kernel: bump 6.12 to 6.12.53

Changelog: https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.53

Dropped patch
- /target/linux/generic/backport-6.12/541-v6.18-ksmbd-add-max-ip-connections-parameter.patch
merged upstream with commit https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-6.12.y&id=8173dcfafe116adb08f8daf21c09c71ac5882d8f

Added backport
- target/linux/generic/backport-6.12/510-v6.18-ksmbd-fix-recursive-locking-in-RPC-handle-list-access.patch
cherry picked from 88f170814f

All other patches automatically rebased.

Build system: x86/64
Build-tested: mediatek/filogic
Run-tested: mediatek/filogic

Signed-off-by: Edoardo Pinci <epinci@outlook.com>
Link: https://github.com/openwrt/openwrt/pull/20408
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

target/linux/bcm27xx/patches-6.12/950-0322-Bluetooth-hci_sync-Add-fallback-bd-address-prop.patch

@@ -20,7 +20,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.com>
 
 --- a/net/bluetooth/hci_sync.c
 +++ b/net/bluetooth/hci_sync.c
-@@ -4928,6 +4928,7 @@ static const struct {
+@@ -4930,6 +4930,7 @@ static const struct {
   */
  static int hci_dev_setup_sync(struct hci_dev *hdev)
  {
@@ -28,7 +28,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.com>
  	int ret = 0;
  	bool invalid_bdaddr;
  	size_t i;
-@@ -4956,7 +4957,8 @@ static int hci_dev_setup_sync(struct hci
+@@ -4958,7 +4959,8 @@ static int hci_dev_setup_sync(struct hci
  			 test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks);
  	if (!ret) {
  		if (test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks) &&

target/linux/bcm27xx/patches-6.12/950-0335-usb-xhci-add-XHCI_VLI_HUB_TT_QUIRK.patch

@@ -75,7 +75,7 @@ Signed-off-by: Jonathan Bell <jonathan@raspberrypi.com>
  	if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
 --- a/drivers/usb/host/xhci-ring.c
 +++ b/drivers/usb/host/xhci-ring.c
-@@ -3664,6 +3664,48 @@ static int xhci_align_td(struct xhci_hcd
+@@ -3661,6 +3661,48 @@ static int xhci_align_td(struct xhci_hcd
  	return 1;
  }
  
@@ -124,7 +124,7 @@ Signed-off-by: Jonathan Bell <jonathan@raspberrypi.com>
  /* This is very similar to what ehci-q.c qtd_fill() does */
  int xhci_queue_bulk_tx(struct xhci_hcd *xhci, gfp_t mem_flags,
  		struct urb *urb, int slot_id, unsigned int ep_index)
-@@ -3818,6 +3860,8 @@ int xhci_queue_bulk_tx(struct xhci_hcd *
+@@ -3815,6 +3857,8 @@ int xhci_queue_bulk_tx(struct xhci_hcd *
  	}
  
  	check_trb_math(urb, enqd_len);
@@ -133,7 +133,7 @@ Signed-off-by: Jonathan Bell <jonathan@raspberrypi.com>
  	giveback_first_trb(xhci, slot_id, ep_index, urb->stream_id,
  			start_cycle, start_trb);
  	return 0;
-@@ -3966,6 +4010,8 @@ int xhci_queue_ctrl_tx(struct xhci_hcd *
+@@ -3963,6 +4007,8 @@ int xhci_queue_ctrl_tx(struct xhci_hcd *
  			/* Event on completion */
  			field | TRB_IOC | TRB_TYPE(TRB_STATUS) | ep_ring->cycle_state);
  

target/linux/bcm27xx/patches-6.12/950-0502-Bluetooth-hci_sync-Fix-crash-on-NULL-parent.patch

@@ -15,7 +15,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.com>
 
 --- a/net/bluetooth/hci_sync.c
 +++ b/net/bluetooth/hci_sync.c
-@@ -4928,7 +4928,8 @@ static const struct {
+@@ -4930,7 +4930,8 @@ static const struct {
   */
  static int hci_dev_setup_sync(struct hci_dev *hdev)
  {

target/linux/generic/backport-6.12/510-v6.18-ksmbd-fix-recursive-locking-in-RPC-handle-list-access.patch

@@ -0,0 +1,149 @@
+From 88f170814fea74911ceab798a43cbd7c5599bed4 Mon Sep 17 00:00:00 2001
+From: Marios Makassikis <mmakassikis@freebox.fr>
+Date: Wed, 15 Oct 2025 09:25:46 +0200
+Subject: [PATCH] ksmbd: fix recursive locking in RPC handle list access
+
+Since commit 305853cce3794 ("ksmbd: Fix race condition in RPC handle list
+access"), ksmbd_session_rpc_method() attempts to lock sess->rpc_lock.
+
+This causes hung connections / tasks when a client attempts to open
+a named pipe. Using Samba's rpcclient tool:
+
+ $ rpcclient //192.168.1.254 -U user%password
+ $ rpcclient $> srvinfo
+ <connection hung here>
+
+Kernel side:
+  "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+  task:kworker/0:0 state:D stack:0 pid:5021 tgid:5021 ppid:2 flags:0x00200000
+  Workqueue: ksmbd-io handle_ksmbd_work
+  Call trace:
+  __schedule from schedule+0x3c/0x58
+  schedule from schedule_preempt_disabled+0xc/0x10
+  schedule_preempt_disabled from rwsem_down_read_slowpath+0x1b0/0x1d8
+  rwsem_down_read_slowpath from down_read+0x28/0x30
+  down_read from ksmbd_session_rpc_method+0x18/0x3c
+  ksmbd_session_rpc_method from ksmbd_rpc_open+0x34/0x68
+  ksmbd_rpc_open from ksmbd_session_rpc_open+0x194/0x228
+  ksmbd_session_rpc_open from create_smb2_pipe+0x8c/0x2c8
+  create_smb2_pipe from smb2_open+0x10c/0x27ac
+  smb2_open from handle_ksmbd_work+0x238/0x3dc
+  handle_ksmbd_work from process_scheduled_works+0x160/0x25c
+  process_scheduled_works from worker_thread+0x16c/0x1e8
+  worker_thread from kthread+0xa8/0xb8
+  kthread from ret_from_fork+0x14/0x38
+  Exception stack(0x8529ffb0 to 0x8529fff8)
+
+The task deadlocks because the lock is already held:
+  ksmbd_session_rpc_open
+    down_write(&sess->rpc_lock)
+    ksmbd_rpc_open
+      ksmbd_session_rpc_method
+        down_read(&sess->rpc_lock)   <-- deadlock
+
+Adjust ksmbd_session_rpc_method() callers to take the lock when necessary.
+
+Fixes: 305853cce3794 ("ksmbd: Fix race condition in RPC handle list access")
+Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/mgmt/user_session.c |  7 ++-----
+ fs/smb/server/smb2pdu.c           |  9 ++++++++-
+ fs/smb/server/transport_ipc.c     | 12 ++++++++++++
+ 3 files changed, 22 insertions(+), 6 deletions(-)
+
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -147,14 +147,11 @@ void ksmbd_session_rpc_close(struct ksmb
+ int ksmbd_session_rpc_method(struct ksmbd_session *sess, int id)
+ {
+ 	struct ksmbd_session_rpc *entry;
+-	int method;
+ 
+-	down_read(&sess->rpc_lock);
++	lockdep_assert_held(&sess->rpc_lock);
+ 	entry = xa_load(&sess->rpc_handle_list, id);
+-	method = entry ? entry->method : 0;
+-	up_read(&sess->rpc_lock);
+ 
+-	return method;
++	return entry ? entry->method : 0;
+ }
+ 
+ void ksmbd_session_destroy(struct ksmbd_session *sess)
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -4623,8 +4623,15 @@ static int smb2_get_info_file_pipe(struc
+ 	 * pipe without opening it, checking error condition here
+ 	 */
+ 	id = req->VolatileFileId;
+-	if (!ksmbd_session_rpc_method(sess, id))
++
++	lockdep_assert_not_held(&sess->rpc_lock);
++
++	down_read(&sess->rpc_lock);
++	if (!ksmbd_session_rpc_method(sess, id)) {
++		up_read(&sess->rpc_lock);
+ 		return -ENOENT;
++	}
++	up_read(&sess->rpc_lock);
+ 
+ 	ksmbd_debug(SMB, "FileInfoClass %u, FileId 0x%llx\n",
+ 		    req->FileInfoClass, req->VolatileFileId);
+--- a/fs/smb/server/transport_ipc.c
++++ b/fs/smb/server/transport_ipc.c
+@@ -825,6 +825,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_writ
+ 	if (!msg)
+ 		return NULL;
+ 
++	lockdep_assert_not_held(&sess->rpc_lock);
++
++	down_read(&sess->rpc_lock);
+ 	msg->type = KSMBD_EVENT_RPC_REQUEST;
+ 	req = (struct ksmbd_rpc_command *)msg->payload;
+ 	req->handle = handle;
+@@ -833,6 +836,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_writ
+ 	req->flags |= KSMBD_RPC_WRITE_METHOD;
+ 	req->payload_sz = payload_sz;
+ 	memcpy(req->payload, payload, payload_sz);
++	up_read(&sess->rpc_lock);
+ 
+ 	resp = ipc_msg_send_request(msg, req->handle);
+ 	ipc_msg_free(msg);
+@@ -849,6 +853,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_read
+ 	if (!msg)
+ 		return NULL;
+ 
++	lockdep_assert_not_held(&sess->rpc_lock);
++
++	down_read(&sess->rpc_lock);
+ 	msg->type = KSMBD_EVENT_RPC_REQUEST;
+ 	req = (struct ksmbd_rpc_command *)msg->payload;
+ 	req->handle = handle;
+@@ -856,6 +863,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_read
+ 	req->flags |= rpc_context_flags(sess);
+ 	req->flags |= KSMBD_RPC_READ_METHOD;
+ 	req->payload_sz = 0;
++	up_read(&sess->rpc_lock);
+ 
+ 	resp = ipc_msg_send_request(msg, req->handle);
+ 	ipc_msg_free(msg);
+@@ -876,6 +884,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioct
+ 	if (!msg)
+ 		return NULL;
+ 
++	lockdep_assert_not_held(&sess->rpc_lock);
++
++	down_read(&sess->rpc_lock);
+ 	msg->type = KSMBD_EVENT_RPC_REQUEST;
+ 	req = (struct ksmbd_rpc_command *)msg->payload;
+ 	req->handle = handle;
+@@ -884,6 +895,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioct
+ 	req->flags |= KSMBD_RPC_IOCTL_METHOD;
+ 	req->payload_sz = payload_sz;
+ 	memcpy(req->payload, payload, payload_sz);
++	up_read(&sess->rpc_lock);
+ 
+ 	resp = ipc_msg_send_request(msg, req->handle);
+ 	ipc_msg_free(msg);

target/linux/generic/backport-6.12/541-v6.18-ksmbd-add-max-ip-connections-parameter.patch

@@ -1,119 +0,0 @@
-From d8b6dc9256762293048bf122fc11c4e612d0ef5d Mon Sep 17 00:00:00 2001
-From: Namjae Jeon <linkinjeon@kernel.org>
-Date: Wed, 1 Oct 2025 09:25:35 +0900
-Subject: ksmbd: add max ip connections parameter
-
-This parameter set the maximum number of connections per ip address.
-The default is 8.
-
-Cc: stable@vger.kernel.org
-Fixes: c0d41112f1a5 ("ksmbd: extend the connection limiting mechanism to support IPv6")
-Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
----
- fs/smb/server/ksmbd_netlink.h |  5 +++--
- fs/smb/server/server.h        |  1 +
- fs/smb/server/transport_ipc.c |  3 +++
- fs/smb/server/transport_tcp.c | 27 ++++++++++++++++-----------
- 4 files changed, 23 insertions(+), 13 deletions(-)
-
-(limited to 'fs/smb')
-
---- a/fs/smb/server/ksmbd_netlink.h
-+++ b/fs/smb/server/ksmbd_netlink.h
-@@ -112,10 +112,11 @@ struct ksmbd_startup_request {
- 	__u32	smbd_max_io_size;	/* smbd read write size */
- 	__u32	max_connections;	/* Number of maximum simultaneous connections */
- 	__s8	bind_interfaces_only;
--	__s8	reserved[503];		/* Reserved room */
-+	__u32	max_ip_connections;	/* Number of maximum connection per ip address */
-+	__s8	reserved[499];		/* Reserved room */
- 	__u32	ifc_list_sz;		/* interfaces list size */
- 	__s8	____payload[];
--};
-+} __packed;
- 
- #define KSMBD_STARTUP_CONFIG_INTERFACES(s)	((s)->____payload)
- 
---- a/fs/smb/server/server.h
-+++ b/fs/smb/server/server.h
-@@ -43,6 +43,7 @@ struct ksmbd_server_config {
- 	unsigned int		auth_mechs;
- 	unsigned int		max_connections;
- 	unsigned int		max_inflight_req;
-+	unsigned int		max_ip_connections;
- 
- 	char			*conf[SERVER_CONF_WORK_GROUP + 1];
- 	struct task_struct	*dh_task;
---- a/fs/smb/server/transport_ipc.c
-+++ b/fs/smb/server/transport_ipc.c
-@@ -335,6 +335,9 @@ static int ipc_server_config_on_startup(
- 	if (req->max_connections)
- 		server_conf.max_connections = req->max_connections;
- 
-+	if (req->max_ip_connections)
-+		server_conf.max_ip_connections = req->max_ip_connections;
-+
- 	ret = ksmbd_set_netbios_name(req->netbios_name);
- 	ret |= ksmbd_set_server_string(req->server_string);
- 	ret |= ksmbd_set_work_group(req->work_group);
---- a/fs/smb/server/transport_tcp.c
-+++ b/fs/smb/server/transport_tcp.c
-@@ -240,6 +240,7 @@ static int ksmbd_kthread_fn(void *p)
- 	struct interface *iface = (struct interface *)p;
- 	struct ksmbd_conn *conn;
- 	int ret;
-+	unsigned int max_ip_conns;
- 
- 	while (!kthread_should_stop()) {
- 		mutex_lock(&iface->sock_release_lock);
-@@ -257,34 +258,38 @@ static int ksmbd_kthread_fn(void *p)
- 			continue;
- 		}
- 
-+		if (!server_conf.max_ip_connections)
-+			goto skip_max_ip_conns_limit;
-+
- 		/*
- 		 * Limits repeated connections from clients with the same IP.
- 		 */
-+		max_ip_conns = 0;
- 		down_read(&conn_list_lock);
--		list_for_each_entry(conn, &conn_list, conns_list)
-+		list_for_each_entry(conn, &conn_list, conns_list) {
- #if IS_ENABLED(CONFIG_IPV6)
- 			if (client_sk->sk->sk_family == AF_INET6) {
- 				if (memcmp(&client_sk->sk->sk_v6_daddr,
--					   &conn->inet6_addr, 16) == 0) {
--					ret = -EAGAIN;
--					break;
--				}
-+					   &conn->inet6_addr, 16) == 0)
-+					max_ip_conns++;
- 			} else if (inet_sk(client_sk->sk)->inet_daddr ==
--				 conn->inet_addr) {
--				ret = -EAGAIN;
--				break;
--			}
-+				 conn->inet_addr)
-+				max_ip_conns++;
- #else
- 			if (inet_sk(client_sk->sk)->inet_daddr ==
--			    conn->inet_addr) {
-+			    conn->inet_addr)
-+				max_ip_conns++;
-+#endif
-+			if (server_conf.max_ip_connections <= max_ip_conns) {
- 				ret = -EAGAIN;
- 				break;
- 			}
--#endif
-+		}
- 		up_read(&conn_list_lock);
- 		if (ret == -EAGAIN)
- 			continue;
- 
-+skip_max_ip_conns_limit:
- 		if (server_conf.max_connections &&
- 		    atomic_inc_return(&active_num_conn) >= server_conf.max_connections) {
- 			pr_info_ratelimited("Limit the maximum number of connections(%u)\n",

target/linux/generic/hack-6.12/253-ksmbd-config.patch

@@ -10,7 +10,7 @@ Subject: [PATCH] Kconfig: add tristate for OID and ASNI string
 
 --- a/init/Kconfig
 +++ b/init/Kconfig
-@@ -2062,7 +2062,7 @@ config PADATA
+@@ -2063,7 +2063,7 @@ config PADATA
  	bool
  
  config ASN1

target/linux/generic/kernel-6.12

@@ -1,2 +1,2 @@
-LINUX_VERSION-6.12 = .52
-LINUX_KERNEL_HASH-6.12.52 = b4850cf670a032c70f38b713a27d62046c5f747caf028c5f50b18f98606a9eb1
+LINUX_VERSION-6.12 = .53
+LINUX_KERNEL_HASH-6.12.53 = 663507accae673afcf4e210b4ae8d4352e61d926202e5da3f04bf71ca1d2c0b5

target/linux/generic/pending-6.12/203-kallsyms_uncompressed.patch

@@ -14,7 +14,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 
 --- a/init/Kconfig
 +++ b/init/Kconfig
-@@ -1533,6 +1533,17 @@ config SYSCTL_ARCH_UNALIGN_ALLOW
+@@ -1534,6 +1534,17 @@ config SYSCTL_ARCH_UNALIGN_ALLOW
  	  the unaligned access emulation.
  	  see arch/parisc/kernel/unaligned.c for reference
  

target/linux/generic/pending-6.12/920-mangle_bootargs.patch

@@ -13,7 +13,7 @@ Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
 
 --- a/init/Kconfig
 +++ b/init/Kconfig
-@@ -1887,6 +1887,15 @@ config ARCH_HAS_MEMBARRIER_CALLBACKS
+@@ -1888,6 +1888,15 @@ config ARCH_HAS_MEMBARRIER_CALLBACKS
  config ARCH_HAS_MEMBARRIER_SYNC_CORE
  	bool
  

target/linux/mediatek/patches-6.12/320-hwrng-add-driver-for-MediaTek-TRNG-SMC.patch

@@ -18,7 +18,7 @@ Signed-off-by: Daniel Golle <daniel@makrotopia.org>
 
 --- a/drivers/char/hw_random/Kconfig
 +++ b/drivers/char/hw_random/Kconfig
-@@ -451,6 +451,23 @@ config HW_RANDOM_MTK
+@@ -452,6 +452,23 @@ config HW_RANDOM_MTK
  
  	  If unsure, say Y.
  

target/linux/qualcommax/patches-6.12/0804-remoteproc-qcom-q6v5-Add-multipd-interrupts-support.patch

@@ -47,7 +47,7 @@ Signed-off-by: Manikanta Mylavarapu <quic_mmanikan@quicinc.com>
  
  /**
   * qcom_q6v5_wait_for_start() - wait for remote processor start signal
-@@ -177,7 +179,17 @@ static irqreturn_t q6v5_handover_interru
+@@ -174,7 +176,17 @@ static irqreturn_t q6v5_handover_interru
  	return IRQ_HANDLED;
  }
  
@@ -66,7 +66,7 @@ Signed-off-by: Manikanta Mylavarapu <quic_mmanikan@quicinc.com>
  {
  	struct qcom_q6v5 *q6v5 = data;
  
-@@ -185,6 +197,7 @@ static irqreturn_t q6v5_stop_interrupt(i
+@@ -182,6 +194,7 @@ static irqreturn_t q6v5_stop_interrupt(i
  
  	return IRQ_HANDLED;
  }
@@ -74,7 +74,7 @@ Signed-off-by: Manikanta Mylavarapu <quic_mmanikan@quicinc.com>
  
  /**
   * qcom_q6v5_request_stop() - request the remote processor to stop
-@@ -215,6 +228,28 @@ int qcom_q6v5_request_stop(struct qcom_q
+@@ -212,6 +225,28 @@ int qcom_q6v5_request_stop(struct qcom_q
  EXPORT_SYMBOL_GPL(qcom_q6v5_request_stop);
  
  /**

target/linux/rockchip/patches-6.12/031-06-v6.15-hwrng-rockchip-add-support-for-rk3588-s-standalone-T.patch

@@ -52,7 +52,7 @@ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
 
 --- a/drivers/char/hw_random/Kconfig
 +++ b/drivers/char/hw_random/Kconfig
-@@ -580,7 +580,8 @@ config HW_RANDOM_ROCKCHIP
+@@ -581,7 +581,8 @@ config HW_RANDOM_ROCKCHIP
  	default HW_RANDOM
  	help
  	  This driver provides kernel-side support for the True Random Number

target/linux/rockchip/patches-6.12/036-05-v6.14-phy-rockchip-naneng-combo-add-rk3576-support.patch

@@ -75,7 +75,7 @@ Signed-off-by: Vinod Koul <vkoul@kernel.org>
  	struct combphy_reg pipe_clk_25m;
  	struct combphy_reg pipe_clk_100m;
  	struct combphy_reg pipe_phymode_sel;
-@@ -587,6 +602,266 @@ static const struct rockchip_combphy_cfg
+@@ -599,6 +614,266 @@ static const struct rockchip_combphy_cfg
  	.combphy_cfg	= rk3568_combphy_cfg,
  };
  
@@ -342,7 +342,7 @@ Signed-off-by: Vinod Koul <vkoul@kernel.org>
  static int rk3588_combphy_cfg(struct rockchip_combphy_priv *priv)
  {
  	const struct rockchip_combphy_grfcfg *cfg = priv->cfg->grfcfg;
-@@ -779,6 +1054,10 @@ static const struct of_device_id rockchi
+@@ -791,6 +1066,10 @@ static const struct of_device_id rockchi
  		.data = &rk3568_combphy_cfgs,
  	},
  	{

target/linux/starfive/patches-6.12/1015-hwrng-Add-StarFive-JH7100-Random-Number-Generator-dr.patch

@@ -16,7 +16,7 @@ Signed-off-by: Emil Renner Berthing <kernel@esmil.dk>
 
 --- a/drivers/char/hw_random/Kconfig
 +++ b/drivers/char/hw_random/Kconfig
-@@ -322,6 +322,19 @@ config HW_RANDOM_POWERNV
+@@ -323,6 +323,19 @@ config HW_RANDOM_POWERNV
  
  	  If unsure, say Y.