--- /dev/null
+From a20364ca9253e0f6221bb798974272243bc2333d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 15:27:53 -0700
+Subject: block, bfq: fix possible uaf for 'bfqq->bic'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 64dc8c732f5c2b406cc752e6aaa1bd5471159cab ]
+
+Our test report a uaf for 'bfqq->bic' in 5.10:
+
+==================================================================
+BUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30
+
+CPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014
+Call Trace:
+ bfq_select_queue+0x378/0xa30
+ bfq_dispatch_request+0xe8/0x130
+ blk_mq_do_dispatch_sched+0x62/0xb0
+ __blk_mq_sched_dispatch_requests+0x215/0x2a0
+ blk_mq_sched_dispatch_requests+0x8f/0xd0
+ __blk_mq_run_hw_queue+0x98/0x180
+ __blk_mq_delay_run_hw_queue+0x22b/0x240
+ blk_mq_run_hw_queue+0xe3/0x190
+ blk_mq_sched_insert_requests+0x107/0x200
+ blk_mq_flush_plug_list+0x26e/0x3c0
+ blk_finish_plug+0x63/0x90
+ __iomap_dio_rw+0x7b5/0x910
+ iomap_dio_rw+0x36/0x80
+ ext4_dio_read_iter+0x146/0x190 [ext4]
+ ext4_file_read_iter+0x1e2/0x230 [ext4]
+ new_sync_read+0x29f/0x400
+ vfs_read+0x24e/0x2d0
+ ksys_read+0xd5/0x1b0
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x61/0xc6
+
+Commit 3bc5e683c67d ("bfq: Split shared queues on move between cgroups")
+changes that move process to a new cgroup will allocate a new bfqq to
+use, however, the old bfqq and new bfqq can point to the same bic:
+
+1) Initial state, two process with io in the same cgroup.
+
+Process 1 Process 2
+ (BIC1) (BIC2)
+ | Λ | Λ
+ | | | |
+ V | V |
+ bfqq1 bfqq2
+
+2) bfqq1 is merged to bfqq2.
+
+Process 1 Process 2
+ (BIC1) (BIC2)
+ | |
+ \-------------\|
+ V
+ bfqq1 bfqq2(coop)
+
+3) Process 1 exit, then issue new io(denoce IOA) from Process 2.
+
+ (BIC2)
+ | Λ
+ | |
+ V |
+ bfqq2(coop)
+
+4) Before IOA is completed, move Process 2 to another cgroup and issue io.
+
+Process 2
+ (BIC2)
+ Λ
+ |\--------------\
+ | V
+ bfqq2 bfqq3
+
+Now that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2.
+If all the requests are completed, and Process 2 exit, BIC2 will be
+freed while there is no guarantee that bfqq2 will be freed before BIC2.
+
+Fix the problem by clearing bfqq->bic while bfqq is detached from bic.
+
+Fixes: 3bc5e683c67d ("bfq: Split shared queues on move between cgroups")
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20221214030430.3304151-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 7c4b8d0635ebd..afaededb3c49c 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -373,6 +373,12 @@ struct bfq_queue *bic_to_bfqq(struct bfq_io_cq *bic, bool is_sync)
+
+ void bic_set_bfqq(struct bfq_io_cq *bic, struct bfq_queue *bfqq, bool is_sync)
+ {
++ struct bfq_queue *old_bfqq = bic->bfqq[is_sync];
++
++ /* Clear bic pointer if bfqq is detached from this bic */
++ if (old_bfqq && old_bfqq->bic == bic)
++ old_bfqq->bic = NULL;
++
+ bic->bfqq[is_sync] = bfqq;
+ }
+
+@@ -4977,7 +4983,6 @@ static void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync)
+ unsigned long flags;
+
+ spin_lock_irqsave(&bfqd->lock, flags);
+- bfqq->bic = NULL;
+ bfq_exit_bfqq(bfqd, bfqq);
+ bic_set_bfqq(bic, NULL, is_sync);
+ spin_unlock_irqrestore(&bfqd->lock, flags);
+--
+2.39.2
+
--- /dev/null
+From 8d578c6a8eb0a4e63490fb7f8d2aa9bc5cee23d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 15:27:54 -0700
+Subject: block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 246cf66e300b76099b5dbd3fdd39e9a5dbc53f02 ]
+
+Commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'")
+will access 'bic->bfqq' in bic_set_bfqq(), however, bfq_exit_icq_bfqq()
+can free bfqq first, and then call bic_set_bfqq(), which will cause uaf.
+
+Fix the problem by moving bfq_exit_bfqq() behind bic_set_bfqq().
+
+Fixes: 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'")
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20221226030605.1437081-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index afaededb3c49c..0a53b653a7e2e 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -4983,8 +4983,8 @@ static void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync)
+ unsigned long flags;
+
+ spin_lock_irqsave(&bfqd->lock, flags);
+- bfq_exit_bfqq(bfqd, bfqq);
+ bic_set_bfqq(bic, NULL, is_sync);
++ bfq_exit_bfqq(bfqd, bfqq);
+ spin_unlock_irqrestore(&bfqd->lock, flags);
+ }
+ }
+--
+2.39.2
+
--- /dev/null
+From 96bd4e91efc38daae342ac7c231dc356ab084822 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 15:27:57 -0700
+Subject: block, bfq: fix uaf for bfqq in bic_set_bfqq()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit b600de2d7d3a16f9007fad1bdae82a3951a26af2 ]
+
+After commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'"),
+bic->bfqq will be accessed in bic_set_bfqq(), however, in some context
+bic->bfqq will be freed, and bic_set_bfqq() is called with the freed
+bic->bfqq.
+
+Fix the problem by always freeing bfqq after bic_set_bfqq().
+
+Fixes: 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'")
+Reported-and-tested-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230130014136.591038-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-cgroup.c | 2 +-
+ block/bfq-iosched.c | 4 +++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
+index 2f440b79183d3..1f9ccc661d574 100644
+--- a/block/bfq-cgroup.c
++++ b/block/bfq-cgroup.c
+@@ -748,8 +748,8 @@ static void *__bfq_bic_change_cgroup(struct bfq_data *bfqd,
+ * request from the old cgroup.
+ */
+ bfq_put_cooperator(sync_bfqq);
+- bfq_release_process_ref(bfqd, sync_bfqq);
+ bic_set_bfqq(bic, NULL, true);
++ bfq_release_process_ref(bfqd, sync_bfqq);
+ }
+ }
+ }
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 016d7f32af9f1..6687b805bab3b 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -5070,9 +5070,11 @@ static void bfq_check_ioprio_change(struct bfq_io_cq *bic, struct bio *bio)
+
+ bfqq = bic_to_bfqq(bic, false);
+ if (bfqq) {
+- bfq_release_process_ref(bfqd, bfqq);
++ struct bfq_queue *old_bfqq = bfqq;
++
+ bfqq = bfq_get_queue(bfqd, bio, false, bic);
+ bic_set_bfqq(bic, bfqq, false);
++ bfq_release_process_ref(bfqd, old_bfqq);
+ }
+
+ bfqq = bic_to_bfqq(bic, true);
+--
+2.39.2
+
--- /dev/null
+From 1e98b6da6bd182cf966673fcf2fa181d9af1ab31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 15:27:55 -0700
+Subject: block/bfq-iosched.c: use "false" rather than "BLK_RW_ASYNC"
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit f6bad159f5d5e5b33531aba3d9b860ad8618afe0 ]
+
+bfq_get_queue() expects a "bool" for the third arg, so pass "false"
+rather than "BLK_RW_ASYNC" which will soon be removed.
+
+Link: https://lkml.kernel.org/r/164549983746.9187.7949730109246767909.stgit@noble.brown
+Signed-off-by: NeilBrown <neilb@suse.de>
+Acked-by: Jens Axboe <axboe@kernel.dk>
+Cc: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Cc: Chao Yu <chao@kernel.org>
+Cc: Darrick J. Wong <djwong@kernel.org>
+Cc: Ilya Dryomov <idryomov@gmail.com>
+Cc: Jaegeuk Kim <jaegeuk@kernel.org>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Jeff Layton <jlayton@kernel.org>
+Cc: Lars Ellenberg <lars.ellenberg@linbit.com>
+Cc: Miklos Szeredi <miklos@szeredi.hu>
+Cc: Paolo Valente <paolo.valente@linaro.org>
+Cc: Philipp Reisner <philipp.reisner@linbit.com>
+Cc: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: Trond Myklebust <trond.myklebust@hammerspace.com>
+Cc: Wu Fengguang <fengguang.wu@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: b600de2d7d3a ("block, bfq: fix uaf for bfqq in bic_set_bfqq()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 0a53b653a7e2e..35b240cba0926 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -5071,7 +5071,7 @@ static void bfq_check_ioprio_change(struct bfq_io_cq *bic, struct bio *bio)
+ bfqq = bic_to_bfqq(bic, false);
+ if (bfqq) {
+ bfq_release_process_ref(bfqd, bfqq);
+- bfqq = bfq_get_queue(bfqd, bio, BLK_RW_ASYNC, bic);
++ bfqq = bfq_get_queue(bfqd, bio, false, bic);
+ bic_set_bfqq(bic, bfqq, false);
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 2b9e5454554ac0cfe01c31bf7aa498a093bb8ca2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 15:27:56 -0700
+Subject: block, bfq: replace 0/1 with false/true in bic apis
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 337366e02b370d2800110fbc99940f6ddddcbdfa ]
+
+Just to make the code a litter cleaner, there are no functional changes.
+
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20221214033155.3455754-3-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: b600de2d7d3a ("block, bfq: fix uaf for bfqq in bic_set_bfqq()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-cgroup.c | 8 ++++----
+ block/bfq-iosched.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
+index badb90352bf33..2f440b79183d3 100644
+--- a/block/bfq-cgroup.c
++++ b/block/bfq-cgroup.c
+@@ -705,15 +705,15 @@ static void *__bfq_bic_change_cgroup(struct bfq_data *bfqd,
+ struct bfq_io_cq *bic,
+ struct bfq_group *bfqg)
+ {
+- struct bfq_queue *async_bfqq = bic_to_bfqq(bic, 0);
+- struct bfq_queue *sync_bfqq = bic_to_bfqq(bic, 1);
++ struct bfq_queue *async_bfqq = bic_to_bfqq(bic, false);
++ struct bfq_queue *sync_bfqq = bic_to_bfqq(bic, true);
+ struct bfq_entity *entity;
+
+ if (async_bfqq) {
+ entity = &async_bfqq->entity;
+
+ if (entity->sched_data != &bfqg->sched_data) {
+- bic_set_bfqq(bic, NULL, 0);
++ bic_set_bfqq(bic, NULL, false);
+ bfq_release_process_ref(bfqd, async_bfqq);
+ }
+ }
+@@ -749,7 +749,7 @@ static void *__bfq_bic_change_cgroup(struct bfq_data *bfqd,
+ */
+ bfq_put_cooperator(sync_bfqq);
+ bfq_release_process_ref(bfqd, sync_bfqq);
+- bic_set_bfqq(bic, NULL, 1);
++ bic_set_bfqq(bic, NULL, true);
+ }
+ }
+ }
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 35b240cba0926..016d7f32af9f1 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -2816,7 +2816,7 @@ bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic,
+ /*
+ * Merge queues (that is, let bic redirect its requests to new_bfqq)
+ */
+- bic_set_bfqq(bic, new_bfqq, 1);
++ bic_set_bfqq(bic, new_bfqq, true);
+ bfq_mark_bfqq_coop(new_bfqq);
+ /*
+ * new_bfqq now belongs to at least two bics (it is a shared queue):
+@@ -6014,7 +6014,7 @@ bfq_split_bfqq(struct bfq_io_cq *bic, struct bfq_queue *bfqq)
+ return bfqq;
+ }
+
+- bic_set_bfqq(bic, NULL, 1);
++ bic_set_bfqq(bic, NULL, true);
+
+ bfq_put_cooperator(bfqq);
+
+--
+2.39.2
+
--- /dev/null
+From 8c587a9111f9751e1e33887f738c7843a5ab4007 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Feb 2023 08:26:56 +0000
+Subject: iommu/amd: Add a length limitation for the ivrs_acpihid command-line
+ parameter
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+[ Upstream commit b6b26d86c61c441144c72f842f7469bb686e1211 ]
+
+The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow,
+because the string specifier in the format string sscanf()
+has no width limitation.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
+Reviewed-by: Kim Phillips <kim.phillips@amd.com>
+Link: https://lore.kernel.org/r/20230202082719.1513849-1-Ilia.Gavrilov@infotecs.ru
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/init.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
+index ce822347f7470..603f625a74e54 100644
+--- a/drivers/iommu/amd/init.c
++++ b/drivers/iommu/amd/init.c
+@@ -3124,15 +3124,26 @@ static int __init parse_ivrs_hpet(char *str)
+ return 1;
+ }
+
++#define ACPIID_LEN (ACPIHID_UID_LEN + ACPIHID_HID_LEN)
++
+ static int __init parse_ivrs_acpihid(char *str)
+ {
+ u32 seg = 0, bus, dev, fn;
+ char *hid, *uid, *p, *addr;
+- char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0};
++ char acpiid[ACPIID_LEN] = {0};
+ int i;
+
+ addr = strchr(str, '@');
+ if (!addr) {
++ addr = strchr(str, '=');
++ if (!addr)
++ goto not_found;
++
++ ++addr;
++
++ if (strlen(addr) > ACPIID_LEN)
++ goto not_found;
++
+ if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 ||
+ sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) {
+ pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n",
+@@ -3145,6 +3156,9 @@ static int __init parse_ivrs_acpihid(char *str)
+ /* We have the '@', make it the terminator to get just the acpiid */
+ *addr++ = 0;
+
++ if (strlen(str) > ACPIID_LEN + 1)
++ goto not_found;
++
+ if (sscanf(str, "=%s", acpiid) != 1)
+ goto not_found;
+
+--
+2.39.2
+
--- /dev/null
+From 6c5b3fa19f734213cada7f27fd08027ea142f5bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Apr 2022 16:11:35 +0200
+Subject: PCI/PM: Define pci_restore_standard_config() only for CONFIG_PM_SLEEP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 18a94192e20de31e7e495d7c805c8930c42e99ef ]
+
+pci_restore_standard_config() was defined under CONFIG_PM but called only
+by pci_pm_resume() (defined under CONFIG_SUSPEND) and pci_pm_restore()
+(defined under CONFIG_HIBERNATE_CALLBACKS). A configuration with only
+CONFIG_PM leads to a warning:
+
+ drivers/pci/pci-driver.c:533:12: error: ‘pci_restore_standard_config’ defined but not used [-Werror=unused-function]
+
+CONFIG_PM_SLEEP depends on CONFIG_SUSPEND and CONFIG_HIBERNATE_CALLBACKS,
+so define pci_restore_standard_config() under that instead.
+
+Link: https://lore.kernel.org/r/20220420141135.444820-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Stable-dep-of: ac91e6980563 ("PCI: Unify delay handling for reset and resume")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci-driver.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
+index 8b587fc97f7bc..bbaecc2340371 100644
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -499,9 +499,9 @@ static void pci_device_shutdown(struct device *dev)
+ pci_clear_master(pci_dev);
+ }
+
+-#ifdef CONFIG_PM
++#ifdef CONFIG_PM_SLEEP
+
+-/* Auxiliary functions used for system resume and run-time resume. */
++/* Auxiliary functions used for system resume */
+
+ /**
+ * pci_restore_standard_config - restore standard config registers of PCI device
+@@ -521,6 +521,11 @@ static int pci_restore_standard_config(struct pci_dev *pci_dev)
+ pci_pme_restore(pci_dev);
+ return 0;
+ }
++#endif /* CONFIG_PM_SLEEP */
++
++#ifdef CONFIG_PM
++
++/* Auxiliary functions used for system resume and run-time resume */
+
+ static void pci_pm_default_resume(struct pci_dev *pci_dev)
+ {
+@@ -528,10 +533,6 @@ static void pci_pm_default_resume(struct pci_dev *pci_dev)
+ pci_enable_wake(pci_dev, PCI_D0, false);
+ }
+
+-#endif
+-
+-#ifdef CONFIG_PM_SLEEP
+-
+ static void pci_pm_default_resume_early(struct pci_dev *pci_dev)
+ {
+ pci_power_up(pci_dev);
+@@ -540,6 +541,10 @@ static void pci_pm_default_resume_early(struct pci_dev *pci_dev)
+ pci_pme_restore(pci_dev);
+ }
+
++#endif /* CONFIG_PM */
++
++#ifdef CONFIG_PM_SLEEP
++
+ /*
+ * Default "suspend" method for devices that have no driver provided suspend,
+ * or not even a driver at all (second part).
+--
+2.39.2
+
riscv-use-read_once_nocheck-in-imprecise-unwinding-s.patch
risc-v-don-t-check-text_mutex-during-stop_machine.patch
ext4-fix-deadlock-during-directory-rename.patch
+iommu-amd-add-a-length-limitation-for-the-ivrs_acpih.patch
+pci-pm-define-pci_restore_standard_config-only-for-c.patch
+watch_queue-fix-ioc_watch_queue_set_size-alloc-error.patch
+tpm-eventlog-don-t-abort-tpm_read_log-on-faulty-acpi.patch
+block-bfq-fix-possible-uaf-for-bfqq-bic.patch
+block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch
+block-bfq-iosched.c-use-false-rather-than-blk_rw_asy.patch
+block-bfq-replace-0-1-with-false-true-in-bic-apis.patch
+block-bfq-fix-uaf-for-bfqq-in-bic_set_bfqq.patch
--- /dev/null
+From 8b969f52e05a2be328d44872f8602f73743de726 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Feb 2023 10:25:52 +0100
+Subject: tpm/eventlog: Don't abort tpm_read_log on faulty ACPI address
+
+From: Morten Linderud <morten@linderud.pw>
+
+[ Upstream commit 80a6c216b16d7f5c584d2148c2e4345ea4eb06ce ]
+
+tpm_read_log_acpi() should return -ENODEV when no eventlog from the ACPI
+table is found. If the firmware vendor includes an invalid log address
+we are unable to map from the ACPI memory and tpm_read_log() returns -EIO
+which would abort discovery of the eventlog.
+
+Change the return value from -EIO to -ENODEV when acpi_os_map_iomem()
+fails to map the event log.
+
+The following hardware was used to test this issue:
+ Framework Laptop (Pre-production)
+ BIOS: INSYDE Corp, Revision: 3.2
+ TPM Device: NTC, Firmware Revision: 7.2
+
+Dump of the faulty ACPI TPM2 table:
+ [000h 0000 4] Signature : "TPM2" [Trusted Platform Module hardware interface Table]
+ [004h 0004 4] Table Length : 0000004C
+ [008h 0008 1] Revision : 04
+ [009h 0009 1] Checksum : 2B
+ [00Ah 0010 6] Oem ID : "INSYDE"
+ [010h 0016 8] Oem Table ID : "TGL-ULT"
+ [018h 0024 4] Oem Revision : 00000002
+ [01Ch 0028 4] Asl Compiler ID : "ACPI"
+ [020h 0032 4] Asl Compiler Revision : 00040000
+
+ [024h 0036 2] Platform Class : 0000
+ [026h 0038 2] Reserved : 0000
+ [028h 0040 8] Control Address : 0000000000000000
+ [030h 0048 4] Start Method : 06 [Memory Mapped I/O]
+
+ [034h 0052 12] Method Parameters : 00 00 00 00 00 00 00 00 00 00 00 00
+ [040h 0064 4] Minimum Log Length : 00010000
+ [044h 0068 8] Log Address : 000000004053D000
+
+Fixes: 0cf577a03f21 ("tpm: Fix handling of missing event log")
+Tested-by: Erkki Eilonen <erkki@bearmetal.eu>
+Signed-off-by: Morten Linderud <morten@linderud.pw>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/eventlog/acpi.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/tpm/eventlog/acpi.c b/drivers/char/tpm/eventlog/acpi.c
+index 0913d3eb8d518..cd266021d0103 100644
+--- a/drivers/char/tpm/eventlog/acpi.c
++++ b/drivers/char/tpm/eventlog/acpi.c
+@@ -143,8 +143,12 @@ int tpm_read_log_acpi(struct tpm_chip *chip)
+
+ ret = -EIO;
+ virt = acpi_os_map_iomem(start, len);
+- if (!virt)
++ if (!virt) {
++ dev_warn(&chip->dev, "%s: Failed to map ACPI memory\n", __func__);
++ /* try EFI log next */
++ ret = -ENODEV;
+ goto err;
++ }
+
+ memcpy_fromio(log->bios_event_log, virt, len);
+
+--
+2.39.2
+
--- /dev/null
+From 2e5449946102b24a8231dfe4f8738236d7654509 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 16:21:06 +0100
+Subject: watch_queue: fix IOC_WATCH_QUEUE_SET_SIZE alloc error paths
+
+From: David Disseldorp <ddiss@suse.de>
+
+[ Upstream commit 03e1d60e177eedbd302b77af4ea5e21b5a7ade31 ]
+
+The watch_queue_set_size() allocation error paths return the ret value
+set via the prior pipe_resize_ring() call, which will always be zero.
+
+As a result, IOC_WATCH_QUEUE_SET_SIZE callers such as "keyctl watch"
+fail to detect kernel wqueue->notes allocation failures and proceed to
+KEYCTL_WATCH_KEY, with any notifications subsequently lost.
+
+Fixes: c73be61cede58 ("pipe: Add general notification queue support")
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/watch_queue.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c
+index d29731a30b8e1..73717917d8164 100644
+--- a/kernel/watch_queue.c
++++ b/kernel/watch_queue.c
+@@ -274,6 +274,7 @@ long watch_queue_set_size(struct pipe_inode_info *pipe, unsigned int nr_notes)
+ if (ret < 0)
+ goto error;
+
++ ret = -ENOMEM;
+ pages = kcalloc(sizeof(struct page *), nr_pages, GFP_KERNEL);
+ if (!pages)
+ goto error;
+--
+2.39.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
