commit b019fcc08127f9f9a50d19fe1ea1869607652838
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri May 17 12:18:09 2024 +0200

    Linux 6.9.1
    
    Link: https://lore.kernel.org/r/20240515082345.213796290@linuxfoundation.org
    Tested-by: Ron Economos <re@w6rz.net>
    Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Mark Brown <broonie@kernel.org>
    Tested-by: Bagas Sanjaya <bagasdotme@gmail.com>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ddb02739a2be54ed922bce3cb57d5f901590ee70
Author: Ben Greear <greearb@candelatech.com>
Date:   Tue Mar 26 17:11:31 2024 -0700

    wifi: mt76: mt7915: add missing chanctx ops
    
    commit 2f7cf3b61d85228ae749b6cb8eda1e1df9d4926f upstream.
    
    Looks like this was missed in the initial patch that made
    the conversion to the emulated chanctx drivers.
    
    Fixes: 0a44dfc07074 ("wifi: mac80211: simplify non-chanctx drivers")
    Tested-by: James Courtier-Dutton <james.dutton@gmail.com>
    Signed-off-by: Ben Greear <greearb@candelatech.com>
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cc219cb8afbc40ec100c0de941047bb29373126a
Author: Silvio Gissi <sifonsec@amazon.com>
Date:   Fri Mar 15 15:05:39 2024 -0400

    keys: Fix overwrite of key expiration on instantiation
    
    commit 9da27fb65a14c18efd4473e2e82b76b53ba60252 upstream.
    
    The expiry time of a key is unconditionally overwritten during
    instantiation, defaulting to turn it permanent. This causes a problem
    for DNS resolution as the expiration set by user-space is overwritten to
    TIME64_MAX, disabling further DNS updates. Fix this by restoring the
    condition that key_set_expiry is only called when the pre-parser sets a
    specific expiry.
    
    Fixes: 39299bdd2546 ("keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry")
    Signed-off-by: Silvio Gissi <sifonsec@amazon.com>
    cc: David Howells <dhowells@redhat.com>
    cc: Hazem Mohamed Abuelfotoh <abuehaze@amazon.com>
    cc: linux-afs@lists.infradead.org
    cc: linux-cifs@vger.kernel.org
    cc: keyrings@vger.kernel.org
    cc: netdev@vger.kernel.org
    cc: stable@vger.kernel.org
    Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
    Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 21a8f1ce35d3da4a830250f4e10a81b379807e39
Author: Nikhil Rao <nikhil.rao@intel.com>
Date:   Wed Apr 24 15:16:12 2024 +0000

    dmaengine: idxd: add a write() method for applications to submit work
    
    commit 6827738dc684a87ad54ebba3ae7f3d7c977698eb upstream.
    
    After the patch to restrict the use of mmap() to CAP_SYS_RAWIO for
    the currently existing devices, most applications can no longer make
    use of the accelerators as in production "you don't run things as root".
    
    To keep the DSA and IAA accelerators usable, hook up a write() method
    so that applications can still submit work. In the write method,
    sufficient input validation is performed to avoid the security issue
    that required the mmap CAP_SYS_RAWIO check.
    
    One complication is that the DSA device allows for indirect ("batched")
    descriptors. There is no reasonable way to do the input validation
    on these indirect descriptors so the write() method will not allow these
    to be submitted to the hardware on affected hardware, and the sysfs
    enumeration of support for the opcode is also removed.
    
    Early performance data shows that the performance delta for most common
    cases is within the noise.
    
    Signed-off-by: Nikhil Rao <nikhil.rao@intel.com>
    Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8da3a84ebb9260b70b9127c4850c9a118f1eac12
Author: Arjan van de Ven <arjan@linux.intel.com>
Date:   Wed Apr 24 14:43:22 2024 +0000

    dmaengine: idxd: add a new security check to deal with a hardware erratum
    
    commit e11452eb071b2a8e6ba52892b2e270bbdaa6640d upstream.
    
    On Sapphire Rapids and related platforms, the DSA and IAA devices have an
    erratum that causes direct access (for example, by using the ENQCMD or
    MOVDIR64 instructions) from untrusted applications to be a security problem.
    
    To solve this, add a flag to the PCI device enumeration and device structures
    to indicate the presence/absence of this security exposure. In the mmap()
    method of the device, this flag is then used to enforce that the user
    has the CAP_SYS_RAWIO capability.
    
    In a future patch, a write() based method will be added that allows untrusted
    applications submit work to the accelerator, where the kernel can do
    sanity checking on the user input to ensure secure operation of the accelerator.
    
    Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fa20fd0f9cd9748490175f58091e7d695ef675a0
Author: Arjan van de Ven <arjan@linux.intel.com>
Date:   Thu Mar 21 19:44:07 2024 +0000

    VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist
    
    commit 95feb3160eef0caa6018e175a5560b816aee8e79 upstream.
    
    Due to an erratum with the SPR_DSA and SPR_IAX devices, it is not secure to assign
    these devices to virtual machines. Add the PCI IDs of these devices to the VFIO
    denylist to ensure that this is handled appropriately by the VFIO subsystem.
    
    The SPR_DSA and SPR_IAX devices are on-SOC devices for the Sapphire Rapids
    (and related) family of products that perform data movement and compression.
    
    Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>