release 6.14.5

2025-05-02 16:53:38 +03:00
parent 23be27fbba
commit 9d4ee668cc
15 changed files with 475 additions and 95 deletions
--- a/debian/bin/genpatch-pfkernel
+++ b/debian/bin/genpatch-pfkernel
@@ -7,7 +7,7 @@ w=$(git rev-parse --path-format=absolute --show-toplevel) ; : "${w:?}" ; cd "$w"
 dst='debian/patches/pf-tmp'
 src='../linux-extras'
-branches='amd-pstate btrfs cpuidle crypto fixes kbuild zstd'
+branches='amd-pstate cpuidle crypto fixes kbuild smb zstd'
 if [ -d "${dst}" ] ; then rm -rf "${dst}" ; fi
 mkdir -p "${dst}"
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
 linux (6.14.5-1) sid; urgency=medium
  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.14.5
 -- Konstantin Demin <rockdrilla@gmail.com>  Fri, 02 May 2025 16:25:21 +0300
 linux (6.14.4-1) sid; urgency=medium
  * New upstream stable update:
--- a/debian/config/config
+++ b/debian/config/config
@@ -197,7 +197,6 @@ CONFIG_UNWINDER_ORC=y
 ##
 ## file: arch/x86/crypto/Kconfig
 ##
 CONFIG_CRYPTO_CURVE25519_X86=m
 CONFIG_CRYPTO_AES_NI_INTEL=m
 CONFIG_CRYPTO_BLOWFISH_X86_64=m
 CONFIG_CRYPTO_CAMELLIA_X86_64=m
@@ -217,13 +216,11 @@ CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m
 CONFIG_CRYPTO_ARIA_AESNI_AVX_X86_64=m
 CONFIG_CRYPTO_ARIA_AESNI_AVX2_X86_64=m
 CONFIG_CRYPTO_ARIA_GFNI_AVX512_X86_64=m
 CONFIG_CRYPTO_CHACHA20_X86_64=m
 CONFIG_CRYPTO_AEGIS128_AESNI_SSE2=m
 CONFIG_CRYPTO_NHPOLY1305_SSE2=m
 CONFIG_CRYPTO_NHPOLY1305_AVX2=m
 CONFIG_CRYPTO_BLAKE2S_X86=y
 CONFIG_CRYPTO_POLYVAL_CLMUL_NI=m
 CONFIG_CRYPTO_POLY1305_X86_64=m
 CONFIG_CRYPTO_SHA1_SSSE3=m
 CONFIG_CRYPTO_SHA256_SSSE3=m
 CONFIG_CRYPTO_SHA512_SSSE3=m
@@ -3546,11 +3543,13 @@ CONFIG_CRYPTO_AKCIPHER2=y
 CONFIG_CRYPTO_ALGAPI=y
 CONFIG_CRYPTO_ALGAPI2=y
 CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S=y
-CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m
+CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=y
-CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=m
+CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=y
-CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m
+CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=y
 CONFIG_CRYPTO_BLOWFISH_COMMON=m
 CONFIG_CRYPTO_CAST_COMMON=m
 CONFIG_CRYPTO_CHACHA20_X86_64=m
 CONFIG_CRYPTO_CURVE25519_X86=m
 CONFIG_CRYPTO_DRBG=y
 CONFIG_CRYPTO_DRBG_HMAC=y
 CONFIG_CRYPTO_ECC=y
@@ -3568,10 +3567,13 @@ CONFIG_CRYPTO_LIB_AES=y
 CONFIG_CRYPTO_LIB_AESGCM=y
 CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y
 CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m
 CONFIG_CRYPTO_LIB_CHACHA_INTERNAL=m
 CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m
 CONFIG_CRYPTO_LIB_CURVE25519_INTERNAL=m
 CONFIG_CRYPTO_LIB_DES=m
 CONFIG_CRYPTO_LIB_GF128MUL=y
 CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m
 CONFIG_CRYPTO_LIB_POLY1305_INTERNAL=m
 CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11
 CONFIG_CRYPTO_LIB_SHA1=y
 CONFIG_CRYPTO_LIB_SHA256=y
@@ -3579,6 +3581,7 @@ CONFIG_CRYPTO_LIB_UTILS=y
 CONFIG_CRYPTO_MANAGER2=y
 CONFIG_CRYPTO_NHPOLY1305=m
 CONFIG_CRYPTO_NULL2=y
 CONFIG_CRYPTO_POLY1305_X86_64=m
 CONFIG_CRYPTO_POLYVAL=m
 CONFIG_CRYPTO_RNG=y
 CONFIG_CRYPTO_RNG2=y
--- a/debian/patches/bugfix/all/Revert-rndis_host-Flag-RNDIS-modems-as-WWAN-devices.patch
+++ b/debian/patches/bugfix/all/Revert-rndis_host-Flag-RNDIS-modems-as-WWAN-devices.patch
@@ -0,0 +1,59 @@
 From: Christian Heusel <christian@heusel.eu>
 Date: Thu, 24 Apr 2025 16:00:28 +0200
 Subject: Revert "rndis_host: Flag RNDIS modems as WWAN devices"
 Origin: https://git.kernel.org/linus/765f253e28909f161b0211f85cf0431cfee7d6df
 Bug-Debian: https://bugs.debian.org/1104511
 This reverts commit 67d1a8956d2d62fe6b4c13ebabb57806098511d8. Since this
 commit has been proven to be problematic for the setup of USB-tethered
 ethernet connections and the related breakage is very noticeable for
 users it should be reverted until a fixed version of the change can be
 rolled out.
 Closes: https://lore.kernel.org/all/e0df2d85-1296-4317-b717-bd757e3ab928@heusel.eu/
 Link: https://chaos.social/@gromit/114377862699921553
 Link: https://bugzilla.kernel.org/show_bug.cgi?id=220002
 Link: https://bugs.gentoo.org/953555
 Link: https://bbs.archlinux.org/viewtopic.php?id=304892
 Cc: stable@vger.kernel.org
 Acked-by: Lubomir Rintel <lkundrak@v3.sk>
 Signed-off-by: Christian Heusel <christian@heusel.eu>
 Link: https://patch.msgid.link/20250424-usb-tethering-fix-v1-1-b65cf97c740e@heusel.eu
 Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 ---
 drivers/net/usb/rndis_host.c | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)
 --- a/drivers/net/usb/rndis_host.c
 +++ b/drivers/net/usb/rndis_host.c
@@ -630,16 +630,6 @@ static const struct driver_info	zte_rndi
 	.tx_fixup =	rndis_tx_fixup,
 };
 -static const struct driver_info	wwan_rndis_info = {
 -	.description =	"Mobile Broadband RNDIS device",
 -	.flags =	FLAG_WWAN | FLAG_POINTTOPOINT | FLAG_FRAMING_RN | FLAG_NO_SETINT,
 -	.bind =		rndis_bind,
 -	.unbind =	rndis_unbind,
 -	.status =	rndis_status,
 -	.rx_fixup =	rndis_rx_fixup,
 -	.tx_fixup =	rndis_tx_fixup,
 -};
 -
 /*-------------------------------------------------------------------------*/
 static const struct usb_device_id	products [] = {
@@ -676,11 +666,9 @@ static const struct usb_device_id	produc
 	USB_INTERFACE_INFO(USB_CLASS_WIRELESS_CONTROLLER, 1, 3),
 	.driver_info = (unsigned long) &rndis_info,
 }, {
 -	/* Mobile Broadband Modem, seen in Novatel Verizon USB730L and
 -	 * Telit FN990A (RNDIS)
 -	 */
 +	/* Novatel Verizon USB730L */
 	USB_INTERFACE_INFO(USB_CLASS_MISC, 4, 1),
 -	.driver_info = (unsigned long)&wwan_rndis_info,
 +	.driver_info = (unsigned long) &rndis_info,
 },
 	{ },		// END
 };
--- a/debian/patches/debian/makefile-make-compiler-version-comparison-optional.patch
+++ b/debian/patches/debian/makefile-make-compiler-version-comparison-optional.patch
@@ -20,7 +20,7 @@ is non-empty.
 ---
 --- a/Makefile
 +++ b/Makefile
-@@ -1875,7 +1875,7 @@ PHONY += prepare
+@@ -1876,7 +1876,7 @@ PHONY += prepare
 # now expand this into a simple variable to reduce the cost of shell evaluations
 prepare: CC_VERSION_TEXT := $(CC_VERSION_TEXT)
 prepare:
--- a/debian/patches/krd/0001-Revert-objtool-dont-fail-the-kernel-build-on-fatal-errors.patch
+++ b/debian/patches/krd/0001-Revert-objtool-dont-fail-the-kernel-build-on-fatal-errors.patch
@@ -30,7 +30,7 @@ this reverts following commit:
 --- a/tools/objtool/check.c
 +++ b/tools/objtool/check.c
-@@ -4751,10 +4751,14 @@ int check(struct objtool_file *file)
+@@ -4773,10 +4773,14 @@ int check(struct objtool_file *file)
 	}
 out:
--- a/debian/patches/patchset-pf/fixes/0008-gcc-15-make-unterminated-string-initialization-just-.patch
+++ b/debian/patches/patchset-pf/fixes/0008-gcc-15-make-unterminated-string-initialization-just-.patch
@@ -0,0 +1,80 @@
 From 45a91b33b7de48d4ee8875d2fcc6be04d7e3919c Mon Sep 17 00:00:00 2001
 From: Linus Torvalds <torvalds@linux-foundation.org>
 Date: Sun, 20 Apr 2025 10:33:23 -0700
 Subject: gcc-15: make 'unterminated string initialization' just a warning
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 gcc-15 enabling -Wunterminated-string-initialization in -Wextra by
 default was done with the best intentions, but the warning is still
 quite broken.
 What annoys me about the warning is that this is a very traditional AND
 CORRECT way to initialize fixed byte arrays in C:
 	unsigned char hex[16] = "0123456789abcdef";
 and we use this all over the kernel.  And the warning is fine, but gcc
 developers apparently never made a reasonable way to disable it.  As is
 (sadly) tradition with these things.
 Yes, there's "__attribute__((nonstring))", and we have a macro to make
 that absolutely disgusting syntax more palatable (ie the kernel syntax
 for that monstrosity is just "__nonstring").
 But that attribute is misdesigned.  What you'd typically want to do is
 tell the compiler that you are using a type that isn't a string but a
 byte array, but that doesn't work at all:
 	warning: ‘nonstring’ attribute does not apply to types [-Wattributes]
 and because of this fundamental mis-design, you then have to mark each
 instance of that pattern.
 This is particularly noticeable in our ACPI code, because ACPI has this
 notion of a 4-byte "type name" that gets used all over, and is exactly
 this kind of byte array.
 This is a sad oversight, because the warning is useful, but really would
 be so much better if gcc had also given a sane way to indicate that we
 really just want a byte array type at a type level, not the broken "each
 and every array definition" level.
 So now instead of creating a nice "ACPI name" type using something like
 	typedef char acpi_name_t[4] __nonstring;
 we have to do things like
 	char name[ACPI_NAMESEG_SIZE] __nonstring;
 in every place that uses this concept and then happens to have the
 typical initializers.
 This is annoying me mainly because I think the warning _is_ a good
 warning, which is why I'm not just turning it off in disgust.  But it is
 hampered by this bad implementation detail.
 [ And obviously I'm doing this now because system upgrades for me are
  something that happen in the middle of the release cycle: don't do it
  before or during travel, or just before or during the busy merge
  window period. ]
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 ---
 Makefile | 3 +++
 1 file changed, 3 insertions(+)
 --- a/Makefile
 +++ b/Makefile
@@ -1071,6 +1071,9 @@ KBUILD_CFLAGS += $(call cc-option, -fstr
 KBUILD_CFLAGS-$(CONFIG_CC_NO_STRINGOP_OVERFLOW) += $(call cc-option, -Wno-stringop-overflow)
 KBUILD_CFLAGS-$(CONFIG_CC_STRINGOP_OVERFLOW) += $(call cc-option, -Wstringop-overflow)
 +#Currently, disable -Wunterminated-string-initialization as an error
 +KBUILD_CFLAGS += $(call cc-option, -Wno-error=unterminated-string-initialization)
 +
 # disable invalid "can't wrap" optimizations for signed / pointers
 KBUILD_CFLAGS	+= -fno-strict-overflow
--- a/debian/patches/patchset-pf/fixes/0008-sched-eevdf-Fix-se-slice-being-set-to-U64_MAX-and-re.patch
+++ b/debian/patches/patchset-pf/fixes/0008-sched-eevdf-Fix-se-slice-being-set-to-U64_MAX-and-re.patch
@@ -1,80 +0,0 @@
 From ea3ec10cacc746176a25dbd74c8d168e1c096a62 Mon Sep 17 00:00:00 2001
 From: Omar Sandoval <osandov@fb.com>
 Date: Fri, 25 Apr 2025 01:51:24 -0700
 Subject: sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash
 There is a code path in dequeue_entities() that can set the slice of a
 sched_entity to U64_MAX, which sometimes results in a crash.
 The offending case is when dequeue_entities() is called to dequeue a
 delayed group entity, and then the entity's parent's dequeue is delayed.
 In that case:
 1. In the if (entity_is_task(se)) else block at the beginning of
   dequeue_entities(), slice is set to
   cfs_rq_min_slice(group_cfs_rq(se)). If the entity was delayed, then
   it has no queued tasks, so cfs_rq_min_slice() returns U64_MAX.
 2. The first for_each_sched_entity() loop dequeues the entity.
 3. If the entity was its parent's only child, then the next iteration
   tries to dequeue the parent.
 4. If the parent's dequeue needs to be delayed, then it breaks from the
   first for_each_sched_entity() loop _without updating slice_.
 5. The second for_each_sched_entity() loop sets the parent's ->slice to
   the saved slice, which is still U64_MAX.
 This throws off subsequent calculations with potentially catastrophic
 results. A manifestation we saw in production was:
 6. In update_entity_lag(), se->slice is used to calculate limit, which
   ends up as a huge negative number.
 7. limit is used in se->vlag = clamp(vlag, -limit, limit). Because limit
   is negative, vlag > limit, so se->vlag is set to the same huge
   negative number.
 8. In place_entity(), se->vlag is scaled, which overflows and results in
   another huge (positive or negative) number.
 9. The adjusted lag is subtracted from se->vruntime, which increases or
   decreases se->vruntime by a huge number.
 10. pick_eevdf() calls entity_eligible()/vruntime_eligible(), which
    incorrectly returns false because the vruntime is so far from the
    other vruntimes on the queue, causing the
    (vruntime - cfs_rq->min_vruntime) * load calulation to overflow.
 11. Nothing appears to be eligible, so pick_eevdf() returns NULL.
 12. pick_next_entity() tries to dereference the return value of
    pick_eevdf() and crashes.
 Dumping the cfs_rq states from the core dumps with drgn showed tell-tale
 huge vruntime ranges and bogus vlag values, and I also traced se->slice
 being set to U64_MAX on live systems (which was usually "benign" since
 the rest of the runqueue needed to be in a particular state to crash).
 Fix it in dequeue_entities() by always setting slice from the first
 non-empty cfs_rq.
 Fixes: aef6987d8954 ("sched/eevdf: Propagate min_slice up the cgroup hierarchy")
 Signed-off-by: Omar Sandoval <osandov@fb.com>
 Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
 Link: https://lkml.kernel.org/r/f0c2d1072be229e1bdddc73c0703919a8b00c652.1745570998.git.osandov@fb.com
 ---
 kernel/sched/fair.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
 --- a/kernel/sched/fair.c
 +++ b/kernel/sched/fair.c
@@ -7096,9 +7096,6 @@ static int dequeue_entities(struct rq *r
 		h_nr_idle = task_has_idle_policy(p);
 		if (task_sleep || task_delayed || !se->sched_delayed)
 			h_nr_runnable = 1;
 -	} else {
 -		cfs_rq = group_cfs_rq(se);
 -		slice = cfs_rq_min_slice(cfs_rq);
 	}
 	for_each_sched_entity(se) {
@@ -7108,6 +7105,7 @@ static int dequeue_entities(struct rq *r
 			if (p && &p->se == se)
 				return -1;
 +			slice = cfs_rq_min_slice(cfs_rq);
 			break;
 		}
--- a/debian/patches/patchset-pf/fixes/0009-gcc-15-disable-Wunterminated-string-initialization-e.patch
+++ b/debian/patches/patchset-pf/fixes/0009-gcc-15-disable-Wunterminated-string-initialization-e.patch
@@ -0,0 +1,74 @@
 From 4018bbbaed061f15e0b84ea36b4aa95784934a33 Mon Sep 17 00:00:00 2001
 From: Linus Torvalds <torvalds@linux-foundation.org>
 Date: Sun, 20 Apr 2025 15:30:53 -0700
 Subject: gcc-15: disable '-Wunterminated-string-initialization' entirely for
 now
 I had left the warning around but as a non-fatal error to get my gcc-15
 builds going, but fixed up some of the most annoying warning cases so
 that it wouldn't be *too* verbose.
 Because I like the _concept_ of the warning, even if I detested the
 implementation to shut it up.
 It turns out the implementation to shut it up is even more broken than I
 thought, and my "shut up most of the warnings" patch just caused fatal
 errors on gcc-14 instead.
 I had tested with clang, but when I upgrade my development environment,
 I try to do it on all machines because I hate having different systems
 to maintain, and hadn't realized that gcc-14 now had issues.
 The ACPI case is literally why I wanted to have a *type* that doesn't
 trigger the warning (see commit d5d45a7f2619: "gcc-15: make
 'unterminated string initialization' just a warning"), instead of
 marking individual places as "__nonstring".
 But gcc-14 doesn't like that __nonstring location that shut gcc-15 up,
 because it's on an array of char arrays, not on one single array:
  drivers/acpi/tables.c:399:1: error: 'nonstring' attribute ignored on objects of type 'const char[][4]' [-Werror=attributes]
    399 | static const char table_sigs[][ACPI_NAMESEG_SIZE] __initconst __nonstring = {
        | ^~~~~~
 and my attempts to nest it properly with a type had failed, because of
 how gcc doesn't like marking the types as having attributes, only
 symbols.
 There may be some trick to it, but I was already annoyed by the bad
 attribute design, now I'm just entirely fed up with it.
 I wish gcc had a proper way to say "this type is a *byte* array, not a
 string".
 The obvious thing would be to distinguish between "char []" and an
 explicitly signed "unsigned char []" (as opposed to an implicitly
 unsigned char, which is typically an architecture-specific default, but
 for the kernel is universal thanks to '-funsigned-char').
 But any "we can typedef a 8-bit type to not become a string just because
 it's an array" model would be fine.
 But "__attribute__((nonstring))" is sadly not that sane model.
 Reported-by: Chris Clayton <chris2553@googlemail.com>
 Fixes: 4b4bd8c50f48 ("gcc-15: acpi: sprinkle random '__nonstring' crumbles around")
 Fixes: d5d45a7f2619 ("gcc-15: make 'unterminated string initialization' just a warning")
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 ---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 --- a/Makefile
 +++ b/Makefile
@@ -1071,8 +1071,8 @@ KBUILD_CFLAGS += $(call cc-option, -fstr
 KBUILD_CFLAGS-$(CONFIG_CC_NO_STRINGOP_OVERFLOW) += $(call cc-option, -Wno-stringop-overflow)
 KBUILD_CFLAGS-$(CONFIG_CC_STRINGOP_OVERFLOW) += $(call cc-option, -Wstringop-overflow)
 -#Currently, disable -Wunterminated-string-initialization as an error
 -KBUILD_CFLAGS += $(call cc-option, -Wno-error=unterminated-string-initialization)
 +#Currently, disable -Wunterminated-string-initialization as broken
 +KBUILD_CFLAGS += $(call cc-option, -Wno-unterminated-string-initialization)
 # disable invalid "can't wrap" optimizations for signed / pointers
 KBUILD_CFLAGS	+= -fno-strict-overflow
--- a/debian/patches/patchset-pf/fixes/0010-wifi-mac80211-mark-copy_mesh_setup-as-noinline.patch
+++ b/debian/patches/patchset-pf/fixes/0010-wifi-mac80211-mark-copy_mesh_setup-as-noinline.patch
@@ -0,0 +1,35 @@
 From f762c206076d274ecb0e2f3d9b6cbca361ebb246 Mon Sep 17 00:00:00 2001
 From: Oleksandr Natalenko <oleksandr@natalenko.name>
 Date: Thu, 1 May 2025 20:22:53 +0200
 Subject: wifi: mac80211: mark copy_mesh_setup() as noinline
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 With -O3 and GCC v15.1, the following happens:
 ```
 In function ‘fortify_memcpy_chk’,
    inlined from ‘copy_mesh_setup’ at net/mac80211/cfg.c:2541:2,
    inlined from ‘ieee80211_join_mesh’ at net/mac80211/cfg.c:2694:8:
 ./include/linux/fortify-string.h:571:25: warning: call to ‘__write_overflow_field’ declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning]
 ```
 Maybe, it's time to abandon -O3 altogether?
 Signed-off-by: Oleksandr Natalenko <oleksandr@natalenko.name>
 ---
 net/mac80211/cfg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 --- a/net/mac80211/cfg.c
 +++ b/net/mac80211/cfg.c
@@ -2502,7 +2502,7 @@ static inline bool _chg_mesh_attr(enum n
 	return (mask >> (parm-1)) & 0x1;
 }
 -static int copy_mesh_setup(struct ieee80211_if_mesh *ifmsh,
 +static noinline int copy_mesh_setup(struct ieee80211_if_mesh *ifmsh,
 		const struct mesh_setup *setup)
 {
 	u8 *new_ie;
--- a/debian/patches/patchset-pf/smb/0001-ksmbd-fix-use-after-free-in-ksmbd_session_rpc_open.patch
+++ b/debian/patches/patchset-pf/smb/0001-ksmbd-fix-use-after-free-in-ksmbd_session_rpc_open.patch
@@ -0,0 +1,108 @@
 From f9567920fca6215aed3fa0658c09ae57f3168ed0 Mon Sep 17 00:00:00 2001
 From: Namjae Jeon <linkinjeon@kernel.org>
 Date: Thu, 17 Apr 2025 10:10:15 +0900
 Subject: ksmbd: fix use-after-free in ksmbd_session_rpc_open
 A UAF issue can occur due to a race condition between
 ksmbd_session_rpc_open() and __session_rpc_close().
 Add rpc_lock to the session to protect it.
 Cc: stable@vger.kernel.org
 Reported-by: Norbert Szetei <norbert@doyensec.com>
 Tested-by: Norbert Szetei <norbert@doyensec.com>
 Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
 Signed-off-by: Steve French <stfrench@microsoft.com>
 ---
 fs/smb/server/mgmt/user_session.c | 20 ++++++++++++++------
 fs/smb/server/mgmt/user_session.h |  1 +
 2 files changed, 15 insertions(+), 6 deletions(-)
 --- a/fs/smb/server/mgmt/user_session.c
 +++ b/fs/smb/server/mgmt/user_session.c
@@ -59,10 +59,12 @@ static void ksmbd_session_rpc_clear_list
 	struct ksmbd_session_rpc *entry;
 	long index;
 +	down_write(&sess->rpc_lock);
 	xa_for_each(&sess->rpc_handle_list, index, entry) {
 		xa_erase(&sess->rpc_handle_list, index);
 		__session_rpc_close(sess, entry);
 	}
 +	up_write(&sess->rpc_lock);
 	xa_destroy(&sess->rpc_handle_list);
 }
@@ -92,7 +94,7 @@ int ksmbd_session_rpc_open(struct ksmbd_
 {
 	struct ksmbd_session_rpc *entry, *old;
 	struct ksmbd_rpc_command *resp;
 -	int method;
 +	int method, id;
 	method = __rpc_method(rpc_name);
 	if (!method)
@@ -102,26 +104,29 @@ int ksmbd_session_rpc_open(struct ksmbd_
 	if (!entry)
 		return -ENOMEM;
 +	down_read(&sess->rpc_lock);
 	entry->method = method;
 -	entry->id = ksmbd_ipc_id_alloc();
 -	if (entry->id < 0)
 +	entry->id = id = ksmbd_ipc_id_alloc();
 +	if (id < 0)
 		goto free_entry;
 -	old = xa_store(&sess->rpc_handle_list, entry->id, entry, KSMBD_DEFAULT_GFP);
 +	old = xa_store(&sess->rpc_handle_list, id, entry, KSMBD_DEFAULT_GFP);
 	if (xa_is_err(old))
 		goto free_id;
 -	resp = ksmbd_rpc_open(sess, entry->id);
 +	resp = ksmbd_rpc_open(sess, id);
 	if (!resp)
 		goto erase_xa;
 +	up_read(&sess->rpc_lock);
 	kvfree(resp);
 -	return entry->id;
 +	return id;
 erase_xa:
 	xa_erase(&sess->rpc_handle_list, entry->id);
 free_id:
 	ksmbd_rpc_id_free(entry->id);
 free_entry:
 	kfree(entry);
 +	up_read(&sess->rpc_lock);
 	return -EINVAL;
 }
@@ -129,9 +134,11 @@ void ksmbd_session_rpc_close(struct ksmb
 {
 	struct ksmbd_session_rpc *entry;
 +	down_write(&sess->rpc_lock);
 	entry = xa_erase(&sess->rpc_handle_list, id);
 	if (entry)
 		__session_rpc_close(sess, entry);
 +	up_write(&sess->rpc_lock);
 }
 int ksmbd_session_rpc_method(struct ksmbd_session *sess, int id)
@@ -439,6 +446,7 @@ static struct ksmbd_session *__session_c
 	sess->sequence_number = 1;
 	rwlock_init(&sess->tree_conns_lock);
 	atomic_set(&sess->refcnt, 2);
 +	init_rwsem(&sess->rpc_lock);
 	ret = __init_smb2_session(sess);
 	if (ret)
 --- a/fs/smb/server/mgmt/user_session.h
 +++ b/fs/smb/server/mgmt/user_session.h
@@ -63,6 +63,7 @@ struct ksmbd_session {
 	rwlock_t			tree_conns_lock;
 	atomic_t			refcnt;
 +	struct rw_semaphore		rpc_lock;
 };
 static inline int test_session_flag(struct ksmbd_session *sess, int bit)
--- a/debian/patches/patchset-pf/smb/0002-ksmbd-fix-use-after-free-in-kerberos-authentication.patch
+++ b/debian/patches/patchset-pf/smb/0002-ksmbd-fix-use-after-free-in-kerberos-authentication.patch
@@ -0,0 +1,56 @@
 From 6e367a428b98393cd5d0ab993983ba40dc748ca5 Mon Sep 17 00:00:00 2001
 From: Sean Heelan <seanheelan@gmail.com>
 Date: Sat, 19 Apr 2025 19:59:28 +0100
 Subject: ksmbd: fix use-after-free in kerberos authentication
 Setting sess->user = NULL was introduced to fix the dangling pointer
 created by ksmbd_free_user. However, it is possible another thread could
 be operating on the session and make use of sess->user after it has been
 passed to ksmbd_free_user but before sess->user is set to NULL.
 Cc: stable@vger.kernel.org
 Signed-off-by: Sean Heelan <seanheelan@gmail.com>
 Acked-by: Namjae Jeon <linkinjeon@kernel.org>
 Signed-off-by: Steve French <stfrench@microsoft.com>
 ---
 fs/smb/server/auth.c    | 14 +++++++++++++-
 fs/smb/server/smb2pdu.c |  5 -----
 2 files changed, 13 insertions(+), 6 deletions(-)
 --- a/fs/smb/server/auth.c
 +++ b/fs/smb/server/auth.c
@@ -550,7 +550,19 @@ int ksmbd_krb5_authenticate(struct ksmbd
 		retval = -ENOMEM;
 		goto out;
 	}
 -	sess->user = user;
 +
 +	if (!sess->user) {
 +		/* First successful authentication */
 +		sess->user = user;
 +	} else {
 +		if (!ksmbd_compare_user(sess->user, user)) {
 +			ksmbd_debug(AUTH, "different user tried to reuse session\n");
 +			retval = -EPERM;
 +			ksmbd_free_user(user);
 +			goto out;
 +		}
 +		ksmbd_free_user(user);
 +	}
 	memcpy(sess->sess_key, resp->payload, resp->session_key_len);
 	memcpy(out_blob, resp->payload + resp->session_key_len,
 --- a/fs/smb/server/smb2pdu.c
 +++ b/fs/smb/server/smb2pdu.c
@@ -1602,11 +1602,6 @@ static int krb5_authenticate(struct ksmb
 	if (prev_sess_id && prev_sess_id != sess->id)
 		destroy_previous_session(conn, sess->user, prev_sess_id);
 -	if (sess->state == SMB2_SESSION_VALID) {
 -		ksmbd_free_user(sess->user);
 -		sess->user = NULL;
 -	}
 -
 	retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
 					 out_blob, &out_len);
 	if (retval) {
--- a/debian/patches/patchset-pf/smb/0003-ksmbd-fix-use-after-free-in-session-logoff.patch
+++ b/debian/patches/patchset-pf/smb/0003-ksmbd-fix-use-after-free-in-session-logoff.patch
@@ -0,0 +1,31 @@
 From 818b4d086f287e0a5cc6368eb72703b68b0603d0 Mon Sep 17 00:00:00 2001
 From: Sean Heelan <seanheelan@gmail.com>
 Date: Mon, 21 Apr 2025 15:39:29 +0000
 Subject: ksmbd: fix use-after-free in session logoff
 The sess->user object can currently be in use by another thread, for
 example if another connection has sent a session setup request to
 bind to the session being free'd. The handler for that connection could
 be in the smb2_sess_setup function which makes use of sess->user.
 Cc: stable@vger.kernel.org
 Signed-off-by: Sean Heelan <seanheelan@gmail.com>
 Acked-by: Namjae Jeon <linkinjeon@kernel.org>
 Signed-off-by: Steve French <stfrench@microsoft.com>
 ---
 fs/smb/server/smb2pdu.c | 4 ----
 1 file changed, 4 deletions(-)
 --- a/fs/smb/server/smb2pdu.c
 +++ b/fs/smb/server/smb2pdu.c
@@ -2244,10 +2244,6 @@ int smb2_session_logoff(struct ksmbd_wor
 	sess->state = SMB2_SESSION_EXPIRED;
 	up_write(&conn->session_lock);
 -	if (sess->user) {
 -		ksmbd_free_user(sess->user);
 -		sess->user = NULL;
 -	}
 	ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_SETUP);
 	rsp->StructureSize = cpu_to_le16(4);
--- a/debian/patches/patchset-zen/sauce/0009-ZEN-mm-Stop-kswapd-early-when-nothing-s-waiting-for-.patch
+++ b/debian/patches/patchset-zen/sauce/0009-ZEN-mm-Stop-kswapd-early-when-nothing-s-waiting-for-.patch
@@ -102,7 +102,7 @@ Contains:
 --- a/mm/vmscan.c
 +++ b/mm/vmscan.c
-@@ -6382,7 +6382,7 @@ retry:
+@@ -6389,7 +6389,7 @@ retry:
 	return 0;
 }
@@ -111,7 +111,7 @@ Contains:
 {
 	struct zone *zone;
 	unsigned long pfmemalloc_reserve = 0;
-@@ -6411,6 +6411,10 @@ static bool allow_direct_reclaim(pg_data
+@@ -6418,6 +6418,10 @@ static bool allow_direct_reclaim(pg_data
 	wmark_ok = free_pages > pfmemalloc_reserve / 2;
@@ -122,7 +122,7 @@ Contains:
 	/* kswapd must be awake if processes are being throttled */
 	if (!wmark_ok && waitqueue_active(&pgdat->kswapd_wait)) {
 		if (READ_ONCE(pgdat->kswapd_highest_zoneidx) > ZONE_NORMAL)
-@@ -6476,7 +6480,7 @@ static bool throttle_direct_reclaim(gfp_
+@@ -6483,7 +6487,7 @@ static bool throttle_direct_reclaim(gfp_
 		/* Throttle based on the first usable node */
 		pgdat = zone->zone_pgdat;
@@ -131,7 +131,7 @@ Contains:
 			goto out;
 		break;
 	}
-@@ -6498,11 +6502,14 @@ static bool throttle_direct_reclaim(gfp_
+@@ -6505,11 +6509,14 @@ static bool throttle_direct_reclaim(gfp_
 	 */
 	if (!(gfp_mask & __GFP_FS))
 		wait_event_interruptible_timeout(pgdat->pfmemalloc_wait,
@@ -148,7 +148,7 @@ Contains:
 	if (fatal_signal_pending(current))
 		return true;
-@@ -7005,14 +7012,14 @@ restart:
+@@ -7012,14 +7019,14 @@ restart:
 		 * able to safely make forward progress. Wake them
 		 */
 		if (waitqueue_active(&pgdat->pfmemalloc_wait) &&
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -69,6 +69,7 @@ features/x86/x86-make-x32-syscall-support-conditional.patch
 bugfix/all/disable-some-marvell-phys.patch
 bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
 bugfix/all/documentation-use-relative-source-paths-in-abi-documentation.patch
 bugfix/all/Revert-rndis_host-Flag-RNDIS-modems-as-WWAN-devices.patch
 # Miscellaneous features
@@ -156,6 +157,10 @@ patchset-pf/cpuidle/0001-cpuidle-Prefer-teo-over-menu-governor.patch
 patchset-pf/crypto/0001-crypto-x86-aes-xts-make-the-fast-path-64-bit-specifi.patch
 patchset-pf/crypto/0002-crypto-x86-aes-ctr-rewrite-AESNI-AVX-optimized-CTR-a.patch
 patchset-pf/smb/0001-ksmbd-fix-use-after-free-in-ksmbd_session_rpc_open.patch
 patchset-pf/smb/0002-ksmbd-fix-use-after-free-in-kerberos-authentication.patch
 patchset-pf/smb/0003-ksmbd-fix-use-after-free-in-session-logoff.patch
 patchset-pf/zstd/0001-zstd-import-upstream-v1.5.7.patch
 patchset-pf/zstd/0002-lib-zstd-Refactor-intentional-wrap-around-test.patch
@@ -265,7 +270,9 @@ patchset-pf/fixes/0004-ice-mark-ice_write_prof_mask_reg-as-noinline.patch
 patchset-pf/fixes/0005-fixes-6.14-update-tpm2_start_auth_session-fix.patch
 patchset-pf/fixes/0006-wifi-ath12k-Abort-scan-before-removing-link-interfac.patch
 patchset-pf/fixes/0007-Kconfig-switch-CONFIG_SYSFS_SYCALL-default-to-n.patch
-patchset-pf/fixes/0008-sched-eevdf-Fix-se-slice-being-set-to-U64_MAX-and-re.patch
+patchset-pf/fixes/0008-gcc-15-make-unterminated-string-initialization-just-.patch
 patchset-pf/fixes/0009-gcc-15-disable-Wunterminated-string-initialization-e.patch
 patchset-pf/fixes/0010-wifi-mac80211-mark-copy_mesh_setup-as-noinline.patch
 patchset-zen/fixes/0001-arch-Kconfig-Default-to-maximum-amount-of-ASLR-bits.patch
 patchset-zen/fixes/0002-drivers-firmware-skip-simpledrm-if-nvidia-drm.modese.patch