--- /dev/null
+From de5afaddd5a7af6b9c48900741b410ca03e453ae Mon Sep 17 00:00:00 2001
+From: Stefan Binding <sbinding@opensource.cirrus.com>
+Date: Thu, 9 Jan 2025 16:54:48 +0000
+Subject: ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA
+
+From: Stefan Binding <sbinding@opensource.cirrus.com>
+
+commit de5afaddd5a7af6b9c48900741b410ca03e453ae upstream.
+
+Add support for Ayaneo Portable Game System.
+
+System use 2 CS35L41 Amps with HDA, using Internal boost, with I2C
+
+Signed-off-by: Stefan Binding <sbinding@opensource.cirrus.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20250109165455.645810-1-sbinding@opensource.cirrus.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10242,6 +10242,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1d72, 0x1945, "Redmi G", ALC256_FIXUP_ASUS_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1d72, 0x1947, "RedmiBook Air", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
++ SND_PCI_QUIRK(0x1f66, 0x0105, "Ayaneo Portable Game Player", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x2782, 0x0214, "VAIO VJFE-CL", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x2782, 0x0228, "Infinix ZERO BOOK 13", ALC269VB_FIXUP_INFINIX_ZERO_BOOK_13),
+ SND_PCI_QUIRK(0x2782, 0x0232, "CHUWI CoreBook XPro", ALC269VB_FIXUP_CHUWI_COREBOOK_XPRO),
--- /dev/null
+From f505e6c91e7a22d10316665a86d79f84d9f0ba76 Mon Sep 17 00:00:00 2001
+From: Marco Nelissen <marco.nelissen@gmail.com>
+Date: Thu, 2 Jan 2025 11:04:11 -0800
+Subject: filemap: avoid truncating 64-bit offset to 32 bits
+
+From: Marco Nelissen <marco.nelissen@gmail.com>
+
+commit f505e6c91e7a22d10316665a86d79f84d9f0ba76 upstream.
+
+On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a
+64-bit value to 32 bits, leading to a possible infinite loop when writing
+to an xfs filesystem.
+
+Link: https://lkml.kernel.org/r/20250102190540.1356838-1-marco.nelissen@gmail.com
+Fixes: 54fa39ac2e00 ("iomap: use mapping_seek_hole_data")
+Signed-off-by: Marco Nelissen <marco.nelissen@gmail.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/filemap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -2938,7 +2938,7 @@ static inline loff_t folio_seek_hole_dat
+ if (ops->is_partially_uptodate(folio, offset, bsz) ==
+ seek_data)
+ break;
+- start = (start + bsz) & ~(bsz - 1);
++ start = (start + bsz) & ~((u64)bsz - 1);
+ offset += bsz;
+ } while (offset < folio_size(folio));
+ unlock:
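Review bot: The `(u64)` cast on the mask line fixes the truncation but leaves the reason invisible, so a later cleanup could drop it as redundant. `~(bsz - 1)` is evaluated in the type of `bsz` before it is widened, which is how the upper half of a 64-bit `start` was being cleared. The kernel's `round_down()` casts its mask to the type of its first argument and would express the same rounding without a manual cast: `start = round_down(start + bsz, bsz);`. This assumes `bsz` is a power of two, which the existing mask already relies on, and that `start` is the 64-bit operand as the commit message implies; both declarations are outside the hunk.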
--- /dev/null
+From cbc5dde0a461240046e8a41c43d7c3b76d5db952 Mon Sep 17 00:00:00 2001
+From: Rik van Riel <riel@surriel.com>
+Date: Fri, 10 Jan 2025 10:28:21 -0500
+Subject: fs/proc: fix softlockup in __read_vmcore (part 2)
+
+From: Rik van Riel <riel@surriel.com>
+
+commit cbc5dde0a461240046e8a41c43d7c3b76d5db952 upstream.
+
+Since commit 5cbcb62dddf5 ("fs/proc: fix softlockup in __read_vmcore") the
+number of softlockups in __read_vmcore at kdump time have gone down, but
+they still happen sometimes.
+
+In a memory constrained environment like the kdump image, a softlockup is
+not just a harmless message, but it can interfere with things like RCU
+freeing memory, causing the crashdump to get stuck.
+
+The second loop in __read_vmcore has a lot more opportunities for natural
+sleep points, like scheduling out while waiting for a data write to
+happen, but apparently that is not always enough.
+
+Add a cond_resched() to the second loop in __read_vmcore to (hopefully)
+get rid of the softlockups.
+
+Link: https://lkml.kernel.org/r/20250110102821.2a37581b@fangorn
+Fixes: 5cbcb62dddf5 ("fs/proc: fix softlockup in __read_vmcore")
+Signed-off-by: Rik van Riel <riel@surriel.com>
+Reported-by: Breno Leitao <leitao@debian.org>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Dave Young <dyoung@redhat.com>
+Cc: Vivek Goyal <vgoyal@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/vmcore.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/proc/vmcore.c
++++ b/fs/proc/vmcore.c
+@@ -404,6 +404,8 @@ static ssize_t __read_vmcore(struct iov_
+ if (!iov_iter_count(iter))
+ return acc;
+ }
++
++ cond_resched();
+ }
+
+ return acc;
--- /dev/null
+From 02f6b0e1ec7e0e7d059dddc893645816552039da Mon Sep 17 00:00:00 2001
+From: Zhongqiu Han <quic_zhonhan@quicinc.com>
+Date: Sun, 5 May 2024 22:11:56 +0800
+Subject: gpiolib: cdev: Fix use after free in lineinfo_changed_notify
+
+From: Zhongqiu Han <quic_zhonhan@quicinc.com>
+
+commit 02f6b0e1ec7e0e7d059dddc893645816552039da upstream.
+
+The use-after-free issue occurs as follows: when the GPIO chip device file
+is being closed by invoking gpio_chrdev_release(), watched_lines is freed
+by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier
+chain failed due to waiting write rwsem. Additionally, one of the GPIO
+chip's lines is also in the release process and holds the notifier chain's
+read rwsem. Consequently, a race condition leads to the use-after-free of
+watched_lines.
+
+Here is the typical stack when issue happened:
+
+[free]
+gpio_chrdev_release()
+ --> bitmap_free(cdev->watched_lines) <-- freed
+ --> blocking_notifier_chain_unregister()
+ --> down_write(&nh->rwsem) <-- waiting rwsem
+ --> __down_write_common()
+ --> rwsem_down_write_slowpath()
+ --> schedule_preempt_disabled()
+ --> schedule()
+
+[use]
+st54spi_gpio_dev_release()
+ --> gpio_free()
+ --> gpiod_free()
+ --> gpiod_free_commit()
+ --> gpiod_line_state_notify()
+ --> blocking_notifier_call_chain()
+ --> down_read(&nh->rwsem); <-- held rwsem
+ --> notifier_call_chain()
+ --> lineinfo_changed_notify()
+ --> test_bit(xxxx, cdev->watched_lines) <-- use after free
+
+The side effect of the use-after-free issue is that a GPIO line event is
+being generated for userspace where it shouldn't. However, since the chrdev
+is being closed, userspace won't have the chance to read that event anyway.
+
+To fix the issue, call the bitmap_free() function after the unregistration
+of lineinfo_changed_nb notifier chain.
+
+Fixes: 51c1064e82e7 ("gpiolib: add new ioctl() for monitoring changes in line info")
+Signed-off-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
+Link: https://lore.kernel.org/r/20240505141156.2944912-1-quic_zhonhan@quicinc.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib-cdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -2860,9 +2860,9 @@ static int gpio_chrdev_release(struct in
+ struct gpio_chardev_data *cdev = file->private_data;
+ struct gpio_device *gdev = cdev->gdev;
+
+- bitmap_free(cdev->watched_lines);
+ blocking_notifier_chain_unregister(&gdev->notifier,
+ &cdev->lineinfo_changed_nb);
++ bitmap_free(cdev->watched_lines);
+ put_device(&gdev->dev);
+ kfree(cdev);
+
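Review bot: Nothing in `gpio_chrdev_release()` records that the notifier must be unregistered before `watched_lines` is freed, so the ordering this fix depends on is easy to undo in a later cleanup. A one-line comment above the unregister call would pin it, e.g. `/* Unregister first: lineinfo_changed_notify() may read cdev->watched_lines until this returns. */`. The function continues outside the hunk, so any other teardown that the notifier callback could race with is not visible here.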
--- /dev/null
+From 2ca06a2f65310aeef30bb69b7405437a14766e4d Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Mon, 13 Jan 2025 16:44:56 +0100
+Subject: mptcp: be sure to send ack when mptcp-level window re-opens
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 2ca06a2f65310aeef30bb69b7405437a14766e4d upstream.
+
+mptcp_cleanup_rbuf() is responsible to send acks when the user-space
+reads enough data to update the receive windows significantly.
+
+It tries hard to avoid acquiring the subflow sockets locks by checking
+conditions similar to the ones implemented at the TCP level.
+
+To avoid too much code duplication - the MPTCP protocol can't reuse the
+TCP helpers as part of the relevant status is maintained into the msk
+socket - and multiple costly window size computation, mptcp_cleanup_rbuf
+uses a rough estimate for the most recently advertised window size:
+the MPTCP receive free space, as recorded as at last-ack time.
+
+Unfortunately the above does not allow mptcp_cleanup_rbuf() to detect
+a zero to non-zero win change in some corner cases, skipping the
+tcp_cleanup_rbuf call and leaving the peer stuck.
+
+After commit ea66758c1795 ("tcp: allow MPTCP to update the announced
+window"), MPTCP has actually cheap access to the announced window value.
+Use it in mptcp_cleanup_rbuf() for a more accurate ack generation.
+
+Fixes: e3859603ba13 ("mptcp: better msk receive window updates")
+Cc: stable@vger.kernel.org
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Closes: https://lore.kernel.org/20250107131845.5e5de3c5@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250113-net-mptcp-connect-st-flakes-v1-1-0d986ee7b1b6@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/options.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/mptcp/options.c
++++ b/net/mptcp/options.c
+@@ -605,7 +605,6 @@ static bool mptcp_established_options_ds
+ }
+ opts->ext_copy.use_ack = 1;
+ opts->suboptions = OPTION_MPTCP_DSS;
+- WRITE_ONCE(msk->old_wspace, __mptcp_space((struct sock *)msk));
+
+ /* Add kind/length/subtype/flag overhead if mapping is not populated */
+ if (dss_size == 0)
+@@ -1265,7 +1264,7 @@ static void mptcp_set_rwin(struct tcp_so
+ }
+ MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_RCVWNDCONFLICT);
+ }
+- return;
++ goto update_wspace;
+ }
+
+ if (rcv_wnd_new != rcv_wnd_old) {
+@@ -1290,6 +1289,9 @@ raise_win:
+ th->window = htons(new_win);
+ MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_RCVWNDSHARED);
+ }
++
++update_wspace:
++ WRITE_ONCE(msk->old_wspace, tp->rcv_wnd);
+ }
+
+ __sum16 __mptcp_make_csum(u64 data_seq, u32 subflow_seq, u16 data_len, __wsum sum)
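Review bot: After this change `msk->old_wspace` holds the window last announced on a subflow (`tp->rcv_wnd`) instead of the msk free space it was previously set from, but the field name and the new `update_wspace:` label still read as the old meaning. A comment at the label would keep readers from misinterpreting the value, e.g. `/* old_wspace tracks the last announced window, not the free space */`. The consumer the commit message names, `mptcp_cleanup_rbuf()`, is not touched by this patch, so its comparison against `old_wspace` should be checked against the new meaning. `mptcp_set_rwin()` starts outside the hunk.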
--- /dev/null
+From 6be7aca91009865d8c2b73589270224a6b6e67ab Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Sun, 12 Jan 2025 22:59:59 +0100
+Subject: net: ethernet: xgbe: re-add aneg to supported features in PHY quirks
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+commit 6be7aca91009865d8c2b73589270224a6b6e67ab upstream.
+
+In 4.19, before the switch to linkmode bitmaps, PHY_GBIT_FEATURES
+included feature bits for aneg and TP/MII ports.
+
+ SUPPORTED_TP | \
+ SUPPORTED_MII)
+
+ SUPPORTED_10baseT_Full)
+
+ SUPPORTED_100baseT_Full)
+
+ SUPPORTED_1000baseT_Full)
+
+ PHY_100BT_FEATURES | \
+ PHY_DEFAULT_FEATURES)
+
+ PHY_1000BT_FEATURES)
+
+Referenced commit expanded PHY_GBIT_FEATURES, silently removing
+PHY_DEFAULT_FEATURES. The removed part can be re-added by using
+the new PHY_GBIT_FEATURES definition.
+Not clear to me is why nobody seems to have noticed this issue.
+
+I stumbled across this when checking what it takes to make
+phy_10_100_features_array et al private to phylib.
+
+Fixes: d0939c26c53a ("net: ethernet: xgbe: expand PHY_GBIT_FEAUTRES")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Link: https://patch.msgid.link/46521973-7738-4157-9f5e-0bb6f694acba@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 ++-----------------
+ 1 file changed, 2 insertions(+), 17 deletions(-)
+
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -856,7 +856,6 @@ static void xgbe_phy_free_phy_device(str
+
+ static bool xgbe_phy_finisar_phy_quirks(struct xgbe_prv_data *pdata)
+ {
+- __ETHTOOL_DECLARE_LINK_MODE_MASK(supported) = { 0, };
+ struct xgbe_phy_data *phy_data = pdata->phy_data;
+ unsigned int phy_id = phy_data->phydev->phy_id;
+
+@@ -878,14 +877,7 @@ static bool xgbe_phy_finisar_phy_quirks(
+ phy_write(phy_data->phydev, 0x04, 0x0d01);
+ phy_write(phy_data->phydev, 0x00, 0x9140);
+
+- linkmode_set_bit_array(phy_10_100_features_array,
+- ARRAY_SIZE(phy_10_100_features_array),
+- supported);
+- linkmode_set_bit_array(phy_gbit_features_array,
+- ARRAY_SIZE(phy_gbit_features_array),
+- supported);
+-
+- linkmode_copy(phy_data->phydev->supported, supported);
++ linkmode_copy(phy_data->phydev->supported, PHY_GBIT_FEATURES);
+
+ phy_support_asym_pause(phy_data->phydev);
+
+@@ -897,7 +889,6 @@ static bool xgbe_phy_finisar_phy_quirks(
+
+ static bool xgbe_phy_belfuse_phy_quirks(struct xgbe_prv_data *pdata)
+ {
+- __ETHTOOL_DECLARE_LINK_MODE_MASK(supported) = { 0, };
+ struct xgbe_phy_data *phy_data = pdata->phy_data;
+ struct xgbe_sfp_eeprom *sfp_eeprom = &phy_data->sfp_eeprom;
+ unsigned int phy_id = phy_data->phydev->phy_id;
+@@ -961,13 +952,7 @@ static bool xgbe_phy_belfuse_phy_quirks(
+ reg = phy_read(phy_data->phydev, 0x00);
+ phy_write(phy_data->phydev, 0x00, reg & ~0x00800);
+
+- linkmode_set_bit_array(phy_10_100_features_array,
+- ARRAY_SIZE(phy_10_100_features_array),
+- supported);
+- linkmode_set_bit_array(phy_gbit_features_array,
+- ARRAY_SIZE(phy_gbit_features_array),
+- supported);
+- linkmode_copy(phy_data->phydev->supported, supported);
++ linkmode_copy(phy_data->phydev->supported, PHY_GBIT_FEATURES);
+ phy_support_asym_pause(phy_data->phydev);
+
+ netif_dbg(pdata, drv, pdata->netdev,
--- /dev/null
+From 218cc166321fb3cc8786677ffe0d09a78778a910 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Mon, 13 Jan 2025 16:44:58 +0100
+Subject: selftests: mptcp: avoid spurious errors on disconnect
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 218cc166321fb3cc8786677ffe0d09a78778a910 upstream.
+
+The disconnect test-case generates spurious errors:
+
+ INFO: disconnect
+ INFO: extra options: -I 3 -i /tmp/tmp.r43niviyoI
+ 01 ns1 MPTCP -> ns1 (10.0.1.1:10000 ) MPTCP (duration 140ms) [FAIL]
+ file received by server does not match (in, out):
+ Unexpected revents: POLLERR/POLLNVAL(19)
+ -rw-r--r-- 1 root root 10028676 Jan 10 10:47 /tmp/tmp.r43niviyoI.disconnect
+ Trailing bytes are:
+ ��\����R���!8��u2��5N%
+ -rw------- 1 root root 9992290 Jan 10 10:47 /tmp/tmp.Os4UbnWbI1
+ Trailing bytes are:
+ ��\����R���!8��u2��5N%
+ 02 ns1 MPTCP -> ns1 (dead:beef:1::1:10001) MPTCP (duration 206ms) [ OK ]
+ 03 ns1 MPTCP -> ns1 (dead:beef:1::1:10002) TCP (duration 31ms) [ OK ]
+ 04 ns1 TCP -> ns1 (dead:beef:1::1:10003) MPTCP (duration 26ms) [ OK ]
+ [FAIL] Tests of the full disconnection have failed
+ Time: 2 seconds
+
+The root cause is actually in the user-space bits: the test program
+currently disconnects as soon as all the pending data has been spooled,
+generating an FASTCLOSE. If such option reaches the peer before the
+latter has reached the closed status, the msk socket will report an
+error to the user-space, as per protocol specification, causing the
+above failure.
+
+Address the issue explicitly waiting for all the relevant sockets to
+reach a closed status before performing the disconnect.
+
+Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250113-net-mptcp-connect-st-flakes-v1-3-0d986ee7b1b6@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.c | 43 ++++++++++++++++------
+ 1 file changed, 32 insertions(+), 11 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
+@@ -25,6 +25,8 @@
+ #include <sys/types.h>
+ #include <sys/mman.h>
+
++#include <arpa/inet.h>
++
+ #include <netdb.h>
+ #include <netinet/in.h>
+
+@@ -1131,23 +1133,42 @@ static void parse_setsock_options(const
+ exit(1);
+ }
+
+-void xdisconnect(int fd, int addrlen)
++void xdisconnect(int fd)
+ {
+- struct sockaddr_storage empty;
++ socklen_t addrlen = sizeof(struct sockaddr_storage);
++ struct sockaddr_storage addr, empty;
+ int msec_sleep = 10;
+- int queued = 1;
+- int i;
++ void *raw_addr;
++ int i, cmdlen;
++ char cmd[128];
++
++ /* get the local address and convert it to string */
++ if (getsockname(fd, (struct sockaddr *)&addr, &addrlen) < 0)
++ xerror("getsockname");
++
++ if (addr.ss_family == AF_INET)
++ raw_addr = &(((struct sockaddr_in *)&addr)->sin_addr);
++ else if (addr.ss_family == AF_INET6)
++ raw_addr = &(((struct sockaddr_in6 *)&addr)->sin6_addr);
++ else
++ xerror("bad family");
++
++ strcpy(cmd, "ss -M | grep -q ");
++ cmdlen = strlen(cmd);
++ if (!inet_ntop(addr.ss_family, raw_addr, &cmd[cmdlen],
++ sizeof(cmd) - cmdlen))
++ xerror("inet_ntop");
+
+ shutdown(fd, SHUT_WR);
+
+- /* while until the pending data is completely flushed, the later
++ /*
++ * wait until the pending data is completely flushed and all
++ * the MPTCP sockets reached the closed status.
+ * disconnect will bypass/ignore/drop any pending data.
+ */
+ for (i = 0; ; i += msec_sleep) {
+- if (ioctl(fd, SIOCOUTQ, &queued) < 0)
+- xerror("can't query out socket queue: %d", errno);
+-
+- if (!queued)
++ /* closed socket are not listed by 'ss' */
++ if (system(cmd) != 0)
+ break;
+
+ if (i > poll_timeout)
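Review bot: The closed-socket check built in `cmd` matches more than the socket under test, because `grep -q` treats the address as an unanchored regular expression: the dots of an IPv4 address match any character, and `10.0.1.1` also matches `10.0.1.10` or the same string in the peer column. Any other MPTCP socket that `ss -M` lists with a matching string keeps the loop waiting until `poll_timeout`; a fixed-string match narrows this, `strcpy(cmd, "ss -M | grep -qF ");`, though it remains a substring match with no port. The loop also breaks on any non-zero status, so a failing `system()` call or a missing `ss` binary is read as socket closed and the disconnect proceeds without waiting. `raw_addr` stays unset on the `bad family` branch, which is safe only if `xerror()` never returns; its definition is outside the hunk.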
+@@ -1195,9 +1216,9 @@ again:
+ return ret;
+
+ if (cfg_truncate > 0) {
+- xdisconnect(fd, peer->ai_addrlen);
++ xdisconnect(fd);
+ } else if (--cfg_repeat > 0) {
+- xdisconnect(fd, peer->ai_addrlen);
++ xdisconnect(fd);
+
+ /* the socket could be unblocking at this point, we need the
+ * connect to be blocking
iomap-avoid-avoid-truncating-64-bit-offset-to-32-bit.patch
poll_wait-add-mb-to-fix-theoretical-race-between-wai.patch
x86-asm-make-serialize-always_inline.patch
+alsa-hda-realtek-add-support-for-ayaneo-system-using-cs35l41-hda.patch
+zram-fix-potential-uaf-of-zram-table.patch
+mptcp-be-sure-to-send-ack-when-mptcp-level-window-re-opens.patch
+selftests-mptcp-avoid-spurious-errors-on-disconnect.patch
+net-ethernet-xgbe-re-add-aneg-to-supported-features-in-phy-quirks.patch
+vsock-virtio-discard-packets-if-the-transport-changes.patch
+vsock-virtio-cancel-close-work-in-the-destructor.patch
+vsock-reset-socket-state-when-de-assigning-the-transport.patch
+vsock-prevent-null-ptr-deref-in-vsock_.patch
+filemap-avoid-truncating-64-bit-offset-to-32-bits.patch
+fs-proc-fix-softlockup-in-__read_vmcore-part-2.patch
+gpiolib-cdev-fix-use-after-free-in-lineinfo_changed_notify.patch
--- /dev/null
+From 91751e248256efc111e52e15115840c35d85abaf Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 10 Jan 2025 09:35:11 +0100
+Subject: vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit 91751e248256efc111e52e15115840c35d85abaf upstream.
+
+Recent reports have shown how we sometimes call vsock_*_has_data()
+when a vsock socket has been de-assigned from a transport (see attached
+links), but we shouldn't.
+
+Previous commits should have solved the real problems, but we may have
+more in the future, so to avoid null-ptr-deref, we can return 0
+(no space, no data available) but with a warning.
+
+This way the code should continue to run in a nearly consistent state
+and have a warning that allows us to debug future problems.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/netdev/Z2K%2FI4nlHdfMRTZC@v4bel-B760M-AORUS-ELITE-AX/
+Link: https://lore.kernel.org/netdev/5ca20d4c-1017-49c2-9516-f6f75fd331e9@rbox.co/
+Link: https://lore.kernel.org/netdev/677f84a8.050a0220.25a300.01b3.GAE@google.com/
+Co-developed-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
+Co-developed-by: Wongi Lee <qwerty@theori.io>
+Signed-off-by: Wongi Lee <qwerty@theori.io>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Reviewed-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -873,6 +873,9 @@ EXPORT_SYMBOL_GPL(vsock_create_connected
+
+ s64 vsock_stream_has_data(struct vsock_sock *vsk)
+ {
++ if (WARN_ON(!vsk->transport))
++ return 0;
++
+ return vsk->transport->stream_has_data(vsk);
+ }
+ EXPORT_SYMBOL_GPL(vsock_stream_has_data);
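Review bot: `WARN_ON(!vsk->transport)` fires on every call, so if userspace can still drive a socket into the de-assigned state, this guard trades the NULL dereference for a backtrace per call, and for a panic on systems running with `panic_on_warn`. Since the commit message describes the check as a debugging aid for future bugs, `if (WARN_ON_ONCE(!vsk->transport))` reports the condition once without flooding the log; the same applies to the guards added to `vsock_connectible_has_data()` and `vsock_stream_has_space()` in the next two hunks. Whether callers hold the socket lock between the test and the dereference of `vsk->transport` is not visible here and is worth confirming, since the check is only as good as that serialisation.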
+@@ -881,6 +884,9 @@ static s64 vsock_connectible_has_data(st
+ {
+ struct sock *sk = sk_vsock(vsk);
+
++ if (WARN_ON(!vsk->transport))
++ return 0;
++
+ if (sk->sk_type == SOCK_SEQPACKET)
+ return vsk->transport->seqpacket_has_data(vsk);
+ else
+@@ -889,6 +895,9 @@ static s64 vsock_connectible_has_data(st
+
+ s64 vsock_stream_has_space(struct vsock_sock *vsk)
+ {
++ if (WARN_ON(!vsk->transport))
++ return 0;
++
+ return vsk->transport->stream_has_space(vsk);
+ }
+ EXPORT_SYMBOL_GPL(vsock_stream_has_space);
--- /dev/null
+From a24009bc9be60242651a21702609381b5092459e Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 10 Jan 2025 09:35:10 +0100
+Subject: vsock: reset socket state when de-assigning the transport
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit a24009bc9be60242651a21702609381b5092459e upstream.
+
+Transport's release() and destruct() are called when de-assigning the
+vsock transport. These callbacks can touch some socket state like
+sock flags, sk_state, and peer_shutdown.
+
+Since we are reassigning the socket to a new transport during
+vsock_connect(), let's reset these fields to have a clean state with
+the new transport.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -485,6 +485,15 @@ int vsock_assign_transport(struct vsock_
+ */
+ vsk->transport->release(vsk);
+ vsock_deassign_transport(vsk);
++
++ /* transport's release() and destruct() can touch some socket
++ * state, since we are reassigning the socket to a new transport
++ * during vsock_connect(), let's reset these fields to have a
++ * clean state.
++ */
++ sock_reset_flag(sk, SOCK_DONE);
++ sk->sk_state = TCP_CLOSE;
++ vsk->peer_shutdown = 0;
+ }
+
+ /* We increase the module refcnt to prevent the transport unloading
--- /dev/null
+From df137da9d6d166e87e40980e36eb8e0bc90483ef Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 10 Jan 2025 09:35:09 +0100
+Subject: vsock/virtio: cancel close work in the destructor
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit df137da9d6d166e87e40980e36eb8e0bc90483ef upstream.
+
+During virtio_transport_release() we can schedule a delayed work to
+perform the closing of the socket before destruction.
+
+The destructor is called either when the socket is really destroyed
+(reference counter to zero), or it can also be called when we are
+de-assigning the transport.
+
+In the former case, we are sure the delayed work has completed, because
+it holds a reference until it completes, so the destructor will
+definitely be called after the delayed work is finished.
+But in the latter case, the destructor is called by AF_VSOCK core, just
+after the release(), so there may still be delayed work scheduled.
+
+Refactor the code, moving the code to delete the close work already in
+the do_close() to a new function. Invoke it during destruction to make
+sure we don't leave any pending work.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Cc: stable@vger.kernel.org
+Reported-by: Hyunwoo Kim <v4bel@theori.io>
+Closes: https://lore.kernel.org/netdev/Z37Sh+utS+iV3+eb@v4bel-B760M-AORUS-ELITE-AX/
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Tested-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -26,6 +26,9 @@
+ /* Threshold for detecting small packets to copy */
+ #define GOOD_COPY_LEN 128
+
++static void virtio_transport_cancel_close_work(struct vsock_sock *vsk,
++ bool cancel_timeout);
++
+ static const struct virtio_transport *
+ virtio_transport_get_ops(struct vsock_sock *vsk)
+ {
+@@ -826,6 +829,8 @@ void virtio_transport_destruct(struct vs
+ {
+ struct virtio_vsock_sock *vvs = vsk->trans;
+
++ virtio_transport_cancel_close_work(vsk, true);
++
+ kfree(vvs);
+ vsk->trans = NULL;
+ }
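Review bot: The new call in `virtio_transport_destruct()` relies on `cancel_delayed_work()`, which only removes a pending work item and does not wait for a handler that has already started, yet `kfree(vvs)` follows immediately. If `virtio_transport_close_timeout()` can be running at that point, it would still be working on the socket while its transport state is freed. Whatever rules that out is outside the hunk, and a comment at the call should name the lock or reference that serialises the two. When the cancel fails, the condition in `virtio_transport_cancel_close_work()` is false and `close_work_scheduled` stays true on a socket that is about to be handed to a new transport, which deserves the same comment or an explicit reset.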
+@@ -910,17 +915,11 @@ static void virtio_transport_wait_close(
+ }
+ }
+
+-static void virtio_transport_do_close(struct vsock_sock *vsk,
+- bool cancel_timeout)
++static void virtio_transport_cancel_close_work(struct vsock_sock *vsk,
++ bool cancel_timeout)
+ {
+ struct sock *sk = sk_vsock(vsk);
+
+- sock_set_flag(sk, SOCK_DONE);
+- vsk->peer_shutdown = SHUTDOWN_MASK;
+- if (vsock_stream_has_data(vsk) <= 0)
+- sk->sk_state = TCP_CLOSING;
+- sk->sk_state_change(sk);
+-
+ if (vsk->close_work_scheduled &&
+ (!cancel_timeout || cancel_delayed_work(&vsk->close_work))) {
+ vsk->close_work_scheduled = false;
+@@ -932,6 +931,20 @@ static void virtio_transport_do_close(st
+ }
+ }
+
++static void virtio_transport_do_close(struct vsock_sock *vsk,
++ bool cancel_timeout)
++{
++ struct sock *sk = sk_vsock(vsk);
++
++ sock_set_flag(sk, SOCK_DONE);
++ vsk->peer_shutdown = SHUTDOWN_MASK;
++ if (vsock_stream_has_data(vsk) <= 0)
++ sk->sk_state = TCP_CLOSING;
++ sk->sk_state_change(sk);
++
++ virtio_transport_cancel_close_work(vsk, cancel_timeout);
++}
++
+ static void virtio_transport_close_timeout(struct work_struct *work)
+ {
+ struct vsock_sock *vsk =
--- /dev/null
+From 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 10 Jan 2025 09:35:07 +0100
+Subject: vsock/virtio: discard packets if the transport changes
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1 upstream.
+
+If the socket has been de-assigned or assigned to another transport,
+we must discard any packets received because they are not expected
+and would cause issues when we access vsk->transport.
+
+A possible scenario is described by Hyunwoo Kim in the attached link,
+where after a first connect() interrupted by a signal, and a second
+connect() failed, we can find `vsk->transport` at NULL, leading to a
+NULL pointer dereference.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Cc: stable@vger.kernel.org
+Reported-by: Hyunwoo Kim <v4bel@theori.io>
+Reported-by: Wongi Lee <qwerty@theori.io>
+Closes: https://lore.kernel.org/netdev/Z2LvdTTQR7dBmPb5@v4bel-B760M-AORUS-ELITE-AX/
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1334,8 +1334,11 @@ void virtio_transport_recv_pkt(struct vi
+
+ lock_sock(sk);
+
+- /* Check if sk has been closed before lock_sock */
+- if (sock_flag(sk, SOCK_DONE)) {
++ /* Check if sk has been closed or assigned to another transport before
++ * lock_sock (note: listener sockets are not assigned to any transport)
++ */
++ if (sock_flag(sk, SOCK_DONE) ||
++ (sk->sk_state != TCP_LISTEN && vsk->transport != &t->transport)) {
+ (void)virtio_transport_reset_no_sock(t, skb);
+ release_sock(sk);
+ sock_put(sk);
--- /dev/null
+From 212fe1c0df4a150fb6298db2cfff267ceaba5402 Mon Sep 17 00:00:00 2001
+From: Kairui Song <kasong@tencent.com>
+Date: Tue, 7 Jan 2025 14:54:46 +0800
+Subject: zram: fix potential UAF of zram table
+
+From: Kairui Song <kasong@tencent.com>
+
+commit 212fe1c0df4a150fb6298db2cfff267ceaba5402 upstream.
+
+If zram_meta_alloc failed early, it frees allocated zram->table without
+setting it NULL. Which will potentially cause zram_meta_free to access
+the table if user reset an failed and uninitialized device.
+
+Link: https://lkml.kernel.org/r/20250107065446.86928-1-ryncsn@gmail.com
+Fixes: 74363ec674cb ("zram: fix uninitialized ZRAM not releasing backing device")
+Signed-off-by: Kairui Song <kasong@tencent.com>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/zram/zram_drv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -1192,6 +1192,7 @@ static bool zram_meta_alloc(struct zram
+ zram->mem_pool = zs_create_pool(zram->disk->disk_name);
+ if (!zram->mem_pool) {
+ vfree(zram->table);
++ zram->table = NULL;
+ return false;
+ }
+