--- /dev/null
+From 284b75a3d83c7631586d98f6dede1d90f128f0db Mon Sep 17 00:00:00 2001
+From: Zheng Qixing <zhengqixing@huawei.com>
+Date: Thu, 22 Aug 2024 11:30:50 +0800
+Subject: ata: libata: Fix memory leak for error path in ata_host_alloc()
+
+From: Zheng Qixing <zhengqixing@huawei.com>
+
+commit 284b75a3d83c7631586d98f6dede1d90f128f0db upstream.
+
+In ata_host_alloc(), if devres_alloc() fails to allocate the device host
+resource data pointer, the already allocated ata_host structure is not
+freed before returning from the function. This results in a potential
+memory leak.
+
+Call kfree(host) before jumping to the error handling path to ensure
+that the ata_host structure is properly freed if devres_alloc() fails.
+
+Fixes: 2623c7a5f279 ("libata: add refcounting to ata_host")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -5583,8 +5583,10 @@ struct ata_host *ata_host_alloc(struct d
+ }
+
+ dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL);
+- if (!dr)
++ if (!dr) {
++ kfree(host);
+ goto err_out;
++ }
+
+ devres_add(dev, dr);
+ dev_set_drvdata(dev, host);
--- /dev/null
+From c5af2c90ba5629f0424a8d315f75fb8d91713c3c Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Tue, 20 Aug 2024 17:28:43 +0800
+Subject: irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit c5af2c90ba5629f0424a8d315f75fb8d91713c3c upstream.
+
+gicv2m_of_init() fails to perform an of_node_put() when
+of_address_to_resource() fails, leading to a refcount leak.
+
+Address this by moving the error handling path outside of the loop and
+making it common to all failure modes.
+
+Fixes: 4266ab1a8ff5 ("irqchip/gic-v2m: Refactor to prepare for ACPI support")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20240820092843.1219933-1-make24@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-gic-v2m.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/irqchip/irq-gic-v2m.c
++++ b/drivers/irqchip/irq-gic-v2m.c
+@@ -438,12 +438,12 @@ static int __init gicv2m_of_init(struct
+
+ ret = gicv2m_init_one(&child->fwnode, spi_start, nr_spis,
+ &res, 0);
+- if (ret) {
+- of_node_put(child);
++ if (ret)
+ break;
+- }
+ }
+
++ if (ret && child)
++ of_node_put(child);
+ if (!ret)
+ ret = gicv2m_allocate_domains(parent);
+ if (ret)
--- /dev/null
+From efe81b7bdf7d882d0ce3d183f1571321046da8f1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Tue, 20 Aug 2024 11:42:40 +0300
+Subject: irqchip/riscv-aplic: Fix an IS_ERR() vs NULL bug in probe()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit efe81b7bdf7d882d0ce3d183f1571321046da8f1 upstream.
+
+The devm_platform_ioremap_resource() function doesn't return NULL, it
+returns error pointers. Fix the error handling to match.
+
+Fixes: 2333df5ae51e ("irqchip: Add RISC-V advanced PLIC driver for direct-mode")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Reviewed-by: Anup Patel <anup@brainfault.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/a5a628d6-81d8-4933-81a8-64aad4743ec4@stanley.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-riscv-aplic-main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/irqchip/irq-riscv-aplic-main.c b/drivers/irqchip/irq-riscv-aplic-main.c
+index 28dd175b5764..981fad6fb8f7 100644
+--- a/drivers/irqchip/irq-riscv-aplic-main.c
++++ b/drivers/irqchip/irq-riscv-aplic-main.c
+@@ -175,9 +175,9 @@ static int aplic_probe(struct platform_device *pdev)
+
+ /* Map the MMIO registers */
+ regs = devm_platform_ioremap_resource(pdev, 0);
+- if (!regs) {
++ if (IS_ERR(regs)) {
+ dev_err(dev, "failed map MMIO registers\n");
+- return -ENOMEM;
++ return PTR_ERR(regs);
+ }
+
+ /*
+--
+2.46.0
+
--- /dev/null
+From 4d936f10ff80274841537a26d1fbfe9984de0ef9 Mon Sep 17 00:00:00 2001
+From: Anup Patel <apatel@ventanamicro.com>
+Date: Tue, 20 Aug 2024 09:18:50 +0530
+Subject: irqchip/sifive-plic: Probe plic driver early for Allwinner D1 platform
+
+From: Anup Patel <apatel@ventanamicro.com>
+
+commit 4d936f10ff80274841537a26d1fbfe9984de0ef9 upstream.
+
+The latest Linux RISC-V no longer boots on the Allwinner D1 platform
+because the sun4i_timer driver fails to get an interrupt from PLIC due to
+the recent conversion of the PLIC to a platform driver. Converting the
+sun4i timer to a platform driver does not work either because the D1 does
+not have a SBI timer available so early boot hangs. See the 'Closes:'
+link for deeper analysis.
+
+The real fix requires enabling the SBI time extension in the platform
+firmware (OpenSBI) and convert sun4i_timer into platform driver.
+Unfortunately, the real fix involves changing multiple places and can't be
+achieved in a short duration and aside of that requires users to update
+firmware.
+
+As a work-around, retrofit PLIC probing such that the PLIC is probed early
+only for the Allwinner D1 platform and probed as a regular platform driver
+for rest of the RISC-V platforms. In the process, partially revert some of
+the previous changes because the PLIC device pointer is not available in
+all probing paths.
+
+Fixes: e306a894bd51 ("irqchip/sifive-plic: Chain to parent IRQ after handlers are ready")
+Fixes: 8ec99b033147 ("irqchip/sifive-plic: Convert PLIC driver into a platform driver")
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Anup Patel <apatel@ventanamicro.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Samuel Holland <samuel.holland@sifive.com>
+Tested-by: Emil Renner Berthing <emil.renner.berthing@canonical.com>
+Tested-by: Charlie Jenkins <charlie@rivosinc.com>
+Reviewed-by: Samuel Holland <samuel.holland@sifive.com>
+Reviewed-by: Charlie Jenkins <charlie@rivosinc.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20240820034850.3189912-1-apatel@ventanamicro.com
+Closes: https://lore.kernel.org/lkml/20240814145642.344485-1-emil.renner.berthing@canonical.com/
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-sifive-plic.c | 115 +++++++++++++++++++++++---------------
+ 1 file changed, 71 insertions(+), 44 deletions(-)
+
+--- a/drivers/irqchip/irq-sifive-plic.c
++++ b/drivers/irqchip/irq-sifive-plic.c
+@@ -3,6 +3,7 @@
+ * Copyright (C) 2017 SiFive
+ * Copyright (C) 2018 Christoph Hellwig
+ */
++#define pr_fmt(fmt) "riscv-plic: " fmt
+ #include <linux/cpu.h>
+ #include <linux/interrupt.h>
+ #include <linux/io.h>
+@@ -63,7 +64,7 @@
+ #define PLIC_QUIRK_EDGE_INTERRUPT 0
+
+ struct plic_priv {
+- struct device *dev;
++ struct fwnode_handle *fwnode;
+ struct cpumask lmask;
+ struct irq_domain *irqdomain;
+ void __iomem *regs;
+@@ -378,8 +379,8 @@ static void plic_handle_irq(struct irq_d
+ int err = generic_handle_domain_irq(handler->priv->irqdomain,
+ hwirq);
+ if (unlikely(err)) {
+- dev_warn_ratelimited(handler->priv->dev,
+- "can't find mapping for hwirq %lu\n", hwirq);
++ pr_warn_ratelimited("%pfwP: can't find mapping for hwirq %lu\n",
++ handler->priv->fwnode, hwirq);
+ }
+ }
+
+@@ -408,7 +409,8 @@ static int plic_starting_cpu(unsigned in
+ enable_percpu_irq(plic_parent_irq,
+ irq_get_trigger_type(plic_parent_irq));
+ else
+- dev_warn(handler->priv->dev, "cpu%d: parent irq not available\n", cpu);
++ pr_warn("%pfwP: cpu%d: parent irq not available\n",
++ handler->priv->fwnode, cpu);
+ plic_set_threshold(handler, PLIC_ENABLE_THRESHOLD);
+
+ return 0;
+@@ -424,38 +426,36 @@ static const struct of_device_id plic_ma
+ {}
+ };
+
+-static int plic_parse_nr_irqs_and_contexts(struct platform_device *pdev,
++static int plic_parse_nr_irqs_and_contexts(struct fwnode_handle *fwnode,
+ u32 *nr_irqs, u32 *nr_contexts)
+ {
+- struct device *dev = &pdev->dev;
+ int rc;
+
+ /*
+ * Currently, only OF fwnode is supported so extend this
+ * function for ACPI support.
+ */
+- if (!is_of_node(dev->fwnode))
++ if (!is_of_node(fwnode))
+ return -EINVAL;
+
+- rc = of_property_read_u32(to_of_node(dev->fwnode), "riscv,ndev", nr_irqs);
++ rc = of_property_read_u32(to_of_node(fwnode), "riscv,ndev", nr_irqs);
+ if (rc) {
+- dev_err(dev, "riscv,ndev property not available\n");
++ pr_err("%pfwP: riscv,ndev property not available\n", fwnode);
+ return rc;
+ }
+
+- *nr_contexts = of_irq_count(to_of_node(dev->fwnode));
++ *nr_contexts = of_irq_count(to_of_node(fwnode));
+ if (WARN_ON(!(*nr_contexts))) {
+- dev_err(dev, "no PLIC context available\n");
++ pr_err("%pfwP: no PLIC context available\n", fwnode);
+ return -EINVAL;
+ }
+
+ return 0;
+ }
+
+-static int plic_parse_context_parent(struct platform_device *pdev, u32 context,
++static int plic_parse_context_parent(struct fwnode_handle *fwnode, u32 context,
+ u32 *parent_hwirq, int *parent_cpu)
+ {
+- struct device *dev = &pdev->dev;
+ struct of_phandle_args parent;
+ unsigned long hartid;
+ int rc;
+@@ -464,10 +464,10 @@ static int plic_parse_context_parent(str
+ * Currently, only OF fwnode is supported so extend this
+ * function for ACPI support.
+ */
+- if (!is_of_node(dev->fwnode))
++ if (!is_of_node(fwnode))
+ return -EINVAL;
+
+- rc = of_irq_parse_one(to_of_node(dev->fwnode), context, &parent);
++ rc = of_irq_parse_one(to_of_node(fwnode), context, &parent);
+ if (rc)
+ return rc;
+
+@@ -480,48 +480,55 @@ static int plic_parse_context_parent(str
+ return 0;
+ }
+
+-static int plic_probe(struct platform_device *pdev)
++static int plic_probe(struct fwnode_handle *fwnode)
+ {
+ int error = 0, nr_contexts, nr_handlers = 0, cpu, i;
+- struct device *dev = &pdev->dev;
+ unsigned long plic_quirks = 0;
+ struct plic_handler *handler;
+ u32 nr_irqs, parent_hwirq;
+ struct plic_priv *priv;
+ irq_hw_number_t hwirq;
++ void __iomem *regs;
+
+- if (is_of_node(dev->fwnode)) {
++ if (is_of_node(fwnode)) {
+ const struct of_device_id *id;
+
+- id = of_match_node(plic_match, to_of_node(dev->fwnode));
++ id = of_match_node(plic_match, to_of_node(fwnode));
+ if (id)
+ plic_quirks = (unsigned long)id->data;
++
++ regs = of_iomap(to_of_node(fwnode), 0);
++ if (!regs)
++ return -ENOMEM;
++ } else {
++ return -ENODEV;
+ }
+
+- error = plic_parse_nr_irqs_and_contexts(pdev, &nr_irqs, &nr_contexts);
++ error = plic_parse_nr_irqs_and_contexts(fwnode, &nr_irqs, &nr_contexts);
+ if (error)
+- return error;
++ goto fail_free_regs;
+
+- priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
+- if (!priv)
+- return -ENOMEM;
++ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
++ if (!priv) {
++ error = -ENOMEM;
++ goto fail_free_regs;
++ }
+
+- priv->dev = dev;
++ priv->fwnode = fwnode;
+ priv->plic_quirks = plic_quirks;
+ priv->nr_irqs = nr_irqs;
++ priv->regs = regs;
+
+- priv->regs = devm_platform_ioremap_resource(pdev, 0);
+- if (WARN_ON(!priv->regs))
+- return -EIO;
+-
+- priv->prio_save = devm_bitmap_zalloc(dev, nr_irqs, GFP_KERNEL);
+- if (!priv->prio_save)
+- return -ENOMEM;
++ priv->prio_save = bitmap_zalloc(nr_irqs, GFP_KERNEL);
++ if (!priv->prio_save) {
++ error = -ENOMEM;
++ goto fail_free_priv;
++ }
+
+ for (i = 0; i < nr_contexts; i++) {
+- error = plic_parse_context_parent(pdev, i, &parent_hwirq, &cpu);
++ error = plic_parse_context_parent(fwnode, i, &parent_hwirq, &cpu);
+ if (error) {
+- dev_warn(dev, "hwirq for context%d not found\n", i);
++ pr_warn("%pfwP: hwirq for context%d not found\n", fwnode, i);
+ continue;
+ }
+
+@@ -543,7 +550,7 @@ static int plic_probe(struct platform_de
+ }
+
+ if (cpu < 0) {
+- dev_warn(dev, "Invalid cpuid for context %d\n", i);
++ pr_warn("%pfwP: Invalid cpuid for context %d\n", fwnode, i);
+ continue;
+ }
+
+@@ -554,7 +561,7 @@ static int plic_probe(struct platform_de
+ */
+ handler = per_cpu_ptr(&plic_handlers, cpu);
+ if (handler->present) {
+- dev_warn(dev, "handler already present for context %d.\n", i);
++ pr_warn("%pfwP: handler already present for context %d.\n", fwnode, i);
+ plic_set_threshold(handler, PLIC_DISABLE_THRESHOLD);
+ goto done;
+ }
+@@ -568,8 +575,8 @@ static int plic_probe(struct platform_de
+ i * CONTEXT_ENABLE_SIZE;
+ handler->priv = priv;
+
+- handler->enable_save = devm_kcalloc(dev, DIV_ROUND_UP(nr_irqs, 32),
+- sizeof(*handler->enable_save), GFP_KERNEL);
++ handler->enable_save = kcalloc(DIV_ROUND_UP(nr_irqs, 32),
++ sizeof(*handler->enable_save), GFP_KERNEL);
+ if (!handler->enable_save)
+ goto fail_cleanup_contexts;
+ done:
+@@ -581,7 +588,7 @@ done:
+ nr_handlers++;
+ }
+
+- priv->irqdomain = irq_domain_add_linear(to_of_node(dev->fwnode), nr_irqs + 1,
++ priv->irqdomain = irq_domain_add_linear(to_of_node(fwnode), nr_irqs + 1,
+ &plic_irqdomain_ops, priv);
+ if (WARN_ON(!priv->irqdomain))
+ goto fail_cleanup_contexts;
+@@ -619,13 +626,13 @@ done:
+ }
+ }
+
+- dev_info(dev, "mapped %d interrupts with %d handlers for %d contexts.\n",
+- nr_irqs, nr_handlers, nr_contexts);
++ pr_info("%pfwP: mapped %d interrupts with %d handlers for %d contexts.\n",
++ fwnode, nr_irqs, nr_handlers, nr_contexts);
+ return 0;
+
+ fail_cleanup_contexts:
+ for (i = 0; i < nr_contexts; i++) {
+- if (plic_parse_context_parent(pdev, i, &parent_hwirq, &cpu))
++ if (plic_parse_context_parent(fwnode, i, &parent_hwirq, &cpu))
+ continue;
+ if (parent_hwirq != RV_IRQ_EXT || cpu < 0)
+ continue;
+@@ -634,17 +641,37 @@ fail_cleanup_contexts:
+ handler->present = false;
+ handler->hart_base = NULL;
+ handler->enable_base = NULL;
++ kfree(handler->enable_save);
+ handler->enable_save = NULL;
+ handler->priv = NULL;
+ }
+- return -ENOMEM;
++ bitmap_free(priv->prio_save);
++fail_free_priv:
++ kfree(priv);
++fail_free_regs:
++ iounmap(regs);
++ return error;
++}
++
++static int plic_platform_probe(struct platform_device *pdev)
++{
++ return plic_probe(pdev->dev.fwnode);
+ }
+
+ static struct platform_driver plic_driver = {
+ .driver = {
+ .name = "riscv-plic",
+ .of_match_table = plic_match,
++ .suppress_bind_attrs = true,
+ },
+- .probe = plic_probe,
++ .probe = plic_platform_probe,
+ };
+ builtin_platform_driver(plic_driver);
++
++static int __init plic_early_probe(struct device_node *node,
++ struct device_node *parent)
++{
++ return plic_probe(&node->fwnode);
++}
++
++IRQCHIP_DECLARE(riscv, "allwinner,sun20i-d1-plic", plic_early_probe);
--- /dev/null
+From 844436e045ac2ab7895d8b281cb784a24de1d14d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Thu, 29 Aug 2024 22:22:35 +0300
+Subject: ksmbd: Unlock on in ksmbd_tcp_set_interfaces()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 844436e045ac2ab7895d8b281cb784a24de1d14d upstream.
+
+Unlock before returning an error code if this allocation fails.
+
+Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
+Cc: stable@vger.kernel.org # v5.15+
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/transport_tcp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/transport_tcp.c
++++ b/fs/smb/server/transport_tcp.c
+@@ -624,8 +624,10 @@ int ksmbd_tcp_set_interfaces(char *ifc_l
+ for_each_netdev(&init_net, netdev) {
+ if (netif_is_bridge_port(netdev))
+ continue;
+- if (!alloc_iface(kstrdup(netdev->name, GFP_KERNEL)))
++ if (!alloc_iface(kstrdup(netdev->name, GFP_KERNEL))) {
++ rtnl_unlock();
+ return -ENOMEM;
++ }
+ }
+ rtnl_unlock();
+ bind_additional_ifaces = 1;
--- /dev/null
+From 78c5a6f1f630172b19af4912e755e1da93ef0ab5 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Tue, 27 Aug 2024 21:44:41 +0900
+Subject: ksmbd: unset the binding mark of a reused connection
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 78c5a6f1f630172b19af4912e755e1da93ef0ab5 upstream.
+
+Steve French reported null pointer dereference error from sha256 lib.
+cifs.ko can send session setup requests on reused connection.
+If reused connection is used for binding session, conn->binding can
+still remain true and generate_preauth_hash() will not set
+sess->Preauth_HashValue and it will be NULL.
+It is used as a material to create an encryption key in
+ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer
+dereference error from crypto_shash_update().
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+#PF: supervisor read access in kernel mode
+#PF: error_code(0x0000) - not-present page
+PGD 0 P4D 0
+Oops: 0000 [#1] PREEMPT SMP PTI
+CPU: 8 PID: 429254 Comm: kworker/8:39
+Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 )
+Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
+RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
+<TASK>
+? show_regs+0x6d/0x80
+? __die+0x24/0x80
+? page_fault_oops+0x99/0x1b0
+? do_user_addr_fault+0x2ee/0x6b0
+? exc_page_fault+0x83/0x1b0
+? asm_exc_page_fault+0x27/0x30
+? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
+? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
+? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
+? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
+_sha256_update+0x77/0xa0 [sha256_ssse3]
+sha256_avx2_update+0x15/0x30 [sha256_ssse3]
+crypto_shash_update+0x1e/0x40
+hmac_update+0x12/0x20
+crypto_shash_update+0x1e/0x40
+generate_key+0x234/0x380 [ksmbd]
+generate_smb3encryptionkey+0x40/0x1c0 [ksmbd]
+ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd]
+ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd]
+smb2_sess_setup+0x952/0xaa0 [ksmbd]
+__process_request+0xa3/0x1d0 [ksmbd]
+__handle_ksmbd_work+0x1c4/0x2f0 [ksmbd]
+handle_ksmbd_work+0x2d/0xa0 [ksmbd]
+process_one_work+0x16c/0x350
+worker_thread+0x306/0x440
+? __pfx_worker_thread+0x10/0x10
+kthread+0xef/0x120
+? __pfx_kthread+0x10/0x10
+ret_from_fork+0x44/0x70
+? __pfx_kthread+0x10/0x10
+ret_from_fork_asm+0x1b/0x30
+</TASK>
+
+Fixes: f5a544e3bab7 ("ksmbd: add support for SMB3 multichannel")
+Cc: stable@vger.kernel.org # v5.15+
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1687,6 +1687,8 @@ int smb2_sess_setup(struct ksmbd_work *w
+ rc = ksmbd_session_register(conn, sess);
+ if (rc)
+ goto out_err;
++
++ conn->binding = false;
+ } else if (conn->dialect >= SMB30_PROT_ID &&
+ (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL) &&
+ req->Flags & SMB2_SESSION_REQ_FLAG_BINDING) {
+@@ -1765,6 +1767,8 @@ int smb2_sess_setup(struct ksmbd_work *w
+ sess = NULL;
+ goto out_err;
+ }
++
++ conn->binding = false;
+ }
+ work->sess = sess;
+
--- /dev/null
+From 25dfc9e357af8aed1ca79b318a73f2c59c1f0b2b Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Mon, 19 Aug 2024 11:30:04 -0700
+Subject: perf/x86/intel: Limit the period on Haswell
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+commit 25dfc9e357af8aed1ca79b318a73f2c59c1f0b2b upstream.
+
+Running the ltp test cve-2015-3290 concurrently reports the following
+warnings.
+
+perfevents: irq loop stuck!
+ WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174
+ intel_pmu_handle_irq+0x285/0x370
+ Call Trace:
+ <NMI>
+ ? __warn+0xa4/0x220
+ ? intel_pmu_handle_irq+0x285/0x370
+ ? __report_bug+0x123/0x130
+ ? intel_pmu_handle_irq+0x285/0x370
+ ? __report_bug+0x123/0x130
+ ? intel_pmu_handle_irq+0x285/0x370
+ ? report_bug+0x3e/0xa0
+ ? handle_bug+0x3c/0x70
+ ? exc_invalid_op+0x18/0x50
+ ? asm_exc_invalid_op+0x1a/0x20
+ ? irq_work_claim+0x1e/0x40
+ ? intel_pmu_handle_irq+0x285/0x370
+ perf_event_nmi_handler+0x3d/0x60
+ nmi_handle+0x104/0x330
+
+Thanks to Thomas Gleixner's analysis, the issue is caused by the low
+initial period (1) of the frequency estimation algorithm, which triggers
+the defects of the HW, specifically erratum HSW11 and HSW143. (For the
+details, please refer https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/)
+
+The HSW11 requires a period larger than 100 for the INST_RETIRED.ALL
+event, but the initial period in the freq mode is 1. The erratum is the
+same as the BDM11, which has been supported in the kernel. A minimum
+period of 128 is enforced as well on HSW.
+
+HSW143 is regarding that the fixed counter 1 may overcount 32 with the
+Hyper-Threading is enabled. However, based on the test, the hardware
+has more issues than it tells. Besides the fixed counter 1, the message
+'interrupt took too long' can be observed on any counter which was armed
+with a period < 32 and two events expired in the same NMI. A minimum
+period of 32 is enforced for the rest of the events.
+The recommended workaround code of the HSW143 is not implemented.
+Because it only addresses the issue for the fixed counter. It brings
+extra overhead through extra MSR writing. No related overcounting issue
+has been reported so far.
+
+Fixes: 3a632cb229bf ("perf/x86/intel: Add simple Haswell PMU support")
+Reported-by: Li Huafei <lihuafei1@huawei.com>
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20240819183004.3132920-1-kan.liang@linux.intel.com
+Closes: https://lore.kernel.org/lkml/20240729223328.327835-1-lihuafei1@huawei.com/
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/core.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -4529,6 +4529,25 @@ static enum hybrid_cpu_type adl_get_hybr
+ return HYBRID_INTEL_CORE;
+ }
+
++static inline bool erratum_hsw11(struct perf_event *event)
++{
++ return (event->hw.config & INTEL_ARCH_EVENT_MASK) ==
++ X86_CONFIG(.event=0xc0, .umask=0x01);
++}
++
++/*
++ * The HSW11 requires a period larger than 100 which is the same as the BDM11.
++ * A minimum period of 128 is enforced as well for the INST_RETIRED.ALL.
++ *
++ * The message 'interrupt took too long' can be observed on any counter which
++ * was armed with a period < 32 and two events expired in the same NMI.
++ * A minimum period of 32 is enforced for the rest of the events.
++ */
++static void hsw_limit_period(struct perf_event *event, s64 *left)
++{
++ *left = max(*left, erratum_hsw11(event) ? 128 : 32);
++}
++
+ /*
+ * Broadwell:
+ *
+@@ -4546,8 +4565,7 @@ static enum hybrid_cpu_type adl_get_hybr
+ */
+ static void bdw_limit_period(struct perf_event *event, s64 *left)
+ {
+- if ((event->hw.config & INTEL_ARCH_EVENT_MASK) ==
+- X86_CONFIG(.event=0xc0, .umask=0x01)) {
++ if (erratum_hsw11(event)) {
+ if (*left < 128)
+ *left = 128;
+ *left &= ~0x3fULL;
+@@ -6573,6 +6591,7 @@ __init int intel_pmu_init(void)
+
+ x86_pmu.hw_config = hsw_hw_config;
+ x86_pmu.get_event_constraints = hsw_get_event_constraints;
++ x86_pmu.limit_period = hsw_limit_period;
+ x86_pmu.lbr_double_abort = true;
+ extra_attr = boot_cpu_has(X86_FEATURE_RTM) ?
+ hsw_format_attr : nhm_format_attr;
--- /dev/null
+From 734ad0af3609464f8f93e00b6c0de1e112f44559 Mon Sep 17 00:00:00 2001
+From: "Nysal Jan K.A." <nysal@linux.ibm.com>
+Date: Thu, 29 Aug 2024 07:58:27 +0530
+Subject: powerpc/qspinlock: Fix deadlock in MCS queue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nysal Jan K.A. <nysal@linux.ibm.com>
+
+commit 734ad0af3609464f8f93e00b6c0de1e112f44559 upstream.
+
+If an interrupt occurs in queued_spin_lock_slowpath() after we increment
+qnodesp->count and before node->lock is initialized, another CPU might
+see stale lock values in get_tail_qnode(). If the stale lock value happens
+to match the lock on that CPU, then we write to the "next" pointer of
+the wrong qnode. This causes a deadlock as the former CPU, once it becomes
+the head of the MCS queue, will spin indefinitely until it's "next" pointer
+is set by its successor in the queue.
+
+Running stress-ng on a 16 core (16EC/16VP) shared LPAR, results in
+occasional lockups similar to the following:
+
+ $ stress-ng --all 128 --vm-bytes 80% --aggressive \
+ --maximize --oomable --verify --syslog \
+ --metrics --times --timeout 5m
+
+ watchdog: CPU 15 Hard LOCKUP
+ ......
+ NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490
+ LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90
+ Call Trace:
+ 0xc000002cfffa3bf0 (unreliable)
+ _raw_spin_lock+0x6c/0x90
+ raw_spin_rq_lock_nested.part.135+0x4c/0xd0
+ sched_ttwu_pending+0x60/0x1f0
+ __flush_smp_call_function_queue+0x1dc/0x670
+ smp_ipi_demux_relaxed+0xa4/0x100
+ xive_muxed_ipi_action+0x20/0x40
+ __handle_irq_event_percpu+0x80/0x240
+ handle_irq_event_percpu+0x2c/0x80
+ handle_percpu_irq+0x84/0xd0
+ generic_handle_irq+0x54/0x80
+ __do_irq+0xac/0x210
+ __do_IRQ+0x74/0xd0
+ 0x0
+ do_IRQ+0x8c/0x170
+ hardware_interrupt_common_virt+0x29c/0x2a0
+ --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490
+ ......
+ NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490
+ LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90
+ --- interrupt: 500
+ 0xc0000029c1a41d00 (unreliable)
+ _raw_spin_lock+0x6c/0x90
+ futex_wake+0x100/0x260
+ do_futex+0x21c/0x2a0
+ sys_futex+0x98/0x270
+ system_call_exception+0x14c/0x2f0
+ system_call_vectored_common+0x15c/0x2ec
+
+The following code flow illustrates how the deadlock occurs.
+For the sake of brevity, assume that both locks (A and B) are
+contended and we call the queued_spin_lock_slowpath() function.
+
+ CPU0 CPU1
+ ---- ----
+ spin_lock_irqsave(A) |
+ spin_unlock_irqrestore(A) |
+ spin_lock(B) |
+ | |
+ ▼ |
+ id = qnodesp->count++; |
+ (Note that nodes[0].lock == A) |
+ | |
+ ▼ |
+ Interrupt |
+ (happens before "nodes[0].lock = B") |
+ | |
+ ▼ |
+ spin_lock_irqsave(A) |
+ | |
+ ▼ |
+ id = qnodesp->count++ |
+ nodes[1].lock = A |
+ | |
+ ▼ |
+ Tail of MCS queue |
+ | spin_lock_irqsave(A)
+ ▼ |
+ Head of MCS queue ▼
+ | CPU0 is previous tail
+ ▼ |
+ Spin indefinitely ▼
+ (until "nodes[1].next != NULL") prev = get_tail_qnode(A, CPU0)
+ |
+ ▼
+ prev == &qnodes[CPU0].nodes[0]
+ (as qnodes[CPU0].nodes[0].lock == A)
+ |
+ ▼
+ WRITE_ONCE(prev->next, node)
+ |
+ ▼
+ Spin indefinitely
+ (until nodes[0].locked == 1)
+
+Thanks to Saket Kumar Bhaskar for help with recreating the issue
+
+Fixes: 84990b169557 ("powerpc/qspinlock: add mcs queueing for contended waiters")
+Cc: stable@vger.kernel.org # v6.2+
+Reported-by: Geetika Moolchandani <geetika@linux.ibm.com>
+Reported-by: Vaishnavi Bhat <vaish123@in.ibm.com>
+Reported-by: Jijo Varghese <vargjijo@in.ibm.com>
+Signed-off-by: Nysal Jan K.A. <nysal@linux.ibm.com>
+Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240829022830.1164355-1-nysal@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/lib/qspinlock.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/lib/qspinlock.c
++++ b/arch/powerpc/lib/qspinlock.c
+@@ -697,7 +697,15 @@ again:
+ }
+
+ release:
+- qnodesp->count--; /* release the node */
++ /*
++ * Clear the lock before releasing the node, as another CPU might see stale
++ * values if an interrupt occurs after we increment qnodesp->count
++ * but before node->lock is initialized. The barrier ensures that
++ * there are no further stores to the node after it has been released.
++ */
++ node->lock = NULL;
++ barrier();
++ qnodesp->count--;
+ }
+
+ void queued_spin_lock_slowpath(struct qspinlock *lock)
--- /dev/null
+From d33d26036a0274b472299d7dcdaa5fb34329f91b Mon Sep 17 00:00:00 2001
+From: Roland Xu <mu001999@outlook.com>
+Date: Thu, 15 Aug 2024 10:58:13 +0800
+Subject: rtmutex: Drop rt_mutex::wait_lock before scheduling
+
+From: Roland Xu <mu001999@outlook.com>
+
+commit d33d26036a0274b472299d7dcdaa5fb34329f91b upstream.
+
+rt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held. In the
+good case it returns with the lock held and in the deadlock case it emits a
+warning and goes into an endless scheduling loop with the lock held, which
+triggers the 'scheduling in atomic' warning.
+
+Unlock rt_mutex::wait_lock in the dead lock case before issuing the warning
+and dropping into the schedule for ever loop.
+
+[ tglx: Moved unlock before the WARN(), removed the pointless comment,
+ massaged changelog, added Fixes tag ]
+
+Fixes: 3d5c9340d194 ("rtmutex: Handle deadlock detection smarter")
+Signed-off-by: Roland Xu <mu001999@outlook.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/ME0P300MB063599BEF0743B8FA339C2CECC802@ME0P300MB0635.AUSP300.PROD.OUTLOOK.COM
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/locking/rtmutex.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/kernel/locking/rtmutex.c
++++ b/kernel/locking/rtmutex.c
+@@ -1644,6 +1644,7 @@ static int __sched rt_mutex_slowlock_blo
+ }
+
+ static void __sched rt_mutex_handle_deadlock(int res, int detect_deadlock,
++ struct rt_mutex_base *lock,
+ struct rt_mutex_waiter *w)
+ {
+ /*
+@@ -1656,10 +1657,10 @@ static void __sched rt_mutex_handle_dead
+ if (build_ww_mutex() && w->ww_ctx)
+ return;
+
+- /*
+- * Yell loudly and stop the task right here.
+- */
++ raw_spin_unlock_irq(&lock->wait_lock);
++
+ WARN(1, "rtmutex deadlock detected\n");
++
+ while (1) {
+ set_current_state(TASK_INTERRUPTIBLE);
+ rt_mutex_schedule();
+@@ -1713,7 +1714,7 @@ static int __sched __rt_mutex_slowlock(s
+ } else {
+ __set_current_state(TASK_RUNNING);
+ remove_waiter(lock, waiter);
+- rt_mutex_handle_deadlock(ret, chwalk, waiter);
++ rt_mutex_handle_deadlock(ret, chwalk, lock, waiter);
+ }
+
+ /*
alsa-hda-realtek-enable-mute-led-for-hp-victus-15-fb1xxx.patch
alsa-hda-realtek-fix-inactive-headset-mic-jack-for-asus-vivobook-15-x1504vap.patch
alsa-hda-realtek-support-mute-led-on-hp-laptop-14-dq2xxx.patch
+powerpc-qspinlock-fix-deadlock-in-mcs-queue.patch
+smb-client-fix-double-put-of-cfile-in-smb2_set_path_size.patch
+ksmbd-unset-the-binding-mark-of-a-reused-connection.patch
+ksmbd-unlock-on-in-ksmbd_tcp_set_interfaces.patch
+ata-libata-fix-memory-leak-for-error-path-in-ata_host_alloc.patch
+x86-tdx-fix-data-leak-in-mmio_read.patch
+perf-x86-intel-limit-the-period-on-haswell.patch
+irqchip-gic-v2m-fix-refcount-leak-in-gicv2m_of_init.patch
+irqchip-sifive-plic-probe-plic-driver-early-for-allwinner-d1-platform.patch
+x86-kaslr-expose-and-use-the-end-of-the-physical-memory-address-space.patch
+rtmutex-drop-rt_mutex-wait_lock-before-scheduling.patch
+irqchip-riscv-aplic-fix-an-is_err-vs-null-bug-in-probe.patch
--- /dev/null
+From f9c169b51b6ce20394594ef674d6b10efba31220 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@manguebit.com>
+Date: Tue, 3 Sep 2024 10:53:24 -0300
+Subject: smb: client: fix double put of @cfile in smb2_set_path_size()
+
+From: Paulo Alcantara <pc@manguebit.com>
+
+commit f9c169b51b6ce20394594ef674d6b10efba31220 upstream.
+
+If smb2_compound_op() is called with a valid @cfile and returned
+-EINVAL, we need to call cifs_get_writable_path() before retrying it
+as the reference of @cfile was already dropped by previous call.
+
+This fixes the following KASAN splat when running fstests generic/013
+against Windows Server 2022:
+
+ CIFS: Attempting to mount //w22-fs0/scratch
+ run fstests generic/013 at 2024-09-02 19:48:59
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200
+ Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176
+
+ CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40
+ 04/01/2014
+ Workqueue: cifsoplockd cifs_oplock_break [cifs]
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x5d/0x80
+ ? detach_if_pending+0xab/0x200
+ print_report+0x156/0x4d9
+ ? detach_if_pending+0xab/0x200
+ ? __virt_addr_valid+0x145/0x300
+ ? __phys_addr+0x46/0x90
+ ? detach_if_pending+0xab/0x200
+ kasan_report+0xda/0x110
+ ? detach_if_pending+0xab/0x200
+ detach_if_pending+0xab/0x200
+ timer_delete+0x96/0xe0
+ ? __pfx_timer_delete+0x10/0x10
+ ? rcu_is_watching+0x20/0x50
+ try_to_grab_pending+0x46/0x3b0
+ __cancel_work+0x89/0x1b0
+ ? __pfx___cancel_work+0x10/0x10
+ ? kasan_save_track+0x14/0x30
+ cifs_close_deferred_file+0x110/0x2c0 [cifs]
+ ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]
+ ? __pfx_down_read+0x10/0x10
+ cifs_oplock_break+0x4c1/0xa50 [cifs]
+ ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]
+ ? lock_is_held_type+0x85/0xf0
+ ? mark_held_locks+0x1a/0x90
+ process_one_work+0x4c6/0x9f0
+ ? find_held_lock+0x8a/0xa0
+ ? __pfx_process_one_work+0x10/0x10
+ ? lock_acquired+0x220/0x550
+ ? __list_add_valid_or_report+0x37/0x100
+ worker_thread+0x2e4/0x570
+ ? __kthread_parkme+0xd1/0xf0
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0x17f/0x1c0
+ ? kthread+0xda/0x1c0
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x31/0x60
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+ Allocated by task 1118:
+ kasan_save_stack+0x30/0x50
+ kasan_save_track+0x14/0x30
+ __kasan_kmalloc+0xaa/0xb0
+ cifs_new_fileinfo+0xc8/0x9d0 [cifs]
+ cifs_atomic_open+0x467/0x770 [cifs]
+ lookup_open.isra.0+0x665/0x8b0
+ path_openat+0x4c3/0x1380
+ do_filp_open+0x167/0x270
+ do_sys_openat2+0x129/0x160
+ __x64_sys_creat+0xad/0xe0
+ do_syscall_64+0xbb/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+ Freed by task 83:
+ kasan_save_stack+0x30/0x50
+ kasan_save_track+0x14/0x30
+ kasan_save_free_info+0x3b/0x70
+ poison_slab_object+0xe9/0x160
+ __kasan_slab_free+0x32/0x50
+ kfree+0xf2/0x300
+ process_one_work+0x4c6/0x9f0
+ worker_thread+0x2e4/0x570
+ kthread+0x17f/0x1c0
+ ret_from_fork+0x31/0x60
+ ret_from_fork_asm+0x1a/0x30
+
+ Last potentially related work creation:
+ kasan_save_stack+0x30/0x50
+ __kasan_record_aux_stack+0xad/0xc0
+ insert_work+0x29/0xe0
+ __queue_work+0x5ea/0x760
+ queue_work_on+0x6d/0x90
+ _cifsFileInfo_put+0x3f6/0x770 [cifs]
+ smb2_compound_op+0x911/0x3940 [cifs]
+ smb2_set_path_size+0x228/0x270 [cifs]
+ cifs_set_file_size+0x197/0x460 [cifs]
+ cifs_setattr+0xd9c/0x14b0 [cifs]
+ notify_change+0x4e3/0x740
+ do_truncate+0xfa/0x180
+ vfs_truncate+0x195/0x200
+ __x64_sys_truncate+0x109/0x150
+ do_syscall_64+0xbb/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 71f15c90e785 ("smb: client: retry compound request without reusing lease")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+Cc: David Howells <dhowells@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/smb/client/smb2inode.c
++++ b/fs/smb/client/smb2inode.c
+@@ -1149,6 +1149,7 @@ smb2_set_path_size(const unsigned int xi
+ cfile, NULL, NULL, dentry);
+ if (rc == -EINVAL) {
+ cifs_dbg(FYI, "invalid lease key, resending request without lease");
++ cifs_get_writable_path(tcon, full_path, FIND_WR_ANY, &cfile);
+ rc = smb2_compound_op(xid, tcon, cifs_sb,
+ full_path, &oparms, &in_iov,
+ &(int){SMB2_OP_SET_EOF}, 1,
--- /dev/null
+From ea72ce5da22806d5713f3ffb39a6d5ae73841f93 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 14 Aug 2024 00:29:36 +0200
+Subject: x86/kaslr: Expose and use the end of the physical memory address space
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit ea72ce5da22806d5713f3ffb39a6d5ae73841f93 upstream.
+
+iounmap() on x86 occasionally fails to unmap because the provided valid
+ioremap address is not below high_memory. It turned out that this
+happens due to KASLR.
+
+KASLR uses the full address space between PAGE_OFFSET and vaddr_end to
+randomize the starting points of the direct map, vmalloc and vmemmap
+regions. It thereby limits the size of the direct map by using the
+installed memory size plus an extra configurable margin for hot-plug
+memory. This limitation is done to gain more randomization space
+because otherwise only the holes between the direct map, vmalloc,
+vmemmap and vaddr_end would be usable for randomizing.
+
+The limited direct map size is not exposed to the rest of the kernel, so
+the memory hot-plug and resource management related code paths still
+operate under the assumption that the available address space can be
+determined with MAX_PHYSMEM_BITS.
+
+request_free_mem_region() allocates from (1 << MAX_PHYSMEM_BITS) - 1
+downwards. That means the first allocation happens past the end of the
+direct map and if unlucky this address is in the vmalloc space, which
+causes high_memory to become greater than VMALLOC_START and consequently
+causes iounmap() to fail for valid ioremap addresses.
+
+MAX_PHYSMEM_BITS cannot be changed for that because the randomization
+does not align with address bit boundaries and there are other places
+which actually require to know the maximum number of address bits. All
+remaining usage sites of MAX_PHYSMEM_BITS have been analyzed and found
+to be correct.
+
+Cure this by exposing the end of the direct map via PHYSMEM_END and use
+that for the memory hot-plug and resource management related places
+instead of relying on MAX_PHYSMEM_BITS. In the KASLR case PHYSMEM_END
+maps to a variable which is initialized by the KASLR initialization and
+otherwise it is based on MAX_PHYSMEM_BITS as before.
+
+To prevent future hickups add a check into add_pages() to catch callers
+trying to add memory above PHYSMEM_END.
+
+Fixes: 0483e1fa6e09 ("x86/mm: Implement ASLR for kernel memory regions")
+Reported-by: Max Ramanouski <max8rr8@gmail.com>
+Reported-by: Alistair Popple <apopple@nvidia.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-By: Max Ramanouski <max8rr8@gmail.com>
+Tested-by: Alistair Popple <apopple@nvidia.com>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: Alistair Popple <apopple@nvidia.com>
+Reviewed-by: Kees Cook <kees@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/87ed6soy3z.ffs@tglx
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/page_64.h | 1 +
+ arch/x86/include/asm/pgtable_64_types.h | 4 ++++
+ arch/x86/mm/init_64.c | 4 ++++
+ arch/x86/mm/kaslr.c | 32 ++++++++++++++++++++++++++------
+ include/linux/mm.h | 4 ++++
+ kernel/resource.c | 6 ++----
+ mm/memory_hotplug.c | 2 +-
+ mm/sparse.c | 2 +-
+ 8 files changed, 43 insertions(+), 12 deletions(-)
+
+--- a/arch/x86/include/asm/page_64.h
++++ b/arch/x86/include/asm/page_64.h
+@@ -17,6 +17,7 @@ extern unsigned long phys_base;
+ extern unsigned long page_offset_base;
+ extern unsigned long vmalloc_base;
+ extern unsigned long vmemmap_base;
++extern unsigned long physmem_end;
+
+ static __always_inline unsigned long __phys_addr_nodebug(unsigned long x)
+ {
+--- a/arch/x86/include/asm/pgtable_64_types.h
++++ b/arch/x86/include/asm/pgtable_64_types.h
+@@ -140,6 +140,10 @@ extern unsigned int ptrs_per_p4d;
+ # define VMEMMAP_START __VMEMMAP_BASE_L4
+ #endif /* CONFIG_DYNAMIC_MEMORY_LAYOUT */
+
++#ifdef CONFIG_RANDOMIZE_MEMORY
++# define PHYSMEM_END physmem_end
++#endif
++
+ /*
+ * End of the region for which vmalloc page tables are pre-allocated.
+ * For non-KMSAN builds, this is the same as VMALLOC_END.
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -950,8 +950,12 @@ static void update_end_of_memory_vars(u6
+ int add_pages(int nid, unsigned long start_pfn, unsigned long nr_pages,
+ struct mhp_params *params)
+ {
++ unsigned long end = ((start_pfn + nr_pages) << PAGE_SHIFT) - 1;
+ int ret;
+
++ if (WARN_ON_ONCE(end > PHYSMEM_END))
++ return -ERANGE;
++
+ ret = __add_pages(nid, start_pfn, nr_pages, params);
+ WARN_ON_ONCE(ret);
+
+--- a/arch/x86/mm/kaslr.c
++++ b/arch/x86/mm/kaslr.c
+@@ -47,13 +47,24 @@ static const unsigned long vaddr_end = C
+ */
+ static __initdata struct kaslr_memory_region {
+ unsigned long *base;
++ unsigned long *end;
+ unsigned long size_tb;
+ } kaslr_regions[] = {
+- { &page_offset_base, 0 },
+- { &vmalloc_base, 0 },
+- { &vmemmap_base, 0 },
++ {
++ .base = &page_offset_base,
++ .end = &physmem_end,
++ },
++ {
++ .base = &vmalloc_base,
++ },
++ {
++ .base = &vmemmap_base,
++ },
+ };
+
++/* The end of the possible address space for physical memory */
++unsigned long physmem_end __ro_after_init;
++
+ /* Get size in bytes used by the memory region */
+ static inline unsigned long get_padding(struct kaslr_memory_region *region)
+ {
+@@ -82,6 +93,8 @@ void __init kernel_randomize_memory(void
+ BUILD_BUG_ON(vaddr_end != CPU_ENTRY_AREA_BASE);
+ BUILD_BUG_ON(vaddr_end > __START_KERNEL_map);
+
++ /* Preset the end of the possible address space for physical memory */
++ physmem_end = ((1ULL << MAX_PHYSMEM_BITS) - 1);
+ if (!kaslr_memory_enabled())
+ return;
+
+@@ -128,11 +141,18 @@ void __init kernel_randomize_memory(void
+ vaddr += entropy;
+ *kaslr_regions[i].base = vaddr;
+
++ /* Calculate the end of the region */
++ vaddr += get_padding(&kaslr_regions[i]);
+ /*
+- * Jump the region and add a minimum padding based on
+- * randomization alignment.
++ * KASLR trims the maximum possible size of the
++ * direct-map. Update the physmem_end boundary.
++ * No rounding required as the region starts
++ * PUD aligned and size is in units of TB.
+ */
+- vaddr += get_padding(&kaslr_regions[i]);
++ if (kaslr_regions[i].end)
++ *kaslr_regions[i].end = __pa_nodebug(vaddr - 1);
++
++ /* Add a minimum padding based on randomization alignment. */
+ vaddr = round_up(vaddr + 1, PUD_SIZE);
+ remain_entropy -= entropy;
+ }
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -97,6 +97,10 @@ extern const int mmap_rnd_compat_bits_ma
+ extern int mmap_rnd_compat_bits __read_mostly;
+ #endif
+
++#ifndef PHYSMEM_END
++# define PHYSMEM_END ((1ULL << MAX_PHYSMEM_BITS) - 1)
++#endif
++
+ #include <asm/page.h>
+ #include <asm/processor.h>
+
+--- a/kernel/resource.c
++++ b/kernel/resource.c
+@@ -1832,8 +1832,7 @@ static resource_size_t gfr_start(struct
+ if (flags & GFR_DESCENDING) {
+ resource_size_t end;
+
+- end = min_t(resource_size_t, base->end,
+- (1ULL << MAX_PHYSMEM_BITS) - 1);
++ end = min_t(resource_size_t, base->end, PHYSMEM_END);
+ return end - size + 1;
+ }
+
+@@ -1850,8 +1849,7 @@ static bool gfr_continue(struct resource
+ * @size did not wrap 0.
+ */
+ return addr > addr - size &&
+- addr <= min_t(resource_size_t, base->end,
+- (1ULL << MAX_PHYSMEM_BITS) - 1);
++ addr <= min_t(resource_size_t, base->end, PHYSMEM_END);
+ }
+
+ static resource_size_t gfr_next(resource_size_t addr, resource_size_t size,
+--- a/mm/memory_hotplug.c
++++ b/mm/memory_hotplug.c
+@@ -1682,7 +1682,7 @@ struct range __weak arch_get_mappable_ra
+
+ struct range mhp_get_pluggable_range(bool need_mapping)
+ {
+- const u64 max_phys = (1ULL << MAX_PHYSMEM_BITS) - 1;
++ const u64 max_phys = PHYSMEM_END;
+ struct range mhp_range;
+
+ if (need_mapping) {
+--- a/mm/sparse.c
++++ b/mm/sparse.c
+@@ -129,7 +129,7 @@ static inline int sparse_early_nid(struc
+ static void __meminit mminit_validate_memmodel_limits(unsigned long *start_pfn,
+ unsigned long *end_pfn)
+ {
+- unsigned long max_sparsemem_pfn = 1UL << (MAX_PHYSMEM_BITS-PAGE_SHIFT);
++ unsigned long max_sparsemem_pfn = (PHYSMEM_END + 1) >> PAGE_SHIFT;
+
+ /*
+ * Sanity checks - do not allow an architecture to pass
--- /dev/null
+From b6fb565a2d15277896583d471b21bc14a0c99661 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Mon, 26 Aug 2024 15:53:04 +0300
+Subject: x86/tdx: Fix data leak in mmio_read()
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+commit b6fb565a2d15277896583d471b21bc14a0c99661 upstream.
+
+The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an
+address from the VMM.
+
+Sean noticed that mmio_read() unintentionally exposes the value of an
+initialized variable (val) on the stack to the VMM.
+
+This variable is only needed as an output value. It did not need to be
+passed to the VMM in the first place.
+
+Do not send the original value of *val to the VMM.
+
+[ dhansen: clarify what 'val' is used for. ]
+
+Fixes: 31d58c4e557d ("x86/tdx: Handle in-kernel MMIO")
+Reported-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20240826125304.1566719-1-kirill.shutemov%40linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/coco/tdx/tdx.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/x86/coco/tdx/tdx.c
++++ b/arch/x86/coco/tdx/tdx.c
+@@ -385,7 +385,6 @@ static bool mmio_read(int size, unsigned
+ .r12 = size,
+ .r13 = EPT_READ,
+ .r14 = addr,
+- .r15 = *val,
+ };
+
+ if (__tdx_hypercall(&args))
projects / thirdparty / kernel / stable-queue.git / commitdiff
