5.10-stable patches

added patches:
	btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch
	drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch
	vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch
	x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch

5 files changed, 215 insertions, 0 deletions

diff --git a/queue-5.10/btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch b/queue-5.10/btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch
new file mode 100644
index 0000000000..d4c2b2d565
--- /dev/null
+++ b/queue-5.10/btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch
@@ -0,0 +1,38 @@
+From 141fb8cd206ace23c02cd2791c6da52c1d77d42a Mon Sep 17 00:00:00 2001
+From: Boris Burkov <boris@bur.io>
+Date: Tue, 19 Mar 2024 10:54:22 -0700
+Subject: btrfs: qgroup: correctly model root qgroup rsv in convert
+
+From: Boris Burkov <boris@bur.io>
+
+commit 141fb8cd206ace23c02cd2791c6da52c1d77d42a upstream.
+
+We use add_root_meta_rsv and sub_root_meta_rsv to track prealloc and
+pertrans reservations for subvolumes when quotas are enabled. The
+convert function does not properly increment pertrans after decrementing
+prealloc, so the count is not accurate.
+
+Note: we check that the fs is not read-only to mirror the logic in
+qgroup_convert_meta, which checks that before adding to the pertrans rsv.
+
+Fixes: 8287475a2055 ("btrfs: qgroup: Use root::qgroup_meta_rsv_* to record qgroup meta reserved space")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Boris Burkov <boris@bur.io>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/qgroup.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -4114,6 +4114,8 @@ void btrfs_qgroup_convert_reserved_meta(
+ 				      BTRFS_QGROUP_RSV_META_PREALLOC);
+ 	trace_qgroup_meta_convert(root, num_bytes);
+ 	qgroup_convert_meta(fs_info, root->root_key.objectid, num_bytes);
++	if (!sb_rdonly(fs_info->sb))
++		add_root_meta_rsv(root, num_bytes, BTRFS_QGROUP_RSV_META_PERTRANS);
+ }
+ 
+ /*
diff --git a/queue-5.10/drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch b/queue-5.10/drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch
new file mode 100644
index 0000000000..8d4b196b88
--- /dev/null
+++ b/queue-5.10/drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch
@@ -0,0 +1,56 @@
+From 3eadd887dbac1df8f25f701e5d404d1b90fd0fea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Thu, 4 Apr 2024 23:33:25 +0300
+Subject: drm/client: Fully protect modes[] with dev->mode_config.mutex
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 3eadd887dbac1df8f25f701e5d404d1b90fd0fea upstream.
+
+The modes[] array contains pointers to modes on the connectors'
+mode lists, which are protected by dev->mode_config.mutex.
+Thus we need to extend modes[] the same protection or by the
+time we use it the elements may already be pointing to
+freed/reused memory.
+
+Cc: stable@vger.kernel.org
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240404203336.10454-2-ville.syrjala@linux.intel.com
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_client_modeset.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_client_modeset.c
++++ b/drivers/gpu/drm/drm_client_modeset.c
+@@ -774,6 +774,7 @@ int drm_client_modeset_probe(struct drm_
+ 	unsigned int total_modes_count = 0;
+ 	struct drm_client_offset *offsets;
+ 	unsigned int connector_count = 0;
++	/* points to modes protected by mode_config.mutex */
+ 	struct drm_display_mode **modes;
+ 	struct drm_crtc **crtcs;
+ 	int i, ret = 0;
+@@ -842,7 +843,6 @@ int drm_client_modeset_probe(struct drm_
+ 		drm_client_pick_crtcs(client, connectors, connector_count,
+ 				      crtcs, modes, 0, width, height);
+ 	}
+-	mutex_unlock(&dev->mode_config.mutex);
+ 
+ 	drm_client_modeset_release(client);
+ 
+@@ -872,6 +872,7 @@ int drm_client_modeset_probe(struct drm_
+ 			modeset->y = offset->y;
+ 		}
+ 	}
++	mutex_unlock(&dev->mode_config.mutex);
+ 
+ 	mutex_unlock(&client->modeset_mutex);
+ out:
diff --git a/queue-5.10/series b/queue-5.10/series
index aebdfe7d8a..2bfc94e827 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -29,3 +29,7 @@ net-ena-wrong-missing-io-completions-check-order.patch
 net-ena-fix-incorrect-descriptor-free-behavior.patch
 iommu-vt-d-allocate-local-memory-for-page-request-qu.patch
 mailbox-imx-fix-suspend-failue.patch
+btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch
+drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch
+vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch
+x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch
diff --git a/queue-5.10/vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch b/queue-5.10/vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch
new file mode 100644
index 0000000000..ca0146d8d8
--- /dev/null
+++ b/queue-5.10/vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch
@@ -0,0 +1,70 @@
+From 22e1992cf7b034db5325660e98c41ca5afa5f519 Mon Sep 17 00:00:00 2001
+From: Gavin Shan <gshan@redhat.com>
+Date: Thu, 28 Mar 2024 10:21:47 +1000
+Subject: vhost: Add smp_rmb() in vhost_vq_avail_empty()
+
+From: Gavin Shan <gshan@redhat.com>
+
+commit 22e1992cf7b034db5325660e98c41ca5afa5f519 upstream.
+
+A smp_rmb() has been missed in vhost_vq_avail_empty(), spotted by
+Will. Otherwise, it's not ensured the available ring entries pushed
+by guest can be observed by vhost in time, leading to stale available
+ring entries fetched by vhost in vhost_get_vq_desc(), as reported by
+Yihuang Yu on NVidia's grace-hopper (ARM64) platform.
+
+  /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64      \
+  -accel kvm -machine virt,gic-version=host -cpu host          \
+  -smp maxcpus=1,cpus=1,sockets=1,clusters=1,cores=1,threads=1 \
+  -m 4096M,slots=16,maxmem=64G                                 \
+  -object memory-backend-ram,id=mem0,size=4096M                \
+   :                                                           \
+  -netdev tap,id=vnet0,vhost=true                              \
+  -device virtio-net-pci,bus=pcie.8,netdev=vnet0,mac=52:54:00:f1:26:b0
+   :
+  guest# netperf -H 10.26.1.81 -l 60 -C -c -t UDP_STREAM
+  virtio_net virtio0: output.0:id 100 is not a head!
+
+Add the missed smp_rmb() in vhost_vq_avail_empty(). When tx_can_batch()
+returns true, it means there's still pending tx buffers. Since it might
+read indices, so it still can bypass the smp_rmb() in vhost_get_vq_desc().
+Note that it should be safe until vq->avail_idx is changed by commit
+275bf960ac697 ("vhost: better detection of available buffers").
+
+Fixes: 275bf960ac69 ("vhost: better detection of available buffers")
+Cc: <stable@kernel.org> # v4.11+
+Reported-by: Yihuang Yu <yihyu@redhat.com>
+Suggested-by: Will Deacon <will@kernel.org>
+Signed-off-by: Gavin Shan <gshan@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Message-Id: <20240328002149.1141302-2-gshan@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2513,9 +2513,19 @@ bool vhost_vq_avail_empty(struct vhost_d
+ 	r = vhost_get_avail_idx(vq, &avail_idx);
+ 	if (unlikely(r))
+ 		return false;
++
+ 	vq->avail_idx = vhost16_to_cpu(vq, avail_idx);
++	if (vq->avail_idx != vq->last_avail_idx) {
++		/* Since we have updated avail_idx, the following
++		 * call to vhost_get_vq_desc() will read available
++		 * ring entries. Make sure that read happens after
++		 * the avail_idx read.
++		 */
++		smp_rmb();
++		return false;
++	}
+ 
+-	return vq->avail_idx == vq->last_avail_idx;
++	return true;
+ }
+ EXPORT_SYMBOL_GPL(vhost_vq_avail_empty);
+ 
diff --git a/queue-5.10/x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch b/queue-5.10/x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch
new file mode 100644
index 0000000000..dc7085e042
--- /dev/null
+++ b/queue-5.10/x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch
@@ -0,0 +1,47 @@
+From f337a6a21e2fd67eadea471e93d05dd37baaa9be Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 9 Apr 2024 10:51:05 -0700
+Subject: x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit f337a6a21e2fd67eadea471e93d05dd37baaa9be upstream.
+
+Initialize cpu_mitigations to CPU_MITIGATIONS_OFF if the kernel is built
+with CONFIG_SPECULATION_MITIGATIONS=n, as the help text quite clearly
+states that disabling SPECULATION_MITIGATIONS is supposed to turn off all
+mitigations by default.
+
+  │ If you say N, all mitigations will be disabled. You really
+  │ should know what you are doing to say so.
+
+As is, the kernel still defaults to CPU_MITIGATIONS_AUTO, which results in
+some mitigations being enabled in spite of SPECULATION_MITIGATIONS=n.
+
+Fixes: f43b9876e857 ("x86/retbleed: Add fine grained Kconfig knobs")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
+Cc: stable@vger.kernel.org
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20240409175108.1512861-2-seanjc@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cpu.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -2600,7 +2600,8 @@ enum cpu_mitigations {
+ };
+ 
+ static enum cpu_mitigations cpu_mitigations __ro_after_init =
+-	CPU_MITIGATIONS_AUTO;
++	IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
++						     CPU_MITIGATIONS_OFF;
+ 
+ static int __init mitigations_parse_cmdline(char *arg)
+ {