--- /dev/null
+From 5cd474e57368f0957c343bb21e309cf82826b1ef Mon Sep 17 00:00:00 2001
+From: D Scott Phillips <scott@os.amperecomputing.com>
+Date: Mon, 26 Jun 2023 17:29:39 -0700
+Subject: arm64: sdei: abort running SDEI handlers during crash
+
+From: D Scott Phillips <scott@os.amperecomputing.com>
+
+commit 5cd474e57368f0957c343bb21e309cf82826b1ef upstream.
+
+Interrupts are blocked in SDEI context, per the SDEI spec: "The client
+interrupts cannot preempt the event handler." If we crashed in the SDEI
+handler-running context (as with ACPI's AGDI) then we need to clean up the
+SDEI state before proceeding to the crash kernel so that the crash kernel
+can have working interrupts.
+
+Track the active SDEI handler per-cpu so that we can COMPLETE_AND_RESUME
+the handler, discarding the interrupted context.
+
+Fixes: f5df26961853 ("arm64: kernel: Add arch-specific SDEI entry code and CPU masking")
+Signed-off-by: D Scott Phillips <scott@os.amperecomputing.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: James Morse <james.morse@arm.com>
+Tested-by: Mihai Carabas <mihai.carabas@oracle.com>
+Link: https://lore.kernel.org/r/20230627002939.2758-1-scott@os.amperecomputing.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/sdei.h | 6 ++++++
+ arch/arm64/kernel/entry.S | 27 +++++++++++++++++++++++++--
+ arch/arm64/kernel/sdei.c | 3 +++
+ arch/arm64/kernel/smp.c | 8 ++++----
+ drivers/firmware/arm_sdei.c | 19 +++++++++++++++++++
+ include/linux/arm_sdei.h | 2 ++
+ 6 files changed, 59 insertions(+), 6 deletions(-)
+
+--- a/arch/arm64/include/asm/sdei.h
++++ b/arch/arm64/include/asm/sdei.h
+@@ -17,6 +17,9 @@
+
+ #include <asm/virt.h>
+
++DECLARE_PER_CPU(struct sdei_registered_event *, sdei_active_normal_event);
++DECLARE_PER_CPU(struct sdei_registered_event *, sdei_active_critical_event);
++
+ extern unsigned long sdei_exit_mode;
+
+ /* Software Delegated Exception entry point from firmware*/
+@@ -29,6 +32,9 @@ asmlinkage void __sdei_asm_entry_trampol
+ unsigned long pc,
+ unsigned long pstate);
+
++/* Abort a running handler. Context is discarded. */
++void __sdei_handler_abort(void);
++
+ /*
+ * The above entry point does the minimum to call C code. This function does
+ * anything else, before calling the driver.
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -993,9 +993,13 @@ SYM_CODE_START(__sdei_asm_handler)
+
+ mov x19, x1
+
+-#if defined(CONFIG_VMAP_STACK) || defined(CONFIG_SHADOW_CALL_STACK)
++ /* Store the registered-event for crash_smp_send_stop() */
+ ldrb w4, [x19, #SDEI_EVENT_PRIORITY]
+-#endif
++ cbnz w4, 1f
++ adr_this_cpu dst=x5, sym=sdei_active_normal_event, tmp=x6
++ b 2f
++1: adr_this_cpu dst=x5, sym=sdei_active_critical_event, tmp=x6
++2: str x19, [x5]
+
+ #ifdef CONFIG_VMAP_STACK
+ /*
+@@ -1062,6 +1066,14 @@ SYM_CODE_START(__sdei_asm_handler)
+
+ ldr_l x2, sdei_exit_mode
+
++ /* Clear the registered-event seen by crash_smp_send_stop() */
++ ldrb w3, [x4, #SDEI_EVENT_PRIORITY]
++ cbnz w3, 1f
++ adr_this_cpu dst=x5, sym=sdei_active_normal_event, tmp=x6
++ b 2f
++1: adr_this_cpu dst=x5, sym=sdei_active_critical_event, tmp=x6
++2: str xzr, [x5]
++
+ alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0
+ sdei_handler_exit exit_mode=x2
+ alternative_else_nop_endif
+@@ -1072,4 +1084,15 @@ alternative_else_nop_endif
+ #endif
+ SYM_CODE_END(__sdei_asm_handler)
+ NOKPROBE(__sdei_asm_handler)
++
++SYM_CODE_START(__sdei_handler_abort)
++ mov_q x0, SDEI_1_0_FN_SDEI_EVENT_COMPLETE_AND_RESUME
++ adr x1, 1f
++ ldr_l x2, sdei_exit_mode
++ sdei_handler_exit exit_mode=x2
++ // exit the handler and jump to the next instruction.
++ // Exit will stomp x0-x17, PSTATE, ELR_ELx, and SPSR_ELx.
++1: ret
++SYM_CODE_END(__sdei_handler_abort)
++NOKPROBE(__sdei_handler_abort)
+ #endif /* CONFIG_ARM_SDE_INTERFACE */
+--- a/arch/arm64/kernel/sdei.c
++++ b/arch/arm64/kernel/sdei.c
+@@ -47,6 +47,9 @@ DEFINE_PER_CPU(unsigned long *, sdei_sha
+ DEFINE_PER_CPU(unsigned long *, sdei_shadow_call_stack_critical_ptr);
+ #endif
+
++DEFINE_PER_CPU(struct sdei_registered_event *, sdei_active_normal_event);
++DEFINE_PER_CPU(struct sdei_registered_event *, sdei_active_critical_event);
++
+ static void _free_sdei_stack(unsigned long * __percpu *ptr, int cpu)
+ {
+ unsigned long *p;
+--- a/arch/arm64/kernel/smp.c
++++ b/arch/arm64/kernel/smp.c
+@@ -1047,10 +1047,8 @@ void crash_smp_send_stop(void)
+ * If this cpu is the only one alive at this point in time, online or
+ * not, there are no stop messages to be sent around, so just back out.
+ */
+- if (num_other_online_cpus() == 0) {
+- sdei_mask_local_cpu();
+- return;
+- }
++ if (num_other_online_cpus() == 0)
++ goto skip_ipi;
+
+ cpumask_copy(&mask, cpu_online_mask);
+ cpumask_clear_cpu(smp_processor_id(), &mask);
+@@ -1069,7 +1067,9 @@ void crash_smp_send_stop(void)
+ pr_warn("SMP: failed to stop secondary CPUs %*pbl\n",
+ cpumask_pr_args(&mask));
+
++skip_ipi:
+ sdei_mask_local_cpu();
++ sdei_handler_abort();
+ }
+
+ bool smp_crash_stop_failed(void)
+--- a/drivers/firmware/arm_sdei.c
++++ b/drivers/firmware/arm_sdei.c
+@@ -1095,3 +1095,22 @@ int sdei_event_handler(struct pt_regs *r
+ return err;
+ }
+ NOKPROBE_SYMBOL(sdei_event_handler);
++
++void sdei_handler_abort(void)
++{
++ /*
++ * If the crash happened in an SDEI event handler then we need to
++ * finish the handler with the firmware so that we can have working
++ * interrupts in the crash kernel.
++ */
++ if (__this_cpu_read(sdei_active_critical_event)) {
++ pr_warn("still in SDEI critical event context, attempting to finish handler.\n");
++ __sdei_handler_abort();
++ __this_cpu_write(sdei_active_critical_event, NULL);
++ }
++ if (__this_cpu_read(sdei_active_normal_event)) {
++ pr_warn("still in SDEI normal event context, attempting to finish handler.\n");
++ __sdei_handler_abort();
++ __this_cpu_write(sdei_active_normal_event, NULL);
++ }
++}
+--- a/include/linux/arm_sdei.h
++++ b/include/linux/arm_sdei.h
+@@ -47,10 +47,12 @@ int sdei_unregister_ghes(struct ghes *gh
+ int sdei_mask_local_cpu(void);
+ int sdei_unmask_local_cpu(void);
+ void __init sdei_init(void);
++void sdei_handler_abort(void);
+ #else
+ static inline int sdei_mask_local_cpu(void) { return 0; }
+ static inline int sdei_unmask_local_cpu(void) { return 0; }
+ static inline void sdei_init(void) { }
++static inline void sdei_handler_abort(void) { }
+ #endif /* CONFIG_ARM_SDE_INTERFACE */
+
+
--- /dev/null
+From 977ad86c2a1bcaf58f01ab98df5cc145083c489c Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 25 Aug 2023 15:32:41 +0200
+Subject: dccp: Fix out of bounds access in DCCP error handler
+
+From: Jann Horn <jannh@google.com>
+
+commit 977ad86c2a1bcaf58f01ab98df5cc145083c489c upstream.
+
+There was a previous attempt to fix an out-of-bounds access in the DCCP
+error handlers, but that fix assumed that the error handlers only want
+to access the first 8 bytes of the DCCP header. Actually, they also look
+at the DCCP sequence number, which is stored beyond 8 bytes, so an
+explicit pskb_may_pull() is required.
+
+Fixes: 6706a97fec96 ("dccp: fix out of bound access in dccp_v4_err()")
+Fixes: 1aa9d1a0e7ee ("ipv6: dccp: fix out of bound access in dccp_v6_err()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/ipv4.c | 13 +++++++++----
+ net/dccp/ipv6.c | 15 ++++++++++-----
+ 2 files changed, 19 insertions(+), 9 deletions(-)
+
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -255,12 +255,17 @@ static int dccp_v4_err(struct sk_buff *s
+ int err;
+ struct net *net = dev_net(skb->dev);
+
+- /* Only need dccph_dport & dccph_sport which are the first
+- * 4 bytes in dccp header.
++ /* For the first __dccp_basic_hdr_len() check, we only need dh->dccph_x,
++ * which is in byte 7 of the dccp header.
+ * Our caller (icmp_socket_deliver()) already pulled 8 bytes for us.
++ *
++ * Later on, we want to access the sequence number fields, which are
++ * beyond 8 bytes, so we have to pskb_may_pull() ourselves.
+ */
+- BUILD_BUG_ON(offsetofend(struct dccp_hdr, dccph_sport) > 8);
+- BUILD_BUG_ON(offsetofend(struct dccp_hdr, dccph_dport) > 8);
++ dh = (struct dccp_hdr *)(skb->data + offset);
++ if (!pskb_may_pull(skb, offset + __dccp_basic_hdr_len(dh)))
++ return -EINVAL;
++ iph = (struct iphdr *)skb->data;
+ dh = (struct dccp_hdr *)(skb->data + offset);
+
+ sk = __inet_lookup_established(net, &dccp_hashinfo,
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -74,7 +74,7 @@ static inline __u64 dccp_v6_init_sequenc
+ static int dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
+ u8 type, u8 code, int offset, __be32 info)
+ {
+- const struct ipv6hdr *hdr = (const struct ipv6hdr *)skb->data;
++ const struct ipv6hdr *hdr;
+ const struct dccp_hdr *dh;
+ struct dccp_sock *dp;
+ struct ipv6_pinfo *np;
+@@ -83,12 +83,17 @@ static int dccp_v6_err(struct sk_buff *s
+ __u64 seq;
+ struct net *net = dev_net(skb->dev);
+
+- /* Only need dccph_dport & dccph_sport which are the first
+- * 4 bytes in dccp header.
++ /* For the first __dccp_basic_hdr_len() check, we only need dh->dccph_x,
++ * which is in byte 7 of the dccp header.
+ * Our caller (icmpv6_notify()) already pulled 8 bytes for us.
++ *
++ * Later on, we want to access the sequence number fields, which are
++ * beyond 8 bytes, so we have to pskb_may_pull() ourselves.
+ */
+- BUILD_BUG_ON(offsetofend(struct dccp_hdr, dccph_sport) > 8);
+- BUILD_BUG_ON(offsetofend(struct dccp_hdr, dccph_dport) > 8);
++ dh = (struct dccp_hdr *)(skb->data + offset);
++ if (!pskb_may_pull(skb, offset + __dccp_basic_hdr_len(dh)))
++ return -EINVAL;
++ hdr = (const struct ipv6hdr *)skb->data;
+ dh = (struct dccp_hdr *)(skb->data + offset);
+
+ sk = __inet6_lookup_established(net, &dccp_hashinfo,
--- /dev/null
+From 7c53e847ff5e97f033fdd31f71949807633d506b Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Thu, 24 Aug 2023 16:51:42 -0400
+Subject: dlm: fix plock lookup when using multiple lockspaces
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 7c53e847ff5e97f033fdd31f71949807633d506b upstream.
+
+All posix lock ops, for all lockspaces (gfs2 file systems) are
+sent to userspace (dlm_controld) through a single misc device.
+The dlm_controld daemon reads the ops from the misc device
+and sends them to other cluster nodes using separate, per-lockspace
+cluster api communication channels. The ops for a single lockspace
+are ordered at this level, so that the results are received in
+the same sequence that the requests were sent. When the results
+are sent back to the kernel via the misc device, they are again
+funneled through the single misc device for all lockspaces. When
+the dlm code in the kernel processes the results from the misc
+device, these results will be returned in the same sequence that
+the requests were sent, on a per-lockspace basis. A recent change
+in this request/reply matching code missed the "per-lockspace"
+check (fsid comparison) when matching request and reply, so replies
+could be incorrectly matched to requests from other lockspaces.
+
+Cc: stable@vger.kernel.org
+Reported-by: Barry Marson <bmarson@redhat.com>
+Fixes: 57e2c2f2d94c ("fs: dlm: fix mismatch of plock results from userspace")
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dlm/plock.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/dlm/plock.c
++++ b/fs/dlm/plock.c
+@@ -455,7 +455,8 @@ static ssize_t dev_write(struct file *fi
+ }
+ } else {
+ list_for_each_entry(iter, &recv_list, list) {
+- if (!iter->info.wait) {
++ if (!iter->info.wait &&
++ iter->info.fsid == info.fsid) {
+ op = iter;
+ break;
+ }
+@@ -467,8 +468,7 @@ static ssize_t dev_write(struct file *fi
+ if (info.wait)
+ WARN_ON(op->info.optype != DLM_PLOCK_OP_LOCK);
+ else
+- WARN_ON(op->info.fsid != info.fsid ||
+- op->info.number != info.number ||
++ WARN_ON(op->info.number != info.number ||
+ op->info.owner != info.owner ||
+ op->info.optype != info.optype);
+
--- /dev/null
+From 919dc320956ea353a7fb2d84265195ad5ef525ac Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 1 Aug 2023 21:03:53 -0700
+Subject: fsverity: skip PKCS#7 parser when keyring is empty
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 919dc320956ea353a7fb2d84265195ad5ef525ac upstream.
+
+If an fsverity builtin signature is given for a file but the
+".fs-verity" keyring is empty, there's no real reason to run the PKCS#7
+parser. Skip this to avoid the PKCS#7 attack surface when builtin
+signature support is configured into the kernel but is not being used.
+
+This is a hardening improvement, not a fix per se, but I've added
+Fixes and Cc stable to get it out to more users.
+
+Fixes: 432434c9f8e1 ("fs-verity: support builtin file signatures")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Link: https://lore.kernel.org/r/20230820173237.2579-1-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/verity/signature.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/fs/verity/signature.c
++++ b/fs/verity/signature.c
+@@ -54,6 +54,22 @@ int fsverity_verify_signature(const stru
+ return 0;
+ }
+
++ if (fsverity_keyring->keys.nr_leaves_on_tree == 0) {
++ /*
++ * The ".fs-verity" keyring is empty, due to builtin signatures
++ * being supported by the kernel but not actually being used.
++ * In this case, verify_pkcs7_signature() would always return an
++ * error, usually ENOKEY. It could also be EBADMSG if the
++ * PKCS#7 is malformed, but that isn't very important to
++ * distinguish. So, just skip to ENOKEY to avoid the attack
++ * surface of the PKCS#7 parser, which would otherwise be
++ * reachable by any task able to execute FS_IOC_ENABLE_VERITY.
++ */
++ fsverity_err(inode,
++ "fs-verity keyring is empty, rejecting signed file!");
++ return -ENOKEY;
++ }
++
+ d = kzalloc(sizeof(*d) + hash_alg->digest_size, GFP_KERNEL);
+ if (!d)
+ return -ENOMEM;
--- /dev/null
+From 74f45de394d979cc7770271f92fafa53e1ed3119 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Wed, 12 Jul 2023 16:00:11 +0200
+Subject: mmc: renesas_sdhi: register irqs before registering controller
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+commit 74f45de394d979cc7770271f92fafa53e1ed3119 upstream.
+
+IRQs should be ready to serve when we call mmc_add_host() via
+tmio_mmc_host_probe(). To achieve that, ensure that all irqs are masked
+before registering the handlers.
+
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Tested-by: Biju Das <biju.das.jz@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230712140011.18602-1-wsa+renesas@sang-engineering.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/renesas_sdhi_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/host/renesas_sdhi_core.c
++++ b/drivers/mmc/host/renesas_sdhi_core.c
+@@ -1006,6 +1006,8 @@ int renesas_sdhi_probe(struct platform_d
+ host->sdcard_irq_setbit_mask = TMIO_STAT_ALWAYS_SET_27;
+ host->sdcard_irq_mask_all = TMIO_MASK_ALL_RCAR2;
+ host->reset = renesas_sdhi_reset;
++ } else {
++ host->sdcard_irq_mask_all = TMIO_MASK_ALL;
+ }
+
+ /* Orginally registers were 16 bit apart, could be 32 or 64 nowadays */
+@@ -1102,9 +1104,7 @@ int renesas_sdhi_probe(struct platform_d
+ host->ops.hs400_complete = renesas_sdhi_hs400_complete;
+ }
+
+- ret = tmio_mmc_host_probe(host);
+- if (ret < 0)
+- goto edisclk;
++ sd_ctrl_write32_as_16_and_16(host, CTL_IRQ_MASK, host->sdcard_irq_mask_all);
+
+ num_irqs = platform_irq_count(pdev);
+ if (num_irqs < 0) {
+@@ -1131,6 +1131,10 @@ int renesas_sdhi_probe(struct platform_d
+ goto eirq;
+ }
+
++ ret = tmio_mmc_host_probe(host);
++ if (ret < 0)
++ goto edisclk;
++
+ dev_info(&pdev->dev, "%s base at %pa, max clock rate %u MHz\n",
+ mmc_hostname(host->mmc), &res->start, host->mmc->f_max / 1000000);
+
--- /dev/null
+From a4f39c9f14a634e4cd35fcd338c239d11fcc73fc Mon Sep 17 00:00:00 2001
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Wed, 23 Aug 2023 15:41:02 +0200
+Subject: net: handle ARPHRD_PPP in dev_is_mac_header_xmit()
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+commit a4f39c9f14a634e4cd35fcd338c239d11fcc73fc upstream.
+
+The goal is to support a bpf_redirect() from an ethernet device (ingress)
+to a ppp device (egress).
+The l2 header is added automatically by the ppp driver, thus the ethernet
+header should be removed.
+
+CC: stable@vger.kernel.org
+Fixes: 27b29f63058d ("bpf: add bpf_redirect() helper")
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Tested-by: Siwar Zitouni <siwar.zitouni@6wind.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/if_arp.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/include/linux/if_arp.h
++++ b/include/linux/if_arp.h
+@@ -53,6 +53,10 @@ static inline bool dev_is_mac_header_xmi
+ case ARPHRD_NONE:
+ case ARPHRD_RAWIP:
+ case ARPHRD_PIMREG:
++ /* PPP adds its l2 header automatically in ppp_start_xmit().
++ * This makes it look like an l3 device to __bpf_redirect() and tcf_mirred_init().
++ */
++ case ARPHRD_PPP:
+ return false;
+ default:
+ return true;
--- /dev/null
+From 0820debb7d489e9eb1f68b7bb69e6ae210699b3f Mon Sep 17 00:00:00 2001
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+Date: Thu, 3 Aug 2023 09:12:45 +0800
+Subject: platform/chrome: chromeos_acpi: print hex string for ACPI_TYPE_BUFFER
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+commit 0820debb7d489e9eb1f68b7bb69e6ae210699b3f upstream.
+
+`element->buffer.pointer` should be binary blob. `%s` doesn't work
+perfect for them.
+
+Print hex string for ACPI_TYPE_BUFFER. Also update the documentation
+to reflect this.
+
+Fixes: 0a4cad9c11ad ("platform/chrome: Add ChromeOS ACPI device driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20230803011245.3773756-1-tzungbi@kernel.org
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/ABI/testing/sysfs-driver-chromeos-acpi | 2 -
+ drivers/platform/chrome/chromeos_acpi.c | 31 ++++++++++++++++++-
+ 2 files changed, 31 insertions(+), 2 deletions(-)
+
+--- a/Documentation/ABI/testing/sysfs-driver-chromeos-acpi
++++ b/Documentation/ABI/testing/sysfs-driver-chromeos-acpi
+@@ -134,4 +134,4 @@ KernelVersion: 5.19
+ Description:
+ Returns the verified boot data block shared between the
+ firmware verification step and the kernel verification step
+- (binary).
++ (hex dump).
+--- a/drivers/platform/chrome/chromeos_acpi.c
++++ b/drivers/platform/chrome/chromeos_acpi.c
+@@ -90,7 +90,36 @@ static int chromeos_acpi_handle_package(
+ case ACPI_TYPE_STRING:
+ return sysfs_emit(buf, "%s\n", element->string.pointer);
+ case ACPI_TYPE_BUFFER:
+- return sysfs_emit(buf, "%s\n", element->buffer.pointer);
++ {
++ int i, r, at, room_left;
++ const int byte_per_line = 16;
++
++ at = 0;
++ room_left = PAGE_SIZE - 1;
++ for (i = 0; i < element->buffer.length && room_left; i += byte_per_line) {
++ r = hex_dump_to_buffer(element->buffer.pointer + i,
++ element->buffer.length - i,
++ byte_per_line, 1, buf + at, room_left,
++ false);
++ if (r > room_left)
++ goto truncating;
++ at += r;
++ room_left -= r;
++
++ r = sysfs_emit_at(buf, at, "\n");
++ if (!r)
++ goto truncating;
++ at += r;
++ room_left -= r;
++ }
++
++ buf[at] = 0;
++ return at;
++truncating:
++ dev_info_once(dev, "truncating sysfs content for %s\n", name);
++ sysfs_emit_at(buf, PAGE_SIZE - 4, "..\n");
++ return PAGE_SIZE - 1;
++ }
+ default:
+ dev_err(dev, "element type %d not supported\n", element->type);
+ return -EINVAL;
--- /dev/null
+From fe8c3623ab06603eb760444a032d426542212021 Mon Sep 17 00:00:00 2001
+From: Enlin Mu <enlin.mu@unisoc.com>
+Date: Tue, 1 Aug 2023 14:04:32 +0800
+Subject: pstore/ram: Check start of empty przs during init
+
+From: Enlin Mu <enlin.mu@unisoc.com>
+
+commit fe8c3623ab06603eb760444a032d426542212021 upstream.
+
+After commit 30696378f68a ("pstore/ram: Do not treat empty buffers as
+valid"), initialization would assume a prz was valid after seeing that
+the buffer_size is zero (regardless of the buffer start position). This
+unchecked start value means it could be outside the bounds of the buffer,
+leading to future access panics when written to:
+
+ sysdump_panic_event+0x3b4/0x5b8
+ atomic_notifier_call_chain+0x54/0x90
+ panic+0x1c8/0x42c
+ die+0x29c/0x2a8
+ die_kernel_fault+0x68/0x78
+ __do_kernel_fault+0x1c4/0x1e0
+ do_bad_area+0x40/0x100
+ do_translation_fault+0x68/0x80
+ do_mem_abort+0x68/0xf8
+ el1_da+0x1c/0xc0
+ __raw_writeb+0x38/0x174
+ __memcpy_toio+0x40/0xac
+ persistent_ram_update+0x44/0x12c
+ persistent_ram_write+0x1a8/0x1b8
+ ramoops_pstore_write+0x198/0x1e8
+ pstore_console_write+0x94/0xe0
+ ...
+
+To avoid this, also check if the prz start is 0 during the initialization
+phase. If not, the next prz sanity check case will discover it (start >
+size) and zap the buffer back to a sane state.
+
+Fixes: 30696378f68a ("pstore/ram: Do not treat empty buffers as valid")
+Cc: Yunlong Xing <yunlong.xing@unisoc.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Enlin Mu <enlin.mu@unisoc.com>
+Link: https://lore.kernel.org/r/20230801060432.1307717-1-yunlong.xing@unisoc.com
+[kees: update commit log with backtrace and clarifications]
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/pstore/ram_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/pstore/ram_core.c
++++ b/fs/pstore/ram_core.c
+@@ -518,7 +518,7 @@ static int persistent_ram_post_init(stru
+ sig ^= PERSISTENT_RAM_SIG;
+
+ if (prz->buffer->sig == sig) {
+- if (buffer_size(prz) == 0) {
++ if (buffer_size(prz) == 0 && buffer_start(prz) == 0) {
+ pr_debug("found existing empty buffer\n");
+ return 0;
+ }
--- /dev/null
+From 90ca51e8c654699b672ba61aeaa418dfb3252e5e Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Fri, 25 Aug 2023 21:44:01 +0200
+Subject: r8169: fix ASPM-related issues on a number of systems with NIC version from RTL8168h
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+commit 90ca51e8c654699b672ba61aeaa418dfb3252e5e upstream.
+
+This effectively reverts 4b5f82f6aaef. On a number of systems ASPM L1
+causes tx timeouts with RTL8168h, see referenced bug report.
+
+Fixes: 4b5f82f6aaef ("r8169: enable ASPM L1/L1.1 from RTL8168h")
+Cc: stable@vger.kernel.org
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217814
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -5201,13 +5201,9 @@ static int rtl_init_one(struct pci_dev *
+
+ /* Disable ASPM L1 as that cause random device stop working
+ * problems as well as full system hangs for some PCIe devices users.
+- * Chips from RTL8168h partially have issues with L1.2, but seem
+- * to work fine with L1 and L1.1.
+ */
+ if (rtl_aspm_is_safe(tp))
+ rc = 0;
+- else if (tp->mac_version >= RTL_GIGA_MAC_VER_46)
+- rc = pci_disable_link_state(pdev, PCIE_LINK_STATE_L1_2);
+ else
+ rc = pci_disable_link_state(pdev, PCIE_LINK_STATE_L1);
+ tp->aspm_manageable = !rc;
parisc-fix-proc-cpuinfo-output-for-lscpu.patch
drm-amd-display-add-smu-write-msg-id-fail-retry-process.patch
bpf-fix-issue-in-verifying-allow_ptr_leaks.patch
+dlm-fix-plock-lookup-when-using-multiple-lockspaces.patch
+dccp-fix-out-of-bounds-access-in-dccp-error-handler.patch
+x86-sev-make-enc_dec_hypercall-accept-a-size-instead-of-npages.patch
+r8169-fix-aspm-related-issues-on-a-number-of-systems-with-nic-version-from-rtl8168h.patch
+x.509-if-signature-is-unsupported-skip-validation.patch
+net-handle-arphrd_ppp-in-dev_is_mac_header_xmit.patch
+fsverity-skip-pkcs-7-parser-when-keyring-is-empty.patch
+x86-mce-always-save-cs-register-on-amd-zen-if-poison-errors.patch
+platform-chrome-chromeos_acpi-print-hex-string-for-acpi_type_buffer.patch
+mmc-renesas_sdhi-register-irqs-before-registering-controller.patch
+pstore-ram-check-start-of-empty-przs-during-init.patch
+arm64-sdei-abort-running-sdei-handlers-during-crash.patch
--- /dev/null
+From ef5b52a631f8c18353e80ccab8408b963305510c Mon Sep 17 00:00:00 2001
+From: Thore Sommer <public@thson.de>
+Date: Tue, 15 Aug 2023 14:29:42 +0300
+Subject: X.509: if signature is unsupported skip validation
+
+From: Thore Sommer <public@thson.de>
+
+commit ef5b52a631f8c18353e80ccab8408b963305510c upstream.
+
+When the hash algorithm for the signature is not available the digest size
+is 0 and the signature in the certificate is marked as unsupported.
+
+When validating a self-signed certificate, this needs to be checked,
+because otherwise trying to validate the signature will fail with an
+warning:
+
+Loading compiled-in X.509 certificates
+WARNING: CPU: 0 PID: 1 at crypto/rsa-pkcs1pad.c:537 \
+pkcs1pad_verify+0x46/0x12c
+...
+Problem loading in-kernel X.509 certificate (-22)
+
+Signed-off-by: Thore Sommer <public@thson.de>
+Cc: stable@vger.kernel.org # v4.7+
+Fixes: 6c2dc5ae4ab7 ("X.509: Extract signature digest and make self-signed cert checks earlier")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/asymmetric_keys/x509_public_key.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/crypto/asymmetric_keys/x509_public_key.c
++++ b/crypto/asymmetric_keys/x509_public_key.c
+@@ -117,6 +117,11 @@ int x509_check_for_self_signed(struct x5
+ goto out;
+ }
+
++ if (cert->unsupported_sig) {
++ ret = 0;
++ goto out;
++ }
++
+ ret = public_key_verify_signature(cert->pub, cert->sig);
+ if (ret < 0) {
+ if (ret == -ENOPKG) {
--- /dev/null
+From 4240e2ebe67941ce2c4f5c866c3af4b5ac7a0c67 Mon Sep 17 00:00:00 2001
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+Date: Mon, 14 Aug 2023 15:08:53 -0500
+Subject: x86/MCE: Always save CS register on AMD Zen IF Poison errors
+
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+
+commit 4240e2ebe67941ce2c4f5c866c3af4b5ac7a0c67 upstream.
+
+The Instruction Fetch (IF) units on current AMD Zen-based systems do not
+guarantee a synchronous #MC is delivered for poison consumption errors.
+Therefore, MCG_STATUS[EIPV|RIPV] will not be set. However, the
+microarchitecture does guarantee that the exception is delivered within
+the same context. In other words, the exact rIP is not known, but the
+context is known to not have changed.
+
+There is no architecturally-defined method to determine this behavior.
+
+The Code Segment (CS) register is always valid on such IF unit poison
+errors regardless of the value of MCG_STATUS[EIPV|RIPV].
+
+Add a quirk to save the CS register for poison consumption from the IF
+unit banks.
+
+This is needed to properly determine the context of the error.
+Otherwise, the severity grading function will assume the context is
+IN_KERNEL due to the m->cs value being 0 (the initialized value). This
+leads to unnecessary kernel panics on data poison errors due to the
+kernel believing the poison consumption occurred in kernel context.
+
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230814200853.29258-1-yazen.ghannam@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/mce/core.c | 26 ++++++++++++++++++++++++++
+ arch/x86/kernel/cpu/mce/internal.h | 5 ++++-
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/mce/core.c
++++ b/arch/x86/kernel/cpu/mce/core.c
+@@ -857,6 +857,26 @@ static noinstr bool quirk_skylake_repmov
+ }
+
+ /*
++ * Some Zen-based Instruction Fetch Units set EIPV=RIPV=0 on poison consumption
++ * errors. This means mce_gather_info() will not save the "ip" and "cs" registers.
++ *
++ * However, the context is still valid, so save the "cs" register for later use.
++ *
++ * The "ip" register is truly unknown, so don't save it or fixup EIPV/RIPV.
++ *
++ * The Instruction Fetch Unit is at MCA bank 1 for all affected systems.
++ */
++static __always_inline void quirk_zen_ifu(int bank, struct mce *m, struct pt_regs *regs)
++{
++ if (bank != 1)
++ return;
++ if (!(m->status & MCI_STATUS_POISON))
++ return;
++
++ m->cs = regs->cs;
++}
++
++/*
+ * Do a quick check if any of the events requires a panic.
+ * This decides if we keep the events around or clear them.
+ */
+@@ -875,6 +895,9 @@ static __always_inline int mce_no_way_ou
+ if (mce_flags.snb_ifu_quirk)
+ quirk_sandybridge_ifu(i, m, regs);
+
++ if (mce_flags.zen_ifu_quirk)
++ quirk_zen_ifu(i, m, regs);
++
+ m->bank = i;
+ if (mce_severity(m, regs, &tmp, true) >= MCE_PANIC_SEVERITY) {
+ mce_read_aux(m, i);
+@@ -1852,6 +1875,9 @@ static int __mcheck_cpu_apply_quirks(str
+ if (c->x86 == 0x15 && c->x86_model <= 0xf)
+ mce_flags.overflow_recov = 1;
+
++ if (c->x86 >= 0x17 && c->x86 <= 0x1A)
++ mce_flags.zen_ifu_quirk = 1;
++
+ }
+
+ if (c->x86_vendor == X86_VENDOR_INTEL) {
+--- a/arch/x86/kernel/cpu/mce/internal.h
++++ b/arch/x86/kernel/cpu/mce/internal.h
+@@ -157,6 +157,9 @@ struct mce_vendor_flags {
+ */
+ smca : 1,
+
++ /* Zen IFU quirk */
++ zen_ifu_quirk : 1,
++
+ /* AMD-style error thresholding banks present. */
+ amd_threshold : 1,
+
+@@ -172,7 +175,7 @@ struct mce_vendor_flags {
+ /* Skylake, Cascade Lake, Cooper Lake REP;MOVS* quirk */
+ skx_repmov_quirk : 1,
+
+- __reserved_0 : 56;
++ __reserved_0 : 55;
+ };
+
+ extern struct mce_vendor_flags mce_flags;
--- /dev/null
+From ac3f9c9f1b37edaa7d1a9b908bc79d843955a1a2 Mon Sep 17 00:00:00 2001
+From: Steve Rutherford <srutherford@google.com>
+Date: Thu, 24 Aug 2023 15:37:31 -0700
+Subject: x86/sev: Make enc_dec_hypercall() accept a size instead of npages
+
+From: Steve Rutherford <srutherford@google.com>
+
+commit ac3f9c9f1b37edaa7d1a9b908bc79d843955a1a2 upstream.
+
+enc_dec_hypercall() accepted a page count instead of a size, which
+forced its callers to round up. As a result, non-page aligned
+vaddrs caused pages to be spuriously marked as decrypted via the
+encryption status hypercall, which in turn caused consistent
+corruption of pages during live migration. Live migration requires
+accurate encryption status information to avoid migrating pages
+from the wrong perspective.
+
+Fixes: 064ce6c550a0 ("mm: x86: Invoke hypercall when page encryption status is changed")
+Signed-off-by: Steve Rutherford <srutherford@google.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Reviewed-by: Pankaj Gupta <pankaj.gupta@amd.com>
+Tested-by: Ben Hillier <bhillier@google.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230824223731.2055016-1-srutherford@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/mem_encrypt.h | 6 +++---
+ arch/x86/kernel/kvm.c | 4 +---
+ arch/x86/mm/mem_encrypt_amd.c | 13 ++++++-------
+ 3 files changed, 10 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/include/asm/mem_encrypt.h
++++ b/arch/x86/include/asm/mem_encrypt.h
+@@ -50,8 +50,8 @@ void __init sme_enable(struct boot_param
+
+ int __init early_set_memory_decrypted(unsigned long vaddr, unsigned long size);
+ int __init early_set_memory_encrypted(unsigned long vaddr, unsigned long size);
+-void __init early_set_mem_enc_dec_hypercall(unsigned long vaddr, int npages,
+- bool enc);
++void __init early_set_mem_enc_dec_hypercall(unsigned long vaddr,
++ unsigned long size, bool enc);
+
+ void __init mem_encrypt_free_decrypted_mem(void);
+
+@@ -84,7 +84,7 @@ early_set_memory_decrypted(unsigned long
+ static inline int __init
+ early_set_memory_encrypted(unsigned long vaddr, unsigned long size) { return 0; }
+ static inline void __init
+-early_set_mem_enc_dec_hypercall(unsigned long vaddr, int npages, bool enc) {}
++early_set_mem_enc_dec_hypercall(unsigned long vaddr, unsigned long size, bool enc) {}
+
+ static inline void mem_encrypt_free_decrypted_mem(void) { }
+
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -972,10 +972,8 @@ static void __init kvm_init_platform(voi
+ * Ensure that _bss_decrypted section is marked as decrypted in the
+ * shared pages list.
+ */
+- nr_pages = DIV_ROUND_UP(__end_bss_decrypted - __start_bss_decrypted,
+- PAGE_SIZE);
+ early_set_mem_enc_dec_hypercall((unsigned long)__start_bss_decrypted,
+- nr_pages, 0);
++ __end_bss_decrypted - __start_bss_decrypted, 0);
+
+ /*
+ * If not booted using EFI, enable Live migration support.
+--- a/arch/x86/mm/mem_encrypt_amd.c
++++ b/arch/x86/mm/mem_encrypt_amd.c
+@@ -288,11 +288,10 @@ static bool amd_enc_cache_flush_required
+ return !cpu_feature_enabled(X86_FEATURE_SME_COHERENT);
+ }
+
+-static void enc_dec_hypercall(unsigned long vaddr, int npages, bool enc)
++static void enc_dec_hypercall(unsigned long vaddr, unsigned long size, bool enc)
+ {
+ #ifdef CONFIG_PARAVIRT
+- unsigned long sz = npages << PAGE_SHIFT;
+- unsigned long vaddr_end = vaddr + sz;
++ unsigned long vaddr_end = vaddr + size;
+
+ while (vaddr < vaddr_end) {
+ int psize, pmask, level;
+@@ -342,7 +341,7 @@ static bool amd_enc_status_change_finish
+ snp_set_memory_private(vaddr, npages);
+
+ if (!cc_platform_has(CC_ATTR_HOST_MEM_ENCRYPT))
+- enc_dec_hypercall(vaddr, npages, enc);
++ enc_dec_hypercall(vaddr, npages << PAGE_SHIFT, enc);
+
+ return true;
+ }
+@@ -466,7 +465,7 @@ static int __init early_set_memory_enc_d
+
+ ret = 0;
+
+- early_set_mem_enc_dec_hypercall(start, PAGE_ALIGN(size) >> PAGE_SHIFT, enc);
++ early_set_mem_enc_dec_hypercall(start, size, enc);
+ out:
+ __flush_tlb_all();
+ return ret;
+@@ -482,9 +481,9 @@ int __init early_set_memory_encrypted(un
+ return early_set_memory_enc_dec(vaddr, size, true);
+ }
+
+-void __init early_set_mem_enc_dec_hypercall(unsigned long vaddr, int npages, bool enc)
++void __init early_set_mem_enc_dec_hypercall(unsigned long vaddr, unsigned long size, bool enc)
+ {
+- enc_dec_hypercall(vaddr, npages, enc);
++ enc_dec_hypercall(vaddr, size, enc);
+ }
+
+ void __init sme_early_init(void)
projects / thirdparty / kernel / stable-queue.git / commitdiff
