5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 28 Oct 2024 00:35:34 +0000 (01:35 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 28 Oct 2024 00:35:34 +0000 (01:35 +0100)
added patches:
acpi-button-add-dmi-quirk-for-samsung-galaxy-book2-to-fix-initial-lid-detection-issue.patch
acpi-resource-add-lg-16t90sp-to-irq1_level_low_skip_override.patch
alsa-hda-realtek-add-subwoofer-quirk-for-acer-predator-g9-593.patch
btrfs-zoned-fix-zone-unusable-accounting-for-freed-reserved-extent.patch
drm-amd-guard-against-bad-data-for-atif-acpi-method.patch
hv_netvsc-fix-vf-namespace-also-in-synthetic-nic-netdev_register-event.patch
kvm-nsvm-ignore-ncr3-when-loading-pdptes-from-memory.patch
nilfs2-fix-kernel-bug-due-to-missing-clearing-of-buffer-delay-flag.patch
openat2-explicitly-return-e2big-for-usize-page_size.patch
xfrm-fix-one-more-kernel-infoleak-in-algo-dumping.patch

queue-5.15/acpi-button-add-dmi-quirk-for-samsung-galaxy-book2-to-fix-initial-lid-detection-issue.patch [new file with mode: 0644]
queue-5.15/acpi-resource-add-lg-16t90sp-to-irq1_level_low_skip_override.patch [new file with mode: 0644]
queue-5.15/alsa-hda-realtek-add-subwoofer-quirk-for-acer-predator-g9-593.patch [new file with mode: 0644]
queue-5.15/btrfs-zoned-fix-zone-unusable-accounting-for-freed-reserved-extent.patch [new file with mode: 0644]
queue-5.15/drm-amd-guard-against-bad-data-for-atif-acpi-method.patch [new file with mode: 0644]
queue-5.15/hv_netvsc-fix-vf-namespace-also-in-synthetic-nic-netdev_register-event.patch [new file with mode: 0644]
queue-5.15/kvm-nsvm-ignore-ncr3-when-loading-pdptes-from-memory.patch [new file with mode: 0644]
queue-5.15/nilfs2-fix-kernel-bug-due-to-missing-clearing-of-buffer-delay-flag.patch [new file with mode: 0644]
queue-5.15/openat2-explicitly-return-e2big-for-usize-page_size.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/xfrm-fix-one-more-kernel-infoleak-in-algo-dumping.patch [new file with mode: 0644]

diff --git a/queue-5.15/acpi-button-add-dmi-quirk-for-samsung-galaxy-book2-to-fix-initial-lid-detection-issue.patch b/queue-5.15/acpi-button-add-dmi-quirk-for-samsung-galaxy-book2-to-fix-initial-lid-detection-issue.patch
new file mode 100644 (file)
index 0000000..76d54e6
--- /dev/null
@@ -0,0 +1,50 @@
+From 8fa73ee44daefc884c53a25158c25a4107eb5a94 Mon Sep 17 00:00:00 2001
+From: Shubham Panwar <shubiisp8@gmail.com>
+Date: Sun, 20 Oct 2024 15:20:46 +0530
+Subject: ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue
+
+From: Shubham Panwar <shubiisp8@gmail.com>
+
+commit 8fa73ee44daefc884c53a25158c25a4107eb5a94 upstream.
+
+Add a DMI quirk for Samsung Galaxy Book2 to fix an initial lid state
+detection issue.
+
+The _LID device incorrectly returns the lid status as "closed" during
+boot, causing the system to enter a suspend loop right after booting.
+
+The quirk ensures that the correct lid state is reported initially,
+preventing the system from immediately suspending after startup.  It
+only addresses the initial lid state detection and ensures proper
+system behavior upon boot.
+
+Signed-off-by: Shubham Panwar <shubiisp8@gmail.com>
+Link: https://patch.msgid.link/20241020095045.6036-2-shubiisp8@gmail.com
+[ rjw: Changelog edits ]
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/button.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/acpi/button.c
++++ b/drivers/acpi/button.c
+@@ -130,6 +130,17 @@ static const struct dmi_system_id dmi_li
+               },
+               .driver_data = (void *)(long)ACPI_BUTTON_LID_INIT_OPEN,
+       },
++      {
++              /*
++               * Samsung galaxybook2 ,initial _LID device notification returns
++               * lid closed.
++               */
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD."),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "750XED"),
++              },
++              .driver_data = (void *)(long)ACPI_BUTTON_LID_INIT_OPEN,
++      },
+       {}
+ };
diff --git a/queue-5.15/acpi-resource-add-lg-16t90sp-to-irq1_level_low_skip_override.patch b/queue-5.15/acpi-resource-add-lg-16t90sp-to-irq1_level_low_skip_override.patch
new file mode 100644 (file)
index 0000000..132e7ce
--- /dev/null
@@ -0,0 +1,44 @@
+From 53f1a907d36fb3aa02a4d34073bcec25823a6c74 Mon Sep 17 00:00:00 2001
+From: Christian Heusel <christian@heusel.eu>
+Date: Thu, 17 Oct 2024 13:16:26 +0200
+Subject: ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[]
+
+From: Christian Heusel <christian@heusel.eu>
+
+commit 53f1a907d36fb3aa02a4d34073bcec25823a6c74 upstream.
+
+The LG Gram Pro 16 2-in-1 (2024) the 16T90SP has its keybopard IRQ (1)
+described as ActiveLow in the DSDT, which the kernel overrides to EdgeHigh
+which breaks the keyboard.
+
+Add the 16T90SP to the irq1_level_low_skip_override[] quirk table to fix
+this.
+
+Reported-by: Dirk Holten <dirk.holten@gmx.de>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219382
+Cc: All applicable <stable@vger.kernel.org>
+Suggested-by: Dirk Holten <dirk.holten@gmx.de>
+Signed-off-by: Christian Heusel <christian@heusel.eu>
+Link: https://patch.msgid.link/20241017-lg-gram-pro-keyboard-v2-1-7c8fbf6ff718@heusel.eu
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/resource.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/acpi/resource.c
++++ b/drivers/acpi/resource.c
+@@ -505,6 +505,13 @@ static const struct dmi_system_id tongfa
+                       DMI_MATCH(DMI_BOARD_NAME, "GMxRGxx"),
+               },
+       },
++      {
++              /* LG Electronics 16T90SP */
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "LG Electronics"),
++                      DMI_MATCH(DMI_BOARD_NAME, "16T90SP"),
++              },
++      },
+       { }
+ };
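Review bot: In this 5.15 tree the LG entry lands in a table whose hunk context reads `static const struct dmi_system_id tongfa…` (the Tongfang GMxRGxx table), not the `irq1_level_low_skip_override[]` named in the subject, so whether the quirk takes effect depends on how that table is consulted by 5.15's `acpi_dev_irq_override()`, which is outside the hunk. Upstream's table name says the match is for a level-triggered, active-low IRQ 1; if the 5.15 override row for the Tongfang table is keyed on a different triggering/polarity, the LG entry would be silently inert and the keyboard would still break. Worth a quick check of that row before this ships, and a short comment on the entry such as `/* LG Electronics 16T90SP: IRQ 1 is ActiveLow in the DSDT, do not override */` so the reason survives future table reshuffles.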
diff --git a/queue-5.15/alsa-hda-realtek-add-subwoofer-quirk-for-acer-predator-g9-593.patch b/queue-5.15/alsa-hda-realtek-add-subwoofer-quirk-for-acer-predator-g9-593.patch
new file mode 100644 (file)
index 0000000..0489a8a
--- /dev/null
@@ -0,0 +1,71 @@
+From 35fdc6e1c16099078bcbd73a6c8f1733ae7f1909 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Relvas?= <josemonsantorelvas@gmail.com>
+Date: Sun, 20 Oct 2024 11:27:56 +0100
+Subject: ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Relvas <josemonsantorelvas@gmail.com>
+
+commit 35fdc6e1c16099078bcbd73a6c8f1733ae7f1909 upstream.
+
+The Acer Predator G9-593 has a 2+1 speaker system which isn't probed
+correctly.
+This patch adds a quirk with the proper pin connections.
+
+Note that I do not own this laptop, so I cannot guarantee that this
+fixes the issue.
+Testing was done by other users here:
+https://discussion.fedoraproject.org/t/-/118482
+
+This model appears to have two different dev IDs...
+
+- 0x1177 (as seen on the forum link above)
+- 0x1178 (as seen on https://linux-hardware.org/?probe=127df9999f)
+
+I don't think the audio system was changed between model revisions, so
+the patch applies for both IDs.
+
+Signed-off-by: José Relvas <josemonsantorelvas@gmail.com>
+Link: https://patch.msgid.link/20241020102756.225258-1-josemonsantorelvas@gmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -7024,6 +7024,7 @@ enum {
+       ALC286_FIXUP_ACER_AIO_HEADSET_MIC,
+       ALC256_FIXUP_ASUS_HEADSET_MIC,
+       ALC256_FIXUP_ASUS_MIC_NO_PRESENCE,
++      ALC255_FIXUP_PREDATOR_SUBWOOFER,
+       ALC299_FIXUP_PREDATOR_SPK,
+       ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE,
+       ALC289_FIXUP_DELL_SPK2,
+@@ -8259,6 +8260,13 @@ static const struct hda_fixup alc269_fix
+               .chained = true,
+               .chain_id = ALC256_FIXUP_ASUS_HEADSET_MODE
+       },
++      [ALC255_FIXUP_PREDATOR_SUBWOOFER] = {
++              .type = HDA_FIXUP_PINS,
++              .v.pins = (const struct hda_pintbl[]) {
++                      { 0x17, 0x90170151 }, /* use as internal speaker (LFE) */
++                      { 0x1b, 0x90170152 } /* use as internal speaker (back) */
++              }
++      },
+       [ALC299_FIXUP_PREDATOR_SPK] = {
+               .type = HDA_FIXUP_PINS,
+               .v.pins = (const struct hda_pintbl[]) {
+@@ -8997,6 +9005,8 @@ static const struct snd_pci_quirk alc269
+       SND_PCI_QUIRK(0x1025, 0x110e, "Acer Aspire ES1-432", ALC255_FIXUP_ACER_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x1025, 0x1166, "Acer Veriton N4640G", ALC269_FIXUP_LIFEBOOK),
+       SND_PCI_QUIRK(0x1025, 0x1167, "Acer Veriton N6640G", ALC269_FIXUP_LIFEBOOK),
++      SND_PCI_QUIRK(0x1025, 0x1177, "Acer Predator G9-593", ALC255_FIXUP_PREDATOR_SUBWOOFER),
++      SND_PCI_QUIRK(0x1025, 0x1178, "Acer Predator G9-593", ALC255_FIXUP_PREDATOR_SUBWOOFER),
+       SND_PCI_QUIRK(0x1025, 0x1246, "Acer Predator Helios 500", ALC299_FIXUP_PREDATOR_SPK),
+       SND_PCI_QUIRK(0x1025, 0x1247, "Acer vCopperbox", ALC269VC_FIXUP_ACER_VCOPPERBOX_PINS),
+       SND_PCI_QUIRK(0x1025, 0x1248, "Acer Veriton N4660G", ALC269VC_FIXUP_ACER_MIC_NO_PRESENCE),
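Review bot: The ALC255_FIXUP_PREDATOR_SUBWOOFER pin table has no all-zero `{ }` sentinel after the 0x1b entry, while the `hda_pintbl` compound literals in this file are normally terminated that way (the end of the neighbouring ALC299_FIXUP_PREDATOR_SPK table is cut off by the hunk, so check the full file). If the pin-apply loop walks entries until it meets a zero nid, as those sentinels imply, it will keep reading past this two-element literal into whatever .rodata follows it and apply garbage pin configurations. The fix is two lines: `{ 0x1b, 0x90170152 }, /* use as internal speaker (back) */` followed by `{ }`. Since this is a verbatim backport, the terminator should be fixed upstream and picked into the queue together with this patch rather than edited locally.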
diff --git a/queue-5.15/btrfs-zoned-fix-zone-unusable-accounting-for-freed-reserved-extent.patch b/queue-5.15/btrfs-zoned-fix-zone-unusable-accounting-for-freed-reserved-extent.patch
new file mode 100644 (file)
index 0000000..a8e2db4
--- /dev/null
@@ -0,0 +1,51 @@
+From bf9821ba4792a0d9a2e72803ae7b4341faf3d532 Mon Sep 17 00:00:00 2001
+From: Naohiro Aota <naohiro.aota@wdc.com>
+Date: Tue, 1 Oct 2024 17:03:32 +0900
+Subject: btrfs: zoned: fix zone unusable accounting for freed reserved extent
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+commit bf9821ba4792a0d9a2e72803ae7b4341faf3d532 upstream.
+
+When btrfs reserves an extent and does not use it (e.g, by an error), it
+calls btrfs_free_reserved_extent() to free the reserved extent. In the
+process, it calls btrfs_add_free_space() and then it accounts the region
+bytes as block_group->zone_unusable.
+
+However, it leaves the space_info->bytes_zone_unusable side not updated. As
+a result, ENOSPC can happen while a space_info reservation succeeded. The
+reservation is fine because the freed region is not added in
+space_info->bytes_zone_unusable, leaving that space as "free". OTOH,
+corresponding block group counts it as zone_unusable and its allocation
+pointer is not rewound, we cannot allocate an extent from that block group.
+That will also negate space_info's async/sync reclaim process, and cause an
+ENOSPC error from the extent allocation process.
+
+Fix that by returning the space to space_info->bytes_zone_unusable.
+Ideally, since a bio is not submitted for this reserved region, we should
+return the space to free space and rewind the allocation pointer. But, it
+needs rework on extent allocation handling, so let it work in this way for
+now.
+
+Fixes: 169e0da91a21 ("btrfs: zoned: track unusable bytes for zones")
+CC: stable@vger.kernel.org # 5.15+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/block-group.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/block-group.c
++++ b/fs/btrfs/block-group.c
+@@ -3386,6 +3386,8 @@ void btrfs_free_reserved_bytes(struct bt
+       spin_lock(&cache->lock);
+       if (cache->ro)
+               space_info->bytes_readonly += num_bytes;
++      else if (btrfs_is_zoned(cache->fs_info))
++              space_info->bytes_zone_unusable += num_bytes;
+       cache->reserved -= num_bytes;
+       space_info->bytes_reserved -= num_bytes;
+       space_info->max_extent_size = 0;
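Review bot: The new `else if` branch would benefit from a why-comment, because on its own it reads as if freed reservations are being discarded on zoned filesystems: the commit text explains that the block-group side already counts the region as zone_unusable and this line only keeps space_info in sync, and that returning it to free space would require rewinding the allocation pointer. Suggest `/* Zoned: bg already counts this as zone_unusable (btrfs_add_free_space), keep space_info consistent; rewinding the alloc pointer is future work */` above the branch. btrfs_free_reserved_bytes() starts before the hunk, so the locking context for the space_info update is assumed to be the same as for the existing `bytes_reserved` decrement on the next line.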
diff --git a/queue-5.15/drm-amd-guard-against-bad-data-for-atif-acpi-method.patch b/queue-5.15/drm-amd-guard-against-bad-data-for-atif-acpi-method.patch
new file mode 100644 (file)
index 0000000..15de8c1
--- /dev/null
@@ -0,0 +1,75 @@
+From bf58f03931fdcf7b3c45cb76ac13244477a60f44 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Fri, 11 Oct 2024 12:23:15 -0500
+Subject: drm/amd: Guard against bad data for ATIF ACPI method
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit bf58f03931fdcf7b3c45cb76ac13244477a60f44 upstream.
+
+If a BIOS provides bad data in response to an ATIF method call
+this causes a NULL pointer dereference in the caller.
+
+```
+? show_regs (arch/x86/kernel/dumpstack.c:478 (discriminator 1))
+? __die (arch/x86/kernel/dumpstack.c:423 arch/x86/kernel/dumpstack.c:434)
+? page_fault_oops (arch/x86/mm/fault.c:544 (discriminator 2) arch/x86/mm/fault.c:705 (discriminator 2))
+? do_user_addr_fault (arch/x86/mm/fault.c:440 (discriminator 1) arch/x86/mm/fault.c:1232 (discriminator 1))
+? acpi_ut_update_object_reference (drivers/acpi/acpica/utdelete.c:642)
+? exc_page_fault (arch/x86/mm/fault.c:1542)
+? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
+? amdgpu_atif_query_backlight_caps.constprop.0 (drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:387 (discriminator 2)) amdgpu
+? amdgpu_atif_query_backlight_caps.constprop.0 (drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:386 (discriminator 1)) amdgpu
+```
+
+It has been encountered on at least one system, so guard for it.
+
+Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit c9b7c809b89f24e9372a4e7f02d64c950b07fdee)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c |   15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+@@ -108,6 +108,7 @@ static union acpi_object *amdgpu_atif_ca
+                                          struct acpi_buffer *params)
+ {
+       acpi_status status;
++      union acpi_object *obj;
+       union acpi_object atif_arg_elements[2];
+       struct acpi_object_list atif_arg;
+       struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL };
+@@ -130,16 +131,24 @@ static union acpi_object *amdgpu_atif_ca
+       status = acpi_evaluate_object(atif->handle, NULL, &atif_arg,
+                                     &buffer);
++      obj = (union acpi_object *)buffer.pointer;
+-      /* Fail only if calling the method fails and ATIF is supported */
++      /* Fail if calling the method fails and ATIF is supported */
+       if (ACPI_FAILURE(status) && status != AE_NOT_FOUND) {
+               DRM_DEBUG_DRIVER("failed to evaluate ATIF got %s\n",
+                                acpi_format_exception(status));
+-              kfree(buffer.pointer);
++              kfree(obj);
+               return NULL;
+       }
+-      return buffer.pointer;
++      if (obj->type != ACPI_TYPE_BUFFER) {
++              DRM_DEBUG_DRIVER("bad object returned from ATIF: %d\n",
++                               obj->type);
++              kfree(obj);
++              return NULL;
++      }
++
++      return obj;
+ }
+ /**
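Review bot: `obj->type` is dereferenced unconditionally after the failure check, but that check deliberately lets `status == AE_NOT_FOUND` through, and in that case `obj` is expected to be NULL: `buffer.pointer` starts out NULL in the declaration above and, with ACPI_ALLOCATE_BUFFER, is only filled on a successful evaluation. The old code returned that NULL to the caller; the new type check turns it into a NULL pointer dereference on every system that simply has no ATIF method. The guard should be `if (!obj || obj->type != ACPI_TYPE_BUFFER) {`, leaving the `kfree(obj)` cleanup as is since `kfree(NULL)` is a no-op. This is a regression relative to the pre-patch behaviour and should be fixed before the patch ships in stable.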
diff --git a/queue-5.15/hv_netvsc-fix-vf-namespace-also-in-synthetic-nic-netdev_register-event.patch b/queue-5.15/hv_netvsc-fix-vf-namespace-also-in-synthetic-nic-netdev_register-event.patch
new file mode 100644 (file)
index 0000000..f19d3dc
--- /dev/null
@@ -0,0 +1,75 @@
+From 4c262801ea60c518b5bebc22a09f5b78b3147da2 Mon Sep 17 00:00:00 2001
+From: Haiyang Zhang <haiyangz@microsoft.com>
+Date: Fri, 18 Oct 2024 11:25:22 -0700
+Subject: hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+commit 4c262801ea60c518b5bebc22a09f5b78b3147da2 upstream.
+
+The existing code moves VF to the same namespace as the synthetic NIC
+during netvsc_register_vf(). But, if the synthetic device is moved to a
+new namespace after the VF registration, the VF won't be moved together.
+
+To make the behavior more consistent, add a namespace check for synthetic
+NIC's NETDEV_REGISTER event (generated during its move), and move the VF
+if it is not in the same namespace.
+
+Cc: stable@vger.kernel.org
+Fixes: c0a41b887ce6 ("hv_netvsc: move VF to same namespace as netvsc device")
+Suggested-by: Stephen Hemminger <stephen@networkplumber.org>
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1729275922-17595-1-git-send-email-haiyangz@microsoft.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc_drv.c |   30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -2813,6 +2813,31 @@ static struct  hv_driver netvsc_drv = {
+       },
+ };
++/* Set VF's namespace same as the synthetic NIC */
++static void netvsc_event_set_vf_ns(struct net_device *ndev)
++{
++      struct net_device_context *ndev_ctx = netdev_priv(ndev);
++      struct net_device *vf_netdev;
++      int ret;
++
++      vf_netdev = rtnl_dereference(ndev_ctx->vf_netdev);
++      if (!vf_netdev)
++              return;
++
++      if (!net_eq(dev_net(ndev), dev_net(vf_netdev))) {
++              ret = dev_change_net_namespace(vf_netdev, dev_net(ndev),
++                                             "eth%d");
++              if (ret)
++                      netdev_err(vf_netdev,
++                                 "Cannot move to same namespace as %s: %d\n",
++                                 ndev->name, ret);
++              else
++                      netdev_info(vf_netdev,
++                                  "Moved VF to namespace with: %s\n",
++                                  ndev->name);
++      }
++}
++
+ /*
+  * On Hyper-V, every VF interface is matched with a corresponding
+  * synthetic interface. The synthetic interface is presented first
+@@ -2825,6 +2850,11 @@ static int netvsc_netdev_event(struct no
+       struct net_device *event_dev = netdev_notifier_info_to_dev(ptr);
+       int ret = 0;
++      if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) {
++              netvsc_event_set_vf_ns(event_dev);
++              return NOTIFY_DONE;
++      }
++
+       ret = check_dev_is_matching_vf(event_dev);
+       if (ret != 0)
+               return NOTIFY_DONE;
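Review bot: netvsc_event_set_vf_ns() has a locking requirement its one-line comment does not state: it uses `rtnl_dereference()` on `ndev_ctx->vf_netdev` and calls `dev_change_net_namespace()`, both of which need RTNL, and that holds here only because the sole caller is the netdev notifier. Suggest expanding the comment to `/* Move the VF into the synthetic NIC's netns. Caller must hold RTNL (netdev notifier context). */`. It is also worth noting in that comment that the `"eth%d"` pattern passed to `dev_change_net_namespace()` means the VF can come back under a different name if its current one is taken in the target namespace, since the info message only prints the synthetic device's name. netvsc_netdev_event()'s body continues past the hunk.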
diff --git a/queue-5.15/kvm-nsvm-ignore-ncr3-when-loading-pdptes-from-memory.patch b/queue-5.15/kvm-nsvm-ignore-ncr3-when-loading-pdptes-from-memory.patch
new file mode 100644 (file)
index 0000000..e4c76ab
--- /dev/null
@@ -0,0 +1,59 @@
+From f559b2e9c5c5308850544ab59396b7d53cfc67bd Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Wed, 9 Oct 2024 07:08:38 -0700
+Subject: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit f559b2e9c5c5308850544ab59396b7d53cfc67bd upstream.
+
+Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits
+4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't
+enforce 32-byte alignment of nCR3.
+
+In the absolute worst case scenario, failure to ignore bits 4:0 can result
+in an out-of-bounds read, e.g. if the target page is at the end of a
+memslot, and the VMM isn't using guard pages.
+
+Per the APM:
+
+  The CR3 register points to the base address of the page-directory-pointer
+  table. The page-directory-pointer table is aligned on a 32-byte boundary,
+  with the low 5 address bits 4:0 assumed to be 0.
+
+And the SDM's much more explicit:
+
+  4:0    Ignored
+
+Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow
+that is broken.
+
+Fixes: e4e517b4be01 ("KVM: MMU: Do not unconditionally read PDPTE from guest memory")
+Reported-by: Kirk Swidowski <swidowski@google.com>
+Cc: Andy Nguyen <theflow@google.com>
+Cc: 3pvd <3pvd@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-ID: <20241009140838.1036226-1-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/nested.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/svm/nested.c
++++ b/arch/x86/kvm/svm/nested.c
+@@ -77,8 +77,12 @@ static u64 nested_svm_get_tdp_pdptr(stru
+       u64 pdpte;
+       int ret;
++      /*
++       * Note, nCR3 is "assumed" to be 32-byte aligned, i.e. the CPU ignores
++       * nCR3[4:0] when loading PDPTEs from memory.
++       */
+       ret = kvm_vcpu_read_guest_page(vcpu, gpa_to_gfn(cr3), &pdpte,
+-                                     offset_in_page(cr3) + index * 8, 8);
++                                     (cr3 & GENMASK(11, 5)) + index * 8, 8);
+       if (ret)
+               return 0;
+       return pdpte;
diff --git a/queue-5.15/nilfs2-fix-kernel-bug-due-to-missing-clearing-of-buffer-delay-flag.patch b/queue-5.15/nilfs2-fix-kernel-bug-due-to-missing-clearing-of-buffer-delay-flag.patch
new file mode 100644 (file)
index 0000000..d138c91
--- /dev/null
@@ -0,0 +1,55 @@
+From 6ed469df0bfbef3e4b44fca954a781919db9f7ab Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Wed, 16 Oct 2024 06:32:07 +0900
+Subject: nilfs2: fix kernel bug due to missing clearing of buffer delay flag
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit 6ed469df0bfbef3e4b44fca954a781919db9f7ab upstream.
+
+Syzbot reported that after nilfs2 reads a corrupted file system image
+and degrades to read-only, the BUG_ON check for the buffer delay flag
+in submit_bh_wbc() may fail, causing a kernel bug.
+
+This is because the buffer delay flag is not cleared when clearing the
+buffer state flags to discard a page/folio or a buffer head. So, fix
+this.
+
+This became necessary when the use of nilfs2's own page clear routine
+was expanded.  This state inconsistency does not occur if the buffer
+is written normally by log writing.
+
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Link: https://lore.kernel.org/r/20241015213300.7114-1-konishi.ryusuke@gmail.com
+Fixes: 8c26c4e2694a ("nilfs2: fix issue with flush kernel thread after remount in RO mode because of driver's internal error or metadata corruption")
+Reported-by: syzbot+985ada84bf055a575c07@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=985ada84bf055a575c07
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/page.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/nilfs2/page.c
++++ b/fs/nilfs2/page.c
+@@ -77,7 +77,8 @@ void nilfs_forget_buffer(struct buffer_h
+       const unsigned long clear_bits =
+               (BIT(BH_Uptodate) | BIT(BH_Dirty) | BIT(BH_Mapped) |
+                BIT(BH_Async_Write) | BIT(BH_NILFS_Volatile) |
+-               BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected));
++               BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected) |
++               BIT(BH_Delay));
+       lock_buffer(bh);
+       set_mask_bits(&bh->b_state, clear_bits, 0);
+@@ -409,7 +410,8 @@ void nilfs_clear_dirty_page(struct page
+               const unsigned long clear_bits =
+                       (BIT(BH_Uptodate) | BIT(BH_Dirty) | BIT(BH_Mapped) |
+                        BIT(BH_Async_Write) | BIT(BH_NILFS_Volatile) |
+-                       BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected));
++                       BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected) |
++                       BIT(BH_Delay));
+               bh = head = page_buffers(page);
+               do {
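Review bot: The fix had to be applied twice because nilfs_forget_buffer() and nilfs_clear_dirty_page() each carry their own copy of the `clear_bits` mask, and this bug is precisely a case of one flag being missed from such a copy; a single file-scope `#define NILFS_BUFFER_CLEAR_BITS (BIT(BH_Uptodate) | BIT(BH_Dirty) | ... | BIT(BH_Delay))` shared by both would stop them drifting apart again. A one-line comment on the new flag would also help, e.g. `/* BH_Delay: submit_bh_wbc() BUG()s on a delay-flagged buffer, so drop it with the rest */`, since the other flags are self-explanatory and this one was added to silence a crash. Both functions continue outside the hunk, so the consolidation is a follow-up rather than a change to this backport.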
diff --git a/queue-5.15/openat2-explicitly-return-e2big-for-usize-page_size.patch b/queue-5.15/openat2-explicitly-return-e2big-for-usize-page_size.patch
new file mode 100644 (file)
index 0000000..7e17506
--- /dev/null
@@ -0,0 +1,35 @@
+From f92f0a1b05698340836229d791b3ffecc71b265a Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Thu, 10 Oct 2024 07:40:36 +1100
+Subject: openat2: explicitly return -E2BIG for (usize > PAGE_SIZE)
+
+From: Aleksa Sarai <cyphar@cyphar.com>
+
+commit f92f0a1b05698340836229d791b3ffecc71b265a upstream.
+
+While we do currently return -EFAULT in this case, it seems prudent to
+follow the behaviour of other syscalls like clone3. It seems quite
+unlikely that anyone depends on this error code being EFAULT, but we can
+always revert this if it turns out to be an issue.
+
+Cc: stable@vger.kernel.org # v5.6+
+Fixes: fddb5d430ad9 ("open: introduce openat2(2) syscall")
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+Link: https://lore.kernel.org/r/20241010-extensible-structs-check_fields-v3-3-d2833dfe6edd@cyphar.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/open.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -1296,6 +1296,8 @@ SYSCALL_DEFINE4(openat2, int, dfd, const
+       if (unlikely(usize < OPEN_HOW_SIZE_VER0))
+               return -EINVAL;
++      if (unlikely(usize > PAGE_SIZE))
++              return -E2BIG;
+       err = copy_struct_from_user(&tmp, sizeof(tmp), how, usize);
+       if (err)
index 903f80644221e6cc54fe26f68a4917e89e087204..d016d6a7f0bb5ad0b52bca154c6513db2fb4cc0d 100644 (file)
@@ -63,3 +63,13 @@ posix-clock-posix-clock-fix-unbalanced-locking-in-pc.patch
 bpf-perf-fix-perf_event_detach_bpf_prog-error-handli.patch
 alsa-firewire-lib-avoid-division-by-zero-in-apply_co.patch
 alsa-hda-realtek-update-default-depop-procedure.patch
+btrfs-zoned-fix-zone-unusable-accounting-for-freed-reserved-extent.patch
+drm-amd-guard-against-bad-data-for-atif-acpi-method.patch
+acpi-resource-add-lg-16t90sp-to-irq1_level_low_skip_override.patch
+acpi-button-add-dmi-quirk-for-samsung-galaxy-book2-to-fix-initial-lid-detection-issue.patch
+nilfs2-fix-kernel-bug-due-to-missing-clearing-of-buffer-delay-flag.patch
+openat2-explicitly-return-e2big-for-usize-page_size.patch
+kvm-nsvm-ignore-ncr3-when-loading-pdptes-from-memory.patch
+alsa-hda-realtek-add-subwoofer-quirk-for-acer-predator-g9-593.patch
+xfrm-fix-one-more-kernel-infoleak-in-algo-dumping.patch
+hv_netvsc-fix-vf-namespace-also-in-synthetic-nic-netdev_register-event.patch
diff --git a/queue-5.15/xfrm-fix-one-more-kernel-infoleak-in-algo-dumping.patch b/queue-5.15/xfrm-fix-one-more-kernel-infoleak-in-algo-dumping.patch
new file mode 100644 (file)
index 0000000..030d037
--- /dev/null
@@ -0,0 +1,101 @@
+From 6889cd2a93e1e3606b3f6e958aa0924e836de4d2 Mon Sep 17 00:00:00 2001
+From: Petr Vaganov <p.vaganov@ideco.ru>
+Date: Tue, 8 Oct 2024 14:02:58 +0500
+Subject: xfrm: fix one more kernel-infoleak in algo dumping
+
+From: Petr Vaganov <p.vaganov@ideco.ru>
+
+commit 6889cd2a93e1e3606b3f6e958aa0924e836de4d2 upstream.
+
+During fuzz testing, the following issue was discovered:
+
+BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x598/0x2a30
+ _copy_to_iter+0x598/0x2a30
+ __skb_datagram_iter+0x168/0x1060
+ skb_copy_datagram_iter+0x5b/0x220
+ netlink_recvmsg+0x362/0x1700
+ sock_recvmsg+0x2dc/0x390
+ __sys_recvfrom+0x381/0x6d0
+ __x64_sys_recvfrom+0x130/0x200
+ x64_sys_call+0x32c8/0x3cc0
+ do_syscall_64+0xd8/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x79/0x81
+
+Uninit was stored to memory at:
+ copy_to_user_state_extra+0xcc1/0x1e00
+ dump_one_state+0x28c/0x5f0
+ xfrm_state_walk+0x548/0x11e0
+ xfrm_dump_sa+0x1e0/0x840
+ netlink_dump+0x943/0x1c40
+ __netlink_dump_start+0x746/0xdb0
+ xfrm_user_rcv_msg+0x429/0xc00
+ netlink_rcv_skb+0x613/0x780
+ xfrm_netlink_rcv+0x77/0xc0
+ netlink_unicast+0xe90/0x1280
+ netlink_sendmsg+0x126d/0x1490
+ __sock_sendmsg+0x332/0x3d0
+ ____sys_sendmsg+0x863/0xc30
+ ___sys_sendmsg+0x285/0x3e0
+ __x64_sys_sendmsg+0x2d6/0x560
+ x64_sys_call+0x1316/0x3cc0
+ do_syscall_64+0xd8/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x79/0x81
+
+Uninit was created at:
+ __kmalloc+0x571/0xd30
+ attach_auth+0x106/0x3e0
+ xfrm_add_sa+0x2aa0/0x4230
+ xfrm_user_rcv_msg+0x832/0xc00
+ netlink_rcv_skb+0x613/0x780
+ xfrm_netlink_rcv+0x77/0xc0
+ netlink_unicast+0xe90/0x1280
+ netlink_sendmsg+0x126d/0x1490
+ __sock_sendmsg+0x332/0x3d0
+ ____sys_sendmsg+0x863/0xc30
+ ___sys_sendmsg+0x285/0x3e0
+ __x64_sys_sendmsg+0x2d6/0x560
+ x64_sys_call+0x1316/0x3cc0
+ do_syscall_64+0xd8/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x79/0x81
+
+Bytes 328-379 of 732 are uninitialized
+Memory access of size 732 starts at ffff88800e18e000
+Data copied to user address 00007ff30f48aff0
+
+CPU: 2 PID: 18167 Comm: syz-executor.0 Not tainted 6.8.11 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+
+Fixes copying of xfrm algorithms where some random
+data of the structure fields can end up in userspace.
+Padding in structures may be filled with random (possibly sensitve)
+data and should never be given directly to user-space.
+
+A similar issue was resolved in the commit
+8222d5910dae ("xfrm: Zero padding when dumping algos and encap")
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: c7a5899eb26e ("xfrm: redact SA secret with lockdown confidentiality")
+Cc: stable@vger.kernel.org
+Co-developed-by: Boris Tonofa <b.tonofa@ideco.ru>
+Signed-off-by: Boris Tonofa <b.tonofa@ideco.ru>
+Signed-off-by: Petr Vaganov <p.vaganov@ideco.ru>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_user.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -887,7 +887,9 @@ static int copy_to_user_auth(struct xfrm
+       if (!nla)
+               return -EMSGSIZE;
+       ap = nla_data(nla);
+-      memcpy(ap, auth, sizeof(struct xfrm_algo_auth));
++      strscpy_pad(ap->alg_name, auth->alg_name, sizeof(ap->alg_name));
++      ap->alg_key_len = auth->alg_key_len;
++      ap->alg_trunc_len = auth->alg_trunc_len;
+       if (redact_secret && auth->alg_key_len)
+               memset(ap->alg_key, 0, (auth->alg_key_len + 7) / 8);
+       else
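Review bot: The new field-by-field copy deserves a comment saying what it actually fixes, because the commit text talks about structure padding while, if I read the KMSAN report right (bytes 328-379, 52 bytes uninitialized), the leak is the tail of `alg_name` past its NUL terminator rather than any padding between the fields, and `strscpy_pad()` now zero-fills exactly that tail. Something like `/* strscpy_pad: alg_name's bytes past the NUL are uninitialized kmalloc memory in the SA; never memcpy the whole struct */` above the `strscpy_pad()` line would stop the next person from "simplifying" it back to `memcpy()`. copy_to_user_auth() continues past the hunk (the non-redacted key copy), so the remaining key path could not be checked here.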