6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 9 May 2025 08:13:38 +0000 (10:13 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 9 May 2025 08:13:38 +0000 (10:13 +0200)
added patches:
arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch
can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch
can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch
dm-add-missing-unlock-on-in-dm_keyslot_evict.patch
ksmbd-fix-uaf-in-__close_file_table_ids.patch
ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch
series

queue-6.1/arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch [new file with mode: 0644]
queue-6.1/can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch [new file with mode: 0644]
queue-6.1/can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch [new file with mode: 0644]
queue-6.1/dm-add-missing-unlock-on-in-dm_keyslot_evict.patch [new file with mode: 0644]
queue-6.1/ksmbd-fix-uaf-in-__close_file_table_ids.patch [new file with mode: 0644]
queue-6.1/ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch [new file with mode: 0644]
queue-6.1/series [new file with mode: 0644]

diff --git a/queue-6.1/arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch b/queue-6.1/arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch
new file mode 100644 (file)
index 0000000..c472e32
--- /dev/null
@@ -0,0 +1,112 @@
+From 5591ce0069ddda97cdbbea596bed53e698f399c2 Mon Sep 17 00:00:00 2001
+From: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
+Date: Thu, 24 Apr 2025 11:59:14 +0200
+Subject: arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2
+
+From: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
+
+commit 5591ce0069ddda97cdbbea596bed53e698f399c2 upstream.
+
+Define vqmmc regulator-gpio for usdhc2 with vin-supply
+coming from LDO5.
+
+Without this definition LDO5 will be powered down, disabling
+SD card after bootup. This has been introduced in commit
+f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5").
+
+Fixes: 6a57f224f734 ("arm64: dts: freescale: add initial support for verdin imx8m mini")
+Fixes: f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5")
+Tested-by: Manuel Traut <manuel.traut@mt.com>
+Reviewed-by: Philippe Schenker <philippe.schenker@impulsing.ch>
+Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi |   25 ++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi
+@@ -144,6 +144,19 @@
+               startup-delay-us = <20000>;
+       };
++      reg_usdhc2_vqmmc: regulator-usdhc2-vqmmc {
++              compatible = "regulator-gpio";
++              pinctrl-names = "default";
++              pinctrl-0 = <&pinctrl_usdhc2_vsel>;
++              gpios = <&gpio1 4 GPIO_ACTIVE_HIGH>;
++              regulator-max-microvolt = <3300000>;
++              regulator-min-microvolt = <1800000>;
++              states = <1800000 0x1>,
++                       <3300000 0x0>;
++              regulator-name = "PMIC_USDHC_VSELECT";
++              vin-supply = <&reg_nvcc_sd>;
++      };
++
+       reserved-memory {
+               #address-cells = <2>;
+               #size-cells = <2>;
+@@ -262,7 +275,7 @@
+                         "SODIMM_19",
+                         "",
+                         "",
+-                        "",
++                        "PMIC_USDHC_VSELECT",
+                         "",
+                         "",
+                         "",
+@@ -788,6 +801,7 @@
+       pinctrl-2 = <&pinctrl_usdhc2_200mhz>, <&pinctrl_usdhc2_cd>;
+       pinctrl-3 = <&pinctrl_usdhc2_sleep>, <&pinctrl_usdhc2_cd_sleep>;
+       vmmc-supply = <&reg_usdhc2_vmmc>;
++      vqmmc-supply = <&reg_usdhc2_vqmmc>;
+ };
+ &wdog1 {
+@@ -1210,13 +1224,17 @@
+                       <MX8MM_IOMUXC_NAND_CLE_GPIO3_IO5                0x6>;   /* SODIMM 76 */
+       };
++      pinctrl_usdhc2_vsel: usdhc2vselgrp {
++              fsl,pins =
++                      <MX8MM_IOMUXC_GPIO1_IO04_GPIO1_IO4      0x10>; /* PMIC_USDHC_VSELECT */
++      };
++
+       /*
+        * Note: Due to ERR050080 we use discrete external on-module resistors pulling-up to the
+        * on-module +V3.3_1.8_SD (LDO5) rail and explicitly disable the internal pull-ups here.
+        */
+       pinctrl_usdhc2: usdhc2grp {
+               fsl,pins =
+-                      <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT         0x10>,
+                       <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK                0x90>,  /* SODIMM 78 */
+                       <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD                0x90>,  /* SODIMM 74 */
+                       <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0            0x90>,  /* SODIMM 80 */
+@@ -1227,7 +1245,6 @@
+       pinctrl_usdhc2_100mhz: usdhc2-100mhzgrp {
+               fsl,pins =
+-                      <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT         0x10>,
+                       <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK                0x94>,
+                       <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD                0x94>,
+                       <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0            0x94>,
+@@ -1238,7 +1255,6 @@
+       pinctrl_usdhc2_200mhz: usdhc2-200mhzgrp {
+               fsl,pins =
+-                      <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT         0x10>,
+                       <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK                0x96>,
+                       <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD                0x96>,
+                       <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0            0x96>,
+@@ -1250,7 +1266,6 @@
+       /* Avoid backfeeding with removed card power */
+       pinctrl_usdhc2_sleep: usdhc2slpgrp {
+               fsl,pins =
+-                      <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT         0x0>,
+                       <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK                0x0>,
+                       <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD                0x0>,
+                       <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0            0x0>,
diff --git a/queue-6.1/can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch b/queue-6.1/can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch
new file mode 100644 (file)
index 0000000..106344a
--- /dev/null
@@ -0,0 +1,45 @@
+From 0713a1b3276b98c7dafbeefef00d7bc3a9119a84 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Fri, 2 May 2025 16:13:46 +0200
+Subject: can: mcan: m_can_class_unregister(): fix order of unregistration calls
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 0713a1b3276b98c7dafbeefef00d7bc3a9119a84 upstream.
+
+If a driver is removed, the driver framework invokes the driver's
+remove callback. A CAN driver's remove function calls
+unregister_candev(), which calls net_device_ops::ndo_stop further down
+in the call stack for interfaces which are in the "up" state.
+
+The removal of the module causes a warning, as can_rx_offload_del()
+deletes the NAPI, while it is still active, because the interface is
+still up.
+
+To fix the warning, first unregister the network interface, which
+calls net_device_ops::ndo_stop, which disables the NAPI, and then call
+can_rx_offload_del().
+
+Fixes: 1be37d3b0414 ("can: m_can: fix periph RX path: use rx-offload to ensure skbs are sent from softirq context")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250502-can-rx-offload-del-v1-3-59a9b131589d@pengutronix.de
+Reviewed-by: Markus Schneider-Pargmann <msp@baylibre.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/m_can/m_can.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -2047,9 +2047,9 @@ EXPORT_SYMBOL_GPL(m_can_class_register);
+ void m_can_class_unregister(struct m_can_classdev *cdev)
+ {
++      unregister_candev(cdev->net);
+       if (cdev->is_peripheral)
+               can_rx_offload_del(&cdev->offload);
+-      unregister_candev(cdev->net);
+ }
+ EXPORT_SYMBOL_GPL(m_can_class_unregister);
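Review bot: Nothing in m_can_class_unregister() records that `unregister_candev(cdev->net)` must run before `can_rx_offload_del(&cdev->offload)`, and the same is true of mcp251xfd_remove() in the next patch, where `mcp251xfd_unregister(priv)` now precedes `can_rx_offload_del(&priv->offload)`. A one-line comment above the first call, such as `/* unregister first: ndo_stop disables NAPI before can_rx_offload_del() deletes it */`, would keep a later cleanup from restoring the old order. Since the same ordering mistake appears in two drivers here, other callers of can_rx_offload_del() in remove paths are probably worth auditing for it.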
diff --git a/queue-6.1/can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch b/queue-6.1/can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch
new file mode 100644 (file)
index 0000000..4f5e647
--- /dev/null
@@ -0,0 +1,47 @@
+From 84f5eb833f53ae192baed4cfb8d9eaab43481fc9 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Fri, 2 May 2025 16:13:44 +0200
+Subject: can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 84f5eb833f53ae192baed4cfb8d9eaab43481fc9 upstream.
+
+If a driver is removed, the driver framework invokes the driver's
+remove callback. A CAN driver's remove function calls
+unregister_candev(), which calls net_device_ops::ndo_stop further down
+in the call stack for interfaces which are in the "up" state.
+
+With the mcp251xfd driver the removal of the module causes the
+following warning:
+
+| WARNING: CPU: 0 PID: 352 at net/core/dev.c:7342 __netif_napi_del_locked+0xc8/0xd8
+
+as can_rx_offload_del() deletes the NAPI, while it is still active,
+because the interface is still up.
+
+To fix the warning, first unregister the network interface, which
+calls net_device_ops::ndo_stop, which disables the NAPI, and then call
+can_rx_offload_del().
+
+Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250502-can-rx-offload-del-v1-1-59a9b131589d@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
+@@ -2179,8 +2179,8 @@ static void mcp251xfd_remove(struct spi_
+       struct mcp251xfd_priv *priv = spi_get_drvdata(spi);
+       struct net_device *ndev = priv->ndev;
+-      can_rx_offload_del(&priv->offload);
+       mcp251xfd_unregister(priv);
++      can_rx_offload_del(&priv->offload);
+       spi->max_speed_hz = priv->spi_max_speed_hz_orig;
+       free_candev(ndev);
+ }
diff --git a/queue-6.1/dm-add-missing-unlock-on-in-dm_keyslot_evict.patch b/queue-6.1/dm-add-missing-unlock-on-in-dm_keyslot_evict.patch
new file mode 100644 (file)
index 0000000..28a2940
--- /dev/null
@@ -0,0 +1,40 @@
+From 650266ac4c7230c89bcd1307acf5c9c92cfa85e2 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Wed, 30 Apr 2025 11:05:54 +0300
+Subject: dm: add missing unlock on in dm_keyslot_evict()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 650266ac4c7230c89bcd1307acf5c9c92cfa85e2 upstream.
+
+We need to call dm_put_live_table() even if dm_get_live_table() returns
+NULL.
+
+Fixes: 9355a9eb21a5 ("dm: support key eviction from keyslot managers of underlying devices")
+Cc: stable@vger.kernel.org     # v5.12+
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-table.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -1243,7 +1243,7 @@ static int dm_keyslot_evict(struct blk_c
+       t = dm_get_live_table(md, &srcu_idx);
+       if (!t)
+-              return 0;
++              goto put_live_table;
+       for (unsigned int i = 0; i < t->num_targets; i++) {
+               struct dm_target *ti = dm_table_get_target(t, i);
+@@ -1254,6 +1254,7 @@ static int dm_keyslot_evict(struct blk_c
+                                         (void *)key);
+       }
++put_live_table:
+       dm_put_live_table(md, srcu_idx);
+       return 0;
+ }
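Review bot: The new `goto put_live_table;` branch relies on dm_get_live_table() having entered its read-side section even when it returns NULL, which the commit message states but the call site does not show. A short comment on the `if (!t)` branch, for example `/* the live-table read lock is held even when no table exists */`, would stop the branch from being simplified back into an early `return 0;` and reintroducing the missing unlock. dm_keyslot_evict() begins outside the hunk, so any other early returns between the get and the put could not be checked from here.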
diff --git a/queue-6.1/ksmbd-fix-uaf-in-__close_file_table_ids.patch b/queue-6.1/ksmbd-fix-uaf-in-__close_file_table_ids.patch
new file mode 100644 (file)
index 0000000..e0b2ef6
--- /dev/null
@@ -0,0 +1,79 @@
+From 36991c1ccde2d5a521577c448ffe07fcccfe104d Mon Sep 17 00:00:00 2001
+From: Sean Heelan <seanheelan@gmail.com>
+Date: Tue, 6 May 2025 22:04:52 +0900
+Subject: ksmbd: Fix UAF in __close_file_table_ids
+
+From: Sean Heelan <seanheelan@gmail.com>
+
+commit 36991c1ccde2d5a521577c448ffe07fcccfe104d upstream.
+
+A use-after-free is possible if one thread destroys the file
+via __ksmbd_close_fd while another thread holds a reference to
+it. The existing checks on fp->refcount are not sufficient to
+prevent this.
+
+The fix takes ft->lock around the section which removes the
+file from the file table. This prevents two threads acquiring the
+same file pointer via __close_file_table_ids, as well as the other
+functions which retrieve a file from the IDR and which already use
+this same lock.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Heelan <seanheelan@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/vfs_cache.c |   33 ++++++++++++++++++++++++++-------
+ 1 file changed, 26 insertions(+), 7 deletions(-)
+
+--- a/fs/smb/server/vfs_cache.c
++++ b/fs/smb/server/vfs_cache.c
+@@ -620,21 +620,40 @@ __close_file_table_ids(struct ksmbd_file
+                      bool (*skip)(struct ksmbd_tree_connect *tcon,
+                                   struct ksmbd_file *fp))
+ {
+-      unsigned int                    id;
+-      struct ksmbd_file               *fp;
+-      int                             num = 0;
++      struct ksmbd_file *fp;
++      unsigned int id = 0;
++      int num = 0;
+-      idr_for_each_entry(ft->idr, fp, id) {
+-              if (skip(tcon, fp))
++      while (1) {
++              write_lock(&ft->lock);
++              fp = idr_get_next(ft->idr, &id);
++              if (!fp) {
++                      write_unlock(&ft->lock);
++                      break;
++              }
++
++              if (skip(tcon, fp) ||
++                  !atomic_dec_and_test(&fp->refcount)) {
++                      id++;
++                      write_unlock(&ft->lock);
+                       continue;
++              }
+               set_close_state_blocked_works(fp);
++              idr_remove(ft->idr, fp->volatile_id);
++              fp->volatile_id = KSMBD_NO_FID;
++              write_unlock(&ft->lock);
++
++              down_write(&fp->f_ci->m_lock);
++              list_del_init(&fp->node);
++              up_write(&fp->f_ci->m_lock);
+-              if (!atomic_dec_and_test(&fp->refcount))
+-                      continue;
+               __ksmbd_close_fd(ft, fp);
++
+               num++;
++              id++;
+       }
++
+       return num;
+ }
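Review bot: In the rewritten loop, `skip(tcon, fp)` and `set_close_state_blocked_works(fp)` now run with `write_lock(&ft->lock)` held, so every callback passed as `skip` must neither sleep nor take `ft->lock` itself. Those callbacks are defined outside this hunk, so the constraint should be verified and written down, for example as `/* ft->lock is held across skip(): callbacks must not sleep or re-take ft->lock */` above the loop. The loop also removes the entry from the IDR, sets `fp->volatile_id = KSMBD_NO_FID` and does `list_del_init(&fp->node)` before calling `__ksmbd_close_fd(ft, fp)`. It is worth confirming that the close path tolerates an already-unlinked file and does not repeat either removal unguarded.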
diff --git a/queue-6.1/ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch b/queue-6.1/ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch
new file mode 100644 (file)
index 0000000..1fd0a6b
--- /dev/null
@@ -0,0 +1,42 @@
+From 0ca6df4f40cf4c32487944aaf48319cb6c25accc Mon Sep 17 00:00:00 2001
+From: Norbert Szetei <norbert@doyensec.com>
+Date: Fri, 2 May 2025 08:21:58 +0900
+Subject: ksmbd: prevent out-of-bounds stream writes by validating *pos
+
+From: Norbert Szetei <norbert@doyensec.com>
+
+commit 0ca6df4f40cf4c32487944aaf48319cb6c25accc upstream.
+
+ksmbd_vfs_stream_write() did not validate whether the write offset
+(*pos) was within the bounds of the existing stream data length (v_len).
+If *pos was greater than or equal to v_len, this could lead to an
+out-of-bounds memory write.
+
+This patch adds a check to ensure *pos is less than v_len before
+proceeding. If the condition fails, -EINVAL is returned.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Norbert Szetei <norbert@doyensec.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/vfs.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -440,6 +440,13 @@ static int ksmbd_vfs_stream_write(struct
+               goto out;
+       }
++      if (v_len <= *pos) {
++              pr_err("stream write position %lld is out of bounds (stream length: %zd)\n",
++                              *pos, v_len);
++              err = -EINVAL;
++              goto out;
++      }
++
+       if (v_len < size) {
+               wbuf = kvzalloc(size, GFP_KERNEL);
+               if (!wbuf) {
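Review bot: The added guard `if (v_len <= *pos)` in ksmbd_vfs_stream_write() also rejects a write at offset 0 to a stream that has no data yet (`v_len == 0`, `*pos == 0`), and any write that starts exactly at the current end, so first writes and appends would presumably fail with -EINVAL. Whether `v_len` can be 0 at this point depends on the read above the hunk, so this needs checking against the full function. If such writes are meant to succeed, the bound should be on the resulting size that the `kvzalloc(size, GFP_KERNEL)` branch just below allocates for, not on the old length. The condition is also reachable from a remote SMB client, so the unthrottled `pr_err(...)` lets a client flood the kernel log; `pr_err_ratelimited(...)` with the same arguments would avoid that. The function starts and ends outside the hunk.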
diff --git a/queue-6.1/series b/queue-6.1/series
new file mode 100644 (file)
index 0000000..0ca5d2e
--- /dev/null
@@ -0,0 +1,6 @@
+dm-add-missing-unlock-on-in-dm_keyslot_evict.patch
+arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch
+can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch
+can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch
+ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch
+ksmbd-fix-uaf-in-__close_file_table_ids.patch