From: Greg Kroah-Hartman
Date: Mon, 12 Aug 2024 10:27:13 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v6.1.105~83
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=544e496b22f7c4e652bd441f27c3b853cb06cf9f;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
scsi-mpi3mr-avoid-iommu-page-faults-on-report-zones.patch
scsi-ufs-core-fix-hba-last_dme_cmd_tstamp-timestamp-updating-logic.patch
tick-broadcast-move-per-cpu-pointer-access-into-the-atomic-section.patch
usb-gadget-core-check-for-unset-descriptor.patch
usb-gadget-u_audio-check-return-codes-from-usb_ep_enable-and-config_ep_by_speed.patch
usb-gadget-u_serial-set-start_delayed-during-suspend.patch
vhost-vdpa-switch-to-use-vmf_insert_pfn-in-the-fault-handler.patch
---
diff --git a/queue-6.1/scsi-mpi3mr-avoid-iommu-page-faults-on-report-zones.patch b/queue-6.1/scsi-mpi3mr-avoid-iommu-page-faults-on-report-zones.patch
new file mode 100644
index 00000000000..8c881c4f769
--- /dev/null
+++ b/queue-6.1/scsi-mpi3mr-avoid-iommu-page-faults-on-report-zones.patch
@@ -0,0 +1,66 @@ +From 1abc900ddda8ad2ef739fedf498d415655b6c3b8 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Fri, 19 Jul 2024 16:39:11 +0900 +Subject: scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES + +From: Damien Le Moal + +commit 1abc900ddda8ad2ef739fedf498d415655b6c3b8 upstream. + +Some firmware versions of the 9600 series SAS HBA byte-swap the REPORT +ZONES command reply buffer from ATA-ZAC devices by directly accessing the +buffer in the host memory. This does not respect the default command DMA +direction and causes IOMMU page faults on architectures with an IOMMU +enforcing write-only mappings for DMA_FROM_DEVICE DMA direction (e.g. AMD +hosts), leading to the device capacity to be dropped to 0: + +scsi 18:0:58:0: Direct-Access-ZBC ATA WDC WSH722626AL W930 PQ: 0 ANSI: 7 +scsi 18:0:58:0: Power-on or device reset occurred +sd 18:0:58:0: Attached scsi generic sg9 type 20 +sd 18:0:58:0: [sdj] Host-managed zoned block device +mpi3mr 0000:c1:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0001 address=0xfec0c400 flags=0x0050] +mpi3mr 0000:c1:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0001 address=0xfec0c500 flags=0x0050] +sd 18:0:58:0: [sdj] REPORT ZONES start lba 0 failed +sd 18:0:58:0: [sdj] REPORT ZONES: Result: hostbyte=DID_SOFT_ERROR driverbyte=DRIVER_OK +sd 18:0:58:0: [sdj] 0 4096-byte logical blocks: (0 B/0 B) +sd 18:0:58:0: [sdj] Write Protect is off +sd 18:0:58:0: [sdj] Mode Sense: 6b 00 10 08 +sd 18:0:58:0: [sdj] Write cache: enabled, read cache: enabled, supports DPO and FUA +sd 18:0:58:0: [sdj] Attached SCSI disk + +Avoid this issue by always mapping the buffer of REPORT ZONES commands +using DMA_BIDIRECTIONAL, that is, using a read-write IOMMU mapping. 
+ +Suggested-by: Christoph Hellwig +Fixes: 023ab2a9b4ed ("scsi: mpi3mr: Add support for queue command processing") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20240719073913.179559-2-dlemoal@kernel.org +Reviewed-by: Christoph Hellwig +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpi3mr/mpi3mr_os.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/scsi/mpi3mr/mpi3mr_os.c ++++ b/drivers/scsi/mpi3mr/mpi3mr_os.c +@@ -3389,6 +3389,17 @@ static int mpi3mr_prepare_sg_scmd(struct + scmd->sc_data_direction); + priv->meta_sg_valid = 1; /* To unmap meta sg DMA */ + } else { ++ /* ++ * Some firmware versions byte-swap the REPORT ZONES command ++ * reply from ATA-ZAC devices by directly accessing in the host ++ * buffer. This does not respect the default command DMA ++ * direction and causes IOMMU page faults on some architectures ++ * with an IOMMU enforcing write mappings (e.g. AMD hosts). ++ * Avoid such issue by making the REPORT ZONES buffer mapping ++ * bi-directional. ++ */ ++ if (scmd->cmnd[0] == ZBC_IN && scmd->cmnd[1] == ZI_REPORT_ZONES) ++ scmd->sc_data_direction = DMA_BIDIRECTIONAL; + sg_scmd = scsi_sglist(scmd); + sges_left = scsi_dma_map(scmd); + } diff --git a/queue-6.1/scsi-ufs-core-fix-hba-last_dme_cmd_tstamp-timestamp-updating-logic.patch b/queue-6.1/scsi-ufs-core-fix-hba-last_dme_cmd_tstamp-timestamp-updating-logic.patch new file mode 100644 index 00000000000..45aee88a0cd --- /dev/null +++ b/queue-6.1/scsi-ufs-core-fix-hba-last_dme_cmd_tstamp-timestamp-updating-logic.patch 
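Review bot: The new test in the `else` branch of mpi3mr_prepare_sg_scmd() switches every REPORT ZONES command to `DMA_BIDIRECTIONAL`, not only those sent to ATA-ZAC devices behind the affected firmware, and the added comment does not say so. A bidirectional mapping also lets the HBA read the reply buffer, which is a deliberate relaxation of what the IOMMU would otherwise enforce for `DMA_FROM_DEVICE`. I would state both facts in the comment, for example by ending it with `* This is applied to all REPORT ZONES commands and gives the HBA read access to the reply buffer.`, and correct "enforcing write mappings" to "enforcing write-only mappings" to match the commit message. The function starts and ends outside the hunk.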
@@ -0,0 +1,54 @@ +From ab9fd06cb8f0db0854291833fc40c789e43a361f Mon Sep 17 00:00:00 2001 +From: Vamshi Gajjela +Date: Wed, 24 Jul 2024 19:21:26 +0530 +Subject: scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic + +From: Vamshi Gajjela + +commit ab9fd06cb8f0db0854291833fc40c789e43a361f upstream. + +The ufshcd_add_delay_before_dme_cmd() always introduces a delay of +MIN_DELAY_BEFORE_DME_CMDS_US between DME commands even when it's not +required. The delay is added when the UFS host controller supplies the +quirk UFSHCD_QUIRK_DELAY_BEFORE_DME_CMDS. + +Fix the logic to update hba->last_dme_cmd_tstamp to ensure subsequent DME +commands have the correct delay in the range of 0 to +MIN_DELAY_BEFORE_DME_CMDS_US. + +Update the timestamp at the end of the function to ensure it captures the +latest time after any necessary delay has been applied. + +Signed-off-by: Vamshi Gajjela +Link: https://lore.kernel.org/r/20240724135126.1786126-1-vamshigajjela@google.com +Fixes: cad2e03d8607 ("ufs: add support to allow non standard behaviours (quirks)") +Cc: stable@vger.kernel.org +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -3909,11 +3909,16 @@ static inline void ufshcd_add_delay_befo + min_sleep_time_us = + MIN_DELAY_BEFORE_DME_CMDS_US - delta; + else +- return; /* no more delay required */ ++ min_sleep_time_us = 0; /* no more delay required */ + } + +- /* allow sleep for extra 50us if needed */ +- usleep_range(min_sleep_time_us, min_sleep_time_us + 50); ++ if (min_sleep_time_us > 0) { ++ /* allow sleep for extra 50us if needed */ ++ usleep_range(min_sleep_time_us, min_sleep_time_us + 50); ++ } ++ ++ /* update the last_dme_cmd_tstamp */ ++ hba->last_dme_cmd_tstamp = ktime_get(); + } + + /** 
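Review bot: The comment `/* update the last_dme_cmd_tstamp */` at the end of ufshcd_add_delay_before_dme_cmd() repeats the assignment below it and leaves out the reason the store was placed there. The commit message gives that reason, so the comment could carry it: `/* Record the time after any sleep so the next DME command measures its gap from here. */`. It would also help to say that the timestamp is now refreshed on every call that reaches this point, including calls that did not sleep. The start of the function is outside the hunk, so whether an earlier return skips this update cannot be seen here.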
diff --git a/queue-6.1/series b/queue-6.1/series index d6b7f54f195..c19eb663ac3 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -92,3 +92,10 @@ alsa-hda-realtek-add-framework-laptop-13-intel-core-ultra-to-quirks.patch alsa-hda-hdmi-yet-more-pin-fix-for-hp-elitedesk-800-g4.patch usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch usb-serial-debug-do-not-echo-input-by-default.patch +usb-gadget-core-check-for-unset-descriptor.patch +usb-gadget-u_serial-set-start_delayed-during-suspend.patch +usb-gadget-u_audio-check-return-codes-from-usb_ep_enable-and-config_ep_by_speed.patch +scsi-mpi3mr-avoid-iommu-page-faults-on-report-zones.patch +scsi-ufs-core-fix-hba-last_dme_cmd_tstamp-timestamp-updating-logic.patch +tick-broadcast-move-per-cpu-pointer-access-into-the-atomic-section.patch +vhost-vdpa-switch-to-use-vmf_insert_pfn-in-the-fault-handler.patch diff --git a/queue-6.1/tick-broadcast-move-per-cpu-pointer-access-into-the-atomic-section.patch b/queue-6.1/tick-broadcast-move-per-cpu-pointer-access-into-the-atomic-section.patch new file mode 100644 index 00000000000..7292739f34d --- /dev/null +++ b/queue-6.1/tick-broadcast-move-per-cpu-pointer-access-into-the-atomic-section.patch 
@@ -0,0 +1,52 @@ +From 6881e75237a84093d0986f56223db3724619f26e Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Wed, 31 Jul 2024 12:23:51 +0200 +Subject: tick/broadcast: Move per CPU pointer access into the atomic section + +From: Thomas Gleixner + +commit 6881e75237a84093d0986f56223db3724619f26e upstream. + +The recent fix for making the take over of the broadcast timer more +reliable retrieves a per CPU pointer in preemptible context. + +This went unnoticed as compilers hoist the access into the non-preemptible +region where the pointer is actually used. But of course it's valid that +the compiler keeps it at the place where the code puts it which rightfully +triggers: + + BUG: using smp_processor_id() in preemptible [00000000] code: + caller is hotplug_cpu__broadcast_tick_pull+0x1c/0xc0 + +Move it to the actual usage site which is in a non-preemptible region. + +Fixes: f7d43dd206e7 ("tick/broadcast: Make takeover of broadcast hrtimer reliable") +Reported-by: David Wang <00107082@163.com> +Signed-off-by: Thomas Gleixner +Tested-by: Yu Liao +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/87ttg56ers.ffs@tglx +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/tick-broadcast.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/time/tick-broadcast.c ++++ b/kernel/time/tick-broadcast.c +@@ -1137,7 +1137,6 @@ void tick_broadcast_switch_to_oneshot(vo + #ifdef CONFIG_HOTPLUG_CPU + void hotplug_cpu__broadcast_tick_pull(int deadcpu) + { +- struct tick_device *td = this_cpu_ptr(&tick_cpu_device); + struct clock_event_device *bc; + unsigned long flags; + +@@ -1163,6 +1162,8 @@ void hotplug_cpu__broadcast_tick_pull(in + * device to avoid the starvation. + */ + if (tick_check_broadcast_expired()) { ++ struct tick_device *td = this_cpu_ptr(&tick_cpu_device); ++ + cpumask_clear_cpu(smp_processor_id(), tick_broadcast_force_mask); + tick_program_event(td->evtdev->next_event, 1); + } 
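Review bot: Nothing at the new declaration inside `if (tick_check_broadcast_expired())` says why `td` has to be fetched there, so a later cleanup could hoist it back to the top of hotplug_cpu__broadcast_tick_pull() and reintroduce the "using smp_processor_id() in preemptible" report quoted in the commit message. A one-line comment above it would prevent that: `/* this_cpu_ptr() is only valid here, inside the non-preemptible section */`. The locking that makes this region non-preemptible is outside the hunk; only `unsigned long flags` hints at it.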
diff --git a/queue-6.1/usb-gadget-core-check-for-unset-descriptor.patch b/queue-6.1/usb-gadget-core-check-for-unset-descriptor.patch new file mode 100644 index 00000000000..e3d44379d52 --- /dev/null +++ b/queue-6.1/usb-gadget-core-check-for-unset-descriptor.patch @@ -0,0 +1,47 @@ +From 973a57891608a98e894db2887f278777f564de18 Mon Sep 17 00:00:00 2001 +From: Chris Wulff +Date: Wed, 24 Jul 2024 21:04:20 -0400 +Subject: usb: gadget: core: Check for unset descriptor + +From: Chris Wulff + +commit 973a57891608a98e894db2887f278777f564de18 upstream. + +Make sure the descriptor has been set before looking at maxpacket. +This fixes a null pointer panic in this case. + +This may happen if the gadget doesn't properly set up the endpoint +for the current speed, or the gadget descriptors are malformed and +the descriptor for the speed/endpoint are not found. + +No current gadget driver is known to have this problem, but this +may cause a hard-to-find bug during development of new gadgets. + +Fixes: 54f83b8c8ea9 ("USB: gadget: Reject endpoints with 0 maxpacket value") +Cc: stable@vger.kernel.org +Signed-off-by: Chris Wulff +Link: https://lore.kernel.org/r/20240725010419.314430-2-crwulff@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/core.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/usb/gadget/udc/core.c ++++ b/drivers/usb/gadget/udc/core.c +@@ -118,12 +118,10 @@ int usb_ep_enable(struct usb_ep *ep) + goto out; + + /* UDC drivers can't handle endpoints with maxpacket size 0 */ +- if (usb_endpoint_maxp(ep->desc) == 0) { +- /* +- * We should log an error message here, but we can't call +- * dev_err() because there's no way to find the gadget +- * given only ep. +- */ ++ if (!ep->desc || usb_endpoint_maxp(ep->desc) == 0) { ++ WARN_ONCE(1, "%s: ep%d (%s) has %s\n", __func__, ep->address, ep->name, ++ (!ep->desc) ? "NULL descriptor" : "maxpacket 0"); ++ + ret = -EINVAL; + goto out; + } 
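Review bot: The rejected-endpoint branch in usb_ep_enable() now reports through `WARN_ONCE(1, ...)`, and on a system running with panic_on_warn a WARN is fatal, so the NULL-descriptor case the patch is meant to survive would still take such a host down. The commit message says the condition can follow from malformed gadget descriptors; if those can be supplied from user space (not visible in this hunk), a plain once-only message is the safer report: `pr_err_once("%s: ep%d (%s) has %s\n", __func__, ep->address, ep->name, !ep->desc ? "NULL descriptor" : "maxpacket 0");`. The `-EINVAL` return stays as it is. usb_ep_enable() starts and ends outside the hunk.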
diff --git a/queue-6.1/usb-gadget-u_audio-check-return-codes-from-usb_ep_enable-and-config_ep_by_speed.patch b/queue-6.1/usb-gadget-u_audio-check-return-codes-from-usb_ep_enable-and-config_ep_by_speed.patch
new file mode 100644
index 00000000000..e1854db362d
--- /dev/null
+++ b/queue-6.1/usb-gadget-u_audio-check-return-codes-from-usb_ep_enable-and-config_ep_by_speed.patch
@@ -0,0 +1,107 @@ +From 76a7bfc445b8e9893c091e24ccfd4f51dfdc0a70 Mon Sep 17 00:00:00 2001 +From: Chris Wulff +Date: Sun, 21 Jul 2024 15:23:15 -0400 +Subject: usb: gadget: u_audio: Check return codes from usb_ep_enable and config_ep_by_speed. + +From: Chris Wulff + +commit 76a7bfc445b8e9893c091e24ccfd4f51dfdc0a70 upstream. + +These functions can fail if descriptors are malformed, or missing, +for the selected USB speed. + +Fixes: eb9fecb9e69b ("usb: gadget: f_uac2: split out audio core") +Fixes: 24f779dac8f3 ("usb: gadget: f_uac2/u_audio: add feedback endpoint support") +Cc: stable@vger.kernel.org +Signed-off-by: Chris Wulff +Link: https://lore.kernel.org/r/20240721192314.3532697-2-crwulff@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/u_audio.c | 42 +++++++++++++++++++++++++++------- + 1 file changed, 34 insertions(+), 8 deletions(-) + +--- a/drivers/usb/gadget/function/u_audio.c ++++ b/drivers/usb/gadget/function/u_audio.c +@@ -592,16 +592,25 @@ int u_audio_start_capture(struct g_audio + struct usb_ep *ep, *ep_fback; + struct uac_rtd_params *prm; + struct uac_params *params = &audio_dev->params; +- int req_len, i; ++ int req_len, i, ret; + + prm = &uac->c_prm; + dev_dbg(dev, "start capture with rate %d\n", prm->srate); + ep = audio_dev->out_ep; +- config_ep_by_speed(gadget, &audio_dev->func, ep); ++ ret = config_ep_by_speed(gadget, &audio_dev->func, ep); ++ if (ret < 0) { ++ dev_err(dev, "config_ep_by_speed for out_ep failed (%d)\n", ret); ++ return ret; ++ } ++ + req_len = ep->maxpacket; + + prm->ep_enabled = true; +- usb_ep_enable(ep); ++ ret = usb_ep_enable(ep); ++ if (ret < 0) { ++ dev_err(dev, "usb_ep_enable failed for out_ep (%d)\n", ret); ++ return ret; ++ } + + for (i = 0; i < params->req_number; i++) { + if (!prm->reqs[i]) { +@@ -629,9 +638,18 @@ int u_audio_start_capture(struct g_audio + return 0; + + /* Setup feedback endpoint */ +- config_ep_by_speed(gadget, &audio_dev->func, ep_fback); ++ ret = 
config_ep_by_speed(gadget, &audio_dev->func, ep_fback); ++ if (ret < 0) { ++ dev_err(dev, "config_ep_by_speed in_ep_fback failed (%d)\n", ret); ++ return ret; // TODO: Clean up out_ep ++ } ++ + prm->fb_ep_enabled = true; +- usb_ep_enable(ep_fback); ++ ret = usb_ep_enable(ep_fback); ++ if (ret < 0) { ++ dev_err(dev, "usb_ep_enable failed for in_ep_fback (%d)\n", ret); ++ return ret; // TODO: Clean up out_ep ++ } + req_len = ep_fback->maxpacket; + + req_fback = usb_ep_alloc_request(ep_fback, GFP_ATOMIC); +@@ -687,13 +705,17 @@ int u_audio_start_playback(struct g_audi + struct uac_params *params = &audio_dev->params; + unsigned int factor; + const struct usb_endpoint_descriptor *ep_desc; +- int req_len, i; ++ int req_len, i, ret; + unsigned int p_pktsize; + + prm = &uac->p_prm; + dev_dbg(dev, "start playback with rate %d\n", prm->srate); + ep = audio_dev->in_ep; +- config_ep_by_speed(gadget, &audio_dev->func, ep); ++ ret = config_ep_by_speed(gadget, &audio_dev->func, ep); ++ if (ret < 0) { ++ dev_err(dev, "config_ep_by_speed for in_ep failed (%d)\n", ret); ++ return ret; ++ } + + ep_desc = ep->desc; + /* +@@ -720,7 +742,11 @@ int u_audio_start_playback(struct g_audi + uac->p_residue_mil = 0; + + prm->ep_enabled = true; +- usb_ep_enable(ep); ++ ret = usb_ep_enable(ep); ++ if (ret < 0) { ++ dev_err(dev, "usb_ep_enable failed for in_ep (%d)\n", ret); ++ return ret; ++ } + + for (i = 0; i < params->req_number; i++) { + if (!prm->reqs[i]) { diff --git a/queue-6.1/usb-gadget-u_serial-set-start_delayed-during-suspend.patch b/queue-6.1/usb-gadget-u_serial-set-start_delayed-during-suspend.patch new file mode 100644 index 00000000000..dcfba9f6ea0 --- /dev/null +++ b/queue-6.1/usb-gadget-u_serial-set-start_delayed-during-suspend.patch 
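Review bot: In u_audio_start_capture() and u_audio_start_playback() the flag is still set before the call it describes (`prm->ep_enabled = true;` ahead of `usb_ep_enable(ep)`, `prm->fb_ep_enabled = true;` ahead of `usb_ep_enable(ep_fback)`), so each new `return ret;` leaves the flag true for an endpoint that was never enabled. Whatever teardown code later trusts these flags (it is outside the hunks) would then act on a disabled endpoint; either move each assignment below its `if (ret < 0)` block or add `prm->ep_enabled = false;` / `prm->fb_ep_enabled = false;` before the return. The two `// TODO: Clean up out_ep` returns in the feedback path also exit with out_ep enabled and, judging by the request loop visible above them, with requests already set up. That unwind should be written rather than deferred, and until it is the comment should say what state the caller is left in.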
@@ -0,0 +1,36 @@ +From 5a444bea37e2759549ef72bfe83d1c8712e76b3d Mon Sep 17 00:00:00 2001 +From: Prashanth K +Date: Tue, 30 Jul 2024 18:27:54 +0530 +Subject: usb: gadget: u_serial: Set start_delayed during suspend + +From: Prashanth K + +commit 5a444bea37e2759549ef72bfe83d1c8712e76b3d upstream. + +Upstream commit aba3a8d01d62 ("usb: gadget: u_serial: add suspend +resume callbacks") added started_delayed flag, so that new ports +which are opened after USB suspend can start IO while resuming. +But if the port was already opened, and gadget suspend kicks in +afterwards, start_delayed will never be set. This causes resume +to bail out before calling gs_start_io(). Fix this by setting +start_delayed during suspend. + +Fixes: aba3a8d01d62 ("usb: gadget: u_serial: add suspend resume callbacks") +Cc: stable@vger.kernel.org +Signed-off-by: Prashanth K +Link: https://lore.kernel.org/r/20240730125754.576326-1-quic_prashk@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/u_serial.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/gadget/function/u_serial.c ++++ b/drivers/usb/gadget/function/u_serial.c +@@ -1436,6 +1436,7 @@ void gserial_suspend(struct gserial *gse + spin_lock(&port->port_lock); + spin_unlock(&serial_port_lock); + port->suspended = true; ++ port->start_delayed = true; + spin_unlock_irqrestore(&port->port_lock, flags); + } + EXPORT_SYMBOL_GPL(gserial_suspend); diff --git a/queue-6.1/vhost-vdpa-switch-to-use-vmf_insert_pfn-in-the-fault-handler.patch b/queue-6.1/vhost-vdpa-switch-to-use-vmf_insert_pfn-in-the-fault-handler.patch new file mode 100644 index 00000000000..ad900029f0a --- /dev/null +++ b/queue-6.1/vhost-vdpa-switch-to-use-vmf_insert_pfn-in-the-fault-handler.patch 
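Review bot: `port->start_delayed = true;` in gserial_suspend() is set for every port that is suspended, with no test of whether the port was open or had I/O running. The commit message says resume calls gs_start_io() when this flag is set, so a port that was never opened would now have I/O started on resume; the resume path is outside the hunk, so please confirm that it is safe in that state. If it is not, set the flag only for an open port, and in either case add a comment such as `/* let resume restart I/O for ports opened before suspend */`.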
@@ -0,0 +1,45 @@ +From 0823dc64586ba5ea13a7d200a5d33e4c5fa45950 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Mon, 1 Jul 2024 11:31:59 +0800 +Subject: vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler + +From: Jason Wang + +commit 0823dc64586ba5ea13a7d200a5d33e4c5fa45950 upstream. + +remap_pfn_page() should not be called in the fault handler as it may +change the vma->flags which may trigger lockdep warning since the vma +write lock is not held. Actually there's no need to modify the +vma->flags as it has been set in the mmap(). So this patch switches to +use vmf_insert_pfn() instead. + +Reported-by: Dragos Tatulea +Tested-by: Dragos Tatulea +Fixes: ddd89d0a059d ("vhost_vdpa: support doorbell mapping via mmap") +Cc: stable@vger.kernel.org +Signed-off-by: Jason Wang +Message-Id: <20240701033159.18133-1-jasowang@redhat.com> +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Michal Kubiak +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vdpa.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/drivers/vhost/vdpa.c ++++ b/drivers/vhost/vdpa.c +@@ -1294,13 +1294,7 @@ static vm_fault_t vhost_vdpa_fault(struc + + notify = ops->get_vq_notification(vdpa, index); + +- vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); +- if (remap_pfn_range(vma, vmf->address & PAGE_MASK, +- PFN_DOWN(notify.addr), PAGE_SIZE, +- vma->vm_page_prot)) +- return VM_FAULT_SIGBUS; +- +- return VM_FAULT_NOPAGE; ++ return vmf_insert_pfn(vma, vmf->address & PAGE_MASK, PFN_DOWN(notify.addr)); + } + + static const struct vm_operations_struct vhost_vdpa_vm_ops = {
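Review bot: With the `pgprot_noncached()` line gone, the single `return vmf_insert_pfn(...)` in vhost_vdpa_fault() depends entirely on state prepared elsewhere: the mapping is non-cached only if the mmap handler set `vma->vm_page_prot`, and vmf_insert_pfn() expects a PFN-mapped VMA. The commit message says mmap() sets this up, but that code is outside the hunk and nothing here records the dependency. A comment above the return would do: `/* vm_page_prot (non-cached) and the PFNMAP flags are set in the mmap handler */`. It is also worth confirming that `notify.addr` is validated for page alignment before this point, since `PFN_DOWN()` rounds silently and the page is exposed to user space.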