--- /dev/null
+From 5b4a056f5c4df51e1462c40d80a7973bbccb53cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Dec 2022 21:13:11 +0100
+Subject: ACPI: resource: do IRQ override on Lenovo 14ALC7
+
+From: Adrian Freund <adrian@freund.io>
+
+[ Upstream commit f3cb9b740869712d448edf3b9ef5952b847caf8b ]
+
+Commit bfcdf58380b1 ("ACPI: resource: do IRQ override on LENOVO IdeaPad")
+added an override for Lenovo IdeaPad 5 16ALC7. The 14ALC7 variant also
+suffers from a broken touchscreen and trackpad.
+
+Fixes: 9946e39fe8d0 ("ACPI: resource: skip IRQ override on AMD Zen platforms")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216804
+Signed-off-by: Adrian Freund <adrian@freund.io>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/resource.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
+index d0bed7e66a33..33921949bd8f 100644
+--- a/drivers/acpi/resource.c
++++ b/drivers/acpi/resource.c
+@@ -417,7 +417,14 @@ static const struct dmi_system_id asus_laptop[] = {
+ { }
+ };
+
+-static const struct dmi_system_id lenovo_82ra[] = {
++static const struct dmi_system_id lenovo_laptop[] = {
++ {
++ .ident = "LENOVO IdeaPad Flex 5 14ALC7",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "82R9"),
++ },
++ },
+ {
+ .ident = "LENOVO IdeaPad Flex 5 16ALC7",
+ .matches = {
+@@ -451,8 +458,8 @@ struct irq_override_cmp {
+ static const struct irq_override_cmp override_table[] = {
+ { medion_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false },
+ { asus_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false },
+- { lenovo_82ra, 6, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true },
+- { lenovo_82ra, 10, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true },
++ { lenovo_laptop, 6, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true },
++ { lenovo_laptop, 10, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true },
+ { schenker_gm_rg, 1, ACPI_EDGE_SENSITIVE, ACPI_ACTIVE_LOW, 1, true },
+ };
+
+--
+2.35.1
+
--- /dev/null
+From cb256c03348bba9ad63c9ac6319dba06fe732997 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Oct 2022 12:33:40 +0200
+Subject: ACPI: resource: do IRQ override on LENOVO IdeaPad
+
+From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+
+[ Upstream commit bfcdf58380b1d9be564a78a9370da722ed1a9965 ]
+
+LENOVO IdeaPad Flex 5 is ryzen-5 based and the commit below removed IRQ
+overriding for those. This broke touchscreen and trackpad:
+ i2c_designware AMDI0010:00: controller timed out
+ i2c_designware AMDI0010:03: controller timed out
+ i2c_hid_acpi i2c-MSFT0001:00: failed to reset device: -61
+ i2c_designware AMDI0010:03: controller timed out
+ ...
+ i2c_hid_acpi i2c-MSFT0001:00: can't add hid device: -61
+ i2c_hid_acpi: probe of i2c-MSFT0001:00 failed with error -61
+
+White-list this specific model in the override_table.
+
+For this to work, the ZEN test needs to be put below the table walk.
+
+Fixes: 37c81d9f1d1b (ACPI: resource: skip IRQ override on AMD Zen platforms)
+Link: https://bugzilla.suse.com/show_bug.cgi?id=1203794
+Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Stable-dep-of: f3cb9b740869 ("ACPI: resource: do IRQ override on Lenovo 14ALC7")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/resource.c | 42 +++++++++++++++++++++++++++--------------
+ 1 file changed, 28 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
+index 596ca9fae389..5154c9861ece 100644
+--- a/drivers/acpi/resource.c
++++ b/drivers/acpi/resource.c
+@@ -417,17 +417,31 @@ static const struct dmi_system_id asus_laptop[] = {
+ { }
+ };
+
++static const struct dmi_system_id lenovo_82ra[] = {
++ {
++ .ident = "LENOVO IdeaPad Flex 5 16ALC7",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "82RA"),
++ },
++ },
++ { }
++};
++
+ struct irq_override_cmp {
+ const struct dmi_system_id *system;
+ unsigned char irq;
+ unsigned char triggering;
+ unsigned char polarity;
+ unsigned char shareable;
++ bool override;
+ };
+
+-static const struct irq_override_cmp skip_override_table[] = {
+- { medion_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0 },
+- { asus_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0 },
++static const struct irq_override_cmp override_table[] = {
++ { medion_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false },
++ { asus_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false },
++ { lenovo_82ra, 6, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true },
++ { lenovo_82ra, 10, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true },
+ };
+
+ static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity,
+@@ -435,6 +449,17 @@ static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity,
+ {
+ int i;
+
++ for (i = 0; i < ARRAY_SIZE(override_table); i++) {
++ const struct irq_override_cmp *entry = &override_table[i];
++
++ if (dmi_check_system(entry->system) &&
++ entry->irq == gsi &&
++ entry->triggering == triggering &&
++ entry->polarity == polarity &&
++ entry->shareable == shareable)
++ return entry->override;
++ }
++
+ #ifdef CONFIG_X86
+ /*
+ * IRQ override isn't needed on modern AMD Zen systems and
+@@ -445,17 +470,6 @@ static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity,
+ return false;
+ #endif
+
+- for (i = 0; i < ARRAY_SIZE(skip_override_table); i++) {
+- const struct irq_override_cmp *entry = &skip_override_table[i];
+-
+- if (dmi_check_system(entry->system) &&
+- entry->irq == gsi &&
+- entry->triggering == triggering &&
+- entry->polarity == polarity &&
+- entry->shareable == shareable)
+- return false;
+- }
+-
+ return true;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 869fbebd35b0272bd69b679190ad43a6c49b31ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Dec 2022 14:33:22 +0100
+Subject: ACPI: resource: do IRQ override on XMG Core 15
+
+From: Erik Schumacher <ofenfisch@googlemail.com>
+
+[ Upstream commit 7592b79ba4a91350b38469e05238308bcfe1019b ]
+
+The Schenker XMG CORE 15 (M22) is Ryzen-6 based and needs IRQ overriding
+for the keyboard to work. Adding an entry for this laptop to the
+override_table makes the internal keyboard functional again.
+
+Signed-off-by: Erik Schumacher <ofenfisch@googlemail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Stable-dep-of: f3cb9b740869 ("ACPI: resource: do IRQ override on Lenovo 14ALC7")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/resource.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
+index 5154c9861ece..d0bed7e66a33 100644
+--- a/drivers/acpi/resource.c
++++ b/drivers/acpi/resource.c
+@@ -428,6 +428,17 @@ static const struct dmi_system_id lenovo_82ra[] = {
+ { }
+ };
+
++static const struct dmi_system_id schenker_gm_rg[] = {
++ {
++ .ident = "XMG CORE 15 (M22)",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"),
++ DMI_MATCH(DMI_BOARD_NAME, "GMxRGxx"),
++ },
++ },
++ { }
++};
++
+ struct irq_override_cmp {
+ const struct dmi_system_id *system;
+ unsigned char irq;
+@@ -442,6 +453,7 @@ static const struct irq_override_cmp override_table[] = {
+ { asus_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false },
+ { lenovo_82ra, 6, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true },
+ { lenovo_82ra, 10, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true },
++ { schenker_gm_rg, 1, ACPI_EDGE_SENSITIVE, ACPI_ACTIVE_LOW, 1, true },
+ };
+
+ static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity,
+--
+2.35.1
+
--- /dev/null
+From 24c46f3901bc96e4922b91ea7cb68dcafb0495a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Aug 2022 23:04:19 -0400
+Subject: ACPI: resource: Skip IRQ override on Asus Vivobook K3402ZA/K3502ZA
+
+From: Tamim Khan <tamim@fusetak.com>
+
+[ Upstream commit e12dee3736731e24b1e7367f87d66ac0fcd73ce7 ]
+
+In the ACPI DSDT table for Asus VivoBook K3402ZA/K3502ZA
+IRQ 1 is described as ActiveLow; however, the kernel overrides
+it to Edge_High. This prevents the internal keyboard from working
+on these laptops. In order to fix this add these laptops to the
+skip_override_table so that the kernel does not override IRQ 1 to
+Edge_High.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216158
+Reviewed-by: Hui Wang <hui.wang@canonical.com>
+Tested-by: Tamim Khan <tamim@fusetak.com>
+Tested-by: Sunand <sunandchakradhar@gmail.com>
+Signed-off-by: Tamim Khan <tamim@fusetak.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Stable-dep-of: f3cb9b740869 ("ACPI: resource: do IRQ override on Lenovo 14ALC7")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/resource.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
+index 19358a641610..596ca9fae389 100644
+--- a/drivers/acpi/resource.c
++++ b/drivers/acpi/resource.c
+@@ -399,6 +399,24 @@ static const struct dmi_system_id medion_laptop[] = {
+ { }
+ };
+
++static const struct dmi_system_id asus_laptop[] = {
++ {
++ .ident = "Asus Vivobook K3402ZA",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_BOARD_NAME, "K3402ZA"),
++ },
++ },
++ {
++ .ident = "Asus Vivobook K3502ZA",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_BOARD_NAME, "K3502ZA"),
++ },
++ },
++ { }
++};
++
+ struct irq_override_cmp {
+ const struct dmi_system_id *system;
+ unsigned char irq;
+@@ -409,6 +427,7 @@ struct irq_override_cmp {
+
+ static const struct irq_override_cmp skip_override_table[] = {
+ { medion_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0 },
++ { asus_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0 },
+ };
+
+ static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity,
+--
+2.35.1
+
--- /dev/null
+From b427d14ec06d8f83185f206dc9edc07f19f616be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 09:26:34 +0000
+Subject: ata: ahci: Fix PCS quirk application for suspend
+
+From: Adam Vodopjan <grozzly@protonmail.com>
+
+[ Upstream commit 37e14e4f3715428b809e4df9a9958baa64c77d51 ]
+
+Since kernel 5.3.4 my laptop (ICH8M controller) does not see Kingston
+SV300S37A60G SSD disk connected into a SATA connector on wake from
+suspend. The problem was introduced in c312ef176399 ("libata/ahci: Drop
+PCS quirk for Denverton and beyond"): the quirk is not applied on wake
+from suspend as it originally was.
+
+It is worth to mention the commit contained another bug: the quirk is
+not applied at all to controllers which require it. The fix commit
+09d6ac8dc51a ("libata/ahci: Fix PCS quirk application") landed in 5.3.8.
+So testing my patch anywhere between commits c312ef176399 and
+09d6ac8dc51a is pointless.
+
+Not all disks trigger the problem. For example nothing bad happens with
+Western Digital WD5000LPCX HDD.
+
+Test hardware:
+- Acer 5920G with ICH8M SATA controller
+- sda: some SATA HDD connnected into the DVD drive IDE port with a
+ SATA-IDE caddy. It is a boot disk
+- sdb: Kingston SV300S37A60G SSD connected into the only SATA port
+
+Sample "dmesg --notime | grep -E '^(sd |ata)'" output on wake:
+
+sd 0:0:0:0: [sda] Starting disk
+sd 2:0:0:0: [sdb] Starting disk
+ata4: SATA link down (SStatus 4 SControl 300)
+ata3: SATA link down (SStatus 4 SControl 300)
+ata1.00: ACPI cmd ef/03:0c:00:00:00:a0 (SET FEATURES) filtered out
+ata1.00: ACPI cmd ef/03:42:00:00:00:a0 (SET FEATURES) filtered out
+ata1: FORCE: cable set to 80c
+ata5: SATA link down (SStatus 0 SControl 300)
+ata3: SATA link down (SStatus 4 SControl 300)
+ata3: SATA link down (SStatus 4 SControl 300)
+ata3.00: disabled
+sd 2:0:0:0: rejecting I/O to offline device
+ata3.00: detaching (SCSI 2:0:0:0)
+sd 2:0:0:0: [sdb] Start/Stop Unit failed: Result: hostbyte=DID_NO_CONNECT
+ driverbyte=DRIVER_OK
+sd 2:0:0:0: [sdb] Synchronizing SCSI cache
+sd 2:0:0:0: [sdb] Synchronize Cache(10) failed: Result:
+ hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK
+sd 2:0:0:0: [sdb] Stopping disk
+sd 2:0:0:0: [sdb] Start/Stop Unit failed: Result: hostbyte=DID_BAD_TARGET
+ driverbyte=DRIVER_OK
+
+Commit c312ef176399 dropped ahci_pci_reset_controller() which internally
+calls ahci_reset_controller() and applies the PCS quirk if needed after
+that. It was called each time a reset was required instead of just
+ahci_reset_controller(). This patch puts the function back in place.
+
+Fixes: c312ef176399 ("libata/ahci: Drop PCS quirk for Denverton and beyond")
+Signed-off-by: Adam Vodopjan <grozzly@protonmail.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/ahci.c | 32 +++++++++++++++++++++++---------
+ 1 file changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index c1bf7117a9ff..149ee16fd022 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -83,6 +83,7 @@ enum board_ids {
+ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent);
+ static void ahci_remove_one(struct pci_dev *dev);
+ static void ahci_shutdown_one(struct pci_dev *dev);
++static void ahci_intel_pcs_quirk(struct pci_dev *pdev, struct ahci_host_priv *hpriv);
+ static int ahci_vt8251_hardreset(struct ata_link *link, unsigned int *class,
+ unsigned long deadline);
+ static int ahci_avn_hardreset(struct ata_link *link, unsigned int *class,
+@@ -668,6 +669,25 @@ static void ahci_pci_save_initial_config(struct pci_dev *pdev,
+ ahci_save_initial_config(&pdev->dev, hpriv);
+ }
+
++static int ahci_pci_reset_controller(struct ata_host *host)
++{
++ struct pci_dev *pdev = to_pci_dev(host->dev);
++ struct ahci_host_priv *hpriv = host->private_data;
++ int rc;
++
++ rc = ahci_reset_controller(host);
++ if (rc)
++ return rc;
++
++ /*
++ * If platform firmware failed to enable ports, try to enable
++ * them here.
++ */
++ ahci_intel_pcs_quirk(pdev, hpriv);
++
++ return 0;
++}
++
+ static void ahci_pci_init_controller(struct ata_host *host)
+ {
+ struct ahci_host_priv *hpriv = host->private_data;
+@@ -869,7 +889,7 @@ static int ahci_pci_device_runtime_resume(struct device *dev)
+ struct ata_host *host = pci_get_drvdata(pdev);
+ int rc;
+
+- rc = ahci_reset_controller(host);
++ rc = ahci_pci_reset_controller(host);
+ if (rc)
+ return rc;
+ ahci_pci_init_controller(host);
+@@ -904,7 +924,7 @@ static int ahci_pci_device_resume(struct device *dev)
+ ahci_mcp89_apple_enable(pdev);
+
+ if (pdev->dev.power.power_state.event == PM_EVENT_SUSPEND) {
+- rc = ahci_reset_controller(host);
++ rc = ahci_pci_reset_controller(host);
+ if (rc)
+ return rc;
+
+@@ -1789,12 +1809,6 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ /* save initial config */
+ ahci_pci_save_initial_config(pdev, hpriv);
+
+- /*
+- * If platform firmware failed to enable ports, try to enable
+- * them here.
+- */
+- ahci_intel_pcs_quirk(pdev, hpriv);
+-
+ /* prepare host */
+ if (hpriv->cap & HOST_CAP_NCQ) {
+ pi.flags |= ATA_FLAG_NCQ;
+@@ -1904,7 +1918,7 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ if (rc)
+ return rc;
+
+- rc = ahci_reset_controller(host);
++ rc = ahci_pci_reset_controller(host);
+ if (rc)
+ return rc;
+
+--
+2.35.1
+
--- /dev/null
+From 2a7b5eafdcb56a4e1140101a85beb40fffed67f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Dec 2022 11:06:05 +0800
+Subject: block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 246cf66e300b76099b5dbd3fdd39e9a5dbc53f02 ]
+
+Commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'")
+will access 'bic->bfqq' in bic_set_bfqq(), however, bfq_exit_icq_bfqq()
+can free bfqq first, and then call bic_set_bfqq(), which will cause uaf.
+
+Fix the problem by moving bfq_exit_bfqq() behind bic_set_bfqq().
+
+Fixes: 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'")
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20221226030605.1437081-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index b8b6e9eae94b..85120d7b5cf0 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -5251,8 +5251,8 @@ static void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync)
+ unsigned long flags;
+
+ spin_lock_irqsave(&bfqd->lock, flags);
+- bfq_exit_bfqq(bfqd, bfqq);
+ bic_set_bfqq(bic, NULL, is_sync);
++ bfq_exit_bfqq(bfqd, bfqq);
+ spin_unlock_irqrestore(&bfqd->lock, flags);
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From 3330a3b2095de62d1c8682153b05154556194c99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 09:03:10 +0800
+Subject: fs/ntfs3: Add null pointer check for inode operations
+
+From: Edward Lo <edward.lo@ambergroup.io>
+
+[ Upstream commit c1ca8ef0262b25493631ecbd9cb8c9893e1481a1 ]
+
+This adds a sanity check for the i_op pointer of the inode which is
+returned after reading Root directory MFT record. We should check the
+i_op is valid before trying to create the root dentry, otherwise we may
+encounter a NPD while mounting a image with a funny Root directory MFT
+record.
+
+[ 114.484325] BUG: kernel NULL pointer dereference, address: 0000000000000008
+[ 114.484811] #PF: supervisor read access in kernel mode
+[ 114.485084] #PF: error_code(0x0000) - not-present page
+[ 114.485606] PGD 0 P4D 0
+[ 114.485975] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
+[ 114.486570] CPU: 0 PID: 237 Comm: mount Tainted: G B 6.0.0-rc4 #28
+[ 114.486977] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+[ 114.488169] RIP: 0010:d_flags_for_inode+0xe0/0x110
+[ 114.488816] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241
+[ 114.490326] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296
+[ 114.490695] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea
+[ 114.490986] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff87abd020
+[ 114.491364] RBP: ffff8880065e7ac8 R08: 0000000000000001 R09: fffffbfff0f57a05
+[ 114.491675] R10: ffffffff87abd027 R11: fffffbfff0f57a04 R12: 0000000000000000
+[ 114.491954] R13: 0000000000000008 R14: 0000000000000000 R15: ffff888008ccd750
+[ 114.492397] FS: 00007fdc8a627e40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000
+[ 114.492797] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 114.493150] CR2: 0000000000000008 CR3: 00000000013ba000 CR4: 00000000000006f0
+[ 114.493671] Call Trace:
+[ 114.493890] <TASK>
+[ 114.494075] __d_instantiate+0x24/0x1c0
+[ 114.494505] d_instantiate.part.0+0x35/0x50
+[ 114.494754] d_make_root+0x53/0x80
+[ 114.494998] ntfs_fill_super+0x1232/0x1b50
+[ 114.495260] ? put_ntfs+0x1d0/0x1d0
+[ 114.495499] ? vsprintf+0x20/0x20
+[ 114.495723] ? set_blocksize+0x95/0x150
+[ 114.495964] get_tree_bdev+0x232/0x370
+[ 114.496272] ? put_ntfs+0x1d0/0x1d0
+[ 114.496502] ntfs_fs_get_tree+0x15/0x20
+[ 114.496859] vfs_get_tree+0x4c/0x130
+[ 114.497099] path_mount+0x654/0xfe0
+[ 114.497507] ? putname+0x80/0xa0
+[ 114.497933] ? finish_automount+0x2e0/0x2e0
+[ 114.498362] ? putname+0x80/0xa0
+[ 114.498571] ? kmem_cache_free+0x1c4/0x440
+[ 114.498819] ? putname+0x80/0xa0
+[ 114.499069] do_mount+0xd6/0xf0
+[ 114.499343] ? path_mount+0xfe0/0xfe0
+[ 114.499683] ? __kasan_check_write+0x14/0x20
+[ 114.500133] __x64_sys_mount+0xca/0x110
+[ 114.500592] do_syscall_64+0x3b/0x90
+[ 114.500930] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 114.501294] RIP: 0033:0x7fdc898e948a
+[ 114.501542] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
+[ 114.502716] RSP: 002b:00007ffd793e58f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
+[ 114.503175] RAX: ffffffffffffffda RBX: 0000564b2228f060 RCX: 00007fdc898e948a
+[ 114.503588] RDX: 0000564b2228f260 RSI: 0000564b2228f2e0 RDI: 0000564b22297ce0
+[ 114.504925] RBP: 0000000000000000 R08: 0000564b2228f280 R09: 0000000000000020
+[ 114.505484] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564b22297ce0
+[ 114.505823] R13: 0000564b2228f260 R14: 0000000000000000 R15: 00000000ffffffff
+[ 114.506562] </TASK>
+[ 114.506887] Modules linked in:
+[ 114.507648] CR2: 0000000000000008
+[ 114.508884] ---[ end trace 0000000000000000 ]---
+[ 114.509675] RIP: 0010:d_flags_for_inode+0xe0/0x110
+[ 114.510140] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241
+[ 114.511762] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296
+[ 114.512401] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea
+[ 114.513103] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff87abd020
+[ 114.513512] RBP: ffff8880065e7ac8 R08: 0000000000000001 R09: fffffbfff0f57a05
+[ 114.513831] R10: ffffffff87abd027 R11: fffffbfff0f57a04 R12: 0000000000000000
+[ 114.514757] R13: 0000000000000008 R14: 0000000000000000 R15: ffff888008ccd750
+[ 114.515411] FS: 00007fdc8a627e40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000
+[ 114.515794] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 114.516208] CR2: 0000000000000008 CR3: 00000000013ba000 CR4: 00000000000006f0
+
+Signed-off-by: Edward Lo <edward.lo@ambergroup.io>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/super.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
+index 4ff0d2c9507c..a18fb431abbe 100644
+--- a/fs/ntfs3/super.c
++++ b/fs/ntfs3/super.c
+@@ -1255,9 +1255,9 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
+ ref.low = cpu_to_le32(MFT_REC_ROOT);
+ ref.seq = cpu_to_le16(MFT_REC_ROOT);
+ inode = ntfs_iget5(sb, &ref, &NAME_ROOT);
+- if (IS_ERR(inode)) {
++ if (IS_ERR(inode) || !inode->i_op) {
+ ntfs_err(sb, "Failed to load root.");
+- err = PTR_ERR(inode);
++ err = IS_ERR(inode) ? PTR_ERR(inode) : -EINVAL;
+ goto out;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From b803fe1ed5a66a3d5b2ca2388be0abce9d6e3f45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Aug 2022 01:05:18 +0800
+Subject: fs/ntfs3: Add null pointer check to attr_load_runs_vcn
+
+From: Edward Lo <edward.lo@ambergroup.io>
+
+[ Upstream commit 2681631c29739509eec59cc0b34e977bb04c6cf1 ]
+
+Some metadata files are handled before MFT. This adds a null pointer
+check for some corner cases that could lead to NPD while reading these
+metadata files for a malformed NTFS image.
+
+[ 240.190827] BUG: kernel NULL pointer dereference, address: 0000000000000158
+[ 240.191583] #PF: supervisor read access in kernel mode
+[ 240.191956] #PF: error_code(0x0000) - not-present page
+[ 240.192391] PGD 0 P4D 0
+[ 240.192897] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
+[ 240.193805] CPU: 0 PID: 242 Comm: mount Tainted: G B 5.19.0+ #17
+[ 240.194477] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+[ 240.195152] RIP: 0010:ni_find_attr+0xae/0x300
+[ 240.195679] Code: c8 48 c7 45 88 c0 4e 5e 86 c7 00 f1 f1 f1 f1 c7 40 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 e2 d9f
+[ 240.196642] RSP: 0018:ffff88800812f690 EFLAGS: 00000286
+[ 240.197019] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff85ef037a
+[ 240.197523] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff88e95f60
+[ 240.197877] RBP: ffff88800812f738 R08: 0000000000000001 R09: fffffbfff11d2bed
+[ 240.198292] R10: ffffffff88e95f67 R11: fffffbfff11d2bec R12: 0000000000000000
+[ 240.198647] R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000
+[ 240.199410] FS: 00007f233c33be40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000
+[ 240.199895] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 240.200314] CR2: 0000000000000158 CR3: 0000000004d32000 CR4: 00000000000006f0
+[ 240.200839] Call Trace:
+[ 240.201104] <TASK>
+[ 240.201502] ? ni_load_mi+0x80/0x80
+[ 240.202297] ? ___slab_alloc+0x465/0x830
+[ 240.202614] attr_load_runs_vcn+0x8c/0x1a0
+[ 240.202886] ? __kasan_slab_alloc+0x32/0x90
+[ 240.203157] ? attr_data_write_resident+0x250/0x250
+[ 240.203543] mi_read+0x133/0x2c0
+[ 240.203785] mi_get+0x70/0x140
+[ 240.204012] ni_load_mi_ex+0xfa/0x190
+[ 240.204346] ? ni_std5+0x90/0x90
+[ 240.204588] ? __kasan_kmalloc+0x88/0xb0
+[ 240.204859] ni_enum_attr_ex+0xf1/0x1c0
+[ 240.205107] ? ni_fname_type.part.0+0xd0/0xd0
+[ 240.205600] ? ntfs_load_attr_list+0xbe/0x300
+[ 240.205864] ? ntfs_cmp_names_cpu+0x125/0x180
+[ 240.206157] ntfs_iget5+0x56c/0x1870
+[ 240.206510] ? ntfs_get_block_bmap+0x70/0x70
+[ 240.206776] ? __kasan_kmalloc+0x88/0xb0
+[ 240.207030] ? set_blocksize+0x95/0x150
+[ 240.207545] ntfs_fill_super+0xb8f/0x1e20
+[ 240.207839] ? put_ntfs+0x1d0/0x1d0
+[ 240.208069] ? vsprintf+0x20/0x20
+[ 240.208467] ? mutex_unlock+0x81/0xd0
+[ 240.208846] ? set_blocksize+0x95/0x150
+[ 240.209221] get_tree_bdev+0x232/0x370
+[ 240.209804] ? put_ntfs+0x1d0/0x1d0
+[ 240.210519] ntfs_fs_get_tree+0x15/0x20
+[ 240.210991] vfs_get_tree+0x4c/0x130
+[ 240.211455] path_mount+0x645/0xfd0
+[ 240.211806] ? putname+0x80/0xa0
+[ 240.212112] ? finish_automount+0x2e0/0x2e0
+[ 240.212559] ? kmem_cache_free+0x110/0x390
+[ 240.212906] ? putname+0x80/0xa0
+[ 240.213329] do_mount+0xd6/0xf0
+[ 240.213829] ? path_mount+0xfd0/0xfd0
+[ 240.214246] ? __kasan_check_write+0x14/0x20
+[ 240.214774] __x64_sys_mount+0xca/0x110
+[ 240.215080] do_syscall_64+0x3b/0x90
+[ 240.215442] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 240.215811] RIP: 0033:0x7f233b4e948a
+[ 240.216104] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
+[ 240.217615] RSP: 002b:00007fff02211ec8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
+[ 240.218718] RAX: ffffffffffffffda RBX: 0000561cdc35b060 RCX: 00007f233b4e948a
+[ 240.219556] RDX: 0000561cdc35b260 RSI: 0000561cdc35b2e0 RDI: 0000561cdc363af0
+[ 240.219975] RBP: 0000000000000000 R08: 0000561cdc35b280 R09: 0000000000000020
+[ 240.220403] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000561cdc363af0
+[ 240.220803] R13: 0000561cdc35b260 R14: 0000000000000000 R15: 00000000ffffffff
+[ 240.221256] </TASK>
+[ 240.221567] Modules linked in:
+[ 240.222028] CR2: 0000000000000158
+[ 240.223291] ---[ end trace 0000000000000000 ]---
+[ 240.223669] RIP: 0010:ni_find_attr+0xae/0x300
+[ 240.224058] Code: c8 48 c7 45 88 c0 4e 5e 86 c7 00 f1 f1 f1 f1 c7 40 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 e2 d9f
+[ 240.225033] RSP: 0018:ffff88800812f690 EFLAGS: 00000286
+[ 240.225968] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff85ef037a
+[ 240.226624] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff88e95f60
+[ 240.227307] RBP: ffff88800812f738 R08: 0000000000000001 R09: fffffbfff11d2bed
+[ 240.227816] R10: ffffffff88e95f67 R11: fffffbfff11d2bec R12: 0000000000000000
+[ 240.228330] R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000
+[ 240.228729] FS: 00007f233c33be40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000
+[ 240.229281] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 240.230298] CR2: 0000000000000158 CR3: 0000000004d32000 CR4: 00000000000006f0
+
+Signed-off-by: Edward Lo <edward.lo@ambergroup.io>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/attrib.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c
+index 43e85c493c05..42af83bcaf13 100644
+--- a/fs/ntfs3/attrib.c
++++ b/fs/ntfs3/attrib.c
+@@ -1146,6 +1146,11 @@ int attr_load_runs_vcn(struct ntfs_inode *ni, enum ATTR_TYPE type,
+ CLST svcn, evcn;
+ u16 ro;
+
++ if (!ni) {
++ /* Is record corrupted? */
++ return -ENOENT;
++ }
++
+ attr = ni_find_attr(ni, NULL, NULL, type, name, name_len, &vcn, NULL);
+ if (!attr) {
+ /* Is record corrupted? */
+--
+2.35.1
+
--- /dev/null
+From 7100b1c42641153fa725d47b35e60addf39ea7d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Aug 2022 18:20:51 +0800
+Subject: fs/ntfs3: Add overflow check for attribute size
+
+From: edward lo <edward.lo@ambergroup.io>
+
+[ Upstream commit e19c6277652efba203af4ecd8eed4bd30a0054c9 ]
+
+The offset addition could overflow and pass the used size check given an
+attribute with very large size (e.g., 0xffffff7f) while parsing MFT
+attributes. This could lead to out-of-bound memory R/W if we try to
+access the next attribute derived by Add2Ptr(attr, asize)
+
+[ 32.963847] BUG: unable to handle page fault for address: ffff956a83c76067
+[ 32.964301] #PF: supervisor read access in kernel mode
+[ 32.964526] #PF: error_code(0x0000) - not-present page
+[ 32.964893] PGD 4dc01067 P4D 4dc01067 PUD 0
+[ 32.965316] Oops: 0000 [#1] PREEMPT SMP NOPTI
+[ 32.965727] CPU: 0 PID: 243 Comm: mount Not tainted 5.19.0+ #6
+[ 32.966050] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+[ 32.966628] RIP: 0010:mi_enum_attr+0x44/0x110
+[ 32.967239] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a
+[ 32.968101] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283
+[ 32.968364] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f
+[ 32.968651] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8
+[ 32.968963] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f
+[ 32.969249] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000
+[ 32.969870] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170
+[ 32.970655] FS: 00007fdab8189e40(0000) GS:ffff9569fdc00000(0000) knlGS:0000000000000000
+[ 32.971098] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 32.971378] CR2: ffff956a83c76067 CR3: 0000000002c58000 CR4: 00000000000006f0
+[ 32.972098] Call Trace:
+[ 32.972842] <TASK>
+[ 32.973341] ni_enum_attr_ex+0xda/0xf0
+[ 32.974087] ntfs_iget5+0x1db/0xde0
+[ 32.974386] ? slab_post_alloc_hook+0x53/0x270
+[ 32.974778] ? ntfs_fill_super+0x4c7/0x12a0
+[ 32.975115] ntfs_fill_super+0x5d6/0x12a0
+[ 32.975336] get_tree_bdev+0x175/0x270
+[ 32.975709] ? put_ntfs+0x150/0x150
+[ 32.975956] ntfs_fs_get_tree+0x15/0x20
+[ 32.976191] vfs_get_tree+0x2a/0xc0
+[ 32.976374] ? capable+0x19/0x20
+[ 32.976572] path_mount+0x484/0xaa0
+[ 32.977025] ? putname+0x57/0x70
+[ 32.977380] do_mount+0x80/0xa0
+[ 32.977555] __x64_sys_mount+0x8b/0xe0
+[ 32.978105] do_syscall_64+0x3b/0x90
+[ 32.978830] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 32.979311] RIP: 0033:0x7fdab72e948a
+[ 32.980015] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
+[ 32.981251] RSP: 002b:00007ffd15b87588 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
+[ 32.981832] RAX: ffffffffffffffda RBX: 0000557de0aaf060 RCX: 00007fdab72e948a
+[ 32.982234] RDX: 0000557de0aaf260 RSI: 0000557de0aaf2e0 RDI: 0000557de0ab7ce0
+[ 32.982714] RBP: 0000000000000000 R08: 0000557de0aaf280 R09: 0000000000000020
+[ 32.983046] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000557de0ab7ce0
+[ 32.983494] R13: 0000557de0aaf260 R14: 0000000000000000 R15: 00000000ffffffff
+[ 32.984094] </TASK>
+[ 32.984352] Modules linked in:
+[ 32.984753] CR2: ffff956a83c76067
+[ 32.985911] ---[ end trace 0000000000000000 ]---
+[ 32.986555] RIP: 0010:mi_enum_attr+0x44/0x110
+[ 32.987217] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a
+[ 32.988232] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283
+[ 32.988532] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f
+[ 32.988916] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8
+[ 32.989356] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f
+[ 32.989994] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000
+[ 32.990415] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170
+[ 32.991011] FS: 00007fdab8189e40(0000) GS:ffff9569fdc00000(0000) knlGS:0000000000000000
+[ 32.991524] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 32.991936] CR2: ffff956a83c76067 CR3: 0000000002c58000 CR4: 00000000000006f0
+
+This patch adds an overflow check
+
+Signed-off-by: edward lo <edward.lo@ambergroup.io>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/record.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c
+index 861e35791506..30751fd618df 100644
+--- a/fs/ntfs3/record.c
++++ b/fs/ntfs3/record.c
+@@ -220,6 +220,11 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr)
+ return NULL;
+ }
+
++ if (off + asize < off) {
++ /* overflow check */
++ return NULL;
++ }
++
+ attr = Add2Ptr(attr, asize);
+ off += asize;
+ }
+--
+2.35.1
+
--- /dev/null
+From 0d1683fd4e89c5cb99e8e109e77bb08db866f6b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Oct 2022 11:28:55 +0300
+Subject: fs/ntfs3: Delete duplicate condition in ntfs_read_mft()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 658015167a8432b88f5d032e9d85d8fd50e5bf2c ]
+
+There were two patches which addressed the same bug and added the same
+condition:
+
+commit 6db620863f85 ("fs/ntfs3: Validate data run offset")
+commit 887bfc546097 ("fs/ntfs3: Fix slab-out-of-bounds read in run_unpack")
+
+Delete one condition.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/inode.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
+index 00fd368e7b4a..ed640e4e3fac 100644
+--- a/fs/ntfs3/inode.c
++++ b/fs/ntfs3/inode.c
+@@ -374,12 +374,6 @@ static struct inode *ntfs_read_mft(struct inode *inode,
+
+ t64 = le64_to_cpu(attr->nres.svcn);
+
+- /* offset to packed runs is out-of-bounds */
+- if (roff > asize) {
+- err = -EINVAL;
+- goto out;
+- }
+-
+ err = run_unpack_ex(run, sbi, ino, t64, le64_to_cpu(attr->nres.evcn),
+ t64, Add2Ptr(attr, roff), asize - roff);
+ if (err < 0)
+--
+2.35.1
+
--- /dev/null
+From 2c224b6435e8ff7a562e5a63843ee03f7add60a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 19:32:05 +0900
+Subject: fs/ntfs3: Fix memory leak on ntfs_fill_super() error path
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 51e76a232f8c037f1d9e9922edc25b003d5f3414 ]
+
+syzbot reported kmemleak as below:
+
+BUG: memory leak
+unreferenced object 0xffff8880122f1540 (size 32):
+ comm "a.out", pid 6664, jiffies 4294939771 (age 25.500s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 ed ff ed ff 00 00 00 00 ................
+ backtrace:
+ [<ffffffff81b16052>] ntfs_init_fs_context+0x22/0x1c0
+ [<ffffffff8164aaa7>] alloc_fs_context+0x217/0x430
+ [<ffffffff81626dd4>] path_mount+0x704/0x1080
+ [<ffffffff81627e7c>] __x64_sys_mount+0x18c/0x1d0
+ [<ffffffff84593e14>] do_syscall_64+0x34/0xb0
+ [<ffffffff84600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+This patch fixes this issue by freeing mount options on error path of
+ntfs_fill_super().
+
+Reported-by: syzbot+9d67170b20e8f94351c8@syzkaller.appspotmail.com
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/super.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
+index c321f621464b..4ff0d2c9507c 100644
+--- a/fs/ntfs3/super.c
++++ b/fs/ntfs3/super.c
+@@ -1276,6 +1276,7 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
+ * Free resources here.
+ * ntfs_fs_free will be called with fc->s_fs_info = NULL
+ */
++ put_mount_options(sbi->options);
+ put_ntfs(sbi);
+ sb->s_fs_info = NULL;
+
+--
+2.35.1
+
--- /dev/null
+From ce05c3ed4dc63abefac01c11383e4ba6f045f48a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Dec 2021 10:40:45 +0800
+Subject: fs/ntfs3: Fix slab-out-of-bounds in r_page
+
+From: Yin Xiujiang <yinxiujiang@kylinos.cn>
+
+[ Upstream commit ecfbd57cf9c5ca225184ae266ce44ae473792132 ]
+
+When PAGE_SIZE is 64K, if read_log_page is called by log_read_rst for
+the first time, the size of *buffer would be equal to
+DefaultLogPageSize(4K).But for *buffer operations like memcpy,
+if the memory area size(n) which being assigned to buffer is larger
+than 4K (log->page_size(64K) or bytes(64K-page_off)), it will cause
+an out of boundary error.
+ Call trace:
+ [...]
+ kasan_report+0x44/0x130
+ check_memory_region+0xf8/0x1a0
+ memcpy+0xc8/0x100
+ ntfs_read_run_nb+0x20c/0x460
+ read_log_page+0xd0/0x1f4
+ log_read_rst+0x110/0x75c
+ log_replay+0x1e8/0x4aa0
+ ntfs_loadlog_and_replay+0x290/0x2d0
+ ntfs_fill_super+0x508/0xec0
+ get_tree_bdev+0x1fc/0x34c
+ [...]
+
+Fix this by setting variable r_page to NULL in log_read_rst.
+
+Signed-off-by: Yin Xiujiang <yinxiujiang@kylinos.cn>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/fslog.c | 26 ++------------------------
+ 1 file changed, 2 insertions(+), 24 deletions(-)
+
+diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c
+index bcdddcd7bc79..20abdb268286 100644
+--- a/fs/ntfs3/fslog.c
++++ b/fs/ntfs3/fslog.c
+@@ -1132,7 +1132,7 @@ static int read_log_page(struct ntfs_log *log, u32 vbo,
+ return -EINVAL;
+
+ if (!*buffer) {
+- to_free = kmalloc(bytes, GFP_NOFS);
++ to_free = kmalloc(log->page_size, GFP_NOFS);
+ if (!to_free)
+ return -ENOMEM;
+ *buffer = to_free;
+@@ -1180,10 +1180,7 @@ static int log_read_rst(struct ntfs_log *log, u32 l_size, bool first,
+ struct restart_info *info)
+ {
+ u32 skip, vbo;
+- struct RESTART_HDR *r_page = kmalloc(DefaultLogPageSize, GFP_NOFS);
+-
+- if (!r_page)
+- return -ENOMEM;
++ struct RESTART_HDR *r_page = NULL;
+
+ /* Determine which restart area we are looking for. */
+ if (first) {
+@@ -1197,7 +1194,6 @@ static int log_read_rst(struct ntfs_log *log, u32 l_size, bool first,
+ /* Loop continuously until we succeed. */
+ for (; vbo < l_size; vbo = 2 * vbo + skip, skip = 0) {
+ bool usa_error;
+- u32 sys_page_size;
+ bool brst, bchk;
+ struct RESTART_AREA *ra;
+
+@@ -1251,24 +1247,6 @@ static int log_read_rst(struct ntfs_log *log, u32 l_size, bool first,
+ goto check_result;
+ }
+
+- /* Read the entire restart area. */
+- sys_page_size = le32_to_cpu(r_page->sys_page_size);
+- if (DefaultLogPageSize != sys_page_size) {
+- kfree(r_page);
+- r_page = kzalloc(sys_page_size, GFP_NOFS);
+- if (!r_page)
+- return -ENOMEM;
+-
+- if (read_log_page(log, vbo,
+- (struct RECORD_PAGE_HDR **)&r_page,
+- &usa_error)) {
+- /* Ignore any errors. */
+- kfree(r_page);
+- r_page = NULL;
+- continue;
+- }
+- }
+-
+ if (is_client_area_valid(r_page, usa_error)) {
+ info->valid_page = true;
+ ra = Add2Ptr(r_page, le16_to_cpu(r_page->ra_off));
+--
+2.35.1
+
--- /dev/null
+From 4d4341c2c1014bdd39586d16147aabbca7caf6f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Sep 2022 19:09:04 +0800
+Subject: fs/ntfs3: Fix slab-out-of-bounds read in run_unpack
+
+From: Hawkins Jiawei <yin31149@gmail.com>
+
+[ Upstream commit 887bfc546097fbe8071dac13b2fef73b77920899 ]
+
+Syzkaller reports slab-out-of-bounds bug as follows:
+==================================================================
+BUG: KASAN: slab-out-of-bounds in run_unpack+0x8b7/0x970 fs/ntfs3/run.c:944
+Read of size 1 at addr ffff88801bbdff02 by task syz-executor131/3611
+
+[...]
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:317 [inline]
+ print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
+ kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
+ run_unpack+0x8b7/0x970 fs/ntfs3/run.c:944
+ run_unpack_ex+0xb0/0x7c0 fs/ntfs3/run.c:1057
+ ntfs_read_mft fs/ntfs3/inode.c:368 [inline]
+ ntfs_iget5+0xc20/0x3280 fs/ntfs3/inode.c:501
+ ntfs_loadlog_and_replay+0x124/0x5d0 fs/ntfs3/fsntfs.c:272
+ ntfs_fill_super+0x1eff/0x37f0 fs/ntfs3/super.c:1018
+ get_tree_bdev+0x440/0x760 fs/super.c:1323
+ vfs_get_tree+0x89/0x2f0 fs/super.c:1530
+ do_new_mount fs/namespace.c:3040 [inline]
+ path_mount+0x1326/0x1e20 fs/namespace.c:3370
+ do_mount fs/namespace.c:3383 [inline]
+ __do_sys_mount fs/namespace.c:3591 [inline]
+ __se_sys_mount fs/namespace.c:3568 [inline]
+ __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ [...]
+ </TASK>
+
+The buggy address belongs to the physical page:
+page:ffffea00006ef600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bbd8
+head:ffffea00006ef600 order:3 compound_mapcount:0 compound_pincount:0
+flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88801bbdfe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88801bbdfe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff88801bbdff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff88801bbdff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88801bbe0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Kernel will tries to read record and parse MFT from disk in
+ntfs_read_mft().
+
+Yet the problem is that during enumerating attributes in record,
+kernel doesn't check whether run_off field loading from the disk
+is a valid value.
+
+To be more specific, if attr->nres.run_off is larger than attr->size,
+kernel will passes an invalid argument run_buf_size in
+run_unpack_ex(), which having an integer overflow. Then this invalid
+argument will triggers the slab-out-of-bounds Read bug as above.
+
+This patch solves it by adding the sanity check between
+the offset to packed runs and attribute size.
+
+link: https://lore.kernel.org/all/0000000000009145fc05e94bd5c3@google.com/#t
+Reported-and-tested-by: syzbot+8d6fbb27a6aded64b25b@syzkaller.appspotmail.com
+Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/inode.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
+index 66afa3db753a..00fd368e7b4a 100644
+--- a/fs/ntfs3/inode.c
++++ b/fs/ntfs3/inode.c
+@@ -373,6 +373,13 @@ static struct inode *ntfs_read_mft(struct inode *inode,
+ }
+
+ t64 = le64_to_cpu(attr->nres.svcn);
++
++ /* offset to packed runs is out-of-bounds */
++ if (roff > asize) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ err = run_unpack_ex(run, sbi, ino, t64, le64_to_cpu(attr->nres.evcn),
+ t64, Add2Ptr(attr, roff), asize - roff);
+ if (err < 0)
+--
+2.35.1
+
--- /dev/null
+From e994aedcb88f13fe99ef73ee3c5ff595d58c59ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Oct 2022 23:54:11 +0900
+Subject: fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_fill_super()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 59bfd7a483da36bd202532a3d9ea1f14f3bf3aaf ]
+
+syzbot is reporting too large allocation at ntfs_fill_super() [1], for a
+crafted filesystem can contain bogus inode->i_size. Add __GFP_NOWARN in
+order to avoid too large allocation warning, than exhausting memory by
+using kvmalloc().
+
+Link: https://syzkaller.appspot.com/bug?extid=33f3faaa0c08744f7d40 [1]
+Reported-by: syzot <syzbot+33f3faaa0c08744f7d40@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
+index a18fb431abbe..33b1833ad525 100644
+--- a/fs/ntfs3/super.c
++++ b/fs/ntfs3/super.c
+@@ -1136,7 +1136,7 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
+ goto put_inode_out;
+ }
+ bytes = inode->i_size;
+- sbi->def_table = t = kmalloc(bytes, GFP_NOFS);
++ sbi->def_table = t = kmalloc(bytes, GFP_NOFS | __GFP_NOWARN);
+ if (!t) {
+ err = -ENOMEM;
+ goto put_inode_out;
+--
+2.35.1
+
--- /dev/null
+From 8448327fb565365fb90b72b44202c3124e2a593f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Oct 2022 23:39:15 +0900
+Subject: fs/ntfs3: Use __GFP_NOWARN allocation at wnd_init()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 0d0f659bf713662fabed973f9996b8f23c59ca51 ]
+
+syzbot is reporting too large allocation at wnd_init() [1], for a crafted
+filesystem can become wnd->nwnd close to UINT_MAX. Add __GFP_NOWARN in
+order to avoid too large allocation warning, than exhausting memory by
+using kvcalloc().
+
+Link: https://syzkaller.appspot.com/bug?extid=fa4648a5446460b7b963 [1]
+Reported-by: syzot <syzbot+fa4648a5446460b7b963@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/bitmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ntfs3/bitmap.c b/fs/ntfs3/bitmap.c
+index 7f2055b7427a..2a63793f522d 100644
+--- a/fs/ntfs3/bitmap.c
++++ b/fs/ntfs3/bitmap.c
+@@ -666,7 +666,7 @@ int wnd_init(struct wnd_bitmap *wnd, struct super_block *sb, size_t nbits)
+ if (!wnd->bits_last)
+ wnd->bits_last = wbits;
+
+- wnd->free_bits = kcalloc(wnd->nwnd, sizeof(u16), GFP_NOFS);
++ wnd->free_bits = kcalloc(wnd->nwnd, sizeof(u16), GFP_NOFS | __GFP_NOWARN);
+ if (!wnd->free_bits)
+ return -ENOMEM;
+
+--
+2.35.1
+
--- /dev/null
+From d83288f8bdffbbaf9bfbcc38dd5a827621e08900 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 09:04:00 +0800
+Subject: fs/ntfs3: Validate attribute name offset
+
+From: Edward Lo <edward.lo@ambergroup.io>
+
+[ Upstream commit 4f1dc7d9756e66f3f876839ea174df2e656b7f79 ]
+
+Although the attribute name length is checked before comparing it to
+some common names (e.g., $I30), the offset isn't. This adds a sanity
+check for the attribute name offset, guarantee the validity and prevent
+possible out-of-bound memory accesses.
+
+[ 191.720056] BUG: unable to handle page fault for address: ffffebde00000008
+[ 191.721060] #PF: supervisor read access in kernel mode
+[ 191.721586] #PF: error_code(0x0000) - not-present page
+[ 191.722079] PGD 0 P4D 0
+[ 191.722571] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
+[ 191.723179] CPU: 0 PID: 244 Comm: mount Not tainted 6.0.0-rc4 #28
+[ 191.723749] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+[ 191.724832] RIP: 0010:kfree+0x56/0x3b0
+[ 191.725870] Code: 80 48 01 d8 0f 82 65 03 00 00 48 c7 c2 00 00 00 80 48 2b 15 2c 06 dd 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 0a 069
+[ 191.727375] RSP: 0018:ffff8880076f7878 EFLAGS: 00000286
+[ 191.727897] RAX: ffffebde00000000 RBX: 0000000000000040 RCX: ffffffff8528d5b9
+[ 191.728531] RDX: 0000777f80000000 RSI: ffffffff8522d49c RDI: 0000000000000040
+[ 191.729183] RBP: ffff8880076f78a0 R08: 0000000000000000 R09: 0000000000000000
+[ 191.729628] R10: ffff888008949fd8 R11: ffffed10011293fd R12: 0000000000000040
+[ 191.730158] R13: ffff888008949f98 R14: ffff888008949ec0 R15: ffff888008949fb0
+[ 191.730645] FS: 00007f3520cd7e40(0000) GS:ffff88805ba00000(0000) knlGS:0000000000000000
+[ 191.731328] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 191.731667] CR2: ffffebde00000008 CR3: 0000000009704000 CR4: 00000000000006f0
+[ 191.732568] Call Trace:
+[ 191.733231] <TASK>
+[ 191.733860] kvfree+0x2c/0x40
+[ 191.734632] ni_clear+0x180/0x290
+[ 191.735085] ntfs_evict_inode+0x45/0x70
+[ 191.735495] evict+0x199/0x280
+[ 191.735996] iput.part.0+0x286/0x320
+[ 191.736438] iput+0x32/0x50
+[ 191.736811] iget_failed+0x23/0x30
+[ 191.737270] ntfs_iget5+0x337/0x1890
+[ 191.737629] ? ntfs_clear_mft_tail+0x20/0x260
+[ 191.738201] ? ntfs_get_block_bmap+0x70/0x70
+[ 191.738482] ? ntfs_objid_init+0xf6/0x140
+[ 191.738779] ? ntfs_reparse_init+0x140/0x140
+[ 191.739266] ntfs_fill_super+0x121b/0x1b50
+[ 191.739623] ? put_ntfs+0x1d0/0x1d0
+[ 191.739984] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20
+[ 191.740466] ? put_ntfs+0x1d0/0x1d0
+[ 191.740787] ? sb_set_blocksize+0x6a/0x80
+[ 191.741272] get_tree_bdev+0x232/0x370
+[ 191.741829] ? put_ntfs+0x1d0/0x1d0
+[ 191.742669] ntfs_fs_get_tree+0x15/0x20
+[ 191.743132] vfs_get_tree+0x4c/0x130
+[ 191.743457] path_mount+0x654/0xfe0
+[ 191.743938] ? putname+0x80/0xa0
+[ 191.744271] ? finish_automount+0x2e0/0x2e0
+[ 191.744582] ? putname+0x80/0xa0
+[ 191.745053] ? kmem_cache_free+0x1c4/0x440
+[ 191.745403] ? putname+0x80/0xa0
+[ 191.745616] do_mount+0xd6/0xf0
+[ 191.745887] ? path_mount+0xfe0/0xfe0
+[ 191.746287] ? __kasan_check_write+0x14/0x20
+[ 191.746582] __x64_sys_mount+0xca/0x110
+[ 191.746850] do_syscall_64+0x3b/0x90
+[ 191.747122] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 191.747517] RIP: 0033:0x7f351fee948a
+[ 191.748332] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
+[ 191.749341] RSP: 002b:00007ffd51cf3af8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
+[ 191.749960] RAX: ffffffffffffffda RBX: 000055b903733060 RCX: 00007f351fee948a
+[ 191.750589] RDX: 000055b903733260 RSI: 000055b9037332e0 RDI: 000055b90373bce0
+[ 191.751115] RBP: 0000000000000000 R08: 000055b903733280 R09: 0000000000000020
+[ 191.751537] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055b90373bce0
+[ 191.751946] R13: 000055b903733260 R14: 0000000000000000 R15: 00000000ffffffff
+[ 191.752519] </TASK>
+[ 191.752782] Modules linked in:
+[ 191.753785] CR2: ffffebde00000008
+[ 191.754937] ---[ end trace 0000000000000000 ]---
+[ 191.755429] RIP: 0010:kfree+0x56/0x3b0
+[ 191.755725] Code: 80 48 01 d8 0f 82 65 03 00 00 48 c7 c2 00 00 00 80 48 2b 15 2c 06 dd 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 0a 069
+[ 191.756744] RSP: 0018:ffff8880076f7878 EFLAGS: 00000286
+[ 191.757218] RAX: ffffebde00000000 RBX: 0000000000000040 RCX: ffffffff8528d5b9
+[ 191.757580] RDX: 0000777f80000000 RSI: ffffffff8522d49c RDI: 0000000000000040
+[ 191.758016] RBP: ffff8880076f78a0 R08: 0000000000000000 R09: 0000000000000000
+[ 191.758570] R10: ffff888008949fd8 R11: ffffed10011293fd R12: 0000000000000040
+[ 191.758957] R13: ffff888008949f98 R14: ffff888008949ec0 R15: ffff888008949fb0
+[ 191.759317] FS: 00007f3520cd7e40(0000) GS:ffff88805ba00000(0000) knlGS:0000000000000000
+[ 191.759711] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 191.760118] CR2: ffffebde00000008 CR3: 0000000009704000 CR4: 00000000000006f0
+
+Signed-off-by: Edward Lo <edward.lo@ambergroup.io>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/inode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
+index 83d4c9f42d9c..66afa3db753a 100644
+--- a/fs/ntfs3/inode.c
++++ b/fs/ntfs3/inode.c
+@@ -129,6 +129,9 @@ static struct inode *ntfs_read_mft(struct inode *inode,
+ rsize = attr->non_res ? 0 : le32_to_cpu(attr->res.data_size);
+ asize = le32_to_cpu(attr->size);
+
++ if (le16_to_cpu(attr->name_off) + attr->name_len > asize)
++ goto out;
++
+ switch (attr->type) {
+ case ATTR_STD:
+ if (attr->non_res ||
+--
+2.35.1
+
--- /dev/null
+From 57e3d384744280c9eb3c35b10d24f27a98c54cd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Aug 2022 15:37:31 +0800
+Subject: fs/ntfs3: Validate BOOT record_size
+
+From: edward lo <edward.lo@ambergroup.io>
+
+[ Upstream commit 0b66046266690454dc04e6307bcff4a5605b42a1 ]
+
+When the NTFS BOOT record_size field < 0, it represents a
+shift value. However, there is no sanity check on the shift result
+and the sbi->record_bits calculation through blksize_bits() assumes
+the size always > 256, which could lead to NPD while mounting a
+malformed NTFS image.
+
+[ 318.675159] BUG: kernel NULL pointer dereference, address: 0000000000000158
+[ 318.675682] #PF: supervisor read access in kernel mode
+[ 318.675869] #PF: error_code(0x0000) - not-present page
+[ 318.676246] PGD 0 P4D 0
+[ 318.676502] Oops: 0000 [#1] PREEMPT SMP NOPTI
+[ 318.676934] CPU: 0 PID: 259 Comm: mount Not tainted 5.19.0 #5
+[ 318.677289] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+[ 318.678136] RIP: 0010:ni_find_attr+0x2d/0x1c0
+[ 318.678656] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180
+[ 318.679848] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246
+[ 318.680104] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080
+[ 318.680790] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+[ 318.681679] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+[ 318.682577] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080
+[ 318.683015] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000
+[ 318.683618] FS: 00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000
+[ 318.684280] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 318.684651] CR2: 0000000000000158 CR3: 0000000002e1a000 CR4: 00000000000006f0
+[ 318.685623] Call Trace:
+[ 318.686607] <TASK>
+[ 318.686872] ? ntfs_alloc_inode+0x1a/0x60
+[ 318.687235] attr_load_runs_vcn+0x2b/0xa0
+[ 318.687468] mi_read+0xbb/0x250
+[ 318.687576] ntfs_iget5+0x114/0xd90
+[ 318.687750] ntfs_fill_super+0x588/0x11b0
+[ 318.687953] ? put_ntfs+0x130/0x130
+[ 318.688065] ? snprintf+0x49/0x70
+[ 318.688164] ? put_ntfs+0x130/0x130
+[ 318.688256] get_tree_bdev+0x16a/0x260
+[ 318.688407] vfs_get_tree+0x20/0xb0
+[ 318.688519] path_mount+0x2dc/0x9b0
+[ 318.688877] do_mount+0x74/0x90
+[ 318.689142] __x64_sys_mount+0x89/0xd0
+[ 318.689636] do_syscall_64+0x3b/0x90
+[ 318.689998] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 318.690318] RIP: 0033:0x7fd9e133c48a
+[ 318.690687] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
+[ 318.691357] RSP: 002b:00007ffd374406c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
+[ 318.691632] RAX: ffffffffffffffda RBX: 0000564d0b051080 RCX: 00007fd9e133c48a
+[ 318.691920] RDX: 0000564d0b051280 RSI: 0000564d0b051300 RDI: 0000564d0b0596a0
+[ 318.692123] RBP: 0000000000000000 R08: 0000564d0b0512a0 R09: 0000000000000020
+[ 318.692349] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564d0b0596a0
+[ 318.692673] R13: 0000564d0b051280 R14: 0000000000000000 R15: 00000000ffffffff
+[ 318.693007] </TASK>
+[ 318.693271] Modules linked in:
+[ 318.693614] CR2: 0000000000000158
+[ 318.694446] ---[ end trace 0000000000000000 ]---
+[ 318.694779] RIP: 0010:ni_find_attr+0x2d/0x1c0
+[ 318.694952] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180
+[ 318.696042] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246
+[ 318.696531] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080
+[ 318.698114] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+[ 318.699286] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+[ 318.699795] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080
+[ 318.700236] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000
+[ 318.700973] FS: 00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000
+[ 318.701688] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 318.702190] CR2: 0000000000000158 CR3: 0000000002e1a000 CR4: 00000000000006f0
+[ 318.726510] mount (259) used greatest stack depth: 13320 bytes left
+
+This patch adds a sanity check.
+
+Signed-off-by: edward lo <edward.lo@ambergroup.io>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
+index 39b09f32f4db..c321f621464b 100644
+--- a/fs/ntfs3/super.c
++++ b/fs/ntfs3/super.c
+@@ -789,7 +789,7 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size,
+ : (u32)boot->record_size
+ << sbi->cluster_bits;
+
+- if (record_size > MAXIMUM_BYTES_PER_MFT)
++ if (record_size > MAXIMUM_BYTES_PER_MFT || record_size < SECTOR_SIZE)
+ goto out;
+
+ sbi->record_bits = blksize_bits(record_size);
+--
+2.35.1
+
--- /dev/null
+From 5a45e1d684914b92622ddc4de014cc3f3916dbff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 15:30:44 +0800
+Subject: fs/ntfs3: Validate buffer length while parsing index
+
+From: Edward Lo <edward.lo@ambergroup.io>
+
+[ Upstream commit 4d42ecda239cc13738d6fd84d098a32e67b368b9 ]
+
+indx_read is called when we have some NTFS directory operations that
+need more information from the index buffers. This adds a sanity check
+to make sure the returned index buffer length is legit, or we may have
+some out-of-bound memory accesses.
+
+[ 560.897595] BUG: KASAN: slab-out-of-bounds in hdr_find_e.isra.0+0x10c/0x320
+[ 560.898321] Read of size 2 at addr ffff888009497238 by task exp/245
+[ 560.898760]
+[ 560.899129] CPU: 0 PID: 245 Comm: exp Not tainted 6.0.0-rc6 #37
+[ 560.899505] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+[ 560.900170] Call Trace:
+[ 560.900407] <TASK>
+[ 560.900732] dump_stack_lvl+0x49/0x63
+[ 560.901108] print_report.cold+0xf5/0x689
+[ 560.901395] ? hdr_find_e.isra.0+0x10c/0x320
+[ 560.901716] kasan_report+0xa7/0x130
+[ 560.901950] ? hdr_find_e.isra.0+0x10c/0x320
+[ 560.902208] __asan_load2+0x68/0x90
+[ 560.902427] hdr_find_e.isra.0+0x10c/0x320
+[ 560.902846] ? cmp_uints+0xe0/0xe0
+[ 560.903363] ? cmp_sdh+0x90/0x90
+[ 560.903883] ? ntfs_bread_run+0x190/0x190
+[ 560.904196] ? rwsem_down_read_slowpath+0x750/0x750
+[ 560.904969] ? ntfs_fix_post_read+0xe0/0x130
+[ 560.905259] ? __kasan_check_write+0x14/0x20
+[ 560.905599] ? up_read+0x1a/0x90
+[ 560.905853] ? indx_read+0x22c/0x380
+[ 560.906096] indx_find+0x2ef/0x470
+[ 560.906352] ? indx_find_buffer+0x2d0/0x2d0
+[ 560.906692] ? __kasan_kmalloc+0x88/0xb0
+[ 560.906977] dir_search_u+0x196/0x2f0
+[ 560.907220] ? ntfs_nls_to_utf16+0x450/0x450
+[ 560.907464] ? __kasan_check_write+0x14/0x20
+[ 560.907747] ? mutex_lock+0x8f/0xe0
+[ 560.907970] ? __mutex_lock_slowpath+0x20/0x20
+[ 560.908214] ? kmem_cache_alloc+0x143/0x4b0
+[ 560.908459] ntfs_lookup+0xe0/0x100
+[ 560.908788] __lookup_slow+0x116/0x220
+[ 560.909050] ? lookup_fast+0x1b0/0x1b0
+[ 560.909309] ? lookup_fast+0x13f/0x1b0
+[ 560.909601] walk_component+0x187/0x230
+[ 560.909944] link_path_walk.part.0+0x3f0/0x660
+[ 560.910285] ? handle_lookup_down+0x90/0x90
+[ 560.910618] ? path_init+0x642/0x6e0
+[ 560.911084] ? percpu_counter_add_batch+0x6e/0xf0
+[ 560.912559] ? __alloc_file+0x114/0x170
+[ 560.913008] path_openat+0x19c/0x1d10
+[ 560.913419] ? getname_flags+0x73/0x2b0
+[ 560.913815] ? kasan_save_stack+0x3a/0x50
+[ 560.914125] ? kasan_save_stack+0x26/0x50
+[ 560.914542] ? __kasan_slab_alloc+0x6d/0x90
+[ 560.914924] ? kmem_cache_alloc+0x143/0x4b0
+[ 560.915339] ? getname_flags+0x73/0x2b0
+[ 560.915647] ? getname+0x12/0x20
+[ 560.916114] ? __x64_sys_open+0x4c/0x60
+[ 560.916460] ? path_lookupat.isra.0+0x230/0x230
+[ 560.916867] ? __isolate_free_page+0x2e0/0x2e0
+[ 560.917194] do_filp_open+0x15c/0x1f0
+[ 560.917448] ? may_open_dev+0x60/0x60
+[ 560.917696] ? expand_files+0xa4/0x3a0
+[ 560.917923] ? __kasan_check_write+0x14/0x20
+[ 560.918185] ? _raw_spin_lock+0x88/0xdb
+[ 560.918409] ? _raw_spin_lock_irqsave+0x100/0x100
+[ 560.918783] ? _find_next_bit+0x4a/0x130
+[ 560.919026] ? _raw_spin_unlock+0x19/0x40
+[ 560.919276] ? alloc_fd+0x14b/0x2d0
+[ 560.919635] do_sys_openat2+0x32a/0x4b0
+[ 560.920035] ? file_open_root+0x230/0x230
+[ 560.920336] ? __rcu_read_unlock+0x5b/0x280
+[ 560.920813] do_sys_open+0x99/0xf0
+[ 560.921208] ? filp_open+0x60/0x60
+[ 560.921482] ? exit_to_user_mode_prepare+0x49/0x180
+[ 560.921867] __x64_sys_open+0x4c/0x60
+[ 560.922128] do_syscall_64+0x3b/0x90
+[ 560.922369] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 560.923030] RIP: 0033:0x7f7dff2e4469
+[ 560.923681] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088
+[ 560.924451] RSP: 002b:00007ffd41a210b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000002
+[ 560.925168] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7dff2e4469
+[ 560.925655] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00007ffd41a211f0
+[ 560.926085] RBP: 00007ffd41a252a0 R08: 00007f7dff60fba0 R09: 00007ffd41a25388
+[ 560.926405] R10: 0000000000400b80 R11: 0000000000000206 R12: 00000000004004e0
+[ 560.926867] R13: 00007ffd41a25380 R14: 0000000000000000 R15: 0000000000000000
+[ 560.927241] </TASK>
+[ 560.927491]
+[ 560.927755] Allocated by task 245:
+[ 560.928409] kasan_save_stack+0x26/0x50
+[ 560.929271] __kasan_kmalloc+0x88/0xb0
+[ 560.929778] __kmalloc+0x192/0x320
+[ 560.930023] indx_read+0x249/0x380
+[ 560.930224] indx_find+0x2a2/0x470
+[ 560.930695] dir_search_u+0x196/0x2f0
+[ 560.930892] ntfs_lookup+0xe0/0x100
+[ 560.931115] __lookup_slow+0x116/0x220
+[ 560.931323] walk_component+0x187/0x230
+[ 560.931570] link_path_walk.part.0+0x3f0/0x660
+[ 560.931791] path_openat+0x19c/0x1d10
+[ 560.932008] do_filp_open+0x15c/0x1f0
+[ 560.932226] do_sys_openat2+0x32a/0x4b0
+[ 560.932413] do_sys_open+0x99/0xf0
+[ 560.932709] __x64_sys_open+0x4c/0x60
+[ 560.933417] do_syscall_64+0x3b/0x90
+[ 560.933776] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 560.934235]
+[ 560.934486] The buggy address belongs to the object at ffff888009497000
+[ 560.934486] which belongs to the cache kmalloc-512 of size 512
+[ 560.935239] The buggy address is located 56 bytes to the right of
+[ 560.935239] 512-byte region [ffff888009497000, ffff888009497200)
+[ 560.936153]
+[ 560.937326] The buggy address belongs to the physical page:
+[ 560.938228] page:0000000062a3dfae refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9496
+[ 560.939616] head:0000000062a3dfae order:1 compound_mapcount:0 compound_pincount:0
+[ 560.940219] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
+[ 560.942702] raw: 000fffffc0010200 ffffea0000164f80 dead000000000005 ffff888001041c80
+[ 560.943932] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
+[ 560.944568] page dumped because: kasan: bad access detected
+[ 560.945735]
+[ 560.946112] Memory state around the buggy address:
+[ 560.946870] ffff888009497100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 560.947242] ffff888009497180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 560.947611] >ffff888009497200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 560.947915] ^
+[ 560.948249] ffff888009497280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 560.948687] ffff888009497300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Signed-off-by: Edward Lo <edward.lo@ambergroup.io>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/index.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
+index 76ebea253fa2..99f8a57e9f7a 100644
+--- a/fs/ntfs3/index.c
++++ b/fs/ntfs3/index.c
+@@ -1017,6 +1017,12 @@ int indx_read(struct ntfs_index *indx, struct ntfs_inode *ni, CLST vbn,
+ err = 0;
+ }
+
++ /* check for index header length */
++ if (offsetof(struct INDEX_BUFFER, ihdr) + ib->ihdr.used > bytes) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ in->index = ib;
+ *node = in;
+
+--
+2.35.1
+
--- /dev/null
+From 31d45a3f29d1ffd62366bde259114cb67190e8d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Aug 2022 00:47:27 +0800
+Subject: fs/ntfs3: Validate data run offset
+
+From: Edward Lo <edward.lo@ambergroup.io>
+
+[ Upstream commit 6db620863f8528ed9a9aa5ad323b26554a17881d ]
+
+This adds sanity checks for data run offset. We should make sure data
+run offset is legit before trying to unpack them, otherwise we may
+encounter use-after-free or some unexpected memory access behaviors.
+
+[ 82.940342] BUG: KASAN: use-after-free in run_unpack+0x2e3/0x570
+[ 82.941180] Read of size 1 at addr ffff888008a8487f by task mount/240
+[ 82.941670]
+[ 82.942069] CPU: 0 PID: 240 Comm: mount Not tainted 5.19.0+ #15
+[ 82.942482] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+[ 82.943720] Call Trace:
+[ 82.944204] <TASK>
+[ 82.944471] dump_stack_lvl+0x49/0x63
+[ 82.944908] print_report.cold+0xf5/0x67b
+[ 82.945141] ? __wait_on_bit+0x106/0x120
+[ 82.945750] ? run_unpack+0x2e3/0x570
+[ 82.946626] kasan_report+0xa7/0x120
+[ 82.947046] ? run_unpack+0x2e3/0x570
+[ 82.947280] __asan_load1+0x51/0x60
+[ 82.947483] run_unpack+0x2e3/0x570
+[ 82.947709] ? memcpy+0x4e/0x70
+[ 82.947927] ? run_pack+0x7a0/0x7a0
+[ 82.948158] run_unpack_ex+0xad/0x3f0
+[ 82.948399] ? mi_enum_attr+0x14a/0x200
+[ 82.948717] ? run_unpack+0x570/0x570
+[ 82.949072] ? ni_enum_attr_ex+0x1b2/0x1c0
+[ 82.949332] ? ni_fname_type.part.0+0xd0/0xd0
+[ 82.949611] ? mi_read+0x262/0x2c0
+[ 82.949970] ? ntfs_cmp_names_cpu+0x125/0x180
+[ 82.950249] ntfs_iget5+0x632/0x1870
+[ 82.950621] ? ntfs_get_block_bmap+0x70/0x70
+[ 82.951192] ? evict+0x223/0x280
+[ 82.951525] ? iput.part.0+0x286/0x320
+[ 82.951969] ntfs_fill_super+0x1321/0x1e20
+[ 82.952436] ? put_ntfs+0x1d0/0x1d0
+[ 82.952822] ? vsprintf+0x20/0x20
+[ 82.953188] ? mutex_unlock+0x81/0xd0
+[ 82.953379] ? set_blocksize+0x95/0x150
+[ 82.954001] get_tree_bdev+0x232/0x370
+[ 82.954438] ? put_ntfs+0x1d0/0x1d0
+[ 82.954700] ntfs_fs_get_tree+0x15/0x20
+[ 82.955049] vfs_get_tree+0x4c/0x130
+[ 82.955292] path_mount+0x645/0xfd0
+[ 82.955615] ? putname+0x80/0xa0
+[ 82.955955] ? finish_automount+0x2e0/0x2e0
+[ 82.956310] ? kmem_cache_free+0x110/0x390
+[ 82.956723] ? putname+0x80/0xa0
+[ 82.957023] do_mount+0xd6/0xf0
+[ 82.957411] ? path_mount+0xfd0/0xfd0
+[ 82.957638] ? __kasan_check_write+0x14/0x20
+[ 82.957948] __x64_sys_mount+0xca/0x110
+[ 82.958310] do_syscall_64+0x3b/0x90
+[ 82.958719] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 82.959341] RIP: 0033:0x7fd0d1ce948a
+[ 82.960193] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
+[ 82.961532] RSP: 002b:00007ffe59ff69a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
+[ 82.962527] RAX: ffffffffffffffda RBX: 0000564dcc107060 RCX: 00007fd0d1ce948a
+[ 82.963266] RDX: 0000564dcc107260 RSI: 0000564dcc1072e0 RDI: 0000564dcc10fce0
+[ 82.963686] RBP: 0000000000000000 R08: 0000564dcc107280 R09: 0000000000000020
+[ 82.964272] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564dcc10fce0
+[ 82.964785] R13: 0000564dcc107260 R14: 0000000000000000 R15: 00000000ffffffff
+
+Signed-off-by: Edward Lo <edward.lo@ambergroup.io>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/attrib.c | 13 +++++++++++++
+ fs/ntfs3/attrlist.c | 5 +++++
+ fs/ntfs3/frecord.c | 14 ++++++++++++++
+ fs/ntfs3/fslog.c | 9 +++++++++
+ fs/ntfs3/inode.c | 5 +++++
+ 5 files changed, 46 insertions(+)
+
+diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c
+index e8c00dda42ad..43e85c493c05 100644
+--- a/fs/ntfs3/attrib.c
++++ b/fs/ntfs3/attrib.c
+@@ -101,6 +101,10 @@ int attr_load_runs(struct ATTRIB *attr, struct ntfs_inode *ni,
+
+ asize = le32_to_cpu(attr->size);
+ run_off = le16_to_cpu(attr->nres.run_off);
++
++ if (run_off > asize)
++ return -EINVAL;
++
+ err = run_unpack_ex(run, ni->mi.sbi, ni->mi.rno, svcn, evcn,
+ vcn ? *vcn : svcn, Add2Ptr(attr, run_off),
+ asize - run_off);
+@@ -1157,6 +1161,10 @@ int attr_load_runs_vcn(struct ntfs_inode *ni, enum ATTR_TYPE type,
+ }
+
+ ro = le16_to_cpu(attr->nres.run_off);
++
++ if (ro > le32_to_cpu(attr->size))
++ return -EINVAL;
++
+ err = run_unpack_ex(run, ni->mi.sbi, ni->mi.rno, svcn, evcn, svcn,
+ Add2Ptr(attr, ro), le32_to_cpu(attr->size) - ro);
+ if (err < 0)
+@@ -1832,6 +1840,11 @@ int attr_collapse_range(struct ntfs_inode *ni, u64 vbo, u64 bytes)
+ u16 le_sz;
+ u16 roff = le16_to_cpu(attr->nres.run_off);
+
++ if (roff > le32_to_cpu(attr->size)) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ run_unpack_ex(RUN_DEALLOCATE, sbi, ni->mi.rno, svcn,
+ evcn1 - 1, svcn, Add2Ptr(attr, roff),
+ le32_to_cpu(attr->size) - roff);
+diff --git a/fs/ntfs3/attrlist.c b/fs/ntfs3/attrlist.c
+index bad6d8a849a2..c0c6bcbc8c05 100644
+--- a/fs/ntfs3/attrlist.c
++++ b/fs/ntfs3/attrlist.c
+@@ -68,6 +68,11 @@ int ntfs_load_attr_list(struct ntfs_inode *ni, struct ATTRIB *attr)
+
+ run_init(&ni->attr_list.run);
+
++ if (run_off > le32_to_cpu(attr->size)) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ err = run_unpack_ex(&ni->attr_list.run, ni->mi.sbi, ni->mi.rno,
+ 0, le64_to_cpu(attr->nres.evcn), 0,
+ Add2Ptr(attr, run_off),
+diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
+index 18842998c8fa..cdeb0b51f0ba 100644
+--- a/fs/ntfs3/frecord.c
++++ b/fs/ntfs3/frecord.c
+@@ -567,6 +567,12 @@ static int ni_repack(struct ntfs_inode *ni)
+ }
+
+ roff = le16_to_cpu(attr->nres.run_off);
++
++ if (roff > le32_to_cpu(attr->size)) {
++ err = -EINVAL;
++ break;
++ }
++
+ err = run_unpack(&run, sbi, ni->mi.rno, svcn, evcn, svcn,
+ Add2Ptr(attr, roff),
+ le32_to_cpu(attr->size) - roff);
+@@ -1541,6 +1547,9 @@ int ni_delete_all(struct ntfs_inode *ni)
+ asize = le32_to_cpu(attr->size);
+ roff = le16_to_cpu(attr->nres.run_off);
+
++ if (roff > asize)
++ return -EINVAL;
++
+ /* run==1 means unpack and deallocate. */
+ run_unpack_ex(RUN_DEALLOCATE, sbi, ni->mi.rno, svcn, evcn, svcn,
+ Add2Ptr(attr, roff), asize - roff);
+@@ -2242,6 +2251,11 @@ int ni_decompress_file(struct ntfs_inode *ni)
+ asize = le32_to_cpu(attr->size);
+ roff = le16_to_cpu(attr->nres.run_off);
+
++ if (roff > asize) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ /*run==1 Means unpack and deallocate. */
+ run_unpack_ex(RUN_DEALLOCATE, sbi, ni->mi.rno, svcn, evcn, svcn,
+ Add2Ptr(attr, roff), asize - roff);
+diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c
+index 614513460b8e..bcdddcd7bc79 100644
+--- a/fs/ntfs3/fslog.c
++++ b/fs/ntfs3/fslog.c
+@@ -2727,6 +2727,9 @@ static inline bool check_attr(const struct MFT_REC *rec,
+ return false;
+ }
+
++ if (run_off > asize)
++ return false;
++
+ if (run_unpack(NULL, sbi, 0, svcn, evcn, svcn,
+ Add2Ptr(attr, run_off), asize - run_off) < 0) {
+ return false;
+@@ -4769,6 +4772,12 @@ int log_replay(struct ntfs_inode *ni, bool *initialized)
+ u16 roff = le16_to_cpu(attr->nres.run_off);
+ CLST svcn = le64_to_cpu(attr->nres.svcn);
+
++ if (roff > t32) {
++ kfree(oa->attr);
++ oa->attr = NULL;
++ goto fake_attr;
++ }
++
+ err = run_unpack(&oa->run0, sbi, inode->i_ino, svcn,
+ le64_to_cpu(attr->nres.evcn), svcn,
+ Add2Ptr(attr, roff), t32 - roff);
+diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
+index 64b4a3c29878..83d4c9f42d9c 100644
+--- a/fs/ntfs3/inode.c
++++ b/fs/ntfs3/inode.c
+@@ -364,6 +364,11 @@ static struct inode *ntfs_read_mft(struct inode *inode,
+ attr_unpack_run:
+ roff = le16_to_cpu(attr->nres.run_off);
+
++ if (roff > asize) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ t64 = le64_to_cpu(attr->nres.svcn);
+ err = run_unpack_ex(run, sbi, ino, t64, le64_to_cpu(attr->nres.evcn),
+ t64, Add2Ptr(attr, roff), asize - roff);
+--
+2.35.1
+
--- /dev/null
+From 1ddb583e4bc97fd9f1c9cf894cb630acce9fc8a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 09:58:40 +0800
+Subject: fs/ntfs3: Validate index root when initialize NTFS security
+
+From: Edward Lo <edward.lo@ambergroup.io>
+
+[ Upstream commit bfcdbae0523bd95eb75a739ffb6221a37109881e ]
+
+This enhances the sanity check for $SDH and $SII while initializing NTFS
+security, guarantees these index root are legit.
+
+[ 162.459513] BUG: KASAN: use-after-free in hdr_find_e.isra.0+0x10c/0x320
+[ 162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243
+[ 162.460851]
+[ 162.461252] CPU: 0 PID: 243 Comm: mount Not tainted 6.0.0-rc7 #42
+[ 162.461744] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+[ 162.462609] Call Trace:
+[ 162.462954] <TASK>
+[ 162.463276] dump_stack_lvl+0x49/0x63
+[ 162.463822] print_report.cold+0xf5/0x689
+[ 162.464608] ? unwind_get_return_address+0x3a/0x60
+[ 162.465766] ? hdr_find_e.isra.0+0x10c/0x320
+[ 162.466975] kasan_report+0xa7/0x130
+[ 162.467506] ? _raw_spin_lock_irq+0xc0/0xf0
+[ 162.467998] ? hdr_find_e.isra.0+0x10c/0x320
+[ 162.468536] __asan_load2+0x68/0x90
+[ 162.468923] hdr_find_e.isra.0+0x10c/0x320
+[ 162.469282] ? cmp_uints+0xe0/0xe0
+[ 162.469557] ? cmp_sdh+0x90/0x90
+[ 162.469864] ? ni_find_attr+0x214/0x300
+[ 162.470217] ? ni_load_mi+0x80/0x80
+[ 162.470479] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 162.470931] ? ntfs_bread_run+0x190/0x190
+[ 162.471307] ? indx_get_root+0xe4/0x190
+[ 162.471556] ? indx_get_root+0x140/0x190
+[ 162.471833] ? indx_init+0x1e0/0x1e0
+[ 162.472069] ? fnd_clear+0x115/0x140
+[ 162.472363] ? _raw_spin_lock_irqsave+0x100/0x100
+[ 162.472731] indx_find+0x184/0x470
+[ 162.473461] ? sysvec_apic_timer_interrupt+0x57/0xc0
+[ 162.474429] ? indx_find_buffer+0x2d0/0x2d0
+[ 162.474704] ? do_syscall_64+0x3b/0x90
+[ 162.474962] dir_search_u+0x196/0x2f0
+[ 162.475381] ? ntfs_nls_to_utf16+0x450/0x450
+[ 162.475661] ? ntfs_security_init+0x3d6/0x440
+[ 162.475906] ? is_sd_valid+0x180/0x180
+[ 162.476191] ntfs_extend_init+0x13f/0x2c0
+[ 162.476496] ? ntfs_fix_post_read+0x130/0x130
+[ 162.476861] ? iput.part.0+0x286/0x320
+[ 162.477325] ntfs_fill_super+0x11e0/0x1b50
+[ 162.477709] ? put_ntfs+0x1d0/0x1d0
+[ 162.477970] ? vsprintf+0x20/0x20
+[ 162.478258] ? set_blocksize+0x95/0x150
+[ 162.478538] get_tree_bdev+0x232/0x370
+[ 162.478789] ? put_ntfs+0x1d0/0x1d0
+[ 162.479038] ntfs_fs_get_tree+0x15/0x20
+[ 162.479374] vfs_get_tree+0x4c/0x130
+[ 162.479729] path_mount+0x654/0xfe0
+[ 162.480124] ? putname+0x80/0xa0
+[ 162.480484] ? finish_automount+0x2e0/0x2e0
+[ 162.480894] ? putname+0x80/0xa0
+[ 162.481467] ? kmem_cache_free+0x1c4/0x440
+[ 162.482280] ? putname+0x80/0xa0
+[ 162.482714] do_mount+0xd6/0xf0
+[ 162.483264] ? path_mount+0xfe0/0xfe0
+[ 162.484782] ? __kasan_check_write+0x14/0x20
+[ 162.485593] __x64_sys_mount+0xca/0x110
+[ 162.486024] do_syscall_64+0x3b/0x90
+[ 162.486543] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 162.487141] RIP: 0033:0x7f9d374e948a
+[ 162.488324] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
+[ 162.489728] RSP: 002b:00007ffe30e73d18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
+[ 162.490971] RAX: ffffffffffffffda RBX: 0000561cdb43a060 RCX: 00007f9d374e948a
+[ 162.491669] RDX: 0000561cdb43a260 RSI: 0000561cdb43a2e0 RDI: 0000561cdb442af0
+[ 162.492050] RBP: 0000000000000000 R08: 0000561cdb43a280 R09: 0000000000000020
+[ 162.492459] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000561cdb442af0
+[ 162.493183] R13: 0000561cdb43a260 R14: 0000000000000000 R15: 00000000ffffffff
+[ 162.493644] </TASK>
+[ 162.493908]
+[ 162.494214] The buggy address belongs to the physical page:
+[ 162.494761] page:000000003e38a3d5 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37bc
+[ 162.496064] flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)
+[ 162.497278] raw: 000fffffc0000000 ffffea00000df1c8 ffffea00000df008 0000000000000000
+[ 162.498928] raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000
+[ 162.500542] page dumped because: kasan: bad access detected
+[ 162.501057]
+[ 162.501242] Memory state around the buggy address:
+[ 162.502230] ffff8880037bc980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 162.502977] ffff8880037bca00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 162.503522] >ffff8880037bca80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 162.503963] ^
+[ 162.504370] ffff8880037bcb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 162.504766] ffff8880037bcb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+
+Signed-off-by: Edward Lo <edward.lo@ambergroup.io>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/fsntfs.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ntfs3/fsntfs.c b/fs/ntfs3/fsntfs.c
+index 24b57c3cc625..4a97a28cb8f2 100644
+--- a/fs/ntfs3/fsntfs.c
++++ b/fs/ntfs3/fsntfs.c
+@@ -1878,9 +1878,10 @@ int ntfs_security_init(struct ntfs_sb_info *sbi)
+ goto out;
+ }
+
+- root_sdh = resident_data(attr);
++ root_sdh = resident_data_ex(attr, sizeof(struct INDEX_ROOT));
+ if (root_sdh->type != ATTR_ZERO ||
+- root_sdh->rule != NTFS_COLLATION_TYPE_SECURITY_HASH) {
++ root_sdh->rule != NTFS_COLLATION_TYPE_SECURITY_HASH ||
++ offsetof(struct INDEX_ROOT, ihdr) + root_sdh->ihdr.used > attr->res.data_size) {
+ err = -EINVAL;
+ goto out;
+ }
+@@ -1896,9 +1897,10 @@ int ntfs_security_init(struct ntfs_sb_info *sbi)
+ goto out;
+ }
+
+- root_sii = resident_data(attr);
++ root_sii = resident_data_ex(attr, sizeof(struct INDEX_ROOT));
+ if (root_sii->type != ATTR_ZERO ||
+- root_sii->rule != NTFS_COLLATION_TYPE_UINT) {
++ root_sii->rule != NTFS_COLLATION_TYPE_UINT ||
++ offsetof(struct INDEX_ROOT, ihdr) + root_sii->ihdr.used > attr->res.data_size) {
+ err = -EINVAL;
+ goto out;
+ }
+--
+2.35.1
+
--- /dev/null
+From 8e834bf9df95f7db2164ca92026fab582b865d31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Sep 2022 00:50:23 +0800
+Subject: fs/ntfs3: Validate resident attribute name
+
+From: Edward Lo <edward.lo@ambergroup.io>
+
+[ Upstream commit 54e45702b648b7c0000e90b3e9b890e367e16ea8 ]
+
+Though we already have some sanity checks while enumerating attributes,
+resident attribute names aren't included. This patch checks the resident
+attribute names are in the valid ranges.
+
+[ 259.209031] BUG: KASAN: slab-out-of-bounds in ni_create_attr_list+0x1e1/0x850
+[ 259.210770] Write of size 426 at addr ffff88800632f2b2 by task exp/255
+[ 259.211551]
+[ 259.212035] CPU: 0 PID: 255 Comm: exp Not tainted 6.0.0-rc6 #37
+[ 259.212955] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+[ 259.214387] Call Trace:
+[ 259.214640] <TASK>
+[ 259.214895] dump_stack_lvl+0x49/0x63
+[ 259.215284] print_report.cold+0xf5/0x689
+[ 259.215565] ? kasan_poison+0x3c/0x50
+[ 259.215778] ? kasan_unpoison+0x28/0x60
+[ 259.215991] ? ni_create_attr_list+0x1e1/0x850
+[ 259.216270] kasan_report+0xa7/0x130
+[ 259.216481] ? ni_create_attr_list+0x1e1/0x850
+[ 259.216719] kasan_check_range+0x15a/0x1d0
+[ 259.216939] memcpy+0x3c/0x70
+[ 259.217136] ni_create_attr_list+0x1e1/0x850
+[ 259.217945] ? __rcu_read_unlock+0x5b/0x280
+[ 259.218384] ? ni_remove_attr+0x2e0/0x2e0
+[ 259.218712] ? kernel_text_address+0xcf/0xe0
+[ 259.219064] ? __kernel_text_address+0x12/0x40
+[ 259.219434] ? arch_stack_walk+0x9e/0xf0
+[ 259.219668] ? __this_cpu_preempt_check+0x13/0x20
+[ 259.219904] ? sysvec_apic_timer_interrupt+0x57/0xc0
+[ 259.220140] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20
+[ 259.220561] ni_ins_attr_ext+0x52c/0x5c0
+[ 259.220984] ? ni_create_attr_list+0x850/0x850
+[ 259.221532] ? run_deallocate+0x120/0x120
+[ 259.221972] ? vfs_setxattr+0x128/0x300
+[ 259.222688] ? setxattr+0x126/0x140
+[ 259.222921] ? path_setxattr+0x164/0x180
+[ 259.223431] ? __x64_sys_setxattr+0x6d/0x80
+[ 259.223828] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 259.224417] ? mi_find_attr+0x3c/0xf0
+[ 259.224772] ni_insert_attr+0x1ba/0x420
+[ 259.225216] ? ni_ins_attr_ext+0x5c0/0x5c0
+[ 259.225504] ? ntfs_read_ea+0x119/0x450
+[ 259.225775] ni_insert_resident+0xc0/0x1c0
+[ 259.226316] ? ni_insert_nonresident+0x400/0x400
+[ 259.227001] ? __kasan_kmalloc+0x88/0xb0
+[ 259.227468] ? __kmalloc+0x192/0x320
+[ 259.227773] ntfs_set_ea+0x6bf/0xb30
+[ 259.228216] ? ftrace_graph_ret_addr+0x2a/0xb0
+[ 259.228494] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 259.228838] ? ntfs_read_ea+0x450/0x450
+[ 259.229098] ? is_bpf_text_address+0x24/0x40
+[ 259.229418] ? kernel_text_address+0xcf/0xe0
+[ 259.229681] ? __kernel_text_address+0x12/0x40
+[ 259.229948] ? unwind_get_return_address+0x3a/0x60
+[ 259.230271] ? write_profile+0x270/0x270
+[ 259.230537] ? arch_stack_walk+0x9e/0xf0
+[ 259.230836] ntfs_setxattr+0x114/0x5c0
+[ 259.231099] ? ntfs_set_acl_ex+0x2e0/0x2e0
+[ 259.231529] ? evm_protected_xattr_common+0x6d/0x100
+[ 259.231817] ? posix_xattr_acl+0x13/0x80
+[ 259.232073] ? evm_protect_xattr+0x1f7/0x440
+[ 259.232351] __vfs_setxattr+0xda/0x120
+[ 259.232635] ? xattr_resolve_name+0x180/0x180
+[ 259.232912] __vfs_setxattr_noperm+0x93/0x300
+[ 259.233219] __vfs_setxattr_locked+0x141/0x160
+[ 259.233492] ? kasan_poison+0x3c/0x50
+[ 259.233744] vfs_setxattr+0x128/0x300
+[ 259.234002] ? __vfs_setxattr_locked+0x160/0x160
+[ 259.234837] do_setxattr+0xb8/0x170
+[ 259.235567] ? vmemdup_user+0x53/0x90
+[ 259.236212] setxattr+0x126/0x140
+[ 259.236491] ? do_setxattr+0x170/0x170
+[ 259.236791] ? debug_smp_processor_id+0x17/0x20
+[ 259.237232] ? kasan_quarantine_put+0x57/0x180
+[ 259.237605] ? putname+0x80/0xa0
+[ 259.237870] ? __kasan_slab_free+0x11c/0x1b0
+[ 259.238234] ? putname+0x80/0xa0
+[ 259.238500] ? preempt_count_sub+0x18/0xc0
+[ 259.238775] ? __mnt_want_write+0xaa/0x100
+[ 259.238990] ? mnt_want_write+0x8b/0x150
+[ 259.239290] path_setxattr+0x164/0x180
+[ 259.239605] ? setxattr+0x140/0x140
+[ 259.239849] ? debug_smp_processor_id+0x17/0x20
+[ 259.240174] ? fpregs_assert_state_consistent+0x67/0x80
+[ 259.240411] __x64_sys_setxattr+0x6d/0x80
+[ 259.240715] do_syscall_64+0x3b/0x90
+[ 259.240934] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 259.241697] RIP: 0033:0x7fc6b26e4469
+[ 259.242647] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088
+[ 259.244512] RSP: 002b:00007ffc3c7841f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000bc
+[ 259.245086] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc6b26e4469
+[ 259.246025] RDX: 00007ffc3c784380 RSI: 00007ffc3c7842e0 RDI: 00007ffc3c784238
+[ 259.246961] RBP: 00007ffc3c788410 R08: 0000000000000001 R09: 00007ffc3c7884f8
+[ 259.247775] R10: 000000000000007f R11: 0000000000000217 R12: 00000000004004e0
+[ 259.248534] R13: 00007ffc3c7884f0 R14: 0000000000000000 R15: 0000000000000000
+[ 259.249368] </TASK>
+[ 259.249644]
+[ 259.249888] Allocated by task 255:
+[ 259.250283] kasan_save_stack+0x26/0x50
+[ 259.250957] __kasan_kmalloc+0x88/0xb0
+[ 259.251826] __kmalloc+0x192/0x320
+[ 259.252745] ni_create_attr_list+0x11e/0x850
+[ 259.253298] ni_ins_attr_ext+0x52c/0x5c0
+[ 259.253685] ni_insert_attr+0x1ba/0x420
+[ 259.253974] ni_insert_resident+0xc0/0x1c0
+[ 259.254311] ntfs_set_ea+0x6bf/0xb30
+[ 259.254629] ntfs_setxattr+0x114/0x5c0
+[ 259.254859] __vfs_setxattr+0xda/0x120
+[ 259.255155] __vfs_setxattr_noperm+0x93/0x300
+[ 259.255445] __vfs_setxattr_locked+0x141/0x160
+[ 259.255862] vfs_setxattr+0x128/0x300
+[ 259.256251] do_setxattr+0xb8/0x170
+[ 259.256522] setxattr+0x126/0x140
+[ 259.256911] path_setxattr+0x164/0x180
+[ 259.257308] __x64_sys_setxattr+0x6d/0x80
+[ 259.257637] do_syscall_64+0x3b/0x90
+[ 259.257970] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 259.258550]
+[ 259.258772] The buggy address belongs to the object at ffff88800632f000
+[ 259.258772] which belongs to the cache kmalloc-1k of size 1024
+[ 259.260190] The buggy address is located 690 bytes inside of
+[ 259.260190] 1024-byte region [ffff88800632f000, ffff88800632f400)
+[ 259.261412]
+[ 259.261743] The buggy address belongs to the physical page:
+[ 259.262354] page:0000000081e8cac9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632c
+[ 259.263722] head:0000000081e8cac9 order:2 compound_mapcount:0 compound_pincount:0
+[ 259.264284] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
+[ 259.265312] raw: 000fffffc0010200 ffffea0000060d00 dead000000000004 ffff888001041dc0
+[ 259.265772] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
+[ 259.266305] page dumped because: kasan: bad access detected
+[ 259.266588]
+[ 259.266728] Memory state around the buggy address:
+[ 259.267225] ffff88800632f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 259.267841] ffff88800632f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 259.269111] >ffff88800632f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 259.269626] ^
+[ 259.270162] ffff88800632f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 259.270810] ffff88800632f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Signed-off-by: Edward Lo <edward.lo@ambergroup.io>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/record.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c
+index 30751fd618df..fd342da398be 100644
+--- a/fs/ntfs3/record.c
++++ b/fs/ntfs3/record.c
+@@ -265,6 +265,11 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr)
+ if (t16 + t32 > asize)
+ return NULL;
+
++ if (attr->name_len &&
++ le16_to_cpu(attr->name_off) + sizeof(short) * attr->name_len > t16) {
++ return NULL;
++ }
++
+ return attr;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From f896480649e04f64a7d5b8e3e8dc21872708fd2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 17:57:05 +0100
+Subject: HID: multitouch: fix Asus ExpertBook P2 P2451FA trackpoint
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+[ Upstream commit 4eab1c2fe06c98a4dff258dd64800b6986c101e9 ]
+
+The HID descriptor of this device contains two mouse collections, one
+for mouse emulation and the other for the trackpoint.
+
+Both collections get merged and, because the first one defines X and Y,
+the movemenent events reported by the trackpoint collection are
+ignored.
+
+Set the MT_CLS_WIN_8_FORCE_MULTI_INPUT class for this device to be able
+to receive its reports.
+
+This fix is similar to/based on commit 40d5bb87377a ("HID: multitouch:
+enable multi-input as a quirk for some devices").
+
+Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/825
+Reported-by: Akito <the@akito.ooo>
+Tested-by: Akito <the@akito.ooo>
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-multitouch.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index 08462ac72b89..6b86d368d5e7 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -1965,6 +1965,10 @@ static const struct hid_device_id mt_devices[] = {
+ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8,
+ USB_VENDOR_ID_ELAN, 0x313a) },
+
++ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT,
++ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8,
++ USB_VENDOR_ID_ELAN, 0x3148) },
++
+ /* Elitegroup panel */
+ { .driver_data = MT_CLS_SERIAL,
+ MT_USB_DEVICE(USB_VENDOR_ID_ELITEGROUP,
+--
+2.35.1
+
--- /dev/null
+From 300941435fc121be1db6062613bed22901d71154 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 15:05:06 -0800
+Subject: HID: plantronics: Additional PIDs for double volume key presses quirk
+
+From: Terry Junge <linuxhid@cosmicgizmosystems.com>
+
+[ Upstream commit 3d57f36c89d8ba32b2c312f397a37fd1a2dc7cfc ]
+
+I no longer work for Plantronics (aka Poly, aka HP) and do not have
+access to the headsets in order to test. However, as noted by Maxim,
+the other 32xx models that share the same base code set as the 3220
+would need the same quirk. This patch adds the PIDs for the rest of
+the Blackwire 32XX product family that require the quirk.
+
+Plantronics Blackwire 3210 Series (047f:c055)
+Plantronics Blackwire 3215 Series (047f:c057)
+Plantronics Blackwire 3225 Series (047f:c058)
+
+Quote from previous patch by Maxim Mikityanskiy
+Plantronics Blackwire 3220 Series (047f:c056) sends HID reports twice
+for each volume key press. This patch adds a quirk to hid-plantronics
+for this product ID, which will ignore the second volume key press if
+it happens within 5 ms from the last one that was handled.
+
+The patch was tested on the mentioned model only, it shouldn't affect
+other models, however, this quirk might be needed for them too.
+Auto-repeat (when a key is held pressed) is not affected, because the
+rate is about 3 times per second, which is far less frequent than once
+in 5 ms.
+End quote
+
+Signed-off-by: Terry Junge <linuxhid@cosmicgizmosystems.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/hid/hid-plantronics.c | 9 +++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 78b55f845d2d..8698d49edaa3 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -966,7 +966,10 @@
+ #define USB_DEVICE_ID_ORTEK_IHOME_IMAC_A210S 0x8003
+
+ #define USB_VENDOR_ID_PLANTRONICS 0x047f
++#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3210_SERIES 0xc055
+ #define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES 0xc056
++#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES 0xc057
++#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES 0xc058
+
+ #define USB_VENDOR_ID_PANASONIC 0x04da
+ #define USB_DEVICE_ID_PANABOARD_UBT780 0x1044
+diff --git a/drivers/hid/hid-plantronics.c b/drivers/hid/hid-plantronics.c
+index e81b7cec2d12..3d414ae194ac 100644
+--- a/drivers/hid/hid-plantronics.c
++++ b/drivers/hid/hid-plantronics.c
+@@ -198,9 +198,18 @@ static int plantronics_probe(struct hid_device *hdev,
+ }
+
+ static const struct hid_device_id plantronics_devices[] = {
++ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
++ USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3210_SERIES),
++ .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
+ USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES),
+ .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
++ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
++ USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES),
++ .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
++ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
++ USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES),
++ .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, HID_ANY_ID) },
+ { }
+ };
+--
+2.35.1
+
--- /dev/null
+From b45d2fa44e40654e92758296177315f92d0773b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Dec 2022 10:30:45 +0100
+Subject: nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 685e6311637e46f3212439ce2789f8a300e5050f ]
+
+3 << 16 does not generate the correct mask for bits 16, 17 and 18.
+Use the GENMASK macro to generate the correct mask instead.
+
+Fixes: 84fef62d135b ("nvme: check admin passthru command effects")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/nvme.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/nvme.h b/include/linux/nvme.h
+index 039f59ee8f43..de235916c31c 100644
+--- a/include/linux/nvme.h
++++ b/include/linux/nvme.h
+@@ -7,6 +7,7 @@
+ #ifndef _LINUX_NVME_H
+ #define _LINUX_NVME_H
+
++#include <linux/bits.h>
+ #include <linux/types.h>
+ #include <linux/uuid.h>
+
+@@ -539,7 +540,7 @@ enum {
+ NVME_CMD_EFFECTS_NCC = 1 << 2,
+ NVME_CMD_EFFECTS_NIC = 1 << 3,
+ NVME_CMD_EFFECTS_CCC = 1 << 4,
+- NVME_CMD_EFFECTS_CSE_MASK = 3 << 16,
++ NVME_CMD_EFFECTS_CSE_MASK = GENMASK(18, 16),
+ NVME_CMD_EFFECTS_UUID_SEL = 1 << 19,
+ };
+
+--
+2.35.1
+
--- /dev/null
+From b4e340a04b5d5b7c1bbe409ac1c1956bf093039e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Dec 2022 09:58:07 +0100
+Subject: nvme-pci: fix doorbell buffer value endianness
+
+From: Klaus Jensen <k.jensen@samsung.com>
+
+[ Upstream commit b5f96cb719d8ba220b565ddd3ba4ac0d8bcfb130 ]
+
+When using shadow doorbells, the event index and the doorbell values are
+written to host memory. Prior to this patch, the values written would
+erroneously be written in host endianness. This causes trouble on
+big-endian platforms. Fix this by adding missing endian conversions.
+
+This issue was noticed by Guenter while testing various big-endian
+platforms under QEMU[1]. A similar fix required for hw/nvme in QEMU is
+up for review as well[2].
+
+ [1]: https://lore.kernel.org/qemu-devel/20221209110022.GA3396194@roeck-us.net/
+ [2]: https://lore.kernel.org/qemu-devel/20221212114409.34972-4-its@irrelevant.dk/
+
+Fixes: f9f38e33389c ("nvme: improve performance for virtual NVMe devices")
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index d49df7123677..ab038dbafc06 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -142,9 +142,9 @@ struct nvme_dev {
+ mempool_t *iod_mempool;
+
+ /* shadow doorbell buffer support: */
+- u32 *dbbuf_dbs;
++ __le32 *dbbuf_dbs;
+ dma_addr_t dbbuf_dbs_dma_addr;
+- u32 *dbbuf_eis;
++ __le32 *dbbuf_eis;
+ dma_addr_t dbbuf_eis_dma_addr;
+
+ /* host memory buffer support: */
+@@ -208,10 +208,10 @@ struct nvme_queue {
+ #define NVMEQ_SQ_CMB 1
+ #define NVMEQ_DELETE_ERROR 2
+ #define NVMEQ_POLLED 3
+- u32 *dbbuf_sq_db;
+- u32 *dbbuf_cq_db;
+- u32 *dbbuf_sq_ei;
+- u32 *dbbuf_cq_ei;
++ __le32 *dbbuf_sq_db;
++ __le32 *dbbuf_cq_db;
++ __le32 *dbbuf_sq_ei;
++ __le32 *dbbuf_cq_ei;
+ struct completion delete_done;
+ };
+
+@@ -332,11 +332,11 @@ static inline int nvme_dbbuf_need_event(u16 event_idx, u16 new_idx, u16 old)
+ }
+
+ /* Update dbbuf and return true if an MMIO is required */
+-static bool nvme_dbbuf_update_and_check_event(u16 value, u32 *dbbuf_db,
+- volatile u32 *dbbuf_ei)
++static bool nvme_dbbuf_update_and_check_event(u16 value, __le32 *dbbuf_db,
++ volatile __le32 *dbbuf_ei)
+ {
+ if (dbbuf_db) {
+- u16 old_value;
++ u16 old_value, event_idx;
+
+ /*
+ * Ensure that the queue is written before updating
+@@ -344,8 +344,8 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, u32 *dbbuf_db,
+ */
+ wmb();
+
+- old_value = *dbbuf_db;
+- *dbbuf_db = value;
++ old_value = le32_to_cpu(*dbbuf_db);
++ *dbbuf_db = cpu_to_le32(value);
+
+ /*
+ * Ensure that the doorbell is updated before reading the event
+@@ -355,7 +355,8 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, u32 *dbbuf_db,
+ */
+ mb();
+
+- if (!nvme_dbbuf_need_event(*dbbuf_ei, value, old_value))
++ event_idx = le32_to_cpu(*dbbuf_ei);
++ if (!nvme_dbbuf_need_event(event_idx, value, old_value))
+ return false;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From a6289990cad1edf8d1c989e248d435d169e8c8e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Dec 2022 10:59:06 -0800
+Subject: nvme-pci: fix mempool alloc size
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit c89a529e823d51dd23c7ec0c047c7a454a428541 ]
+
+Convert the max size to bytes to match the units of the divisor that
+calculates the worst-case number of PRP entries.
+
+The result is used to determine how many PRP Lists are required. The
+code was previously rounding this to 1 list, but we can require 2 in the
+worst case. In that scenario, the driver would corrupt memory beyond the
+size provided by the mempool.
+
+While unlikely to occur (you'd need a 4MB in exactly 127 phys segments
+on a queue that doesn't support SGLs), this memory corruption has been
+observed by kfence.
+
+Cc: Jens Axboe <axboe@kernel.dk>
+Fixes: 943e942e6266f ("nvme-pci: limit max IO size and segments to avoid high order allocations")
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Jens Axboe <axboe@kernel.dk>
+Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index ab038dbafc06..7a96cbbfdabb 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -370,8 +370,8 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, __le32 *dbbuf_db,
+ */
+ static int nvme_pci_npages_prp(void)
+ {
+- unsigned nprps = DIV_ROUND_UP(NVME_MAX_KB_SZ + NVME_CTRL_PAGE_SIZE,
+- NVME_CTRL_PAGE_SIZE);
++ unsigned max_bytes = (NVME_MAX_KB_SZ * 1024) + NVME_CTRL_PAGE_SIZE;
++ unsigned nprps = DIV_ROUND_UP(max_bytes, NVME_CTRL_PAGE_SIZE);
+ return DIV_ROUND_UP(8 * nprps, PAGE_SIZE - 8);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 2a3f9747032b5035cf06abb0aaef8807bb15456d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Dec 2022 13:54:55 -0800
+Subject: nvme-pci: fix page size checks
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit 841734234a28fd5cd0889b84bd4d93a0988fa11e ]
+
+The size allocated out of the dma pool is at most NVME_CTRL_PAGE_SIZE,
+which may be smaller than the PAGE_SIZE.
+
+Fixes: c61b82c7b7134 ("nvme-pci: fix PRP pool size")
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 7a96cbbfdabb..0165e65cf548 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -33,7 +33,7 @@
+ #define SQ_SIZE(q) ((q)->q_depth << (q)->sqes)
+ #define CQ_SIZE(q) ((q)->q_depth * sizeof(struct nvme_completion))
+
+-#define SGES_PER_PAGE (PAGE_SIZE / sizeof(struct nvme_sgl_desc))
++#define SGES_PER_PAGE (NVME_CTRL_PAGE_SIZE / sizeof(struct nvme_sgl_desc))
+
+ /*
+ * These can be higher, but we need to ensure that any command doesn't
+@@ -372,7 +372,7 @@ static int nvme_pci_npages_prp(void)
+ {
+ unsigned max_bytes = (NVME_MAX_KB_SZ * 1024) + NVME_CTRL_PAGE_SIZE;
+ unsigned nprps = DIV_ROUND_UP(max_bytes, NVME_CTRL_PAGE_SIZE);
+- return DIV_ROUND_UP(8 * nprps, PAGE_SIZE - 8);
++ return DIV_ROUND_UP(8 * nprps, NVME_CTRL_PAGE_SIZE - 8);
+ }
+
+ /*
+@@ -382,7 +382,7 @@ static int nvme_pci_npages_prp(void)
+ static int nvme_pci_npages_sgl(void)
+ {
+ return DIV_ROUND_UP(NVME_MAX_SEGS * sizeof(struct nvme_sgl_desc),
+- PAGE_SIZE);
++ NVME_CTRL_PAGE_SIZE);
+ }
+
+ static size_t nvme_pci_iod_alloc_size(void)
+@@ -732,7 +732,7 @@ static void nvme_pci_sgl_set_seg(struct nvme_sgl_desc *sge,
+ sge->length = cpu_to_le32(entries * sizeof(*sge));
+ sge->type = NVME_SGL_FMT_LAST_SEG_DESC << 4;
+ } else {
+- sge->length = cpu_to_le32(PAGE_SIZE);
++ sge->length = cpu_to_le32(NVME_CTRL_PAGE_SIZE);
+ sge->type = NVME_SGL_FMT_SEG_DESC << 4;
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From f17ad39a0b2f68cf4ab60c4efbcea859305fb497 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Dec 2022 09:51:19 +0100
+Subject: nvmet: don't defer passthrough commands with trivial effects to the
+ workqueue
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 2a459f6933e1c459bffb7cc73fd6c900edc714bd ]
+
+Mask out the "Command Supported" and "Logical Block Content Change" bits
+and only defer execution of commands that have non-trivial effects to
+the workqueue for synchronous execution. This allows to execute admin
+commands asynchronously on controllers that provide a Command Supported
+and Effects log page, and will keep allowing to execute Write commands
+asynchronously once command effects on I/O commands are taken into
+account.
+
+Fixes: c1fef73f793b ("nvmet: add passthru code to process commands")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/passthru.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/nvme/target/passthru.c b/drivers/nvme/target/passthru.c
+index 6220e1dd961a..9b5929754195 100644
+--- a/drivers/nvme/target/passthru.c
++++ b/drivers/nvme/target/passthru.c
+@@ -271,14 +271,13 @@ static void nvmet_passthru_execute_cmd(struct nvmet_req *req)
+ }
+
+ /*
+- * If there are effects for the command we are about to execute, or
+- * an end_req function we need to use nvme_execute_passthru_rq()
+- * synchronously in a work item seeing the end_req function and
+- * nvme_passthru_end() can't be called in the request done callback
+- * which is typically in interrupt context.
++ * If a command needs post-execution fixups, or there are any
++ * non-trivial effects, make sure to execute the command synchronously
++ * in a workqueue so that nvme_passthru_end gets called.
+ */
+ effects = nvme_command_effects(ctrl, ns, req->cmd->common.opcode);
+- if (req->p.use_workqueue || effects) {
++ if (req->p.use_workqueue ||
++ (effects & ~(NVME_CMD_EFFECTS_CSUPP | NVME_CMD_EFFECTS_LBCC))) {
+ INIT_WORK(&req->p.work, nvmet_passthru_execute_cmd_work);
+ req->p.rq = rq;
+ queue_work(nvmet_wq, &req->p.work);
+--
+2.35.1
+
--- /dev/null
+From a972ec86529743aa9191d5884dec9fdf3e93a03d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 23:27:46 +0530
+Subject: objtool: Fix SEGFAULT
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit efb11fdb3e1a9f694fa12b70b21e69e55ec59c36 ]
+
+find_insn() will return NULL in case of failure. Check insn in order
+to avoid a kernel Oops for NULL pointer dereference.
+
+Tested-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Reviewed-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20221114175754.1131267-9-sv@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/check.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/objtool/check.c b/tools/objtool/check.c
+index edac5aaa2802..308c8806ad94 100644
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -197,7 +197,7 @@ static bool __dead_end_function(struct objtool_file *file, struct symbol *func,
+ return false;
+
+ insn = find_insn(file, func->sec, func->offset);
+- if (!insn->func)
++ if (!insn || !insn->func)
+ return false;
+
+ func_for_each_insn(file, func, insn) {
+--
+2.35.1
+
--- /dev/null
+From 4cf3d1ee046537cbcbcb6690c4913dd7406c3b8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Dec 2022 10:46:44 +0000
+Subject: powerpc/msi: Fix deassociation of MSI descriptors
+
+From: Marc Zyngier <maz@kernel.org>
+
+[ Upstream commit 4545c6a3d6ba71747eaa984c338ddd745e56e23f ]
+
+Since 2f2940d16823 ("genirq/msi: Remove filter from
+msi_free_descs_free_range()"), the core MSI code relies on the
+msi_desc->irq field to have been cleared before the descriptor
+can be freed, as it indicates that there is no association with
+a device anymore.
+
+The irq domain code provides this guarantee, and so does s390,
+which is one of the two architectures not using irq domains for
+MSIs.
+
+Powerpc, however, is missing this particular requirements,
+leading in a splat and leaked MSI descriptors.
+
+Adding the now required irq reset to the handful of powerpc backends
+that implement MSIs fixes that particular problem.
+
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/70dab88e-6119-0c12-7c6a-61bcbe239f66@roeck-us.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/4xx/hsta_msi.c | 1 +
+ arch/powerpc/platforms/cell/axon_msi.c | 1 +
+ arch/powerpc/platforms/pasemi/msi.c | 1 +
+ arch/powerpc/sysdev/fsl_msi.c | 1 +
+ arch/powerpc/sysdev/mpic_u3msi.c | 1 +
+ 5 files changed, 5 insertions(+)
+
+diff --git a/arch/powerpc/platforms/4xx/hsta_msi.c b/arch/powerpc/platforms/4xx/hsta_msi.c
+index c950fed43b32..4f65bd0cf111 100644
+--- a/arch/powerpc/platforms/4xx/hsta_msi.c
++++ b/arch/powerpc/platforms/4xx/hsta_msi.c
+@@ -117,6 +117,7 @@ static void hsta_teardown_msi_irqs(struct pci_dev *dev)
+ msi_bitmap_free_hwirqs(&ppc4xx_hsta_msi.bmp, irq, 1);
+ pr_debug("%s: Teardown IRQ %u (index %u)\n", __func__,
+ entry->irq, irq);
++ entry->irq = 0;
+ }
+ }
+
+diff --git a/arch/powerpc/platforms/cell/axon_msi.c b/arch/powerpc/platforms/cell/axon_msi.c
+index f630693c8de7..2bcd9c54bce3 100644
+--- a/arch/powerpc/platforms/cell/axon_msi.c
++++ b/arch/powerpc/platforms/cell/axon_msi.c
+@@ -295,6 +295,7 @@ static void axon_msi_teardown_msi_irqs(struct pci_dev *dev)
+
+ irq_set_msi_desc(entry->irq, NULL);
+ irq_dispose_mapping(entry->irq);
++ entry->irq = 0;
+ }
+ }
+
+diff --git a/arch/powerpc/platforms/pasemi/msi.c b/arch/powerpc/platforms/pasemi/msi.c
+index d38944a1e258..76393c158ada 100644
+--- a/arch/powerpc/platforms/pasemi/msi.c
++++ b/arch/powerpc/platforms/pasemi/msi.c
+@@ -69,6 +69,7 @@ static void pasemi_msi_teardown_msi_irqs(struct pci_dev *pdev)
+ hwirq = virq_to_hw(entry->irq);
+ irq_set_msi_desc(entry->irq, NULL);
+ irq_dispose_mapping(entry->irq);
++ entry->irq = 0;
+ msi_bitmap_free_hwirqs(&msi_mpic->msi_bitmap, hwirq, ALLOC_CHUNK);
+ }
+
+diff --git a/arch/powerpc/sysdev/fsl_msi.c b/arch/powerpc/sysdev/fsl_msi.c
+index c55ccec0a169..173d585c1be8 100644
+--- a/arch/powerpc/sysdev/fsl_msi.c
++++ b/arch/powerpc/sysdev/fsl_msi.c
+@@ -132,6 +132,7 @@ static void fsl_teardown_msi_irqs(struct pci_dev *pdev)
+ msi_data = irq_get_chip_data(entry->irq);
+ irq_set_msi_desc(entry->irq, NULL);
+ irq_dispose_mapping(entry->irq);
++ entry->irq = 0;
+ msi_bitmap_free_hwirqs(&msi_data->bitmap, hwirq, 1);
+ }
+
+diff --git a/arch/powerpc/sysdev/mpic_u3msi.c b/arch/powerpc/sysdev/mpic_u3msi.c
+index 3861023d378a..43686c82e483 100644
+--- a/arch/powerpc/sysdev/mpic_u3msi.c
++++ b/arch/powerpc/sysdev/mpic_u3msi.c
+@@ -111,6 +111,7 @@ static void u3msi_teardown_msi_irqs(struct pci_dev *pdev)
+ hwirq = virq_to_hw(entry->irq);
+ irq_set_msi_desc(entry->irq, NULL);
+ irq_dispose_mapping(entry->irq);
++ entry->irq = 0;
+ msi_bitmap_free_hwirqs(&msi_mpic->msi_bitmap, hwirq, 1);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 8833390796102fb1905d1c1a1e4990a731dadbca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 09:07:41 -0600
+Subject: powerpc/rtas: avoid device tree lookups in rtas_os_term()
+
+From: Nathan Lynch <nathanl@linux.ibm.com>
+
+[ Upstream commit ed2213bfb192ab51f09f12e9b49b5d482c6493f3 ]
+
+rtas_os_term() is called during panic. Its behavior depends on a couple
+of conditions in the /rtas node of the device tree, the traversal of
+which entails locking and local IRQ state changes. If the kernel panics
+while devtree_lock is held, rtas_os_term() as currently written could
+hang.
+
+Instead of discovering the relevant characteristics at panic time,
+cache them in file-static variables at boot. Note the lookup for
+"ibm,extended-os-term" is converted to of_property_read_bool() since it
+is a boolean property, not an RTAS function token.
+
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
+Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
+[mpe: Incorporate suggested change from Nick]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20221118150751.469393-4-nathanl@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/rtas.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
+index 7834ce3aa7f1..4d8de49c9d4b 100644
+--- a/arch/powerpc/kernel/rtas.c
++++ b/arch/powerpc/kernel/rtas.c
+@@ -788,6 +788,7 @@ void __noreturn rtas_halt(void)
+
+ /* Must be in the RMO region, so we place it here */
+ static char rtas_os_term_buf[2048];
++static s32 ibm_os_term_token = RTAS_UNKNOWN_SERVICE;
+
+ void rtas_os_term(char *str)
+ {
+@@ -799,14 +800,13 @@ void rtas_os_term(char *str)
+ * this property may terminate the partition which we want to avoid
+ * since it interferes with panic_timeout.
+ */
+- if (RTAS_UNKNOWN_SERVICE == rtas_token("ibm,os-term") ||
+- RTAS_UNKNOWN_SERVICE == rtas_token("ibm,extended-os-term"))
++ if (ibm_os_term_token == RTAS_UNKNOWN_SERVICE)
+ return;
+
+ snprintf(rtas_os_term_buf, 2048, "OS panic: %s", str);
+
+ do {
+- status = rtas_call(rtas_token("ibm,os-term"), 1, 1, NULL,
++ status = rtas_call(ibm_os_term_token, 1, 1, NULL,
+ __pa(rtas_os_term_buf));
+ } while (rtas_busy_delay(status));
+
+@@ -1167,6 +1167,13 @@ void __init rtas_initialize(void)
+ no_entry = of_property_read_u32(rtas.dev, "linux,rtas-entry", &entry);
+ rtas.entry = no_entry ? rtas.base : entry;
+
++ /*
++ * Discover these now to avoid device tree lookups in the
++ * panic path.
++ */
++ if (of_property_read_bool(rtas.dev, "ibm,extended-os-term"))
++ ibm_os_term_token = rtas_token("ibm,os-term");
++
+ /* If RTAS was found, allocate the RMO buffer for it and look for
+ * the stop-self token if any
+ */
+--
+2.35.1
+
--- /dev/null
+From 796afef8535ed498392cd5842a4fc85eb265b9a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 09:07:42 -0600
+Subject: powerpc/rtas: avoid scheduling in rtas_os_term()
+
+From: Nathan Lynch <nathanl@linux.ibm.com>
+
+[ Upstream commit 6c606e57eecc37d6b36d732b1ff7e55b7dc32dd4 ]
+
+It's unsafe to use rtas_busy_delay() to handle a busy status from
+the ibm,os-term RTAS function in rtas_os_term():
+
+Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
+BUG: sleeping function called from invalid context at arch/powerpc/kernel/rtas.c:618
+in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0
+preempt_count: 2, expected: 0
+CPU: 7 PID: 1 Comm: swapper/0 Tainted: G D 6.0.0-rc5-02182-gf8553a572277-dirty #9
+Call Trace:
+[c000000007b8f000] [c000000001337110] dump_stack_lvl+0xb4/0x110 (unreliable)
+[c000000007b8f040] [c0000000002440e4] __might_resched+0x394/0x3c0
+[c000000007b8f0e0] [c00000000004f680] rtas_busy_delay+0x120/0x1b0
+[c000000007b8f100] [c000000000052d04] rtas_os_term+0xb8/0xf4
+[c000000007b8f180] [c0000000001150fc] pseries_panic+0x50/0x68
+[c000000007b8f1f0] [c000000000036354] ppc_panic_platform_handler+0x34/0x50
+[c000000007b8f210] [c0000000002303c4] notifier_call_chain+0xd4/0x1c0
+[c000000007b8f2b0] [c0000000002306cc] atomic_notifier_call_chain+0xac/0x1c0
+[c000000007b8f2f0] [c0000000001d62b8] panic+0x228/0x4d0
+[c000000007b8f390] [c0000000001e573c] do_exit+0x140c/0x1420
+[c000000007b8f480] [c0000000001e586c] make_task_dead+0xdc/0x200
+
+Use rtas_busy_delay_time() instead, which signals without side effects
+whether to attempt the ibm,os-term RTAS call again.
+
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
+Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20221118150751.469393-5-nathanl@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/rtas.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
+index 4d8de49c9d4b..2dae702e7a5a 100644
+--- a/arch/powerpc/kernel/rtas.c
++++ b/arch/powerpc/kernel/rtas.c
+@@ -805,10 +805,15 @@ void rtas_os_term(char *str)
+
+ snprintf(rtas_os_term_buf, 2048, "OS panic: %s", str);
+
++ /*
++ * Keep calling as long as RTAS returns a "try again" status,
++ * but don't use rtas_busy_delay(), which potentially
++ * schedules.
++ */
+ do {
+ status = rtas_call(ibm_os_term_token, 1, 1, NULL,
+ __pa(rtas_os_term_buf));
+- } while (rtas_busy_delay(status));
++ } while (rtas_busy_delay_time(status));
+
+ if (status != 0)
+ printk(KERN_EMERG "ibm,os-term call failed %d\n", status);
+--
+2.35.1
+
usb-dwc3-qcom-fix-memory-leak-in-dwc3_qcom_interconn.patch
cifs-fix-oops-during-encryption.patch
revert-selftests-bpf-add-test-for-unstable-ct-lookup.patch
+nvme-pci-fix-doorbell-buffer-value-endianness.patch
+nvme-pci-fix-mempool-alloc-size.patch
+nvme-pci-fix-page-size-checks.patch
+acpi-resource-skip-irq-override-on-asus-vivobook-k34.patch
+acpi-resource-do-irq-override-on-lenovo-ideapad.patch
+acpi-resource-do-irq-override-on-xmg-core-15.patch
+acpi-resource-do-irq-override-on-lenovo-14alc7.patch
+block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch
+ata-ahci-fix-pcs-quirk-application-for-suspend.patch
+nvme-fix-the-nvme_cmd_effects_cse_mask-definition.patch
+nvmet-don-t-defer-passthrough-commands-with-trivial-.patch
+fs-ntfs3-validate-boot-record_size.patch
+fs-ntfs3-add-overflow-check-for-attribute-size.patch
+fs-ntfs3-validate-data-run-offset.patch
+fs-ntfs3-add-null-pointer-check-to-attr_load_runs_vc.patch
+fs-ntfs3-fix-memory-leak-on-ntfs_fill_super-error-pa.patch
+fs-ntfs3-add-null-pointer-check-for-inode-operations.patch
+fs-ntfs3-validate-attribute-name-offset.patch
+fs-ntfs3-validate-buffer-length-while-parsing-index.patch
+fs-ntfs3-validate-resident-attribute-name.patch
+fs-ntfs3-fix-slab-out-of-bounds-read-in-run_unpack.patch
+soundwire-dmi-quirks-add-quirk-variant-for-lapbc710-.patch
+fs-ntfs3-validate-index-root-when-initialize-ntfs-se.patch
+fs-ntfs3-use-__gfp_nowarn-allocation-at-wnd_init.patch
+fs-ntfs3-use-__gfp_nowarn-allocation-at-ntfs_fill_su.patch
+fs-ntfs3-delete-duplicate-condition-in-ntfs_read_mft.patch
+fs-ntfs3-fix-slab-out-of-bounds-in-r_page.patch
+objtool-fix-segfault.patch
+powerpc-rtas-avoid-device-tree-lookups-in-rtas_os_te.patch
+powerpc-rtas-avoid-scheduling-in-rtas_os_term.patch
+powerpc-msi-fix-deassociation-of-msi-descriptors.patch
+hid-multitouch-fix-asus-expertbook-p2-p2451fa-trackp.patch
+hid-plantronics-additional-pids-for-double-volume-ke.patch
--- /dev/null
+From 223d42f20c1088b6358d1959029cacf1d2a1dbfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 09:25:00 +0800
+Subject: soundwire: dmi-quirks: add quirk variant for LAPBC710 NUC15
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit f74495761df10c25a98256d16ea7465191b6e2cd ]
+
+Some NUC15 LAPBC710 devices don't expose the same DMI information as
+the Intel reference, add additional entry in the match table.
+
+BugLink: https://github.com/thesofproject/linux/issues/3885
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Link: https://lore.kernel.org/r/20221018012500.1592994-1-yung-chuan.liao@linux.intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/dmi-quirks.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/soundwire/dmi-quirks.c b/drivers/soundwire/dmi-quirks.c
+index 747983743a14..2bf534632f64 100644
+--- a/drivers/soundwire/dmi-quirks.c
++++ b/drivers/soundwire/dmi-quirks.c
+@@ -71,6 +71,14 @@ static const struct dmi_system_id adr_remap_quirk_table[] = {
+ },
+ .driver_data = (void *)intel_tgl_bios,
+ },
++ {
++ /* quirk used for NUC15 LAPBC710 skew */
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Intel Corporation"),
++ DMI_MATCH(DMI_BOARD_NAME, "LAPBC710"),
++ },
++ .driver_data = (void *)intel_tgl_bios,
++ },
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc"),
+--
+2.35.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
