commit 543aff194ab6286af7791c5a138978ee7da4c93f
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Thu Apr 6 12:10:58 2023 +0200

    Linux 6.1.23
    
    Link: https://lore.kernel.org/r/20230403140415.090615502@linuxfoundation.org
    Tested-by: Markus Reichelt <lkt+2023@mareichelt.com>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com>
    Tested-by: Florian Fainelli <f.fainelli@gmail.com>
    Tested-by: Bagas Sanjaya <bagasdotme@gmail.com>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Chris Paterson (CIP) <chris.paterson2@renesas.com>
    Tested-by: Conor Dooley <conor.dooley@microchip.com>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Link: https://lore.kernel.org/r/20230404183150.381314754@linuxfoundation.org
    Tested-by: Florian Fainelli <f.fainelli@gmail.com>
    Tested-by: Ron Economos <re@w6rz.net>
    Tested-by: Bagas Sanjaya <bagasdotme@gmail.com>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Salvatore Bonaccorso <carnil@debian.org>
    Link: https://lore.kernel.org/r/20230405100302.540890806@linuxfoundation.org
    Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com>
    Tested-by: Florian Fainelli <f.fainelli@gmail.com>
    Tested-by: Rudi Heitbaum <rudi@heitbaum.com>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Markus Reichelt <lkt+2023@mareichelt.com>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Tested-by: Kelsey Steele <kelseysteele@linux.microsoft.com>
    Tested-by: Bagas Sanjaya <bagasdotme@gmail.com>
    Tested-by: Allen Pais <apais@linux.microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9c5aa3c8619fe9c1668bcb8eccc63ff9302666e4
Author: Sasha Levin <sashal@kernel.org>
Date:   Wed Apr 5 07:31:15 2023 -0400

    Revert "cpuidle, intel_idle: Fix CPUIDLE_FLAG_IRQ_ENABLE *again*"
    
    This reverts commit 07fc78d8f0c960f7ca241de98bc8c6bfe7d200f3 which was
    upstream commit 6d9c7f51b1d9179bf7c3542267c656a934e8af23.
    
    Lockdep warnings on boot that are not seen with Linus's tree.
    
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit cafb47f5f59bf372f93ebfaab129a0e712137345
Author: Jan Beulich <jbeulich@suse.com>
Date:   Tue Mar 21 09:03:26 2023 +0100

    x86/PVH: avoid 32-bit build warning when obtaining VGA console info
    
    commit aadbd07ff8a75ed342388846da78dfaddb8b106a upstream.
    
    In the commit referenced below I failed to pay attention to this code
    also being buildable as 32-bit. Adjust the type of "ret" - there's no
    real need for it to be wider than 32 bits.
    
    Fixes: 934ef33ee75c ("x86/PVH: obtain VGA console info in Dom0")
    Reported-by: kernel test robot <lkp@intel.com>
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    
    Link: https://lore.kernel.org/r/2d2193ff-670b-0a27-e12d-2c5c4c121c79@suse.com
    Signed-off-by: Juergen Gross <jgross@suse.com>

commit 9f291f2348ed65eef879da461acc732e505b389f
Author: Matthieu Baerts <matthieu.baerts@tessares.net>
Date:   Wed Mar 15 21:25:17 2023 +0100

    hsr: ratelimit only when errors are printed
    
    commit 1b0120e4db0bf2838d1ce741195ce4b7cc100b91 upstream.
    
    Recently, when automatically merging -net and net-next in MPTCP devel
    tree, our CI reported [1] a conflict in hsr, the same as the one
    reported by Stephen in netdev [2].
    
    When looking at the conflict, I noticed it is in fact the v1 [3] that
    has been applied in -net and the v2 [4] in net-next. Maybe the v1 was
    applied by accident.
    
    As mentioned by Jakub Kicinski [5], the new condition makes more sense
    before the net_ratelimit(), not to update net_ratelimit's state which is
    unnecessary if we're not going to print either way.
    
    Here, this modification applies the v2 but in -net.
    
    Link: https://github.com/multipath-tcp/mptcp_net-next/actions/runs/4423171069 [1]
    Link: https://lore.kernel.org/netdev/20230315100914.53fc1760@canb.auug.org.au/ [2]
    Link: https://lore.kernel.org/netdev/20230307133229.127442-1-koverskeid@gmail.com/ [3]
    Link: https://lore.kernel.org/netdev/20230309092302.179586-1-koverskeid@gmail.com/ [4]
    Link: https://lore.kernel.org/netdev/20230308232001.2fb62013@kernel.org/ [5]
    Fixes: 28e8cabe80f3 ("net: hsr: Don't log netdev_err message on unknown prp dst node")
    Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
    Reviewed-by: Steen Hegelund <Steen.Hegelund@microchip.com>
    Link: https://lore.kernel.org/r/20230315-net-20230315-hsr_framereg-ratelimit-v1-1-61d2ef176d11@tessares.net
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d0386bd84e6d81990ef22e10657d5a5d9c209763
Author: Xiaogang Chen <xiaogang.chen@amd.com>
Date:   Thu Mar 9 17:44:55 2023 -0600

    drm/amdkfd: Get prange->offset after svm_range_vram_node_new
    
    commit 8eeddc0d4200762063e1c66b9cc63afa7b24ebf0 upstream.
    
    During miration to vram prange->offset is valid after vram buffer is located,
    either use old one or allocate a new one. Move svm_range_vram_node_new before
    migrate for each vma to get valid prange->offset.
    
    v2: squash in warning fix
    
    Fixes: b4ee9606378b ("drm/amdkfd: Fix BO offset for multi-VMA page migration")
    Signed-off-by: Xiaogang Chen <Xiaogang.Chen@amd.com>
    Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fbfe493874e98970071b15c6753116fba054487f
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Wed Mar 8 16:42:43 2023 +0100

    usb: ucsi: Fix ucsi->connector race
    
    commit 0482c34ec6f8557e06cd0f8e2d0e20e8ede6a22c upstream.
    
    ucsi_init() which runs from a workqueue sets ucsi->connector and
    on an error will clear it again.
    
    ucsi->connector gets dereferenced by ucsi_resume(), this checks for
    ucsi->connector being NULL in case ucsi_init() has not finished yet;
    or in case ucsi_init() has failed.
    
    ucsi_init() setting ucsi->connector and then clearing it again on
    an error creates a race where the check in ucsi_resume() may pass,
    only to have ucsi->connector free-ed underneath it when ucsi_init()
    hits an error.
    
    Fix this race by making ucsi_init() store the connector array in
    a local variable and only assign it to ucsi->connector on success.
    
    Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
    Cc: stable@vger.kernel.org
    Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Link: https://lore.kernel.org/r/20230308154244.722337-3-hdegoede@redhat.com
    Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e5c5cb47a9ebbcfda9ba10df94c5241072ab773b
Author: Andrii Nakryiko <andrii@kernel.org>
Date:   Thu Dec 15 10:36:05 2022 -0800

    libbpf: Fix btf_dump's packed struct determination
    
    [ Upstream commit 4fb877aaa179dcdb1676d55216482febaada457e ]
    
    Fix bug in btf_dump's logic of determining if a given struct type is
    packed or not. The notion of "natural alignment" is not needed and is
    even harmful in this case, so drop it altogether. The biggest difference
    in btf_is_struct_packed() compared to its original implementation is
    that we don't really use btf__align_of() to determine overall alignment
    of a struct type (because it could be 1 for both packed and non-packed
    struct, depending on specifci field definitions), and just use field's
    actual alignment to calculate whether any field is requiring packing or
    struct's size overall necessitates packing.
    
    Add two simple test cases that demonstrate the difference this change
    would make.
    
    Fixes: ea2ce1ba99aa ("libbpf: Fix BTF-to-C converter's padding logic")
    Reported-by: Eduard Zingerman <eddyz87@gmail.com>
    Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: Eduard Zingerman <eddyz87@gmail.com>
    Link: https://lore.kernel.org/bpf/20221215183605.4149488-1-andrii@kernel.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6c8afd54f8e99508148099e17cfec21b9fbadb6a
Author: Andrii Nakryiko <andrii@kernel.org>
Date:   Mon Dec 12 13:15:05 2022 -0800

    selftests/bpf: Add few corner cases to test padding handling of btf_dump
    
    [ Upstream commit b148c8b9b926e257a59c8eb2cd6fa3adfd443254 ]
    
    Add few hand-crafted cases and few randomized cases found using script
    from [0] that tests btf_dump's padding logic.
    
      [0] https://lore.kernel.org/bpf/85f83c333f5355c8ac026f835b18d15060725fcb.camel@ericsson.com/
    
    Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Link: https://lore.kernel.org/bpf/20221212211505.558851-7-andrii@kernel.org
    Stable-dep-of: 4fb877aaa179 ("libbpf: Fix btf_dump's packed struct determination")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 524617e553bc33f881ec3d4d5233fa1bb1e119de
Author: Andrii Nakryiko <andrii@kernel.org>
Date:   Mon Dec 12 13:15:04 2022 -0800

    libbpf: Fix BTF-to-C converter's padding logic
    
    [ Upstream commit ea2ce1ba99aa6a60c8d8a706e3abadf3de372163 ]
    
    Turns out that btf_dump API doesn't handle a bunch of tricky corner
    cases, as reported by Per, and further discovered using his testing
    Python script ([0]).
    
    This patch revamps btf_dump's padding logic significantly, making it
    more correct and also avoiding unnecessary explicit padding, where
    compiler would pad naturally. This overall topic turned out to be very
    tricky and subtle, there are lots of subtle corner cases. The comments
    in the code tries to give some clues, but comments themselves are
    supposed to be paired with good understanding of C alignment and padding
    rules. Plus some experimentation to figure out subtle things like
    whether `long :0;` means that struct is now forced to be long-aligned
    (no, it's not, turns out).
    
    Anyways, Per's script, while not completely correct in some known
    situations, doesn't show any obvious cases where this logic breaks, so
    this is a nice improvement over the previous state of this logic.
    
    Some selftests had to be adjusted to accommodate better use of natural
    alignment rules, eliminating some unnecessary padding, or changing it to
    `type: 0;` alignment markers.
    
    Note also that for when we are in between bitfields, we emit explicit
    bit size, while otherwise we use `: 0`, this feels much more natural in
    practice.
    
    Next patch will add few more test cases, found through randomized Per's
    script.
    
      [0] https://lore.kernel.org/bpf/85f83c333f5355c8ac026f835b18d15060725fcb.camel@ericsson.com/
    
    Reported-by: Per Sundström XP <per.xp.sundstrom@ericsson.com>
    Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Link: https://lore.kernel.org/bpf/20221212211505.558851-6-andrii@kernel.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2e35b08b66b0b2558216b3764df729d9fe2012ed
Author: Eduard Zingerman <eddyz87@gmail.com>
Date:   Sat Oct 1 13:44:25 2022 +0300

    selftests/bpf: Test btf dump for struct with padding only fields
    
    [ Upstream commit d503f1176b14f722a40ea5110312614982f9a80b ]
    
    Structures with zero regular fields but some padding constitute a
    special case in btf_dump.c:btf_dump_emit_struct_def with regards to
    newline before closing '}'.
    
    Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
    Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    Link: https://lore.kernel.org/bpf/20221001104425.415768-2-eddyz87@gmail.com
    Stable-dep-of: ea2ce1ba99aa ("libbpf: Fix BTF-to-C converter's padding logic")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0f9e728e1a6c83dfebb367f9dec6fc6ef1dc6cbb
Author: Vladimir Oltean <vladimir.oltean@nxp.com>
Date:   Fri Dec 9 19:28:17 2022 +0200

    net: dsa: mv88e6xxx: replace VTU violation prints with trace points
    
    commit 9e3d9ae52b5657399a7b61258cc7482434a911bb upstream.
    
    It is possible to trigger these VTU violation messages very easily,
    it's only necessary to send packets with an unknown VLAN ID to a port
    that belongs to a VLAN-aware bridge.
    
    Do a similar thing as for ATU violation messages, and hide them in the
    kernel's trace buffer.
    
    New usage model:
    
    $ trace-cmd list | grep mv88e6xxx
    mv88e6xxx
    mv88e6xxx:mv88e6xxx_vtu_miss_violation
    mv88e6xxx:mv88e6xxx_vtu_member_violation
    $ trace-cmd report
    
    Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
    Reviewed-by: Saeed Mahameed <saeed@kernel.org>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Cc: Fabio Estevam <festevam@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit be831b5c696334e8ee6cfce2cf9b92923f07aae9
Author: Vladimir Oltean <vladimir.oltean@nxp.com>
Date:   Fri Dec 9 19:28:16 2022 +0200

    net: dsa: mv88e6xxx: replace ATU violation prints with trace points
    
    commit 8646384d80f3d3b4a66b3284dbbd8232d1b8799e upstream.
    
    In applications where the switch ports must perform 802.1X based
    authentication and are therefore locked, ATU violation interrupts are
    quite to be expected as part of normal operation. The problem is that
    they currently spam the kernel log, even if rate limited.
    
    Create a series of trace points, all derived from the same event class,
    which log these violations to the kernel's trace buffer, which is both
    much faster and much easier to ignore than printing to a serial console.
    
    New usage model:
    
    $ trace-cmd list | grep mv88e6xxx
    mv88e6xxx
    mv88e6xxx:mv88e6xxx_atu_full_violation
    mv88e6xxx:mv88e6xxx_atu_miss_violation
    mv88e6xxx:mv88e6xxx_atu_member_violation
    $ trace-cmd record -e mv88e6xxx sleep 10
    
    Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
    Reviewed-by: Saeed Mahameed <saeed@kernel.org>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Cc: Fabio Estevam <festevam@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8f872c781f6476665c0b09260a429ab03139339e
Author: Hans J. Schultz <netdev@kapio-technology.com>
Date:   Fri Dec 9 19:28:15 2022 +0200

    net: dsa: mv88e6xxx: read FID when handling ATU violations
    
    commit 4bf24ad09bc0b05e97fb48b962b2c9246fc76727 upstream.
    
    When an ATU violation occurs, the switch uses the ATU FID register to
    report the FID of the MAC address that incurred the violation. It would
    be good for the driver to know the FID value for purposes such as
    logging and CPU-based authentication.
    
    Up until now, the driver has been calling the mv88e6xxx_g1_atu_op()
    function to read ATU violations, but that doesn't do exactly what we
    want, namely it calls mv88e6xxx_g1_atu_fid_write() with FID 0.
    (side note, the documentation for the ATU Get/Clear Violation command
    says that writes to the ATU FID register have no effect before the
    operation starts, it's only that we disregard the value that this
    register provides once the operation completes)
    
    So mv88e6xxx_g1_atu_fid_write() is not what we want, but rather
    mv88e6xxx_g1_atu_fid_read(). However, the latter doesn't exist, we need
    to write it.
    
    The remainder of mv88e6xxx_g1_atu_op() except for
    mv88e6xxx_g1_atu_fid_write() is still needed, namely to send a
    GET_CLR_VIOLATION command to the ATU. In principle we could have still
    kept calling mv88e6xxx_g1_atu_op(), but the MDIO writes to the ATU FID
    register are pointless, but in the interest of doing less CPU work per
    interrupt, write a new function called mv88e6xxx_g1_read_atu_violation()
    and call it.
    
    The FID will be the port default FID as set by mv88e6xxx_port_set_fid()
    if the VID from the packet cannot be found in the VTU. Otherwise it is
    the FID derived from the VTU entry associated with that VID.
    
    Signed-off-by: Hans J. Schultz <netdev@kapio-technology.com>
    Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Cc: Fabio Estevam <festevam@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e4ca4572de06013c6aeedb44c7fadbeec63fa4e7
Author: Marc Zyngier <maz@kernel.org>
Date:   Thu Mar 16 17:45:45 2023 +0000

    KVM: arm64: Disable interrupts while walking userspace PTs
    
    commit e86fc1a3a3e9b4850fe74d738e3cfcf4297d8bba upstream.
    
    We walk the userspace PTs to discover what mapping size was
    used there. However, this can race against the userspace tables
    being freed, and we end-up in the weeds.
    
    Thankfully, the mm code is being generous and will IPI us when
    doing so. So let's implement our part of the bargain and disable
    interrupts around the walk. This ensures that nothing terrible
    happens during that time.
    
    We still need to handle the removal of the page tables before
    the walk. For that, allow get_user_mapping_size() to return an
    error, and make sure this error can be propagated all the way
    to the the exit handler.
    
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20230316174546.3777507-2-maz@kernel.org
    Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 051e660c8185e4c4bee6fb30d796cfe4ae2c345f
Author: Reiji Watanabe <reijiw@google.com>
Date:   Sun Mar 12 20:32:08 2023 -0700

    KVM: arm64: PMU: Fix GET_ONE_REG for vPMC regs to return the current value
    
    commit 9228b26194d1cc00449f12f306f53ef2e234a55b upstream.
    
    Have KVM_GET_ONE_REG for vPMU counter (vPMC) registers (PMCCNTR_EL0
    and PMEVCNTR<n>_EL0) return the sum of the register value in the sysreg
    file and the current perf event counter value.
    
    Values of vPMC registers are saved in sysreg files on certain occasions.
    These saved values don't represent the current values of the vPMC
    registers if the perf events for the vPMCs count events after the save.
    The current values of those registers are the sum of the sysreg file
    value and the current perf event counter value.  But, when userspace
    reads those registers (using KVM_GET_ONE_REG), KVM returns the sysreg
    file value to userspace (not the sum value).
    
    Fix this to return the sum value for KVM_GET_ONE_REG.
    
    Fixes: 051ff581ce70 ("arm64: KVM: Add access handler for event counter register")
    Cc: stable@vger.kernel.org
    Reviewed-by: Marc Zyngier <maz@kernel.org>
    Signed-off-by: Reiji Watanabe <reijiw@google.com>
    Link: https://lore.kernel.org/r/20230313033208.1475499-1-reijiw@google.com
    Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fcf712b4e5d0aacbc193e71962bdaa4d4afe3335
Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
Date:   Mon Mar 20 11:54:34 2023 +0200

    drm/i915: Move CSC load back into .color_commit_arm() when PSR is enabled on skl/glk
    
    commit a8e03e00b62073b494886dbff32f8b5338066c8b upstream.
    
    SKL/GLK CSC unit suffers from a nasty issue where a CSC
    coeff/offset register read or write between DC5 exit and
    PSR exit will undo the CSC arming performed by DMC, and
    then during PSR exit the hardware will latch zeroes into
    the active CSC registers. This causes any plane going
    through the CSC to output all black.
    
    We can sidestep the issue by making sure the PSR exit has
    already actually happened before we touch the CSC coeff/offset
    registers. Easiest way to guarantee that is to just move the
    CSC programming back into the .color_commir_arm() as we force
    a PSR exit (and crucially wait for it to actually happen)
    prior to touching the arming registers.
    
    When PSR (and thus also DC states) are disabled we don't
    have anything to worry about, so we can keep using the
    more optional _noarm() hook for writing the CSC registers.
    
    Cc: <stable@vger.kernel.org> #v5.19+
    Cc: Manasi Navare <navaremanasi@google.com>
    Cc: Drew Davenport <ddavenport@chromium.org>
    Cc: Imre Deak <imre.deak@intel.com>
    Cc: Jouni Högander <jouni.hogander@intel.com>
    Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/8283
    Fixes: d13dde449580 ("drm/i915: Split pipe+output CSC programming to noarm+arm pair")
    Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20230320095438.17328-3-ville.syrjala@linux.intel.com
    Reviewed-by: Imre Deak <imre.deak@intel.com>
    (cherry picked from commit 80a892a4c2428b65366721599fc5fe50eaed35fd)
    Signed-off-by: Jani Nikula <jani.nikula@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0fc6fea41c7122aa5f2088117f50144b507e13d7
Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
Date:   Mon Mar 20 20:35:32 2023 +0200

    drm/i915: Disable DC states for all commits
    
    commit a2b6e99d8a623544f3bdccd28ee35b9c1b00daa5 upstream.
    
    Keeping DC states enabled is incompatible with the _noarm()/_arm()
    split we use for writing pipe/plane registers. When DC5 and PSR
    are enabled, all pipe/plane registers effectively become self-arming
    on account of DC5 exit arming the update, and PSR exit latching it.
    
    What probably saves us most of the time is that (with PIPE_MISC[21]=0)
    all pipe register writes themselves trigger PSR exit, and then
    we don't re-enter PSR until the idle frame count has elapsed.
    So it may be that the PSR exit happens already before we've
    updated the state too much.
    
    Also the PSR1 panel (at least on this KBL) seems to discard the first
    frame we trasmit, presumably still scanning out from its internal
    framebuffer at that point. So only the second frame we transmit is
    actually visible. But I suppose that could also be panel specific
    behaviour. I haven't checked out how other PSR panels behave, nor
    did I bother to check what the eDP spec has to say about this.
    
    And since this really is all about DC states, let's switch from
    the MODESET domain to the DC_OFF domain. Functionally they are
    100% identical. We should probably remove the MODESET domain...
    
    And for good measure let's toss in an assert to the place where
    we do the _noarm() register writes to make sure DC states are
    in fact off.
    
    v2: Just use intel_display_power_is_enabled() (Imre)
    
    Cc: <stable@vger.kernel.org> #v5.17+
    Cc: Manasi Navare <navaremanasi@google.com>
    Cc: Drew Davenport <ddavenport@chromium.org>
    Cc: Jouni Högander <jouni.hogander@intel.com>
    Reviewed-by: Imre Deak <imre.deak@intel.com>
    Fixes: d13dde449580 ("drm/i915: Split pipe+output CSC programming to noarm+arm pair")
    Fixes: f8a005eb8972 ("drm/i915: Optimize icl+ universal plane programming")
    Fixes: 890b6ec4a522 ("drm/i915: Split skl+ plane update into noarm+arm pair")
    Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20230320183532.17727-1-ville.syrjala@linux.intel.com
    (cherry picked from commit 41b4c7fe72b6105a4b49395eea9aa40cef94288d)
    Signed-off-by: Jani Nikula <jani.nikula@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c781c107731fc09ce4330c8c636b8446d0f72aa4
Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
Date:   Mon Mar 20 11:05:17 2023 +0200

    drm/i915/dpt: Treat the DPT BO as a framebuffer
    
    commit 3413881e1ecc3cba722a2e87ec099692eed5be28 upstream.
    
    Currently i915_gem_object_is_framebuffer() doesn't treat the
    BO containing the framebuffer's DPT as a framebuffer itself.
    This means eg. that the shrinker can evict the DPT BO while
    leaving the actual FB BO bound, when the DPT is allocated
    from regular shmem.
    
    That causes an immediate oops during hibernate as we
    try to rewrite the PTEs inside the already evicted
    DPT obj.
    
    TODO: presumably this might also be the reason for the
    DPT related display faults under heavy memory pressure,
    but I'm still not sure how that would happen as the object
    should be pinned by intel_dpt_pin() while in active use by
    the display engine...
    
    Cc: stable@vger.kernel.org
    Cc: Juha-Pekka Heikkila <juhapekka.heikkila@gmail.com>
    Cc: Matthew Auld <matthew.auld@intel.com>
    Cc: Imre Deak <imre.deak@intel.com>
    Fixes: 0dc987b699ce ("drm/i915/display: Add smem fallback allocation for dpt")
    Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20230320090522.9909-2-ville.syrjala@linux.intel.com
    Reviewed-by: Juha-Pekka Heikkila <juhapekka.heikkila@gmail.com>
    (cherry picked from commit 779cb5ba64ec7df80675a956c9022929514f517a)
    Signed-off-by: Jani Nikula <jani.nikula@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 21ee19974b19edcda7a8e4f9bd5b02c3a750a69e
Author: Chris Wilson <chris.p.wilson@linux.intel.com>
Date:   Thu Mar 16 17:59:18 2023 +0100

    drm/i915/gem: Flush lmem contents after construction
    
    commit d032ca43f2c80049ce5aabd3f208dc3849359497 upstream.
    
    i915_gem_object_create_lmem_from_data() lacks the flush of the data
    written to lmem to ensure the object is marked as dirty and the writes
    flushed to the backing store. Once created, we can immediately release
    the obj->mm.mapping caching of the vmap.
    
    Fixes: 7acbbc7cf485 ("drm/i915/guc: put all guc objects in lmem when available")
    Cc: Matthew Auld <matthew.auld@intel.com>
    Cc: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
    Cc: Andi Shyti <andi.shyti@linux.intel.com>
    Cc: Matthew Brost <matthew.brost@intel.com>
    Cc: John Harrison <John.C.Harrison@Intel.com>
    Signed-off-by: Chris Wilson <chris.p.wilson@linux.intel.com>
    Cc: <stable@vger.kernel.org> # v5.16+
    Signed-off-by: Nirmoy Das <nirmoy.das@intel.com>
    Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
    Reviewed-by: Nirmoy Das <nirmoy.das@intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20230316165918.13074-1-nirmoy.das@intel.com
    (cherry picked from commit e2ee10474ce766686e7a7496585cdfaf79e3a1bf)
    Signed-off-by: Jani Nikula <jani.nikula@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fd71f4c9e3fa7454f9797c539abd5fcfc8b92b41
Author: Fangzhi Zuo <Jerry.Zuo@amd.com>
Date:   Tue Feb 28 21:34:58 2023 -0500

    drm/amd/display: Take FEC Overhead into Timeslot Calculation
    
    commit 68dc1846c3a44d5e633be145c169ce2fd5420695 upstream.
    
    8b/10b encoding needs to add 3% fec overhead into the pbn.
    In the Synapcis Cascaded MST hub, the first stage MST branch device
    needs the information to determine the timeslot count for the
    second stage MST branch device. Missing this overhead will leads to
    insufficient timeslot allocation.
    
    Cc: stable@vger.kernel.org
    Cc: Mario Limonciello <mario.limonciello@amd.com>
    Reviewed-by: Hersen Wu <hersenxs.wu@amd.com>
    Acked-by: Qingqing Zhuo <qingqing.zhuo@amd.com>
    Signed-off-by: Fangzhi Zuo <Jerry.Zuo@amd.com>
    Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 41abe8828c83e8f73940790a3861b498a8b5ee3f
Author: Fangzhi Zuo <Jerry.Zuo@amd.com>
Date:   Fri Feb 24 13:45:21 2023 -0500

    drm/amd/display: Add DSC Support for Synaptics Cascaded MST Hub
    
    commit f4f3b7dedbe849e780c779ba67365bb1db0d8637 upstream.
    
    Traditional synaptics hub has one MST branch device without virtual dpcd.
    Synaptics cascaded hub has two chained MST branch devices. DSC decoding
    is performed via root MST branch device, instead of the second MST branch
    device.
    
    Reviewed-by: Hersen Wu <hersenxs.wu@amd.com>
    Acked-by: Qingqing Zhuo <qingqing.zhuo@amd.com>
    Signed-off-by: Fangzhi Zuo <Jerry.Zuo@amd.com>
    Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit febacc33298f8d72d5bfd4d23a556cc21b5cd6c2
Author: Tim Huang <tim.huang@amd.com>
Date:   Thu Mar 30 10:33:02 2023 +0800

    drm/amdgpu: allow more APUs to do mode2 reset when go to S4
    
    commit 2fec9dc8e0acc3dfb56d1389151bcf405f087b10 upstream.
    
    Skip mode2 reset only for IMU enabled APUs when do S4.
    
    This patch is to fix the regression issue
    https://gitlab.freedesktop.org/drm/amd/-/issues/2483
    It is generated by commit b589626674de ("drm/amdgpu: skip ASIC reset
    for APUs when go to S4").
    
    Fixes: b589626674de ("drm/amdgpu: skip ASIC reset for APUs when go to S4")
    Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2483
    Tested-by:  Yuan  Perry <Perry.Yuan@amd.com>
    Signed-off-by: Tim Huang <tim.huang@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org # 6.1.x
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f931ca46773a4f02040f63b4cdd1b14abcc130c1
Author: Lucas Stach <l.stach@pengutronix.de>
Date:   Fri Feb 24 18:21:54 2023 +0100

    drm/etnaviv: fix reference leak when mmaping imported buffer
    
    commit 963b2e8c428f79489ceeb058e8314554ec9cbe6f upstream.
    
    drm_gem_prime_mmap() takes a reference on the GEM object, but before that
    drm_gem_mmap_obj() already takes a reference, which will be leaked as only
    one reference is dropped when the mapping is closed. Drop the extra
    reference when dma_buf_mmap() succeeds.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
    Reviewed-by: Christian Gmeiner <christian.gmeiner@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3f878da42862ca0a75051846bf992ff2c370bea6
Author: Jiri Slaby (SUSE) <jirislaby@kernel.org>
Date:   Thu Mar 16 12:28:09 2023 +0100

    s390: reintroduce expoline dependence to scripts
    
    commit 7bb2107e63d8a4a13bbb6fe0e1cbd68784a2e9ac upstream.
    
    Expolines depend on scripts/basic/fixdep. And build of expolines can now
    race with the fixdep build:
    
     make[1]: *** Deleting file 'arch/s390/lib/expoline/expoline.o'
     /bin/sh: line 1: scripts/basic/fixdep: Permission denied
     make[1]: *** [../scripts/Makefile.build:385: arch/s390/lib/expoline/expoline.o] Error 126
     make: *** [../arch/s390/Makefile:166: expoline_prepare] Error 2
    
    The dependence was removed in the below Fixes: commit. So reintroduce
    the dependence on scripts.
    
    Fixes: a0b0987a7811 ("s390/nospec: remove unneeded header includes")
    Cc: Joe Lawrence <joe.lawrence@redhat.com>
    Cc: stable@vger.kernel.org
    Cc: Heiko Carstens <hca@linux.ibm.com>
    Cc: Vasily Gorbik <gor@linux.ibm.com>
    Cc: Alexander Gordeev <agordeev@linux.ibm.com>
    Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
    Cc: Sven Schnelle <svens@linux.ibm.com>
    Cc: linux-s390@vger.kernel.org
    Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
    Link: https://lore.kernel.org/r/20230316112809.7903-1-jirislaby@kernel.org
    Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a028d92967bba61b4909ea26044d98260db1eaed
Author: Heiko Carstens <hca@linux.ibm.com>
Date:   Thu Mar 23 13:09:16 2023 +0100

    s390/uaccess: add missing earlyclobber annotations to __clear_user()
    
    commit 89aba4c26fae4e459f755a18912845c348ee48f3 upstream.
    
    Add missing earlyclobber annotation to size, to, and tmp2 operands of the
    __clear_user() inline assembly since they are modified or written to before
    the last usage of all input operands. This can lead to incorrect register
    allocation for the inline assembly.
    
    Fixes: 6c2a9e6df604 ("[S390] Use alternative user-copy operations for new hardware.")
    Reported-by: Mark Rutland <mark.rutland@arm.com>
    Link: https://lore.kernel.org/all/20230321122514.1743889-3-mark.rutland@arm.com/
    Cc: stable@vger.kernel.org
    Reviewed-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bc2f8b56217b50ef95498dc56736b955c002aade
Author: Geert Uytterhoeven <geert+renesas@glider.be>
Date:   Tue Feb 14 15:26:43 2023 +0100

    dt-bindings: mtd: jedec,spi-nor: Document CPOL/CPHA support
    
    commit a56cde41340ac4049fa6edac9e6cfbcd2804074e upstream.
    
    SPI EEPROMs typically support both SPI Mode 0 (CPOL=CPHA=0) and Mode 3
    (CPOL=CPHA=1).  However, using the latter is currently flagged as an
    error by "make dtbs_check", e.g.:
    
        arch/arm/boot/dts/r8a7791-koelsch.dtb: flash@0: Unevaluated properties are not allowed ('spi-cpha', 'spi-cpol' were unexpected)
                From schema: Documentation/devicetree/bindings/mtd/jedec,spi-nor.yaml
    
    Fix this by documenting support for CPOL=CPHA=1.
    
    Fixes: 233363aba72ac638 ("spi/panel: dt-bindings: drop CPHA and CPOL from common properties")
    Cc: stable@vger.kernel.org
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Link: https://lore.kernel.org/linux-mtd/afe470603028db9374930b0c57464b1f6d52bdd3.1676384304.git.geert+renesas@glider.be
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 69bec5ac6ea078c6df9018ac3c26c37cb3b0b6c0
Author: Douglas Raillard <douglas.raillard@arm.com>
Date:   Mon Mar 6 12:27:43 2023 +0000

    rcu: Fix rcu_torture_read ftrace event
    
    commit d18a04157fc171fd48075e3dc96471bd3b87f0dd upstream.
    
    Fix the rcutorturename field so that its size is correctly reported in
    the text format embedded in trace.dat files. As it stands, it is
    reported as being of size 1:
    
        field:char rcutorturename[8];   offset:8;       size:1; signed:0;
    
    Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
    Reviewed-by: Mukesh Ojha <quic_mojha@quicinc.com>
    Cc: stable@vger.kernel.org
    Fixes: 04ae87a52074e ("ftrace: Rework event_create_dir()")
    Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    [ boqun: Add "Cc" and "Fixes" tags per Steven ]
    Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
    Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 75289cdbe125e62036a72369206ce661e3e4cff2
Author: Max Filippov <jcmvbkbc@gmail.com>
Date:   Thu Mar 16 23:00:21 2023 -0700

    xtensa: fix KASAN report for show_stack
    
    commit 1d3b7a788ca7435156809a6bd5b20c95b2370d45 upstream.
    
    show_stack dumps raw stack contents which may trigger an unnecessary
    KASAN report. Fix it by copying stack contents to a temporary buffer
    with __memcpy and then printing that buffer instead of passing stack
    pointer directly to the print_hex_dump.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3a0e34af6bffee89c5344e00f15844806b9d44b1
Author: huangwenhui <huangwenhuia@uniontech.com>
Date:   Tue Mar 28 15:46:44 2023 +0800

    ALSA: hda/realtek: Add quirk for Lenovo ZhaoYang CF4620Z
    
    commit 52aad39385e1bfdb34a1b405f699a8ef302c58b0 upstream.
    
    Fix headset microphone detection on Lenovo ZhaoYang CF4620Z.
    
    [ adjusted to be applicable to the latest tree -- tiwai ]
    
    Signed-off-by: huangwenhui <huangwenhuia@uniontech.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20230328074644.30142-1-huangwenhuia@uniontech.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 036d5ae0a7cf0e80617bb467e7d1fd8c8abf882f
Author: Tim Crawford <tcrawford@system76.com>
Date:   Fri Mar 17 08:18:25 2023 -0600

    ALSA: hda/realtek: Add quirks for some Clevo laptops
    
    commit b7a5822810c4398515300d614d988cf638adecad upstream.
    
    Add the audio quirk for some of Clevo's latest RPL laptops:
    
    - NP50RNJS (ALC256)
    - NP70SNE (ALC256)
    - PD50SNE (ALC1220)
    - PE60RNE (ALC1220)
    
    Co-authored-by: Jeremy Soller <jeremy@system76.com>
    Signed-off-by: Tim Crawford <tcrawford@system76.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20230317141825.11807-1-tcrawford@system76.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3e120e9200160e177298db4d1ffc363942b8fcfb
Author: Takashi Iwai <tiwai@suse.de>
Date:   Fri Mar 24 08:50:05 2023 +0100

    ALSA: usb-audio: Fix regression on detection of Roland VS-100
    
    commit fa4e7a6fa12b1132340785e14bd439cbe95b7a5a upstream.
    
    It's been reported that the recent kernel can't probe the PCM devices
    on Roland VS-100 properly, and it turned out to be a regression by the
    recent addition of the bit shift range check for the format bits.
    In the old code, we just did bit-shift and it resulted in zero, which
    is then corrected to the standard PCM format, while the new code
    explicitly returns an error in such a case.
    
    For addressing the regression, relax the check and fallback to the
    standard PCM type (with the info output).
    
    Fixes: 43d5ca88dfcd ("ALSA: usb-audio: Fix potential out-of-bounds shift")
    Cc: <stable@vger.kernel.org>
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=217084
    Link: https://lore.kernel.org/r/20230324075005.19403-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0c60b9c0b77479eda2e3ab05f0e804722ec2f8b1
Author: Takashi Iwai <tiwai@suse.de>
Date:   Mon Mar 20 15:09:54 2023 +0100

    ALSA: hda/conexant: Partial revert of a quirk for Lenovo
    
    commit b871cb971c683f7f212e7ca3c9a6709a75785116 upstream.
    
    The recent commit f83bb2592482 ("ALSA: hda/conexant: Add quirk for
    LENOVO 20149 Notebook model") introduced a quirk for the device with
    17aa:3977, but this caused a regression on another model (Lenovo
    Ideadpad U31) with the very same PCI SSID.  And, through skimming over
    the net, it seems that this PCI SSID is used for multiple different
    models, so it's no good idea to apply the quirk with the SSID.
    
    Although we may take a different ID check (e.g. the codec SSID instead
    of the PCI SSID), unfortunately, the original patch author couldn't
    identify the hardware details any longer as the machine was returned,
    and we can't develop the further proper fix.
    
    In this patch, instead, we partially revert the change so that the
    quirk won't be applied as default for addressing the regression.
    Meanwhile, the quirk function itself is kept, and it's now made to be
    applicable via the explicit model=lenovo-20149 option.
    
    Fixes: f83bb2592482 ("ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model")
    Reported-by: Jetro Jormalainen <jje-lxkl@jetro.fi>
    Link: https://lore.kernel.org/r/20230308215009.4d3e58a6@mopti
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20230320140954.31154-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f6bcbd556978edb98ad96bb2038995221f58fa58
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date:   Tue Mar 21 00:17:36 2023 -0400

    NFSv4: Fix hangs when recovering open state after a server reboot
    
    commit 6165a16a5ad9b237bb3131cff4d3c601ccb8f9a3 upstream.
    
    When we're using a cached open stateid or a delegation in order to avoid
    sending a CLAIM_PREVIOUS open RPC call to the server, we don't have a
    new open stateid to present to update_open_stateid().
    Instead rely on nfs4_try_open_cached(), just as if we were doing a
    normal open.
    
    Fixes: d2bfda2e7aa0 ("NFSv4: don't reprocess cached open CLAIM_PREVIOUS")
    Cc: stable@vger.kernel.org
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3f5ded246953dd41608444a61b5ae1cfda3ef61e
Author: Benjamin Gray <bgray@linux.ibm.com>
Date:   Fri Mar 3 09:59:47 2023 +1100

    powerpc/64s: Fix __pte_needs_flush() false positive warning
    
    commit 1abce0580b89464546ae06abd5891ebec43c9470 upstream.
    
    Userspace PROT_NONE ptes set _PAGE_PRIVILEGED, triggering a false
    positive debug assertion that __pte_flags_need_flush() is not called
    on a kernel mapping.
    
    Detect when it is a userspace PROT_NONE page by checking the required
    bits of PAGE_NONE are set, and none of the RWX bits are set.
    pte_protnone() is insufficient here because it always returns 0 when
    CONFIG_NUMA_BALANCING=n.
    
    Fixes: b11931e9adc1 ("powerpc/64s: add pte_needs_flush and huge_pmd_needs_flush")
    Cc: stable@vger.kernel.org # v6.1+
    Reported-by: Russell Currey <ruscur@russell.cc>
    Signed-off-by: Benjamin Gray <bgray@linux.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/20230302225947.81083-1-bgray@linux.ibm.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0bb88976bdd2936caf8a2b35746f43c2d7cb6c27
Author: Haren Myneni <haren@linux.ibm.com>
Date:   Mon Mar 20 19:50:08 2023 -0700

    powerpc/pseries/vas: Ignore VAS update for DLPAR if copy/paste is not enabled
    
    commit eca9f6e6f83b6725b84e1c76fdde19b003cff0eb upstream.
    
    The hypervisor supports user-mode NX from Power10.
    
    pseries_vas_dlpar_cpu() is called from lparcfg_write() to update VAS
    windows for DLPAR event in shared processor mode and the kernel gets
    -ENOTSUPP for HCALLs if the user-mode NX is not supported. The current
    VAS implementation also supports only with Radix page tables. Whereas in
    dedicated processor mode, pseries_vas_notifier() is registered only if
    the copy/paste feature is enabled. So instead of displaying HCALL error
    messages, update VAS capabilities if the copy/paste feature is
    available.
    
    This patch ignores updating VAS capabilities in pseries_vas_dlpar_cpu()
    and returns success if the copy/paste feature is not enabled. Then
    lparcfg_write() completes the processor DLPAR operations without any
    failures.
    
    Fixes: 2147783d6bf0 ("powerpc/pseries: Use lparcfg to reconfig VAS windows for DLPAR CPU")
    Cc: stable@vger.kernel.org # v6.1+
    Signed-off-by: Haren Myneni <haren@linux.ibm.com>
    Reviewed-by: Nathan Lynch <nathanl@linux.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/1d0e727e7dbd9a28627ef08ca9df9c86a50175e2.camel@linux.ibm.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 064a1c7b0f8403260d77627e62424a72ca26cee2
Author: Jens Axboe <axboe@kernel.dk>
Date:   Sun Mar 26 16:15:57 2023 -0600

    powerpc: Don't try to copy PPR for task with NULL pt_regs
    
    commit fd7276189450110ed835eb0a334e62d2f1c4e3be upstream.
    
    powerpc sets up PF_KTHREAD and PF_IO_WORKER with a NULL pt_regs, which
    from my (arguably very short) checking is not commonly done for other
    archs. This is fine, except when PF_IO_WORKER's have been created and
    the task does something that causes a coredump to be generated. Then we
    get this crash:
    
      Kernel attempted to read user page (160) - exploit attempt? (uid: 1000)
      BUG: Kernel NULL pointer dereference on read at 0x00000160
      Faulting instruction address: 0xc0000000000c3a60
      Oops: Kernel access of bad area, sig: 11 [#1]
      LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=32 NUMA pSeries
      Modules linked in: bochs drm_vram_helper drm_kms_helper xts binfmt_misc ecb ctr syscopyarea sysfillrect cbc sysimgblt drm_ttm_helper aes_generic ttm sg libaes evdev joydev virtio_balloon vmx_crypto gf128mul drm dm_mod fuse loop configfs drm_panel_orientation_quirks ip_tables x_tables autofs4 hid_generic usbhid hid xhci_pci xhci_hcd usbcore usb_common sd_mod
      CPU: 1 PID: 1982 Comm: ppc-crash Not tainted 6.3.0-rc2+ #88
      Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries
      NIP:  c0000000000c3a60 LR: c000000000039944 CTR: c0000000000398e0
      REGS: c0000000041833b0 TRAP: 0300   Not tainted  (6.3.0-rc2+)
      MSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 88082828  XER: 200400f8
      ...
      NIP memcpy_power7+0x200/0x7d0
      LR  ppr_get+0x64/0xb0
      Call Trace:
        ppr_get+0x40/0xb0 (unreliable)
        __regset_get+0x180/0x1f0
        regset_get_alloc+0x64/0x90
        elf_core_dump+0xb98/0x1b60
        do_coredump+0x1c34/0x24a0
        get_signal+0x71c/0x1410
        do_notify_resume+0x140/0x6f0
        interrupt_exit_user_prepare_main+0x29c/0x320
        interrupt_exit_user_prepare+0x6c/0xa0
        interrupt_return_srr_user+0x8/0x138
    
    Because ppr_get() is trying to copy from a PF_IO_WORKER with a NULL
    pt_regs.
    
    Check for a valid pt_regs in both ppc_get/ppr_set, and return an error
    if not set. The actual error value doesn't seem to be important here, so
    just pick -EINVAL.
    
    Fixes: fa439810cc1b ("powerpc/ptrace: Enable support for NT_PPPC_TAR, NT_PPC_PPR, NT_PPC_DSCR")
    Cc: stable@vger.kernel.org # v4.8+
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    [mpe: Trim oops in change log, add Fixes & Cc stable]
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/d9f63344-fe7c-56ae-b420-4a1a04a2ae4c@kernel.dk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 44917e8c38d89abd4a7e9a1694e868b83713c743
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Thu Mar 30 21:46:44 2023 +0200

    platform/x86: ideapad-laptop: Stop sending KEY_TOUCHPAD_TOGGLE
    
    commit e3271a5917d1501089b1a224d702aa053e2877f4 upstream.
    
    Commit 5829f8a897e4 ("platform/x86: ideapad-laptop: Send
    KEY_TOUCHPAD_TOGGLE on some models") made ideapad-laptop send
    KEY_TOUCHPAD_TOGGLE when we receive an ACPI notify with VPC event bit 5 set
    and the touchpad-state has not been changed by the EC itself already.
    
    This was done under the assumption that this would be good to do to make
    the touchpad-toggle hotkey work on newer models where the EC does not
    toggle the touchpad on/off itself (because it is not routed through
    the PS/2 controller, but uses I2C).
    
    But it turns out that at least some models, e.g. the Yoga 7-15ITL5 the EC
    triggers an ACPI notify with VPC event bit 5 set on resume, which would
    now cause a spurious KEY_TOUCHPAD_TOGGLE on resume to which the desktop
    environment responds by disabling the touchpad in software, breaking
    the touchpad (until manually re-enabled) on resume.
    
    It was never confirmed that sending KEY_TOUCHPAD_TOGGLE actually improves
    things on new models and at least some new models like the Yoga 7-15ITL5
    don't have a touchpad on/off toggle hotkey at all, while still sending
    ACPI notify events with VPC event bit 5 set.
    
    So it seems best to revert the change to send KEY_TOUCHPAD_TOGGLE when
    receiving an ACPI notify events with VPC event bit 5 and the touchpad
    state as reported by the EC has not changed.
    
    Note this is not a full revert the code to cache the last EC touchpad
    state is kept to avoid sending spurious KEY_TOUCHPAD_ON / _OFF events
    on resume.
    
    Fixes: 5829f8a897e4 ("platform/x86: ideapad-laptop: Send KEY_TOUCHPAD_TOGGLE on some models")
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=217234
    Cc: stable@vger.kernel.org
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Link: https://lore.kernel.org/r/20230330194644.64628-1-hdegoede@redhat.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 61c1f420bb01f33707a15894b26c0ae9906e913e
Author: Johan Hovold <johan+linaro@kernel.org>
Date:   Fri Feb 24 14:08:28 2023 +0100

    pinctrl: at91-pio4: fix domain name assignment
    
    commit 7bb97e360acdd38b68ad0a1defb89c6e89c85596 upstream.
    
    Since commit d59f6617eef0 ("genirq: Allow fwnode to carry name
    information only") an IRQ domain is always given a name during
    allocation (e.g. used for the debugfs entry).
    
    Drop the no longer valid name assignment, which would lead to an attempt
    to free a string constant when removing the domain on late probe
    failures (e.g. probe deferral).
    
    Fixes: d59f6617eef0 ("genirq: Allow fwnode to carry name information only")
    Cc: stable@vger.kernel.org      # 4.13
    Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
    Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
    Tested-by: Claudiu Beznea <claudiu.beznea@microchip.com> # on SAMA7G5
    Link: https://lore.kernel.org/r/20230224130828.27985-1-johan+linaro@kernel.org
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d9c63daa576b24486c66024414f63d224897c796
Author: Kornel Dulęba <korneld@chromium.org>
Date:   Mon Mar 20 09:32:59 2023 +0000

    pinctrl: amd: Disable and mask interrupts on resume
    
    commit b26cd9325be4c1fcd331b77f10acb627c560d4d7 upstream.
    
    This fixes a similar problem to the one observed in:
    commit 4e5a04be88fe ("pinctrl: amd: disable and mask interrupts on probe").
    
    On some systems, during suspend/resume cycle firmware leaves
    an interrupt enabled on a pin that is not used by the kernel.
    This confuses the AMD pinctrl driver and causes spurious interrupts.
    
    The driver already has logic to detect if a pin is used by the kernel.
    Leverage it to re-initialize interrupt fields of a pin only if it's not
    used by us.
    
    Cc: stable@vger.kernel.org
    Fixes: dbad75dd1f25 ("pinctrl: add AMD GPIO driver support.")
    Signed-off-by: Kornel Dulęba <korneld@chromium.org>
    Link: https://lore.kernel.org/r/20230320093259.845178-1-korneld@chromium.org
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0e7ac17634d2254e0fc65307a5f430e4f1fdb7e9
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Wed Mar 22 19:11:45 2023 +0100

    modpost: Fix processing of CRCs on 32-bit build machines
    
    commit fb27e70f6e408dee5d22b083e7a38a59e6118253 upstream.
    
    modpost now reads CRCs from .*.cmd files, parsing them using strtol().
    This is inconsistent with its parsing of Module.symvers and with their
    definition as *unsigned* 32-bit values.
    
    strtol() clamps values to [LONG_MIN, LONG_MAX], and when building on a
    32-bit system this changes all CRCs >= 0x80000000 to be 0x7fffffff.
    
    Change extract_crcs_for_object() to use strtoul() instead.
    
    Cc: stable@vger.kernel.org
    Fixes: f292d875d0dc ("modpost: extract symbol versions from *.cmd files")
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2269be4951420af24896dd43987333ab35a72fc8
Author: Josua Mayer <josua@solid-run.com>
Date:   Thu Mar 23 12:25:36 2023 +0200

    net: phy: dp83869: fix default value for tx-/rx-internal-delay
    
    commit 82e2c39f9ef78896e9b634dfd82dc042e6956bb7 upstream.
    
    dp83869 internally uses a look-up table for mapping supported delays in
    nanoseconds to register values.
    When specific delays are defined in device-tree, phy_get_internal_delay
    does the lookup automatically returning an index.
    
    The default case wrongly assigns the nanoseconds value from the lookup
    table, resulting in numeric value 2000 applied to delay configuration
    register, rather than the expected index values 0-7 (7 for 2000).
    Ultimately this issue broke RX for 1Gbps links.
    
    Fix default delay configuration by assigning the intended index value
    directly.
    
    Cc: stable@vger.kernel.org
    Fixes: 736b25afe284 ("net: dp83869: Add RGMII internal delay configuration")
    Co-developed-by: Yazan Shhady <yazan.shhady@solid-run.com>
    Signed-off-by: Yazan Shhady <yazan.shhady@solid-run.com>
    Signed-off-by: Josua Mayer <josua@solid-run.com>
    Reviewed-by: Simon Horman <simon.horman@corigine.com>
    Link: https://lore.kernel.org/r/20230323102536.31988-1-josua@solid-run.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cdfac0a5064187219c88ddcc9283fbeb80abf522
Author: Juergen Gross <jgross@suse.com>
Date:   Mon Mar 27 10:36:45 2023 +0200

    xen/netback: don't do grant copy across page boundary
    
    commit 05310f31ca74673a96567fb14637b7d5d6c82ea5 upstream.
    
    Fix xenvif_get_requests() not to do grant copy operations across local
    page boundaries. This requires to double the maximum number of copy
    operations per queue, as each copy could now be split into 2.
    
    Make sure that struct xenvif_tx_cb doesn't grow too large.
    
    Cc: stable@vger.kernel.org
    Fixes: ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area")
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Paul Durrant <paul@xen.org>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ace6aa2ab5ba5869563ca689bbd912100514ae7b
Author: Oleksij Rempel <linux@rempel-privat.de>
Date:   Fri Mar 24 14:01:41 2023 +0100

    can: j1939: prevent deadlock by moving j1939_sk_errqueue()
    
    commit d1366b283d94ac4537a4b3a1e8668da4df7ce7e9 upstream.
    
    This commit addresses a deadlock situation that can occur in certain
    scenarios, such as when running data TP/ETP transfer and subscribing to
    the error queue while receiving a net down event. The deadlock involves
    locks in the following order:
    
    3
      j1939_session_list_lock ->  active_session_list_lock
      j1939_session_activate
      ...
      j1939_sk_queue_activate_next -> sk_session_queue_lock
      ...
      j1939_xtp_rx_eoma_one
    
    2
      j1939_sk_queue_drop_all  ->  sk_session_queue_lock
      ...
      j1939_sk_netdev_event_netdown -> j1939_socks_lock
      j1939_netdev_notify
    
    1
      j1939_sk_errqueue -> j1939_socks_lock
      __j1939_session_cancel -> active_session_list_lock
      j1939_tp_rxtimer
    
           CPU0                    CPU1
           ----                    ----
      lock(&priv->active_session_list_lock);
                                   lock(&jsk->sk_session_queue_lock);
                                   lock(&priv->active_session_list_lock);
      lock(&priv->j1939_socks_lock);
    
    The solution implemented in this commit is to move the
    j1939_sk_errqueue() call out of the active_session_list_lock context,
    thus preventing the deadlock situation.
    
    Reported-by: syzbot+ee1cd780f69483a8616b@syzkaller.appspotmail.com
    Fixes: 5b9272e93f2e ("can: j1939: extend UAPI to notify about RX status")
    Co-developed-by: Hillf Danton <hdanton@sina.com>
    Signed-off-by: Hillf Danton <hdanton@sina.com>
    Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Link: https://lore.kernel.org/all/20230324130141.2132787-1-o.rempel@pengutronix.de
    Cc: stable@vger.kernel.org
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8b7c731e5444efbab518c3acf9a4d1b62d18920e
Author: Mike Snitzer <snitzer@kernel.org>
Date:   Thu Mar 30 15:09:29 2023 -0400

    dm: fix __send_duplicate_bios() to always allow for splitting IO
    
    commit 666eed46769d929c3e13636134ecfc67d75ef548 upstream.
    
    Commit 7dd76d1feec70 ("dm: improve bio splitting and associated IO
    accounting") only called setup_split_accounting() from
    __send_duplicate_bios() if a single bio were being issued. But the case
    where duplicate bios are issued must call it too.
    
    Otherwise the bio won't be split and resubmitted (via recursion through
    block core back to DM) to submit the later portions of a bio (which may
    map to an entirely different target).
    
    For example, when discarding an entire DM striped device with the
    following DM table:
     vg-lvol0: 0 159744 striped 2 128 7:0 2048 7:1 2048
     vg-lvol0: 159744 45056 striped 2 128 7:2 2048 7:3 2048
    
    Before (broken, discards the first striped target's devices twice):
     device-mapper: striped: target_stripe=0, bdev=7:0, start=2048 len=79872
     device-mapper: striped: target_stripe=1, bdev=7:1, start=2048 len=79872
     device-mapper: striped: target_stripe=0, bdev=7:0, start=2049 len=22528
     device-mapper: striped: target_stripe=1, bdev=7:1, start=2048 len=22528
    
    After (works as expected):
     device-mapper: striped: target_stripe=0, bdev=7:0, start=2048 len=79872
     device-mapper: striped: target_stripe=1, bdev=7:1, start=2048 len=79872
     device-mapper: striped: target_stripe=0, bdev=7:2, start=2048 len=22528
     device-mapper: striped: target_stripe=1, bdev=7:3, start=2048 len=22528
    
    Fixes: 7dd76d1feec70 ("dm: improve bio splitting and associated IO accounting")
    Cc: stable@vger.kernel.org
    Reported-by: Orange Kao <orange@aiven.io>
    Signed-off-by: Mike Snitzer <snitzer@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d7c67be755ccc488c7c2ae9b98bbd8b6409be4f6
Author: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Date:   Wed Mar 29 13:16:01 2023 +0900

    zonefs: Always invalidate last cached page on append write
    
    commit c1976bd8f23016d8706973908f2bb0ac0d852a8f upstream.
    
    When a direct append write is executed, the append offset may correspond
    to the last page of a sequential file inode which might have been cached
    already by buffered reads, page faults with mmap-read or non-direct
    readahead. To ensure that the on-disk and cached data is consistant for
    such last cached page, make sure to always invalidate it in
    zonefs_file_dio_append(). If the invalidation fails, return -EBUSY to
    userspace to differentiate from IO errors.
    
    This invalidation will always be a no-op when the FS block size (device
    zone write granularity) is equal to the page size (e.g. 4K).
    
    Reported-by: Hans Holmberg <Hans.Holmberg@wdc.com>
    Fixes: 02ef12a663c7 ("zonefs: use REQ_OP_ZONE_APPEND for sync DIO")
    Cc: stable@vger.kernel.org
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Tested-by: Hans Holmberg <hans.holmberg@wdc.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4d35d375efedce73bdc3c66472bad740c5ced9de
Author: Ronak Doshi <doshir@vmware.com>
Date:   Thu Mar 23 13:07:21 2023 -0700

    vmxnet3: use gro callback when UPT is enabled
    
    commit 3bced313b9a5a237c347e0f079c8c2fe4b3935aa upstream.
    
    Currently, vmxnet3 uses GRO callback only if LRO is disabled. However,
    on smartNic based setups where UPT is supported, LRO can be enabled
    from guest VM but UPT devicve does not support LRO as of now. In such
    cases, there can be performance degradation as GRO is not being done.
    
    This patch fixes this issue by calling GRO API when UPT is enabled. We
    use updateRxProd to determine if UPT mode is active or not.
    
    To clarify few things discussed over the thread:
    The patch is not neglecting any feature bits nor disabling GRO. It uses
    GRO callback when UPT is active as LRO is not available in UPT.
    GRO callback cannot be used as default for all cases as it degrades
    performance for non-UPT cases or for cases when LRO is already done in
    ESXi.
    
    Cc: stable@vger.kernel.org
    Fixes: 6f91f4ba046e ("vmxnet3: add support for capability registers")
    Signed-off-by: Ronak Doshi <doshir@vmware.com>
    Reviewed-by: Simon Horman <simon.horman@corigine.com>
    Link: https://lore.kernel.org/r/20230323200721.27622-1-doshir@vmware.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d67b3cdacac911958c6353f043fe98d42c84f5ad
Author: Pavel Begunkov <asml.silence@gmail.com>
Date:   Thu Mar 30 06:52:38 2023 -0600

    io_uring: fix poll/netmsg alloc caches
    
    commit fd30d1cdcc4ff405fc54765edf2e11b03f2ed4f3 upstream.
    
    We increase cache->nr_cached when we free into the cache but don't
    decrease when we take from it, so in some time we'll get an empty
    cache with cache->nr_cached larger than IO_ALLOC_CACHE_MAX, that fails
    io_alloc_cache_put() and effectively disables caching.
    
    Fixes: 9b797a37c4bd8 ("io_uring: add abstraction around apoll cache")
    Cc: stable@vger.kernel.org
    Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ef329fa764c3c27f43db0f7c57adbe84e9a07f00
Author: Pavel Begunkov <asml.silence@gmail.com>
Date:   Wed Mar 29 15:03:43 2023 +0100

    io_uring/rsrc: fix rogue rsrc node grabbing
    
    commit 4ff0b50de8cabba055efe50bbcb7506c41a69835 upstream.
    
    We should not be looking at ctx->rsrc_node and anyhow modifying the node
    without holding uring_lock, grabbing references in such a way is not
    safe either.
    
    Cc: stable@vger.kernel.org
    Fixes: 5106dd6e74ab6 ("io_uring: propagate issue_flags state down to file assignment")
    Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
    Link: https://lore.kernel.org/r/1202ede2d7bb90136e3482b2b84aad9ed483e5d6.1680098433.git.asml.silence@gmail.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3eb2138d4693d81aa6e5514f439be255117cae63
Author: Jens Axboe <axboe@kernel.dk>
Date:   Mon Mar 27 19:56:18 2023 -0600

    io_uring/poll: clear single/double poll flags on poll arming
    
    commit 005308f7bdacf5685ed1a431244a183dbbb9e0e8 upstream.
    
    Unless we have at least one entry queued, then don't call into
    io_poll_remove_entries(). Normally this isn't possible, but if we
    retry poll then we can have ->nr_entries cleared again as we're
    setting it up. If this happens for a poll retry, then we'll still have
    at least REQ_F_SINGLE_POLL set. io_poll_remove_entries() then thinks
    it has entries to remove.
    
    Clear REQ_F_SINGLE_POLL and REQ_F_DOUBLE_POLL unconditionally when
    arming a poll request.
    
    Fixes: c16bda37594f ("io_uring/poll: allow some retries for poll triggering spuriously")
    Cc: stable@vger.kernel.org
    Reported-by: Pengfei Xu <pengfei.xu@intel.com>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e5da11825ef7c3f4760b235e04e225e7c8746279
Author: Jens Axboe <axboe@kernel.dk>
Date:   Mon Mar 20 20:01:25 2023 -0600

    block/io_uring: pass in issue_flags for uring_cmd task_work handling
    
    commit 9d2789ac9d60c049d26ef6d3005d9c94c5a559e9 upstream.
    
    io_uring_cmd_done() currently assumes that the uring_lock is held
    when invoked, and while it generally is, this is not guaranteed.
    Pass in the issue_flags associated with it, so that we have
    IO_URING_F_UNLOCKED available to be able to lock the CQ ring
    appropriately when completing events.
    
    Cc: stable@vger.kernel.org
    Fixes: ee692a21e9bf ("fs,io_uring: add infrastructure for uring-cmd")
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4a8f1f5122667b1e54327ddbab7cfd096ac7dc00
Author: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Date:   Thu Mar 30 09:47:58 2023 +0900

    zonefs: Do not propagate iomap_dio_rw() ENOTBLK error to user space
    
    commit 77af13ba3c7f91d91c377c7e2d122849bbc17128 upstream.
    
    The call to invalidate_inode_pages2_range() in __iomap_dio_rw() may
    fail, in which case -ENOTBLK is returned and this error code is
    propagated back to user space trhough iomap_dio_rw() ->
    zonefs_file_dio_write() return chain. This error code is fairly obscure
    and may confuse the user. Avoid this and be consistent with the behavior
    of zonefs_file_dio_append() for similar invalidate_inode_pages2_range()
    errors by returning -EBUSY to user space when iomap_dio_rw() returns
    -ENOTBLK.
    
    Suggested-by: Christoph Hellwig <hch@infradead.org>
    Fixes: 8dcc1a9d90c1 ("fs: New zonefs file system")
    Cc: stable@vger.kernel.org
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Tested-by: Hans Holmberg <hans.holmberg@wdc.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8a6539ea362eb2cae3148012dbc9c6bc943c1b6a
Author: Anand Jain <anand.jain@oracle.com>
Date:   Thu Mar 23 15:56:48 2023 +0800

    btrfs: scan device in non-exclusive mode
    
    commit 50d281fc434cb8e2497f5e70a309ccca6b1a09f0 upstream.
    
    This fixes mkfs/mount/check failures due to race with systemd-udevd
    scan.
    
    During the device scan initiated by systemd-udevd, other user space
    EXCL operations such as mkfs, mount, or check may get blocked and result
    in a "Device or resource busy" error. This is because the device
    scan process opens the device with the EXCL flag in the kernel.
    
    Two reports were received:
    
     - btrfs/179 test case, where the fsck command failed with the -EBUSY
       error
    
     - LTP pwritev03 test case, where mkfs.vfs failed with
       the -EBUSY error, when mkfs.vfs tried to overwrite old btrfs filesystem
       on the device.
    
    In both cases, fsck and mkfs (respectively) were racing with a
    systemd-udevd device scan, and systemd-udevd won, resulting in the
    -EBUSY error for fsck and mkfs.
    
    Reproducing the problem has been difficult because there is a very
    small window during which these userspace threads can race to
    acquire the exclusive device open. Even on the system where the problem
    was observed, the problem occurrences were anywhere between 10 to 400
    iterations and chances of reproducing decreases with debug printk()s.
    
    However, an exclusive device open is unnecessary for the scan process,
    as there are no write operations on the device during scan. Furthermore,
    during the mount process, the superblock is re-read in the below
    function call chain:
    
      btrfs_mount_root
       btrfs_open_devices
        open_fs_devices
         btrfs_open_one_device
           btrfs_get_bdev_and_sb
    
    So, to fix this issue, removes the FMODE_EXCL flag from the scan
    operation, and add a comment.
    
    The case where mkfs may still write to the device and a scan is running,
    the btrfs signature is not written at that time so scan will not
    recognize such device.
    
    Reported-by: Sherry Yang <sherry.yang@oracle.com>
    Reported-by: kernel test robot <oliver.sang@intel.com>
    Link: https://lore.kernel.org/oe-lkp/202303170839.fdf23068-oliver.sang@intel.com
    CC: stable@vger.kernel.org # 5.4+
    Signed-off-by: Anand Jain <anand.jain@oracle.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a38ff2024805a30d9b96f52557c6ea0bbc31252a
Author: Filipe Manana <fdmanana@suse.com>
Date:   Wed Mar 22 10:33:28 2023 +0000

    btrfs: fix race between quota disable and quota assign ioctls
    
    commit 2f1a6be12ab6c8470d5776e68644726c94257c54 upstream.
    
    The quota assign ioctl can currently run in parallel with a quota disable
    ioctl call. The assign ioctl uses the quota root, while the disable ioctl
    frees that root, and therefore we can have a use-after-free triggered in
    the assign ioctl, leading to a trace like the following when KASAN is
    enabled:
    
      [672.723][T736] BUG: KASAN: slab-use-after-free in btrfs_search_slot+0x2962/0x2db0
      [672.723][T736] Read of size 8 at addr ffff888022ec0208 by task btrfs_search_sl/27736
      [672.724][T736]
      [672.725][T736] CPU: 1 PID: 27736 Comm: btrfs_search_sl Not tainted 6.3.0-rc3 #37
      [672.723][T736] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
      [672.727][T736] Call Trace:
      [672.728][T736]  <TASK>
      [672.728][T736]  dump_stack_lvl+0xd9/0x150
      [672.725][T736]  print_report+0xc1/0x5e0
      [672.720][T736]  ? __virt_addr_valid+0x61/0x2e0
      [672.727][T736]  ? __phys_addr+0xc9/0x150
      [672.725][T736]  ? btrfs_search_slot+0x2962/0x2db0
      [672.722][T736]  kasan_report+0xc0/0xf0
      [672.729][T736]  ? btrfs_search_slot+0x2962/0x2db0
      [672.724][T736]  btrfs_search_slot+0x2962/0x2db0
      [672.723][T736]  ? fs_reclaim_acquire+0xba/0x160
      [672.722][T736]  ? split_leaf+0x13d0/0x13d0
      [672.726][T736]  ? rcu_is_watching+0x12/0xb0
      [672.723][T736]  ? kmem_cache_alloc+0x338/0x3c0
      [672.722][T736]  update_qgroup_status_item+0xf7/0x320
      [672.724][T736]  ? add_qgroup_rb+0x3d0/0x3d0
      [672.739][T736]  ? do_raw_spin_lock+0x12d/0x2b0
      [672.730][T736]  ? spin_bug+0x1d0/0x1d0
      [672.737][T736]  btrfs_run_qgroups+0x5de/0x840
      [672.730][T736]  ? btrfs_qgroup_rescan_worker+0xa70/0xa70
      [672.738][T736]  ? __del_qgroup_relation+0x4ba/0xe00
      [672.738][T736]  btrfs_ioctl+0x3d58/0x5d80
      [672.735][T736]  ? tomoyo_path_number_perm+0x16a/0x550
      [672.737][T736]  ? tomoyo_execute_permission+0x4a0/0x4a0
      [672.731][T736]  ? btrfs_ioctl_get_supported_features+0x50/0x50
      [672.737][T736]  ? __sanitizer_cov_trace_switch+0x54/0x90
      [672.734][T736]  ? do_vfs_ioctl+0x132/0x1660
      [672.730][T736]  ? vfs_fileattr_set+0xc40/0xc40
      [672.730][T736]  ? _raw_spin_unlock_irq+0x2e/0x50
      [672.732][T736]  ? sigprocmask+0xf2/0x340
      [672.737][T736]  ? __fget_files+0x26a/0x480
      [672.732][T736]  ? bpf_lsm_file_ioctl+0x9/0x10
      [672.738][T736]  ? btrfs_ioctl_get_supported_features+0x50/0x50
      [672.736][T736]  __x64_sys_ioctl+0x198/0x210
      [672.736][T736]  do_syscall_64+0x39/0xb0
      [672.731][T736]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
      [672.739][T736] RIP: 0033:0x4556ad
      [672.742][T736]  </TASK>
      [672.743][T736]
      [672.748][T736] Allocated by task 27677:
      [672.743][T736]  kasan_save_stack+0x22/0x40
      [672.741][T736]  kasan_set_track+0x25/0x30
      [672.741][T736]  __kasan_kmalloc+0xa4/0xb0
      [672.749][T736]  btrfs_alloc_root+0x48/0x90
      [672.746][T736]  btrfs_create_tree+0x146/0xa20
      [672.744][T736]  btrfs_quota_enable+0x461/0x1d20
      [672.743][T736]  btrfs_ioctl+0x4a1c/0x5d80
      [672.747][T736]  __x64_sys_ioctl+0x198/0x210
      [672.749][T736]  do_syscall_64+0x39/0xb0
      [672.744][T736]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
      [672.756][T736]
      [672.757][T736] Freed by task 27677:
      [672.759][T736]  kasan_save_stack+0x22/0x40
      [672.759][T736]  kasan_set_track+0x25/0x30
      [672.756][T736]  kasan_save_free_info+0x2e/0x50
      [672.751][T736]  ____kasan_slab_free+0x162/0x1c0
      [672.758][T736]  slab_free_freelist_hook+0x89/0x1c0
      [672.752][T736]  __kmem_cache_free+0xaf/0x2e0
      [672.752][T736]  btrfs_put_root+0x1ff/0x2b0
      [672.759][T736]  btrfs_quota_disable+0x80a/0xbc0
      [672.752][T736]  btrfs_ioctl+0x3e5f/0x5d80
      [672.756][T736]  __x64_sys_ioctl+0x198/0x210
      [672.753][T736]  do_syscall_64+0x39/0xb0
      [672.765][T736]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
      [672.769][T736]
      [672.768][T736] The buggy address belongs to the object at ffff888022ec0000
      [672.768][T736]  which belongs to the cache kmalloc-4k of size 4096
      [672.769][T736] The buggy address is located 520 bytes inside of
      [672.769][T736]  freed 4096-byte region [ffff888022ec0000, ffff888022ec1000)
      [672.760][T736]
      [672.764][T736] The buggy address belongs to the physical page:
      [672.761][T736] page:ffffea00008bb000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22ec0
      [672.766][T736] head:ffffea00008bb000 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
      [672.779][T736] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
      [672.770][T736] raw: 00fff00000010200 ffff888012842140 ffffea000054ba00 dead000000000002
      [672.770][T736] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
      [672.771][T736] page dumped because: kasan: bad access detected
      [672.778][T736] page_owner tracks the page as allocated
      [672.777][T736] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 88
      [672.779][T736]  get_page_from_freelist+0x119c/0x2d50
      [672.779][T736]  __alloc_pages+0x1cb/0x4a0
      [672.776][T736]  alloc_pages+0x1aa/0x270
      [672.773][T736]  allocate_slab+0x260/0x390
      [672.771][T736]  ___slab_alloc+0xa9a/0x13e0
      [672.778][T736]  __slab_alloc.constprop.0+0x56/0xb0
      [672.771][T736]  __kmem_cache_alloc_node+0x136/0x320
      [672.789][T736]  __kmalloc+0x4e/0x1a0
      [672.783][T736]  tomoyo_realpath_from_path+0xc3/0x600
      [672.781][T736]  tomoyo_path_perm+0x22f/0x420
      [672.782][T736]  tomoyo_path_unlink+0x92/0xd0
      [672.780][T736]  security_path_unlink+0xdb/0x150
      [672.788][T736]  do_unlinkat+0x377/0x680
      [672.788][T736]  __x64_sys_unlink+0xca/0x110
      [672.789][T736]  do_syscall_64+0x39/0xb0
      [672.783][T736]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
      [672.784][T736] page last free stack trace:
      [672.787][T736]  free_pcp_prepare+0x4e5/0x920
      [672.787][T736]  free_unref_page+0x1d/0x4e0
      [672.784][T736]  __unfreeze_partials+0x17c/0x1a0
      [672.797][T736]  qlist_free_all+0x6a/0x180
      [672.796][T736]  kasan_quarantine_reduce+0x189/0x1d0
      [672.797][T736]  __kasan_slab_alloc+0x64/0x90
      [672.793][T736]  kmem_cache_alloc+0x17c/0x3c0
      [672.799][T736]  getname_flags.part.0+0x50/0x4e0
      [672.799][T736]  getname_flags+0x9e/0xe0
      [672.792][T736]  vfs_fstatat+0x77/0xb0
      [672.791][T736]  __do_sys_newlstat+0x84/0x100
      [672.798][T736]  do_syscall_64+0x39/0xb0
      [672.796][T736]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
      [672.790][T736]
      [672.791][T736] Memory state around the buggy address:
      [672.799][T736]  ffff888022ec0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [672.805][T736]  ffff888022ec0180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [672.802][T736] >ffff888022ec0200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [672.809][T736]                       ^
      [672.809][T736]  ffff888022ec0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [672.809][T736]  ffff888022ec0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    
    Fix this by having the qgroup assign ioctl take the qgroup ioctl mutex
    before calling btrfs_run_qgroups(), which is what all qgroup ioctls should
    call.
    
    Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
    Link: https://lore.kernel.org/linux-btrfs/CAFcO6XN3VD8ogmHwqRk4kbiwtpUSNySu2VAxN8waEPciCHJvMA@mail.gmail.com/
    CC: stable@vger.kernel.org # 5.10+
    Reviewed-by: Qu Wenruo <wqu@suse.com>
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6134a4bb6b1c411a244edee041ac89266c78d45c
Author: Filipe Manana <fdmanana@suse.com>
Date:   Wed Mar 22 09:46:34 2023 +0000

    btrfs: fix deadlock when aborting transaction during relocation with scrub
    
    commit 2d82a40aa7d6fcae0250ec68b8566cdee7bfd44c upstream.
    
    Before relocating a block group we pause scrub, then do the relocation and
    then unpause scrub. The relocation process requires starting and committing
    a transaction, and if we have a failure in the critical section of the
    transaction commit path (transaction state >= TRANS_STATE_COMMIT_START),
    we will deadlock if there is a paused scrub.
    
    That results in stack traces like the following:
    
      [42.479] BTRFS info (device sdc): relocating block group 53876686848 flags metadata|raid6
      [42.936] BTRFS warning (device sdc): Skipping commit of aborted transaction.
      [42.936] ------------[ cut here ]------------
      [42.936] BTRFS: Transaction aborted (error -28)
      [42.936] WARNING: CPU: 11 PID: 346822 at fs/btrfs/transaction.c:1977 btrfs_commit_transaction+0xcc8/0xeb0 [btrfs]
      [42.936] Modules linked in: dm_flakey dm_mod loop btrfs (...)
      [42.936] CPU: 11 PID: 346822 Comm: btrfs Tainted: G        W          6.3.0-rc2-btrfs-next-127+ #1
      [42.936] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
      [42.936] RIP: 0010:btrfs_commit_transaction+0xcc8/0xeb0 [btrfs]
      [42.936] Code: ff ff 45 8b (...)
      [42.936] RSP: 0018:ffffb58649633b48 EFLAGS: 00010282
      [42.936] RAX: 0000000000000000 RBX: ffff8be6ef4d5bd8 RCX: 0000000000000000
      [42.936] RDX: 0000000000000002 RSI: ffffffffb35e7782 RDI: 00000000ffffffff
      [42.936] RBP: ffff8be6ef4d5c98 R08: 0000000000000000 R09: ffffb586496339e8
      [42.936] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8be6d38c7c00
      [42.936] R13: 00000000ffffffe4 R14: ffff8be6c268c000 R15: ffff8be6ef4d5cf0
      [42.936] FS:  00007f381a82b340(0000) GS:ffff8beddfcc0000(0000) knlGS:0000000000000000
      [42.936] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [42.936] CR2: 00007f1e35fb7638 CR3: 0000000117680006 CR4: 0000000000370ee0
      [42.936] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [42.936] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [42.936] Call Trace:
      [42.936]  <TASK>
      [42.936]  ? start_transaction+0xcb/0x610 [btrfs]
      [42.936]  prepare_to_relocate+0x111/0x1a0 [btrfs]
      [42.936]  relocate_block_group+0x57/0x5d0 [btrfs]
      [42.936]  ? btrfs_wait_nocow_writers+0x25/0xb0 [btrfs]
      [42.936]  btrfs_relocate_block_group+0x248/0x3c0 [btrfs]
      [42.936]  ? __pfx_autoremove_wake_function+0x10/0x10
      [42.936]  btrfs_relocate_chunk+0x3b/0x150 [btrfs]
      [42.936]  btrfs_balance+0x8ff/0x11d0 [btrfs]
      [42.936]  ? __kmem_cache_alloc_node+0x14a/0x410
      [42.936]  btrfs_ioctl+0x2334/0x32c0 [btrfs]
      [42.937]  ? mod_objcg_state+0xd2/0x360
      [42.937]  ? refill_obj_stock+0xb0/0x160
      [42.937]  ? seq_release+0x25/0x30
      [42.937]  ? __rseq_handle_notify_resume+0x3b5/0x4b0
      [42.937]  ? percpu_counter_add_batch+0x2e/0xa0
      [42.937]  ? __x64_sys_ioctl+0x88/0xc0
      [42.937]  __x64_sys_ioctl+0x88/0xc0
      [42.937]  do_syscall_64+0x38/0x90
      [42.937]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
      [42.937] RIP: 0033:0x7f381a6ffe9b
      [42.937] Code: 00 48 89 44 24 (...)
      [42.937] RSP: 002b:00007ffd45ecf060 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      [42.937] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f381a6ffe9b
      [42.937] RDX: 00007ffd45ecf150 RSI: 00000000c4009420 RDI: 0000000000000003
      [42.937] RBP: 0000000000000003 R08: 0000000000000013 R09: 0000000000000000
      [42.937] R10: 00007f381a60c878 R11: 0000000000000246 R12: 00007ffd45ed0423
      [42.937] R13: 00007ffd45ecf150 R14: 0000000000000000 R15: 00007ffd45ecf148
      [42.937]  </TASK>
      [42.937] ---[ end trace 0000000000000000 ]---
      [42.937] BTRFS: error (device sdc: state A) in cleanup_transaction:1977: errno=-28 No space left
      [59.196] INFO: task btrfs:346772 blocked for more than 120 seconds.
      [59.196]       Tainted: G        W          6.3.0-rc2-btrfs-next-127+ #1
      [59.196] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [59.196] task:btrfs           state:D stack:0     pid:346772 ppid:1      flags:0x00004002
      [59.196] Call Trace:
      [59.196]  <TASK>
      [59.196]  __schedule+0x392/0xa70
      [59.196]  ? __pv_queued_spin_lock_slowpath+0x165/0x370
      [59.196]  schedule+0x5d/0xd0
      [59.196]  __scrub_blocked_if_needed+0x74/0xc0 [btrfs]
      [59.197]  ? __pfx_autoremove_wake_function+0x10/0x10
      [59.197]  scrub_pause_off+0x21/0x50 [btrfs]
      [59.197]  scrub_simple_mirror+0x1c7/0x950 [btrfs]
      [59.197]  ? scrub_parity_put+0x1a5/0x1d0 [btrfs]
      [59.198]  ? __pfx_autoremove_wake_function+0x10/0x10
      [59.198]  scrub_stripe+0x20d/0x740 [btrfs]
      [59.198]  scrub_chunk+0xc4/0x130 [btrfs]
      [59.198]  scrub_enumerate_chunks+0x3e4/0x7a0 [btrfs]
      [59.198]  ? __pfx_autoremove_wake_function+0x10/0x10
      [59.198]  btrfs_scrub_dev+0x236/0x6a0 [btrfs]
      [59.199]  ? btrfs_ioctl+0xd97/0x32c0 [btrfs]
      [59.199]  ? _copy_from_user+0x7b/0x80
      [59.199]  btrfs_ioctl+0xde1/0x32c0 [btrfs]
      [59.199]  ? refill_stock+0x33/0x50
      [59.199]  ? should_failslab+0xa/0x20
      [59.199]  ? kmem_cache_alloc_node+0x151/0x460
      [59.199]  ? alloc_io_context+0x1b/0x80
      [59.199]  ? preempt_count_add+0x70/0xa0
      [59.199]  ? __x64_sys_ioctl+0x88/0xc0
      [59.199]  __x64_sys_ioctl+0x88/0xc0
      [59.199]  do_syscall_64+0x38/0x90
      [59.199]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
      [59.199] RIP: 0033:0x7f82ffaffe9b
      [59.199] RSP: 002b:00007f82ff9fcc50 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      [59.199] RAX: ffffffffffffffda RBX: 000055b191e36310 RCX: 00007f82ffaffe9b
      [59.199] RDX: 000055b191e36310 RSI: 00000000c400941b RDI: 0000000000000003
      [59.199] RBP: 0000000000000000 R08: 00007fff1575016f R09: 0000000000000000
      [59.199] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f82ff9fd640
      [59.199] R13: 000000000000006b R14: 00007f82ffa87580 R15: 0000000000000000
      [59.199]  </TASK>
      [59.199] INFO: task btrfs:346773 blocked for more than 120 seconds.
      [59.200]       Tainted: G        W          6.3.0-rc2-btrfs-next-127+ #1
      [59.200] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [59.201] task:btrfs           state:D stack:0     pid:346773 ppid:1      flags:0x00004002
      [59.201] Call Trace:
      [59.201]  <TASK>
      [59.201]  __schedule+0x392/0xa70
      [59.201]  ? __pv_queued_spin_lock_slowpath+0x165/0x370
      [59.201]  schedule+0x5d/0xd0
      [59.201]  __scrub_blocked_if_needed+0x74/0xc0 [btrfs]
      [59.201]  ? __pfx_autoremove_wake_function+0x10/0x10
      [59.201]  scrub_pause_off+0x21/0x50 [btrfs]
      [59.202]  scrub_simple_mirror+0x1c7/0x950 [btrfs]
      [59.202]  ? scrub_parity_put+0x1a5/0x1d0 [btrfs]
      [59.202]  ? __pfx_autoremove_wake_function+0x10/0x10
      [59.202]  scrub_stripe+0x20d/0x740 [btrfs]
      [59.202]  scrub_chunk+0xc4/0x130 [btrfs]
      [59.203]  scrub_enumerate_chunks+0x3e4/0x7a0 [btrfs]
      [59.203]  ? __pfx_autoremove_wake_function+0x10/0x10
      [59.203]  btrfs_scrub_dev+0x236/0x6a0 [btrfs]
      [59.203]  ? btrfs_ioctl+0xd97/0x32c0 [btrfs]
      [59.203]  ? _copy_from_user+0x7b/0x80
      [59.203]  btrfs_ioctl+0xde1/0x32c0 [btrfs]
      [59.204]  ? should_failslab+0xa/0x20
      [59.204]  ? kmem_cache_alloc_node+0x151/0x460
      [59.204]  ? alloc_io_context+0x1b/0x80
      [59.204]  ? preempt_count_add+0x70/0xa0
      [59.204]  ? __x64_sys_ioctl+0x88/0xc0
      [59.204]  __x64_sys_ioctl+0x88/0xc0
      [59.204]  do_syscall_64+0x38/0x90
      [59.204]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
      [59.204] RIP: 0033:0x7f82ffaffe9b
      [59.204] RSP: 002b:00007f82ff1fbc50 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      [59.204] RAX: ffffffffffffffda RBX: 000055b191e36790 RCX: 00007f82ffaffe9b
      [59.204] RDX: 000055b191e36790 RSI: 00000000c400941b RDI: 0000000000000003
      [59.204] RBP: 0000000000000000 R08: 00007fff1575016f R09: 0000000000000000
      [59.204] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f82ff1fc640
      [59.204] R13: 000000000000006b R14: 00007f82ffa87580 R15: 0000000000000000
      [59.204]  </TASK>
      [59.204] INFO: task btrfs:346774 blocked for more than 120 seconds.
      [59.205]       Tainted: G        W          6.3.0-rc2-btrfs-next-127+ #1
      [59.205] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [59.206] task:btrfs           state:D stack:0     pid:346774 ppid:1      flags:0x00004002
      [59.206] Call Trace:
      [59.206]  <TASK>
      [59.206]  __schedule+0x392/0xa70
      [59.206]  schedule+0x5d/0xd0
      [59.206]  __scrub_blocked_if_needed+0x74/0xc0 [btrfs]
      [59.206]  ? __pfx_autoremove_wake_function+0x10/0x10
      [59.206]  scrub_pause_off+0x21/0x50 [btrfs]
      [59.207]  scrub_simple_mirror+0x1c7/0x950 [btrfs]
      [59.207]  ? scrub_parity_put+0x1a5/0x1d0 [btrfs]
      [59.207]  ? __pfx_autoremove_wake_function+0x10/0x10
      [59.207]  scrub_stripe+0x20d/0x740 [btrfs]
      [59.208]  scrub_chunk+0xc4/0x130 [btrfs]
      [59.208]  scrub_enumerate_chunks+0x3e4/0x7a0 [btrfs]
      [59.208]  ? __mutex_unlock_slowpath.isra.0+0x9a/0x120
      [59.208]  btrfs_scrub_dev+0x236/0x6a0 [btrfs]
      [59.208]  ? btrfs_ioctl+0xd97/0x32c0 [btrfs]
      [59.209]  ? _copy_from_user+0x7b/0x80
      [59.209]  btrfs_ioctl+0xde1/0x32c0 [btrfs]
      [59.209]  ? should_failslab+0xa/0x20
      [59.209]  ? kmem_cache_alloc_node+0x151/0x460
      [59.209]  ? alloc_io_context+0x1b/0x80
      [59.209]  ? preempt_count_add+0x70/0xa0
      [59.209]  ? __x64_sys_ioctl+0x88/0xc0
      [59.209]  __x64_sys_ioctl+0x88/0xc0
      [59.209]  do_syscall_64+0x38/0x90
      [59.209]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
      [59.209] RIP: 0033:0x7f82ffaffe9b
      [59.209] RSP: 002b:00007f82fe9fac50 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      [59.209] RAX: ffffffffffffffda RBX: 000055b191e36c10 RCX: 00007f82ffaffe9b
      [59.209] RDX: 000055b191e36c10 RSI: 00000000c400941b RDI: 0000000000000003
      [59.209] RBP: 0000000000000000 R08: 00007fff1575016f R09: 0000000000000000
      [59.209] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f82fe9fb640
      [59.209] R13: 000000000000006b R14: 00007f82ffa87580 R15: 0000000000000000
      [59.209]  </TASK>
      [59.209] INFO: task btrfs:346775 blocked for more than 120 seconds.
      [59.210]       Tainted: G        W          6.3.0-rc2-btrfs-next-127+ #1
      [59.210] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [59.211] task:btrfs           state:D stack:0     pid:346775 ppid:1      flags:0x00004002
      [59.211] Call Trace:
      [59.211]  <TASK>
      [59.211]  __schedule+0x392/0xa70
      [59.211]  schedule+0x5d/0xd0
      [59.211]  __scrub_blocked_if_needed+0x74/0xc0 [btrfs]
      [59.211]  ? __pfx_autoremove_wake_function+0x10/0x10
      [59.211]  scrub_pause_off+0x21/0x50 [btrfs]
      [59.212]  scrub_simple_mirror+0x1c7/0x950 [btrfs]
      [59.212]  ? scrub_parity_put+0x1a5/0x1d0 [btrfs]
      [59.212]  ? __pfx_autoremove_wake_function+0x10/0x10
      [59.212]  scrub_stripe+0x20d/0x740 [btrfs]
      [59.213]  scrub_chunk+0xc4/0x130 [btrfs]
      [59.213]  scrub_enumerate_chunks+0x3e4/0x7a0 [btrfs]
      [59.213]  ? __mutex_unlock_slowpath.isra.0+0x9a/0x120
      [59.213]  btrfs_scrub_dev+0x236/0x6a0 [btrfs]
      [59.213]  ? btrfs_ioctl+0xd97/0x32c0 [btrfs]
      [59.214]  ? _copy_from_user+0x7b/0x80
      [59.214]  btrfs_ioctl+0xde1/0x32c0 [btrfs]
      [59.214]  ? should_failslab+0xa/0x20
      [59.214]  ? kmem_cache_alloc_node+0x151/0x460
      [59.214]  ? alloc_io_context+0x1b/0x80
      [59.214]  ? preempt_count_add+0x70/0xa0
      [59.214]  ? __x64_sys_ioctl+0x88/0xc0
      [59.214]  __x64_sys_ioctl+0x88/0xc0
      [59.214]  do_syscall_64+0x38/0x90
      [59.214]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
      [59.214] RIP: 0033:0x7f82ffaffe9b
      [59.214] RSP: 002b:00007f82fe1f9c50 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      [59.214] RAX: ffffffffffffffda RBX: 000055b191e37090 RCX: 00007f82ffaffe9b
      [59.214] RDX: 000055b191e37090 RSI: 00000000c400941b RDI: 0000000000000003
      [59.214] RBP: 0000000000000000 R08: 00007fff1575016f R09: 0000000000000000
      [59.214] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f82fe1fa640
      [59.214] R13: 000000000000006b R14: 00007f82ffa87580 R15: 0000000000000000
      [59.214]  </TASK>
      [59.214] INFO: task btrfs:346776 blocked for more than 120 seconds.
      [59.215]       Tainted: G        W          6.3.0-rc2-btrfs-next-127+ #1
      [59.216] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [59.217] task:btrfs           state:D stack:0     pid:346776 ppid:1      flags:0x00004002
      [59.217] Call Trace:
      [59.217]  <TASK>
      [59.217]  __schedule+0x392/0xa70
      [59.217]  ? __pv_queued_spin_lock_slowpath+0x165/0x370
      [59.217]  schedule+0x5d/0xd0
      [59.217]  __scrub_blocked_if_needed+0x74/0xc0 [btrfs]
      [59.217]  ? __pfx_autoremove_wake_function+0x10/0x10
      [59.217]  scrub_pause_off+0x21/0x50 [btrfs]
      [59.217]  scrub_simple_mirror+0x1c7/0x950 [btrfs]
      [59.217]  ? scrub_parity_put+0x1a5/0x1d0 [btrfs]
      [59.218]  ? __pfx_autoremove_wake_function+0x10/0x10
      [59.218]  scrub_stripe+0x20d/0x740 [btrfs]
      [59.218]  scrub_chunk+0xc4/0x130 [btrfs]
      [59.218]  scrub_enumerate_chunks+0x3e4/0x7a0 [btrfs]
      [59.219]  ? __pfx_autoremove_wake_function+0x10/0x10
      [59.219]  btrfs_scrub_dev+0x236/0x6a0 [btrfs]
      [59.219]  ? btrfs_ioctl+0xd97/0x32c0 [btrfs]
      [59.219]  ? _copy_from_user+0x7b/0x80
      [59.219]  btrfs_ioctl+0xde1/0x32c0 [btrfs]
      [59.219]  ? should_failslab+0xa/0x20
      [59.219]  ? kmem_cache_alloc_node+0x151/0x460
      [59.219]  ? alloc_io_context+0x1b/0x80
      [59.219]  ? preempt_count_add+0x70/0xa0
      [59.219]  ? __x64_sys_ioctl+0x88/0xc0
      [59.219]  __x64_sys_ioctl+0x88/0xc0
      [59.219]  do_syscall_64+0x38/0x90
      [59.219]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
      [59.219] RIP: 0033:0x7f82ffaffe9b
      [59.219] RSP: 002b:00007f82fd9f8c50 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      [59.219] RAX: ffffffffffffffda RBX: 000055b191e37510 RCX: 00007f82ffaffe9b
      [59.219] RDX: 000055b191e37510 RSI: 00000000c400941b RDI: 0000000000000003
      [59.219] RBP: 0000000000000000 R08: 00007fff1575016f R09: 0000000000000000
      [59.219] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f82fd9f9640
      [59.219] R13: 000000000000006b R14: 00007f82ffa87580 R15: 0000000000000000
      [59.219]  </TASK>
      [59.219] INFO: task btrfs:346822 blocked for more than 120 seconds.
      [59.220]       Tainted: G        W          6.3.0-rc2-btrfs-next-127+ #1
      [59.221] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [59.222] task:btrfs           state:D stack:0     pid:346822 ppid:1      flags:0x00004002
      [59.222] Call Trace:
      [59.222]  <TASK>
      [59.222]  __schedule+0x392/0xa70
      [59.222]  schedule+0x5d/0xd0
      [59.222]  btrfs_scrub_cancel+0x91/0x100 [btrfs]
      [59.222]  ? __pfx_autoremove_wake_function+0x10/0x10
      [59.222]  btrfs_commit_transaction+0x572/0xeb0 [btrfs]
      [59.223]  ? start_transaction+0xcb/0x610 [btrfs]
      [59.223]  prepare_to_relocate+0x111/0x1a0 [btrfs]
      [59.223]  relocate_block_group+0x57/0x5d0 [btrfs]
      [59.223]  ? btrfs_wait_nocow_writers+0x25/0xb0 [btrfs]
      [59.223]  btrfs_relocate_block_group+0x248/0x3c0 [btrfs]
      [59.224]  ? __pfx_autoremove_wake_function+0x10/0x10
      [59.224]  btrfs_relocate_chunk+0x3b/0x150 [btrfs]
      [59.224]  btrfs_balance+0x8ff/0x11d0 [btrfs]
      [59.224]  ? __kmem_cache_alloc_node+0x14a/0x410
      [59.224]  btrfs_ioctl+0x2334/0x32c0 [btrfs]
      [59.225]  ? mod_objcg_state+0xd2/0x360
      [59.225]  ? refill_obj_stock+0xb0/0x160
      [59.225]  ? seq_release+0x25/0x30
      [59.225]  ? __rseq_handle_notify_resume+0x3b5/0x4b0
      [59.225]  ? percpu_counter_add_batch+0x2e/0xa0
      [59.225]  ? __x64_sys_ioctl+0x88/0xc0
      [59.225]  __x64_sys_ioctl+0x88/0xc0
      [59.225]  do_syscall_64+0x38/0x90
      [59.225]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
      [59.225] RIP: 0033:0x7f381a6ffe9b
      [59.225] RSP: 002b:00007ffd45ecf060 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      [59.225] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f381a6ffe9b
      [59.225] RDX: 00007ffd45ecf150 RSI: 00000000c4009420 RDI: 0000000000000003
      [59.225] RBP: 0000000000000003 R08: 0000000000000013 R09: 0000000000000000
      [59.225] R10: 00007f381a60c878 R11: 0000000000000246 R12: 00007ffd45ed0423
      [59.225] R13: 00007ffd45ecf150 R14: 0000000000000000 R15: 00007ffd45ecf148
      [59.225]  </TASK>
    
    What happens is the following:
    
    1) A scrub is running, so fs_info->scrubs_running is 1;
    
    2) Task A starts block group relocation, and at btrfs_relocate_chunk() it
       pauses scrub by calling btrfs_scrub_pause(). That increments
       fs_info->scrub_pause_req from 0 to 1 and waits for the scrub task to
       pause (for fs_info->scrubs_paused to be == to fs_info->scrubs_running);
    
    3) The scrub task pauses at scrub_pause_off(), waiting for
       fs_info->scrub_pause_req to decrease to 0;
    
    4) Task A then enters btrfs_relocate_block_group(), and down that call
       chain we start a transaction and then attempt to commit it;
    
    5) When task A calls btrfs_commit_transaction(), it either will do the
       commit itself or wait for some other task that already started the
       commit of the transaction - it doesn't matter which case;
    
    6) The transaction commit enters state TRANS_STATE_COMMIT_START;
    
    7) An error happens during the transaction commit, like -ENOSPC when
       running delayed refs or delayed items for example;
    
    8) This results in calling transaction.c:cleanup_transaction(), where
       we call btrfs_scrub_cancel(), incrementing fs_info->scrub_cancel_req
       from 0 to 1, and blocking this task waiting for fs_info->scrubs_running
       to decrease to 0;
    
    9) From this point on, both the transaction commit and the scrub task
       hang forever:
    
       1) The transaction commit is waiting for fs_info->scrubs_running to
          be decreased to 0;
    
       2) The scrub task is at scrub_pause_off() waiting for
          fs_info->scrub_pause_req to decrease to 0 - so it can not proceed
          to stop the scrub and decrement fs_info->scrubs_running from 0 to 1.
    
       Therefore resulting in a deadlock.
    
    Fix this by having cleanup_transaction(), called if a transaction commit
    fails, not call btrfs_scrub_cancel() if relocation is in progress, and
    having btrfs_relocate_block_group() call btrfs_scrub_cancel() instead if
    the relocation failed and a transaction abort happened.
    
    This was triggered with btrfs/061 from fstests.
    
    Fixes: 55e3a601c81c ("btrfs: Fix data checksum error cause by replace with io-load.")
    CC: stable@vger.kernel.org # 4.14+
    Reviewed-by: Josef Bacik <josef@toxicpanda.com>
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 85ec44199b5a4408f40109d960919cde45c22c89
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Fri Mar 17 03:13:12 2023 -0700

    Input: goodix - add Lenovo Yoga Book X90F to nine_bytes_report DMI table
    
    commit 8a0432bab6ea3203d220785da7ab3c7677f70ecb upstream.
    
    The Android Lenovo Yoga Book X90F / X90L uses the same goodix touchscreen
    with 9 bytes touch reports for its touch keyboard as the already supported
    Windows Lenovo Yoga Book X91F/L, add a DMI match for this to
    the nine_bytes_report DMI table.
    
    When the quirk for the X91F/L was initially added it was written to
    also apply to the X90F/L but this does not work because the Android
    version of the Yoga Book uses completely different DMI strings.
    Also adjust the X91F/L quirk to reflect that it only applies to
    the X91F/L models.
    
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Reviewed-by: Bastien Nocera <hadess@hadess.net>
    Link: https://lore.kernel.org/r/20230315134442.71787-1-hdegoede@redhat.com
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 89c4b695431d33811d9b0103d5a2f059b75c10d3
Author: Jonathan Denose <jdenose@chromium.org>
Date:   Fri Mar 17 03:19:51 2023 -0700

    Input: i8042 - add quirk for Fujitsu Lifebook A574/H
    
    commit f5bad62f9107b701a6def7cac1f5f65862219b83 upstream.
    
    Fujitsu Lifebook A574/H requires the nomux option to properly
    probe the touchpad, especially when waking from sleep.
    
    Signed-off-by: Jonathan Denose <jdenose@google.com>
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Link: https://lore.kernel.org/r/20230303152623.45859-1-jdenose@google.com
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b7d854c33ab48e55fc233699bbefe39ec9bb5c05
Author: David Disseldorp <ddiss@suse.de>
Date:   Wed Mar 29 22:24:06 2023 +0200

    cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL
    
    commit 179a88a8558bbf42991d361595281f3e45d7edfc upstream.
    
    When compiled with CONFIG_CIFS_DFS_UPCALL disabled, cifs_dfs_d_automount
    is NULL. cifs.ko logic for mapping CIFS_FATTR_DFS_REFERRAL attributes to
    S_AUTOMOUNT and corresponding dentry flags is retained regardless of
    CONFIG_CIFS_DFS_UPCALL, leading to a NULL pointer dereference in
    VFS follow_automount() when traversing a DFS referral link:
      BUG: kernel NULL pointer dereference, address: 0000000000000000
      ...
      Call Trace:
       <TASK>
       __traverse_mounts+0xb5/0x220
       ? cifs_revalidate_mapping+0x65/0xc0 [cifs]
       step_into+0x195/0x610
       ? lookup_fast+0xe2/0xf0
       path_lookupat+0x64/0x140
       filename_lookup+0xc2/0x140
       ? __create_object+0x299/0x380
       ? kmem_cache_alloc+0x119/0x220
       ? user_path_at_empty+0x31/0x50
       user_path_at_empty+0x31/0x50
       __x64_sys_chdir+0x2a/0xd0
       ? exit_to_user_mode_prepare+0xca/0x100
       do_syscall_64+0x42/0x90
       entry_SYSCALL_64_after_hwframe+0x72/0xdc
    
    This fix adds an inline cifs_dfs_d_automount() {return -EREMOTE} handler
    when CONFIG_CIFS_DFS_UPCALL is disabled. An alternative would be to
    avoid flagging S_AUTOMOUNT, etc. without CONFIG_CIFS_DFS_UPCALL. This
    approach was chosen as it provides more control over the error path.
    
    Signed-off-by: David Disseldorp <ddiss@suse.de>
    Cc: stable@vger.kernel.org
    Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
    Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit eb94ea52afff7f0d4dfcb200ba45855fcf7986a3
Author: Paulo Alcantara <pc@manguebit.com>
Date:   Wed Mar 29 17:14:22 2023 -0300

    cifs: prevent infinite recursion in CIFSGetDFSRefer()
    
    commit 09ba47b44d26b475bbdf9c80db9e0193d2b58956 upstream.
    
    We can't call smb_init() in CIFSGetDFSRefer() as cifs_reconnect_tcon()
    may end up calling CIFSGetDFSRefer() again to get new DFS referrals
    and thus causing an infinite recursion.
    
    Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
    Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
    Cc: stable@vger.kernel.org # 6.2
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f8bdc959cefee58a1a17712f031bfcf3ea3e6ba1
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Sun Mar 19 21:36:36 2023 -0700

    Input: focaltech - use explicitly signed char type
    
    commit 8980f190947ba29f23110408e712444884b74251 upstream.
    
    The recent change of -funsigned-char causes additions of negative
    numbers to become additions of large positive numbers, leading to wrong
    calculations of mouse movement. Change these casts to be explicitly
    signed, to take into account negative offsets.
    
    Fixes: 3bc753c06dd0 ("kbuild: treat char as always unsigned")
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Cc: stable@vger.kernel.org
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=217211
    Link: https://lore.kernel.org/r/20230318133010.1285202-1-Jason@zx2c4.com
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5ee6df525715002649ba8138f59d77f5d7a1e3c2
Author: msizanoen <msizanoen@qtmlabs.xyz>
Date:   Sun Mar 19 23:02:56 2023 -0700

    Input: alps - fix compatibility with -funsigned-char
    
    commit 754ff5060daf5a1cf4474eff9b4edeb6c17ef7ab upstream.
    
    The AlpsPS/2 code previously relied on the assumption that `char` is a
    signed type, which was true on x86 platforms (the only place where this
    driver is used) before kernel 6.2. However, on 6.2 and later, this
    assumption is broken due to the introduction of -funsigned-char as a new
    global compiler flag.
    
    Fix this by explicitly specifying the signedness of `char` when sign
    extending the values received from the device.
    
    Fixes: f3f33c677699 ("Input: alps - Rushmore and v7 resolution support")
    Signed-off-by: msizanoen <msizanoen@qtmlabs.xyz>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20230320045228.182259-1-msizanoen@qtmlabs.xyz
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 30a8863f21ec8451142241a77cade1b8b8ab17f7
Author: Werner Sembach <wse@tuxedocomputers.com>
Date:   Thu Mar 23 18:13:11 2023 -0700

    Input: i8042 - add TUXEDO devices to i8042 quirk tables for partial fix
    
    commit cbedf1a33970c9b825ae75b81fbd3e88e224a418 upstream.
    
    A lot of modern Clevo barebones have touchpad and/or keyboard issues after
    suspend fixable with nomux + reset + noloop + nopnp. Luckily, none of them
    have an external PS/2 port so this can safely be set for all of them.
    
    I'm not entirely sure if every device listed really needs all four quirks,
    but after testing and production use, no negative effects could be
    observed when setting all four.
    
    Setting SERIO_QUIRK_NOMUX or SERIO_QUIRK_RESET_ALWAYS on the Clevo N150CU
    and the Clevo NHxxRZQ makes the keyboard very laggy for ~5 seconds after
    boot and sometimes also after resume. However both are required for the
    keyboard to not fail completely sometimes after boot or resume.
    
    Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20230321191619.647911-1-wse@tuxedocomputers.com
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 973043d6bdea219b74b3a51442d5c77c11242c71
Author: Lu Baolu <baolu.lu@linux.intel.com>
Date:   Wed Mar 29 21:47:20 2023 +0800

    iommu/vt-d: Allow zero SAGAW if second-stage not supported
    
    [ Upstream commit bfd3c6b9fa4a1dc78139dd1621d5bea321ffa69d ]
    
    The VT-d spec states (in section 11.4.2) that hardware implementations
    reporting second-stage translation support (SSTS) field as Clear also
    report the SAGAW field as 0. Fix an inappropriate check in alloc_iommu().
    
    Fixes: 792fb43ce2c9 ("iommu/vt-d: Enable Intel IOMMU scalable mode by default")
    Suggested-by: Raghunathan Srinivasan <raghunathan.srinivasan@intel.com>
    Reviewed-by: Kevin Tian <kevin.tian@intel.com>
    Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
    Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
    Link: https://lore.kernel.org/r/20230318024824.124542-1-baolu.lu@linux.intel.com
    Link: https://lore.kernel.org/r/20230329134721.469447-3-baolu.lu@linux.intel.com
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit db0ac14908af0bb9bf66d1e79804f52a262679f4
Author: Matthias Benkmann <matthias.benkmann@gmail.com>
Date:   Sun Mar 19 21:30:15 2023 -0700

    Input: xpad - fix incorrectly applied patch for MAP_PROFILE_BUTTON
    
    [ Upstream commit ffa6206ebf8d39e83d87ac226df68dbbe155819a ]
    
    When commit commit fff1011a26d6 ("Input: xpad - add X-Box Adaptive Profile
    button") was applied, one hunk ended up in the wrong function; move it to
    where it belongs.
    
    Fixes: fff1011a26d6 ("Input: xpad - add X-Box Adaptive Profile button")
    Signed-off-by: Matthias Benkmann <matthias.benkmann@gmail.com>
    Link: https://lore.kernel.org/r/20230318162106.0aef4ba5@ninja
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2a858f3f804ce62a57ed5660bf9068afe7fd6377
Author: Horatiu Vultur <horatiu.vultur@microchip.com>
Date:   Mon Feb 6 21:37:20 2023 +0100

    pinctrl: ocelot: Fix alt mode for ocelot
    
    [ Upstream commit 657fd9da2d4b4aa0a384105b236baa22fa0233bf ]
    
    In case the driver was trying to set an alternate mode for gpio
    0 or 32 then the mode was not set correctly. The reason is that
    there is computation error inside the function ocelot_pinmux_set_mux
    because in this case it was trying to shift to left by -1.
    Fix this by actually shifting the function bits and not the position.
    
    Fixes: 4b36082e2e09 ("pinctrl: ocelot: fix pinmuxing for pins after 31")
    Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
    Link: https://lore.kernel.org/r/20230206203720.1177718-1-horatiu.vultur@microchip.com
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 106fb49b14af1eeb064616090f8cc9afc27516be
Author: Felix Fietkau <nbd@nbd.name>
Date:   Thu Mar 30 14:08:40 2023 +0200

    net: ethernet: mtk_eth_soc: add missing ppe cache flush when deleting a flow
    
    [ Upstream commit 924531326e2dd4ceabe7240f2b55a88e7d894ec2 ]
    
    The cache needs to be flushed to ensure that the hardware stops offloading
    the flow immediately.
    
    Fixes: 33fc42de3327 ("net: ethernet: mtk_eth_soc: support creating mac address based offload entries")
    Reviewed-by: Simon Horman <simon.horman@corigine.com>
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
    Link: https://lore.kernel.org/r/20230330120840.52079-3-nbd@nbd.name
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a7bd974edf12185341f85e1a2197b7065e2322d9
Author: Felix Fietkau <nbd@nbd.name>
Date:   Thu Mar 30 14:08:38 2023 +0200

    net: ethernet: mtk_eth_soc: fix flow block refcounting logic
    
    [ Upstream commit 8c1cb87c2a5c29da416848451a687473f379611c ]
    
    Since we call flow_block_cb_decref on FLOW_BLOCK_UNBIND, we also need to
    call flow_block_cb_incref for a newly allocated cb.
    Also fix the accidentally inverted refcount check on unbind.
    
    Fixes: 502e84e2382d ("net: ethernet: mtk_eth_soc: add flow offloading support")
    Reviewed-by: Simon Horman <simon.horman@corigine.com>
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
    Link: https://lore.kernel.org/r/20230330120840.52079-1-nbd@nbd.name
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1b0e8aba451031fa031bfb96711af12c4b902fdf
Author: Steffen Bätz <steffen@innosonix.de>
Date:   Wed Mar 29 12:01:40 2023 -0300

    net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only
    
    [ Upstream commit 7bcad0f0e6fbc1d613e49e0ee35c8e5f2e685bb0 ]
    
    Do not set the MV88E6XXX_PORT_CTL0_IGMP_MLD_SNOOP bit on CPU or DSA ports.
    
    This allows the host CPU port to be a regular IGMP listener by sending out
    IGMP Membership Reports, which would otherwise not be forwarded by the
    mv88exxx chip, but directly looped back to the CPU port itself.
    
    Fixes: 54d792f257c6 ("net: dsa: Centralise global and port setup code into mv88e6xxx.")
    Signed-off-by: Steffen Bätz <steffen@innosonix.de>
    Signed-off-by: Fabio Estevam <festevam@denx.de>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Link: https://lore.kernel.org/r/20230329150140.701559-1-festevam@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b055e322907e4b83d366633fa761d25f7319c509
Author: Michael Chan <michael.chan@broadcom.com>
Date:   Tue Mar 28 18:30:21 2023 -0700

    bnxt_en: Add missing 200G link speed reporting
    
    [ Upstream commit 581bce7bcb7e7f100908728e7b292e266c76895b ]
    
    bnxt_fw_to_ethtool_speed() is missing the case statement for 200G
    link speed reported by firmware.  As a result, ethtool will report
    unknown speed when the firmware reports 200G link speed.
    
    Fixes: 532262ba3b84 ("bnxt_en: ethtool: support PAM4 link speeds up to 200G")
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Reviewed-by: Simon Horman <simon.horman@corigine.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f06ae13e995ad5cc0e871d19dee919fd00c92700
Author: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Date:   Tue Mar 28 18:30:20 2023 -0700

    bnxt_en: Fix typo in PCI id to device description string mapping
    
    [ Upstream commit 62aad36ed31abc80f35db11e187e690448a79f7d ]
    
    Fix 57502 and 57508 NPAR description string entries.  The typos
    caused these devices to not match up with lspci output.
    
    Fixes: 49c98421e6ab ("bnxt_en: Add PCI IDs for 57500 series NPAR devices.")
    Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
    Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Reviewed-by: Simon Horman <simon.horman@corigine.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a4dd9f756973dae340c8daaae6e1d992f2553c11
Author: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Date:   Tue Mar 28 18:30:19 2023 -0700

    bnxt_en: Fix reporting of test result in ethtool selftest
    
    [ Upstream commit 83714dc3db0e4a088673601bc8099b079bc1a077 ]
    
    When the selftest command fails, driver is not reporting the failure
    by updating the "test->flags" when bnxt_close_nic() fails.
    
    Fixes: eb51365846bc ("bnxt_en: Add basic ethtool -t selftest support.")
    Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
    Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
    Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Reviewed-by: Simon Horman <simon.horman@corigine.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 37f9fe34482ef5e19cf8fb9dfb43a26e01f101f1
Author: Radoslaw Tyl <radoslawx.tyl@intel.com>
Date:   Tue Mar 28 10:26:59 2023 -0700

    i40e: fix registers dump after run ethtool adapter self test
    
    [ Upstream commit c5cff16f461a4a434a9915a7be7ac9ced861a8a4 ]
    
    Fix invalid registers dump from ethtool -d ethX after adapter self test
    by ethtool -t ethY. It causes invalid data display.
    
    The problem was caused by overwriting i40e_reg_list[].elements
    which is common for ethtool self test and dump.
    
    Fixes: 22dd9ae8afcc ("i40e: Rework register diagnostic")
    Signed-off-by: Radoslaw Tyl <radoslawx.tyl@intel.com>
    Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
    Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel)
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
    Link: https://lore.kernel.org/r/20230328172659.3906413-1-anthony.l.nguyen@intel.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6e43dc9dcf22ebbe8ad54e3f2109f129dccd09cc
Author: Alex Elder <elder@linaro.org>
Date:   Tue Mar 28 11:27:51 2023 -0500

    net: ipa: compute DMA pool size properly
    
    [ Upstream commit 6c75dc94f2b27fff57b305af9236eea181a00b6c ]
    
    In gsi_trans_pool_init_dma(), the total size of a pool of memory
    used for DMA transactions is calculated.  However the calculation is
    done incorrectly.
    
    For 4KB pages, this total size is currently always more than one
    page, and as a result, the calculation produces a positive (though
    incorrect) total size.  The code still works in this case; we just
    end up with fewer DMA pool entries than we intended.
    
    Bjorn Andersson tested booting a kernel with 16KB pages, and hit a
    null pointer derereference in sg_alloc_append_table_from_pages(),
    descending from gsi_trans_pool_init_dma().  The cause of this was
    that a 16KB total size was going to be allocated, and with 16KB
    pages the order of that allocation is 0.  The total_size calculation
    yielded 0, which eventually led to the crash.
    
    Correcting the total_size calculation fixes the problem.
    
    Reported-by: Bjorn Andersson <quic_bjorande@quicinc.com>
    Tested-by: Bjorn Andersson <quic_bjorande@quicinc.com>
    Fixes: 9dd441e4ed57 ("soc: qcom: ipa: GSI transactions")
    Reviewed-by: Mark Bloch <mbloch@nvidia.com>
    Signed-off-by: Alex Elder <elder@linaro.org>
    Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
    Link: https://lore.kernel.org/r/20230328162751.2861791-1-elder@linaro.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 32b9bd7cfc2e2d92d595386add4e111b232b351f
Author: Tasos Sahanidis <tasos@tasossah.com>
Date:   Wed Mar 29 06:28:08 2023 +0300

    ALSA: ymfpci: Fix BUG_ON in probe function
    
    [ Upstream commit 6be2e7522eb529b41c16d459f33bbdbcddbf5c15 ]
    
    The snd_dma_buffer.bytes field now contains the aligned size, which this
    snd_BUG_ON() did not account for, resulting in the following:
    
    [    9.625915] ------------[ cut here ]------------
    [    9.633440] WARNING: CPU: 0 PID: 126 at sound/pci/ymfpci/ymfpci_main.c:2168 snd_ymfpci_create+0x681/0x698 [snd_ymfpci]
    [    9.648926] Modules linked in: snd_ymfpci(+) snd_intel_dspcfg kvm(+) snd_intel_sdw_acpi snd_ac97_codec snd_mpu401_uart snd_opl3_lib irqbypass snd_hda_codec gameport snd_rawmidi crct10dif_pclmul crc32_pclmul cfg80211 snd_hda_core polyval_clmulni polyval_generic gf128mul snd_seq_device ghash_clmulni_intel snd_hwdep ac97_bus sha512_ssse3 rfkill snd_pcm aesni_intel tg3 snd_timer crypto_simd snd mxm_wmi libphy cryptd k10temp fam15h_power pcspkr soundcore sp5100_tco wmi acpi_cpufreq mac_hid dm_multipath sg loop fuse dm_mod bpf_preload ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 sr_mod cdrom ata_generic pata_acpi firewire_ohci crc32c_intel firewire_core xhci_pci crc_itu_t pata_via xhci_pci_renesas floppy
    [    9.711849] CPU: 0 PID: 126 Comm: kworker/0:2 Not tainted 6.1.21-1-lts #1 08d2e5ece03136efa7c6aeea9a9c40916b1bd8da
    [    9.722200] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./990FX Extreme4, BIOS P2.70 06/05/2014
    [    9.732204] Workqueue: events work_for_cpu_fn
    [    9.736580] RIP: 0010:snd_ymfpci_create+0x681/0x698 [snd_ymfpci]
    [    9.742594] Code: 8c c0 4c 89 e2 48 89 df 48 c7 c6 92 c6 8c c0 e8 15 d0 e9 ff 48 83 c4 08 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f e9 d3 7a 33 e3 <0f> 0b e9 cb fd ff ff 41 bd fb ff ff ff eb db 41 bd f4 ff ff ff eb
    [    9.761358] RSP: 0018:ffffab64804e7da0 EFLAGS: 00010287
    [    9.766594] RAX: ffff8fa2df06c400 RBX: ffff8fa3073a8000 RCX: ffff8fa303fbc4a8
    [    9.773734] RDX: ffff8fa2df06d000 RSI: 0000000000000010 RDI: 0000000000000020
    [    9.780876] RBP: ffff8fa300b5d0d0 R08: ffff8fa3073a8e50 R09: 00000000df06bf00
    [    9.788018] R10: ffff8fa2df06bf00 R11: 00000000df068200 R12: ffff8fa3073a8918
    [    9.795159] R13: 0000000000000000 R14: 0000000000000080 R15: ffff8fa2df068200
    [    9.802317] FS:  0000000000000000(0000) GS:ffff8fa9fec00000(0000) knlGS:0000000000000000
    [    9.810414] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [    9.816158] CR2: 000055febaf66500 CR3: 0000000101a2e000 CR4: 00000000000406f0
    [    9.823301] Call Trace:
    [    9.825747]  <TASK>
    [    9.827889]  snd_card_ymfpci_probe+0x194/0x950 [snd_ymfpci b78a5fe64b5663a6390a909c67808567e3e73615]
    [    9.837030]  ? finish_task_switch.isra.0+0x90/0x2d0
    [    9.841918]  local_pci_probe+0x45/0x80
    [    9.845680]  work_for_cpu_fn+0x1a/0x30
    [    9.849431]  process_one_work+0x1c7/0x380
    [    9.853464]  worker_thread+0x1af/0x390
    [    9.857225]  ? rescuer_thread+0x3b0/0x3b0
    [    9.861254]  kthread+0xde/0x110
    [    9.864414]  ? kthread_complete_and_exit+0x20/0x20
    [    9.869210]  ret_from_fork+0x22/0x30
    [    9.872792]  </TASK>
    [    9.874985] ---[ end trace 0000000000000000 ]---
    
    Fixes: 5c1733e33c88 ("ALSA: memalloc: Align buffer allocations in page size")
    Signed-off-by: Tasos Sahanidis <tasos@tasossah.com>
    Link: https://lore.kernel.org/r/20230329032808.170403-1-tasos@tasossah.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit db7d7782677ff998c06997903d5400a0ba91cebb
Author: Tasos Sahanidis <tasos@tasossah.com>
Date:   Wed Mar 29 06:24:22 2023 +0300

    ALSA: ymfpci: Create card with device-managed snd_devm_card_new()
    
    [ Upstream commit f33fc1576757741479452255132d6e3aaf558ffe ]
    
    snd_card_ymfpci_remove() was removed in commit c6e6bb5eab74 ("ALSA:
    ymfpci: Allocate resources with device-managed APIs"), but the call to
    snd_card_new() was not replaced with snd_devm_card_new().
    
    Since there was no longer a call to snd_card_free, unloading the module
    would eventually result in Oops:
    
    [697561.532887] BUG: unable to handle page fault for address: ffffffffc0924480
    [697561.532893] #PF: supervisor read access in kernel mode
    [697561.532896] #PF: error_code(0x0000) - not-present page
    [697561.532899] PGD ae1e15067 P4D ae1e15067 PUD ae1e17067 PMD 11a8f5067 PTE 0
    [697561.532905] Oops: 0000 [#1] PREEMPT SMP NOPTI
    [697561.532909] CPU: 21 PID: 5080 Comm: wireplumber Tainted: G        W  OE      6.2.7 #1
    [697561.532914] Hardware name: System manufacturer System Product Name/TUF GAMING X570-PLUS, BIOS 4408 10/28/2022
    [697561.532916] RIP: 0010:try_module_get.part.0+0x1a/0xe0
    [697561.532924] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 49 89 fc bf 01 00 00 00 e8 56 3c f8 ff <41> 83 3c 24 02 0f 84 96 00 00 00 41 8b 84 24 30 03 00 00 85 c0 0f
    [697561.532927] RSP: 0018:ffffbe9b858c3bd8 EFLAGS: 00010246
    [697561.532930] RAX: ffff9815d14f1900 RBX: ffff9815c14e6000 RCX: 0000000000000000
    [697561.532933] RDX: 0000000000000000 RSI: ffffffffc055092c RDI: ffffffffb3778c1a
    [697561.532935] RBP: ffffbe9b858c3be8 R08: 0000000000000040 R09: ffff981a1a741380
    [697561.532937] R10: ffffbe9b858c3c80 R11: 00000009d56533a6 R12: ffffffffc0924480
    [697561.532939] R13: ffff9823439d8500 R14: 0000000000000025 R15: ffff9815cd109f80
    [697561.532942] FS:  00007f13084f1f80(0000) GS:ffff9824aef40000(0000) knlGS:0000000000000000
    [697561.532945] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [697561.532947] CR2: ffffffffc0924480 CR3: 0000000145344000 CR4: 0000000000350ee0
    [697561.532949] Call Trace:
    [697561.532951]  <TASK>
    [697561.532955]  try_module_get+0x13/0x30
    [697561.532960]  snd_ctl_open+0x61/0x1c0 [snd]
    [697561.532976]  snd_open+0xb4/0x1e0 [snd]
    [697561.532989]  chrdev_open+0xc7/0x240
    [697561.532995]  ? fsnotify_perm.part.0+0x6e/0x160
    [697561.533000]  ? __pfx_chrdev_open+0x10/0x10
    [697561.533005]  do_dentry_open+0x169/0x440
    [697561.533009]  vfs_open+0x2d/0x40
    [697561.533012]  path_openat+0xa9d/0x10d0
    [697561.533017]  ? debug_smp_processor_id+0x17/0x20
    [697561.533022]  ? trigger_load_balance+0x65/0x370
    [697561.533026]  do_filp_open+0xb2/0x160
    [697561.533032]  ? _raw_spin_unlock+0x19/0x40
    [697561.533036]  ? alloc_fd+0xa9/0x190
    [697561.533040]  do_sys_openat2+0x9f/0x160
    [697561.533044]  __x64_sys_openat+0x55/0x90
    [697561.533048]  do_syscall_64+0x3b/0x90
    [697561.533052]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
    [697561.533056] RIP: 0033:0x7f1308a40db4
    [697561.533059] Code: 24 20 eb 8f 66 90 44 89 54 24 0c e8 46 68 f8 ff 44 8b 54 24 0c 44 89 e2 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 32 44 89 c7 89 44 24 0c e8 78 68 f8 ff 8b 44
    [697561.533062] RSP: 002b:00007ffcce664450 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
    [697561.533066] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1308a40db4
    [697561.533068] RDX: 0000000000080000 RSI: 00007ffcce664690 RDI: 00000000ffffff9c
    [697561.533070] RBP: 00007ffcce664690 R08: 0000000000000000 R09: 0000000000000012
    [697561.533072] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000080000
    [697561.533074] R13: 00007f13054b069b R14: 0000565209f83200 R15: 0000000000000000
    [697561.533078]  </TASK>
    
    Fixes: c6e6bb5eab74 ("ALSA: ymfpci: Allocate resources with device-managed APIs")
    Signed-off-by: Tasos Sahanidis <tasos@tasossah.com>
    Link: https://lore.kernel.org/r/20230329032422.170024-1-tasos@tasossah.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9bc9e4442fe3aee93269b5c6031c025257d98758
Author: Jakob Koschel <jkl820.git@gmail.com>
Date:   Mon Mar 20 13:48:15 2023 +0100

    ice: fix invalid check for empty list in ice_sched_assoc_vsi_to_agg()
    
    [ Upstream commit e9a1cc2e4c4ee7c7e60fb26345618c2522a2a10f ]
    
    The code implicitly assumes that the list iterator finds a correct
    handle. If 'vsi_handle' is not found the 'old_agg_vsi_info' was
    pointing to an bogus memory location. For safety a separate list
    iterator variable should be used to make the != NULL check on
    'old_agg_vsi_info' correct under any circumstances.
    
    Additionally Linus proposed to avoid any use of the list iterator
    variable after the loop, in the attempt to move the list iterator
    variable declaration into the macro to avoid any potential misuse after
    the loop. Using it in a pointer comparison after the loop is undefined
    behavior and should be omitted if possible [1].
    
    Fixes: 37c592062b16 ("ice: remove the VSI info from previous agg")
    Link: https://lore.kernel.org/all/CAHk-=wgRr_D8CB-D9Kg-c=EHreAsk5SqXPwr9Y7k9sA6cWXJ6w@mail.gmail.com/ [1]
    Signed-off-by: Jakob Koschel <jkl820.git@gmail.com>
    Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel)
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d10900058fa6d6c0a4ec6f6967a9b4c607e303ce
Author: Junfeng Guo <junfeng.guo@intel.com>
Date:   Tue Mar 14 10:03:15 2023 +0800

    ice: add profile conflict check for AVF FDIR
    
    [ Upstream commit 29486b6df3e6a63b57d1ed1dce06051267282ff4 ]
    
    Add profile conflict check while adding some FDIR rules to avoid
    unexpected flow behavior, rules may have conflict including:
            IPv4 <---> {IPv4_UDP, IPv4_TCP, IPv4_SCTP}
            IPv6 <---> {IPv6_UDP, IPv6_TCP, IPv6_SCTP}
    
    For example, when we create an FDIR rule for IPv4, this rule will work
    on packets including IPv4, IPv4_UDP, IPv4_TCP and IPv4_SCTP. But if we
    then create an FDIR rule for IPv4_UDP and then destroy it, the first
    FDIR rule for IPv4 cannot work on pkt IPv4_UDP then.
    
    To prevent this unexpected behavior, we add restriction in software
    when creating FDIR rules by adding necessary profile conflict check.
    
    Fixes: 1f7ea1cd6a37 ("ice: Enable FDIR Configure for AVF")
    Signed-off-by: Junfeng Guo <junfeng.guo@intel.com>
    Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 088573884165806248e15b69277c582c31c5f361
Author: Brett Creeley <brett.creeley@intel.com>
Date:   Mon Mar 13 13:36:08 2023 -0700

    ice: Fix ice_cfg_rdma_fltr() to only update relevant fields
    
    [ Upstream commit d94dbdc4e0209b5e7d736ab696f8d635b034e3ee ]
    
    The current implementation causes ice_vsi_update() to update all VSI
    fields based on the cached VSI context. This also assumes that the
    ICE_AQ_VSI_PROP_Q_OPT_VALID bit is set. This can cause problems if the
    VSI context is not correctly synced by the driver. Fix this by only
    updating the fields that correspond to ICE_AQ_VSI_PROP_Q_OPT_VALID.
    Also, make sure to save the updated result in the cached VSI context
    on success.
    
    Fixes: 348048e724a0 ("ice: Implement iidc operations")
    Co-developed-by: Robert Malz <robertx.malz@intel.com>
    Signed-off-by: Robert Malz <robertx.malz@intel.com>
    Signed-off-by: Brett Creeley <brett.creeley@intel.com>
    Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
    Reviewed-by: Piotr Raczynski <piotr.raczynski@intel.com>
    Tested-by: Jakub Andrysiak <jakub.andrysiak@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0b9541ae1dd1a7436af697e12ca76ff6a507b3cb
Author: Wolfram Sang <wsa+renesas@sang-engineering.com>
Date:   Mon Mar 27 10:31:38 2023 +0200

    smsc911x: avoid PHY being resumed when interface is not up
    
    [ Upstream commit f22c993f31fa9615df46e49cd768b713d39a852f ]
    
    SMSC911x doesn't need mdiobus suspend/resume, that's why it sets
    'mac_managed_pm'. However, setting it needs to be moved from init to
    probe, so mdiobus PM functions will really never be called (e.g. when
    the interface is not up yet during suspend/resume).
    
    Fixes: 3ce9f2bef755 ("net: smsc911x: Stop and start PHY during suspend and resume")
    Suggested-by: Heiner Kallweit <hkallweit1@gmail.com>
    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Reviewed-by: Simon Horman <simon.horman@corigine.com>
    Link: https://lore.kernel.org/r/20230327083138.6044-1-wsa+renesas@sang-engineering.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a921dbbc04e3e4edfaa6245e905207030c1a14bd
Author: Sven Auhagen <sven.auhagen@voleatech.de>
Date:   Sat Mar 25 17:41:05 2023 +0100

    net: mvpp2: parser fix PPPoE
    
    [ Upstream commit 031a416c2170866be5132ae42e14453d669b0cb1 ]
    
    In PPPoE add all IPv4 header option length to the parser
    and adjust the L3 and L4 offset accordingly.
    Currently the L4 match does not work with PPPoE and
    all packets are matched as L3 IP4 OPT.
    
    Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit")
    Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2a4f74420538c53b443ee35e5ce95ffc0ecf4510
Author: Sven Auhagen <sven.auhagen@voleatech.de>
Date:   Sat Mar 25 17:40:53 2023 +0100

    net: mvpp2: parser fix QinQ
    
    [ Upstream commit a587a84813b90372cb0a7565e201a4075da67919 ]
    
    The mvpp2 parser entry for QinQ has the inner and outer VLAN
    in the wrong order.
    Fix the problem by swapping them.
    
    Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit")
    Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
    Reviewed-by: Marcin Wojtas <mw@semihalf.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5718b58ca0ec3aee1badb33021c35da1883aa9e4
Author: Sven Auhagen <sven.auhagen@voleatech.de>
Date:   Sat Mar 25 17:40:29 2023 +0100

    net: mvpp2: classifier flow fix fragmentation flags
    
    [ Upstream commit 9a251cae51d57289908222e6c322ca61fccc25fd ]
    
    Add missing IP Fragmentation Flag.
    
    Fixes: f9358e12a0af ("net: mvpp2: split ingress traffic into multiple flows")
    Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
    Reviewed-by: Marcin Wojtas <mw@semihalf.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit bee9ca40b839e9b2ca1fdb37ffcce429e7899d79
Author: Alyssa Ross <hi@alyssa.is>
Date:   Mon Mar 20 13:54:30 2023 +0100

    loop: LOOP_CONFIGURE: send uevents for partitions
    
    [ Upstream commit bb430b69422640891b0b8db762885730579a4145 ]
    
    LOOP_CONFIGURE is, as far as I understand it, supposed to be a way to
    combine LOOP_SET_FD and LOOP_SET_STATUS64 into a single syscall.  When
    using LOOP_SET_FD+LOOP_SET_STATUS64, a single uevent would be sent for
    each partition found on the loop device after the second ioctl(), but
    when using LOOP_CONFIGURE, no such uevent was being sent.
    
    In the old setup, uevents are disabled for LOOP_SET_FD, but not for
    LOOP_SET_STATUS64.  This makes sense, as it prevents uevents being
    sent for a partially configured device during LOOP_SET_FD - they're
    only sent at the end of LOOP_SET_STATUS64.  But for LOOP_CONFIGURE,
    uevents were disabled for the entire operation, so that final
    notification was never issued.  To fix this, reduce the critical
    section to exclude the loop_reread_partitions() call, which causes
    the uevents to be issued, to after uevents are re-enabled, matching
    the behaviour of the LOOP_SET_FD+LOOP_SET_STATUS64 combination.
    
    I noticed this because Busybox's losetup program recently changed from
    using LOOP_SET_FD+LOOP_SET_STATUS64 to LOOP_CONFIGURE, and this broke
    my setup, for which I want a notification from the kernel any time a
    new partition becomes available.
    
    Signed-off-by: Alyssa Ross <hi@alyssa.is>
    [hch: reduced the critical section]
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Fixes: 3448914e8cc5 ("loop: Add LOOP_CONFIGURE ioctl")
    Link: https://lore.kernel.org/r/20230320125430.55367-1-hch@lst.de
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b7707176f858a4361566ba5bdef2d3a7f519fb93
Author: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Date:   Fri Mar 24 14:33:42 2023 +0100

    ACPI: bus: Rework system-level device notification handling
    
    [ Upstream commit c56610a869bce03490faf4f157076370c71b8ae3 ]
    
    For ACPI drivers that provide a ->notify() callback and set
    ACPI_DRIVER_ALL_NOTIFY_EVENTS in their flags, that callback can be
    invoked while either the ->add() or the ->remove() callback is running
    without any synchronization at the bus type level which is counter to
    the common-sense expectation that notification handling should only be
    enabled when the driver is actually bound to the device.  As a result,
    if the driver is not careful enough, it's ->notify() callback may crash
    when it is invoked too early or too late [1].
    
    This issue has been amplified by commit d6fb6ee1820c ("ACPI: bus: Drop
    driver member of struct acpi_device") that made acpi_bus_notify() check
    for the presence of the driver and its ->notify() callback directly
    instead of using an extra driver pointer that was only set and cleared
    by the bus type code, but it was present before that commit although
    it was harder to reproduce then.
    
    It can be addressed by using the observation that
    acpi_device_install_notify_handler() can be modified to install the
    handler for all types of events when ACPI_DRIVER_ALL_NOTIFY_EVENTS is
    set in the driver flags, in which case acpi_bus_notify() will not need
    to invoke the driver's ->notify() callback any more and that callback
    will only be invoked after acpi_device_install_notify_handler() has run
    and before acpi_device_remove_notify_handler() runs, which implies the
    correct ordering with respect to the other ACPI driver callbacks.
    
    Modify the code accordingly and while at it, drop two redundant local
    variables from acpi_bus_notify() and turn its description comment into
    a proper kerneldoc one.
    
    Fixes: d6fb6ee1820c ("ACPI: bus: Drop driver member of struct acpi_device")
    Link: https://lore.kernel.org/linux-acpi/9f6cba7a8a57e5a687c934e8e406e28c.squirrel@mail.panix.com # [1]
    Reported-by: Pierre Asselin <pa@panix.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Tested-by: Pierre Asselin <pa@panix.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6a40fda14b4be3e38f03cc42ffd4efbc64fb3e67
Author: Tony Krowiak <akrowiak@linux.ibm.com>
Date:   Mon Mar 20 11:04:47 2023 -0400

    s390/vfio-ap: fix memory leak in vfio_ap device driver
    
    [ Upstream commit 8f8cf767589f2131ae5d40f3758429095c701c84 ]
    
    The device release callback function invoked to release the matrix device
    uses the dev_get_drvdata(device *dev) function to retrieve the
    pointer to the vfio_matrix_dev object in order to free its storage. The
    problem is, this object is not stored as drvdata with the device; since the
    kfree function will accept a NULL pointer, the memory for the
    vfio_matrix_dev object is never freed.
    
    Since the device being released is contained within the vfio_matrix_dev
    object, the container_of macro will be used to retrieve its pointer.
    
    Fixes: 1fde573413b5 ("s390: vfio-ap: base implementation of VFIO AP device driver")
    Signed-off-by: Tony Krowiak <akrowiak@linux.ibm.com>
    Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
    Link: https://lore.kernel.org/r/20230320150447.34557-1-akrowiak@linux.ibm.com
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c11dbc7705b3739974ac31a13f4ab81e61a5fb07
Author: Ivan Orlov <ivan.orlov0322@gmail.com>
Date:   Tue Mar 14 16:04:45 2023 +0400

    can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write
    
    [ Upstream commit 2b4c99f7d9a57ecd644eda9b1fb0a1072414959f ]
    
    Syzkaller reported the following issue:
    
    =====================================================
    BUG: KMSAN: uninit-value in aio_rw_done fs/aio.c:1520 [inline]
    BUG: KMSAN: uninit-value in aio_write+0x899/0x950 fs/aio.c:1600
     aio_rw_done fs/aio.c:1520 [inline]
     aio_write+0x899/0x950 fs/aio.c:1600
     io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
     __do_sys_io_submit fs/aio.c:2078 [inline]
     __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
     __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    Uninit was created at:
     slab_post_alloc_hook mm/slab.h:766 [inline]
     slab_alloc_node mm/slub.c:3452 [inline]
     __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491
     __do_kmalloc_node mm/slab_common.c:967 [inline]
     __kmalloc+0x11d/0x3b0 mm/slab_common.c:981
     kmalloc_array include/linux/slab.h:636 [inline]
     bcm_tx_setup+0x80e/0x29d0 net/can/bcm.c:930
     bcm_sendmsg+0x3a2/0xce0 net/can/bcm.c:1351
     sock_sendmsg_nosec net/socket.c:714 [inline]
     sock_sendmsg net/socket.c:734 [inline]
     sock_write_iter+0x495/0x5e0 net/socket.c:1108
     call_write_iter include/linux/fs.h:2189 [inline]
     aio_write+0x63a/0x950 fs/aio.c:1600
     io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
     __do_sys_io_submit fs/aio.c:2078 [inline]
     __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
     __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    CPU: 1 PID: 5034 Comm: syz-executor350 Not tainted 6.2.0-rc6-syzkaller-80422-geda666ff2276 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
    =====================================================
    
    We can follow the call chain and find that 'bcm_tx_setup' function
    calls 'memcpy_from_msg' to copy some content to the newly allocated
    frame of 'op->frames'. After that the 'len' field of copied structure
    being compared with some constant value (64 or 8). However, if
    'memcpy_from_msg' returns an error, we will compare some uninitialized
    memory. This triggers 'uninit-value' issue.
    
    This patch will add 'memcpy_from_msg' possible errors processing to
    avoid uninit-value issue.
    
    Tested via syzkaller
    
    Reported-by: syzbot+c9bfd85eca611ebf5db1@syzkaller.appspotmail.com
    Link: https://syzkaller.appspot.com/bug?id=47f897f8ad958bbde5790ebf389b5e7e0a345089
    Signed-off-by: Ivan Orlov <ivan.orlov0322@gmail.com>
    Fixes: 6f3b911d5f29b ("can: bcm: add support for CAN FD frames")
    Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Link: https://lore.kernel.org/all/20230314120445.12407-1-ivan.orlov0322@gmail.com
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7ffdf7e6fc92d636fb0871ecbfabf710f0ba36a9
Author: Rajvi Jingar <rajvi.jingar@linux.intel.com>
Date:   Mon Mar 20 14:20:29 2023 -0700

    platform/x86/intel/pmc: Alder Lake PCH slp_s0_residency fix
    
    [ Upstream commit fb5755100a0a5aa5957bdb204fd1e249684557fc ]
    
    For platforms with Alder Lake PCH (Alder Lake S and Raptor Lake S) the
    slp_s0_residency attribute has been reporting the wrong value. Unlike other
    platforms, ADL PCH does not have a counter for the time that the SLP_S0
    signal was asserted. Instead, firmware uses the aggregate of the Low Power
    Mode (LPM) substate counters as the S0ix value.  Since the LPM counters run
    at a different frequency, this lead to misreporting of the S0ix time.
    
    Add a check for Alder Lake PCH and adjust the frequency accordingly when
    display slp_s0_residency.
    
    Fixes: bbab31101f44 ("platform/x86/intel: pmc/core: Add Alderlake support to pmc core driver")
    Signed-off-by: Rajvi Jingar <rajvi.jingar@linux.intel.com>
    Signed-off-by: David E. Box <david.e.box@linux.intel.com>
    Reviewed-by: Rajneesh Bhardwaj <irenic.rajneesh@gmail.com>
    Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
    Link: https://lore.kernel.org/r/20230320212029.3154407-1-david.e.box@linux.intel.com
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 75084659969f5cd0287a86e7faae3ef0a5651d1e
Author: Imre Deak <imre.deak@intel.com>
Date:   Thu Mar 16 15:17:13 2023 +0200

    drm/i915/tc: Fix the ICL PHY ownership check in TC-cold state
    
    [ Upstream commit 38c583019484f190d5b33f59b8ae810e6b1763c6 ]
    
    The commit renaming icl_tc_phy_is_in_safe_mode() to
    icl_tc_phy_take_ownership() didn't flip the function's return value
    accordingly, fix this up.
    
    This didn't cause an actual problem besides state check errors, since
    the function is only used during HW readout.
    
    Cc: José Roberto de Souza <jose.souza@intel.com>
    Fixes: f53979d68a77 ("drm/i915/display/tc: Rename safe_mode functions ownership")
    Reviewed-by: José Roberto de Souza <jose.souza@intel.com>
    Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Signed-off-by: Imre Deak <imre.deak@intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20230316131724.359612-4-imre.deak@intel.com
    (cherry picked from commit f2c7959dda614d9b7c6a41510492de39d31705ec)
    Signed-off-by: Jani Nikula <jani.nikula@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ce1b88dd4013fa87bf80d3e675460f399daa508a
Author: Vladimir Oltean <vladimir.oltean@nxp.com>
Date:   Sat Mar 25 13:28:15 2023 +0200

    net: stmmac: don't reject VLANs when IFF_PROMISC is set
    
    [ Upstream commit a7602e7332b97cfbec7bacb0f1ade99a575fe104 ]
    
    The blamed commit has introduced the following tests to
    dwmac4_add_hw_vlan_rx_fltr(), called from stmmac_vlan_rx_add_vid():
    
            if (hw->promisc) {
                    netdev_err(dev,
                               "Adding VLAN in promisc mode not supported\n");
                    return -EPERM;
            }
    
    "VLAN promiscuous" mode is keyed in this driver to IFF_PROMISC, and so,
    vlan_vid_add() and vlan_vid_del() calls cannot take place in IFF_PROMISC
    mode. I have the following 2 arguments that this restriction is.... hm,
    how shall I put it nicely... unproductive :)
    
    First, take the case of a Linux bridge. If the kernel is compiled with
    CONFIG_BRIDGE_VLAN_FILTERING=y, then this bridge shall have a VLAN
    database. The bridge shall try to call vlan_add_vid() on its bridge
    ports for each VLAN in the VLAN table. It will do this irrespectively of
    whether that port is *currently* VLAN-aware or not. So it will do this
    even when the bridge was created with vlan_filtering 0.
    But the Linux bridge, in VLAN-unaware mode, configures its ports in
    promiscuous (IFF_PROMISC) mode, so that they accept packets with any
    MAC DA (a switch must do this in order to forward those packets which
    are not directly targeted to its MAC address).
    
    As a result, the stmmac driver does not work as a bridge port, when the
    kernel is compiled with CONFIG_BRIDGE_VLAN_FILTERING=y.
    
    $ ip link add br0 type bridge && ip link set br0 up
    $ ip link set eth0 master br0 && ip link set eth0 up
    [ 2333.943296] br0: port 1(eth0) entered blocking state
    [ 2333.943381] br0: port 1(eth0) entered disabled state
    [ 2333.943782] device eth0 entered promiscuous mode
    [ 2333.944080] 4033c000.ethernet eth0: Adding VLAN in promisc mode not supported
    [ 2333.976509] 4033c000.ethernet eth0: failed to initialize vlan filtering on this port
    RTNETLINK answers: Operation not permitted
    
    Secondly, take the case of stmmac as DSA master. Some switch tagging
    protocols are based on 802.1Q VLANs (tag_sja1105.c), and as such,
    tag_8021q.c uses vlan_vid_add() to work with VLAN-filtering DSA masters.
    But also, when a DSA port becomes promiscuous (for example when it joins
    a bridge), the DSA framework also makes the DSA master promiscuous.
    
    Moreover, for every VLAN that a DSA switch sends to the CPU, DSA also
    programs a VLAN filter on the DSA master, because if the the DSA switch
    uses a tail tag, then the hardware frame parser of the DSA master will
    see VLAN as VLAN, and might filter them out, for being unknown.
    
    Due to the above 2 reasons, my belief is that the stmmac driver does not
    get to choose to not accept vlan_vid_add() calls while IFF_PROMISC is
    enabled, because the 2 are completely independent and there are code
    paths in the network stack which directly lead to this situation
    occurring, without the user's direct input.
    
    In fact, my belief is that "VLAN promiscuous" mode should have never
    been keyed on IFF_PROMISC in the first place, but rather, on the
    NETIF_F_HW_VLAN_CTAG_FILTER feature flag which can be toggled by the
    user through ethtool -k, when present in netdev->hw_features.
    
    In the stmmac driver, NETIF_F_HW_VLAN_CTAG_FILTER is only present in
    "features", making this feature "on [fixed]".
    
    I have this belief because I am unaware of any definition of promiscuity
    which implies having an effect on anything other than MAC DA (therefore
    not VLAN). However, I seem to be rather alone in having this opinion,
    looking back at the disagreements from this discussion:
    https://lore.kernel.org/netdev/20201110153958.ci5ekor3o2ekg3ky@ipetronik.com/
    
    In any case, to remove the vlan_vid_add() dependency on !IFF_PROMISC,
    one would need to remove the check and see what fails. I guess the test
    was there because of the way in which dwmac4_vlan_promisc_enable() is
    implemented.
    
    For context, the dwmac4 supports Perfect Filtering for a limited number
    of VLANs - dwmac4_get_num_vlan(), priv->hw->num_vlan, with a fallback on
    Hash Filtering - priv->dma_cap.vlhash - see stmmac_vlan_update(), also
    visible in cat /sys/kernel/debug/stmmaceth/eth0/dma_cap | grep 'VLAN
    Hash Filtering'.
    
    The perfect filtering is based on MAC_VLAN_Tag_Filter/MAC_VLAN_Tag_Data
    registers, accessed in the driver through dwmac4_write_vlan_filter().
    
    The hash filtering is based on the MAC_VLAN_Hash_Table register, named
    GMAC_VLAN_HASH_TABLE in the driver and accessed by dwmac4_update_vlan_hash().
    The control bit for enabling hash filtering is GMAC_VLAN_VTHM
    (MAC_VLAN_Tag_Ctrl bit VTHM: VLAN Tag Hash Table Match Enable).
    
    Now, the description of dwmac4_vlan_promisc_enable() is that it iterates
    through the driver's cache of perfect filter entries (hw->vlan_filter[i],
    added by dwmac4_add_hw_vlan_rx_fltr()), and evicts them from hardware by
    unsetting their GMAC_VLAN_TAG_DATA_VEN (MAC_VLAN_Tag_Data bit VEN - VLAN
    Tag Enable) bit. Then it unsets the GMAC_VLAN_VTHM bit, which disables
    hash matching.
    
    This leaves the MAC, according to table "VLAN Match Status" from the
    documentation, to always enter these data paths:
    
    VID    |VLAN Perfect Filter |VTHM Bit |VLAN Hash Filter |Final VLAN Match
           |Match Result        |         |Match Result     |Status
    -------|--------------------|---------|-----------------|----------------
    VID!=0 |Fail                |0        |don't care       |Pass
    
    So, dwmac4_vlan_promisc_enable() does its job, but by unsetting
    GMAC_VLAN_VTHM, it conflicts with the other code path which controls
    this bit: dwmac4_update_vlan_hash(), called through stmmac_update_vlan_hash()
    from stmmac_vlan_rx_add_vid() and from stmmac_vlan_rx_kill_vid().
    This is, I guess, why dwmac4_add_hw_vlan_rx_fltr() is not allowed to run
    after dwmac4_vlan_promisc_enable() has unset GMAC_VLAN_VTHM: because if
    it did, then dwmac4_update_vlan_hash() would set GMAC_VLAN_VTHM again,
    breaking the "VLAN promiscuity".
    
    It turns out that dwmac4_vlan_promisc_enable() is way too complicated
    for what needs to be done. The MAC_Packet_Filter register also has the
    VTFE bit (VLAN Tag Filter Enable), which simply controls whether VLAN
    tagged packets which don't match the filtering tables (either perfect or
    hash) are dropped or not. At the moment, this driver unconditionally
    sets GMAC_PACKET_FILTER_VTFE if NETIF_F_HW_VLAN_CTAG_FILTER was detected
    through the priv->dma_cap.vlhash capability bits of the device, in
    stmmac_dvr_probe().
    
    I would suggest deleting the unnecessarily complex logic from
    dwmac4_vlan_promisc_enable(), and simply unsetting GMAC_PACKET_FILTER_VTFE
    when becoming IFF_PROMISC, which has the same effect of allowing packets
    with any VLAN tags, but has the additional benefit of being able to run
    concurrently with stmmac_vlan_rx_add_vid() and stmmac_vlan_rx_kill_vid().
    
    As much as I believe that the VTFE bit should have been exclusively
    controlled by NETIF_F_HW_VLAN_CTAG_FILTER through ethtool, and not by
    IFF_PROMISC, changing that is not a punctual fix to the problem, and it
    would probably break the VFFQ feature added by the later commit
    e0f9956a3862 ("net: stmmac: Add option for VLAN filter fail queue
    enable"). From the commit description, VFFQ needs IFF_PROMISC=on and
    VTFE=off in order to work (and this change respects that). But if VTFE
    was changed to be controlled through ethtool -k, then a user-visible
    change would have been introduced in Intel's scripts (a need to run
    "ethtool -k eth0 rx-vlan-filter off" which did not exist before).
    
    The patch was tested with this set of commands:
    
      ip link set eth0 up
      ip link add link eth0 name eth0.100 type vlan id 100
      ip addr add 192.168.100.2/24 dev eth0.100 && ip link set eth0.100 up
      ip link set eth0 promisc on
      ip link add link eth0 name eth0.101 type vlan id 101
      ip addr add 192.168.101.2/24 dev eth0.101 && ip link set eth0.101 up
      ip link set eth0 promisc off
      ping -c 5 192.168.100.1
      ping -c 5 192.168.101.1
      ip link set eth0 promisc on
      ping -c 5 192.168.100.1
      ping -c 5 192.168.101.1
      ip link del eth0.100
      ip link del eth0.101
      # Wait for VLAN-tagged pings from the other end...
      # Check with "tcpdump -i eth0 -e -n -p" and we should see them
      ip link set eth0 promisc off
      # Wait for VLAN-tagged pings from the other end...
      # Check with "tcpdump -i eth0 -e -n -p" and we shouldn't see them
      # anymore, but remove the "-p" argument from tcpdump and they're there.
    
    Fixes: c89f44ff10fd ("net: stmmac: Add support for VLAN promiscuous mode")
    Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c942f5cd63b7c2e73fe06744185a34b03267595b
Author: Faicker Mo <faicker.mo@ucloud.cn>
Date:   Fri Mar 24 17:19:54 2023 +0800

    net/net_failover: fix txq exceeding warning
    
    [ Upstream commit e3cbdcb0fbb61045ef3ce0e072927cc41737f787 ]
    
    The failover txq is inited as 16 queues.
    when a packet is transmitted from the failover device firstly,
    the failover device will select the queue which is returned from
    the primary device if the primary device is UP and running.
    If the primary device txq is bigger than the default 16,
    it can lead to the following warning:
    eth0 selects TX queue 18, but real number of TX queues is 16
    
    The warning backtrace is:
    [   32.146376] CPU: 18 PID: 9134 Comm: chronyd Tainted: G            E      6.2.8-1.el7.centos.x86_64 #1
    [   32.147175] Hardware name: Red Hat KVM, BIOS 1.10.2-3.el7_4.1 04/01/2014
    [   32.147730] Call Trace:
    [   32.147971]  <TASK>
    [   32.148183]  dump_stack_lvl+0x48/0x70
    [   32.148514]  dump_stack+0x10/0x20
    [   32.148820]  netdev_core_pick_tx+0xb1/0xe0
    [   32.149180]  __dev_queue_xmit+0x529/0xcf0
    [   32.149533]  ? __check_object_size.part.0+0x21c/0x2c0
    [   32.149967]  ip_finish_output2+0x278/0x560
    [   32.150327]  __ip_finish_output+0x1fe/0x2f0
    [   32.150690]  ip_finish_output+0x2a/0xd0
    [   32.151032]  ip_output+0x7a/0x110
    [   32.151337]  ? __pfx_ip_finish_output+0x10/0x10
    [   32.151733]  ip_local_out+0x5e/0x70
    [   32.152054]  ip_send_skb+0x19/0x50
    [   32.152366]  udp_send_skb.isra.0+0x163/0x3a0
    [   32.152736]  udp_sendmsg+0xba8/0xec0
    [   32.153060]  ? __folio_memcg_unlock+0x25/0x60
    [   32.153445]  ? __pfx_ip_generic_getfrag+0x10/0x10
    [   32.153854]  ? sock_has_perm+0x85/0xa0
    [   32.154190]  inet_sendmsg+0x6d/0x80
    [   32.154508]  ? inet_sendmsg+0x6d/0x80
    [   32.154838]  sock_sendmsg+0x62/0x70
    [   32.155152]  ____sys_sendmsg+0x134/0x290
    [   32.155499]  ___sys_sendmsg+0x81/0xc0
    [   32.155828]  ? _get_random_bytes.part.0+0x79/0x1a0
    [   32.156240]  ? ip4_datagram_release_cb+0x5f/0x1e0
    [   32.156649]  ? get_random_u16+0x69/0xf0
    [   32.156989]  ? __fget_light+0xcf/0x110
    [   32.157326]  __sys_sendmmsg+0xc4/0x210
    [   32.157657]  ? __sys_connect+0xb7/0xe0
    [   32.157995]  ? __audit_syscall_entry+0xce/0x140
    [   32.158388]  ? syscall_trace_enter.isra.0+0x12c/0x1a0
    [   32.158820]  __x64_sys_sendmmsg+0x24/0x30
    [   32.159171]  do_syscall_64+0x38/0x90
    [   32.159493]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
    
    Fix that by reducing txq number as the non-existent primary-dev does.
    
    Fixes: cfc80d9a1163 ("net: Introduce net_failover driver")
    Signed-off-by: Faicker Mo <faicker.mo@ucloud.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f70328a0bfb2e3dea05682638c9c0e0d7b8ce2f2
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Sun Mar 26 10:29:33 2023 +0200

    regulator: Handle deferred clk
    
    [ Upstream commit 02bcba0b9f9da706d5bd1e8cbeb83493863e17b5 ]
    
    devm_clk_get() can return -EPROBE_DEFER. So it is better to return the
    error code from devm_clk_get(), instead of a hard coded -ENOENT.
    
    This gives more opportunities to successfully probe the driver.
    
    Fixes: 8959e5324485 ("regulator: fixed: add possibility to enable by clock")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Link: https://lore.kernel.org/r/18459fae3d017a66313699c7c8456b28158b2dd0.1679819354.git.christophe.jaillet@wanadoo.fr
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1b808f5d844953a2208dbb56aa2003503edc8d7a
Author: ChunHao Lin <hau@realtek.com>
Date:   Thu Mar 23 22:33:09 2023 +0800

    r8169: fix RTL8168H and RTL8107E rx crc error
    
    [ Upstream commit 33189f0a94b9639c058781fcf82e4ea3803b1682 ]
    
    When link speed is 10 Mbps and temperature is under -20°C, RTL8168H and
    RTL8107E may have rx crc error. Disable phy 10 Mbps pll off to fix this
    issue.
    
    Fixes: 6e1d0b898818 ("r8169:add support for RTL8168H and RTL8107E")
    Signed-off-by: ChunHao Lin <hau@realtek.com>
    Reviewed-by: Heiner Kallweit <hkallweit1@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4ffa3fec1c3496c317eb54749b432f21cae77d32
Author: Oleksij Rempel <linux@rempel-privat.de>
Date:   Fri Mar 24 09:06:08 2023 +0100

    net: dsa: microchip: ksz8: fix MDB configuration with non-zero VID
    
    [ Upstream commit 9aa5757e1f71d85facdc3c98028762cbab8d15c7 ]
    
    FID is directly mapped to VID. However, configuring a MAC address with a
    VID != 0 resulted in incorrect configuration due to an incorrect bit
    mask. This kernel commit fixed the issue by correcting the bit mask and
    ensuring proper configuration of MAC addresses with non-zero VID.
    
    Fixes: 4b20a07e103f ("net: dsa: microchip: ksz8795: add support for ksz88xx chips")
    Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Acked-by: Arun Ramadoss <arun.ramadoss@microchip.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit adfe556652033b6f878edb760992965aba730537
Author: Oleksij Rempel <linux@rempel-privat.de>
Date:   Fri Mar 24 09:06:07 2023 +0100

    net: dsa: microchip: ksz8863_smi: fix bulk access
    
    [ Upstream commit 392ff7a84cbca34118ca286dfbfe8aee24605897 ]
    
    Current regmap bulk access is broken, resulting to wrong reads/writes
    if ksz_read64/ksz_write64 functions are used.
    Mostly this issue was visible by using ksz8_fdb_dump(), which returned
    corrupt MAC address.
    
    The reason is that regmap was configured to have max_raw_read/write,
    even if ksz8863_mdio_read/write functions are able to handle unlimited
    read/write accesses. On ksz_read64 function we are using multiple 32bit
    accesses by incrementing each access by 1 instead of 4. Resulting buffer
    had 01234567.12345678 instead of 01234567.89abcdef.
    
    We have multiple ways to fix it:
    - enable 4 byte alignment for 32bit accesses. Since the HW do not have
      this requirement. It will break driver.
    - disable max_raw_* limit.
    
    This patch is removing max_raw_* limit for regmap accesses in ksz8863_smi.
    
    Fixes: 60a364760002 ("net: dsa: microchip: Add Microchip KSZ8863 SMI based driver support")
    Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8d86ea65e0f19d978d8b359d081f45b7684301cc
Author: Oleksij Rempel <linux@rempel-privat.de>
Date:   Fri Mar 24 09:06:06 2023 +0100

    net: dsa: microchip: ksz8: ksz8_fdb_dump: avoid extracting ghost entry from empty dynamic MAC table.
    
    [ Upstream commit 492606cdc74804d372ab1bdb8f3ef4a6fb6f9f59 ]
    
    If the dynamic MAC table is empty, we will still extract one outdated
    entry. Fix it by using correct bit offset.
    
    Fixes: 4b20a07e103f ("net: dsa: microchip: ksz8795: add support for ksz88xx chips")
    Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Acked-by: Arun Ramadoss <arun.ramadoss@microchip.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 628f76b8ae7b8d63f41b5fa9086b2060390a6096
Author: Oleksij Rempel <linux@rempel-privat.de>
Date:   Fri Mar 24 09:06:05 2023 +0100

    net: dsa: microchip: ksz8: fix offset for the timestamp filed
    
    [ Upstream commit b3177aab89be540dc50d2328427b073361093e38 ]
    
    We are using wrong offset, so we will get not a timestamp.
    
    Fixes: 4b20a07e103f ("net: dsa: microchip: ksz8795: add support for ksz88xx chips")
    Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Acked-by: Arun Ramadoss <arun.ramadoss@microchip.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 91840597869daf7faa35e6387f5b9636678b9e9c
Author: Oleksij Rempel <linux@rempel-privat.de>
Date:   Fri Mar 24 09:06:04 2023 +0100

    net: dsa: microchip: ksz8: fix ksz8_fdb_dump() to extract all 1024 entries
    
    [ Upstream commit 5d90492dd4ff50ad65c582c76c345d0b90001728 ]
    
    Current ksz8_fdb_dump() is able to extract only max 249 entries on
    the ksz8863/ksz8873 series of switches. This happened due to wrong
    bit mask and offset calculation.
    
    This commit corrects the issue and allows for the complete extraction of
    all 1024 entries.
    
    Fixes: 4b20a07e103f ("net: dsa: microchip: ksz8795: add support for ksz88xx chips")
    Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Acked-by: Arun Ramadoss <arun.ramadoss@microchip.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9524c2ea47ccac230693135014880417102bddf7
Author: Oleksij Rempel <linux@rempel-privat.de>
Date:   Fri Mar 24 09:06:03 2023 +0100

    net: dsa: microchip: ksz8: fix ksz8_fdb_dump()
    
    [ Upstream commit 88e943e83827a349f70c3464b3eba7260be7461d ]
    
    Before this patch, the ksz8_fdb_dump() function had several issues, such
    as uninitialized variables and incorrect usage of source port as a bit
    mask. These problems caused inaccurate reporting of vid information and
    port assignment in the bridge fdb.
    
    Fixes: e587be759e6e ("net: dsa: microchip: update fdb add/del/dump in ksz_common")
    Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Acked-by: Arun Ramadoss <arun.ramadoss@microchip.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 43b4331ce0cd88ccba425e0702ba35c1a52daccf
Author: SongJingyi <u201912584@hust.edu.cn>
Date:   Fri Mar 24 11:14:06 2023 +0800

    ptp_qoriq: fix memory leak in probe()
    
    [ Upstream commit f33642224e38d7e0d59336e10e7b4e370b1c4506 ]
    
    Smatch complains that:
    drivers/ptp/ptp_qoriq.c ptp_qoriq_probe()
    warn: 'base' from ioremap() not released.
    
    Fix this by revising the parameter from 'ptp_qoriq->base' to 'base'.
    This is only a bug if ptp_qoriq_init() returns on the
    first -ENODEV error path.
    For other error paths ptp_qoriq->base and base are the same.
    And this change makes the code more readable.
    
    Fixes: 7f4399ba405b ("ptp_qoriq: fix NULL access if ptp dt node missing")
    Signed-off-by: SongJingyi <u201912584@hust.edu.cn>
    Reviewed-by: Dan Carpenter <error27@gmail.com>
    Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
    Link: https://lore.kernel.org/r/20230324031406.1895159-1-u201912584@hust.edu.cn
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit cc0f9bb99735d2b68fac68f37b585d615728ce5b
Author: Ahmad Fatoum <a.fatoum@pengutronix.de>
Date:   Thu Mar 23 11:37:35 2023 +0100

    net: dsa: realtek: fix out-of-bounds access
    
    [ Upstream commit b93eb564869321d0dffaf23fcc5c88112ed62466 ]
    
    The probe function sets priv->chip_data to (void *)priv + sizeof(*priv)
    with the expectation that priv has enough trailing space.
    
    However, only realtek-smi actually allocated this chip_data space.
    Do likewise in realtek-mdio to fix out-of-bounds accesses.
    
    These accesses likely went unnoticed so far, because of an (unused)
    buf[4096] member in struct realtek_priv, which caused kmalloc to
    round up the allocated buffer to a big enough size, so nothing of
    value was overwritten. With a different allocator (like in the barebox
    bootloader port of the driver) or with KASAN, the memory corruption
    becomes quickly apparent.
    
    Fixes: aac94001067d ("net: dsa: realtek: add new mdio interface for drivers")
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Reviewed-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
    Reviewed-by: Alvin Å ipraga <alsi@bang-olufsen.dk>
    Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
    Link: https://lore.kernel.org/r/20230323103735.2331786-1-a.fatoum@pengutronix.de
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 089e6318e1de220ec85f55bcc66d69cecd49bae3
Author: Jerry Snitselaar <jsnitsel@redhat.com>
Date:   Fri Mar 24 12:32:04 2023 -0700

    scsi: mpt3sas: Don't print sense pool info twice
    
    [ Upstream commit d684a7a26f7d2c7122a4581ac966ed64e88fb29c ]
    
    _base_allocate_sense_dma_pool() already prints out the sense pool
    information, so don't print it a second time after calling it in
    _base_allocate_memory_pools(). In addition the version in
    _base_allocate_memory_pools() was using the wrong size value, sz, which was
    last assigned when doing some nvme calculations instead of sense_sz to
    determine the pool size in kilobytes.
    
    Cc: Sathya Prakash <sathya.prakash@broadcom.com>
    Cc: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
    Cc: Suganath Prabu Subramani <suganath-prabu.subramani@broadcom.com>
    Cc: MPT-FusionLinux.pdl@broadcom.com
    Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
    Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
    Fixes: 970ac2bb70e7 ("scsi: mpt3sas: Force sense buffer allocations to be within same 4 GB region")
    Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
    Link: https://lore.kernel.org/r/20230324193204.567932-1-jsnitsel@redhat.com
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9526222c1a11a18a0e038a28c5597edde394dc8a
Author: Tomas Henzl <thenzl@redhat.com>
Date:   Fri Mar 24 16:01:34 2023 +0100

    scsi: megaraid_sas: Fix crash after a double completion
    
    [ Upstream commit 2309df27111a51734cb9240b4d3c25f2f3c6ab06 ]
    
    When a physical disk is attached directly "without JBOD MAP support" (see
    megasas_get_tm_devhandle()) then there is no real error handling in the
    driver.  Return FAILED instead of SUCCESS.
    
    Fixes: 18365b138508 ("megaraid_sas: Task management support")
    Signed-off-by: Tomas Henzl <thenzl@redhat.com>
    Link: https://lore.kernel.org/r/20230324150134.14696-1-thenzl@redhat.com
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1da26860a348e898120deade0ee4813039caee7a
Author: Íñigo Huguet <ihuguet@redhat.com>
Date:   Thu Mar 23 09:34:17 2023 +0100

    sfc: ef10: don't overwrite offload features at NIC reset
    
    [ Upstream commit ca4a80e4bb7e87daf33b27d2ab9e4f5311018a89 ]
    
    At NIC reset, some offload features related to encapsulated traffic
    might have changed (this mainly happens if the firmware-variant is
    changed with the sfboot userspace tool). Because of this, features are
    checked and set again at reset time.
    
    However, this was not done right, and some features were improperly
    overwritten at NIC reset:
    - Tunneled IPv6 segmentation was always disabled
    - Features disabled with ethtool were reenabled
    - Features that becomes unsupported after the reset were not disabled
    
    Also, checking if the device supports IPV6_CSUM to enable TSO6 is no
    longer necessary because all currently supported devices support it.
    Additionally, move the assignment of some other features to the
    EF10_OFFLOAD_FEATURES macro, like it is done in ef100, leaving the
    selection of features in efx_pci_probe_post_io a bit cleaner.
    
    Fixes: ffffd2454a7a ("sfc: correctly advertise tunneled IPv6 segmentation")
    Fixes: 24b2c3751aa3 ("sfc: advertise encapsulated offloads on EF10")
    Reported-by: Tianhao Zhao <tizhao@redhat.com>
    Suggested-by: Jonathan Cooper <jonathan.s.cooper@amd.com>
    Tested-by: Jonathan Cooper <jonathan.s.cooper@amd.com>
    Signed-off-by: Íñigo Huguet <ihuguet@redhat.com>
    Acked-by: Edward Cree <ecree.xilinx@gmail.com>
    Link: https://lore.kernel.org/r/20230323083417.7345-1-ihuguet@redhat.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c5a159d5e5591bc9336048db05752d018f3cd9fe
Author: Siddharth Kawar <Siddharth.Kawar@microsoft.com>
Date:   Mon Mar 20 20:37:40 2023 +0000

    SUNRPC: fix shutdown of NFS TCP client socket
    
    [ Upstream commit 943d045a6d796175e5d08f9973953b1d2c07d797 ]
    
    NFS server Duplicate Request Cache (DRC) algorithms rely on NFS clients
    reconnecting using the same local TCP port. Unique NFS operations are
    identified by the per-TCP connection set of XIDs. This prevents file
    corruption when non-idempotent NFS operations are retried.
    
    Currently, NFS client TCP connections are using different local TCP ports
    when reconnecting to NFS servers.
    
    After an NFS server initiates shutdown of the TCP connection, the NFS
    client's TCP socket is set to NULL after the socket state has reached
    TCP_LAST_ACK(9). When reconnecting, the new socket attempts to reuse
    the same local port but fails with EADDRNOTAVAIL (99). This forces the
    socket to use a different local TCP port to reconnect to the remote NFS
    server.
    
    State Transition and Events:
    TCP_CLOSE_WAIT(8)
    TCP_LAST_ACK(9)
    connect(fail EADDRNOTAVAIL(99))
    TCP_CLOSE(7)
    bind on new port
    connect success
    
    dmesg excerpts showing reconnect switching from TCP local port of 926 to
    763 after commit 7c81e6a9d75b:
    [13354.947854] NFS call  mkdir testW
    ...
    [13405.654781] RPC:       xs_tcp_state_change client 00000000037d0f03...
    [13405.654813] RPC:       state 8 conn 1 dead 0 zapped 1 sk_shutdown 1
    [13405.654826] RPC:       xs_data_ready...
    [13405.654892] RPC:       xs_tcp_state_change client 00000000037d0f03...
    [13405.654895] RPC:       state 9 conn 0 dead 0 zapped 1 sk_shutdown 3
    [13405.654899] RPC:       xs_tcp_state_change client 00000000037d0f03...
    [13405.654900] RPC:       state 9 conn 0 dead 0 zapped 1 sk_shutdown 3
    [13405.654950] RPC:       xs_connect scheduled xprt 00000000037d0f03
    [13405.654975] RPC:       xs_bind 0.0.0.0:926: ok (0)
    [13405.654980] RPC:       worker connecting xprt 00000000037d0f03 via tcp
                              to 10.101.6.228 (port 2049)
    [13405.654991] RPC:       00000000037d0f03 connect status 99 connected 0
                              sock state 7
    [13405.655001] RPC:       xs_tcp_state_change client 00000000037d0f03...
    [13405.655002] RPC:       state 7 conn 0 dead 0 zapped 1 sk_shutdown 3
    [13405.655024] RPC:       xs_connect scheduled xprt 00000000037d0f03
    [13405.655038] RPC:       xs_bind 0.0.0.0:763: ok (0)
    [13405.655041] RPC:       worker connecting xprt 00000000037d0f03 via tcp
                              to 10.101.6.228 (port 2049)
    [13405.655065] RPC:       00000000037d0f03 connect status 115 connected 0
                              sock state 2
    
    State Transition and Events with patch applied:
    TCP_CLOSE_WAIT(8)
    TCP_LAST_ACK(9)
    TCP_CLOSE(7)
    connect(reuse of port succeeds)
    
    dmesg excerpts showing reconnect on same TCP local port of 936 with patch
    applied:
    [  257.139935] NFS: mkdir(0:59/560857152), testQ
    [  257.139937] NFS call  mkdir testQ
    ...
    [  307.822702] RPC:       state 8 conn 1 dead 0 zapped 1 sk_shutdown 1
    [  307.822714] RPC:       xs_data_ready...
    [  307.822817] RPC:       xs_tcp_state_change client 00000000ce702f14...
    [  307.822821] RPC:       state 9 conn 0 dead 0 zapped 1 sk_shutdown 3
    [  307.822825] RPC:       xs_tcp_state_change client 00000000ce702f14...
    [  307.822826] RPC:       state 9 conn 0 dead 0 zapped 1 sk_shutdown 3
    [  307.823606] RPC:       xs_tcp_state_change client 00000000ce702f14...
    [  307.823609] RPC:       state 7 conn 0 dead 0 zapped 1 sk_shutdown 3
    [  307.823629] RPC:       xs_tcp_state_change client 00000000ce702f14...
    [  307.823632] RPC:       state 7 conn 0 dead 0 zapped 1 sk_shutdown 3
    [  307.823676] RPC:       xs_connect scheduled xprt 00000000ce702f14
    [  307.823704] RPC:       xs_bind 0.0.0.0:936: ok (0)
    [  307.823709] RPC:       worker connecting xprt 00000000ce702f14 via tcp
                              to 10.101.1.30 (port 2049)
    [  307.823748] RPC:       00000000ce702f14 connect status 115 connected 0
                              sock state 2
    ...
    [  314.916193] RPC:       state 7 conn 0 dead 0 zapped 1 sk_shutdown 3
    [  314.916251] RPC:       xs_connect scheduled xprt 00000000ce702f14
    [  314.916282] RPC:       xs_bind 0.0.0.0:936: ok (0)
    [  314.916292] RPC:       worker connecting xprt 00000000ce702f14 via tcp
                              to 10.101.1.30 (port 2049)
    [  314.916342] RPC:       00000000ce702f14 connect status 115 connected 0
                              sock state 2
    
    Fixes: 7c81e6a9d75b ("SUNRPC: Tweak TCP socket shutdown in the RPC client")
    Signed-off-by: Siddharth Rajendra Kawar <sikawar@microsoft.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 43b70c9c4c903ec400de32604f298b3147a1ab0a
Author: Arseniy Krasnov <avkrasnov@sberdevices.ru>
Date:   Mon Mar 13 10:32:44 2023 +0300

    mtd: rawnand: meson: invalidate cache on polling ECC bit
    
    [ Upstream commit e732e39ed9929c05fd219035bc9653ba4100d4fa ]
    
    'info_buf' memory is cached and driver polls ECC bit in it. This bit
    is set by the NAND controller. If 'usleep_range()' returns before device
    sets this bit, 'info_buf' will be cached and driver won't see update of
    this bit and will loop forever.
    
    Fixes: 8fae856c5350 ("mtd: rawnand: meson: add support for Amlogic NAND flash controller")
    Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
    Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Link: https://lore.kernel.org/linux-mtd/d4ef0bd6-816e-f6fa-9385-f05f775f0ae2@sberdevices.ru
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 53dc0b69fbac82ab6b2286728e100a77a862fa83
Author: Liang He <windhl@126.com>
Date:   Wed Mar 22 11:30:57 2023 +0800

    platform/surface: aggregator: Add missing fwnode_handle_put()
    
    [ Upstream commit acd0acb802b90f88d19ad4337183e44fd0f77c50 ]
    
    In fwnode_for_each_child_node(), we should add
    fwnode_handle_put() when break out of the iteration
    fwnode_for_each_child_node() as it will automatically
    increase and decrease the refcounter.
    
    Fixes: fc622b3d36e6 ("platform/surface: Set up Surface Aggregator device registry")
    Signed-off-by: Liang He <windhl@126.com>
    Reviewed-by: Maximilian Luz <luzmaximilian@gmail.com>
    Link: https://lore.kernel.org/r/20230322033057.1855741-1-windhl@126.com
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f0a67ad7dce49d93570edc795e0312bb787f19bb
Author: Mark Pearson <mpearson-lenovo@squebb.ca>
Date:   Sun Mar 19 20:32:21 2023 -0400

    platform/x86: think-lmi: Add possible_values for ThinkStation
    
    [ Upstream commit 8a02d70679fc1c434401863333c8ea7dbf201494 ]
    
    ThinkStation platforms don't support the API to return possible_values
    but instead embed it in the settings string.
    
    Try and extract this information and set the possible_values attribute
    appropriately.
    
    Fixes: a40cd7ef22fb ("platform/x86: think-lmi: Add WMI interface support on Lenovo platforms")
    Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
    Link: https://lore.kernel.org/r/20230320003221.561750-4-mpearson-lenovo@squebb.ca
    Reviewed-by: Thomas Weißschuh <linux@weissschuh.net>
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5b2e50d837f2c55a1101e26c4250f4462eb16f75
Author: Mark Pearson <mpearson-lenovo@squebb.ca>
Date:   Sun Mar 19 20:32:20 2023 -0400

    platform/x86: think-lmi: only display possible_values if available
    
    [ Upstream commit cf337f27f3bfc4aeab4954c468239fd6233c7638 ]
    
    Some attributes don't have any values available. In those cases don't
    make the possible_values entry visible.
    
    Fixes: a40cd7ef22fb ("platform/x86: think-lmi: Add WMI interface support on Lenovo platforms")
    Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
    Link: https://lore.kernel.org/r/20230320003221.561750-3-mpearson-lenovo@squebb.ca
    Reviewed-by: Thomas Weißschuh <linux@weissschuh.net>
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3991efd0c1aa989a23c4b922c7d36a31b6aab83c
Author: Mark Pearson <mpearson-lenovo@squebb.ca>
Date:   Sun Mar 19 20:32:19 2023 -0400

    platform/x86: think-lmi: use correct possible_values delimiters
    
    [ Upstream commit 45e21289bfc6e257885514790a8a8887da822d40 ]
    
    firmware-attributes class requires that possible values are delimited
    using ';' but the Lenovo firmware uses ',' instead.
    Parse string and replace where appropriate.
    
    Suggested-by: Thomas Weißschuh <linux@weissschuh.net>
    Fixes: a40cd7ef22fb ("platform/x86: think-lmi: Add WMI interface support on Lenovo platforms")
    Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
    Link: https://lore.kernel.org/r/20230320003221.561750-2-mpearson-lenovo@squebb.ca
    Reviewed-by: Thomas Weißschuh <linux@weissschuh.net>
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6c69f1ab7bdc97b2df37a9d3f7bbdb45ddbeab17
Author: Mark Pearson <mpearson-lenovo@squebb.ca>
Date:   Sun Mar 19 20:32:18 2023 -0400

    platform/x86: think-lmi: add missing type attribute
    
    [ Upstream commit 583329dcf22e568a328a944f20427ccfc95dce01 ]
    
    This driver was missing the mandatory type attribute...oops.
    
    Add it in along with logic to determine whether the attribute is an
    enumeration type or a string by parsing the possible_values attribute.
    
    Upstream bug https://bugzilla.kernel.org/show_bug.cgi?id=216460
    
    Fixes: a40cd7ef22fb ("platform/x86: think-lmi: Add WMI interface support on Lenovo platforms")
    Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
    Link: https://lore.kernel.org/r/20230320003221.561750-1-mpearson-lenovo@squebb.ca
    Reviewed-by: Thomas Weißschuh <linux@weissschuh.net>
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ba85e83f9330b73db7d3f8ea0bf6fc41e65a8633
Author: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Date:   Fri Mar 10 21:34:58 2023 +0900

    PCI: dwc: Fix PORT_LINK_CONTROL update when CDM check enabled
    
    [ Upstream commit cdce67099117ece371582f706c6eff7d3a65326d ]
    
    If CDM_CHECK is enabled (by the DT "snps,enable-cdm-check" property), 'val'
    is overwritten by PCIE_PL_CHK_REG_CONTROL_STATUS initialization.  Commit
    ec7b952f453c ("PCI: dwc: Always enable CDM check if "snps,enable-cdm-check"
    exists") did not account for further usage of 'val', so we wrote improper
    values to PCIE_PORT_LINK_CONTROL when the CDM check is enabled.
    
    Move the PCIE_PORT_LINK_CONTROL update to be completely after the
    PCIE_PL_CHK_REG_CONTROL_STATUS register initialization.
    
    [bhelgaas: commit log adapted from Serge's version]
    Fixes: ec7b952f453c ("PCI: dwc: Always enable CDM check if "snps,enable-cdm-check" exists")
    Link: https://lore.kernel.org/r/20230310123510.675685-2-yoshihiro.shimoda.uh@renesas.com
    Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e39afd6095a59ddecfd44422241db7605c8846e7
Author: Takashi Iwai <tiwai@suse.de>
Date:   Mon Mar 20 15:28:38 2023 +0100

    ALSA: usb-audio: Fix recursive locking at XRUN during syncing
    
    [ Upstream commit 8c721c53dda512fdd48eb24d6d99e56deee57898 ]
    
    The recent support of low latency playback in USB-audio driver made
    the snd_usb_queue_pending_output_urbs() function to be called via PCM
    ack ops.  In the new code path, the function is performed already in
    the PCM stream lock.  The problem is that, when an XRUN is detected,
    the function calls snd_pcm_xrun() to notify, but snd_pcm_xrun() is
    supposed to be called only outside the stream lock.  As a result, it
    leads to a deadlock of PCM stream locking.
    
    For avoiding such a recursive locking, this patch adds an additional
    check to the code paths in PCM core that call the ack callback; now it
    checks the error code from the callback, and if it's -EPIPE, the XRUN
    is handled in the PCM core side gracefully.  Along with it, the
    USB-audio driver code is changed to follow that, i.e. -EPIPE is
    returned instead of the explicit snd_pcm_xrun() call when the function
    is performed already in the stream lock.
    
    Fixes: d5f871f89e21 ("ALSA: usb-audio: Improved lowlatency playback support")
    Reported-and-tested-by: John Keeping <john@metanate.com>
    Link: https://lore.kernel.org/r/20230317195128.3911155-1-john@metanate.com
    Reviewed-by: Jaroslav Kysela <perex@perex.cz>
    Reviewed-by; Takashi Sakamoto <o-takashi@sakamocchi.jp>
    Link: https://lore.kernel.org/r/20230320142838.494-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2cdbcff99f15db86a10672fb220379a1ae46ccae
Author: Álvaro Fernández Rojas <noltari@gmail.com>
Date:   Fri Mar 17 11:20:04 2023 +0100

    mips: bmips: BCM6358: disable RAC flush for TP1
    
    [ Upstream commit ab327f8acdf8d06601fbf058859a539a9422afff ]
    
    RAC flush causes kernel panics on BCM6358 with EHCI/OHCI when booting from TP1:
    [    3.881739] usb 1-1: new high-speed USB device number 2 using ehci-platform
    [    3.895011] Reserved instruction in kernel code[#1]:
    [    3.900113] CPU: 0 PID: 1 Comm: init Not tainted 5.10.16 #0
    [    3.905829] $ 0   : 00000000 10008700 00000000 77d94060
    [    3.911238] $ 4   : 7fd1f088 00000000 81431cac 81431ca0
    [    3.916641] $ 8   : 00000000 ffffefff 8075cd34 00000000
    [    3.922043] $12   : 806f8d40 f3e812b7 00000000 000d9aaa
    [    3.927446] $16   : 7fd1f068 7fd1f080 7ff559b8 81428470
    [    3.932848] $20   : 00000000 00000000 55590000 77d70000
    [    3.938251] $24   : 00000018 00000010
    [    3.943655] $28   : 81430000 81431e60 81431f28 800157fc
    [    3.949058] Hi    : 00000000
    [    3.952013] Lo    : 00000000
    [    3.955019] epc   : 80015808 setup_sigcontext+0x54/0x24c
    [    3.960464] ra    : 800157fc setup_sigcontext+0x48/0x24c
    [    3.965913] Status: 10008703 KERNEL EXL IE
    [    3.970216] Cause : 00800028 (ExcCode 0a)
    [    3.974340] PrId  : 0002a010 (Broadcom BMIPS4350)
    [    3.979170] Modules linked in: ohci_platform ohci_hcd fsl_mph_dr_of ehci_platform ehci_fsl ehci_hcd gpio_button_hotplug usbcore nls_base usb_common
    [    3.992907] Process init (pid: 1, threadinfo=(ptrval), task=(ptrval), tls=77e22ec8)
    [    4.000776] Stack : 81431ef4 7fd1f080 81431f28 81428470 7fd1f068 81431edc 7ff559b8 81428470
    [    4.009467]         81431f28 7fd1f080 55590000 77d70000 77d5498c 80015c70 806f0000 8063ae74
    [    4.018149]         08100002 81431f28 0000000a 08100002 81431f28 0000000a 77d6b418 00000003
    [    4.026831]         ffffffff 80016414 80080734 81431ecc 81431ecc 00000001 00000000 04000000
    [    4.035512]         77d54874 00000000 00000000 00000000 00000000 00000012 00000002 00000000
    [    4.044196]         ...
    [    4.046706] Call Trace:
    [    4.049238] [<80015808>] setup_sigcontext+0x54/0x24c
    [    4.054356] [<80015c70>] setup_frame+0xdc/0x124
    [    4.059015] [<80016414>] do_notify_resume+0x1dc/0x288
    [    4.064207] [<80011b50>] work_notifysig+0x10/0x18
    [    4.069036]
    [    4.070538] Code: 8fc300b4  00001025  26240008 <ac820000> ac830004  3c048063  0c0228aa  24846a00  26240010
    [    4.080686]
    [    4.082517] ---[ end trace 22a8edb41f5f983b ]---
    [    4.087374] Kernel panic - not syncing: Fatal exception
    [    4.092753] Rebooting in 1 seconds..
    
    Because the bootloader (CFE) is not initializing the Read-ahead cache properly
    on the second thread (TP1). Since the RAC was not initialized properly, we
    should avoid flushing it at the risk of corrupting the instruction stream as
    seen in the trace above.
    
    Fixes: d59098a0e9cb ("MIPS: bmips: use generic dma noncoherent ops")
    Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
    Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a07cf4fd610ed4adab2eb86c56ddfed8a287c45b
Author: Rajnesh Kanwal <rkanwal@rivosinc.com>
Date:   Fri Feb 10 14:27:11 2023 +0000

    riscv/kvm: Fix VM hang in case of timer delta being zero.
    
    [ Upstream commit 6eff38048944cadc3cddcf117acfa5199ec32490 ]
    
    In case when VCPU is blocked due to WFI, we schedule the timer
    from `kvm_riscv_vcpu_timer_blocking()` to keep timer interrupt
    ticking.
    
    But in case when delta_ns comes to be zero, we never schedule
    the timer and VCPU keeps sleeping indefinitely until any activity
    is done with VM console.
    
    This is easily reproduce-able using kvmtool.
    ./lkvm-static run -c1 --console virtio -p "earlycon root=/dev/vda" \
             -k ./Image -d rootfs.ext4
    
    Also, just add a print in kvm_riscv_vcpu_vstimer_expired() to
    check the interrupt delivery and run `top` or similar auto-upating
    cmd from guest. Within sometime one can notice that print from
    timer expiry routine stops and the `top` cmd output will stop
    updating.
    
    This change fixes this by making sure we schedule the timer even
    with delta_ns being zero to bring the VCPU out of sleep immediately.
    
    Fixes: 8f5cb44b1bae ("RISC-V: KVM: Support sstc extension")
    Signed-off-by: Rajnesh Kanwal <rkanwal@rivosinc.com>
    Reviewed-by: Atish Patra <atishp@rivosinc.com>
    Signed-off-by: Anup Patel <anup@brainfault.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 60b2027077ea664016cf43f77d77e843eff582c9
Author: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Date:   Mon Mar 6 11:18:24 2023 -0800

    ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx()
    
    [ Upstream commit 748b2f5e82d17480404b3e2895388fc2925f7caf ]
    
    mac_len is of type unsigned, which can never be less than zero.
    
            mac_len = ieee802154_hdr_peek_addrs(skb, &header);
            if (mac_len < 0)
                    return mac_len;
    
    Change this to type int as ieee802154_hdr_peek_addrs() can return negative
    integers, this is found by static analysis with smatch.
    
    Fixes: 6c993779ea1d ("ca8210: fix mac_len negative array access")
    Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
    Acked-by: Alexander Aring <aahringo@redhat.com>
    Reviewed-by: Simon Horman <simon.horman@corigine.com>
    Link: https://lore.kernel.org/r/20230306191824.4115839-1-harshit.m.mogalapalli@oracle.com
    Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8b46440d1a6350fba0cda1be163e36235226e1d0
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Wed Feb 15 12:08:45 2023 +0100

    mtd: nand: mxic-ecc: Fix mxic_ecc_data_xfer_wait_for_completion() when irq is used
    
    [ Upstream commit 75dce6a941e3f16c3b4878c8b2f46d5d07c619ce ]
    
    wait_for_completion_timeout() and readl_poll_timeout() don't handle their
    return value the same way.
    
    wait_for_completion_timeout() returns 0 on time out (and >0 in all other
    cases)
    readl_poll_timeout() returns 0 on success and -ETIMEDOUT upon a timeout.
    
    In order for the error handling path to work in both cases, the logic
    against wait_for_completion_timeout() needs to be inverted.
    
    Fixes: 48e6633a9fa2 ("mtd: nand: mxic-ecc: Add Macronix external ECC engine support")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Link: https://lore.kernel.org/linux-mtd/beddbc374557e44ceec897e68c4a5d12764ddbb9.1676459308.git.christophe.jaillet@wanadoo.fr
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c84d28b3223655f6b83c85789d1cd024b9bedf40
Author: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
Date:   Mon Feb 27 13:24:25 2023 +0300

    mtd: rawnand: meson: initialize struct with zeroes
    
    [ Upstream commit 4ce341de6c02d02aba7c78a6447ccfcaa9eeb328 ]
    
    This structure must be zeroed, because it's field 'hw->core' is used as
    'parent' in 'clk_core_fill_parent_index()', but it will be uninitialized.
    This happens, because when this struct is not zeroed, pointer 'hw' is
    "initialized" by garbage, which is valid pointer, but points to some
    garbage. So 'hw' will be dereferenced, but 'core' contains some random
    data which will be interpreted as a pointer. The following backtrace is
    result of dereference of such pointer:
    
    [    1.081319]  __clk_register+0x414/0x820
    [    1.085113]  devm_clk_register+0x64/0xd0
    [    1.088995]  meson_nfc_probe+0x258/0x6ec
    [    1.092875]  platform_probe+0x70/0xf0
    [    1.096498]  really_probe+0xc8/0x3e0
    [    1.100034]  __driver_probe_device+0x84/0x190
    [    1.104346]  driver_probe_device+0x44/0x120
    [    1.108487]  __driver_attach+0xb4/0x220
    [    1.112282]  bus_for_each_dev+0x78/0xd0
    [    1.116077]  driver_attach+0x2c/0x40
    [    1.119613]  bus_add_driver+0x184/0x240
    [    1.123408]  driver_register+0x80/0x140
    [    1.127203]  __platform_driver_register+0x30/0x40
    [    1.131860]  meson_nfc_driver_init+0x24/0x30
    
    Fixes: 1e4d3ba66888 ("mtd: rawnand: meson: fix the clock")
    Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
    Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
    Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Link: https://lore.kernel.org/linux-mtd/20230227102425.793841-1-AVKrasnov@sberdevices.ru
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f5527b3b4d3dde57b15209694207f5e6d5b542e7
Author: Josef Bacik <josef@toxicpanda.com>
Date:   Wed Mar 1 16:14:43 2023 -0500

    btrfs: use temporary variable for space_info in btrfs_update_block_group
    
    [ Upstream commit df384da5a49cace5c5e3100803dfd563fd982f93 ]
    
    We do
    
      cache->space_info->counter += num_bytes;
    
    everywhere in here.  This is makes the lines longer than they need to
    be, and will be especially noticeable when we add the active tracking in,
    so add a temp variable for the space_info so this is cleaner.
    
    Reviewed-by: Naohiro Aota <naohiro.aota@wdc.com>
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Reviewed-by: Anand Jain <anand.jain@oracle.com>
    Signed-off-by: Josef Bacik <josef@toxicpanda.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit bd265f2061aa9d902f605942a3cb3920729c933f
Author: Josef Bacik <josef@toxicpanda.com>
Date:   Fri Dec 16 15:15:54 2022 -0500

    btrfs: fix uninitialized variable warning in btrfs_update_block_group
    
    [ Upstream commit efbf35a102b20246cfe4409c6ae92e72ecb67ab8 ]
    
    reclaim isn't set in the alloc case, however we only care about
    reclaim in the !alloc case.  This isn't an actual problem, however
    -Wmaybe-uninitialized will complain, so initialize reclaim to quiet the
    compiler.
    
    Reviewed-by: Qu Wenruo <wqu@suse.com>
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Signed-off-by: Josef Bacik <josef@toxicpanda.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Stable-dep-of: df384da5a49c ("btrfs: use temporary variable for space_info in btrfs_update_block_group")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 089d656992c0f5cfdd1ea3f86860d0b67d211a20
Author: Anton Gusev <aagusev@ispras.ru>
Date:   Tue Jan 31 10:58:18 2023 +0300

    tracing: Fix wrong return in kprobe_event_gen_test.c
    
    [ Upstream commit bc4f359b3b607daac0290d0038561237a86b38cb ]
    
    Overwriting the error code with the deletion result may cause the
    function to return 0 despite encountering an error. Commit b111545d26c0
    ("tracing: Remove the useless value assignment in
    test_create_synth_event()") solves a similar issue by
    returning the original error code, so this patch does the same.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Link: https://lore.kernel.org/linux-trace-kernel/20230131075818.5322-1-aagusev@ispras.ru
    
    Signed-off-by: Anton Gusev <aagusev@ispras.ru>
    Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
    Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 88cdf1d8a522bad9b87b04e21b65d1d148232034
Author: Antti Laakso <antti.laakso@intel.com>
Date:   Wed Jan 25 15:17:50 2023 +0200

    tools/power turbostat: fix decoding of HWP_STATUS
    
    [ Upstream commit 92c25393586ac799b9b7d9e50434f3c44a7622c4 ]
    
    The "excursion to minimum" information is in bit2
    in HWP_STATUS MSR. Fix the bitmask used for
    decoding the register.
    
    Signed-off-by: Antti Laakso <antti.laakso@intel.com>
    Reviewed-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: Len Brown <len.brown@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6ecdea91ef95989bc55bc70e1ee2e2b98e46e93f
Author: Prarit Bhargava <prarit@redhat.com>
Date:   Thu Dec 15 10:18:16 2022 -0500

    tools/power turbostat: Fix /dev/cpu_dma_latency warnings
    
    [ Upstream commit 40aafc7d58d3544f152a863a0e9863014b6d5d8c ]
    
    When running as non-root the following error is seen in turbostat:
    
    turbostat: fopen /dev/cpu_dma_latency
    : Permission denied
    
    turbostat and the man page have information on how to avoid other
    permission errors, so these can be fixed the same way.
    
    Provide better /dev/cpu_dma_latency warnings that provide instructions on
    how to avoid the error, and update the man page.
    
    Signed-off-by: Prarit Bhargava <prarit@redhat.com>
    Cc: linux-pm@vger.kernel.org
    Signed-off-by: Len Brown <len.brown@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2a3562ea9d726675e3e38094a508f8dd56726bdc
Author: Wei Chen <harperchen1110@gmail.com>
Date:   Wed Mar 15 09:22:54 2023 +0000

    fbdev: au1200fb: Fix potential divide by zero
    
    [ Upstream commit 44a3b36b42acfc433aaaf526191dd12fbb919fdb ]
    
    var->pixclock can be assigned to zero by user. Without
    proper check, divide by zero would occur when invoking
    macro PICOS2KHZ in au1200fb_fb_check_var.
    
    Error out if var->pixclock is zero.
    
    Signed-off-by: Wei Chen <harperchen1110@gmail.com>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9f2a69d5e6770a064a7ae9bdab7e9907a8d292ff
Author: Wei Chen <harperchen1110@gmail.com>
Date:   Wed Mar 15 09:05:18 2023 +0000

    fbdev: lxfb: Fix potential divide by zero
    
    [ Upstream commit 61ac4b86a4c047c20d5cb423ddd87496f14d9868 ]
    
    var->pixclock can be assigned to zero by user. Without proper
    check, divide by zero would occur in lx_set_clock.
    
    Error out if var->pixclock is zero.
    
    Signed-off-by: Wei Chen <harperchen1110@gmail.com>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8ab9eada22d93fa501072161ceedbd6d61bc8df7
Author: Wei Chen <harperchen1110@gmail.com>
Date:   Wed Mar 15 08:33:47 2023 +0000

    fbdev: intelfb: Fix potential divide by zero
    
    [ Upstream commit d823685486a3446d061fed7c7d2f80af984f119a ]
    
    Variable var->pixclock is controlled by user and can be assigned
    to zero. Without proper check, divide by zero would occur in
    intelfbhw_validate_mode and intelfbhw_mode_to_hw.
    
    Error out if var->pixclock is zero.
    
    Signed-off-by: Wei Chen <harperchen1110@gmail.com>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c8d88107971e13e65575885e42ce1908b0d6799e
Author: Wei Chen <harperchen1110@gmail.com>
Date:   Wed Mar 15 07:18:31 2023 +0000

    fbdev: nvidia: Fix potential divide by zero
    
    [ Upstream commit 92e2a00f2987483e1f9253625828622edd442e61 ]
    
    variable var->pixclock can be set by user. In case it
    equals to zero, divide by zero would occur in nvidiafb_set_par.
    
    Similar crashes have happened in other fbdev drivers. There
    is no check and modification on var->pixclock along the call
    chain to nvidia_check_var and nvidiafb_set_par. We believe it
    could also be triggered in driver nvidia from user site.
    
    Signed-off-by: Wei Chen <harperchen1110@gmail.com>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 35a32a50dc8f36dd3a0f4c7510997ecc029be586
Author: Adham Faris <afaris@nvidia.com>
Date:   Mon Jan 23 10:09:01 2023 +0200

    net/mlx5e: Lower maximum allowed MTU in XSK to match XDP prerequisites
    
    [ Upstream commit 78dee7befd56987283c13877b834c0aa97ad51b9 ]
    
    XSK redirecting XDP programs require linearity, hence applies
    restrictions on the MTU. For PAGE_SIZE=4K, MTU shouldn't exceed 3498.
    
    Features that contradict with XDP such HW-LRO and HW-GRO are enforced
    by the driver in advance, during XSK params validation, except for MTU,
    which was not enforced before this patch.
    
    This has been spotted during test scenario described below:
    Attaching xdpsock program (PAGE_SIZE=4K), with MTU < 3498, detaching
    XDP program, changing the MTU to arbitrary value in the range
    [3499, 3754], attaching XDP program again, which ended up with failure
    since MTU is > 3498.
    
    This commit lowers the XSK MTU limitation to be aligned with XDP MTU
    limitation, since XSK socket is meaningless without XDP program.
    
    Signed-off-by: Adham Faris <afaris@nvidia.com>
    Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
    Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b969838c9554a0e9aab3c3cadfcd23d246bc2abe
Author: David Belanger <david.belanger@amd.com>
Date:   Tue Feb 28 14:11:24 2023 -0500

    drm/amdkfd: Fixed kfd_process cleanup on module exit.
    
    [ Upstream commit 20bc9f76b6a2455c6b54b91ae7634f147f64987f ]
    
    Handle case when module is unloaded (kfd_exit) before a process space
    (mm_struct) is released.
    
    v2: Fixed potential race conditions by removing all kfd_process from
    the process table first, then working on releasing the resources.
    
    v3: Fixed loop element access / synchronization.  Fixed extra empty lines.
    
    Signed-off-by: David Belanger <david.belanger@amd.com>
    Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e437554b145296fef09a52d7111b137566e434ba
Author: Philipp Geulen <p.geulen@js-elektronik.de>
Date:   Mon Mar 13 11:11:50 2023 +0100

    nvme-pci: add NVME_QUIRK_BOGUS_NID for Lexar NM620
    
    [ Upstream commit b65d44fa0fe072c91bf41cd8756baa2b4c77eff2 ]
    
    Added a quirk to fix Lexar NM620 1TB SSD reporting duplicate NGUIDs.
    
    Signed-off-by: Philipp Geulen <p.geulen@js-elektronik.de>
    Reviewed-by: Chaitanya Kulkarni <kkch@nvidia.com>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c8943cf3ab9b83c4cdc448279dfdbd03b7beeb93
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Tue Mar 14 19:32:38 2023 -0700

    sched_getaffinity: don't assume 'cpumask_size()' is fully initialized
    
    [ Upstream commit 6015b1aca1a233379625385feb01dd014aca60b5 ]
    
    The getaffinity() system call uses 'cpumask_size()' to decide how big
    the CPU mask is - so far so good.  It is indeed the allocation size of a
    cpumask.
    
    But the code also assumes that the whole allocation is initialized
    without actually doing so itself.  That's wrong, because we might have
    fixed-size allocations (making copying and clearing more efficient), but
    not all of it is then necessarily used if 'nr_cpu_ids' is smaller.
    
    Having checked other users of 'cpumask_size()', they all seem to be ok,
    either using it purely for the allocation size, or explicitly zeroing
    the cpumask before using the size in bytes to copy it.
    
    See for example the ublk_ctrl_get_queue_affinity() function that uses
    the proper 'zalloc_cpumask_var()' to make sure that the whole mask is
    cleared, whether the storage is on the stack or if it was an external
    allocation.
    
    Fix this by just zeroing the allocation before using it.  Do the same
    for the compat version of sched_getaffinity(), which had the same logic.
    
    Also, for consistency, make sched_getaffinity() use 'cpumask_bits()' to
    access the bits.  For a cpumask_var_t, it ends up being a pointer to the
    same data either way, but it's just a good idea to treat it like you
    would a 'cpumask_t'.  The compat case already did that.
    
    Reported-by: Ryan Roberts <ryan.roberts@arm.com>
    Link: https://lore.kernel.org/lkml/7d026744-6bd6-6827-0471-b5e8eae0be3f@arm.com/
    Cc: Yury Norov <yury.norov@gmail.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2961b331b0745bdd856a0ef18e26913ee641ff86
Author: Chen Yu <yu.c.chen@intel.com>
Date:   Wed Mar 8 21:23:09 2023 +0800

    ACPI: tools: pfrut: Check if the input of level and type is in the right numeric range
    
    [ Upstream commit 0bc23d8b2237a104d7f8379d687aa4cb82e2968b ]
    
    The user provides arbitrary non-numeic value to level and type,
    which could bring unexpected behavior. In this case the expected
    behavior would be to throw an error.
    
     pfrut -h
    usage: pfrut [OPTIONS]
    code injection:
    -l, --load
    -s, --stage
    -a, --activate
    -u, --update [stage and activate]
    -q, --query
    -d, --revid
    update telemetry:
    -G, --getloginfo
    -T, --type(0:execution, 1:history)
    -L, --level(0, 1, 2, 4)
    -R, --read
    -D, --revid log
    
     pfrut -T A
     pfrut -G
    log_level:0
    log_type:0
    log_revid:2
    max_data_size:65536
    chunk1_size:0
    chunk2_size:1530
    rollover_cnt:0
    reset_cnt:17
    
    Fix this by restricting the input to be in the expected range.
    
    Reported-by: Hariganesh Govindarajulu <hariganesh.govindarajulu@intel.com>
    Suggested-by: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
    Signed-off-by: Chen Yu <yu.c.chen@intel.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b8b7d5eac5ee984e42424de776ec1e04d1cc2f89
Author: Wei Chen <harperchen1110@gmail.com>
Date:   Tue Mar 7 13:08:56 2023 +0000

    fbdev: tgafb: Fix potential divide by zero
    
    [ Upstream commit f90bd245de82c095187d8c2cabb8b488a39eaecc ]
    
    fb_set_var would by called when user invokes ioctl with cmd
    FBIOPUT_VSCREENINFO. User-provided data would finally reach
    tgafb_check_var. In case var->pixclock is assigned to zero,
    divide by zero would occur when checking whether reciprocal
    of var->pixclock is too high.
    
    Similar crashes have happened in other fbdev drivers. There
    is no check and modification on var->pixclock along the call
    chain to tgafb_check_var. We believe it could also be triggered
    in driver tgafb from user site.
    
    Signed-off-by: Wei Chen <harperchen1110@gmail.com>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 32854bc91ae7debcdefdc7ae881ed83385a04792
Author: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Date:   Mon Mar 13 00:50:28 2023 +0000

    ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
    
    [ Upstream commit 98e5eb110095ec77cb6d775051d181edbf9cd3cf ]
    
    tuning_ctl_set() might have buffer overrun at (X) if it didn't break
    from loop by matching (A).
    
            static int tuning_ctl_set(...)
            {
                    for (i = 0; i < TUNING_CTLS_COUNT; i++)
    (A)                     if (nid == ca0132_tuning_ctls[i].nid)
                                    break;
    
                    snd_hda_power_up(...);
    (X)             dspio_set_param(..., ca0132_tuning_ctls[i].mid, ...);
                    snd_hda_power_down(...);                ^
    
                    return 1;
            }
    
    We will get below error by cppcheck
    
            sound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12
             for (i = 0; i < TUNING_CTLS_COUNT; i++)
             ^
            sound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds
             dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
                                                       ^
    This patch cares non match case.
    
    Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
    Link: https://lore.kernel.org/r/87sfe9eap7.wl-kuninori.morimoto.gx@renesas.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 69280e8e669c79700346c1aa02bbb5f895b55208
Author: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Date:   Mon Mar 13 00:49:24 2023 +0000

    ALSA: asihpi: check pao in control_message()
    
    [ Upstream commit 9026c0bf233db53b86f74f4c620715e94eb32a09 ]
    
    control_message() might be called with pao = NULL.
    Here indicates control_message() as sample.
    
    (B)     static void control_message(struct hpi_adapter_obj *pao, ...)
            {                                                   ^^^
                    struct hpi_hw_obj *phw = pao->priv;
                    ...                      ^^^
            }
    
    (A)     void _HPI_6205(struct hpi_adapter_obj *pao, ...)
            {                                      ^^^
                    ...
                    case HPI_OBJ_CONTROL:
    (B)                     control_message(pao, phm, phr);
                            break;          ^^^
                    ...
            }
    
            void HPI_6205(...)
            {
                    ...
    (A)             _HPI_6205(NULL, phm, phr);
                    ...       ^^^^
            }
    
    Therefore, We will get too many warning via cppcheck, like below
    
            sound/pci/asihpi/hpi6205.c:238:27: warning: Possible null pointer dereference: pao [nullPointer]
                     struct hpi_hw_obj *phw = pao->priv;
                                              ^
            sound/pci/asihpi/hpi6205.c:433:13: note: Calling function '_HPI_6205', 1st argument 'NULL' value is 0
                      _HPI_6205(NULL, phm, phr);
                                ^
            sound/pci/asihpi/hpi6205.c:401:20: note: Calling function 'control_message', 1st argument 'pao' value is 0
               control_message(pao, phm, phr);
                               ^
    Set phr->error like many functions doing, and don't call _HPI_6205()
    with NULL.
    
    Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
    Link: https://lore.kernel.org/r/87ttypeaqz.wl-kuninori.morimoto.gx@renesas.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8b4dc07eb938d682717acfad1b9d2448c5a11a83
Author: Kristian Overskeid <koverskeid@gmail.com>
Date:   Tue Mar 7 14:32:29 2023 +0100

    net: hsr: Don't log netdev_err message on unknown prp dst node
    
    [ Upstream commit 28e8cabe80f3e6e3c98121576eda898eeb20f1b1 ]
    
    If no frames has been exchanged with a node for HSR_NODE_FORGET_TIME, the
    node will be deleted from the node_db list. If a frame is sent to the node
    after it is deleted, a netdev_err message for each slave interface is
    produced. This should not happen with dan nodes because of supervision
    frames, but can happen often with san nodes, which clutters the kernel
    log. Since the hsr protocol does not support sans, this is only relevant
    for the prp protocol.
    
    Signed-off-by: Kristian Overskeid <koverskeid@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5045360f3bb62ccd4f87202e33489f71f8bbc3fc
Author: Chia-I Wu <olvaffe@gmail.com>
Date:   Wed Mar 8 13:37:24 2023 -0800

    drm/amdkfd: fix potential kgd_mem UAFs
    
    [ Upstream commit 9da050b0d9e04439d225a2ec3044af70cdfb3933 ]
    
    kgd_mem pointers returned by kfd_process_device_translate_handle are
    only guaranteed to be valid while p->mutex is held. As soon as the mutex
    is unlocked, another thread can free the BO.
    
    Signed-off-by: Chia-I Wu <olvaffe@gmail.com>
    Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
    Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b861f0e62ae148eb5f0a48c4d6fcd5dc03b4e252
Author: Chia-I Wu <olvaffe@gmail.com>
Date:   Tue Mar 7 16:19:02 2023 -0800

    drm/amdkfd: fix a potential double free in pqm_create_queue
    
    [ Upstream commit b2ca5c5d416b4e72d1e9d0293fc720e2d525fd42 ]
    
    Set *q to NULL on errors, otherwise pqm_create_queue would free it
    again.
    
    Signed-off-by: Chia-I Wu <olvaffe@gmail.com>
    Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
    Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b61b21bcbb8a379269de7d2e3e9ceb42e5368ec4
Author: Xiaogang Chen <Xiaogang.Chen@amd.com>
Date:   Wed Mar 1 10:21:06 2023 -0600

    drm/amdkfd: Fix BO offset for multi-VMA page migration
    
    [ Upstream commit b4ee9606378bb9520c94d8b96f0305c3696f5c29 ]
    
    svm_migrate_ram_to_vram migrates a prange from sys ram to vram. The prange may
    cross multiple vma. Need remember current dst vram offset in the TTM resource for
    each migration.
    
    v2: squash in warning fix (Alex)
    
    Signed-off-by: Xiaogang Chen <Xiaogang.Chen@amd.com>
    Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3e48f7b53de41f5be2fe7d92b50f33d0f7ec7f91
Author: Jan Beulich <jbeulich@suse.com>
Date:   Mon Mar 13 15:45:48 2023 +0100

    x86/PVH: obtain VGA console info in Dom0
    
    [ Upstream commit 934ef33ee75c3846f605f18b65048acd147e3918 ]
    
    A new platform-op was added to Xen to allow obtaining the same VGA
    console information PV Dom0 is handed. Invoke the new function and have
    the output data processed by xen_init_vga().
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Reviewed-by: Juergen Gross <jgross@suse.com>
    
    Link: https://lore.kernel.org/r/8f315e92-7bda-c124-71cc-478ab9c5e610@suse.com
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit df0833da4bfac69739b849b3dff4838e590542e5
Author: NeilBrown <neilb@suse.de>
Date:   Mon Mar 6 09:36:25 2023 +1100

    md: avoid signed overflow in slot_store()
    
    [ Upstream commit 3bc57292278a0b6ac4656cad94c14f2453344b57 ]
    
    slot_store() uses kstrtouint() to get a slot number, but stores the
    result in an "int" variable (by casting a pointer).
    This can result in a negative slot number if the unsigned int value is
    very large.
    
    A negative number means that the slot is empty, but setting a negative
    slot number this way will not remove the device from the array.  I don't
    think this is a serious problem, but it could cause confusion and it is
    best to fix it.
    
    Reported-by: Dan Carpenter <error27@gmail.com>
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Song Liu <song@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 50f6507aadf81b1bef255ab7e794b8e4758ebb70
Author: Rander Wang <rander.wang@intel.com>
Date:   Tue Mar 7 13:06:56 2023 +0200

    ASoC: SOF: IPC4: update gain ipc msg definition to align with fw
    
    [ Upstream commit e45cd86c3a78bfb9875a5eb8ab5dab459b59bbe2 ]
    
    Recent firmware changes modified the curve duration from 32 to 64 bits,
    which breaks volume ramps. A simple solution would be to change the
    definition, but unfortunately the ASoC topology framework only supports
    up to 32 bit tokens.
    
    This patch suggests breaking the 64 bit value in low and high parts, with
    only the low-part extracted from topology and high-part only zeroes. Since
    the curve duration is represented in hundred of nanoseconds, we can still
    represent a 400s ramp, which is just fine. The defacto ABI change has no
    effect on existing users since the IPC4 firmware has not been released just
    yet.
    
    Link: https://github.com/thesofproject/linux/issues/4026
    
    Signed-off-by: Rander Wang <rander.wang@intel.com>
    Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
    Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
    Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
    Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
    Link: https://lore.kernel.org/r/20230307110656.1816-1-peter.ujfalusi@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6d0ab3efb282191025d2583b4a5734cb54abc94f
Author: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Date:   Tue Mar 7 11:53:41 2023 +0200

    ASoC: SOF: Intel: pci-tng: revert invalid bar size setting
    
    [ Upstream commit ca09e2a351fbc7836ba9418304ff0c3e72addfe0 ]
    
    The logic for the ioremap is to find the resource index 3 (IRAM) and
    infer the BAR address by subtracting the IRAM offset. The BAR size
    defined in hardware specifications is 2MB.
    
    The commit 5947b2726beb6 ("ASoC: SOF: Intel: Check the bar size before
    remapping") tried to find the BAR size by querying the resource length
    instead of a pre-canned value, but by requesting the size for index 3
    it only gets the size of the IRAM. That's obviously wrong and prevents
    the probe from proceeding.
    
    This commit attempted to fix an issue in a fuzzing/simulated
    environment but created another on actual devices, so the best course
    of action is to revert that change.
    
    Reported-by: Ferry Toth <fntoth@gmail.com>
    Tested-by: Ferry Toth <fntoth@gmail.com> (Intel Edison-Arduino)
    Link: https://github.com/thesofproject/linux/issues/3901
    Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
    Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
    Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
    Link: https://lore.kernel.org/r/20230307095341.3222-1-peter.ujfalusi@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6290404aa14287f343bbffe287709e05e0cf09a0
Author: Seppo Ingalsuo <seppo.ingalsuo@linux.intel.com>
Date:   Tue Mar 7 13:07:51 2023 +0200

    ASoC: SOF: ipc4-topology: Fix incorrect sample rate print unit
    
    [ Upstream commit 9e269e3aa9006440de639597079ee7140ef5b5f3 ]
    
    This patch fixes the sample rate print unit from KHz to Hz.
    E.g. 48000KHz becomes 48000Hz.
    
    Signed-off-by: Seppo Ingalsuo <seppo.ingalsuo@linux.intel.com>
    Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
    Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
    Link: https://lore.kernel.org/r/20230307110751.2053-1-peter.ujfalusi@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a56be07a8c0c5229274c0d1d9efd9fbde2d1c84e
Author: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Date:   Tue Mar 7 13:49:17 2023 +0200

    ASoC: SOF: ipc3: Check for upper size limit for the received message
    
    [ Upstream commit 989a3e4479177d0f4afab8be1960731bc0ffbbd0 ]
    
    The sof_ipc3_rx_msg() checks for minimum size of a new rx message but it is
    missing the check for upper limit.
    Corrupted or compromised firmware might be able to take advantage of this
    to cause out of bounds reads outside of the message area.
    
    Reported-by: Curtis Malainey <cujomalainey@chromium.org>
    Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
    Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    Reviewed-by: Curtis Malainey <curtis@malainey.com>
    Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
    Link: https://lore.kernel.org/r/20230307114917.5124-1-peter.ujfalusi@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ab7a700fec4053412ca7dd4ae70c31d781219544
Author: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
Date:   Thu Mar 2 17:33:00 2023 +0800

    ACPI: video: Add backlight=native DMI quirk for Dell Vostro 15 3535
    
    [ Upstream commit 89b0411481967a2e8c91190a211a359966cfcf4b ]
    
    Sometimes the system boots up with a acpi_video0 backlight interface
    which doesn't work. So add Dell Vostro 15 3535 into the
    video_detect_dmi_table to set it to native explicitly.
    
    Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
    Signed-off-by: Rafael J. Wysocki <rjw@rjwysocki.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 78b342f0cda74f20cea51f0f1e1e9565e3054ffc
Author: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Date:   Sun Jan 29 14:14:36 2023 +0100

    zstd: Fix definition of assert()
    
    [ Upstream commit 6906598f1ce93761716d780b6e3f171e13f0f4ce ]
    
    assert(x) should emit a warning if x is false. WARN_ON(x) emits a
    warning if x is true. Thus, assert(x) should be defined as WARN_ON(!x)
    rather than WARN_ON(x).
    
    Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
    Signed-off-by: Nick Terrell <terrelln@fb.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6beb32105eeafc399e684822d07674811e8da40c
Author: Cezary Rojewski <cezary.rojewski@intel.com>
Date:   Fri Mar 3 14:48:54 2023 +0100

    ASoC: Intel: avs: nau8825: Adjust clock control
    
    [ Upstream commit 6206b2e787da2ed567922c37bb588a44f6fb6705 ]
    
    Internal clock shall be adjusted also in cases when DAPM event other
    than 'ON' is triggered.
    
    Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
    Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
    Link: https://lore.kernel.org/r/20230303134854.2277146-6-amadeuszx.slawinski@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 30878a7eec00d78be07cd94ea8dac98d1fb8203f
Author: Cezary Rojewski <cezary.rojewski@intel.com>
Date:   Fri Mar 3 14:48:53 2023 +0100

    ASoC: Intel: avs: ssm4567: Remove nau8825 bits
    
    [ Upstream commit 933de2d127281731166cf2880fa1e23c5a0f7faa ]
    
    Some of the nau8825 clock control got into the ssm4567, remove it.
    
    Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
    Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
    Link: https://lore.kernel.org/r/20230303134854.2277146-5-amadeuszx.slawinski@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ea7950db76506cf3d0a20898b2de82c29340bccb
Author: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Date:   Fri Mar 3 14:48:51 2023 +0100

    ASoC: Intel: avs: da7219: Explicitly define codec format
    
    [ Upstream commit 61f368624fe4d0c25c6e9c917574b8ace51d776e ]
    
    da7219 is headset codec configured in 48000/2/S24_LE format regardless
    of front end format, so force it to be so.
    
    Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
    Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
    Link: https://lore.kernel.org/r/20230303134854.2277146-3-amadeuszx.slawinski@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d0652061c3b85e498d9b666e63c49070b4c1caf5
Author: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Date:   Fri Mar 3 14:48:50 2023 +0100

    ASoC: Intel: avs: max98357a: Explicitly define codec format
    
    [ Upstream commit d16c893425d07ada1fdd817ec06d322efcf69480 ]
    
    max98357a is speaker codec configured in 48000/2/S16_LE format
    regardless of front end format, so force it to be so.
    
    Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
    Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
    Link: https://lore.kernel.org/r/20230303134854.2277146-2-amadeuszx.slawinski@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 57f9a9a232bde7abfe49c3072b29a255da9ba891
Author: Ravulapati Vishnu Vardhan Rao <quic_visr@quicinc.com>
Date:   Sat Mar 4 13:37:02 2023 +0530

    ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds
    
    [ Upstream commit e5e7e398f6bb7918dab0612eb6991f7bae95520d ]
    
    When we run syzkaller we get below Out of Bound.
        "KASAN: slab-out-of-bounds Read in regcache_flat_read"
    
        Below is the backtrace of the issue:
    
        dump_backtrace+0x0/0x4c8
        show_stack+0x34/0x44
        dump_stack_lvl+0xd8/0x118
        print_address_description+0x30/0x2d8
        kasan_report+0x158/0x198
        __asan_report_load4_noabort+0x44/0x50
        regcache_flat_read+0x10c/0x110
        regcache_read+0xf4/0x180
        _regmap_read+0xc4/0x278
        _regmap_update_bits+0x130/0x290
        regmap_update_bits_base+0xc0/0x15c
        snd_soc_component_update_bits+0xa8/0x22c
        snd_soc_component_write_field+0x68/0xd4
        tx_macro_digital_mute+0xec/0x140
    
        Actually There is no need to have decimator with 32 bits.
        By limiting the variable with short type u8 issue is resolved.
    
    Signed-off-by: Ravulapati Vishnu Vardhan Rao <quic_visr@quicinc.com>
    Link: https://lore.kernel.org/r/20230304080702.609-1-quic_visr@quicinc.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5218af4ad5d8948faac19f71583bcd786c3852df
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Thu Feb 9 09:09:52 2023 +0800

    xfrm: Zero padding when dumping algos and encap
    
    [ Upstream commit 8222d5910dae08213b6d9d4bc9a7f8502855e624 ]
    
    When copying data to user-space we should ensure that only valid
    data is copied over.  Padding in structures may be filled with
    random (possibly sensitve) data and should never be given directly
    to user-space.
    
    This patch fixes the copying of xfrm algorithms and the encap
    template in xfrm_user so that padding is zeroed.
    
    Reported-by: syzbot+fa5414772d5c445dac3c@syzkaller.appspotmail.com
    Reported-by: Hyunwoo Kim <v4bel@theori.io>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2b4830eefc41b06d4943ae860abf24ec3901d89f
Author: Paulo Alcantara <pc@manguebit.com>
Date:   Fri Mar 24 16:05:19 2023 -0300

    cifs: fix missing unload_nls() in smb2_reconnect()
    
    [ Upstream commit c24bb1a87dc3f2d77d410eaac2c6a295961bf50e ]
    
    Make sure to unload_nls() @nls_codepage if we no longer need it.
    
    Fixes: bc962159e8e3 ("cifs: avoid race conditions with parallel reconnects")
    Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
    Cc: Shyam Prasad N <sprasad@microsoft.com>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e0169d62efce979eb7dbda3101eea180b69ca793
Author: Ard Biesheuvel <ardb@kernel.org>
Date:   Fri Mar 10 13:30:05 2023 +0100

    arm64: efi: Set NX compat flag in PE/COFF header
    
    [ Upstream commit 3c66bb1918c262dd52fb4221a8d372619c5da70a ]
    
    The PE/COFF header has a NX compat flag which informs the firmware that
    the application does not rely on memory regions being mapped with both
    executable and writable permissions at the same time.
    
    This is typically used by the firmware to decide whether it can set the
    NX attribute on all allocations it returns, but going forward, it may be
    used to enforce a policy that only permits applications with the NX flag
    set to be loaded to begin wiht in some configurations, e.g., when Secure
    Boot is in effect.
    
    Even though the arm64 version of the EFI stub may relocate the kernel
    before executing it, it always did so after disabling the MMU, and so we
    were always in line with what the NX compat flag conveys, we just never
    bothered to set it.
    
    So let's set the flag now.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ec6cd79c4e54a2a5867e0497d269ad4f008216ba
Author: Vladimir Oltean <vladimir.oltean@nxp.com>
Date:   Tue Mar 21 03:03:23 2023 +0200

    net: mscc: ocelot: fix stats region batching
    
    [ Upstream commit 6acc72a43eac78a309160d0a7512bbc59bcdd757 ]
    
    The blamed commit changed struct ocelot_stat_layout :: "u32 offset" to
    "u32 reg".
    
    However, "u32 reg" is not quite a register address, but an enum
    ocelot_reg, which in itself encodes an enum ocelot_target target in the
    upper bits, and an index into the ocelot->map[target][] array in the
    lower bits.
    
    So, whereas the previous code comparison between stats_layout[i].offset
    and last + 1 was correct (because those "offsets" at the time were
    32-bit relative addresses), the new code, comparing layout[i].reg to
    last + 4 is not correct, because the "reg" here is an enum/index, not an
    actual register address.
    
    What we want to compare are indeed register addresses, but to do that,
    we need to actually go through the same motions as
    __ocelot_bulk_read_ix() itself.
    
    With this bug, all statistics counters are deemed by
    ocelot_prepare_stats_regions() as constituting their own region.
    (Truncated) log on VSC9959 (Felix) below (prints added by me):
    
    Before:
    
    region of 1 contiguous counters starting with SYS:STAT:CNT[0x000]
    region of 1 contiguous counters starting with SYS:STAT:CNT[0x001]
    region of 1 contiguous counters starting with SYS:STAT:CNT[0x002]
    ...
    region of 1 contiguous counters starting with SYS:STAT:CNT[0x041]
    region of 1 contiguous counters starting with SYS:STAT:CNT[0x042]
    region of 1 contiguous counters starting with SYS:STAT:CNT[0x080]
    region of 1 contiguous counters starting with SYS:STAT:CNT[0x081]
    ...
    region of 1 contiguous counters starting with SYS:STAT:CNT[0x0ac]
    region of 1 contiguous counters starting with SYS:STAT:CNT[0x100]
    region of 1 contiguous counters starting with SYS:STAT:CNT[0x101]
    ...
    region of 1 contiguous counters starting with SYS:STAT:CNT[0x111]
    
    After:
    
    region of 67 contiguous counters starting with SYS:STAT:CNT[0x000]
    region of 45 contiguous counters starting with SYS:STAT:CNT[0x080]
    region of 18 contiguous counters starting with SYS:STAT:CNT[0x100]
    
    Since commit d87b1c08f38a ("net: mscc: ocelot: use bulk reads for
    stats") intended bulking as a performance improvement, and since now,
    with trivial-sized regions, performance is even worse than without
    bulking at all, this could easily qualify as a performance regression.
    
    Fixes: d4c367650704 ("net: mscc: ocelot: keep ocelot_stat_layout by reg address, not offset")
    Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
    Acked-by: Colin Foster <colin.foster@in-advantage.com>
    Tested-by: Colin Foster <colin.foster@in-advantage.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 39cd75f2f3a43c0e2f95749eb6dd6420c553f87d
Author: Steven Rostedt (Google) <rostedt@goodmis.org>
Date:   Wed Mar 1 20:00:52 2023 -0500

    tracing: Do not let histogram values have some modifiers
    
    [ Upstream commit e0213434fe3e4a0d118923dc98d31e7ff1cd9e45 ]
    
    Histogram values can not be strings, stacktraces, graphs, symbols,
    syscalls, or grouped in buckets or log. Give an error if a value is set to
    do so.
    
    Note, the histogram code was not prepared to handle these modifiers for
    histograms and caused a bug.
    
    Mark Rutland reported:
    
     # echo 'p:copy_to_user __arch_copy_to_user n=$arg2' >> /sys/kernel/tracing/kprobe_events
     # echo 'hist:keys=n:vals=hitcount.buckets=8:sort=hitcount' > /sys/kernel/tracing/events/kprobes/copy_to_user/trigger
     # cat /sys/kernel/tracing/events/kprobes/copy_to_user/hist
    [  143.694628] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
    [  143.695190] Mem abort info:
    [  143.695362]   ESR = 0x0000000096000004
    [  143.695604]   EC = 0x25: DABT (current EL), IL = 32 bits
    [  143.695889]   SET = 0, FnV = 0
    [  143.696077]   EA = 0, S1PTW = 0
    [  143.696302]   FSC = 0x04: level 0 translation fault
    [  143.702381] Data abort info:
    [  143.702614]   ISV = 0, ISS = 0x00000004
    [  143.702832]   CM = 0, WnR = 0
    [  143.703087] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000448f9000
    [  143.703407] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
    [  143.704137] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
    [  143.704714] Modules linked in:
    [  143.705273] CPU: 0 PID: 133 Comm: cat Not tainted 6.2.0-00003-g6fc512c10a7c #3
    [  143.706138] Hardware name: linux,dummy-virt (DT)
    [  143.706723] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    [  143.707120] pc : hist_field_name.part.0+0x14/0x140
    [  143.707504] lr : hist_field_name.part.0+0x104/0x140
    [  143.707774] sp : ffff800008333a30
    [  143.707952] x29: ffff800008333a30 x28: 0000000000000001 x27: 0000000000400cc0
    [  143.708429] x26: ffffd7a653b20260 x25: 0000000000000000 x24: ffff10d303ee5800
    [  143.708776] x23: ffffd7a6539b27b0 x22: ffff10d303fb8c00 x21: 0000000000000001
    [  143.709127] x20: ffff10d303ec2000 x19: 0000000000000000 x18: 0000000000000000
    [  143.709478] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
    [  143.709824] x14: 0000000000000000 x13: 203a6f666e692072 x12: 6567676972742023
    [  143.710179] x11: 0a230a6d6172676f x10: 000000000000002c x9 : ffffd7a6521e018c
    [  143.710584] x8 : 000000000000002c x7 : 7f7f7f7f7f7f7f7f x6 : 000000000000002c
    [  143.710915] x5 : ffff10d303b0103e x4 : ffffd7a653b20261 x3 : 000000000000003d
    [  143.711239] x2 : 0000000000020001 x1 : 0000000000000001 x0 : 0000000000000000
    [  143.711746] Call trace:
    [  143.712115]  hist_field_name.part.0+0x14/0x140
    [  143.712642]  hist_field_name.part.0+0x104/0x140
    [  143.712925]  hist_field_print+0x28/0x140
    [  143.713125]  event_hist_trigger_print+0x174/0x4d0
    [  143.713348]  hist_show+0xf8/0x980
    [  143.713521]  seq_read_iter+0x1bc/0x4b0
    [  143.713711]  seq_read+0x8c/0xc4
    [  143.713876]  vfs_read+0xc8/0x2a4
    [  143.714043]  ksys_read+0x70/0xfc
    [  143.714218]  __arm64_sys_read+0x24/0x30
    [  143.714400]  invoke_syscall+0x50/0x120
    [  143.714587]  el0_svc_common.constprop.0+0x4c/0x100
    [  143.714807]  do_el0_svc+0x44/0xd0
    [  143.714970]  el0_svc+0x2c/0x84
    [  143.715134]  el0t_64_sync_handler+0xbc/0x140
    [  143.715334]  el0t_64_sync+0x190/0x194
    [  143.715742] Code: a9bd7bfd 910003fd a90153f3 aa0003f3 (f9400000)
    [  143.716510] ---[ end trace 0000000000000000 ]---
    Segmentation fault
    
    Link: https://lkml.kernel.org/r/20230302020810.559462599@goodmis.org
    
    Cc: stable@vger.kernel.org
    Cc: Masami Hiramatsu <mhiramat@kernel.org>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Fixes: c6afad49d127f ("tracing: Add hist trigger 'sym' and 'sym-offset' modifiers")
    Reported-by: Mark Rutland <mark.rutland@arm.com>
    Tested-by: Mark Rutland <mark.rutland@arm.com>
    Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8ebeea1052f6d02b5eb5fad32f4e3cb58246fe0b
Author: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Date:   Thu Oct 20 00:31:55 2022 +0900

    tracing: Add .graph suffix option to histogram value
    
    [ Upstream commit a2c54256dec7510477e2b4f4db187e638f7cac37 ]
    
    Add the .graph suffix which shows the bar graph of the histogram value.
    
    For example, the below example shows that the bar graph
    of the histogram of the runtime for each tasks.
    
    ------
      # cd /sys/kernel/debug/tracing/
      # echo hist:keys=pid:vals=runtime.graph:sort=pid > \
       events/sched/sched_stat_runtime/trigger
      # sleep 10
      # cat events/sched/sched_stat_runtime/hist
     # event histogram
     #
     # trigger info: hist:keys=pid:vals=hitcount,runtime.graph:sort=pid:size=2048 [active]
     #
    
     { pid:         14 } hitcount:          2  runtime:
     { pid:         16 } hitcount:          8  runtime:
     { pid:         26 } hitcount:          1  runtime:
     { pid:         57 } hitcount:          3  runtime:
     { pid:         61 } hitcount:         20  runtime: ###
     { pid:         66 } hitcount:          2  runtime:
     { pid:         70 } hitcount:          3  runtime:
     { pid:         72 } hitcount:          2  runtime:
     { pid:        145 } hitcount:         14  runtime: ####################
     { pid:        152 } hitcount:          5  runtime: #######
     { pid:        153 } hitcount:          2  runtime: ####
    
     Totals:
         Hits: 62
         Entries: 11
         Dropped: 0
    -------
    
    Link: https://lore.kernel.org/linux-trace-kernel/166610813953.56030.10944148382315789485.stgit@devnote2
    
    Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
    Reviewed-by: Tom Zanussi <zanussi@kernel.org>
    Tested-by: Tom Zanussi <zanussi@kernel.org>
    Stable-dep-of: e0213434fe3e ("tracing: Do not let histogram values have some modifiers")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 93454d1a306ea975294b861d32ffa1e44b20c733
Author: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Date:   Thu Oct 20 00:31:55 2022 +0900

    tracing: Add .percent suffix option to histogram values
    
    [ Upstream commit abaa5258ce5e5887a9de049f50a85dc023391a1c ]
    
    Add .percent suffix option to show the histogram values in percentage.
    This feature is useful when we need yo undersntand the overall trend
    for the histograms of large values.
    E.g. this shows the runtime percentage for each tasks.
    
    ------
      # cd /sys/kernel/debug/tracing/
      # echo hist:keys=pid:vals=hitcount,runtime.percent:sort=pid > \
        events/sched/sched_stat_runtime/trigger
      # sleep 10
      # cat events/sched/sched_stat_runtime/hist
     # event histogram
     #
     # trigger info: hist:keys=pid:vals=hitcount,runtime.percent:sort=pid:size=2048 [active]
     #
    
     { pid:          8 } hitcount:          7  runtime (%):   4.14
     { pid:         14 } hitcount:          5  runtime (%):   3.69
     { pid:         16 } hitcount:         11  runtime (%):   3.41
     { pid:         61 } hitcount:         41  runtime (%):  19.75
     { pid:         65 } hitcount:          4  runtime (%):   1.48
     { pid:         70 } hitcount:          6  runtime (%):   3.60
     { pid:         72 } hitcount:          2  runtime (%):   1.10
     { pid:        144 } hitcount:         10  runtime (%):  32.01
     { pid:        151 } hitcount:          8  runtime (%):  22.66
     { pid:        152 } hitcount:          2  runtime (%):   8.10
    
     Totals:
         Hits: 96
         Entries: 10
         Dropped: 0
    -----
    
    Link: https://lore.kernel.org/linux-trace-kernel/166610813077.56030.4238090506973562347.stgit@devnote2
    
    Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
    Reviewed-by: Tom Zanussi <zanussi@kernel.org>
    Tested-by: Tom Zanussi <zanussi@kernel.org>
    Stable-dep-of: e0213434fe3e ("tracing: Do not let histogram values have some modifiers")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 954fc9931f0aabf272b5674cf468affdd88d3a36
Author: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Date:   Thu Mar 9 14:43:02 2023 +0100

    tty: serial: fsl_lpuart: fix race on RX DMA shutdown
    
    [ Upstream commit 1be6f2b15f902c02e055ae0b419ca789200473c9 ]
    
    From time to time DMA completion can come in the middle of DMA shutdown:
    
    <process ctx>:                          <IRQ>:
    lpuart32_shutdown()
      lpuart_dma_shutdown()
        del_timer_sync()
                                            lpuart_dma_rx_complete()
                                              lpuart_copy_rx_to_tty()
                                                mod_timer()
        lpuart_dma_rx_free()
    
    When the timer fires a bit later, sport->dma_rx_desc is NULL:
    
    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
    pc : lpuart_copy_rx_to_tty+0xcc/0x5bc
    lr : lpuart_timer_func+0x1c/0x2c
    Call trace:
     lpuart_copy_rx_to_tty
     lpuart_timer_func
     call_timer_fn
     __run_timers.part.0
     run_timer_softirq
     __do_softirq
     __irq_exit_rcu
     irq_exit
     handle_domain_irq
     gic_handle_irq
     call_on_irq_stack
     do_interrupt_handler
     ...
    
    To fix this fold del_timer_sync() into lpuart_dma_rx_free() after
    dmaengine_terminate_sync() to make sure timer will not be re-started in
    lpuart_copy_rx_to_tty() <= lpuart_dma_rx_complete().
    
    Fixes: 4a8588a1cf86 ("serial: fsl_lpuart: delete timer on shutdown")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
    Link: https://lore.kernel.org/r/20230309134302.74940-2-alexander.sverdlin@siemens.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3a4d6f959caaf5bc24779fe5846a191482df524c
Author: Sherry Sun <sherry.sun@nxp.com>
Date:   Wed Nov 23 10:36:19 2022 +0800

    tty: serial: fsl_lpuart: switch to new dmaengine_terminate_* API
    
    [ Upstream commit 8682ab0eea89c300ebb120c02ead3999ca5560a8 ]
    
    Convert dmaengine_terminate_all() calls to synchronous and asynchronous
    versions where appropriate.
    
    Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
    Link: https://lore.kernel.org/r/20221123023619.30173-1-sherry.sun@nxp.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Stable-dep-of: 1be6f2b15f90 ("tty: serial: fsl_lpuart: fix race on RX DMA shutdown")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 33123ad902f312de32bc149bf0d2613ce1fbb041
Author: Kuogee Hsieh <quic_khsieh@quicinc.com>
Date:   Mon Feb 27 13:36:40 2023 -0800

    drm/msm/disp/dpu: fix sc7280_pp base offset
    
    [ Upstream commit ce68153edb5b36ddf87a19ed5a85131498690bbf ]
    
    At sc7280, pingpong block is used to management the dither effects
    to reduce distortion at panel. Currently pingpong-0 base offset is
    wrongly set at 0x59000. This mistake will not cause system to crash.
    However it will make dither not work. This patch correct sc7280 ping
    pong-0 block base offset.
    
    Changes in v2:
    -- add more details info n regrading of pingpong block at commit text
    
    Fixes: 591e34a091d1 ("drm/msm/disp/dpu1: add support for display for SC7280 target")
    Signed-off-by: Kuogee Hsieh <quic_khsieh@quicinc.com>
    Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Patchwork: https://patchwork.freedesktop.org/patch/524332/
    Link: https://lore.kernel.org/r/1677533800-3125-1-git-send-email-quic_khsieh@quicinc.com
    Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3f7c4839fc041a9a4839ec40e3edccda74280d34
Author: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Date:   Sun Feb 12 01:12:18 2023 +0200

    drm/msm/dpu: correct sm8250 and sm8350 scaler
    
    [ Upstream commit 03c0c3cb22a4ff29afba1b43f0330289ea80433f ]
    
    QSEED4 is a newer variant of QSEED3LITE, which should be used on
    sm8250 and sm8350. Fix the DPU caps structure and used feature masks.
    
    Fixes: d21fc5dfc3df ("drm/msm/dpu1: add support for qseed3lite used on sm8250")
    Fixes: 0e91bcbb0016 ("drm/msm/dpu: Add SM8350 to hw catalog")
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
    Patchwork: https://patchwork.freedesktop.org/patch/522229/
    Link: https://lore.kernel.org/r/20230211231259.1308718-10-dmitry.baryshkov@linaro.org
    Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 30fff49ea686d1367ee2de0c45b436ae67a24c55
Author: Robert Foss <rfoss@kernel.org>
Date:   Fri Oct 28 14:08:05 2022 +0200

    drm/msm/dpu: Refactor sc7280_pp location
    
    [ Upstream commit 1a5b5372e3b0a4cc65a0cbb724b1b0859f4ac63c ]
    
    The sc7280_pp declaration is not located by the other _pp
    declarations, but rather hidden around the _merge_3d
    declarations. Let's fix this to avoid confusion.
    
    Signed-off-by: Robert Foss <robert.foss@linaro.org>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Patchwork: https://patchwork.freedesktop.org/patch/509153/
    Link: https://lore.kernel.org/r/20221028120812.339100-3-robert.foss@linaro.org
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Stable-dep-of: 03c0c3cb22a4 ("drm/msm/dpu: correct sm8250 and sm8350 scaler")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 942100ec928cd292afc5d5cb341236d9a10f2778
Author: Eddie James <eajames@linux.ibm.com>
Date:   Tue Feb 21 11:03:52 2023 +1030

    ARM: dts: aspeed: p10bmc: Update battery node name
    
    [ Upstream commit a8cef541dd5ef9445130660008c029205c4c5aa5 ]
    
    The ADC sensor for the battery needs to be named "iio-hwmon" for
    compatibility with user space applications.
    
    Signed-off-by: Eddie James <eajames@linux.ibm.com>
    Link: https://lore.kernel.org/r/20230202152759.67069-1-eajames@linux.ibm.com
    Fixes: bf1914e2cfed ("ARM: dts: aspeed: p10bmc: Fix ADC iio-hwmon battery node name")
    Signed-off-by: Joel Stanley <joel@jms.id.au>
    Link: https://lore.kernel.org/r/20230221003352.1218797-1-joel@jms.id.au
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 84cfcf240f4a577733b1d98fcd2611a611612b03
Author: Andy Chiu <andy.chiu@sifive.com>
Date:   Thu Jan 12 04:05:57 2023 -0500

    riscv: ftrace: Fixup panic by disabling preemption
    
    [ Upstream commit 8547649981e6631328cd64f583667501ae385531 ]
    
    In RISCV, we must use an AUIPC + JALR pair to encode an immediate,
    forming a jump that jumps to an address over 4K. This may cause errors
    if we want to enable kernel preemption and remove dependency from
    patching code with stop_machine(). For example, if a task was switched
    out on auipc. And, if we changed the ftrace function before it was
    switched back, then it would jump to an address that has updated 11:0
    bits mixing with previous XLEN:12 part.
    
    p: patched area performed by dynamic ftrace
    ftrace_prologue:
    p|      REG_S   ra, -SZREG(sp)
    p|      auipc   ra, 0x? ------------> preempted
                                            ...
                                    change ftrace function
                                            ...
    p|      jalr    -?(ra) <------------- switched back
    p|      REG_L   ra, -SZREG(sp)
    func:
            xxx
            ret
    
    Fixes: afc76b8b8011 ("riscv: Using PATCHABLE_FUNCTION_ENTRY instead of MCOUNT")
    Signed-off-by: Andy Chiu <andy.chiu@sifive.com>
    Signed-off-by: Guo Ren <guoren@kernel.org>
    Link: https://lore.kernel.org/r/20230112090603.1295340-2-guoren@kernel.org
    Cc: stable@vger.kernel.org
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a35f863210e8025bfd51280ad63285c70ff66a1a
Author: Siddharth Vadapalli <s-vadapalli@ti.com>
Date:   Fri Jan 20 12:37:31 2023 +0530

    net: ethernet: ti: am65-cpsw/cpts: Fix CPTS release action
    
    [ Upstream commit 4ad8766cd3982744e53f107f378d2c65b76ff9a8 ]
    
    The am65_cpts_release() function is registered as a devm_action in the
    am65_cpts_create() function in am65-cpts driver. When the am65-cpsw driver
    invokes am65_cpts_create(), am65_cpts_release() is added in the set of devm
    actions associated with the am65-cpsw driver's device.
    
    In the event of probe failure or probe deferral, the platform_drv_probe()
    function invokes dev_pm_domain_detach() which powers off the CPSW and the
    CPSW's CPTS hardware, both of which share the same power domain. Since the
    am65_cpts_disable() function invoked by the am65_cpts_release() function
    attempts to reset the CPTS hardware by writing to its registers, the CPTS
    hardware is assumed to be powered on at this point. However, the hardware
    is powered off before the devm actions are executed.
    
    Fix this by getting rid of the devm action for am65_cpts_release() and
    invoking it directly on the cleanup and exit paths.
    
    Fixes: f6bd59526ca5 ("net: ethernet: ti: introduce am654 common platform time sync driver")
    Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
    Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
    Reviewed-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Reviewed-by: Roger Quadros <rogerq@kernel.org>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 64621e4607f48254c27b9a0caa62ee4ada243466
Author: Naohiro Aota <naohiro.aota@wdc.com>
Date:   Mon Mar 13 16:06:13 2023 +0900

    btrfs: zoned: count fresh BG region as zone unusable
    
    [ Upstream commit fa2068d7e922b434eba5bfb0131e6d39febfdb48 ]
    
    The naming of space_info->active_total_bytes is misleading. It counts
    not only active block groups but also full ones which are previously
    active but now inactive. That confusion results in a bug not counting
    the full BGs into active_total_bytes on mount time.
    
    For a background, there are three kinds of block groups in terms of
    activation.
    
      1. Block groups never activated
      2. Block groups currently active
      3. Block groups previously active and currently inactive (due to fully
         written or zone finish)
    
    What we really wanted to exclude from "total_bytes" is the total size of
    BGs #1. They seem empty and allocatable but since they are not activated,
    we cannot rely on them to do the space reservation.
    
    And, since BGs #1 never get activated, they should have no "used",
    "reserved" and "pinned" bytes.
    
    OTOH, BGs #3 can be counted in the "total", since they are already full
    we cannot allocate from them anyway. For them, "total_bytes == used +
    reserved + pinned + zone_unusable" should hold.
    
    Tracking #2 and #3 as "active_total_bytes" (current implementation) is
    confusing. And, tracking #1 and subtract that properly from "total_bytes"
    every time you need space reservation is cumbersome.
    
    Instead, we can count the whole region of a newly allocated block group as
    zone_unusable. Then, once that block group is activated, release
    [0 ..  zone_capacity] from the zone_unusable counters. With this, we can
    eliminate the confusing ->active_total_bytes and the code will be common
    among regular and the zoned mode. Also, no additional counter is needed
    with this approach.
    
    Fixes: 6a921de58992 ("btrfs: zoned: introduce space_info->active_total_bytes")
    CC: stable@vger.kernel.org # 6.1+
    Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ea34b8bcc7aec261d2bb163a80c3ff9d368fa7eb
Author: Josef Bacik <josef@toxicpanda.com>
Date:   Wed Mar 1 16:14:42 2023 -0500

    btrfs: rename BTRFS_FS_NO_OVERCOMMIT to BTRFS_FS_ACTIVE_ZONE_TRACKING
    
    [ Upstream commit bf1f1fec2724a33b67ec12032402ea75f2a83622 ]
    
    This flag only gets set when we're doing active zone tracking, and we're
    going to need to use this flag for things related to this behavior.
    Rename the flag to represent what it actually means for the file system
    so it can be used in other ways and still make sense.
    
    Reviewed-by: Naohiro Aota <naohiro.aota@wdc.com>
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Reviewed-by: Anand Jain <anand.jain@oracle.com>
    Signed-off-by: Josef Bacik <josef@toxicpanda.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit bae092f587592f3472f2d4ee66f1dc0ae3de3546
Author: Marco Elver <elver@google.com>
Date:   Thu Mar 16 23:47:05 2023 +0100

    kcsan: avoid passing -g for test
    
    [ Upstream commit 5eb39cde1e2487ba5ec1802dc5e58a77e700d99e ]
    
    Nathan reported that when building with GNU as and a version of clang that
    defaults to DWARF5, the assembler will complain with:
    
      Error: non-constant .uleb128 is not supported
    
    This is because `-g` defaults to the compiler debug info default. If the
    assembler does not support some of the directives used, the above errors
    occur. To fix, remove the explicit passing of `-g`.
    
    All the test wants is that stack traces print valid function names, and
    debug info is not required for that. (I currently cannot recall why I
    added the explicit `-g`.)
    
    Link: https://lkml.kernel.org/r/20230316224705.709984-2-elver@google.com
    Fixes: 1fe84fd4a402 ("kcsan: Add test suite")
    Signed-off-by: Marco Elver <elver@google.com>
    Reported-by: Nathan Chancellor <nathan@kernel.org>
    Cc: Alexander Potapenko <glider@google.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 01f3150cc7a78cdab61796bfd76e32041ba0e629
Author: Anders Roxell <anders.roxell@linaro.org>
Date:   Mon Nov 28 11:43:58 2022 +0100

    kernel: kcsan: kcsan_test: build without structleak plugin
    
    [ Upstream commit 6fcd4267a840d0536b8e5334ad5f31e4105fce85 ]
    
    Building kcsan_test with structleak plugin enabled makes the stack frame
    size to grow.
    
    kernel/kcsan/kcsan_test.c:704:1: error: the frame size of 3296 bytes is larger than 2048 bytes [-Werror=frame-larger-than=]
    
    Turn off the structleak plugin checks for kcsan_test.
    
    Link: https://lkml.kernel.org/r/20221128104358.2660634-1-anders.roxell@linaro.org
    Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
    Suggested-by: Arnd Bergmann <arnd@arndb.de>
    Acked-by: Marco Elver <elver@google.com>
    Cc: Arnd Bergmann <arnd@arndb.de>
    Cc: David Gow <davidgow@google.com>
    Cc: Jason A. Donenfeld <Jason@zx2c4.com>
    Cc: Kees Cook <keescook@chromium.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Stable-dep-of: 5eb39cde1e24 ("kcsan: avoid passing -g for test")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0b0e1551ba9a8e523d9a5ef2f400cb621d997d79
Author: Eric Biggers <ebiggers@google.com>
Date:   Tue Mar 14 16:31:32 2023 -0700

    fsverity: don't drop pagecache at end of FS_IOC_ENABLE_VERITY
    
    [ Upstream commit a075bacde257f755bea0e53400c9f1cdd1b8e8e6 ]
    
    The full pagecache drop at the end of FS_IOC_ENABLE_VERITY is causing
    performance problems and is hindering adoption of fsverity.  It was
    intended to solve a race condition where unverified pages might be left
    in the pagecache.  But actually it doesn't solve it fully.
    
    Since the incomplete solution for this race condition has too much
    performance impact for it to be worth it, let's remove it for now.
    
    Fixes: 3fda4c617e84 ("fs-verity: implement FS_IOC_ENABLE_VERITY ioctl")
    Cc: stable@vger.kernel.org
    Reviewed-by: Victor Hsieh <victorhsieh@google.com>
    Link: https://lore.kernel.org/r/20230314235332.50270-1-ebiggers@kernel.org
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fc426026c3a3bd939f1ebae31f880ecf2724cc74
Author: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Date:   Mon Mar 20 22:49:15 2023 +0900

    zonefs: Fix error message in zonefs_file_dio_append()
    
    [ Upstream commit 88b170088ad2c3e27086fe35769aa49f8a512564 ]
    
    Since the expected write location in a sequential file is always at the
    end of the file (append write), when an invalid write append location is
    detected in zonefs_file_dio_append(), print the invalid written location
    instead of the expected write location.
    
    Fixes: a608da3bd730 ("zonefs: Detect append writes at invalid locations")
    Cc: stable@vger.kernel.org
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 81cf745f110557673c8c7f0263bd8c30165bd07b
Author: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Date:   Wed Nov 16 18:15:40 2022 +0900

    zonefs: Separate zone information from inode information
    
    [ Upstream commit aa7f243f32e1d18036ee00d71d3ccfad70ae2121 ]
    
    In preparation for adding dynamic inode allocation, separate an inode
    zone information from the zonefs inode structure. The new data structure
    zonefs_zone is introduced to store in memory information about a zone
    that must be kept throughout the lifetime of the device mount.
    
    Linking between a zone file inode and its zone information is done by
    setting the inode i_private field to point to a struct zonefs_zone.
    Using the i_private pointer avoids the need for adding a pointer in
    struct zonefs_inode_info. Beside the vfs inode, this structure is
    reduced to a mutex and a write open counter.
    
    One struct zonefs_zone is created per file inode on mount. These
    structures are organized in an array using the new struct
    zonefs_zone_group data structure to represent zone groups. The
    zonefs_zone arrays are indexed per file number (the index of a struct
    zonefs_zone in its array directly gives the file number/name for that
    zone file inode).
    
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Stable-dep-of: 88b170088ad2 ("zonefs: Fix error message in zonefs_file_dio_append()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7558b249cb4e77b2cf58725895e05bbe0fd1a80e
Author: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Date:   Thu Nov 24 19:43:30 2022 +0900

    zonefs: Reduce struct zonefs_inode_info size
    
    [ Upstream commit 34422914dc00b291d1c47dbdabe93b154c2f2b25 ]
    
    Instead of using the i_ztype field in struct zonefs_inode_info to
    indicate the zone type of an inode, introduce the new inode flag
    ZONEFS_ZONE_CNV to be set in the i_flags field of struct
    zonefs_inode_info to identify conventional zones. If this flag is not
    set, the zone of an inode is considered to be a sequential zone.
    
    The helpers zonefs_zone_is_cnv(), zonefs_zone_is_seq(),
    zonefs_inode_is_cnv() and zonefs_inode_is_seq() are introduced to
    simplify testing the zone type of a struct zonefs_inode_info and of a
    struct inode.
    
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Stable-dep-of: 88b170088ad2 ("zonefs: Fix error message in zonefs_file_dio_append()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3741898b169476c17ece7962e5acf415c7041265
Author: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Date:   Fri Nov 25 11:06:20 2022 +0900

    zonefs: Simplify IO error handling
    
    [ Upstream commit 46a9c526eef7fb68a00321e2a9591ce5276ae92b ]
    
    Simplify zonefs_check_zone_condition() by moving the code that changes
    an inode access rights to the new function zonefs_inode_update_mode().
    Furthermore, since on mount an inode wpoffset is always zero when
    zonefs_check_zone_condition() is called during an inode initialization,
    the "mount" boolean argument is not necessary for the readonly zone
    case. This argument is thus removed.
    
    zonefs_io_error_cb() is also modified to use the inode offline and
    zone state flags instead of checking the device zone condition. The
    multiple calls to zonefs_check_zone_condition() are reduced to the first
    call on entry, which allows removing the "warn" argument.
    zonefs_inode_update_mode() is also used to update an inode access rights
    as zonefs_io_error_cb() modifies the inode flags depending on the volume
    error handling mode (defined with a mount option). Since an inode mode
    change differs for read-only zones between mount time and IO error time,
    the flag ZONEFS_ZONE_INIT_MODE is used to differentiate both cases.
    
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Stable-dep-of: 88b170088ad2 ("zonefs: Fix error message in zonefs_file_dio_append()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a624b4796f38b0859043249f02bcf09f43d35dd4
Author: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Date:   Fri Nov 25 09:39:33 2022 +0900

    zonefs: Reorganize code
    
    [ Upstream commit 4008e2a0b01aba982356fd15b128a47bf11bd9c7 ]
    
    Move all code related to zone file operations from super.c to the new
    file.c file. Inode and zone management code remains in super.c.
    
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Stable-dep-of: 88b170088ad2 ("zonefs: Fix error message in zonefs_file_dio_append()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9dad2690b1269a75cb8e7de87ecdcc2d2550aed2
Author: Shyam Prasad N <sprasad@microsoft.com>
Date:   Mon Mar 20 06:08:19 2023 +0000

    cifs: avoid race conditions with parallel reconnects
    
    [ Upstream commit bc962159e8e326af634a506508034a375bf2b858 ]
    
    When multiple processes/channels do reconnects in parallel
    we used to return success immediately
    negotiate/session-setup/tree-connect, causing race conditions
    between processes that enter the function in parallel.
    This caused several errors related to session not found to
    show up during parallel reconnects.
    
    Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
    Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a5698f3ebb785aeb73e38497a1f029c9a4b93966
Author: Paulo Alcantara <pc@manguebit.com>
Date:   Tue Feb 28 19:01:55 2023 -0300

    cifs: prevent data race in cifs_reconnect_tcon()
    
    [ Upstream commit 1bcd548d935a33c6fc58331405eb1b82fd6150de ]
    
    Make sure to get an up-to-date TCP_Server_Info::nr_targets value prior
    to waiting the server to be reconnected in cifs_reconnect_tcon().  It
    is set in cifs_tcp_ses_needs_reconnect() and protected by
    TCP_Server_Info::srv_lock.
    
    Create a new cifs_wait_for_server_reconnect() helper that can be used
    by both SMB2+ and CIFS reconnect code.
    
    Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Stable-dep-of: bc962159e8e3 ("cifs: avoid race conditions with parallel reconnects")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f60cdd319b2c35df32934802ce2bfb6810cac048
Author: Shyam Prasad N <sprasad@microsoft.com>
Date:   Fri Feb 10 17:41:17 2023 +0000

    cifs: update ip_addr for ses only for primary chan setup
    
    [ Upstream commit e77978de4765229e09c8fabcf4f8419ff367317f ]
    
    We update ses->ip_addr whenever we do a session setup.
    But this should happen only for primary channel in mchan
    scenario.
    
    Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
    Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Stable-dep-of: bc962159e8e3 ("cifs: avoid race conditions with parallel reconnects")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit eddee1c229c21ad1686547d50ebd0c835a20cd30
Author: Gil Fine <gil.fine@linux.intel.com>
Date:   Tue Jan 31 13:04:52 2023 +0200

    thunderbolt: Limit USB3 bandwidth of certain Intel USB4 host routers
    
    [ Upstream commit f0a57dd33b3eadf540912cd130db727ea824d174 ]
    
    Current Intel USB4 host routers have hardware limitation that the USB3
    bandwidth cannot go higher than 16376 Mb/s. Work this around by adding a
    new quirk that limits the bandwidth for the affected host routers.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Gil Fine <gil.fine@linux.intel.com>
    Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>