authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-03-27 16:00:26 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-03-27 16:00:26 +0100
commit5d35dd9dce09887e120a5ee3a8981738359be2af (patch)
tree5c99640d30bcfdf151f098a8dee900f0c15db707
parent53d4c7854df301b89326213dad881cdb46d27024 (diff)
downloadstable-queue-5d35dd9dce09887e120a5ee3a8981738359be2af.tar.gz
6.7-stable patches
added patches: firewire-ohci-prevent-leak-of-left-over-irq-on-unbind.patch init-kconfig-lower-gcc-version-check-for-warray-bounds.patch input-xpad-add-additional-hyperx-controller-identifiers.patch kvm-svm-flush-pages-under-kvm-lock-to-fix-uaf-in-svm_register_enc_region.patch kvm-x86-mark-target-gfn-of-emulated-atomic-instruction-as-dirty.patch
-rw-r--r--queue-6.7/firewire-ohci-prevent-leak-of-left-over-irq-on-unbind.patch72
-rw-r--r--queue-6.7/init-kconfig-lower-gcc-version-check-for-warray-bounds.patch64
-rw-r--r--queue-6.7/input-xpad-add-additional-hyperx-controller-identifiers.patch45
-rw-r--r--queue-6.7/kvm-svm-flush-pages-under-kvm-lock-to-fix-uaf-in-svm_register_enc_region.patch67
-rw-r--r--queue-6.7/kvm-x86-mark-target-gfn-of-emulated-atomic-instruction-as-dirty.patch62
-rw-r--r--queue-6.7/series5
6 files changed, 315 insertions, 0 deletions
diff --git a/queue-6.7/firewire-ohci-prevent-leak-of-left-over-irq-on-unbind.patch b/queue-6.7/firewire-ohci-prevent-leak-of-left-over-irq-on-unbind.patch
new file mode 100644
index 0000000000..a562a8f9cb
--- /dev/null
+++ b/queue-6.7/firewire-ohci-prevent-leak-of-left-over-irq-on-unbind.patch
@@ -0,0 +1,72 @@
+From 575801663c7dc38f826212b39e3b91a4a8661c33 Mon Sep 17 00:00:00 2001
+From: Edmund Raile <edmund.raile@proton.me>
+Date: Thu, 29 Feb 2024 14:47:59 +0000
+Subject: firewire: ohci: prevent leak of left-over IRQ on unbind
+
+From: Edmund Raile <edmund.raile@proton.me>
+
+commit 575801663c7dc38f826212b39e3b91a4a8661c33 upstream.
+
+Commit 5a95f1ded28691e6 ("firewire: ohci: use devres for requested IRQ")
+also removed the call to free_irq() in pci_remove(), leading to a
+leftover irq of devm_request_irq() at pci_disable_msi() in pci_remove()
+when unbinding the driver from the device
+
+remove_proc_entry: removing non-empty directory 'irq/136', leaking at
+least 'firewire_ohci'
+Call Trace:
+ ? remove_proc_entry+0x19c/0x1c0
+ ? __warn+0x81/0x130
+ ? remove_proc_entry+0x19c/0x1c0
+ ? report_bug+0x171/0x1a0
+ ? console_unlock+0x78/0x120
+ ? handle_bug+0x3c/0x80
+ ? exc_invalid_op+0x17/0x70
+ ? asm_exc_invalid_op+0x1a/0x20
+ ? remove_proc_entry+0x19c/0x1c0
+ unregister_irq_proc+0xf4/0x120
+ free_desc+0x3d/0xe0
+ ? kfree+0x29f/0x2f0
+ irq_free_descs+0x47/0x70
+ msi_domain_free_locked.part.0+0x19d/0x1d0
+ msi_domain_free_irqs_all_locked+0x81/0xc0
+ pci_free_msi_irqs+0x12/0x40
+ pci_disable_msi+0x4c/0x60
+ pci_remove+0x9d/0xc0 [firewire_ohci
+ 01b483699bebf9cb07a3d69df0aa2bee71db1b26]
+ pci_device_remove+0x37/0xa0
+ device_release_driver_internal+0x19f/0x200
+ unbind_store+0xa1/0xb0
+
+remove irq with devm_free_irq() before pci_disable_msi()
+also remove it in fail_msi: of pci_probe() as this would lead to
+an identical leak
+
+Cc: stable@vger.kernel.org
+Fixes: 5a95f1ded28691e6 ("firewire: ohci: use devres for requested IRQ")
+Signed-off-by: Edmund Raile <edmund.raile@proton.me>
+Link: https://lore.kernel.org/r/20240229144723.13047-2-edmund.raile@proton.me
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firewire/ohci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/firewire/ohci.c
++++ b/drivers/firewire/ohci.c
+@@ -3773,6 +3773,7 @@ static int pci_probe(struct pci_dev *dev
+ return 0;
+
+ fail_msi:
++ devm_free_irq(&dev->dev, dev->irq, ohci);
+ pci_disable_msi(dev);
+
+ return err;
+@@ -3800,6 +3801,7 @@ static void pci_remove(struct pci_dev *d
+
+ software_reset(ohci);
+
++ devm_free_irq(&dev->dev, dev->irq, ohci);
+ pci_disable_msi(dev);
+
+ dev_notice(&dev->dev, "removing fw-ohci device\n");
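Review bot: The new `devm_free_irq()` at fail_msi: (line 87) is only correct if every `goto fail_msi` in pci_probe() is taken after `devm_request_irq()` has succeeded; pci_probe() begins outside the hunk, so that ordering cannot be confirmed here and is worth checking, since releasing a devres-managed IRQ that was never requested is expected to trip a WARN in the devres/IRQ core. The reason for an explicit release of a devres-managed resource is non-obvious at both call sites and deserves a comment, e.g. `/* release the devres-managed IRQ now; devres would only do it after pci_disable_msi() has torn down the MSI descriptor */`. The pci_remove() hunk (line 95) has the same requirement and the same comment applies there; both enclosing functions start and end outside the hunks.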
diff --git a/queue-6.7/init-kconfig-lower-gcc-version-check-for-warray-bounds.patch b/queue-6.7/init-kconfig-lower-gcc-version-check-for-warray-bounds.patch
new file mode 100644
index 0000000000..ede87690a8
--- /dev/null
+++ b/queue-6.7/init-kconfig-lower-gcc-version-check-for-warray-bounds.patch
@@ -0,0 +1,64 @@
+From 3e00f5802fabf2f504070a591b14b648523ede13 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 23 Feb 2024 09:08:27 -0800
+Subject: init/Kconfig: lower GCC version check for -Warray-bounds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 3e00f5802fabf2f504070a591b14b648523ede13 upstream.
+
+We continue to see false positives from -Warray-bounds even in GCC 10,
+which is getting reported in a few places[1] still:
+
+security/security.c:811:2: warning: `memcpy' offset 32 is out of the bounds [0, 0] [-Warray-bounds]
+
+Lower the GCC version check from 11 to 10.
+
+Link: https://lkml.kernel.org/r/20240223170824.work.768-kees@kernel.org
+Reported-by: Lu Yao <yaolu@kylinos.cn>
+Closes: https://lore.kernel.org/lkml/20240117014541.8887-1-yaolu@kylinos.cn/
+Link: https://lore.kernel.org/linux-next/65d84438.620a0220.7d171.81a7@mx.google.com [1]
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Paul Moore <paul@paul-moore.com>
+Cc: Ard Biesheuvel <ardb@kernel.org>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Marc Aurèle La France <tsi@tuyoix.net>
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nhat Pham <nphamcs@gmail.com>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ init/Kconfig | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -876,14 +876,14 @@ config CC_IMPLICIT_FALLTHROUGH
+ default "-Wimplicit-fallthrough=5" if CC_IS_GCC && $(cc-option,-Wimplicit-fallthrough=5)
+ default "-Wimplicit-fallthrough" if CC_IS_CLANG && $(cc-option,-Wunreachable-code-fallthrough)
+
+-# Currently, disable gcc-11+ array-bounds globally.
++# Currently, disable gcc-10+ array-bounds globally.
+ # It's still broken in gcc-13, so no upper bound yet.
+-config GCC11_NO_ARRAY_BOUNDS
++config GCC10_NO_ARRAY_BOUNDS
+ def_bool y
+
+ config CC_NO_ARRAY_BOUNDS
+ bool
+- default y if CC_IS_GCC && GCC_VERSION >= 110000 && GCC11_NO_ARRAY_BOUNDS
++ default y if CC_IS_GCC && GCC_VERSION >= 100000 && GCC10_NO_ARRAY_BOUNDS
+
+ #
+ # For architectures that know their GCC __int128 support is sound
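Review bot: Renaming the symbol from `GCC11_NO_ARRAY_BOUNDS` to `GCC10_NO_ARRAY_BOUNDS` (lines 158-159) silently turns any remaining reference to the old name elsewhere in the 6.7 tree into an undefined symbol, which Kconfig does not report as an error; in a stable backport that is a real risk if a later upstream change touching the same symbol was not picked up, so a grep for the old name across Kconfig and Makefiles is worth doing before queuing. The `default y` line (line 165) then only depends on `GCC_VERSION >= 100000`, so the effective change is that GCC 10.x builds also drop -Warray-bounds, as the commit message states.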
diff --git a/queue-6.7/input-xpad-add-additional-hyperx-controller-identifiers.patch b/queue-6.7/input-xpad-add-additional-hyperx-controller-identifiers.patch
new file mode 100644
index 0000000000..ec2376d362
--- /dev/null
+++ b/queue-6.7/input-xpad-add-additional-hyperx-controller-identifiers.patch
@@ -0,0 +1,45 @@
+From dd50f771af20fb02b1aecde04fbd085c872a9139 Mon Sep 17 00:00:00 2001
+From: Max Nguyen <maxwell.nguyen@hp.com>
+Date: Sun, 3 Mar 2024 14:13:52 -0800
+Subject: Input: xpad - add additional HyperX Controller Identifiers
+
+From: Max Nguyen <maxwell.nguyen@hp.com>
+
+commit dd50f771af20fb02b1aecde04fbd085c872a9139 upstream.
+
+Add additional HyperX device identifiers to xpad_device and xpad_table.
+
+Suggested-by: Chris Toledanes<chris.toledanes@hp.com>
+Reviewed-by: Carl Ng <carl.ng@hp.com>
+Signed-off-by: Max Nguyen <maxwell.nguyen@hp.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/44ad5ffa-76d8-4046-94ee-2ef171930ed2@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joystick/xpad.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -130,7 +130,12 @@ static const struct xpad_device {
+ { 0x0079, 0x18d4, "GPD Win 2 X-Box Controller", 0, XTYPE_XBOX360 },
+ { 0x03eb, 0xff01, "Wooting One (Legacy)", 0, XTYPE_XBOX360 },
+ { 0x03eb, 0xff02, "Wooting Two (Legacy)", 0, XTYPE_XBOX360 },
++ { 0x03f0, 0x038D, "HyperX Clutch", 0, XTYPE_XBOX360 }, /* wired */
++ { 0x03f0, 0x048D, "HyperX Clutch", 0, XTYPE_XBOX360 }, /* wireless */
+ { 0x03f0, 0x0495, "HyperX Clutch Gladiate", 0, XTYPE_XBOXONE },
++ { 0x03f0, 0x07A0, "HyperX Clutch Gladiate RGB", 0, XTYPE_XBOXONE },
++ { 0x03f0, 0x08B6, "HyperX Clutch Gladiate", 0, XTYPE_XBOXONE }, /* v2 */
++ { 0x03f0, 0x09B4, "HyperX Clutch Tanto", 0, XTYPE_XBOXONE },
+ { 0x044f, 0x0f00, "Thrustmaster Wheel", 0, XTYPE_XBOX },
+ { 0x044f, 0x0f03, "Thrustmaster Wheel", 0, XTYPE_XBOX },
+ { 0x044f, 0x0f07, "Thrustmaster, Inc. Controller", 0, XTYPE_XBOX },
+@@ -463,6 +468,7 @@ static const struct usb_device_id xpad_t
+ { USB_INTERFACE_INFO('X', 'B', 0) }, /* Xbox USB-IF not-approved class */
+ XPAD_XBOX360_VENDOR(0x0079), /* GPD Win 2 controller */
+ XPAD_XBOX360_VENDOR(0x03eb), /* Wooting Keyboards (Legacy) */
++ XPAD_XBOX360_VENDOR(0x03f0), /* HP HyperX Xbox 360 controllers */
+ XPAD_XBOXONE_VENDOR(0x03f0), /* HP HyperX Xbox One controllers */
+ XPAD_XBOX360_VENDOR(0x044f), /* Thrustmaster Xbox 360 controllers */
+ XPAD_XBOX360_VENDOR(0x045e), /* Microsoft Xbox 360 controllers */
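Review bot: The new product IDs on lines 203-208 use upper-case hex digits (`0x038D`, `0x048D`, `0x07A0`, `0x08B6`, `0x09B4`) while every neighbouring entry in the table, including the existing HyperX `0x0495`, is lower-case; writing them as `0x038d`, `0x048d`, `0x07a0`, `0x08b6`, `0x09b4` keeps the table on one convention and greppable. The added `XPAD_XBOX360_VENDOR(0x03f0)` on line 216 is needed because the two new Clutch rows are `XTYPE_XBOX360` and vendor 0x03f0 previously matched only through the Xbox One macro, so that part is consistent with the table.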
diff --git a/queue-6.7/kvm-svm-flush-pages-under-kvm-lock-to-fix-uaf-in-svm_register_enc_region.patch b/queue-6.7/kvm-svm-flush-pages-under-kvm-lock-to-fix-uaf-in-svm_register_enc_region.patch
new file mode 100644
index 0000000000..97e0a32c5e
--- /dev/null
+++ b/queue-6.7/kvm-svm-flush-pages-under-kvm-lock-to-fix-uaf-in-svm_register_enc_region.patch
@@ -0,0 +1,67 @@
+From 5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 16 Feb 2024 17:34:30 -0800
+Subject: KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807 upstream.
+
+Do the cache flush of converted pages in svm_register_enc_region() before
+dropping kvm->lock to fix use-after-free issues where region and/or its
+array of pages could be freed by a different task, e.g. if userspace has
+__unregister_enc_region_locked() already queued up for the region.
+
+Note, the "obvious" alternative of using local variables doesn't fully
+resolve the bug, as region->pages is also dynamically allocated. I.e. the
+region structure itself would be fine, but region->pages could be freed.
+
+Flushing multiple pages under kvm->lock is unfortunate, but the entire
+flow is a rare slow path, and the manual flush is only needed on CPUs that
+lack coherency for encrypted memory.
+
+Fixes: 19a23da53932 ("Fix unsynchronized access to sev members through svm_register_enc_region")
+Reported-by: Gabe Kirkpatrick <gkirkpatrick@google.com>
+Cc: Josh Eads <josheads@google.com>
+Cc: Peter Gonda <pgonda@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20240217013430.2079561-1-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/sev.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -1975,20 +1975,22 @@ int sev_mem_enc_register_region(struct k
+ goto e_free;
+ }
+
+- region->uaddr = range->addr;
+- region->size = range->size;
+-
+- list_add_tail(&region->list, &sev->regions_list);
+- mutex_unlock(&kvm->lock);
+-
+ /*
+ * The guest may change the memory encryption attribute from C=0 -> C=1
+ * or vice versa for this memory range. Lets make sure caches are
+ * flushed to ensure that guest data gets written into memory with
+- * correct C-bit.
++ * correct C-bit. Note, this must be done before dropping kvm->lock,
++ * as region and its array of pages can be freed by a different task
++ * once kvm->lock is released.
+ */
+ sev_clflush_pages(region->pages, region->npages);
+
++ region->uaddr = range->addr;
++ region->size = range->size;
++
++ list_add_tail(&region->list, &sev->regions_list);
++ mutex_unlock(&kvm->lock);
++
+ return ret;
+
+ e_free:
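Review bot: The flush on line 282 now depends on kvm->lock being held across `sev_clflush_pages()` so that `region->pages` cannot be freed underneath it, but the lock acquisition is outside the hunk and nothing at the call site records that invariant; adding `lockdep_assert_held(&kvm->lock);` immediately before the flush documents it and catches any future reordering that unlocks too early. The `e_free:` path that follows the hunk is presumably still responsible for unlocking and freeing region on the earlier error return; sev_mem_enc_register_region() begins and ends outside the hunk.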
diff --git a/queue-6.7/kvm-x86-mark-target-gfn-of-emulated-atomic-instruction-as-dirty.patch b/queue-6.7/kvm-x86-mark-target-gfn-of-emulated-atomic-instruction-as-dirty.patch
new file mode 100644
index 0000000000..78125deb9a
--- /dev/null
+++ b/queue-6.7/kvm-x86-mark-target-gfn-of-emulated-atomic-instruction-as-dirty.patch
@@ -0,0 +1,62 @@
+From 910c57dfa4d113aae6571c2a8b9ae8c430975902 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Wed, 14 Feb 2024 17:00:03 -0800
+Subject: KVM: x86: Mark target gfn of emulated atomic instruction as dirty
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 910c57dfa4d113aae6571c2a8b9ae8c430975902 upstream.
+
+When emulating an atomic access on behalf of the guest, mark the target
+gfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This
+fixes a bug where KVM effectively corrupts guest memory during live
+migration by writing to guest memory without informing userspace that the
+page is dirty.
+
+Marking the page dirty got unintentionally dropped when KVM's emulated
+CMPXCHG was converted to do a user access. Before that, KVM explicitly
+mapped the guest page into kernel memory, and marked the page dirty during
+the unmap phase.
+
+Mark the page dirty even if the CMPXCHG fails, as the old data is written
+back on failure, i.e. the page is still written. The value written is
+guaranteed to be the same because the operation is atomic, but KVM's ABI
+is that all writes are dirty logged regardless of the value written. And
+more importantly, that's what KVM did before the buggy commit.
+
+Huge kudos to the folks on the Cc list (and many others), who did all the
+actual work of triaging and debugging.
+
+Fixes: 1c2361f667f3 ("KVM: x86: Use __try_cmpxchg_user() to emulate atomic accesses")
+Cc: stable@vger.kernel.org
+Cc: David Matlack <dmatlack@google.com>
+Cc: Pasha Tatashin <tatashin@google.com>
+Cc: Michael Krebs <mkrebs@google.com>
+base-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Link: https://lore.kernel.org/r/20240215010004.1456078-2-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -7951,6 +7951,16 @@ static int emulator_cmpxchg_emulated(str
+
+ if (r < 0)
+ return X86EMUL_UNHANDLEABLE;
++
++ /*
++ * Mark the page dirty _before_ checking whether or not the CMPXCHG was
++ * successful, as the old value is written back on failure. Note, for
++ * live migration, this is unnecessarily conservative as CMPXCHG writes
++ * back the original value and the access is atomic, but KVM's ABI is
++ * that all writes are dirty logged, regardless of the value written.
++ */
++ kvm_vcpu_mark_page_dirty(vcpu, gpa_to_gfn(gpa));
++
+ if (r)
+ return X86EMUL_CMPXCHG_FAILED;
+
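Review bot: `kvm_vcpu_mark_page_dirty()` on line 356 is reached for every attempted exchange that did not fault, which matches the stated intent, but the hunk does not show how `r` and `gpa` are produced, since emulator_cmpxchg_emulated() begins outside the hunk; it is worth confirming that `r < 0` is the only outcome in which no write to the guest page occurred and that `gpa` is the address the exchange actually hit. Any earlier fallback in the function to a plain write path for cross-page or unsupported sizes would have to do its own dirty logging and is not covered by this change.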
diff --git a/queue-6.7/series b/queue-6.7/series
index 685788b82b..967def81a3 100644
--- a/queue-6.7/series
+++ b/queue-6.7/series
@@ -247,3 +247,8 @@ usb-typec-tpcm-fix-port_reset-behavior-for-self-powered-devices.patch
thunderbolt-fix-null-pointer-dereference-in-tb_port_update_credits.patch
cgroup-cpuset-fix-retval-in-update_cpumask.patch
cgroup-cpuset-fix-a-memory-leak-in-update_exclusive_cpumask.patch
+input-xpad-add-additional-hyperx-controller-identifiers.patch
+init-kconfig-lower-gcc-version-check-for-warray-bounds.patch
+firewire-ohci-prevent-leak-of-left-over-irq-on-unbind.patch
+kvm-x86-mark-target-gfn-of-emulated-atomic-instruction-as-dirty.patch
+kvm-svm-flush-pages-under-kvm-lock-to-fix-uaf-in-svm_register_enc_region.patch