From: Greg Kroah-Hartman Date: Fri, 9 May 2025 08:13:38 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v5.15.183~83 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e7cec1c812fa9856056578022214c88ca006c444;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch dm-add-missing-unlock-on-in-dm_keyslot_evict.patch ksmbd-fix-uaf-in-__close_file_table_ids.patch ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch series
---
diff --git a/queue-6.1/arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch b/queue-6.1/arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch
new file mode 100644
index 0000000000..c472e3256e
--- /dev/null
+++ b/queue-6.1/arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch
@@ -0,0 +1,112 @@
+From 5591ce0069ddda97cdbbea596bed53e698f399c2 Mon Sep 17 00:00:00 2001
+From: Wojciech Dubowik
+Date: Thu, 24 Apr 2025 11:59:14 +0200
+Subject: arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2
+
+From: Wojciech Dubowik
+
+commit 5591ce0069ddda97cdbbea596bed53e698f399c2 upstream.
+
+Define vqmmc regulator-gpio for usdhc2 with vin-supply
+coming from LDO5.
+
+Without this definition LDO5 will be powered down, disabling
+SD card after bootup. This has been introduced in commit
+f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5").
+
+Fixes: 6a57f224f734 ("arm64: dts: freescale: add initial support for verdin imx8m mini")
+Fixes: f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5")
+Tested-by: Manuel Traut
+Reviewed-by: Philippe Schenker
+Tested-by: Francesco Dolcini
+Reviewed-by: Francesco Dolcini
+Cc: stable@vger.kernel.org
+Signed-off-by: Wojciech Dubowik
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 ++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi
+@@ -144,6 +144,19 @@
+ startup-delay-us = <20000>;
+ };
+
++ reg_usdhc2_vqmmc: regulator-usdhc2-vqmmc {
++ compatible = "regulator-gpio";
++ pinctrl-names = "default";
++ pinctrl-0 = <&pinctrl_usdhc2_vsel>;
++ gpios = <&gpio1 4 GPIO_ACTIVE_HIGH>;
++ regulator-max-microvolt = <3300000>;
++ regulator-min-microvolt = <1800000>;
++ states = <1800000 0x1>,
++ <3300000 0x0>;
++ regulator-name = "PMIC_USDHC_VSELECT";
++ vin-supply = <®_nvcc_sd>;
++ };
++
+ reserved-memory {
+ #address-cells = <2>;
+ #size-cells = <2>;
+@@ -262,7 +275,7 @@
+ "SODIMM_19",
+ "",
+ "",
+- "",
++ "PMIC_USDHC_VSELECT",
+ "",
+ "",
+ "",
+@@ -788,6 +801,7 @@
+ pinctrl-2 = <&pinctrl_usdhc2_200mhz>, <&pinctrl_usdhc2_cd>;
+ pinctrl-3 = <&pinctrl_usdhc2_sleep>, <&pinctrl_usdhc2_cd_sleep>;
+ vmmc-supply = <®_usdhc2_vmmc>;
++ vqmmc-supply = <®_usdhc2_vqmmc>;
+ };
+
+ &wdog1 {
+@@ -1210,13 +1224,17 @@
+ ; /* SODIMM 76 */
+ };
+
++ pinctrl_usdhc2_vsel: usdhc2vselgrp {
++ fsl,pins =
++ ; /* PMIC_USDHC_VSELECT */
++ };
++
+ /*
+ * Note: Due to ERR050080 we use discrete external on-module resistors pulling-up to the
+ * on-module +V3.3_1.8_SD (LDO5) rail and explicitly disable the internal pull-ups here.
+ */
+ pinctrl_usdhc2: usdhc2grp {
+ fsl,pins =
+- ,
+ , /* SODIMM 78 */
+ , /* SODIMM 74 */
+ , /* SODIMM 80 */
+@@ -1227,7 +1245,6 @@
+
+ pinctrl_usdhc2_100mhz: usdhc2-100mhzgrp {
+ fsl,pins =
+- ,
+ ,
+ ,
+ ,
+@@ -1238,7 +1255,6 @@
+
+ pinctrl_usdhc2_200mhz: usdhc2-200mhzgrp {
+ fsl,pins =
+- ,
+ ,
+ ,
+ ,
+@@ -1250,7 +1266,6 @@
+ /* Avoid backfeeding with removed card power */
+ pinctrl_usdhc2_sleep: usdhc2slpgrp {
+ fsl,pins =
+- ,
+ ,
+ ,
+ ,
diff --git a/queue-6.1/can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch b/queue-6.1/can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch
new file mode 100644
index 0000000000..106344a562
--- /dev/null
+++ b/queue-6.1/can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch
@@ -0,0 +1,45 @@
+From 0713a1b3276b98c7dafbeefef00d7bc3a9119a84 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Fri, 2 May 2025 16:13:46 +0200
+Subject: can: mcan: m_can_class_unregister(): fix order of unregistration calls
+
+From: Marc Kleine-Budde
+
+commit 0713a1b3276b98c7dafbeefef00d7bc3a9119a84 upstream.
+
+If a driver is removed, the driver framework invokes the driver's
+remove callback. A CAN driver's remove function calls
+unregister_candev(), which calls net_device_ops::ndo_stop further down
+in the call stack for interfaces which are in the "up" state.
+
+The removal of the module causes a warning, as can_rx_offload_del()
+deletes the NAPI, while it is still active, because the interface is
+still up.
+
+To fix the warning, first unregister the network interface, which
+calls net_device_ops::ndo_stop, which disables the NAPI, and then call
+can_rx_offload_del().
+
+Fixes: 1be37d3b0414 ("can: m_can: fix periph RX path: use rx-offload to ensure skbs are sent from softirq context")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250502-can-rx-offload-del-v1-3-59a9b131589d@pengutronix.de
+Reviewed-by: Markus Schneider-Pargmann
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/m_can/m_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -2047,9 +2047,9 @@ EXPORT_SYMBOL_GPL(m_can_class_register);
+
+ void m_can_class_unregister(struct m_can_classdev *cdev)
+ {
++ unregister_candev(cdev->net);
+ if (cdev->is_peripheral)
+ can_rx_offload_del(&cdev->offload);
+- unregister_candev(cdev->net);
+ }
+ EXPORT_SYMBOL_GPL(m_can_class_unregister);
+
diff --git a/queue-6.1/can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch b/queue-6.1/can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch
new file mode 100644
index 0000000000..4f5e6475e8
--- /dev/null
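Review bot: The call order in m_can_class_unregister() is now load-bearing but nothing in the code records why, and the same applies to mcp251xfd_remove() in the next patch of this queue. A one-line comment above the first call would keep a later cleanup from swapping the calls back, e.g. `/* unregister first: ndo_stop must disable NAPI before can_rx_offload_del() */`. The description covers only the remove path; whether the error paths of the matching register/probe functions tear down in the same order cannot be seen from these hunks and is worth a look.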
+++ b/queue-6.1/can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch
@@ -0,0 +1,47 @@
+From 84f5eb833f53ae192baed4cfb8d9eaab43481fc9 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Fri, 2 May 2025 16:13:44 +0200
+Subject: can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls
+
+From: Marc Kleine-Budde
+
+commit 84f5eb833f53ae192baed4cfb8d9eaab43481fc9 upstream.
+
+If a driver is removed, the driver framework invokes the driver's
+remove callback. A CAN driver's remove function calls
+unregister_candev(), which calls net_device_ops::ndo_stop further down
+in the call stack for interfaces which are in the "up" state.
+
+With the mcp251xfd driver the removal of the module causes the
+following warning:
+
+| WARNING: CPU: 0 PID: 352 at net/core/dev.c:7342 __netif_napi_del_locked+0xc8/0xd8
+
+as can_rx_offload_del() deletes the NAPI, while it is still active,
+because the interface is still up.
+
+To fix the warning, first unregister the network interface, which
+calls net_device_ops::ndo_stop, which disables the NAPI, and then call
+can_rx_offload_del().
+
+Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250502-can-rx-offload-del-v1-1-59a9b131589d@pengutronix.de
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
+@@ -2179,8 +2179,8 @@ static void mcp251xfd_remove(struct spi_
+ struct mcp251xfd_priv *priv = spi_get_drvdata(spi);
+ struct net_device *ndev = priv->ndev;
+
+- can_rx_offload_del(&priv->offload);
+ mcp251xfd_unregister(priv);
++ can_rx_offload_del(&priv->offload);
+ spi->max_speed_hz = priv->spi_max_speed_hz_orig;
+ free_candev(ndev);
+ }
diff --git a/queue-6.1/dm-add-missing-unlock-on-in-dm_keyslot_evict.patch b/queue-6.1/dm-add-missing-unlock-on-in-dm_keyslot_evict.patch
new file mode 100644
index 0000000000..28a2940b6e
--- /dev/null
+++ b/queue-6.1/dm-add-missing-unlock-on-in-dm_keyslot_evict.patch
@@ -0,0 +1,40 @@
+From 650266ac4c7230c89bcd1307acf5c9c92cfa85e2 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 30 Apr 2025 11:05:54 +0300
+Subject: dm: add missing unlock on in dm_keyslot_evict()
+
+From: Dan Carpenter
+
+commit 650266ac4c7230c89bcd1307acf5c9c92cfa85e2 upstream.
+
+We need to call dm_put_live_table() even if dm_get_live_table() returns
+NULL.
+
+Fixes: 9355a9eb21a5 ("dm: support key eviction from keyslot managers of underlying devices")
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Dan Carpenter
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-table.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -1243,7 +1243,7 @@ static int dm_keyslot_evict(struct blk_c
+
+ t = dm_get_live_table(md, &srcu_idx);
+ if (!t)
+- return 0;
++ goto put_live_table;
+
+ for (unsigned int i = 0; i < t->num_targets; i++) {
+ struct dm_target *ti = dm_table_get_target(t, i);
+@@ -1254,6 +1254,7 @@ static int dm_keyslot_evict(struct blk_c
+ (void *)key);
+ }
+
++put_live_table:
+ dm_put_live_table(md, srcu_idx);
+ return 0;
+ }
diff --git a/queue-6.1/ksmbd-fix-uaf-in-__close_file_table_ids.patch b/queue-6.1/ksmbd-fix-uaf-in-__close_file_table_ids.patch
new file mode 100644
index 0000000000..e0b2ef6403
--- /dev/null
+++ b/queue-6.1/ksmbd-fix-uaf-in-__close_file_table_ids.patch
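Review bot: The `goto put_live_table` on the `!t` branch of dm_keyslot_evict() reads as a mistake to anyone who does not know that the get must be paired with a put even when no table comes back, and nothing at the call site says so. A comment on the branch would stop a later "simplification" back to `return 0;`, e.g. `/* dm_get_live_table() must be balanced by dm_put_live_table() even when it returns NULL */`. Because the label only skips the loop, wrapping the loop in `if (t) { ... }` would give the same single exit without the goto. The function starts outside the hunk, so the lock dm_get_live_table() takes is inferred from the description and the `srcu_idx` argument, not seen.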
@@ -0,0 +1,79 @@
+From 36991c1ccde2d5a521577c448ffe07fcccfe104d Mon Sep 17 00:00:00 2001
+From: Sean Heelan
+Date: Tue, 6 May 2025 22:04:52 +0900
+Subject: ksmbd: Fix UAF in __close_file_table_ids
+
+From: Sean Heelan
+
+commit 36991c1ccde2d5a521577c448ffe07fcccfe104d upstream.
+
+A use-after-free is possible if one thread destroys the file
+via __ksmbd_close_fd while another thread holds a reference to
+it. The existing checks on fp->refcount are not sufficient to
+prevent this.
+
+The fix takes ft->lock around the section which removes the
+file from the file table. This prevents two threads acquiring the
+same file pointer via __close_file_table_ids, as well as the other
+functions which retrieve a file from the IDR and which already use
+this same lock.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Heelan
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/vfs_cache.c | 33 ++++++++++++++++++++++++++-------
+ 1 file changed, 26 insertions(+), 7 deletions(-)
+
+--- a/fs/smb/server/vfs_cache.c
++++ b/fs/smb/server/vfs_cache.c
+@@ -620,21 +620,40 @@ __close_file_table_ids(struct ksmbd_file
+ bool (*skip)(struct ksmbd_tree_connect *tcon,
+ struct ksmbd_file *fp))
+ {
+- unsigned int id;
+- struct ksmbd_file *fp;
+- int num = 0;
++ struct ksmbd_file *fp;
++ unsigned int id = 0;
++ int num = 0;
+
+- idr_for_each_entry(ft->idr, fp, id) {
+- if (skip(tcon, fp))
++ while (1) {
++ write_lock(&ft->lock);
++ fp = idr_get_next(ft->idr, &id);
++ if (!fp) {
++ write_unlock(&ft->lock);
++ break;
++ }
++
++ if (skip(tcon, fp) ||
++ !atomic_dec_and_test(&fp->refcount)) {
++ id++;
++ write_unlock(&ft->lock);
+ continue;
++ }
+
+ set_close_state_blocked_works(fp);
++ idr_remove(ft->idr, fp->volatile_id);
++ fp->volatile_id = KSMBD_NO_FID;
++ write_unlock(&ft->lock);
++
++ down_write(&fp->f_ci->m_lock);
++ list_del_init(&fp->node);
++ up_write(&fp->f_ci->m_lock);
+
+- if (!atomic_dec_and_test(&fp->refcount))
+- continue;
+ __ksmbd_close_fd(ft, fp);
+
+ num++;
++ id++;
+ }
+
+ return num;
+ }
+
diff --git a/queue-6.1/ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch b/queue-6.1/ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch
new file mode 100644
index 0000000000..1fd0a6b4fa
--- /dev/null
+++ b/queue-6.1/ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch
@@ -0,0 +1,42 @@
+From 0ca6df4f40cf4c32487944aaf48319cb6c25accc Mon Sep 17 00:00:00 2001
+From: Norbert Szetei
+Date: Fri, 2 May 2025 08:21:58 +0900
+Subject: ksmbd: prevent out-of-bounds stream writes by validating *pos
+
+From: Norbert Szetei
+
+commit 0ca6df4f40cf4c32487944aaf48319cb6c25accc upstream.
+
+ksmbd_vfs_stream_write() did not validate whether the write offset
+(*pos) was within the bounds of the existing stream data length (v_len).
+If *pos was greater than or equal to v_len, this could lead to an
+out-of-bounds memory write.
+
+This patch adds a check to ensure *pos is less than v_len before
+proceeding. If the condition fails, -EINVAL is returned.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Norbert Szetei
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/vfs.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -440,6 +440,13 @@ static int ksmbd_vfs_stream_write(struct
+ goto out;
+ }
+
++ if (v_len <= *pos) {
++ pr_err("stream write position %lld is out of bounds (stream length: %zd)\n",
++ *pos, v_len);
++ err = -EINVAL;
++ goto out;
++ }
++
+ if (v_len < size) {
+ wbuf = kvzalloc(size, GFP_KERNEL);
+ if (!wbuf) {
diff --git a/queue-6.1/series b/queue-6.1/series
new file mode 100644
index 0000000000..0ca5d2ebaa
--- /dev/null
+++ b/queue-6.1/series
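Review bot: In the rewritten loop of __close_file_table_ids(), `skip(tcon, fp)` and set_close_state_blocked_works() both run between `write_lock(&ft->lock)` and `write_unlock(&ft->lock)`, so neither may sleep; the callbacks passed as `skip` and the helper are defined outside the hunk and should be checked against that. A comment above the loop would record the constraint for future callers, e.g. `/* skip() is called with ft->lock write-held and must not sleep */`. The ordering also changed: set_close_state_blocked_works() used to run for every non-skipped file before the refcount test and now runs only once `atomic_dec_and_test()` reaches zero, which the description does not mention; presumably intended, but worth confirming for files that another thread still references. The function signature begins outside the hunk.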
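Review bot: The new guard `if (v_len <= *pos)` in ksmbd_vfs_stream_write() also rejects `*pos == v_len`, so a write that starts exactly at the current end of the stream fails with -EINVAL, as does any write to a stream whose existing length is 0. The context right below it (`if (v_len < size) { wbuf = kvzalloc(size, GFP_KERNEL);`) grows the buffer to `size`, which suggests extending writes are meant to work; how `size` is derived from `*pos` lies outside the hunk, so confirm which bound actually protects the copy. If the enlarged buffer always covers `*pos`, the check would be better expressed against `size` than against `v_len`. Separately, this `pr_err()` is reachable from client-chosen offsets, so `pr_err_ratelimited()` would keep one client from flooding the kernel log.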
@@ -0,0 +1,6 @@
+dm-add-missing-unlock-on-in-dm_keyslot_evict.patch
+arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch
+can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch
+can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch
+ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch
+ksmbd-fix-uaf-in-__close_file_table_ids.patch