From ed14a808d02a87aa5f183125e2294f8320745821 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 28 Dec 2022 15:35:23 +0100 Subject: [PATCH] 6.0-stable patches added patches: cifs-fix-double-fault-crash-during-ntlmssp.patch cifs-fix-memory-leaks-in-session-setup.patch cifs-fix-use-after-free-on-the-link-name.patch cifs-fix-xid-leak-in-cifs_get_file_info_unix.patch clk-renesas-r8a779f0-fix-sd0h-clock-name.patch extcon-usbc-tusb320-call-the-type-c-irq-handler-only-if-a-port-is-registered.patch --- ...ix-double-fault-crash-during-ntlmssp.patch | 52 ++++++ ...fs-fix-memory-leaks-in-session-setup.patch | 108 +++++++++++++ ...-fix-use-after-free-on-the-link-name.patch | 151 ++++++++++++++++++ ...-xid-leak-in-cifs_get_file_info_unix.patch | 36 +++++ ...renesas-r8a779f0-fix-sd0h-clock-name.patch | 31 ++++ ...handler-only-if-a-port-is-registered.patch | 42 +++++ queue-6.0/series | 6 + 7 files changed, 426 insertions(+) create mode 100644 queue-6.0/cifs-fix-double-fault-crash-during-ntlmssp.patch create mode 100644 queue-6.0/cifs-fix-memory-leaks-in-session-setup.patch create mode 100644 queue-6.0/cifs-fix-use-after-free-on-the-link-name.patch create mode 100644 queue-6.0/cifs-fix-xid-leak-in-cifs_get_file_info_unix.patch create mode 100644 queue-6.0/clk-renesas-r8a779f0-fix-sd0h-clock-name.patch create mode 100644 queue-6.0/extcon-usbc-tusb320-call-the-type-c-irq-handler-only-if-a-port-is-registered.patch diff --git a/queue-6.0/cifs-fix-double-fault-crash-during-ntlmssp.patch b/queue-6.0/cifs-fix-double-fault-crash-during-ntlmssp.patch new file mode 100644 index 00000000000..0f0226e627b --- /dev/null +++ b/queue-6.0/cifs-fix-double-fault-crash-during-ntlmssp.patch @@ -0,0 +1,52 @@ +From b854b4ee66437e6e1622fda90529c814978cb4ca Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Fri, 14 Oct 2022 17:14:54 -0300 +Subject: cifs: fix double-fault crash during ntlmssp + +From: Paulo Alcantara + +commit b854b4ee66437e6e1622fda90529c814978cb4ca upstream. + +The crash occurred because we were calling memzero_explicit() on an +already freed sess_data::iov[1] (ntlmsspblob) in sess_free_buffer(). + +Fix this by not calling memzero_explicit() on sess_data::iov[1] as +it's already by handled by callers. + +Fixes: a4e430c8c8ba ("cifs: replace kfree() with kfree_sensitive() for sensitive data") +Reviewed-by: Enzo Matsumiya +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/sess.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/fs/cifs/sess.c ++++ b/fs/cifs/sess.c +@@ -1214,16 +1214,18 @@ out_free_smb_buf: + static void + sess_free_buffer(struct sess_data *sess_data) + { +- int i; ++ struct kvec *iov = sess_data->iov; + +- /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */ +- for (i = 0; i < 3; i++) +- if (sess_data->iov[i].iov_base) +- memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len); ++ /* ++ * Zero the session data before freeing, as it might contain sensitive info (keys, etc). ++ * Note that iov[1] is already freed by caller. ++ */ ++ if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base) ++ memzero_explicit(iov[0].iov_base, iov[0].iov_len); + +- free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base); ++ free_rsp_buf(sess_data->buf0_type, iov[0].iov_base); + sess_data->buf0_type = CIFS_NO_BUFFER; +- kfree(sess_data->iov[2].iov_base); ++ kfree_sensitive(iov[2].iov_base); + } + + static int diff --git a/queue-6.0/cifs-fix-memory-leaks-in-session-setup.patch b/queue-6.0/cifs-fix-memory-leaks-in-session-setup.patch new file mode 100644 index 00000000000..141e7558eb0 --- /dev/null +++ b/queue-6.0/cifs-fix-memory-leaks-in-session-setup.patch @@ -0,0 +1,108 @@ +From 01f2ee7e325611524078009d70392a5d5eca0945 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Wed, 19 Oct 2022 11:25:37 -0300 +Subject: cifs: fix memory leaks in session setup + +From: Paulo Alcantara + +commit 01f2ee7e325611524078009d70392a5d5eca0945 upstream. + +We were only zeroing out the ntlmssp blob but forgot to free the +allocated buffer in the end of SMB2_sess_auth_rawntlmssp_negotiate() +and SMB2_sess_auth_rawntlmssp_authenticate() functions. + +This fixes below kmemleak reports: + +unreferenced object 0xffff88800ddcfc60 (size 96): + comm "mount.cifs", pid 758, jiffies 4294696066 (age 42.967s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000d0beeb29>] __kmalloc+0x39/0xa0 + [<00000000e3834047>] build_ntlmssp_smb3_negotiate_blob+0x2c/0x110 [cifs] + [<00000000e85f5ab2>] SMB2_sess_auth_rawntlmssp_negotiate+0xd3/0x230 [cifs] + [<0000000080fdb897>] SMB2_sess_setup+0x16c/0x2a0 [cifs] + [<000000009af320a8>] cifs_setup_session+0x13b/0x370 [cifs] + [<00000000f15d5982>] cifs_get_smb_ses+0x643/0xb90 [cifs] + [<00000000fe15eb90>] mount_get_conns+0x63/0x3e0 [cifs] + [<00000000768aba03>] mount_get_dfs_conns+0x16/0xa0 [cifs] + [<00000000cf1cf146>] cifs_mount+0x1c2/0x9a0 [cifs] + [<000000000d66b51e>] cifs_smb3_do_mount+0x10e/0x710 [cifs] + [<0000000077a996c5>] smb3_get_tree+0xf4/0x200 [cifs] + [<0000000094dbd041>] vfs_get_tree+0x23/0xc0 + [<000000003a8561de>] path_mount+0x2d3/0xb50 + [<00000000ed5c86d6>] __x64_sys_mount+0x102/0x140 + [<00000000142142f3>] do_syscall_64+0x3b/0x90 + [<00000000e2b89731>] entry_SYSCALL_64_after_hwframe+0x63/0xcd +unreferenced object 0xffff88801437f000 (size 512): + comm "mount.cifs", pid 758, jiffies 4294696067 (age 42.970s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000d0beeb29>] __kmalloc+0x39/0xa0 + [<00000000004f53d2>] build_ntlmssp_auth_blob+0x4f/0x340 [cifs] + [<000000005f333084>] SMB2_sess_auth_rawntlmssp_authenticate+0xd4/0x250 [cifs] + [<0000000080fdb897>] SMB2_sess_setup+0x16c/0x2a0 [cifs] + [<000000009af320a8>] cifs_setup_session+0x13b/0x370 [cifs] + [<00000000f15d5982>] cifs_get_smb_ses+0x643/0xb90 [cifs] + [<00000000fe15eb90>] mount_get_conns+0x63/0x3e0 [cifs] + [<00000000768aba03>] mount_get_dfs_conns+0x16/0xa0 [cifs] + [<00000000cf1cf146>] cifs_mount+0x1c2/0x9a0 [cifs] + [<000000000d66b51e>] cifs_smb3_do_mount+0x10e/0x710 [cifs] + [<0000000077a996c5>] smb3_get_tree+0xf4/0x200 [cifs] + [<0000000094dbd041>] vfs_get_tree+0x23/0xc0 + [<000000003a8561de>] path_mount+0x2d3/0xb50 + [<00000000ed5c86d6>] __x64_sys_mount+0x102/0x140 + [<00000000142142f3>] do_syscall_64+0x3b/0x90 + [<00000000e2b89731>] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: a4e430c8c8ba ("cifs: replace kfree() with kfree_sensitive() for sensitive data") +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2pdu.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -1345,14 +1345,13 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_ + static void + SMB2_sess_free_buffer(struct SMB2_sess_data *sess_data) + { +- int i; ++ struct kvec *iov = sess_data->iov; + +- /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */ +- for (i = 0; i < 2; i++) +- if (sess_data->iov[i].iov_base) +- memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len); ++ /* iov[1] is already freed by caller */ ++ if (sess_data->buf0_type != CIFS_NO_BUFFER && iov[0].iov_base) ++ memzero_explicit(iov[0].iov_base, iov[0].iov_len); + +- free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base); ++ free_rsp_buf(sess_data->buf0_type, iov[0].iov_base); + sess_data->buf0_type = CIFS_NO_BUFFER; + } + +@@ -1582,7 +1581,7 @@ SMB2_sess_auth_rawntlmssp_negotiate(stru + } + + out: +- memzero_explicit(ntlmssp_blob, blob_length); ++ kfree_sensitive(ntlmssp_blob); + SMB2_sess_free_buffer(sess_data); + if (!rc) { + sess_data->result = 0; +@@ -1666,7 +1665,7 @@ SMB2_sess_auth_rawntlmssp_authenticate(s + } + #endif + out: +- memzero_explicit(ntlmssp_blob, blob_length); ++ kfree_sensitive(ntlmssp_blob); + SMB2_sess_free_buffer(sess_data); + kfree_sensitive(ses->ntlmssp); + ses->ntlmssp = NULL; diff --git a/queue-6.0/cifs-fix-use-after-free-on-the-link-name.patch b/queue-6.0/cifs-fix-use-after-free-on-the-link-name.patch new file mode 100644 index 00000000000..bf1dd5d0802 --- /dev/null +++ b/queue-6.0/cifs-fix-use-after-free-on-the-link-name.patch @@ -0,0 +1,151 @@ +From 542228db2f28fdf775b301f2843e1fe486e7c797 Mon Sep 17 00:00:00 2001 +From: ChenXiaoSong +Date: Fri, 4 Nov 2022 15:44:41 +0800 +Subject: cifs: fix use-after-free on the link name + +From: ChenXiaoSong + +commit 542228db2f28fdf775b301f2843e1fe486e7c797 upstream. + +xfstests generic/011 reported use-after-free bug as follows: + + BUG: KASAN: use-after-free in __d_alloc+0x269/0x859 + Read of size 15 at addr ffff8880078933a0 by task dirstress/952 + + CPU: 1 PID: 952 Comm: dirstress Not tainted 6.1.0-rc3+ #77 + Call Trace: + __dump_stack+0x23/0x29 + dump_stack_lvl+0x51/0x73 + print_address_description+0x67/0x27f + print_report+0x3e/0x5c + kasan_report+0x7b/0xa8 + kasan_check_range+0x1b2/0x1c1 + memcpy+0x22/0x5d + __d_alloc+0x269/0x859 + d_alloc+0x45/0x20c + d_alloc_parallel+0xb2/0x8b2 + lookup_open+0x3b8/0x9f9 + open_last_lookups+0x63d/0xc26 + path_openat+0x11a/0x261 + do_filp_open+0xcc/0x168 + do_sys_openat2+0x13b/0x3f7 + do_sys_open+0x10f/0x146 + __se_sys_creat+0x27/0x2e + __x64_sys_creat+0x55/0x6a + do_syscall_64+0x40/0x96 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + + Allocated by task 952: + kasan_save_stack+0x1f/0x42 + kasan_set_track+0x21/0x2a + kasan_save_alloc_info+0x17/0x1d + __kasan_kmalloc+0x7e/0x87 + __kmalloc_node_track_caller+0x59/0x155 + kstrndup+0x60/0xe6 + parse_mf_symlink+0x215/0x30b + check_mf_symlink+0x260/0x36a + cifs_get_inode_info+0x14e1/0x1690 + cifs_revalidate_dentry_attr+0x70d/0x964 + cifs_revalidate_dentry+0x36/0x62 + cifs_d_revalidate+0x162/0x446 + lookup_open+0x36f/0x9f9 + open_last_lookups+0x63d/0xc26 + path_openat+0x11a/0x261 + do_filp_open+0xcc/0x168 + do_sys_openat2+0x13b/0x3f7 + do_sys_open+0x10f/0x146 + __se_sys_creat+0x27/0x2e + __x64_sys_creat+0x55/0x6a + do_syscall_64+0x40/0x96 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + + Freed by task 950: + kasan_save_stack+0x1f/0x42 + kasan_set_track+0x21/0x2a + kasan_save_free_info+0x1c/0x34 + ____kasan_slab_free+0x1c1/0x1d5 + __kasan_slab_free+0xe/0x13 + __kmem_cache_free+0x29a/0x387 + kfree+0xd3/0x10e + cifs_fattr_to_inode+0xb6a/0xc8c + cifs_get_inode_info+0x3cb/0x1690 + cifs_revalidate_dentry_attr+0x70d/0x964 + cifs_revalidate_dentry+0x36/0x62 + cifs_d_revalidate+0x162/0x446 + lookup_open+0x36f/0x9f9 + open_last_lookups+0x63d/0xc26 + path_openat+0x11a/0x261 + do_filp_open+0xcc/0x168 + do_sys_openat2+0x13b/0x3f7 + do_sys_open+0x10f/0x146 + __se_sys_creat+0x27/0x2e + __x64_sys_creat+0x55/0x6a + do_syscall_64+0x40/0x96 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +When opened a symlink, link name is from 'inode->i_link', but it may be +reset to a new value when revalidate the dentry. If some processes get the +link name on the race scenario, then UAF will happen on link name. + +Fix this by implementing 'get_link' interface to duplicate the link name. + +Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+") +Signed-off-by: ChenXiaoSong +Reviewed-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifsfs.c | 26 +++++++++++++++++++++++++- + fs/cifs/inode.c | 5 ----- + 2 files changed, 25 insertions(+), 6 deletions(-) + +--- a/fs/cifs/cifsfs.c ++++ b/fs/cifs/cifsfs.c +@@ -1143,8 +1143,32 @@ const struct inode_operations cifs_file_ + .fiemap = cifs_fiemap, + }; + ++const char *cifs_get_link(struct dentry *dentry, struct inode *inode, ++ struct delayed_call *done) ++{ ++ char *target_path; ++ ++ target_path = kmalloc(PATH_MAX, GFP_KERNEL); ++ if (!target_path) ++ return ERR_PTR(-ENOMEM); ++ ++ spin_lock(&inode->i_lock); ++ if (likely(CIFS_I(inode)->symlink_target)) { ++ strscpy(target_path, CIFS_I(inode)->symlink_target, PATH_MAX); ++ } else { ++ kfree(target_path); ++ target_path = ERR_PTR(-EOPNOTSUPP); ++ } ++ spin_unlock(&inode->i_lock); ++ ++ if (!IS_ERR(target_path)) ++ set_delayed_call(done, kfree_link, target_path); ++ ++ return target_path; ++} ++ + const struct inode_operations cifs_symlink_inode_ops = { +- .get_link = simple_get_link, ++ .get_link = cifs_get_link, + .permission = cifs_permission, + .listxattr = cifs_listxattr, + }; +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -215,11 +215,6 @@ cifs_fattr_to_inode(struct inode *inode, + kfree(cifs_i->symlink_target); + cifs_i->symlink_target = fattr->cf_symlink_target; + fattr->cf_symlink_target = NULL; +- +- if (unlikely(!cifs_i->symlink_target)) +- inode->i_link = ERR_PTR(-EOPNOTSUPP); +- else +- inode->i_link = cifs_i->symlink_target; + } + spin_unlock(&inode->i_lock); + diff --git a/queue-6.0/cifs-fix-xid-leak-in-cifs_get_file_info_unix.patch b/queue-6.0/cifs-fix-xid-leak-in-cifs_get_file_info_unix.patch new file mode 100644 index 00000000000..932a2b25313 --- /dev/null +++ b/queue-6.0/cifs-fix-xid-leak-in-cifs_get_file_info_unix.patch @@ -0,0 +1,36 @@ +From 10269f13257d4eb6061d09ccce61666316df9838 Mon Sep 17 00:00:00 2001 +From: Zhang Xiaoxu +Date: Mon, 17 Oct 2022 22:45:25 +0800 +Subject: cifs: Fix xid leak in cifs_get_file_info_unix() + +From: Zhang Xiaoxu + +commit 10269f13257d4eb6061d09ccce61666316df9838 upstream. + +If stardup the symlink target failed, should free the xid, +otherwise the xid will be leaked. + +Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+") +Reviewed-by: Paulo Alcantara (SUSE) +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/inode.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -368,8 +368,10 @@ cifs_get_file_info_unix(struct file *fil + + if (cfile->symlink_target) { + fattr.cf_symlink_target = kstrdup(cfile->symlink_target, GFP_KERNEL); +- if (!fattr.cf_symlink_target) +- return -ENOMEM; ++ if (!fattr.cf_symlink_target) { ++ rc = -ENOMEM; ++ goto cifs_gfiunix_out; ++ } + } + + rc = CIFSSMBUnixQFileInfo(xid, tcon, cfile->fid.netfid, &find_data); diff --git a/queue-6.0/clk-renesas-r8a779f0-fix-sd0h-clock-name.patch b/queue-6.0/clk-renesas-r8a779f0-fix-sd0h-clock-name.patch new file mode 100644 index 00000000000..b61f1549998 --- /dev/null +++ b/queue-6.0/clk-renesas-r8a779f0-fix-sd0h-clock-name.patch @@ -0,0 +1,31 @@ +From 99c05a2b710f16ea592ccb63ef5fe5f1f6b15db9 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Wed, 12 Oct 2022 09:02:33 +0200 +Subject: clk: renesas: r8a779f0: Fix SD0H clock name + +From: Geert Uytterhoeven + +commit 99c05a2b710f16ea592ccb63ef5fe5f1f6b15db9 upstream. + +Correct the misspelled textual name of the SD0H clock. + +Fixes: 9b5dd1ff705c6854 ("clk: renesas: r8a779f0: Add SDH0 clock") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Wolfram Sang +Link: https://lore.kernel.org/r/1f682d338f133608f138ae87323707436ad8c748.1665558014.git.geert+renesas@glider.be +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/renesas/r8a779f0-cpg-mssr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/renesas/r8a779f0-cpg-mssr.c ++++ b/drivers/clk/renesas/r8a779f0-cpg-mssr.c +@@ -113,7 +113,7 @@ static const struct cpg_core_clk r8a779f + DEF_FIXED("sasyncperd2", R8A779F0_CLK_SASYNCPERD2, R8A779F0_CLK_SASYNCPERD1, 2, 1), + DEF_FIXED("sasyncperd4", R8A779F0_CLK_SASYNCPERD4, R8A779F0_CLK_SASYNCPERD1, 4, 1), + +- DEF_GEN4_SDH("sdh0", R8A779F0_CLK_SD0H, CLK_SDSRC, 0x870), ++ DEF_GEN4_SDH("sd0h", R8A779F0_CLK_SD0H, CLK_SDSRC, 0x870), + DEF_GEN4_SD("sd0", R8A779F0_CLK_SD0, R8A779F0_CLK_SD0H, 0x870), + + DEF_BASE("rpc", R8A779F0_CLK_RPC, CLK_TYPE_GEN4_RPC, CLK_RPCSRC), diff --git a/queue-6.0/extcon-usbc-tusb320-call-the-type-c-irq-handler-only-if-a-port-is-registered.patch b/queue-6.0/extcon-usbc-tusb320-call-the-type-c-irq-handler-only-if-a-port-is-registered.patch new file mode 100644 index 00000000000..76728a2ef0f --- /dev/null +++ b/queue-6.0/extcon-usbc-tusb320-call-the-type-c-irq-handler-only-if-a-port-is-registered.patch @@ -0,0 +1,42 @@ +From 341fd15e2e18c24d5c738496cfc3d7a272241201 Mon Sep 17 00:00:00 2001 +From: Yassine Oudjana +Date: Mon, 7 Nov 2022 18:33:17 +0300 +Subject: extcon: usbc-tusb320: Call the Type-C IRQ handler only if a port is registered + +From: Yassine Oudjana + +commit 341fd15e2e18c24d5c738496cfc3d7a272241201 upstream. + +Commit bf7571c00dca ("extcon: usbc-tusb320: Add USB TYPE-C support") +added an optional Type-C interface to the driver but missed to check +if it is in use when calling the IRQ handler. This causes an oops on +devices currently using the old extcon interface. Check if a Type-C +port is registered before calling the Type-C IRQ handler. + +Fixes: bf7571c00dca ("extcon: usbc-tusb320: Add USB TYPE-C support") +Signed-off-by: Yassine Oudjana +Reviewed-by: Marek Vasut +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20221107153317.657803-1-y.oudjana@protonmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/extcon/extcon-usbc-tusb320.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/extcon/extcon-usbc-tusb320.c ++++ b/drivers/extcon/extcon-usbc-tusb320.c +@@ -327,7 +327,13 @@ static irqreturn_t tusb320_state_update_ + return IRQ_NONE; + + tusb320_extcon_irq_handler(priv, reg); +- tusb320_typec_irq_handler(priv, reg); ++ ++ /* ++ * Type-C support is optional. Only call the Type-C handler if a ++ * port had been registered previously. ++ */ ++ if (priv->port) ++ tusb320_typec_irq_handler(priv, reg); + + regmap_write(priv->regmap, TUSB320_REG9, reg); + diff --git a/queue-6.0/series b/queue-6.0/series index 10a48b132b5..1f1fe27ac5d 100644 --- a/queue-6.0/series +++ b/queue-6.0/series @@ -1065,3 +1065,9 @@ net-stmmac-fix-errno-when-create_singlethread_workqueue-fails.patch media-dvbdev-fix-build-warning-due-to-comments.patch media-dvbdev-fix-refcnt-bug.patch drm-amd-display-revert-disable-drr-actions-during-state-commit.patch +clk-renesas-r8a779f0-fix-sd0h-clock-name.patch +extcon-usbc-tusb320-call-the-type-c-irq-handler-only-if-a-port-is-registered.patch +cifs-fix-double-fault-crash-during-ntlmssp.patch +cifs-fix-xid-leak-in-cifs_get_file_info_unix.patch +cifs-fix-memory-leaks-in-session-setup.patch +cifs-fix-use-after-free-on-the-link-name.patch -- 2.47.3