From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 27 May 2026 08:11:44 +0000 (+0200)
Subject: 6.18-stable patches
X-Git-Tag: v5.10.258~55
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=c43993178a76492955569ff60a2df859069bddcc;p=thirdparty%2Fkernel%2Fstable-queue.git

6.18-stable patches

added patches:
	arm64-dts-broadcom-bcm2712-add-watchdog-dt-node.patch
	dt-bindings-soc-bcm-add-bcm2712-compatible.patch
	mfd-bcm2835-pm-add-support-for-bcm2712.patch
	smb-client-reject-userspace-cifs.spnego-descriptions.patch
---

diff --git a/queue-6.18/arm64-dts-broadcom-bcm2712-add-watchdog-dt-node.patch b/queue-6.18/arm64-dts-broadcom-bcm2712-add-watchdog-dt-node.patch
new file mode 100644
index 0000000000..4376e6110e
--- /dev/null
+++ b/queue-6.18/arm64-dts-broadcom-bcm2712-add-watchdog-dt-node.patch
@@ -0,0 +1,37 @@
+From 37c3a91e9730e274fe2eca9703033ae0f154cb62 Mon Sep 17 00:00:00 2001
+From: Stanimir Varbanov <svarbanov@suse.de>
+Date: Fri, 31 Oct 2025 20:33:09 +0200
+Subject: arm64: dts: broadcom: bcm2712: Add watchdog DT node
+
+From: Stanimir Varbanov <svarbanov@suse.de>
+
+commit 37c3a91e9730e274fe2eca9703033ae0f154cb62 upstream.
+
+Add watchdog device-tree node for bcm2712 SoC.
+
+Signed-off-by: Stanimir Varbanov <svarbanov@suse.de>
+Link: https://lore.kernel.org/r/20251031183309.1163384-5-svarbanov@suse.de
+Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/broadcom/bcm2712.dtsi |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/arm64/boot/dts/broadcom/bcm2712.dtsi
++++ b/arch/arm64/boot/dts/broadcom/bcm2712.dtsi
+@@ -250,6 +250,15 @@
+ 			status = "disabled";
+ 		};
+ 
++		pm: watchdog@7d200000 {
++			compatible = "brcm,bcm2712-pm", "brcm,bcm2835-pm-wdt";
++			reg = <0x7d200000 0x604>;
++			reg-names = "pm";
++			#power-domain-cells = <1>;
++			#reset-cells = <1>;
++			system-power-controller;
++		};
++
+ 		pinctrl: pinctrl@7d504100 {
+ 			compatible = "brcm,bcm2712c0-pinctrl";
+ 			reg = <0x7d504100 0x30>;
diff --git a/queue-6.18/dt-bindings-soc-bcm-add-bcm2712-compatible.patch b/queue-6.18/dt-bindings-soc-bcm-add-bcm2712-compatible.patch
new file mode 100644
index 0000000000..7e92c07794
--- /dev/null
+++ b/queue-6.18/dt-bindings-soc-bcm-add-bcm2712-compatible.patch
@@ -0,0 +1,89 @@
+From 34194cb385033656d347ebe45c241e4739a58125 Mon Sep 17 00:00:00 2001
+From: Stanimir Varbanov <svarbanov@suse.de>
+Date: Fri, 31 Oct 2025 20:33:07 +0200
+Subject: dt-bindings: soc: bcm: Add bcm2712 compatible
+
+From: Stanimir Varbanov <svarbanov@suse.de>
+
+commit 34194cb385033656d347ebe45c241e4739a58125 upstream.
+
+Add bcm2712-pm compatible and update the bindings to satisfy it's
+requirements. The PM hardware block inside bcm2712 lacks the "asb"
+and "rpivid_asb" register ranges and also does not have clocks, update
+the bindings accordingly.
+
+Signed-off-by: Stanimir Varbanov <svarbanov@suse.de>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Acked-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/soc/bcm/brcm,bcm2835-pm.yaml |   38 ++++++++--
+ 1 file changed, 32 insertions(+), 6 deletions(-)
+
+--- a/Documentation/devicetree/bindings/soc/bcm/brcm,bcm2835-pm.yaml
++++ b/Documentation/devicetree/bindings/soc/bcm/brcm,bcm2835-pm.yaml
+@@ -13,23 +13,21 @@ description: |
+ maintainers:
+   - Nicolas Saenz Julienne <nsaenz@kernel.org>
+ 
+-allOf:
+-  - $ref: /schemas/watchdog/watchdog.yaml#
+-
+ properties:
+   compatible:
+     items:
+       - enum:
+           - brcm,bcm2835-pm
+           - brcm,bcm2711-pm
++          - brcm,bcm2712-pm
+       - const: brcm,bcm2835-pm-wdt
+ 
+   reg:
+-    minItems: 2
++    minItems: 1
+     maxItems: 3
+ 
+   reg-names:
+-    minItems: 2
++    minItems: 1
+     items:
+       - const: pm
+       - const: asb
+@@ -62,7 +60,35 @@ required:
+   - reg
+   - "#power-domain-cells"
+   - "#reset-cells"
+-  - clocks
++
++allOf:
++  - $ref: /schemas/watchdog/watchdog.yaml#
++
++  - if:
++      properties:
++        compatible:
++          contains:
++            enum:
++              - brcm,bcm2835-pm
++              - brcm,bcm2711-pm
++    then:
++      required:
++        - clocks
++
++      properties:
++        reg:
++          minItems: 2
++
++        reg-names:
++          minItems: 2
++
++    else:
++      properties:
++        reg:
++          maxItems: 1
++
++        reg-names:
++          maxItems: 1
+ 
+ additionalProperties: false
+ 
diff --git a/queue-6.18/mfd-bcm2835-pm-add-support-for-bcm2712.patch b/queue-6.18/mfd-bcm2835-pm-add-support-for-bcm2712.patch
new file mode 100644
index 0000000000..100e9fc7ac
--- /dev/null
+++ b/queue-6.18/mfd-bcm2835-pm-add-support-for-bcm2712.patch
@@ -0,0 +1,33 @@
+From 30ed024fb0768e9353f21d1d9e6960b7028acdfa Mon Sep 17 00:00:00 2001
+From: Stanimir Varbanov <svarbanov@suse.de>
+Date: Wed, 17 Sep 2025 09:32:32 +0300
+Subject: mfd: bcm2835-pm: Add support for BCM2712
+
+From: Stanimir Varbanov <svarbanov@suse.de>
+
+commit 30ed024fb0768e9353f21d1d9e6960b7028acdfa upstream.
+
+The BCM2712 SoC has PM block but lacks the "asb" and "rpivid_asb"
+register spaces, and doesn't need clock(s).  Add a compatible
+string for bcm2712 to allow probe of bcm2835-wdt and
+bcm2835-power drivers.
+
+Signed-off-by: Stanimir Varbanov <svarbanov@suse.de>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20250917063233.1270-4-svarbanov@suse.de
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mfd/bcm2835-pm.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mfd/bcm2835-pm.c
++++ b/drivers/mfd/bcm2835-pm.c
+@@ -108,6 +108,7 @@ static const struct of_device_id bcm2835
+ 	{ .compatible = "brcm,bcm2835-pm-wdt", },
+ 	{ .compatible = "brcm,bcm2835-pm", },
+ 	{ .compatible = "brcm,bcm2711-pm", },
++	{ .compatible = "brcm,bcm2712-pm", },
+ 	{},
+ };
+ MODULE_DEVICE_TABLE(of, bcm2835_pm_of_match);
diff --git a/queue-6.18/series b/queue-6.18/series
index 1a26a0def3..457591bdd4 100644
--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -8,3 +8,7 @@ sched-deadline-fix-missing-enqueue_replenish-during-.patch
 bridge-mrp-reject-zero-test-interval-to-avoid-oom-pa.patch
 spi-spi-dw-dma-fix-print-error-log-when-wait-finish-.patch
 ksmbd-close-durable-scavenger-races-against-m_fp_lis.patch
+smb-client-reject-userspace-cifs.spnego-descriptions.patch
+dt-bindings-soc-bcm-add-bcm2712-compatible.patch
+arm64-dts-broadcom-bcm2712-add-watchdog-dt-node.patch
+mfd-bcm2835-pm-add-support-for-bcm2712.patch
diff --git a/queue-6.18/smb-client-reject-userspace-cifs.spnego-descriptions.patch b/queue-6.18/smb-client-reject-userspace-cifs.spnego-descriptions.patch
new file mode 100644
index 0000000000..6c243994dd
--- /dev/null
+++ b/queue-6.18/smb-client-reject-userspace-cifs.spnego-descriptions.patch
@@ -0,0 +1,66 @@
+From 3da1fdf4efbc490041eb4f836bf596201203f8f2 Mon Sep 17 00:00:00 2001
+From: Asim Viladi Oglu Manizada <manizada@pm.me>
+Date: Sat, 16 May 2026 21:15:39 +0000
+Subject: smb: client: reject userspace cifs.spnego descriptions
+
+From: Asim Viladi Oglu Manizada <manizada@pm.me>
+
+commit 3da1fdf4efbc490041eb4f836bf596201203f8f2 upstream.
+
+cifs.spnego key descriptions contain authority-bearing fields such as
+pid, uid, creduid, and upcall_target that cifs.upcall treats as
+kernel-originating inputs. However, userspace can also create keys of
+this type through request_key(2) or add_key(2), allowing those fields to
+be supplied without CIFS origin.
+
+Only accept cifs.spnego descriptions while CIFS is using its private
+spnego_cred to request the key.
+
+Fixes: f1d662a7d5e5 ("[CIFS] Add upcall files for cifs to use spnego/kerberos")
+Assisted-by: avom-custom-harness:gpt-5.5-qwen3.6-mod-mix
+Reviewed-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Asim Viladi Oglu Manizada <manizada@pm.me>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifs_spnego.c |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/fs/smb/client/cifs_spnego.c
++++ b/fs/smb/client/cifs_spnego.c
+@@ -8,6 +8,7 @@
+  */
+ 
+ #include <linux/list.h>
++#include <linux/cred.h>
+ #include <linux/slab.h>
+ #include <linux/string.h>
+ #include <keys/user-type.h>
+@@ -40,12 +41,27 @@ cifs_spnego_key_destroy(struct key *key)
+ 	kfree(key->payload.data[0]);
+ }
+ 
++static int
++cifs_spnego_key_vet_description(const char *description)
++{
++	/*
++	 * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall.
++	 * They are only valid when produced by CIFS while using the private
++	 * spnego_cred installed below.  Do not let userspace create this type
++	 * of key through request_key(2)/add_key(2), since the helper treats
++	 * pid/uid/creduid/upcall_target as kernel-originating fields.
++	 */
++	if (current_cred() != spnego_cred)
++		return -EPERM;
++	return 0;
++}
+ 
+ /*
+  * keytype for CIFS spnego keys
+  */
+ struct key_type cifs_spnego_key_type = {
+ 	.name		= "cifs.spnego",
++	.vet_description = cifs_spnego_key_vet_description,
+ 	.instantiate	= cifs_spnego_key_instantiate,
+ 	.destroy	= cifs_spnego_key_destroy,
+ 	.describe	= user_describe,