ocfs2-split-transactions-in-dio-completion-to-avoid-credit-exhaustion.patch
driver-core-don-t-let-a-device-probe-until-it-s-read.patch
loongarch-add-spectre-boundry-for-syscall-dispatch-t.patch
+zram-do-not-forget-to-endio-for-partial-discard-requests.patch
+wifi-rtw88-check-for-pci-upstream-bridge-existence.patch
+um-drivers-call-kernel_strrchr-explicitly-in-cow_user.c.patch
+spi-imx-fix-use-after-free-on-unbind.patch
--- /dev/null
+From 1c78c2002380a1fe31bfb01a3d5f29809e55a096 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 24 Mar 2026 09:23:22 +0100
+Subject: spi: imx: fix use-after-free on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1c78c2002380a1fe31bfb01a3d5f29809e55a096 upstream.
+
+The SPI subsystem frees the controller and any subsystem allocated
+driver data as part of deregistration (unless the allocation is device
+managed).
+
+Take another reference before deregistering the controller so that the
+driver data is not freed until the driver is done with it.
+
+Fixes: 307c897db762 ("spi: spi-imx: replace struct spi_imx_data::bitbang by pointer to struct spi_controller")
+Cc: stable@vger.kernel.org # 5.19
+Acked-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260324082326.901043-2-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-imx.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -1898,6 +1898,8 @@ static void spi_imx_remove(struct platfo
+ struct spi_imx_data *spi_imx = spi_controller_get_devdata(controller);
+ int ret;
+
++ spi_controller_get(controller);
++
+ spi_unregister_controller(controller);
+
+ ret = pm_runtime_get_sync(spi_imx->dev);
+@@ -1911,6 +1913,8 @@ static void spi_imx_remove(struct platfo
+ pm_runtime_disable(spi_imx->dev);
+
+ spi_imx_sdma_exit(spi_imx);
++
++ spi_controller_put(controller);
+ }
+
+ static int __maybe_unused spi_imx_runtime_resume(struct device *dev)
--- /dev/null
+From 91e901c65b4da02a6fd543e3f0049829ae9645b7 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Wed, 8 Apr 2026 03:01:02 -0400
+Subject: um: drivers: call kernel_strrchr() explicitly in cow_user.c
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 91e901c65b4da02a6fd543e3f0049829ae9645b7 upstream.
+
+Building ARCH=um on glibc >= 2.43 fails:
+
+ arch/um/drivers/cow_user.c: error: implicit declaration of
+ function 'strrchr' [-Wimplicit-function-declaration]
+
+glibc 2.43's C23 const-preserving strrchr() macro does not survive
+UML's global -Dstrrchr=kernel_strrchr remap from arch/um/Makefile.
+Call kernel_strrchr() directly in cow_user.c so the source no longer
+depends on the -D rewrite.
+
+Fixes: 2c51a4bc0233 ("um: fix strrchr() problems")
+Suggested-by: Johannes Berg <johannes@sipsolutions.net>
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-6
+Assisted-by: Codex:gpt-5-4
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Link: https://patch.msgid.link/20260408070102.2325572-1-michael.bommarito@gmail.com
+[remove unnecessary 'extern']
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/um/drivers/cow_user.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/um/drivers/cow_user.c
++++ b/arch/um/drivers/cow_user.c
+@@ -15,6 +15,12 @@
+ #include "cow.h"
+ #include "cow_sys.h"
+
++/*
++ * arch/um/Makefile remaps strrchr to kernel_strrchr; call the kernel
++ * name directly to avoid glibc >= 2.43's C23 strrchr macro.
++ */
++char *kernel_strrchr(const char *, int);
++
+ #define PATH_LEN_V1 256
+
+ /* unsigned time_t works until year 2106 */
+@@ -153,7 +159,7 @@ static int absolutize(char *to, int size
+ errno);
+ return -1;
+ }
+- slash = strrchr(from, '/');
++ slash = kernel_strrchr(from, '/');
+ if (slash != NULL) {
+ *slash = '\0';
+ if (chdir(from)) {
--- /dev/null
+From eb101d2abdcccb514ca4fccd3b278dd8267374f6 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Fri, 20 Feb 2026 12:47:30 +0300
+Subject: wifi: rtw88: check for PCI upstream bridge existence
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit eb101d2abdcccb514ca4fccd3b278dd8267374f6 upstream.
+
+pci_upstream_bridge() returns NULL if the device is on a root bus. If
+8821CE is installed in the system with such a PCI topology, the probing
+routine will crash. This has probably been unnoticed as 8821CE is mostly
+supplied in laptops where there is a PCI-to-PCI bridge located upstream
+from the device. However the card might be installed on a system with
+different configuration.
+
+Check if the bridge does exist for the specific workaround to be applied.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace static
+analysis tool.
+
+Fixes: 24f5e38a13b5 ("rtw88: Disable PCIe ASPM while doing NAPI poll on 8821CE")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20260220094730.49791-1-pchelkin@ispras.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtw88/pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtw88/pci.c
++++ b/drivers/net/wireless/realtek/rtw88/pci.c
+@@ -1749,7 +1749,8 @@ int rtw_pci_probe(struct pci_dev *pdev,
+ }
+
+ /* Disable PCIe ASPM L1 while doing NAPI poll for 8821CE */
+- if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C && bridge->vendor == PCI_VENDOR_ID_INTEL)
++ if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C &&
++ bridge && bridge->vendor == PCI_VENDOR_ID_INTEL)
+ rtwpci->rx_no_aspm = true;
+
+ rtw_pci_phy_cfg(rtwdev);
--- /dev/null
+From e3668b371329ea036ff022ce8ecc82f8befcf003 Mon Sep 17 00:00:00 2001
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+Date: Tue, 31 Mar 2026 16:42:44 +0900
+Subject: zram: do not forget to endio for partial discard requests
+
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+
+commit e3668b371329ea036ff022ce8ecc82f8befcf003 upstream.
+
+As reported by Qu Wenruo and Avinesh Kumar, the following
+
+ getconf PAGESIZE
+ 65536
+ blkdiscard -p 4k /dev/zram0
+
+takes literally forever to complete. zram doesn't support partial
+discards and just returns immediately w/o doing any discard work in such
+cases. The problem is that we forget to endio on our way out, so
+blkdiscard sleeps forever in submit_bio_wait(). Fix this by jumping to
+end_bio label, which does bio_endio().
+
+Link: https://lore.kernel.org/20260331074255.777019-1-senozhatsky@chromium.org
+Fixes: 0120dd6e4e20 ("zram: make zram_bio_discard more self-contained")
+Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Reported-by: Qu Wenruo <wqu@suse.com>
+Closes: https://lore.kernel.org/linux-block/92361cd3-fb8b-482e-bc89-15ff1acb9a59@suse.com
+Tested-by: Qu Wenruo <wqu@suse.com>
+Reported-by: Avinesh Kumar <avinesh.kumar@suse.com>
+Closes: https://bugzilla.suse.com/show_bug.cgi?id=1256530
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Cc: Brian Geffon <bgeffon@google.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/zram/zram_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -1880,7 +1880,7 @@ static void zram_bio_discard(struct zram
+ */
+ if (offset) {
+ if (n <= (PAGE_SIZE - offset))
+- return;
++ goto end_bio;
+
+ n -= (PAGE_SIZE - offset);
+ index++;
+@@ -1895,6 +1895,7 @@ static void zram_bio_discard(struct zram
+ n -= PAGE_SIZE;
+ }
+
++end_bio:
+ bio_endio(bio);
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
