--- /dev/null
+From b2d99376c5d61eb60ffdb6c503e4b6c8f9712ddd Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 10 Jan 2025 13:37:05 +0900
+Subject: ksmbd: browse interfaces list on FSCTL_QUERY_INTERFACE_INFO IOCTL
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit b2d99376c5d61eb60ffdb6c503e4b6c8f9712ddd upstream.
+
+ksmbd.mount will give each interfaces list and bind_interfaces_only flags
+to ksmbd server. Previously, the interfaces list was sent only
+when bind_interfaces_only was enabled.
+ksmbd server browse only interfaces list given from ksmbd.conf on
+FSCTL_QUERY_INTERFACE_INFO IOCTL.
+
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/ksmbd_netlink.h | 3 +
+ fs/smb/server/server.h | 1
+ fs/smb/server/smb2pdu.c | 4 ++
+ fs/smb/server/transport_ipc.c | 1
+ fs/smb/server/transport_tcp.c | 67 +++++++++++++++++++-----------------------
+ fs/smb/server/transport_tcp.h | 1
+ 6 files changed, 40 insertions(+), 37 deletions(-)
+
+--- a/fs/smb/server/ksmbd_netlink.h
++++ b/fs/smb/server/ksmbd_netlink.h
+@@ -108,8 +108,9 @@ struct ksmbd_startup_request {
+ __u32 smb2_max_credits; /* MAX credits */
+ __u32 smbd_max_io_size; /* smbd read write size */
+ __u32 max_connections; /* Number of maximum simultaneous connections */
++ __s8 bind_interfaces_only;
+ __u32 max_ip_connections; /* Number of maximum connection per ip address */
+- __u32 reserved[125]; /* Reserved room */
++ __s8 reserved[499]; /* Reserved room */
+ __u32 ifc_list_sz; /* interfaces list size */
+ __s8 ____payload[];
+ } __packed;
+--- a/fs/smb/server/server.h
++++ b/fs/smb/server/server.h
+@@ -46,6 +46,7 @@ struct ksmbd_server_config {
+ unsigned int max_ip_connections;
+
+ char *conf[SERVER_CONF_WORK_GROUP + 1];
++ bool bind_interfaces_only;
+ };
+
+ extern struct ksmbd_server_config server_conf;
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -38,6 +38,7 @@
+ #include "mgmt/user_session.h"
+ #include "mgmt/ksmbd_ida.h"
+ #include "ndr.h"
++#include "transport_tcp.h"
+
+ static void __wbuf(struct ksmbd_work *work, void **req, void **rsp)
+ {
+@@ -7790,6 +7791,9 @@ static int fsctl_query_iface_info_ioctl(
+ if (netdev->type == ARPHRD_LOOPBACK)
+ continue;
+
++ if (!ksmbd_find_netdev_name_iface_list(netdev->name))
++ continue;
++
+ flags = dev_get_flags(netdev);
+ if (!(flags & IFF_RUNNING))
+ continue;
+--- a/fs/smb/server/transport_ipc.c
++++ b/fs/smb/server/transport_ipc.c
+@@ -327,6 +327,7 @@ static int ipc_server_config_on_startup(
+ ret = ksmbd_set_netbios_name(req->netbios_name);
+ ret |= ksmbd_set_server_string(req->server_string);
+ ret |= ksmbd_set_work_group(req->work_group);
++ server_conf.bind_interfaces_only = req->bind_interfaces_only;
+ ret |= ksmbd_tcp_set_interfaces(KSMBD_STARTUP_CONFIG_INTERFACES(req),
+ req->ifc_list_sz);
+ out:
+--- a/fs/smb/server/transport_tcp.c
++++ b/fs/smb/server/transport_tcp.c
+@@ -551,30 +551,37 @@ out_clear:
+ return ret;
+ }
+
++struct interface *ksmbd_find_netdev_name_iface_list(char *netdev_name)
++{
++ struct interface *iface;
++
++ list_for_each_entry(iface, &iface_list, entry)
++ if (!strcmp(iface->name, netdev_name))
++ return iface;
++ return NULL;
++}
++
+ static int ksmbd_netdev_event(struct notifier_block *nb, unsigned long event,
+ void *ptr)
+ {
+ struct net_device *netdev = netdev_notifier_info_to_dev(ptr);
+ struct interface *iface;
+- int ret, found = 0;
++ int ret;
+
+ switch (event) {
+ case NETDEV_UP:
+ if (netif_is_bridge_port(netdev))
+ return NOTIFY_OK;
+
+- list_for_each_entry(iface, &iface_list, entry) {
+- if (!strcmp(iface->name, netdev->name)) {
+- found = 1;
+- if (iface->state != IFACE_STATE_DOWN)
+- break;
+- ret = create_socket(iface);
+- if (ret)
+- return NOTIFY_OK;
+- break;
+- }
++ iface = ksmbd_find_netdev_name_iface_list(netdev->name);
++ if (iface && iface->state == IFACE_STATE_DOWN) {
++ ksmbd_debug(CONN, "netdev-up event: netdev(%s) is going up\n",
++ iface->name);
++ ret = create_socket(iface);
++ if (ret)
++ return NOTIFY_OK;
+ }
+- if (!found && bind_additional_ifaces) {
++ if (!iface && bind_additional_ifaces) {
+ iface = alloc_iface(kstrdup(netdev->name, GFP_KERNEL));
+ if (!iface)
+ return NOTIFY_OK;
+@@ -584,19 +591,19 @@ static int ksmbd_netdev_event(struct not
+ }
+ break;
+ case NETDEV_DOWN:
+- list_for_each_entry(iface, &iface_list, entry) {
+- if (!strcmp(iface->name, netdev->name) &&
+- iface->state == IFACE_STATE_CONFIGURED) {
+- tcp_stop_kthread(iface->ksmbd_kthread);
+- iface->ksmbd_kthread = NULL;
+- mutex_lock(&iface->sock_release_lock);
+- tcp_destroy_socket(iface->ksmbd_socket);
+- iface->ksmbd_socket = NULL;
+- mutex_unlock(&iface->sock_release_lock);
++ iface = ksmbd_find_netdev_name_iface_list(netdev->name);
++ if (iface && iface->state == IFACE_STATE_CONFIGURED) {
++ ksmbd_debug(CONN, "netdev-down event: netdev(%s) is going down\n",
++ iface->name);
++ tcp_stop_kthread(iface->ksmbd_kthread);
++ iface->ksmbd_kthread = NULL;
++ mutex_lock(&iface->sock_release_lock);
++ tcp_destroy_socket(iface->ksmbd_socket);
++ iface->ksmbd_socket = NULL;
++ mutex_unlock(&iface->sock_release_lock);
+
+- iface->state = IFACE_STATE_DOWN;
+- break;
+- }
++ iface->state = IFACE_STATE_DOWN;
++ break;
+ }
+ break;
+ }
+@@ -665,18 +672,6 @@ int ksmbd_tcp_set_interfaces(char *ifc_l
+ int sz = 0;
+
+ if (!ifc_list_sz) {
+- struct net_device *netdev;
+-
+- rtnl_lock();
+- for_each_netdev(&init_net, netdev) {
+- if (netif_is_bridge_port(netdev))
+- continue;
+- if (!alloc_iface(kstrdup(netdev->name, GFP_KERNEL))) {
+- rtnl_unlock();
+- return -ENOMEM;
+- }
+- }
+- rtnl_unlock();
+ bind_additional_ifaces = 1;
+ return 0;
+ }
+--- a/fs/smb/server/transport_tcp.h
++++ b/fs/smb/server/transport_tcp.h
+@@ -8,6 +8,7 @@
+
+ int ksmbd_tcp_set_interfaces(char *ifc_list, int ifc_list_sz);
+ void ksmbd_free_transport(struct ksmbd_transport *kt);
++struct interface *ksmbd_find_netdev_name_iface_list(char *netdev_name);
+ int ksmbd_tcp_init(void);
+ void ksmbd_tcp_destroy(void);
+
--- /dev/null
+From f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93 Mon Sep 17 00:00:00 2001
+From: Jakub Acs <acsjakub@amazon.de>
+Date: Wed, 1 Oct 2025 09:03:52 +0000
+Subject: mm/ksm: fix flag-dropping behavior in ksm_madvise
+
+From: Jakub Acs <acsjakub@amazon.de>
+
+commit f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93 upstream.
+
+syzkaller discovered the following crash: (kernel BUG)
+
+[ 44.607039] ------------[ cut here ]------------
+[ 44.607422] kernel BUG at mm/userfaultfd.c:2067!
+[ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
+[ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none)
+[ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
+[ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460
+
+<snip other registers, drop unreliable trace>
+
+[ 44.617726] Call Trace:
+[ 44.617926] <TASK>
+[ 44.619284] userfaultfd_release+0xef/0x1b0
+[ 44.620976] __fput+0x3f9/0xb60
+[ 44.621240] fput_close_sync+0x110/0x210
+[ 44.622222] __x64_sys_close+0x8f/0x120
+[ 44.622530] do_syscall_64+0x5b/0x2f0
+[ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ 44.623244] RIP: 0033:0x7f365bb3f227
+
+Kernel panics because it detects UFFD inconsistency during
+userfaultfd_release_all(). Specifically, a VMA which has a valid pointer
+to vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags.
+
+The inconsistency is caused in ksm_madvise(): when user calls madvise()
+with MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode,
+it accidentally clears all flags stored in the upper 32 bits of
+vma->vm_flags.
+
+Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and
+int are 32-bit wide. This setup causes the following mishap during the &=
+~VM_MERGEABLE assignment.
+
+VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000.
+After ~ is applied, it becomes 0x7fff'ffff unsigned int, which is then
+promoted to unsigned long before the & operation. This promotion fills
+upper 32 bits with leading 0s, as we're doing unsigned conversion (and
+even for a signed conversion, this wouldn't help as the leading bit is 0).
+& operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffff
+instead of intended 0xffff'ffff'7fff'ffff and hence accidentally clears
+the upper 32-bits of its value.
+
+Fix it by changing `VM_MERGEABLE` constant to unsigned long, using the
+BIT() macro.
+
+Note: other VM_* flags are not affected: This only happens to the
+VM_MERGEABLE flag, as the other VM_* flags are all constants of type int
+and after ~ operation, they end up with leading 1 and are thus converted
+to unsigned long with leading 1s.
+
+Note 2:
+After commit 31defc3b01d9 ("userfaultfd: remove (VM_)BUG_ON()s"), this is
+no longer a kernel BUG, but a WARNING at the same place:
+
+[ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067
+
+but the root-cause (flag-drop) remains the same.
+
+[akpm@linux-foundation.org: rust bindgen wasn't able to handle BIT(), from Miguel]
+ Link: https://lore.kernel.org/oe-kbuild-all/202510030449.VfSaAjvd-lkp@intel.com/
+Link: https://lkml.kernel.org/r/20251001090353.57523-2-acsjakub@amazon.de
+Fixes: 7677f7fd8be7 ("userfaultfd: add minor fault registration mode")
+Signed-off-by: Jakub Acs <acsjakub@amazon.de>
+Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Acked-by: SeongJae Park <sj@kernel.org>
+Tested-by: Alice Ryhl <aliceryhl@google.com>
+Tested-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
+Cc: Xu Xin <xu.xin16@zte.com.cn>
+Cc: Chengming Zhou <chengming.zhou@linux.dev>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Axel Rasmussen <axelrasmussen@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+[acsjakub@amazon.de: adapt rust bindgen const to older versions]
+Signed-off-by: Jakub Acs <acsjakub@amazon.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mm.h | 2 +-
+ rust/bindings/bindings_helper.h | 2 ++
+ rust/bindings/lib.rs | 1 +
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -315,7 +315,7 @@ extern unsigned int kobjsize(const void
+ #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
+ #define VM_HUGEPAGE 0x20000000 /* MADV_HUGEPAGE marked this vma */
+ #define VM_NOHUGEPAGE 0x40000000 /* MADV_NOHUGEPAGE marked this vma */
+-#define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
++#define VM_MERGEABLE BIT(31) /* KSM may merge identical pages */
+
+ #ifdef CONFIG_ARCH_USES_HIGH_VMA_FLAGS
+ #define VM_HIGH_ARCH_BIT_0 32 /* bit only usable on 64-bit architectures */
+--- a/rust/bindings/bindings_helper.h
++++ b/rust/bindings/bindings_helper.h
+@@ -12,8 +12,10 @@
+ #include <linux/refcount.h>
+ #include <linux/wait.h>
+ #include <linux/sched.h>
++#include <linux/mm.h>
+
+ /* `bindgen` gets confused at certain things. */
+ const size_t BINDINGS_ARCH_SLAB_MINALIGN = ARCH_SLAB_MINALIGN;
+ const gfp_t BINDINGS_GFP_KERNEL = GFP_KERNEL;
+ const gfp_t BINDINGS___GFP_ZERO = __GFP_ZERO;
++const vm_flags_t BINDINGS_VM_MERGEABLE = VM_MERGEABLE;
+--- a/rust/bindings/lib.rs
++++ b/rust/bindings/lib.rs
+@@ -51,3 +51,4 @@ pub use bindings_raw::*;
+
+ pub const GFP_KERNEL: gfp_t = BINDINGS_GFP_KERNEL;
+ pub const __GFP_ZERO: gfp_t = BINDINGS___GFP_ZERO;
++pub const VM_MERGEABLE: vm_flags_t = BINDINGS_VM_MERGEABLE;
--- /dev/null
+From smayhew@redhat.com Tue Oct 21 20:11:20 2025
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Mon, 20 Oct 2025 16:50:04 -0400
+Subject: nfsd: decouple the xprtsec policy check from check_nfsd_access()
+To: stable@vger.kernel.org
+Cc: chuck.lever@oracle.com
+Message-ID: <20251020205004.1034718-1-smayhew@redhat.com>
+
+From: Scott Mayhew <smayhew@redhat.com>
+
+[ Upstream commit e4f574ca9c6dfa66695bb054ff5df43ecea873ec ]
+
+This is a backport of e4f574ca9c6d specifically for the 6.6-stable
+kernel. It differs from the upstream version mainly in that it's
+working around the absence of some 6.12-era commits:
+- 1459ad57673b nfsd: Move error code mapping to per-version proc code.
+- 0a183f24a7ae NFSD: Handle @rqstp == NULL in check_nfsd_access()
+- 5e66d2d92a1c nfsd: factor out __fh_verify to allow NULL rqstp to be
+ passed
+
+A while back I had reported that an NFSv3 client could successfully
+mount using '-o xprtsec=none' an export that had been exported with
+'xprtsec=tls:mtls'. By "successfully" I mean that the mount command
+would succeed and the mount would show up in /proc/mount. Attempting
+to do anything futher with the mount would be met with NFS3ERR_ACCES.
+
+Transport Layer Security isn't an RPC security flavor or pseudo-flavor,
+so we shouldn't be conflating them when determining whether the access
+checks can be bypassed. Split check_nfsd_access() into two helpers, and
+have fh_verify() call the helpers directly since fh_verify() has
+logic that allows one or both of the checks to be skipped. All other
+sites will continue to call check_nfsd_access().
+
+Link: https://lore.kernel.org/linux-nfs/ZjO3Qwf_G87yNXb2@aion/
+Fixes: 9280c5774314 ("NFSD: Handle new xprtsec= export option")
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+Acked-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/export.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++--------
+ fs/nfsd/export.h | 2 +
+ fs/nfsd/nfsfh.c | 12 ++++++++++-
+ 3 files changed, 65 insertions(+), 9 deletions(-)
+
+--- a/fs/nfsd/export.c
++++ b/fs/nfsd/export.c
+@@ -1071,28 +1071,62 @@ static struct svc_export *exp_find(struc
+ return exp;
+ }
+
+-__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp)
++/**
++ * check_xprtsec_policy - check if access to export is allowed by the
++ * xprtsec policy
++ * @exp: svc_export that is being accessed.
++ * @rqstp: svc_rqst attempting to access @exp.
++ *
++ * Helper function for check_nfsd_access(). Note that callers should be
++ * using check_nfsd_access() instead of calling this function directly. The
++ * one exception is fh_verify() since it has logic that may result in one
++ * or both of the helpers being skipped.
++ *
++ * Return values:
++ * %nfs_ok if access is granted, or
++ * %nfserr_acces or %nfserr_wrongsec if access is denied
++ */
++__be32 check_xprtsec_policy(struct svc_export *exp, struct svc_rqst *rqstp)
+ {
+- struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors;
+ struct svc_xprt *xprt = rqstp->rq_xprt;
+
+ if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_NONE) {
+ if (!test_bit(XPT_TLS_SESSION, &xprt->xpt_flags))
+- goto ok;
++ return nfs_ok;
+ }
+ if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_TLS) {
+ if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) &&
+ !test_bit(XPT_PEER_AUTH, &xprt->xpt_flags))
+- goto ok;
++ return nfs_ok;
+ }
+ if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_MTLS) {
+ if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) &&
+ test_bit(XPT_PEER_AUTH, &xprt->xpt_flags))
+- goto ok;
++ return nfs_ok;
+ }
+- goto denied;
+
+-ok:
++ return rqstp->rq_vers < 4 ? nfserr_acces : nfserr_wrongsec;
++}
++
++/**
++ * check_security_flavor - check if access to export is allowed by the
++ * xprtsec policy
++ * @exp: svc_export that is being accessed.
++ * @rqstp: svc_rqst attempting to access @exp.
++ *
++ * Helper function for check_nfsd_access(). Note that callers should be
++ * using check_nfsd_access() instead of calling this function directly. The
++ * one exception is fh_verify() since it has logic that may result in one
++ * or both of the helpers being skipped.
++ *
++ * Return values:
++ * %nfs_ok if access is granted, or
++ * %nfserr_acces or %nfserr_wrongsec if access is denied
++ */
++__be32 check_security_flavor(struct svc_export *exp, struct svc_rqst *rqstp)
++{
++ struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors;
++
+ /* legacy gss-only clients are always OK: */
+ if (exp->ex_client == rqstp->rq_gssclient)
+ return 0;
+@@ -1117,10 +1151,20 @@ ok:
+ if (nfsd4_spo_must_allow(rqstp))
+ return 0;
+
+-denied:
+ return rqstp->rq_vers < 4 ? nfserr_acces : nfserr_wrongsec;
+ }
+
++__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp)
++{
++ __be32 status;
++
++ status = check_xprtsec_policy(exp, rqstp);
++ if (status != nfs_ok)
++ return status;
++
++ return check_security_flavor(exp, rqstp);
++}
++
+ /*
+ * Uses rq_client and rq_gssclient to find an export; uses rq_client (an
+ * auth_unix client) if it's available and has secinfo information;
+--- a/fs/nfsd/export.h
++++ b/fs/nfsd/export.h
+@@ -100,6 +100,8 @@ struct svc_expkey {
+ #define EX_WGATHER(exp) ((exp)->ex_flags & NFSEXP_GATHERED_WRITES)
+
+ int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp);
++__be32 check_xprtsec_policy(struct svc_export *exp, struct svc_rqst *rqstp);
++__be32 check_security_flavor(struct svc_export *exp, struct svc_rqst *rqstp);
+ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp);
+
+ /*
+--- a/fs/nfsd/nfsfh.c
++++ b/fs/nfsd/nfsfh.c
+@@ -371,6 +371,16 @@ fh_verify(struct svc_rqst *rqstp, struct
+ goto out;
+
+ /*
++ * NLM is allowed to bypass the xprtsec policy check because lockd
++ * doesn't support xprtsec.
++ */
++ if (!(access & NFSD_MAY_LOCK)) {
++ error = check_xprtsec_policy(exp, rqstp);
++ if (error)
++ goto out;
++ }
++
++ /*
+ * pseudoflavor restrictions are not enforced on NLM,
+ * which clients virtually always use auth_sys for,
+ * even while using RPCSEC_GSS for NFS.
+@@ -386,7 +396,7 @@ fh_verify(struct svc_rqst *rqstp, struct
+ && exp->ex_path.dentry == dentry)
+ goto skip_pseudoflavor_check;
+
+- error = check_nfsd_access(exp, rqstp);
++ error = check_security_flavor(exp, rqstp);
+ if (error)
+ goto out;
+
--- /dev/null
+From briannorris@chromium.org Tue Oct 21 20:12:10 2025
+From: Brian Norris <briannorris@chromium.org>
+Date: Mon, 20 Oct 2025 13:41:36 -0700
+Subject: PCI/sysfs: Ensure devices are powered for config reads (part 2)
+To: stable@vger.kernel.org
+Cc: bhelgaas@google.com, Brian Norris <briannorris@google.com>, Brian Norris <briannorris@chromium.org>
+Message-ID: <20251020204146.3193844-1-briannorris@chromium.org>
+
+From: Brian Norris <briannorris@google.com>
+
+Commit 48991e493507 ("PCI/sysfs: Ensure devices are powered for config
+reads") was applied to various linux-stable trees. However, prior to
+6.12.y, we do not have commit d2bd39c0456b ("PCI: Store all PCIe
+Supported Link Speeds"). Therefore, we also need to apply the change to
+max_link_speed_show().
+
+This was pointed out here:
+
+ Re: Patch "PCI/sysfs: Ensure devices are powered for config reads" has been added to the 6.6-stable tree
+ https://lore.kernel.org/all/aPEMIreBYZ7yk3cm@google.com/
+
+Original change description follows:
+
+ The "max_link_width", "current_link_speed", "current_link_width",
+ "secondary_bus_number", and "subordinate_bus_number" sysfs files all access
+ config registers, but they don't check the runtime PM state. If the device
+ is in D3cold or a parent bridge is suspended, we may see -EINVAL, bogus
+ values, or worse, depending on implementation details.
+
+ Wrap these access in pci_config_pm_runtime_{get,put}() like most of the
+ rest of the similar sysfs attributes.
+
+ Notably, "max_link_speed" does not access config registers; it returns a
+ cached value since d2bd39c0456b ("PCI: Store all PCIe Supported Link
+ Speeds").
+
+Fixes: 56c1af4606f0 ("PCI: Add sysfs max_link_speed/width, current_link_speed/width, etc")
+Link: https://lore.kernel.org/all/aPEMIreBYZ7yk3cm@google.com/
+Signed-off-by: Brian Norris <briannorris@google.com>
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci-sysfs.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -186,9 +186,15 @@ static ssize_t max_link_speed_show(struc
+ struct device_attribute *attr, char *buf)
+ {
+ struct pci_dev *pdev = to_pci_dev(dev);
++ ssize_t ret;
+
+- return sysfs_emit(buf, "%s\n",
+- pci_speed_string(pcie_get_speed_cap(pdev)));
++ /* We read PCI_EXP_LNKCAP, so we need the device to be accessible. */
++ pci_config_pm_runtime_get(pdev);
++ ret = sysfs_emit(buf, "%s\n",
++ pci_speed_string(pcie_get_speed_cap(pdev)));
++ pci_config_pm_runtime_put(pdev);
++
++ return ret;
+ }
+ static DEVICE_ATTR_RO(max_link_speed);
+
ixgbevf-add-support-for-intel-r-e610-device.patch
ixgbevf-fix-getting-link-speed-data-for-e610-devices.patch
ixgbevf-fix-mailbox-api-compatibility-by-negotiating-supported-features.patch
+nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch
+pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch
+ksmbd-browse-interfaces-list-on-fsctl_query_interface_info-ioctl.patch
+mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
