The patch below does not apply to the 5.13-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 9e56614c44b994b78fc9fcb2070bcbe3f5df0d7b Mon Sep 17 00:00:00 2001

From: Dan Williams dan.j.williams@intel.com Date: Fri, 3 Sep 2021 19:20:45 -0700 Subject: [PATCH] cxl/pci: Fix lockdown level

A proposed rework of security_locked_down() users identified that the cxl_pci driver was passing the wrong lockdown_reason. Update cxl_mem_raw_command_allowed() to fail raw command access when raw pci access is also disabled.

Fixes: 13237183c735 ("cxl/mem: Add a "RAW" send command") Cc: Ben Widawsky ben.widawsky@intel.com Cc: Jonathan Cameron Jonathan.Cameron@huawei.com Cc: stable@vger.kernel.org Cc: Ondrej Mosnacek omosnace@redhat.com Cc: Paul Moore paul@paul-moore.com Link: https://lore.kernel.org/r/163072204525.2250120.16615792476976546735.stgit@dw... Signed-off-by: Dan Williams dan.j.williams@intel.com

diff --git a/drivers/cxl/pci.c b/drivers/cxl/pci.c index 651e8d4ec974..37903259ee79 100644 --- a/drivers/cxl/pci.c +++ b/drivers/cxl/pci.c @@ -575,7 +575,7 @@ static bool cxl_mem_raw_command_allowed(u16 opcode) if (!IS_ENABLED(CONFIG_CXL_MEM_RAW_COMMANDS)) return false;

- if (security_locked_down(LOCKDOWN_NONE)) + if (security_locked_down(LOCKDOWN_PCI_ACCESS)) return false;

if (cxl_raw_allow_all)