public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/kernel] f44: kernel-7.0.11-200
@ 2026-06-01 22:00 Justin M. Forbes
0 siblings, 0 replies; only message in thread
From: Justin M. Forbes @ 2026-06-01 22:00 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/kernel
Branch : f44
Commit : 1b994cb66da8c164864d79aceaebbf8131b041b1
Author : Justin M. Forbes <jforbes@fedoraproject.org>
Date : 2026-06-01T16:00:30-06:00
Stats : +40/-1909 in 5 file(s)
URL : https://src.fedoraproject.org/rpms/kernel/c/1b994cb66da8c164864d79aceaebbf8131b041b1?branch=f44
Log:
kernel-7.0.11-200
* Mon Jun 01 2026 Justin M. Forbes <jforbes@fedoraproject.org> [7.0.11-1]
- Revert "crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks" (Justin M. Forbes)
- Revert "rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg" (Justin M. Forbes)
- Revert "rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer" (Justin M. Forbes)
- Linux v7.0.11
Resolves:
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
---
diff --git a/Patchlist.changelog b/Patchlist.changelog
index c36086b..40158f1 100644
--- a/Patchlist.changelog
+++ b/Patchlist.changelog
@@ -1,3 +1,12 @@
+https://gitlab.com/cki-project/kernel-ark/-/commit/9a0b5572ccfd1b7c79dfb9c683e89758893ecf0a
+ 9a0b5572ccfd1b7c79dfb9c683e89758893ecf0a Revert "crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks"
+
+https://gitlab.com/cki-project/kernel-ark/-/commit/92fc56ac678ac274ab0237bfa037b66bbd55b48c
+ 92fc56ac678ac274ab0237bfa037b66bbd55b48c Revert "rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg"
+
+https://gitlab.com/cki-project/kernel-ark/-/commit/703c1c4d9d6e52276954a909aa59a1fc33cbc2b8
+ 703c1c4d9d6e52276954a909aa59a1fc33cbc2b8 Revert "rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer"
+
https://gitlab.com/cki-project/kernel-ark/-/commit/d82d5fbd2b0d6b36f3e2eb180bec55ebee49f64a
d82d5fbd2b0d6b36f3e2eb180bec55ebee49f64a ata: libata-scsi: do not needlessly defer commands when using PMP with FBS
diff --git a/kernel.changelog b/kernel.changelog
index fb3d4ec..54f1aa6 100644
--- a/kernel.changelog
+++ b/kernel.changelog
@@ -1,3 +1,10 @@
+* Mon Jun 01 2026 Justin M. Forbes <jforbes@fedoraproject.org> [7.0.11-1]
+- Revert "crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks" (Justin M. Forbes)
+- Revert "rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg" (Justin M. Forbes)
+- Revert "rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer" (Justin M. Forbes)
+- Linux v7.0.11
+Resolves:
+
* Wed May 27 2026 Justin M. Forbes <jforbes@fedoraproject.org> [7.0.10-1]
- ata: libata-scsi: do not needlessly defer commands when using PMP with FBS (Niklas Cassel)
- ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS (Niklas Cassel)
diff --git a/kernel.spec b/kernel.spec
index cf7d370..bfdca54 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -187,18 +187,18 @@ Summary: The Linux kernel
# the --with-release option overrides this setting.)
%define debugbuildsenabled 1
# define buildid .local
-%define specrpmversion 7.0.10
-%define specversion 7.0.10
+%define specrpmversion 7.0.11
+%define specversion 7.0.11
%define patchversion 7.0
-%define pkgrelease 201
+%define pkgrelease 200
%define kversion 7
-%define tarfile_release 7.0.10
+%define tarfile_release 7.0.11
# This is needed to do merge window version magic
%define patchlevel 0
# This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 201%{?buildid}%{?dist}
+%define specrelease 200%{?buildid}%{?dist}
# This defines the kabi tarball version
-%define kabiversion 7.0.10
+%define kabiversion 7.0.11
# If this variable is set to 1, a bpf selftests build failure will cause a
# fatal kernel package build error
@@ -4825,6 +4825,12 @@ fi\
#
#
%changelog
+* Mon Jun 01 2026 Justin M. Forbes <jforbes@fedoraproject.org> [7.0.11-1]
+- Revert "crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks" (Justin M. Forbes)
+- Revert "rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg" (Justin M. Forbes)
+- Revert "rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer" (Justin M. Forbes)
+- Linux v7.0.11
+
* Wed May 27 2026 Justin M. Forbes <jforbes@fedoraproject.org> [7.0.10-1]
- ata: libata-scsi: do not needlessly defer commands when using PMP with FBS (Niklas Cassel)
- ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS (Niklas Cassel)
diff --git a/patch-7.0-redhat.patch b/patch-7.0-redhat.patch
index 4e977dd..a5c9938 100644
--- a/patch-7.0-redhat.patch
+++ b/patch-7.0-redhat.patch
@@ -1,7 +1,6 @@
Documentation/admin-guide/media/amdisp4-1.rst | 63 ++
Documentation/admin-guide/media/amdisp4.dot | 6 +
Documentation/admin-guide/media/v4l-drivers.rst | 1 +
- Documentation/crypto/krb5.rst | 17 +-
MAINTAINERS | 25 +
Makefile | 30 +
arch/arm/Kconfig | 4 +-
@@ -18,18 +17,12 @@
arch/s390/kernel/ipl.c | 5 +
arch/s390/kernel/setup.c | 4 +
arch/x86/kernel/setup.c | 22 +-
- crypto/krb5/krb5_api.c | 54 +-
crypto/sig.c | 3 +-
crypto/testmgr.c | 2 +-
drivers/acpi/apei/hest.c | 8 +
drivers/acpi/irq.c | 17 +-
drivers/acpi/scan.c | 9 +
drivers/ata/libahci.c | 18 +
- drivers/ata/libata-core.c | 9 +-
- drivers/ata/libata-eh.c | 8 +-
- drivers/ata/libata-pmp.c | 18 +-
- drivers/ata/libata-scsi.c | 100 +-
- drivers/ata/sata_sil24.c | 6 +-
drivers/char/ipmi/ipmi_dmi.c | 15 +
drivers/char/ipmi/ipmi_msghandler.c | 16 +-
drivers/firmware/efi/Makefile | 1 +
@@ -46,7 +39,6 @@
drivers/hid/hid-rmi.c | 66 --
drivers/hwtracing/coresight/coresight-etm4x-core.c | 19 +
drivers/input/rmi4/rmi_driver.c | 124 ++-
- drivers/iommu/amd/debugfs.c | 43 +-
drivers/iommu/iommu.c | 22 +
drivers/media/platform/Kconfig | 1 +
drivers/media/platform/Makefile | 1 +
@@ -72,30 +64,15 @@
drivers/nfc/nxp-nci/i2c.c | 21 +-
drivers/pci/quirks.c | 24 +
drivers/usb/core/hub.c | 7 +
- fs/smb/client/cifs_spnego.c | 16 +
- fs/smb/server/vfs_cache.c | 102 +-
- include/crypto/krb5.h | 9 +-
include/linux/efi.h | 22 +-
- include/linux/libata.h | 7 +-
include/linux/lsm_hook_defs.h | 1 +
include/linux/mfd/bcm2835-pm.h | 7 +
include/linux/rmi.h | 1 +
include/linux/security.h | 9 +
- include/trace/events/rxrpc.h | 1 +
kernel/module/signing.c | 9 +-
net/core/gro.c | 3 +
net/ipv4/esp4.c | 5 +-
net/ipv6/esp6.c | 5 +-
- net/rxrpc/ar-internal.h | 14 +-
- net/rxrpc/call_event.c | 22 +-
- net/rxrpc/call_object.c | 2 +
- net/rxrpc/conn_event.c | 32 +-
- net/rxrpc/insecure.c | 8 +-
- net/rxrpc/recvmsg.c | 68 +-
- net/rxrpc/rxgk.c | 160 ++-
- net/rxrpc/rxgk_app.c | 46 +-
- net/rxrpc/rxgk_common.h | 66 +-
- net/rxrpc/rxkad.c | 115 +--
net/sched/act_pedit.c | 72 +-
scripts/Makefile.lib | 3 +
scripts/tags.sh | 2 +
@@ -107,7 +84,7 @@
sound/soc/codecs/rt722-sdca.h | 4 +
tools/testing/selftests/bpf/Makefile | 2 +-
tools/testing/selftests/bpf/prog_tests/ksyms_btf.c | 31 -
- 109 files changed, 6097 insertions(+), 1003 deletions(-)
+ 86 files changed, 5584 insertions(+), 593 deletions(-)
diff --git a/Documentation/admin-guide/media/amdisp4-1.rst b/Documentation/admin-guide/media/amdisp4-1.rst
new file mode 100644
@@ -202,37 +179,6 @@ index 393f83e8dc4d..0fb88449fffd 100644
bttv
c3-isp
cafe_ccic
-diff --git a/Documentation/crypto/krb5.rst b/Documentation/crypto/krb5.rst
-index beffa0133446..f62e07ac6811 100644
---- a/Documentation/crypto/krb5.rst
-+++ b/Documentation/crypto/krb5.rst
-@@ -158,13 +158,22 @@ returned.
- When a message has been received, the location and size of the data with the
- message can be determined by calling::
-
-- void crypto_krb5_where_is_the_data(const struct krb5_enctype *krb5,
-- enum krb5_crypto_mode mode,
-- size_t *_offset, size_t *_len);
-+ int crypto_krb5_where_is_the_data(const struct krb5_enctype *krb5,
-+ enum krb5_crypto_mode mode,
-+ size_t *_offset, size_t *_len);
-
- The caller provides the offset and length of the message to the function, which
- then alters those values to indicate the region containing the data (plus any
--padding). It is up to the caller to determine how much padding there is.
-+padding). It is up to the caller to determine how much padding there is. The
-+function returns an error if the length is too small or if the mode is
-+unsupported. An additional function::
-+
-+ int crypto_krb5_check_data_len(const struct krb5_enctype *krb5,
-+ enum krb5_crypto_mode mode,
-+ size_t len, size_t min_content);
-+
-+is provided to just do a basic check that the decrypted/verified message would
-+have a sufficient minimum payload.
-
- Preparation Functions
- ---------------------
diff --git a/MAINTAINERS b/MAINTAINERS
index d1cc0e12fe1f..985c66951475 100644
--- a/MAINTAINERS
@@ -270,7 +216,7 @@ index d1cc0e12fe1f..985c66951475 100644
M: Felix Kuehling <Felix.Kuehling@amd.com>
L: amd-gfx@lists.freedesktop.org
diff --git a/Makefile b/Makefile
-index a95f0b3d26bf..99b2c764c4c9 100644
+index d2a1c3a1ab44..5343e34c0fb1 100644
--- a/Makefile
+++ b/Makefile
@@ -356,6 +356,17 @@ ifneq ($(filter install,$(MAKECMDGOALS)),)
@@ -877,86 +823,6 @@ index eebcc9db1a1b..779aca6969df 100644
reserve_initrd();
-diff --git a/crypto/krb5/krb5_api.c b/crypto/krb5/krb5_api.c
-index 23026d4206c8..c7ea40f900a7 100644
---- a/crypto/krb5/krb5_api.c
-+++ b/crypto/krb5/krb5_api.c
-@@ -134,27 +134,69 @@ EXPORT_SYMBOL(crypto_krb5_how_much_data);
- * Find the offset and size of the data in a secure message so that this
- * information can be used in the metadata buffer which will get added to the
- * digest by crypto_krb5_verify_mic().
-+ *
-+ * Return: 0 if successful, -EBADMSG if the message is too short or -EINVAL if
-+ * the mode is unsupported.
- */
--void crypto_krb5_where_is_the_data(const struct krb5_enctype *krb5,
-- enum krb5_crypto_mode mode,
-- size_t *_offset, size_t *_len)
-+int crypto_krb5_where_is_the_data(const struct krb5_enctype *krb5,
-+ enum krb5_crypto_mode mode,
-+ size_t *_offset, size_t *_len)
- {
- switch (mode) {
- case KRB5_CHECKSUM_MODE:
-+ if (*_len < krb5->cksum_len)
-+ return -EBADMSG;
- *_offset += krb5->cksum_len;
- *_len -= krb5->cksum_len;
-- return;
-+ return 0;
- case KRB5_ENCRYPT_MODE:
-+ if (*_len < krb5->conf_len + krb5->cksum_len)
-+ return -EBADMSG;
- *_offset += krb5->conf_len;
- *_len -= krb5->conf_len + krb5->cksum_len;
-- return;
-+ return 0;
- default:
- WARN_ON_ONCE(1);
-- return;
-+ return -EINVAL;
- }
- }
- EXPORT_SYMBOL(crypto_krb5_where_is_the_data);
-
-+/**
-+ * crypto_krb5_check_data_len - Check a message is big enough
-+ * @krb5: The encoding to use.
-+ * @mode: Mode of operation.
-+ * @len: The length of the secure blob.
-+ * @min_content: Minimum length of the content inside the blob.
-+ *
-+ * Check that a message is large enough to hold whatever bits the encryption
-+ * type wants to glue on (nonce, checksum) plus a minimum amount of content.
-+ *
-+ * Return: 0 if successful, -EBADMSG if the message is too short or -EINVAL if
-+ * the mode is unsupported.
-+ */
-+int crypto_krb5_check_data_len(const struct krb5_enctype *krb5,
-+ enum krb5_crypto_mode mode,
-+ size_t len, size_t min_content)
-+{
-+ switch (mode) {
-+ case KRB5_CHECKSUM_MODE:
-+ if (len < krb5->cksum_len ||
-+ len - krb5->cksum_len < min_content)
-+ return -EBADMSG;
-+ return 0;
-+ case KRB5_ENCRYPT_MODE:
-+ if (len < krb5->conf_len + krb5->cksum_len ||
-+ len - (krb5->conf_len + krb5->cksum_len) < min_content)
-+ return -EBADMSG;
-+ return 0;
-+ default:
-+ WARN_ON_ONCE(1);
-+ return -EINVAL;
-+ }
-+}
-+EXPORT_SYMBOL(crypto_krb5_check_data_len);
-+
- /*
- * Prepare the encryption with derived key data.
- */
diff --git a/crypto/sig.c b/crypto/sig.c
index beba745b6405..fd41f6d3abf9 100644
--- a/crypto/sig.c
@@ -1095,326 +961,6 @@ index c79abdfcd7a9..e23bfb7f94c7 100644
/* wait for engine to stop. This could be as long as 500 msec */
tmp = ata_wait_register(ap, port_mmio + PORT_CMD,
PORT_CMD_LIST_ON, PORT_CMD_LIST_ON, 1, 500);
-diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
-index 374993031895..f8c2e3192a70 100644
---- a/drivers/ata/libata-core.c
-+++ b/drivers/ata/libata-core.c
-@@ -5579,6 +5579,7 @@ void ata_link_init(struct ata_port *ap, struct ata_link *link, int pmp)
- link->pmp = pmp;
- link->active_tag = ATA_TAG_POISON;
- link->hw_sata_spd_limit = UINT_MAX;
-+ INIT_WORK(&link->deferred_qc_work, ata_scsi_deferred_qc_work);
-
- /* can't use iterator, ap isn't initialized yet */
- for (i = 0; i < ATA_MAX_DEVICES; i++) {
-@@ -5661,7 +5662,6 @@ struct ata_port *ata_port_alloc(struct ata_host *host)
- mutex_init(&ap->scsi_scan_mutex);
- INIT_DELAYED_WORK(&ap->hotplug_task, ata_scsi_hotplug);
- INIT_DELAYED_WORK(&ap->scsi_rescan_task, ata_scsi_dev_rescan);
-- INIT_WORK(&ap->deferred_qc_work, ata_scsi_deferred_qc_work);
- INIT_LIST_HEAD(&ap->eh_done_q);
- init_waitqueue_head(&ap->eh_wait_q);
- init_completion(&ap->park_req_pending);
-@@ -6286,12 +6286,15 @@ static void ata_port_detach(struct ata_port *ap)
-
- /* It better be dead now and not have any remaining deferred qc. */
- WARN_ON(!(ap->pflags & ATA_PFLAG_UNLOADED));
-- WARN_ON(ap->deferred_qc);
-
-- cancel_work_sync(&ap->deferred_qc_work);
- cancel_delayed_work_sync(&ap->hotplug_task);
- cancel_delayed_work_sync(&ap->scsi_rescan_task);
-
-+ ata_for_each_link(link, ap, PMP_FIRST) {
-+ WARN_ON(link->deferred_qc);
-+ cancel_work_sync(&link->deferred_qc_work);
-+ }
-+
- /* Delete port multiplier link transport devices */
- if (ap->pmp_link) {
- int i;
-diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
-index 23be85418b3b..5e8a63206108 100644
---- a/drivers/ata/libata-eh.c
-+++ b/drivers/ata/libata-eh.c
-@@ -643,11 +643,11 @@ void ata_scsi_cmd_error_handler(struct Scsi_Host *host, struct ata_port *ap,
- if (qc->scsicmd != scmd)
- continue;
- if ((qc->flags & ATA_QCFLAG_ACTIVE) ||
-- qc == ap->deferred_qc)
-+ qc == qc->dev->link->deferred_qc)
- break;
- }
-
-- if (i < ATA_MAX_QUEUE && qc == ap->deferred_qc) {
-+ if (i < ATA_MAX_QUEUE && qc == qc->dev->link->deferred_qc) {
- /*
- * This is a deferred command that timed out while
- * waiting for the command queue to drain. Since the qc
-@@ -658,8 +658,8 @@ void ata_scsi_cmd_error_handler(struct Scsi_Host *host, struct ata_port *ap,
- * deferred qc work from issuing this qc.
- */
- WARN_ON_ONCE(qc->flags & ATA_QCFLAG_ACTIVE);
-- ap->deferred_qc = NULL;
-- cancel_work(&ap->deferred_qc_work);
-+ qc->dev->link->deferred_qc = NULL;
-+ cancel_work(&qc->dev->link->deferred_qc_work);
- set_host_byte(scmd, DID_TIME_OUT);
- scsi_eh_finish_cmd(scmd, &ap->eh_done_q);
- } else if (i < ATA_MAX_QUEUE) {
-diff --git a/drivers/ata/libata-pmp.c b/drivers/ata/libata-pmp.c
-index e3adc008fed1..e8540931b4a1 100644
---- a/drivers/ata/libata-pmp.c
-+++ b/drivers/ata/libata-pmp.c
-@@ -110,13 +110,24 @@ int sata_pmp_qc_defer_cmd_switch(struct ata_queued_cmd *qc)
- {
- struct ata_link *link = qc->dev->link;
- struct ata_port *ap = link->ap;
-+ int ret;
-
- if (ap->excl_link == NULL || ap->excl_link == link) {
- if (ap->nr_active_links == 0 || ata_link_active(link)) {
- qc->flags |= ATA_QCFLAG_CLEAR_EXCL;
-- return ata_std_qc_defer(qc);
-+ ret = ata_std_qc_defer(qc);
-+ if (ret == ATA_DEFER_LINK)
-+ return ATA_DEFER_LINK_EXCL;
-+ return ret;
- }
-
-+ /*
-+ * Note: ap->excl_link contains the link that is next in line,
-+ * i.e. implicit round robin. If there is only one link
-+ * dispatching, ap->excl_link will be left unclaimed, allowing
-+ * other links to set ap->excl_link, ensuring that the currently
-+ * active link cannot queue any more.
-+ */
- ap->excl_link = link;
- }
-
-@@ -571,8 +582,11 @@ static void sata_pmp_detach(struct ata_device *dev)
- if (ap->ops->pmp_detach)
- ap->ops->pmp_detach(ap);
-
-- ata_for_each_link(tlink, ap, EDGE)
-+ ata_for_each_link(tlink, ap, EDGE) {
-+ WARN_ON(tlink->deferred_qc);
-+ cancel_work_sync(&tlink->deferred_qc_work);
- ata_eh_detach_dev(tlink->device);
-+ }
-
- spin_lock_irqsave(ap->lock, flags);
- ap->nr_pmp_links = 0;
-diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
-index cd607911d724..0b4adfc8dc84 100644
---- a/drivers/ata/libata-scsi.c
-+++ b/drivers/ata/libata-scsi.c
-@@ -1660,8 +1660,9 @@ static void ata_qc_done(struct ata_queued_cmd *qc)
-
- void ata_scsi_deferred_qc_work(struct work_struct *work)
- {
-- struct ata_port *ap =
-- container_of(work, struct ata_port, deferred_qc_work);
-+ struct ata_link *link =
-+ container_of(work, struct ata_link, deferred_qc_work);
-+ struct ata_port *ap = link->ap;
- struct ata_queued_cmd *qc;
- unsigned long flags;
-
-@@ -1672,10 +1673,10 @@ void ata_scsi_deferred_qc_work(struct work_struct *work)
- * such case, we should not need any more deferring the qc, so warn if
- * qc_defer() says otherwise.
- */
-- qc = ap->deferred_qc;
-+ qc = link->deferred_qc;
- if (qc && !ata_port_eh_scheduled(ap)) {
- WARN_ON_ONCE(ap->ops->qc_defer(qc));
-- ap->deferred_qc = NULL;
-+ link->deferred_qc = NULL;
- ata_qc_issue(qc);
- }
-
-@@ -1684,8 +1685,7 @@ void ata_scsi_deferred_qc_work(struct work_struct *work)
-
- void ata_scsi_requeue_deferred_qc(struct ata_port *ap)
- {
-- struct ata_queued_cmd *qc = ap->deferred_qc;
-- struct scsi_cmnd *scmd;
-+ struct ata_link *link;
-
- lockdep_assert_held(ap->lock);
-
-@@ -1694,20 +1694,25 @@ void ata_scsi_requeue_deferred_qc(struct ata_port *ap)
- * do not try to be smart about what to do with this deferred command
- * and simply requeue it by completing it with DID_REQUEUE.
- */
-- if (!qc)
-- return;
--
-- scmd = qc->scsicmd;
-- ap->deferred_qc = NULL;
-- cancel_work(&ap->deferred_qc_work);
-- ata_qc_free(qc);
-- scmd->result = (DID_REQUEUE << 16);
-- scsi_done(scmd);
-+ ata_for_each_link(link, ap, PMP_FIRST) {
-+ struct ata_queued_cmd *qc = link->deferred_qc;
-+ struct scsi_cmnd *scmd;
-+
-+ if (qc) {
-+ scmd = qc->scsicmd;
-+ link->deferred_qc = NULL;
-+ cancel_work(&link->deferred_qc_work);
-+ ata_qc_free(qc);
-+ scmd->result = (DID_REQUEUE << 16);
-+ scsi_done(scmd);
-+ }
-+ }
- }
-
--static void ata_scsi_schedule_deferred_qc(struct ata_port *ap)
-+static void ata_scsi_schedule_deferred_qc(struct ata_link *link)
- {
-- struct ata_queued_cmd *qc = ap->deferred_qc;
-+ struct ata_queued_cmd *qc = link->deferred_qc;
-+ struct ata_port *ap = link->ap;
-
- lockdep_assert_held(ap->lock);
-
-@@ -1724,12 +1729,12 @@ static void ata_scsi_schedule_deferred_qc(struct ata_port *ap)
- return;
- }
- if (!ap->ops->qc_defer(qc))
-- queue_work(system_highpri_wq, &ap->deferred_qc_work);
-+ queue_work(system_highpri_wq, &link->deferred_qc_work);
- }
-
- static void ata_scsi_qc_complete(struct ata_queued_cmd *qc)
- {
-- struct ata_port *ap = qc->ap;
-+ struct ata_link *link = qc->dev->link;
- struct scsi_cmnd *cmd = qc->scsicmd;
- u8 *cdb = cmd->cmnd;
- bool have_sense = qc->flags & ATA_QCFLAG_SENSE_VALID;
-@@ -1760,22 +1765,23 @@ static void ata_scsi_qc_complete(struct ata_queued_cmd *qc)
-
- ata_qc_done(qc);
-
-- ata_scsi_schedule_deferred_qc(ap);
-+ ata_scsi_schedule_deferred_qc(link);
- }
-
- static int ata_scsi_qc_issue(struct ata_port *ap, struct ata_queued_cmd *qc)
- {
-+ struct ata_link *link = qc->dev->link;
- int ret;
-
- if (!ap->ops->qc_defer)
-- goto issue;
-+ goto issue_qc;
-
- /*
- * If we already have a deferred qc, then rely on the SCSI layer to
- * requeue and defer all incoming commands until the deferred qc is
- * processed, once all on-going commands complete.
- */
-- if (ap->deferred_qc) {
-+ if (link->deferred_qc) {
- ata_qc_free(qc);
- return SCSI_MLQUEUE_DEVICE_BUSY;
- }
-@@ -1787,38 +1793,46 @@ static int ata_scsi_qc_issue(struct ata_port *ap, struct ata_queued_cmd *qc)
- break;
- case ATA_DEFER_LINK:
- ret = SCSI_MLQUEUE_DEVICE_BUSY;
-- break;
-+ goto defer_qc;
-+ case ATA_DEFER_LINK_EXCL:
-+ /*
-+ * Drivers making use of ap->excl_link cannot store the QC in
-+ * link->deferred_qc, because the ap->excl_link handling is
-+ * incompatible with the link->deferred_qc workqueue handling.
-+ */
-+ ret = SCSI_MLQUEUE_DEVICE_BUSY;
-+ goto free_qc;
- case ATA_DEFER_PORT:
- ret = SCSI_MLQUEUE_HOST_BUSY;
-- break;
-+ goto free_qc;
- default:
- WARN_ON_ONCE(1);
- ret = SCSI_MLQUEUE_HOST_BUSY;
-- break;
-+ goto free_qc;
- }
-
-- if (ret) {
-- /*
-- * We must defer this qc: if this is not an NCQ command, keep
-- * this qc as a deferred one and report to the SCSI layer that
-- * we issued it so that it is not requeued. The deferred qc will
-- * be issued with the port deferred_qc_work once all on-going
-- * commands complete.
-- */
-- if (!ata_is_ncq(qc->tf.protocol)) {
-- ap->deferred_qc = qc;
-- return 0;
-- }
-+issue_qc:
-+ ata_qc_issue(qc);
-+ return 0;
-
-- /* Force a requeue of the command to defer its execution. */
-- ata_qc_free(qc);
-- return ret;
-+defer_qc:
-+ /*
-+ * We must defer this qc: if this is not an NCQ command, keep
-+ * this qc as a deferred one and report to the SCSI layer that
-+ * we issued it so that it is not requeued. The deferred qc will
-+ * be issued with the port deferred_qc_work once all on-going
-+ * commands complete.
-+ */
-+ if (!ata_is_ncq(qc->tf.protocol)) {
-+ link->deferred_qc = qc;
-+ return 0;
- }
-
--issue:
-- ata_qc_issue(qc);
-+free_qc:
-+ /* Force a requeue of the command to defer its execution. */
-+ ata_qc_free(qc);
-
-- return 0;
-+ return ret;
- }
-
- /**
-diff --git a/drivers/ata/sata_sil24.c b/drivers/ata/sata_sil24.c
-index d642ece9f07a..57f1081b86db 100644
---- a/drivers/ata/sata_sil24.c
-+++ b/drivers/ata/sata_sil24.c
-@@ -789,6 +789,7 @@ static int sil24_qc_defer(struct ata_queued_cmd *qc)
- struct ata_link *link = qc->dev->link;
- struct ata_port *ap = link->ap;
- u8 prot = qc->tf.protocol;
-+ int ret;
-
- /*
- * There is a bug in the chip:
-@@ -826,7 +827,10 @@ static int sil24_qc_defer(struct ata_queued_cmd *qc)
- qc->flags |= ATA_QCFLAG_CLEAR_EXCL;
- }
-
-- return ata_std_qc_defer(qc);
-+ ret = ata_std_qc_defer(qc);
-+ if (ret == ATA_DEFER_LINK)
-+ return ATA_DEFER_LINK_EXCL;
-+ return ret;
- }
-
- static enum ata_completion_errors sil24_qc_prep(struct ata_queued_cmd *qc)
diff --git a/drivers/char/ipmi/ipmi_dmi.c b/drivers/char/ipmi/ipmi_dmi.c
index 505e32911c34..26f7ee0ccf40 100644
--- a/drivers/char/ipmi/ipmi_dmi.c
@@ -1489,7 +1035,7 @@ index 8efbcf699e4f..96d5a1ca981d 100644
obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o
obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE) += embedded-firmware.o
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
-index b2fb92a4bbd1..533e132e1bd8 100644
+index 6b961c9b08b7..2187f1346f97 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -33,6 +33,7 @@
@@ -1500,7 +1046,7 @@ index b2fb92a4bbd1..533e132e1bd8 100644
#include <asm/early_ioremap.h>
-@@ -1021,40 +1022,101 @@ int efi_mem_type(unsigned long phys_addr)
+@@ -1025,40 +1026,101 @@ int efi_mem_type(unsigned long phys_addr)
return -EINVAL;
}
@@ -2235,116 +1781,8 @@ index ccd9338a44db..5c54e522e8a4 100644
if (data->f01_container->dev.driver) {
/* Driver already bound, so enable ATTN now. */
-diff --git a/drivers/iommu/amd/debugfs.c b/drivers/iommu/amd/debugfs.c
-index 20b04996441d..3909a1fb218e 100644
---- a/drivers/iommu/amd/debugfs.c
-+++ b/drivers/iommu/amd/debugfs.c
-@@ -26,22 +26,20 @@ static ssize_t iommu_mmio_write(struct file *filp, const char __user *ubuf,
- {
- struct seq_file *m = filp->private_data;
- struct amd_iommu *iommu = m->private;
-- int ret;
--
-- iommu->dbg_mmio_offset = -1;
-+ int ret, dbg_mmio_offset = iommu->dbg_mmio_offset = -1;
-
- if (cnt > OFS_IN_SZ)
- return -EINVAL;
-
-- ret = kstrtou32_from_user(ubuf, cnt, 0, &iommu->dbg_mmio_offset);
-+ ret = kstrtos32_from_user(ubuf, cnt, 0, &dbg_mmio_offset);
- if (ret)
- return ret;
-
-- if (iommu->dbg_mmio_offset > iommu->mmio_phys_end - sizeof(u64)) {
-- iommu->dbg_mmio_offset = -1;
-- return -EINVAL;
-- }
-+ if (dbg_mmio_offset < 0 || dbg_mmio_offset >
-+ iommu->mmio_phys_end - sizeof(u64))
-+ return -EINVAL;
-
-+ iommu->dbg_mmio_offset = dbg_mmio_offset;
- return cnt;
- }
-
-@@ -49,14 +47,16 @@ static int iommu_mmio_show(struct seq_file *m, void *unused)
- {
- struct amd_iommu *iommu = m->private;
- u64 value;
-+ int dbg_mmio_offset = iommu->dbg_mmio_offset;
-
-- if (iommu->dbg_mmio_offset < 0) {
-+ if (dbg_mmio_offset < 0 || dbg_mmio_offset >
-+ iommu->mmio_phys_end - sizeof(u64)) {
- seq_puts(m, "Please provide mmio register's offset\n");
- return 0;
- }
-
-- value = readq(iommu->mmio_base + iommu->dbg_mmio_offset);
-- seq_printf(m, "Offset:0x%x Value:0x%016llx\n", iommu->dbg_mmio_offset, value);
-+ value = readq(iommu->mmio_base + dbg_mmio_offset);
-+ seq_printf(m, "Offset:0x%x Value:0x%016llx\n", dbg_mmio_offset, value);
-
- return 0;
- }
-@@ -67,23 +67,20 @@ static ssize_t iommu_capability_write(struct file *filp, const char __user *ubuf
- {
- struct seq_file *m = filp->private_data;
- struct amd_iommu *iommu = m->private;
-- int ret;
--
-- iommu->dbg_cap_offset = -1;
-+ int ret, dbg_cap_offset = iommu->dbg_cap_offset = -1;
-
- if (cnt > OFS_IN_SZ)
- return -EINVAL;
-
-- ret = kstrtou32_from_user(ubuf, cnt, 0, &iommu->dbg_cap_offset);
-+ ret = kstrtos32_from_user(ubuf, cnt, 0, &dbg_cap_offset);
- if (ret)
- return ret;
-
- /* Capability register at offset 0x14 is the last IOMMU capability register. */
-- if (iommu->dbg_cap_offset > 0x14) {
-- iommu->dbg_cap_offset = -1;
-+ if (dbg_cap_offset < 0 || dbg_cap_offset > 0x14)
- return -EINVAL;
-- }
-
-+ iommu->dbg_cap_offset = dbg_cap_offset;
- return cnt;
- }
-
-@@ -91,21 +88,21 @@ static int iommu_capability_show(struct seq_file *m, void *unused)
- {
- struct amd_iommu *iommu = m->private;
- u32 value;
-- int err;
-+ int err, dbg_cap_offset = iommu->dbg_cap_offset;
-
-- if (iommu->dbg_cap_offset < 0) {
-+ if (dbg_cap_offset < 0 || dbg_cap_offset > 0x14) {
- seq_puts(m, "Please provide capability register's offset in the range [0x00 - 0x14]\n");
- return 0;
- }
-
-- err = pci_read_config_dword(iommu->dev, iommu->cap_ptr + iommu->dbg_cap_offset, &value);
-+ err = pci_read_config_dword(iommu->dev, iommu->cap_ptr + dbg_cap_offset, &value);
- if (err) {
- seq_printf(m, "Not able to read capability register at 0x%x\n",
-- iommu->dbg_cap_offset);
-+ dbg_cap_offset);
- return 0;
- }
-
-- seq_printf(m, "Offset:0x%x Value:0x%08x\n", iommu->dbg_cap_offset, value);
-+ seq_printf(m, "Offset:0x%x Value:0x%08x\n", dbg_cap_offset, value);
-
- return 0;
- }
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
-index ef08c2c4ec95..c22d02658ea4 100644
+index 93c908170740..428b0c3b2519 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -8,6 +8,7 @@
@@ -2355,7 +1793,7 @@ index ef08c2c4ec95..c22d02658ea4 100644
#include <linux/kernel.h>
#include <linux/bits.h>
#include <linux/bug.h>
-@@ -3108,6 +3109,27 @@ int iommu_fwspec_add_ids(struct device *dev, const u32 *ids, int num_ids)
+@@ -3136,6 +3137,27 @@ int iommu_fwspec_add_ids(struct device *dev, const u32 *ids, int num_ids)
}
EXPORT_SYMBOL_GPL(iommu_fwspec_add_ids);
@@ -8060,229 +7498,6 @@ index 24960ba9caa9..32597cdb72ef 100644
/* Lock the device, then check to see if we were
* disconnected while waiting for the lock to succeed. */
usb_lock_device(hdev);
-diff --git a/fs/smb/client/cifs_spnego.c b/fs/smb/client/cifs_spnego.c
-index 3a41bbada04c..44c407275680 100644
---- a/fs/smb/client/cifs_spnego.c
-+++ b/fs/smb/client/cifs_spnego.c
-@@ -8,6 +8,7 @@
- */
-
- #include <linux/list.h>
-+#include <linux/cred.h>
- #include <linux/slab.h>
- #include <linux/string.h>
- #include <keys/user-type.h>
-@@ -40,12 +41,27 @@ cifs_spnego_key_destroy(struct key *key)
- kfree(key->payload.data[0]);
- }
-
-+static int
-+cifs_spnego_key_vet_description(const char *description)
-+{
-+ /*
-+ * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall.
-+ * They are only valid when produced by CIFS while using the private
-+ * spnego_cred installed below. Do not let userspace create this type
-+ * of key through request_key(2)/add_key(2), since the helper treats
-+ * pid/uid/creduid/upcall_target as kernel-originating fields.
-+ */
-+ if (current_cred() != spnego_cred)
-+ return -EPERM;
-+ return 0;
-+}
-
- /*
- * keytype for CIFS spnego keys
- */
- struct key_type cifs_spnego_key_type = {
- .name = "cifs.spnego",
-+ .vet_description = cifs_spnego_key_vet_description,
- .instantiate = cifs_spnego_key_instantiate,
- .destroy = cifs_spnego_key_destroy,
- .describe = user_describe,
-diff --git a/fs/smb/server/vfs_cache.c b/fs/smb/server/vfs_cache.c
-index 3551f01a3fa0..60b7a2d60238 100644
---- a/fs/smb/server/vfs_cache.c
-+++ b/fs/smb/server/vfs_cache.c
-@@ -418,6 +418,14 @@ static void __ksmbd_remove_durable_fd(struct ksmbd_file *fp)
- return;
-
- idr_remove(global_ft.idr, fp->persistent_id);
-+ /*
-+ * Clear persistent_id so a later __ksmbd_close_fd() that runs from a
-+ * delayed putter (e.g. when a concurrent ksmbd_lookup_fd_inode()
-+ * walker held the final reference) does not re-issue idr_remove() on
-+ * an id that idr_alloc_cyclic() may have already handed out to a new
-+ * durable handle.
-+ */
-+ fp->persistent_id = KSMBD_NO_FID;
- }
-
- static void ksmbd_remove_durable_fd(struct ksmbd_file *fp)
-@@ -510,6 +518,20 @@ static struct ksmbd_file *__ksmbd_lookup_fd(struct ksmbd_file_table *ft,
-
- static void __put_fd_final(struct ksmbd_work *work, struct ksmbd_file *fp)
- {
-+ /*
-+ * Detached durable fp -- session_fd_check() cleared fp->conn at
-+ * preserve, so this fp is no longer tracked by any conn's
-+ * stats.open_files_count. This happens when
-+ * ksmbd_scavenger_dispose_dh() hands the final close off to an
-+ * m_fp_list walker (e.g. ksmbd_lookup_fd_inode()) whose work->conn
-+ * is unrelated to the conn that originally opened the handle; close
-+ * via the NULL-ft path so we do not underflow that unrelated
-+ * counter.
-+ */
-+ if (!fp->conn) {
-+ __ksmbd_close_fd(NULL, fp);
-+ return;
-+ }
- __ksmbd_close_fd(&work->sess->file_table, fp);
- atomic_dec(&work->conn->stats.open_files_count);
- }
-@@ -881,24 +903,37 @@ static bool ksmbd_durable_scavenger_alive(void)
- return true;
- }
-
--static void ksmbd_scavenger_dispose_dh(struct list_head *head)
-+static void ksmbd_scavenger_dispose_dh(struct ksmbd_file *fp)
- {
-- while (!list_empty(head)) {
-- struct ksmbd_file *fp;
-+ /*
-+ * Durable-preserved fp can remain linked on f_ci->m_fp_list for
-+ * share-mode checks. Unlink it before final close; fp->node is not
-+ * available as a scavenger-private list node because re-adding it to
-+ * another list corrupts m_fp_list.
-+ */
-+ down_write(&fp->f_ci->m_lock);
-+ list_del_init(&fp->node);
-+ up_write(&fp->f_ci->m_lock);
-
-- fp = list_first_entry(head, struct ksmbd_file, node);
-- list_del_init(&fp->node);
-+ /*
-+ * Drop both the durable lifetime reference and the transient reference
-+ * taken by the scavenger under global_ft.lock. If a concurrent
-+ * ksmbd_lookup_fd_inode() (or any other m_fp_list walker) snatched fp
-+ * before the unlink above, that holder owns the final close via
-+ * ksmbd_fd_put() -> __ksmbd_close_fd(). Otherwise the scavenger is
-+ * the last putter and finalises fp here.
-+ */
-+ if (atomic_sub_and_test(2, &fp->refcount))
- __ksmbd_close_fd(NULL, fp);
-- }
- }
-
- static int ksmbd_durable_scavenger(void *dummy)
- {
- struct ksmbd_file *fp = NULL;
-+ struct ksmbd_file *expired_fp;
- unsigned int id;
- unsigned int min_timeout = 1;
- bool found_fp_timeout;
-- LIST_HEAD(scavenger_list);
- unsigned long remaining_jiffies;
-
- __module_get(THIS_MODULE);
-@@ -908,8 +943,6 @@ static int ksmbd_durable_scavenger(void *dummy)
- if (try_to_freeze())
- continue;
-
-- found_fp_timeout = false;
--
- remaining_jiffies = wait_event_timeout(dh_wq,
- ksmbd_durable_scavenger_alive() == false,
- __msecs_to_jiffies(min_timeout));
-@@ -918,23 +951,39 @@ static int ksmbd_durable_scavenger(void *dummy)
- else
- min_timeout = DURABLE_HANDLE_MAX_TIMEOUT;
-
-- write_lock(&global_ft.lock);
-- idr_for_each_entry(global_ft.idr, fp, id) {
-- if (!fp->durable_timeout)
-- continue;
-+ do {
-+ expired_fp = NULL;
-+ found_fp_timeout = false;
-
-- if (atomic_read(&fp->refcount) > 1 ||
-- fp->conn)
-- continue;
--
-- found_fp_timeout = true;
-- if (fp->durable_scavenger_timeout <=
-- jiffies_to_msecs(jiffies)) {
-- __ksmbd_remove_durable_fd(fp);
-- list_add(&fp->node, &scavenger_list);
-- } else {
-+ write_lock(&global_ft.lock);
-+ idr_for_each_entry(global_ft.idr, fp, id) {
- unsigned long durable_timeout;
-
-+ if (!fp->durable_timeout)
-+ continue;
-+
-+ if (atomic_read(&fp->refcount) > 1 ||
-+ fp->conn)
-+ continue;
-+
-+ found_fp_timeout = true;
-+ if (fp->durable_scavenger_timeout <=
-+ jiffies_to_msecs(jiffies)) {
-+ __ksmbd_remove_durable_fd(fp);
-+ /*
-+ * Take a transient reference so fp
-+ * cannot be freed by an in-flight
-+ * ksmbd_lookup_fd_inode() that found
-+ * it through f_ci->m_fp_list while we
-+ * drop global_ft.lock and reach the
-+ * m_fp_list unlink in
-+ * ksmbd_scavenger_dispose_dh().
-+ */
-+ atomic_inc(&fp->refcount);
-+ expired_fp = fp;
-+ break;
-+ }
-+
- durable_timeout =
- fp->durable_scavenger_timeout -
- jiffies_to_msecs(jiffies);
-@@ -942,10 +991,11 @@ static int ksmbd_durable_scavenger(void *dummy)
- if (min_timeout > durable_timeout)
- min_timeout = durable_timeout;
- }
-- }
-- write_unlock(&global_ft.lock);
-+ write_unlock(&global_ft.lock);
-
-- ksmbd_scavenger_dispose_dh(&scavenger_list);
-+ if (expired_fp)
-+ ksmbd_scavenger_dispose_dh(expired_fp);
-+ } while (expired_fp);
-
- if (found_fp_timeout == false)
- break;
-diff --git a/include/crypto/krb5.h b/include/crypto/krb5.h
-index 71dd38f59be1..aac3ecf88467 100644
---- a/include/crypto/krb5.h
-+++ b/include/crypto/krb5.h
-@@ -121,9 +121,12 @@ size_t crypto_krb5_how_much_buffer(const struct krb5_enctype *krb5,
- size_t crypto_krb5_how_much_data(const struct krb5_enctype *krb5,
- enum krb5_crypto_mode mode,
- size_t *_buffer_size, size_t *_offset);
--void crypto_krb5_where_is_the_data(const struct krb5_enctype *krb5,
-- enum krb5_crypto_mode mode,
-- size_t *_offset, size_t *_len);
-+int crypto_krb5_where_is_the_data(const struct krb5_enctype *krb5,
-+ enum krb5_crypto_mode mode,
-+ size_t *_offset, size_t *_len);
-+int crypto_krb5_check_data_len(const struct krb5_enctype *krb5,
-+ enum krb5_crypto_mode mode,
-+ size_t len, size_t min_content);
- struct crypto_aead *crypto_krb5_prepare_encryption(const struct krb5_enctype *krb5,
- const struct krb5_buffer *TK,
- u32 usage, gfp_t gfp);
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 664898d09ff5..34f476d02181 100644
--- a/include/linux/efi.h
@@ -8351,38 +7566,6 @@ index 664898d09ff5..34f476d02181 100644
static inline
enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var)
{
-diff --git a/include/linux/libata.h b/include/linux/libata.h
-index 00346ce3af5e..93ab3595c640 100644
---- a/include/linux/libata.h
-+++ b/include/linux/libata.h
-@@ -371,6 +371,7 @@ enum {
- /* return values for ->qc_defer */
- ATA_DEFER_LINK = 1,
- ATA_DEFER_PORT = 2,
-+ ATA_DEFER_LINK_EXCL = 3,
-
- /* desc_len for ata_eh_info and context */
- ATA_EH_DESC_LEN = 80,
-@@ -854,6 +855,9 @@ struct ata_link {
- unsigned int sata_spd; /* current SATA PHY speed */
- enum ata_lpm_policy lpm_policy;
-
-+ struct work_struct deferred_qc_work;
-+ struct ata_queued_cmd *deferred_qc;
-+
- /* record runtime error info, protected by host_set lock */
- struct ata_eh_info eh_info;
- /* EH context */
-@@ -899,9 +903,6 @@ struct ata_port {
- u64 qc_active;
- int nr_active_links; /* #links with active qcs */
-
-- struct work_struct deferred_qc_work;
-- struct ata_queued_cmd *deferred_qc;
--
- struct ata_link link; /* host default link */
- struct ata_link *slave_link; /* see ata_slave_link_init() */
-
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index b4958167e381..64ffe8c2dacd 100644
--- a/include/linux/lsm_hook_defs.h
@@ -8448,18 +7631,6 @@ index 8d2d4856934e..d6b1aec4340f 100644
+#endif /* CONFIG_SECURITY_LOCKDOWN_LSM */
+
#endif /* ! __LINUX_SECURITY_H */
-diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
-index 573f2df3a2c9..704a10de6670 100644
---- a/include/trace/events/rxrpc.h
-+++ b/include/trace/events/rxrpc.h
-@@ -71,6 +71,7 @@
- EM(rxkad_abort_resp_unknown_tkt, "rxkad-resp-unknown-tkt") \
- EM(rxkad_abort_resp_version, "rxkad-resp-version") \
- /* RxGK security errors */ \
-+ EM(rxgk_abort_1_short_header, "rxgk1-short-hdr") \
- EM(rxgk_abort_1_verify_mic_eproto, "rxgk1-vfy-mic-eproto") \
- EM(rxgk_abort_2_decrypt_eproto, "rxgk2-dec-eproto") \
- EM(rxgk_abort_2_short_data, "rxgk2-short-data") \
diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index a2ff4242e623..f0d2be1ee4f1 100644
--- a/kernel/module/signing.c
@@ -8484,10 +7655,10 @@ index a2ff4242e623..f0d2be1ee4f1 100644
int module_sig_check(struct load_info *info, int flags)
diff --git a/net/core/gro.c b/net/core/gro.c
-index 9f8960789b2c..c7b8eab61e02 100644
+index a84753983467..3e20f61724ad 100644
--- a/net/core/gro.c
+++ b/net/core/gro.c
-@@ -123,6 +123,9 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb)
+@@ -126,6 +126,9 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb)
lp = NAPI_GRO_CB(p)->last;
pinfo = skb_shinfo(lp);
@@ -8543,1068 +7714,6 @@ index 9c06c5a1419d..0fad1dc558b8 100644
goto cow;
if (!skb_cloned(skb)) {
-diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
-index 27c2aa2dd023..98f2165159d7 100644
---- a/net/rxrpc/ar-internal.h
-+++ b/net/rxrpc/ar-internal.h
-@@ -213,8 +213,6 @@ struct rxrpc_skb_priv {
- struct {
- u16 offset; /* Offset of data */
- u16 len; /* Length of data */
-- u8 flags;
--#define RXRPC_RX_VERIFIED 0x01
- };
- struct {
- rxrpc_seq_t first_ack; /* First packet in acks table */
-@@ -309,15 +307,16 @@ struct rxrpc_security {
- struct sk_buff *challenge);
-
- /* verify a response */
-- int (*verify_response)(struct rxrpc_connection *,
-- struct sk_buff *);
-+ int (*verify_response)(struct rxrpc_connection *conn,
-+ struct sk_buff *response_skb,
-+ void *response, unsigned int len);
-
- /* clear connection security */
- void (*clear)(struct rxrpc_connection *);
-
- /* Default ticket -> key decoder */
- int (*default_decode_ticket)(struct rxrpc_connection *conn, struct sk_buff *skb,
-- unsigned int ticket_offset, unsigned int ticket_len,
-+ void *ticket, unsigned int ticket_len,
- struct key **_key);
- };
-
-@@ -774,6 +773,11 @@ struct rxrpc_call {
- struct sk_buff_head recvmsg_queue; /* Queue of packets ready for recvmsg() */
- struct sk_buff_head rx_queue; /* Queue of packets for this call to receive */
- struct sk_buff_head rx_oos_queue; /* Queue of out of sequence packets */
-+ void *rx_dec_buffer; /* Decryption buffer */
-+ unsigned short rx_dec_bsize; /* rx_dec_buffer size */
-+ unsigned short rx_dec_offset; /* Decrypted packet data offset */
-+ unsigned short rx_dec_len; /* Decrypted packet data len */
-+ rxrpc_seq_t rx_dec_seq; /* Packet in decryption buffer */
-
- rxrpc_seq_t rx_highest_seq; /* Higest sequence number received */
- rxrpc_seq_t rx_consumed; /* Highest packet consumed */
-diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
-index 2b19b252225e..fec59d9338b9 100644
---- a/net/rxrpc/call_event.c
-+++ b/net/rxrpc/call_event.c
-@@ -332,27 +332,7 @@ bool rxrpc_input_call_event(struct rxrpc_call *call)
-
- saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
-
-- if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
-- sp->hdr.securityIndex != 0 &&
-- (skb_cloned(skb) ||
-- skb_has_frag_list(skb) ||
-- skb_has_shared_frag(skb))) {
-- /* Unshare the packet so that it can be
-- * modified by in-place decryption.
-- */
-- struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
--
-- if (nskb) {
-- rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
-- rxrpc_input_call_packet(call, nskb);
-- rxrpc_free_skb(nskb, rxrpc_skb_put_call_rx);
-- } else {
-- /* OOM - Drop the packet. */
-- rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
-- }
-- } else {
-- rxrpc_input_call_packet(call, skb);
-- }
-+ rxrpc_input_call_packet(call, skb);
- rxrpc_free_skb(skb, rxrpc_skb_put_call_rx);
- did_receive = true;
- }
-diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c
-index f035f486c139..fcb9d38bb521 100644
---- a/net/rxrpc/call_object.c
-+++ b/net/rxrpc/call_object.c
-@@ -152,6 +152,7 @@ struct rxrpc_call *rxrpc_alloc_call(struct rxrpc_sock *rx, gfp_t gfp,
- spin_lock_init(&call->notify_lock);
- refcount_set(&call->ref, 1);
- call->debug_id = debug_id;
-+ call->rx_pkt_offset = USHRT_MAX;
- call->tx_total_len = -1;
- call->tx_jumbo_max = 1;
- call->next_rx_timo = 20 * HZ;
-@@ -553,6 +554,7 @@ static void rxrpc_cleanup_rx_buffers(struct rxrpc_call *call)
- rxrpc_purge_queue(&call->recvmsg_queue);
- rxrpc_purge_queue(&call->rx_queue);
- rxrpc_purge_queue(&call->rx_oos_queue);
-+ kfree(call->rx_dec_buffer);
- }
-
- /*
-diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
-index 442414d90ba1..c96ca615b787 100644
---- a/net/rxrpc/conn_event.c
-+++ b/net/rxrpc/conn_event.c
-@@ -243,28 +243,22 @@ static void rxrpc_call_is_secure(struct rxrpc_call *call)
- static int rxrpc_verify_response(struct rxrpc_connection *conn,
- struct sk_buff *skb)
- {
-+ unsigned int len = skb->len - sizeof(struct rxrpc_wire_header);
-+ void *buffer;
- int ret;
-
-- if (skb_cloned(skb) || skb_has_frag_list(skb) ||
-- skb_has_shared_frag(skb)) {
-- /* Copy the packet if shared so that we can do in-place
-- * decryption.
-- */
-- struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
--
-- if (nskb) {
-- rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
-- ret = conn->security->verify_response(conn, nskb);
-- rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
-- } else {
-- /* OOM - Drop the packet. */
-- rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
-- ret = -ENOMEM;
-- }
-- } else {
-- ret = conn->security->verify_response(conn, skb);
-- }
-+ buffer = kmalloc(len, GFP_NOFS);
-+ if (!buffer)
-+ return -ENOMEM;
-+
-+ ret = skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), buffer, len);
-+ if (ret < 0)
-+ goto out;
-+
-+ ret = conn->security->verify_response(conn, skb, buffer, len);
-
-+out:
-+ kfree(buffer);
- return ret;
- }
-
-diff --git a/net/rxrpc/insecure.c b/net/rxrpc/insecure.c
-index 0a260df45d25..0b39046bdc61 100644
---- a/net/rxrpc/insecure.c
-+++ b/net/rxrpc/insecure.c
-@@ -32,9 +32,6 @@ static int none_secure_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb)
-
- static int none_verify_packet(struct rxrpc_call *call, struct sk_buff *skb)
- {
-- struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
--
-- sp->flags |= RXRPC_RX_VERIFIED;
- return 0;
- }
-
-@@ -57,9 +54,10 @@ static int none_sendmsg_respond_to_challenge(struct sk_buff *challenge,
- }
-
- static int none_verify_response(struct rxrpc_connection *conn,
-- struct sk_buff *skb)
-+ struct sk_buff *response_skb,
-+ void *response, unsigned int len)
- {
-- return rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO,
-+ return rxrpc_abort_conn(conn, response_skb, RX_PROTOCOL_ERROR, -EPROTO,
- rxrpc_eproto_rxnull_response);
- }
-
-diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c
-index e1f7513a46db..c940600117a4 100644
---- a/net/rxrpc/recvmsg.c
-+++ b/net/rxrpc/recvmsg.c
-@@ -147,15 +147,52 @@ static void rxrpc_rotate_rx_window(struct rxrpc_call *call)
- }
-
- /*
-- * Decrypt and verify a DATA packet.
-+ * Decrypt and verify a DATA packet. The content of the packet is pulled out
-+ * into a flat buffer rather than decrypting in place in the skbuff. This also
-+ * has the advantage of aligning the buffer correctly for the crypto routines.
-+ *
-+ * We keep track of the sequence number of the packet currently decrypted into
-+ * the buffer in ->rx_dec_seq. If MSG_PEEK is used and steps onto a new
-+ * packet, subsequent recvmsg() calls will have to go back and re-decrypt the
-+ * current packet.
- */
- static int rxrpc_verify_data(struct rxrpc_call *call, struct sk_buff *skb)
- {
- struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
-+ int ret;
-
-- if (sp->flags & RXRPC_RX_VERIFIED)
-- return 0;
-- return call->security->verify_packet(call, skb);
-+ if (sp->len > call->rx_dec_bsize) {
-+ /* Make sure we can hold a 1412-byte jumbo subpacket and make
-+ * sure that the buffer size is aligned to a crypto blocksize.
-+ */
-+ size_t size = clamp(round_up(sp->len, 32), 2048, 65535);
-+ void *buffer = krealloc(call->rx_dec_buffer, size, GFP_NOFS);
-+
-+ if (!buffer)
-+ return -ENOMEM;
-+ call->rx_dec_buffer = buffer;
-+ call->rx_dec_bsize = size;
-+ }
-+
-+ ret = -EFAULT;
-+ if (skb_copy_bits(skb, sp->offset, call->rx_dec_buffer, sp->len) < 0)
-+ goto err;
-+
-+ call->rx_dec_offset = 0;
-+ call->rx_dec_len = sp->len;
-+ call->rx_dec_seq = sp->hdr.seq;
-+ ret = call->security->verify_packet(call, skb);
-+ if (ret < 0)
-+ goto err;
-+ return 0;
-+
-+err:
-+ kfree(call->rx_dec_buffer);
-+ call->rx_dec_buffer = NULL;
-+ call->rx_dec_bsize = 0;
-+ call->rx_dec_offset = 0;
-+ call->rx_dec_len = 0;
-+ return ret;
- }
-
- /*
-@@ -283,16 +320,21 @@ static int rxrpc_recvmsg_data(struct socket *sock, struct rxrpc_call *call,
- if (msg)
- sock_recv_timestamp(msg, sock->sk, skb);
-
-- if (rx_pkt_offset == 0) {
-+ if (call->rx_dec_seq != sp->hdr.seq ||
-+ !call->rx_dec_buffer) {
- ret2 = rxrpc_verify_data(call, skb);
- trace_rxrpc_recvdata(call, rxrpc_recvmsg_next, seq,
-- sp->offset, sp->len, ret2);
-+ call->rx_dec_offset,
-+ call->rx_dec_len, ret2);
- if (ret2 < 0) {
- ret = ret2;
- goto out;
- }
-- rx_pkt_offset = sp->offset;
-- rx_pkt_len = sp->len;
-+ }
-+
-+ if (rx_pkt_offset == USHRT_MAX) {
-+ rx_pkt_offset = call->rx_dec_offset;
-+ rx_pkt_len = call->rx_dec_len;
- } else {
- trace_rxrpc_recvdata(call, rxrpc_recvmsg_cont, seq,
- rx_pkt_offset, rx_pkt_len, 0);
-@@ -304,10 +346,10 @@ static int rxrpc_recvmsg_data(struct socket *sock, struct rxrpc_call *call,
- if (copy > remain)
- copy = remain;
- if (copy > 0) {
-- ret2 = skb_copy_datagram_iter(skb, rx_pkt_offset, iter,
-- copy);
-- if (ret2 < 0) {
-- ret = ret2;
-+ ret2 = copy_to_iter(call->rx_dec_buffer + rx_pkt_offset,
-+ copy, iter);
-+ if (ret2 != copy) {
-+ ret = -EFAULT;
- goto out;
- }
-
-@@ -328,7 +370,7 @@ static int rxrpc_recvmsg_data(struct socket *sock, struct rxrpc_call *call,
- /* The whole packet has been transferred. */
- if (sp->hdr.flags & RXRPC_LAST_PACKET)
- ret = 1;
-- rx_pkt_offset = 0;
-+ rx_pkt_offset = USHRT_MAX;
- rx_pkt_len = 0;
-
- skb = skb_peek_next(skb, &call->recvmsg_queue);
-diff --git a/net/rxrpc/rxgk.c b/net/rxrpc/rxgk.c
-index 0d5e654da918..a1ee102abae1 100644
---- a/net/rxrpc/rxgk.c
-+++ b/net/rxrpc/rxgk.c
-@@ -473,15 +473,20 @@ static int rxgk_verify_packet_integrity(struct rxrpc_call *call,
- struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
- struct rxgk_header *hdr;
- struct krb5_buffer metadata;
-- unsigned int offset = sp->offset, len = sp->len;
-+ unsigned int len = call->rx_dec_len;
- size_t data_offset = 0, data_len = len;
-+ void *data = call->rx_dec_buffer, *p = data;
- u32 ac = 0;
- int ret = -ENOMEM;
-
- _enter("");
-
-- crypto_krb5_where_is_the_data(gk->krb5, KRB5_CHECKSUM_MODE,
-- &data_offset, &data_len);
-+ if (crypto_krb5_where_is_the_data(gk->krb5, KRB5_CHECKSUM_MODE,
-+ &data_offset, &data_len) < 0) {
-+ ret = rxrpc_abort_eproto(call, skb, RXGK_PACKETSHORT,
-+ rxgk_abort_1_short_header);
-+ goto put_gk;
-+ }
-
- hdr = kzalloc_obj(*hdr, GFP_NOFS);
- if (!hdr)
-@@ -496,16 +501,15 @@ static int rxgk_verify_packet_integrity(struct rxrpc_call *call,
-
- metadata.len = sizeof(*hdr);
- metadata.data = hdr;
-- ret = rxgk_verify_mic_skb(gk->krb5, gk->rx_Kc, &metadata,
-- skb, &offset, &len, &ac);
-+ ret = rxgk_verify_mic(gk->krb5, gk->rx_Kc, &metadata, &p, &len, &ac);
- kfree(hdr);
- if (ret < 0) {
- if (ret != -ENOMEM)
- rxrpc_abort_eproto(call, skb, ac,
- rxgk_abort_1_verify_mic_eproto);
- } else {
-- sp->offset = offset;
-- sp->len = len;
-+ call->rx_dec_offset = p - data;
-+ call->rx_dec_len = len;
- }
-
- put_gk:
-@@ -522,49 +526,53 @@ static int rxgk_verify_packet_encrypted(struct rxrpc_call *call,
- struct sk_buff *skb)
- {
- struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
-- struct rxgk_header hdr;
-- unsigned int offset = sp->offset, len = sp->len;
-+ struct rxgk_header *hdr;
-+ unsigned int offset = 0, len = call->rx_dec_len;
-+ void *data = call->rx_dec_buffer, *p = data;
- int ret;
- u32 ac = 0;
-
- _enter("");
-
-- ret = rxgk_decrypt_skb(gk->krb5, gk->rx_enc, skb, &offset, &len, &ac);
-+ if (crypto_krb5_check_data_len(gk->krb5, KRB5_ENCRYPT_MODE,
-+ len, sizeof(*hdr)) < 0) {
-+ ret = rxrpc_abort_eproto(call, skb, RXGK_PACKETSHORT,
-+ rxgk_abort_2_short_header);
-+ goto error;
-+ }
-+
-+ ret = rxgk_decrypt(gk->krb5, gk->rx_enc, &p, &len, &ac);
- if (ret < 0) {
- if (ret != -ENOMEM)
- rxrpc_abort_eproto(call, skb, ac, rxgk_abort_2_decrypt_eproto);
- goto error;
- }
-+ offset = p - data;
-
-- if (len < sizeof(hdr)) {
-+ if (len < sizeof(*hdr)) {
- ret = rxrpc_abort_eproto(call, skb, RXGK_PACKETSHORT,
- rxgk_abort_2_short_header);
- goto error;
- }
-
- /* Extract the header from the skb */
-- ret = skb_copy_bits(skb, offset, &hdr, sizeof(hdr));
-- if (ret < 0) {
-- ret = rxrpc_abort_eproto(call, skb, RXGK_PACKETSHORT,
-- rxgk_abort_2_short_encdata);
-- goto error;
-- }
-- offset += sizeof(hdr);
-- len -= sizeof(hdr);
--
-- if (ntohl(hdr.epoch) != call->conn->proto.epoch ||
-- ntohl(hdr.cid) != call->cid ||
-- ntohl(hdr.call_number) != call->call_id ||
-- ntohl(hdr.seq) != sp->hdr.seq ||
-- ntohl(hdr.sec_index) != call->security_ix ||
-- ntohl(hdr.data_len) > len) {
-+ hdr = data + offset;
-+ offset += sizeof(*hdr);
-+ len -= sizeof(*hdr);
-+
-+ if (ntohl(hdr->epoch) != call->conn->proto.epoch ||
-+ ntohl(hdr->cid) != call->cid ||
-+ ntohl(hdr->call_number) != call->call_id ||
-+ ntohl(hdr->seq) != sp->hdr.seq ||
-+ ntohl(hdr->sec_index) != call->security_ix ||
-+ ntohl(hdr->data_len) > len) {
- ret = rxrpc_abort_eproto(call, skb, RXGK_SEALEDINCON,
- rxgk_abort_2_short_data);
- goto error;
- }
-
-- sp->offset = offset;
-- sp->len = ntohl(hdr.data_len);
-+ call->rx_dec_offset = offset;
-+ call->rx_dec_len = ntohl(hdr->data_len);
- ret = 0;
- error:
- rxgk_put(gk);
-@@ -1076,11 +1084,12 @@ static int rxgk_sendmsg_respond_to_challenge(struct sk_buff *challenge,
- * unsigned int call_numbers<>;
- * };
- */
--static int rxgk_do_verify_authenticator(struct rxrpc_connection *conn,
-- const struct krb5_enctype *krb5,
-- struct sk_buff *skb,
-- __be32 *p, __be32 *end)
-+static int rxgk_verify_authenticator(struct rxrpc_connection *conn,
-+ const struct krb5_enctype *krb5,
-+ struct sk_buff *skb,
-+ void *auth, unsigned int auth_len)
- {
-+ __be32 *p = auth, *end = auth + auth_len;
- u32 app_len, call_count, level, epoch, cid, i;
-
- _enter("");
-@@ -1143,37 +1152,6 @@ static int rxgk_do_verify_authenticator(struct rxrpc_connection *conn,
- return 0;
- }
-
--/*
-- * Extract the authenticator and verify it.
-- */
--static int rxgk_verify_authenticator(struct rxrpc_connection *conn,
-- const struct krb5_enctype *krb5,
-- struct sk_buff *skb,
-- unsigned int auth_offset, unsigned int auth_len)
--{
-- void *auth;
-- __be32 *p;
-- int ret;
--
-- auth = kmalloc(auth_len, GFP_NOFS);
-- if (!auth)
-- return -ENOMEM;
--
-- ret = skb_copy_bits(skb, auth_offset, auth, auth_len);
-- if (ret < 0) {
-- ret = rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO,
-- rxgk_abort_resp_short_auth);
-- goto error;
-- }
--
-- p = auth;
-- ret = rxgk_do_verify_authenticator(conn, krb5, skb, p,
-- p + auth_len / sizeof(*p));
--error:
-- kfree(auth);
-- return ret;
--}
--
- /*
- * Verify a response.
- *
-@@ -1184,49 +1162,45 @@ static int rxgk_verify_authenticator(struct rxrpc_connection *conn,
- * };
- */
- static int rxgk_verify_response(struct rxrpc_connection *conn,
-- struct sk_buff *skb)
-+ struct sk_buff *skb,
-+ void *buffer, unsigned int len)
- {
- const struct krb5_enctype *krb5;
- struct rxrpc_key_token *token;
- struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
-- struct rxgk_response rhdr;
-+ struct rxgk_response *rhdr;
- struct rxgk_context *gk;
- struct key *key = NULL;
-- unsigned int offset = sizeof(struct rxrpc_wire_header);
-- unsigned int len = skb->len - sizeof(struct rxrpc_wire_header);
-- unsigned int token_offset, token_len;
-- unsigned int auth_offset, auth_len;
-+ unsigned int resp_token_len, auth_len;
-+ void *resp_token, *auth;
- __be32 xauth_len;
- int ret, ec;
-
- _enter("{%d}", conn->debug_id);
-
- /* Parse the RXGK_Response object */
-- if (sizeof(rhdr) + sizeof(__be32) > len)
-+ if (len < sizeof(*rhdr) + sizeof(__be32))
- goto short_packet;
--
-- if (skb_copy_bits(skb, offset, &rhdr, sizeof(rhdr)) < 0)
-- goto short_packet;
-- offset += sizeof(rhdr);
-- len -= sizeof(rhdr);
--
-- token_offset = offset;
-- token_len = ntohl(rhdr.token_len);
-- if (token_len > len ||
-- xdr_round_up(token_len) + sizeof(__be32) > len)
-+ rhdr = buffer;
-+ buffer += sizeof(*rhdr);
-+ len -= sizeof(*rhdr);
-+
-+ resp_token = buffer;
-+ resp_token_len = ntohl(rhdr->token_len);
-+ if (resp_token_len > len ||
-+ xdr_round_up(resp_token_len) + sizeof(__be32) > len)
- goto short_packet;
-
-- trace_rxrpc_rx_response(conn, sp->hdr.serial, 0, sp->hdr.cksum, token_len);
-+ trace_rxrpc_rx_response(conn, sp->hdr.serial, 0, sp->hdr.cksum, resp_token_len);
-
-- offset += xdr_round_up(token_len);
-- len -= xdr_round_up(token_len);
-+ buffer += xdr_round_up(resp_token_len);
-+ len -= xdr_round_up(resp_token_len);
-
-- if (skb_copy_bits(skb, offset, &xauth_len, sizeof(xauth_len)) < 0)
-- goto short_packet;
-- offset += sizeof(xauth_len);
-+ xauth_len = *(__be32 *)buffer;
-+ buffer += sizeof(xauth_len);
- len -= sizeof(xauth_len);
-
-- auth_offset = offset;
-+ auth = buffer;
- auth_len = ntohl(xauth_len);
- if (auth_len > len)
- goto short_packet;
-@@ -1241,7 +1215,7 @@ static int rxgk_verify_response(struct rxrpc_connection *conn,
- * to the app to deal with - which might mean a round trip to
- * userspace.
- */
-- ret = rxgk_extract_token(conn, skb, token_offset, token_len, &key);
-+ ret = rxgk_extract_token(conn, skb, resp_token, resp_token_len, &key);
- if (ret < 0)
- goto out;
-
-@@ -1255,7 +1229,7 @@ static int rxgk_verify_response(struct rxrpc_connection *conn,
- */
- token = key->payload.data[0];
- conn->security_level = token->rxgk->level;
-- conn->rxgk.start_time = __be64_to_cpu(rhdr.start_time);
-+ conn->rxgk.start_time = __be64_to_cpu(rhdr->start_time);
-
- gk = rxgk_generate_transport_key(conn, token->rxgk, sp->hdr.cksum, GFP_NOFS);
- if (IS_ERR(gk)) {
-@@ -1265,18 +1239,18 @@ static int rxgk_verify_response(struct rxrpc_connection *conn,
-
- krb5 = gk->krb5;
-
-- trace_rxrpc_rx_response(conn, sp->hdr.serial, krb5->etype, sp->hdr.cksum, token_len);
-+ trace_rxrpc_rx_response(conn, sp->hdr.serial, krb5->etype, sp->hdr.cksum,
-+ resp_token_len);
-
- /* Decrypt, parse and verify the authenticator. */
-- ret = rxgk_decrypt_skb(krb5, gk->resp_enc, skb,
-- &auth_offset, &auth_len, &ec);
-+ ret = rxgk_decrypt(krb5, gk->resp_enc, &auth, &auth_len, &ec);
- if (ret < 0) {
- rxrpc_abort_conn(conn, skb, RXGK_SEALEDINCON, ret,
- rxgk_abort_resp_auth_dec);
- goto out_gk;
- }
-
-- ret = rxgk_verify_authenticator(conn, krb5, skb, auth_offset, auth_len);
-+ ret = rxgk_verify_authenticator(conn, krb5, skb, auth, auth_len);
- if (ret < 0)
- goto out_gk;
-
-diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c
-index 0ef2a29eb695..200a30064fae 100644
---- a/net/rxrpc/rxgk_app.c
-+++ b/net/rxrpc/rxgk_app.c
-@@ -40,7 +40,7 @@
- * };
- */
- int rxgk_yfs_decode_ticket(struct rxrpc_connection *conn, struct sk_buff *skb,
-- unsigned int ticket_offset, unsigned int ticket_len,
-+ void *buffer, unsigned int ticket_len,
- struct key **_key)
- {
- struct rxrpc_key_token *token;
-@@ -49,7 +49,7 @@ int rxgk_yfs_decode_ticket(struct rxrpc_connection *conn, struct sk_buff *skb,
- size_t pre_ticket_len, payload_len;
- unsigned int klen, enctype;
- void *payload, *ticket;
-- __be32 *t, *p, *q, tmp[2];
-+ __be32 *t, *p, *q, *tmp;
- int ret;
-
- _enter("");
-@@ -59,10 +59,7 @@ int rxgk_yfs_decode_ticket(struct rxrpc_connection *conn, struct sk_buff *skb,
- rxgk_abort_resp_short_yfs_tkt);
-
- /* Get the session key length */
-- ret = skb_copy_bits(skb, ticket_offset, tmp, sizeof(tmp));
-- if (ret < 0)
-- return rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO,
-- rxgk_abort_resp_short_yfs_klen);
-+ tmp = buffer;
- enctype = ntohl(tmp[0]);
- klen = ntohl(tmp[1]);
-
-@@ -84,12 +81,7 @@ int rxgk_yfs_decode_ticket(struct rxrpc_connection *conn, struct sk_buff *skb,
- * it.
- */
- ticket = payload + pre_ticket_len;
-- ret = skb_copy_bits(skb, ticket_offset, ticket, ticket_len);
-- if (ret < 0) {
-- ret = rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO,
-- rxgk_abort_resp_short_yfs_tkt);
-- goto error;
-- }
-+ memcpy(ticket, buffer, ticket_len);
-
- /* Fill out the form header. */
- p = payload;
-@@ -131,7 +123,7 @@ int rxgk_yfs_decode_ticket(struct rxrpc_connection *conn, struct sk_buff *skb,
- goto error;
- }
-
-- /* Ticket read in with skb_copy_bits above */
-+ /* Ticket appended above. */
- q += xdr_round_up(ticket_len) / 4;
- if (WARN_ON((unsigned long)q - (unsigned long)payload != payload_len)) {
- ret = -EIO;
-@@ -182,14 +174,15 @@ int rxgk_yfs_decode_ticket(struct rxrpc_connection *conn, struct sk_buff *skb,
- * [tools.ietf.org/html/draft-wilkinson-afs3-rxgk-afs-08 sec 6.1]
- */
- int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
-- unsigned int token_offset, unsigned int token_len,
-+ void *token, unsigned int token_len,
- struct key **_key)
- {
- const struct krb5_enctype *krb5;
- const struct krb5_buffer *server_secret;
- struct crypto_aead *token_enc = NULL;
- struct key *server_key;
-- unsigned int ticket_offset, ticket_len;
-+ unsigned int ticket_len;
-+ void *ticket;
- u32 kvno, enctype;
- int ret, ec = 0;
-
-@@ -197,24 +190,23 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
- __be32 kvno;
- __be32 enctype;
- __be32 token_len;
-- } container;
-+ } *container;
-
-- if (token_len < sizeof(container))
-+ if (token_len < sizeof(*container))
- goto short_packet;
-
- /* Decode the RXGK_TokenContainer object. This tells us which server
- * key we should be using. We can then fetch the key, get the secret
- * and set up the crypto to extract the token.
- */
-- if (skb_copy_bits(skb, token_offset, &container, sizeof(container)) < 0)
-- goto short_packet;
-+ container = token;
-+ token += sizeof(*container);
-
-- kvno = ntohl(container.kvno);
-- enctype = ntohl(container.enctype);
-- ticket_len = ntohl(container.token_len);
-- ticket_offset = token_offset + sizeof(container);
-+ kvno = ntohl(container->kvno);
-+ enctype = ntohl(container->enctype);
-+ ticket_len = ntohl(container->token_len);
-
-- if (ticket_len > xdr_round_down(token_len - sizeof(container)))
-+ if (ticket_len > xdr_round_down(token_len - sizeof(*container)))
- goto short_packet;
-
- _debug("KVNO %u", kvno);
-@@ -237,8 +229,8 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
- * gain access to K0, from which we can derive the transport key and
- * thence decode the authenticator.
- */
-- ret = rxgk_decrypt_skb(krb5, token_enc, skb,
-- &ticket_offset, &ticket_len, &ec);
-+ ticket = token;
-+ ret = rxgk_decrypt(krb5, token_enc, &ticket, &ticket_len, &ec);
- crypto_free_aead(token_enc);
- token_enc = NULL;
- if (ret < 0) {
-@@ -248,7 +240,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
- return ret;
- }
-
-- ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,
-+ ret = conn->security->default_decode_ticket(conn, skb, ticket,
- ticket_len, _key);
- if (ret < 0)
- goto cant_get_token;
-diff --git a/net/rxrpc/rxgk_common.h b/net/rxrpc/rxgk_common.h
-index 1e257d7ab8ec..3deed5863f5a 100644
---- a/net/rxrpc/rxgk_common.h
-+++ b/net/rxrpc/rxgk_common.h
-@@ -41,10 +41,10 @@ struct rxgk_context {
- * rxgk_app.c
- */
- int rxgk_yfs_decode_ticket(struct rxrpc_connection *conn, struct sk_buff *skb,
-- unsigned int ticket_offset, unsigned int ticket_len,
-+ void *ticket, unsigned int ticket_len,
- struct key **_key);
- int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
-- unsigned int token_offset, unsigned int token_len,
-+ void *token, unsigned int token_len,
- struct key **_key);
-
- /*
-@@ -62,31 +62,30 @@ int rxgk_set_up_token_cipher(const struct krb5_buffer *server_key,
- gfp_t gfp);
-
- /*
-- * Apply decryption and checksumming functions to part of an skbuff. The
-- * offset and length are updated to reflect the actual content of the encrypted
-+ * Apply decryption and checksumming functions a flat data buffer. The data
-+ * point and length are updated to reflect the actual content of the encrypted
- * region.
- */
--static inline
--int rxgk_decrypt_skb(const struct krb5_enctype *krb5,
-- struct crypto_aead *aead,
-- struct sk_buff *skb,
-- unsigned int *_offset, unsigned int *_len,
-- int *_error_code)
-+static inline int rxgk_decrypt(const struct krb5_enctype *krb5,
-+ struct crypto_aead *aead,
-+ void **_data, unsigned int *_len,
-+ int *_error_code)
- {
-- struct scatterlist sg[16];
-+ struct scatterlist sg[1];
- size_t offset = 0, len = *_len;
-- int nr_sg, ret;
-+ int ret;
-
-- sg_init_table(sg, ARRAY_SIZE(sg));
-- nr_sg = skb_to_sgvec(skb, sg, *_offset, len);
-- if (unlikely(nr_sg < 0))
-- return nr_sg;
-+ sg_init_one(sg, *_data, len);
-
-- ret = crypto_krb5_decrypt(krb5, aead, sg, nr_sg,
-- &offset, &len);
-+ ret = crypto_krb5_decrypt(krb5, aead, sg, 1, &offset, &len);
- switch (ret) {
- case 0:
-- *_offset += offset;
-+ if (offset & 3) {
-+ *_error_code = RXGK_INCONSISTENCY;
-+ ret = -EPROTO;
-+ break;
-+ }
-+ *_data += offset;
- *_len = len;
- break;
- case -EBADMSG: /* Checksum mismatch. */
-@@ -106,31 +105,26 @@ int rxgk_decrypt_skb(const struct krb5_enctype *krb5,
- }
-
- /*
-- * Check the MIC on a region of an skbuff. The offset and length are updated
-- * to reflect the actual content of the secure region.
-+ * Check the MIC on a flat buffer. The data pointer and length are updated to
-+ * reflect the actual content of the secure region.
- */
- static inline
--int rxgk_verify_mic_skb(const struct krb5_enctype *krb5,
-- struct crypto_shash *shash,
-- const struct krb5_buffer *metadata,
-- struct sk_buff *skb,
-- unsigned int *_offset, unsigned int *_len,
-- u32 *_error_code)
-+int rxgk_verify_mic(const struct krb5_enctype *krb5,
-+ struct crypto_shash *shash,
-+ const struct krb5_buffer *metadata,
-+ void **_data, unsigned int *_len,
-+ u32 *_error_code)
- {
-- struct scatterlist sg[16];
-+ struct scatterlist sg[1];
- size_t offset = 0, len = *_len;
-- int nr_sg, ret;
-+ int ret;
-
-- sg_init_table(sg, ARRAY_SIZE(sg));
-- nr_sg = skb_to_sgvec(skb, sg, *_offset, len);
-- if (unlikely(nr_sg < 0))
-- return nr_sg;
-+ sg_init_one(sg, *_data, len);
-
-- ret = crypto_krb5_verify_mic(krb5, shash, metadata, sg, nr_sg,
-- &offset, &len);
-+ ret = crypto_krb5_verify_mic(krb5, shash, metadata, sg, 1, &offset, &len);
- switch (ret) {
- case 0:
-- *_offset += offset;
-+ *_data += offset;
- *_len = len;
- break;
- case -EBADMSG: /* Checksum mismatch */
-diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c
-index cba7935977f0..6fbd883401ac 100644
---- a/net/rxrpc/rxkad.c
-+++ b/net/rxrpc/rxkad.c
-@@ -430,27 +430,25 @@ static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
- rxrpc_seq_t seq,
- struct skcipher_request *req)
- {
-- struct rxkad_level1_hdr sechdr;
-+ struct rxkad_level1_hdr *sechdr;
- struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
- struct rxrpc_crypt iv;
-- struct scatterlist sg[16];
-- u32 data_size, buf;
-+ struct scatterlist sg[1];
-+ void *data = call->rx_dec_buffer;
-+ u32 len = sp->len, data_size, buf;
- u16 check;
- int ret;
-
- _enter("");
-
-- if (sp->len < 8)
-+ if (len < 8)
- return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
- rxkad_abort_1_short_header);
-
- /* Decrypt the skbuff in-place. TODO: We really want to decrypt
- * directly into the target buffer.
- */
-- sg_init_table(sg, ARRAY_SIZE(sg));
-- ret = skb_to_sgvec(skb, sg, sp->offset, 8);
-- if (unlikely(ret < 0))
-- return ret;
-+ sg_init_one(sg, data, len);
-
- /* start the decryption afresh */
- memset(&iv, 0, sizeof(iv));
-@@ -464,13 +462,11 @@ static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
- return ret;
-
- /* Extract the decrypted packet length */
-- if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
-- return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
-- rxkad_abort_1_short_encdata);
-- sp->offset += sizeof(sechdr);
-- sp->len -= sizeof(sechdr);
-+ sechdr = data;
-+ call->rx_dec_offset = sizeof(*sechdr);
-+ len -= sizeof(*sechdr);
-
-- buf = ntohl(sechdr.data_size);
-+ buf = ntohl(sechdr->data_size);
- data_size = buf & 0xffff;
-
- check = buf >> 16;
-@@ -479,10 +475,10 @@ static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
- if (check != 0)
- return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
- rxkad_abort_1_short_check);
-- if (data_size > sp->len)
-+ if (data_size > len)
- return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
- rxkad_abort_1_short_data);
-- sp->len = data_size;
-+ call->rx_dec_len = data_size;
-
- _leave(" = 0 [dlen=%x]", data_size);
- return 0;
-@@ -496,43 +492,28 @@ static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
- struct skcipher_request *req)
- {
- const struct rxrpc_key_token *token;
-- struct rxkad_level2_hdr sechdr;
-+ struct rxkad_level2_hdr *sechdr;
- struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
- struct rxrpc_crypt iv;
-- struct scatterlist _sg[4], *sg;
-- u32 data_size, buf;
-+ struct scatterlist sg[1];
-+ void *data = call->rx_dec_buffer;
-+ u32 len = sp->len, data_size, buf;
- u16 check;
-- int nsg, ret;
-+ int ret;
-
-- _enter(",{%d}", sp->len);
-+ _enter(",{%d}", len);
-
-- if (sp->len < 8)
-+ if (len < 8)
- return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
- rxkad_abort_2_short_header);
-
- /* Don't let the crypto algo see a misaligned length. */
-- sp->len = round_down(sp->len, 8);
-+ len = round_down(len, 8);
-
-- /* Decrypt the skbuff in-place. TODO: We really want to decrypt
-- * directly into the target buffer.
-+ /* Decrypt in place in the call's decryption buffer. TODO: We really
-+ * want to decrypt directly into the target buffer.
- */
-- sg = _sg;
-- nsg = skb_shinfo(skb)->nr_frags + 1;
-- if (nsg <= 4) {
-- nsg = 4;
-- } else {
-- sg = kmalloc_objs(*sg, nsg, GFP_NOIO);
-- if (!sg)
-- return -ENOMEM;
-- }
--
-- sg_init_table(sg, nsg);
-- ret = skb_to_sgvec(skb, sg, sp->offset, sp->len);
-- if (unlikely(ret < 0)) {
-- if (sg != _sg)
-- kfree(sg);
-- return ret;
-- }
-+ sg_init_one(sg, data, len);
-
- /* decrypt from the session key */
- token = call->conn->key->payload.data[0];
-@@ -540,11 +521,9 @@ static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
-
- skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
- skcipher_request_set_callback(req, 0, NULL, NULL);
-- skcipher_request_set_crypt(req, sg, sg, sp->len, iv.x);
-+ skcipher_request_set_crypt(req, sg, sg, len, iv.x);
- ret = crypto_skcipher_decrypt(req);
- skcipher_request_zero(req);
-- if (sg != _sg)
-- kfree(sg);
- if (ret < 0) {
- if (ret == -ENOMEM)
- return ret;
-@@ -553,13 +532,11 @@ static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
- }
-
- /* Extract the decrypted packet length */
-- if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
-- return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
-- rxkad_abort_2_short_len);
-- sp->offset += sizeof(sechdr);
-- sp->len -= sizeof(sechdr);
-+ sechdr = data;
-+ call->rx_dec_offset = sizeof(*sechdr);
-+ len -= sizeof(*sechdr);
-
-- buf = ntohl(sechdr.data_size);
-+ buf = ntohl(sechdr->data_size);
- data_size = buf & 0xffff;
-
- check = buf >> 16;
-@@ -569,17 +546,18 @@ static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
- return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
- rxkad_abort_2_short_check);
-
-- if (data_size > sp->len)
-+ if (data_size > len)
- return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
- rxkad_abort_2_short_data);
-
-- sp->len = data_size;
-+ call->rx_dec_len = data_size;
- _leave(" = 0 [dlen=%x]", data_size);
- return 0;
- }
-
- /*
-- * Verify the security on a received packet and the subpackets therein.
-+ * Verify the security on a received (sub)packet. If the packet needs
-+ * modifying (e.g. decrypting), it must be copied.
- */
- static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb)
- {
-@@ -985,7 +963,6 @@ static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
- *_expiry = 0;
-
- ASSERT(server_key->payload.data[0] != NULL);
-- ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
-
- memcpy(&iv, &server_key->payload.data[2], sizeof(iv));
-
-@@ -1134,14 +1111,15 @@ static int rxkad_decrypt_response(struct rxrpc_connection *conn,
- * verify a response
- */
- static int rxkad_verify_response(struct rxrpc_connection *conn,
-- struct sk_buff *skb)
-+ struct sk_buff *skb,
-+ void *buffer, unsigned int len)
- {
- struct rxkad_response *response;
- struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
- struct rxrpc_crypt session_key;
- struct key *server_key;
- time64_t expiry;
-- void *ticket = NULL;
-+ void *ticket;
- u32 version, kvno, ticket_len, level;
- __be32 csum;
- int ret, i;
-@@ -1164,13 +1142,8 @@ static int rxkad_verify_response(struct rxrpc_connection *conn,
- }
- }
-
-- ret = -ENOMEM;
-- response = kzalloc_obj(struct rxkad_response, GFP_NOFS);
-- if (!response)
-- goto error;
--
-- if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
-- response, sizeof(*response)) < 0) {
-+ response = buffer;
-+ if (len < sizeof(*response)) {
- ret = rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
- rxkad_abort_resp_short);
- goto error;
-@@ -1182,6 +1155,9 @@ static int rxkad_verify_response(struct rxrpc_connection *conn,
-
- trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len);
-
-+ buffer += sizeof(*response);
-+ len -= sizeof(*response);
-+
- if (version != RXKAD_VERSION) {
- ret = rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
- rxkad_abort_resp_version);
-@@ -1201,13 +1177,8 @@ static int rxkad_verify_response(struct rxrpc_connection *conn,
- }
-
- /* extract the kerberos ticket and decrypt and decode it */
-- ret = -ENOMEM;
-- ticket = kmalloc(ticket_len, GFP_NOFS);
-- if (!ticket)
-- goto error;
--
-- if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response),
-- ticket, ticket_len) < 0) {
-+ ticket = buffer;
-+ if (ticket_len > len) {
- ret = rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
- rxkad_abort_resp_short_tkt);
- goto error;
-@@ -1287,8 +1258,6 @@ static int rxkad_verify_response(struct rxrpc_connection *conn,
- ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
-
- error:
-- kfree(ticket);
-- kfree(response);
- key_put(server_key);
- _leave(" = %d", ret);
- return ret;
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index bc20f08a2789..1aa95c34ad87 100644
--- a/net/sched/act_pedit.c
@@ -9826,7 +7935,7 @@ index 8d46886d2cca..14a9cdff942b 100644
LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
};
diff --git a/sound/soc/amd/acp/acp-sdw-legacy-mach.c b/sound/soc/amd/acp/acp-sdw-legacy-mach.c
-index a9c8d9545281..097e191cedde 100644
+index ae9579c8511e..7474dba97d24 100644
--- a/sound/soc/amd/acp/acp-sdw-legacy-mach.c
+++ b/sound/soc/amd/acp/acp-sdw-legacy-mach.c
@@ -95,6 +95,22 @@ static const struct dmi_system_id soc_sdw_quirk_table[] = {
diff --git a/sources b/sources
index 0afc867..2b92175 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-7.0.10.tar.xz) = e4ffb6e3e742b1db74e40c135ef74baff36a62e925c6c541a0c38db40fbf0d95c173ab4405c394b28ac2cc917ca16cbe84e359920a336b03a05b444464b53f25
-SHA512 (kernel-abi-stablelists-7.0.10.tar.xz) = 75bacc60dfa4e391494e71e58d023a582d0d2c31e0d9818572586881a346a74dfa22f459a7d2297d8c1e8bc3ee5ca59fd7f2e32dc672740d2d944a0281f72072
-SHA512 (kernel-kabi-dw-7.0.10.tar.xz) = 34c87e6334c5ba4e840f0300a8f71bb9f100bb7c52eeb75983ea6e2aee14da2de8672c59f7060c683e400782ec2587218fe8456a3ddd8d557d1a2bf2ba6f1e64
+SHA512 (linux-7.0.11.tar.xz) = 4823d9d1aae69001983c865c7faa56f6cd67f27a548fa6e3532572e6800ddebfe9f04113d4b9e7a52232c16ced93a0cc115f1ac233883e540d03b1793bf76822
+SHA512 (kernel-abi-stablelists-7.0.11.tar.xz) = e36d3caf2ec32abf210ffd5e1c8a7b79ee3bf38d1450c27b9b147d3c11a1e17d1f8ffb27e136ecb9f5b4d0af898b0ec6c8de4bb170d1ec56bb381c017b0e5a64
+SHA512 (kernel-kabi-dw-7.0.11.tar.xz) = 6c63255f38b2027c8165a471eaa6875aa266caf97556e69339b2f146dd926f789a20034d923ee8e754a395cff04122f9c89a621eccd2bb6b2032b37053e073a2
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-01 22:00 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-01 22:00 [rpms/kernel] f44: kernel-7.0.11-200 Justin M. Forbes
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox