From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 30 Apr 2026 13:56:24 +0000 (+0200)
Subject: 6.6-stable patches
X-Git-Tag: v6.12.86~89
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a2e7717832e23524409b5232fc0358834bf5c66;p=thirdparty%2Fkernel%2Fstable-queue.git

6.6-stable patches

added patches:
	spi-imx-fix-use-after-free-on-unbind.patch
	um-drivers-call-kernel_strrchr-explicitly-in-cow_user.c.patch
	wifi-rtw88-check-for-pci-upstream-bridge-existence.patch
	zram-do-not-forget-to-endio-for-partial-discard-requests.patch
---

diff --git a/queue-6.6/series b/queue-6.6/series
index 6366d05db4..e9fc592020 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -21,3 +21,7 @@ device-property-make-modifications-of-fwnode-flags-thread-safe.patch
 ocfs2-split-transactions-in-dio-completion-to-avoid-credit-exhaustion.patch
 driver-core-don-t-let-a-device-probe-until-it-s-read.patch
 loongarch-add-spectre-boundry-for-syscall-dispatch-t.patch
+zram-do-not-forget-to-endio-for-partial-discard-requests.patch
+wifi-rtw88-check-for-pci-upstream-bridge-existence.patch
+um-drivers-call-kernel_strrchr-explicitly-in-cow_user.c.patch
+spi-imx-fix-use-after-free-on-unbind.patch
diff --git a/queue-6.6/spi-imx-fix-use-after-free-on-unbind.patch b/queue-6.6/spi-imx-fix-use-after-free-on-unbind.patch
new file mode 100644
index 0000000000..9af34dc0d4
--- /dev/null
+++ b/queue-6.6/spi-imx-fix-use-after-free-on-unbind.patch
@@ -0,0 +1,47 @@
+From 1c78c2002380a1fe31bfb01a3d5f29809e55a096 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 24 Mar 2026 09:23:22 +0100
+Subject: spi: imx: fix use-after-free on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1c78c2002380a1fe31bfb01a3d5f29809e55a096 upstream.
+
+The SPI subsystem frees the controller and any subsystem allocated
+driver data as part of deregistration (unless the allocation is device
+managed).
+
+Take another reference before deregistering the controller so that the
+driver data is not freed until the driver is done with it.
+
+Fixes: 307c897db762 ("spi: spi-imx: replace struct spi_imx_data::bitbang by pointer to struct spi_controller")
+Cc: stable@vger.kernel.org	# 5.19
+Acked-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260324082326.901043-2-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-imx.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -1898,6 +1898,8 @@ static void spi_imx_remove(struct platfo
+ 	struct spi_imx_data *spi_imx = spi_controller_get_devdata(controller);
+ 	int ret;
+ 
++	spi_controller_get(controller);
++
+ 	spi_unregister_controller(controller);
+ 
+ 	ret = pm_runtime_get_sync(spi_imx->dev);
+@@ -1911,6 +1913,8 @@ static void spi_imx_remove(struct platfo
+ 	pm_runtime_disable(spi_imx->dev);
+ 
+ 	spi_imx_sdma_exit(spi_imx);
++
++	spi_controller_put(controller);
+ }
+ 
+ static int __maybe_unused spi_imx_runtime_resume(struct device *dev)
diff --git a/queue-6.6/um-drivers-call-kernel_strrchr-explicitly-in-cow_user.c.patch b/queue-6.6/um-drivers-call-kernel_strrchr-explicitly-in-cow_user.c.patch
new file mode 100644
index 0000000000..d64b730c12
--- /dev/null
+++ b/queue-6.6/um-drivers-call-kernel_strrchr-explicitly-in-cow_user.c.patch
@@ -0,0 +1,57 @@
+From 91e901c65b4da02a6fd543e3f0049829ae9645b7 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Wed, 8 Apr 2026 03:01:02 -0400
+Subject: um: drivers: call kernel_strrchr() explicitly in cow_user.c
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 91e901c65b4da02a6fd543e3f0049829ae9645b7 upstream.
+
+Building ARCH=um on glibc >= 2.43 fails:
+
+  arch/um/drivers/cow_user.c: error: implicit declaration of
+  function 'strrchr' [-Wimplicit-function-declaration]
+
+glibc 2.43's C23 const-preserving strrchr() macro does not survive
+UML's global -Dstrrchr=kernel_strrchr remap from arch/um/Makefile.
+Call kernel_strrchr() directly in cow_user.c so the source no longer
+depends on the -D rewrite.
+
+Fixes: 2c51a4bc0233 ("um: fix strrchr() problems")
+Suggested-by: Johannes Berg <johannes@sipsolutions.net>
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-6
+Assisted-by: Codex:gpt-5-4
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Link: https://patch.msgid.link/20260408070102.2325572-1-michael.bommarito@gmail.com
+[remove unnecessary 'extern']
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/um/drivers/cow_user.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/um/drivers/cow_user.c
++++ b/arch/um/drivers/cow_user.c
+@@ -15,6 +15,12 @@
+ #include "cow.h"
+ #include "cow_sys.h"
+ 
++/*
++ * arch/um/Makefile remaps strrchr to kernel_strrchr; call the kernel
++ * name directly to avoid glibc >= 2.43's C23 strrchr macro.
++ */
++char *kernel_strrchr(const char *, int);
++
+ #define PATH_LEN_V1 256
+ 
+ /* unsigned time_t works until year 2106 */
+@@ -153,7 +159,7 @@ static int absolutize(char *to, int size
+ 			   errno);
+ 		return -1;
+ 	}
+-	slash = strrchr(from, '/');
++	slash = kernel_strrchr(from, '/');
+ 	if (slash != NULL) {
+ 		*slash = '\0';
+ 		if (chdir(from)) {
diff --git a/queue-6.6/wifi-rtw88-check-for-pci-upstream-bridge-existence.patch b/queue-6.6/wifi-rtw88-check-for-pci-upstream-bridge-existence.patch
new file mode 100644
index 0000000000..6d44b3e20b
--- /dev/null
+++ b/queue-6.6/wifi-rtw88-check-for-pci-upstream-bridge-existence.patch
@@ -0,0 +1,44 @@
+From eb101d2abdcccb514ca4fccd3b278dd8267374f6 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Fri, 20 Feb 2026 12:47:30 +0300
+Subject: wifi: rtw88: check for PCI upstream bridge existence
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit eb101d2abdcccb514ca4fccd3b278dd8267374f6 upstream.
+
+pci_upstream_bridge() returns NULL if the device is on a root bus.  If
+8821CE is installed in the system with such a PCI topology, the probing
+routine will crash.  This has probably been unnoticed as 8821CE is mostly
+supplied in laptops where there is a PCI-to-PCI bridge located upstream
+from the device.  However the card might be installed on a system with
+different configuration.
+
+Check if the bridge does exist for the specific workaround to be applied.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace static
+analysis tool.
+
+Fixes: 24f5e38a13b5 ("rtw88: Disable PCIe ASPM while doing NAPI poll on 8821CE")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20260220094730.49791-1-pchelkin@ispras.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtw88/pci.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtw88/pci.c
++++ b/drivers/net/wireless/realtek/rtw88/pci.c
+@@ -1749,7 +1749,8 @@ int rtw_pci_probe(struct pci_dev *pdev,
+ 	}
+ 
+ 	/* Disable PCIe ASPM L1 while doing NAPI poll for 8821CE */
+-	if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C && bridge->vendor == PCI_VENDOR_ID_INTEL)
++	if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C &&
++	    bridge && bridge->vendor == PCI_VENDOR_ID_INTEL)
+ 		rtwpci->rx_no_aspm = true;
+ 
+ 	rtw_pci_phy_cfg(rtwdev);
diff --git a/queue-6.6/zram-do-not-forget-to-endio-for-partial-discard-requests.patch b/queue-6.6/zram-do-not-forget-to-endio-for-partial-discard-requests.patch
new file mode 100644
index 0000000000..b81c4b8a8d
--- /dev/null
+++ b/queue-6.6/zram-do-not-forget-to-endio-for-partial-discard-requests.patch
@@ -0,0 +1,59 @@
+From e3668b371329ea036ff022ce8ecc82f8befcf003 Mon Sep 17 00:00:00 2001
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+Date: Tue, 31 Mar 2026 16:42:44 +0900
+Subject: zram: do not forget to endio for partial discard requests
+
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+
+commit e3668b371329ea036ff022ce8ecc82f8befcf003 upstream.
+
+As reported by Qu Wenruo and Avinesh Kumar, the following
+
+ getconf PAGESIZE
+ 65536
+ blkdiscard -p 4k /dev/zram0
+
+takes literally forever to complete.  zram doesn't support partial
+discards and just returns immediately w/o doing any discard work in such
+cases.  The problem is that we forget to endio on our way out, so
+blkdiscard sleeps forever in submit_bio_wait().  Fix this by jumping to
+end_bio label, which does bio_endio().
+
+Link: https://lore.kernel.org/20260331074255.777019-1-senozhatsky@chromium.org
+Fixes: 0120dd6e4e20 ("zram: make zram_bio_discard more self-contained")
+Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Reported-by: Qu Wenruo <wqu@suse.com>
+Closes: https://lore.kernel.org/linux-block/92361cd3-fb8b-482e-bc89-15ff1acb9a59@suse.com
+Tested-by: Qu Wenruo <wqu@suse.com>
+Reported-by: Avinesh Kumar <avinesh.kumar@suse.com>
+Closes: https://bugzilla.suse.com/show_bug.cgi?id=1256530
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Cc: Brian Geffon <bgeffon@google.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/zram/zram_drv.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -1880,7 +1880,7 @@ static void zram_bio_discard(struct zram
+ 	 */
+ 	if (offset) {
+ 		if (n <= (PAGE_SIZE - offset))
+-			return;
++			goto end_bio;
+ 
+ 		n -= (PAGE_SIZE - offset);
+ 		index++;
+@@ -1895,6 +1895,7 @@ static void zram_bio_discard(struct zram
+ 		n -= PAGE_SIZE;
+ 	}
+ 
++end_bio:
+ 	bio_endio(bio);
+ }
+