--- /dev/null
+From d6fd6f8280f0257ba93f16900a0d3d3912f32c79 Mon Sep 17 00:00:00 2001
+From: Max Kellermann <max.kellermann@ionos.com>
+Date: Thu, 5 Dec 2024 16:49:51 +0100
+Subject: ceph: fix memory leaks in __ceph_sync_read()
+
+From: Max Kellermann <max.kellermann@ionos.com>
+
+commit d6fd6f8280f0257ba93f16900a0d3d3912f32c79 upstream.
+
+In two `break` statements, the call to ceph_release_page_vector() was
+missing, leaking the allocation from ceph_alloc_page_vector().
+
+Instead of adding the missing ceph_release_page_vector() calls, the
+Ceph maintainers preferred to transfer page ownership to the
+`ceph_osd_request` by passing `own_pages=true` to
+osd_req_op_extent_osd_data_pages(). This requires postponing the
+ceph_osdc_put_request() call until after the block that accesses the
+`pages`.
+
+Cc: stable@vger.kernel.org
+Fixes: 03bc06c7b0bd ("ceph: add new mount option to enable sparse reads")
+Fixes: f0fe1e54cfcf ("ceph: plumb in decryption during reads")
+Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/file.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -1036,7 +1036,7 @@ ssize_t __ceph_sync_read(struct inode *i
+
+ osd_req_op_extent_osd_data_pages(req, 0, pages, read_len,
+ offset_in_page(read_off),
+- false, false);
++ false, true);
+
+ op = &req->r_ops[0];
+ if (sparse) {
+@@ -1101,8 +1101,6 @@ ssize_t __ceph_sync_read(struct inode *i
+ ret = min_t(ssize_t, fret, len);
+ }
+
+- ceph_osdc_put_request(req);
+-
+ /* Short read but not EOF? Zero out the remainder. */
+ if (ret < len && (off + ret < i_size)) {
+ int zlen = min(len - ret, i_size - off - ret);
+@@ -1134,7 +1132,8 @@ ssize_t __ceph_sync_read(struct inode *i
+ break;
+ }
+ }
+- ceph_release_page_vector(pages, num_pages);
++
++ ceph_osdc_put_request(req);
+
+ if (off >= i_size || !more)
+ break;
--- /dev/null
+From 9abee475803fab6ad59d4f4fc59c6a75374a7d9d Mon Sep 17 00:00:00 2001
+From: Alex Markuze <amarkuze@redhat.com>
+Date: Wed, 27 Nov 2024 15:34:10 +0200
+Subject: ceph: improve error handling and short/overflow-read logic in __ceph_sync_read()
+
+From: Alex Markuze <amarkuze@redhat.com>
+
+commit 9abee475803fab6ad59d4f4fc59c6a75374a7d9d upstream.
+
+This patch refines the read logic in __ceph_sync_read() to ensure more
+predictable and efficient behavior in various edge cases.
+
+- Return early if the requested read length is zero or if the file size
+ (`i_size`) is zero.
+- Initialize the index variable (`idx`) where needed and reorder some
+ code to ensure it is always set before use.
+- Improve error handling by checking for negative return values earlier.
+- Remove redundant encrypted file checks after failures. Only attempt
+ filesystem-level decryption if the read succeeded.
+- Simplify leftover calculations to correctly handle cases where the
+ read extends beyond the end of the file or stops short. This can be
+ hit by continuously reading a file while, on another client, we keep
+ truncating and writing new data into it.
+- This resolves multiple issues caused by integer and consequent buffer
+ overflow (`pages` array being accessed beyond `num_pages`):
+ - https://tracker.ceph.com/issues/67524
+ - https://tracker.ceph.com/issues/68980
+ - https://tracker.ceph.com/issues/68981
+
+Cc: stable@vger.kernel.org
+Fixes: 1065da21e5df ("ceph: stop copying to iter at EOF on sync reads")
+Reported-by: Luis Henriques (SUSE) <luis.henriques@linux.dev>
+Signed-off-by: Alex Markuze <amarkuze@redhat.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/file.c | 29 ++++++++++++++---------------
+ 1 file changed, 14 insertions(+), 15 deletions(-)
+
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -976,7 +976,7 @@ ssize_t __ceph_sync_read(struct inode *i
+ if (ceph_inode_is_shutdown(inode))
+ return -EIO;
+
+- if (!len)
++ if (!len || !i_size)
+ return 0;
+ /*
+ * flush any page cache pages in this range. this
+@@ -996,7 +996,7 @@ ssize_t __ceph_sync_read(struct inode *i
+ int num_pages;
+ size_t page_off;
+ bool more;
+- int idx;
++ int idx = 0;
+ size_t left;
+ struct ceph_osd_req_op *op;
+ u64 read_off = off;
+@@ -1068,7 +1068,14 @@ ssize_t __ceph_sync_read(struct inode *i
+ else if (ret == -ENOENT)
+ ret = 0;
+
+- if (ret > 0 && IS_ENCRYPTED(inode)) {
++ if (ret < 0) {
++ ceph_osdc_put_request(req);
++ if (ret == -EBLOCKLISTED)
++ fsc->blocklisted = true;
++ break;
++ }
++
++ if (IS_ENCRYPTED(inode)) {
+ int fret;
+
+ fret = ceph_fscrypt_decrypt_extents(inode, pages,
+@@ -1097,7 +1104,7 @@ ssize_t __ceph_sync_read(struct inode *i
+ ceph_osdc_put_request(req);
+
+ /* Short read but not EOF? Zero out the remainder. */
+- if (ret >= 0 && ret < len && (off + ret < i_size)) {
++ if (ret < len && (off + ret < i_size)) {
+ int zlen = min(len - ret, i_size - off - ret);
+ int zoff = page_off + ret;
+
+@@ -1107,13 +1114,11 @@ ssize_t __ceph_sync_read(struct inode *i
+ ret += zlen;
+ }
+
+- idx = 0;
+- if (ret <= 0)
+- left = 0;
+- else if (off + ret > i_size)
+- left = i_size - off;
++ if (off + ret > i_size)
++ left = (i_size > off) ? i_size - off : 0;
+ else
+ left = ret;
++
+ while (left > 0) {
+ size_t plen, copied;
+
+@@ -1131,12 +1136,6 @@ ssize_t __ceph_sync_read(struct inode *i
+ }
+ ceph_release_page_vector(pages, num_pages);
+
+- if (ret < 0) {
+- if (ret == -EBLOCKLISTED)
+- fsc->blocklisted = true;
+- break;
+- }
+-
+ if (off >= i_size || !more)
+ break;
+ }
--- /dev/null
+From 12eb22a5a609421b380c3c6ca887474fb2089b2c Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Wed, 20 Nov 2024 16:43:51 +0100
+Subject: ceph: validate snapdirname option length when mounting
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 12eb22a5a609421b380c3c6ca887474fb2089b2c upstream.
+
+It becomes a path component, so it shouldn't exceed NAME_MAX
+characters. This was hardened in commit c152737be22b ("ceph: Use
+strscpy() instead of strcpy() in __get_snap_name()"), but no actual
+check was put in place.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Alex Markuze <amarkuze@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ceph/super.c
++++ b/fs/ceph/super.c
+@@ -427,6 +427,8 @@ static int ceph_parse_mount_param(struct
+
+ switch (token) {
+ case Opt_snapdirname:
++ if (strlen(param->string) > NAME_MAX)
++ return invalfc(fc, "snapdirname too long");
+ kfree(fsopt->snapdir_name);
+ fsopt->snapdir_name = param->string;
+ param->string = NULL;
--- /dev/null
+From 62e2a47ceab8f3f7d2e3f0e03fdd1c5e0059fd8b Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Mon, 16 Dec 2024 19:28:06 -0500
+Subject: NFS/pnfs: Fix a live lock between recalled layouts and layoutget
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 62e2a47ceab8f3f7d2e3f0e03fdd1c5e0059fd8b upstream.
+
+When the server is recalling a layout, we should ignore the count of
+outstanding layoutget calls, since the server is expected to return
+either NFS4ERR_RECALLCONFLICT or NFS4ERR_RETURNCONFLICT for as long as
+the recall is outstanding.
+Currently, we may end up livelocking, causing the layout to eventually
+be forcibly revoked.
+
+Fixes: bf0291dd2267 ("pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised")
+Cc: stable@vger.kernel.org
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/pnfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1196,7 +1196,7 @@ pnfs_prepare_layoutreturn(struct pnfs_la
+ enum pnfs_iomode *iomode)
+ {
+ /* Serialise LAYOUTGET/LAYOUTRETURN */
+- if (atomic_read(&lo->plh_outstanding) != 0)
++ if (atomic_read(&lo->plh_outstanding) != 0 && lo->plh_return_seq == 0)
+ return false;
+ if (test_and_set_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags))
+ return false;
--- /dev/null
+From 6309b8ce98e9a18390b9fd8f03fc412f3c17aee9 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Fri, 13 Dec 2024 01:43:28 +0900
+Subject: nilfs2: fix buffer head leaks in calls to truncate_inode_pages()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit 6309b8ce98e9a18390b9fd8f03fc412f3c17aee9 upstream.
+
+When block_invalidatepage was converted to block_invalidate_folio, the
+fallback to block_invalidatepage in folio_invalidate() if the
+address_space_operations method invalidatepage (currently
+invalidate_folio) was not set, was removed.
+
+Unfortunately, some pseudo-inodes in nilfs2 use empty_aops set by
+inode_init_always_gfp() as is, or explicitly set it to
+address_space_operations. Therefore, with this change,
+block_invalidatepage() is no longer called from folio_invalidate(), and as
+a result, the buffer_head structures attached to these pages/folios are no
+longer freed via try_to_free_buffers().
+
+Thus, these buffer heads are now leaked by truncate_inode_pages(), which
+cleans up the page cache from inode evict(), etc.
+
+Three types of caches use empty_aops: gc inode caches and the DAT shadow
+inode used by GC, and b-tree node caches. Of these, b-tree node caches
+explicitly call invalidate_mapping_pages() during cleanup, which involves
+calling try_to_free_buffers(), so the leak was not visible during normal
+operation but worsened when GC was performed.
+
+Fix this issue by using address_space_operations with invalidate_folio set
+to block_invalidate_folio instead of empty_aops, which will ensure the
+same behavior as before.
+
+Link: https://lkml.kernel.org/r/20241212164556.21338-1-konishi.ryusuke@gmail.com
+Fixes: 7ba13abbd31e ("fs: Turn block_invalidatepage into block_invalidate_folio")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org> [5.18+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/btnode.c | 1 +
+ fs/nilfs2/gcinode.c | 2 +-
+ fs/nilfs2/inode.c | 5 +++++
+ fs/nilfs2/nilfs.h | 1 +
+ 4 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/nilfs2/btnode.c
++++ b/fs/nilfs2/btnode.c
+@@ -35,6 +35,7 @@ void nilfs_init_btnc_inode(struct inode
+ ii->i_flags = 0;
+ memset(&ii->i_bmap_data, 0, sizeof(struct nilfs_bmap));
+ mapping_set_gfp_mask(btnc_inode->i_mapping, GFP_NOFS);
++ btnc_inode->i_mapping->a_ops = &nilfs_buffer_cache_aops;
+ }
+
+ void nilfs_btnode_cache_clear(struct address_space *btnc)
+--- a/fs/nilfs2/gcinode.c
++++ b/fs/nilfs2/gcinode.c
+@@ -163,7 +163,7 @@ int nilfs_init_gcinode(struct inode *ino
+
+ inode->i_mode = S_IFREG;
+ mapping_set_gfp_mask(inode->i_mapping, GFP_NOFS);
+- inode->i_mapping->a_ops = &empty_aops;
++ inode->i_mapping->a_ops = &nilfs_buffer_cache_aops;
+
+ ii->i_flags = 0;
+ nilfs_bmap_init_gc(ii->i_bmap);
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -309,6 +309,10 @@ const struct address_space_operations ni
+ .is_partially_uptodate = block_is_partially_uptodate,
+ };
+
++const struct address_space_operations nilfs_buffer_cache_aops = {
++ .invalidate_folio = block_invalidate_folio,
++};
++
+ static int nilfs_insert_inode_locked(struct inode *inode,
+ struct nilfs_root *root,
+ unsigned long ino)
+@@ -748,6 +752,7 @@ struct inode *nilfs_iget_for_shadow(stru
+ NILFS_I(s_inode)->i_flags = 0;
+ memset(NILFS_I(s_inode)->i_bmap, 0, sizeof(struct nilfs_bmap));
+ mapping_set_gfp_mask(s_inode->i_mapping, GFP_NOFS);
++ s_inode->i_mapping->a_ops = &nilfs_buffer_cache_aops;
+
+ err = nilfs_attach_btree_node_cache(s_inode);
+ if (unlikely(err)) {
+--- a/fs/nilfs2/nilfs.h
++++ b/fs/nilfs2/nilfs.h
+@@ -379,6 +379,7 @@ extern const struct file_operations nilf
+ extern const struct inode_operations nilfs_file_inode_operations;
+ extern const struct file_operations nilfs_file_operations;
+ extern const struct address_space_operations nilfs_aops;
++extern const struct address_space_operations nilfs_buffer_cache_aops;
+ extern const struct inode_operations nilfs_dir_inode_operations;
+ extern const struct inode_operations nilfs_special_inode_operations;
+ extern const struct inode_operations nilfs_symlink_inode_operations;
--- /dev/null
+From 901ce9705fbb9f330ff1f19600e5daf9770b0175 Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis <eadavis@qq.com>
+Date: Mon, 9 Dec 2024 15:56:52 +0900
+Subject: nilfs2: prevent use of deleted inode
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+commit 901ce9705fbb9f330ff1f19600e5daf9770b0175 upstream.
+
+syzbot reported a WARNING in nilfs_rmdir. [1]
+
+Because the inode bitmap is corrupted, an inode with an inode number that
+should exist as a ".nilfs" file was reassigned by nilfs_mkdir for "file0",
+causing an inode duplication during execution. And this causes an
+underflow of i_nlink in rmdir operations.
+
+The inode is used twice by the same task to unmount and remove directories
+".nilfs" and "file0", it trigger warning in nilfs_rmdir.
+
+Avoid to this issue, check i_nlink in nilfs_iget(), if it is 0, it means
+that this inode has been deleted, and iput is executed to reclaim it.
+
+[1]
+WARNING: CPU: 1 PID: 5824 at fs/inode.c:407 drop_nlink+0xc4/0x110 fs/inode.c:407
+...
+Call Trace:
+ <TASK>
+ nilfs_rmdir+0x1b0/0x250 fs/nilfs2/namei.c:342
+ vfs_rmdir+0x3a3/0x510 fs/namei.c:4394
+ do_rmdir+0x3b5/0x580 fs/namei.c:4453
+ __do_sys_rmdir fs/namei.c:4472 [inline]
+ __se_sys_rmdir fs/namei.c:4470 [inline]
+ __x64_sys_rmdir+0x47/0x50 fs/namei.c:4470
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Link: https://lkml.kernel.org/r/20241209065759.6781-1-konishi.ryusuke@gmail.com
+Fixes: d25006523d0b ("nilfs2: pathname operations")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+9260555647a5132edd48@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=9260555647a5132edd48
+Tested-by: syzbot+9260555647a5132edd48@syzkaller.appspotmail.com
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/inode.c | 8 +++++++-
+ fs/nilfs2/namei.c | 5 +++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -618,8 +618,14 @@ struct inode *nilfs_iget(struct super_bl
+ inode = nilfs_iget_locked(sb, root, ino);
+ if (unlikely(!inode))
+ return ERR_PTR(-ENOMEM);
+- if (!(inode->i_state & I_NEW))
++
++ if (!(inode->i_state & I_NEW)) {
++ if (!inode->i_nlink) {
++ iput(inode);
++ return ERR_PTR(-ESTALE);
++ }
+ return inode;
++ }
+
+ err = __nilfs_read_inode(sb, root, ino, inode);
+ if (unlikely(err)) {
+--- a/fs/nilfs2/namei.c
++++ b/fs/nilfs2/namei.c
+@@ -67,6 +67,11 @@ nilfs_lookup(struct inode *dir, struct d
+ inode = NULL;
+ } else {
+ inode = nilfs_iget(dir->i_sb, NILFS_I(dir)->i_root, ino);
++ if (inode == ERR_PTR(-ESTALE)) {
++ nilfs_error(dir->i_sb,
++ "deleted inode referenced: %lu", ino);
++ return ERR_PTR(-EIO);
++ }
+ }
+
+ return d_splice_alias(inode, dentry);
--- /dev/null
+From d7dfa7fde63dde4d2ec0083133efe2c6686c03ff Mon Sep 17 00:00:00 2001
+From: Herve Codina <herve.codina@bootlin.com>
+Date: Mon, 2 Dec 2024 17:58:19 +0100
+Subject: of: Fix error path in of_parse_phandle_with_args_map()
+
+From: Herve Codina <herve.codina@bootlin.com>
+
+commit d7dfa7fde63dde4d2ec0083133efe2c6686c03ff upstream.
+
+The current code uses some 'goto put;' to cancel the parsing operation
+and can lead to a return code value of 0 even on error cases.
+
+Indeed, some goto calls are done from a loop without setting the ret
+value explicitly before the goto call and so the ret value can be set to
+0 due to operation done in previous loop iteration. For instance match
+can be set to 0 in the previous loop iteration (leading to a new
+iteration) but ret can also be set to 0 it the of_property_read_u32()
+call succeed. In that case if no match are found or if an error is
+detected the new iteration, the return value can be wrongly 0.
+
+Avoid those cases setting the ret value explicitly before the goto
+calls.
+
+Fixes: bd6f2fd5a1d5 ("of: Support parsing phandle argument lists through a nexus node")
+Cc: stable@vger.kernel.org
+Signed-off-by: Herve Codina <herve.codina@bootlin.com>
+Link: https://lore.kernel.org/r/20241202165819.158681-1-herve.codina@bootlin.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/base.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -1415,8 +1415,10 @@ int of_parse_phandle_with_args_map(const
+ map_len--;
+
+ /* Check if not found */
+- if (!new)
++ if (!new) {
++ ret = -EINVAL;
+ goto put;
++ }
+
+ if (!of_device_is_available(new))
+ match = 0;
+@@ -1426,17 +1428,20 @@ int of_parse_phandle_with_args_map(const
+ goto put;
+
+ /* Check for malformed properties */
+- if (WARN_ON(new_size > MAX_PHANDLE_ARGS))
+- goto put;
+- if (map_len < new_size)
++ if (WARN_ON(new_size > MAX_PHANDLE_ARGS) ||
++ map_len < new_size) {
++ ret = -EINVAL;
+ goto put;
++ }
+
+ /* Move forward by new node's #<list>-cells amount */
+ map += new_size;
+ map_len -= new_size;
+ }
+- if (!match)
++ if (!match) {
++ ret = -ENOENT;
+ goto put;
++ }
+
+ /* Get the <list>-map-pass-thru property (optional) */
+ pass = of_get_property(cur, pass_name, NULL);
--- /dev/null
+From 5d009e024056ded20c5bb1583146b833b23bbd5a Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Fri, 6 Dec 2024 08:52:30 +0800
+Subject: of: Fix refcount leakage for OF node returned by __of_get_dma_parent()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit 5d009e024056ded20c5bb1583146b833b23bbd5a upstream.
+
+__of_get_dma_parent() returns OF device node @args.np, but the node's
+refcount is increased twice, by both of_parse_phandle_with_args() and
+of_node_get(), so causes refcount leakage for the node.
+
+Fix by directly returning the node got by of_parse_phandle_with_args().
+
+Fixes: f83a6e5dea6c ("of: address: Add support for the parent DMA bus")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20241206-of_core_fix-v1-4-dc28ed56bec3@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/address.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -653,7 +653,7 @@ struct device_node *__of_get_dma_parent(
+ if (ret < 0)
+ return of_get_parent(np);
+
+- return of_node_get(args.np);
++ return args.np;
+ }
+ #endif
+
--- /dev/null
+From fec3edc47d5cfc2dd296a5141df887bf567944db Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Mon, 9 Dec 2024 21:24:59 +0800
+Subject: of/irq: Fix interrupt-map cell length check in of_irq_parse_imap_parent()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit fec3edc47d5cfc2dd296a5141df887bf567944db upstream.
+
+On a malformed interrupt-map property which is shorter than expected by
+1 cell, we may read bogus data past the end of the property instead of
+returning an error in of_irq_parse_imap_parent().
+
+Decrement the remaining length when skipping over the interrupt parent
+phandle cell.
+
+Fixes: 935df1bd40d4 ("of/irq: Factor out parsing of interrupt-map parent phandle+args from of_irq_parse_raw()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20241209-of_irq_fix-v1-1-782f1419c8a1@quicinc.com
+[rh: reword commit msg]
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/irq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -111,6 +111,7 @@ const __be32 *of_irq_parse_imap_parent(c
+ else
+ np = of_find_node_by_phandle(be32_to_cpup(imap));
+ imap++;
++ len--;
+
+ /* Check if not found */
+ if (!np) {
--- /dev/null
+From 0f7ca6f69354e0c3923bbc28c92d0ecab4d50a3e Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Mon, 9 Dec 2024 21:25:02 +0800
+Subject: of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit 0f7ca6f69354e0c3923bbc28c92d0ecab4d50a3e upstream.
+
+of_irq_parse_one() may use uninitialized variable @addr_len as shown below:
+
+// @addr_len is uninitialized
+int addr_len;
+
+// This operation does not touch @addr_len if it fails.
+addr = of_get_property(device, "reg", &addr_len);
+
+// Use uninitialized @addr_len if the operation fails.
+if (addr_len > sizeof(addr_buf))
+ addr_len = sizeof(addr_buf);
+
+// Check the operation result here.
+if (addr)
+ memcpy(addr_buf, addr, addr_len);
+
+Fix by initializing @addr_len before the operation.
+
+Fixes: b739dffa5d57 ("of/irq: Prevent device address out-of-bounds read in interrupt map walk")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20241209-of_irq_fix-v1-4-782f1419c8a1@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/irq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -355,6 +355,7 @@ int of_irq_parse_one(struct device_node
+ return of_irq_parse_oldworld(device, index, out_irq);
+
+ /* Get the reg property (if any) */
++ addr_len = 0;
+ addr = of_get_property(device, "reg", &addr_len);
+
+ /* Prevent out-of-bounds read in case of longer interrupt parent address size */
selftests-bpf-use-asm-constraint-m-for-loongarch.patch
io_uring-fix-registered-ring-file-refcount-leak.patch
io_uring-check-if-iowq-is-killed-before-queuing.patch
+nfs-pnfs-fix-a-live-lock-between-recalled-layouts-and-layoutget.patch
+of-irq-fix-interrupt-map-cell-length-check-in-of_irq_parse_imap_parent.patch
+of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch
+nilfs2-fix-buffer-head-leaks-in-calls-to-truncate_inode_pages.patch
+nilfs2-prevent-use-of-deleted-inode.patch
+udmabuf-also-check-for-f_seal_future_write.patch
+of-fix-error-path-in-of_parse_phandle_with_args_map.patch
+of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch
+ceph-validate-snapdirname-option-length-when-mounting.patch
+ceph-improve-error-handling-and-short-overflow-read-logic-in-__ceph_sync_read.patch
+ceph-fix-memory-leaks-in-__ceph_sync_read.patch
--- /dev/null
+From 0a16e24e34f28210f68195259456c73462518597 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 4 Dec 2024 17:26:20 +0100
+Subject: udmabuf: also check for F_SEAL_FUTURE_WRITE
+
+From: Jann Horn <jannh@google.com>
+
+commit 0a16e24e34f28210f68195259456c73462518597 upstream.
+
+When F_SEAL_FUTURE_WRITE was introduced, it was overlooked that udmabuf
+must reject memfds with this flag, just like ones with F_SEAL_WRITE.
+Fix it by adding F_SEAL_FUTURE_WRITE to SEALS_DENIED.
+
+Fixes: ab3948f58ff8 ("mm/memfd: add an F_SEAL_FUTURE_WRITE seal to memfd")
+Cc: stable@vger.kernel.org
+Acked-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Signed-off-by: Jann Horn <jannh@google.com>
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241204-udmabuf-fixes-v2-2-23887289de1c@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma-buf/udmabuf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma-buf/udmabuf.c
++++ b/drivers/dma-buf/udmabuf.c
+@@ -194,7 +194,7 @@ static const struct dma_buf_ops udmabuf_
+ };
+
+ #define SEALS_WANTED (F_SEAL_SHRINK)
+-#define SEALS_DENIED (F_SEAL_WRITE)
++#define SEALS_DENIED (F_SEAL_WRITE|F_SEAL_FUTURE_WRITE)
+
+ static long udmabuf_create(struct miscdevice *device,
+ struct udmabuf_create_list *head,
projects / thirdparty / kernel / stable-queue.git / commitdiff
