--- /dev/null
+From 0ee4736c003daded513de0ff112d4a1e9c85bbab Mon Sep 17 00:00:00 2001
+From: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+Date: Wed, 18 Dec 2024 11:32:51 +0100
+Subject: btrfs: zlib: fix avail_in bytes for s390 zlib HW compression path
+
+From: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+
+commit 0ee4736c003daded513de0ff112d4a1e9c85bbab upstream.
+
+Since the input data length passed to zlib_compress_folios() can be
+arbitrary, always setting strm.avail_in to a multiple of PAGE_SIZE may
+cause read-in bytes to exceed the input range. Currently this triggers
+an assert in btrfs_compress_folios() on the debug kernel (see below).
+Fix strm.avail_in calculation for S390 hardware acceleration path.
+
+ assertion failed: *total_in <= orig_len, in fs/btrfs/compression.c:1041
+ ------------[ cut here ]------------
+ kernel BUG at fs/btrfs/compression.c:1041!
+ monitor event: 0040 ilc:2 [#1] PREEMPT SMP
+ CPU: 16 UID: 0 PID: 325 Comm: kworker/u273:3 Not tainted 6.13.0-20241204.rc1.git6.fae3b21430ca.300.fc41.s390x+debug #1
+ Hardware name: IBM 3931 A01 703 (z/VM 7.4.0)
+ Workqueue: btrfs-delalloc btrfs_work_helper
+ Krnl PSW : 0704d00180000000 0000021761df6538 (btrfs_compress_folios+0x198/0x1a0)
+ R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3
+ Krnl GPRS: 0000000080000000 0000000000000001 0000000000000047 0000000000000000
+ 0000000000000006 ffffff01757bb000 000001976232fcc0 000000000000130c
+ 000001976232fcd0 000001976232fcc8 00000118ff4a0e30 0000000000000001
+ 00000111821ab400 0000011100000000 0000021761df6534 000001976232fb58
+ Krnl Code: 0000021761df6528: c020006f5ef4 larl %r2,0000021762be2310
+ 0000021761df652e: c0e5ffbd09d5 brasl %r14,00000217615978d8
+ #0000021761df6534: af000000 mc 0,0
+ >0000021761df6538: 0707 bcr 0,%r7
+ 0000021761df653a: 0707 bcr 0,%r7
+ 0000021761df653c: 0707 bcr 0,%r7
+ 0000021761df653e: 0707 bcr 0,%r7
+ 0000021761df6540: c004004bb7ec brcl 0,000002176276d518
+ Call Trace:
+ [<0000021761df6538>] btrfs_compress_folios+0x198/0x1a0
+ ([<0000021761df6534>] btrfs_compress_folios+0x194/0x1a0)
+ [<0000021761d97788>] compress_file_range+0x3b8/0x6d0
+ [<0000021761dcee7c>] btrfs_work_helper+0x10c/0x160
+ [<0000021761645760>] process_one_work+0x2b0/0x5d0
+ [<000002176164637e>] worker_thread+0x20e/0x3e0
+ [<000002176165221a>] kthread+0x15a/0x170
+ [<00000217615b859c>] __ret_from_fork+0x3c/0x60
+ [<00000217626e72d2>] ret_from_fork+0xa/0x38
+ INFO: lockdep is turned off.
+ Last Breaking-Event-Address:
+ [<0000021761597924>] _printk+0x4c/0x58
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+Fixes: fd1e75d0105d ("btrfs: make compression path to be subpage compatible")
+CC: stable@vger.kernel.org # 6.12+
+Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/zlib.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/zlib.c b/fs/btrfs/zlib.c
+index ddf0d5a448a7..c9e92c6941ec 100644
+--- a/fs/btrfs/zlib.c
++++ b/fs/btrfs/zlib.c
+@@ -174,10 +174,10 @@ int zlib_compress_folios(struct list_head *ws, struct address_space *mapping,
+ copy_page(workspace->buf + i * PAGE_SIZE,
+ data_in);
+ start += PAGE_SIZE;
+- workspace->strm.avail_in =
+- (in_buf_folios << PAGE_SHIFT);
+ }
+ workspace->strm.next_in = workspace->buf;
++ workspace->strm.avail_in = min(bytes_left,
++ in_buf_folios << PAGE_SHIFT);
+ } else {
+ unsigned int pg_off;
+ unsigned int cur_len;
+--
+2.48.0
+
--- /dev/null
+From 47f33c27fc9565fb0bc7dfb76be08d445cd3d236 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 7 Jan 2025 17:47:01 +0100
+Subject: dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 47f33c27fc9565fb0bc7dfb76be08d445cd3d236 upstream.
+
+dm-ebs uses dm-bufio to process requests that are not aligned on logical
+sector size. dm-bufio doesn't support passing integrity data (and it is
+unclear how should it do it), so we shouldn't set the
+DM_TARGET_PASSES_INTEGRITY flag.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: d3c7b35c20d6 ("dm: add emulated block size target")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-ebs-target.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-ebs-target.c
++++ b/drivers/md/dm-ebs-target.c
+@@ -442,7 +442,7 @@ static int ebs_iterate_devices(struct dm
+ static struct target_type ebs_target = {
+ .name = "ebs",
+ .version = {1, 0, 1},
+- .features = DM_TARGET_PASSES_INTEGRITY,
++ .features = 0,
+ .module = THIS_MODULE,
+ .ctr = ebs_ctr,
+ .dtr = ebs_dtr,
--- /dev/null
+From 80f130bfad1dab93b95683fc39b87235682b8f72 Mon Sep 17 00:00:00 2001
+From: Krister Johansen <kjlx@templeofstupid.com>
+Date: Tue, 7 Jan 2025 15:24:58 -0800
+Subject: dm thin: make get_first_thin use rcu-safe list first function
+
+From: Krister Johansen <kjlx@templeofstupid.com>
+
+commit 80f130bfad1dab93b95683fc39b87235682b8f72 upstream.
+
+The documentation in rculist.h explains the absence of list_empty_rcu()
+and cautions programmers against relying on a list_empty() ->
+list_first() sequence in RCU safe code. This is because each of these
+functions performs its own READ_ONCE() of the list head. This can lead
+to a situation where the list_empty() sees a valid list entry, but the
+subsequent list_first() sees a different view of list head state after a
+modification.
+
+In the case of dm-thin, this author had a production box crash from a GP
+fault in the process_deferred_bios path. This function saw a valid list
+head in get_first_thin() but when it subsequently dereferenced that and
+turned it into a thin_c, it got the inside of the struct pool, since the
+list was now empty and referring to itself. The kernel on which this
+occurred printed both a warning about a refcount_t being saturated, and
+a UBSAN error for an out-of-bounds cpuid access in the queued spinlock,
+prior to the fault itself. When the resulting kdump was examined, it
+was possible to see another thread patiently waiting in thin_dtr's
+synchronize_rcu.
+
+The thin_dtr call managed to pull the thin_c out of the active thins
+list (and have it be the last entry in the active_thins list) at just
+the wrong moment which lead to this crash.
+
+Fortunately, the fix here is straight forward. Switch get_first_thin()
+function to use list_first_or_null_rcu() which performs just a single
+READ_ONCE() and returns NULL if the list is already empty.
+
+This was run against the devicemapper test suite's thin-provisioning
+suites for delete and suspend and no regressions were observed.
+
+Signed-off-by: Krister Johansen <kjlx@templeofstupid.com>
+Fixes: b10ebd34ccca ("dm thin: fix rcu_read_lock being held in code that can sleep")
+Cc: stable@vger.kernel.org
+Acked-by: Ming-Hung Tsai <mtsai@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-thin.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -2332,10 +2332,9 @@ static struct thin_c *get_first_thin(str
+ struct thin_c *tc = NULL;
+
+ rcu_read_lock();
+- if (!list_empty(&pool->active_thins)) {
+- tc = list_entry_rcu(pool->active_thins.next, struct thin_c, list);
++ tc = list_first_or_null_rcu(&pool->active_thins, struct thin_c, list);
++ if (tc)
+ thin_get(tc);
+- }
+ rcu_read_unlock();
+
+ return tc;
--- /dev/null
+From 6df90c02bae468a3a6110bafbc659884d0c4966c Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Wed, 18 Dec 2024 13:56:58 +0100
+Subject: dm-verity FEC: Fix RS FEC repair for roots unaligned to block size (take 2)
+
+From: Milan Broz <gmazyland@gmail.com>
+
+commit 6df90c02bae468a3a6110bafbc659884d0c4966c upstream.
+
+This patch fixes an issue that was fixed in the commit
+ df7b59ba9245 ("dm verity: fix FEC for RS roots unaligned to block size")
+but later broken again in the commit
+ 8ca7cab82bda ("dm verity fec: fix misaligned RS roots IO")
+
+If the Reed-Solomon roots setting spans multiple blocks, the code does not
+use proper parity bytes and randomly fails to repair even trivial errors.
+
+This bug cannot happen if the sector size is multiple of RS roots
+setting (Android case with roots 2).
+
+The previous solution was to find a dm-bufio block size that is multiple
+of the device sector size and roots size. Unfortunately, the optimization
+in commit 8ca7cab82bda ("dm verity fec: fix misaligned RS roots IO")
+is incorrect and uses data block size for some roots (for example, it uses
+4096 block size for roots = 20).
+
+This patch uses a different approach:
+
+ - It always uses a configured data block size for dm-bufio to avoid
+ possible misaligned IOs.
+
+ - and it caches the processed parity bytes, so it can join it
+ if it spans two blocks.
+
+As the RS calculation is called only if an error is detected and
+the process is computationally intensive, copying a few more bytes
+should not introduce performance issues.
+
+The issue was reported to cryptsetup with trivial reproducer
+ https://gitlab.com/cryptsetup/cryptsetup/-/issues/923
+
+Reproducer (with roots=20):
+
+ # create verity device with RS FEC
+ dd if=/dev/urandom of=data.img bs=4096 count=8 status=none
+ veritysetup format data.img hash.img --fec-device=fec.img --fec-roots=20 | \
+ awk '/^Root hash/{ print $3 }' >roothash
+
+ # create an erasure that should always be repairable with this roots setting
+ dd if=/dev/zero of=data.img conv=notrunc bs=1 count=4 seek=4 status=none
+
+ # try to read it through dm-verity
+ veritysetup open data.img test hash.img --fec-device=fec.img --fec-roots=20 $(cat roothash)
+ dd if=/dev/mapper/test of=/dev/null bs=4096 status=noxfer
+
+ Even now the log says it cannot repair it:
+ : verity-fec: 7:1: FEC 0: failed to correct: -74
+ : device-mapper: verity: 7:1: data block 0 is corrupted
+ ...
+
+With this fix, errors are properly repaired.
+ : verity-fec: 7:1: FEC 0: corrected 4 errors
+
+Signed-off-by: Milan Broz <gmazyland@gmail.com>
+Fixes: 8ca7cab82bda ("dm verity fec: fix misaligned RS roots IO")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-verity-fec.c | 40 ++++++++++++++++++++++++++--------------
+ 1 file changed, 26 insertions(+), 14 deletions(-)
+
+--- a/drivers/md/dm-verity-fec.c
++++ b/drivers/md/dm-verity-fec.c
+@@ -60,15 +60,19 @@ static int fec_decode_rs8(struct dm_veri
+ * to the data block. Caller is responsible for releasing buf.
+ */
+ static u8 *fec_read_parity(struct dm_verity *v, u64 rsb, int index,
+- unsigned int *offset, struct dm_buffer **buf,
+- unsigned short ioprio)
++ unsigned int *offset, unsigned int par_buf_offset,
++ struct dm_buffer **buf, unsigned short ioprio)
+ {
+ u64 position, block, rem;
+ u8 *res;
+
++ /* We have already part of parity bytes read, skip to the next block */
++ if (par_buf_offset)
++ index++;
++
+ position = (index + rsb) * v->fec->roots;
+ block = div64_u64_rem(position, v->fec->io_size, &rem);
+- *offset = (unsigned int)rem;
++ *offset = par_buf_offset ? 0 : (unsigned int)rem;
+
+ res = dm_bufio_read_with_ioprio(v->fec->bufio, block, buf, ioprio);
+ if (IS_ERR(res)) {
+@@ -128,11 +132,12 @@ static int fec_decode_bufs(struct dm_ver
+ {
+ int r, corrected = 0, res;
+ struct dm_buffer *buf;
+- unsigned int n, i, offset;
+- u8 *par, *block;
++ unsigned int n, i, offset, par_buf_offset = 0;
++ u8 *par, *block, par_buf[DM_VERITY_FEC_RSM - DM_VERITY_FEC_MIN_RSN];
+ struct bio *bio = dm_bio_from_per_bio_data(io, v->ti->per_io_data_size);
+
+- par = fec_read_parity(v, rsb, block_offset, &offset, &buf, bio_prio(bio));
++ par = fec_read_parity(v, rsb, block_offset, &offset,
++ par_buf_offset, &buf, bio_prio(bio));
+ if (IS_ERR(par))
+ return PTR_ERR(par);
+
+@@ -142,7 +147,8 @@ static int fec_decode_bufs(struct dm_ver
+ */
+ fec_for_each_buffer_rs_block(fio, n, i) {
+ block = fec_buffer_rs_block(v, fio, n, i);
+- res = fec_decode_rs8(v, fio, block, &par[offset], neras);
++ memcpy(&par_buf[par_buf_offset], &par[offset], v->fec->roots - par_buf_offset);
++ res = fec_decode_rs8(v, fio, block, par_buf, neras);
+ if (res < 0) {
+ r = res;
+ goto error;
+@@ -155,12 +161,21 @@ static int fec_decode_bufs(struct dm_ver
+ if (block_offset >= 1 << v->data_dev_block_bits)
+ goto done;
+
+- /* read the next block when we run out of parity bytes */
+- offset += v->fec->roots;
++ /* Read the next block when we run out of parity bytes */
++ offset += (v->fec->roots - par_buf_offset);
++ /* Check if parity bytes are split between blocks */
++ if (offset < v->fec->io_size && (offset + v->fec->roots) > v->fec->io_size) {
++ par_buf_offset = v->fec->io_size - offset;
++ memcpy(par_buf, &par[offset], par_buf_offset);
++ offset += par_buf_offset;
++ } else
++ par_buf_offset = 0;
++
+ if (offset >= v->fec->io_size) {
+ dm_bufio_release(buf);
+
+- par = fec_read_parity(v, rsb, block_offset, &offset, &buf, bio_prio(bio));
++ par = fec_read_parity(v, rsb, block_offset, &offset,
++ par_buf_offset, &buf, bio_prio(bio));
+ if (IS_ERR(par))
+ return PTR_ERR(par);
+ }
+@@ -724,10 +739,7 @@ int verity_fec_ctr(struct dm_verity *v)
+ return -E2BIG;
+ }
+
+- if ((f->roots << SECTOR_SHIFT) & ((1 << v->data_dev_block_bits) - 1))
+- f->io_size = 1 << v->data_dev_block_bits;
+- else
+- f->io_size = v->fec->roots << SECTOR_SHIFT;
++ f->io_size = 1 << v->data_dev_block_bits;
+
+ f->bufio = dm_bufio_client_create(f->dev->bdev,
+ f->io_size,
--- /dev/null
+From 0881fbc4fd62e00a2b8e102725f76d10351b2ea8 Mon Sep 17 00:00:00 2001
+From: Roman Li <Roman.Li@amd.com>
+Date: Fri, 13 Dec 2024 13:51:07 -0500
+Subject: drm/amd/display: Add check for granularity in dml ceil/floor helpers
+
+From: Roman Li <Roman.Li@amd.com>
+
+commit 0881fbc4fd62e00a2b8e102725f76d10351b2ea8 upstream.
+
+[Why]
+Wrapper functions for dcn_bw_ceil2() and dcn_bw_floor2()
+should check for granularity is non zero to avoid assert and
+divide-by-zero error in dcn_bw_ functions.
+
+[How]
+Add check for granularity 0.
+
+Cc: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Alvin Lee <alvin.lee2@amd.com>
+Signed-off-by: Roman Li <Roman.Li@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit f6e09701c3eb2ccb8cb0518e0b67f1c69742a4ec)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dml/dml_inline_defs.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/dc/dml/dml_inline_defs.h
++++ b/drivers/gpu/drm/amd/display/dc/dml/dml_inline_defs.h
+@@ -66,11 +66,15 @@ static inline double dml_max5(double a,
+
+ static inline double dml_ceil(double a, double granularity)
+ {
++ if (granularity == 0)
++ return 0;
+ return (double) dcn_bw_ceil2(a, granularity);
+ }
+
+ static inline double dml_floor(double a, double granularity)
+ {
++ if (granularity == 0)
++ return 0;
+ return (double) dcn_bw_floor2(a, granularity);
+ }
+
+@@ -114,11 +118,15 @@ static inline double dml_ceil_2(double f
+
+ static inline double dml_ceil_ex(double x, double granularity)
+ {
++ if (granularity == 0)
++ return 0;
+ return (double) dcn_bw_ceil2(x, granularity);
+ }
+
+ static inline double dml_floor_ex(double x, double granularity)
+ {
++ if (granularity == 0)
++ return 0;
+ return (double) dcn_bw_floor2(x, granularity);
+ }
+
--- /dev/null
+From 5009628d8509dbb90e1b88e01eda00430fa24b4b Mon Sep 17 00:00:00 2001
+From: Alex Hung <alex.hung@amd.com>
+Date: Tue, 17 Dec 2024 14:03:50 -0700
+Subject: drm/amd/display: Remove unnecessary amdgpu_irq_get/put
+
+From: Alex Hung <alex.hung@amd.com>
+
+commit 5009628d8509dbb90e1b88e01eda00430fa24b4b upstream.
+
+[WHY & HOW]
+commit 7fb363c57522 ("drm/amd/display: Let drm_crtc_vblank_on/off manage interrupts")
+lets drm_crtc_vblank_* to manage interrupts in amdgpu_dm_crtc_set_vblank,
+and amdgpu_irq_get/put do not need to be called here. Part of that
+patch got lost somehow, so fix it up.
+
+Fixes: 7fb363c57522 ("drm/amd/display: Let drm_crtc_vblank_on/off manage interrupts")
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 3782305ce5807c18fbf092124b9e8303cf1723ae)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 31 ----------------------
+ 1 file changed, 31 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -8393,16 +8393,6 @@ static void manage_dm_interrupts(struct
+ struct amdgpu_crtc *acrtc,
+ struct dm_crtc_state *acrtc_state)
+ {
+- /*
+- * We have no guarantee that the frontend index maps to the same
+- * backend index - some even map to more than one.
+- *
+- * TODO: Use a different interrupt or check DC itself for the mapping.
+- */
+- int irq_type =
+- amdgpu_display_crtc_idx_to_irq_type(
+- adev,
+- acrtc->crtc_id);
+ struct drm_vblank_crtc_config config = {0};
+ struct dc_crtc_timing *timing;
+ int offdelay;
+@@ -8428,28 +8418,7 @@ static void manage_dm_interrupts(struct
+
+ drm_crtc_vblank_on_config(&acrtc->base,
+ &config);
+-
+- amdgpu_irq_get(
+- adev,
+- &adev->pageflip_irq,
+- irq_type);
+-#if defined(CONFIG_DRM_AMD_SECURE_DISPLAY)
+- amdgpu_irq_get(
+- adev,
+- &adev->vline0_irq,
+- irq_type);
+-#endif
+ } else {
+-#if defined(CONFIG_DRM_AMD_SECURE_DISPLAY)
+- amdgpu_irq_put(
+- adev,
+- &adev->vline0_irq,
+- irq_type);
+-#endif
+- amdgpu_irq_put(
+- adev,
+- &adev->pageflip_irq,
+- irq_type);
+ drm_crtc_vblank_off(&acrtc->base);
+ }
+ }
--- /dev/null
+From aa21f333c86c8a09d39189de87abb0153d338190 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 11 Dec 2024 13:11:17 +0100
+Subject: fs: fix is_mnt_ns_file()
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit aa21f333c86c8a09d39189de87abb0153d338190 upstream.
+
+Commit 1fa08aece425 ("nsfs: convert to path_from_stashed() helper") reused
+nsfs dentry's d_fsdata, which no longer contains a pointer to
+proc_ns_operations.
+
+Fix the remaining use in is_mnt_ns_file().
+
+Fixes: 1fa08aece425 ("nsfs: convert to path_from_stashed() helper")
+Cc: stable@vger.kernel.org # v6.9
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Link: https://lore.kernel.org/r/20241211121118.85268-1-mszeredi@redhat.com
+Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/namespace.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2055,9 +2055,15 @@ SYSCALL_DEFINE1(oldumount, char __user *
+
+ static bool is_mnt_ns_file(struct dentry *dentry)
+ {
++ struct ns_common *ns;
++
+ /* Is this a proxy for a mount namespace? */
+- return dentry->d_op == &ns_dentry_operations &&
+- dentry->d_fsdata == &mntns_operations;
++ if (dentry->d_op != &ns_dentry_operations)
++ return false;
++
++ ns = d_inode(dentry)->i_private;
++
++ return ns->ops == &mntns_operations;
+ }
+
+ struct ns_common *from_mnt_ns(struct mnt_namespace *mnt)
--- /dev/null
+From 974e3fe0ac61de85015bbe5a4990cf4127b304b2 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Thu, 19 Dec 2024 12:53:01 +0100
+Subject: fs: relax assertions on failure to encode file handles
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 974e3fe0ac61de85015bbe5a4990cf4127b304b2 upstream.
+
+Encoding file handles is usually performed by a filesystem >encode_fh()
+method that may fail for various reasons.
+
+The legacy users of exportfs_encode_fh(), namely, nfsd and
+name_to_handle_at(2) syscall are ready to cope with the possibility
+of failure to encode a file handle.
+
+There are a few other users of exportfs_encode_{fh,fid}() that
+currently have a WARN_ON() assertion when ->encode_fh() fails.
+Relax those assertions because they are wrong.
+
+The second linked bug report states commit 16aac5ad1fa9 ("ovl: support
+encoding non-decodable file handles") in v6.6 as the regressing commit,
+but this is not accurate.
+
+The aforementioned commit only increases the chances of the assertion
+and allows triggering the assertion with the reproducer using overlayfs,
+inotify and drop_caches.
+
+Triggering this assertion was always possible with other filesystems and
+other reasons of ->encode_fh() failures and more particularly, it was
+also possible with the exact same reproducer using overlayfs that is
+mounted with options index=on,nfs_export=on also on kernels < v6.6.
+Therefore, I am not listing the aforementioned commit as a Fixes commit.
+
+Backport hint: this patch will have a trivial conflict applying to
+v6.6.y, and other trivial conflicts applying to stable kernels < v6.6.
+
+Reported-by: syzbot+ec07f6f5ce62b858579f@syzkaller.appspotmail.com
+Tested-by: syzbot+ec07f6f5ce62b858579f@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-unionfs/671fd40c.050a0220.4735a.024f.GAE@google.com/
+Reported-by: Dmitry Safonov <dima@arista.com>
+Closes: https://lore.kernel.org/linux-fsdevel/CAGrbwDTLt6drB9eaUagnQVgdPBmhLfqqxAf3F+Juqy_o6oP8uw@mail.gmail.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Link: https://lore.kernel.org/r/20241219115301.465396-1-amir73il@gmail.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/notify/fdinfo.c | 4 +---
+ fs/overlayfs/copy_up.c | 5 ++---
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+
+--- a/fs/notify/fdinfo.c
++++ b/fs/notify/fdinfo.c
+@@ -47,10 +47,8 @@ static void show_mark_fhandle(struct seq
+ size = f->handle_bytes >> 2;
+
+ ret = exportfs_encode_fid(inode, (struct fid *)f->f_handle, &size);
+- if ((ret == FILEID_INVALID) || (ret < 0)) {
+- WARN_ONCE(1, "Can't encode file handler for inotify: %d\n", ret);
++ if ((ret == FILEID_INVALID) || (ret < 0))
+ return;
+- }
+
+ f->handle_type = ret;
+ f->handle_bytes = size * sizeof(u32);
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -444,9 +444,8 @@ struct ovl_fh *ovl_encode_real_fh(struct
+ buflen = (dwords << 2);
+
+ err = -EIO;
+- if (WARN_ON(fh_type < 0) ||
+- WARN_ON(buflen > MAX_HANDLE_SZ) ||
+- WARN_ON(fh_type == FILEID_INVALID))
++ if (fh_type < 0 || fh_type == FILEID_INVALID ||
++ WARN_ON(buflen > MAX_HANDLE_SZ))
+ goto out_err;
+
+ fh->fb.version = OVL_FH_VERSION;
--- /dev/null
+From e8580b4c600e085b3c8e6404392de2f822d4c132 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Tue, 7 Jan 2025 17:41:21 +0900
+Subject: ksmbd: Implement new SMB3 POSIX type
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit e8580b4c600e085b3c8e6404392de2f822d4c132 upstream.
+
+As SMB3 posix extension specification, Give posix file type to posix
+mode.
+
+https://www.samba.org/~slow/SMB3_POSIX/fscc_posix_extensions.html#posix-file-type-definition
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 40 ++++++++++++++++++++++++++++++++++++++++
+ fs/smb/server/smb2pdu.h | 10 ++++++++++
+ 2 files changed, 50 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -3988,6 +3988,26 @@ static int smb2_populate_readdir_entry(s
+ posix_info->DeviceId = cpu_to_le32(ksmbd_kstat->kstat->rdev);
+ posix_info->HardLinks = cpu_to_le32(ksmbd_kstat->kstat->nlink);
+ posix_info->Mode = cpu_to_le32(ksmbd_kstat->kstat->mode & 0777);
++ switch (ksmbd_kstat->kstat->mode & S_IFMT) {
++ case S_IFDIR:
++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_DIR << POSIX_FILETYPE_SHIFT);
++ break;
++ case S_IFLNK:
++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_SYMLINK << POSIX_FILETYPE_SHIFT);
++ break;
++ case S_IFCHR:
++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_CHARDEV << POSIX_FILETYPE_SHIFT);
++ break;
++ case S_IFBLK:
++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_BLKDEV << POSIX_FILETYPE_SHIFT);
++ break;
++ case S_IFIFO:
++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_FIFO << POSIX_FILETYPE_SHIFT);
++ break;
++ case S_IFSOCK:
++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_SOCKET << POSIX_FILETYPE_SHIFT);
++ }
++
+ posix_info->Inode = cpu_to_le64(ksmbd_kstat->kstat->ino);
+ posix_info->DosAttributes =
+ S_ISDIR(ksmbd_kstat->kstat->mode) ?
+@@ -5176,6 +5196,26 @@ static int find_file_posix_info(struct s
+ file_info->AllocationSize = cpu_to_le64(stat.blocks << 9);
+ file_info->HardLinks = cpu_to_le32(stat.nlink);
+ file_info->Mode = cpu_to_le32(stat.mode & 0777);
++ switch (stat.mode & S_IFMT) {
++ case S_IFDIR:
++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_DIR << POSIX_FILETYPE_SHIFT);
++ break;
++ case S_IFLNK:
++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_SYMLINK << POSIX_FILETYPE_SHIFT);
++ break;
++ case S_IFCHR:
++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_CHARDEV << POSIX_FILETYPE_SHIFT);
++ break;
++ case S_IFBLK:
++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_BLKDEV << POSIX_FILETYPE_SHIFT);
++ break;
++ case S_IFIFO:
++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_FIFO << POSIX_FILETYPE_SHIFT);
++ break;
++ case S_IFSOCK:
++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_SOCKET << POSIX_FILETYPE_SHIFT);
++ }
++
+ file_info->DeviceId = cpu_to_le32(stat.rdev);
+
+ /*
+--- a/fs/smb/server/smb2pdu.h
++++ b/fs/smb/server/smb2pdu.h
+@@ -502,4 +502,14 @@ static inline void *smb2_get_msg(void *b
+ return buf + 4;
+ }
+
++#define POSIX_TYPE_FILE 0
++#define POSIX_TYPE_DIR 1
++#define POSIX_TYPE_SYMLINK 2
++#define POSIX_TYPE_CHARDEV 3
++#define POSIX_TYPE_BLKDEV 4
++#define POSIX_TYPE_FIFO 5
++#define POSIX_TYPE_SOCKET 6
++
++#define POSIX_FILETYPE_SHIFT 12
++
+ #endif /* _SMB2PDU_H */
--- /dev/null
+From 771ec78dc8b48d562e6015bb535ed3cd37043d78 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Wed, 8 Jan 2025 16:34:29 +0100
+Subject: mptcp: sysctl: avail sched: remove write access
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 771ec78dc8b48d562e6015bb535ed3cd37043d78 upstream.
+
+'net.mptcp.available_schedulers' sysctl knob is there to list available
+schedulers, not to modify this list.
+
+There are then no reasons to give write access to it.
+
+Nothing would have been written anyway, but no errors would have been
+returned, which is unexpected.
+
+Fixes: 73c900aa3660 ("mptcp: add net.mptcp.available_schedulers")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-1-5df34b2083e8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/ctrl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mptcp/ctrl.c b/net/mptcp/ctrl.c
+index 38d8121331d4..d9b57fab2a13 100644
+--- a/net/mptcp/ctrl.c
++++ b/net/mptcp/ctrl.c
+@@ -228,7 +228,7 @@ static struct ctl_table mptcp_sysctl_table[] = {
+ {
+ .procname = "available_schedulers",
+ .maxlen = MPTCP_SCHED_BUF_MAX,
+- .mode = 0644,
++ .mode = 0444,
+ .proc_handler = proc_available_schedulers,
+ },
+ {
+--
+2.48.0
+
--- /dev/null
+From 92cf7a51bdae24a32c592adcdd59a773ae149289 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Wed, 8 Jan 2025 16:34:31 +0100
+Subject: mptcp: sysctl: blackhole timeout: avoid using current->nsproxy
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 92cf7a51bdae24a32c592adcdd59a773ae149289 upstream.
+
+As mentioned in the previous commit, using the 'net' structure via
+'current' is not recommended for different reasons:
+
+- Inconsistency: getting info from the reader's/writer's netns vs only
+ from the opener's netns.
+
+- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
+ (null-ptr-deref), e.g. when the current task is exiting, as spotted by
+ syzbot [1] using acct(2).
+
+The 'pernet' structure can be obtained from the table->data using
+container_of().
+
+Fixes: 27069e7cb3d1 ("mptcp: disable active MPTCP in case of blackhole")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-3-5df34b2083e8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/ctrl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/mptcp/ctrl.c b/net/mptcp/ctrl.c
+index 81c30aa02196..b0dd008e2114 100644
+--- a/net/mptcp/ctrl.c
++++ b/net/mptcp/ctrl.c
+@@ -160,7 +160,9 @@ static int proc_blackhole_detect_timeout(const struct ctl_table *table,
+ int write, void *buffer, size_t *lenp,
+ loff_t *ppos)
+ {
+- struct mptcp_pernet *pernet = mptcp_get_pernet(current->nsproxy->net_ns);
++ struct mptcp_pernet *pernet = container_of(table->data,
++ struct mptcp_pernet,
++ blackhole_timeout);
+ int ret;
+
+ ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+--
+2.48.0
+
--- /dev/null
+From d38e26e36206ae3d544d496513212ae931d1da0a Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Wed, 8 Jan 2025 16:34:30 +0100
+Subject: mptcp: sysctl: sched: avoid using current->nsproxy
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit d38e26e36206ae3d544d496513212ae931d1da0a upstream.
+
+Using the 'net' structure via 'current' is not recommended for different
+reasons.
+
+First, if the goal is to use it to read or write per-netns data, this is
+inconsistent with how the "generic" sysctl entries are doing: directly
+by only using pointers set to the table entry, e.g. table->data. Linked
+to that, the per-netns data should always be obtained from the table
+linked to the netns it had been created for, which may not coincide with
+the reader's or writer's netns.
+
+Another reason is that access to current->nsproxy->netns can oops if
+attempted when current->nsproxy had been dropped when the current task
+is exiting. This is what syzbot found, when using acct(2):
+
+ Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI
+ KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
+ CPU: 1 UID: 0 PID: 5924 Comm: syz-executor Not tainted 6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+ RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125
+ Code: 03 42 80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 cc 02 00 00 4d 8b 7c 24 28 48 8d 84 24 c8 00 00
+ RSP: 0018:ffffc900034774e8 EFLAGS: 00010206
+
+ RAX: dffffc0000000000 RBX: 1ffff9200068ee9e RCX: ffffc90003477620
+ RDX: 0000000000000005 RSI: ffffffff8b08f91e RDI: 0000000000000028
+ RBP: 0000000000000001 R08: ffffc90003477710 R09: 0000000000000040
+ R10: 0000000000000040 R11: 00000000726f7475 R12: 0000000000000000
+ R13: ffffc90003477620 R14: ffffc90003477710 R15: dffffc0000000000
+ FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fee3cd452d8 CR3: 000000007d116000 CR4: 00000000003526f0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ <TASK>
+ proc_sys_call_handler+0x403/0x5d0 fs/proc/proc_sysctl.c:601
+ __kernel_write_iter+0x318/0xa80 fs/read_write.c:612
+ __kernel_write+0xf6/0x140 fs/read_write.c:632
+ do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
+ acct_pin_kill+0x2d/0x100 kernel/acct.c:192
+ pin_kill+0x194/0x7c0 fs/fs_pin.c:44
+ mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
+ cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
+ task_work_run+0x14e/0x250 kernel/task_work.c:239
+ exit_task_work include/linux/task_work.h:43 [inline]
+ do_exit+0xad8/0x2d70 kernel/exit.c:938
+ do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
+ get_signal+0x2576/0x2610 kernel/signal.c:3017
+ arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
+ exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
+ exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
+ syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
+ do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ RIP: 0033:0x7fee3cb87a6a
+ Code: Unable to access opcode bytes at 0x7fee3cb87a40.
+ RSP: 002b:00007fffcccac688 EFLAGS: 00000202 ORIG_RAX: 0000000000000037
+ RAX: 0000000000000000 RBX: 00007fffcccac710 RCX: 00007fee3cb87a6a
+ RDX: 0000000000000041 RSI: 0000000000000000 RDI: 0000000000000003
+ RBP: 0000000000000003 R08: 00007fffcccac6ac R09: 00007fffcccacac7
+ R10: 00007fffcccac710 R11: 0000000000000202 R12: 00007fee3cd49500
+ R13: 00007fffcccac6ac R14: 0000000000000000 R15: 00007fee3cd4b000
+ </TASK>
+ Modules linked in:
+ ---[ end trace 0000000000000000 ]---
+ RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125
+ Code: 03 42 80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 cc 02 00 00 4d 8b 7c 24 28 48 8d 84 24 c8 00 00
+ RSP: 0018:ffffc900034774e8 EFLAGS: 00010206
+ RAX: dffffc0000000000 RBX: 1ffff9200068ee9e RCX: ffffc90003477620
+ RDX: 0000000000000005 RSI: ffffffff8b08f91e RDI: 0000000000000028
+ RBP: 0000000000000001 R08: ffffc90003477710 R09: 0000000000000040
+ R10: 0000000000000040 R11: 00000000726f7475 R12: 0000000000000000
+ R13: ffffc90003477620 R14: ffffc90003477710 R15: dffffc0000000000
+ FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fee3cd452d8 CR3: 000000007d116000 CR4: 00000000003526f0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ ----------------
+ Code disassembly (best guess), 1 bytes skipped:
+ 0: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
+ 5: 0f 85 fe 02 00 00 jne 0x309
+ b: 4d 8b a4 24 08 09 00 mov 0x908(%r12),%r12
+ 12: 00
+ 13: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
+ 1a: fc ff df
+ 1d: 49 8d 7c 24 28 lea 0x28(%r12),%rdi
+ 22: 48 89 fa mov %rdi,%rdx
+ 25: 48 c1 ea 03 shr $0x3,%rdx
+ * 29: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
+ 2d: 0f 85 cc 02 00 00 jne 0x2ff
+ 33: 4d 8b 7c 24 28 mov 0x28(%r12),%r15
+ 38: 48 rex.W
+ 39: 8d .byte 0x8d
+ 3a: 84 24 c8 test %ah,(%rax,%rcx,8)
+
+Here with 'net.mptcp.scheduler', the 'net' structure is not really
+needed, because the table->data already has a pointer to the current
+scheduler, the only thing needed from the per-netns data.
+Simply use 'data', instead of getting (most of the time) the same thing,
+but from a longer and indirect way.
+
+Fixes: 6963c508fd7a ("mptcp: only allow set existing scheduler for net.mptcp.scheduler")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+e364f774c6f57f2c86d1@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-2-5df34b2083e8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/ctrl.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/net/mptcp/ctrl.c
++++ b/net/mptcp/ctrl.c
+@@ -102,16 +102,15 @@ static void mptcp_pernet_set_defaults(st
+ }
+
+ #ifdef CONFIG_SYSCTL
+-static int mptcp_set_scheduler(const struct net *net, const char *name)
++static int mptcp_set_scheduler(char *scheduler, const char *name)
+ {
+- struct mptcp_pernet *pernet = mptcp_get_pernet(net);
+ struct mptcp_sched_ops *sched;
+ int ret = 0;
+
+ rcu_read_lock();
+ sched = mptcp_sched_find(name);
+ if (sched)
+- strscpy(pernet->scheduler, name, MPTCP_SCHED_NAME_MAX);
++ strscpy(scheduler, name, MPTCP_SCHED_NAME_MAX);
+ else
+ ret = -ENOENT;
+ rcu_read_unlock();
+@@ -122,7 +121,7 @@ static int mptcp_set_scheduler(const str
+ static int proc_scheduler(const struct ctl_table *ctl, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+- const struct net *net = current->nsproxy->net_ns;
++ char (*scheduler)[MPTCP_SCHED_NAME_MAX] = ctl->data;
+ char val[MPTCP_SCHED_NAME_MAX];
+ struct ctl_table tbl = {
+ .data = val,
+@@ -130,11 +129,11 @@ static int proc_scheduler(const struct c
+ };
+ int ret;
+
+- strscpy(val, mptcp_get_scheduler(net), MPTCP_SCHED_NAME_MAX);
++ strscpy(val, *scheduler, MPTCP_SCHED_NAME_MAX);
+
+ ret = proc_dostring(&tbl, write, buffer, lenp, ppos);
+ if (write && ret == 0)
+- ret = mptcp_set_scheduler(net, val);
++ ret = mptcp_set_scheduler(*scheduler, val);
+
+ return ret;
+ }
--- /dev/null
+From 7f5611cbc4871c7fb1ad36c2e5a9edad63dca95c Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Wed, 8 Jan 2025 16:34:37 +0100
+Subject: rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 7f5611cbc4871c7fb1ad36c2e5a9edad63dca95c upstream.
+
+As mentioned in a previous commit of this series, using the 'net'
+structure via 'current' is not recommended for different reasons:
+
+- Inconsistency: getting info from the reader's/writer's netns vs only
+ from the opener's netns.
+
+- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
+ (null-ptr-deref), e.g. when the current task is exiting, as spotted by
+ syzbot [1] using acct(2).
+
+The per-netns structure can be obtained from the table->data using
+container_of(), then the 'net' one can be retrieved from the listen
+socket (if available).
+
+Fixes: c6a58ffed536 ("RDS: TCP: Add sysctl tunables for sndbuf/rcvbuf on rds-tcp socket")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-9-5df34b2083e8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/tcp.c | 39 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+--- a/net/rds/tcp.c
++++ b/net/rds/tcp.c
+@@ -61,8 +61,10 @@ static atomic_t rds_tcp_unloading = ATOM
+
+ static struct kmem_cache *rds_tcp_conn_slab;
+
+-static int rds_tcp_skbuf_handler(const struct ctl_table *ctl, int write,
+- void *buffer, size_t *lenp, loff_t *fpos);
++static int rds_tcp_sndbuf_handler(const struct ctl_table *ctl, int write,
++ void *buffer, size_t *lenp, loff_t *fpos);
++static int rds_tcp_rcvbuf_handler(const struct ctl_table *ctl, int write,
++ void *buffer, size_t *lenp, loff_t *fpos);
+
+ static int rds_tcp_min_sndbuf = SOCK_MIN_SNDBUF;
+ static int rds_tcp_min_rcvbuf = SOCK_MIN_RCVBUF;
+@@ -74,7 +76,7 @@ static struct ctl_table rds_tcp_sysctl_t
+ /* data is per-net pointer */
+ .maxlen = sizeof(int),
+ .mode = 0644,
+- .proc_handler = rds_tcp_skbuf_handler,
++ .proc_handler = rds_tcp_sndbuf_handler,
+ .extra1 = &rds_tcp_min_sndbuf,
+ },
+ #define RDS_TCP_RCVBUF 1
+@@ -83,7 +85,7 @@ static struct ctl_table rds_tcp_sysctl_t
+ /* data is per-net pointer */
+ .maxlen = sizeof(int),
+ .mode = 0644,
+- .proc_handler = rds_tcp_skbuf_handler,
++ .proc_handler = rds_tcp_rcvbuf_handler,
+ .extra1 = &rds_tcp_min_rcvbuf,
+ },
+ };
+@@ -682,10 +684,10 @@ static void rds_tcp_sysctl_reset(struct
+ spin_unlock_irq(&rds_tcp_conn_lock);
+ }
+
+-static int rds_tcp_skbuf_handler(const struct ctl_table *ctl, int write,
++static int rds_tcp_skbuf_handler(struct rds_tcp_net *rtn,
++ const struct ctl_table *ctl, int write,
+ void *buffer, size_t *lenp, loff_t *fpos)
+ {
+- struct net *net = current->nsproxy->net_ns;
+ int err;
+
+ err = proc_dointvec_minmax(ctl, write, buffer, lenp, fpos);
+@@ -694,11 +696,34 @@ static int rds_tcp_skbuf_handler(const s
+ *(int *)(ctl->extra1));
+ return err;
+ }
+- if (write)
++
++ if (write && rtn->rds_tcp_listen_sock && rtn->rds_tcp_listen_sock->sk) {
++ struct net *net = sock_net(rtn->rds_tcp_listen_sock->sk);
++
+ rds_tcp_sysctl_reset(net);
++ }
++
+ return 0;
+ }
+
++static int rds_tcp_sndbuf_handler(const struct ctl_table *ctl, int write,
++ void *buffer, size_t *lenp, loff_t *fpos)
++{
++ struct rds_tcp_net *rtn = container_of(ctl->data, struct rds_tcp_net,
++ sndbuf_size);
++
++ return rds_tcp_skbuf_handler(rtn, ctl, write, buffer, lenp, fpos);
++}
++
++static int rds_tcp_rcvbuf_handler(const struct ctl_table *ctl, int write,
++ void *buffer, size_t *lenp, loff_t *fpos)
++{
++ struct rds_tcp_net *rtn = container_of(ctl->data, struct rds_tcp_net,
++ rcvbuf_size);
++
++ return rds_tcp_skbuf_handler(rtn, ctl, write, buffer, lenp, fpos);
++}
++
+ static void rds_tcp_exit(void)
+ {
+ rds_tcp_set_unloading();
--- /dev/null
+From d08555758fb1dbfb48f0cb58176fdc98009e6070 Mon Sep 17 00:00:00 2001
+From: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Date: Thu, 12 Dec 2024 00:19:08 +0000
+Subject: Revert "drm/mediatek: dsi: Correct calculation formula of PHY Timing"
+
+From: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+
+commit d08555758fb1dbfb48f0cb58176fdc98009e6070 upstream.
+
+This reverts commit 417d8c47271d5cf1a705e997065873b2a9a36fd4.
+
+With that patch the panel in the Tentacruel ASUS Chromebook CM14
+(CM1402F) flickers. There are 1 or 2 times per second a black panel.
+Stable Kernel 6.11.5 and mainline 6.12-rc4 works only when reverse
+that patch.
+
+Fixes: 417d8c47271d ("drm/mediatek: dsi: Correct calculation formula of PHY Timing")
+Cc: stable@vger.kernel.org
+Cc: Shuijing Li <shuijing.li@mediatek.com>
+Reported-by: Jens Ziller <zillerbaer@gmx.de>
+Closes: https://patchwork.kernel.org/project/dri-devel/patch/20240412031208.30688-1-shuijing.li@mediatek.com/
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20241212001908.6056-1-chunkuang.hu@kernel.org/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/mediatek/mtk_dsi.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+--- a/drivers/gpu/drm/mediatek/mtk_dsi.c
++++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
+@@ -248,23 +248,22 @@ static void mtk_dsi_phy_timconfig(struct
+ u32 data_rate_mhz = DIV_ROUND_UP(dsi->data_rate, HZ_PER_MHZ);
+ struct mtk_phy_timing *timing = &dsi->phy_timing;
+
+- timing->lpx = (80 * data_rate_mhz / (8 * 1000)) + 1;
+- timing->da_hs_prepare = (59 * data_rate_mhz + 4 * 1000) / 8000 + 1;
+- timing->da_hs_zero = (163 * data_rate_mhz + 11 * 1000) / 8000 + 1 -
++ timing->lpx = (60 * data_rate_mhz / (8 * 1000)) + 1;
++ timing->da_hs_prepare = (80 * data_rate_mhz + 4 * 1000) / 8000;
++ timing->da_hs_zero = (170 * data_rate_mhz + 10 * 1000) / 8000 + 1 -
+ timing->da_hs_prepare;
+- timing->da_hs_trail = (78 * data_rate_mhz + 7 * 1000) / 8000 + 1;
++ timing->da_hs_trail = timing->da_hs_prepare + 1;
+
+- timing->ta_go = 4 * timing->lpx;
+- timing->ta_sure = 3 * timing->lpx / 2;
+- timing->ta_get = 5 * timing->lpx;
+- timing->da_hs_exit = (118 * data_rate_mhz / (8 * 1000)) + 1;
++ timing->ta_go = 4 * timing->lpx - 2;
++ timing->ta_sure = timing->lpx + 2;
++ timing->ta_get = 4 * timing->lpx;
++ timing->da_hs_exit = 2 * timing->lpx + 1;
+
+- timing->clk_hs_prepare = (57 * data_rate_mhz / (8 * 1000)) + 1;
+- timing->clk_hs_post = (65 * data_rate_mhz + 53 * 1000) / 8000 + 1;
+- timing->clk_hs_trail = (78 * data_rate_mhz + 7 * 1000) / 8000 + 1;
+- timing->clk_hs_zero = (330 * data_rate_mhz / (8 * 1000)) + 1 -
+- timing->clk_hs_prepare;
+- timing->clk_hs_exit = (118 * data_rate_mhz / (8 * 1000)) + 1;
++ timing->clk_hs_prepare = 70 * data_rate_mhz / (8 * 1000);
++ timing->clk_hs_post = timing->clk_hs_prepare + 8;
++ timing->clk_hs_trail = timing->clk_hs_prepare;
++ timing->clk_hs_zero = timing->clk_hs_trail * 4;
++ timing->clk_hs_exit = 2 * timing->clk_hs_trail;
+
+ timcon0 = FIELD_PREP(LPX, timing->lpx) |
+ FIELD_PREP(HS_PREP, timing->da_hs_prepare) |
--- /dev/null
+From 7bac65687510038390a0a54cbe14fba08d037e46 Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Date: Thu, 19 Dec 2024 22:20:41 +0530
+Subject: scsi: ufs: qcom: Power off the PHY if it was already powered on in ufs_qcom_power_up_sequence()
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+commit 7bac65687510038390a0a54cbe14fba08d037e46 upstream.
+
+PHY might already be powered on during ufs_qcom_power_up_sequence() in a
+couple of cases:
+
+ 1. During UFSHCD_QUIRK_REINIT_AFTER_MAX_GEAR_SWITCH quirk
+
+ 2. Resuming from spm_lvl = 5 suspend
+
+In those cases, it is necessary to call phy_power_off() and phy_exit() in
+ufs_qcom_power_up_sequence() function to power off the PHY before calling
+phy_init() and phy_power_on().
+
+Case (1) is doing it via ufs_qcom_reinit_notify() callback, but case (2) is
+not handled. So to satisfy both cases, call phy_power_off() and phy_exit()
+if the phy_count is non-zero. And with this change, the reinit_notify()
+callback is no longer needed.
+
+This fixes the below UFS resume failure with spm_lvl = 5:
+
+ufshcd-qcom 1d84000.ufshc: Enabling the controller failed
+ufshcd-qcom 1d84000.ufshc: Enabling the controller failed
+ufshcd-qcom 1d84000.ufshc: Enabling the controller failed
+ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5
+ufshcd-qcom 1d84000.ufshc: Enabling the controller failed
+ufshcd-qcom 1d84000.ufshc: Enabling the controller failed
+ufshcd-qcom 1d84000.ufshc: Enabling the controller failed
+ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5
+ufshcd-qcom 1d84000.ufshc: Enabling the controller failed
+ufshcd-qcom 1d84000.ufshc: Enabling the controller failed
+ufshcd-qcom 1d84000.ufshc: Enabling the controller failed
+ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5
+ufshcd-qcom 1d84000.ufshc: Enabling the controller failed
+ufshcd-qcom 1d84000.ufshc: Enabling the controller failed
+ufshcd-qcom 1d84000.ufshc: Enabling the controller failed
+ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5
+ufshcd-qcom 1d84000.ufshc: Enabling the controller failed
+ufshcd-qcom 1d84000.ufshc: Enabling the controller failed
+ufshcd-qcom 1d84000.ufshc: Enabling the controller failed
+ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5
+ufs_device_wlun 0:0:0:49488: ufshcd_wl_resume failed: -5
+ufs_device_wlun 0:0:0:49488: PM: dpm_run_callback(): scsi_bus_resume returns -5
+ufs_device_wlun 0:0:0:49488: PM: failed to resume async: error -5
+
+Cc: stable@vger.kernel.org # 6.3
+Fixes: baf5ddac90dc ("scsi: ufs: ufs-qcom: Add support for reinitializing the UFS device")
+Reported-by: Ram Kumar Dwivedi <quic_rdwivedi@quicinc.com>
+Tested-by: Amit Pundir <amit.pundir@linaro.org> # on SM8550-HDK
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8550-QRD
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20241219-ufs-qcom-suspend-fix-v3-1-63c4b95a70b9@linaro.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/core/ufshcd-priv.h | 6 ------
+ drivers/ufs/core/ufshcd.c | 1 -
+ drivers/ufs/host/ufs-qcom.c | 13 +++++--------
+ include/ufs/ufshcd.h | 2 --
+ 4 files changed, 5 insertions(+), 17 deletions(-)
+
+--- a/drivers/ufs/core/ufshcd-priv.h
++++ b/drivers/ufs/core/ufshcd-priv.h
+@@ -237,12 +237,6 @@ static inline void ufshcd_vops_config_sc
+ hba->vops->config_scaling_param(hba, p, data);
+ }
+
+-static inline void ufshcd_vops_reinit_notify(struct ufs_hba *hba)
+-{
+- if (hba->vops && hba->vops->reinit_notify)
+- hba->vops->reinit_notify(hba);
+-}
+-
+ static inline int ufshcd_vops_mcq_config_resource(struct ufs_hba *hba)
+ {
+ if (hba->vops && hba->vops->mcq_config_resource)
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -8881,7 +8881,6 @@ static int ufshcd_probe_hba(struct ufs_h
+ ufshcd_device_reset(hba);
+ ufs_put_device_desc(hba);
+ ufshcd_hba_stop(hba);
+- ufshcd_vops_reinit_notify(hba);
+ ret = ufshcd_hba_enable(hba);
+ if (ret) {
+ dev_err(hba->dev, "Host controller enable failed\n");
+--- a/drivers/ufs/host/ufs-qcom.c
++++ b/drivers/ufs/host/ufs-qcom.c
+@@ -368,6 +368,11 @@ static int ufs_qcom_power_up_sequence(st
+ if (ret)
+ return ret;
+
++ if (phy->power_count) {
++ phy_power_off(phy);
++ phy_exit(phy);
++ }
++
+ /* phy initialization - calibrate the phy */
+ ret = phy_init(phy);
+ if (ret) {
+@@ -1562,13 +1567,6 @@ static void ufs_qcom_config_scaling_para
+ }
+ #endif
+
+-static void ufs_qcom_reinit_notify(struct ufs_hba *hba)
+-{
+- struct ufs_qcom_host *host = ufshcd_get_variant(hba);
+-
+- phy_power_off(host->generic_phy);
+-}
+-
+ /* Resources */
+ static const struct ufshcd_res_info ufs_res_info[RES_MAX] = {
+ {.name = "ufs_mem",},
+@@ -1807,7 +1805,6 @@ static const struct ufs_hba_variant_ops
+ .device_reset = ufs_qcom_device_reset,
+ .config_scaling_param = ufs_qcom_config_scaling_param,
+ .program_key = ufs_qcom_ice_program_key,
+- .reinit_notify = ufs_qcom_reinit_notify,
+ .mcq_config_resource = ufs_qcom_mcq_config_resource,
+ .get_hba_mac = ufs_qcom_get_hba_mac,
+ .op_runtime_config = ufs_qcom_op_runtime_config,
+--- a/include/ufs/ufshcd.h
++++ b/include/ufs/ufshcd.h
+@@ -329,7 +329,6 @@ struct ufs_pwr_mode_info {
+ * @program_key: program or evict an inline encryption key
+ * @fill_crypto_prdt: initialize crypto-related fields in the PRDT
+ * @event_notify: called to notify important events
+- * @reinit_notify: called to notify reinit of UFSHCD during max gear switch
+ * @mcq_config_resource: called to configure MCQ platform resources
+ * @get_hba_mac: reports maximum number of outstanding commands supported by
+ * the controller. Should be implemented for UFSHCI 4.0 or later
+@@ -381,7 +380,6 @@ struct ufs_hba_variant_ops {
+ void *prdt, unsigned int num_segments);
+ void (*event_notify)(struct ufs_hba *hba,
+ enum ufs_event_type evt, void *data);
+- void (*reinit_notify)(struct ufs_hba *);
+ int (*mcq_config_resource)(struct ufs_hba *hba);
+ int (*get_hba_mac)(struct ufs_hba *hba);
+ int (*op_runtime_config)(struct ufs_hba *hba);
--- /dev/null
+From 15649fd5415eda664ef35780c2013adeb5d9c695 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Wed, 8 Jan 2025 16:34:34 +0100
+Subject: sctp: sysctl: auth_enable: avoid using current->nsproxy
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 15649fd5415eda664ef35780c2013adeb5d9c695 upstream.
+
+As mentioned in a previous commit of this series, using the 'net'
+structure via 'current' is not recommended for different reasons:
+
+- Inconsistency: getting info from the reader's/writer's netns vs only
+ from the opener's netns.
+
+- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
+ (null-ptr-deref), e.g. when the current task is exiting, as spotted by
+ syzbot [1] using acct(2).
+
+The 'net' structure can be obtained from the table->data using
+container_of().
+
+Note that table->data could also be used directly, but that would
+increase the size of this fix, while 'sctp.ctl_sock' still needs to be
+retrieved from 'net' structure.
+
+Fixes: b14878ccb7fa ("net: sctp: cache auth_enable per endpoint")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-6-5df34b2083e8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sysctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/sysctl.c
++++ b/net/sctp/sysctl.c
+@@ -499,7 +499,7 @@ static int proc_sctp_do_alpha_beta(const
+ static int proc_sctp_do_auth(const struct ctl_table *ctl, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+- struct net *net = current->nsproxy->net_ns;
++ struct net *net = container_of(ctl->data, struct net, sctp.auth_enable);
+ struct ctl_table tbl;
+ int new_value, ret;
+
--- /dev/null
+From ea62dd1383913b5999f3d16ae99d411f41b528d4 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Wed, 8 Jan 2025 16:34:32 +0100
+Subject: sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit ea62dd1383913b5999f3d16ae99d411f41b528d4 upstream.
+
+As mentioned in a previous commit of this series, using the 'net'
+structure via 'current' is not recommended for different reasons:
+
+- Inconsistency: getting info from the reader's/writer's netns vs only
+ from the opener's netns.
+
+- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
+ (null-ptr-deref), e.g. when the current task is exiting, as spotted by
+ syzbot [1] using acct(2).
+
+The 'net' structure can be obtained from the table->data using
+container_of().
+
+Note that table->data could also be used directly, as this is the only
+member needed from the 'net' structure, but that would increase the size
+of this fix, to use '*data' everywhere 'net->sctp.sctp_hmac_alg' is
+used.
+
+Fixes: 3c68198e7511 ("sctp: Make hmac algorithm selection for cookie generation dynamic")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-4-5df34b2083e8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sysctl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/sysctl.c
++++ b/net/sctp/sysctl.c
+@@ -387,7 +387,8 @@ static struct ctl_table sctp_net_table[]
+ static int proc_sctp_do_hmac_alg(const struct ctl_table *ctl, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+- struct net *net = current->nsproxy->net_ns;
++ struct net *net = container_of(ctl->data, struct net,
++ sctp.sctp_hmac_alg);
+ struct ctl_table tbl;
+ bool changed = false;
+ char *none = "none";
--- /dev/null
+From 6259d2484d0ceff42245d1f09cc8cb6ee72d847a Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Wed, 8 Jan 2025 16:34:36 +0100
+Subject: sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 6259d2484d0ceff42245d1f09cc8cb6ee72d847a upstream.
+
+As mentioned in a previous commit of this series, using the 'net'
+structure via 'current' is not recommended for different reasons:
+
+- Inconsistency: getting info from the reader's/writer's netns vs only
+ from the opener's netns.
+
+- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
+ (null-ptr-deref), e.g. when the current task is exiting, as spotted by
+ syzbot [1] using acct(2).
+
+The 'net' structure can be obtained from the table->data using
+container_of().
+
+Note that table->data could also be used directly, as this is the only
+member needed from the 'net' structure, but that would increase the size
+of this fix, to use '*data' everywhere 'net->sctp.probe_interval' is
+used.
+
+Fixes: d1e462a7a5f3 ("sctp: add probe_interval in sysctl and sock/asoc/transport")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-8-5df34b2083e8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sysctl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/sysctl.c
++++ b/net/sctp/sysctl.c
+@@ -569,7 +569,8 @@ static int proc_sctp_do_udp_port(const s
+ static int proc_sctp_do_probe_interval(const struct ctl_table *ctl, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+- struct net *net = current->nsproxy->net_ns;
++ struct net *net = container_of(ctl->data, struct net,
++ sctp.probe_interval);
+ struct ctl_table tbl;
+ int ret, new_value;
+
--- /dev/null
+From 9fc17b76fc70763780aa78b38fcf4742384044a5 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Wed, 8 Jan 2025 16:34:33 +0100
+Subject: sctp: sysctl: rto_min/max: avoid using current->nsproxy
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 9fc17b76fc70763780aa78b38fcf4742384044a5 upstream.
+
+As mentioned in a previous commit of this series, using the 'net'
+structure via 'current' is not recommended for different reasons:
+
+- Inconsistency: getting info from the reader's/writer's netns vs only
+ from the opener's netns.
+
+- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
+ (null-ptr-deref), e.g. when the current task is exiting, as spotted by
+ syzbot [1] using acct(2).
+
+The 'net' structure can be obtained from the table->data using
+container_of().
+
+Note that table->data could also be used directly, as this is the only
+member needed from the 'net' structure, but that would increase the size
+of this fix, to use '*data' everywhere 'net->sctp.rto_min/max' is used.
+
+Fixes: 4f3fdf3bc59c ("sctp: add check rto_min and rto_max in sysctl")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-5-5df34b2083e8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sysctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/sysctl.c
++++ b/net/sctp/sysctl.c
+@@ -433,7 +433,7 @@ static int proc_sctp_do_hmac_alg(const s
+ static int proc_sctp_do_rto_min(const struct ctl_table *ctl, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+- struct net *net = current->nsproxy->net_ns;
++ struct net *net = container_of(ctl->data, struct net, sctp.rto_min);
+ unsigned int min = *(unsigned int *) ctl->extra1;
+ unsigned int max = *(unsigned int *) ctl->extra2;
+ struct ctl_table tbl;
+@@ -461,7 +461,7 @@ static int proc_sctp_do_rto_min(const st
+ static int proc_sctp_do_rto_max(const struct ctl_table *ctl, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+- struct net *net = current->nsproxy->net_ns;
++ struct net *net = container_of(ctl->data, struct net, sctp.rto_max);
+ unsigned int min = *(unsigned int *) ctl->extra1;
+ unsigned int max = *(unsigned int *) ctl->extra2;
+ struct ctl_table tbl;
--- /dev/null
+From c10377bbc1972d858eaf0ab366a311b39f8ef1b6 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Wed, 8 Jan 2025 16:34:35 +0100
+Subject: sctp: sysctl: udp_port: avoid using current->nsproxy
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit c10377bbc1972d858eaf0ab366a311b39f8ef1b6 upstream.
+
+As mentioned in a previous commit of this series, using the 'net'
+structure via 'current' is not recommended for different reasons:
+
+- Inconsistency: getting info from the reader's/writer's netns vs only
+ from the opener's netns.
+
+- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
+ (null-ptr-deref), e.g. when the current task is exiting, as spotted by
+ syzbot [1] using acct(2).
+
+The 'net' structure can be obtained from the table->data using
+container_of().
+
+Note that table->data could also be used directly, but that would
+increase the size of this fix, while 'sctp.ctl_sock' still needs to be
+retrieved from 'net' structure.
+
+Fixes: 046c052b475e ("sctp: enable udp tunneling socks")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-7-5df34b2083e8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sysctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/sysctl.c
++++ b/net/sctp/sysctl.c
+@@ -528,7 +528,7 @@ static int proc_sctp_do_auth(const struc
+ static int proc_sctp_do_udp_port(const struct ctl_table *ctl, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+- struct net *net = current->nsproxy->net_ns;
++ struct net *net = container_of(ctl->data, struct net, sctp.udp_port);
+ unsigned int min = *(unsigned int *)ctl->extra1;
+ unsigned int max = *(unsigned int *)ctl->extra2;
+ struct ctl_table tbl;
netfs-fix-read-retry-for-fs-with-no-prepare_read.patch
drivers-perf-riscv-fix-platform-firmware-event-data.patch
drivers-perf-riscv-return-error-for-default-case.patch
+dm-thin-make-get_first_thin-use-rcu-safe-list-first-function.patch
+scsi-ufs-qcom-power-off-the-phy-if-it-was-already-powered-on-in-ufs_qcom_power_up_sequence.patch
+vfio-pci-fallback-huge-faults-for-unaligned-pfn.patch
+fs-relax-assertions-on-failure-to-encode-file-handles.patch
+fs-fix-is_mnt_ns_file.patch
+dm-ebs-don-t-set-the-flag-dm_target_passes_integrity.patch
+dm-verity-fec-fix-rs-fec-repair-for-roots-unaligned-to-block-size-take-2.patch
+mptcp-sysctl-avail-sched-remove-write-access.patch
+mptcp-sysctl-sched-avoid-using-current-nsproxy.patch
+mptcp-sysctl-blackhole-timeout-avoid-using-current-nsproxy.patch
+sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch
+sctp-sysctl-rto_min-max-avoid-using-current-nsproxy.patch
+sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch
+sctp-sysctl-udp_port-avoid-using-current-nsproxy.patch
+sctp-sysctl-plpmtud_probe_interval-avoid-using-current-nsproxy.patch
+rds-sysctl-rds_tcp_-rcv-snd-buf-avoid-using-current-nsproxy.patch
+ksmbd-implement-new-smb3-posix-type.patch
+btrfs-zlib-fix-avail_in-bytes-for-s390-zlib-hw-compression-path.patch
+revert-drm-mediatek-dsi-correct-calculation-formula-of-phy-timing.patch
+drm-amd-display-remove-unnecessary-amdgpu_irq_get-put.patch
+drm-amd-display-add-check-for-granularity-in-dml-ceil-floor-helpers.patch
--- /dev/null
+From 09dfc8a5f2ce897005a94bf66cca4f91e4e03700 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Thu, 2 Jan 2025 11:32:54 -0700
+Subject: vfio/pci: Fallback huge faults for unaligned pfn
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 09dfc8a5f2ce897005a94bf66cca4f91e4e03700 upstream.
+
+The PFN must also be aligned to the fault order to insert a huge
+pfnmap. Test the alignment and fallback when unaligned.
+
+Fixes: f9e54c3a2f5b ("vfio/pci: implement huge_fault support")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=219619
+Reported-by: Athul Krishna <athul.krishna.kr@protonmail.com>
+Reported-by: Precific <precification@posteo.de>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Tested-by: Precific <precification@posteo.de>
+Link: https://lore.kernel.org/r/20250102183416.1841878-1-alex.williamson@redhat.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vfio/pci/vfio_pci_core.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/drivers/vfio/pci/vfio_pci_core.c
++++ b/drivers/vfio/pci/vfio_pci_core.c
+@@ -1661,14 +1661,15 @@ static vm_fault_t vfio_pci_mmap_huge_fau
+ unsigned long pfn, pgoff = vmf->pgoff - vma->vm_pgoff;
+ vm_fault_t ret = VM_FAULT_SIGBUS;
+
+- if (order && (vmf->address & ((PAGE_SIZE << order) - 1) ||
++ pfn = vma_to_pfn(vma) + pgoff;
++
++ if (order && (pfn & ((1 << order) - 1) ||
++ vmf->address & ((PAGE_SIZE << order) - 1) ||
+ vmf->address + (PAGE_SIZE << order) > vma->vm_end)) {
+ ret = VM_FAULT_FALLBACK;
+ goto out;
+ }
+
+- pfn = vma_to_pfn(vma);
+-
+ down_read(&vdev->memory_lock);
+
+ if (vdev->pm_runtime_engaged || !__vfio_pci_memory_enabled(vdev))
+@@ -1676,18 +1677,18 @@ static vm_fault_t vfio_pci_mmap_huge_fau
+
+ switch (order) {
+ case 0:
+- ret = vmf_insert_pfn(vma, vmf->address, pfn + pgoff);
++ ret = vmf_insert_pfn(vma, vmf->address, pfn);
+ break;
+ #ifdef CONFIG_ARCH_SUPPORTS_PMD_PFNMAP
+ case PMD_ORDER:
+- ret = vmf_insert_pfn_pmd(vmf, __pfn_to_pfn_t(pfn + pgoff,
+- PFN_DEV), false);
++ ret = vmf_insert_pfn_pmd(vmf,
++ __pfn_to_pfn_t(pfn, PFN_DEV), false);
+ break;
+ #endif
+ #ifdef CONFIG_ARCH_SUPPORTS_PUD_PFNMAP
+ case PUD_ORDER:
+- ret = vmf_insert_pfn_pud(vmf, __pfn_to_pfn_t(pfn + pgoff,
+- PFN_DEV), false);
++ ret = vmf_insert_pfn_pud(vmf,
++ __pfn_to_pfn_t(pfn, PFN_DEV), false);
+ break;
+ #endif
+ default:
projects / thirdparty / kernel / stable-queue.git / commitdiff
