From: Greg Kroah-Hartman Date: Fri, 9 May 2025 08:14:00 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v5.15.183~81 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=48428a8e902d7cce7293191805b01106366ddec9;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch can-rockchip_canfd-rkcanfd_remove-fix-order-of-unregistration-calls.patch dm-add-missing-unlock-on-in-dm_keyslot_evict.patch firmware-arm_scmi-fix-timeout-checks-on-polling-path.patch fs-erofs-fileio-call-erofs_onlinefolio_split-after-bio_add_folio.patch ksmbd-fix-uaf-in-__close_file_table_ids.patch ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch ksmbd-prevent-rename-with-empty-string.patch revert-btrfs-canonicalize-the-device-path-before-adding-it.patch s390-pci-fix-duplicate-pci_dev_put-in-disable_slot-when-pf-has-child-vfs.patch s390-pci-fix-missing-check-for-zpci_create_device-error-return.patch series vfio-pci-align-huge-faults-to-order.patch wifi-cfg80211-fix-out-of-bounds-access-during-multi-link-element-defragmentation.patch --- diff --git a/queue-6.12/arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch b/queue-6.12/arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch new file mode 100644 index 0000000000..3af3786a15 --- /dev/null +++ b/queue-6.12/arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch 
@@ -0,0 +1,112 @@ +From 5591ce0069ddda97cdbbea596bed53e698f399c2 Mon Sep 17 00:00:00 2001 +From: Wojciech Dubowik +Date: Thu, 24 Apr 2025 11:59:14 +0200 +Subject: arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 + +From: Wojciech Dubowik + +commit 5591ce0069ddda97cdbbea596bed53e698f399c2 upstream. + +Define vqmmc regulator-gpio for usdhc2 with vin-supply +coming from LDO5. + +Without this definition LDO5 will be powered down, disabling +SD card after bootup. This has been introduced in commit +f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5"). + +Fixes: 6a57f224f734 ("arm64: dts: freescale: add initial support for verdin imx8m mini") +Fixes: f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5") +Tested-by: Manuel Traut +Reviewed-by: Philippe Schenker +Tested-by: Francesco Dolcini +Reviewed-by: Francesco Dolcini +Cc: stable@vger.kernel.org +Signed-off-by: Wojciech Dubowik +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 ++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi +@@ -165,6 +165,19 @@ + startup-delay-us = <20000>; + }; + ++ reg_usdhc2_vqmmc: regulator-usdhc2-vqmmc { ++ compatible = "regulator-gpio"; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&pinctrl_usdhc2_vsel>; ++ gpios = <&gpio1 4 GPIO_ACTIVE_HIGH>; ++ regulator-max-microvolt = <3300000>; ++ regulator-min-microvolt = <1800000>; ++ states = <1800000 0x1>, ++ <3300000 0x0>; ++ regulator-name = "PMIC_USDHC_VSELECT"; ++ vin-supply = <®_nvcc_sd>; ++ }; ++ + reserved-memory { + #address-cells = <2>; + #size-cells = <2>; +@@ -290,7 +303,7 @@ + "SODIMM_19", + "", + "", +- "", ++ "PMIC_USDHC_VSELECT", + "", + "", + "", +@@ -801,6 +814,7 @@ + pinctrl-2 = <&pinctrl_usdhc2_200mhz>, <&pinctrl_usdhc2_cd>; + pinctrl-3 = <&pinctrl_usdhc2_sleep>, <&pinctrl_usdhc2_cd_sleep>; 
+ vmmc-supply = <®_usdhc2_vmmc>; ++ vqmmc-supply = <®_usdhc2_vqmmc>; + }; + + &wdog1 { +@@ -1222,13 +1236,17 @@ + ; /* SODIMM 76 */ + }; + ++ pinctrl_usdhc2_vsel: usdhc2vselgrp { ++ fsl,pins = ++ ; /* PMIC_USDHC_VSELECT */ ++ }; ++ + /* + * Note: Due to ERR050080 we use discrete external on-module resistors pulling-up to the + * on-module +V3.3_1.8_SD (LDO5) rail and explicitly disable the internal pull-ups here. + */ + pinctrl_usdhc2: usdhc2grp { + fsl,pins = +- , + , /* SODIMM 78 */ + , /* SODIMM 74 */ + , /* SODIMM 80 */ +@@ -1239,7 +1257,6 @@ + + pinctrl_usdhc2_100mhz: usdhc2-100mhzgrp { + fsl,pins = +- , + , + , + , +@@ -1250,7 +1267,6 @@ + + pinctrl_usdhc2_200mhz: usdhc2-200mhzgrp { + fsl,pins = +- , + , + , + , +@@ -1262,7 +1278,6 @@ + /* Avoid backfeeding with removed card power */ + pinctrl_usdhc2_sleep: usdhc2slpgrp { + fsl,pins = +- , + , + , + , diff --git a/queue-6.12/can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch b/queue-6.12/can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch new file mode 100644 index 0000000000..918340d3e1 --- /dev/null +++ b/queue-6.12/can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch 
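Review bot: As rendered here the DTS hunks have lost their angle-bracket values — `fsl,pins =` is followed directly by `;` in the new `pinctrl_usdhc2_vsel` group and in the four `- ,` removals, and `vin-supply = <®_nvcc_sd>` has had `&reg_` mangled into `®_`. If that is the text stored in the queue file the patch cannot apply, let alone compile; more likely it is an extraction artifact of this copy, so check the raw queue-6.12 file before relying on what is shown here. The regulator node and the `vqmmc-supply` link themselves read consistently with the commit message, but nothing below the new node can be verified from this rendering.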
@@ -0,0 +1,45 @@
+From 0713a1b3276b98c7dafbeefef00d7bc3a9119a84 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Fri, 2 May 2025 16:13:46 +0200
+Subject: can: mcan: m_can_class_unregister(): fix order of unregistration calls
+
+From: Marc Kleine-Budde
+
+commit 0713a1b3276b98c7dafbeefef00d7bc3a9119a84 upstream.
+
+If a driver is removed, the driver framework invokes the driver's
+remove callback. A CAN driver's remove function calls
+unregister_candev(), which calls net_device_ops::ndo_stop further down
+in the call stack for interfaces which are in the "up" state.
+
+The removal of the module causes a warning, as can_rx_offload_del()
+deletes the NAPI, while it is still active, because the interface is
+still up.
+
+To fix the warning, first unregister the network interface, which
+calls net_device_ops::ndo_stop, which disables the NAPI, and then call
+can_rx_offload_del().
+
+Fixes: 1be37d3b0414 ("can: m_can: fix periph RX path: use rx-offload to ensure skbs are sent from softirq context")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250502-can-rx-offload-del-v1-3-59a9b131589d@pengutronix.de
+Reviewed-by: Markus Schneider-Pargmann
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/m_can/m_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -2456,9 +2456,9 @@ EXPORT_SYMBOL_GPL(m_can_class_register);
+
+ void m_can_class_unregister(struct m_can_classdev *cdev)
+ {
++ unregister_candev(cdev->net);
+ if (cdev->is_peripheral)
+ can_rx_offload_del(&cdev->offload);
+- unregister_candev(cdev->net);
+ }
+ EXPORT_SYMBOL_GPL(m_can_class_unregister);
+
diff --git a/queue-6.12/can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch b/queue-6.12/can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch
new file mode 100644
index 0000000000..f052272d9e
--- /dev/null
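Review bot: The new ordering in `m_can_class_unregister()` is correct but silent: nothing in the code records that `unregister_candev()` must run before `can_rx_offload_del()`, so a later cleanup could swap the two calls back and reintroduce the NAPI warning the commit message describes. Add a one-line comment above the moved call, e.g. `/* ndo_stop (via unregister_candev) disables NAPI; delete rx-offload only afterwards */`. The same applies to the mcp251xfd_remove() hunk in the next file and the rkcanfd_remove() hunk in the file after it, which make the identical reorder without a comment.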
+++ b/queue-6.12/can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch @@ -0,0 +1,47 @@ +From 84f5eb833f53ae192baed4cfb8d9eaab43481fc9 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Fri, 2 May 2025 16:13:44 +0200 +Subject: can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls + +From: Marc Kleine-Budde + +commit 84f5eb833f53ae192baed4cfb8d9eaab43481fc9 upstream. + +If a driver is removed, the driver framework invokes the driver's +remove callback. A CAN driver's remove function calls +unregister_candev(), which calls net_device_ops::ndo_stop further down +in the call stack for interfaces which are in the "up" state. + +With the mcp251xfd driver the removal of the module causes the +following warning: + +| WARNING: CPU: 0 PID: 352 at net/core/dev.c:7342 __netif_napi_del_locked+0xc8/0xd8 + +as can_rx_offload_del() deletes the NAPI, while it is still active, +because the interface is still up. + +To fix the warning, first unregister the network interface, which +calls net_device_ops::ndo_stop, which disables the NAPI, and then call +can_rx_offload_del(). + +Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250502-can-rx-offload-del-v1-1-59a9b131589d@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c +@@ -2174,8 +2174,8 @@ static void mcp251xfd_remove(struct spi_ + struct mcp251xfd_priv *priv = spi_get_drvdata(spi); + struct net_device *ndev = priv->ndev; + +- can_rx_offload_del(&priv->offload); + mcp251xfd_unregister(priv); ++ can_rx_offload_del(&priv->offload); + spi->max_speed_hz = priv->spi_max_speed_hz_orig; + free_candev(ndev); + } 
diff --git a/queue-6.12/can-rockchip_canfd-rkcanfd_remove-fix-order-of-unregistration-calls.patch b/queue-6.12/can-rockchip_canfd-rkcanfd_remove-fix-order-of-unregistration-calls.patch new file mode 100644 index 0000000000..0693a8394f --- /dev/null +++ b/queue-6.12/can-rockchip_canfd-rkcanfd_remove-fix-order-of-unregistration-calls.patch 
@@ -0,0 +1,44 @@
+From 037ada7a3181300218e4fd78bef6a741cfa7f808 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Fri, 2 May 2025 16:13:45 +0200
+Subject: can: rockchip_canfd: rkcanfd_remove(): fix order of unregistration calls
+
+From: Marc Kleine-Budde
+
+commit 037ada7a3181300218e4fd78bef6a741cfa7f808 upstream.
+
+If a driver is removed, the driver framework invokes the driver's
+remove callback. A CAN driver's remove function calls
+unregister_candev(), which calls net_device_ops::ndo_stop further down
+in the call stack for interfaces which are in the "up" state.
+
+The removal of the module causes a warning, as can_rx_offload_del()
+deletes the NAPI, while it is still active, because the interface is
+still up.
+
+To fix the warning, first unregister the network interface, which
+calls net_device_ops::ndo_stop, which disables the NAPI, and then call
+can_rx_offload_del().
+
+Fixes: ff60bfbaf67f ("can: rockchip_canfd: add driver for Rockchip CAN-FD controller")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250502-can-rx-offload-del-v1-2-59a9b131589d@pengutronix.de
+Reviewed-by: Markus Schneider-Pargmann
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/rockchip/rockchip_canfd-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/rockchip/rockchip_canfd-core.c
++++ b/drivers/net/can/rockchip/rockchip_canfd-core.c
+@@ -942,8 +942,8 @@ static void rkcanfd_remove(struct platfo
+ struct rkcanfd_priv *priv = platform_get_drvdata(pdev);
+ struct net_device *ndev = priv->ndev;
+
+- can_rx_offload_del(&priv->offload);
+ rkcanfd_unregister(priv);
++ can_rx_offload_del(&priv->offload);
+ free_candev(ndev);
+ }
+
diff --git a/queue-6.12/dm-add-missing-unlock-on-in-dm_keyslot_evict.patch b/queue-6.12/dm-add-missing-unlock-on-in-dm_keyslot_evict.patch
new file mode 100644
index 0000000000..aed7119f1e
--- /dev/null
+++ b/queue-6.12/dm-add-missing-unlock-on-in-dm_keyslot_evict.patch
@@ -0,0 +1,40 @@
+From 650266ac4c7230c89bcd1307acf5c9c92cfa85e2 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 30 Apr 2025 11:05:54 +0300
+Subject: dm: add missing unlock on in dm_keyslot_evict()
+
+From: Dan Carpenter
+
+commit 650266ac4c7230c89bcd1307acf5c9c92cfa85e2 upstream.
+
+We need to call dm_put_live_table() even if dm_get_live_table() returns
+NULL.
+
+Fixes: 9355a9eb21a5 ("dm: support key eviction from keyslot managers of underlying devices")
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Dan Carpenter
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-table.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -1183,7 +1183,7 @@ static int dm_keyslot_evict(struct blk_c
+
+ t = dm_get_live_table(md, &srcu_idx);
+ if (!t)
+- return 0;
++ goto put_live_table;
+
+ for (unsigned int i = 0; i < t->num_targets; i++) {
+ struct dm_target *ti = dm_table_get_target(t, i);
+@@ -1194,6 +1194,7 @@ static int dm_keyslot_evict(struct blk_c
+ (void *)key);
+ }
+
++put_live_table:
+ dm_put_live_table(md, srcu_idx);
+ return 0;
+ }
diff --git a/queue-6.12/firmware-arm_scmi-fix-timeout-checks-on-polling-path.patch b/queue-6.12/firmware-arm_scmi-fix-timeout-checks-on-polling-path.patch
new file mode 100644
index 0000000000..53e6bb39fb
--- /dev/null
+++ b/queue-6.12/firmware-arm_scmi-fix-timeout-checks-on-polling-path.patch
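Review bot: The `goto put_live_table` on the NULL path depends on `dm_put_live_table()` being both safe and required after `dm_get_live_table()` returned NULL, which only the commit message states; a reader who sees a put paired with a failed lookup may "simplify" it back to `return 0;` and reintroduce the leaked SRCU read side (`srcu_idx` is visible in the call). Add a comment at the label, e.g. `/* dm_get_live_table() must always be paired with dm_put_live_table(), even when it returns NULL */`, so the pairing is explicit in the code. dm_keyslot_evict() begins before the first hunk.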
@@ -0,0 +1,73 @@ +From c23c03bf1faa1e76be1eba35bad6da6a2a7c95ee Mon Sep 17 00:00:00 2001 +From: Cristian Marussi +Date: Mon, 10 Mar 2025 17:58:00 +0000 +Subject: firmware: arm_scmi: Fix timeout checks on polling path + +From: Cristian Marussi + +commit c23c03bf1faa1e76be1eba35bad6da6a2a7c95ee upstream. + +Polling mode transactions wait for a reply busy-looping without holding a +spinlock, but currently the timeout checks are based only on elapsed time: +as a result we could hit a false positive whenever our busy-looping thread +is pre-empted and scheduled out for a time greater than the polling +timeout. + +Change the checks at the end of the busy-loop to make sure that the polling +wasn't indeed successful or an out-of-order reply caused the polling to be +forcibly terminated. + +Fixes: 31d2f803c19c ("firmware: arm_scmi: Add sync_cmds_completed_on_ret transport flag") +Reported-by: Huangjie +Closes: https://lore.kernel.org/arm-scmi/20250123083323.2363749-1-jackhuang021@gmail.com/ +Signed-off-by: Cristian Marussi +Cc: stable@vger.kernel.org # 5.18.x +Message-Id: <20250310175800.1444293-1-cristian.marussi@arm.com> +Signed-off-by: Sudeep Holla +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/arm_scmi/driver.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/firmware/arm_scmi/driver.c ++++ b/drivers/firmware/arm_scmi/driver.c +@@ -1219,7 +1219,8 @@ static void xfer_put(const struct scmi_p + } + + static bool scmi_xfer_done_no_timeout(struct scmi_chan_info *cinfo, +- struct scmi_xfer *xfer, ktime_t stop) ++ struct scmi_xfer *xfer, ktime_t stop, ++ bool *ooo) + { + struct scmi_info *info = handle_to_scmi_info(cinfo->handle); + +@@ -1228,7 +1229,7 @@ static bool scmi_xfer_done_no_timeout(st + * in case of out-of-order receptions of delayed responses + */ + return info->desc->ops->poll_done(cinfo, xfer) || +- try_wait_for_completion(&xfer->done) || ++ (*ooo = try_wait_for_completion(&xfer->done)) || + ktime_after(ktime_get(), 
stop); + } + +@@ -1245,15 +1246,17 @@ static int scmi_wait_for_reply(struct de + * itself to support synchronous commands replies. + */ + if (!desc->sync_cmds_completed_on_ret) { ++ bool ooo = false; ++ + /* + * Poll on xfer using transport provided .poll_done(); + * assumes no completion interrupt was available. + */ + ktime_t stop = ktime_add_ms(ktime_get(), timeout_ms); + +- spin_until_cond(scmi_xfer_done_no_timeout(cinfo, +- xfer, stop)); +- if (ktime_after(ktime_get(), stop)) { ++ spin_until_cond(scmi_xfer_done_no_timeout(cinfo, xfer, ++ stop, &ooo)); ++ if (!ooo && !info->desc->ops->poll_done(cinfo, xfer)) { + dev_err(dev, + "timed out in resp(caller: %pS) - polling\n", + (void *)_RET_IP_); diff --git a/queue-6.12/fs-erofs-fileio-call-erofs_onlinefolio_split-after-bio_add_folio.patch b/queue-6.12/fs-erofs-fileio-call-erofs_onlinefolio_split-after-bio_add_folio.patch new file mode 100644 index 0000000000..9febdc6fa2 --- /dev/null +++ b/queue-6.12/fs-erofs-fileio-call-erofs_onlinefolio_split-after-bio_add_folio.patch 
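Review bot: The post-loop check in scmi_wait_for_reply() calls `info->desc->ops->poll_done(cinfo, xfer)` a second time after `spin_until_cond()` may already have returned true on it; that is only correct if `poll_done` is side-effect free and stays true once the reply has landed, which the hunk cannot show — worth confirming against each transport's implementation before the backport is taken. The `ooo` flag is set as a side effect inside the boolean chain `(*ooo = try_wait_for_completion(&xfer->done))`, and because of short-circuiting it can only become true on an iteration where `poll_done` returned false; a comment on its declaration such as `/* set when the reply was delivered via the completion path (out-of-order) rather than by polling */` would spare the next reader that analysis. The first hunk changes scmi_xfer_done_no_timeout()'s signature, and scmi_wait_for_reply() continues outside the second hunk.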
@@ -0,0 +1,70 @@ +From bbfe756dc3062c1e934f06e5ba39c239aa953b92 Mon Sep 17 00:00:00 2001 +From: Max Kellermann +Date: Tue, 29 Apr 2025 01:09:33 +0200 +Subject: fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio() + +From: Max Kellermann + +commit bbfe756dc3062c1e934f06e5ba39c239aa953b92 upstream. + +If bio_add_folio() fails (because it is full), +erofs_fileio_scan_folio() needs to submit the I/O request via +erofs_fileio_rq_submit() and allocate a new I/O request with an empty +`struct bio`. Then it retries the bio_add_folio() call. + +However, at this point, erofs_onlinefolio_split() has already been +called which increments `folio->private`; the retry will call +erofs_onlinefolio_split() again, but there will never be a matching +erofs_onlinefolio_end() call. This leaves the folio locked forever +and all waiters will be stuck in folio_wait_bit_common(). + +This bug has been added by commit ce63cb62d794 ("erofs: support +unencoded inodes for fileio"), but was practically unreachable because +there was room for 256 folios in the `struct bio` - until commit +9f74ae8c9ac9 ("erofs: shorten bvecs[] for file-backed mounts") which +reduced the array capacity to 16 folios. + +It was now trivial to trigger the bug by manually invoking readahead +from userspace, e.g.: + + posix_fadvise(fd, 0, st.st_size, POSIX_FADV_WILLNEED); + +This should be fixed by invoking erofs_onlinefolio_split() only after +bio_add_folio() has succeeded. This is safe: asynchronous completions +invoking erofs_onlinefolio_end() will not unlock the folio because +erofs_fileio_scan_folio() is still holding a reference to be released +by erofs_onlinefolio_end() at the end. 
+ +Fixes: ce63cb62d794 ("erofs: support unencoded inodes for fileio") +Fixes: 9f74ae8c9ac9 ("erofs: shorten bvecs[] for file-backed mounts") +Cc: stable@vger.kernel.org +Signed-off-by: Max Kellermann +Reviewed-by: Gao Xiang +Tested-by: Hongbo Li +Link: https://lore.kernel.org/r/20250428230933.3422273-1-max.kellermann@ionos.com +Signed-off-by: Gao Xiang +Signed-off-by: Greg Kroah-Hartman +--- + fs/erofs/fileio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/erofs/fileio.c b/fs/erofs/fileio.c +index 4fa0a0121288..60c7cc4c105c 100644 +--- a/fs/erofs/fileio.c ++++ b/fs/erofs/fileio.c +@@ -150,10 +150,10 @@ static int erofs_fileio_scan_folio(struct erofs_fileio *io, struct folio *folio) + io->rq->bio.bi_iter.bi_sector = io->dev.m_pa >> 9; + attached = 0; + } +- if (!attached++) +- erofs_onlinefolio_split(folio); + if (!bio_add_folio(&io->rq->bio, folio, len, cur)) + goto io_retry; ++ if (!attached++) ++ erofs_onlinefolio_split(folio); + io->dev.m_pa += len; + } + cur += len; +-- +2.49.0 + diff --git a/queue-6.12/ksmbd-fix-uaf-in-__close_file_table_ids.patch b/queue-6.12/ksmbd-fix-uaf-in-__close_file_table_ids.patch new file mode 100644 index 0000000000..49fcfee475 --- /dev/null +++ b/queue-6.12/ksmbd-fix-uaf-in-__close_file_table_ids.patch 
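Review bot: The moved `if (!attached++) erofs_onlinefolio_split(folio);` is balanced only because the `io_retry` path allocates a fresh request and resets `attached = 0` (visible two lines above the change), so each successful attach to a new bio produces exactly one split; that coupling is easy to break when the retry block is edited later. Suggest a comment at the moved lines, e.g. `/* split only once the folio is attached to this bio; io_retry starts a new bio and resets attached */`. erofs_fileio_scan_folio() starts and ends outside the hunk.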
@@ -0,0 +1,79 @@ +From 36991c1ccde2d5a521577c448ffe07fcccfe104d Mon Sep 17 00:00:00 2001 +From: Sean Heelan +Date: Tue, 6 May 2025 22:04:52 +0900 +Subject: ksmbd: Fix UAF in __close_file_table_ids + +From: Sean Heelan + +commit 36991c1ccde2d5a521577c448ffe07fcccfe104d upstream. + +A use-after-free is possible if one thread destroys the file +via __ksmbd_close_fd while another thread holds a reference to +it. The existing checks on fp->refcount are not sufficient to +prevent this. + +The fix takes ft->lock around the section which removes the +file from the file table. This prevents two threads acquiring the +same file pointer via __close_file_table_ids, as well as the other +functions which retrieve a file from the IDR and which already use +this same lock. + +Cc: stable@vger.kernel.org +Signed-off-by: Sean Heelan +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/vfs_cache.c | 33 ++++++++++++++++++++++++++------- + 1 file changed, 26 insertions(+), 7 deletions(-) + +--- a/fs/smb/server/vfs_cache.c ++++ b/fs/smb/server/vfs_cache.c +@@ -661,21 +661,40 @@ __close_file_table_ids(struct ksmbd_file + bool (*skip)(struct ksmbd_tree_connect *tcon, + struct ksmbd_file *fp)) + { +- unsigned int id; +- struct ksmbd_file *fp; +- int num = 0; ++ struct ksmbd_file *fp; ++ unsigned int id = 0; ++ int num = 0; + +- idr_for_each_entry(ft->idr, fp, id) { +- if (skip(tcon, fp)) ++ while (1) { ++ write_lock(&ft->lock); ++ fp = idr_get_next(ft->idr, &id); ++ if (!fp) { ++ write_unlock(&ft->lock); ++ break; ++ } ++ ++ if (skip(tcon, fp) || ++ !atomic_dec_and_test(&fp->refcount)) { ++ id++; ++ write_unlock(&ft->lock); + continue; ++ } + + set_close_state_blocked_works(fp); ++ idr_remove(ft->idr, fp->volatile_id); ++ fp->volatile_id = KSMBD_NO_FID; ++ write_unlock(&ft->lock); ++ ++ down_write(&fp->f_ci->m_lock); ++ list_del_init(&fp->node); ++ up_write(&fp->f_ci->m_lock); + +- if (!atomic_dec_and_test(&fp->refcount)) +- continue; + 
__ksmbd_close_fd(ft, fp); ++ + num++; ++ id++; + } ++ + return num; + } + diff --git a/queue-6.12/ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch b/queue-6.12/ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch new file mode 100644 index 0000000000..3cbd6d5d12 --- /dev/null +++ b/queue-6.12/ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch @@ -0,0 +1,42 @@ +From 0ca6df4f40cf4c32487944aaf48319cb6c25accc Mon Sep 17 00:00:00 2001 +From: Norbert Szetei +Date: Fri, 2 May 2025 08:21:58 +0900 +Subject: ksmbd: prevent out-of-bounds stream writes by validating *pos + +From: Norbert Szetei + +commit 0ca6df4f40cf4c32487944aaf48319cb6c25accc upstream. + +ksmbd_vfs_stream_write() did not validate whether the write offset +(*pos) was within the bounds of the existing stream data length (v_len). +If *pos was greater than or equal to v_len, this could lead to an +out-of-bounds memory write. + +This patch adds a check to ensure *pos is less than v_len before +proceeding. If the condition fails, -EINVAL is returned. + +Cc: stable@vger.kernel.org +Signed-off-by: Norbert Szetei +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/vfs.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/smb/server/vfs.c ++++ b/fs/smb/server/vfs.c +@@ -443,6 +443,13 @@ static int ksmbd_vfs_stream_write(struct + goto out; + } + ++ if (v_len <= *pos) { ++ pr_err("stream write position %lld is out of bounds (stream length: %zd)\n", ++ *pos, v_len); ++ err = -EINVAL; ++ goto out; ++ } ++ + if (v_len < size) { + wbuf = kvzalloc(size, KSMBD_DEFAULT_GFP); + if (!wbuf) { diff --git a/queue-6.12/ksmbd-prevent-rename-with-empty-string.patch b/queue-6.12/ksmbd-prevent-rename-with-empty-string.patch new file mode 100644 index 0000000000..8fe2ddee14 --- /dev/null +++ b/queue-6.12/ksmbd-prevent-rename-with-empty-string.patch 
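Review bot: `set_close_state_blocked_works(fp)` and `idr_remove()` now execute inside the `write_lock(&ft->lock)` section, so anything they do must be non-sleeping and must not retake `ft->lock`; the hunk does not show their bodies, so confirm that before merging, since a sleeping call under a rwlock would turn this fix into a new bug. The line `fp->volatile_id = KSMBD_NO_FID;` presumably tells the later `__ksmbd_close_fd()` path that the entry was already removed from the table — a one-line comment, e.g. `/* already removed from ft->idr above; __ksmbd_close_fd() must not remove it again */`, would make that dependency explicit. The loop also assumes the `id` returned by `idr_get_next()` equals `fp->volatile_id`; if they could differ, the unconditional `id++` after removal might skip an entry. __close_file_table_ids()'s signature begins before the hunk.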
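Review bot: The new `pr_err()` in ksmbd_vfs_stream_write() fires on a condition the remote client controls (the write offset), so a misbehaving client can flood the kernel log at will; use `pr_err_ratelimited()` with the same format string, or demote it to the file's debug macro. The comparison `v_len <= *pos` is also signed on both sides (`%zd` and `%lld`), so a negative `*pos` would pass this check — presumably rejected earlier by the caller, but worth confirming since the commit message describes this as the bounds check. ksmbd_vfs_stream_write() continues outside the hunk.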
@@ -0,0 +1,38 @@
+From 53e3e5babc0963a92d856a5ec0ce92c59f54bc12 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Wed, 30 Apr 2025 11:18:28 +0900
+Subject: ksmbd: prevent rename with empty string
+
+From: Namjae Jeon
+
+commit 53e3e5babc0963a92d856a5ec0ce92c59f54bc12 upstream.
+
+Client can send empty newname string to ksmbd server.
+It will cause a kernel oops from d_alloc.
+This patch return the error when attempting to rename
+a file or directory with an empty new name string.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei
+Tested-by: Norbert Szetei
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/smb2pdu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -633,6 +633,11 @@ smb2_get_name(const char *src, const int
+ return name;
+ }
+
++ if (*name == '\0') {
++ kfree(name);
++ return ERR_PTR(-EINVAL);
++ }
++
+ if (*name == '\\') {
+ pr_err("not allow directory name included leading slash\n");
+ kfree(name);
diff --git a/queue-6.12/revert-btrfs-canonicalize-the-device-path-before-adding-it.patch b/queue-6.12/revert-btrfs-canonicalize-the-device-path-before-adding-it.patch
new file mode 100644
index 0000000000..88563430c7
--- /dev/null
+++ b/queue-6.12/revert-btrfs-canonicalize-the-device-path-before-adding-it.patch
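Review bot: The new empty-name rejection in smb2_get_name() carries no comment, while the neighbouring leading-slash branch explains itself through its `pr_err` text; a short comment such as `/* an empty name would oops in d_alloc(); reject it for every caller */` would record the reason and make clear that the check now applies to every smb2_get_name() caller, not only the rename path the commit message describes. Returning silently rather than logging is the right choice here, since the condition is client-triggerable. smb2_get_name() begins before the hunk.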
@@ -0,0 +1,170 @@ +From 8fb1dcbbcc1ffe6ed7cf3f0f96d2737491dd1fbf Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Fri, 17 Jan 2025 09:09:34 +1030 +Subject: Revert "btrfs: canonicalize the device path before adding it" + +From: Qu Wenruo + +commit 8fb1dcbbcc1ffe6ed7cf3f0f96d2737491dd1fbf upstream. + +This reverts commit 7e06de7c83a746e58d4701e013182af133395188. + +Commit 7e06de7c83a7 ("btrfs: canonicalize the device path before adding +it") tries to make btrfs to use "/dev/mapper/*" name first, then any +filename inside "/dev/" as the device path. + +This is mostly fine when there is only the root namespace involved, but +when multiple namespace are involved, things can easily go wrong for the +d_path() usage. + +As d_path() returns a file path that is namespace dependent, the +resulted string may not make any sense in another namespace. + +Furthermore, the "/dev/" prefix checks itself is not reliable, one can +still make a valid initramfs without devtmpfs, and fill all needed +device nodes manually. + +Overall the userspace has all its might to pass whatever device path for +mount, and we are not going to win the war trying to cover every corner +case. + +So just revert that commit, and do no extra d_path() based file path +sanity check. + +CC: stable@vger.kernel.org # 6.12+ +Link: https://lore.kernel.org/linux-fsdevel/20250115185608.GA2223535@zen.localdomain/ +Reviewed-by: Boris Burkov +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 91 ----------------------------------------------------- + 1 file changed, 1 insertion(+), 90 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -732,82 +732,6 @@ const u8 *btrfs_sb_fsid_ptr(const struct + return has_metadata_uuid ? sb->metadata_uuid : sb->fsid; + } + +-/* +- * We can have very weird soft links passed in. +- * One example is "/proc/self/fd/", which can be a soft link to +- * a block device. 
+- * +- * But it's never a good idea to use those weird names. +- * Here we check if the path (not following symlinks) is a good one inside +- * "/dev/". +- */ +-static bool is_good_dev_path(const char *dev_path) +-{ +- struct path path = { .mnt = NULL, .dentry = NULL }; +- char *path_buf = NULL; +- char *resolved_path; +- bool is_good = false; +- int ret; +- +- if (!dev_path) +- goto out; +- +- path_buf = kmalloc(PATH_MAX, GFP_KERNEL); +- if (!path_buf) +- goto out; +- +- /* +- * Do not follow soft link, just check if the original path is inside +- * "/dev/". +- */ +- ret = kern_path(dev_path, 0, &path); +- if (ret) +- goto out; +- resolved_path = d_path(&path, path_buf, PATH_MAX); +- if (IS_ERR(resolved_path)) +- goto out; +- if (strncmp(resolved_path, "/dev/", strlen("/dev/"))) +- goto out; +- is_good = true; +-out: +- kfree(path_buf); +- path_put(&path); +- return is_good; +-} +- +-static int get_canonical_dev_path(const char *dev_path, char *canonical) +-{ +- struct path path = { .mnt = NULL, .dentry = NULL }; +- char *path_buf = NULL; +- char *resolved_path; +- int ret; +- +- if (!dev_path) { +- ret = -EINVAL; +- goto out; +- } +- +- path_buf = kmalloc(PATH_MAX, GFP_KERNEL); +- if (!path_buf) { +- ret = -ENOMEM; +- goto out; +- } +- +- ret = kern_path(dev_path, LOOKUP_FOLLOW, &path); +- if (ret) +- goto out; +- resolved_path = d_path(&path, path_buf, PATH_MAX); +- if (IS_ERR(resolved_path)) { +- ret = PTR_ERR(resolved_path); +- goto out; +- } +- ret = strscpy(canonical, resolved_path, PATH_MAX); +-out: +- kfree(path_buf); +- path_put(&path); +- return ret; +-} +- + static bool is_same_device(struct btrfs_device *device, const char *new_path) + { + struct path old = { .mnt = NULL, .dentry = NULL }; +@@ -1495,23 +1419,12 @@ struct btrfs_device *btrfs_scan_one_devi + bool new_device_added = false; + struct btrfs_device *device = NULL; + struct file *bdev_file; +- char *canonical_path = NULL; + u64 bytenr; + dev_t devt; + int ret; + + 
lockdep_assert_held(&uuid_mutex); + +- if (!is_good_dev_path(path)) { +- canonical_path = kmalloc(PATH_MAX, GFP_KERNEL); +- if (canonical_path) { +- ret = get_canonical_dev_path(path, canonical_path); +- if (ret < 0) { +- kfree(canonical_path); +- canonical_path = NULL; +- } +- } +- } + /* + * Avoid an exclusive open here, as the systemd-udev may initiate the + * device scan which may race with the user's mount or mkfs command, +@@ -1556,8 +1469,7 @@ struct btrfs_device *btrfs_scan_one_devi + goto free_disk_super; + } + +- device = device_list_add(canonical_path ? : path, disk_super, +- &new_device_added); ++ device = device_list_add(path, disk_super, &new_device_added); + if (!IS_ERR(device) && new_device_added) + btrfs_free_stale_devices(device->devt, device); + +@@ -1566,7 +1478,6 @@ free_disk_super: + + error_bdev_put: + fput(bdev_file); +- kfree(canonical_path); + + return device; + } diff --git a/queue-6.12/s390-pci-fix-duplicate-pci_dev_put-in-disable_slot-when-pf-has-child-vfs.patch b/queue-6.12/s390-pci-fix-duplicate-pci_dev_put-in-disable_slot-when-pf-has-child-vfs.patch new file mode 100644 index 0000000000..a6d1eaed6b --- /dev/null +++ b/queue-6.12/s390-pci-fix-duplicate-pci_dev_put-in-disable_slot-when-pf-has-child-vfs.patch 
@@ -0,0 +1,37 @@
+From 05a2538f2b48500cf4e8a0a0ce76623cc5bafcf1 Mon Sep 17 00:00:00 2001
+From: Niklas Schnelle
+Date: Wed, 30 Apr 2025 15:26:19 +0200
+Subject: s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs
+
+From: Niklas Schnelle
+
+commit 05a2538f2b48500cf4e8a0a0ce76623cc5bafcf1 upstream.
+
+With commit bcb5d6c76903 ("s390/pci: introduce lock to synchronize state
+of zpci_dev's") the code to ignore power off of a PF that has child VFs
+was changed from a direct return to a goto to the unlock and
+pci_dev_put() section. The change however left the existing pci_dev_put()
+untouched resulting in a doubple put. This can subsequently cause a use
+after free if the struct pci_dev is released in an unexpected state.
+Fix this by removing the extra pci_dev_put().
+
+Cc: stable@vger.kernel.org
+Fixes: bcb5d6c76903 ("s390/pci: introduce lock to synchronize state of zpci_dev's")
+Signed-off-by: Niklas Schnelle
+Reviewed-by: Gerd Bayer
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/hotplug/s390_pci_hpc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/pci/hotplug/s390_pci_hpc.c
++++ b/drivers/pci/hotplug/s390_pci_hpc.c
+@@ -59,7 +59,6 @@ static int disable_slot(struct hotplug_s
+
+ pdev = pci_get_slot(zdev->zbus->bus, zdev->devfn);
+ if (pdev && pci_num_vf(pdev)) {
+- pci_dev_put(pdev);
+ rc = -EBUSY;
+ goto out;
+ }
diff --git a/queue-6.12/s390-pci-fix-missing-check-for-zpci_create_device-error-return.patch b/queue-6.12/s390-pci-fix-missing-check-for-zpci_create_device-error-return.patch
new file mode 100644
index 0000000000..23f06fb923
--- /dev/null
+++ b/queue-6.12/s390-pci-fix-missing-check-for-zpci_create_device-error-return.patch
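Review bot: After dropping `pci_dev_put(pdev)` the release of `pdev` on the `-EBUSY` path depends entirely on the cleanup under the `out:` label, which lies outside the hunk; a comment on the `goto out;` line, e.g. `/* pdev is dropped at out: */`, would stop the next reader from re-adding the put the same way the fixed commit did. disable_slot() continues beyond the hunk.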
@@ -0,0 +1,36 @@
+From 42420c50c68f3e95e90de2479464f420602229fc Mon Sep 17 00:00:00 2001
+From: Niklas Schnelle
+Date: Wed, 30 Apr 2025 15:26:18 +0200
+Subject: s390/pci: Fix missing check for zpci_create_device() error return
+
+From: Niklas Schnelle
+
+commit 42420c50c68f3e95e90de2479464f420602229fc upstream.
+
+The zpci_create_device() function returns an error pointer that needs to
+be checked before dereferencing it as a struct zpci_dev pointer. Add the
+missing check in __clp_add() where it was missed when adding the
+scan_list in the fixed commit. Simply not adding the device to the scan
+list results in the previous behavior.
+
+Cc: stable@vger.kernel.org
+Fixes: 0467cdde8c43 ("s390/pci: Sort PCI functions prior to creating virtual busses")
+Signed-off-by: Niklas Schnelle
+Reviewed-by: Gerd Bayer
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/pci/pci_clp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/s390/pci/pci_clp.c
++++ b/arch/s390/pci/pci_clp.c
+@@ -422,6 +422,8 @@ static void __clp_add(struct clp_fh_list
+ return;
+ }
+ zdev = zpci_create_device(entry->fid, entry->fh, entry->config_state);
++ if (IS_ERR(zdev))
++ return;
+ list_add_tail(&zdev->entry, scan_list);
+ }
+
diff --git a/queue-6.12/series b/queue-6.12/series
new file mode 100644
index 0000000000..dfb8b17172
--- /dev/null
+++ b/queue-6.12/series
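Review bot: The added `if (IS_ERR(zdev)) return;` in __clp_add() discards the error without any diagnostic, so a function that fails `zpci_create_device()` silently never reaches `scan_list`; the commit message calls this the previous behaviour, but a log line using the file's existing error-reporting helper — or at least a comment such as `/* creation failed; leave the function off scan_list, matching pre-0467cdde8c43 behaviour */` — would make the missing device diagnosable. The earlier `return;` in the context lines belongs to a branch outside the hunk, so whether it logs cannot be compared here.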
@@ -0,0 +1,15 @@
+dm-add-missing-unlock-on-in-dm_keyslot_evict.patch
+fs-erofs-fileio-call-erofs_onlinefolio_split-after-bio_add_folio.patch
+revert-btrfs-canonicalize-the-device-path-before-adding-it.patch
+arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch
+firmware-arm_scmi-fix-timeout-checks-on-polling-path.patch
+can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch
+s390-pci-fix-missing-check-for-zpci_create_device-error-return.patch
+wifi-cfg80211-fix-out-of-bounds-access-during-multi-link-element-defragmentation.patch
+vfio-pci-align-huge-faults-to-order.patch
+s390-pci-fix-duplicate-pci_dev_put-in-disable_slot-when-pf-has-child-vfs.patch
+can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch
+can-rockchip_canfd-rkcanfd_remove-fix-order-of-unregistration-calls.patch
+ksmbd-prevent-rename-with-empty-string.patch
+ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch
+ksmbd-fix-uaf-in-__close_file_table_ids.patch
diff --git a/queue-6.12/vfio-pci-align-huge-faults-to-order.patch b/queue-6.12/vfio-pci-align-huge-faults-to-order.patch
new file mode 100644
index 0000000000..5e28cad17c
--- /dev/null
+++ b/queue-6.12/vfio-pci-align-huge-faults-to-order.patch
@@ -0,0 +1,76 @@
+From c1d9dac0db168198b6f63f460665256dedad9b6e Mon Sep 17 00:00:00 2001
+From: Alex Williamson
+Date: Fri, 2 May 2025 16:40:31 -0600
+Subject: vfio/pci: Align huge faults to order
+
+From: Alex Williamson
+
+commit c1d9dac0db168198b6f63f460665256dedad9b6e upstream.
+
+The vfio-pci huge_fault handler doesn't make any attempt to insert a
+mapping containing the faulting address, it only inserts mappings if the
+faulting address and resulting pfn are aligned. This works in a lot of
+cases, particularly in conjunction with QEMU where DMA mappings linearly
+fault the mmap. However, there are configurations where we don't get
+that linear faulting and pages are faulted on-demand.
+
+The scenario reported in the bug below is such a case, where the physical
+address width of the CPU is greater than that of the IOMMU, resulting in a
+VM where guest firmware has mapped device MMIO beyond the address width of
+the IOMMU. In this configuration, the MMIO is faulted on demand and
+tracing indicates that occasionally the faults generate a VM_FAULT_OOM.
+Given the use case, this results in a "error: kvm run failed Bad address",
+killing the VM.
+
+The host is not under memory pressure in this test, therefore it's
+suspected that VM_FAULT_OOM is actually the result of a NULL return from
+__pte_offset_map_lock() in the get_locked_pte() path from insert_pfn().
+This suggests a potential race inserting a pte concurrent to a pmd, and
+maybe indicates some deficiency in the mm layer properly handling such a
+case.
+
+Nevertheless, Peter noted the inconsistency of vfio-pci's huge_fault
+handler where our mapping granularity depends on the alignment of the
+faulting address relative to the order rather than aligning the faulting
+address to the order to more consistently insert huge mappings. This
+change not only uses the page tables more consistently and efficiently, but
+as any fault to an aligned page results in the same mapping, the race
+condition suspected in the VM_FAULT_OOM is avoided.
+
+Reported-by: Adolfo
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220057
+Fixes: 09dfc8a5f2ce ("vfio/pci: Fallback huge faults for unaligned pfn")
+Cc: stable@vger.kernel.org
+Tested-by: Adolfo
+Co-developed-by: Peter Xu
+Signed-off-by: Peter Xu
+Link: https://lore.kernel.org/r/20250502224035.3183451-1-alex.williamson@redhat.com
+Signed-off-by: Alex Williamson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vfio/pci/vfio_pci_core.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/vfio/pci/vfio_pci_core.c
++++ b/drivers/vfio/pci/vfio_pci_core.c
+@@ -1658,14 +1658,14 @@ static vm_fault_t vfio_pci_mmap_huge_fau
+ {
+ struct vm_area_struct *vma = vmf->vma;
+ struct vfio_pci_core_device *vdev = vma->vm_private_data;
+- unsigned long pfn, pgoff = vmf->pgoff - vma->vm_pgoff;
++ unsigned long addr = vmf->address & ~((PAGE_SIZE << order) - 1);
++ unsigned long pgoff = (addr - vma->vm_start) >> PAGE_SHIFT;
++ unsigned long pfn = vma_to_pfn(vma) + pgoff;
+ vm_fault_t ret = VM_FAULT_SIGBUS;
+
+- pfn = vma_to_pfn(vma) + pgoff;
+-
+- if (order && (pfn & ((1 << order) - 1) ||
+ vmf->address & ((PAGE_SIZE << order) - 1) ||
+ vmf->address + (PAGE_SIZE << order) > vma->vm_end)) {
++ if (order && (addr < vma->vm_start ||
++ addr + (PAGE_SIZE << order) > vma->vm_end ||
++ pfn & ((1 << order) - 1))) {
+ ret = VM_FAULT_FALLBACK;
+ goto out;
+ }
diff --git a/queue-6.12/wifi-cfg80211-fix-out-of-bounds-access-during-multi-link-element-defragmentation.patch b/queue-6.12/wifi-cfg80211-fix-out-of-bounds-access-during-multi-link-element-defragmentation.patch
new file mode 100644
index 0000000000..7e8a681f13
--- /dev/null
+++ b/queue-6.12/wifi-cfg80211-fix-out-of-bounds-access-during-multi-link-element-defragmentation.patch
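Review bot: `pgoff` and `pfn` are now computed in their declarations, before the `addr < vma->vm_start` check, so when the aligned-down `addr` lands below the VMA start the subtraction `addr - vma->vm_start` wraps (unsigned, so not undefined) and `pfn` carries a meaningless value until the range check routes to `VM_FAULT_FALLBACK`. That is harmless as long as the `out:` path, which lies outside this hunk, never touches `pfn`, but the ordering invites a later misuse of `pfn` above the check. A comment on the `pfn` line would make the dependency explicit, e.g. `/* may wrap when addr < vm_start; only valid after the range check below */`. The body of `vfio_pci_mmap_huge_fault()` continues past the end of the hunk.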
@@ -0,0 +1,40 @@
+From 023c1f2f0609218103cbcb48e0104b144d4a16dc Mon Sep 17 00:00:00 2001
+From: Veerendranath Jakkam
+Date: Thu, 24 Apr 2025 18:01:42 +0530
+Subject: wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation
+
+From: Veerendranath Jakkam
+
+commit 023c1f2f0609218103cbcb48e0104b144d4a16dc upstream.
+
+Currently during the multi-link element defragmentation process, the
+multi-link element length added to the total IEs length when calculating
+the length of remaining IEs after the multi-link element in
+cfg80211_defrag_mle(). This could lead to out-of-bounds access if the
+multi-link element or its corresponding fragment elements are the last
+elements in the IEs buffer.
+
+To address this issue, correctly calculate the remaining IEs length by
+deducting the multi-link element end offset from total IEs end offset.
+
+Cc: stable@vger.kernel.org
+Fixes: 2481b5da9c6b ("wifi: cfg80211: handle BSS data contained in ML probe responses")
+Signed-off-by: Veerendranath Jakkam
+Link: https://patch.msgid.link/20250424-fix_mle_defragmentation_oob_access-v1-1-84412a1743fa@quicinc.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -2644,7 +2644,7 @@ cfg80211_defrag_mle(const struct element
+ /* Required length for first defragmentation */
+ buf_len = mle->datalen - 1;
+ for_each_element(elem, mle->data + mle->datalen,
+- ielen - sizeof(*mle) + mle->datalen) {
++ ie + ielen - mle->data - mle->datalen) {
+ if (elem->id != WLAN_EID_FRAGMENT)
+ break;
+
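Review bot: The new loop length `ie + ielen - mle->data - mle->datalen` is a pointer difference that is only non-negative when `mle` lies wholly inside `ie[0..ielen)`; that precondition is presumably established before the hunk (`cfg80211_defrag_mle()` starts outside it), but nothing at the loop records it, and an `mle` not derived from `ie` would make the remaining length negative and the iteration unbounded again. Suggest a comment above the `for_each_element()` call, e.g. `/* mle was found inside ie[0..ielen), so the remaining length cannot go negative */`. The rest of the loop body continues past the end of the hunk.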