--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
-@@ -4928,6 +4928,7 @@ static const struct {
+@@ -4930,6 +4930,7 @@ static const struct {
*/
static int hci_dev_setup_sync(struct hci_dev *hdev)
{
int ret = 0;
bool invalid_bdaddr;
size_t i;
-@@ -4956,7 +4957,8 @@ static int hci_dev_setup_sync(struct hci
+@@ -4958,7 +4959,8 @@ static int hci_dev_setup_sync(struct hci
test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks);
if (!ret) {
if (test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks) &&
if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
-@@ -3664,6 +3664,48 @@ static int xhci_align_td(struct xhci_hcd
+@@ -3661,6 +3661,48 @@ static int xhci_align_td(struct xhci_hcd
return 1;
}
/* This is very similar to what ehci-q.c qtd_fill() does */
int xhci_queue_bulk_tx(struct xhci_hcd *xhci, gfp_t mem_flags,
struct urb *urb, int slot_id, unsigned int ep_index)
-@@ -3818,6 +3860,8 @@ int xhci_queue_bulk_tx(struct xhci_hcd *
+@@ -3815,6 +3857,8 @@ int xhci_queue_bulk_tx(struct xhci_hcd *
}
check_trb_math(urb, enqd_len);
giveback_first_trb(xhci, slot_id, ep_index, urb->stream_id,
start_cycle, start_trb);
return 0;
-@@ -3966,6 +4010,8 @@ int xhci_queue_ctrl_tx(struct xhci_hcd *
+@@ -3963,6 +4007,8 @@ int xhci_queue_ctrl_tx(struct xhci_hcd *
/* Event on completion */
field | TRB_IOC | TRB_TYPE(TRB_STATUS) | ep_ring->cycle_state);
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
-@@ -4928,7 +4928,8 @@ static const struct {
+@@ -4930,7 +4930,8 @@ static const struct {
*/
static int hci_dev_setup_sync(struct hci_dev *hdev)
{
--- /dev/null
+From 88f170814fea74911ceab798a43cbd7c5599bed4 Mon Sep 17 00:00:00 2001
+From: Marios Makassikis <mmakassikis@freebox.fr>
+Date: Wed, 15 Oct 2025 09:25:46 +0200
+Subject: [PATCH] ksmbd: fix recursive locking in RPC handle list access
+
+Since commit 305853cce3794 ("ksmbd: Fix race condition in RPC handle list
+access"), ksmbd_session_rpc_method() attempts to lock sess->rpc_lock.
+
+This causes hung connections / tasks when a client attempts to open
+a named pipe. Using Samba's rpcclient tool:
+
+ $ rpcclient //192.168.1.254 -U user%password
+ $ rpcclient $> srvinfo
+ <connection hung here>
+
+Kernel side:
+ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+ task:kworker/0:0 state:D stack:0 pid:5021 tgid:5021 ppid:2 flags:0x00200000
+ Workqueue: ksmbd-io handle_ksmbd_work
+ Call trace:
+ __schedule from schedule+0x3c/0x58
+ schedule from schedule_preempt_disabled+0xc/0x10
+ schedule_preempt_disabled from rwsem_down_read_slowpath+0x1b0/0x1d8
+ rwsem_down_read_slowpath from down_read+0x28/0x30
+ down_read from ksmbd_session_rpc_method+0x18/0x3c
+ ksmbd_session_rpc_method from ksmbd_rpc_open+0x34/0x68
+ ksmbd_rpc_open from ksmbd_session_rpc_open+0x194/0x228
+ ksmbd_session_rpc_open from create_smb2_pipe+0x8c/0x2c8
+ create_smb2_pipe from smb2_open+0x10c/0x27ac
+ smb2_open from handle_ksmbd_work+0x238/0x3dc
+ handle_ksmbd_work from process_scheduled_works+0x160/0x25c
+ process_scheduled_works from worker_thread+0x16c/0x1e8
+ worker_thread from kthread+0xa8/0xb8
+ kthread from ret_from_fork+0x14/0x38
+ Exception stack(0x8529ffb0 to 0x8529fff8)
+
+The task deadlocks because the lock is already held:
+ ksmbd_session_rpc_open
+ down_write(&sess->rpc_lock)
+ ksmbd_rpc_open
+ ksmbd_session_rpc_method
+ down_read(&sess->rpc_lock) <-- deadlock
+
+Adjust ksmbd_session_rpc_method() callers to take the lock when necessary.
+
+Fixes: 305853cce3794 ("ksmbd: Fix race condition in RPC handle list access")
+Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/mgmt/user_session.c | 7 ++-----
+ fs/smb/server/smb2pdu.c | 9 ++++++++-
+ fs/smb/server/transport_ipc.c | 12 ++++++++++++
+ 3 files changed, 22 insertions(+), 6 deletions(-)
+
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -147,14 +147,11 @@ void ksmbd_session_rpc_close(struct ksmb
+ int ksmbd_session_rpc_method(struct ksmbd_session *sess, int id)
+ {
+ struct ksmbd_session_rpc *entry;
+- int method;
+
+- down_read(&sess->rpc_lock);
++ lockdep_assert_held(&sess->rpc_lock);
+ entry = xa_load(&sess->rpc_handle_list, id);
+- method = entry ? entry->method : 0;
+- up_read(&sess->rpc_lock);
+
+- return method;
++ return entry ? entry->method : 0;
+ }
+
+ void ksmbd_session_destroy(struct ksmbd_session *sess)
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -4623,8 +4623,15 @@ static int smb2_get_info_file_pipe(struc
+ * pipe without opening it, checking error condition here
+ */
+ id = req->VolatileFileId;
+- if (!ksmbd_session_rpc_method(sess, id))
++
++ lockdep_assert_not_held(&sess->rpc_lock);
++
++ down_read(&sess->rpc_lock);
++ if (!ksmbd_session_rpc_method(sess, id)) {
++ up_read(&sess->rpc_lock);
+ return -ENOENT;
++ }
++ up_read(&sess->rpc_lock);
+
+ ksmbd_debug(SMB, "FileInfoClass %u, FileId 0x%llx\n",
+ req->FileInfoClass, req->VolatileFileId);
+--- a/fs/smb/server/transport_ipc.c
++++ b/fs/smb/server/transport_ipc.c
+@@ -825,6 +825,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_writ
+ if (!msg)
+ return NULL;
+
++ lockdep_assert_not_held(&sess->rpc_lock);
++
++ down_read(&sess->rpc_lock);
+ msg->type = KSMBD_EVENT_RPC_REQUEST;
+ req = (struct ksmbd_rpc_command *)msg->payload;
+ req->handle = handle;
+@@ -833,6 +836,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_writ
+ req->flags |= KSMBD_RPC_WRITE_METHOD;
+ req->payload_sz = payload_sz;
+ memcpy(req->payload, payload, payload_sz);
++ up_read(&sess->rpc_lock);
+
+ resp = ipc_msg_send_request(msg, req->handle);
+ ipc_msg_free(msg);
+@@ -849,6 +853,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_read
+ if (!msg)
+ return NULL;
+
++ lockdep_assert_not_held(&sess->rpc_lock);
++
++ down_read(&sess->rpc_lock);
+ msg->type = KSMBD_EVENT_RPC_REQUEST;
+ req = (struct ksmbd_rpc_command *)msg->payload;
+ req->handle = handle;
+@@ -856,6 +863,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_read
+ req->flags |= rpc_context_flags(sess);
+ req->flags |= KSMBD_RPC_READ_METHOD;
+ req->payload_sz = 0;
++ up_read(&sess->rpc_lock);
+
+ resp = ipc_msg_send_request(msg, req->handle);
+ ipc_msg_free(msg);
+@@ -876,6 +884,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioct
+ if (!msg)
+ return NULL;
+
++ lockdep_assert_not_held(&sess->rpc_lock);
++
++ down_read(&sess->rpc_lock);
+ msg->type = KSMBD_EVENT_RPC_REQUEST;
+ req = (struct ksmbd_rpc_command *)msg->payload;
+ req->handle = handle;
+@@ -884,6 +895,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioct
+ req->flags |= KSMBD_RPC_IOCTL_METHOD;
+ req->payload_sz = payload_sz;
+ memcpy(req->payload, payload, payload_sz);
++ up_read(&sess->rpc_lock);
+
+ resp = ipc_msg_send_request(msg, req->handle);
+ ipc_msg_free(msg);
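Review bot: In the user_session.c hunk of the added patch, `ksmbd_session_rpc_method()` now depends only on `lockdep_assert_held(&sess->rpc_lock)`, which checks nothing unless lockdep is enabled, so on a production kernel a caller that omits the lock performs an unlocked `xa_load()` and `entry->method` read, which looks like the race 305853cce3794 was meant to close. The patch adds the lock in `smb2_get_info_file_pipe()` and in the `ksmbd_rpc_write`/`read`/`ioctl` hunks, and the commit message shows `ksmbd_rpc_open()` running under the write lock, but any other caller (none is visible in these hunks) should be checked to hold it before this backport is relied on. I would state the contract on the function itself with a comment such as `/* Caller must hold sess->rpc_lock (read or write); the lockdep assert is debug-only. */`. The read-side sections in transport_ipc.c also span the `memcpy()` of the payload, although only the handle lookup appears to need the lock; those function bodies start and end outside the hunks, so that part is inferred.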
+++ /dev/null
-From d8b6dc9256762293048bf122fc11c4e612d0ef5d Mon Sep 17 00:00:00 2001
-From: Namjae Jeon <linkinjeon@kernel.org>
-Date: Wed, 1 Oct 2025 09:25:35 +0900
-Subject: ksmbd: add max ip connections parameter
-
-This parameter set the maximum number of connections per ip address.
-The default is 8.
-
-Cc: stable@vger.kernel.org
-Fixes: c0d41112f1a5 ("ksmbd: extend the connection limiting mechanism to support IPv6")
-Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
----
- fs/smb/server/ksmbd_netlink.h | 5 +++--
- fs/smb/server/server.h | 1 +
- fs/smb/server/transport_ipc.c | 3 +++
- fs/smb/server/transport_tcp.c | 27 ++++++++++++++++-----------
- 4 files changed, 23 insertions(+), 13 deletions(-)
-
-(limited to 'fs/smb')
-
---- a/fs/smb/server/ksmbd_netlink.h
-+++ b/fs/smb/server/ksmbd_netlink.h
-@@ -112,10 +112,11 @@ struct ksmbd_startup_request {
- __u32 smbd_max_io_size; /* smbd read write size */
- __u32 max_connections; /* Number of maximum simultaneous connections */
- __s8 bind_interfaces_only;
-- __s8 reserved[503]; /* Reserved room */
-+ __u32 max_ip_connections; /* Number of maximum connection per ip address */
-+ __s8 reserved[499]; /* Reserved room */
- __u32 ifc_list_sz; /* interfaces list size */
- __s8 ____payload[];
--};
-+} __packed;
-
- #define KSMBD_STARTUP_CONFIG_INTERFACES(s) ((s)->____payload)
-
---- a/fs/smb/server/server.h
-+++ b/fs/smb/server/server.h
-@@ -43,6 +43,7 @@ struct ksmbd_server_config {
- unsigned int auth_mechs;
- unsigned int max_connections;
- unsigned int max_inflight_req;
-+ unsigned int max_ip_connections;
-
- char *conf[SERVER_CONF_WORK_GROUP + 1];
- struct task_struct *dh_task;
---- a/fs/smb/server/transport_ipc.c
-+++ b/fs/smb/server/transport_ipc.c
-@@ -335,6 +335,9 @@ static int ipc_server_config_on_startup(
- if (req->max_connections)
- server_conf.max_connections = req->max_connections;
-
-+ if (req->max_ip_connections)
-+ server_conf.max_ip_connections = req->max_ip_connections;
-+
- ret = ksmbd_set_netbios_name(req->netbios_name);
- ret |= ksmbd_set_server_string(req->server_string);
- ret |= ksmbd_set_work_group(req->work_group);
---- a/fs/smb/server/transport_tcp.c
-+++ b/fs/smb/server/transport_tcp.c
-@@ -240,6 +240,7 @@ static int ksmbd_kthread_fn(void *p)
- struct interface *iface = (struct interface *)p;
- struct ksmbd_conn *conn;
- int ret;
-+ unsigned int max_ip_conns;
-
- while (!kthread_should_stop()) {
- mutex_lock(&iface->sock_release_lock);
-@@ -257,34 +258,38 @@ static int ksmbd_kthread_fn(void *p)
- continue;
- }
-
-+ if (!server_conf.max_ip_connections)
-+ goto skip_max_ip_conns_limit;
-+
- /*
- * Limits repeated connections from clients with the same IP.
- */
-+ max_ip_conns = 0;
- down_read(&conn_list_lock);
-- list_for_each_entry(conn, &conn_list, conns_list)
-+ list_for_each_entry(conn, &conn_list, conns_list) {
- #if IS_ENABLED(CONFIG_IPV6)
- if (client_sk->sk->sk_family == AF_INET6) {
- if (memcmp(&client_sk->sk->sk_v6_daddr,
-- &conn->inet6_addr, 16) == 0) {
-- ret = -EAGAIN;
-- break;
-- }
-+ &conn->inet6_addr, 16) == 0)
-+ max_ip_conns++;
- } else if (inet_sk(client_sk->sk)->inet_daddr ==
-- conn->inet_addr) {
-- ret = -EAGAIN;
-- break;
-- }
-+ conn->inet_addr)
-+ max_ip_conns++;
- #else
- if (inet_sk(client_sk->sk)->inet_daddr ==
-- conn->inet_addr) {
-+ conn->inet_addr)
-+ max_ip_conns++;
-+#endif
-+ if (server_conf.max_ip_connections <= max_ip_conns) {
- ret = -EAGAIN;
- break;
- }
--#endif
-+ }
- up_read(&conn_list_lock);
- if (ret == -EAGAIN)
- continue;
-
-+skip_max_ip_conns_limit:
- if (server_conf.max_connections &&
- atomic_inc_return(&active_num_conn) >= server_conf.max_connections) {
- pr_info_ratelimited("Limit the maximum number of connections(%u)\n",
--- a/init/Kconfig
+++ b/init/Kconfig
-@@ -2062,7 +2062,7 @@ config PADATA
+@@ -2063,7 +2063,7 @@ config PADATA
bool
config ASN1
-LINUX_VERSION-6.12 = .52
-LINUX_KERNEL_HASH-6.12.52 = b4850cf670a032c70f38b713a27d62046c5f747caf028c5f50b18f98606a9eb1
+LINUX_VERSION-6.12 = .53
+LINUX_KERNEL_HASH-6.12.53 = 663507accae673afcf4e210b4ae8d4352e61d926202e5da3f04bf71ca1d2c0b5
--- a/init/Kconfig
+++ b/init/Kconfig
-@@ -1533,6 +1533,17 @@ config SYSCTL_ARCH_UNALIGN_ALLOW
+@@ -1534,6 +1534,17 @@ config SYSCTL_ARCH_UNALIGN_ALLOW
the unaligned access emulation.
see arch/parisc/kernel/unaligned.c for reference
--- a/init/Kconfig
+++ b/init/Kconfig
-@@ -1887,6 +1887,15 @@ config ARCH_HAS_MEMBARRIER_CALLBACKS
+@@ -1888,6 +1888,15 @@ config ARCH_HAS_MEMBARRIER_CALLBACKS
config ARCH_HAS_MEMBARRIER_SYNC_CORE
bool
--- a/drivers/char/hw_random/Kconfig
+++ b/drivers/char/hw_random/Kconfig
-@@ -451,6 +451,23 @@ config HW_RANDOM_MTK
+@@ -452,6 +452,23 @@ config HW_RANDOM_MTK
If unsure, say Y.
/**
* qcom_q6v5_wait_for_start() - wait for remote processor start signal
-@@ -177,7 +179,17 @@ static irqreturn_t q6v5_handover_interru
+@@ -174,7 +176,17 @@ static irqreturn_t q6v5_handover_interru
return IRQ_HANDLED;
}
{
struct qcom_q6v5 *q6v5 = data;
-@@ -185,6 +197,7 @@ static irqreturn_t q6v5_stop_interrupt(i
+@@ -182,6 +194,7 @@ static irqreturn_t q6v5_stop_interrupt(i
return IRQ_HANDLED;
}
/**
* qcom_q6v5_request_stop() - request the remote processor to stop
-@@ -215,6 +228,28 @@ int qcom_q6v5_request_stop(struct qcom_q
+@@ -212,6 +225,28 @@ int qcom_q6v5_request_stop(struct qcom_q
EXPORT_SYMBOL_GPL(qcom_q6v5_request_stop);
/**
--- a/drivers/char/hw_random/Kconfig
+++ b/drivers/char/hw_random/Kconfig
-@@ -580,7 +580,8 @@ config HW_RANDOM_ROCKCHIP
+@@ -581,7 +581,8 @@ config HW_RANDOM_ROCKCHIP
default HW_RANDOM
help
This driver provides kernel-side support for the True Random Number
struct combphy_reg pipe_clk_25m;
struct combphy_reg pipe_clk_100m;
struct combphy_reg pipe_phymode_sel;
-@@ -587,6 +602,266 @@ static const struct rockchip_combphy_cfg
+@@ -599,6 +614,266 @@ static const struct rockchip_combphy_cfg
.combphy_cfg = rk3568_combphy_cfg,
};
static int rk3588_combphy_cfg(struct rockchip_combphy_priv *priv)
{
const struct rockchip_combphy_grfcfg *cfg = priv->cfg->grfcfg;
-@@ -779,6 +1054,10 @@ static const struct of_device_id rockchi
+@@ -791,6 +1066,10 @@ static const struct of_device_id rockchi
.data = &rk3568_combphy_cfgs,
},
{
--- a/drivers/char/hw_random/Kconfig
+++ b/drivers/char/hw_random/Kconfig
-@@ -322,6 +322,19 @@ config HW_RANDOM_POWERNV
+@@ -323,6 +323,19 @@ config HW_RANDOM_POWERNV
If unsure, say Y.