6.11-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 3 Dec 2024 11:02:47 +0000 (12:02 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 3 Dec 2024 11:02:47 +0000 (12:02 +0100)
added patches:
counter-stm32-timer-cnt-fix-device_node-handling-in-probe_encoder.patch
f2fs-fix-to-do-sanity-check-on-node-blkaddr-in-truncate_node.patch
input-cs40l50-fix-wrong-usage-of-init_work.patch
ipc-fix-memleak-if-msg_init_ns-failed-in-create_ipc_ns.patch
lib-string_helpers-silence-snprintf-output-truncation-warning.patch
nfsd-prevent-a-potential-integer-overflow.patch
staging-vchiq_arm-fix-missing-refcount-decrement-in-error-path-for-fw_node.patch
sunrpc-make-sure-cache-entry-active-before-cache_show.patch
ublk-fix-error-code-for-unsupported-command.patch

queue-6.11/counter-stm32-timer-cnt-fix-device_node-handling-in-probe_encoder.patch [new file with mode: 0644]
queue-6.11/f2fs-fix-to-do-sanity-check-on-node-blkaddr-in-truncate_node.patch [new file with mode: 0644]
queue-6.11/input-cs40l50-fix-wrong-usage-of-init_work.patch [new file with mode: 0644]
queue-6.11/ipc-fix-memleak-if-msg_init_ns-failed-in-create_ipc_ns.patch [new file with mode: 0644]
queue-6.11/lib-string_helpers-silence-snprintf-output-truncation-warning.patch [new file with mode: 0644]
queue-6.11/nfsd-prevent-a-potential-integer-overflow.patch [new file with mode: 0644]
queue-6.11/series
queue-6.11/staging-vchiq_arm-fix-missing-refcount-decrement-in-error-path-for-fw_node.patch [new file with mode: 0644]
queue-6.11/sunrpc-make-sure-cache-entry-active-before-cache_show.patch [new file with mode: 0644]
queue-6.11/ublk-fix-error-code-for-unsupported-command.patch [new file with mode: 0644]

diff --git a/queue-6.11/counter-stm32-timer-cnt-fix-device_node-handling-in-probe_encoder.patch b/queue-6.11/counter-stm32-timer-cnt-fix-device_node-handling-in-probe_encoder.patch
new file mode 100644 (file)
index 0000000..6d41a1d
--- /dev/null
@@ -0,0 +1,37 @@
+From 147359e23e5c9652ff8c5a98a51a7323bd51c94a Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Sun, 27 Oct 2024 13:26:49 +0100
+Subject: counter: stm32-timer-cnt: fix device_node handling in probe_encoder()
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 147359e23e5c9652ff8c5a98a51a7323bd51c94a upstream.
+
+Device nodes accessed via of_get_compatible_child() require
+of_node_put() to be called when the node is no longer required to avoid
+leaving a reference to the node behind, leaking the resource.
+
+In this case, the usage of 'tnode' is straightforward and there are no
+error paths, allowing for a single of_node_put() when 'tnode' is no
+longer required.
+
+Cc: stable@vger.kernel.org
+Fixes: 29646ee33cc3 ("counter: stm32-timer-cnt: add checks on quadrature encoder capability")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://lore.kernel.org/r/20241027-stm32-timer-cnt-of_node_put-v1-1-ebd903cdf7ac@gmail.com
+Signed-off-by: William Breathitt Gray <wbg@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/counter/stm32-timer-cnt.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/counter/stm32-timer-cnt.c
++++ b/drivers/counter/stm32-timer-cnt.c
+@@ -700,6 +700,7 @@ static int stm32_timer_cnt_probe_encoder
+       }
+       ret = of_property_read_u32(tnode, "reg", &idx);
++      of_node_put(tnode);
+       if (ret) {
+               dev_err(dev, "Can't get index (%d)\n", ret);
+               return ret;
diff --git a/queue-6.11/f2fs-fix-to-do-sanity-check-on-node-blkaddr-in-truncate_node.patch b/queue-6.11/f2fs-fix-to-do-sanity-check-on-node-blkaddr-in-truncate_node.patch
new file mode 100644 (file)
index 0000000..79eca86
--- /dev/null
@@ -0,0 +1,69 @@
+From 6babe00ccd34fc65b78ef8b99754e32b4385f23d Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Wed, 16 Oct 2024 16:13:37 +0800
+Subject: f2fs: fix to do sanity check on node blkaddr in truncate_node()
+
+From: Chao Yu <chao@kernel.org>
+
+commit 6babe00ccd34fc65b78ef8b99754e32b4385f23d upstream.
+
+syzbot reports a f2fs bug as below:
+
+------------[ cut here ]------------
+kernel BUG at fs/f2fs/segment.c:2534!
+RIP: 0010:f2fs_invalidate_blocks+0x35f/0x370 fs/f2fs/segment.c:2534
+Call Trace:
+ truncate_node+0x1ae/0x8c0 fs/f2fs/node.c:909
+ f2fs_remove_inode_page+0x5c2/0x870 fs/f2fs/node.c:1288
+ f2fs_evict_inode+0x879/0x15c0 fs/f2fs/inode.c:856
+ evict+0x4e8/0x9b0 fs/inode.c:723
+ f2fs_handle_failed_inode+0x271/0x2e0 fs/f2fs/inode.c:986
+ f2fs_create+0x357/0x530 fs/f2fs/namei.c:394
+ lookup_open fs/namei.c:3595 [inline]
+ open_last_lookups fs/namei.c:3694 [inline]
+ path_openat+0x1c03/0x3590 fs/namei.c:3930
+ do_filp_open+0x235/0x490 fs/namei.c:3960
+ do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
+ do_sys_open fs/open.c:1430 [inline]
+ __do_sys_openat fs/open.c:1446 [inline]
+ __se_sys_openat fs/open.c:1441 [inline]
+ __x64_sys_openat+0x247/0x2a0 fs/open.c:1441
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0010:f2fs_invalidate_blocks+0x35f/0x370 fs/f2fs/segment.c:2534
+
+The root cause is: on a fuzzed image, blkaddr in nat entry may be
+corrupted, then it will cause system panic when using it in
+f2fs_invalidate_blocks(), to avoid this, let's add sanity check on
+nat blkaddr in truncate_node().
+
+Reported-by: syzbot+33379ce4ac76acf7d0c7@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-f2fs-devel/0000000000009a6cd706224ca720@google.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/node.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -905,6 +905,16 @@ static int truncate_node(struct dnode_of
+       if (err)
+               return err;
++      if (ni.blk_addr != NEW_ADDR &&
++              !f2fs_is_valid_blkaddr(sbi, ni.blk_addr, DATA_GENERIC_ENHANCE)) {
++              f2fs_err_ratelimited(sbi,
++                      "nat entry is corrupted, run fsck to fix it, ino:%u, "
++                      "nid:%u, blkaddr:%u", ni.ino, ni.nid, ni.blk_addr);
++              set_sbi_flag(sbi, SBI_NEED_FSCK);
++              f2fs_handle_error(sbi, ERROR_INCONSISTENT_NAT);
++              return -EFSCORRUPTED;
++      }
++
+       /* Deallocate node address */
+       f2fs_invalidate_blocks(sbi, ni.blk_addr);
+       dec_valid_node_count(sbi, dn->inode, dn->nid == dn->inode->i_ino);
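Review bot: The exemption of NEW_ADDR from the new range check (first added line of the hunk) has no explanation in the code, and a reader not fluent in f2fs address conventions will wonder whether NULL_ADDR needs the same exemption or whether f2fs_is_valid_blkaddr() already rejects the reserved markers itself. A why-comment above the `if` would settle that, e.g. `/* NEW_ADDR is a reserved marker, not an on-disk address, so it is not range-checked */`, assuming that is the intended reasoning — please confirm before quoting it. truncate_node() starts and ends outside the hunk, so I cannot see from here whether ni.blk_addr is validated anywhere earlier on this path.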
diff --git a/queue-6.11/input-cs40l50-fix-wrong-usage-of-init_work.patch b/queue-6.11/input-cs40l50-fix-wrong-usage-of-init_work.patch
new file mode 100644 (file)
index 0000000..2a8543c
--- /dev/null
@@ -0,0 +1,59 @@
+From 5c822c0ce5cc83ed4cd8394f3dc46dae8d9a681d Mon Sep 17 00:00:00 2001
+From: Yuan Can <yuancan@huawei.com>
+Date: Thu, 7 Nov 2024 21:52:23 -0800
+Subject: Input: cs40l50 - fix wrong usage of INIT_WORK()
+
+From: Yuan Can <yuancan@huawei.com>
+
+commit 5c822c0ce5cc83ed4cd8394f3dc46dae8d9a681d upstream.
+
+In cs40l50_add(), the work_data is a local variable and the work_data.work
+should initialize with INIT_WORK_ONSTACK() instead of INIT_WORK().
+Small error in cs40l50_erase() also fixed in this commit.
+
+Fixes: c38fe1bb5d21 ("Input: cs40l50 - Add support for the CS40L50 haptic driver")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Reviewed-by: James Ogletree <jogletre@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20241106013549.78142-1-yuancan@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/cs40l50-vibra.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/input/misc/cs40l50-vibra.c b/drivers/input/misc/cs40l50-vibra.c
+index 03bdb7c26ec0..dce3b0ec8cf3 100644
+--- a/drivers/input/misc/cs40l50-vibra.c
++++ b/drivers/input/misc/cs40l50-vibra.c
+@@ -334,11 +334,12 @@ static int cs40l50_add(struct input_dev *dev, struct ff_effect *effect,
+       work_data.custom_len = effect->u.periodic.custom_len;
+       work_data.vib = vib;
+       work_data.effect = effect;
+-      INIT_WORK(&work_data.work, cs40l50_add_worker);
++      INIT_WORK_ONSTACK(&work_data.work, cs40l50_add_worker);
+       /* Push to the workqueue to serialize with playbacks */
+       queue_work(vib->vib_wq, &work_data.work);
+       flush_work(&work_data.work);
++      destroy_work_on_stack(&work_data.work);
+       kfree(work_data.custom_data);
+@@ -467,11 +468,12 @@ static int cs40l50_erase(struct input_dev *dev, int effect_id)
+       work_data.vib = vib;
+       work_data.effect = &dev->ff->effects[effect_id];
+-      INIT_WORK(&work_data.work, cs40l50_erase_worker);
++      INIT_WORK_ONSTACK(&work_data.work, cs40l50_erase_worker);
+       /* Push to workqueue to serialize with playbacks */
+       queue_work(vib->vib_wq, &work_data.work);
+       flush_work(&work_data.work);
++      destroy_work_on_stack(&work_data.work);
+       return work_data.error;
+ }
+-- 
+2.47.1
+
diff --git a/queue-6.11/ipc-fix-memleak-if-msg_init_ns-failed-in-create_ipc_ns.patch b/queue-6.11/ipc-fix-memleak-if-msg_init_ns-failed-in-create_ipc_ns.patch
new file mode 100644 (file)
index 0000000..b6817fd
--- /dev/null
@@ -0,0 +1,62 @@
+From bc8f5921cd69188627c08041276238de222ab466 Mon Sep 17 00:00:00 2001
+From: Ma Wupeng <mawupeng1@huawei.com>
+Date: Wed, 23 Oct 2024 17:31:29 +0800
+Subject: ipc: fix memleak if msg_init_ns failed in create_ipc_ns
+
+From: Ma Wupeng <mawupeng1@huawei.com>
+
+commit bc8f5921cd69188627c08041276238de222ab466 upstream.
+
+Percpu memory allocation may failed during create_ipc_ns however this
+fail is not handled properly since ipc sysctls and mq sysctls is not
+released properly. Fix this by release these two resource when failure.
+
+Here is the kmemleak stack when percpu failed:
+
+unreferenced object 0xffff88819de2a600 (size 512):
+  comm "shmem_2nstest", pid 120711, jiffies 4300542254
+  hex dump (first 32 bytes):
+    60 aa 9d 84 ff ff ff ff fc 18 48 b2 84 88 ff ff  `.........H.....
+    04 00 00 00 a4 01 00 00 20 e4 56 81 ff ff ff ff  ........ .V.....
+  backtrace (crc be7cba35):
+    [<ffffffff81b43f83>] __kmalloc_node_track_caller_noprof+0x333/0x420
+    [<ffffffff81a52e56>] kmemdup_noprof+0x26/0x50
+    [<ffffffff821b2f37>] setup_mq_sysctls+0x57/0x1d0
+    [<ffffffff821b29cc>] copy_ipcs+0x29c/0x3b0
+    [<ffffffff815d6a10>] create_new_namespaces+0x1d0/0x920
+    [<ffffffff815d7449>] copy_namespaces+0x2e9/0x3e0
+    [<ffffffff815458f3>] copy_process+0x29f3/0x7ff0
+    [<ffffffff8154b080>] kernel_clone+0xc0/0x650
+    [<ffffffff8154b6b1>] __do_sys_clone+0xa1/0xe0
+    [<ffffffff843df8ff>] do_syscall_64+0xbf/0x1c0
+    [<ffffffff846000b0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Link: https://lkml.kernel.org/r/20241023093129.3074301-1-mawupeng1@huawei.com
+Fixes: 72d1e611082e ("ipc/msg: mitigate the lock contention with percpu counter")
+Signed-off-by: Ma Wupeng <mawupeng1@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ ipc/namespace.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/ipc/namespace.c
++++ b/ipc/namespace.c
+@@ -83,13 +83,15 @@ static struct ipc_namespace *create_ipc_
+       err = msg_init_ns(ns);
+       if (err)
+-              goto fail_put;
++              goto fail_ipc;
+       sem_init_ns(ns);
+       shm_init_ns(ns);
+       return ns;
++fail_ipc:
++      retire_ipc_sysctls(ns);
+ fail_mq:
+       retire_mq_sysctls(ns);
diff --git a/queue-6.11/lib-string_helpers-silence-snprintf-output-truncation-warning.patch b/queue-6.11/lib-string_helpers-silence-snprintf-output-truncation-warning.patch
new file mode 100644 (file)
index 0000000..9ea7521
--- /dev/null
@@ -0,0 +1,40 @@
+From a508ef4b1dcc82227edc594ffae583874dd425d7 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Fri, 1 Nov 2024 21:54:53 +0100
+Subject: lib: string_helpers: silence snprintf() output truncation warning
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit a508ef4b1dcc82227edc594ffae583874dd425d7 upstream.
+
+The output of ".%03u" with the unsigned int in range [0, 4294966295] may
+get truncated if the target buffer is not 12 bytes. This can't really
+happen here as the 'remainder' variable cannot exceed 999 but the
+compiler doesn't know it. To make it happy just increase the buffer to
+where the warning goes away.
+
+Fixes: 3c9f3681d0b4 ("[SCSI] lib: add generic helper to print sizes rounded to the correct SI range")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Andy Shevchenko <andy@kernel.org>
+Cc: James E.J. Bottomley <James.Bottomley@HansenPartnership.com>
+Cc: Kees Cook <kees@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Link: https://lore.kernel.org/r/20241101205453.9353-1-brgl@bgdev.pl
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/string_helpers.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/string_helpers.c
++++ b/lib/string_helpers.c
+@@ -57,7 +57,7 @@ int string_get_size(u64 size, u64 blk_si
+       static const unsigned int rounding[] = { 500, 50, 5 };
+       int i = 0, j;
+       u32 remainder = 0, sf_cap;
+-      char tmp[8];
++      char tmp[12];
+       const char *unit;
+       tmp[0] = '\0';
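Review bot: The new bound `char tmp[12];` is a magic number whose derivation lives only in the commit message; in lib/string_helpers.c itself nothing says why 12 rather than 8 is enough. Suggest `char tmp[12];	/* ".%03u" of a full u32: '.' + 10 digits + NUL */` so the sizing argument survives without the commit history. string_get_size() continues outside the hunk, so I cannot confirm from here that the snprintf described in the message is the only writer of tmp.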
diff --git a/queue-6.11/nfsd-prevent-a-potential-integer-overflow.patch b/queue-6.11/nfsd-prevent-a-potential-integer-overflow.patch
new file mode 100644 (file)
index 0000000..5550e92
--- /dev/null
@@ -0,0 +1,50 @@
+From 7f33b92e5b18e904a481e6e208486da43e4dc841 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Tue, 17 Sep 2024 12:15:23 -0400
+Subject: NFSD: Prevent a potential integer overflow
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 7f33b92e5b18e904a481e6e208486da43e4dc841 upstream.
+
+If the tag length is >= U32_MAX - 3 then the "length + 4" addition
+can result in an integer overflow. Address this by splitting the
+decoding into several steps so that decode_cb_compound4res() does
+not have to perform arithmetic on the unsafe length value.
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4callback.c |   14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/nfsd/nfs4callback.c
++++ b/fs/nfsd/nfs4callback.c
+@@ -287,17 +287,17 @@ static int decode_cb_compound4res(struct
+       u32 length;
+       __be32 *p;
+-      p = xdr_inline_decode(xdr, 4 + 4);
++      p = xdr_inline_decode(xdr, XDR_UNIT);
+       if (unlikely(p == NULL))
+               goto out_overflow;
+-      hdr->status = be32_to_cpup(p++);
++      hdr->status = be32_to_cpup(p);
+       /* Ignore the tag */
+-      length = be32_to_cpup(p++);
+-      p = xdr_inline_decode(xdr, length + 4);
+-      if (unlikely(p == NULL))
++      if (xdr_stream_decode_u32(xdr, &length) < 0)
++              goto out_overflow;
++      if (xdr_inline_decode(xdr, length) == NULL)
++              goto out_overflow;
++      if (xdr_stream_decode_u32(xdr, &hdr->nops) < 0)
+               goto out_overflow;
+-      p += XDR_QUADLEN(length);
+-      hdr->nops = be32_to_cpup(p);
+       return 0;
+ out_overflow:
+       return -EIO;
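Review bot: The tag is now skipped with `xdr_inline_decode(xdr, length)` where length is a wire-supplied u32 with no upper bound; the `length + 4` overflow is gone, but the skip now relies on xdr_inline_decode() doing the quad-alignment rounding internally (the explicit `XDR_QUADLEN(length)` was dropped), and if I read XDR_QUADLEN() right a length within 3 of U32_MAX could still wrap inside that rounding on a 32-bit size_t — worth confirming rather than trusting my reading. An explicit bound before the skip would make the intent self-documenting and independent of the helper, e.g. `if (length > NFSD4_MAX_TAGLEN) goto out_overflow;` provided that nfsd-side tag limit is in scope here, and the `/* Ignore the tag */` comment could say that padding is consumed by xdr_inline_decode(). decode_cb_compound4res() starts outside the hunk.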
index cfb2d8fcfae62bf7aebea60bd2381c362d197f5b..8086035820b74f47e54baa8e692ea1944cbc9ba9 100644 (file)
@@ -755,3 +755,12 @@ usb-dwc3-ep0-don-t-clear-ep0-dwc3_ep_transfer_started.patch
 usb-musb-fix-hardware-lockup-on-first-rx-endpoint-request.patch
 usb-dwc3-gadget-fix-checking-for-number-of-trbs-left.patch
 usb-dwc3-gadget-fix-looping-of-queued-sg-entries.patch
+staging-vchiq_arm-fix-missing-refcount-decrement-in-error-path-for-fw_node.patch
+counter-stm32-timer-cnt-fix-device_node-handling-in-probe_encoder.patch
+ublk-fix-error-code-for-unsupported-command.patch
+lib-string_helpers-silence-snprintf-output-truncation-warning.patch
+f2fs-fix-to-do-sanity-check-on-node-blkaddr-in-truncate_node.patch
+ipc-fix-memleak-if-msg_init_ns-failed-in-create_ipc_ns.patch
+input-cs40l50-fix-wrong-usage-of-init_work.patch
+nfsd-prevent-a-potential-integer-overflow.patch
+sunrpc-make-sure-cache-entry-active-before-cache_show.patch
diff --git a/queue-6.11/staging-vchiq_arm-fix-missing-refcount-decrement-in-error-path-for-fw_node.patch b/queue-6.11/staging-vchiq_arm-fix-missing-refcount-decrement-in-error-path-for-fw_node.patch
new file mode 100644 (file)
index 0000000..ddafa36
--- /dev/null
@@ -0,0 +1,58 @@
+From 22a3703af127e897dc7df89372b85bb9dc331c5f Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Mon, 14 Oct 2024 10:56:37 +0200
+Subject: staging: vchiq_arm: Fix missing refcount decrement in error path for fw_node
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 22a3703af127e897dc7df89372b85bb9dc331c5f upstream.
+
+An error path was introduced without including the required call to
+of_node_put() to decrement the node's refcount and avoid leaking memory.
+If the call to kzalloc() for 'mgmt' fails, the probe returns without
+decrementing the refcount.
+
+Use the automatic cleanup facility to fix the bug and protect the code
+against new error paths where the call to of_node_put() might be missing
+again.
+
+Cc: stable@vger.kernel.org
+Fixes: 1c9e16b73166 ("staging: vc04_services: vchiq_arm: Split driver static and runtime data")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Umang Jain <umang.jain@ideasonboard.com>
+Link: https://lore.kernel.org/r/20241014-vchiq_arm-of_node_put-v2-2-cafe0a4c2666@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
+@@ -1715,7 +1715,6 @@ MODULE_DEVICE_TABLE(of, vchiq_of_match);
+ static int vchiq_probe(struct platform_device *pdev)
+ {
+-      struct device_node *fw_node;
+       const struct vchiq_platform_info *info;
+       struct vchiq_drv_mgmt *mgmt;
+       int ret;
+@@ -1724,8 +1723,8 @@ static int vchiq_probe(struct platform_d
+       if (!info)
+               return -EINVAL;
+-      fw_node = of_find_compatible_node(NULL, NULL,
+-                                        "raspberrypi,bcm2835-firmware");
++      struct device_node *fw_node __free(device_node) =
++              of_find_compatible_node(NULL, NULL, "raspberrypi,bcm2835-firmware");
+       if (!fw_node) {
+               dev_err(&pdev->dev, "Missing firmware node\n");
+               return -ENOENT;
+@@ -1736,7 +1735,6 @@ static int vchiq_probe(struct platform_d
+               return -ENOMEM;
+       mgmt->fw = devm_rpi_firmware_get(&pdev->dev, fw_node);
+-      of_node_put(fw_node);
+       if (!mgmt->fw)
+               return -EPROBE_DEFER;
diff --git a/queue-6.11/sunrpc-make-sure-cache-entry-active-before-cache_show.patch b/queue-6.11/sunrpc-make-sure-cache-entry-active-before-cache_show.patch
new file mode 100644 (file)
index 0000000..2e28fec
--- /dev/null
@@ -0,0 +1,57 @@
+From 2862eee078a4d2d1f584e7f24fa50dddfa5f3471 Mon Sep 17 00:00:00 2001
+From: Yang Erkun <yangerkun@huawei.com>
+Date: Mon, 21 Oct 2024 22:23:42 +0800
+Subject: SUNRPC: make sure cache entry active before cache_show
+
+From: Yang Erkun <yangerkun@huawei.com>
+
+commit 2862eee078a4d2d1f584e7f24fa50dddfa5f3471 upstream.
+
+The function `c_show` was called with protection from RCU. This only
+ensures that `cp` will not be freed. Therefore, the reference count for
+`cp` can drop to zero, which will trigger a refcount use-after-free
+warning when `cache_get` is called. To resolve this issue, use
+`cache_get_rcu` to ensure that `cp` remains active.
+
+------------[ cut here ]------------
+refcount_t: addition on 0; use-after-free.
+WARNING: CPU: 7 PID: 822 at lib/refcount.c:25
+refcount_warn_saturate+0xb1/0x120
+CPU: 7 UID: 0 PID: 822 Comm: cat Not tainted 6.12.0-rc3+ #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.16.1-2.fc37 04/01/2014
+RIP: 0010:refcount_warn_saturate+0xb1/0x120
+
+Call Trace:
+ <TASK>
+ c_show+0x2fc/0x380 [sunrpc]
+ seq_read_iter+0x589/0x770
+ seq_read+0x1e5/0x270
+ proc_reg_read+0xe1/0x140
+ vfs_read+0x125/0x530
+ ksys_read+0xc1/0x160
+ do_syscall_64+0x5f/0x170
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Cc: stable@vger.kernel.org # v4.20+
+Signed-off-by: Yang Erkun <yangerkun@huawei.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/cache.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -1431,7 +1431,9 @@ static int c_show(struct seq_file *m, vo
+               seq_printf(m, "# expiry=%lld refcnt=%d flags=%lx\n",
+                          convert_to_wallclock(cp->expiry_time),
+                          kref_read(&cp->ref), cp->flags);
+-      cache_get(cp);
++      if (!cache_get_rcu(cp))
++              return 0;
++
+       if (cache_check(cd, cp, NULL))
+               /* cache_check does a cache_put on failure */
+               seq_puts(m, "# ");
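Review bot: The early `return 0` after a failed cache_get_rcu() is silent, and nothing tells the next reader that this is the expected race with a concurrent final cache_put() rather than an error; suggest `/* refcount already hit zero: entry is being freed, skip it */` above the return. Note also that the `# expiry=...` line in the context above is emitted before the check, under whatever condition guards it outside the hunk, so a dying entry can leave that header with no body in the output; whether consumers of the file tolerate that is worth confirming. c_show() starts and ends outside the hunk.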
diff --git a/queue-6.11/ublk-fix-error-code-for-unsupported-command.patch b/queue-6.11/ublk-fix-error-code-for-unsupported-command.patch
new file mode 100644 (file)
index 0000000..801d1ff
--- /dev/null
@@ -0,0 +1,34 @@
+From 34c1227035b3ab930a1ae6ab6f22fec1af8ab09e Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Tue, 19 Nov 2024 11:06:46 +0800
+Subject: ublk: fix error code for unsupported command
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit 34c1227035b3ab930a1ae6ab6f22fec1af8ab09e upstream.
+
+ENOTSUPP is for kernel use only, and shouldn't be sent to userspace.
+
+Fix it by replacing it with EOPNOTSUPP.
+
+Cc: stable@vger.kernel.org
+Fixes: bfbcef036396 ("ublk_drv: move ublk_get_device_from_id into ublk_ctrl_uring_cmd")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20241119030646.2319030-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/ublk_drv.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -2975,7 +2975,7 @@ static int ublk_ctrl_uring_cmd(struct io
+               ret = ublk_ctrl_end_recovery(ub, cmd);
+               break;
+       default:
+-              ret = -ENOTSUPP;
++              ret = -EOPNOTSUPP;
+               break;
+       }