--- /dev/null
+From a48fbdaab7d4b9398d93f42b9d4e016eb6aad25a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Feb 2025 18:15:59 +0100
+Subject: acct: perform last write from workqueue
+
+From: Christian Brauner <brauner@kernel.org>
+
+[ Upstream commit 56d5f3eba3f5de0efdd556de4ef381e109b973a9 ]
+
+In [1] it was reported that the acct(2) system call can be used to
+trigger NULL deref in cases where it is set to write to a file that
+triggers an internal lookup. This can e.g., happen when pointing acc(2)
+to /sys/power/resume. At the point the where the write to this file
+happens the calling task has already exited and called exit_fs(). A
+lookup will thus trigger a NULL-deref when accessing current->fs.
+
+Reorganize the code so that the the final write happens from the
+workqueue but with the caller's credentials. This preserves the
+(strange) permission model and has almost no regression risk.
+
+This api should stop to exist though.
+
+Link: https://lore.kernel.org/r/20250127091811.3183623-1-quzicheng@huawei.com [1]
+Link: https://lore.kernel.org/r/20250211-work-acct-v1-1-1c16aecab8b3@kernel.org
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Zicheng Qu <quzicheng@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/acct.c | 120 +++++++++++++++++++++++++++++---------------------
+ 1 file changed, 70 insertions(+), 50 deletions(-)
+
+diff --git a/kernel/acct.c b/kernel/acct.c
+index 2b2224b7ae55a..c0c79bdb92195 100644
+--- a/kernel/acct.c
++++ b/kernel/acct.c
+@@ -85,48 +85,50 @@ struct bsd_acct_struct {
+ atomic_long_t count;
+ struct rcu_head rcu;
+ struct mutex lock;
+- int active;
++ bool active;
++ bool check_space;
+ unsigned long needcheck;
+ struct file *file;
+ struct pid_namespace *ns;
+ struct work_struct work;
+ struct completion done;
++ acct_t ac;
+ };
+
+-static void do_acct_process(struct bsd_acct_struct *acct);
++static void fill_ac(struct bsd_acct_struct *acct);
++static void acct_write_process(struct bsd_acct_struct *acct);
+
+ /*
+ * Check the amount of free space and suspend/resume accordingly.
+ */
+-static int check_free_space(struct bsd_acct_struct *acct)
++static bool check_free_space(struct bsd_acct_struct *acct)
+ {
+ struct kstatfs sbuf;
+
+- if (time_is_after_jiffies(acct->needcheck))
+- goto out;
++ if (!acct->check_space)
++ return acct->active;
+
+ /* May block */
+ if (vfs_statfs(&acct->file->f_path, &sbuf))
+- goto out;
++ return acct->active;
+
+ if (acct->active) {
+ u64 suspend = sbuf.f_blocks * SUSPEND;
+ do_div(suspend, 100);
+ if (sbuf.f_bavail <= suspend) {
+- acct->active = 0;
++ acct->active = false;
+ pr_info("Process accounting paused\n");
+ }
+ } else {
+ u64 resume = sbuf.f_blocks * RESUME;
+ do_div(resume, 100);
+ if (sbuf.f_bavail >= resume) {
+- acct->active = 1;
++ acct->active = true;
+ pr_info("Process accounting resumed\n");
+ }
+ }
+
+ acct->needcheck = jiffies + ACCT_TIMEOUT*HZ;
+-out:
+ return acct->active;
+ }
+
+@@ -171,7 +173,11 @@ static void acct_pin_kill(struct fs_pin *pin)
+ {
+ struct bsd_acct_struct *acct = to_acct(pin);
+ mutex_lock(&acct->lock);
+- do_acct_process(acct);
++ /*
++ * Fill the accounting struct with the exiting task's info
++ * before punting to the workqueue.
++ */
++ fill_ac(acct);
+ schedule_work(&acct->work);
+ wait_for_completion(&acct->done);
+ cmpxchg(&acct->ns->bacct, pin, NULL);
+@@ -184,6 +190,9 @@ static void close_work(struct work_struct *work)
+ {
+ struct bsd_acct_struct *acct = container_of(work, struct bsd_acct_struct, work);
+ struct file *file = acct->file;
++
++ /* We were fired by acct_pin_kill() which holds acct->lock. */
++ acct_write_process(acct);
+ if (file->f_op->flush)
+ file->f_op->flush(file, NULL);
+ __fput_sync(file);
+@@ -426,13 +435,27 @@ static u32 encode_float(u64 value)
+ * do_exit() or when switching to a different output file.
+ */
+
+-static void fill_ac(acct_t *ac)
++static void fill_ac(struct bsd_acct_struct *acct)
+ {
+ struct pacct_struct *pacct = ¤t->signal->pacct;
++ struct file *file = acct->file;
++ acct_t *ac = &acct->ac;
+ u64 elapsed, run_time;
+ time64_t btime;
+ struct tty_struct *tty;
+
++ lockdep_assert_held(&acct->lock);
++
++ if (time_is_after_jiffies(acct->needcheck)) {
++ acct->check_space = false;
++
++ /* Don't fill in @ac if nothing will be written. */
++ if (!acct->active)
++ return;
++ } else {
++ acct->check_space = true;
++ }
++
+ /*
+ * Fill the accounting struct with the needed info as recorded
+ * by the different kernel functions.
+@@ -480,64 +503,61 @@ static void fill_ac(acct_t *ac)
+ ac->ac_majflt = encode_comp_t(pacct->ac_majflt);
+ ac->ac_exitcode = pacct->ac_exitcode;
+ spin_unlock_irq(¤t->sighand->siglock);
+-}
+-/*
+- * do_acct_process does all actual work. Caller holds the reference to file.
+- */
+-static void do_acct_process(struct bsd_acct_struct *acct)
+-{
+- acct_t ac;
+- unsigned long flim;
+- const struct cred *orig_cred;
+- struct file *file = acct->file;
+-
+- /*
+- * Accounting records are not subject to resource limits.
+- */
+- flim = rlimit(RLIMIT_FSIZE);
+- current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
+- /* Perform file operations on behalf of whoever enabled accounting */
+- orig_cred = override_creds(file->f_cred);
+
+- /*
+- * First check to see if there is enough free_space to continue
+- * the process accounting system.
+- */
+- if (!check_free_space(acct))
+- goto out;
+-
+- fill_ac(&ac);
+ /* we really need to bite the bullet and change layout */
+- ac.ac_uid = from_kuid_munged(file->f_cred->user_ns, orig_cred->uid);
+- ac.ac_gid = from_kgid_munged(file->f_cred->user_ns, orig_cred->gid);
++ ac->ac_uid = from_kuid_munged(file->f_cred->user_ns, current_uid());
++ ac->ac_gid = from_kgid_munged(file->f_cred->user_ns, current_gid());
+ #if ACCT_VERSION == 1 || ACCT_VERSION == 2
+ /* backward-compatible 16 bit fields */
+- ac.ac_uid16 = ac.ac_uid;
+- ac.ac_gid16 = ac.ac_gid;
++ ac->ac_uid16 = ac->ac_uid;
++ ac->ac_gid16 = ac->ac_gid;
+ #elif ACCT_VERSION == 3
+ {
+ struct pid_namespace *ns = acct->ns;
+
+- ac.ac_pid = task_tgid_nr_ns(current, ns);
++ ac->ac_pid = task_tgid_nr_ns(current, ns);
+ rcu_read_lock();
+- ac.ac_ppid = task_tgid_nr_ns(rcu_dereference(current->real_parent),
+- ns);
++ ac->ac_ppid = task_tgid_nr_ns(rcu_dereference(current->real_parent), ns);
+ rcu_read_unlock();
+ }
+ #endif
++}
++
++static void acct_write_process(struct bsd_acct_struct *acct)
++{
++ struct file *file = acct->file;
++ const struct cred *cred;
++ acct_t *ac = &acct->ac;
++
++ /* Perform file operations on behalf of whoever enabled accounting */
++ cred = override_creds(file->f_cred);
++
+ /*
+- * Get freeze protection. If the fs is frozen, just skip the write
+- * as we could deadlock the system otherwise.
++ * First check to see if there is enough free_space to continue
++ * the process accounting system. Then get freeze protection. If
++ * the fs is frozen, just skip the write as we could deadlock
++ * the system otherwise.
+ */
+- if (file_start_write_trylock(file)) {
++ if (check_free_space(acct) && file_start_write_trylock(file)) {
+ /* it's been opened O_APPEND, so position is irrelevant */
+ loff_t pos = 0;
+- __kernel_write(file, &ac, sizeof(acct_t), &pos);
++ __kernel_write(file, ac, sizeof(acct_t), &pos);
+ file_end_write(file);
+ }
+-out:
++
++ revert_creds(cred);
++}
++
++static void do_acct_process(struct bsd_acct_struct *acct)
++{
++ unsigned long flim;
++
++ /* Accounting records are not subject to resource limits. */
++ flim = rlimit(RLIMIT_FSIZE);
++ current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
++ fill_ac(acct);
++ acct_write_process(acct);
+ current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
+- revert_creds(orig_cred);
+ }
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From 5aaf135ab21654c109496d7cbd10fe890d516562 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Dec 2023 11:32:06 +0800
+Subject: drm/amdgpu: Check extended configuration space register when system
+ uses large bar
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ma Jun <Jun.Ma2@amd.com>
+
+[ Upstream commit e372baeb3d336b20fd9463784c577fd8824497cd ]
+
+Some customer platforms do not enable mmconfig for various reasons,
+such as bios bug, and therefore cannot access the GPU extend configuration
+space through mmio.
+
+When the system enters the d3cold state and resumes, the amdgpu driver
+fails to resume because the extend configuration space registers of
+GPU can't be restored. At this point, Usually we only see some failure
+dmesg log printed by amdgpu driver, it is difficult to find the root
+cause.
+
+Therefor print a warnning message if the system can't access the
+extended configuration space register when using large bar.
+
+Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: 099bffc7cadf ("drm/amdgpu: disable BAR resize on Dell G5 SE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index 2f42471e578ad..edb1b1cf05f29 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -1098,6 +1098,10 @@ int amdgpu_device_resize_fb_bar(struct amdgpu_device *adev)
+ if (amdgpu_sriov_vf(adev))
+ return 0;
+
++ /* PCI_EXT_CAP_ID_VNDR extended capability is located at 0x100 */
++ if (!pci_find_ext_capability(adev->pdev, PCI_EXT_CAP_ID_VNDR))
++ DRM_WARN("System can't access extended configuration space,please check!!\n");
++
+ /* skip if the bios has already enabled large BAR */
+ if (adev->gmc.real_vram_size &&
+ (pci_resource_len(adev->pdev, 0) >= adev->gmc.real_vram_size))
+--
+2.39.5
+
--- /dev/null
+From 0eaae9b9940ce1a5f8a9afae7116f32edd6d3859 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 10:55:05 -0500
+Subject: drm/amdgpu: disable BAR resize on Dell G5 SE
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 099bffc7cadff40bfab1517c3461c53a7a38a0d7 ]
+
+There was a quirk added to add a workaround for a Sapphire
+RX 5600 XT Pulse that didn't allow BAR resizing. However,
+the quirk caused a regression with runtime pm on Dell laptops
+using those chips, rather than narrowing the scope of the
+resizing quirk, add a quirk to prevent amdgpu from resizing
+the BAR on those Dell platforms unless runtime pm is disabled.
+
+v2: update commit message, add runpm check
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/1707
+Fixes: 907830b0fc9e ("PCI: Add a REBAR size quirk for Sapphire RX 5600 XT Pulse")
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 5235053f443cef4210606e5fb71f99b915a9723d)
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index edb1b1cf05f29..40d2f0ed1c75f 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -1098,6 +1098,13 @@ int amdgpu_device_resize_fb_bar(struct amdgpu_device *adev)
+ if (amdgpu_sriov_vf(adev))
+ return 0;
+
++ /* resizing on Dell G5 SE platforms causes problems with runtime pm */
++ if ((amdgpu_runtime_pm != 0) &&
++ adev->pdev->vendor == PCI_VENDOR_ID_ATI &&
++ adev->pdev->device == 0x731f &&
++ adev->pdev->subsystem_vendor == PCI_VENDOR_ID_DELL)
++ return 0;
++
+ /* PCI_EXT_CAP_ID_VNDR extended capability is located at 0x100 */
+ if (!pci_find_ext_capability(adev->pdev, PCI_EXT_CAP_ID_VNDR))
+ DRM_WARN("System can't access extended configuration space,please check!!\n");
+--
+2.39.5
+
--- /dev/null
+From bbfea133c5dbe4a9c1ca27e54ebcee93064e0bab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Feb 2025 15:20:55 +0000
+Subject: drop_monitor: fix incorrect initialization order
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+[ Upstream commit 07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea ]
+
+Syzkaller reports the following bug:
+
+BUG: spinlock bad magic on CPU#1, syz-executor.0/7995
+ lock: 0xffff88805303f3e0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
+CPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G E 5.10.209+ #1
+Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x119/0x179 lib/dump_stack.c:118
+ debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
+ do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]
+ _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159
+ reset_per_cpu_data+0xe6/0x240 [drop_monitor]
+ net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor]
+ genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739
+ genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
+ genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800
+ netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497
+ genl_rcv+0x29/0x40 net/netlink/genetlink.c:811
+ netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
+ netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348
+ netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ __sock_sendmsg+0x157/0x190 net/socket.c:663
+ ____sys_sendmsg+0x712/0x870 net/socket.c:2378
+ ___sys_sendmsg+0xf8/0x170 net/socket.c:2432
+ __sys_sendmsg+0xea/0x1b0 net/socket.c:2461
+ do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x62/0xc7
+RIP: 0033:0x7f3f9815aee9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9
+RDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007
+RBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768
+
+If drop_monitor is built as a kernel module, syzkaller may have time
+to send a netlink NET_DM_CMD_START message during the module loading.
+This will call the net_dm_monitor_start() function that uses
+a spinlock that has not yet been initialized.
+
+To fix this, let's place resource initialization above the registration
+of a generic netlink family.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with Syzkaller.
+
+Fixes: 9a8afc8d3962 ("Network Drop Monitor: Adding drop monitor implementation & Netlink protocol")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20250213152054.2785669-1-Ilia.Gavrilov@infotecs.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/drop_monitor.c | 29 ++++++++++++++---------------
+ 1 file changed, 14 insertions(+), 15 deletions(-)
+
+diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c
+index 009b9e22c4e75..c8a3d6056365f 100644
+--- a/net/core/drop_monitor.c
++++ b/net/core/drop_monitor.c
+@@ -1727,30 +1727,30 @@ static int __init init_net_drop_monitor(void)
+ return -ENOSPC;
+ }
+
+- rc = genl_register_family(&net_drop_monitor_family);
+- if (rc) {
+- pr_err("Could not create drop monitor netlink family\n");
+- return rc;
++ for_each_possible_cpu(cpu) {
++ net_dm_cpu_data_init(cpu);
++ net_dm_hw_cpu_data_init(cpu);
+ }
+- WARN_ON(net_drop_monitor_family.mcgrp_offset != NET_DM_GRP_ALERT);
+
+ rc = register_netdevice_notifier(&dropmon_net_notifier);
+ if (rc < 0) {
+ pr_crit("Failed to register netdevice notifier\n");
++ return rc;
++ }
++
++ rc = genl_register_family(&net_drop_monitor_family);
++ if (rc) {
++ pr_err("Could not create drop monitor netlink family\n");
+ goto out_unreg;
+ }
++ WARN_ON(net_drop_monitor_family.mcgrp_offset != NET_DM_GRP_ALERT);
+
+ rc = 0;
+
+- for_each_possible_cpu(cpu) {
+- net_dm_cpu_data_init(cpu);
+- net_dm_hw_cpu_data_init(cpu);
+- }
+-
+ goto out;
+
+ out_unreg:
+- genl_unregister_family(&net_drop_monitor_family);
++ WARN_ON(unregister_netdevice_notifier(&dropmon_net_notifier));
+ out:
+ return rc;
+ }
+@@ -1759,19 +1759,18 @@ static void exit_net_drop_monitor(void)
+ {
+ int cpu;
+
+- BUG_ON(unregister_netdevice_notifier(&dropmon_net_notifier));
+-
+ /*
+ * Because of the module_get/put we do in the trace state change path
+ * we are guarnateed not to have any current users when we get here
+ */
++ BUG_ON(genl_unregister_family(&net_drop_monitor_family));
++
++ BUG_ON(unregister_netdevice_notifier(&dropmon_net_notifier));
+
+ for_each_possible_cpu(cpu) {
+ net_dm_hw_cpu_data_fini(cpu);
+ net_dm_cpu_data_fini(cpu);
+ }
+-
+- BUG_ON(genl_unregister_family(&net_drop_monitor_family));
+ }
+
+ module_init(init_net_drop_monitor);
+--
+2.39.5
+
--- /dev/null
+From 79d22a43e28ed120d290d1b6e3f9b9d4575cfabd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Feb 2025 15:18:39 -0500
+Subject: efi: Don't map the entire mokvar table to determine its size
+
+From: Peter Jones <pjones@redhat.com>
+
+[ Upstream commit 2b90e7ace79774a3540ce569e000388f8d22c9e0 ]
+
+Currently, when validating the mokvar table, we (re)map the entire table
+on each iteration of the loop, adding space as we discover new entries.
+If the table grows over a certain size, this fails due to limitations of
+early_memmap(), and we get a failure and traceback:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 0 at mm/early_ioremap.c:139 __early_ioremap+0xef/0x220
+ ...
+ Call Trace:
+ <TASK>
+ ? __early_ioremap+0xef/0x220
+ ? __warn.cold+0x93/0xfa
+ ? __early_ioremap+0xef/0x220
+ ? report_bug+0xff/0x140
+ ? early_fixup_exception+0x5d/0xb0
+ ? early_idt_handler_common+0x2f/0x3a
+ ? __early_ioremap+0xef/0x220
+ ? efi_mokvar_table_init+0xce/0x1d0
+ ? setup_arch+0x864/0xc10
+ ? start_kernel+0x6b/0xa10
+ ? x86_64_start_reservations+0x24/0x30
+ ? x86_64_start_kernel+0xed/0xf0
+ ? common_startup_64+0x13e/0x141
+ </TASK>
+ ---[ end trace 0000000000000000 ]---
+ mokvar: Failed to map EFI MOKvar config table pa=0x7c4c3000, size=265187.
+
+Mapping the entire structure isn't actually necessary, as we don't ever
+need more than one entry header mapped at once.
+
+Changes efi_mokvar_table_init() to only map each entry header, not the
+entire table, when determining the table size. Since we're not mapping
+any data past the variable name, it also changes the code to enforce
+that each variable name is NUL terminated, rather than attempting to
+verify it in place.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/mokvar-table.c | 41 +++++++++--------------------
+ 1 file changed, 13 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/firmware/efi/mokvar-table.c b/drivers/firmware/efi/mokvar-table.c
+index 38722d2009e20..3ac37f8cfd680 100644
+--- a/drivers/firmware/efi/mokvar-table.c
++++ b/drivers/firmware/efi/mokvar-table.c
+@@ -103,7 +103,6 @@ void __init efi_mokvar_table_init(void)
+ void *va = NULL;
+ unsigned long cur_offset = 0;
+ unsigned long offset_limit;
+- unsigned long map_size = 0;
+ unsigned long map_size_needed = 0;
+ unsigned long size;
+ struct efi_mokvar_table_entry *mokvar_entry;
+@@ -134,48 +133,34 @@ void __init efi_mokvar_table_init(void)
+ */
+ err = -EINVAL;
+ while (cur_offset + sizeof(*mokvar_entry) <= offset_limit) {
+- mokvar_entry = va + cur_offset;
+- map_size_needed = cur_offset + sizeof(*mokvar_entry);
+- if (map_size_needed > map_size) {
+- if (va)
+- early_memunmap(va, map_size);
+- /*
+- * Map a little more than the fixed size entry
+- * header, anticipating some data. It's safe to
+- * do so as long as we stay within current memory
+- * descriptor.
+- */
+- map_size = min(map_size_needed + 2*EFI_PAGE_SIZE,
+- offset_limit);
+- va = early_memremap(efi.mokvar_table, map_size);
+- if (!va) {
+- pr_err("Failed to map EFI MOKvar config table pa=0x%lx, size=%lu.\n",
+- efi.mokvar_table, map_size);
+- return;
+- }
+- mokvar_entry = va + cur_offset;
++ if (va)
++ early_memunmap(va, sizeof(*mokvar_entry));
++ va = early_memremap(efi.mokvar_table + cur_offset, sizeof(*mokvar_entry));
++ if (!va) {
++ pr_err("Failed to map EFI MOKvar config table pa=0x%lx, size=%zu.\n",
++ efi.mokvar_table + cur_offset, sizeof(*mokvar_entry));
++ return;
+ }
++ mokvar_entry = va;
+
+ /* Check for last sentinel entry */
+ if (mokvar_entry->name[0] == '\0') {
+ if (mokvar_entry->data_size != 0)
+ break;
+ err = 0;
++ map_size_needed = cur_offset + sizeof(*mokvar_entry);
+ break;
+ }
+
+- /* Sanity check that the name is null terminated */
+- size = strnlen(mokvar_entry->name,
+- sizeof(mokvar_entry->name));
+- if (size >= sizeof(mokvar_entry->name))
+- break;
++ /* Enforce that the name is NUL terminated */
++ mokvar_entry->name[sizeof(mokvar_entry->name) - 1] = '\0';
+
+ /* Advance to the next entry */
+- cur_offset = map_size_needed + mokvar_entry->data_size;
++ cur_offset += sizeof(*mokvar_entry) + mokvar_entry->data_size;
+ }
+
+ if (va)
+- early_memunmap(va, map_size);
++ early_memunmap(va, sizeof(*mokvar_entry));
+ if (err) {
+ pr_err("EFI MOKvar config table is not valid\n");
+ return;
+--
+2.39.5
+
--- /dev/null
+From 986871fea96854f82eba8dbc8f487bc2b95eb040 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Sep 2021 19:58:18 -0700
+Subject: kernel/acct.c: use dedicated helper to access rlimit values
+
+From: Yang Yang <yang.yang29@zte.com.cn>
+
+[ Upstream commit 3c91dda97eea704ac257ddb138d1154adab8db62 ]
+
+Use rlimit() helper instead of manually writing whole chain from
+task to rlimit value. See patch "posix-cpu-timers: Use dedicated
+helper to access rlimit values".
+
+Link: https://lkml.kernel.org/r/20210728030822.524789-1-yang.yang29@zte.com.cn
+Signed-off-by: Yang Yang <yang.yang29@zte.com.cn>
+Reported-by: Zeal Robot <zealci@zte.com.cn>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: sh_def@163.com <sh_def@163.com>
+Cc: Yang Yang <yang.yang29@zte.com.cn>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: 56d5f3eba3f5 ("acct: perform last write from workqueue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/acct.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/acct.c b/kernel/acct.c
+index a7e29ca8f3591..2b2224b7ae55a 100644
+--- a/kernel/acct.c
++++ b/kernel/acct.c
+@@ -494,7 +494,7 @@ static void do_acct_process(struct bsd_acct_struct *acct)
+ /*
+ * Accounting records are not subject to resource limits.
+ */
+- flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
++ flim = rlimit(RLIMIT_FSIZE);
+ current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
+ /* Perform file operations on behalf of whoever enabled accounting */
+ orig_cred = override_creds(file->f_cred);
+--
+2.39.5
+
--- /dev/null
+From df44eece33bc37c7982836a4fedae80829f98d80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Dec 2020 20:42:52 -0800
+Subject: kernel/acct.c: use #elif instead of #end and #elif
+
+From: Hui Su <sh_def@163.com>
+
+[ Upstream commit 35189b8ff18ee0c6f7c04f4c674584d1149d5c55 ]
+
+Cleanup: use #elif instead of #end and #elif.
+
+Link: https://lkml.kernel.org/r/20201015150736.GA91603@rlk
+Signed-off-by: Hui Su <sh_def@163.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: 56d5f3eba3f5 ("acct: perform last write from workqueue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/acct.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/acct.c b/kernel/acct.c
+index 6552eb22dd1e4..a7e29ca8f3591 100644
+--- a/kernel/acct.c
++++ b/kernel/acct.c
+@@ -397,9 +397,7 @@ static comp2_t encode_comp2_t(u64 value)
+ return (value & (MAXFRACT2>>1)) | (exp << (MANTSIZE2-1));
+ }
+ }
+-#endif
+-
+-#if ACCT_VERSION == 3
++#elif ACCT_VERSION == 3
+ /*
+ * encode an u64 into a 32 bit IEEE float
+ */
+@@ -516,8 +514,7 @@ static void do_acct_process(struct bsd_acct_struct *acct)
+ /* backward-compatible 16 bit fields */
+ ac.ac_uid16 = ac.ac_uid;
+ ac.ac_gid16 = ac.ac_gid;
+-#endif
+-#if ACCT_VERSION == 3
++#elif ACCT_VERSION == 3
+ {
+ struct pid_namespace *ns = acct->ns;
+
+--
+2.39.5
+
--- /dev/null
+From bbd414673ff6cc7e821cf05ee44878b8650ea259 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 14:47:34 +0800
+Subject: Revert "riscv: Set more data to cacheinfo"
+
+From: Song Shuai <suagrfillet@gmail.com>
+
+[ Upstream commit 6a24915145c922b79d3ac78f681137a4c14a6d6b ]
+
+This reverts commit baf7cbd94b5688f167443a2cc3dcea3300132099.
+
+There are some duplicate cache attributes populations executed
+in both ci_leaf_init() and later cache_setup_properties().
+
+Revert the commit baf7cbd94b56 ("riscv: Set more data to cacheinfo")
+to setup only the level and type attributes at this early place.
+
+Signed-off-by: Song Shuai <suagrfillet@gmail.com>
+Acked-by: Sudeep Holla <sudeep.holla@arm.com>
+Acked-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://lore.kernel.org/r/20230308064734.512457-1-suagrfillet@gmail.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Stable-dep-of: fb8179ce2996 ("riscv: cacheinfo: Use of_property_present() for non-boolean properties")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/cacheinfo.c | 66 ++++++++---------------------------
+ 1 file changed, 15 insertions(+), 51 deletions(-)
+
+diff --git a/arch/riscv/kernel/cacheinfo.c b/arch/riscv/kernel/cacheinfo.c
+index 90deabfe63eaa..56141a65c7348 100644
+--- a/arch/riscv/kernel/cacheinfo.c
++++ b/arch/riscv/kernel/cacheinfo.c
+@@ -64,53 +64,12 @@ uintptr_t get_cache_geometry(u32 level, enum cache_type type)
+ 0;
+ }
+
+-static void ci_leaf_init(struct cacheinfo *this_leaf, enum cache_type type,
+- unsigned int level, unsigned int size,
+- unsigned int sets, unsigned int line_size)
++static void ci_leaf_init(struct cacheinfo *this_leaf,
++ struct device_node *node,
++ enum cache_type type, unsigned int level)
+ {
+ this_leaf->level = level;
+ this_leaf->type = type;
+- this_leaf->size = size;
+- this_leaf->number_of_sets = sets;
+- this_leaf->coherency_line_size = line_size;
+-
+- /*
+- * If the cache is fully associative, there is no need to
+- * check the other properties.
+- */
+- if (sets == 1)
+- return;
+-
+- /*
+- * Set the ways number for n-ways associative, make sure
+- * all properties are big than zero.
+- */
+- if (sets > 0 && size > 0 && line_size > 0)
+- this_leaf->ways_of_associativity = (size / sets) / line_size;
+-}
+-
+-static void fill_cacheinfo(struct cacheinfo **this_leaf,
+- struct device_node *node, unsigned int level)
+-{
+- unsigned int size, sets, line_size;
+-
+- if (!of_property_read_u32(node, "cache-size", &size) &&
+- !of_property_read_u32(node, "cache-block-size", &line_size) &&
+- !of_property_read_u32(node, "cache-sets", &sets)) {
+- ci_leaf_init((*this_leaf)++, CACHE_TYPE_UNIFIED, level, size, sets, line_size);
+- }
+-
+- if (!of_property_read_u32(node, "i-cache-size", &size) &&
+- !of_property_read_u32(node, "i-cache-sets", &sets) &&
+- !of_property_read_u32(node, "i-cache-block-size", &line_size)) {
+- ci_leaf_init((*this_leaf)++, CACHE_TYPE_INST, level, size, sets, line_size);
+- }
+-
+- if (!of_property_read_u32(node, "d-cache-size", &size) &&
+- !of_property_read_u32(node, "d-cache-sets", &sets) &&
+- !of_property_read_u32(node, "d-cache-block-size", &line_size)) {
+- ci_leaf_init((*this_leaf)++, CACHE_TYPE_DATA, level, size, sets, line_size);
+- }
+ }
+
+ int init_cache_level(unsigned int cpu)
+@@ -163,24 +122,29 @@ int populate_cache_leaves(unsigned int cpu)
+ struct device_node *prev = NULL;
+ int levels = 1, level = 1;
+
+- /* Level 1 caches in cpu node */
+- fill_cacheinfo(&this_leaf, np, level);
++ if (of_property_read_bool(np, "cache-size"))
++ ci_leaf_init(this_leaf++, np, CACHE_TYPE_UNIFIED, level);
++ if (of_property_read_bool(np, "i-cache-size"))
++ ci_leaf_init(this_leaf++, np, CACHE_TYPE_INST, level);
++ if (of_property_read_bool(np, "d-cache-size"))
++ ci_leaf_init(this_leaf++, np, CACHE_TYPE_DATA, level);
+
+- /* Next level caches in cache nodes */
+ prev = np;
+ while ((np = of_find_next_cache_node(np))) {
+ of_node_put(prev);
+ prev = np;
+-
+ if (!of_device_is_compatible(np, "cache"))
+ break;
+ if (of_property_read_u32(np, "cache-level", &level))
+ break;
+ if (level <= levels)
+ break;
+-
+- fill_cacheinfo(&this_leaf, np, level);
+-
++ if (of_property_read_bool(np, "cache-size"))
++ ci_leaf_init(this_leaf++, np, CACHE_TYPE_UNIFIED, level);
++ if (of_property_read_bool(np, "i-cache-size"))
++ ci_leaf_init(this_leaf++, np, CACHE_TYPE_INST, level);
++ if (of_property_read_bool(np, "d-cache-size"))
++ ci_leaf_init(this_leaf++, np, CACHE_TYPE_DATA, level);
+ levels = level;
+ }
+ of_node_put(np);
+--
+2.39.5
+
--- /dev/null
+From c7ffa1c4b7defeca1ed7aa50907abd22e263a484 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 21:14:24 +0800
+Subject: riscv: cacheinfo: initialize cacheinfo's level and type from ACPI
+ PPTT
+
+From: Yunhui Cui <cuiyunhui@bytedance.com>
+
+[ Upstream commit 604f32ea6909b0ebb8ab0bf1ab7dc66ee3dc8955 ]
+
+Before cacheinfo can be built correctly, we need to initialize level
+and type. Since RISC-V currently does not have a register group that
+describes cache-related attributes like ARM64, we cannot obtain them
+directly, so now we obtain cache leaves from the ACPI PPTT table
+(acpi_get_cache_info()) and set the cache type through split_levels.
+
+Suggested-by: Jeremy Linton <jeremy.linton@arm.com>
+Suggested-by: Sudeep Holla <sudeep.holla@arm.com>
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Reviewed-by: Sunil V L <sunilvl@ventanamicro.com>
+Reviewed-by: Jeremy Linton <jeremy.linton@arm.com>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
+Link: https://lore.kernel.org/r/20240617131425.7526-2-cuiyunhui@bytedance.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Stable-dep-of: fb8179ce2996 ("riscv: cacheinfo: Use of_property_present() for non-boolean properties")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/cacheinfo.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/arch/riscv/kernel/cacheinfo.c b/arch/riscv/kernel/cacheinfo.c
+index 7c6dff3dac2d6..8290cced2e62e 100644
+--- a/arch/riscv/kernel/cacheinfo.c
++++ b/arch/riscv/kernel/cacheinfo.c
+@@ -3,6 +3,7 @@
+ * Copyright (C) 2017 SiFive
+ */
+
++#include <linux/acpi.h>
+ #include <linux/cpu.h>
+ #include <linux/of.h>
+ #include <linux/of_device.h>
+@@ -121,6 +122,27 @@ int populate_cache_leaves(unsigned int cpu)
+ struct device_node *prev = NULL;
+ int levels = 1, level = 1;
+
++ if (!acpi_disabled) {
++ int ret, fw_levels, split_levels;
++
++ ret = acpi_get_cache_info(cpu, &fw_levels, &split_levels);
++ if (ret)
++ return ret;
++
++ BUG_ON((split_levels > fw_levels) ||
++ (split_levels + fw_levels > this_cpu_ci->num_leaves));
++
++ for (; level <= this_cpu_ci->num_levels; level++) {
++ if (level <= split_levels) {
++ ci_leaf_init(this_leaf++, CACHE_TYPE_DATA, level);
++ ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level);
++ } else {
++ ci_leaf_init(this_leaf++, CACHE_TYPE_UNIFIED, level);
++ }
++ }
++ return 0;
++ }
++
+ if (of_property_read_bool(np, "cache-size"))
+ ci_leaf_init(this_leaf++, CACHE_TYPE_UNIFIED, level);
+ if (of_property_read_bool(np, "i-cache-size"))
+--
+2.39.5
+
--- /dev/null
+From 2948d79f6ffa783c397aa87f33c6f28de1eebd9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 21:14:23 +0800
+Subject: riscv: cacheinfo: remove the useless input parameter (node) of
+ ci_leaf_init()
+
+From: Yunhui Cui <cuiyunhui@bytedance.com>
+
+[ Upstream commit ee3fab10cb1566562aa683f319066eaeecccf918 ]
+
+ci_leaf_init() is a declared static function. The implementation of the
+function body and the caller do not use the parameter (struct device_node
+*node) input parameter, so remove it.
+
+Fixes: 6a24915145c9 ("Revert "riscv: Set more data to cacheinfo"")
+Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
+Reviewed-by: Jeremy Linton <jeremy.linton@arm.com>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Link: https://lore.kernel.org/r/20240617131425.7526-1-cuiyunhui@bytedance.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Stable-dep-of: fb8179ce2996 ("riscv: cacheinfo: Use of_property_present() for non-boolean properties")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/cacheinfo.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/arch/riscv/kernel/cacheinfo.c b/arch/riscv/kernel/cacheinfo.c
+index 56141a65c7348..7c6dff3dac2d6 100644
+--- a/arch/riscv/kernel/cacheinfo.c
++++ b/arch/riscv/kernel/cacheinfo.c
+@@ -65,7 +65,6 @@ uintptr_t get_cache_geometry(u32 level, enum cache_type type)
+ }
+
+ static void ci_leaf_init(struct cacheinfo *this_leaf,
+- struct device_node *node,
+ enum cache_type type, unsigned int level)
+ {
+ this_leaf->level = level;
+@@ -123,11 +122,11 @@ int populate_cache_leaves(unsigned int cpu)
+ int levels = 1, level = 1;
+
+ if (of_property_read_bool(np, "cache-size"))
+- ci_leaf_init(this_leaf++, np, CACHE_TYPE_UNIFIED, level);
++ ci_leaf_init(this_leaf++, CACHE_TYPE_UNIFIED, level);
+ if (of_property_read_bool(np, "i-cache-size"))
+- ci_leaf_init(this_leaf++, np, CACHE_TYPE_INST, level);
++ ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level);
+ if (of_property_read_bool(np, "d-cache-size"))
+- ci_leaf_init(this_leaf++, np, CACHE_TYPE_DATA, level);
++ ci_leaf_init(this_leaf++, CACHE_TYPE_DATA, level);
+
+ prev = np;
+ while ((np = of_find_next_cache_node(np))) {
+@@ -140,11 +139,11 @@ int populate_cache_leaves(unsigned int cpu)
+ if (level <= levels)
+ break;
+ if (of_property_read_bool(np, "cache-size"))
+- ci_leaf_init(this_leaf++, np, CACHE_TYPE_UNIFIED, level);
++ ci_leaf_init(this_leaf++, CACHE_TYPE_UNIFIED, level);
+ if (of_property_read_bool(np, "i-cache-size"))
+- ci_leaf_init(this_leaf++, np, CACHE_TYPE_INST, level);
++ ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level);
+ if (of_property_read_bool(np, "d-cache-size"))
+- ci_leaf_init(this_leaf++, np, CACHE_TYPE_DATA, level);
++ ci_leaf_init(this_leaf++, CACHE_TYPE_DATA, level);
+ levels = level;
+ }
+ of_node_put(np);
+--
+2.39.5
+
--- /dev/null
+From d91dfd65707ad051bc5666c3658859aa587c86d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 13:03:13 -0600
+Subject: riscv: cacheinfo: Use of_property_present() for non-boolean
+ properties
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit fb8179ce2996bffaa36a04e2b6262843b01b7565 ]
+
+The use of of_property_read_bool() for non-boolean properties is
+deprecated in favor of of_property_present() when testing for property
+presence.
+
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Reviewed-by: Clément Léger <cleger@rivosinc.com>
+Cc: stable@vger.kernel.org
+Fixes: 76d2a0493a17 ("RISC-V: Init and Halt Code")
+Link: https://lore.kernel.org/r/20241104190314.270095-1-robh@kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/cacheinfo.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/riscv/kernel/cacheinfo.c b/arch/riscv/kernel/cacheinfo.c
+index c196d1a0b8d98..f42c0886484a4 100644
+--- a/arch/riscv/kernel/cacheinfo.c
++++ b/arch/riscv/kernel/cacheinfo.c
+@@ -146,11 +146,11 @@ int populate_cache_leaves(unsigned int cpu)
+ if (!np)
+ return -ENOENT;
+
+- if (of_property_read_bool(np, "cache-size"))
++ if (of_property_present(np, "cache-size"))
+ ci_leaf_init(this_leaf++, CACHE_TYPE_UNIFIED, level);
+- if (of_property_read_bool(np, "i-cache-size"))
++ if (of_property_present(np, "i-cache-size"))
+ ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level);
+- if (of_property_read_bool(np, "d-cache-size"))
++ if (of_property_present(np, "d-cache-size"))
+ ci_leaf_init(this_leaf++, CACHE_TYPE_DATA, level);
+
+ prev = np;
+@@ -163,11 +163,11 @@ int populate_cache_leaves(unsigned int cpu)
+ break;
+ if (level <= levels)
+ break;
+- if (of_property_read_bool(np, "cache-size"))
++ if (of_property_present(np, "cache-size"))
+ ci_leaf_init(this_leaf++, CACHE_TYPE_UNIFIED, level);
+- if (of_property_read_bool(np, "i-cache-size"))
++ if (of_property_present(np, "i-cache-size"))
+ ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level);
+- if (of_property_read_bool(np, "d-cache-size"))
++ if (of_property_present(np, "d-cache-size"))
+ ci_leaf_init(this_leaf++, CACHE_TYPE_DATA, level);
+ levels = level;
+ }
+--
+2.39.5
+
--- /dev/null
+From 6b369a3c46963b05c18e2ef44f3407561169d48c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 10:00:52 +0200
+Subject: riscv: Prevent a bad reference count on CPU nodes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Miquel Sabaté Solà <mikisabate@gmail.com>
+
+[ Upstream commit 37233169a6ea912020c572f870075a63293b786a ]
+
+When populating cache leaves we previously fetched the CPU device node
+at the very beginning. But when ACPI is enabled we go through a
+specific branch which returns early and does not call 'of_node_put' for
+the node that was acquired.
+
+Since we are not using a CPU device node for the ACPI code anyways, we
+can simply move the initialization of it just passed the ACPI block, and
+we are guaranteed to have an 'of_node_put' call for the acquired node.
+This prevents a bad reference count of the CPU device node.
+
+Moreover, the previous function did not check for errors when acquiring
+the device node, so a return -ENOENT has been added for that case.
+
+Signed-off-by: Miquel Sabaté Solà <mikisabate@gmail.com>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Reviewed-by: Sunil V L <sunilvl@ventanamicro.com>
+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Fixes: 604f32ea6909 ("riscv: cacheinfo: initialize cacheinfo's level and type from ACPI PPTT")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240913080053.36636-1-mikisabate@gmail.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Stable-dep-of: fb8179ce2996 ("riscv: cacheinfo: Use of_property_present() for non-boolean properties")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/cacheinfo.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/arch/riscv/kernel/cacheinfo.c b/arch/riscv/kernel/cacheinfo.c
+index 8290cced2e62e..c196d1a0b8d98 100644
+--- a/arch/riscv/kernel/cacheinfo.c
++++ b/arch/riscv/kernel/cacheinfo.c
+@@ -118,8 +118,7 @@ int populate_cache_leaves(unsigned int cpu)
+ {
+ struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu);
+ struct cacheinfo *this_leaf = this_cpu_ci->info_list;
+- struct device_node *np = of_cpu_device_node_get(cpu);
+- struct device_node *prev = NULL;
++ struct device_node *np, *prev;
+ int levels = 1, level = 1;
+
+ if (!acpi_disabled) {
+@@ -143,6 +142,10 @@ int populate_cache_leaves(unsigned int cpu)
+ return 0;
+ }
+
++ np = of_cpu_device_node_get(cpu);
++ if (!np)
++ return -ENOENT;
++
+ if (of_property_read_bool(np, "cache-size"))
+ ci_leaf_init(this_leaf++, CACHE_TYPE_UNIFIED, level);
+ if (of_property_read_bool(np, "i-cache-size"))
+--
+2.39.5
+
sched-core-prevent-rescheduling-when-interrupts-are-disabled.patch
intel_idle-handle-older-cpus-which-stop-the-tsc-in-deeper-c-states-correctly.patch
pfifo_tail_enqueue-drop-new-packet-when-sch-limit-0.patch
+drop_monitor-fix-incorrect-initialization-order.patch
+kernel-acct.c-use-elif-instead-of-end-and-elif.patch
+kernel-acct.c-use-dedicated-helper-to-access-rlimit-.patch
+acct-perform-last-write-from-workqueue.patch
+smb-client-add-check-for-next_buffer-in-receive_encr.patch
+drm-amdgpu-check-extended-configuration-space-regist.patch
+drm-amdgpu-disable-bar-resize-on-dell-g5-se.patch
+revert-riscv-set-more-data-to-cacheinfo.patch
+riscv-cacheinfo-remove-the-useless-input-parameter-n.patch
+riscv-cacheinfo-initialize-cacheinfo-s-level-and-typ.patch
+riscv-prevent-a-bad-reference-count-on-cpu-nodes.patch
+riscv-cacheinfo-use-of_property_present-for-non-bool.patch
+efi-don-t-map-the-entire-mokvar-table-to-determine-i.patch
--- /dev/null
+From 26383cc9e4f27bebd1e9d0f597c6a009be1f31ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 15:20:38 +0800
+Subject: smb: client: Add check for next_buffer in
+ receive_encrypted_standard()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+[ Upstream commit 860ca5e50f73c2a1cef7eefc9d39d04e275417f7 ]
+
+Add check for the return value of cifs_buf_get() and cifs_small_buf_get()
+in receive_encrypted_standard() to prevent null pointer dereference.
+
+Fixes: eec04ea11969 ("smb: client: fix OOB in receive_encrypted_standard()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2ops.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 68f93de2b1527..70a4d101b5428 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -4938,6 +4938,10 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
+ next_buffer = (char *)cifs_buf_get();
+ else
+ next_buffer = (char *)cifs_small_buf_get();
++ if (!next_buffer) {
++ cifs_server_dbg(VFS, "No memory for (large) SMB response\n");
++ return -1;
++ }
+ memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd);
+ }
+
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
