--- /dev/null
+From be6f42fad5f5fd1fea9d562df82c38ad6ed3bfe9 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Tue, 21 Mar 2023 15:25:34 +0900
+Subject: ksmbd: don't terminate inactive sessions after a few seconds
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit be6f42fad5f5fd1fea9d562df82c38ad6ed3bfe9 upstream.
+
+Steve reported that inactive sessions are terminated after a few
+seconds. ksmbd terminate when receiving -EAGAIN error from
+kernel_recvmsg(). -EAGAIN means there is no data available in timeout.
+So ksmbd should keep connection with unlimited retries instead of
+terminating inactive sessions.
+
+Cc: stable@vger.kernel.org
+Reported-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/connection.c | 4 ++--
+ fs/ksmbd/connection.h | 3 ++-
+ fs/ksmbd/transport_rdma.c | 2 +-
+ fs/ksmbd/transport_tcp.c | 35 +++++++++++++++++++++++------------
+ 4 files changed, 28 insertions(+), 16 deletions(-)
+
+--- a/fs/ksmbd/connection.c
++++ b/fs/ksmbd/connection.c
+@@ -298,7 +298,7 @@ int ksmbd_conn_handler_loop(void *p)
+ kvfree(conn->request_buf);
+ conn->request_buf = NULL;
+
+- size = t->ops->read(t, hdr_buf, sizeof(hdr_buf));
++ size = t->ops->read(t, hdr_buf, sizeof(hdr_buf), -1);
+ if (size != sizeof(hdr_buf))
+ break;
+
+@@ -344,7 +344,7 @@ int ksmbd_conn_handler_loop(void *p)
+ * We already read 4 bytes to find out PDU size, now
+ * read in PDU
+ */
+- size = t->ops->read(t, conn->request_buf + 4, pdu_size);
++ size = t->ops->read(t, conn->request_buf + 4, pdu_size, 2);
+ if (size < 0) {
+ pr_err("sock_read failed: %d\n", size);
+ break;
+--- a/fs/ksmbd/connection.h
++++ b/fs/ksmbd/connection.h
+@@ -114,7 +114,8 @@ struct ksmbd_transport_ops {
+ int (*prepare)(struct ksmbd_transport *t);
+ void (*disconnect)(struct ksmbd_transport *t);
+ void (*shutdown)(struct ksmbd_transport *t);
+- int (*read)(struct ksmbd_transport *t, char *buf, unsigned int size);
++ int (*read)(struct ksmbd_transport *t, char *buf,
++ unsigned int size, int max_retries);
+ int (*writev)(struct ksmbd_transport *t, struct kvec *iovs, int niov,
+ int size, bool need_invalidate_rkey,
+ unsigned int remote_key);
+--- a/fs/ksmbd/transport_rdma.c
++++ b/fs/ksmbd/transport_rdma.c
+@@ -670,7 +670,7 @@ static int smb_direct_post_recv(struct s
+ }
+
+ static int smb_direct_read(struct ksmbd_transport *t, char *buf,
+- unsigned int size)
++ unsigned int size, int unused)
+ {
+ struct smb_direct_recvmsg *recvmsg;
+ struct smb_direct_data_transfer *data_transfer;
+--- a/fs/ksmbd/transport_tcp.c
++++ b/fs/ksmbd/transport_tcp.c
+@@ -291,16 +291,18 @@ static int ksmbd_tcp_run_kthread(struct
+
+ /**
+ * ksmbd_tcp_readv() - read data from socket in given iovec
+- * @t: TCP transport instance
+- * @iov_orig: base IO vector
+- * @nr_segs: number of segments in base iov
+- * @to_read: number of bytes to read from socket
++ * @t: TCP transport instance
++ * @iov_orig: base IO vector
++ * @nr_segs: number of segments in base iov
++ * @to_read: number of bytes to read from socket
++ * @max_retries: maximum retry count
+ *
+ * Return: on success return number of bytes read from socket,
+ * otherwise return error number
+ */
+ static int ksmbd_tcp_readv(struct tcp_transport *t, struct kvec *iov_orig,
+- unsigned int nr_segs, unsigned int to_read)
++ unsigned int nr_segs, unsigned int to_read,
++ int max_retries)
+ {
+ int length = 0;
+ int total_read;
+@@ -308,7 +310,6 @@ static int ksmbd_tcp_readv(struct tcp_tr
+ struct msghdr ksmbd_msg;
+ struct kvec *iov;
+ struct ksmbd_conn *conn = KSMBD_TRANS(t)->conn;
+- int max_retry = 2;
+
+ iov = get_conn_iovec(t, nr_segs);
+ if (!iov)
+@@ -335,14 +336,23 @@ static int ksmbd_tcp_readv(struct tcp_tr
+ } else if (conn->status == KSMBD_SESS_NEED_RECONNECT) {
+ total_read = -EAGAIN;
+ break;
+- } else if ((length == -ERESTARTSYS || length == -EAGAIN) &&
+- max_retry) {
++ } else if (length == -ERESTARTSYS || length == -EAGAIN) {
++ /*
++ * If max_retries is negative, Allow unlimited
++ * retries to keep connection with inactive sessions.
++ */
++ if (max_retries == 0) {
++ total_read = length;
++ break;
++ } else if (max_retries > 0) {
++ max_retries--;
++ }
++
+ usleep_range(1000, 2000);
+ length = 0;
+- max_retry--;
+ continue;
+ } else if (length <= 0) {
+- total_read = -EAGAIN;
++ total_read = length;
+ break;
+ }
+ }
+@@ -358,14 +368,15 @@ static int ksmbd_tcp_readv(struct tcp_tr
+ * Return: on success return number of bytes read from socket,
+ * otherwise return error number
+ */
+-static int ksmbd_tcp_read(struct ksmbd_transport *t, char *buf, unsigned int to_read)
++static int ksmbd_tcp_read(struct ksmbd_transport *t, char *buf,
++ unsigned int to_read, int max_retries)
+ {
+ struct kvec iov;
+
+ iov.iov_base = buf;
+ iov.iov_len = to_read;
+
+- return ksmbd_tcp_readv(TCP_TRANS(t), &iov, 1, to_read);
++ return ksmbd_tcp_readv(TCP_TRANS(t), &iov, 1, to_read, max_retries);
+ }
+
+ static int ksmbd_tcp_writev(struct ksmbd_transport *t, struct kvec *iov,
--- /dev/null
+From 7a891d4b62d62566323676cb0e922ded4f37afe1 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Wed, 1 Mar 2023 00:01:21 +0900
+Subject: ksmbd: fix wrong signingkey creation when encryption is AES256
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 7a891d4b62d62566323676cb0e922ded4f37afe1 upstream.
+
+MacOS and Win11 support AES256 encrytion and it is included in the cipher
+array of encryption context. Especially on macOS, The most preferred
+cipher is AES256. Connecting to ksmbd fails on newer MacOS clients that
+support AES256 encryption. MacOS send disconnect request after receiving
+final session setup response from ksmbd. Because final session setup is
+signed with signing key was generated incorrectly.
+For signging key, 'L' value should be initialized to 128 if key size is
+16bytes.
+
+Cc: stable@vger.kernel.org
+Reported-by: Miao Lihua <441884205@qq.com>
+Tested-by: Miao Lihua <441884205@qq.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/auth.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/ksmbd/auth.c
++++ b/fs/ksmbd/auth.c
+@@ -727,8 +727,9 @@ static int generate_key(struct ksmbd_con
+ goto smb3signkey_ret;
+ }
+
+- if (conn->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
+- conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM)
++ if (key_size == SMB3_ENC_DEC_KEY_SIZE &&
++ (conn->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
++ conn->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
+ rc = crypto_shash_update(CRYPTO_HMACSHA256(ctx), L256, 4);
+ else
+ rc = crypto_shash_update(CRYPTO_HMACSHA256(ctx), L128, 4);
--- /dev/null
+From b53e8cfec30b93c120623232ba27c041b1ef8f1a Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Tue, 21 Mar 2023 15:36:40 +0900
+Subject: ksmbd: return STATUS_NOT_SUPPORTED on unsupported smb2.0 dialect
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit b53e8cfec30b93c120623232ba27c041b1ef8f1a upstream.
+
+ksmbd returned "Input/output error" when mounting with vers=2.0 to
+ksmbd. It should return STATUS_NOT_SUPPORTED on unsupported smb2.0
+dialect.
+
+Cc: stable@vger.kernel.org
+Reported-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ksmbd/smb_common.c
++++ b/fs/ksmbd/smb_common.c
+@@ -434,7 +434,7 @@ int ksmbd_extract_shortname(struct ksmbd
+
+ static int __smb2_negotiate(struct ksmbd_conn *conn)
+ {
+- return (conn->dialect >= SMB21_PROT_ID &&
++ return (conn->dialect >= SMB20_PROT_ID &&
+ conn->dialect <= SMB311_PROT_ID);
+ }
+
+@@ -465,7 +465,7 @@ int ksmbd_smb_negotiate_common(struct ks
+ }
+ }
+
+- if (command == SMB2_NEGOTIATE_HE && __smb2_negotiate(conn)) {
++ if (command == SMB2_NEGOTIATE_HE) {
+ ret = smb2_handle_negotiate(work);
+ init_smb2_neg_rsp(work);
+ return ret;
--- /dev/null
+From 39b291b86b5988bf8753c3874d5c773399d09b96 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Thu, 23 Mar 2023 21:15:52 +0900
+Subject: ksmbd: return unsupported error on smb1 mount
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 39b291b86b5988bf8753c3874d5c773399d09b96 upstream.
+
+ksmbd disconnect connection when mounting with vers=smb1.
+ksmbd should send smb1 negotiate response to client for correct
+unsupported error return. This patch add needed SMB1 macros and fill
+NegProt part of the response for smb1 negotiate response.
+
+Cc: stable@vger.kernel.org
+Reported-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/connection.c | 7 ++-----
+ fs/ksmbd/smb_common.c | 23 ++++++++++++++++++++---
+ fs/ksmbd/smb_common.h | 30 ++++++++----------------------
+ 3 files changed, 30 insertions(+), 30 deletions(-)
+
+--- a/fs/ksmbd/connection.c
++++ b/fs/ksmbd/connection.c
+@@ -319,13 +319,10 @@ int ksmbd_conn_handler_loop(void *p)
+ }
+
+ /*
+- * Check if pdu size is valid (min : smb header size,
+- * max : 0x00FFFFFF).
++ * Check maximum pdu size(0x00FFFFFF).
+ */
+- if (pdu_size < __SMB2_HEADER_STRUCTURE_SIZE ||
+- pdu_size > MAX_STREAM_PROT_LEN) {
++ if (pdu_size > MAX_STREAM_PROT_LEN)
+ break;
+- }
+
+ /* 4 for rfc1002 length field */
+ size = pdu_size + 4;
+--- a/fs/ksmbd/smb_common.c
++++ b/fs/ksmbd/smb_common.c
+@@ -442,9 +442,26 @@ static int smb_handle_negotiate(struct k
+ {
+ struct smb_negotiate_rsp *neg_rsp = work->response_buf;
+
+- ksmbd_debug(SMB, "Unsupported SMB protocol\n");
+- neg_rsp->hdr.Status.CifsError = STATUS_INVALID_LOGON_TYPE;
+- return -EINVAL;
++ ksmbd_debug(SMB, "Unsupported SMB1 protocol\n");
++
++ /*
++ * Remove 4 byte direct TCP header, add 2 byte bcc and
++ * 2 byte DialectIndex.
++ */
++ *(__be32 *)work->response_buf =
++ cpu_to_be32(sizeof(struct smb_hdr) - 4 + 2 + 2);
++ neg_rsp->hdr.Status.CifsError = STATUS_SUCCESS;
++
++ neg_rsp->hdr.Command = SMB_COM_NEGOTIATE;
++ *(__le32 *)neg_rsp->hdr.Protocol = SMB1_PROTO_NUMBER;
++ neg_rsp->hdr.Flags = SMBFLG_RESPONSE;
++ neg_rsp->hdr.Flags2 = SMBFLG2_UNICODE | SMBFLG2_ERR_STATUS |
++ SMBFLG2_EXT_SEC | SMBFLG2_IS_LONG_NAME;
++
++ neg_rsp->hdr.WordCount = 1;
++ neg_rsp->DialectIndex = cpu_to_le16(work->conn->dialect);
++ neg_rsp->ByteCount = 0;
++ return 0;
+ }
+
+ int ksmbd_smb_negotiate_common(struct ksmbd_work *work, unsigned int command)
+--- a/fs/ksmbd/smb_common.h
++++ b/fs/ksmbd/smb_common.h
+@@ -158,8 +158,15 @@
+
+ #define SMB1_PROTO_NUMBER cpu_to_le32(0x424d53ff)
+ #define SMB_COM_NEGOTIATE 0x72
+-
+ #define SMB1_CLIENT_GUID_SIZE (16)
++
++#define SMBFLG_RESPONSE 0x80 /* this PDU is a response from server */
++
++#define SMBFLG2_IS_LONG_NAME cpu_to_le16(0x40)
++#define SMBFLG2_EXT_SEC cpu_to_le16(0x800)
++#define SMBFLG2_ERR_STATUS cpu_to_le16(0x4000)
++#define SMBFLG2_UNICODE cpu_to_le16(0x8000)
++
+ struct smb_hdr {
+ __be32 smb_buf_length;
+ __u8 Protocol[4];
+@@ -199,28 +206,7 @@ struct smb_negotiate_req {
+ struct smb_negotiate_rsp {
+ struct smb_hdr hdr; /* wct = 17 */
+ __le16 DialectIndex; /* 0xFFFF = no dialect acceptable */
+- __u8 SecurityMode;
+- __le16 MaxMpxCount;
+- __le16 MaxNumberVcs;
+- __le32 MaxBufferSize;
+- __le32 MaxRawSize;
+- __le32 SessionKey;
+- __le32 Capabilities; /* see below */
+- __le32 SystemTimeLow;
+- __le32 SystemTimeHigh;
+- __le16 ServerTimeZone;
+- __u8 EncryptionKeyLength;
+ __le16 ByteCount;
+- union {
+- unsigned char EncryptionKey[8]; /* cap extended security off */
+- /* followed by Domain name - if extended security is off */
+- /* followed by 16 bytes of server GUID */
+- /* then security blob if cap_extended_security negotiated */
+- struct {
+- unsigned char GUID[SMB1_CLIENT_GUID_SIZE];
+- unsigned char SecurityBlob[1];
+- } __packed extended_response;
+- } __packed u;
+ } __packed;
+
+ struct filesystem_attribute_info {
--- /dev/null
+From 728f14c72b71a19623df329c1c7c9d1452e56f1e Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Wed, 1 Mar 2023 00:02:30 +0900
+Subject: ksmbd: set FILE_NAMED_STREAMS attribute in FS_ATTRIBUTE_INFORMATION
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 728f14c72b71a19623df329c1c7c9d1452e56f1e upstream.
+
+If vfs objects = streams_xattr in ksmbd.conf FILE_NAMED_STREAMS should
+be set to Attributes in FS_ATTRIBUTE_INFORMATION. MacOS client show
+"Format: SMB (Unknown)" on faked NTFS and no streams support.
+
+Cc: stable@vger.kernel.org
+Reported-by: Miao Lihua <441884205@qq.com>
+Tested-by: Miao Lihua <441884205@qq.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb2pdu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -4954,6 +4954,10 @@ static int smb2_get_info_filesystem(stru
+
+ info->Attributes |= cpu_to_le32(server_conf.share_fake_fscaps);
+
++ if (test_share_config_flag(work->tcon->share_conf,
++ KSMBD_SHARE_FLAG_STREAMS))
++ info->Attributes |= cpu_to_le32(FILE_NAMED_STREAMS);
++
+ info->MaxPathNameComponentLength = cpu_to_le32(stfs.f_namelen);
+ len = smbConvertToUTF16((__le16 *)info->FileSystemName,
+ "NTFS", PATH_MAX, conn->local_nls, 0);
--- /dev/null
+From 0fa99fdfe1b38da396d0b2d1496a823bcd0ebea0 Mon Sep 17 00:00:00 2001
+From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
+Date: Tue, 7 Mar 2023 13:02:46 -0500
+Subject: maple_tree: fix mas_skip_node() end slot detection
+
+From: Liam R. Howlett <Liam.Howlett@oracle.com>
+
+commit 0fa99fdfe1b38da396d0b2d1496a823bcd0ebea0 upstream.
+
+Patch series "Fix mas_skip_node() for mas_empty_area()", v2.
+
+mas_empty_area() was incorrectly returning an error when there was room.
+The issue was tracked down to mas_skip_node() using the incorrect
+end-of-slot count. Instead of using the nodes hard limit, the limit of
+data should be used.
+
+mas_skip_node() was also setting the min and max to that of the child
+node, which was unnecessary. Within these limits being set, there was
+also a bug that corrupted the maple state's max if the offset was set to
+the maximum node pivot. The bug was without consequence unless there was
+a sufficient gap in the next child node which would cause an error to be
+returned.
+
+This patch set fixes these errors by removing the limit setting from
+mas_skip_node() and uses the mas_data_end() for slot limits, and adds
+tests for all failures discovered.
+
+
+This patch (of 2):
+
+mas_skip_node() is used to move the maple state to the node with a higher
+limit. It does this by walking up the tree and increasing the slot count.
+Since slot count may not be able to be increased, it may need to walk up
+multiple times to find room to walk right to a higher limit node. The
+limit of slots that was being used was the node limit and not the last
+location of data in the node. This would cause the maple state to be
+shifted outside actual data and enter an error state, thus returning
+-EBUSY.
+
+The result of the incorrect error state means that mas_awalk() would
+return an error instead of finding the allocation space.
+
+The fix is to use mas_data_end() in mas_skip_node() to detect the nodes
+data end point and continue walking the tree up until it is safe to move
+to a node with a higher limit.
+
+The walk up the tree also sets the maple state limits so remove the buggy
+code from mas_skip_node(). Setting the limits had the unfortunate side
+effect of triggering another bug if the parent node was full and the there
+was no suitable gap in the second last child, but room in the next child.
+
+mas_skip_node() may also be passed a maple state in an error state from
+mas_anode_descend() when no allocations are available. Return on such an
+error state immediately.
+
+Link: https://lkml.kernel.org/r/20230307180247.2220303-1-Liam.Howlett@oracle.com
+Link: https://lkml.kernel.org/r/20230307180247.2220303-2-Liam.Howlett@oracle.com
+Fixes: 54a611b60590 ("Maple Tree: add new data structure")
+Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
+Reported-by: Snild Dolkow <snild@sony.com>
+ Link: https://lore.kernel.org/linux-mm/cb8dc31a-fef2-1d09-f133-e9f7b9f9e77a@sony.com/
+Tested-by: Snild Dolkow <snild@sony.com>
+Cc: Peng Zhang <zhangpeng.00@bytedance.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/maple_tree.c | 24 +++++-------------------
+ 1 file changed, 5 insertions(+), 19 deletions(-)
+
+--- a/lib/maple_tree.c
++++ b/lib/maple_tree.c
+@@ -5088,35 +5088,21 @@ static inline bool mas_rewind_node(struc
+ */
+ static inline bool mas_skip_node(struct ma_state *mas)
+ {
+- unsigned char slot, slot_count;
+- unsigned long *pivots;
+- enum maple_type mt;
++ if (mas_is_err(mas))
++ return false;
+
+- mt = mte_node_type(mas->node);
+- slot_count = mt_slots[mt] - 1;
+ do {
+ if (mte_is_root(mas->node)) {
+- slot = mas->offset;
+- if (slot > slot_count) {
++ if (mas->offset >= mas_data_end(mas)) {
+ mas_set_err(mas, -EBUSY);
+ return false;
+ }
+ } else {
+ mas_ascend(mas);
+- slot = mas->offset;
+- mt = mte_node_type(mas->node);
+- slot_count = mt_slots[mt] - 1;
+ }
+- } while (slot > slot_count);
+-
+- mas->offset = ++slot;
+- pivots = ma_pivots(mas_mn(mas), mt);
+- if (slot > 0)
+- mas->min = pivots[slot - 1] + 1;
+-
+- if (slot <= slot_count)
+- mas->max = pivots[slot];
++ } while (mas->offset >= mas_data_end(mas));
+
++ mas->offset++;
+ return true;
+ }
+
--- /dev/null
+From 003587000276f81d0114b5ce773d80c119d8cb30 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Tue, 7 Mar 2023 17:55:48 +0900
+Subject: nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit 003587000276f81d0114b5ce773d80c119d8cb30 upstream.
+
+The ioctl helper function nilfs_ioctl_wrap_copy(), which exchanges a
+metadata array to/from user space, may copy uninitialized buffer regions
+to user space memory for read-only ioctl commands NILFS_IOCTL_GET_SUINFO
+and NILFS_IOCTL_GET_CPINFO.
+
+This can occur when the element size of the user space metadata given by
+the v_size member of the argument nilfs_argv structure is larger than the
+size of the metadata element (nilfs_suinfo structure or nilfs_cpinfo
+structure) on the file system side.
+
+KMSAN-enabled kernels detect this issue as follows:
+
+ BUG: KMSAN: kernel-infoleak in instrument_copy_to_user
+ include/linux/instrumented.h:121 [inline]
+ BUG: KMSAN: kernel-infoleak in _copy_to_user+0xc0/0x100 lib/usercopy.c:33
+ instrument_copy_to_user include/linux/instrumented.h:121 [inline]
+ _copy_to_user+0xc0/0x100 lib/usercopy.c:33
+ copy_to_user include/linux/uaccess.h:169 [inline]
+ nilfs_ioctl_wrap_copy+0x6fa/0xc10 fs/nilfs2/ioctl.c:99
+ nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]
+ nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290
+ nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343
+ __do_compat_sys_ioctl fs/ioctl.c:968 [inline]
+ __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910
+ __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910
+ do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
+ __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
+ do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
+ do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
+ entry_SYSENTER_compat_after_hwframe+0x70/0x82
+
+ Uninit was created at:
+ __alloc_pages+0x9f6/0xe90 mm/page_alloc.c:5572
+ alloc_pages+0xab0/0xd80 mm/mempolicy.c:2287
+ __get_free_pages+0x34/0xc0 mm/page_alloc.c:5599
+ nilfs_ioctl_wrap_copy+0x223/0xc10 fs/nilfs2/ioctl.c:74
+ nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]
+ nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290
+ nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343
+ __do_compat_sys_ioctl fs/ioctl.c:968 [inline]
+ __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910
+ __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910
+ do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
+ __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
+ do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
+ do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
+ entry_SYSENTER_compat_after_hwframe+0x70/0x82
+
+ Bytes 16-127 of 3968 are uninitialized
+ ...
+
+This eliminates the leak issue by initializing the page allocated as
+buffer using get_zeroed_page().
+
+Link: https://lkml.kernel.org/r/20230307085548.6290-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+132fdd2f1e1805fdc591@syzkaller.appspotmail.com
+ Link: https://lkml.kernel.org/r/000000000000a5bd2d05f63f04ae@google.com
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nilfs2/ioctl.c
++++ b/fs/nilfs2/ioctl.c
+@@ -71,7 +71,7 @@ static int nilfs_ioctl_wrap_copy(struct
+ if (argv->v_index > ~(__u64)0 - argv->v_nmembs)
+ return -EINVAL;
+
+- buf = (void *)__get_free_pages(GFP_NOFS, 0);
++ buf = (void *)get_zeroed_page(GFP_NOFS);
+ if (unlikely(!buf))
+ return -ENOMEM;
+ maxmembs = PAGE_SIZE / argv->v_size;
--- /dev/null
+From f446883d12b8bfa486f7c98d403054d61d38c989 Mon Sep 17 00:00:00 2001
+From: Peter Collingbourne <pcc@google.com>
+Date: Thu, 9 Mar 2023 20:29:13 -0800
+Subject: Revert "kasan: drop skip_kasan_poison variable in free_pages_prepare"
+
+From: Peter Collingbourne <pcc@google.com>
+
+commit f446883d12b8bfa486f7c98d403054d61d38c989 upstream.
+
+This reverts commit 487a32ec24be819e747af8c2ab0d5c515508086a.
+
+should_skip_kasan_poison() reads the PG_skip_kasan_poison flag from
+page->flags. However, this line of code in free_pages_prepare():
+
+ page->flags &= ~PAGE_FLAGS_CHECK_AT_PREP;
+
+clears most of page->flags, including PG_skip_kasan_poison, before calling
+should_skip_kasan_poison(), which meant that it would never return true as
+a result of the page flag being set. Therefore, fix the code to call
+should_skip_kasan_poison() before clearing the flags, as we were doing
+before the reverted patch.
+
+This fixes a measurable performance regression introduced in the reverted
+commit, where munmap() takes longer than intended if HW tags KASAN is
+supported and enabled at runtime. Without this patch, we see a
+single-digit percentage performance regression in a particular
+mmap()-heavy benchmark when enabling HW tags KASAN, and with the patch,
+there is no statistically significant performance impact when enabling HW
+tags KASAN.
+
+Link: https://lkml.kernel.org/r/20230310042914.3805818-2-pcc@google.com
+Fixes: 487a32ec24be ("kasan: drop skip_kasan_poison variable in free_pages_prepare")
+ Link: https://linux-review.googlesource.com/id/Ic4f13affeebd20548758438bb9ed9ca40e312b79
+Signed-off-by: Peter Collingbourne <pcc@google.com>
+Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
+Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com> [arm64]
+Cc: Evgenii Stepanov <eugenis@google.com>
+Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: <stable@vger.kernel.org> [6.1]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/page_alloc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -1402,6 +1402,7 @@ static __always_inline bool free_pages_p
+ unsigned int order, bool check_free, fpi_t fpi_flags)
+ {
+ int bad = 0;
++ bool skip_kasan_poison = should_skip_kasan_poison(page, fpi_flags);
+ bool init = want_init_on_free();
+
+ VM_BUG_ON_PAGE(PageTail(page), page);
+@@ -1476,7 +1477,7 @@ static __always_inline bool free_pages_p
+ * With hardware tag-based KASAN, memory tags must be set before the
+ * page becomes unavailable via debug_pagealloc or arch_free_page.
+ */
+- if (!should_skip_kasan_poison(page, fpi_flags)) {
++ if (!skip_kasan_poison) {
+ kasan_poison_pages(page, order, init);
+
+ /* Memory is already initialized if KASAN did it internally. */
kfence-avoid-passing-g-for-test.patch
io_uring-net-avoid-sending-econnaborted-on-repeated-connection-requests.patch
io_uring-rsrc-fix-null-ptr-deref-in-io_file_bitmap_get.patch
+revert-kasan-drop-skip_kasan_poison-variable-in-free_pages_prepare.patch
+test_maple_tree-add-more-testing-for-mas_empty_area.patch
+maple_tree-fix-mas_skip_node-end-slot-detection.patch
+ksmbd-fix-wrong-signingkey-creation-when-encryption-is-aes256.patch
+ksmbd-set-file_named_streams-attribute-in-fs_attribute_information.patch
+ksmbd-don-t-terminate-inactive-sessions-after-a-few-seconds.patch
+ksmbd-return-status_not_supported-on-unsupported-smb2.0-dialect.patch
+ksmbd-return-unsupported-error-on-smb1-mount.patch
+wifi-mac80211-fix-qos-on-mesh-interfaces.patch
+nilfs2-fix-kernel-infoleak-in-nilfs_ioctl_wrap_copy.patch
--- /dev/null
+From 4bd6dded6318dc8e2514d74868c1f8fb38b61a60 Mon Sep 17 00:00:00 2001
+From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
+Date: Tue, 7 Mar 2023 13:02:47 -0500
+Subject: test_maple_tree: add more testing for mas_empty_area()
+
+From: Liam R. Howlett <Liam.Howlett@oracle.com>
+
+commit 4bd6dded6318dc8e2514d74868c1f8fb38b61a60 upstream.
+
+Test robust filling of an entire area of the tree, then test one beyond.
+This is to test the walking back up the tree at the end of nodes and error
+condition. Test inspired by the reproducer code provided by Snild Dolkow.
+
+The last test in the function tests for the case of a corrupted maple
+state caused by the incorrect limits set during mas_skip_node(). There
+needs to be a gap in the second last child and last child, but the search
+must rule out the second last child's gap. This would avoid correcting
+the maple state to the correct max limit and return an error.
+
+Link: https://lkml.kernel.org/r/20230307180247.2220303-3-Liam.Howlett@oracle.com
+Cc: Snild Dolkow <snild@sony.com>
+Link: https://lore.kernel.org/linux-mm/cb8dc31a-fef2-1d09-f133-e9f7b9f9e77a@sony.com/
+Fixes: e15e06a83923 ("lib/test_maple_tree: add testing for maple tree")
+Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
+Cc: Peng Zhang <zhangpeng.00@bytedance.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/test_maple_tree.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+--- a/lib/test_maple_tree.c
++++ b/lib/test_maple_tree.c
+@@ -2602,6 +2602,49 @@ static noinline void check_empty_area_wi
+ rcu_read_unlock();
+ }
+
++static noinline void check_empty_area_fill(struct maple_tree *mt)
++{
++ const unsigned long max = 0x25D78000;
++ unsigned long size;
++ int loop, shift;
++ MA_STATE(mas, mt, 0, 0);
++
++ mt_set_non_kernel(99999);
++ for (shift = 12; shift <= 16; shift++) {
++ loop = 5000;
++ size = 1 << shift;
++ while (loop--) {
++ mas_set(&mas, 0);
++ mas_lock(&mas);
++ MT_BUG_ON(mt, mas_empty_area(&mas, 0, max, size) != 0);
++ MT_BUG_ON(mt, mas.last != mas.index + size - 1);
++ mas_store_gfp(&mas, (void *)size, GFP_KERNEL);
++ mas_unlock(&mas);
++ mas_reset(&mas);
++ }
++ }
++
++ /* No space left. */
++ size = 0x1000;
++ rcu_read_lock();
++ MT_BUG_ON(mt, mas_empty_area(&mas, 0, max, size) != -EBUSY);
++ rcu_read_unlock();
++
++ /* Fill a depth 3 node to the maximum */
++ for (unsigned long i = 629440511; i <= 629440800; i += 6)
++ mtree_store_range(mt, i, i + 5, (void *)i, GFP_KERNEL);
++ /* Make space in the second-last depth 4 node */
++ mtree_erase(mt, 631668735);
++ /* Make space in the last depth 4 node */
++ mtree_erase(mt, 629506047);
++ mas_reset(&mas);
++ /* Search from just after the gap in the second-last depth 4 */
++ rcu_read_lock();
++ MT_BUG_ON(mt, mas_empty_area(&mas, 629506048, 690000000, 0x5000) != 0);
++ rcu_read_unlock();
++ mt_set_non_kernel(0);
++}
++
+ static DEFINE_MTREE(tree);
+ static int maple_tree_seed(void)
+ {
+@@ -2854,6 +2897,11 @@ static int maple_tree_seed(void)
+ check_empty_area_window(&tree);
+ mtree_destroy(&tree);
+
++ mt_init_flags(&tree, MT_FLAGS_ALLOC_RANGE);
++ check_empty_area_fill(&tree);
++ mtree_destroy(&tree);
++
++
+ #if defined(BENCH)
+ skip:
+ #endif
--- /dev/null
+From 4e348c6c6e23491ae6eb5e077848a42d0562339c Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Tue, 14 Mar 2023 10:59:50 +0100
+Subject: wifi: mac80211: fix qos on mesh interfaces
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 4e348c6c6e23491ae6eb5e077848a42d0562339c upstream.
+
+When ieee80211_select_queue is called for mesh, the sta pointer is usually
+NULL, since the nexthop is looked up much later in the tx path.
+Explicitly check for unicast address in that case in order to make qos work
+again.
+
+Cc: stable@vger.kernel.org
+Fixes: 50e2ab392919 ("wifi: mac80211: fix queue selection for mesh/OCB interfaces")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20230314095956.62085-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/wme.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/wme.c
++++ b/net/mac80211/wme.c
+@@ -144,12 +144,14 @@ u16 ieee80211_select_queue_80211(struct
+ u16 __ieee80211_select_queue(struct ieee80211_sub_if_data *sdata,
+ struct sta_info *sta, struct sk_buff *skb)
+ {
++ const struct ethhdr *eth = (void *)skb->data;
+ struct mac80211_qos_map *qos_map;
+ bool qos;
+
+ /* all mesh/ocb stations are required to support WME */
+- if (sta && (sdata->vif.type == NL80211_IFTYPE_MESH_POINT ||
+- sdata->vif.type == NL80211_IFTYPE_OCB))
++ if ((sdata->vif.type == NL80211_IFTYPE_MESH_POINT &&
++ !is_multicast_ether_addr(eth->h_dest)) ||
++ (sdata->vif.type == NL80211_IFTYPE_OCB && sta))
+ qos = true;
+ else if (sta)
+ qos = sta->sta.wme;
projects / thirdparty / kernel / stable-queue.git / commitdiff
