--- /dev/null
+From dd4f730b557ce701a2cd4f604bf1e57667bd8b6e Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Mon, 10 Feb 2025 21:28:25 -0500
+Subject: ACPI: platform-profile: Fix CFI violation when accessing sysfs files
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit dd4f730b557ce701a2cd4f604bf1e57667bd8b6e upstream.
+
+When an attribute group is created with sysfs_create_group(), the
+->sysfs_ops() callback is set to kobj_sysfs_ops, which sets the ->show()
+and ->store() callbacks to kobj_attr_show() and kobj_attr_store()
+respectively. These functions use container_of() to get the respective
+callback from the passed attribute, meaning that these callbacks need to
+be of the same type as the callbacks in 'struct kobj_attribute'.
+
+However, ->show() and ->store() in the platform_profile driver are
+defined for struct device_attribute with the help of DEVICE_ATTR_RO()
+and DEVICE_ATTR_RW(), which results in a CFI violation when accessing
+platform_profile or platform_profile_choices under /sys/firmware/acpi
+because the types do not match:
+
+ CFI failure at kobj_attr_show+0x19/0x30 (target: platform_profile_choices_show+0x0/0x140; expected type: 0x7a69590c)
+
+There is no functional issue from the type mismatch because the layout
+of 'struct kobj_attribute' and 'struct device_attribute' are the same,
+so the container_of() cast does not break anything aside from CFI.
+
+Change the type of platform_profile_choices_show() and
+platform_profile_{show,store}() to match the callbacks in
+'struct kobj_attribute' and update the attribute variables to
+match, which resolves the CFI violation.
+
+Cc: All applicable <stable@vger.kernel.org>
+Fixes: a2ff95e018f1 ("ACPI: platform: Add platform profile support")
+Reported-by: John Rowley <lkml@johnrowley.me>
+Closes: https://github.com/ClangBuiltLinux/linux/issues/2047
+Tested-by: John Rowley <lkml@johnrowley.me>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Tested-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Link: https://patch.msgid.link/20250210-acpi-platform_profile-fix-cfi-violation-v3-1-ed9e9901c33a@kernel.org
+[ rjw: Changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+[nathan: Fix conflicts in older stable branches]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/platform_profile.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/acpi/platform_profile.c
++++ b/drivers/acpi/platform_profile.c
+@@ -22,8 +22,8 @@ static const char * const profile_names[
+ };
+ static_assert(ARRAY_SIZE(profile_names) == PLATFORM_PROFILE_LAST);
+
+-static ssize_t platform_profile_choices_show(struct device *dev,
+- struct device_attribute *attr,
++static ssize_t platform_profile_choices_show(struct kobject *kobj,
++ struct kobj_attribute *attr,
+ char *buf)
+ {
+ int len = 0;
+@@ -49,8 +49,8 @@ static ssize_t platform_profile_choices_
+ return len;
+ }
+
+-static ssize_t platform_profile_show(struct device *dev,
+- struct device_attribute *attr,
++static ssize_t platform_profile_show(struct kobject *kobj,
++ struct kobj_attribute *attr,
+ char *buf)
+ {
+ enum platform_profile_option profile = PLATFORM_PROFILE_BALANCED;
+@@ -77,8 +77,8 @@ static ssize_t platform_profile_show(str
+ return sysfs_emit(buf, "%s\n", profile_names[profile]);
+ }
+
+-static ssize_t platform_profile_store(struct device *dev,
+- struct device_attribute *attr,
++static ssize_t platform_profile_store(struct kobject *kobj,
++ struct kobj_attribute *attr,
+ const char *buf, size_t count)
+ {
+ int err, i;
+@@ -115,12 +115,12 @@ static ssize_t platform_profile_store(st
+ return count;
+ }
+
+-static DEVICE_ATTR_RO(platform_profile_choices);
+-static DEVICE_ATTR_RW(platform_profile);
++static struct kobj_attribute attr_platform_profile_choices = __ATTR_RO(platform_profile_choices);
++static struct kobj_attribute attr_platform_profile = __ATTR_RW(platform_profile);
+
+ static struct attribute *platform_profile_attrs[] = {
+- &dev_attr_platform_profile_choices.attr,
+- &dev_attr_platform_profile.attr,
++ &attr_platform_profile_choices.attr,
++ &attr_platform_profile.attr,
+ NULL
+ };
+
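Review bot: The two attribute definitions carry no comment explaining why they are `struct kobj_attribute` objects built with `__ATTR_RO()`/`__ATTR_RW()` rather than the usual `DEVICE_ATTR_*()` helpers. A later cleanup could convert them back and reintroduce the indirect-call type mismatch that kCFI traps on. A short comment above them would record the constraint, for example `/* Dispatched via kobj_sysfs_ops: callbacks must use the struct kobj_attribute prototype (CFI). */`. That the group is dispatched through kobj_sysfs_ops is taken from the commit message; the sysfs_create_group() call itself is outside the hunks shown.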
--- /dev/null
+From 55c85fa7579dc2e3f5399ef5bad67a44257c1a48 Mon Sep 17 00:00:00 2001
+From: Yi Liu <yi.l.liu@intel.com>
+Date: Wed, 5 Mar 2025 19:48:42 -0800
+Subject: iommufd: Fail replace if device has not been attached
+
+From: Yi Liu <yi.l.liu@intel.com>
+
+commit 55c85fa7579dc2e3f5399ef5bad67a44257c1a48 upstream.
+
+The current implementation of iommufd_device_do_replace() implicitly
+assumes that the input device has already been attached. However, there
+is no explicit check to verify this assumption. If another device within
+the same group has been attached, the replace operation might succeed,
+but the input device itself may not have been attached yet.
+
+As a result, the input device might not be tracked in the
+igroup->device_list, and its reserved IOVA might not be added. Despite
+this, the caller might incorrectly assume that the device has been
+successfully replaced, which could lead to unexpected behavior or errors.
+
+To address this issue, add a check to ensure that the input device has
+been attached before proceeding with the replace operation. This check
+will help maintain the integrity of the device tracking system and prevent
+potential issues arising from incorrect assumptions about the device's
+attachment status.
+
+Fixes: e88d4ec154a8 ("iommufd: Add iommufd_device_replace()")
+Link: https://patch.msgid.link/r/20250306034842.5950-1-yi.l.liu@intel.com
+Cc: stable@vger.kernel.org
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Signed-off-by: Yi Liu <yi.l.liu@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/iommufd/device.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/iommu/iommufd/device.c
++++ b/drivers/iommu/iommufd/device.c
+@@ -407,6 +407,17 @@ iommufd_device_do_attach(struct iommufd_
+ return NULL;
+ }
+
++/* Check if idev is attached to igroup->hwpt */
++static bool iommufd_device_is_attached(struct iommufd_device *idev)
++{
++ struct iommufd_device *cur;
++
++ list_for_each_entry(cur, &idev->igroup->device_list, group_item)
++ if (cur == idev)
++ return true;
++ return false;
++}
++
+ static struct iommufd_hw_pagetable *
+ iommufd_device_do_replace(struct iommufd_device *idev,
+ struct iommufd_hw_pagetable *hwpt)
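Review bot: iommufd_device_is_attached() walks `idev->igroup->device_list` without stating or checking that the caller holds the group lock. The call site added in the next hunk is on a path that exits through `goto err_unlock`, so the lock is presumably held there, but the acquisition is outside the visible lines. Adding `lockdep_assert_held(&idev->igroup->lock);` as the first statement of the helper would document the requirement and flag an unlocked caller in lockdep builds. The header comment could also say that attachment is decided by membership in the group's device list, since that is what the loop tests.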
+@@ -423,6 +434,11 @@ iommufd_device_do_replace(struct iommufd
+ rc = -EINVAL;
+ goto err_unlock;
+ }
++
++ if (!iommufd_device_is_attached(idev)) {
++ rc = -EINVAL;
++ goto err_unlock;
++ }
+
+ if (hwpt == igroup->hwpt) {
+ mutex_unlock(&idev->igroup->lock);
selftests-mptcp-close-fd_in-before-returning-in-main_loop.patch
selftests-mptcp-fix-incorrect-fd-checks-in-main_loop.patch
arm64-errata-add-newer-arm-cores-to-the-spectre_bhb_loop_affected-lists.patch
+x86-paravirt-move-halt-paravirt-calls-under-config_paravirt.patch
+acpi-platform-profile-fix-cfi-violation-when-accessing-sysfs-files.patch
+iommufd-fail-replace-if-device-has-not-been-attached.patch
--- /dev/null
+From 22cc5ca5de52bbfc36a7d4a55323f91fb4492264 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Fri, 28 Feb 2025 01:44:14 +0000
+Subject: x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+commit 22cc5ca5de52bbfc36a7d4a55323f91fb4492264 upstream.
+
+CONFIG_PARAVIRT_XXL is mainly defined/used by XEN PV guests. For
+other VM guest types, features supported under CONFIG_PARAVIRT
+are self sufficient. CONFIG_PARAVIRT mainly provides support for
+TLB flush operations and time related operations.
+
+For TDX guest as well, paravirt calls under CONFIG_PARVIRT meets
+most of its requirement except the need of HLT and SAFE_HLT
+paravirt calls, which is currently defined under
+CONFIG_PARAVIRT_XXL.
+
+Since enabling CONFIG_PARAVIRT_XXL is too bloated for TDX guest
+like platforms, move HLT and SAFE_HLT paravirt calls under
+CONFIG_PARAVIRT.
+
+Moving HLT and SAFE_HLT paravirt calls are not fatal and should not
+break any functionality for current users of CONFIG_PARAVIRT.
+
+Fixes: bfe6ed0c6727 ("x86/tdx: Add HLT support for TDX guests")
+Co-developed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Signed-off-by: Vishal Annapurve <vannapurve@google.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Tested-by: Ryan Afranji <afranji@google.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/20250228014416.3925664-2-vannapurve@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/irqflags.h | 40 ++++++++++++++++++----------------
+ arch/x86/include/asm/paravirt.h | 20 ++++++++---------
+ arch/x86/include/asm/paravirt_types.h | 3 --
+ arch/x86/kernel/paravirt.c | 14 ++++++-----
+ 4 files changed, 41 insertions(+), 36 deletions(-)
+
+--- a/arch/x86/include/asm/irqflags.h
++++ b/arch/x86/include/asm/irqflags.h
+@@ -56,6 +56,28 @@ static __always_inline void native_halt(
+
+ #endif
+
++#ifndef CONFIG_PARAVIRT
++#ifndef __ASSEMBLY__
++/*
++ * Used in the idle loop; sti takes one instruction cycle
++ * to complete:
++ */
++static __always_inline void arch_safe_halt(void)
++{
++ native_safe_halt();
++}
++
++/*
++ * Used when interrupts are already enabled or to
++ * shutdown the processor:
++ */
++static __always_inline void halt(void)
++{
++ native_halt();
++}
++#endif /* __ASSEMBLY__ */
++#endif /* CONFIG_PARAVIRT */
++
+ #ifdef CONFIG_PARAVIRT_XXL
+ #include <asm/paravirt.h>
+ #else
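Review bot: With CONFIG_PARAVIRT=y and CONFIG_PARAVIRT_XXL=n this header now defines neither `arch_safe_halt()` nor `halt()`, and the context lines show `<asm/paravirt.h>` being included here only under CONFIG_PARAVIRT_XXL. Code that reaches these helpers through irqflags.h alone would then rely on some other header pulling in paravirt.h. That may already be the case, but it is not visible from this hunk, so a build test on a PARAVIRT-only configuration (the TDX guest case the commit targets) is worthwhile. Separately, the closing comments on the new `#ifndef` blocks would read more accurately as `#endif /* !__ASSEMBLY__ */` and `#endif /* !CONFIG_PARAVIRT */`. The `#else` branch that follows continues past the end of the hunk.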
+@@ -78,24 +100,6 @@ static __always_inline void arch_local_i
+ }
+
+ /*
+- * Used in the idle loop; sti takes one instruction cycle
+- * to complete:
+- */
+-static __always_inline void arch_safe_halt(void)
+-{
+- native_safe_halt();
+-}
+-
+-/*
+- * Used when interrupts are already enabled or to
+- * shutdown the processor:
+- */
+-static __always_inline void halt(void)
+-{
+- native_halt();
+-}
+-
+-/*
+ * For spinlocks, etc:
+ */
+ static __always_inline unsigned long arch_local_irq_save(void)
+--- a/arch/x86/include/asm/paravirt.h
++++ b/arch/x86/include/asm/paravirt.h
+@@ -103,6 +103,16 @@ static inline void notify_page_enc_statu
+ PVOP_VCALL3(mmu.notify_page_enc_status_changed, pfn, npages, enc);
+ }
+
++static __always_inline void arch_safe_halt(void)
++{
++ PVOP_VCALL0(irq.safe_halt);
++}
++
++static inline void halt(void)
++{
++ PVOP_VCALL0(irq.halt);
++}
++
+ #ifdef CONFIG_PARAVIRT_XXL
+ static inline void load_sp0(unsigned long sp0)
+ {
+@@ -168,16 +178,6 @@ static inline void __write_cr4(unsigned
+ PVOP_VCALL1(cpu.write_cr4, x);
+ }
+
+-static __always_inline void arch_safe_halt(void)
+-{
+- PVOP_VCALL0(irq.safe_halt);
+-}
+-
+-static inline void halt(void)
+-{
+- PVOP_VCALL0(irq.halt);
+-}
+-
+ extern noinstr void pv_native_wbinvd(void);
+
+ static __always_inline void wbinvd(void)
+--- a/arch/x86/include/asm/paravirt_types.h
++++ b/arch/x86/include/asm/paravirt_types.h
+@@ -130,10 +130,9 @@ struct pv_irq_ops {
+ struct paravirt_callee_save save_fl;
+ struct paravirt_callee_save irq_disable;
+ struct paravirt_callee_save irq_enable;
+-
++#endif
+ void (*safe_halt)(void);
+ void (*halt)(void);
+-#endif
+ } __no_randomize_layout;
+
+ struct pv_mmu_ops {
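Review bot: The `#endif` that now sits in the middle of struct pv_irq_ops has no comment naming its condition, and the blank line that separated the halt callbacks from the callee-save ops is dropped. That makes it easy to misread which members exist in which configuration. Suggest `#endif /* CONFIG_PARAVIRT_XXL */` followed by a blank line before `void (*safe_halt)(void);`. The matching `#ifdef` is above the hunk, so the condition name is inferred from the other files in this patch.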
+--- a/arch/x86/kernel/paravirt.c
++++ b/arch/x86/kernel/paravirt.c
+@@ -142,6 +142,11 @@ int paravirt_disable_iospace(void)
+ return request_resource(&ioport_resource, &reserve_ioports);
+ }
+
++static noinstr void pv_native_safe_halt(void)
++{
++ native_safe_halt();
++}
++
+ #ifdef CONFIG_PARAVIRT_XXL
+ static noinstr void pv_native_write_cr2(unsigned long val)
+ {
+@@ -162,11 +167,6 @@ noinstr void pv_native_wbinvd(void)
+ {
+ native_wbinvd();
+ }
+-
+-static noinstr void pv_native_safe_halt(void)
+-{
+- native_safe_halt();
+-}
+ #endif
+
+ struct pv_info pv_info = {
+@@ -224,9 +224,11 @@ struct paravirt_patch_template pv_ops =
+ .irq.save_fl = __PV_IS_CALLEE_SAVE(pv_native_save_fl),
+ .irq.irq_disable = __PV_IS_CALLEE_SAVE(pv_native_irq_disable),
+ .irq.irq_enable = __PV_IS_CALLEE_SAVE(pv_native_irq_enable),
++#endif /* CONFIG_PARAVIRT_XXL */
++
++ /* Irq HLT ops. */
+ .irq.safe_halt = pv_native_safe_halt,
+ .irq.halt = native_halt,
+-#endif /* CONFIG_PARAVIRT_XXL */
+
+ /* Mmu ops. */
+ .mmu.flush_tlb_user = native_flush_tlb_local,