6.2-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 6 May 2023 06:52:03 +0000 (15:52 +0900)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 6 May 2023 06:52:03 +0000 (15:52 +0900)
added patches:
acpi-video-remove-acpi_backlight-video-quirk-for-lenovo-thinkpad-w530.patch
drm-amd-pm-re-enable-the-gfx-imu-when-smu-resume.patch
i2c-omap-fix-standard-mode-false-ack-readings.patch
igc-read-before-write-to-srrctl-register.patch
iommu-amd-fix-guest-virtual-apic-table-root-pointer-configuration-in-irte.patch
ksmbd-call-rcu_barrier-in-ksmbd_server_exit.patch
ksmbd-fix-deadlock-in-ksmbd_find_crypto_ctx.patch
ksmbd-fix-memleak-in-session-setup.patch
ksmbd-fix-null-pointer-dereference-in-smb2_get_info_filesystem.patch
ksmbd-fix-racy-issue-under-cocurrent-smb2-tree-disconnect.patch
ksmbd-not-allow-guest-user-on-multichannel.patch
kvm-risc-v-retry-fault-if-vma_lookup-results-become-invalid.patch
risc-v-align-sbi-probe-implementation-with-spec.patch
riscv-mm-remove-redundant-parameter-of-create_fdt_early_page_table.patch
tracing-fix-permissions-for-the-buffer_percent-file.patch

16 files changed:
queue-6.2/acpi-video-remove-acpi_backlight-video-quirk-for-lenovo-thinkpad-w530.patch [new file with mode: 0644]
queue-6.2/drm-amd-pm-re-enable-the-gfx-imu-when-smu-resume.patch [new file with mode: 0644]
queue-6.2/i2c-omap-fix-standard-mode-false-ack-readings.patch [new file with mode: 0644]
queue-6.2/igc-read-before-write-to-srrctl-register.patch [new file with mode: 0644]
queue-6.2/iommu-amd-fix-guest-virtual-apic-table-root-pointer-configuration-in-irte.patch [new file with mode: 0644]
queue-6.2/ksmbd-call-rcu_barrier-in-ksmbd_server_exit.patch [new file with mode: 0644]
queue-6.2/ksmbd-fix-deadlock-in-ksmbd_find_crypto_ctx.patch [new file with mode: 0644]
queue-6.2/ksmbd-fix-memleak-in-session-setup.patch [new file with mode: 0644]
queue-6.2/ksmbd-fix-null-pointer-dereference-in-smb2_get_info_filesystem.patch [new file with mode: 0644]
queue-6.2/ksmbd-fix-racy-issue-under-cocurrent-smb2-tree-disconnect.patch [new file with mode: 0644]
queue-6.2/ksmbd-not-allow-guest-user-on-multichannel.patch [new file with mode: 0644]
queue-6.2/kvm-risc-v-retry-fault-if-vma_lookup-results-become-invalid.patch [new file with mode: 0644]
queue-6.2/risc-v-align-sbi-probe-implementation-with-spec.patch [new file with mode: 0644]
queue-6.2/riscv-mm-remove-redundant-parameter-of-create_fdt_early_page_table.patch [new file with mode: 0644]
queue-6.2/series
queue-6.2/tracing-fix-permissions-for-the-buffer_percent-file.patch [new file with mode: 0644]

diff --git a/queue-6.2/acpi-video-remove-acpi_backlight-video-quirk-for-lenovo-thinkpad-w530.patch b/queue-6.2/acpi-video-remove-acpi_backlight-video-quirk-for-lenovo-thinkpad-w530.patch
new file mode 100644 (file)
index 0000000..e86fa79
--- /dev/null
@@ -0,0 +1,59 @@
+From 3db66620ea90b0fd4134b31eabfec16d7b07d7e3 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 28 Apr 2023 15:23:50 +0200
+Subject: ACPI: video: Remove acpi_backlight=video quirk for Lenovo ThinkPad W530
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 3db66620ea90b0fd4134b31eabfec16d7b07d7e3 upstream.
+
+Remove the acpi_backlight=video quirk for Lenovo ThinkPad W530.
+
+This was intended to help users of the (unsupported) Nvidia binary driver,
+but this has been reported to cause backlight control issues for users
+who have the gfx configured in hybrid (dual-GPU) mode, so drop this.
+
+The Nvidia binary driver should call acpi_video_register_backlight()
+when necessary and this has been reported to Nvidia.
+
+Until this is fixed Nvidia binary driver users can work around this by
+passing "acpi_backlight=video" on the kernel commandline (with the latest
+6.1.y or newer stable series, kernels < 6.1.y don't need this).
+
+Fixes: a5b2781dcab2 ("ACPI: video: Add acpi_backlight=video quirk for Lenovo ThinkPad W530")
+Reported-by: Русев Путин <rockeraliexpress@gmail.com>
+Link: https://lore.kernel.org/linux-acpi/CAK4BXn0ngZRmzx1bodAF8nmYj0PWdUXzPGHofRrsyZj8MBpcVA@mail.gmail.com/
+Cc: 6.1+ <stable@vger.kernel.org> # 6.1+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/video_detect.c |   14 --------------
+ 1 file changed, 14 deletions(-)
+
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -300,20 +300,6 @@ static const struct dmi_system_id video_
+       },
+       /*
+-       * Older models with nvidia GPU which need acpi_video backlight
+-       * control and where the old nvidia binary driver series does not
+-       * call acpi_video_register_backlight().
+-       */
+-      {
+-       .callback = video_detect_force_video,
+-       /* ThinkPad W530 */
+-       .matches = {
+-              DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-              DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad W530"),
+-              },
+-      },
+-
+-      /*
+        * These models have a working acpi_video backlight control, and using
+        * native backlight causes a regression where backlight does not work
+        * when userspace is not handling brightness key events. Disable
diff --git a/queue-6.2/drm-amd-pm-re-enable-the-gfx-imu-when-smu-resume.patch b/queue-6.2/drm-amd-pm-re-enable-the-gfx-imu-when-smu-resume.patch
new file mode 100644 (file)
index 0000000..77a3b35
--- /dev/null
@@ -0,0 +1,91 @@
+From f7f28f268b861c29dd18086bb636abedf0ff59ff Mon Sep 17 00:00:00 2001
+From: Tim Huang <tim.huang@amd.com>
+Date: Wed, 22 Mar 2023 14:39:16 +0800
+Subject: drm/amd/pm: re-enable the gfx imu when smu resume
+
+From: Tim Huang <tim.huang@amd.com>
+
+commit f7f28f268b861c29dd18086bb636abedf0ff59ff upstream.
+
+If the gfx imu is poweroff when suspend, then
+it need to be re-enabled when resume.
+
+Signed-off-by: Tim Huang <tim.huang@amd.com>
+Reviewed-by: Yifan Zhang <yifan1.zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c |   40 +++++++++++++++++++++---------
+ 1 file changed, 28 insertions(+), 12 deletions(-)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
+@@ -161,10 +161,15 @@ int smu_get_dpm_freq_range(struct smu_co
+ int smu_set_gfx_power_up_by_imu(struct smu_context *smu)
+ {
+-      if (!smu->ppt_funcs || !smu->ppt_funcs->set_gfx_power_up_by_imu)
+-              return -EOPNOTSUPP;
++      int ret = 0;
++      struct amdgpu_device *adev = smu->adev;
+-      return smu->ppt_funcs->set_gfx_power_up_by_imu(smu);
++      if (smu->ppt_funcs->set_gfx_power_up_by_imu) {
++              ret = smu->ppt_funcs->set_gfx_power_up_by_imu(smu);
++              if (ret)
++                      dev_err(adev->dev, "Failed to enable gfx imu!\n");
++      }
++      return ret;
+ }
+ static u32 smu_get_mclk(void *handle, bool low)
+@@ -195,6 +200,19 @@ static u32 smu_get_sclk(void *handle, bo
+       return clk_freq * 100;
+ }
++static int smu_set_gfx_imu_enable(struct smu_context *smu)
++{
++      struct amdgpu_device *adev = smu->adev;
++
++      if (adev->firmware.load_type != AMDGPU_FW_LOAD_PSP)
++              return 0;
++
++      if (amdgpu_in_reset(smu->adev) || adev->in_s0ix)
++              return 0;
++
++      return smu_set_gfx_power_up_by_imu(smu);
++}
++
+ static int smu_dpm_set_vcn_enable(struct smu_context *smu,
+                                 bool enable)
+ {
+@@ -1386,15 +1404,9 @@ static int smu_hw_init(void *handle)
+       }
+       if (smu->is_apu) {
+-              if ((smu->ppt_funcs->set_gfx_power_up_by_imu) &&
+-                              likely(adev->firmware.load_type == AMDGPU_FW_LOAD_PSP)) {
+-                      ret = smu->ppt_funcs->set_gfx_power_up_by_imu(smu);
+-                      if (ret) {
+-                              dev_err(adev->dev, "Failed to Enable gfx imu!\n");
+-                              return ret;
+-                      }
+-              }
+-
++              ret = smu_set_gfx_imu_enable(smu);
++              if (ret)
++                      return ret;
+               smu_dpm_set_vcn_enable(smu, true);
+               smu_dpm_set_jpeg_enable(smu, true);
+               smu_set_gfx_cgpg(smu, true);
+@@ -1671,6 +1683,10 @@ static int smu_resume(void *handle)
+               return ret;
+       }
++      ret = smu_set_gfx_imu_enable(smu);
++      if (ret)
++              return ret;
++
+       smu_set_gfx_cgpg(smu, true);
+       smu->disable_uclk_switch = 0;
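Review bot: The rewritten `smu_set_gfx_power_up_by_imu()` dereferences `smu->ppt_funcs` without the NULL check the old body had, and it now returns 0 instead of -EOPNOTSUPP when the callback is absent. The function is not static, so callers outside these hunks may still depend on either behaviour; if `ppt_funcs` can be unset on any path that reaches it, this is a NULL dereference in kernel context. Keeping the guard costs one condition: `if (smu->ppt_funcs && smu->ppt_funcs->set_gfx_power_up_by_imu) {`. The new `smu_set_gfx_imu_enable()` would also benefit from a short comment saying why the reset and s0ix cases skip the IMU power-up, since neither the code nor the commit message explains it.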
diff --git a/queue-6.2/i2c-omap-fix-standard-mode-false-ack-readings.patch b/queue-6.2/i2c-omap-fix-standard-mode-false-ack-readings.patch
new file mode 100644 (file)
index 0000000..fb8ac37
--- /dev/null
@@ -0,0 +1,37 @@
+From c770657bd2611b077ec1e7b1fe6aa92f249399bd Mon Sep 17 00:00:00 2001
+From: Reid Tonking <reidt@ti.com>
+Date: Wed, 26 Apr 2023 14:49:56 -0500
+Subject: i2c: omap: Fix standard mode false ACK readings
+
+From: Reid Tonking <reidt@ti.com>
+
+commit c770657bd2611b077ec1e7b1fe6aa92f249399bd upstream.
+
+Using standard mode, rare false ACK responses were appearing with
+i2cdetect tool. This was happening due to NACK interrupt triggering
+ISR thread before register access interrupt was ready. Removing the
+NACK interrupt's ability to trigger ISR thread lets register access
+ready interrupt do this instead.
+
+Cc: <stable@vger.kernel.org> # v3.7+
+Fixes: 3b2f8f82dad7 ("i2c: omap: switch to threaded IRQ support")
+Signed-off-by: Reid Tonking <reidt@ti.com>
+Acked-by: Vignesh Raghavendra <vigneshr@ti.com>
+Reviewed-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-omap.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-omap.c
++++ b/drivers/i2c/busses/i2c-omap.c
+@@ -1058,7 +1058,7 @@ omap_i2c_isr(int irq, void *dev_id)
+       u16 stat;
+       stat = omap_i2c_read_reg(omap, OMAP_I2C_STAT_REG);
+-      mask = omap_i2c_read_reg(omap, OMAP_I2C_IE_REG);
++      mask = omap_i2c_read_reg(omap, OMAP_I2C_IE_REG) & ~OMAP_I2C_STAT_NACK;
+       if (stat & mask)
+               ret = IRQ_WAKE_THREAD;
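Review bot: The new mask expression in `omap_i2c_isr()` drops `OMAP_I2C_STAT_NACK` with no comment, so the next reader cannot tell that the omission is deliberate rather than a forgotten status bit. A one-line comment above it would record the reason given in the commit message, for example `/* NACK alone must not wake the thread; the register access ready interrupt does that */`. The rest of the handler is outside the hunk, so it is worth confirming that the threaded handler still sees and handles NACK once it is woken by another bit.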
diff --git a/queue-6.2/igc-read-before-write-to-srrctl-register.patch b/queue-6.2/igc-read-before-write-to-srrctl-register.patch
new file mode 100644 (file)
index 0000000..30aa9c5
--- /dev/null
@@ -0,0 +1,89 @@
+From 3ce29c17dc847bf4245e16aad78a7617afa96297 Mon Sep 17 00:00:00 2001
+From: Song Yoong Siang <yoong.siang.song@intel.com>
+Date: Tue, 2 May 2023 08:48:06 -0700
+Subject: igc: read before write to SRRCTL register
+
+From: Song Yoong Siang <yoong.siang.song@intel.com>
+
+commit 3ce29c17dc847bf4245e16aad78a7617afa96297 upstream.
+
+igc_configure_rx_ring() function will be called as part of XDP program
+setup. If Rx hardware timestamp is enabled prio to XDP program setup,
+this timestamp enablement will be overwritten when buffer size is
+written into SRRCTL register.
+
+Thus, this commit read the register value before write to SRRCTL
+register. This commit is tested by using xdp_hw_metadata bpf selftest
+tool. The tool enables Rx hardware timestamp and then attach XDP program
+to igc driver. It will display hardware timestamp of UDP packet with
+port number 9092. Below are detail of test steps and results.
+
+Command on DUT:
+  sudo ./xdp_hw_metadata <interface name>
+
+Command on Link Partner:
+  echo -n skb | nc -u -q1 <destination IPv4 addr> 9092
+
+Result before this patch:
+  skb hwtstamp is not found!
+
+Result after this patch:
+  found skb hwtstamp = 1677800973.642836757
+
+Optionally, read PHC to confirm the values obtained are almost the same:
+Command:
+  sudo ./testptp -d /dev/ptp0 -g
+Result:
+  clock time: 1677800973.913598978 or Fri Mar  3 07:49:33 2023
+
+Fixes: fc9df2a0b520 ("igc: Enable RX via AF_XDP zero-copy")
+Cc: <stable@vger.kernel.org> # 5.14+
+Signed-off-by: Song Yoong Siang <yoong.siang.song@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Tested-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/igc/igc_base.h |   11 ++++++++---
+ drivers/net/ethernet/intel/igc/igc_main.c |    7 +++++--
+ 2 files changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/intel/igc/igc_base.h
++++ b/drivers/net/ethernet/intel/igc/igc_base.h
+@@ -85,8 +85,13 @@ union igc_adv_rx_desc {
+ #define IGC_RXDCTL_SWFLUSH            0x04000000 /* Receive Software Flush */
+ /* SRRCTL bit definitions */
+-#define IGC_SRRCTL_BSIZEPKT_SHIFT             10 /* Shift _right_ */
+-#define IGC_SRRCTL_BSIZEHDRSIZE_SHIFT         2  /* Shift _left_ */
+-#define IGC_SRRCTL_DESCTYPE_ADV_ONEBUF        0x02000000
++#define IGC_SRRCTL_BSIZEPKT_MASK      GENMASK(6, 0)
++#define IGC_SRRCTL_BSIZEPKT(x)                FIELD_PREP(IGC_SRRCTL_BSIZEPKT_MASK, \
++                                      (x) / 1024) /* in 1 KB resolution */
++#define IGC_SRRCTL_BSIZEHDR_MASK      GENMASK(13, 8)
++#define IGC_SRRCTL_BSIZEHDR(x)                FIELD_PREP(IGC_SRRCTL_BSIZEHDR_MASK, \
++                                      (x) / 64) /* in 64 bytes resolution */
++#define IGC_SRRCTL_DESCTYPE_MASK      GENMASK(27, 25)
++#define IGC_SRRCTL_DESCTYPE_ADV_ONEBUF        FIELD_PREP(IGC_SRRCTL_DESCTYPE_MASK, 1)
+ #endif /* _IGC_BASE_H */
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -641,8 +641,11 @@ static void igc_configure_rx_ring(struct
+       else
+               buf_size = IGC_RXBUFFER_2048;
+-      srrctl = IGC_RX_HDR_LEN << IGC_SRRCTL_BSIZEHDRSIZE_SHIFT;
+-      srrctl |= buf_size >> IGC_SRRCTL_BSIZEPKT_SHIFT;
++      srrctl = rd32(IGC_SRRCTL(reg_idx));
++      srrctl &= ~(IGC_SRRCTL_BSIZEPKT_MASK | IGC_SRRCTL_BSIZEHDR_MASK |
++                  IGC_SRRCTL_DESCTYPE_MASK);
++      srrctl |= IGC_SRRCTL_BSIZEHDR(IGC_RX_HDR_LEN);
++      srrctl |= IGC_SRRCTL_BSIZEPKT(buf_size);
+       srrctl |= IGC_SRRCTL_DESCTYPE_ADV_ONEBUF;
+       wr32(IGC_SRRCTL(reg_idx), srrctl);
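Review bot: `IGC_SRRCTL_BSIZEPKT(x)` and `IGC_SRRCTL_BSIZEHDR(x)` in igc_base.h divide by 1024 and 64 before `FIELD_PREP`, so a size that is not a multiple of the unit is rounded down, and for a runtime argument such as `buf_size` a value too large for the field is masked off without any diagnostic. The values visible in this hunk look safe, but the macros should state the contract, e.g. `/* x must be a multiple of 1024 and fit in 7 bits after scaling */`. The header hunk also starts using `GENMASK` and `FIELD_PREP` without a visible include; whether `<linux/bits.h>` and `<linux/bitfield.h>` reach igc_base.h some other way is outside the hunk and should be checked for this backport. Finally, the read-modify-write in `igc_configure_rx_ring()` now preserves every other SRRCTL bit, which deserves a comment such as `/* keep bits owned by other code, e.g. the Rx timestamp enable */`.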
diff --git a/queue-6.2/iommu-amd-fix-guest-virtual-apic-table-root-pointer-configuration-in-irte.patch b/queue-6.2/iommu-amd-fix-guest-virtual-apic-table-root-pointer-configuration-in-irte.patch
new file mode 100644 (file)
index 0000000..17a4664
--- /dev/null
@@ -0,0 +1,50 @@
+From ccc62b827775915a9b82db42a29813d04f92df7a Mon Sep 17 00:00:00 2001
+From: Kishon Vijay Abraham I <kvijayab@amd.com>
+Date: Wed, 5 Apr 2023 13:03:17 +0000
+Subject: iommu/amd: Fix "Guest Virtual APIC Table Root Pointer" configuration in IRTE
+
+From: Kishon Vijay Abraham I <kvijayab@amd.com>
+
+commit ccc62b827775915a9b82db42a29813d04f92df7a upstream.
+
+commit b9c6ff94e43a ("iommu/amd: Re-factor guest virtual APIC
+(de-)activation code") while refactoring guest virtual APIC
+activation/de-activation code, stored information for activate/de-activate
+in "struct amd_ir_data". It used 32-bit integer data type for storing the
+"Guest Virtual APIC Table Root Pointer" (ga_root_ptr), though the
+"ga_root_ptr" is actually a 40-bit field in IRTE (Interrupt Remapping
+Table Entry).
+
+This causes interrupts from PCIe devices to not reach the guest in the case
+of PCIe passthrough with SME (Secure Memory Encryption) enabled as _SME_
+bit in the "ga_root_ptr" is lost before writing it to the IRTE.
+
+Fix it by using 64-bit data type for storing the "ga_root_ptr". While at
+that also change the data type of "ga_tag" to u32 in order to match
+the IOMMU spec.
+
+Fixes: b9c6ff94e43a ("iommu/amd: Re-factor guest virtual APIC (de-)activation code")
+Cc: stable@vger.kernel.org # v5.4+
+Reported-by: Alejandro Jimenez <alejandro.j.jimenez@oracle.com>
+Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Signed-off-by: Kishon Vijay Abraham I <kvijayab@amd.com>
+Link: https://lore.kernel.org/r/20230405130317.9351-1-kvijayab@amd.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/amd/amd_iommu_types.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iommu/amd/amd_iommu_types.h
++++ b/drivers/iommu/amd/amd_iommu_types.h
+@@ -1001,8 +1001,8 @@ struct amd_ir_data {
+        */
+       struct irq_cfg *cfg;
+       int ga_vector;
+-      int ga_root_ptr;
+-      int ga_tag;
++      u64 ga_root_ptr;
++      u32 ga_tag;
+ };
+ struct amd_irte_ops {
diff --git a/queue-6.2/ksmbd-call-rcu_barrier-in-ksmbd_server_exit.patch b/queue-6.2/ksmbd-call-rcu_barrier-in-ksmbd_server_exit.patch
new file mode 100644 (file)
index 0000000..476ee5a
--- /dev/null
@@ -0,0 +1,34 @@
+From eb307d09fe15844fdaebeb8cc8c9b9e925430aa5 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Wed, 3 May 2023 08:51:51 +0900
+Subject: ksmbd: call rcu_barrier() in ksmbd_server_exit()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit eb307d09fe15844fdaebeb8cc8c9b9e925430aa5 upstream.
+
+racy issue is triggered the bug by racing between closing a connection
+and rmmod. In ksmbd, rcu_barrier() is not called at module unload time,
+so nothing prevents ksmbd from getting unloaded while it still has RCU
+callbacks pending. It leads to trigger unintended execution of kernel
+code locally and use to defeat protections such as Kernel Lockdown
+
+Cc: stable@vger.kernel.org
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20477
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/server.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ksmbd/server.c
++++ b/fs/ksmbd/server.c
+@@ -606,6 +606,7 @@ err_unregister:
+ static void __exit ksmbd_server_exit(void)
+ {
+       ksmbd_server_shutdown();
++      rcu_barrier();
+       ksmbd_release_inode_hash();
+ }
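Review bot: The added `rcu_barrier();` in `ksmbd_server_exit()` carries no comment, although its presence and position are what close the unload race described in the commit message. Propose `/* wait for pending RCU callbacks before the module and its inode hash go away */` above the call, so that a later cleanup does not reorder or drop it.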
diff --git a/queue-6.2/ksmbd-fix-deadlock-in-ksmbd_find_crypto_ctx.patch b/queue-6.2/ksmbd-fix-deadlock-in-ksmbd_find_crypto_ctx.patch
new file mode 100644 (file)
index 0000000..c6f5722
--- /dev/null
@@ -0,0 +1,74 @@
+From 7b4323373d844954bb76e0e9f39c4e5fc785fa7b Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Wed, 3 May 2023 08:44:14 +0900
+Subject: ksmbd: fix deadlock in ksmbd_find_crypto_ctx()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 7b4323373d844954bb76e0e9f39c4e5fc785fa7b upstream.
+
+Deadlock is triggered by sending multiple concurrent session setup
+requests. It should be reused after releasing when getting ctx for crypto.
+Multiple consecutive ctx uses cause deadlock while waiting for releasing
+due to the limited number of ctx.
+
+Cc: stable@vger.kernel.org
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20591
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/auth.c |   19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/fs/ksmbd/auth.c
++++ b/fs/ksmbd/auth.c
+@@ -221,22 +221,22 @@ int ksmbd_auth_ntlmv2(struct ksmbd_conn
+ {
+       char ntlmv2_hash[CIFS_ENCPWD_SIZE];
+       char ntlmv2_rsp[CIFS_HMAC_MD5_HASH_SIZE];
+-      struct ksmbd_crypto_ctx *ctx;
++      struct ksmbd_crypto_ctx *ctx = NULL;
+       char *construct = NULL;
+       int rc, len;
+-      ctx = ksmbd_crypto_ctx_find_hmacmd5();
+-      if (!ctx) {
+-              ksmbd_debug(AUTH, "could not crypto alloc hmacmd5\n");
+-              return -ENOMEM;
+-      }
+-
+       rc = calc_ntlmv2_hash(conn, sess, ntlmv2_hash, domain_name);
+       if (rc) {
+               ksmbd_debug(AUTH, "could not get v2 hash rc %d\n", rc);
+               goto out;
+       }
++      ctx = ksmbd_crypto_ctx_find_hmacmd5();
++      if (!ctx) {
++              ksmbd_debug(AUTH, "could not crypto alloc hmacmd5\n");
++              return -ENOMEM;
++      }
++
+       rc = crypto_shash_setkey(CRYPTO_HMACMD5_TFM(ctx),
+                                ntlmv2_hash,
+                                CIFS_HMAC_MD5_HASH_SIZE);
+@@ -272,6 +272,8 @@ int ksmbd_auth_ntlmv2(struct ksmbd_conn
+               ksmbd_debug(AUTH, "Could not generate md5 hash\n");
+               goto out;
+       }
++      ksmbd_release_crypto_ctx(ctx);
++      ctx = NULL;
+       rc = ksmbd_gen_sess_key(sess, ntlmv2_hash, ntlmv2_rsp);
+       if (rc) {
+@@ -282,7 +284,8 @@ int ksmbd_auth_ntlmv2(struct ksmbd_conn
+       if (memcmp(ntlmv2->ntlmv2_hash, ntlmv2_rsp, CIFS_HMAC_MD5_HASH_SIZE) != 0)
+               rc = -EINVAL;
+ out:
+-      ksmbd_release_crypto_ctx(ctx);
++      if (ctx)
++              ksmbd_release_crypto_ctx(ctx);
+       kfree(construct);
+       return rc;
+ }
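Review bot: The final check in `ksmbd_auth_ntlmv2()` still compares the computed NTLMv2 response with `memcmp()`, which stops at the first differing byte and so is not constant-time for an authentication value; the commit leaves that line untouched. The kernel's constant-time helper fits directly: `if (crypto_memneq(ntlmv2->ntlmv2_hash, ntlmv2_rsp, CIFS_HMAC_MD5_HASH_SIZE))`, adding its header if auth.c does not already include it. Now that `ctx` starts as NULL and the release at `out:` is guarded, the relocated allocation failure could also use `rc = -ENOMEM; goto out;` instead of a bare `return -ENOMEM;`, so the function keeps a single exit path. The stack buffers `ntlmv2_hash` and `ntlmv2_rsp` hold key material and are not cleared before return; whether that matters here is a judgment call, but `memzero_explicit()` at `out:` would be cheap.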
diff --git a/queue-6.2/ksmbd-fix-memleak-in-session-setup.patch b/queue-6.2/ksmbd-fix-memleak-in-session-setup.patch
new file mode 100644 (file)
index 0000000..16aaaae
--- /dev/null
@@ -0,0 +1,37 @@
+From 6d7cb549c2ca20e1f07593f15e936fd54b763028 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Wed, 3 May 2023 08:26:45 +0900
+Subject: ksmbd: fix memleak in session setup
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 6d7cb549c2ca20e1f07593f15e936fd54b763028 upstream.
+
+If client send session setup request with unknown NTLMSSP message type,
+session that does not included channel can be created. It will cause
+session memleak. because ksmbd_sessions_deregister() does not destroy
+session if channel is not included. This patch return error response if
+client send the request unknown NTLMSSP message type.
+
+Cc: stable@vger.kernel.org
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20593
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb2pdu.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -1801,6 +1801,10 @@ int smb2_sess_setup(struct ksmbd_work *w
+                               }
+                               kfree(sess->Preauth_HashValue);
+                               sess->Preauth_HashValue = NULL;
++                      } else {
++                              pr_info_ratelimited("Unknown NTLMSSP message type : 0x%x\n",
++                                              le32_to_cpu(negblob->MessageType));
++                              rc = -EINVAL;
+                       }
+               } else {
+                       /* TODO: need one more negotiation */
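Review bot: The new `else` branch in `smb2_sess_setup()` sets `rc = -EINVAL` without saying why an unknown NTLMSSP message type must fail the request rather than be ignored. A comment such as `/* reject unknown types: a session left without a channel is never destroyed by ksmbd_sessions_deregister() */` would record the reasoning from the commit message at the place it matters. The path from here to the error handling is outside the hunk, so confirm that nothing in between resets `rc`.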
diff --git a/queue-6.2/ksmbd-fix-null-pointer-dereference-in-smb2_get_info_filesystem.patch b/queue-6.2/ksmbd-fix-null-pointer-dereference-in-smb2_get_info_filesystem.patch
new file mode 100644 (file)
index 0000000..e08d54c
--- /dev/null
@@ -0,0 +1,33 @@
+From 3ac00a2ab69b34189942afa9e862d5170cdcb018 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Wed, 3 May 2023 08:38:33 +0900
+Subject: ksmbd: fix NULL pointer dereference in smb2_get_info_filesystem()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 3ac00a2ab69b34189942afa9e862d5170cdcb018 upstream.
+
+If share is , share->path is NULL and it cause NULL pointer
+dereference issue.
+
+Cc: stable@vger.kernel.org
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20479
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb2pdu.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -4915,6 +4915,9 @@ static int smb2_get_info_filesystem(stru
+       int rc = 0, len;
+       int fs_infoclass_size = 0;
++      if (!share->path)
++              return -EIO;
++
+       rc = kern_path(share->path, LOOKUP_NO_SYMLINKS, &path);
+       if (rc) {
+               pr_err("cannot create vfs path\n");
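Review bot: The new guard `if (!share->path)` in `smb2_get_info_filesystem()` gives no hint about which shares reach this function without a path, and the commit message on this page has lost the share name. A one-line comment such as `/* share has no backing path, so there is no filesystem to query */` would make the intent clear. How -EIO is translated into an SMB status is outside the hunk, so it is worth confirming that the client receives a sensible error. Other handlers that pass `share->path` to `kern_path()` may need the same check.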
diff --git a/queue-6.2/ksmbd-fix-racy-issue-under-cocurrent-smb2-tree-disconnect.patch b/queue-6.2/ksmbd-fix-racy-issue-under-cocurrent-smb2-tree-disconnect.patch
new file mode 100644 (file)
index 0000000..23c314a
--- /dev/null
@@ -0,0 +1,78 @@
+From 30210947a343b6b3ca13adc9bfc88e1543e16dd5 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Wed, 3 May 2023 08:51:12 +0900
+Subject: ksmbd: fix racy issue under cocurrent smb2 tree disconnect
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 30210947a343b6b3ca13adc9bfc88e1543e16dd5 upstream.
+
+There is UAF issue under cocurrent smb2 tree disconnect.
+This patch introduce TREE_CONN_EXPIRE flags for tcon to avoid cocurrent
+access.
+
+Cc: stable@vger.kernel.org
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20592
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/mgmt/tree_connect.c |   10 +++++++++-
+ fs/ksmbd/mgmt/tree_connect.h |    3 +++
+ fs/ksmbd/smb2pdu.c           |    3 ++-
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+--- a/fs/ksmbd/mgmt/tree_connect.c
++++ b/fs/ksmbd/mgmt/tree_connect.c
+@@ -109,7 +109,15 @@ int ksmbd_tree_conn_disconnect(struct ks
+ struct ksmbd_tree_connect *ksmbd_tree_conn_lookup(struct ksmbd_session *sess,
+                                                 unsigned int id)
+ {
+-      return xa_load(&sess->tree_conns, id);
++      struct ksmbd_tree_connect *tcon;
++
++      tcon = xa_load(&sess->tree_conns, id);
++      if (tcon) {
++              if (test_bit(TREE_CONN_EXPIRE, &tcon->status))
++                      tcon = NULL;
++      }
++
++      return tcon;
+ }
+ struct ksmbd_share_config *ksmbd_tree_conn_share(struct ksmbd_session *sess,
+--- a/fs/ksmbd/mgmt/tree_connect.h
++++ b/fs/ksmbd/mgmt/tree_connect.h
+@@ -14,6 +14,8 @@ struct ksmbd_share_config;
+ struct ksmbd_user;
+ struct ksmbd_conn;
++#define TREE_CONN_EXPIRE              1
++
+ struct ksmbd_tree_connect {
+       int                             id;
+@@ -25,6 +27,7 @@ struct ksmbd_tree_connect {
+       int                             maximal_access;
+       bool                            posix_extensions;
++      unsigned long                   status;
+ };
+ struct ksmbd_tree_conn_status {
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -2055,11 +2055,12 @@ int smb2_tree_disconnect(struct ksmbd_wo
+       ksmbd_debug(SMB, "request\n");
+-      if (!tcon) {
++      if (!tcon || test_and_set_bit(TREE_CONN_EXPIRE, &tcon->status)) {
+               struct smb2_tree_disconnect_req *req =
+                       smb2_get_msg(work->request_buf);
+               ksmbd_debug(SMB, "Invalid tid %d\n", req->hdr.Id.SyncId.TreeId);
++
+               rsp->hdr.Status = STATUS_NETWORK_NAME_DELETED;
+               smb2_set_err_rsp(work);
+               return 0;
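Review bot: `ksmbd_tree_conn_lookup()` still hands back a bare pointer: the `test_bit(TREE_CONN_EXPIRE, &tcon->status)` check narrows the race, but nothing visible here pins `tcon` between the lookup and its use. A request that passes the check just before another thread's disconnect sets the bit can still hold a pointer to an object that is then freed. Whether callers are serialised by a lock is outside the hunks; if they are not, a reference count taken in the lookup and dropped by the caller would be the usual way to close the window. Separately, `TREE_CONN_EXPIRE` is a bit number for `test_bit()` rather than a mask and deserves a comment saying so, e.g. `/* bit number in ksmbd_tree_connect.status */`.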
diff --git a/queue-6.2/ksmbd-not-allow-guest-user-on-multichannel.patch b/queue-6.2/ksmbd-not-allow-guest-user-on-multichannel.patch
new file mode 100644 (file)
index 0000000..fed4df7
--- /dev/null
@@ -0,0 +1,61 @@
+From 3353ab2df5f68dab7da8d5ebb427a2d265a1f2b2 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Wed, 3 May 2023 08:45:08 +0900
+Subject: ksmbd: not allow guest user on multichannel
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 3353ab2df5f68dab7da8d5ebb427a2d265a1f2b2 upstream.
+
+This patch return STATUS_NOT_SUPPORTED if binding session is guest.
+
+Cc: stable@vger.kernel.org
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20480
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb2pdu.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -1456,7 +1456,7 @@ static int ntlm_authenticate(struct ksmb
+                * Reuse session if anonymous try to connect
+                * on reauthetication.
+                */
+-              if (ksmbd_anonymous_user(user)) {
++              if (conn->binding == false && ksmbd_anonymous_user(user)) {
+                       ksmbd_free_user(user);
+                       return 0;
+               }
+@@ -1470,7 +1470,7 @@ static int ntlm_authenticate(struct ksmb
+               sess->user = user;
+       }
+-      if (user_guest(sess->user)) {
++      if (conn->binding == false && user_guest(sess->user)) {
+               rsp->SessionFlags = SMB2_SESSION_FLAG_IS_GUEST_LE;
+       } else {
+               struct authenticate_message *authblob;
+@@ -1715,6 +1715,11 @@ int smb2_sess_setup(struct ksmbd_work *w
+                       goto out_err;
+               }
++              if (user_guest(sess->user)) {
++                      rc = -EOPNOTSUPP;
++                      goto out_err;
++              }
++
+               conn->binding = true;
+       } else if ((conn->dialect < SMB30_PROT_ID ||
+                   server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL) &&
+@@ -1827,6 +1832,8 @@ out_err:
+               rsp->hdr.Status = STATUS_NETWORK_SESSION_EXPIRED;
+       else if (rc == -ENOMEM)
+               rsp->hdr.Status = STATUS_INSUFFICIENT_RESOURCES;
++      else if (rc == -EOPNOTSUPP)
++              rsp->hdr.Status = STATUS_NOT_SUPPORTED;
+       else if (rc)
+               rsp->hdr.Status = STATUS_LOGON_FAILURE;
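Review bot: The new `user_guest(sess->user)` test on the binding path in `smb2_sess_setup()` runs without a visible check that `sess->user` is set. Whether the earlier session-state checks guarantee that is outside the hunk and should be confirmed, since a NULL here would be dereferenced on a pre-authentication request. The two conditions changed in `ntlm_authenticate()` would read better as `!conn->binding` than `conn->binding == false`. A short comment on the new rejection, e.g. `/* a guest session must not be bound to another channel */`, would also help, as the commit message says only what is returned, not why.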
diff --git a/queue-6.2/kvm-risc-v-retry-fault-if-vma_lookup-results-become-invalid.patch b/queue-6.2/kvm-risc-v-retry-fault-if-vma_lookup-results-become-invalid.patch
new file mode 100644 (file)
index 0000000..cf9a631
--- /dev/null
@@ -0,0 +1,87 @@
+From 2ed90cb0938a45b12eb947af062d12c7af0067b3 Mon Sep 17 00:00:00 2001
+From: David Matlack <dmatlack@google.com>
+Date: Fri, 17 Mar 2023 14:11:06 -0700
+Subject: KVM: RISC-V: Retry fault if vma_lookup() results become invalid
+
+From: David Matlack <dmatlack@google.com>
+
+commit 2ed90cb0938a45b12eb947af062d12c7af0067b3 upstream.
+
+Read mmu_invalidate_seq before dropping the mmap_lock so that KVM can
+detect if the results of vma_lookup() (e.g. vma_shift) become stale
+before it acquires kvm->mmu_lock. This fixes a theoretical bug where a
+VMA could be changed by userspace after vma_lookup() and before KVM
+reads the mmu_invalidate_seq, causing KVM to install page table entries
+based on a (possibly) no-longer-valid vma_shift.
+
+Re-order the MMU cache top-up to earlier in user_mem_abort() so that it
+is not done after KVM has read mmu_invalidate_seq (i.e. so as to avoid
+inducing spurious fault retries).
+
+It's unlikely that any sane userspace currently modifies VMAs in such a
+way as to trigger this race. And even with directed testing I was unable
+to reproduce it. But a sufficiently motivated host userspace might be
+able to exploit this race.
+
+Note KVM/ARM had the same bug and was fixed in a separate, near
+identical patch (see Link).
+
+Link: https://lore.kernel.org/kvm/20230313235454.2964067-1-dmatlack@google.com/
+Fixes: 9955371cc014 ("RISC-V: KVM: Implement MMU notifiers")
+Cc: stable@vger.kernel.org
+Signed-off-by: David Matlack <dmatlack@google.com>
+Tested-by: Anup Patel <anup@brainfault.org>
+Signed-off-by: Anup Patel <anup@brainfault.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kvm/mmu.c |   25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+--- a/arch/riscv/kvm/mmu.c
++++ b/arch/riscv/kvm/mmu.c
+@@ -628,6 +628,13 @@ int kvm_riscv_gstage_map(struct kvm_vcpu
+                       !(memslot->flags & KVM_MEM_READONLY)) ? true : false;
+       unsigned long vma_pagesize, mmu_seq;
++      /* We need minimum second+third level pages */
++      ret = kvm_mmu_topup_memory_cache(pcache, gstage_pgd_levels);
++      if (ret) {
++              kvm_err("Failed to topup G-stage cache\n");
++              return ret;
++      }
++
+       mmap_read_lock(current->mm);
+       vma = vma_lookup(current->mm, hva);
+@@ -648,6 +655,15 @@ int kvm_riscv_gstage_map(struct kvm_vcpu
+       if (vma_pagesize == PMD_SIZE || vma_pagesize == PGDIR_SIZE)
+               gfn = (gpa & huge_page_mask(hstate_vma(vma))) >> PAGE_SHIFT;
++      /*
++       * Read mmu_invalidate_seq so that KVM can detect if the results of
++       * vma_lookup() or gfn_to_pfn_prot() become stale priort to acquiring
++       * kvm->mmu_lock.
++       *
++       * Rely on mmap_read_unlock() for an implicit smp_rmb(), which pairs
++       * with the smp_wmb() in kvm_mmu_invalidate_end().
++       */
++      mmu_seq = kvm->mmu_invalidate_seq;
+       mmap_read_unlock(current->mm);
+       if (vma_pagesize != PGDIR_SIZE &&
+@@ -657,15 +673,6 @@ int kvm_riscv_gstage_map(struct kvm_vcpu
+               return -EFAULT;
+       }
+-      /* We need minimum second+third level pages */
+-      ret = kvm_mmu_topup_memory_cache(pcache, gstage_pgd_levels);
+-      if (ret) {
+-              kvm_err("Failed to topup G-stage cache\n");
+-              return ret;
+-      }
+-
+-      mmu_seq = kvm->mmu_invalidate_seq;
+-
+       hfn = gfn_to_pfn_prot(kvm, gfn, is_write, &writable);
+       if (hfn == KVM_PFN_ERR_HWPOISON) {
+               send_sig_mceerr(BUS_MCEERR_AR, (void __user *)hva,
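Review bot: The comment added above `mmu_seq = kvm->mmu_invalidate_seq;` misspells "prior" as `priort`, and it is the only place where the ordering requirement is written down. The line should read `* vma_lookup() or gfn_to_pfn_prot() become stale prior to acquiring`. The snapshot closes the race only if the later check under kvm->mmu_lock compares against this same mmu_seq. That check sits in the part of kvm_riscv_gstage_map() outside the hunk, so it cannot be confirmed from the lines shown. As this is a stable backport, the wording fix would have to land upstream first.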
diff --git a/queue-6.2/risc-v-align-sbi-probe-implementation-with-spec.patch b/queue-6.2/risc-v-align-sbi-probe-implementation-with-spec.patch
new file mode 100644 (file)
index 0000000..826f87d
--- /dev/null
@@ -0,0 +1,144 @@
+From 41cad8284d5e6bf1d49d3c10a6b52ee1ae866a20 Mon Sep 17 00:00:00 2001
+From: Andrew Jones <ajones@ventanamicro.com>
+Date: Thu, 27 Apr 2023 18:36:26 +0200
+Subject: RISC-V: Align SBI probe implementation with spec
+
+From: Andrew Jones <ajones@ventanamicro.com>
+
+commit 41cad8284d5e6bf1d49d3c10a6b52ee1ae866a20 upstream.
+
+sbi_probe_extension() is specified with "Returns 0 if the given SBI
+extension ID (EID) is not available, or 1 if it is available unless
+defined as any other non-zero value by the implementation."
+Additionally, sbiret.value is a long. Fix the implementation to
+ensure any nonzero long value is considered a success, rather
+than only positive int values.
+
+Fixes: b9dcd9e41587 ("RISC-V: Add basic support for SBI v0.2")
+Signed-off-by: Andrew Jones <ajones@ventanamicro.com>
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230427163626.101042-1-ajones@ventanamicro.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/sbi.h        |    2 +-
+ arch/riscv/kernel/cpu_ops.c         |    2 +-
+ arch/riscv/kernel/sbi.c             |   17 ++++++++---------
+ arch/riscv/kvm/main.c               |    2 +-
+ drivers/cpuidle/cpuidle-riscv-sbi.c |    2 +-
+ drivers/perf/riscv_pmu_sbi.c        |    2 +-
+ 6 files changed, 13 insertions(+), 14 deletions(-)
+
+--- a/arch/riscv/include/asm/sbi.h
++++ b/arch/riscv/include/asm/sbi.h
+@@ -293,7 +293,7 @@ int sbi_remote_hfence_vvma_asid(const st
+                               unsigned long start,
+                               unsigned long size,
+                               unsigned long asid);
+-int sbi_probe_extension(int ext);
++long sbi_probe_extension(int ext);
+ /* Check if current SBI specification version is 0.1 or not */
+ static inline int sbi_spec_is_0_1(void)
+--- a/arch/riscv/kernel/cpu_ops.c
++++ b/arch/riscv/kernel/cpu_ops.c
+@@ -27,7 +27,7 @@ const struct cpu_operations cpu_ops_spin
+ void __init cpu_set_ops(int cpuid)
+ {
+ #if IS_ENABLED(CONFIG_RISCV_SBI)
+-      if (sbi_probe_extension(SBI_EXT_HSM) > 0) {
++      if (sbi_probe_extension(SBI_EXT_HSM)) {
+               if (!cpuid)
+                       pr_info("SBI HSM extension detected\n");
+               cpu_ops[cpuid] = &cpu_ops_sbi;
+--- a/arch/riscv/kernel/sbi.c
++++ b/arch/riscv/kernel/sbi.c
+@@ -581,19 +581,18 @@ static void sbi_srst_power_off(void)
+  * sbi_probe_extension() - Check if an SBI extension ID is supported or not.
+  * @extid: The extension ID to be probed.
+  *
+- * Return: Extension specific nonzero value f yes, -ENOTSUPP otherwise.
++ * Return: 1 or an extension specific nonzero value if yes, 0 otherwise.
+  */
+-int sbi_probe_extension(int extid)
++long sbi_probe_extension(int extid)
+ {
+       struct sbiret ret;
+       ret = sbi_ecall(SBI_EXT_BASE, SBI_EXT_BASE_PROBE_EXT, extid,
+                       0, 0, 0, 0, 0);
+       if (!ret.error)
+-              if (ret.value)
+-                      return ret.value;
++              return ret.value;
+-      return -ENOTSUPP;
++      return 0;
+ }
+ EXPORT_SYMBOL(sbi_probe_extension);
+@@ -665,26 +664,26 @@ void __init sbi_init(void)
+       if (!sbi_spec_is_0_1()) {
+               pr_info("SBI implementation ID=0x%lx Version=0x%lx\n",
+                       sbi_get_firmware_id(), sbi_get_firmware_version());
+-              if (sbi_probe_extension(SBI_EXT_TIME) > 0) {
++              if (sbi_probe_extension(SBI_EXT_TIME)) {
+                       __sbi_set_timer = __sbi_set_timer_v02;
+                       pr_info("SBI TIME extension detected\n");
+               } else {
+                       __sbi_set_timer = __sbi_set_timer_v01;
+               }
+-              if (sbi_probe_extension(SBI_EXT_IPI) > 0) {
++              if (sbi_probe_extension(SBI_EXT_IPI)) {
+                       __sbi_send_ipi  = __sbi_send_ipi_v02;
+                       pr_info("SBI IPI extension detected\n");
+               } else {
+                       __sbi_send_ipi  = __sbi_send_ipi_v01;
+               }
+-              if (sbi_probe_extension(SBI_EXT_RFENCE) > 0) {
++              if (sbi_probe_extension(SBI_EXT_RFENCE)) {
+                       __sbi_rfence    = __sbi_rfence_v02;
+                       pr_info("SBI RFENCE extension detected\n");
+               } else {
+                       __sbi_rfence    = __sbi_rfence_v01;
+               }
+               if ((sbi_spec_version >= sbi_mk_version(0, 3)) &&
+-                  (sbi_probe_extension(SBI_EXT_SRST) > 0)) {
++                  sbi_probe_extension(SBI_EXT_SRST)) {
+                       pr_info("SBI SRST extension detected\n");
+                       pm_power_off = sbi_srst_power_off;
+                       sbi_srst_reboot_nb.notifier_call = sbi_srst_reboot;
+--- a/arch/riscv/kvm/main.c
++++ b/arch/riscv/kvm/main.c
+@@ -84,7 +84,7 @@ int kvm_arch_init(void *opaque)
+               return -ENODEV;
+       }
+-      if (sbi_probe_extension(SBI_EXT_RFENCE) <= 0) {
++      if (!sbi_probe_extension(SBI_EXT_RFENCE)) {
+               kvm_info("require SBI RFENCE extension\n");
+               return -ENODEV;
+       }
+--- a/drivers/cpuidle/cpuidle-riscv-sbi.c
++++ b/drivers/cpuidle/cpuidle-riscv-sbi.c
+@@ -612,7 +612,7 @@ static int __init sbi_cpuidle_init(void)
+        * 2) SBI HSM extension is available
+        */
+       if ((sbi_spec_version < sbi_mk_version(0, 3)) ||
+-          sbi_probe_extension(SBI_EXT_HSM) <= 0) {
++          !sbi_probe_extension(SBI_EXT_HSM)) {
+               pr_info("HSM suspend not available\n");
+               return 0;
+       }
+--- a/drivers/perf/riscv_pmu_sbi.c
++++ b/drivers/perf/riscv_pmu_sbi.c
+@@ -883,7 +883,7 @@ static int __init pmu_sbi_devinit(void)
+       struct platform_device *pdev;
+       if (sbi_spec_version < sbi_mk_version(0, 3) ||
+-          sbi_probe_extension(SBI_EXT_PMU) <= 0) {
++          !sbi_probe_extension(SBI_EXT_PMU)) {
+               return 0;
+       }
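Review bot: Changing sbi_probe_extension() to return `long`, with 0 instead of -ENOTSUPP on failure, changes the contract for every caller, and only the call sites converted in this patch are visible. A remaining caller in the 6.2 tree that tests `< 0` would now treat a missing extension as present. One that stores the result in an `int` could truncate a nonzero long to 0 on a 64-bit build. There are presumably no such callers, but it is worth searching the target tree for leftover `sbi_probe_extension(...) > 0`, `<= 0` and `< 0` comparisons and `int` assignments before queuing. The kernel-doc line `Return: 1 or an extension specific nonzero value if yes, 0 otherwise.` could also say that an SBI error is reported as 0, since `ret.error` is no longer distinguishable from "not available".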
diff --git a/queue-6.2/riscv-mm-remove-redundant-parameter-of-create_fdt_early_page_table.patch b/queue-6.2/riscv-mm-remove-redundant-parameter-of-create_fdt_early_page_table.patch
new file mode 100644 (file)
index 0000000..4140453
--- /dev/null
@@ -0,0 +1,47 @@
+From e4ef93edd4e0b022529303db1915766ff9de450e Mon Sep 17 00:00:00 2001
+From: Song Shuai <suagrfillet@gmail.com>
+Date: Wed, 26 Apr 2023 18:00:09 +0800
+Subject: riscv: mm: remove redundant parameter of create_fdt_early_page_table
+
+From: Song Shuai <suagrfillet@gmail.com>
+
+commit e4ef93edd4e0b022529303db1915766ff9de450e upstream.
+
+create_fdt_early_page_table() explicitly uses early_pg_dir for
+32-bit fdt mapping and the pgdir parameter is redundant here.
+So remove it and its caller.
+
+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Signed-off-by: Song Shuai <suagrfillet@gmail.com>
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Fixes: ef69d2559fe9 ("riscv: Move early dtb mapping into the fixmap region")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230426100009.685435-1-suagrfillet@gmail.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/mm/init.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/arch/riscv/mm/init.c
++++ b/arch/riscv/mm/init.c
+@@ -843,8 +843,7 @@ static void __init create_kernel_page_ta
+  * this means 2 PMD entries whereas for 32-bit kernel, this is only 1 PGDIR
+  * entry.
+  */
+-static void __init create_fdt_early_page_table(pgd_t *pgdir,
+-                                             uintptr_t fix_fdt_va,
++static void __init create_fdt_early_page_table(uintptr_t fix_fdt_va,
+                                              uintptr_t dtb_pa)
+ {
+       uintptr_t pa = dtb_pa & ~(PMD_SIZE - 1);
+@@ -1034,8 +1033,7 @@ asmlinkage void __init setup_vm(uintptr_
+       create_kernel_page_table(early_pg_dir, true);
+       /* Setup early mapping for FDT early scan */
+-      create_fdt_early_page_table(early_pg_dir,
+-                                  __fix_to_virt(FIX_FDT), dtb_pa);
++      create_fdt_early_page_table(__fix_to_virt(FIX_FDT), dtb_pa);
+       /*
+        * Bootime fixmap only can handle PMD_SIZE mapping. Thus, boot-ioremap
index 7a60ec89fa512f1bd23ccae5efc8a18a56f96494..fd7335fd999bdaf68a91bdefceddc7d4f52c0eaf 100644 (file)
@@ -86,3 +86,18 @@ drm-amd-display-remove-stutter-only-configurations.patch
 drm-amd-display-limit-timing-for-single-dimm-memory.patch
 drm-amd-display-fix-psr-su-dsc-interoperability-supp.patch
 drm-amd-display-fix-a-divided-by-zero-error.patch
+kvm-risc-v-retry-fault-if-vma_lookup-results-become-invalid.patch
+ksmbd-fix-racy-issue-under-cocurrent-smb2-tree-disconnect.patch
+ksmbd-call-rcu_barrier-in-ksmbd_server_exit.patch
+ksmbd-fix-null-pointer-dereference-in-smb2_get_info_filesystem.patch
+ksmbd-fix-memleak-in-session-setup.patch
+ksmbd-not-allow-guest-user-on-multichannel.patch
+ksmbd-fix-deadlock-in-ksmbd_find_crypto_ctx.patch
+acpi-video-remove-acpi_backlight-video-quirk-for-lenovo-thinkpad-w530.patch
+igc-read-before-write-to-srrctl-register.patch
+i2c-omap-fix-standard-mode-false-ack-readings.patch
+riscv-mm-remove-redundant-parameter-of-create_fdt_early_page_table.patch
+tracing-fix-permissions-for-the-buffer_percent-file.patch
+drm-amd-pm-re-enable-the-gfx-imu-when-smu-resume.patch
+iommu-amd-fix-guest-virtual-apic-table-root-pointer-configuration-in-irte.patch
+risc-v-align-sbi-probe-implementation-with-spec.patch
diff --git a/queue-6.2/tracing-fix-permissions-for-the-buffer_percent-file.patch b/queue-6.2/tracing-fix-permissions-for-the-buffer_percent-file.patch
new file mode 100644 (file)
index 0000000..c5d25ed
--- /dev/null
@@ -0,0 +1,37 @@
+From 4f94559f40ad06d627c0fdfc3319cec778a2845b Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Wed, 3 May 2023 16:01:14 +0200
+Subject: tracing: Fix permissions for the buffer_percent file
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+commit 4f94559f40ad06d627c0fdfc3319cec778a2845b upstream.
+
+This file defines both read and write operations, yet it is being
+created as read-only. This means that it can't be written to without the
+CAP_DAC_OVERRIDE capability. Fix the permissions to allow root to write
+to it without the need to override DAC perms.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230503140114.3280002-1-omosnace@redhat.com
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Fixes: 03329f993978 ("tracing: Add tracefs file buffer_percentage")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -9621,7 +9621,7 @@ init_tracer_tracefs(struct trace_array *
+       tr->buffer_percent = 50;
+-      trace_create_file("buffer_percent", TRACE_MODE_READ, d_tracer,
++      trace_create_file("buffer_percent", TRACE_MODE_WRITE, d_tracer,
+                       tr, &buffer_percent_fops);
+       create_trace_options_dir(tr);