release 6.14.1

debian/bin/genpatch-pfkernel

@@ -7,7 +7,7 @@ w=$(git rev-parse --path-format=absolute --show-toplevel) ; : "${w:?}" ; cd "$w"
 
 dst='debian/patches/pf-tmp'
 src='../linux-extras'
-branches='amd-pstate cpuidle crypto fixes kbuild zstd'
+branches='amd-pstate btrfs cpuidle crypto exfat fixes fuse kbuild nfs smb zstd'
 
 if [ -d "${dst}" ] ; then rm -rf "${dst}" ; fi
 mkdir -p "${dst}"

debian/changelog

@@ -1,3 +1,10 @@
+linux (6.14.1-1) sid; urgency=medium
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.14.1
+
+ -- Konstantin Demin <rockdrilla@gmail.com>  Mon, 07 Apr 2025 12:41:44 +0300
+
 linux (6.14-1) sid; urgency=medium
 
   * Sync with Debian.

debian/config/config

@@ -1854,6 +1854,7 @@ CONFIG_NFSD_BLOCKLAYOUT=y
 # CONFIG_NFSD_V4_2_INTER_SSC is not set
 CONFIG_NFSD_V4_SECURITY_LABEL=y
 # CONFIG_NFSD_LEGACY_CLIENT_TRACKING is not set
+# CONFIG_NFSD_V4_DELEG_TIMESTAMPS is not set
 
 ##
 ## file: fs/nls/Kconfig

debian/patches/bugfix/all/ALSA-hda-realtek-Fix-built-in-mic-on-another-ASUS-Vi.patch

@@ -17,11 +17,9 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de>
  sound/pci/hda/patch_realtek.c | 1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
-index eec3ea1a7e08..79004bc8107b 100644
 --- a/sound/pci/hda/patch_realtek.c
 +++ b/sound/pci/hda/patch_realtek.c
-@@ -10889,6 +10889,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+@@ -10772,6 +10772,7 @@ static const struct hda_quirk alc269_fix
  	SND_PCI_QUIRK(0x1043, 0x1c43, "ASUS UX8406MA", ALC245_FIXUP_CS35L41_SPI_2),
  	SND_PCI_QUIRK(0x1043, 0x1c62, "ASUS GU603", ALC289_FIXUP_ASUS_GA401),
  	SND_PCI_QUIRK(0x1043, 0x1c63, "ASUS GU605M", ALC285_FIXUP_ASUS_GU605_SPI_SPEAKER2_TO_DAC1),
@@ -29,6 +27,3 @@ index eec3ea1a7e08..79004bc8107b 100644
  	SND_PCI_QUIRK(0x1043, 0x1c92, "ASUS ROG Strix G15", ALC285_FIXUP_ASUS_G533Z_PINS),
  	SND_PCI_QUIRK(0x1043, 0x1c9f, "ASUS G614JU/JV/JI", ALC285_FIXUP_ASUS_HEADSET_MIC),
  	SND_PCI_QUIRK(0x1043, 0x1caf, "ASUS G634JY/JZ/JI/JG", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS),
--- 
-2.49.0
-

debian/patches/patchset-pf/amd-pstate/0001-cpufreq-amd-pstate-Modify-the-min_perf-calculation-i.patch

@@ -1,4 +1,4 @@
-From b6c0305214154bc26d20b130266fc1ba8341b58c Mon Sep 17 00:00:00 2001
+From c8c9ab8ff5cc5c0809cd958679614ade200a6ab3 Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:14 +0000
 Subject: cpufreq/amd-pstate: Modify the min_perf calculation in adjust_perf

debian/patches/patchset-pf/amd-pstate/0002-cpufreq-amd-pstate-Remove-the-redundant-des_perf-cla.patch

@@ -1,4 +1,4 @@
-From 6e51c53b5e940312c71ce5ea68cf94a000beab01 Mon Sep 17 00:00:00 2001
+From 16466d169a187b4c650771234de119279346f523 Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:15 +0000
 Subject: cpufreq/amd-pstate: Remove the redundant des_perf clamping in

debian/patches/patchset-pf/amd-pstate/0003-cpufreq-amd-pstate-Pass-min-max_limit_perf-as-min-ma.patch

@@ -1,4 +1,4 @@
-From ad3fffe8ff1f18ad437d8b0d0bb602ba3c24adf7 Mon Sep 17 00:00:00 2001
+From 0dfebf0094ea7c512cf3db1013cf82124d4bbc3a Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:16 +0000
 Subject: cpufreq/amd-pstate: Pass min/max_limit_perf as min/max_perf to

debian/patches/patchset-pf/amd-pstate/0004-cpufreq-amd-pstate-Convert-all-perf-values-to-u8.patch

@@ -1,4 +1,4 @@
-From 300686c32b77583f45c6763535da85f2242bf820 Mon Sep 17 00:00:00 2001
+From 3daf64b383bc41feb0bf23790939b4512ba9170d Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:17 +0000
 Subject: cpufreq/amd-pstate: Convert all perf values to u8

debian/patches/patchset-pf/amd-pstate/0005-cpufreq-amd-pstate-Modularize-perf-freq-conversion.patch

@@ -1,4 +1,4 @@
-From 8b87350a2e336e54b4d2638ac042bb2f7416312a Mon Sep 17 00:00:00 2001
+From b132b889dc7aa398a789e02dd6fbd5a512b4a9e0 Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:18 +0000
 Subject: cpufreq/amd-pstate: Modularize perf<->freq conversion

debian/patches/patchset-pf/amd-pstate/0006-cpufreq-amd-pstate-Remove-the-unnecessary-cpufreq_up.patch

@@ -1,4 +1,4 @@
-From b638a74c3b16e0781bb25478c135726862c9271d Mon Sep 17 00:00:00 2001
+From 6c284985cc268da10f0e38f1f3b9af62ecfc3998 Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:19 +0000
 Subject: cpufreq/amd-pstate: Remove the unnecessary cpufreq_update_policy call

debian/patches/patchset-pf/amd-pstate/0007-cpufreq-amd-pstate-Add-missing-NULL-ptr-check-in-amd.patch

@@ -1,4 +1,4 @@
-From 156278367fd2c0863dc06f9a7df0a654ae336726 Mon Sep 17 00:00:00 2001
+From f50ac94149bc07092ecf5b68558f02920436f77c Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:21 +0000
 Subject: cpufreq/amd-pstate: Add missing NULL ptr check in amd_pstate_update

debian/patches/patchset-pf/amd-pstate/0008-cpufreq-amd-pstate-Use-scope-based-cleanup-for-cpufr.patch

@@ -1,4 +1,4 @@
-From e36868a11daa43eff94abd32f19b1783e89298d4 Mon Sep 17 00:00:00 2001
+From b5b334f66595052e69ecaa501b8a6ebdb0fd6eed Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:22 +0000
 Subject: cpufreq/amd-pstate: Use scope based cleanup for cpufreq_policy refs

debian/patches/patchset-pf/amd-pstate/0009-cpufreq-amd-pstate-Remove-the-unncecessary-driver_lo.patch

@@ -1,4 +1,4 @@
-From 9b7b7d59c5425246ffda281e761ef3ec3b0e4fbc Mon Sep 17 00:00:00 2001
+From eff2c5a3f292e822968919a9792010de65b417b5 Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:23 +0000
 Subject: cpufreq/amd-pstate: Remove the unncecessary driver_lock in

debian/patches/patchset-pf/amd-pstate/0010-cpufreq-amd-pstate-Fix-the-clamping-of-perf-values.patch

@@ -1,4 +1,4 @@
-From f09ef5b8aacd5b16ac1ea93103b41a7e88b174ed Mon Sep 17 00:00:00 2001
+From e836285ca35390d656adffee520d48cd7bedd5b3 Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Sat, 22 Feb 2025 03:32:22 +0000
 Subject: cpufreq/amd-pstate: Fix the clamping of perf values

debian/patches/patchset-pf/amd-pstate/0011-cpufreq-amd-pstate-Invalidate-cppc_req_cached-during.patch

@@ -1,4 +1,4 @@
-From 210d043d7b244588c911e355f2d5339bda9c8209 Mon Sep 17 00:00:00 2001
+From 0a417434299b27aebbb444e7545a7d668c40d288 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:16 -0600
 Subject: cpufreq/amd-pstate: Invalidate cppc_req_cached during suspend

debian/patches/patchset-pf/amd-pstate/0012-cpufreq-amd-pstate-Show-a-warning-when-a-CPU-fails-t.patch

@@ -1,4 +1,4 @@
-From a0233b8c2c01e98ddeb2e80768d4c7172311b200 Mon Sep 17 00:00:00 2001
+From ea1821eae465dfff9a9ef90662c2ce79e5abfe6e Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:17 -0600
 Subject: cpufreq/amd-pstate: Show a warning when a CPU fails to setup

debian/patches/patchset-pf/amd-pstate/0013-cpufreq-amd-pstate-Drop-min-and-max-cached-frequenci.patch

@@ -1,4 +1,4 @@
-From ad672c3336331cab028c27e4a73153f517bb1844 Mon Sep 17 00:00:00 2001
+From 72016df62985637e59f075e25233d8ca942eb391 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:18 -0600
 Subject: cpufreq/amd-pstate: Drop min and max cached frequencies

debian/patches/patchset-pf/amd-pstate/0014-cpufreq-amd-pstate-Move-perf-values-into-a-union.patch

@@ -1,4 +1,4 @@
-From b96076ada115f25a4944f6f111b22c44a5d1a3cf Mon Sep 17 00:00:00 2001
+From 289c4432443c54497bfe75410a516ca24475504d Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:19 -0600
 Subject: cpufreq/amd-pstate: Move perf values into a union

debian/patches/patchset-pf/amd-pstate/0015-cpufreq-amd-pstate-Overhaul-locking.patch

@@ -1,4 +1,4 @@
-From 6c0b59640cce68d7574078d7d1e549bdb8f0128d Mon Sep 17 00:00:00 2001
+From 34925ac1038d19197f0a2ac8574496e77645fdf5 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:20 -0600
 Subject: cpufreq/amd-pstate: Overhaul locking

debian/patches/patchset-pf/amd-pstate/0016-cpufreq-amd-pstate-Drop-cppc_cap1_cached.patch

@@ -1,4 +1,4 @@
-From 7c9409faeb921c76988b4cd2294ca0a959775f35 Mon Sep 17 00:00:00 2001
+From 33c2b6f10f140e35f44d2be9bd8dc9eb459fb29a Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:21 -0600
 Subject: cpufreq/amd-pstate: Drop `cppc_cap1_cached`

debian/patches/patchset-pf/amd-pstate/0017-cpufreq-amd-pstate-ut-Use-_free-macro-to-free-put-po.patch

@@ -1,4 +1,4 @@
-From 346b2824b742a8f5943db8c8200ba4a7492bb3cf Mon Sep 17 00:00:00 2001
+From 22a3d411de53a42057ab0dc45bb00306fd855807 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:22 -0600
 Subject: cpufreq/amd-pstate-ut: Use _free macro to free put policy

debian/patches/patchset-pf/amd-pstate/0018-cpufreq-amd-pstate-ut-Allow-lowest-nonlinear-and-low.patch

@@ -1,4 +1,4 @@
-From 310f8a994f55561902e5a75ff8623988921e3908 Mon Sep 17 00:00:00 2001
+From e42e4d9ee2e953137488e531be82c4d2d1c10d1c Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:23 -0600
 Subject: cpufreq/amd-pstate-ut: Allow lowest nonlinear and lowest to be the

debian/patches/patchset-pf/amd-pstate/0019-cpufreq-amd-pstate-ut-Drop-SUCCESS-and-FAIL-enums.patch

@@ -1,4 +1,4 @@
-From bc4a683dbfcc306851bbfec33f9c857c523d4848 Mon Sep 17 00:00:00 2001
+From 141c02d0bbbca11a1fceae703a6b7dbfe6315b18 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:24 -0600
 Subject: cpufreq/amd-pstate-ut: Drop SUCCESS and FAIL enums

debian/patches/patchset-pf/amd-pstate/0020-cpufreq-amd-pstate-ut-Run-on-all-of-the-correct-CPUs.patch

@@ -1,4 +1,4 @@
-From 3651a3bd2d07f627d5382ec9e9b980c689d0eb98 Mon Sep 17 00:00:00 2001
+From 2fe00ce7f79ef57185bdd84e736d8bf47286eb8f Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:25 -0600
 Subject: cpufreq/amd-pstate-ut: Run on all of the correct CPUs

debian/patches/patchset-pf/amd-pstate/0021-cpufreq-amd-pstate-ut-Adjust-variable-scope.patch

@@ -1,4 +1,4 @@
-From 4ec612c9d5de9620b8f0ad4463db5d08c2d68222 Mon Sep 17 00:00:00 2001
+From 95bbcd16b467dceea295dbd97c7347e7dd15dabc Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:26 -0600
 Subject: cpufreq/amd-pstate-ut: Adjust variable scope

debian/patches/patchset-pf/amd-pstate/0022-cpufreq-amd-pstate-Replace-all-AMD_CPPC_-macros-with.patch

@@ -1,4 +1,4 @@
-From 1512ed2a741a0df98972679da6177df4998fd8ce Mon Sep 17 00:00:00 2001
+From 98519671cd3691a45f23a7de4862ec0642b5921e Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:27 -0600
 Subject: cpufreq/amd-pstate: Replace all AMD_CPPC_* macros with masks

debian/patches/patchset-pf/amd-pstate/0023-cpufreq-amd-pstate-Cache-CPPC-request-in-shared-mem-.patch

@@ -1,4 +1,4 @@
-From bf6e8073cc7f17d6be40e16a04b5a277d7217f39 Mon Sep 17 00:00:00 2001
+From fc5fe86b4f63ed2ff8230c48e737185451e9c3a4 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:28 -0600
 Subject: cpufreq/amd-pstate: Cache CPPC request in shared mem case too

debian/patches/patchset-pf/amd-pstate/0024-cpufreq-amd-pstate-Move-all-EPP-tracing-into-_update.patch

@@ -1,4 +1,4 @@
-From 1a3ff33ff2fbe3ecc2d86addd115329fddb28ea1 Mon Sep 17 00:00:00 2001
+From e1b5c43aa7bf8d75d2043809ff38fee0b7d26259 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:29 -0600
 Subject: cpufreq/amd-pstate: Move all EPP tracing into *_update_perf and

debian/patches/patchset-pf/amd-pstate/0025-cpufreq-amd-pstate-Update-cppc_req_cached-for-shared.patch

@@ -1,4 +1,4 @@
-From eaf7b28995ee0346be8ac59869645e975eb6a91c Mon Sep 17 00:00:00 2001
+From d53216c4c9f67163c9dec656862f1135d6f4af63 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:30 -0600
 Subject: cpufreq/amd-pstate: Update cppc_req_cached for shared mem EPP writes

debian/patches/patchset-pf/amd-pstate/0026-cpufreq-amd-pstate-Drop-debug-statements-for-policy-.patch

@@ -1,4 +1,4 @@
-From a2ec1d51a050afc3a6d3ce35412d082e916e7eef Mon Sep 17 00:00:00 2001
+From cecd79d237f4b5d19adac7fb9d57c59c77e40547 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:31 -0600
 Subject: cpufreq/amd-pstate: Drop debug statements for policy setting

debian/patches/patchset-pf/amd-pstate/0027-cpufreq-amd-pstate-Rework-CPPC-enabling.patch

@@ -1,4 +1,4 @@
-From 3a840f6d42aba96e1974857c157cab2f9c220045 Mon Sep 17 00:00:00 2001
+From bbb0d5ec2d1d757fc7b71086f505113845cc2aab Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:32 -0600
 Subject: cpufreq/amd-pstate: Rework CPPC enabling

debian/patches/patchset-pf/amd-pstate/0028-cpufreq-amd-pstate-Stop-caching-EPP.patch

@@ -1,4 +1,4 @@
-From 5fda2a5a547244c99bce9327e77e2ff253f77add Mon Sep 17 00:00:00 2001
+From f11b0be50d2c87af1a401397f8918015e15199c6 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:33 -0600
 Subject: cpufreq/amd-pstate: Stop caching EPP

debian/patches/patchset-pf/amd-pstate/0029-cpufreq-amd-pstate-Drop-actions-in-amd_pstate_epp_cp.patch

@@ -1,4 +1,4 @@
-From 7757237a6ee08403e9a0e58eebf53ae2203f65ae Mon Sep 17 00:00:00 2001
+From 509a6a82d6558983a84407e77aa398501b5c814a Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:34 -0600
 Subject: cpufreq/amd-pstate: Drop actions in amd_pstate_epp_cpu_offline()

debian/patches/patchset-pf/amd-pstate/0030-cpufreq-amd-pstate-fix-warning-noticed-by-kernel-tes.patch

@@ -1,4 +1,4 @@
-From f25d506d1e54b7d0a5fe42284cd5f2ca5c21cef7 Mon Sep 17 00:00:00 2001
+From 476817b414eddbf798161c3b33ef1209098bdf50 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <superm1@kernel.org>
 Date: Thu, 27 Feb 2025 14:09:08 -0600
 Subject: cpufreq/amd-pstate: fix warning noticed by kernel test robot

debian/patches/patchset-pf/btrfs/0001-btrfs-fix-non-empty-delayed-iputs-list-on-unmount-du.patch

@@ -0,0 +1,76 @@
+From 361b73ca6606d8bace6fe78b63d508d747c6689a Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 5 Mar 2025 16:52:26 +0000
+Subject: btrfs: fix non-empty delayed iputs list on unmount due to compressed
+ write workers
+
+At close_ctree() after we have ran delayed iputs either through explicitly
+calling btrfs_run_delayed_iputs() or later during the call to
+btrfs_commit_super() or btrfs_error_commit_super(), we assert that the
+delayed iputs list is empty.
+
+When we have compressed writes this assertion may fail because delayed
+iputs may have been added to the list after we last ran delayed iputs.
+This happens like this:
+
+1) We have a compressed write bio executing;
+
+2) We enter close_ctree() and flush the fs_info->endio_write_workers
+   queue which is the queue used for running ordered extent completion;
+
+3) The compressed write bio finishes and enters
+   btrfs_finish_compressed_write_work(), where it calls
+   btrfs_finish_ordered_extent() which in turn calls
+   btrfs_queue_ordered_fn(), which queues a work item in the
+   fs_info->endio_write_workers queue that we have flushed before;
+
+4) At close_ctree() we proceed, run all existing delayed iputs and
+   call btrfs_commit_super() (which also runs delayed iputs), but before
+   we run the following assertion below:
+
+      ASSERT(list_empty(&fs_info->delayed_iputs))
+
+   A delayed iput is added by the step below...
+
+5) The ordered extent completion job queued in step 3 runs and results in
+   creating a delayed iput when dropping the last reference of the ordered
+   extent (a call to btrfs_put_ordered_extent() made from
+   btrfs_finish_one_ordered());
+
+6) At this point the delayed iputs list is not empty, so the assertion at
+   close_ctree() fails.
+
+Fix this by flushing the fs_info->compressed_write_workers queue at
+close_ctree() before flushing the fs_info->endio_write_workers queue,
+respecting the queue dependency as the later is responsible for the
+execution of ordered extent completion.
+
+CC: stable@vger.kernel.org # 5.15+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/disk-io.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -4346,6 +4346,18 @@ void __cold close_ctree(struct btrfs_fs_
+ 	btrfs_flush_workqueue(fs_info->delalloc_workers);
+ 
+ 	/*
++	 * When finishing a compressed write bio we schedule a work queue item
++	 * to finish an ordered extent - btrfs_finish_compressed_write_work()
++	 * calls btrfs_finish_ordered_extent() which in turns does a call to
++	 * btrfs_queue_ordered_fn(), and that queues the ordered extent
++	 * completion either in the endio_write_workers work queue or in the
++	 * fs_info->endio_freespace_worker work queue. We flush those queues
++	 * below, so before we flush them we must flush this queue for the
++	 * workers of compressed writes.
++	 */
++	flush_workqueue(fs_info->compressed_write_workers);
++
++	/*
+ 	 * After we parked the cleaner kthread, ordered extents may have
+ 	 * completed and created new delayed iputs. If one of the async reclaim
+ 	 * tasks is running and in the RUN_DELAYED_IPUTS flush state, then we

debian/patches/patchset-pf/btrfs/0002-btrfs-tests-fix-chunk-map-leak-after-failure-to-add-.patch

@@ -0,0 +1,30 @@
+From 9ac804f2001675a05f01a2f74af0c85861801e59 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 11 Mar 2025 15:50:50 +0000
+Subject: btrfs: tests: fix chunk map leak after failure to add it to the tree
+
+If we fail to add the chunk map to the fs mapping tree we exit
+test_rmap_block() without freeing the chunk map. Fix this by adding a
+call to btrfs_free_chunk_map() before exiting the test function if the
+call to btrfs_add_chunk_map() failed.
+
+Fixes: 7dc66abb5a47 ("btrfs: use a dedicated data structure for chunk maps")
+CC: stable@vger.kernel.org # 6.12+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/tests/extent-map-tests.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/tests/extent-map-tests.c
++++ b/fs/btrfs/tests/extent-map-tests.c
+@@ -1045,6 +1045,7 @@ static int test_rmap_block(struct btrfs_
+ 	ret = btrfs_add_chunk_map(fs_info, map);
+ 	if (ret) {
+ 		test_err("error adding chunk map to mapping tree");
++		btrfs_free_chunk_map(map);
+ 		goto out_free;
+ 	}
+ 

debian/patches/patchset-pf/btrfs/0003-btrfs-zoned-fix-zone-activation-with-missing-devices.patch

@@ -0,0 +1,36 @@
+From 2d168cd506ec0b7a7619433aa0299b0be05ce655 Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Date: Mon, 17 Mar 2025 12:24:58 +0100
+Subject: btrfs: zoned: fix zone activation with missing devices
+
+If btrfs_zone_activate() is called with a filesystem that has missing
+devices (e.g. a RAID file system mounted in degraded mode) it is accessing
+the btrfs_device::zone_info pointer, which will not be set if the device in
+question is missing.
+
+Check if the device is present (by checking if it has a valid block
+device pointer associated) and if not, skip zone activation for it.
+
+Fixes: f9a912a3c45f ("btrfs: zoned: make zone activation multi stripe capable")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Naohiro Aota <naohiro.aota@wdc.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/zoned.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/btrfs/zoned.c
++++ b/fs/btrfs/zoned.c
+@@ -2111,6 +2111,9 @@ bool btrfs_zone_activate(struct btrfs_bl
+ 		physical = map->stripes[i].physical;
+ 		zinfo = device->zone_info;
+ 
++		if (!device->bdev)
++			continue;
++
+ 		if (zinfo->max_active_zones == 0)
+ 			continue;
+ 

debian/patches/patchset-pf/btrfs/0004-btrfs-zoned-fix-zone-finishing-with-missing-devices.patch

@@ -0,0 +1,36 @@
+From 5d05bf549f00ac4b04476b749847a7fcb019a73f Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Date: Mon, 17 Mar 2025 12:24:59 +0100
+Subject: btrfs: zoned: fix zone finishing with missing devices
+
+If do_zone_finish() is called with a filesystem that has missing devices
+(e.g. a RAID file system mounted in degraded mode) it is accessing the
+btrfs_device::zone_info pointer, which will not be set if the device
+in question is missing.
+
+Check if the device is present (by checking if it has a valid block device
+pointer associated) and if not, skip zone finishing for it.
+
+Fixes: 4dcbb8ab31c1 ("btrfs: zoned: make zone finishing multi stripe capable")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Naohiro Aota <naohiro.aota@wdc.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/zoned.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/btrfs/zoned.c
++++ b/fs/btrfs/zoned.c
+@@ -2275,6 +2275,9 @@ static int do_zone_finish(struct btrfs_b
+ 		struct btrfs_zoned_device_info *zinfo = device->zone_info;
+ 		unsigned int nofs_flags;
+ 
++		if (!device->bdev)
++			continue;
++
+ 		if (zinfo->max_active_zones == 0)
+ 			continue;
+ 

debian/patches/patchset-pf/cpuidle/0001-cpuidle-Prefer-teo-over-menu-governor.patch

@@ -1,4 +1,4 @@
-From 7a0fbf076914b2b0e55feddd839212af92bdffb3 Mon Sep 17 00:00:00 2001
+From 247749c27f92a789d4f1727aa870167c25ca3c5e Mon Sep 17 00:00:00 2001
 From: Christian Loehle <christian.loehle@arm.com>
 Date: Thu, 5 Sep 2024 10:26:39 +0100
 Subject: cpuidle: Prefer teo over menu governor

debian/patches/patchset-pf/crypto/0001-crypto-x86-aes-xts-make-the-fast-path-64-bit-specifi.patch

@@ -1,4 +1,4 @@
-From 594316efc465f1408482e0d1dd379f4e3a6a5c7c Mon Sep 17 00:00:00 2001
+From 5e5a835c50afc3b9bb2b8b9175d0924abb5a7f3c Mon Sep 17 00:00:00 2001
 From: Eric Biggers <ebiggers@google.com>
 Date: Mon, 27 Jan 2025 13:16:09 -0800
 Subject: crypto: x86/aes-xts - make the fast path 64-bit specific

debian/patches/patchset-pf/crypto/0002-crypto-x86-aes-ctr-rewrite-AESNI-AVX-optimized-CTR-a.patch

@@ -1,4 +1,4 @@
-From b988178e5a6498eea32891a711f065cfbe4cedf4 Mon Sep 17 00:00:00 2001
+From 9564bcf085acd0bdea688cb6165302a6871a7c08 Mon Sep 17 00:00:00 2001
 From: Eric Biggers <ebiggers@google.com>
 Date: Mon, 10 Feb 2025 08:50:20 -0800
 Subject: crypto: x86/aes-ctr - rewrite AESNI+AVX optimized CTR and add VAES

debian/patches/patchset-pf/exfat/0001-exfat-fix-random-stack-corruption-after-get_block.patch

@@ -0,0 +1,122 @@
+From 99d63b3e3be79190d3bb4759bfb3a47fd00cfdbe Mon Sep 17 00:00:00 2001
+From: Sungjong Seo <sj1557.seo@samsung.com>
+Date: Fri, 21 Mar 2025 15:34:42 +0900
+Subject: exfat: fix random stack corruption after get_block
+
+When get_block is called with a buffer_head allocated on the stack, such
+as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in
+the following race condition situation.
+
+     <CPU 0>                      <CPU 1>
+mpage_read_folio
+  <<bh on stack>>
+  do_mpage_readpage
+    exfat_get_block
+      bh_read
+        __bh_read
+	  get_bh(bh)
+          submit_bh
+          wait_on_buffer
+                              ...
+                              end_buffer_read_sync
+                                __end_buffer_read_notouch
+                                   unlock_buffer
+          <<keep going>>
+        ...
+      ...
+    ...
+  ...
+<<bh is not valid out of mpage_read_folio>>
+   .
+   .
+another_function
+  <<variable A on stack>>
+                                   put_bh(bh)
+                                     atomic_dec(bh->b_count)
+  * stack corruption here *
+
+This patch returns -EAGAIN if a folio does not have buffers when bh_read
+needs to be called. By doing this, the caller can fallback to functions
+like block_read_full_folio(), create a buffer_head in the folio, and then
+call get_block again.
+
+Let's do not call bh_read() with on-stack buffer_head.
+
+Fixes: 11a347fb6cef ("exfat: change to get file size from DataLength")
+Cc: stable@vger.kernel.org
+Tested-by: Yeongjin Gil <youngjin.gil@samsung.com>
+Signed-off-by: Sungjong Seo <sj1557.seo@samsung.com>
+Reviewed-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+---
+ fs/exfat/inode.c | 39 +++++++++++++++++++++++++++++++++------
+ 1 file changed, 33 insertions(+), 6 deletions(-)
+
+--- a/fs/exfat/inode.c
++++ b/fs/exfat/inode.c
+@@ -344,7 +344,8 @@ static int exfat_get_block(struct inode
+ 			 * The block has been partially written,
+ 			 * zero the unwritten part and map the block.
+ 			 */
+-			loff_t size, off, pos;
++			loff_t size, pos;
++			void *addr;
+ 
+ 			max_blocks = 1;
+ 
+@@ -355,17 +356,41 @@ static int exfat_get_block(struct inode
+ 			if (!bh_result->b_folio)
+ 				goto done;
+ 
++			/*
++			 * No buffer_head is allocated.
++			 * (1) bmap: It's enough to fill bh_result without I/O.
++			 * (2) read: The unwritten part should be filled with 0
++			 *           If a folio does not have any buffers,
++			 *           let's returns -EAGAIN to fallback to
++			 *           per-bh IO like block_read_full_folio().
++			 */
++			if (!folio_buffers(bh_result->b_folio)) {
++				err = -EAGAIN;
++				goto done;
++			}
++
+ 			pos = EXFAT_BLK_TO_B(iblock, sb);
+ 			size = ei->valid_size - pos;
+-			off = pos & (PAGE_SIZE - 1);
++			addr = folio_address(bh_result->b_folio) +
++			       offset_in_folio(bh_result->b_folio, pos);
+ 
+-			folio_set_bh(bh_result, bh_result->b_folio, off);
++			/* Check if bh->b_data points to proper addr in folio */
++			if (bh_result->b_data != addr) {
++				exfat_fs_error_ratelimit(sb,
++					"b_data(%p) != folio_addr(%p)",
++					bh_result->b_data, addr);
++				err = -EINVAL;
++				goto done;
++			}
++
++			/* Read a block */
+ 			err = bh_read(bh_result, 0);
+ 			if (err < 0)
+-				goto unlock_ret;
++				goto done;
+ 
+-			folio_zero_segment(bh_result->b_folio, off + size,
+-					off + sb->s_blocksize);
++			/* Zero unwritten part of a block */
++			memset(bh_result->b_data + size, 0,
++			       bh_result->b_size - size);
+ 		} else {
+ 			/*
+ 			 * The range has not been written, clear the mapped flag
+@@ -376,6 +401,8 @@ static int exfat_get_block(struct inode
+ 	}
+ done:
+ 	bh_result->b_size = EXFAT_BLK_TO_B(max_blocks, sb);
++	if (err < 0)
++		clear_buffer_mapped(bh_result);
+ unlock_ret:
+ 	mutex_unlock(&sbi->s_lock);
+ 	return err;

debian/patches/patchset-pf/exfat/0002-exfat-fix-potential-wrong-error-return-from-get_bloc.patch

@@ -0,0 +1,30 @@
+From 8a19bb487633ff4dcf9c247cd3913ea4db26abca Mon Sep 17 00:00:00 2001
+From: Sungjong Seo <sj1557.seo@samsung.com>
+Date: Wed, 26 Mar 2025 23:48:48 +0900
+Subject: exfat: fix potential wrong error return from get_block
+
+If there is no error, get_block() should return 0. However, when bh_read()
+returns 1, get_block() also returns 1 in the same manner.
+
+Let's set err to 0, if there is no error from bh_read()
+
+Fixes: 11a347fb6cef ("exfat: change to get file size from DataLength")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sungjong Seo <sj1557.seo@samsung.com>
+Reviewed-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+---
+ fs/exfat/inode.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/exfat/inode.c
++++ b/fs/exfat/inode.c
+@@ -391,6 +391,8 @@ static int exfat_get_block(struct inode
+ 			/* Zero unwritten part of a block */
+ 			memset(bh_result->b_data + size, 0,
+ 			       bh_result->b_size - size);
++
++			err = 0;
+ 		} else {
+ 			/*
+ 			 * The range has not been written, clear the mapped flag

debian/patches/patchset-pf/fixes/0001-tpm-do-not-start-chip-while-suspended.patch

@@ -1,4 +1,4 @@
-From 52af8f543922b47a31ddbb6ffb81f40ad9993309 Mon Sep 17 00:00:00 2001
+From 9efac88375330a6f29f091e9dd5fd6154670ba56 Mon Sep 17 00:00:00 2001
 From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
 Date: Fri, 7 Feb 2025 15:07:46 -0300
 Subject: tpm: do not start chip while suspended

debian/patches/patchset-pf/fixes/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.patch

@@ -1,4 +1,4 @@
-From 69907adec3041a6a89d192441a61481d80ee5806 Mon Sep 17 00:00:00 2001
+From 8886788eed16c79124bc530950f09c3f2fa881a8 Mon Sep 17 00:00:00 2001
 From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
 Date: Wed, 12 Feb 2025 16:33:54 +0800
 Subject: EDAC/igen6: Fix the flood of invalid error reports

debian/patches/patchset-pf/fixes/0004-x86-tools-Drop-duplicate-unlikely-definition-in-insn.patch

@@ -0,0 +1,36 @@
+From b40bdfdcffa333ad169327c5b8fe1b93542c7e0a Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Tue, 18 Mar 2025 15:32:30 -0700
+Subject: x86/tools: Drop duplicate unlikely() definition in
+ insn_decoder_test.c
+
+After commit c104c16073b7 ("Kunit to check the longest symbol length"),
+there is a warning when building with clang because there is now a
+definition of unlikely from compiler.h in tools/include/linux, which
+conflicts with the one in the instruction decoder selftest:
+
+  arch/x86/tools/insn_decoder_test.c:15:9: warning: 'unlikely' macro redefined [-Wmacro-redefined]
+
+Remove the second unlikely() definition, as it is no longer necessary,
+clearing up the warning.
+
+Fixes: c104c16073b7 ("Kunit to check the longest symbol length")
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20250318-x86-decoder-test-fix-unlikely-redef-v1-1-74c84a7bf05b@kernel.org
+---
+ arch/x86/tools/insn_decoder_test.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/x86/tools/insn_decoder_test.c
++++ b/arch/x86/tools/insn_decoder_test.c
+@@ -11,8 +11,6 @@
+ #include <unistd.h>
+ #include <stdarg.h>
+ 
+-#define unlikely(cond) (cond)
+-
+ #include <asm/insn.h>
+ #include <inat.c>
+ #include <insn.c>

debian/patches/patchset-pf/fixes/0005-tpm-tpm_tis-Fix-timeout-handling-when-waiting-for-TP.patch

@@ -0,0 +1,44 @@
+From 073fb5ff9a001882fa884a0a8efddc88860ad791 Mon Sep 17 00:00:00 2001
+From: Jonathan McDowell <noodles@meta.com>
+Date: Wed, 12 Mar 2025 07:31:57 +0200
+Subject: tpm, tpm_tis: Fix timeout handling when waiting for TPM status
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The change to only use interrupts to handle supported status changes
+introduced an issue when it is necessary to poll for the status. Rather
+than checking for the status after sleeping the code now sleeps after
+the check. This means a correct, but slower, status change on the part
+of the TPM can be missed, resulting in a spurious timeout error,
+especially on a more loaded system. Switch back to sleeping *then*
+checking. An up front check of the status has been done at the start of
+the function, so this does not cause an additional delay when the status
+is already what we're looking for.
+
+Cc: stable@vger.kernel.org # v6.4+
+Fixes: e87fcf0dc2b4 ("tpm, tpm_tis: Only handle supported interrupts")
+Signed-off-by: Jonathan McDowell <noodles@meta.com>
+Reviewed-by: Michal Suchánek <msuchanek@suse.de>
+Reviewed-by: Lino Sanfilippo <l.sanfilippo@kunbus.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+---
+ drivers/char/tpm/tpm_tis_core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -114,11 +114,10 @@ again:
+ 		return 0;
+ 	/* process status changes without irq support */
+ 	do {
++		usleep_range(priv->timeout_min, priv->timeout_max);
+ 		status = chip->ops->status(chip);
+ 		if ((status & mask) == mask)
+ 			return 0;
+-		usleep_range(priv->timeout_min,
+-			     priv->timeout_max);
+ 	} while (time_before(jiffies, stop));
+ 	return -ETIME;
+ }

debian/patches/patchset-pf/fixes/0006-x86-mm-Fix-flush_tlb_range-when-used-for-zapping-nor.patch

@@ -0,0 +1,50 @@
+From e24882a961e2d85cc4c8319a56734a0d7c7867fc Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 3 Jan 2025 19:39:38 +0100
+Subject: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
+
+On the following path, flush_tlb_range() can be used for zapping normal
+PMD entries (PMD entries that point to page tables) together with the PTE
+entries in the pointed-to page table:
+
+    collapse_pte_mapped_thp
+      pmdp_collapse_flush
+        flush_tlb_range
+
+The arm64 version of flush_tlb_range() has a comment describing that it can
+be used for page table removal, and does not use any last-level
+invalidation optimizations. Fix the X86 version by making it behave the
+same way.
+
+Currently, X86 only uses this information for the following two purposes,
+which I think means the issue doesn't have much impact:
+
+ - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be
+   IPI'd to avoid issues with speculative page table walks.
+ - In Hyper-V TLB paravirtualization, again for lazy TLB stuff.
+
+The patch "x86/mm: only invalidate final translations with INVLPGB" which
+is currently under review (see
+<https://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/>)
+would probably be making the impact of this a lot worse.
+
+Fixes: 016c4d92cd16 ("x86/mm/tlb: Add freed_tables argument to flush_tlb_mm_range")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20250103-x86-collapse-flush-fix-v1-1-3c521856cfa6@google.com
+---
+ arch/x86/include/asm/tlbflush.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/tlbflush.h
++++ b/arch/x86/include/asm/tlbflush.h
+@@ -311,7 +311,7 @@ static inline bool mm_in_asid_transition
+ 	flush_tlb_mm_range((vma)->vm_mm, start, end,			\
+ 			   ((vma)->vm_flags & VM_HUGETLB)		\
+ 				? huge_page_shift(hstate_vma(vma))	\
+-				: PAGE_SHIFT, false)
++				: PAGE_SHIFT, true)
+ 
+ extern void flush_tlb_all(void);
+ extern void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,

debian/patches/patchset-pf/fixes/0007-x86-tsc-Always-save-restore-TSC-sched_clock-on-suspe.patch

@@ -0,0 +1,68 @@
+From 7a0abf17cceb511425b7af34291243b4a270e770 Mon Sep 17 00:00:00 2001
+From: "Guilherme G. Piccoli" <gpiccoli@igalia.com>
+Date: Sat, 15 Feb 2025 17:58:16 -0300
+Subject: x86/tsc: Always save/restore TSC sched_clock() on suspend/resume
+
+TSC could be reset in deep ACPI sleep states, even with invariant TSC.
+
+That's the reason we have sched_clock() save/restore functions, to deal
+with this situation. But what happens is that such functions are guarded
+with a check for the stability of sched_clock - if not considered stable,
+the save/restore routines aren't executed.
+
+On top of that, we have a clear comment in native_sched_clock() saying
+that *even* with TSC unstable, we continue using TSC for sched_clock due
+to its speed.
+
+In other words, if we have a situation of TSC getting detected as unstable,
+it marks the sched_clock as unstable as well, so subsequent S3 sleep cycles
+could bring bogus sched_clock values due to the lack of the save/restore
+mechanism, causing warnings like this:
+
+  [22.954918] ------------[ cut here ]------------
+  [22.954923] Delta way too big! 18446743750843854390 ts=18446744072977390405 before=322133536015 after=322133536015 write stamp=18446744072977390405
+  [22.954923] If you just came from a suspend/resume,
+  [22.954923] please switch to the trace global clock:
+  [22.954923]   echo global > /sys/kernel/tracing/trace_clock
+  [22.954923] or add trace_clock=global to the kernel command line
+  [22.954937] WARNING: CPU: 2 PID: 5728 at kernel/trace/ring_buffer.c:2890 rb_add_timestamp+0x193/0x1c0
+
+Notice that the above was reproduced even with "trace_clock=global".
+
+The fix for that is to _always_ save/restore the sched_clock on suspend
+cycle _if TSC is used_ as sched_clock - only if we fallback to jiffies
+the sched_clock_stable() check becomes relevant to save/restore the
+sched_clock.
+
+Debugged-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: stable@vger.kernel.org
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20250215210314.351480-1-gpiccoli@igalia.com
+---
+ arch/x86/kernel/tsc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -959,7 +959,7 @@ static unsigned long long cyc2ns_suspend
+ 
+ void tsc_save_sched_clock_state(void)
+ {
+-	if (!sched_clock_stable())
++	if (!static_branch_likely(&__use_tsc) && !sched_clock_stable())
+ 		return;
+ 
+ 	cyc2ns_suspend = sched_clock();
+@@ -979,7 +979,7 @@ void tsc_restore_sched_clock_state(void)
+ 	unsigned long flags;
+ 	int cpu;
+ 
+-	if (!sched_clock_stable())
++	if (!static_branch_likely(&__use_tsc) && !sched_clock_stable())
+ 		return;
+ 
+ 	local_irq_save(flags);

debian/patches/patchset-pf/fixes/0008-uprobes-x86-Harden-uretprobe-syscall-trampoline-chec.patch

@@ -0,0 +1,87 @@
+From bbbc88e65bb8036be1fe3386c0061d9be4c5a442 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Wed, 12 Feb 2025 23:04:33 +0100
+Subject: uprobes/x86: Harden uretprobe syscall trampoline check
+
+Jann reported a possible issue when trampoline_check_ip returns
+address near the bottom of the address space that is allowed to
+call into the syscall if uretprobes are not set up:
+
+   https://lore.kernel.org/bpf/202502081235.5A6F352985@keescook/T/#m9d416df341b8fbc11737dacbcd29f0054413cbbf
+
+Though the mmap minimum address restrictions will typically prevent
+creating mappings there, let's make sure uretprobe syscall checks
+for that.
+
+Fixes: ff474a78cef5 ("uprobe: Add uretprobe syscall to speed up return probe")
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+Reviewed-by: Kees Cook <kees@kernel.org>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Acked-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250212220433.3624297-1-jolsa@kernel.org
+---
+ arch/x86/kernel/uprobes.c | 14 +++++++++-----
+ include/linux/uprobes.h   |  2 ++
+ kernel/events/uprobes.c   |  2 +-
+ 3 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/uprobes.c
++++ b/arch/x86/kernel/uprobes.c
+@@ -357,19 +357,23 @@ void *arch_uprobe_trampoline(unsigned lo
+ 	return &insn;
+ }
+ 
+-static unsigned long trampoline_check_ip(void)
++static unsigned long trampoline_check_ip(unsigned long tramp)
+ {
+-	unsigned long tramp = uprobe_get_trampoline_vaddr();
+-
+ 	return tramp + (uretprobe_syscall_check - uretprobe_trampoline_entry);
+ }
+ 
+ SYSCALL_DEFINE0(uretprobe)
+ {
+ 	struct pt_regs *regs = task_pt_regs(current);
+-	unsigned long err, ip, sp, r11_cx_ax[3];
++	unsigned long err, ip, sp, r11_cx_ax[3], tramp;
++
++	/* If there's no trampoline, we are called from wrong place. */
++	tramp = uprobe_get_trampoline_vaddr();
++	if (unlikely(tramp == UPROBE_NO_TRAMPOLINE_VADDR))
++		goto sigill;
+ 
+-	if (regs->ip != trampoline_check_ip())
++	/* Make sure the ip matches the only allowed sys_uretprobe caller. */
++	if (unlikely(regs->ip != trampoline_check_ip(tramp)))
+ 		goto sigill;
+ 
+ 	err = copy_from_user(r11_cx_ax, (void __user *)regs->sp, sizeof(r11_cx_ax));
+--- a/include/linux/uprobes.h
++++ b/include/linux/uprobes.h
+@@ -39,6 +39,8 @@ struct page;
+ 
+ #define MAX_URETPROBE_DEPTH		64
+ 
++#define UPROBE_NO_TRAMPOLINE_VADDR	(~0UL)
++
+ struct uprobe_consumer {
+ 	/*
+ 	 * handler() can return UPROBE_HANDLER_REMOVE to signal the need to
+--- a/kernel/events/uprobes.c
++++ b/kernel/events/uprobes.c
+@@ -2169,8 +2169,8 @@ void uprobe_copy_process(struct task_str
+  */
+ unsigned long uprobe_get_trampoline_vaddr(void)
+ {
++	unsigned long trampoline_vaddr = UPROBE_NO_TRAMPOLINE_VADDR;
+ 	struct xol_area *area;
+-	unsigned long trampoline_vaddr = -1;
+ 
+ 	/* Pairs with xol_add_vma() smp_store_release() */
+ 	area = READ_ONCE(current->mm->uprobes_state.xol_area); /* ^^^ */

debian/patches/patchset-pf/fixes/0009-block-make-sure-nr_integrity_segments-is-cloned-in-b.patch

@@ -0,0 +1,32 @@
+From f4511f63677bd3e7831561b1407a69a71cb519bc Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Mon, 10 Mar 2025 19:54:53 +0800
+Subject: block: make sure ->nr_integrity_segments is cloned in
+ blk_rq_prep_clone
+
+Make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone(),
+otherwise requests cloned by device-mapper multipath will not have the
+proper nr_integrity_segments values set, then BUG() is hit from
+sg_alloc_table_chained().
+
+Fixes: b0fd271d5fba ("block: add request clone interface (v2)")
+Cc: stable@vger.kernel.org
+Cc: Christoph Hellwig <hch@infradead.org>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250310115453.2271109-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+---
+ block/blk-mq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -3314,6 +3314,7 @@ int blk_rq_prep_clone(struct request *rq
+ 		rq->special_vec = rq_src->special_vec;
+ 	}
+ 	rq->nr_phys_segments = rq_src->nr_phys_segments;
++	rq->nr_integrity_segments = rq_src->nr_integrity_segments;
+ 
+ 	if (rq->bio && blk_crypto_rq_bio_prep(rq, rq->bio, gfp_mask) < 0)
+ 		goto free_and_out;

debian/patches/patchset-pf/fixes/0010-PCI-Fix-wrong-length-of-devres-array.patch

@@ -0,0 +1,40 @@
+From 46b8c87f1aa08a0794b45b394c5462f33bec54b0 Mon Sep 17 00:00:00 2001
+From: Philipp Stanner <phasta@kernel.org>
+Date: Wed, 12 Mar 2025 09:06:34 +0100
+Subject: PCI: Fix wrong length of devres array
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The array for the iomapping cookie addresses has a length of
+PCI_STD_NUM_BARS. This constant, however, only describes standard BARs;
+while PCI can allow for additional, special BARs.
+
+The total number of PCI resources is described by constant
+PCI_NUM_RESOURCES, which is also used in, e.g., pci_select_bars().
+
+Thus, the devres array has so far been too small.
+
+Change the length of the devres array to PCI_NUM_RESOURCES.
+
+Link: https://lore.kernel.org/r/20250312080634.13731-3-phasta@kernel.org
+Fixes: bbaff68bf4a4 ("PCI: Add managed partial-BAR request and map infrastructure")
+Signed-off-by: Philipp Stanner <phasta@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Cc: stable@vger.kernel.org	# v6.11+
+---
+ drivers/pci/devres.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/devres.c
++++ b/drivers/pci/devres.c
+@@ -40,7 +40,7 @@
+  * Legacy struct storing addresses to whole mapped BARs.
+  */
+ struct pcim_iomap_devres {
+-	void __iomem *table[PCI_STD_NUM_BARS];
++	void __iomem *table[PCI_NUM_RESOURCES];
+ };
+ 
+ /* Used to restore the old INTx state on driver detach. */

debian/patches/patchset-pf/fixes/0011-exec-fix-the-racy-usage-of-fs_struct-in_exec.patch

@@ -0,0 +1,84 @@
+From 9741b8592433f51ed477c9dba6d304562aa7de18 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Mon, 24 Mar 2025 17:00:03 +0100
+Subject: exec: fix the racy usage of fs_struct->in_exec
+
+check_unsafe_exec() sets fs->in_exec under cred_guard_mutex, then execve()
+paths clear fs->in_exec lockless. This is fine if exec succeeds, but if it
+fails we have the following race:
+
+	T1 sets fs->in_exec = 1, fails, drops cred_guard_mutex
+
+	T2 sets fs->in_exec = 1
+
+	T1 clears fs->in_exec
+
+	T2 continues with fs->in_exec == 0
+
+Change fs/exec.c to clear fs->in_exec with cred_guard_mutex held.
+
+Reported-by: syzbot+1c486d0b62032c82a968@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67dc67f0.050a0220.25ae54.001f.GAE@google.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Link: https://lore.kernel.org/r/20250324160003.GA8878@redhat.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+---
+ fs/exec.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1229,13 +1229,12 @@ int begin_new_exec(struct linux_binprm *
+ 	 */
+ 	bprm->point_of_no_return = true;
+ 
+-	/*
+-	 * Make this the only thread in the thread group.
+-	 */
++	/* Make this the only thread in the thread group */
+ 	retval = de_thread(me);
+ 	if (retval)
+ 		goto out;
+-
++	/* see the comment in check_unsafe_exec() */
++	current->fs->in_exec = 0;
+ 	/*
+ 	 * Cancel any io_uring activity across execve
+ 	 */
+@@ -1497,6 +1496,8 @@ static void free_bprm(struct linux_binpr
+ 	}
+ 	free_arg_pages(bprm);
+ 	if (bprm->cred) {
++		/* in case exec fails before de_thread() succeeds */
++		current->fs->in_exec = 0;
+ 		mutex_unlock(&current->signal->cred_guard_mutex);
+ 		abort_creds(bprm->cred);
+ 	}
+@@ -1618,6 +1619,10 @@ static void check_unsafe_exec(struct lin
+ 	 * suid exec because the differently privileged task
+ 	 * will be able to manipulate the current directory, etc.
+ 	 * It would be nice to force an unshare instead...
++	 *
++	 * Otherwise we set fs->in_exec = 1 to deny clone(CLONE_FS)
++	 * from another sub-thread until de_thread() succeeds, this
++	 * state is protected by cred_guard_mutex we hold.
+ 	 */
+ 	n_fs = 1;
+ 	spin_lock(&p->fs->lock);
+@@ -1862,7 +1867,6 @@ static int bprm_execve(struct linux_binp
+ 
+ 	sched_mm_cid_after_execve(current);
+ 	/* execve succeeded */
+-	current->fs->in_exec = 0;
+ 	current->in_execve = 0;
+ 	rseq_execve(current);
+ 	user_events_execve(current);
+@@ -1881,7 +1885,6 @@ out:
+ 		force_fatal_sig(SIGSEGV);
+ 
+ 	sched_mm_cid_after_execve(current);
+-	current->fs->in_exec = 0;
+ 	current->in_execve = 0;
+ 
+ 	return retval;

debian/patches/patchset-pf/fuse/0001-fuse-io-uring-Fix-a-possible-req-cancellation-race.patch

@@ -0,0 +1,207 @@
+From 6e7ac63c4c4a8fe7c66f856f4091d9b20899f167 Mon Sep 17 00:00:00 2001
+From: Bernd Schubert <bschubert@ddn.com>
+Date: Tue, 25 Mar 2025 18:29:31 +0100
+Subject: fuse: {io-uring} Fix a possible req cancellation race
+
+task-A (application) might be in request_wait_answer and
+try to remove the request when it has FR_PENDING set.
+
+task-B (a fuse-server io-uring task) might handle this
+request with FUSE_IO_URING_CMD_COMMIT_AND_FETCH, when
+fetching the next request and accessed the req from
+the pending list in fuse_uring_ent_assign_req().
+That code path was not protected by fiq->lock and so
+might race with task-A.
+
+For scaling reasons we better don't use fiq->lock, but
+add a handler to remove canceled requests from the queue.
+
+This also removes usage of fiq->lock from
+fuse_uring_add_req_to_ring_ent() altogether, as it was
+there just to protect against this race and incomplete.
+
+Also added is a comment why FR_PENDING is not cleared.
+
+Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
+Cc: <stable@vger.kernel.org> # v6.14
+Reported-by: Joanne Koong <joannelkoong@gmail.com>
+Closes: https://lore.kernel.org/all/CAJnrk1ZgHNb78dz-yfNTpxmW7wtT88A=m-zF0ZoLXKLUHRjNTw@mail.gmail.com/
+Signed-off-by: Bernd Schubert <bschubert@ddn.com>
+Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+---
+ fs/fuse/dev.c         | 34 +++++++++++++++++++++++++---------
+ fs/fuse/dev_uring.c   | 15 +++++++++++----
+ fs/fuse/dev_uring_i.h |  6 ++++++
+ fs/fuse/fuse_dev_i.h  |  1 +
+ fs/fuse/fuse_i.h      |  3 +++
+ 5 files changed, 46 insertions(+), 13 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -407,6 +407,24 @@ static int queue_interrupt(struct fuse_r
+ 	return 0;
+ }
+ 
++bool fuse_remove_pending_req(struct fuse_req *req, spinlock_t *lock)
++{
++	spin_lock(lock);
++	if (test_bit(FR_PENDING, &req->flags)) {
++		/*
++		 * FR_PENDING does not get cleared as the request will end
++		 * up in destruction anyway.
++		 */
++		list_del(&req->list);
++		spin_unlock(lock);
++		__fuse_put_request(req);
++		req->out.h.error = -EINTR;
++		return true;
++	}
++	spin_unlock(lock);
++	return false;
++}
++
+ static void request_wait_answer(struct fuse_req *req)
+ {
+ 	struct fuse_conn *fc = req->fm->fc;
+@@ -428,22 +446,20 @@ static void request_wait_answer(struct f
+ 	}
+ 
+ 	if (!test_bit(FR_FORCE, &req->flags)) {
++		bool removed;
++
+ 		/* Only fatal signals may interrupt this */
+ 		err = wait_event_killable(req->waitq,
+ 					test_bit(FR_FINISHED, &req->flags));
+ 		if (!err)
+ 			return;
+ 
+-		spin_lock(&fiq->lock);
+-		/* Request is not yet in userspace, bail out */
+-		if (test_bit(FR_PENDING, &req->flags)) {
+-			list_del(&req->list);
+-			spin_unlock(&fiq->lock);
+-			__fuse_put_request(req);
+-			req->out.h.error = -EINTR;
++		if (test_bit(FR_URING, &req->flags))
++			removed = fuse_uring_remove_pending_req(req);
++		else
++			removed = fuse_remove_pending_req(req, &fiq->lock);
++		if (removed)
+ 			return;
+-		}
+-		spin_unlock(&fiq->lock);
+ 	}
+ 
+ 	/*
+--- a/fs/fuse/dev_uring.c
++++ b/fs/fuse/dev_uring.c
+@@ -726,8 +726,6 @@ static void fuse_uring_add_req_to_ring_e
+ 					   struct fuse_req *req)
+ {
+ 	struct fuse_ring_queue *queue = ent->queue;
+-	struct fuse_conn *fc = req->fm->fc;
+-	struct fuse_iqueue *fiq = &fc->iq;
+ 
+ 	lockdep_assert_held(&queue->lock);
+ 
+@@ -737,9 +735,7 @@ static void fuse_uring_add_req_to_ring_e
+ 			ent->state);
+ 	}
+ 
+-	spin_lock(&fiq->lock);
+ 	clear_bit(FR_PENDING, &req->flags);
+-	spin_unlock(&fiq->lock);
+ 	ent->fuse_req = req;
+ 	ent->state = FRRS_FUSE_REQ;
+ 	list_move(&ent->list, &queue->ent_w_req_queue);
+@@ -1238,6 +1234,8 @@ void fuse_uring_queue_fuse_req(struct fu
+ 	if (unlikely(queue->stopped))
+ 		goto err_unlock;
+ 
++	set_bit(FR_URING, &req->flags);
++	req->ring_queue = queue;
+ 	ent = list_first_entry_or_null(&queue->ent_avail_queue,
+ 				       struct fuse_ring_ent, list);
+ 	if (ent)
+@@ -1276,6 +1274,8 @@ bool fuse_uring_queue_bq_req(struct fuse
+ 		return false;
+ 	}
+ 
++	set_bit(FR_URING, &req->flags);
++	req->ring_queue = queue;
+ 	list_add_tail(&req->list, &queue->fuse_req_bg_queue);
+ 
+ 	ent = list_first_entry_or_null(&queue->ent_avail_queue,
+@@ -1306,6 +1306,13 @@ bool fuse_uring_queue_bq_req(struct fuse
+ 	return true;
+ }
+ 
++bool fuse_uring_remove_pending_req(struct fuse_req *req)
++{
++	struct fuse_ring_queue *queue = req->ring_queue;
++
++	return fuse_remove_pending_req(req, &queue->lock);
++}
++
+ static const struct fuse_iqueue_ops fuse_io_uring_ops = {
+ 	/* should be send over io-uring as enhancement */
+ 	.send_forget = fuse_dev_queue_forget,
+--- a/fs/fuse/dev_uring_i.h
++++ b/fs/fuse/dev_uring_i.h
+@@ -142,6 +142,7 @@ void fuse_uring_abort_end_requests(struc
+ int fuse_uring_cmd(struct io_uring_cmd *cmd, unsigned int issue_flags);
+ void fuse_uring_queue_fuse_req(struct fuse_iqueue *fiq, struct fuse_req *req);
+ bool fuse_uring_queue_bq_req(struct fuse_req *req);
++bool fuse_uring_remove_pending_req(struct fuse_req *req);
+ 
+ static inline void fuse_uring_abort(struct fuse_conn *fc)
+ {
+@@ -199,6 +200,11 @@ static inline bool fuse_uring_ready(stru
+ {
+ 	return false;
+ }
++
++static inline bool fuse_uring_remove_pending_req(struct fuse_req *req)
++{
++	return false;
++}
+ 
+ #endif /* CONFIG_FUSE_IO_URING */
+ 
+--- a/fs/fuse/fuse_dev_i.h
++++ b/fs/fuse/fuse_dev_i.h
+@@ -61,6 +61,7 @@ int fuse_copy_out_args(struct fuse_copy_
+ void fuse_dev_queue_forget(struct fuse_iqueue *fiq,
+ 			   struct fuse_forget_link *forget);
+ void fuse_dev_queue_interrupt(struct fuse_iqueue *fiq, struct fuse_req *req);
++bool fuse_remove_pending_req(struct fuse_req *req, spinlock_t *lock);
+ 
+ #endif
+ 
+--- a/fs/fuse/fuse_i.h
++++ b/fs/fuse/fuse_i.h
+@@ -378,6 +378,7 @@ struct fuse_io_priv {
+  * FR_FINISHED:		request is finished
+  * FR_PRIVATE:		request is on private list
+  * FR_ASYNC:		request is asynchronous
++ * FR_URING:		request is handled through fuse-io-uring
+  */
+ enum fuse_req_flag {
+ 	FR_ISREPLY,
+@@ -392,6 +393,7 @@ enum fuse_req_flag {
+ 	FR_FINISHED,
+ 	FR_PRIVATE,
+ 	FR_ASYNC,
++	FR_URING,
+ };
+ 
+ /**
+@@ -441,6 +443,7 @@ struct fuse_req {
+ 
+ #ifdef CONFIG_FUSE_IO_URING
+ 	void *ring_entry;
++	void *ring_queue;
+ #endif
+ };
+ 

debian/patches/patchset-pf/nfs/0001-nfsd-fix-management-of-listener-transports.patch

@@ -0,0 +1,128 @@
+From ae5d3e4f701948dd6241451d41d9dfa0f0f703cd Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <okorniev@redhat.com>
+Date: Fri, 17 Jan 2025 11:32:58 -0500
+Subject: nfsd: fix management of listener transports
+
+Currently, when no active threads are running, a root user using nfsdctl
+command can try to remove a particular listener from the list of previously
+added ones, then start the server by increasing the number of threads,
+it leads to the following problem:
+
+[  158.835354] refcount_t: addition on 0; use-after-free.
+[  158.835603] WARNING: CPU: 2 PID: 9145 at lib/refcount.c:25 refcount_warn_saturate+0x160/0x1a0
+[  158.836017] Modules linked in: rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd auth_rpcgss nfs_acl lockd grace overlay isofs uinput snd_seq_dummy snd_hrtimer nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables qrtr sunrpc vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops uvc videobuf2_v4l2 videodev videobuf2_common snd_hda_codec_generic mc e1000e snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore sg loop dm_multipath dm_mod nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs libcrc32c crct10dif_ce ghash_ce vmwgfx sha2_ce sha256_arm64 sr_mod sha1_ce cdrom nvme drm_client_lib drm_ttm_helper ttm nvme_core drm_kms_helper nvme_auth drm fuse
+[  158.840093] CPU: 2 UID: 0 PID: 9145 Comm: nfsd Kdump: loaded Tainted: G    B   W          6.13.0-rc6+ #7
+[  158.840624] Tainted: [B]=BAD_PAGE, [W]=WARN
+[  158.840802] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024
+[  158.841220] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
+[  158.841563] pc : refcount_warn_saturate+0x160/0x1a0
+[  158.841780] lr : refcount_warn_saturate+0x160/0x1a0
+[  158.842000] sp : ffff800089be7d80
+[  158.842147] x29: ffff800089be7d80 x28: ffff00008e68c148 x27: ffff00008e68c148
+[  158.842492] x26: ffff0002e3b5c000 x25: ffff600011cd1829 x24: ffff00008653c010
+[  158.842832] x23: ffff00008653c000 x22: 1fffe00011cd1829 x21: ffff00008653c028
+[  158.843175] x20: 0000000000000002 x19: ffff00008653c010 x18: 0000000000000000
+[  158.843505] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
+[  158.843836] x14: 0000000000000000 x13: 0000000000000001 x12: ffff600050a26493
+[  158.844143] x11: 1fffe00050a26492 x10: ffff600050a26492 x9 : dfff800000000000
+[  158.844475] x8 : 00009fffaf5d9b6e x7 : ffff000285132493 x6 : 0000000000000001
+[  158.844823] x5 : ffff000285132490 x4 : ffff600050a26493 x3 : ffff8000805e72bc
+[  158.845174] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000098588000
+[  158.845528] Call trace:
+[  158.845658]  refcount_warn_saturate+0x160/0x1a0 (P)
+[  158.845894]  svc_recv+0x58c/0x680 [sunrpc]
+[  158.846183]  nfsd+0x1fc/0x348 [nfsd]
+[  158.846390]  kthread+0x274/0x2f8
+[  158.846546]  ret_from_fork+0x10/0x20
+[  158.846714] ---[ end trace 0000000000000000 ]---
+
+nfsd_nl_listener_set_doit() would manipulate the list of transports of
+server's sv_permsocks and close the specified listener but the other
+list of transports (server's sp_xprts list) would not be changed leading
+to the problem above.
+
+Instead, determined if the nfsdctl is trying to remove a listener, in
+which case, delete all the existing listener transports and re-create
+all-but-the-removed ones.
+
+Fixes: 16a471177496 ("NFSD: add listener-{set,get} netlink command")
+Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+---
+ fs/nfsd/nfsctl.c | 44 +++++++++++++++++++++-----------------------
+ 1 file changed, 21 insertions(+), 23 deletions(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1917,6 +1917,7 @@ int nfsd_nl_listener_set_doit(struct sk_
+ 	struct svc_serv *serv;
+ 	LIST_HEAD(permsocks);
+ 	struct nfsd_net *nn;
++	bool delete = false;
+ 	int err, rem;
+ 
+ 	mutex_lock(&nfsd_mutex);
+@@ -1977,34 +1978,28 @@ int nfsd_nl_listener_set_doit(struct sk_
+ 		}
+ 	}
+ 
+-	/* For now, no removing old sockets while server is running */
+-	if (serv->sv_nrthreads && !list_empty(&permsocks)) {
++	/*
++	 * If there are listener transports remaining on the permsocks list,
++	 * it means we were asked to remove a listener.
++	 */
++	if (!list_empty(&permsocks)) {
+ 		list_splice_init(&permsocks, &serv->sv_permsocks);
+-		spin_unlock_bh(&serv->sv_lock);
+-		err = -EBUSY;
+-		goto out_unlock_mtx;
++		delete = true;
+ 	}
++	spin_unlock_bh(&serv->sv_lock);
+ 
+-	/* Close the remaining sockets on the permsocks list */
+-	while (!list_empty(&permsocks)) {
+-		xprt = list_first_entry(&permsocks, struct svc_xprt, xpt_list);
+-		list_move(&xprt->xpt_list, &serv->sv_permsocks);
+-
+-		/*
+-		 * Newly-created sockets are born with the BUSY bit set. Clear
+-		 * it if there are no threads, since nothing can pick it up
+-		 * in that case.
+-		 */
+-		if (!serv->sv_nrthreads)
+-			clear_bit(XPT_BUSY, &xprt->xpt_flags);
+-
+-		set_bit(XPT_CLOSE, &xprt->xpt_flags);
+-		spin_unlock_bh(&serv->sv_lock);
+-		svc_xprt_close(xprt);
+-		spin_lock_bh(&serv->sv_lock);
++	/* Do not remove listeners while there are active threads. */
++	if (serv->sv_nrthreads) {
++		err = -EBUSY;
++		goto out_unlock_mtx;
+ 	}
+ 
+-	spin_unlock_bh(&serv->sv_lock);
++	/*
++	 * Since we can't delete an arbitrary llist entry, destroy the
++	 * remaining listeners and recreate the list.
++	 */
++	if (delete)
++		svc_xprt_destroy_all(serv, net);
+ 
+ 	/* walk list of addrs again, open any that still don't exist */
+ 	nlmsg_for_each_attr(attr, info->nlhdr, GENL_HDRLEN, rem) {
+@@ -2031,6 +2026,9 @@ int nfsd_nl_listener_set_doit(struct sk_
+ 
+ 		xprt = svc_find_listener(serv, xcl_name, net, sa);
+ 		if (xprt) {
++			if (delete)
++				WARN_ONCE(1, "Transport type=%s already exists\n",
++					  xcl_name);
+ 			svc_xprt_put(xprt);
+ 			continue;
+ 		}

debian/patches/patchset-pf/nfs/0002-NFSD-Skip-sending-CB_RECALL_ANY-when-the-backchannel.patch

@@ -0,0 +1,55 @@
+From 71e2b1f41ebbead746c5b99384ebb9fb7c73a079 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Tue, 14 Jan 2025 17:09:24 -0500
+Subject: NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up
+
+NFSD sends CB_RECALL_ANY to clients when the server is low on
+memory or that client has a large number of delegations outstanding.
+
+We've seen cases where NFSD attempts to send CB_RECALL_ANY requests
+to disconnected clients, and gets confused. These calls never go
+anywhere if a backchannel transport to the target client isn't
+available. Before the server can send any backchannel operation, the
+client has to connect first and then do a BIND_CONN_TO_SESSION.
+
+This patch doesn't address the root cause of the confusion, but
+there's no need to queue up these optional operations if they can't
+go anywhere.
+
+Fixes: 44df6f439a17 ("NFSD: add delegation reaper to react to low memory condition")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+---
+ fs/nfsd/nfs4state.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -6860,14 +6860,19 @@ deleg_reaper(struct nfsd_net *nn)
+ 	spin_lock(&nn->client_lock);
+ 	list_for_each_safe(pos, next, &nn->client_lru) {
+ 		clp = list_entry(pos, struct nfs4_client, cl_lru);
+-		if (clp->cl_state != NFSD4_ACTIVE ||
+-			list_empty(&clp->cl_delegations) ||
+-			atomic_read(&clp->cl_delegs_in_recall) ||
+-			test_bit(NFSD4_CLIENT_CB_RECALL_ANY, &clp->cl_flags) ||
+-			(ktime_get_boottime_seconds() -
+-				clp->cl_ra_time < 5)) {
++
++		if (clp->cl_state != NFSD4_ACTIVE)
++			continue;
++		if (list_empty(&clp->cl_delegations))
++			continue;
++		if (atomic_read(&clp->cl_delegs_in_recall))
++			continue;
++		if (test_bit(NFSD4_CLIENT_CB_RECALL_ANY, &clp->cl_flags))
++			continue;
++		if (ktime_get_boottime_seconds() - clp->cl_ra_time < 5)
++			continue;
++		if (clp->cl_cb_state != NFSD4_CB_UP)
+ 			continue;
+-		}
+ 		list_add(&clp->cl_ra_cblist, &cblist);
+ 
+ 		/* release in nfsd4_cb_recall_any_release */

debian/patches/patchset-pf/nfs/0003-NFSD-nfsd_unlink-clobbers-non-zero-status-returned-f.patch

@@ -0,0 +1,35 @@
+From e9976f5c50b6513c156c4f5a1d9fde96efb50d29 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Sun, 26 Jan 2025 16:50:17 -0500
+Subject: NFSD: nfsd_unlink() clobbers non-zero status returned from
+ fh_fill_pre_attrs()
+
+If fh_fill_pre_attrs() returns a non-zero status, the error flow
+takes it through out_unlock, which then overwrites the returned
+status code with
+
+	err = nfserrno(host_err);
+
+Fixes: a332018a91c4 ("nfsd: handle failure to collect pre/post-op attrs more sanely")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+---
+ fs/nfsd/vfs.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -2011,11 +2011,9 @@ out_nfserr:
+ 		 * error status.
+ 		 */
+ 		err = nfserr_file_open;
+-	} else {
+-		err = nfserrno(host_err);
+ 	}
+ out:
+-	return err;
++	return err != nfs_ok ? err : nfserrno(host_err);
+ out_unlock:
+ 	inode_unlock(dirp);
+ 	goto out_drop_write;

debian/patches/patchset-pf/nfs/0004-NFSD-Never-return-NFS4ERR_FILE_OPEN-when-removing-a-.patch

@@ -0,0 +1,68 @@
+From c6e51270335aa72d7f255051119792629ed2ad2d Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Sun, 26 Jan 2025 16:50:18 -0500
+Subject: NFSD: Never return NFS4ERR_FILE_OPEN when removing a directory
+
+RFC 8881 Section 18.25.4 paragraph 5 tells us that the server
+should return NFS4ERR_FILE_OPEN only if the target object is an
+opened file. This suggests that returning this status when removing
+a directory will confuse NFS clients.
+
+This is a version-specific issue; nfsd_proc_remove/rmdir() and
+nfsd3_proc_remove/rmdir() already return nfserr_access as
+appropriate.
+
+Unfortunately there is no quick way for nfsd4_remove() to determine
+whether the target object is a file or not, so the check is done in
+in nfsd_unlink() for now.
+
+Reported-by: Trond Myklebust <trondmy@hammerspace.com>
+Fixes: 466e16f0920f ("nfsd: check for EBUSY from vfs_rmdir/vfs_unink.")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+---
+ fs/nfsd/vfs.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -1931,9 +1931,17 @@ out:
+ 	return err;
+ }
+ 
+-/*
+- * Unlink a file or directory
+- * N.B. After this call fhp needs an fh_put
++/**
++ * nfsd_unlink - remove a directory entry
++ * @rqstp: RPC transaction context
++ * @fhp: the file handle of the parent directory to be modified
++ * @type: enforced file type of the object to be removed
++ * @fname: the name of directory entry to be removed
++ * @flen: length of @fname in octets
++ *
++ * After this call fhp needs an fh_put.
++ *
++ * Returns a generic NFS status code in network byte-order.
+  */
+ __be32
+ nfsd_unlink(struct svc_rqst *rqstp, struct svc_fh *fhp, int type,
+@@ -2007,10 +2015,14 @@ out_drop_write:
+ 	fh_drop_write(fhp);
+ out_nfserr:
+ 	if (host_err == -EBUSY) {
+-		/* name is mounted-on. There is no perfect
+-		 * error status.
++		/*
++		 * See RFC 8881 Section 18.25.4 para 4: NFSv4 REMOVE
++		 * wants a status unique to the object type.
+ 		 */
+-		err = nfserr_file_open;
++		if (type != S_IFDIR)
++			err = nfserr_file_open;
++		else
++			err = nfserr_acces;
+ 	}
+ out:
+ 	return err != nfs_ok ? err : nfserrno(host_err);

debian/patches/patchset-pf/nfs/0005-nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch

@@ -0,0 +1,88 @@
+From be9eb38c29f63437120c1b4c5d1e7df98851e05e Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Thu, 6 Feb 2025 13:12:13 -0500
+Subject: nfsd: don't ignore the return code of svc_proc_register()
+
+Currently, nfsd_proc_stat_init() ignores the return value of
+svc_proc_register(). If the procfile creation fails, then the kernel
+will WARN when it tries to remove the entry later.
+
+Fix nfsd_proc_stat_init() to return the same type of pointer as
+svc_proc_register(), and fix up nfsd_net_init() to check that and fail
+the nfsd_net construction if it occurs.
+
+svc_proc_register() can fail if the dentry can't be allocated, or if an
+identical dentry already exists. The second case is pretty unlikely in
+the nfsd_net construction codepath, so if this happens, return -ENOMEM.
+
+Reported-by: syzbot+e34ad04f27991521104c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-nfs/67a47501.050a0220.19061f.05f9.GAE@google.com/
+Cc: stable@vger.kernel.org # v6.9
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+---
+ fs/nfsd/nfsctl.c | 9 ++++++++-
+ fs/nfsd/stats.c  | 4 ++--
+ fs/nfsd/stats.h  | 2 +-
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -2202,8 +2202,14 @@ static __net_init int nfsd_net_init(stru
+ 					  NFSD_STATS_COUNTERS_NUM);
+ 	if (retval)
+ 		goto out_repcache_error;
++
+ 	memset(&nn->nfsd_svcstats, 0, sizeof(nn->nfsd_svcstats));
+ 	nn->nfsd_svcstats.program = &nfsd_programs[0];
++	if (!nfsd_proc_stat_init(net)) {
++		retval = -ENOMEM;
++		goto out_proc_error;
++	}
++
+ 	for (i = 0; i < sizeof(nn->nfsd_versions); i++)
+ 		nn->nfsd_versions[i] = nfsd_support_version(i);
+ 	for (i = 0; i < sizeof(nn->nfsd4_minorversions); i++)
+@@ -2213,13 +2219,14 @@ static __net_init int nfsd_net_init(stru
+ 	nfsd4_init_leases_net(nn);
+ 	get_random_bytes(&nn->siphash_key, sizeof(nn->siphash_key));
+ 	seqlock_init(&nn->writeverf_lock);
+-	nfsd_proc_stat_init(net);
+ #if IS_ENABLED(CONFIG_NFS_LOCALIO)
+ 	spin_lock_init(&nn->local_clients_lock);
+ 	INIT_LIST_HEAD(&nn->local_clients);
+ #endif
+ 	return 0;
+ 
++out_proc_error:
++	percpu_counter_destroy_many(nn->counter, NFSD_STATS_COUNTERS_NUM);
+ out_repcache_error:
+ 	nfsd_idmap_shutdown(net);
+ out_idmap_error:
+--- a/fs/nfsd/stats.c
++++ b/fs/nfsd/stats.c
+@@ -73,11 +73,11 @@ static int nfsd_show(struct seq_file *se
+ 
+ DEFINE_PROC_SHOW_ATTRIBUTE(nfsd);
+ 
+-void nfsd_proc_stat_init(struct net *net)
++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net)
+ {
+ 	struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+ 
+-	svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
++	return svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
+ }
+ 
+ void nfsd_proc_stat_shutdown(struct net *net)
+--- a/fs/nfsd/stats.h
++++ b/fs/nfsd/stats.h
+@@ -10,7 +10,7 @@
+ #include <uapi/linux/nfsd/stats.h>
+ #include <linux/percpu_counter.h>
+ 
+-void nfsd_proc_stat_init(struct net *net);
++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net);
+ void nfsd_proc_stat_shutdown(struct net *net);
+ 
+ static inline void nfsd_stats_rc_hits_inc(struct nfsd_net *nn)

debian/patches/patchset-pf/nfs/0006-nfsd-allow-SC_STATUS_FREEABLE-when-searching-via-nfs.patch

@@ -0,0 +1,54 @@
+From 8ae7239f6e86e8eaf9b2d95164b9d88b0af1c9c7 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Thu, 13 Feb 2025 09:08:29 -0500
+Subject: nfsd: allow SC_STATUS_FREEABLE when searching via
+ nfs4_lookup_stateid()
+
+The pynfs DELEG8 test fails when run against nfsd. It acquires a
+delegation and then lets the lease time out. It then tries to use the
+deleg stateid and expects to see NFS4ERR_DELEG_REVOKED, but it gets
+bad NFS4ERR_BAD_STATEID instead.
+
+When a delegation is revoked, it's initially marked with
+SC_STATUS_REVOKED, or SC_STATUS_ADMIN_REVOKED and later, it's marked
+with the SC_STATUS_FREEABLE flag, which denotes that it is waiting for
+s FREE_STATEID call.
+
+nfs4_lookup_stateid() accepts a statusmask that includes the status
+flags that a found stateid is allowed to have. Currently, that mask
+never includes SC_STATUS_FREEABLE, which means that revoked delegations
+are (almost) never found.
+
+Add SC_STATUS_FREEABLE to the always-allowed status flags, and remove it
+from nfsd4_delegreturn() since it's now always implied.
+
+Fixes: 8dd91e8d31fe ("nfsd: fix race between laundromat and free_stateid")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+---
+ fs/nfsd/nfs4state.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -7056,7 +7056,7 @@ nfsd4_lookup_stateid(struct nfsd4_compou
+ 		 */
+ 		statusmask |= SC_STATUS_REVOKED;
+ 
+-	statusmask |= SC_STATUS_ADMIN_REVOKED;
++	statusmask |= SC_STATUS_ADMIN_REVOKED | SC_STATUS_FREEABLE;
+ 
+ 	if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) ||
+ 		CLOSE_STATEID(stateid))
+@@ -7711,9 +7711,7 @@ nfsd4_delegreturn(struct svc_rqst *rqstp
+ 	if ((status = fh_verify(rqstp, &cstate->current_fh, S_IFREG, 0)))
+ 		return status;
+ 
+-	status = nfsd4_lookup_stateid(cstate, stateid, SC_TYPE_DELEG,
+-				      SC_STATUS_REVOKED | SC_STATUS_FREEABLE,
+-				      &s, nn);
++	status = nfsd4_lookup_stateid(cstate, stateid, SC_TYPE_DELEG, SC_STATUS_REVOKED, &s, nn);
+ 	if (status)
+ 		goto out;
+ 	dp = delegstateid(s);

debian/patches/patchset-pf/nfs/0007-nfsd-put-dl_stid-if-fail-to-queue-dl_recall.patch

@@ -0,0 +1,97 @@
+From e5747c32073db3e624d454b80c94f5cb9b362370 Mon Sep 17 00:00:00 2001
+From: Li Lingfeng <lilingfeng3@huawei.com>
+Date: Thu, 13 Feb 2025 22:42:20 +0800
+Subject: nfsd: put dl_stid if fail to queue dl_recall
+
+Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we
+increment the reference count of dl_stid.
+We expect that after the corresponding work_struct is processed, the
+reference count of dl_stid will be decremented through the callback
+function nfsd4_cb_recall_release.
+However, if the call to nfsd4_run_cb fails, the incremented reference
+count of dl_stid will not be decremented correspondingly, leading to the
+following nfs4_stid leak:
+unreferenced object 0xffff88812067b578 (size 344):
+  comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s)
+  hex dump (first 32 bytes):
+    01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff  ....kkkk........
+    00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de  .kkkkkkk.....N..
+  backtrace:
+    kmem_cache_alloc+0x4b9/0x700
+    nfsd4_process_open1+0x34/0x300
+    nfsd4_open+0x2d1/0x9d0
+    nfsd4_proc_compound+0x7a2/0xe30
+    nfsd_dispatch+0x241/0x3e0
+    svc_process_common+0x5d3/0xcc0
+    svc_process+0x2a3/0x320
+    nfsd+0x180/0x2e0
+    kthread+0x199/0x1d0
+    ret_from_fork+0x30/0x50
+    ret_from_fork_asm+0x1b/0x30
+unreferenced object 0xffff8881499f4d28 (size 368):
+  comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s)
+  hex dump (first 32 bytes):
+    01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff  ........0M.I....
+    30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00  0M.I.... .......
+  backtrace:
+    kmem_cache_alloc+0x4b9/0x700
+    nfs4_alloc_stid+0x29/0x210
+    alloc_init_deleg+0x92/0x2e0
+    nfs4_set_delegation+0x284/0xc00
+    nfs4_open_delegation+0x216/0x3f0
+    nfsd4_process_open2+0x2b3/0xee0
+    nfsd4_open+0x770/0x9d0
+    nfsd4_proc_compound+0x7a2/0xe30
+    nfsd_dispatch+0x241/0x3e0
+    svc_process_common+0x5d3/0xcc0
+    svc_process+0x2a3/0x320
+    nfsd+0x180/0x2e0
+    kthread+0x199/0x1d0
+    ret_from_fork+0x30/0x50
+    ret_from_fork_asm+0x1b/0x30
+Fix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if
+fail to queue dl_recall.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+---
+ fs/nfsd/nfs4state.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1050,6 +1050,12 @@ static struct nfs4_ol_stateid * nfs4_all
+ 	return openlockstateid(stid);
+ }
+ 
++/*
++ * As the sc_free callback of deleg, this may be called by nfs4_put_stid
++ * in nfsd_break_one_deleg.
++ * Considering nfsd_break_one_deleg is called with the flc->flc_lock held,
++ * this function mustn't ever sleep.
++ */
+ static void nfs4_free_deleg(struct nfs4_stid *stid)
+ {
+ 	struct nfs4_delegation *dp = delegstateid(stid);
+@@ -5414,6 +5420,7 @@ static const struct nfsd4_callback_ops n
+ 
+ static void nfsd_break_one_deleg(struct nfs4_delegation *dp)
+ {
++	bool queued;
+ 	/*
+ 	 * We're assuming the state code never drops its reference
+ 	 * without first removing the lease.  Since we're in this lease
+@@ -5422,7 +5429,10 @@ static void nfsd_break_one_deleg(struct
+ 	 * we know it's safe to take a reference.
+ 	 */
+ 	refcount_inc(&dp->dl_stid.sc_count);
+-	WARN_ON_ONCE(!nfsd4_run_cb(&dp->dl_recall));
++	queued = nfsd4_run_cb(&dp->dl_recall);
++	WARN_ON_ONCE(!queued);
++	if (!queued)
++		nfs4_put_stid(&dp->dl_stid);
+ }
+ 
+ /* Called from break_lease() with flc_lock held. */

debian/patches/patchset-pf/nfs/0008-NFSD-Add-a-Kconfig-setting-to-enable-delegated-times.patch

@@ -0,0 +1,74 @@
+From 26d356ebfcd275f01c22349404676755dd36a4c4 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Tue, 11 Mar 2025 23:06:38 -0400
+Subject: NFSD: Add a Kconfig setting to enable delegated timestamps
+
+After three tries, we still see test failures with delegated
+timestamps. Disable them by default, but leave the implementation
+intact so that development can continue.
+
+Cc: stable@vger.kernel.org # v6.14
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+---
+ fs/nfsd/Kconfig     | 12 +++++++++++-
+ fs/nfsd/nfs4state.c | 16 ++++++++++++++--
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+--- a/fs/nfsd/Kconfig
++++ b/fs/nfsd/Kconfig
+@@ -172,6 +172,16 @@ config NFSD_LEGACY_CLIENT_TRACKING
+ 	  recoverydir, or spawn a process directly using a usermodehelper
+ 	  upcall.
+ 
+-	  These legacy client tracking methods have proven to be probelmatic
++	  These legacy client tracking methods have proven to be problematic
+ 	  and will be removed in the future. Say Y here if you need support
+ 	  for them in the interim.
++
++config NFSD_V4_DELEG_TIMESTAMPS
++	bool "Support delegated timestamps"
++	depends on NFSD_V4
++	default n
++	help
++	  NFSD implements delegated timestamps according to
++	  draft-ietf-nfsv4-delstid-08 "Extending the Opening of Files". This
++	  is currently an experimental feature and is therefore left disabled
++	  by default.
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -5958,11 +5958,23 @@ nfsd4_verify_setuid_write(struct nfsd4_o
+ 	return 0;
+ }
+ 
++#ifdef CONFIG_NFSD_V4_DELEG_TIMESTAMPS
++static bool nfsd4_want_deleg_timestamps(const struct nfsd4_open *open)
++{
++	return open->op_deleg_want & OPEN4_SHARE_ACCESS_WANT_DELEG_TIMESTAMPS;
++}
++#else /* CONFIG_NFSD_V4_DELEG_TIMESTAMPS */
++static bool nfsd4_want_deleg_timestamps(const struct nfsd4_open *open)
++{
++	return false;
++}
++#endif /* CONFIG NFSD_V4_DELEG_TIMESTAMPS */
++
+ static struct nfs4_delegation *
+ nfs4_set_delegation(struct nfsd4_open *open, struct nfs4_ol_stateid *stp,
+ 		    struct svc_fh *parent)
+ {
+-	bool deleg_ts = open->op_deleg_want & OPEN4_SHARE_ACCESS_WANT_DELEG_TIMESTAMPS;
++	bool deleg_ts = nfsd4_want_deleg_timestamps(open);
+ 	struct nfs4_client *clp = stp->st_stid.sc_client;
+ 	struct nfs4_file *fp = stp->st_stid.sc_file;
+ 	struct nfs4_clnt_odstate *odstate = stp->st_clnt_odstate;
+@@ -6161,8 +6173,8 @@ static void
+ nfs4_open_delegation(struct nfsd4_open *open, struct nfs4_ol_stateid *stp,
+ 		     struct svc_fh *currentfh)
+ {
+-	bool deleg_ts = open->op_deleg_want & OPEN4_SHARE_ACCESS_WANT_DELEG_TIMESTAMPS;
+ 	struct nfs4_openowner *oo = openowner(stp->st_stateowner);
++	bool deleg_ts = nfsd4_want_deleg_timestamps(open);
+ 	struct nfs4_client *clp = stp->st_stid.sc_client;
+ 	struct svc_fh *parent = NULL;
+ 	struct nfs4_delegation *dp;

debian/patches/patchset-pf/smb/0001-cifs-avoid-NULL-pointer-dereference-in-dbg-call.patch

@@ -0,0 +1,37 @@
+From c1a019d5fef8266e444159bc2bdaf9a5c9c7ef76 Mon Sep 17 00:00:00 2001
+From: Alexandra Diupina <adiupina@astralinux.ru>
+Date: Wed, 19 Mar 2025 17:28:58 +0300
+Subject: cifs: avoid NULL pointer dereference in dbg call
+
+cifs_server_dbg() implies server to be non-NULL so
+move call under condition to avoid NULL pointer dereference.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: e79b0332ae06 ("cifs: ignore cached share root handle closing errors")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/client/smb2misc.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/client/smb2misc.c
++++ b/fs/smb/client/smb2misc.c
+@@ -816,11 +816,12 @@ smb2_handle_cancelled_close(struct cifs_
+ 		WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative");
+ 		spin_unlock(&cifs_tcp_ses_lock);
+ 
+-		if (tcon->ses)
++		if (tcon->ses) {
+ 			server = tcon->ses->server;
+-
+-		cifs_server_dbg(FYI, "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
+-				tcon->tid, persistent_fid, volatile_fid);
++			cifs_server_dbg(FYI,
++					"tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
++					tcon->tid, persistent_fid, volatile_fid);
++		}
+ 
+ 		return 0;
+ 	}

debian/patches/patchset-pf/smb/0002-ksmbd-add-bounds-check-for-durable-handle-context.patch

@@ -0,0 +1,60 @@
+From 750b72183e7f3d9dc775540cee41c0c06d2c1da4 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 14 Mar 2025 18:21:47 +0900
+Subject: ksmbd: add bounds check for durable handle context
+
+Add missing bounds check for durable handle context.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/smb2pdu.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -2708,6 +2708,13 @@ static int parse_durable_handle_context(
+ 				goto out;
+ 			}
+ 
++			if (le16_to_cpu(context->DataOffset) +
++				le32_to_cpu(context->DataLength) <
++			    sizeof(struct create_durable_reconn_v2_req)) {
++				err = -EINVAL;
++				goto out;
++			}
++
+ 			recon_v2 = (struct create_durable_reconn_v2_req *)context;
+ 			persistent_id = recon_v2->Fid.PersistentFileId;
+ 			dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
+@@ -2741,6 +2748,13 @@ static int parse_durable_handle_context(
+ 				goto out;
+ 			}
+ 
++			if (le16_to_cpu(context->DataOffset) +
++				le32_to_cpu(context->DataLength) <
++			    sizeof(struct create_durable_reconn_req)) {
++				err = -EINVAL;
++				goto out;
++			}
++
+ 			recon = (struct create_durable_reconn_req *)context;
+ 			persistent_id = recon->Data.Fid.PersistentFileId;
+ 			dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
+@@ -2765,6 +2779,13 @@ static int parse_durable_handle_context(
+ 				err = -EINVAL;
+ 				goto out;
+ 			}
++
++			if (le16_to_cpu(context->DataOffset) +
++				le32_to_cpu(context->DataLength) <
++			    sizeof(struct create_durable_req_v2)) {
++				err = -EINVAL;
++				goto out;
++			}
+ 
+ 			durable_v2_blob =
+ 				(struct create_durable_req_v2 *)context;

debian/patches/patchset-pf/smb/0003-CIFS-Propagate-min-offload-along-with-other-paramete.patch

@@ -0,0 +1,59 @@
+From 419b06f0ca7662c17a026ab0117ba9887dbd0477 Mon Sep 17 00:00:00 2001
+From: Aman <aman1@microsoft.com>
+Date: Thu, 6 Mar 2025 17:46:43 +0000
+Subject: CIFS: Propagate min offload along with other parameters from primary
+ to secondary channels.
+
+In a multichannel setup, it was observed that a few fields were not being
+copied over to the secondary channels, which impacted performance in cases
+where these options were relevant but not properly synchronized. To address
+this, this patch introduces copying the following parameters from the
+primary channel to the secondary channels:
+
+- min_offload
+- compression.requested
+- dfs_conn
+- ignore_signature
+- leaf_fullpath
+- noblockcnt
+- retrans
+- sign
+
+By copying these parameters, we ensure consistency across channels and
+prevent performance degradation due to missing or outdated settings.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Aman <aman1@microsoft.com>
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/client/connect.c | 1 +
+ fs/smb/client/sess.c    | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -1676,6 +1676,7 @@ cifs_get_tcp_session(struct smb3_fs_cont
+ 	/* Grab netns reference for this server. */
+ 	cifs_set_net_ns(tcp_ses, get_net(current->nsproxy->net_ns));
+ 
++	tcp_ses->sign = ctx->sign;
+ 	tcp_ses->conn_id = atomic_inc_return(&tcpSesNextId);
+ 	tcp_ses->noblockcnt = ctx->rootfs;
+ 	tcp_ses->noblocksnd = ctx->noblocksnd || ctx->rootfs;
+--- a/fs/smb/client/sess.c
++++ b/fs/smb/client/sess.c
+@@ -522,6 +522,13 @@ cifs_ses_add_channel(struct cifs_ses *se
+ 	ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay;
+ 	ctx->echo_interval = ses->server->echo_interval / HZ;
+ 	ctx->max_credits = ses->server->max_credits;
++	ctx->min_offload = ses->server->min_offload;
++	ctx->compress = ses->server->compression.requested;
++	ctx->dfs_conn = ses->server->dfs_conn;
++	ctx->ignore_signature = ses->server->ignore_signature;
++	ctx->leaf_fullpath = ses->server->leaf_fullpath;
++	ctx->rootfs = ses->server->noblockcnt;
++	ctx->retrans = ses->server->retrans;
+ 
+ 	/*
+ 	 * This will be used for encoding/decoding user/domain/pw

debian/patches/patchset-pf/smb/0004-ksmbd-add-bounds-check-for-create-lease-context.patch

@@ -0,0 +1,41 @@
+From df179d4868b57eb8bcd7587559164178f17f0747 Mon Sep 17 00:00:00 2001
+From: Norbert Szetei <norbert@doyensec.com>
+Date: Sat, 15 Mar 2025 12:19:28 +0900
+Subject: ksmbd: add bounds check for create lease context
+
+Add missing bounds check for create lease context.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/oplock.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/smb/server/oplock.c
++++ b/fs/smb/server/oplock.c
+@@ -1505,6 +1505,10 @@ struct lease_ctx_info *parse_lease_state
+ 	if (sizeof(struct lease_context_v2) == le32_to_cpu(cc->DataLength)) {
+ 		struct create_lease_v2 *lc = (struct create_lease_v2 *)cc;
+ 
++		if (le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength) <
++		    sizeof(struct create_lease_v2) - 4)
++			return NULL;
++
+ 		memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
+ 		lreq->req_state = lc->lcontext.LeaseState;
+ 		lreq->flags = lc->lcontext.LeaseFlags;
+@@ -1517,6 +1521,10 @@ struct lease_ctx_info *parse_lease_state
+ 	} else {
+ 		struct create_lease *lc = (struct create_lease *)cc;
+ 
++		if (le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength) <
++		    sizeof(struct create_lease))
++			return NULL;
++
+ 		memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
+ 		lreq->req_state = lc->lcontext.LeaseState;
+ 		lreq->flags = lc->lcontext.LeaseFlags;

debian/patches/patchset-pf/smb/0005-ksmbd-fix-use-after-free-in-ksmbd_sessions_deregiste.patch

@@ -0,0 +1,31 @@
+From d72853120541d47779616db780a15a42afe4ad9b Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sat, 22 Mar 2025 09:20:19 +0900
+Subject: ksmbd: fix use-after-free in ksmbd_sessions_deregister()
+
+In multichannel mode, UAF issue can occur in session_deregister
+when the second channel sets up a session through the connection of
+the first channel. session that is freed through the global session
+table can be accessed again through ->sessions of connection.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/mgmt/user_session.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -230,6 +230,9 @@ void ksmbd_sessions_deregister(struct ks
+ 			if (!ksmbd_chann_del(conn, sess) &&
+ 			    xa_empty(&sess->ksmbd_chann_list)) {
+ 				hash_del(&sess->hlist);
++				down_write(&conn->session_lock);
++				xa_erase(&conn->sessions, sess->id);
++				up_write(&conn->session_lock);
+ 				ksmbd_session_destroy(sess);
+ 			}
+ 		}

debian/patches/patchset-pf/smb/0006-cifs-fix-integer-overflow-in-match_server.patch

@@ -0,0 +1,36 @@
+From 87a17042db9d288d1c5bf3eac2a31bd3315a8cd0 Mon Sep 17 00:00:00 2001
+From: Roman Smirnov <r.smirnov@omp.ru>
+Date: Mon, 31 Mar 2025 11:22:49 +0300
+Subject: cifs: fix integer overflow in match_server()
+
+The echo_interval is not limited in any way during mounting,
+which makes it possible to write a large number to it. This can
+cause an overflow when multiplying ctx->echo_interval by HZ in
+match_server().
+
+Add constraints for echo_interval to smb3_fs_context_parse_param().
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: adfeb3e00e8e1 ("cifs: Make echo interval tunable")
+Cc: stable@vger.kernel.org
+Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/client/fs_context.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -1377,6 +1377,11 @@ static int smb3_fs_context_parse_param(s
+ 		ctx->closetimeo = HZ * result.uint_32;
+ 		break;
+ 	case Opt_echo_interval:
++		if (result.uint_32 < SMB_ECHO_INTERVAL_MIN ||
++		    result.uint_32 > SMB_ECHO_INTERVAL_MAX) {
++			cifs_errorf(fc, "echo interval is out of bounds\n");
++			goto cifs_parse_mount_err;
++		}
+ 		ctx->echo_interval = result.uint_32;
+ 		break;
+ 	case Opt_snapshot:

debian/patches/patchset-pf/smb/0007-ksmbd-fix-session-use-after-free-in-multichannel-con.patch

@@ -0,0 +1,105 @@
+From 13cf611fba8e4bcb60b66abb0c2a2456d7863c18 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Thu, 27 Mar 2025 21:22:51 +0900
+Subject: ksmbd: fix session use-after-free in multichannel connection
+
+There is a race condition between session setup and
+ksmbd_sessions_deregister. The session can be freed before the connection
+is added to channel list of session.
+This patch check reference count of session before freeing it.
+
+Cc: stable@vger.kernel.org
+Reported-by: Sean Heelan <seanheelan@gmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/auth.c              |  4 ++--
+ fs/smb/server/mgmt/user_session.c | 14 ++++++++------
+ fs/smb/server/smb2pdu.c           |  7 ++++---
+ 3 files changed, 14 insertions(+), 11 deletions(-)
+
+--- a/fs/smb/server/auth.c
++++ b/fs/smb/server/auth.c
+@@ -1016,9 +1016,9 @@ static int ksmbd_get_encryption_key(stru
+ 
+ 	ses_enc_key = enc ? sess->smb3encryptionkey :
+ 		sess->smb3decryptionkey;
+-	if (enc)
+-		ksmbd_user_session_get(sess);
+ 	memcpy(key, ses_enc_key, SMB3_ENC_DEC_KEY_SIZE);
++	if (!enc)
++		ksmbd_user_session_put(sess);
+ 
+ 	return 0;
+ }
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -181,7 +181,7 @@ static void ksmbd_expire_session(struct
+ 	down_write(&sessions_table_lock);
+ 	down_write(&conn->session_lock);
+ 	xa_for_each(&conn->sessions, id, sess) {
+-		if (atomic_read(&sess->refcnt) == 0 &&
++		if (atomic_read(&sess->refcnt) <= 1 &&
+ 		    (sess->state != SMB2_SESSION_VALID ||
+ 		     time_after(jiffies,
+ 			       sess->last_active + SMB2_SESSION_TIMEOUT))) {
+@@ -233,7 +233,8 @@ void ksmbd_sessions_deregister(struct ks
+ 				down_write(&conn->session_lock);
+ 				xa_erase(&conn->sessions, sess->id);
+ 				up_write(&conn->session_lock);
+-				ksmbd_session_destroy(sess);
++				if (atomic_dec_and_test(&sess->refcnt))
++					ksmbd_session_destroy(sess);
+ 			}
+ 		}
+ 	}
+@@ -252,7 +253,8 @@ void ksmbd_sessions_deregister(struct ks
+ 		if (xa_empty(&sess->ksmbd_chann_list)) {
+ 			xa_erase(&conn->sessions, sess->id);
+ 			hash_del(&sess->hlist);
+-			ksmbd_session_destroy(sess);
++			if (atomic_dec_and_test(&sess->refcnt))
++				ksmbd_session_destroy(sess);
+ 		}
+ 	}
+ 	up_write(&conn->session_lock);
+@@ -312,8 +314,8 @@ void ksmbd_user_session_put(struct ksmbd
+ 
+ 	if (atomic_read(&sess->refcnt) <= 0)
+ 		WARN_ON(1);
+-	else
+-		atomic_dec(&sess->refcnt);
++	else if (atomic_dec_and_test(&sess->refcnt))
++		ksmbd_session_destroy(sess);
+ }
+ 
+ struct preauth_session *ksmbd_preauth_session_alloc(struct ksmbd_conn *conn,
+@@ -420,7 +422,7 @@ static struct ksmbd_session *__session_c
+ 	xa_init(&sess->rpc_handle_list);
+ 	sess->sequence_number = 1;
+ 	rwlock_init(&sess->tree_conns_lock);
+-	atomic_set(&sess->refcnt, 1);
++	atomic_set(&sess->refcnt, 2);
+ 
+ 	ret = __init_smb2_session(sess);
+ 	if (ret)
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -2239,13 +2239,14 @@ int smb2_session_logoff(struct ksmbd_wor
+ 		return -ENOENT;
+ 	}
+ 
+-	ksmbd_destroy_file_table(&sess->file_table);
+ 	down_write(&conn->session_lock);
+ 	sess->state = SMB2_SESSION_EXPIRED;
+ 	up_write(&conn->session_lock);
+ 
+-	ksmbd_free_user(sess->user);
+-	sess->user = NULL;
++	if (sess->user) {
++		ksmbd_free_user(sess->user);
++		sess->user = NULL;
++	}
+ 	ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_NEGOTIATE);
+ 
+ 	rsp->StructureSize = cpu_to_le16(4);

debian/patches/patchset-pf/smb/0008-ksmbd-fix-overflow-in-dacloffset-bounds-check.patch

@@ -0,0 +1,70 @@
+From 3fe0cc7e4d24b0a152798ec17ceed4156fe96033 Mon Sep 17 00:00:00 2001
+From: Norbert Szetei <norbert@doyensec.com>
+Date: Sat, 29 Mar 2025 06:58:15 +0000
+Subject: ksmbd: fix overflow in dacloffset bounds check
+
+The dacloffset field was originally typed as int and used in an
+unchecked addition, which could overflow and bypass the existing
+bounds check in both smb_check_perm_dacl() and smb_inherit_dacl().
+
+This could result in out-of-bounds memory access and a kernel crash
+when dereferencing the DACL pointer.
+
+This patch converts dacloffset to unsigned int and uses
+check_add_overflow() to validate access to the DACL.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Norbert Szetei <norbert@doyensec.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/smbacl.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/server/smbacl.c
++++ b/fs/smb/server/smbacl.c
+@@ -1026,7 +1026,9 @@ int smb_inherit_dacl(struct ksmbd_conn *
+ 	struct dentry *parent = path->dentry->d_parent;
+ 	struct mnt_idmap *idmap = mnt_idmap(path->mnt);
+ 	int inherited_flags = 0, flags = 0, i, nt_size = 0, pdacl_size;
+-	int rc = 0, dacloffset, pntsd_type, pntsd_size, acl_len, aces_size;
++	int rc = 0, pntsd_type, pntsd_size, acl_len, aces_size;
++	unsigned int dacloffset;
++	size_t dacl_struct_end;
+ 	u16 num_aces, ace_cnt = 0;
+ 	char *aces_base;
+ 	bool is_dir = S_ISDIR(d_inode(path->dentry)->i_mode);
+@@ -1035,8 +1037,11 @@ int smb_inherit_dacl(struct ksmbd_conn *
+ 					    parent, &parent_pntsd);
+ 	if (pntsd_size <= 0)
+ 		return -ENOENT;
++
+ 	dacloffset = le32_to_cpu(parent_pntsd->dacloffset);
+-	if (!dacloffset || (dacloffset + sizeof(struct smb_acl) > pntsd_size)) {
++	if (!dacloffset ||
++	    check_add_overflow(dacloffset, sizeof(struct smb_acl), &dacl_struct_end) ||
++	    dacl_struct_end > (size_t)pntsd_size) {
+ 		rc = -EINVAL;
+ 		goto free_parent_pntsd;
+ 	}
+@@ -1240,7 +1245,9 @@ int smb_check_perm_dacl(struct ksmbd_con
+ 	struct smb_ntsd *pntsd = NULL;
+ 	struct smb_acl *pdacl;
+ 	struct posix_acl *posix_acls;
+-	int rc = 0, pntsd_size, acl_size, aces_size, pdacl_size, dacl_offset;
++	int rc = 0, pntsd_size, acl_size, aces_size, pdacl_size;
++	unsigned int dacl_offset;
++	size_t dacl_struct_end;
+ 	struct smb_sid sid;
+ 	int granted = le32_to_cpu(*pdaccess & ~FILE_MAXIMAL_ACCESS_LE);
+ 	struct smb_ace *ace;
+@@ -1259,7 +1266,8 @@ int smb_check_perm_dacl(struct ksmbd_con
+ 
+ 	dacl_offset = le32_to_cpu(pntsd->dacloffset);
+ 	if (!dacl_offset ||
+-	    (dacl_offset + sizeof(struct smb_acl) > pntsd_size))
++	    check_add_overflow(dacl_offset, sizeof(struct smb_acl), &dacl_struct_end) ||
++	    dacl_struct_end > (size_t)pntsd_size)
+ 		goto err_out;
+ 
+ 	pdacl = (struct smb_acl *)((char *)pntsd + le32_to_cpu(pntsd->dacloffset));

debian/patches/patchset-pf/smb/0009-ksmbd-validate-zero-num_subauth-before-sub_auth-is-a.patch

@@ -0,0 +1,32 @@
+From 0cf6aa54e0b5dbd9b1835a3b9f13a154216a7422 Mon Sep 17 00:00:00 2001
+From: Norbert Szetei <norbert@doyensec.com>
+Date: Sat, 29 Mar 2025 16:06:01 +0000
+Subject: ksmbd: validate zero num_subauth before sub_auth is accessed
+
+Access psid->sub_auth[psid->num_subauth - 1] without checking
+if num_subauth is non-zero leads to an out-of-bounds read.
+This patch adds a validation step to ensure num_subauth != 0
+before sub_auth is accessed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Norbert Szetei <norbert@doyensec.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/smbacl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/server/smbacl.c
++++ b/fs/smb/server/smbacl.c
+@@ -270,6 +270,11 @@ static int sid_to_id(struct mnt_idmap *i
+ 		return -EIO;
+ 	}
+ 
++	if (psid->num_subauth == 0) {
++		pr_err("%s: zero subauthorities!\n", __func__);
++		return -EIO;
++	}
++
+ 	if (sidtype == SIDOWNER) {
+ 		kuid_t uid;
+ 		uid_t id;

debian/patches/patchset-pf/smb/0010-ksmbd-fix-null-pointer-dereference-in-alloc_preauth_.patch

@@ -0,0 +1,125 @@
+From 21715f2a6462476a4196725e436c4b0d968390ce Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Wed, 2 Apr 2025 09:11:23 +0900
+Subject: ksmbd: fix null pointer dereference in alloc_preauth_hash()
+
+The Client send malformed smb2 negotiate request. ksmbd return error
+response. Subsequently, the client can send smb2 session setup even
+thought conn->preauth_info is not allocated.
+This patch add KSMBD_SESS_NEED_SETUP status of connection to ignore
+session setup request if smb2 negotiate phase is not complete.
+
+Cc: stable@vger.kernel.org
+Tested-by: Steve French <stfrench@microsoft.com>
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-26505
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/connection.h        | 11 +++++++++++
+ fs/smb/server/mgmt/user_session.c |  4 ++--
+ fs/smb/server/smb2pdu.c           | 14 +++++++++++---
+ 3 files changed, 24 insertions(+), 5 deletions(-)
+
+--- a/fs/smb/server/connection.h
++++ b/fs/smb/server/connection.h
+@@ -27,6 +27,7 @@ enum {
+ 	KSMBD_SESS_EXITING,
+ 	KSMBD_SESS_NEED_RECONNECT,
+ 	KSMBD_SESS_NEED_NEGOTIATE,
++	KSMBD_SESS_NEED_SETUP,
+ 	KSMBD_SESS_RELEASING
+ };
+ 
+@@ -187,6 +188,11 @@ static inline bool ksmbd_conn_need_negot
+ 	return READ_ONCE(conn->status) == KSMBD_SESS_NEED_NEGOTIATE;
+ }
+ 
++static inline bool ksmbd_conn_need_setup(struct ksmbd_conn *conn)
++{
++	return READ_ONCE(conn->status) == KSMBD_SESS_NEED_SETUP;
++}
++
+ static inline bool ksmbd_conn_need_reconnect(struct ksmbd_conn *conn)
+ {
+ 	return READ_ONCE(conn->status) == KSMBD_SESS_NEED_RECONNECT;
+@@ -217,6 +223,11 @@ static inline void ksmbd_conn_set_need_n
+ 	WRITE_ONCE(conn->status, KSMBD_SESS_NEED_NEGOTIATE);
+ }
+ 
++static inline void ksmbd_conn_set_need_setup(struct ksmbd_conn *conn)
++{
++	WRITE_ONCE(conn->status, KSMBD_SESS_NEED_SETUP);
++}
++
+ static inline void ksmbd_conn_set_need_reconnect(struct ksmbd_conn *conn)
+ {
+ 	WRITE_ONCE(conn->status, KSMBD_SESS_NEED_RECONNECT);
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -358,13 +358,13 @@ void destroy_previous_session(struct ksm
+ 	ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_RECONNECT);
+ 	err = ksmbd_conn_wait_idle_sess_id(conn, id);
+ 	if (err) {
+-		ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE);
++		ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_SETUP);
+ 		goto out;
+ 	}
+ 
+ 	ksmbd_destroy_file_table(&prev_sess->file_table);
+ 	prev_sess->state = SMB2_SESSION_EXPIRED;
+-	ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE);
++	ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_SETUP);
+ 	ksmbd_launch_ksmbd_durable_scavenger();
+ out:
+ 	up_write(&conn->session_lock);
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1249,7 +1249,7 @@ int smb2_handle_negotiate(struct ksmbd_w
+ 	}
+ 
+ 	conn->srv_sec_mode = le16_to_cpu(rsp->SecurityMode);
+-	ksmbd_conn_set_need_negotiate(conn);
++	ksmbd_conn_set_need_setup(conn);
+ 
+ err_out:
+ 	ksmbd_conn_unlock(conn);
+@@ -1271,6 +1271,9 @@ static int alloc_preauth_hash(struct ksm
+ 	if (sess->Preauth_HashValue)
+ 		return 0;
+ 
++	if (!conn->preauth_info)
++		return -ENOMEM;
++
+ 	sess->Preauth_HashValue = kmemdup(conn->preauth_info->Preauth_HashValue,
+ 					  PREAUTH_HASHVALUE_SIZE, KSMBD_DEFAULT_GFP);
+ 	if (!sess->Preauth_HashValue)
+@@ -1674,6 +1677,11 @@ int smb2_sess_setup(struct ksmbd_work *w
+ 
+ 	ksmbd_debug(SMB, "Received smb2 session setup request\n");
+ 
++	if (!ksmbd_conn_need_setup(conn) && !ksmbd_conn_good(conn)) {
++		work->send_no_response = 1;
++		return rc;
++	}
++
+ 	WORK_BUFFERS(work, req, rsp);
+ 
+ 	rsp->StructureSize = cpu_to_le16(9);
+@@ -1913,7 +1921,7 @@ out_err:
+ 			if (try_delay) {
+ 				ksmbd_conn_set_need_reconnect(conn);
+ 				ssleep(5);
+-				ksmbd_conn_set_need_negotiate(conn);
++				ksmbd_conn_set_need_setup(conn);
+ 			}
+ 		}
+ 		smb2_set_err_rsp(work);
+@@ -2247,7 +2255,7 @@ int smb2_session_logoff(struct ksmbd_wor
+ 		ksmbd_free_user(sess->user);
+ 		sess->user = NULL;
+ 	}
+-	ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_NEGOTIATE);
++	ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_SETUP);
+ 
+ 	rsp->StructureSize = cpu_to_le16(4);
+ 	err = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_logoff_rsp));

debian/patches/patchset-pf/zstd/0001-zstd-import-upstream-v1.5.7.patch

@@ -1,4 +1,4 @@
-From ce390f13283adf62f17365d2f55e65e442e2edd8 Mon Sep 17 00:00:00 2001
+From 7aa936e7a4feef1256c1bae5caf02db3074766af Mon Sep 17 00:00:00 2001
 From: Oleksandr Natalenko <oleksandr@natalenko.name>
 Date: Thu, 20 Feb 2025 09:03:32 +0100
 Subject: zstd: import upstream v1.5.7

debian/patches/patchset-pf/zstd/0002-lib-zstd-Refactor-intentional-wrap-around-test.patch

@@ -1,4 +1,4 @@
-From 0df7cc91ac0a3e84f2e0aeec1a71cd737de41b8a Mon Sep 17 00:00:00 2001
+From 70dad0dd41069fbb2c4a85b548e7adc79121a020 Mon Sep 17 00:00:00 2001
 From: Kees Cook <keescook@chromium.org>
 Date: Mon, 22 Jan 2024 16:27:56 -0800
 Subject: lib: zstd: Refactor intentional wrap-around test

debian/patches/patchset-zen/sauce/0001-ZEN-Add-VHBA-driver.patch

@@ -50,7 +50,7 @@ tag    vhba-module-20240917
 --- /dev/null
 +++ b/drivers/scsi/vhba/Makefile
 @@ -0,0 +1,4 @@
-+VHBA_VERSION := 20240917
++VHBA_VERSION := 20250329
 +
 +obj-$(CONFIG_VHBA)		+= vhba.o
 +ccflags-y := -DVHBA_VERSION=\"$(VHBA_VERSION)\" -Werror

debian/patches/series

@@ -151,11 +151,41 @@ patchset-pf/amd-pstate/0028-cpufreq-amd-pstate-Stop-caching-EPP.patch
 patchset-pf/amd-pstate/0029-cpufreq-amd-pstate-Drop-actions-in-amd_pstate_epp_cp.patch
 patchset-pf/amd-pstate/0030-cpufreq-amd-pstate-fix-warning-noticed-by-kernel-tes.patch
 
+patchset-pf/btrfs/0001-btrfs-fix-non-empty-delayed-iputs-list-on-unmount-du.patch
+patchset-pf/btrfs/0002-btrfs-tests-fix-chunk-map-leak-after-failure-to-add-.patch
+patchset-pf/btrfs/0003-btrfs-zoned-fix-zone-activation-with-missing-devices.patch
+patchset-pf/btrfs/0004-btrfs-zoned-fix-zone-finishing-with-missing-devices.patch
+
 patchset-pf/cpuidle/0001-cpuidle-Prefer-teo-over-menu-governor.patch
 
 patchset-pf/crypto/0001-crypto-x86-aes-xts-make-the-fast-path-64-bit-specifi.patch
 patchset-pf/crypto/0002-crypto-x86-aes-ctr-rewrite-AESNI-AVX-optimized-CTR-a.patch
 
+patchset-pf/exfat/0001-exfat-fix-random-stack-corruption-after-get_block.patch
+patchset-pf/exfat/0002-exfat-fix-potential-wrong-error-return-from-get_bloc.patch
+
+patchset-pf/fuse/0001-fuse-io-uring-Fix-a-possible-req-cancellation-race.patch
+
+patchset-pf/nfs/0001-nfsd-fix-management-of-listener-transports.patch
+patchset-pf/nfs/0002-NFSD-Skip-sending-CB_RECALL_ANY-when-the-backchannel.patch
+patchset-pf/nfs/0003-NFSD-nfsd_unlink-clobbers-non-zero-status-returned-f.patch
+patchset-pf/nfs/0004-NFSD-Never-return-NFS4ERR_FILE_OPEN-when-removing-a-.patch
+patchset-pf/nfs/0005-nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch
+patchset-pf/nfs/0006-nfsd-allow-SC_STATUS_FREEABLE-when-searching-via-nfs.patch
+patchset-pf/nfs/0007-nfsd-put-dl_stid-if-fail-to-queue-dl_recall.patch
+patchset-pf/nfs/0008-NFSD-Add-a-Kconfig-setting-to-enable-delegated-times.patch
+
+patchset-pf/smb/0001-cifs-avoid-NULL-pointer-dereference-in-dbg-call.patch
+patchset-pf/smb/0002-ksmbd-add-bounds-check-for-durable-handle-context.patch
+patchset-pf/smb/0003-CIFS-Propagate-min-offload-along-with-other-paramete.patch
+patchset-pf/smb/0004-ksmbd-add-bounds-check-for-create-lease-context.patch
+patchset-pf/smb/0005-ksmbd-fix-use-after-free-in-ksmbd_sessions_deregiste.patch
+patchset-pf/smb/0006-cifs-fix-integer-overflow-in-match_server.patch
+patchset-pf/smb/0007-ksmbd-fix-session-use-after-free-in-multichannel-con.patch
+patchset-pf/smb/0008-ksmbd-fix-overflow-in-dacloffset-bounds-check.patch
+patchset-pf/smb/0009-ksmbd-validate-zero-num_subauth-before-sub_auth-is-a.patch
+patchset-pf/smb/0010-ksmbd-fix-null-pointer-dereference-in-alloc_preauth_.patch
+
 patchset-pf/zstd/0001-zstd-import-upstream-v1.5.7.patch
 patchset-pf/zstd/0002-lib-zstd-Refactor-intentional-wrap-around-test.patch
 
@@ -262,7 +292,15 @@ patchset-zen/sauce/0023-ZEN-INTERACTIVE-Document-PDS-BMQ-configuration.patch
 
 patchset-pf/fixes/0001-tpm-do-not-start-chip-while-suspended.patch
 patchset-pf/fixes/0002-x86-insn_decoder_test-allow-longer-symbol-names.patch
+patchset-pf/fixes/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.patch
+patchset-pf/fixes/0004-x86-tools-Drop-duplicate-unlikely-definition-in-insn.patch
+patchset-pf/fixes/0005-tpm-tpm_tis-Fix-timeout-handling-when-waiting-for-TP.patch
+patchset-pf/fixes/0006-x86-mm-Fix-flush_tlb_range-when-used-for-zapping-nor.patch
+patchset-pf/fixes/0007-x86-tsc-Always-save-restore-TSC-sched_clock-on-suspe.patch
+patchset-pf/fixes/0008-uprobes-x86-Harden-uretprobe-syscall-trampoline-chec.patch
+patchset-pf/fixes/0009-block-make-sure-nr_integrity_segments-is-cloned-in-b.patch
+patchset-pf/fixes/0010-PCI-Fix-wrong-length-of-devres-array.patch
+patchset-pf/fixes/0011-exec-fix-the-racy-usage-of-fs_struct-in_exec.patch
 
 patchset-zen/fixes/0001-arch-Kconfig-Default-to-maximum-amount-of-ASLR-bits.patch
 patchset-zen/fixes/0002-drivers-firmware-skip-simpledrm-if-nvidia-drm.modese.patch
-patchset-zen/fixes/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.patch