ // ...
+ for (i = 0; i < nodes; i++)
+ if (!IS_ERR(new_nodes[i])) { // IS_ERR_OR_NULL before
+028ddcac477b
+ btree_node_free(new_nodes[i]); // new_nodes[0] is NULL
+ rw_unlock(true, new_nodes[i]);
+ }
+
+This patch replaces IS_ERR() by IS_ERR_OR_NULL() to fix this.
+
+Fixes: 028ddcac477b ("bcache: Remove unnecessary NULL point check in node allocations")
+Link: https://lore.kernel.org/all/3DF4A87A-2AC1-4893-AE5F-E921478419A9@suse.de/
+Cc: stable@vger.kernel.org
+Cc: Zheng Wang <zyytlz.wz@163.com>
+Cc: Coly Li <colyli@suse.de>
+Signed-off-by: Markus Weippert <markus@gekmihesg.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/btree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -1489,7 +1489,7 @@ out_nocoalesce:
+ bch_keylist_free(&keylist);
+
+ for (i = 0; i < nodes; i++)
+- if (!IS_ERR(new_nodes[i])) {
++ if (!IS_ERR_OR_NULL(new_nodes[i])) {
+ btree_node_free(new_nodes[i]);
+ rw_unlock(true, new_nodes[i]);
+ }
--- /dev/null
+From 2db313205f8b96eea467691917138d646bb50aef Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Thu, 2 Nov 2023 07:54:50 +1030
+Subject: btrfs: add dmesg output for first mount and last unmount of a filesystem
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 2db313205f8b96eea467691917138d646bb50aef upstream.
+
+There is a feature request to add dmesg output when unmounting a btrfs.
+There are several alternative methods to do the same thing, but with
+their own problems:
+
+- Use eBPF to watch btrfs_put_super()/open_ctree()
+ Not end user friendly, they have to dip their head into the source
+ code.
+
+- Watch for directory /sys/fs/<uuid>/
+ This is way more simple, but still requires some simple device -> uuid
+ lookups. And a script needs to use inotify to watch /sys/fs/.
+
+Compared to all these, directly outputting the information into dmesg
+would be the most simple one, with both device and UUID included.
+
+And since we're here, also add the output when mounting a filesystem for
+the first time for parity. A more fine grained monitoring of subvolume
+mounts should be done by another layer, like audit.
+
+Now mounting a btrfs with all default mkfs options would look like this:
+
+ [81.906566] BTRFS info (device dm-8): first mount of filesystem 633b5c16-afe3-4b79-b195-138fe145e4f2
+ [81.907494] BTRFS info (device dm-8): using crc32c (crc32c-intel) checksum algorithm
+ [81.908258] BTRFS info (device dm-8): using free space tree
+ [81.912644] BTRFS info (device dm-8): auto enabling async discard
+ [81.913277] BTRFS info (device dm-8): checking UUID tree
+ [91.668256] BTRFS info (device dm-8): last unmount of filesystem 633b5c16-afe3-4b79-b195-138fe145e4f2
+
+CC: stable@vger.kernel.org # 5.4+
+Link: https://github.com/kdave/btrfs-progs/issues/689
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ update changelog ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/disk-io.c | 1 +
+ fs/btrfs/super.c | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -3493,6 +3493,7 @@ int __cold open_ctree(struct super_block
+ goto fail_alloc;
+ }
+
++ btrfs_info(fs_info, "first mount of filesystem %pU", disk_super->fsid);
+ /*
+ * Verify the type first, if that or the checksum value are
+ * corrupted, we'll find out
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -391,7 +391,10 @@ void __btrfs_panic(struct btrfs_fs_info
+
+ static void btrfs_put_super(struct super_block *sb)
+ {
+- close_ctree(btrfs_sb(sb));
++ struct btrfs_fs_info *fs_info = btrfs_sb(sb);
++
++ btrfs_info(fs_info, "last unmount of filesystem %pU", fs_info->fs_devices->fsid);
++ close_ctree(fs_info);
+ }
+
+ enum {
--- /dev/null
+From 5de0434bc064606d6b7467ec3e5ad22963a18c04 Mon Sep 17 00:00:00 2001
+From: David Sterba <dsterba@suse.com>
+Date: Tue, 14 Nov 2023 17:44:11 +0100
+Subject: btrfs: fix 64bit compat send ioctl arguments not initializing version member
+
+From: David Sterba <dsterba@suse.com>
+
+commit 5de0434bc064606d6b7467ec3e5ad22963a18c04 upstream.
+
+When the send protocol versioning was added in 5.16 e77fbf990316
+("btrfs: send: prepare for v2 protocol"), the 32/64bit compat code was
+not updated (added by 2351f431f727 ("btrfs: fix send ioctl on 32bit with
+64bit kernel")), missing the version struct member. The compat code is
+probably rarely used, nobody reported any bugs.
+
+Found by tool https://github.com/jirislaby/clang-struct .
+
+Fixes: e77fbf990316 ("btrfs: send: prepare for v2 protocol")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ioctl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -5236,6 +5236,7 @@ static int _btrfs_ioctl_send(struct inod
+ arg->clone_sources = compat_ptr(args32.clone_sources);
+ arg->parent_root = args32.parent_root;
+ arg->flags = args32.flags;
++ arg->version = args32.version;
+ memcpy(arg->reserved, args32.reserved,
+ sizeof(args32.reserved));
+ #else
--- /dev/null
+From 5fba5a571858ce2d787fdaf55814e42725bfa895 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 21 Nov 2023 13:38:32 +0000
+Subject: btrfs: fix off-by-one when checking chunk map includes logical address
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 5fba5a571858ce2d787fdaf55814e42725bfa895 upstream.
+
+At btrfs_get_chunk_map() we get the extent map for the chunk that contains
+the given logical address stored in the 'logical' argument. Then we do
+sanity checks to verify the extent map contains the logical address. One
+of these checks verifies if the extent map covers a range with an end
+offset behind the target logical address - however this check has an
+off-by-one error since it will consider an extent map whose start offset
+plus its length matches the target logical address as inclusive, while
+the fact is that the last byte it covers is behind the target logical
+address (by 1).
+
+So fix this condition by using '<=' rather than '<' when comparing the
+extent map's "start + length" against the target logical address.
+
+CC: stable@vger.kernel.org # 4.14+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -3079,7 +3079,7 @@ struct extent_map *btrfs_get_chunk_map(s
+ return ERR_PTR(-EINVAL);
+ }
+
+- if (em->start > logical || em->start + em->len < logical) {
++ if (em->start > logical || em->start + em->len <= logical) {
+ btrfs_crit(fs_info,
+ "found a bad mapping, wanted %llu-%llu, found %llu-%llu",
+ logical, length, em->start, em->start + em->len);
--- /dev/null
+From 7d410d5efe04e42a6cd959bfe6d59d559fdf8b25 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 21 Nov 2023 13:38:33 +0000
+Subject: btrfs: make error messages more clear when getting a chunk map
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 7d410d5efe04e42a6cd959bfe6d59d559fdf8b25 upstream.
+
+When getting a chunk map, at btrfs_get_chunk_map(), we do some sanity
+checks to verify we found a chunk map and that map found covers the
+logical address the caller passed in. However the messages aren't very
+clear in the sense that don't mention the issue is with a chunk map and
+one of them prints the 'length' argument as if it were the end offset of
+the requested range (while the in the string format we use %llu-%llu
+which suggests a range, and the second %llu-%llu is actually a range for
+the chunk map). So improve these two details in the error messages.
+
+CC: stable@vger.kernel.org # 5.4+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -3074,15 +3074,16 @@ struct extent_map *btrfs_get_chunk_map(s
+ read_unlock(&em_tree->lock);
+
+ if (!em) {
+- btrfs_crit(fs_info, "unable to find logical %llu length %llu",
++ btrfs_crit(fs_info,
++ "unable to find chunk map for logical %llu length %llu",
+ logical, length);
+ return ERR_PTR(-EINVAL);
+ }
+
+ if (em->start > logical || em->start + em->len <= logical) {
+ btrfs_crit(fs_info,
+- "found a bad mapping, wanted %llu-%llu, found %llu-%llu",
+- logical, length, em->start, em->start + em->len);
++ "found a bad chunk map, wanted %llu-%llu, found %llu-%llu",
++ logical, logical + length, em->start, em->start + em->len);
+ free_extent_map(em);
+ return ERR_PTR(-EINVAL);
+ }
--- /dev/null
+From f91192cd68591c6b037da345bc9fcd5e50540358 Mon Sep 17 00:00:00 2001
+From: Bragatheswaran Manickavel <bragathemanick0908@gmail.com>
+Date: Sat, 18 Nov 2023 14:40:12 +0530
+Subject: btrfs: ref-verify: fix memory leaks in btrfs_ref_tree_mod()
+
+From: Bragatheswaran Manickavel <bragathemanick0908@gmail.com>
+
+commit f91192cd68591c6b037da345bc9fcd5e50540358 upstream.
+
+In btrfs_ref_tree_mod(), when !parent 're' was allocated through
+kmalloc(). In the following code, if an error occurs, the execution will
+be redirected to 'out' or 'out_unlock' and the function will be exited.
+However, on some of the paths, 're' are not deallocated and may lead to
+memory leaks.
+
+For example: lookup_block_entry() for 'be' returns NULL, the out label
+will be invoked. During that flow ref and 'ra' are freed but not 're',
+which can potentially lead to a memory leak.
+
+CC: stable@vger.kernel.org # 5.10+
+Reported-and-tested-by: syzbot+d66de4cbf532749df35f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=d66de4cbf532749df35f
+Signed-off-by: Bragatheswaran Manickavel <bragathemanick0908@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ref-verify.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/ref-verify.c
++++ b/fs/btrfs/ref-verify.c
+@@ -788,6 +788,7 @@ int btrfs_ref_tree_mod(struct btrfs_fs_i
+ dump_ref_action(fs_info, ra);
+ kfree(ref);
+ kfree(ra);
++ kfree(re);
+ goto out_unlock;
+ } else if (be->num_refs == 0) {
+ btrfs_err(fs_info,
+@@ -797,6 +798,7 @@ int btrfs_ref_tree_mod(struct btrfs_fs_i
+ dump_ref_action(fs_info, ra);
+ kfree(ref);
+ kfree(ra);
++ kfree(re);
+ goto out_unlock;
+ }
+
--- /dev/null
+From 0ac1d13a55eb37d398b63e6ff6db4a09a2c9128c Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 24 Nov 2023 17:48:31 +0100
+Subject: btrfs: send: ensure send_fd is writable
+
+From: Jann Horn <jannh@google.com>
+
+commit 0ac1d13a55eb37d398b63e6ff6db4a09a2c9128c upstream.
+
+kernel_write() requires the caller to ensure that the file is writable.
+Let's do that directly after looking up the ->send_fd.
+
+We don't need a separate bailout path because the "out" path already
+does fput() if ->send_filp is non-NULL.
+
+This has no security impact for two reasons:
+
+ - the ioctl requires CAP_SYS_ADMIN
+ - __kernel_write() bails out on read-only files - but only since 5.8,
+ see commit a01ac27be472 ("fs: check FMODE_WRITE in __kernel_write")
+
+Reported-and-tested-by: syzbot+12e098239d20385264d3@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=12e098239d20385264d3
+Fixes: 31db9f7c23fb ("Btrfs: introduce BTRFS_IOC_SEND for btrfs send/receive")
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Jann Horn <jannh@google.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/send.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -7885,7 +7885,7 @@ long btrfs_ioctl_send(struct inode *inod
+ }
+
+ sctx->send_filp = fget(arg->send_fd);
+- if (!sctx->send_filp) {
++ if (!sctx->send_filp || !(sctx->send_filp->f_mode & FMODE_WRITE)) {
+ ret = -EBADF;
+ goto out;
+ }
--- /dev/null
+From bb87be267b8ee9b40917fb5bf51be5ddb33c37c2 Mon Sep 17 00:00:00 2001
+From: "Gautham R. Shenoy" <gautham.shenoy@amd.com>
+Date: Mon, 27 Nov 2023 16:41:21 +0530
+Subject: cpufreq/amd-pstate: Fix the return value of amd_pstate_fast_switch()
+
+From: Gautham R. Shenoy <gautham.shenoy@amd.com>
+
+commit bb87be267b8ee9b40917fb5bf51be5ddb33c37c2 upstream.
+
+cpufreq_driver->fast_switch() callback expects a frequency as a return
+value. amd_pstate_fast_switch() was returning the return value of
+amd_pstate_update_freq(), which only indicates a success or failure.
+
+Fix this by making amd_pstate_fast_switch() return the target_freq
+when the call to amd_pstate_update_freq() is successful, and return
+the current frequency from policy->cur when the call to
+amd_pstate_update_freq() is unsuccessful.
+
+Fixes: 4badf2eb1e98 ("cpufreq: amd-pstate: Add ->fast_switch() callback")
+Acked-by: Huang Rui <ray.huang@amd.com>
+Reviewed-by: Wyes Karny <wyes.karny@amd.com>
+Reviewed-by: Perry Yuan <perry.yuan@amd.com>
+Cc: 6.4+ <stable@vger.kernel.org> # v6.4+
+Signed-off-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/amd-pstate.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/cpufreq/amd-pstate.c
++++ b/drivers/cpufreq/amd-pstate.c
+@@ -296,7 +296,9 @@ static int amd_pstate_target(struct cpuf
+ static unsigned int amd_pstate_fast_switch(struct cpufreq_policy *policy,
+ unsigned int target_freq)
+ {
+- return amd_pstate_update_freq(policy, target_freq, true);
++ if (!amd_pstate_update_freq(policy, target_freq, true))
++ return target_freq;
++ return policy->cur;
+ }
+
+ static void amd_pstate_adjust_perf(unsigned int cpu,
--- /dev/null
+From 95ba893c9f4feb836ddce627efd0bb6af6667031 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
+Date: Tue, 14 Nov 2023 13:37:09 +0100
+Subject: dma-buf: fix check in dma_resv_add_fence
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <christian.koenig@amd.com>
+
+commit 95ba893c9f4feb836ddce627efd0bb6af6667031 upstream.
+
+It's valid to add the same fence multiple times to a dma-resv object and
+we shouldn't need one extra slot for each.
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Fixes: a3f7c10a269d5 ("dma-buf/dma-resv: check if the new fence is really later")
+Cc: stable@vger.kernel.org # v5.19+
+Link: https://patchwork.freedesktop.org/patch/msgid/20231115093035.1889-1-christian.koenig@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma-buf/dma-resv.c | 2 +-
+ include/linux/dma-fence.h | 15 +++++++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/dma-buf/dma-resv.c
++++ b/drivers/dma-buf/dma-resv.c
+@@ -296,7 +296,7 @@ void dma_resv_add_fence(struct dma_resv
+
+ dma_resv_list_entry(fobj, i, obj, &old, &old_usage);
+ if ((old->context == fence->context && old_usage >= usage &&
+- dma_fence_is_later(fence, old)) ||
++ dma_fence_is_later_or_same(fence, old)) ||
+ dma_fence_is_signaled(old)) {
+ dma_resv_list_set(fobj, i, fence, usage);
+ dma_fence_put(old);
+--- a/include/linux/dma-fence.h
++++ b/include/linux/dma-fence.h
+@@ -479,6 +479,21 @@ static inline bool dma_fence_is_later(st
+ }
+
+ /**
++ * dma_fence_is_later_or_same - return true if f1 is later or same as f2
++ * @f1: the first fence from the same context
++ * @f2: the second fence from the same context
++ *
++ * Returns true if f1 is chronologically later than f2 or the same fence. Both
++ * fences must be from the same context, since a seqno is not re-used across
++ * contexts.
++ */
++static inline bool dma_fence_is_later_or_same(struct dma_fence *f1,
++ struct dma_fence *f2)
++{
++ return f1 == f2 || dma_fence_is_later(f1, f2);
++}
++
++/**
+ * dma_fence_later - return the chronologically later fence
+ * @f1: the first fence from the same context
+ * @f2: the second fence from the same context
--- /dev/null
+From 85b80fdffa867d75dfb9084a839e7949e29064e8 Mon Sep 17 00:00:00 2001
+From: "Abdul Halim, Mohd Syazwan" <mohd.syazwan.abdul.halim@intel.com>
+Date: Wed, 22 Nov 2023 11:26:06 +0800
+Subject: iommu/vt-d: Add MTL to quirk list to skip TE disabling
+
+From: Abdul Halim, Mohd Syazwan <mohd.syazwan.abdul.halim@intel.com>
+
+commit 85b80fdffa867d75dfb9084a839e7949e29064e8 upstream.
+
+The VT-d spec requires (10.4.4 Global Command Register, TE field) that:
+
+Hardware implementations supporting DMA draining must drain any in-flight
+DMA read/write requests queued within the Root-Complex before switching
+address translation on or off and reflecting the status of the command
+through the TES field in the Global Status register.
+
+Unfortunately, some integrated graphic devices fail to do so after some
+kind of power state transition. As the result, the system might stuck in
+iommu_disable_translation(), waiting for the completion of TE transition.
+
+Add MTL to the quirk list for those devices and skips TE disabling if the
+qurik hits.
+
+Fixes: b1012ca8dc4f ("iommu/vt-d: Skip TE disabling on quirky gfx dedicated iommu")
+Cc: stable@vger.kernel.org
+Signed-off-by: Abdul Halim, Mohd Syazwan <mohd.syazwan.abdul.halim@intel.com>
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/20231116022324.30120-1-baolu.lu@linux.intel.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/intel/iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -4872,7 +4872,7 @@ static void quirk_igfx_skip_te_disable(s
+ ver = (dev->device >> 8) & 0xff;
+ if (ver != 0x45 && ver != 0x46 && ver != 0x4c &&
+ ver != 0x4e && ver != 0x8a && ver != 0x98 &&
+- ver != 0x9a && ver != 0xa7)
++ ver != 0x9a && ver != 0xa7 && ver != 0x7d)
+ return;
+
+ if (risky_device(dev))
--- /dev/null
+From dc158d23b33df9033bcc8e7117e8591dd2f9d125 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Wed, 22 Nov 2023 12:58:11 +1000
+Subject: KVM: PPC: Book3S HV: Fix KVM_RUN clobbering FP/VEC user registers
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit dc158d23b33df9033bcc8e7117e8591dd2f9d125 upstream.
+
+Before running a guest, the host process (e.g., QEMU) FP/VEC registers
+are saved if they were being used, similarly to when the kernel uses FP
+registers. The guest values are then loaded into regs, and the host
+process registers will be restored lazily when it uses FP/VEC.
+
+KVM HV has a bug here: the host process registers do get saved, but the
+user MSR bits remain enabled, which indicates the registers are valid
+for the process. After they are clobbered by running the guest, this
+valid indication causes the host process to take on the FP/VEC register
+values of the guest.
+
+Fixes: 34e119c96b2b ("KVM: PPC: Book3S HV P9: Reduce mtmsrd instructions required to save host SPRs")
+Cc: stable@vger.kernel.org # v5.17+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20231122025811.2973-1-npiggin@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/process.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/kernel/process.c
++++ b/arch/powerpc/kernel/process.c
+@@ -1163,11 +1163,11 @@ void kvmppc_save_user_regs(void)
+
+ usermsr = current->thread.regs->msr;
+
++ /* Caller has enabled FP/VEC/VSX/TM in MSR */
+ if (usermsr & MSR_FP)
+- save_fpu(current);
+-
++ __giveup_fpu(current);
+ if (usermsr & MSR_VEC)
+- save_altivec(current);
++ __giveup_altivec(current);
+
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ if (usermsr & MSR_TM) {
--- /dev/null
+From e5f3e299a2b1e9c3ece24a38adfc089aef307e8a Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Thu, 23 Nov 2023 20:28:27 +0100
+Subject: parisc: Drop the HP-UX ENOSYM and EREMOTERELEASE error codes
+
+From: Helge Deller <deller@gmx.de>
+
+commit e5f3e299a2b1e9c3ece24a38adfc089aef307e8a upstream.
+
+Those return codes are only defined for the parisc architecture and
+are leftovers from when we wanted to be HP-UX compatible.
+
+They are not returned by any Linux kernel syscall but do trigger
+problems with the glibc strerrorname_np() and strerror() functions as
+reported in glibc issue #31080.
+
+There is no need to keep them, so simply remove them.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Reported-by: Bruno Haible <bruno@clisp.org>
+Closes: https://sourceware.org/bugzilla/show_bug.cgi?id=31080
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/uapi/asm/errno.h | 2 --
+ lib/errname.c | 6 ------
+ tools/arch/parisc/include/uapi/asm/errno.h | 2 --
+ 3 files changed, 10 deletions(-)
+
+--- a/arch/parisc/include/uapi/asm/errno.h
++++ b/arch/parisc/include/uapi/asm/errno.h
+@@ -75,7 +75,6 @@
+
+ /* We now return you to your regularly scheduled HPUX. */
+
+-#define ENOSYM 215 /* symbol does not exist in executable */
+ #define ENOTSOCK 216 /* Socket operation on non-socket */
+ #define EDESTADDRREQ 217 /* Destination address required */
+ #define EMSGSIZE 218 /* Message too long */
+@@ -101,7 +100,6 @@
+ #define ETIMEDOUT 238 /* Connection timed out */
+ #define ECONNREFUSED 239 /* Connection refused */
+ #define EREFUSED ECONNREFUSED /* for HP's NFS apparently */
+-#define EREMOTERELEASE 240 /* Remote peer released connection */
+ #define EHOSTDOWN 241 /* Host is down */
+ #define EHOSTUNREACH 242 /* No route to host */
+
+--- a/lib/errname.c
++++ b/lib/errname.c
+@@ -111,9 +111,6 @@ static const char *names_0[] = {
+ E(ENOSPC),
+ E(ENOSR),
+ E(ENOSTR),
+-#ifdef ENOSYM
+- E(ENOSYM),
+-#endif
+ E(ENOSYS),
+ E(ENOTBLK),
+ E(ENOTCONN),
+@@ -144,9 +141,6 @@ static const char *names_0[] = {
+ #endif
+ E(EREMOTE),
+ E(EREMOTEIO),
+-#ifdef EREMOTERELEASE
+- E(EREMOTERELEASE),
+-#endif
+ E(ERESTART),
+ E(ERFKILL),
+ E(EROFS),
+--- a/tools/arch/parisc/include/uapi/asm/errno.h
++++ b/tools/arch/parisc/include/uapi/asm/errno.h
+@@ -75,7 +75,6 @@
+
+ /* We now return you to your regularly scheduled HPUX. */
+
+-#define ENOSYM 215 /* symbol does not exist in executable */
+ #define ENOTSOCK 216 /* Socket operation on non-socket */
+ #define EDESTADDRREQ 217 /* Destination address required */
+ #define EMSGSIZE 218 /* Message too long */
+@@ -101,7 +100,6 @@
+ #define ETIMEDOUT 238 /* Connection timed out */
+ #define ECONNREFUSED 239 /* Connection refused */
+ #define EREFUSED ECONNREFUSED /* for HP's NFS apparently */
+-#define EREMOTERELEASE 240 /* Remote peer released connection */
+ #define EHOSTDOWN 241 /* Host is down */
+ #define EHOSTUNREACH 242 /* No route to host */
+
--- /dev/null
+From c9fcb2b65c2849e8ff3be23fd8828312fb68dc19 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 25 Nov 2023 09:16:02 +0100
+Subject: parisc: Ensure 32-bit alignment on parisc unwind section
+
+From: Helge Deller <deller@gmx.de>
+
+commit c9fcb2b65c2849e8ff3be23fd8828312fb68dc19 upstream.
+
+Make sure the .PARISC.unwind section will be 32-bit aligned.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v6.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/vmlinux.lds.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/parisc/kernel/vmlinux.lds.S
++++ b/arch/parisc/kernel/vmlinux.lds.S
+@@ -131,6 +131,7 @@ SECTIONS
+ RO_DATA(8)
+
+ /* unwind info */
++ . = ALIGN(4);
+ .PARISC.unwind : {
+ __start___unwind = .;
+ *(.PARISC.unwind)
--- /dev/null
+From 33f806da2df68606f77d7b892cd1298ba3d463e8 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Mon, 20 Nov 2023 23:10:20 +0100
+Subject: parisc: Mark altinstructions read-only and 32-bit aligned
+
+From: Helge Deller <deller@gmx.de>
+
+commit 33f806da2df68606f77d7b892cd1298ba3d463e8 upstream.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v6.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/asm/alternative.h | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/arch/parisc/include/asm/alternative.h b/arch/parisc/include/asm/alternative.h
+index 1ed45fd085d3..1eb488f25b83 100644
+--- a/arch/parisc/include/asm/alternative.h
++++ b/arch/parisc/include/asm/alternative.h
+@@ -34,7 +34,8 @@ void apply_alternatives(struct alt_instr *start, struct alt_instr *end,
+
+ /* Alternative SMP implementation. */
+ #define ALTERNATIVE(cond, replacement) "!0:" \
+- ".section .altinstructions, \"aw\" !" \
++ ".section .altinstructions, \"a\" !" \
++ ".align 4 !" \
+ ".word (0b-4-.) !" \
+ ".hword 1, " __stringify(cond) " !" \
+ ".word " __stringify(replacement) " !" \
+@@ -44,7 +45,8 @@ void apply_alternatives(struct alt_instr *start, struct alt_instr *end,
+
+ /* to replace one single instructions by a new instruction */
+ #define ALTERNATIVE(from, to, cond, replacement)\
+- .section .altinstructions, "aw" ! \
++ .section .altinstructions, "a" ! \
++ .align 4 ! \
+ .word (from - .) ! \
+ .hword (to - from)/4, cond ! \
+ .word replacement ! \
+@@ -52,7 +54,8 @@ void apply_alternatives(struct alt_instr *start, struct alt_instr *end,
+
+ /* to replace multiple instructions by new code */
+ #define ALTERNATIVE_CODE(from, num_instructions, cond, new_instr_ptr)\
+- .section .altinstructions, "aw" ! \
++ .section .altinstructions, "a" ! \
++ .align 4 ! \
+ .word (from - .) ! \
+ .hword -num_instructions, cond ! \
+ .word (new_instr_ptr - .) ! \
+--
+2.43.0
+
--- /dev/null
+From e11d4cccd094a7cd4696c8c42e672c76c092dad5 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Mon, 20 Nov 2023 15:37:50 +0100
+Subject: parisc: Mark ex_table entries 32-bit aligned in assembly.h
+
+From: Helge Deller <deller@gmx.de>
+
+commit e11d4cccd094a7cd4696c8c42e672c76c092dad5 upstream.
+
+Add an align statement to tell the linker that all ex_table entries and as
+such the whole ex_table section should be 32-bit aligned in vmlinux and modules.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v6.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/asm/assembly.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/parisc/include/asm/assembly.h b/arch/parisc/include/asm/assembly.h
+index 75677b526b2b..74d17d7e759d 100644
+--- a/arch/parisc/include/asm/assembly.h
++++ b/arch/parisc/include/asm/assembly.h
+@@ -574,6 +574,7 @@
+ */
+ #define ASM_EXCEPTIONTABLE_ENTRY(fault_addr, except_addr) \
+ .section __ex_table,"aw" ! \
++ .align 4 ! \
+ .word (fault_addr - .), (except_addr - .) ! \
+ .previous
+
+--
+2.43.0
+
--- /dev/null
+From a80aeb86542a50aa8521729ea4cc731ee7174f03 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Mon, 20 Nov 2023 15:39:03 +0100
+Subject: parisc: Mark ex_table entries 32-bit aligned in uaccess.h
+
+From: Helge Deller <deller@gmx.de>
+
+commit a80aeb86542a50aa8521729ea4cc731ee7174f03 upstream.
+
+Add an align statement to tell the linker that all ex_table entries and as
+such the whole ex_table section should be 32-bit aligned in vmlinux and modules.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v6.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/asm/uaccess.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/parisc/include/asm/uaccess.h b/arch/parisc/include/asm/uaccess.h
+index 2bf660eabe42..4165079898d9 100644
+--- a/arch/parisc/include/asm/uaccess.h
++++ b/arch/parisc/include/asm/uaccess.h
+@@ -41,6 +41,7 @@ struct exception_table_entry {
+
+ #define ASM_EXCEPTIONTABLE_ENTRY( fault_addr, except_addr )\
+ ".section __ex_table,\"aw\"\n" \
++ ".align 4\n" \
+ ".word (" #fault_addr " - .), (" #except_addr " - .)\n\t" \
+ ".previous\n"
+
+--
+2.43.0
+
--- /dev/null
+From 07eecff8ae78df7f28800484d31337e1f9bfca3a Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Mon, 20 Nov 2023 23:14:39 +0100
+Subject: parisc: Mark jump_table naturally aligned
+
+From: Helge Deller <deller@gmx.de>
+
+commit 07eecff8ae78df7f28800484d31337e1f9bfca3a upstream.
+
+The jump_table stores two 32-bit words and one 32- (on 32-bit kernel)
+or one 64-bit word (on 64-bit kernel).
+Ensure that the last word is always 64-bit aligned on a 64-bit kernel
+by aligning the whole structure on sizeof(long).
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v6.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/asm/jump_label.h | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/arch/parisc/include/asm/jump_label.h b/arch/parisc/include/asm/jump_label.h
+index af2a598bc0f8..94428798b6aa 100644
+--- a/arch/parisc/include/asm/jump_label.h
++++ b/arch/parisc/include/asm/jump_label.h
+@@ -15,10 +15,12 @@ static __always_inline bool arch_static_branch(struct static_key *key, bool bran
+ asm_volatile_goto("1:\n\t"
+ "nop\n\t"
+ ".pushsection __jump_table, \"aw\"\n\t"
++ ".align %1\n\t"
+ ".word 1b - ., %l[l_yes] - .\n\t"
+ __stringify(ASM_ULONG_INSN) " %c0 - .\n\t"
+ ".popsection\n\t"
+- : : "i" (&((char *)key)[branch]) : : l_yes);
++ : : "i" (&((char *)key)[branch]), "i" (sizeof(long))
++ : : l_yes);
+
+ return false;
+ l_yes:
+@@ -30,10 +32,12 @@ static __always_inline bool arch_static_branch_jump(struct static_key *key, bool
+ asm_volatile_goto("1:\n\t"
+ "b,n %l[l_yes]\n\t"
+ ".pushsection __jump_table, \"aw\"\n\t"
++ ".align %1\n\t"
+ ".word 1b - ., %l[l_yes] - .\n\t"
+ __stringify(ASM_ULONG_INSN) " %c0 - .\n\t"
+ ".popsection\n\t"
+- : : "i" (&((char *)key)[branch]) : : l_yes);
++ : : "i" (&((char *)key)[branch]), "i" (sizeof(long))
++ : : l_yes);
+
+ return false;
+ l_yes:
+--
+2.43.0
+
--- /dev/null
+From b28fc0d8739c03e7b6c44914a9d00d4c6dddc0ea Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 25 Nov 2023 09:11:56 +0100
+Subject: parisc: Mark lock_aligned variables 16-byte aligned on SMP
+
+From: Helge Deller <deller@gmx.de>
+
+commit b28fc0d8739c03e7b6c44914a9d00d4c6dddc0ea upstream.
+
+On parisc we need 16-byte alignment for variables which are used for
+locking. Mark the __lock_aligned attribute acordingly so that the
+.data..lock_aligned section will get that alignment in the generated
+object files.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v6.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/asm/ldcw.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/include/asm/ldcw.h
++++ b/arch/parisc/include/asm/ldcw.h
+@@ -56,7 +56,7 @@
+ })
+
+ #ifdef CONFIG_SMP
+-# define __lock_aligned __section(".data..lock_aligned")
++# define __lock_aligned __section(".data..lock_aligned") __aligned(16)
+ #endif
+
+ #endif /* __PARISC_LDCW_H */
--- /dev/null
+From fe76a1349f235969381832c83d703bc911021eb6 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Mon, 20 Nov 2023 23:30:49 +0100
+Subject: parisc: Use natural CPU alignment for bug_table
+
+From: Helge Deller <deller@gmx.de>
+
+commit fe76a1349f235969381832c83d703bc911021eb6 upstream.
+
+Make sure that the __bug_table section gets 32- or 64-bit aligned,
+depending if a 32- or 64-bit kernel is being built.
+Mark it non-writeable and use .blockz instead of the .org assembler
+directive to pad the struct.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v6.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/asm/bug.h | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/arch/parisc/include/asm/bug.h b/arch/parisc/include/asm/bug.h
+index 4b6d60b94124..b9cad0bb4461 100644
+--- a/arch/parisc/include/asm/bug.h
++++ b/arch/parisc/include/asm/bug.h
+@@ -28,13 +28,15 @@
+ do { \
+ asm volatile("\n" \
+ "1:\t" PARISC_BUG_BREAK_ASM "\n" \
+- "\t.pushsection __bug_table,\"aw\"\n" \
++ "\t.pushsection __bug_table,\"a\"\n" \
++ "\t.align %4\n" \
+ "2:\t" ASM_WORD_INSN "1b, %c0\n" \
+- "\t.short %c1, %c2\n" \
+- "\t.org 2b+%c3\n" \
++ "\t.short %1, %2\n" \
++ "\t.blockz %3-2*%4-2*2\n" \
+ "\t.popsection" \
+ : : "i" (__FILE__), "i" (__LINE__), \
+- "i" (0), "i" (sizeof(struct bug_entry)) ); \
++ "i" (0), "i" (sizeof(struct bug_entry)), \
++ "i" (sizeof(long)) ); \
+ unreachable(); \
+ } while(0)
+
+@@ -51,27 +53,31 @@
+ do { \
+ asm volatile("\n" \
+ "1:\t" PARISC_BUG_BREAK_ASM "\n" \
+- "\t.pushsection __bug_table,\"aw\"\n" \
++ "\t.pushsection __bug_table,\"a\"\n" \
++ "\t.align %4\n" \
+ "2:\t" ASM_WORD_INSN "1b, %c0\n" \
+- "\t.short %c1, %c2\n" \
+- "\t.org 2b+%c3\n" \
++ "\t.short %1, %2\n" \
++ "\t.blockz %3-2*%4-2*2\n" \
+ "\t.popsection" \
+ : : "i" (__FILE__), "i" (__LINE__), \
+ "i" (BUGFLAG_WARNING|(flags)), \
+- "i" (sizeof(struct bug_entry)) ); \
++ "i" (sizeof(struct bug_entry)), \
++ "i" (sizeof(long)) ); \
+ } while(0)
+ #else
+ #define __WARN_FLAGS(flags) \
+ do { \
+ asm volatile("\n" \
+ "1:\t" PARISC_BUG_BREAK_ASM "\n" \
+- "\t.pushsection __bug_table,\"aw\"\n" \
++ "\t.pushsection __bug_table,\"a\"\n" \
++ "\t.align %2\n" \
+ "2:\t" ASM_WORD_INSN "1b\n" \
+- "\t.short %c0\n" \
+- "\t.org 2b+%c1\n" \
++ "\t.short %0\n" \
++ "\t.blockz %1-%2-2\n" \
+ "\t.popsection" \
+ : : "i" (BUGFLAG_WARNING|(flags)), \
+- "i" (sizeof(struct bug_entry)) ); \
++ "i" (sizeof(struct bug_entry)), \
++ "i" (sizeof(long)) ); \
+ } while(0)
+ #endif
+
+--
+2.43.0
+
--- /dev/null
+From b817f1488fca548fe50e2654d84a1956a16a1a8a Mon Sep 17 00:00:00 2001
+From: Lukasz Luba <lukasz.luba@arm.com>
+Date: Mon, 27 Nov 2023 09:28:19 +0000
+Subject: powercap: DTPM: Fix unneeded conversions to micro-Watts
+
+From: Lukasz Luba <lukasz.luba@arm.com>
+
+commit b817f1488fca548fe50e2654d84a1956a16a1a8a upstream.
+
+The power values coming from the Energy Model are already in uW.
+
+The PowerCap and DTPM frameworks operate on uW, so all places should
+just use the values from the EM.
+
+Fix the code by removing all of the conversion to uW still present in it.
+
+Fixes: ae6ccaa65038 (PM: EM: convert power field to micro-Watts precision and align drivers)
+Cc: 5.19+ <stable@vger.kernel.org> # v5.19+
+Signed-off-by: Lukasz Luba <lukasz.luba@arm.com>
+[ rjw: Changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/powercap/dtpm_cpu.c | 6 +-----
+ drivers/powercap/dtpm_devfreq.c | 11 +++--------
+ 2 files changed, 4 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/powercap/dtpm_cpu.c b/drivers/powercap/dtpm_cpu.c
+index 2ff7717530bf..8a2f18fa3faf 100644
+--- a/drivers/powercap/dtpm_cpu.c
++++ b/drivers/powercap/dtpm_cpu.c
+@@ -24,7 +24,6 @@
+ #include <linux/of.h>
+ #include <linux/pm_qos.h>
+ #include <linux/slab.h>
+-#include <linux/units.h>
+
+ struct dtpm_cpu {
+ struct dtpm dtpm;
+@@ -104,8 +103,7 @@ static u64 get_pd_power_uw(struct dtpm *dtpm)
+ if (pd->table[i].frequency < freq)
+ continue;
+
+- return scale_pd_power_uw(pd_mask, pd->table[i].power *
+- MICROWATT_PER_MILLIWATT);
++ return scale_pd_power_uw(pd_mask, pd->table[i].power);
+ }
+
+ return 0;
+@@ -122,11 +120,9 @@ static int update_pd_power_uw(struct dtpm *dtpm)
+ nr_cpus = cpumask_weight(&cpus);
+
+ dtpm->power_min = em->table[0].power;
+- dtpm->power_min *= MICROWATT_PER_MILLIWATT;
+ dtpm->power_min *= nr_cpus;
+
+ dtpm->power_max = em->table[em->nr_perf_states - 1].power;
+- dtpm->power_max *= MICROWATT_PER_MILLIWATT;
+ dtpm->power_max *= nr_cpus;
+
+ return 0;
+diff --git a/drivers/powercap/dtpm_devfreq.c b/drivers/powercap/dtpm_devfreq.c
+index 91276761a31d..612c3b59dd5b 100644
+--- a/drivers/powercap/dtpm_devfreq.c
++++ b/drivers/powercap/dtpm_devfreq.c
+@@ -39,10 +39,8 @@ static int update_pd_power_uw(struct dtpm *dtpm)
+ struct em_perf_domain *pd = em_pd_get(dev);
+
+ dtpm->power_min = pd->table[0].power;
+- dtpm->power_min *= MICROWATT_PER_MILLIWATT;
+
+ dtpm->power_max = pd->table[pd->nr_perf_states - 1].power;
+- dtpm->power_max *= MICROWATT_PER_MILLIWATT;
+
+ return 0;
+ }
+@@ -54,13 +52,10 @@ static u64 set_pd_power_limit(struct dtpm *dtpm, u64 power_limit)
+ struct device *dev = devfreq->dev.parent;
+ struct em_perf_domain *pd = em_pd_get(dev);
+ unsigned long freq;
+- u64 power;
+ int i;
+
+ for (i = 0; i < pd->nr_perf_states; i++) {
+-
+- power = pd->table[i].power * MICROWATT_PER_MILLIWATT;
+- if (power > power_limit)
++ if (pd->table[i].power > power_limit)
+ break;
+ }
+
+@@ -68,7 +63,7 @@ static u64 set_pd_power_limit(struct dtpm *dtpm, u64 power_limit)
+
+ dev_pm_qos_update_request(&dtpm_devfreq->qos_req, freq);
+
+- power_limit = pd->table[i - 1].power * MICROWATT_PER_MILLIWATT;
++ power_limit = pd->table[i - 1].power;
+
+ return power_limit;
+ }
+@@ -110,7 +105,7 @@ static u64 get_pd_power_uw(struct dtpm *dtpm)
+ if (pd->table[i].frequency < freq)
+ continue;
+
+- power = pd->table[i].power * MICROWATT_PER_MILLIWATT;
++ power = pd->table[i].power;
+ power *= status.busy_time;
+ power >>= 10;
+
+--
+2.43.0
+
--- /dev/null
+From 5e1d824f9a283cbf90f25241b66d1f69adb3835b Mon Sep 17 00:00:00 2001
+From: Timothy Pearson <tpearson@raptorengineering.com>
+Date: Sun, 19 Nov 2023 09:18:02 -0600
+Subject: powerpc: Don't clobber f0/vs0 during fp|altivec register save
+
+From: Timothy Pearson <tpearson@raptorengineering.com>
+
+commit 5e1d824f9a283cbf90f25241b66d1f69adb3835b upstream.
+
+During floating point and vector save to thread data f0/vs0 are
+clobbered by the FPSCR/VSCR store routine. This has been obvserved to
+lead to userspace register corruption and application data corruption
+with io-uring.
+
+Fix it by restoring f0/vs0 after FPSCR/VSCR store has completed for
+all the FP, altivec, VMX register save paths.
+
+Tested under QEMU in kvm mode, running on a Talos II workstation with
+dual POWER9 DD2.2 CPUs.
+
+Additional detail (mpe):
+
+Typically save_fpu() is called from __giveup_fpu() which saves the FP
+regs and also *turns off FP* in the tasks MSR, meaning the kernel will
+reload the FP regs from the thread struct before letting the task use FP
+again. So in that case save_fpu() is free to clobber f0 because the FP
+regs no longer hold live values for the task.
+
+There is another case though, which is the path via:
+ sys_clone()
+ ...
+ copy_process()
+ dup_task_struct()
+ arch_dup_task_struct()
+ flush_all_to_thread()
+ save_all()
+
+That path saves the FP regs but leaves them live. That's meant as an
+optimisation for a process that's using FP/VSX and then calls fork(),
+leaving the regs live means the parent process doesn't have to take a
+fault after the fork to get its FP regs back. The optimisation was added
+in commit 8792468da5e1 ("powerpc: Add the ability to save FPU without
+giving it up").
+
+That path does clobber f0, but f0 is volatile across function calls,
+and typically programs reach copy_process() from userspace via a syscall
+wrapper function. So in normal usage f0 being clobbered across a
+syscall doesn't cause visible data corruption.
+
+But there is now a new path, because io-uring can call copy_process()
+via create_io_thread() from the signal handling path. That's OK if the
+signal is handled as part of syscall return, but it's not OK if the
+signal is handled due to some other interrupt.
+
+That path is:
+
+interrupt_return_srr_user()
+ interrupt_exit_user_prepare()
+ interrupt_exit_user_prepare_main()
+ do_notify_resume()
+ get_signal()
+ task_work_run()
+ create_worker_cb()
+ create_io_worker()
+ copy_process()
+ dup_task_struct()
+ arch_dup_task_struct()
+ flush_all_to_thread()
+ save_all()
+ if (tsk->thread.regs->msr & MSR_FP)
+ save_fpu()
+ # f0 is clobbered and potentially live in userspace
+
+Note the above discussion applies equally to save_altivec().
+
+Fixes: 8792468da5e1 ("powerpc: Add the ability to save FPU without giving it up")
+Cc: stable@vger.kernel.org # v4.6+
+Closes: https://lore.kernel.org/all/480932026.45576726.1699374859845.JavaMail.zimbra@raptorengineeringinc.com/
+Closes: https://lore.kernel.org/linuxppc-dev/480221078.47953493.1700206777956.JavaMail.zimbra@raptorengineeringinc.com/
+Tested-by: Timothy Pearson <tpearson@raptorengineering.com>
+Tested-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
+[mpe: Reword change log to describe exact path of corruption & other minor tweaks]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/1921539696.48534988.1700407082933.JavaMail.zimbra@raptorengineeringinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/fpu.S | 13 +++++++++++++
+ arch/powerpc/kernel/vector.S | 2 ++
+ 2 files changed, 15 insertions(+)
+
+--- a/arch/powerpc/kernel/fpu.S
++++ b/arch/powerpc/kernel/fpu.S
+@@ -23,6 +23,15 @@
+ #include <asm/feature-fixups.h>
+
+ #ifdef CONFIG_VSX
++#define __REST_1FPVSR(n,c,base) \
++BEGIN_FTR_SECTION \
++ b 2f; \
++END_FTR_SECTION_IFSET(CPU_FTR_VSX); \
++ REST_FPR(n,base); \
++ b 3f; \
++2: REST_VSR(n,c,base); \
++3:
++
+ #define __REST_32FPVSRS(n,c,base) \
+ BEGIN_FTR_SECTION \
+ b 2f; \
+@@ -41,9 +50,11 @@ END_FTR_SECTION_IFSET(CPU_FTR_VSX);
+ 2: SAVE_32VSRS(n,c,base); \
+ 3:
+ #else
++#define __REST_1FPVSR(n,b,base) REST_FPR(n, base)
+ #define __REST_32FPVSRS(n,b,base) REST_32FPRS(n, base)
+ #define __SAVE_32FPVSRS(n,b,base) SAVE_32FPRS(n, base)
+ #endif
++#define REST_1FPVSR(n,c,base) __REST_1FPVSR(n,__REG_##c,__REG_##base)
+ #define REST_32FPVSRS(n,c,base) __REST_32FPVSRS(n,__REG_##c,__REG_##base)
+ #define SAVE_32FPVSRS(n,c,base) __SAVE_32FPVSRS(n,__REG_##c,__REG_##base)
+
+@@ -67,6 +78,7 @@ _GLOBAL(store_fp_state)
+ SAVE_32FPVSRS(0, R4, R3)
+ mffs fr0
+ stfd fr0,FPSTATE_FPSCR(r3)
++ REST_1FPVSR(0, R4, R3)
+ blr
+ EXPORT_SYMBOL(store_fp_state)
+
+@@ -138,4 +150,5 @@ _GLOBAL(save_fpu)
+ 2: SAVE_32FPVSRS(0, R4, R6)
+ mffs fr0
+ stfd fr0,FPSTATE_FPSCR(r6)
++ REST_1FPVSR(0, R4, R6)
+ blr
+--- a/arch/powerpc/kernel/vector.S
++++ b/arch/powerpc/kernel/vector.S
+@@ -32,6 +32,7 @@ _GLOBAL(store_vr_state)
+ mfvscr v0
+ li r4, VRSTATE_VSCR
+ stvx v0, r4, r3
++ lvx v0, 0, r3
+ blr
+ EXPORT_SYMBOL(store_vr_state)
+
+@@ -108,6 +109,7 @@ _GLOBAL(save_altivec)
+ mfvscr v0
+ li r4,VRSTATE_VSCR
+ stvx v0,r4,r7
++ lvx v0,0,r7
+ blr
+
+ #ifdef CONFIG_VSX
dm-verity-initialize-fec-io-before-freeing-it.patch
dm-verity-don-t-perform-fec-for-failed-readahead-io.patch
nvme-check-for-valid-nvme_identify_ns-before-using-it.patch
+powercap-dtpm-fix-unneeded-conversions-to-micro-watts.patch
+cpufreq-amd-pstate-fix-the-return-value-of-amd_pstate_fast_switch.patch
+dma-buf-fix-check-in-dma_resv_add_fence.patch
+bcache-revert-replacing-is_err_or_null-with-is_err.patch
+iommu-vt-d-add-mtl-to-quirk-list-to-skip-te-disabling.patch
+kvm-ppc-book3s-hv-fix-kvm_run-clobbering-fp-vec-user-registers.patch
+powerpc-don-t-clobber-f0-vs0-during-fp-altivec-register-save.patch
+parisc-mark-ex_table-entries-32-bit-aligned-in-assembly.h.patch
+parisc-mark-ex_table-entries-32-bit-aligned-in-uaccess.h.patch
+parisc-use-natural-cpu-alignment-for-bug_table.patch
+parisc-mark-lock_aligned-variables-16-byte-aligned-on-smp.patch
+parisc-drop-the-hp-ux-enosym-and-eremoterelease-error-codes.patch
+parisc-mark-jump_table-naturally-aligned.patch
+parisc-ensure-32-bit-alignment-on-parisc-unwind-section.patch
+parisc-mark-altinstructions-read-only-and-32-bit-aligned.patch
+btrfs-add-dmesg-output-for-first-mount-and-last-unmount-of-a-filesystem.patch
+btrfs-ref-verify-fix-memory-leaks-in-btrfs_ref_tree_mod.patch
+btrfs-fix-off-by-one-when-checking-chunk-map-includes-logical-address.patch
+btrfs-send-ensure-send_fd-is-writable.patch
+btrfs-make-error-messages-more-clear-when-getting-a-chunk-map.patch
+btrfs-fix-64bit-compat-send-ioctl-arguments-not-initializing-version-member.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
