From: Greg Kroah-Hartman Date: Sat, 21 Mar 2026 14:43:43 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.1.167~53 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e35775ec9ae8ccdfee281aba329deb8108a4def5;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-usb-audio-kill-timer-properly-at-removal.patch drm-amdgpu-unmap-and-remove-csa_va-properly.patch gfs2-no-more-self-recovery.patch ice-reintroduce-retry-mechanism-for-indirect-aq.patch ice-remove-unused-buffer-copy-code-in-ice_sq_send_cmd_retry.patch ice-sleep-don-t-busy-wait-in-the-sq-send-retry-loop.patch iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch ksmbd-compare-macs-in-constant-time.patch mtd-spinand-macronix-use-scratch-buffer-for-dma-operation.patch net-dsa-improve-shutdown-sequence.patch net-fec-handle-page_pool_dev_alloc_pages-error.patch net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch smb-client-compare-macs-in-constant-time.patch --- diff --git a/queue-6.1/alsa-usb-audio-kill-timer-properly-at-removal.patch b/queue-6.1/alsa-usb-audio-kill-timer-properly-at-removal.patch new file mode 100644 index 0000000000..bf2fe87e84 --- /dev/null +++ b/queue-6.1/alsa-usb-audio-kill-timer-properly-at-removal.patch 
@@ -0,0 +1,56 @@ +From stable+bounces-225734-greg=kroah.com@vger.kernel.org Tue Mar 17 03:51:58 2026 +From: Johnny Hao +Date: Tue, 17 Mar 2026 10:51:33 +0800 +Subject: ALSA: usb-audio: Kill timer properly at removal +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Takashi Iwai , syzbot+d8f72178ab6783a7daea@syzkaller.appspotmail.com, Johnny Hao +Message-ID: <20260317025133.554973-1-johnny_haocn@sina.com> + +From: Takashi Iwai + +[ Upstream commit 0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1 ] + +The USB-audio MIDI code initializes the timer, but in a rare case, the +driver might be freed without the disconnect call. This leaves the +timer in an active state while the assigned object is released via +snd_usbmidi_free(), which ends up with a kernel warning when the debug +configuration is enabled, as spotted by fuzzer. + +For avoiding the problem, put timer_shutdown_sync() at +snd_usbmidi_free(), so that the timer can be killed properly. +While we're at it, replace the existing timer_delete_sync() at the +disconnect callback with timer_shutdown_sync(), too. + +Reported-by: syzbot+d8f72178ab6783a7daea@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/681c70d7.050a0220.a19a9.00c6.GAE@google.com +Cc: +Link: https://patch.msgid.link/20250519212031.14436-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +[ The context change is due to the commit 8fa7292fee5c +("treewide: Switch/rename to timer_delete[_sync]()") +in v6.15 which is irrelevant to the logic of this patch. 
] +Signed-off-by: Johnny Hao +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/midi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/usb/midi.c ++++ b/sound/usb/midi.c +@@ -1530,6 +1530,7 @@ static void snd_usbmidi_free(struct snd_ + snd_usbmidi_in_endpoint_delete(ep->in); + } + mutex_destroy(&umidi->mutex); ++ timer_shutdown_sync(&umidi->error_timer); + kfree(umidi); + } + +@@ -1553,7 +1554,7 @@ void snd_usbmidi_disconnect(struct list_ + spin_unlock_irq(&umidi->disc_lock); + up_write(&umidi->disc_rwsem); + +- del_timer_sync(&umidi->error_timer); ++ timer_shutdown_sync(&umidi->error_timer); + + for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { + struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; diff --git a/queue-6.1/drm-amdgpu-unmap-and-remove-csa_va-properly.patch b/queue-6.1/drm-amdgpu-unmap-and-remove-csa_va-properly.patch new file mode 100644 index 0000000000..6c74b042b5 --- /dev/null +++ b/queue-6.1/drm-amdgpu-unmap-and-remove-csa_va-properly.patch 
@@ -0,0 +1,122 @@ +From stable+bounces-225271-greg=kroah.com@vger.kernel.org Fri Mar 13 10:42:59 2026 +From: Johnny Hao +Date: Fri, 13 Mar 2026 17:41:50 +0800 +Subject: drm/amdgpu: unmap and remove csa_va properly +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, "Lang Yu" , "Christian König" , "Alex Deucher" , "Johnny Hao" +Message-ID: <20260313094150.291659-1-johnny_haocn@sina.com> + +From: Lang Yu + +[ Upstream commit 5daff15cd013422bc6d1efcfe82b586800025384 ] + +Root PD BO should be reserved before unmap and remove +a bo_va from VM otherwise lockdep will complain. + +v2: check fpriv->csa_va is not NULL instead of amdgpu_mcbp (christian) + +[14616.936827] WARNING: CPU: 6 PID: 1711 at drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c:1762 amdgpu_vm_bo_del+0x399/0x3f0 [amdgpu] +[14616.937096] Call Trace: +[14616.937097] +[14616.937102] amdgpu_driver_postclose_kms+0x249/0x2f0 [amdgpu] +[14616.937187] drm_file_free+0x1d6/0x300 [drm] +[14616.937207] drm_close_helper.isra.0+0x62/0x70 [drm] +[14616.937220] drm_release+0x5e/0x100 [drm] +[14616.937234] __fput+0x9f/0x280 +[14616.937239] ____fput+0xe/0x20 +[14616.937241] task_work_run+0x61/0x90 +[14616.937246] exit_to_user_mode_prepare+0x215/0x220 +[14616.937251] syscall_exit_to_user_mode+0x2a/0x60 +[14616.937254] do_syscall_64+0x48/0x90 +[14616.937257] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Signed-off-by: Lang Yu +Acked-by: Christian König +Signed-off-by: Alex Deucher +[ The context change is due to the commit 8a1fbb4a5ec2 +("drm/amdgpu: Disable MCBP from soc21 for SRIOV") +in v6.2 which is irrelevant to the logic of this patch. 
] +Signed-off-by: Johnny Hao +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 38 ++++++++++++++++++++++++++++++++ + drivers/gpu/drm/amd/amdgpu/amdgpu_csa.h | 3 ++ + drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 10 ++++---- + 3 files changed, 46 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c +@@ -106,3 +106,41 @@ int amdgpu_map_static_csa(struct amdgpu_ + ttm_eu_backoff_reservation(&ticket, &list); + return 0; + } ++ ++int amdgpu_unmap_static_csa(struct amdgpu_device *adev, struct amdgpu_vm *vm, ++ struct amdgpu_bo *bo, struct amdgpu_bo_va *bo_va, ++ uint64_t csa_addr) ++{ ++ struct ww_acquire_ctx ticket; ++ struct list_head list; ++ struct amdgpu_bo_list_entry pd; ++ struct ttm_validate_buffer csa_tv; ++ int r; ++ ++ INIT_LIST_HEAD(&list); ++ INIT_LIST_HEAD(&csa_tv.head); ++ csa_tv.bo = &bo->tbo; ++ csa_tv.num_shared = 1; ++ ++ list_add(&csa_tv.head, &list); ++ amdgpu_vm_get_pd_bo(vm, &list, &pd); ++ ++ r = ttm_eu_reserve_buffers(&ticket, &list, true, NULL); ++ if (r) { ++ DRM_ERROR("failed to reserve CSA,PD BOs: err=%d\n", r); ++ return r; ++ } ++ ++ r = amdgpu_vm_bo_unmap(adev, bo_va, csa_addr); ++ if (r) { ++ DRM_ERROR("failed to do bo_unmap on static CSA, err=%d\n", r); ++ ttm_eu_backoff_reservation(&ticket, &list); ++ return r; ++ } ++ ++ amdgpu_vm_bo_del(adev, bo_va); ++ ++ ttm_eu_backoff_reservation(&ticket, &list); ++ ++ return 0; ++} +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.h +@@ -34,6 +34,9 @@ int amdgpu_allocate_static_csa(struct am + int amdgpu_map_static_csa(struct amdgpu_device *adev, struct amdgpu_vm *vm, + struct amdgpu_bo *bo, struct amdgpu_bo_va **bo_va, + uint64_t csa_addr, uint32_t size); ++int amdgpu_unmap_static_csa(struct amdgpu_device *adev, struct amdgpu_vm *vm, ++ struct amdgpu_bo *bo, struct amdgpu_bo_va *bo_va, ++ uint64_t csa_addr); + void amdgpu_free_static_csa(struct amdgpu_bo 
**bo); + + #endif +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +@@ -1244,12 +1244,12 @@ void amdgpu_driver_postclose_kms(struct + if (amdgpu_device_ip_get_ip_block(adev, AMD_IP_BLOCK_TYPE_VCE) != NULL) + amdgpu_vce_free_handles(adev, file_priv); + +- if (amdgpu_mcbp || amdgpu_sriov_vf(adev)) { +- /* TODO: how to handle reserve failure */ +- BUG_ON(amdgpu_bo_reserve(adev->virt.csa_obj, true)); +- amdgpu_vm_bo_del(adev, fpriv->csa_va); ++ if (fpriv->csa_va) { ++ uint64_t csa_addr = amdgpu_csa_vaddr(adev) & AMDGPU_GMC_HOLE_MASK; ++ ++ WARN_ON(amdgpu_unmap_static_csa(adev, &fpriv->vm, adev->virt.csa_obj, ++ fpriv->csa_va, csa_addr)); + fpriv->csa_va = NULL; +- amdgpu_bo_unreserve(adev->virt.csa_obj); + } + + pasid = fpriv->vm.pasid; diff --git a/queue-6.1/gfs2-no-more-self-recovery.patch b/queue-6.1/gfs2-no-more-self-recovery.patch new file mode 100644 index 0000000000..9d4b290d34 --- /dev/null +++ b/queue-6.1/gfs2-no-more-self-recovery.patch 
@@ -0,0 +1,83 @@ +From stable+bounces-224619-greg=kroah.com@vger.kernel.org Wed Mar 11 02:31:25 2026 +From: Johnny Hao +Date: Wed, 11 Mar 2026 09:31:01 +0800 +Subject: gfs2: No more self recovery +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Andreas Gruenbacher , Chunjie Zhu , Johnny Hao +Message-ID: <20260311013101.3006924-1-johnny_haocn@sina.com> + +From: Andreas Gruenbacher + +[ Upstream commit deb016c1669002e48c431d6fd32ea1c20ef41756 ] + +When a node withdraws and it turns out that it is the only node that has +the filesystem mounted, gfs2 currently tries to replay the local journal +to bring the filesystem back into a consistent state. Not only is that +a very bad idea, it has also never worked because gfs2_recover_func() +will refuse to do anything during a withdraw. + +However, before even getting to this point, gfs2_recover_func() +dereferences sdp->sd_jdesc->jd_inode. This was a use-after-free before +commit 04133b607a78 ("gfs2: Prevent double iput for journal on error") +and is a NULL pointer dereference since then. + +Simply get rid of self recovery to fix that. + +Fixes: 601ef0d52e96 ("gfs2: Force withdraw to replay journals and wait for it to finish") +Reported-by: Chunjie Zhu +Signed-off-by: Andreas Gruenbacher +[ The context change is due to the commit f80d882edcf2 +("gfs2: Get rid of gfs2_glock_queue_put in signal_our_withdraw") +in v6.10 which is irrelevant to the logic of this patch. 
] +Signed-off-by: Johnny Hao +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/util.c | 31 +++++++++++-------------------- + 1 file changed, 11 insertions(+), 20 deletions(-) + +--- a/fs/gfs2/util.c ++++ b/fs/gfs2/util.c +@@ -244,32 +244,23 @@ static void signal_our_withdraw(struct g + */ + ret = gfs2_glock_nq(&sdp->sd_live_gh); + ++ gfs2_glock_put(live_gl); /* drop extra reference we acquired */ ++ clear_bit(SDF_WITHDRAW_RECOVERY, &sdp->sd_flags); ++ + /* + * If we actually got the "live" lock in EX mode, there are no other +- * nodes available to replay our journal. So we try to replay it +- * ourselves. We hold the "live" glock to prevent other mounters +- * during recovery, then just dequeue it and reacquire it in our +- * normal SH mode. Just in case the problem that caused us to +- * withdraw prevents us from recovering our journal (e.g. io errors +- * and such) we still check if the journal is clean before proceeding +- * but we may wait forever until another mounter does the recovery. ++ * nodes available to replay our journal. + */ + if (ret == 0) { +- fs_warn(sdp, "No other mounters found. Trying to recover our " +- "own journal jid %d.\n", sdp->sd_lockstruct.ls_jid); +- if (gfs2_recover_journal(sdp->sd_jdesc, 1)) +- fs_warn(sdp, "Unable to recover our journal jid %d.\n", +- sdp->sd_lockstruct.ls_jid); +- gfs2_glock_dq_wait(&sdp->sd_live_gh); +- gfs2_holder_reinit(LM_ST_SHARED, +- LM_FLAG_NOEXP | GL_EXACT | GL_NOPID, +- &sdp->sd_live_gh); +- gfs2_glock_nq(&sdp->sd_live_gh); ++ fs_warn(sdp, "No other mounters found.\n"); ++ /* ++ * We are about to release the lockspace. By keeping live_gl ++ * locked here, we ensure that the next mounter coming along ++ * will be a "first" mounter which will perform recovery. 
++ */ ++ goto skip_recovery; + } + +- gfs2_glock_queue_put(live_gl); /* drop extra reference we acquired */ +- clear_bit(SDF_WITHDRAW_RECOVERY, &sdp->sd_flags); +- + /* + * At this point our journal is evicted, so we need to get a new inode + * for it. Once done, we need to call gfs2_find_jhead which diff --git a/queue-6.1/ice-reintroduce-retry-mechanism-for-indirect-aq.patch b/queue-6.1/ice-reintroduce-retry-mechanism-for-indirect-aq.patch new file mode 100644 index 0000000000..a0728d46aa --- /dev/null +++ b/queue-6.1/ice-reintroduce-retry-mechanism-for-indirect-aq.patch 
@@ -0,0 +1,78 @@ +From stable+bounces-226932-greg=kroah.com@vger.kernel.org Wed Mar 18 01:10:12 2026 +From: Sasha Levin +Date: Tue, 17 Mar 2026 20:09:47 -0400 +Subject: ice: reintroduce retry mechanism for indirect AQ +To: stable@vger.kernel.org +Cc: Jakub Staniszewski , Michal Schmidt , Dawid Osuchowski , Aleksandr Loktionov , Przemek Kitszel , Paul Menzel , Rinitha S , Tony Nguyen , Sasha Levin +Message-ID: <20260318000947.379271-3-sashal@kernel.org> + +From: Jakub Staniszewski + +[ Upstream commit 326256c0a72d4877cec1d4df85357da106233128 ] + +Add retry mechanism for indirect Admin Queue (AQ) commands. To do so we +need to keep the command buffer. + +This technically reverts commit 43a630e37e25 +("ice: remove unused buffer copy code in ice_sq_send_cmd_retry()"), +but combines it with a fix in the logic by using a kmemdup() call, +making it more robust and less likely to break in the future due to +programmer error. + +Cc: Michal Schmidt +Cc: stable@vger.kernel.org +Fixes: 3056df93f7a8 ("ice: Re-send some AQ commands, as result of EBUSY AQ error") +Signed-off-by: Jakub Staniszewski +Co-developed-by: Dawid Osuchowski +Signed-off-by: Dawid Osuchowski +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Przemek Kitszel +Reviewed-by: Paul Menzel +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_common.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/intel/ice/ice_common.c ++++ b/drivers/net/ethernet/intel/ice/ice_common.c +@@ -1596,6 +1596,7 @@ ice_sq_send_cmd_retry(struct ice_hw *hw, + { + struct ice_aq_desc desc_cpy; + bool is_cmd_for_retry; ++ u8 *buf_cpy = NULL; + u8 idx = 0; + u16 opcode; + int status; +@@ -1605,8 +1606,11 @@ ice_sq_send_cmd_retry(struct ice_hw *hw, + memset(&desc_cpy, 0, sizeof(desc_cpy)); + + if (is_cmd_for_retry) { +- /* All retryable cmds are direct, without buf. 
*/ +- WARN_ON(buf); ++ if (buf) { ++ buf_cpy = kmemdup(buf, buf_size, GFP_KERNEL); ++ if (!buf_cpy) ++ return -ENOMEM; ++ } + + memcpy(&desc_cpy, desc, sizeof(desc_cpy)); + } +@@ -1618,12 +1622,14 @@ ice_sq_send_cmd_retry(struct ice_hw *hw, + hw->adminq.sq_last_status != ICE_AQ_RC_EBUSY) + break; + ++ if (buf_cpy) ++ memcpy(buf, buf_cpy, buf_size); + memcpy(desc, &desc_cpy, sizeof(desc_cpy)); +- + msleep(ICE_SQ_SEND_DELAY_TIME_MS); + + } while (++idx < ICE_SQ_SEND_MAX_EXECUTE); + ++ kfree(buf_cpy); + return status; + } + diff --git a/queue-6.1/ice-remove-unused-buffer-copy-code-in-ice_sq_send_cmd_retry.patch b/queue-6.1/ice-remove-unused-buffer-copy-code-in-ice_sq_send_cmd_retry.patch new file mode 100644 index 0000000000..b43e8de8b2 --- /dev/null +++ b/queue-6.1/ice-remove-unused-buffer-copy-code-in-ice_sq_send_cmd_retry.patch 
@@ -0,0 +1,75 @@ +From stable+bounces-226930-greg=kroah.com@vger.kernel.org Wed Mar 18 01:10:06 2026 +From: Sasha Levin +Date: Tue, 17 Mar 2026 20:09:45 -0400 +Subject: ice: remove unused buffer copy code in ice_sq_send_cmd_retry() +To: stable@vger.kernel.org +Cc: Michal Schmidt , Arkadiusz Kubalewski , Simon Horman , Sunitha Mekala , Tony Nguyen , Sasha Levin +Message-ID: <20260318000947.379271-1-sashal@kernel.org> + +From: Michal Schmidt + +[ Upstream commit 43a630e37e259fee83ab3fd769c42e2fed97ca81 ] + +The 'buf_cpy'-related code in ice_sq_send_cmd_retry() looks broken. +'buf' is nowhere copied into 'buf_cpy'. + +The reason this does not cause problems is that all commands for which +'is_cmd_for_retry' is true go with a NULL buf. + +Let's remove 'buf_cpy'. Add a WARN_ON in case the assumption no longer +holds in the future. + +Signed-off-by: Michal Schmidt +Reviewed-by: Arkadiusz Kubalewski +Reviewed-by: Simon Horman +Tested-by: Sunitha Mekala (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Stable-dep-of: 326256c0a72d ("ice: reintroduce retry mechanism for indirect AQ") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_common.c | 13 ++----------- + 1 file changed, 2 insertions(+), 11 deletions(-) + +--- a/drivers/net/ethernet/intel/ice/ice_common.c ++++ b/drivers/net/ethernet/intel/ice/ice_common.c +@@ -1596,7 +1596,6 @@ ice_sq_send_cmd_retry(struct ice_hw *hw, + { + struct ice_aq_desc desc_cpy; + bool is_cmd_for_retry; +- u8 *buf_cpy = NULL; + u8 idx = 0; + u16 opcode; + int status; +@@ -1606,11 +1605,8 @@ ice_sq_send_cmd_retry(struct ice_hw *hw, + memset(&desc_cpy, 0, sizeof(desc_cpy)); + + if (is_cmd_for_retry) { +- if (buf) { +- buf_cpy = kzalloc(buf_size, GFP_KERNEL); +- if (!buf_cpy) +- return -ENOMEM; +- } ++ /* All retryable cmds are direct, without buf. 
*/ ++ WARN_ON(buf); + + memcpy(&desc_cpy, desc, sizeof(desc_cpy)); + } +@@ -1622,17 +1618,12 @@ ice_sq_send_cmd_retry(struct ice_hw *hw, + hw->adminq.sq_last_status != ICE_AQ_RC_EBUSY) + break; + +- if (buf_cpy) +- memcpy(buf, buf_cpy, buf_size); +- + memcpy(desc, &desc_cpy, sizeof(desc_cpy)); + + mdelay(ICE_SQ_SEND_DELAY_TIME_MS); + + } while (++idx < ICE_SQ_SEND_MAX_EXECUTE); + +- kfree(buf_cpy); +- + return status; + } + diff --git a/queue-6.1/ice-sleep-don-t-busy-wait-in-the-sq-send-retry-loop.patch b/queue-6.1/ice-sleep-don-t-busy-wait-in-the-sq-send-retry-loop.patch new file mode 100644 index 0000000000..6647cb6549 --- /dev/null +++ b/queue-6.1/ice-sleep-don-t-busy-wait-in-the-sq-send-retry-loop.patch 
@@ -0,0 +1,43 @@ +From stable+bounces-226931-greg=kroah.com@vger.kernel.org Wed Mar 18 01:10:08 2026 +From: Sasha Levin +Date: Tue, 17 Mar 2026 20:09:46 -0400 +Subject: ice: sleep, don't busy-wait, in the SQ send retry loop +To: stable@vger.kernel.org +Cc: Michal Schmidt , Arkadiusz Kubalewski , Simon Horman , Sunitha Mekala , Tony Nguyen , Sasha Levin +Message-ID: <20260318000947.379271-2-sashal@kernel.org> + +From: Michal Schmidt + +[ Upstream commit b488ae52ef9f74155ab358f8c68e74327b45e0e1 ] + +10 ms is a lot of time to spend busy-waiting. Sleeping is clearly +allowed here, because we have just returned from ice_sq_send_cmd(), +which takes a mutex. + +On kernels with HZ=100, this msleep may be twice as long, but I don't +think it matters. +I did not actually observe any retries happening here. + +Signed-off-by: Michal Schmidt +Reviewed-by: Arkadiusz Kubalewski +Reviewed-by: Simon Horman +Tested-by: Sunitha Mekala (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Stable-dep-of: 326256c0a72d ("ice: reintroduce retry mechanism for indirect AQ") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/ice/ice_common.c ++++ b/drivers/net/ethernet/intel/ice/ice_common.c +@@ -1620,7 +1620,7 @@ ice_sq_send_cmd_retry(struct ice_hw *hw, + + memcpy(desc, &desc_cpy, sizeof(desc_cpy)); + +- mdelay(ICE_SQ_SEND_DELAY_TIME_MS); ++ msleep(ICE_SQ_SEND_DELAY_TIME_MS); + + } while (++idx < ICE_SQ_SEND_MAX_EXECUTE); + diff --git a/queue-6.1/iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch b/queue-6.1/iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch new file mode 100644 index 0000000000..3972b55780 --- /dev/null +++ b/queue-6.1/iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch 
@@ -0,0 +1,48 @@ +From stable+bounces-226516-greg=kroah.com@vger.kernel.org Tue Mar 17 18:17:01 2026 +From: inv.git-commit@tdk.com +Date: Tue, 17 Mar 2026 17:03:43 +0000 +Subject: iio: imu: inv_icm42600: fix odr switch when turning buffer off +To: stable@vger.kernel.org +Cc: Jean-Baptiste Maneyrol , Jonathan Cameron +Message-ID: <20260317170343.745772-1-inv.git-commit@tdk.com> + +From: Jean-Baptiste Maneyrol + +[ Upstream commit ffd32db8263d2d785a2c419486a450dc80693235 ] + +ODR switch is done in 2 steps when FIFO is on : change the ODR register +value and acknowledge change when reading the FIFO ODR change flag. +When we are switching odr and turning buffer off just afterward, we are +losing the FIFO ODR change flag and ODR switch is blocked. + +Fix the issue by force applying any waiting ODR change when turning +buffer off. + +Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping") +Signed-off-by: Jean-Baptiste Maneyrol +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c ++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c +@@ -377,6 +377,7 @@ out_unlock: + static int inv_icm42600_buffer_postdisable(struct iio_dev *indio_dev) + { + struct inv_icm42600_state *st = iio_device_get_drvdata(indio_dev); ++ struct inv_icm42600_timestamp *ts = iio_priv(indio_dev); + struct device *dev = regmap_get_device(st->map); + unsigned int sensor; + unsigned int *watermark; +@@ -398,6 +399,8 @@ static int inv_icm42600_buffer_postdisab + + mutex_lock(&st->lock); + ++ inv_icm42600_timestamp_apply_odr(ts, 0, 0, 0); ++ + ret = inv_icm42600_buffer_set_fifo_en(st, st->fifo.en & ~sensor); + if (ret) + goto out_unlock; 
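Review bot: In inv_icm42600_buffer_postdisable(), the added call inv_icm42600_timestamp_apply_odr(ts, 0, 0, 0) passes three bare zeros with no comment, so the call site does not show that it is there to force a pending ODR change through once the FIFO flag can no longer be read. A one-line comment above the call stating that intent would help. It is also worth confirming that iio_priv(indio_dev) really is the timestamp state for every device that reaches this callback, since st in the same function comes from iio_device_get_drvdata() instead.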
diff --git a/queue-6.1/ksmbd-compare-macs-in-constant-time.patch b/queue-6.1/ksmbd-compare-macs-in-constant-time.patch new file mode 100644 index 0000000000..8eaa75f272 --- /dev/null +++ b/queue-6.1/ksmbd-compare-macs-in-constant-time.patch 
@@ -0,0 +1,74 @@ +From stable+bounces-224562-greg=kroah.com@vger.kernel.org Tue Mar 10 20:54:07 2026 +From: Eric Biggers +Date: Tue, 10 Mar 2026 12:52:56 -0700 +Subject: ksmbd: Compare MACs in constant time +To: stable@vger.kernel.org +Cc: linux-crypto@vger.kernel.org, linux-cifs@vger.kernel.org, Eric Biggers , Namjae Jeon , Steve French +Message-ID: <20260310195256.70926-1-ebiggers@kernel.org> + +From: Eric Biggers + +commit c5794709bc9105935dbedef8b9cf9c06f2b559fa upstream. + +To prevent timing attacks, MAC comparisons need to be constant-time. +Replace the memcmp() with the correct function, crypto_memneq(). + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/auth.c | 4 +++- + fs/smb/server/smb2pdu.c | 5 +++-- + 2 files changed, 6 insertions(+), 3 deletions(-) + +--- a/fs/smb/server/auth.c ++++ b/fs/smb/server/auth.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -281,7 +282,8 @@ int ksmbd_auth_ntlmv2(struct ksmbd_conn + goto out; + } + +- if (memcmp(ntlmv2->ntlmv2_hash, ntlmv2_rsp, CIFS_HMAC_MD5_HASH_SIZE) != 0) ++ if (crypto_memneq(ntlmv2->ntlmv2_hash, ntlmv2_rsp, ++ CIFS_HMAC_MD5_HASH_SIZE)) + rc = -EINVAL; + out: + if (ctx) +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -4,6 +4,7 @@ + * Copyright (C) 2018 Samsung Electronics Co., Ltd. 
+ */ + ++#include + #include + #include + #include +@@ -8430,7 +8431,7 @@ int smb2_check_sign_req(struct ksmbd_wor + signature)) + return 0; + +- if (memcmp(signature, signature_req, SMB2_SIGNATURE_SIZE)) { ++ if (crypto_memneq(signature, signature_req, SMB2_SIGNATURE_SIZE)) { + pr_err("bad smb2 signature\n"); + return 0; + } +@@ -8518,7 +8519,7 @@ int smb3_check_sign_req(struct ksmbd_wor + if (ksmbd_sign_smb3_pdu(conn, signing_key, iov, 1, signature)) + return 0; + +- if (memcmp(signature, signature_req, SMB2_SIGNATURE_SIZE)) { ++ if (crypto_memneq(signature, signature_req, SMB2_SIGNATURE_SIZE)) { + pr_err("bad smb2 signature\n"); + return 0; + } diff --git a/queue-6.1/mtd-spinand-macronix-use-scratch-buffer-for-dma-operation.patch b/queue-6.1/mtd-spinand-macronix-use-scratch-buffer-for-dma-operation.patch new file mode 100644 index 0000000000..16717bd659 --- /dev/null +++ b/queue-6.1/mtd-spinand-macronix-use-scratch-buffer-for-dma-operation.patch 
@@ -0,0 +1,44 @@ +From stable+bounces-224526-greg=kroah.com@vger.kernel.org Tue Mar 10 18:16:43 2026 +From: Frieder Schrempf +Date: Tue, 10 Mar 2026 18:15:44 +0100 +Subject: mtd: spinand: macronix: use scratch buffer for DMA operation +To: Greg Kroah-Hartman , Sasha Levin , stable@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mtd@lists.infradead.org, Miquel Raynal , Richard Weinberger , Vignesh Raghavendra +Cc: Daniel Golle , Dhruva Gole , Frieder Schrempf +Message-ID: <20260310171544.1568499-1-frieder@fris.de> + +From: Daniel Golle + +[ Upstream commit ebed787a0becb9354f0a23620a5130cccd6c730c ] + +The mx35lf1ge4ab_get_eccsr() function uses an SPI DMA operation to +read the eccsr, hence the buffer should not be on stack. Since commit +380583227c0c7f ("spi: spi-mem: Add extra sanity checks on the op param") +the kernel emmits a warning and blocks such operations. + +Use the scratch buffer to get eccsr instead of trying to directly read +into a stack-allocated variable. + +Signed-off-by: Daniel Golle +Reviewed-by: Dhruva Gole +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/Y8i85zM0u4XdM46z@makrotopia.org +Signed-off-by: Frieder Schrempf +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/spi/macronix.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/nand/spi/macronix.c ++++ b/drivers/mtd/nand/spi/macronix.c +@@ -83,9 +83,10 @@ static int mx35lf1ge4ab_ecc_get_status(s + * in order to avoid forcing the wear-leveling layer to move + * data around if it's not necessary. + */ +- if (mx35lf1ge4ab_get_eccsr(spinand, &eccsr)) ++ if (mx35lf1ge4ab_get_eccsr(spinand, spinand->scratchbuf)) + return nanddev_get_ecc_conf(nand)->strength; + ++ eccsr = *spinand->scratchbuf; + if (WARN_ON(eccsr > nanddev_get_ecc_conf(nand)->strength || + !eccsr)) + return nanddev_get_ecc_conf(nand)->strength; 
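Review bot: In mx35lf1ge4ab_ecc_get_status(), nothing at the call site says why spinand->scratchbuf is used, so a later cleanup could put the on-stack read back. A short comment next to "eccsr = *spinand->scratchbuf;" noting that the ECC status read may go through SPI DMA and therefore must not target a stack variable would keep the constraint visible.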
diff --git a/queue-6.1/net-dsa-improve-shutdown-sequence.patch b/queue-6.1/net-dsa-improve-shutdown-sequence.patch new file mode 100644 index 0000000000..4982624888 --- /dev/null +++ b/queue-6.1/net-dsa-improve-shutdown-sequence.patch 
@@ -0,0 +1,122 @@ +From stable+bounces-225264-greg=kroah.com@vger.kernel.org Fri Mar 13 09:08:12 2026 +From: Rajani Kantha <681739313@139.com> +Date: Fri, 13 Mar 2026 16:07:32 +0800 +Subject: net: dsa: improve shutdown sequence +To: alexander.sverdlin@siemens.com, vladimir.oltean@nxp.com, pabeni@redhat.com +Cc: stable@vger.kernel.org +Message-ID: <20260313080732.1743-1-681739313@139.com> + +From: Vladimir Oltean + +[ Upstream commit 6c24a03a61a245fe34d47582898331fa034b6ccd ] + +Alexander Sverdlin presents 2 problems during shutdown with the +lan9303 driver. One is specific to lan9303 and the other just happens +to reproduce there. + +The first problem is that lan9303 is unique among DSA drivers in that it +calls dev_get_drvdata() at "arbitrary runtime" (not probe, not shutdown, +not remove): + +phy_state_machine() +-> ... + -> dsa_user_phy_read() + -> ds->ops->phy_read() + -> lan9303_phy_read() + -> chip->ops->phy_read() + -> lan9303_mdio_phy_read() + -> dev_get_drvdata() + +But we never stop the phy_state_machine(), so it may continue to run +after dsa_switch_shutdown(). Our common pattern in all DSA drivers is +to set drvdata to NULL to suppress the remove() method that may come +afterwards. But in this case it will result in an NPD. + +The second problem is that the way in which we set +dp->master->dsa_ptr = NULL; is concurrent with receive packet +processing. dsa_switch_rcv() checks once whether dev->dsa_ptr is NULL, +but afterwards, rather than continuing to use that non-NULL value, +dev->dsa_ptr is dereferenced again and again without NULL checks: +dsa_master_find_slave() and many other places. In between dereferences, +there is no locking to ensure that what was valid once continues to be +valid. + +Both problems have the common aspect that closing the master interface +solves them. + +In the first case, dev_close(master) triggers the NETDEV_GOING_DOWN +event in dsa_slave_netdevice_event() which closes slave ports as well. 
+dsa_port_disable_rt() calls phylink_stop(), which synchronously stops +the phylink state machine, and ds->ops->phy_read() will thus no longer +call into the driver after this point. + +In the second case, dev_close(master) should do this, as per +Documentation/networking/driver.rst: + +| Quiescence +| ---------- +| +| After the ndo_stop routine has been called, the hardware must +| not receive or transmit any data. All in flight packets must +| be aborted. If necessary, poll or wait for completion of +| any reset commands. + +So it should be sufficient to ensure that later, when we zeroize +master->dsa_ptr, there will be no concurrent dsa_switch_rcv() call +on this master. + +The addition of the netif_device_detach() function is to ensure that +ioctls, rtnetlinks and ethtool requests on the slave ports no longer +propagate down to the driver - we're no longer prepared to handle them. + +The race condition actually did not exist when commit 0650bf52b31f +("net: dsa: be compatible with masters which unregister on shutdown") +first introduced dsa_switch_shutdown(). It was created later, when we +stopped unregistering the slave interfaces from a bad spot, and we just +replaced that sequence with a racy zeroization of master->dsa_ptr +(one which doesn't ensure that the interfaces aren't up). 
+ +Reported-by: Alexander Sverdlin +Closes: https://lore.kernel.org/netdev/2d2e3bba17203c14a5ffdabc174e3b6bbb9ad438.camel@siemens.com/ +Closes: https://lore.kernel.org/netdev/c1bf4de54e829111e0e4a70e7bd1cf523c9550ff.camel@siemens.com/ +Fixes: ee534378f005 ("net: dsa: fix panic when DSA master device unbinds on shutdown") +Reviewed-by: Alexander Sverdlin +Tested-by: Alexander Sverdlin +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20240913203549.3081071-1-vladimir.oltean@nxp.com +Signed-off-by: Paolo Abeni +[ Modification: dsa.c -> dsa2.c to line up the source path in kernel 6.1 +Using dp->master and dp->slave instead of dp->conduit and dp->user ] +Signed-off-by: Rajani Kantha <681739313@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + net/dsa/dsa2.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/dsa/dsa2.c ++++ b/net/dsa/dsa2.c +@@ -1829,6 +1829,7 @@ EXPORT_SYMBOL_GPL(dsa_unregister_switch) + void dsa_switch_shutdown(struct dsa_switch *ds) + { + struct net_device *master, *slave_dev; ++ LIST_HEAD(close_list); + struct dsa_port *dp; + + mutex_lock(&dsa2_mutex); +@@ -1838,10 +1839,16 @@ void dsa_switch_shutdown(struct dsa_swit + + rtnl_lock(); + ++ dsa_switch_for_each_cpu_port(dp, ds) ++ list_add(&dp->master->close_list, &close_list); ++ ++ dev_close_many(&close_list, true); ++ + dsa_switch_for_each_user_port(dp, ds) { + master = dsa_port_to_master(dp); + slave_dev = dp->slave; + ++ netif_device_detach(slave_dev); + netdev_upper_dev_unlink(master, slave_dev); + } + diff --git a/queue-6.1/net-fec-handle-page_pool_dev_alloc_pages-error.patch b/queue-6.1/net-fec-handle-page_pool_dev_alloc_pages-error.patch new file mode 100644 index 0000000000..175485dac7 --- /dev/null +++ b/queue-6.1/net-fec-handle-page_pool_dev_alloc_pages-error.patch 
@@ -0,0 +1,98 @@ +From johnny_haocn@sina.com Fri Mar 13 04:20:17 2026 +From: Johnny Hao +Date: Fri, 13 Mar 2026 11:20:09 +0800 +Subject: net: fec: handle page_pool_dev_alloc_pages error +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Kevin Groeneveld , Jacob Keller , Wei Fang , Jakub Kicinski , Johnny Hao +Message-ID: <20260313032009.2181924-1-johnny_haocn@sina.com> + +From: Kevin Groeneveld + +[ Upstream commit 001ba0902046cb6c352494df610718c0763e77a5 ] + +The fec_enet_update_cbd function calls page_pool_dev_alloc_pages but did +not handle the case when it returned NULL. There was a WARN_ON(!new_page) +but it would still proceed to use the NULL pointer and then crash. + +This case does seem somewhat rare but when the system is under memory +pressure it can happen. One case where I can duplicate this with some +frequency is when writing over a smbd share to a SATA HDD attached to an +imx6q. + +Setting /proc/sys/vm/min_free_kbytes to higher values also seems to solve +the problem for my test case. But it still seems wrong that the fec driver +ignores the memory allocation error and can crash. + +This commit handles the allocation error by dropping the current packet. + +Fixes: 95698ff6177b5 ("net: fec: using page pool to manage RX buffers") +Signed-off-by: Kevin Groeneveld +Reviewed-by: Jacob Keller +Reviewed-by: Wei Fang +Link: https://patch.msgid.link/20250113154846.1765414-1-kgroeneveld@lenbrook.com +Signed-off-by: Jakub Kicinski +[ The context change is due to the commit 6c8fae0caf5d +(net: fec: simplify the code logic of quirks") +in v6.2 which is irrelevant to the logic of this patch. 
] +Signed-off-by: Johnny Hao +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fec_main.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1595,19 +1595,22 @@ fec_enet_copybreak(struct net_device *nd + return true; + } + +-static void fec_enet_update_cbd(struct fec_enet_priv_rx_q *rxq, ++static int fec_enet_update_cbd(struct fec_enet_priv_rx_q *rxq, + struct bufdesc *bdp, int index) + { + struct page *new_page; + dma_addr_t phys_addr; + + new_page = page_pool_dev_alloc_pages(rxq->page_pool); +- WARN_ON(!new_page); +- rxq->rx_skb_info[index].page = new_page; ++ if (unlikely(!new_page)) ++ return -ENOMEM; + ++ rxq->rx_skb_info[index].page = new_page; + rxq->rx_skb_info[index].offset = FEC_ENET_XDP_HEADROOM; + phys_addr = page_pool_get_dma_addr(new_page) + FEC_ENET_XDP_HEADROOM; + bdp->cbd_bufaddr = cpu_to_fec32(phys_addr); ++ ++ return 0; + } + + /* During a receive, the bd_rx.cur points to the current incoming buffer. +@@ -1632,6 +1635,7 @@ fec_enet_rx_queue(struct net_device *nde + int index = 0; + bool need_swap = fep->quirks & FEC_QUIRK_SWAP_FRAME; + struct page *page; ++ __fec32 cbd_bufaddr; + + #ifdef CONFIG_M532x + flush_cache_all(); +@@ -1686,12 +1690,17 @@ fec_enet_rx_queue(struct net_device *nde + + index = fec_enet_get_bd_index(bdp, &rxq->bd); + page = rxq->rx_skb_info[index].page; ++ cbd_bufaddr = bdp->cbd_bufaddr; ++ if (fec_enet_update_cbd(rxq, bdp, index)) { ++ ndev->stats.rx_dropped++; ++ goto rx_processing_done; ++ } ++ + dma_sync_single_for_cpu(&fep->pdev->dev, +- fec32_to_cpu(bdp->cbd_bufaddr), ++ fec32_to_cpu(cbd_bufaddr), + pkt_len, + DMA_FROM_DEVICE); + prefetch(page_address(page)); +- fec_enet_update_cbd(rxq, bdp, index); + + /* The packet length includes FCS, but we don't want to + * include that when passing upstream as it messes up 
diff --git a/queue-6.1/net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch b/queue-6.1/net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch new file mode 100644 index 0000000000..53403d960f --- /dev/null +++ b/queue-6.1/net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch 
@@ -0,0 +1,85 @@ +From stable+bounces-224568-greg=kroah.com@vger.kernel.org Tue Mar 10 21:18:10 2026 +From: Eric Biggers +Date: Tue, 10 Mar 2026 13:17:04 -0700 +Subject: net/tcp-md5: Fix MAC comparison to be constant-time +To: stable@vger.kernel.org +Cc: linux-crypto@vger.kernel.org, netdev@vger.kernel.org, Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Jakub Kicinski +Message-ID: <20260310201704.120040-1-ebiggers@kernel.org> + +From: Eric Biggers + +commit 46d0d6f50dab706637f4c18a470aac20a21900d3 upstream. + +To prevent timing attacks, MACs need to be compared in constant +time. Use the appropriate helper function for this. + +Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.") +Fixes: 658ddaaf6694 ("tcp: md5: RST: getting md5 key from listener") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Link: https://patch.msgid.link/20260302203409.13388-1-ebiggers@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 3 ++- + net/ipv4/tcp_ipv4.c | 3 ++- + net/ipv6/tcp_ipv6.c | 3 ++- + 3 files changed, 6 insertions(+), 3 deletions(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -243,6 +243,7 @@ + + #define pr_fmt(fmt) "TCP: " fmt + ++#include + #include + #include + #include +@@ -4680,7 +4681,7 @@ tcp_inbound_md5_hash(const struct sock * + hash_expected, + NULL, skb); + +- if (genhash || memcmp(hash_location, newhash, 16) != 0) { ++ if (genhash || crypto_memneq(hash_location, newhash, 16)) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE); + if (family == AF_INET) { + net_info_ratelimited("MD5 Hash failed for (%pI4, %d)->(%pI4, %d)%s L3 index %d\n", +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -78,6 +78,7 @@ + #include + #include + ++#include + #include + #include + +@@ -776,7 +777,7 @@ static void tcp_v4_send_reset(const stru + + + genhash = tcp_v4_md5_hash_skb(newhash, key, NULL, skb); +- if (genhash || memcmp(hash_location, newhash, 16) != 0) ++ if (genhash || 
crypto_memneq(hash_location, newhash, 16)) + goto out; + + } +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -63,6 +63,7 @@ + #include + #include + ++#include + #include + #include + +@@ -1042,7 +1043,7 @@ static void tcp_v6_send_reset(const stru + goto out; + + genhash = tcp_v6_md5_hash_skb(newhash, key, NULL, skb); +- if (genhash || memcmp(hash_location, newhash, 16) != 0) ++ if (genhash || crypto_memneq(hash_location, newhash, 16)) + goto out; + } + #endif diff --git a/queue-6.1/series b/queue-6.1/series index ed170167b1..3a00fbb07c 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -362,3 +362,16 @@ net-macb-queue-tie-off-or-disable-during-wol-suspend.patch net-macb-introduce-gem_init_rx_ring.patch net-macb-reinitialize-tx-rx-queue-pointer-registers-and-rx-ring-during-resume.patch pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch +ice-remove-unused-buffer-copy-code-in-ice_sq_send_cmd_retry.patch +ice-sleep-don-t-busy-wait-in-the-sq-send-retry-loop.patch +ice-reintroduce-retry-mechanism-for-indirect-aq.patch +iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch +alsa-usb-audio-kill-timer-properly-at-removal.patch +drm-amdgpu-unmap-and-remove-csa_va-properly.patch +net-dsa-improve-shutdown-sequence.patch +net-fec-handle-page_pool_dev_alloc_pages-error.patch +gfs2-no-more-self-recovery.patch +smb-client-compare-macs-in-constant-time.patch +ksmbd-compare-macs-in-constant-time.patch +net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch +mtd-spinand-macronix-use-scratch-buffer-for-dma-operation.patch diff --git a/queue-6.1/smb-client-compare-macs-in-constant-time.patch b/queue-6.1/smb-client-compare-macs-in-constant-time.patch new file mode 100644 index 0000000000..b181f91b53 --- /dev/null +++ b/queue-6.1/smb-client-compare-macs-in-constant-time.patch 
@@ -0,0 +1,65 @@ +From stable+bounces-224556-greg=kroah.com@vger.kernel.org Tue Mar 10 20:51:36 2026 +From: Eric Biggers +Date: Tue, 10 Mar 2026 12:51:03 -0700 +Subject: smb: client: Compare MACs in constant time +To: stable@vger.kernel.org +Cc: linux-crypto@vger.kernel.org, linux-cifs@vger.kernel.org, Eric Biggers , "Paulo Alcantara (Red Hat)" , Steve French +Message-ID: <20260310195103.70705-1-ebiggers@kernel.org> + +From: Eric Biggers + +commit 26bc83b88bbbf054f0980a4a42047a8d1e210e4c upstream. + +To prevent timing attacks, MAC comparisons need to be constant-time. +Replace the memcmp() with the correct function, crypto_memneq(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Acked-by: Paulo Alcantara (Red Hat) +Signed-off-by: Eric Biggers +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifsencrypt.c | 3 ++- + fs/smb/client/smb2transport.c | 4 +++- + 2 files changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/smb/client/cifsencrypt.c ++++ b/fs/smb/client/cifsencrypt.c +@@ -23,6 +23,7 @@ + #include + #include "../common/arc4.h" + #include ++#include + + int __cifs_calc_signature(struct smb_rqst *rqst, + struct TCP_Server_Info *server, char *signature, +@@ -243,7 +244,7 @@ int cifs_verify_signature(struct smb_rqs + /* cifs_dump_mem("what we think it should be: ", + what_we_think_sig_should_be, 16); */ + +- if (memcmp(server_response_sig, what_we_think_sig_should_be, 8)) ++ if (crypto_memneq(server_response_sig, what_we_think_sig_should_be, 8)) + return -EACCES; + else + return 0; +--- a/fs/smb/client/smb2transport.c ++++ b/fs/smb/client/smb2transport.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include "cifsglob.h" + #include "cifsproto.h" + #include "smb2proto.h" +@@ -699,7 +700,8 @@ smb2_verify_signature(struct smb_rqst *r + if (rc) + return rc; + +- if (memcmp(server_response_sig, shdr->Signature, SMB2_SIGNATURE_SIZE)) { ++ if (crypto_memneq(server_response_sig, 
shdr->Signature, ++ SMB2_SIGNATURE_SIZE)) { + cifs_dbg(VFS, "sign fail cmd 0x%x message id 0x%llx\n", + shdr->Command, shdr->MessageId); + return -EACCES;
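Review bot: in the net/dsa/dsa2.c hunk at @@ -1838,10 +1839,16, the new call order inside dsa_switch_shutdown() has no comment, although the order is what the change consists of: the masters are closed with dev_close_many(&close_list, true) first, and each slave gets netif_device_detach(slave_dev) before netdev_upper_dev_unlink(master, slave_dev). A short comment above the dsa_switch_for_each_cpu_port() loop saying why the masters must be down before the slaves are unlinked, and what the bare boolean argument to dev_close_many() selects, would keep a later cleanup from reordering these calls. The loop also dereferences dp->master with no NULL check; since the backport note says dp->master stands in for dp->conduit, please confirm that it is populated for every CPU port the loop visits in the 6.1 tree.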
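Review bot: in the drivers/net/ethernet/freescale/fec_main.c hunk at @@ -1595,19 +1595,22, fec_enet_update_cbd() returns -ENOMEM before it writes rxq->rx_skb_info[index] or bdp->cbd_bufaddr, so the descriptor still points at the old page when the caller drops the packet, but nothing in the function states that guarantee. Add a one-line comment on the early return saying the descriptor is left unchanged on failure. With WARN_ON(!new_page) removed, the only trace of an allocation failure is the ndev->stats.rx_dropped increment in the caller, so consider whether a rate-limited message is wanted for diagnosing memory pressure.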
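Review bot: in the fec_enet_rx_queue() hunk at @@ -1686,12 +1690,17, the copy "cbd_bufaddr = bdp->cbd_bufaddr;" has to stay ahead of fec_enet_update_cbd(), because a successful call overwrites bdp->cbd_bufaddr while dma_sync_single_for_cpu() must still sync the buffer that received the packet. That dependency is easy to break in a later refactor, so a comment on the assignment would help. The drop path also jumps to rx_processing_done before dma_sync_single_for_cpu() runs; please confirm that skipping the sync is intended for a buffer that stays in the ring.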
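Review bot: in the net/ipv4/tcp.c hunk at @@ -4680,7 +4681,7, the length passed to crypto_memneq() is still the bare literal 16, and the same literal recurs in the tcp_v4_send_reset() and tcp_v6_send_reset() hunks. For a comparison whose purpose is MAC verification, the length should come from a named constant for the MD5 digest size, so that the three call sites cannot drift apart and leave part of the MAC unchecked. The "genhash ||" short-circuit skips the comparison only when genhash reports a failure, so it does not reintroduce a data-dependent early exit over the MAC bytes.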
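Review bot: in the fs/smb/client/cifsencrypt.c hunk at @@ -243,7 +244,7, cifs_verify_signature() compares a hard-coded 8 bytes, while the smb2transport.c hunk in the same patch uses SMB2_SIGNATURE_SIZE. Replace the literal with a named signature-length constant so the number of bytes covered by the constant-time comparison is documented next to the signature definition. The commented-out cifs_dump_mem("what we think it should be: ", what_we_think_sig_should_be, 16) in the context lines would log the expected signature if re-enabled, and it dumps 16 bytes where the check covers 8; it should be removed or clearly marked as debug-only.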