
release 6.14.6

Konstantin Demin 2025-05-09 12:55:05 +03:00
parent 9d4ee668cc
commit 5c06d65ded
26 changed files with 447 additions and 275 deletions

7
debian/changelog vendored

@ -1,3 +1,10 @@
linux (6.14.6-1) sid; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.14.6
-- Konstantin Demin <rockdrilla@gmail.com> Fri, 09 May 2025 12:23:42 +0300
linux (6.14.5-1) sid; urgency=medium
* New upstream stable update:

@ -3567,8 +3567,10 @@ CONFIG_VBOXSF_FS=m
CONFIG_DEFAULT_HOSTNAME="debian-vm"
CONFIG_LOG_BUF_SHIFT=17
CONFIG_LOG_CPU_MAX_BUF_SHIFT=12
# CONFIG_UCLAMP_TASK is not set
# CONFIG_RT_GROUP_SCHED is not set
CONFIG_UCLAMP_TASK=y
CONFIG_UCLAMP_BUCKETS_COUNT=10
CONFIG_RT_GROUP_SCHED=y
CONFIG_UCLAMP_TASK_GROUP=y
##
## file: kernel/Kconfig.kexec

@ -573,7 +573,7 @@ CONFIG_MHI_BUS_PCI_GENERIC=m
##
CONFIG_TTY_PRINTK=m
CONFIG_TTY_PRINTK_LEVEL=6
CONFIG_VIRTIO_CONSOLE=m
CONFIG_VIRTIO_CONSOLE=y
CONFIG_DEVMEM=y
CONFIG_NVRAM=m
CONFIG_HPET=y
@ -2812,7 +2812,7 @@ CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
CONFIG_IPV6_PIMSM_V2=y
CONFIG_IPV6_SEG6_LWTUNNEL=y
CONFIG_IPV6_SEG6_HMAC=y
# CONFIG_IPV6_RPL_LWTUNNEL is not set
CONFIG_IPV6_RPL_LWTUNNEL=y
# CONFIG_IPV6_IOAM6_LWTUNNEL is not set
##

7
debian/copyright vendored

@ -82,7 +82,7 @@ Files: fs/nls/mac-*
Copyright: 1991-2012 Unicode, Inc.
License: Unicode-data
All rights reserved. Distributed under the Terms of Use in
http://www.unicode.org/copyright.html.
https://www.unicode.org/copyright.html.
.
Permission is hereby granted, free of charge, to any person obtaining a
copy of the Unicode data files and any associated documentation (the "Data
@ -191,8 +191,7 @@ License: GPL-2
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License
along with this package; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
along with this program. If not, see <https://www.gnu.org/licenses/>.
.
On Debian systems, the complete text of the GNU General Public License version
2 can be found in `/usr/share/common-licenses/GPL-2'.
@ -209,7 +208,7 @@ License: LGPL-2.1
Lesser General Public License for more details.
.
You should have received a copy of the GNU Lesser General Public License
along with this program; If not, see <http://www.gnu.org/licenses/>.
along with this program; If not, see <https://www.gnu.org/licenses/>.
.
On Debian systems, the complete text of the GNU Lesser General Public
License version 2.1 can be found in `/usr/share/common-licenses/LGPL-2.1'.

@ -0,0 +1,10 @@
# This is a test program that does not link any libraries, either
# statically or dynamically
linux-perf: statically-linked-binary [usr/lib/perf-core/tests/shell/coresight/asm_pure_loop/asm_pure_loop]
# Some of these plugins only need symbols from libtraceevent, which
# loads them and should not have a NEEDED entry
linux-perf: shared-library-lacks-prerequisites *usr/lib/traceevent/plugins/plugin_*.so*
# This transition was too complex for dh_installdeb to handle
linux-perf: maintainer-script-should-not-use-dpkg-maintscript-helper "dpkg-maintscript-helper" *

@ -1,59 +0,0 @@
From: Christian Heusel <christian@heusel.eu>
Date: Thu, 24 Apr 2025 16:00:28 +0200
Subject: Revert "rndis_host: Flag RNDIS modems as WWAN devices"
Origin: https://git.kernel.org/linus/765f253e28909f161b0211f85cf0431cfee7d6df
Bug-Debian: https://bugs.debian.org/1104511
This reverts commit 67d1a8956d2d62fe6b4c13ebabb57806098511d8. Since this
commit has been proven to be problematic for the setup of USB-tethered
ethernet connections and the related breakage is very noticeable for
users it should be reverted until a fixed version of the change can be
rolled out.
Closes: https://lore.kernel.org/all/e0df2d85-1296-4317-b717-bd757e3ab928@heusel.eu/
Link: https://chaos.social/@gromit/114377862699921553
Link: https://bugzilla.kernel.org/show_bug.cgi?id=220002
Link: https://bugs.gentoo.org/953555
Link: https://bbs.archlinux.org/viewtopic.php?id=304892
Cc: stable@vger.kernel.org
Acked-by: Lubomir Rintel <lkundrak@v3.sk>
Signed-off-by: Christian Heusel <christian@heusel.eu>
Link: https://patch.msgid.link/20250424-usb-tethering-fix-v1-1-b65cf97c740e@heusel.eu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
drivers/net/usb/rndis_host.c | 16 ++--------------
1 file changed, 2 insertions(+), 14 deletions(-)
--- a/drivers/net/usb/rndis_host.c
+++ b/drivers/net/usb/rndis_host.c
@@ -630,16 +630,6 @@ static const struct driver_info zte_rndi
.tx_fixup = rndis_tx_fixup,
};
-static const struct driver_info wwan_rndis_info = {
- .description = "Mobile Broadband RNDIS device",
- .flags = FLAG_WWAN | FLAG_POINTTOPOINT | FLAG_FRAMING_RN | FLAG_NO_SETINT,
- .bind = rndis_bind,
- .unbind = rndis_unbind,
- .status = rndis_status,
- .rx_fixup = rndis_rx_fixup,
- .tx_fixup = rndis_tx_fixup,
-};
-
/*-------------------------------------------------------------------------*/
static const struct usb_device_id products [] = {
@@ -676,11 +666,9 @@ static const struct usb_device_id produc
USB_INTERFACE_INFO(USB_CLASS_WIRELESS_CONTROLLER, 1, 3),
.driver_info = (unsigned long) &rndis_info,
}, {
- /* Mobile Broadband Modem, seen in Novatel Verizon USB730L and
- * Telit FN990A (RNDIS)
- */
+ /* Novatel Verizon USB730L */
USB_INTERFACE_INFO(USB_CLASS_MISC, 4, 1),
- .driver_info = (unsigned long)&wwan_rndis_info,
+ .driver_info = (unsigned long) &rndis_info,
},
{ }, // END
};

@ -1,7 +1,7 @@
From: Serge Hallyn <serge.hallyn@canonical.com>
Date: Fri, 31 May 2013 19:12:12 +0000 (+0100)
Subject: add sysctl to disallow unprivileged CLONE_NEWUSER by default
Origin: http://kernel.ubuntu.com/git?p=serge%2Fubuntu-saucy.git;a=commit;h=5c847404dcb2e3195ad0057877e1422ae90892b8
Origin: https://kernel.ubuntu.com/git?p=serge%2Fubuntu-saucy.git;a=commit;h=5c847404dcb2e3195ad0057877e1422ae90892b8
add sysctl to disallow unprivileged CLONE_NEWUSER by default

@ -1,7 +1,7 @@
From: Adriaan Schmidt <adriaan.schmidt@siemens.com>
Date: Mon, 4 Apr 2022 13:38:33 +0200
Subject: tools: install perf python bindings
Bug-Debian: http://bugs.debian.org/860957
Bug-Debian: https://bugs.debian.org/860957
Forwarded: not-needed
---

@ -121,7 +121,7 @@ REFERENCES
1. https://gcc.gnu.org/onlinedocs/gcc/x86-Options.html#index-x86-Options
2. https://bugzilla.kernel.org/show_bug.cgi?id=77461
3. https://github.com/graysky2/kernel_gcc_patch/issues/15
4. http://www.linuxforge.net/docs/linux/linux-gcc.php
4. https://www.linuxforge.net/docs/linux/linux-gcc.php
---
arch/x86/Kconfig.cpu | 367 ++++++++++++++++++++++++++++++--
arch/x86/Makefile | 89 +++++++-

@ -112,7 +112,7 @@ Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
/*
--- a/include/linux/cpufreq.h
+++ b/include/linux/cpufreq.h
@@ -210,6 +210,9 @@ static inline struct cpufreq_policy *cpu
@@ -213,6 +213,9 @@ static inline struct cpufreq_policy *cpu
static inline void cpufreq_cpu_put(struct cpufreq_policy *policy) { }
#endif

@ -122,7 +122,7 @@ Signed-off-by: Eric Biggers <ebiggers@google.com>
+// Licensed under the Apache License 2.0 (the "License"). You may obtain a copy
+// of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,

@ -0,0 +1,72 @@
From b41541948188c8834cda272defdcaceb6b5192d5 Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Tue, 18 Mar 2025 15:12:03 +0100
Subject: mei: vsc: Use struct vsc_tp_packet as vsc-tp tx_buf and rx_buf type
vsc_tp.tx_buf and vsc_tp.rx_buf point to a struct vsc_tp_packet, use
the correct type instead of "void *" and use sizeof(*ptr) when allocating
memory for these buffers.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Alexander Usyskin <alexander.usyskin@intel.com>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Link: https://lore.kernel.org/r/20250318141203.94342-3-hdegoede@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/mei/vsc-tp.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/misc/mei/vsc-tp.c
+++ b/drivers/misc/mei/vsc-tp.c
@@ -71,8 +71,8 @@ struct vsc_tp {
u32 seq;
/* command buffer */
- void *tx_buf;
- void *rx_buf;
+ struct vsc_tp_packet *tx_buf;
+ struct vsc_tp_packet *rx_buf;
atomic_t assert_cnt;
wait_queue_head_t xfer_wait;
@@ -164,7 +164,7 @@ static int vsc_tp_xfer_helper(struct vsc
{
int ret, offset = 0, cpy_len, src_len, dst_len = sizeof(struct vsc_tp_packet_hdr);
int next_xfer_len = VSC_TP_PACKET_SIZE(pkt) + VSC_TP_XFER_TIMEOUT_BYTES;
- u8 *src, *crc_src, *rx_buf = tp->rx_buf;
+ u8 *src, *crc_src, *rx_buf = (u8 *)tp->rx_buf;
int count_down = VSC_TP_MAX_XFER_COUNT;
u32 recv_crc = 0, crc = ~0;
struct vsc_tp_packet_hdr ack;
@@ -324,7 +324,7 @@ int vsc_tp_rom_xfer(struct vsc_tp *tp, c
guard(mutex)(&tp->mutex);
/* rom xfer is big endian */
- cpu_to_be32_array(tp->tx_buf, obuf, words);
+ cpu_to_be32_array((u32 *)tp->tx_buf, obuf, words);
ret = read_poll_timeout(gpiod_get_value_cansleep, ret,
!ret, VSC_TP_ROM_XFER_POLL_DELAY_US,
@@ -340,7 +340,7 @@ int vsc_tp_rom_xfer(struct vsc_tp *tp, c
return ret;
if (ibuf)
- be32_to_cpu_array(ibuf, tp->rx_buf, words);
+ be32_to_cpu_array(ibuf, (u32 *)tp->rx_buf, words);
return ret;
}
@@ -494,11 +494,11 @@ static int vsc_tp_probe(struct spi_devic
if (!tp)
return -ENOMEM;
- tp->tx_buf = devm_kzalloc(dev, VSC_TP_MAX_XFER_SIZE, GFP_KERNEL);
+ tp->tx_buf = devm_kzalloc(dev, sizeof(*tp->tx_buf), GFP_KERNEL);
if (!tp->tx_buf)
return -ENOMEM;
- tp->rx_buf = devm_kzalloc(dev, VSC_TP_MAX_XFER_SIZE, GFP_KERNEL);
+ tp->rx_buf = devm_kzalloc(dev, sizeof(*tp->rx_buf), GFP_KERNEL);
if (!tp->rx_buf)
return -ENOMEM;
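Review bot: The two `devm_kzalloc()` calls in `vsc_tp_probe()` now take their size from `sizeof(*tp->tx_buf)` instead of `VSC_TP_MAX_XFER_SIZE`, so the buffer capacity depends on the layout of `struct vsc_tp_packet`, which is defined outside these hunks. `vsc_tp_rom_xfer()` still fills `tx_buf` with `words` 32-bit values through the new `(u32 *)` cast, and any length limit applied there is presumably still expressed against `VSC_TP_MAX_XFER_SIZE`. Pinning the invariant next to the struct, e.g. `static_assert(sizeof(struct vsc_tp_packet) >= VSC_TP_MAX_XFER_SIZE);`, would turn a later struct change into a build failure instead of an undersized heap buffer. The bodies of all three functions continue outside the hunks.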

@ -0,0 +1,98 @@
From dca14df8b269f207ac834149126964039142b596 Mon Sep 17 00:00:00 2001
From: Alex Deucher <alexander.deucher@amd.com>
Date: Thu, 1 May 2025 13:00:16 -0400
Subject: Revert "drm/amd: Stop evicting resources on APUs in suspend"
This reverts commit 3a9626c816db901def438dc2513622e281186d39.
This breaks S4 because we end up setting the s3/s0ix flags
even when we are entering s4 since prepare is used by both
flows. The causes both the S3/s0ix and s4 flags to be set
which breaks several checks in the driver which assume they
are mutually exclusive.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3634
Cc: Mario Limonciello <mario.limonciello@amd.com>
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
---
drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 --
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 18 ------------------
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 11 ++---------
3 files changed, 2 insertions(+), 29 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
@@ -1594,11 +1594,9 @@ static inline void amdgpu_acpi_get_backl
#if defined(CONFIG_ACPI) && defined(CONFIG_SUSPEND)
bool amdgpu_acpi_is_s3_active(struct amdgpu_device *adev);
bool amdgpu_acpi_is_s0ix_active(struct amdgpu_device *adev);
-void amdgpu_choose_low_power_state(struct amdgpu_device *adev);
#else
static inline bool amdgpu_acpi_is_s0ix_active(struct amdgpu_device *adev) { return false; }
static inline bool amdgpu_acpi_is_s3_active(struct amdgpu_device *adev) { return false; }
-static inline void amdgpu_choose_low_power_state(struct amdgpu_device *adev) { }
#endif
void amdgpu_register_gpu_instance(struct amdgpu_device *adev);
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
@@ -1533,22 +1533,4 @@ bool amdgpu_acpi_is_s0ix_active(struct a
#endif /* CONFIG_AMD_PMC */
}
-/**
- * amdgpu_choose_low_power_state
- *
- * @adev: amdgpu_device_pointer
- *
- * Choose the target low power state for the GPU
- */
-void amdgpu_choose_low_power_state(struct amdgpu_device *adev)
-{
- if (adev->in_runpm)
- return;
-
- if (amdgpu_acpi_is_s0ix_active(adev))
- adev->in_s0ix = true;
- else if (amdgpu_acpi_is_s3_active(adev))
- adev->in_s3 = true;
-}
-
#endif /* CONFIG_SUSPEND */
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -4861,15 +4861,13 @@ int amdgpu_device_prepare(struct drm_dev
struct amdgpu_device *adev = drm_to_adev(dev);
int i, r;
- amdgpu_choose_low_power_state(adev);
-
if (dev->switch_power_state == DRM_SWITCH_POWER_OFF)
return 0;
/* Evict the majority of BOs before starting suspend sequence */
r = amdgpu_device_evict_resources(adev);
if (r)
- goto unprepare;
+ return r;
flush_delayed_work(&adev->gfx.gfx_off_delay_work);
@@ -4880,15 +4878,10 @@ int amdgpu_device_prepare(struct drm_dev
continue;
r = adev->ip_blocks[i].version->funcs->prepare_suspend(&adev->ip_blocks[i]);
if (r)
- goto unprepare;
+ return r;
}
return 0;
-
-unprepare:
- adev->in_s0ix = adev->in_s3 = adev->in_s4 = false;
-
- return r;
}
/**

@ -0,0 +1,87 @@
From e9ee1b0a41166033eda14d11823826b79ce5131b Mon Sep 17 00:00:00 2001
From: Alex Deucher <alexander.deucher@amd.com>
Date: Thu, 1 May 2025 13:46:46 -0400
Subject: drm/amdgpu: fix pm notifier handling
Set the s3/s0ix and s4 flags in the pm notifier so that we can skip
the resource evictions properly in pm prepare based on whether
we are suspending or hibernating. Drop the eviction as processes
are not frozen at this time, we we can end up getting stuck trying
to evict VRAM while applications continue to submit work which
causes the buffers to get pulled back into VRAM.
v2: Move suspend flags out of pm notifier (Mario)
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4178
Fixes: 2965e6355dcd ("drm/amd: Add Suspend/Hibernate notification callback support")
Cc: Mario Limonciello <mario.limonciello@amd.com>
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 18 +++++-------------
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 10 +---------
2 files changed, 6 insertions(+), 22 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -4819,28 +4819,20 @@ static int amdgpu_device_evict_resources
* @data: data
*
* This function is called when the system is about to suspend or hibernate.
- * It is used to evict resources from the device before the system goes to
- * sleep while there is still access to swap.
+ * It is used to set the appropriate flags so that eviction can be optimized
+ * in the pm prepare callback.
*/
static int amdgpu_device_pm_notifier(struct notifier_block *nb, unsigned long mode,
void *data)
{
struct amdgpu_device *adev = container_of(nb, struct amdgpu_device, pm_nb);
- int r;
switch (mode) {
case PM_HIBERNATION_PREPARE:
adev->in_s4 = true;
- fallthrough;
- case PM_SUSPEND_PREPARE:
- r = amdgpu_device_evict_resources(adev);
- /*
- * This is considered non-fatal at this time because
- * amdgpu_device_prepare() will also fatally evict resources.
- * See https://gitlab.freedesktop.org/drm/amd/-/issues/3781
- */
- if (r)
- drm_warn(adev_to_drm(adev), "Failed to evict resources, freeze active processes if problems occur: %d\n", r);
+ break;
+ case PM_POST_HIBERNATION:
+ adev->in_s4 = false;
break;
}
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
@@ -2592,13 +2592,8 @@ static int amdgpu_pmops_freeze(struct de
static int amdgpu_pmops_thaw(struct device *dev)
{
struct drm_device *drm_dev = dev_get_drvdata(dev);
- struct amdgpu_device *adev = drm_to_adev(drm_dev);
- int r;
- r = amdgpu_device_resume(drm_dev, true);
- adev->in_s4 = false;
-
- return r;
+ return amdgpu_device_resume(drm_dev, true);
}
static int amdgpu_pmops_poweroff(struct device *dev)
@@ -2611,9 +2606,6 @@ static int amdgpu_pmops_poweroff(struct
static int amdgpu_pmops_restore(struct device *dev)
{
struct drm_device *drm_dev = dev_get_drvdata(dev);
- struct amdgpu_device *adev = drm_to_adev(drm_dev);
-
- adev->in_s4 = false;
return amdgpu_device_resume(drm_dev, true);
}
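Review bot: In `amdgpu_pmops_restore()` the removed `adev->in_s4 = false;` ran before `amdgpu_device_resume()`, while the flag is now cleared only by the `PM_POST_HIBERNATION` case in `amdgpu_device_pm_notifier()`. If that notification arrives after the device callbacks, the restore path resumes with `in_s4` still set, which is a change from the previous ordering; the code that reads the flag during resume is outside these hunks and should be checked against it. A comment in both `amdgpu_pmops_thaw()` and `amdgpu_pmops_restore()`, such as `/* in_s4 is cleared by the PM_POST_HIBERNATION notifier, after resume */`, would document where the flag's lifetime now ends.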

@ -1,108 +0,0 @@
From f9567920fca6215aed3fa0658c09ae57f3168ed0 Mon Sep 17 00:00:00 2001
From: Namjae Jeon <linkinjeon@kernel.org>
Date: Thu, 17 Apr 2025 10:10:15 +0900
Subject: ksmbd: fix use-after-free in ksmbd_session_rpc_open
A UAF issue can occur due to a race condition between
ksmbd_session_rpc_open() and __session_rpc_close().
Add rpc_lock to the session to protect it.
Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
fs/smb/server/mgmt/user_session.c | 20 ++++++++++++++------
fs/smb/server/mgmt/user_session.h | 1 +
2 files changed, 15 insertions(+), 6 deletions(-)
--- a/fs/smb/server/mgmt/user_session.c
+++ b/fs/smb/server/mgmt/user_session.c
@@ -59,10 +59,12 @@ static void ksmbd_session_rpc_clear_list
struct ksmbd_session_rpc *entry;
long index;
+ down_write(&sess->rpc_lock);
xa_for_each(&sess->rpc_handle_list, index, entry) {
xa_erase(&sess->rpc_handle_list, index);
__session_rpc_close(sess, entry);
}
+ up_write(&sess->rpc_lock);
xa_destroy(&sess->rpc_handle_list);
}
@@ -92,7 +94,7 @@ int ksmbd_session_rpc_open(struct ksmbd_
{
struct ksmbd_session_rpc *entry, *old;
struct ksmbd_rpc_command *resp;
- int method;
+ int method, id;
method = __rpc_method(rpc_name);
if (!method)
@@ -102,26 +104,29 @@ int ksmbd_session_rpc_open(struct ksmbd_
if (!entry)
return -ENOMEM;
+ down_read(&sess->rpc_lock);
entry->method = method;
- entry->id = ksmbd_ipc_id_alloc();
- if (entry->id < 0)
+ entry->id = id = ksmbd_ipc_id_alloc();
+ if (id < 0)
goto free_entry;
- old = xa_store(&sess->rpc_handle_list, entry->id, entry, KSMBD_DEFAULT_GFP);
+ old = xa_store(&sess->rpc_handle_list, id, entry, KSMBD_DEFAULT_GFP);
if (xa_is_err(old))
goto free_id;
- resp = ksmbd_rpc_open(sess, entry->id);
+ resp = ksmbd_rpc_open(sess, id);
if (!resp)
goto erase_xa;
+ up_read(&sess->rpc_lock);
kvfree(resp);
- return entry->id;
+ return id;
erase_xa:
xa_erase(&sess->rpc_handle_list, entry->id);
free_id:
ksmbd_rpc_id_free(entry->id);
free_entry:
kfree(entry);
+ up_read(&sess->rpc_lock);
return -EINVAL;
}
@@ -129,9 +134,11 @@ void ksmbd_session_rpc_close(struct ksmb
{
struct ksmbd_session_rpc *entry;
+ down_write(&sess->rpc_lock);
entry = xa_erase(&sess->rpc_handle_list, id);
if (entry)
__session_rpc_close(sess, entry);
+ up_write(&sess->rpc_lock);
}
int ksmbd_session_rpc_method(struct ksmbd_session *sess, int id)
@@ -439,6 +446,7 @@ static struct ksmbd_session *__session_c
sess->sequence_number = 1;
rwlock_init(&sess->tree_conns_lock);
atomic_set(&sess->refcnt, 2);
+ init_rwsem(&sess->rpc_lock);
ret = __init_smb2_session(sess);
if (ret)
--- a/fs/smb/server/mgmt/user_session.h
+++ b/fs/smb/server/mgmt/user_session.h
@@ -63,6 +63,7 @@ struct ksmbd_session {
rwlock_t tree_conns_lock;
atomic_t refcnt;
+ struct rw_semaphore rpc_lock;
};
static inline int test_session_flag(struct ksmbd_session *sess, int bit)

@ -0,0 +1,33 @@
From 7b3f0f8d11f1b4319f593ba02d4dece890755dfa Mon Sep 17 00:00:00 2001
From: Namjae Jeon <linkinjeon@kernel.org>
Date: Wed, 30 Apr 2025 11:18:28 +0900
Subject: ksmbd: prevent rename with empty string
Client can send empty newname string to ksmbd server.
It will cause a kernel oops from d_alloc.
This patch return the error when attempting to rename
a file or directory with an empty new name string.
Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
fs/smb/server/smb2pdu.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -633,6 +633,11 @@ smb2_get_name(const char *src, const int
return name;
}
+ if (*name == '\0') {
+ kfree(name);
+ return ERR_PTR(-EINVAL);
+ }
+
if (*name == '\\') {
pr_err("not allow directory name included leading slash\n");
kfree(name);
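Review bot: The new `*name == '\0'` rejection sits in the shared helper `smb2_get_name()`, so it applies to every caller and not only to the rename path named in the subject; the callers are outside the hunk, so it is worth confirming that none of them legitimately passes an empty name. The check is also undocumented and silent, unlike the leading-backslash check directly below it. A comment such as `/* an empty name would reach d_alloc() and oops */` would keep the reason next to the code, and a debug-level message rather than `pr_err()` would make rejections visible without letting a client flood the log.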

@ -1,56 +0,0 @@
From 6e367a428b98393cd5d0ab993983ba40dc748ca5 Mon Sep 17 00:00:00 2001
From: Sean Heelan <seanheelan@gmail.com>
Date: Sat, 19 Apr 2025 19:59:28 +0100
Subject: ksmbd: fix use-after-free in kerberos authentication
Setting sess->user = NULL was introduced to fix the dangling pointer
created by ksmbd_free_user. However, it is possible another thread could
be operating on the session and make use of sess->user after it has been
passed to ksmbd_free_user but before sess->user is set to NULL.
Cc: stable@vger.kernel.org
Signed-off-by: Sean Heelan <seanheelan@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
fs/smb/server/auth.c | 14 +++++++++++++-
fs/smb/server/smb2pdu.c | 5 -----
2 files changed, 13 insertions(+), 6 deletions(-)
--- a/fs/smb/server/auth.c
+++ b/fs/smb/server/auth.c
@@ -550,7 +550,19 @@ int ksmbd_krb5_authenticate(struct ksmbd
retval = -ENOMEM;
goto out;
}
- sess->user = user;
+
+ if (!sess->user) {
+ /* First successful authentication */
+ sess->user = user;
+ } else {
+ if (!ksmbd_compare_user(sess->user, user)) {
+ ksmbd_debug(AUTH, "different user tried to reuse session\n");
+ retval = -EPERM;
+ ksmbd_free_user(user);
+ goto out;
+ }
+ ksmbd_free_user(user);
+ }
memcpy(sess->sess_key, resp->payload, resp->session_key_len);
memcpy(out_blob, resp->payload + resp->session_key_len,
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -1602,11 +1602,6 @@ static int krb5_authenticate(struct ksmb
if (prev_sess_id && prev_sess_id != sess->id)
destroy_previous_session(conn, sess->user, prev_sess_id);
- if (sess->state == SMB2_SESSION_VALID) {
- ksmbd_free_user(sess->user);
- sess->user = NULL;
- }
-
retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
out_blob, &out_len);
if (retval) {

@ -0,0 +1,37 @@
From fb87d390de327c76b11ed544de83771118f7b0c5 Mon Sep 17 00:00:00 2001
From: Norbert Szetei <norbert@doyensec.com>
Date: Fri, 2 May 2025 08:21:58 +0900
Subject: ksmbd: prevent out-of-bounds stream writes by validating *pos
ksmbd_vfs_stream_write() did not validate whether the write offset
(*pos) was within the bounds of the existing stream data length (v_len).
If *pos was greater than or equal to v_len, this could lead to an
out-of-bounds memory write.
This patch adds a check to ensure *pos is less than v_len before
proceeding. If the condition fails, -EINVAL is returned.
Cc: stable@vger.kernel.org
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
fs/smb/server/vfs.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/fs/smb/server/vfs.c
+++ b/fs/smb/server/vfs.c
@@ -443,6 +443,13 @@ static int ksmbd_vfs_stream_write(struct
goto out;
}
+ if (v_len <= *pos) {
+ pr_err("stream write position %lld is out of bounds (stream length: %zd)\n",
+ *pos, v_len);
+ err = -EINVAL;
+ goto out;
+ }
+
if (v_len < size) {
wbuf = kvzalloc(size, KSMBD_DEFAULT_GFP);
if (!wbuf) {
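Review bot: The added guard `if (v_len <= *pos)` also rejects `*pos == v_len` and, when the stream xattr is empty (`v_len == 0`), a write at offset 0, although the `if (v_len < size)` branch directly below reallocates the buffer to `size`, which suggests that growing writes are meant to work. The copy that needs bounding is outside the hunk; if it writes `count` bytes at `*pos` into a buffer of at least `size` bytes, the condition to enforce is that `*pos` is non-negative and `*pos + count` stays within that size, rather than `*pos < v_len`. The `pr_err()` is reachable with offsets supplied by the peer, so `pr_err_ratelimited(...)` or a debug-level message would prevent log flooding.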

@ -0,0 +1,74 @@
From 67ea573ce44aeac74e659879cdeb6ac39212d0b9 Mon Sep 17 00:00:00 2001
From: Sean Heelan <seanheelan@gmail.com>
Date: Tue, 6 May 2025 22:04:52 +0900
Subject: ksmbd: Fix UAF in __close_file_table_ids
A use-after-free is possible if one thread destroys the file
via __ksmbd_close_fd while another thread holds a reference to
it. The existing checks on fp->refcount are not sufficient to
prevent this.
The fix takes ft->lock around the section which removes the
file from the file table. This prevents two threads acquiring the
same file pointer via __close_file_table_ids, as well as the other
functions which retrieve a file from the IDR and which already use
this same lock.
Cc: stable@vger.kernel.org
Signed-off-by: Sean Heelan <seanheelan@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
fs/smb/server/vfs_cache.c | 33 ++++++++++++++++++++++++++-------
1 file changed, 26 insertions(+), 7 deletions(-)
--- a/fs/smb/server/vfs_cache.c
+++ b/fs/smb/server/vfs_cache.c
@@ -661,21 +661,40 @@ __close_file_table_ids(struct ksmbd_file
bool (*skip)(struct ksmbd_tree_connect *tcon,
struct ksmbd_file *fp))
{
- unsigned int id;
- struct ksmbd_file *fp;
- int num = 0;
+ struct ksmbd_file *fp;
+ unsigned int id = 0;
+ int num = 0;
- idr_for_each_entry(ft->idr, fp, id) {
- if (skip(tcon, fp))
+ while (1) {
+ write_lock(&ft->lock);
+ fp = idr_get_next(ft->idr, &id);
+ if (!fp) {
+ write_unlock(&ft->lock);
+ break;
+ }
+
+ if (skip(tcon, fp) ||
+ !atomic_dec_and_test(&fp->refcount)) {
+ id++;
+ write_unlock(&ft->lock);
continue;
+ }
set_close_state_blocked_works(fp);
+ idr_remove(ft->idr, fp->volatile_id);
+ fp->volatile_id = KSMBD_NO_FID;
+ write_unlock(&ft->lock);
+
+ down_write(&fp->f_ci->m_lock);
+ list_del_init(&fp->node);
+ up_write(&fp->f_ci->m_lock);
- if (!atomic_dec_and_test(&fp->refcount))
- continue;
__ksmbd_close_fd(ft, fp);
+
num++;
+ id++;
}
+
return num;
}
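Review bot: `skip(tcon, fp)` is now called with `ft->lock` write-held, while the same hunk takes `fp->f_ci->m_lock` only after `write_unlock(&ft->lock)`; if `ft->lock` is a spinning rwlock and any `skip` callback takes a sleeping lock such as `m_lock`, the callback would sleep in atomic context. The callbacks are defined outside the hunk, so their bodies need to be checked against this. Separately, `set_close_state_blocked_works(fp)` used to run for every non-skipped file and now runs only when the refcount drops to zero, which the commit message does not mention. A comment above the loop, e.g. `/* skip() is called under ft->lock and must not sleep */`, would record the constraint for future callbacks.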

@ -1,31 +0,0 @@
From 818b4d086f287e0a5cc6368eb72703b68b0603d0 Mon Sep 17 00:00:00 2001
From: Sean Heelan <seanheelan@gmail.com>
Date: Mon, 21 Apr 2025 15:39:29 +0000
Subject: ksmbd: fix use-after-free in session logoff
The sess->user object can currently be in use by another thread, for
example if another connection has sent a session setup request to
bind to the session being free'd. The handler for that connection could
be in the smb2_sess_setup function which makes use of sess->user.
Cc: stable@vger.kernel.org
Signed-off-by: Sean Heelan <seanheelan@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
fs/smb/server/smb2pdu.c | 4 ----
1 file changed, 4 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2244,10 +2244,6 @@ int smb2_session_logoff(struct ksmbd_wor
sess->state = SMB2_SESSION_EXPIRED;
up_write(&conn->session_lock);
- if (sess->user) {
- ksmbd_free_user(sess->user);
- sess->user = NULL;
- }
ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_SETUP);
rsp->StructureSize = cpu_to_le16(4);

@ -51,7 +51,7 @@ Signed-off-by: Alexandre Frade <kernel@xanmod.org>
#define MIN_FREQUENCY_UP_THRESHOLD (1)
#define MAX_FREQUENCY_UP_THRESHOLD (100)
@@ -128,7 +128,7 @@ static void dbs_freq_increase(struct cpu
@@ -129,7 +129,7 @@ static void dbs_freq_increase(struct cpu
}
/*

@ -42,7 +42,7 @@ selection.
governors layer of cpufreq and provides it own
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -3827,6 +3827,8 @@ static int __init intel_pstate_setup(cha
@@ -3830,6 +3830,8 @@ static int __init intel_pstate_setup(cha
if (!strcmp(str, "disable"))
no_load = 1;

10
debian/patches/series vendored

@ -69,7 +69,6 @@ features/x86/x86-make-x32-syscall-support-conditional.patch
bugfix/all/disable-some-marvell-phys.patch
bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
bugfix/all/documentation-use-relative-source-paths-in-abi-documentation.patch
bugfix/all/Revert-rndis_host-Flag-RNDIS-modems-as-WWAN-devices.patch
# Miscellaneous features
@ -157,9 +156,9 @@ patchset-pf/cpuidle/0001-cpuidle-Prefer-teo-over-menu-governor.patch
patchset-pf/crypto/0001-crypto-x86-aes-xts-make-the-fast-path-64-bit-specifi.patch
patchset-pf/crypto/0002-crypto-x86-aes-ctr-rewrite-AESNI-AVX-optimized-CTR-a.patch
patchset-pf/smb/0001-ksmbd-fix-use-after-free-in-ksmbd_session_rpc_open.patch
patchset-pf/smb/0002-ksmbd-fix-use-after-free-in-kerberos-authentication.patch
patchset-pf/smb/0003-ksmbd-fix-use-after-free-in-session-logoff.patch
patchset-pf/smb/0001-ksmbd-prevent-rename-with-empty-string.patch
patchset-pf/smb/0002-ksmbd-prevent-out-of-bounds-stream-writes-by-validat.patch
patchset-pf/smb/0003-ksmbd-Fix-UAF-in-__close_file_table_ids.patch
patchset-pf/zstd/0001-zstd-import-upstream-v1.5.7.patch
patchset-pf/zstd/0002-lib-zstd-Refactor-intentional-wrap-around-test.patch
@ -273,6 +272,9 @@ patchset-pf/fixes/0007-Kconfig-switch-CONFIG_SYSFS_SYCALL-default-to-n.patch
patchset-pf/fixes/0008-gcc-15-make-unterminated-string-initialization-just-.patch
patchset-pf/fixes/0009-gcc-15-disable-Wunterminated-string-initialization-e.patch
patchset-pf/fixes/0010-wifi-mac80211-mark-copy_mesh_setup-as-noinline.patch
patchset-pf/fixes/0011-mei-vsc-Use-struct-vsc_tp_packet-as-vsc-tp-tx_buf-an.patch
patchset-pf/fixes/0012-Revert-drm-amd-Stop-evicting-resources-on-APUs-in-su.patch
patchset-pf/fixes/0013-drm-amdgpu-fix-pm-notifier-handling.patch
patchset-zen/fixes/0001-arch-Kconfig-Default-to-maximum-amount-of-ASLR-bits.patch
patchset-zen/fixes/0002-drivers-firmware-skip-simpledrm-if-nvidia-drm.modese.patch

2
debian/rules.real vendored

@ -229,7 +229,7 @@ define dh_binary_post
dh_fixperms
dh_missing
dh_strip $(DH_STRIP_ARGS) -Xvmlinux -Xvmlinuz
dh_makeshlibs -Xvmlinux -Xvmlinuz
dh_makeshlibs -Xvdso -Xvmlinux -Xvmlinuz
dh_shlibdeps $(DH_SHLIBDEPS_ARGS)
dh_installdeb
if command -v dh_movetousr >/dev/null ; then dh_movetousr ; fi

@ -1 +1,6 @@
# This 'executable' file intentionally contains only BTF sections
{{package}}: statically-linked-binary [usr/src/*/vmlinux]
{{package}}: unstripped-binary-or-object [usr/src/*/vmlinux]
{% if arch in ['arm64'] %}
{{package}}: shared-library-lacks-prerequisites [usr/src/*/vmlinux]
{% endif %}

@ -6,7 +6,7 @@ Section: kernel
Build-Depends: patchutils, xz-utils
Depends: binutils, xz-utils, ${misc:Depends}
Recommends: build-essential, bc, rsync, kmod, cpio, bison, flex, libelf-dev, libssl-dev, krd-linux-config-@version@
Suggests: libncurses-dev | ncurses-dev, qtbase5-dev, pkg-config
Suggests: libncurses-dev | ncurses-dev, qtbase5-dev, pkgconf
Multi-Arch: foreign
Description: KrD's Linux kernel source for version @version@ with patches
This package provides source code for the Linux kernel version @version@.