--- /dev/null
+From 5591ce0069ddda97cdbbea596bed53e698f399c2 Mon Sep 17 00:00:00 2001
+From: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
+Date: Thu, 24 Apr 2025 11:59:14 +0200
+Subject: arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2
+
+From: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
+
+commit 5591ce0069ddda97cdbbea596bed53e698f399c2 upstream.
+
+Define vqmmc regulator-gpio for usdhc2 with vin-supply
+coming from LDO5.
+
+Without this definition LDO5 will be powered down, disabling
+SD card after bootup. This has been introduced in commit
+f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5").
+
+Fixes: 6a57f224f734 ("arm64: dts: freescale: add initial support for verdin imx8m mini")
+Fixes: f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5")
+Tested-by: Manuel Traut <manuel.traut@mt.com>
+Reviewed-by: Philippe Schenker <philippe.schenker@impulsing.ch>
+Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 ++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi
+@@ -165,6 +165,19 @@
+ startup-delay-us = <20000>;
+ };
+
++ reg_usdhc2_vqmmc: regulator-usdhc2-vqmmc {
++ compatible = "regulator-gpio";
++ pinctrl-names = "default";
++ pinctrl-0 = <&pinctrl_usdhc2_vsel>;
++ gpios = <&gpio1 4 GPIO_ACTIVE_HIGH>;
++ regulator-max-microvolt = <3300000>;
++ regulator-min-microvolt = <1800000>;
++ states = <1800000 0x1>,
++ <3300000 0x0>;
++ regulator-name = "PMIC_USDHC_VSELECT";
++ vin-supply = <®_nvcc_sd>;
++ };
++
+ reserved-memory {
+ #address-cells = <2>;
+ #size-cells = <2>;
+@@ -290,7 +303,7 @@
+ "SODIMM_19",
+ "",
+ "",
+- "",
++ "PMIC_USDHC_VSELECT",
+ "",
+ "",
+ "",
+@@ -801,6 +814,7 @@
+ pinctrl-2 = <&pinctrl_usdhc2_200mhz>, <&pinctrl_usdhc2_cd>;
+ pinctrl-3 = <&pinctrl_usdhc2_sleep>, <&pinctrl_usdhc2_cd_sleep>;
+ vmmc-supply = <®_usdhc2_vmmc>;
++ vqmmc-supply = <®_usdhc2_vqmmc>;
+ };
+
+ &wdog1 {
+@@ -1222,13 +1236,17 @@
+ <MX8MM_IOMUXC_NAND_CLE_GPIO3_IO5 0x6>; /* SODIMM 76 */
+ };
+
++ pinctrl_usdhc2_vsel: usdhc2vselgrp {
++ fsl,pins =
++ <MX8MM_IOMUXC_GPIO1_IO04_GPIO1_IO4 0x10>; /* PMIC_USDHC_VSELECT */
++ };
++
+ /*
+ * Note: Due to ERR050080 we use discrete external on-module resistors pulling-up to the
+ * on-module +V3.3_1.8_SD (LDO5) rail and explicitly disable the internal pull-ups here.
+ */
+ pinctrl_usdhc2: usdhc2grp {
+ fsl,pins =
+- <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>,
+ <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x90>, /* SODIMM 78 */
+ <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x90>, /* SODIMM 74 */
+ <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x90>, /* SODIMM 80 */
+@@ -1239,7 +1257,6 @@
+
+ pinctrl_usdhc2_100mhz: usdhc2-100mhzgrp {
+ fsl,pins =
+- <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>,
+ <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x94>,
+ <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x94>,
+ <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x94>,
+@@ -1250,7 +1267,6 @@
+
+ pinctrl_usdhc2_200mhz: usdhc2-200mhzgrp {
+ fsl,pins =
+- <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>,
+ <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x96>,
+ <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x96>,
+ <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x96>,
+@@ -1262,7 +1278,6 @@
+ /* Avoid backfeeding with removed card power */
+ pinctrl_usdhc2_sleep: usdhc2slpgrp {
+ fsl,pins =
+- <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x0>,
+ <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x0>,
+ <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x0>,
+ <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x0>,
--- /dev/null
+From 0713a1b3276b98c7dafbeefef00d7bc3a9119a84 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Fri, 2 May 2025 16:13:46 +0200
+Subject: can: mcan: m_can_class_unregister(): fix order of unregistration calls
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 0713a1b3276b98c7dafbeefef00d7bc3a9119a84 upstream.
+
+If a driver is removed, the driver framework invokes the driver's
+remove callback. A CAN driver's remove function calls
+unregister_candev(), which calls net_device_ops::ndo_stop further down
+in the call stack for interfaces which are in the "up" state.
+
+The removal of the module causes a warning, as can_rx_offload_del()
+deletes the NAPI, while it is still active, because the interface is
+still up.
+
+To fix the warning, first unregister the network interface, which
+calls net_device_ops::ndo_stop, which disables the NAPI, and then call
+can_rx_offload_del().
+
+Fixes: 1be37d3b0414 ("can: m_can: fix periph RX path: use rx-offload to ensure skbs are sent from softirq context")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250502-can-rx-offload-del-v1-3-59a9b131589d@pengutronix.de
+Reviewed-by: Markus Schneider-Pargmann <msp@baylibre.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/m_can/m_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -2456,9 +2456,9 @@ EXPORT_SYMBOL_GPL(m_can_class_register);
+
+ void m_can_class_unregister(struct m_can_classdev *cdev)
+ {
++ unregister_candev(cdev->net);
+ if (cdev->is_peripheral)
+ can_rx_offload_del(&cdev->offload);
+- unregister_candev(cdev->net);
+ }
+ EXPORT_SYMBOL_GPL(m_can_class_unregister);
+
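Review bot: The new call order in m_can_class_unregister() is load-bearing, but nothing in the code says so. Per the commit message, unregister_candev() must run first because it reaches ndo_stop, which disables the NAPI that can_rx_offload_del() then deletes. A short comment above the first call, e.g. `/* unregister first: ndo_stop disables NAPI before can_rx_offload_del() deletes it */`, would keep a later cleanup from restoring the old order. The same comment fits the reordered calls in mcp251xfd_remove() and rkcanfd_remove() in the two patches that follow.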
--- /dev/null
+From 84f5eb833f53ae192baed4cfb8d9eaab43481fc9 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Fri, 2 May 2025 16:13:44 +0200
+Subject: can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 84f5eb833f53ae192baed4cfb8d9eaab43481fc9 upstream.
+
+If a driver is removed, the driver framework invokes the driver's
+remove callback. A CAN driver's remove function calls
+unregister_candev(), which calls net_device_ops::ndo_stop further down
+in the call stack for interfaces which are in the "up" state.
+
+With the mcp251xfd driver the removal of the module causes the
+following warning:
+
+| WARNING: CPU: 0 PID: 352 at net/core/dev.c:7342 __netif_napi_del_locked+0xc8/0xd8
+
+as can_rx_offload_del() deletes the NAPI, while it is still active,
+because the interface is still up.
+
+To fix the warning, first unregister the network interface, which
+calls net_device_ops::ndo_stop, which disables the NAPI, and then call
+can_rx_offload_del().
+
+Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250502-can-rx-offload-del-v1-1-59a9b131589d@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
+@@ -2174,8 +2174,8 @@ static void mcp251xfd_remove(struct spi_
+ struct mcp251xfd_priv *priv = spi_get_drvdata(spi);
+ struct net_device *ndev = priv->ndev;
+
+- can_rx_offload_del(&priv->offload);
+ mcp251xfd_unregister(priv);
++ can_rx_offload_del(&priv->offload);
+ spi->max_speed_hz = priv->spi_max_speed_hz_orig;
+ free_candev(ndev);
+ }
--- /dev/null
+From 037ada7a3181300218e4fd78bef6a741cfa7f808 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Fri, 2 May 2025 16:13:45 +0200
+Subject: can: rockchip_canfd: rkcanfd_remove(): fix order of unregistration calls
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 037ada7a3181300218e4fd78bef6a741cfa7f808 upstream.
+
+If a driver is removed, the driver framework invokes the driver's
+remove callback. A CAN driver's remove function calls
+unregister_candev(), which calls net_device_ops::ndo_stop further down
+in the call stack for interfaces which are in the "up" state.
+
+The removal of the module causes a warning, as can_rx_offload_del()
+deletes the NAPI, while it is still active, because the interface is
+still up.
+
+To fix the warning, first unregister the network interface, which
+calls net_device_ops::ndo_stop, which disables the NAPI, and then call
+can_rx_offload_del().
+
+Fixes: ff60bfbaf67f ("can: rockchip_canfd: add driver for Rockchip CAN-FD controller")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250502-can-rx-offload-del-v1-2-59a9b131589d@pengutronix.de
+Reviewed-by: Markus Schneider-Pargmann <msp@baylibre.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/rockchip/rockchip_canfd-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/rockchip/rockchip_canfd-core.c
++++ b/drivers/net/can/rockchip/rockchip_canfd-core.c
+@@ -942,8 +942,8 @@ static void rkcanfd_remove(struct platfo
+ struct rkcanfd_priv *priv = platform_get_drvdata(pdev);
+ struct net_device *ndev = priv->ndev;
+
+- can_rx_offload_del(&priv->offload);
+ rkcanfd_unregister(priv);
++ can_rx_offload_del(&priv->offload);
+ free_candev(ndev);
+ }
+
--- /dev/null
+From 650266ac4c7230c89bcd1307acf5c9c92cfa85e2 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Wed, 30 Apr 2025 11:05:54 +0300
+Subject: dm: add missing unlock on in dm_keyslot_evict()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 650266ac4c7230c89bcd1307acf5c9c92cfa85e2 upstream.
+
+We need to call dm_put_live_table() even if dm_get_live_table() returns
+NULL.
+
+Fixes: 9355a9eb21a5 ("dm: support key eviction from keyslot managers of underlying devices")
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-table.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -1183,7 +1183,7 @@ static int dm_keyslot_evict(struct blk_c
+
+ t = dm_get_live_table(md, &srcu_idx);
+ if (!t)
+- return 0;
++ goto put_live_table;
+
+ for (unsigned int i = 0; i < t->num_targets; i++) {
+ struct dm_target *ti = dm_table_get_target(t, i);
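Review bot: The `goto put_live_table` taken when `t` is NULL reads like an unnecessary detour unless the reader knows that dm_get_live_table() has already taken its lock by the time it returns NULL, which is what the commit message implies. A comment on that branch, e.g. `/* dm_get_live_table() must be paired with dm_put_live_table() even when it returns NULL */`, would stop the early `return 0` from being reintroduced. The label is added in the next hunk, and the function begins outside both hunks.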
+@@ -1194,6 +1194,7 @@ static int dm_keyslot_evict(struct blk_c
+ (void *)key);
+ }
+
++put_live_table:
+ dm_put_live_table(md, srcu_idx);
+ return 0;
+ }
--- /dev/null
+From c23c03bf1faa1e76be1eba35bad6da6a2a7c95ee Mon Sep 17 00:00:00 2001
+From: Cristian Marussi <cristian.marussi@arm.com>
+Date: Mon, 10 Mar 2025 17:58:00 +0000
+Subject: firmware: arm_scmi: Fix timeout checks on polling path
+
+From: Cristian Marussi <cristian.marussi@arm.com>
+
+commit c23c03bf1faa1e76be1eba35bad6da6a2a7c95ee upstream.
+
+Polling mode transactions wait for a reply busy-looping without holding a
+spinlock, but currently the timeout checks are based only on elapsed time:
+as a result we could hit a false positive whenever our busy-looping thread
+is pre-empted and scheduled out for a time greater than the polling
+timeout.
+
+Change the checks at the end of the busy-loop to make sure that the polling
+wasn't indeed successful or an out-of-order reply caused the polling to be
+forcibly terminated.
+
+Fixes: 31d2f803c19c ("firmware: arm_scmi: Add sync_cmds_completed_on_ret transport flag")
+Reported-by: Huangjie <huangjie1663@phytium.com.cn>
+Closes: https://lore.kernel.org/arm-scmi/20250123083323.2363749-1-jackhuang021@gmail.com/
+Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
+Cc: stable@vger.kernel.org # 5.18.x
+Message-Id: <20250310175800.1444293-1-cristian.marussi@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/arm_scmi/driver.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/firmware/arm_scmi/driver.c
++++ b/drivers/firmware/arm_scmi/driver.c
+@@ -1219,7 +1219,8 @@ static void xfer_put(const struct scmi_p
+ }
+
+ static bool scmi_xfer_done_no_timeout(struct scmi_chan_info *cinfo,
+- struct scmi_xfer *xfer, ktime_t stop)
++ struct scmi_xfer *xfer, ktime_t stop,
++ bool *ooo)
+ {
+ struct scmi_info *info = handle_to_scmi_info(cinfo->handle);
+
+@@ -1228,7 +1229,7 @@ static bool scmi_xfer_done_no_timeout(st
+ * in case of out-of-order receptions of delayed responses
+ */
+ return info->desc->ops->poll_done(cinfo, xfer) ||
+- try_wait_for_completion(&xfer->done) ||
++ (*ooo = try_wait_for_completion(&xfer->done)) ||
+ ktime_after(ktime_get(), stop);
+ }
+
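Review bot: The term `(*ooo = try_wait_for_completion(&xfer->done))` hides a store inside a short-circuit chain, and the new `ooo` out-parameter is not described anywhere in scmi_xfer_done_no_timeout(). The store happens only when poll_done() has returned false, so `*ooo` keeps whatever the caller put there on the other paths. The caller in the next hunk relies on this by declaring `bool ooo = false;`. I would extend the existing comment above the return with something like `/* *ooo is written only if the completion fired (out-of-order reply); the caller must initialise it to false */`. The signature is in the previous hunk.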
+@@ -1245,15 +1246,17 @@ static int scmi_wait_for_reply(struct de
+ * itself to support synchronous commands replies.
+ */
+ if (!desc->sync_cmds_completed_on_ret) {
++ bool ooo = false;
++
+ /*
+ * Poll on xfer using transport provided .poll_done();
+ * assumes no completion interrupt was available.
+ */
+ ktime_t stop = ktime_add_ms(ktime_get(), timeout_ms);
+
+- spin_until_cond(scmi_xfer_done_no_timeout(cinfo,
+- xfer, stop));
+- if (ktime_after(ktime_get(), stop)) {
++ spin_until_cond(scmi_xfer_done_no_timeout(cinfo, xfer,
++ stop, &ooo));
++ if (!ooo && !info->desc->ops->poll_done(cinfo, xfer)) {
+ dev_err(dev,
+ "timed out in resp(caller: %pS) - polling\n",
+ (void *)_RET_IP_);
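Review bot: The new timeout test `if (!ooo && !info->desc->ops->poll_done(cinfo, xfer))` reaches the transport ops through `info->desc`, while the enclosing block already works from the `desc` parameter (`desc->sync_cmds_completed_on_ret`). Presumably both name the same descriptor; if so, `desc->ops->poll_done(cinfo, xfer)` is the consistent spelling and avoids suggesting that two descriptors are in play. `info` is declared outside the hunk, so this is worth confirming against the full function, which also continues past the end of the hunk.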
--- /dev/null
+From bbfe756dc3062c1e934f06e5ba39c239aa953b92 Mon Sep 17 00:00:00 2001
+From: Max Kellermann <max.kellermann@ionos.com>
+Date: Tue, 29 Apr 2025 01:09:33 +0200
+Subject: fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()
+
+From: Max Kellermann <max.kellermann@ionos.com>
+
+commit bbfe756dc3062c1e934f06e5ba39c239aa953b92 upstream.
+
+If bio_add_folio() fails (because it is full),
+erofs_fileio_scan_folio() needs to submit the I/O request via
+erofs_fileio_rq_submit() and allocate a new I/O request with an empty
+`struct bio`. Then it retries the bio_add_folio() call.
+
+However, at this point, erofs_onlinefolio_split() has already been
+called which increments `folio->private`; the retry will call
+erofs_onlinefolio_split() again, but there will never be a matching
+erofs_onlinefolio_end() call. This leaves the folio locked forever
+and all waiters will be stuck in folio_wait_bit_common().
+
+This bug has been added by commit ce63cb62d794 ("erofs: support
+unencoded inodes for fileio"), but was practically unreachable because
+there was room for 256 folios in the `struct bio` - until commit
+9f74ae8c9ac9 ("erofs: shorten bvecs[] for file-backed mounts") which
+reduced the array capacity to 16 folios.
+
+It was now trivial to trigger the bug by manually invoking readahead
+from userspace, e.g.:
+
+ posix_fadvise(fd, 0, st.st_size, POSIX_FADV_WILLNEED);
+
+This should be fixed by invoking erofs_onlinefolio_split() only after
+bio_add_folio() has succeeded. This is safe: asynchronous completions
+invoking erofs_onlinefolio_end() will not unlock the folio because
+erofs_fileio_scan_folio() is still holding a reference to be released
+by erofs_onlinefolio_end() at the end.
+
+Fixes: ce63cb62d794 ("erofs: support unencoded inodes for fileio")
+Fixes: 9f74ae8c9ac9 ("erofs: shorten bvecs[] for file-backed mounts")
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
+Reviewed-by: Gao Xiang <xiang@kernel.org>
+Tested-by: Hongbo Li <lihongbo22@huawei.com>
+Link: https://lore.kernel.org/r/20250428230933.3422273-1-max.kellermann@ionos.com
+Signed-off-by: Gao Xiang <xiang@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/erofs/fileio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/erofs/fileio.c b/fs/erofs/fileio.c
+index 4fa0a0121288..60c7cc4c105c 100644
+--- a/fs/erofs/fileio.c
++++ b/fs/erofs/fileio.c
+@@ -150,10 +150,10 @@ static int erofs_fileio_scan_folio(struct erofs_fileio *io, struct folio *folio)
+ io->rq->bio.bi_iter.bi_sector = io->dev.m_pa >> 9;
+ attached = 0;
+ }
+- if (!attached++)
+- erofs_onlinefolio_split(folio);
+ if (!bio_add_folio(&io->rq->bio, folio, len, cur))
+ goto io_retry;
++ if (!attached++)
++ erofs_onlinefolio_split(folio);
+ io->dev.m_pa += len;
+ }
+ cur += len;
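Review bot: The split-after-add order is now a correctness requirement, but the loop body carries no hint of it. If `erofs_onlinefolio_split(folio)` runs before a `bio_add_folio()` that fails, the `goto io_retry` path counts the folio a second time and, per the commit message, it is never unlocked. A comment on the moved lines, e.g. `/* split only once the folio is in the bio; a failed add re-enters via io_retry */`, would protect the ordering from a later tidy-up. The loop and the io_retry label start outside the hunk.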
+--
+2.49.0
+
--- /dev/null
+From 36991c1ccde2d5a521577c448ffe07fcccfe104d Mon Sep 17 00:00:00 2001
+From: Sean Heelan <seanheelan@gmail.com>
+Date: Tue, 6 May 2025 22:04:52 +0900
+Subject: ksmbd: Fix UAF in __close_file_table_ids
+
+From: Sean Heelan <seanheelan@gmail.com>
+
+commit 36991c1ccde2d5a521577c448ffe07fcccfe104d upstream.
+
+A use-after-free is possible if one thread destroys the file
+via __ksmbd_close_fd while another thread holds a reference to
+it. The existing checks on fp->refcount are not sufficient to
+prevent this.
+
+The fix takes ft->lock around the section which removes the
+file from the file table. This prevents two threads acquiring the
+same file pointer via __close_file_table_ids, as well as the other
+functions which retrieve a file from the IDR and which already use
+this same lock.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Heelan <seanheelan@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/vfs_cache.c | 33 ++++++++++++++++++++++++++-------
+ 1 file changed, 26 insertions(+), 7 deletions(-)
+
+--- a/fs/smb/server/vfs_cache.c
++++ b/fs/smb/server/vfs_cache.c
+@@ -661,21 +661,40 @@ __close_file_table_ids(struct ksmbd_file
+ bool (*skip)(struct ksmbd_tree_connect *tcon,
+ struct ksmbd_file *fp))
+ {
+- unsigned int id;
+- struct ksmbd_file *fp;
+- int num = 0;
++ struct ksmbd_file *fp;
++ unsigned int id = 0;
++ int num = 0;
+
+- idr_for_each_entry(ft->idr, fp, id) {
+- if (skip(tcon, fp))
++ while (1) {
++ write_lock(&ft->lock);
++ fp = idr_get_next(ft->idr, &id);
++ if (!fp) {
++ write_unlock(&ft->lock);
++ break;
++ }
++
++ if (skip(tcon, fp) ||
++ !atomic_dec_and_test(&fp->refcount)) {
++ id++;
++ write_unlock(&ft->lock);
+ continue;
++ }
+
+ set_close_state_blocked_works(fp);
++ idr_remove(ft->idr, fp->volatile_id);
++ fp->volatile_id = KSMBD_NO_FID;
++ write_unlock(&ft->lock);
++
++ down_write(&fp->f_ci->m_lock);
++ list_del_init(&fp->node);
++ up_write(&fp->f_ci->m_lock);
+
+- if (!atomic_dec_and_test(&fp->refcount))
+- continue;
+ __ksmbd_close_fd(ft, fp);
++
+ num++;
++ id++;
+ }
++
+ return num;
+ }
+
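Review bot: The `skip(tcon, fp)` callback and `set_close_state_blocked_works(fp)` now run with `ft->lock` write-held, which the old `idr_for_each_entry` loop did not do. Neither callee is visible in this hunk, so it should be confirmed that no `skip` implementation sleeps or takes a sleeping lock. The hunk itself is careful to take `fp->f_ci->m_lock` only after `write_unlock(&ft->lock)`, which suggests the constraint is real. I would record it at the function, e.g. `/* @skip is called with ft->lock held for write and must not sleep */`.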
--- /dev/null
+From 0ca6df4f40cf4c32487944aaf48319cb6c25accc Mon Sep 17 00:00:00 2001
+From: Norbert Szetei <norbert@doyensec.com>
+Date: Fri, 2 May 2025 08:21:58 +0900
+Subject: ksmbd: prevent out-of-bounds stream writes by validating *pos
+
+From: Norbert Szetei <norbert@doyensec.com>
+
+commit 0ca6df4f40cf4c32487944aaf48319cb6c25accc upstream.
+
+ksmbd_vfs_stream_write() did not validate whether the write offset
+(*pos) was within the bounds of the existing stream data length (v_len).
+If *pos was greater than or equal to v_len, this could lead to an
+out-of-bounds memory write.
+
+This patch adds a check to ensure *pos is less than v_len before
+proceeding. If the condition fails, -EINVAL is returned.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Norbert Szetei <norbert@doyensec.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/vfs.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -443,6 +443,13 @@ static int ksmbd_vfs_stream_write(struct
+ goto out;
+ }
+
++ if (v_len <= *pos) {
++ pr_err("stream write position %lld is out of bounds (stream length: %zd)\n",
++ *pos, v_len);
++ err = -EINVAL;
++ goto out;
++ }
++
+ if (v_len < size) {
+ wbuf = kvzalloc(size, KSMBD_DEFAULT_GFP);
+ if (!wbuf) {
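Review bot: The guard `if (v_len <= *pos)` also rejects a write that starts exactly at the current end of the stream, and any write to a stream whose length is 0. Yet the `if (v_len < size)` branch directly below allocates a larger buffer, which suggests growing the stream was meant to work. Whether `*pos == v_len` is actually unsafe depends on how `size` and `count` are derived above the hunk, which is not visible here, so the comparison should be checked against the full function before it is relaxed. Separately, the condition is presumably driven by a client-supplied offset, so an unthrottled `pr_err` lets a peer flood the kernel log; `pr_err_ratelimited(` with the same format string would bound that.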
--- /dev/null
+From 53e3e5babc0963a92d856a5ec0ce92c59f54bc12 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Wed, 30 Apr 2025 11:18:28 +0900
+Subject: ksmbd: prevent rename with empty string
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 53e3e5babc0963a92d856a5ec0ce92c59f54bc12 upstream.
+
+A client can send an empty newname string to the ksmbd server.
+This causes a kernel oops from d_alloc.
+This patch returns an error when attempting to rename
+a file or directory with an empty new name string.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -633,6 +633,11 @@ smb2_get_name(const char *src, const int
+ return name;
+ }
+
++ if (*name == '\0') {
++ kfree(name);
++ return ERR_PTR(-EINVAL);
++ }
++
+ if (*name == '\\') {
+ pr_err("not allow directory name included leading slash\n");
+ kfree(name);
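Review bot: The empty-name rejection lands in smb2_get_name(), which by its name and signature looks like a shared name-conversion helper rather than rename-specific code. Every caller therefore now gets `ERR_PTR(-EINVAL)` for an empty string, not only the rename path named in the subject. The callers are outside this hunk, so it is worth confirming that none of them legitimately passes an empty name. A comment on the new branch, e.g. `/* an empty name would reach d_alloc() and oops; reject it for all callers */`, would record that the wider scope is intended.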
--- /dev/null
+From 8fb1dcbbcc1ffe6ed7cf3f0f96d2737491dd1fbf Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Fri, 17 Jan 2025 09:09:34 +1030
+Subject: Revert "btrfs: canonicalize the device path before adding it"
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 8fb1dcbbcc1ffe6ed7cf3f0f96d2737491dd1fbf upstream.
+
+This reverts commit 7e06de7c83a746e58d4701e013182af133395188.
+
+Commit 7e06de7c83a7 ("btrfs: canonicalize the device path before adding
+it") tries to make btrfs to use "/dev/mapper/*" name first, then any
+filename inside "/dev/" as the device path.
+
+This is mostly fine when there is only the root namespace involved, but
+when multiple namespace are involved, things can easily go wrong for the
+d_path() usage.
+
+As d_path() returns a file path that is namespace dependent, the
+resulted string may not make any sense in another namespace.
+
+Furthermore, the "/dev/" prefix check itself is not reliable: one can
+still make a valid initramfs without devtmpfs, and fill all needed
+device nodes manually.
+
+Overall the userspace has all its might to pass whatever device path for
+mount, and we are not going to win the war trying to cover every corner
+case.
+
+So just revert that commit, and do no extra d_path() based file path
+sanity check.
+
+CC: stable@vger.kernel.org # 6.12+
+Link: https://lore.kernel.org/linux-fsdevel/20250115185608.GA2223535@zen.localdomain/
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 91 -----------------------------------------------------
+ 1 file changed, 1 insertion(+), 90 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -732,82 +732,6 @@ const u8 *btrfs_sb_fsid_ptr(const struct
+ return has_metadata_uuid ? sb->metadata_uuid : sb->fsid;
+ }
+
+-/*
+- * We can have very weird soft links passed in.
+- * One example is "/proc/self/fd/<fd>", which can be a soft link to
+- * a block device.
+- *
+- * But it's never a good idea to use those weird names.
+- * Here we check if the path (not following symlinks) is a good one inside
+- * "/dev/".
+- */
+-static bool is_good_dev_path(const char *dev_path)
+-{
+- struct path path = { .mnt = NULL, .dentry = NULL };
+- char *path_buf = NULL;
+- char *resolved_path;
+- bool is_good = false;
+- int ret;
+-
+- if (!dev_path)
+- goto out;
+-
+- path_buf = kmalloc(PATH_MAX, GFP_KERNEL);
+- if (!path_buf)
+- goto out;
+-
+- /*
+- * Do not follow soft link, just check if the original path is inside
+- * "/dev/".
+- */
+- ret = kern_path(dev_path, 0, &path);
+- if (ret)
+- goto out;
+- resolved_path = d_path(&path, path_buf, PATH_MAX);
+- if (IS_ERR(resolved_path))
+- goto out;
+- if (strncmp(resolved_path, "/dev/", strlen("/dev/")))
+- goto out;
+- is_good = true;
+-out:
+- kfree(path_buf);
+- path_put(&path);
+- return is_good;
+-}
+-
+-static int get_canonical_dev_path(const char *dev_path, char *canonical)
+-{
+- struct path path = { .mnt = NULL, .dentry = NULL };
+- char *path_buf = NULL;
+- char *resolved_path;
+- int ret;
+-
+- if (!dev_path) {
+- ret = -EINVAL;
+- goto out;
+- }
+-
+- path_buf = kmalloc(PATH_MAX, GFP_KERNEL);
+- if (!path_buf) {
+- ret = -ENOMEM;
+- goto out;
+- }
+-
+- ret = kern_path(dev_path, LOOKUP_FOLLOW, &path);
+- if (ret)
+- goto out;
+- resolved_path = d_path(&path, path_buf, PATH_MAX);
+- if (IS_ERR(resolved_path)) {
+- ret = PTR_ERR(resolved_path);
+- goto out;
+- }
+- ret = strscpy(canonical, resolved_path, PATH_MAX);
+-out:
+- kfree(path_buf);
+- path_put(&path);
+- return ret;
+-}
+-
+ static bool is_same_device(struct btrfs_device *device, const char *new_path)
+ {
+ struct path old = { .mnt = NULL, .dentry = NULL };
+@@ -1495,23 +1419,12 @@ struct btrfs_device *btrfs_scan_one_devi
+ bool new_device_added = false;
+ struct btrfs_device *device = NULL;
+ struct file *bdev_file;
+- char *canonical_path = NULL;
+ u64 bytenr;
+ dev_t devt;
+ int ret;
+
+ lockdep_assert_held(&uuid_mutex);
+
+- if (!is_good_dev_path(path)) {
+- canonical_path = kmalloc(PATH_MAX, GFP_KERNEL);
+- if (canonical_path) {
+- ret = get_canonical_dev_path(path, canonical_path);
+- if (ret < 0) {
+- kfree(canonical_path);
+- canonical_path = NULL;
+- }
+- }
+- }
+ /*
+ * Avoid an exclusive open here, as the systemd-udev may initiate the
+ * device scan which may race with the user's mount or mkfs command,
+@@ -1556,8 +1469,7 @@ struct btrfs_device *btrfs_scan_one_devi
+ goto free_disk_super;
+ }
+
+- device = device_list_add(canonical_path ? : path, disk_super,
+- &new_device_added);
++ device = device_list_add(path, disk_super, &new_device_added);
+ if (!IS_ERR(device) && new_device_added)
+ btrfs_free_stale_devices(device->devt, device);
+
+@@ -1566,7 +1478,6 @@ free_disk_super:
+
+ error_bdev_put:
+ fput(bdev_file);
+- kfree(canonical_path);
+
+ return device;
+ }
--- /dev/null
+From 05a2538f2b48500cf4e8a0a0ce76623cc5bafcf1 Mon Sep 17 00:00:00 2001
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+Date: Wed, 30 Apr 2025 15:26:19 +0200
+Subject: s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+commit 05a2538f2b48500cf4e8a0a0ce76623cc5bafcf1 upstream.
+
+With commit bcb5d6c76903 ("s390/pci: introduce lock to synchronize state
+of zpci_dev's") the code to ignore power off of a PF that has child VFs
+was changed from a direct return to a goto to the unlock and
+pci_dev_put() section. The change however left the existing pci_dev_put()
+untouched resulting in a double put. This can subsequently cause a use
+after free if the struct pci_dev is released in an unexpected state.
+Fix this by removing the extra pci_dev_put().
+
+Cc: stable@vger.kernel.org
+Fixes: bcb5d6c76903 ("s390/pci: introduce lock to synchronize state of zpci_dev's")
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Reviewed-by: Gerd Bayer <gbayer@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/hotplug/s390_pci_hpc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/pci/hotplug/s390_pci_hpc.c
++++ b/drivers/pci/hotplug/s390_pci_hpc.c
+@@ -59,7 +59,6 @@ static int disable_slot(struct hotplug_s
+
+ pdev = pci_get_slot(zdev->zbus->bus, zdev->devfn);
+ if (pdev && pci_num_vf(pdev)) {
+- pci_dev_put(pdev);
+ rc = -EBUSY;
+ goto out;
+ }
--- /dev/null
+From 42420c50c68f3e95e90de2479464f420602229fc Mon Sep 17 00:00:00 2001
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+Date: Wed, 30 Apr 2025 15:26:18 +0200
+Subject: s390/pci: Fix missing check for zpci_create_device() error return
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+commit 42420c50c68f3e95e90de2479464f420602229fc upstream.
+
+The zpci_create_device() function returns an error pointer that needs to
+be checked before dereferencing it as a struct zpci_dev pointer. Add the
+missing check in __clp_add() where it was missed when adding the
+scan_list in the fixed commit. Simply not adding the device to the scan
+list results in the previous behavior.
+
+Cc: stable@vger.kernel.org
+Fixes: 0467cdde8c43 ("s390/pci: Sort PCI functions prior to creating virtual busses")
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Reviewed-by: Gerd Bayer <gbayer@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/pci/pci_clp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/s390/pci/pci_clp.c
++++ b/arch/s390/pci/pci_clp.c
+@@ -422,6 +422,8 @@ static void __clp_add(struct clp_fh_list
+ return;
+ }
+ zdev = zpci_create_device(entry->fid, entry->fh, entry->config_state);
++ if (IS_ERR(zdev))
++ return;
+ list_add_tail(&zdev->entry, scan_list);
+ }
+
--- /dev/null
+dm-add-missing-unlock-on-in-dm_keyslot_evict.patch
+fs-erofs-fileio-call-erofs_onlinefolio_split-after-bio_add_folio.patch
+revert-btrfs-canonicalize-the-device-path-before-adding-it.patch
+arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch
+firmware-arm_scmi-fix-timeout-checks-on-polling-path.patch
+can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch
+s390-pci-fix-missing-check-for-zpci_create_device-error-return.patch
+wifi-cfg80211-fix-out-of-bounds-access-during-multi-link-element-defragmentation.patch
+vfio-pci-align-huge-faults-to-order.patch
+s390-pci-fix-duplicate-pci_dev_put-in-disable_slot-when-pf-has-child-vfs.patch
+can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch
+can-rockchip_canfd-rkcanfd_remove-fix-order-of-unregistration-calls.patch
+ksmbd-prevent-rename-with-empty-string.patch
+ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch
+ksmbd-fix-uaf-in-__close_file_table_ids.patch
--- /dev/null
+From c1d9dac0db168198b6f63f460665256dedad9b6e Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Fri, 2 May 2025 16:40:31 -0600
+Subject: vfio/pci: Align huge faults to order
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit c1d9dac0db168198b6f63f460665256dedad9b6e upstream.
+
+The vfio-pci huge_fault handler doesn't make any attempt to insert a
+mapping containing the faulting address, it only inserts mappings if the
+faulting address and resulting pfn are aligned. This works in a lot of
+cases, particularly in conjunction with QEMU where DMA mappings linearly
+fault the mmap. However, there are configurations where we don't get
+that linear faulting and pages are faulted on-demand.
+
+The scenario reported in the bug below is such a case, where the physical
+address width of the CPU is greater than that of the IOMMU, resulting in a
+VM where guest firmware has mapped device MMIO beyond the address width of
+the IOMMU. In this configuration, the MMIO is faulted on demand and
+tracing indicates that occasionally the faults generate a VM_FAULT_OOM.
+Given the use case, this results in a "error: kvm run failed Bad address",
+killing the VM.
+
+The host is not under memory pressure in this test, therefore it's
+suspected that VM_FAULT_OOM is actually the result of a NULL return from
+__pte_offset_map_lock() in the get_locked_pte() path from insert_pfn().
+This suggests a potential race inserting a pte concurrent to a pmd, and
+maybe indicates some deficiency in the mm layer properly handling such a
+case.
+
+Nevertheless, Peter noted the inconsistency of vfio-pci's huge_fault
+handler where our mapping granularity depends on the alignment of the
+faulting address relative to the order rather than aligning the faulting
+address to the order to more consistently insert huge mappings. This
+change not only uses the page tables more consistently and efficiently, but
+as any fault to an aligned page results in the same mapping, the race
+condition suspected in the VM_FAULT_OOM is avoided.
+
+Reported-by: Adolfo <adolfotregosa@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220057
+Fixes: 09dfc8a5f2ce ("vfio/pci: Fallback huge faults for unaligned pfn")
+Cc: stable@vger.kernel.org
+Tested-by: Adolfo <adolfotregosa@gmail.com>
+Co-developed-by: Peter Xu <peterx@redhat.com>
+Signed-off-by: Peter Xu <peterx@redhat.com>
+Link: https://lore.kernel.org/r/20250502224035.3183451-1-alex.williamson@redhat.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vfio/pci/vfio_pci_core.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/vfio/pci/vfio_pci_core.c
++++ b/drivers/vfio/pci/vfio_pci_core.c
+@@ -1658,14 +1658,14 @@ static vm_fault_t vfio_pci_mmap_huge_fau
+ {
+ struct vm_area_struct *vma = vmf->vma;
+ struct vfio_pci_core_device *vdev = vma->vm_private_data;
+- unsigned long pfn, pgoff = vmf->pgoff - vma->vm_pgoff;
++ unsigned long addr = vmf->address & ~((PAGE_SIZE << order) - 1);
++ unsigned long pgoff = (addr - vma->vm_start) >> PAGE_SHIFT;
++ unsigned long pfn = vma_to_pfn(vma) + pgoff;
+ vm_fault_t ret = VM_FAULT_SIGBUS;
+
+- pfn = vma_to_pfn(vma) + pgoff;
+-
+- if (order && (pfn & ((1 << order) - 1) ||
+- vmf->address & ((PAGE_SIZE << order) - 1) ||
+- vmf->address + (PAGE_SIZE << order) > vma->vm_end)) {
++ if (order && (addr < vma->vm_start ||
++ addr + (PAGE_SIZE << order) > vma->vm_end ||
++ pfn & ((1 << order) - 1))) {
+ ret = VM_FAULT_FALLBACK;
+ goto out;
+ }
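Review bot: `pgoff` and `pfn` are computed in the declarations from `addr - vma->vm_start` before the `addr < vma->vm_start` test runs. When rounding down to the huge-page boundary lands below the VMA start, the unsigned subtraction wraps and both variables hold meaningless values until the `VM_FAULT_FALLBACK` branch discards them. This is safe only because the guard comes first and, assuming the fault address lies inside the VMA, `order == 0` cannot round below `vm_start`. Either add `/* addr may be below vm_start for order > 0; pgoff and pfn are valid only after the range check */` or move the two computations below the check. The rest of the function is outside the hunk.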
--- /dev/null
+From 023c1f2f0609218103cbcb48e0104b144d4a16dc Mon Sep 17 00:00:00 2001
+From: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
+Date: Thu, 24 Apr 2025 18:01:42 +0530
+Subject: wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation
+
+From: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
+
+commit 023c1f2f0609218103cbcb48e0104b144d4a16dc upstream.
+
+Currently during the multi-link element defragmentation process, the
+multi-link element length is added to the total IEs length when calculating
+the length of remaining IEs after the multi-link element in
+cfg80211_defrag_mle(). This could lead to out-of-bounds access if the
+multi-link element or its corresponding fragment elements are the last
+elements in the IEs buffer.
+
+To address this issue, correctly calculate the remaining IEs length by
+deducting the multi-link element end offset from total IEs end offset.
+
+Cc: stable@vger.kernel.org
+Fixes: 2481b5da9c6b ("wifi: cfg80211: handle BSS data contained in ML probe responses")
+Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
+Link: https://patch.msgid.link/20250424-fix_mle_defragmentation_oob_access-v1-1-84412a1743fa@quicinc.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -2644,7 +2644,7 @@ cfg80211_defrag_mle(const struct element
+ /* Required length for first defragmentation */
+ buf_len = mle->datalen - 1;
+ for_each_element(elem, mle->data + mle->datalen,
+- ielen - sizeof(*mle) + mle->datalen) {
++ ie + ielen - mle->data - mle->datalen) {
+ if (elem->id != WLAN_EID_FRAGMENT)
+ break;
+
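Review bot: The corrected length `ie + ielen - mle->data - mle->datalen` is right only if `mle` lies inside the `ie` buffer and its payload does not run past `ie + ielen`. That precondition is established outside this hunk and is not visible here. Expressing it through an end pointer, `const u8 *end = ie + ielen;` followed by `end - (mle->data + mle->datalen)`, would make it plain that the value is the number of bytes after the multi-link element, and would keep the arithmetic to a single pointer difference.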