From: Greg Kroah-Hartman Date: Thu, 23 Apr 2026 11:24:42 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.6.136~36 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc7a8c782da35c890620acd7901ed211b5e1ed10;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-to-0.81v.patch arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-up-to-0.85v.patch arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch asoc-qcom-q6apm-move-component-registration-to-unmanaged-version.patch kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch ocfs2-validate-inline-data-i_size-during-inode-read.patch pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch revert-arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch rxrpc-fix-recvmsg-unconditional-requeue.patch rxrpc-reject-undecryptable-rxkad-response-tickets.patch scripts-generate_rust_analyzer.py-define-scripts.patch scsi-ufs-core-fix-use-after-free-in-init-error-and-remove-paths.patch soc-qcom-apr-make-remove-callback-of-apr-driver-void-returned.patch ublk-fix-deadlock-when-reading-partition-table.patch --- diff --git a/queue-6.1/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-to-0.81v.patch b/queue-6.1/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-to-0.81v.patch new file mode 100644 index 0000000000..d25a054586 --- /dev/null +++ b/queue-6.1/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-to-0.81v.patch 
@@ -0,0 +1,36 @@
+From stable+bounces-236097-greg=kroah.com@vger.kernel.org Mon Apr 13 16:17:11 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 10:07:40 -0400
+Subject: arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage to 0.81V
+To: stable@vger.kernel.org
+Cc: Sebastian Krzyszkowiak , Martin Kepplinger , Shawn Guo , Sasha Levin
+Message-ID: <20260413140742.2903986-2-sashal@kernel.org>
+
+From: Sebastian Krzyszkowiak
+
+[ Upstream commit 94b91e3ca6688fafd6a5dd70bd89fe9d3aee88da ]
+
+0.8V is outside of the operating voltage specified for imx8mq, see
+chapter 3.1.4 "Operating ranges" of the IMX8MDQLQCEC document.
+
+Signed-off-by: Sebastian Krzyszkowiak
+Signed-off-by: Martin Kepplinger
+Signed-off-by: Shawn Guo
+Stable-dep-of: 511f76bf1dce ("arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
+@@ -821,7 +821,7 @@
+ regulator-ramp-delay = <1250>;
+ rohm,dvs-run-voltage = <880000>;
+ rohm,dvs-idle-voltage = <820000>;
+- rohm,dvs-suspend-voltage = <800000>;
++ rohm,dvs-suspend-voltage = <810000>;
+ regulator-always-on;
+ };
+
diff --git a/queue-6.1/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-up-to-0.85v.patch b/queue-6.1/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-up-to-0.85v.patch
new file mode 100644
index 0000000000..abdfcb9061
--- /dev/null
+++ b/queue-6.1/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-up-to-0.85v.patch
@@ -0,0 +1,41 @@
+From stable+bounces-236099-greg=kroah.com@vger.kernel.org Mon Apr 13 16:19:36 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 10:07:42 -0400
+Subject: arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V
+To: stable@vger.kernel.org
+Cc: Sebastian Krzyszkowiak , Frank Li , Sasha Levin
+Message-ID: <20260413140742.2903986-4-sashal@kernel.org>
+
+From: Sebastian Krzyszkowiak
+
+[ Upstream commit 511f76bf1dce5acf8907b65a7d1bc8f7e7c0d637 ]
+
+The minimal voltage of VDD_SOC sourced from BUCK1 is 0.81V, which
+is the currently set value. However, BD71837 only guarantees accuracy
+of ±0.01V, and this still doesn't factor other reasons for actual
+voltage to slightly drop in, resulting in the possibility of running
+out of the operational range.
+
+Bump the voltage up to 0.85V, which should give enough headroom.
+
+Cc: stable@vger.kernel.org
+Fixes: 8f0216b006e5 ("arm64: dts: Add a device tree for the Librem 5 phone")
+Signed-off-by: Sebastian Krzyszkowiak
+Signed-off-by: Frank Li
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
+@@ -821,7 +821,7 @@
+ regulator-ramp-delay = <1250>;
+ rohm,dvs-run-voltage = <900000>;
+ rohm,dvs-idle-voltage = <850000>;
+- rohm,dvs-suspend-voltage = <810000>;
++ rohm,dvs-suspend-voltage = <850000>;
+ regulator-always-on;
+ };
+
diff --git a/queue-6.1/arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch b/queue-6.1/arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
new file mode 100644
index 0000000000..39de907319
--- /dev/null
+++ b/queue-6.1/arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
@@ -0,0 +1,116 @@
+From stable+bounces-236096-greg=kroah.com@vger.kernel.org Mon Apr 13 16:16:10 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 10:07:39 -0400
+Subject: arm64: dts: imx8mq-librem5: Set the DVS voltages lower
+To: stable@vger.kernel.org
+Cc: Sebastian Krzyszkowiak , Martin Kepplinger , Shawn Guo , Sasha Levin
+Message-ID: <20260413140742.2903986-1-sashal@kernel.org>
+
+From: Sebastian Krzyszkowiak
+
+[ Upstream commit c24a9b698fb02cd0723fa8375abab07f94b97b10 ]
+
+They're still in the operating range according to i.MX 8M Quad
+datasheet. There's some headroom added over minimal values to
+account for voltage drop.
+
+Operational ranges (min - typ - max [selected]):
+ - VDD_SOC (BUCK1): 0.81 - 0.9 - 0.99 [0.88]
+ - VDD_ARM (BUCK2): 0.81 - 0.9 - 1.05 [0.84] (1000MHz)
+ 0.90 - 1.0 - 1.05 [0.93] (1500MHz)
+ - VDD_GPU (BUCK3): 0.81 - 0.9 - 1.05 [0.85] (800MHz)
+ 0.90 - 1.0 - 1.05 [ -- ] (1000MHz)
+ - VDD_VPU (BUCK4): 0.81 - 0.9 - 1.05 [ -- ] (550/500/588MHz)
+ 0.90 - 1.0 - 1.05 [0.93] (660/600/800MHz)
+
+Idle power consumption doesn't appear to be influenced much,
+but a simple load test (`cat /dev/urandom | pigz - > /dev/null`
+combined with running Animatch) seems to show about 0.3W of
+difference.
+
+Care is advised, as there may be differences between each
+units in how low can they be undervolted - in my experience,
+reaching that point usually makes the phone fail to boot.
+In my case, it appears that my Birch phone can go down the most.
+
+This is a somewhat conservative set of values that I've seen
+working well on all my devices; I haven't tried very hard to
+optimize it, so more experiments are welcome.
+
+Signed-off-by: Sebastian Krzyszkowiak
+Signed-off-by: Martin Kepplinger
+Signed-off-by: Shawn Guo
+Stable-dep-of: 511f76bf1dce ("arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts | 2 -
+ arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 22 ++++++++++++++------
+ 2 files changed, 17 insertions(+), 7 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts
++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts
+@@ -7,7 +7,7 @@
+
+ &a53_opp_table {
+ opp-1000000000 {
+- opp-microvolt = <1000000>;
++ opp-microvolt = <950000>;
+ };
+ };
+
+--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
+@@ -819,8 +819,8 @@
+ regulator-max-microvolt = <1300000>;
+ regulator-boot-on;
+ regulator-ramp-delay = <1250>;
+- rohm,dvs-run-voltage = <900000>;
+- rohm,dvs-idle-voltage = <850000>;
++ rohm,dvs-run-voltage = <880000>;
++ rohm,dvs-idle-voltage = <820000>;
+ rohm,dvs-suspend-voltage = <800000>;
+ regulator-always-on;
+ };
+@@ -831,8 +831,8 @@
+ regulator-max-microvolt = <1300000>;
+ regulator-boot-on;
+ regulator-ramp-delay = <1250>;
+- rohm,dvs-run-voltage = <1000000>;
+- rohm,dvs-idle-voltage = <900000>;
++ rohm,dvs-run-voltage = <950000>;
++ rohm,dvs-idle-voltage = <850000>;
+ regulator-always-on;
+ };
+
+@@ -841,14 +841,14 @@
+ regulator-min-microvolt = <700000>;
+ regulator-max-microvolt = <1300000>;
+ regulator-boot-on;
+- rohm,dvs-run-voltage = <900000>;
++ rohm,dvs-run-voltage = <850000>;
+ };
+
+ buck4_reg: BUCK4 {
+ regulator-name = "buck4";
+ regulator-min-microvolt = <700000>;
+ regulator-max-microvolt = <1300000>;
+- rohm,dvs-run-voltage = <1000000>;
++ rohm,dvs-run-voltage = <930000>;
+ };
+
+ buck5_reg: BUCK5 {
+@@ -1379,3 +1379,13 @@
+ fsl,ext-reset-output;
+ status = "okay";
+ };
++
++&a53_opp_table {
++ opp-1000000000 {
++ opp-microvolt = <850000>;
++ };
++
++ opp-1500000000 {
++ opp-microvolt = <950000>;
++ };
++};
diff --git a/queue-6.1/asoc-qcom-q6apm-move-component-registration-to-unmanaged-version.patch b/queue-6.1/asoc-qcom-q6apm-move-component-registration-to-unmanaged-version.patch
new file mode 100644
index 0000000000..f78186158a
--- /dev/null
+++ b/queue-6.1/asoc-qcom-q6apm-move-component-registration-to-unmanaged-version.patch
@@ -0,0 +1,153 @@
+From stable+bounces-239957-greg=kroah.com@vger.kernel.org Mon Apr 20 20:37:27 2026
+From: Sasha Levin
+Date: Mon, 20 Apr 2026 13:17:43 -0400
+Subject: ASoC: qcom: q6apm: move component registration to unmanaged version
+To: stable@vger.kernel.org
+Cc: Srinivas Kandagatla , Stable@vger.kernel.org, Mark Brown , Sasha Levin
+Message-ID: <20260420171743.1388144-2-sashal@kernel.org>
+
+From: Srinivas Kandagatla
+
+[ Upstream commit 6ec1235fc941dac6c011b30ee01d9220ff87e0cd ]
+
+q6apm component registers dais dynamically from ASoC toplology, which
+are allocated using device managed version apis. Allocating both
+component and dynamic dais using managed version could lead to incorrect
+free ordering, dai will be freed while component still holding references
+to it.
+
+Fix this issue by moving component to unmanged version so
+that the dai pointers are only freeded after the component is removed.
+
+==================================================================
+BUG: KASAN: slab-use-after-free in snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]
+Read of size 8 at addr ffff00084493a6e8 by task kworker/u48:0/3426
+Tainted: [W]=WARN
+Hardware name: LENOVO 21N2ZC5PUS/21N2ZC5PUS, BIOS N42ET57W (1.31 ) 08/08/2024
+Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]
+Call trace:
+ show_stack+0x28/0x7c (C)
+ dump_stack_lvl+0x60/0x80
+ print_report+0x160/0x4b4
+ kasan_report+0xac/0xfc
+ __asan_report_load8_noabort+0x20/0x34
+ snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]
+ snd_soc_unregister_component_by_driver+0x50/0x88 [snd_soc_core]
+ devm_component_release+0x30/0x5c [snd_soc_core]
+ devres_release_all+0x13c/0x210
+ device_unbind_cleanup+0x20/0x190
+ device_release_driver_internal+0x350/0x468
+ device_release_driver+0x18/0x30
+ bus_remove_device+0x1a0/0x35c
+ device_del+0x314/0x7f0
+ device_unregister+0x20/0xbc
+ apr_remove_device+0x5c/0x7c [apr]
+ device_for_each_child+0xd8/0x160
+ apr_pd_status+0x7c/0xa8 [apr]
+ pdr_notifier_work+0x114/0x240 [pdr_interface]
+ process_one_work+0x500/0xb70
+ worker_thread+0x630/0xfb0
+ kthread+0x370/0x6c0
+ ret_from_fork+0x10/0x20
+
+Allocated by task 77:
+ kasan_save_stack+0x40/0x68
+ kasan_save_track+0x20/0x40
+ kasan_save_alloc_info+0x44/0x58
+ __kasan_kmalloc+0xbc/0xdc
+ __kmalloc_node_track_caller_noprof+0x1f4/0x620
+ devm_kmalloc+0x7c/0x1c8
+ snd_soc_register_dai+0x50/0x4f0 [snd_soc_core]
+ soc_tplg_pcm_elems_load+0x55c/0x1eb8 [snd_soc_core]
+ snd_soc_tplg_component_load+0x4f8/0xb60 [snd_soc_core]
+ audioreach_tplg_init+0x124/0x1fc [snd_q6apm]
+ q6apm_audio_probe+0x10/0x1c [snd_q6apm]
+ snd_soc_component_probe+0x5c/0x118 [snd_soc_core]
+ soc_probe_component+0x44c/0xaf0 [snd_soc_core]
+ snd_soc_bind_card+0xad0/0x2370 [snd_soc_core]
+ snd_soc_register_card+0x3b0/0x4c0 [snd_soc_core]
+ devm_snd_soc_register_card+0x50/0xc8 [snd_soc_core]
+ x1e80100_platform_probe+0x208/0x368 [snd_soc_x1e80100]
+ platform_probe+0xc0/0x188
+ really_probe+0x188/0x804
+ __driver_probe_device+0x158/0x358
+ driver_probe_device+0x60/0x190
+ __device_attach_driver+0x16c/0x2a8
+ bus_for_each_drv+0x100/0x194
+ __device_attach+0x174/0x380
+ device_initial_probe+0x14/0x20
+ bus_probe_device+0x124/0x154
+ deferred_probe_work_func+0x140/0x220
+ process_one_work+0x500/0xb70
+ worker_thread+0x630/0xfb0
+ kthread+0x370/0x6c0
+ ret_from_fork+0x10/0x20
+
+Freed by task 3426:
+ kasan_save_stack+0x40/0x68
+ kasan_save_track+0x20/0x40
+ __kasan_save_free_info+0x4c/0x80
+ __kasan_slab_free+0x78/0xa0
+ kfree+0x100/0x4a4
+ devres_release_all+0x144/0x210
+ device_unbind_cleanup+0x20/0x190
+ device_release_driver_internal+0x350/0x468
+ device_release_driver+0x18/0x30
+ bus_remove_device+0x1a0/0x35c
+ device_del+0x314/0x7f0
+ device_unregister+0x20/0xbc
+ apr_remove_device+0x5c/0x7c [apr]
+ device_for_each_child+0xd8/0x160
+ apr_pd_status+0x7c/0xa8 [apr]
+ pdr_notifier_work+0x114/0x240 [pdr_interface]
+ process_one_work+0x500/0xb70
+ worker_thread+0x630/0xfb0
+ kthread+0x370/0x6c0
+ ret_from_fork+0x10/0x20
+
+Fixes: 5477518b8a0e ("ASoC: qdsp6: audioreach: add q6apm support")
+Cc: Stable@vger.kernel.org
+Signed-off-by: Srinivas Kandagatla
+Link: https://patch.msgid.link/20260402081118.348071-2-srinivas.kandagatla@oss.qualcomm.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/qcom/qdsp6/q6apm.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/qcom/qdsp6/q6apm.c
++++ b/sound/soc/qcom/qdsp6/q6apm.c
+@@ -746,13 +746,22 @@ static int apm_probe(gpr_device_t *gdev)
+
+ q6apm_get_apm_state(apm);
+
+- ret = devm_snd_soc_register_component(dev, &q6apm_audio_component, NULL, 0);
++ ret = snd_soc_register_component(dev, &q6apm_audio_component, NULL, 0);
+ if (ret < 0) {
+ dev_err(dev, "failed to get register q6apm: %d\n", ret);
+ return ret;
+ }
+
+- return of_platform_populate(dev->of_node, NULL, NULL, dev);
++ ret = of_platform_populate(dev->of_node, NULL, NULL, dev);
++ if (ret)
++ snd_soc_unregister_component(dev);
++
++ return ret;
++}
++
++static void apm_remove(gpr_device_t *gdev)
++{
++ snd_soc_unregister_component(&gdev->dev);
+ }
+
+ struct audioreach_module *q6apm_find_module_by_mid(struct q6apm_graph *graph, uint32_t mid)
+@@ -819,6 +828,7 @@ MODULE_DEVICE_TABLE(of, apm_device_id);
+
+ static gpr_driver_t apm_driver = {
+ .probe = apm_probe,
++ .remove = apm_remove,
+ .gpr_callback = apm_callback,
+ .driver = {
+ .name = "qcom-apm",
diff --git a/queue-6.1/kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch b/queue-6.1/kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch
new file mode 100644
index 0000000000..ec04254eff
--- /dev/null
+++ b/queue-6.1/kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch
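Review bot: `apm_remove` only unregisters the component; the child devices that `apm_probe` creates with `of_platform_populate()` are not removed on the remove path, so unless they are torn down elsewhere this looks like a leak of still-registered children on unbind. Adding `of_platform_depopulate(&gdev->dev);` ahead of `snd_soc_unregister_component(&gdev->dev);` would make the remove path the mirror of the probe failure path this hunk adds; this is inferred from the hunk, so confirm against the rest of the 6.1 driver. The `void` return of `.remove` depends on the apr remove-callback change queued alongside this patch. `apm_probe` starts outside the hunk.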
@@ -0,0 +1,154 @@
+From stable+bounces-236136-greg=kroah.com@vger.kernel.org Mon Apr 13 17:26:04 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 11:20:05 -0400
+Subject: KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs
+To: stable@vger.kernel.org
+Cc: David Woodhouse , Sean Christopherson , Sasha Levin
+Message-ID: <20260413152005.3014972-1-sashal@kernel.org>
+
+From: David Woodhouse
+
+[ Upstream commit 2619da73bb2f10d88f7e1087125c40144fdf0987 ]
+
+Commit 94dfc73e7cf4 ("treewide: uapi: Replace zero-length arrays with
+flexible-array members") broke the userspace API for C++.
+
+These structures ending in VLAs are typically a *header*, which can be
+followed by an arbitrary number of entries. Userspace typically creates
+a larger structure with some non-zero number of entries, for example in
+QEMU's kvm_arch_get_supported_msr_feature():
+
+ struct {
+ struct kvm_msrs info;
+ struct kvm_msr_entry entries[1];
+ } msr_data = {};
+
+While that works in C, it fails in C++ with an error like:
+ flexible array member 'kvm_msrs::entries' not at end of 'struct msr_data'
+
+Fix this by using __DECLARE_FLEX_ARRAY() for the VLA, which uses [0]
+for C++ compilation.
+
+Fixes: 94dfc73e7cf4 ("treewide: uapi: Replace zero-length arrays with flexible-array members")
+Cc: stable@vger.kernel.org
+Signed-off-by: David Woodhouse
+Link: https://patch.msgid.link/3abaf6aefd6e5efeff3b860ac38421d9dec908db.camel@infradead.org
+[sean: tag for stable@]
+Signed-off-by: Sean Christopherson
+[ applied `__DECLARE_FLEX_ARRAY(char, name)` change directly instead of inside missing `#ifdef __KERNEL__` else branch ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/uapi/asm/kvm.h | 12 ++++++------
+ include/uapi/linux/kvm.h | 11 ++++++-----
+ 2 files changed, 12 insertions(+), 11 deletions(-)
+
+--- a/arch/x86/include/uapi/asm/kvm.h
++++ b/arch/x86/include/uapi/asm/kvm.h
+@@ -198,13 +198,13 @@ struct kvm_msrs {
+ __u32 nmsrs; /* number of msrs in entries */
+ __u32 pad;
+
+- struct kvm_msr_entry entries[];
++ __DECLARE_FLEX_ARRAY(struct kvm_msr_entry, entries);
+ };
+
+ /* for KVM_GET_MSR_INDEX_LIST */
+ struct kvm_msr_list {
+ __u32 nmsrs; /* number of msrs in entries */
+- __u32 indices[];
++ __DECLARE_FLEX_ARRAY(__u32, indices);
+ };
+
+ /* Maximum size of any access bitmap in bytes */
+@@ -241,7 +241,7 @@ struct kvm_cpuid_entry {
+ struct kvm_cpuid {
+ __u32 nent;
+ __u32 padding;
+- struct kvm_cpuid_entry entries[];
++ __DECLARE_FLEX_ARRAY(struct kvm_cpuid_entry, entries);
+ };
+
+ struct kvm_cpuid_entry2 {
+@@ -263,7 +263,7 @@ struct kvm_cpuid_entry2 {
+ struct kvm_cpuid2 {
+ __u32 nent;
+ __u32 padding;
+- struct kvm_cpuid_entry2 entries[];
++ __DECLARE_FLEX_ARRAY(struct kvm_cpuid_entry2, entries);
+ };
+
+ /* for KVM_GET_PIT and KVM_SET_PIT */
+@@ -394,7 +394,7 @@ struct kvm_xsave {
+ * the contents of CPUID leaf 0xD on the host.
+ */ + __u32 region[1024]; +- __u32 extra[]; ++ __DECLARE_FLEX_ARRAY(__u32, extra); + }; + + #define KVM_MAX_XCRS 16 +@@ -522,7 +522,7 @@ struct kvm_pmu_event_filter { + __u32 fixed_counter_bitmap; + __u32 flags; + __u32 pad[4]; +- __u64 events[]; ++ __DECLARE_FLEX_ARRAY(__u64, events); + }; + + #define KVM_PMU_EVENT_ALLOW 0 +--- a/include/uapi/linux/kvm.h ++++ b/include/uapi/linux/kvm.h +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -556,7 +557,7 @@ struct kvm_coalesced_mmio { + + struct kvm_coalesced_mmio_ring { + __u32 first, last; +- struct kvm_coalesced_mmio coalesced_mmio[]; ++ __DECLARE_FLEX_ARRAY(struct kvm_coalesced_mmio, coalesced_mmio); + }; + + #define KVM_COALESCED_MMIO_MAX \ +@@ -635,7 +636,7 @@ struct kvm_clear_dirty_log { + /* for KVM_SET_SIGNAL_MASK */ + struct kvm_signal_mask { + __u32 len; +- __u8 sigset[]; ++ __DECLARE_FLEX_ARRAY(__u8, sigset); + }; + + /* for KVM_TPR_ACCESS_REPORTING */ +@@ -1242,7 +1243,7 @@ struct kvm_irq_routing_entry { + struct kvm_irq_routing { + __u32 nr; + __u32 flags; +- struct kvm_irq_routing_entry entries[]; ++ __DECLARE_FLEX_ARRAY(struct kvm_irq_routing_entry, entries); + }; + + #endif +@@ -1362,7 +1363,7 @@ struct kvm_dirty_tlb { + + struct kvm_reg_list { + __u64 n; /* number of regs */ +- __u64 reg[]; ++ __DECLARE_FLEX_ARRAY(__u64, reg); + }; + + struct kvm_one_reg { +@@ -2183,7 +2184,7 @@ struct kvm_stats_desc { + __u16 size; + __u32 offset; + __u32 bucket_size; +- char name[]; ++ __DECLARE_FLEX_ARRAY(char, name); + }; + + #define KVM_GET_STATS_FD _IO(KVMIO, 0xce) diff --git a/queue-6.1/net-dsa-clean-up-fdb-mdb-vlan-entries-on-unbind.patch b/queue-6.1/net-dsa-clean-up-fdb-mdb-vlan-entries-on-unbind.patch index 9146e3702e..3985072279 100644 --- a/queue-6.1/net-dsa-clean-up-fdb-mdb-vlan-entries-on-unbind.patch +++ b/queue-6.1/net-dsa-clean-up-fdb-mdb-vlan-entries-on-unbind.patch @@ -61,14 +61,12 @@ renamed this file to net/dsa/dsa.c starting from v6.2. ] 
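Review bot: `arch/x86/include/uapi/asm/kvm.h` now expands `__DECLARE_FLEX_ARRAY` in six structures, yet the only `#include` this patch adds goes into `include/uapi/linux/kvm.h` (the header name is stripped in this rendering); the x86 header therefore only compiles on its own if an existing include already reaches the macro's definition, which I would confirm on 6.1 because exported uapi headers are also built standalone by the header-install check. The backport note says the 6.1 `kvm_stats_desc` lacks the `#ifdef __KERNEL__` split, so kernel-side users of `name` now see the macro form too; a quick build of the in-tree consumers is enough to settle that.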
Signed-off-by: Alva Lan Signed-off-by: Sasha Levin --- - net/dsa/dsa2.c | 38 +++++++++++++++++++++++++++++++++++--- + net/dsa/dsa2.c | 38 +++++++++++++++++++++++++++++++++++--- 1 file changed, 35 insertions(+), 3 deletions(-) -diff --git a/net/dsa/dsa2.c b/net/dsa/dsa2.c -index 415e856ba0acf..9ecb5e34e484e 100644 --- a/net/dsa/dsa2.c +++ b/net/dsa/dsa2.c -@@ -1738,12 +1738,44 @@ static int dsa_switch_parse(struct dsa_switch *ds, struct dsa_chip_data *cd) +@@ -1738,12 +1738,44 @@ static int dsa_switch_parse(struct dsa_s static void dsa_switch_release_ports(struct dsa_switch *ds) { @@ -116,6 +114,3 @@ index 415e856ba0acf..9ecb5e34e484e 100644 list_del(&dp->list); kfree(dp); } --- -2.53.0 - diff --git a/queue-6.1/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch b/queue-6.1/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch new file mode 100644 index 0000000000..5bc8ac5377 --- /dev/null +++ b/queue-6.1/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch 
@@ -0,0 +1,53 @@
+From stable+bounces-236148-greg=kroah.com@vger.kernel.org Mon Apr 13 17:50:09 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 11:43:43 -0400
+Subject: ocfs2: add inline inode consistency check to ocfs2_validate_inode_block()
+To: stable@vger.kernel.org
+Cc: Dmitry Antipov , syzbot+c16daba279a1161acfb0@syzkaller.appspotmail.com, Joseph Qi , Joseph Qi , Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Jun Piao , Heming Zhao , Andrew Morton , Sasha Levin
+Message-ID: <20260413154345.3124558-1-sashal@kernel.org>
+
+From: Dmitry Antipov
+
+[ Upstream commit a2b1c419ff72ec62ff5831684e30cd1d4f0b09ee ]
+
+In 'ocfs2_validate_inode_block()', add an extra check whether an inode
+with inline data (i.e. self-contained) has no clusters, thus preventing
+an invalid inode from being passed to 'ocfs2_evict_inode()' and below.
+
+Link: https://lkml.kernel.org/r/20251023141650.417129-1-dmantipov@yandex.ru
+Signed-off-by: Dmitry Antipov
+Reported-by: syzbot+c16daba279a1161acfb0@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c16daba279a1161acfb0
+Reviewed-by: Joseph Qi
+Cc: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc: Heming Zhao
+Signed-off-by: Andrew Morton
+Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/inode.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1419,6 +1419,14 @@ int ocfs2_validate_inode_block(struct su
+ goto bail;
+ }
+
++ if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
++ le32_to_cpu(di->i_clusters)) {
++ rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
++ (unsigned long long)bh->b_blocknr,
++ le32_to_cpu(di->i_clusters));
++ goto bail;
++ }
++
+ rc = 0;
+
+ bail:
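Review bot: The new message `"Invalid dinode %llu: %u clusters\n"` omits the `#` that the neighbouring inline-data checks use (`"Invalid dinode #%llu: inline data ..."` in the i_size and id_count patches queued with this one), so the same block number is logged in two formats; `"Invalid dinode #%llu: %u clusters\n"` would keep the messages uniform and greppable. The i_size patch restructures this block and carries the same string forward, so the fix applies there as well. `ocfs2_validate_inode_block` starts outside the hunk.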
diff --git a/queue-6.1/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch b/queue-6.1/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch new file mode 100644 index 0000000000..abf6e52690 --- /dev/null +++ b/queue-6.1/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch 
@@ -0,0 +1,77 @@
+From stable+bounces-236150-greg=kroah.com@vger.kernel.org Mon Apr 13 17:43:55 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 11:43:45 -0400
+Subject: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
+To: stable@vger.kernel.org
+Cc: Joseph Qi , syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com, Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Jun Piao , Heming Zhao , Andrew Morton , Sasha Levin
+Message-ID: <20260413154345.3124558-3-sashal@kernel.org>
+
+From: Joseph Qi
+
+[ Upstream commit 7bc5da4842bed3252d26e742213741a4d0ac1b14 ]
+
+KASAN reports a use-after-free write of 4086 bytes in
+ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a
+copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on
+a loop device. The actual bug is an out-of-bounds write past the inode
+block buffer, not a true use-after-free. The write overflows into an
+adjacent freed page, which KASAN reports as UAF.
+
+The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk
+id_count field to determine whether a write fits in inline data. On a
+corrupted filesystem, id_count can exceed the physical maximum inline data
+capacity, causing writes to overflow the inode block buffer.
+
+Call trace (crash path):
+
+ vfs_copy_file_range (fs/read_write.c:1634)
+ do_splice_direct
+ splice_direct_to_actor
+ iter_file_splice_write
+ ocfs2_file_write_iter
+ generic_perform_write
+ ocfs2_write_end
+ ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)
+ ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)
+ memcpy_from_folio <-- KASAN: write OOB
+
+So add id_count upper bound check in ocfs2_validate_inode_block() to
+alongside the existing i_size check to fix it.
+
+Link: https://lkml.kernel.org/r/20260403063830.3662739-1-joseph.qi@linux.alibaba.com
+Signed-off-by: Joseph Qi
+Reported-by: syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=62c1793956716ea8b28a
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc: Heming Zhao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/inode.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1430,6 +1430,16 @@ int ocfs2_validate_inode_block(struct su
+ goto bail;
+ }
+
++ if (le16_to_cpu(data->id_count) >
++ ocfs2_max_inline_data_with_xattr(sb, di)) {
++ rc = ocfs2_error(sb,
++ "Invalid dinode #%llu: inline data id_count %u exceeds max %d\n",
++ (unsigned long long)bh->b_blocknr,
++ le16_to_cpu(data->id_count),
++ ocfs2_max_inline_data_with_xattr(sb, di));
++ goto bail;
++ }
++
+ if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) {
+ rc = ocfs2_error(sb,
+ "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n",
diff --git a/queue-6.1/ocfs2-validate-inline-data-i_size-during-inode-read.patch b/queue-6.1/ocfs2-validate-inline-data-i_size-during-inode-read.patch
new file mode 100644
index 0000000000..fedb7d666f
--- /dev/null
+++ b/queue-6.1/ocfs2-validate-inline-data-i_size-during-inode-read.patch
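Review bot: `ocfs2_max_inline_data_with_xattr(sb, di)` is evaluated twice in the new check, once for the comparison and again inside the error message; a local such as `int max_inline = ocfs2_max_inline_data_with_xattr(sb, di);` used in both places guarantees the bound and the logged value are the same and reads more easily. If that helper derives its result from another on-disk field of `di`, that field needs to be validated before this point for the bound to be trustworthy against a crafted image — worth confirming in the 6.1 tree rather than assuming. `ocfs2_validate_inode_block` starts and ends outside the hunk.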
@@ -0,0 +1,88 @@
+From stable+bounces-236149-greg=kroah.com@vger.kernel.org Mon Apr 13 17:43:53 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 11:43:44 -0400
+Subject: ocfs2: validate inline data i_size during inode read
+To: stable@vger.kernel.org
+Cc: Deepanshu Kartikey , syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com, Joseph Qi , Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Jun Piao , Heming Zhao , Andrew Morton , Sasha Levin
+Message-ID: <20260413154345.3124558-2-sashal@kernel.org>
+
+From: Deepanshu Kartikey
+
+[ Upstream commit 1524af3685b35feac76662cc551cbc37bd14775f ]
+
+When reading an inode from disk, ocfs2_validate_inode_block() performs
+various sanity checks but does not validate the size of inline data. If
+the filesystem is corrupted, an inode's i_size can exceed the actual
+inline data capacity (id_count).
+
+This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data
+buffer, triggering a use-after-free when accessing directory entries from
+freed memory.
+
+In the syzbot report:
+ - i_size was 1099511627576 bytes (~1TB)
+ - Actual inline data capacity (id_count) is typically <256 bytes
+ - A garbage rec_len (54648) caused ctx->pos to jump out of bounds
+ - This triggered a UAF in ocfs2_check_dir_entry()
+
+Fix by adding a validation check in ocfs2_validate_inode_block() to ensure
+inodes with inline data have i_size <= id_count. This catches the
+corruption early during inode read and prevents all downstream code from
+operating on invalid data.
+
+Link: https://lkml.kernel.org/r/20251212052132.16750-1-kartikey406@gmail.com
+Signed-off-by: Deepanshu Kartikey
+Reported-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c897823f699449cc3eb4
+Tested-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/all/20251211115231.3560028-1-kartikey406@gmail.com/T/ [v1]
+Link: https://lore.kernel.org/all/20251212040400.6377-1-kartikey406@gmail.com/T/ [v2]
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc: Heming Zhao
+Signed-off-by: Andrew Morton
+Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/inode.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1419,12 +1419,25 @@ int ocfs2_validate_inode_block(struct su
+ goto bail;
+ }
+
+- if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
+- le32_to_cpu(di->i_clusters)) {
+- rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
+- (unsigned long long)bh->b_blocknr,
+- le32_to_cpu(di->i_clusters));
+- goto bail;
++ if (le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) {
++ struct ocfs2_inline_data *data = &di->id2.i_data;
++
++ if (le32_to_cpu(di->i_clusters)) {
++ rc = ocfs2_error(sb,
++ "Invalid dinode %llu: %u clusters\n",
++ (unsigned long long)bh->b_blocknr,
++ le32_to_cpu(di->i_clusters));
++ goto bail;
++ }
++
++ if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) {
++ rc = ocfs2_error(sb,
++ "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n",
++ (unsigned long long)bh->b_blocknr,
++ (unsigned long long)le64_to_cpu(di->i_size),
++ le16_to_cpu(data->id_count));
++ goto bail;
++ }
+ }
+
+ rc = 0;
diff --git a/queue-6.1/pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch b/queue-6.1/pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch new file mode 100644 index 0000000000..f3f336d02f --- /dev/null +++ b/queue-6.1/pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch 
@@ -0,0 +1,49 @@
+From stable+bounces-239965-greg=kroah.com@vger.kernel.org Mon Apr 20 20:27:35 2026
+From: Sasha Levin
+Date: Mon, 20 Apr 2026 13:29:14 -0400
+Subject: PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
+To: stable@vger.kernel.org
+Cc: Koichiro Den , Manivannan Sadhasivam , Frank Li , Sasha Levin
+Message-ID: <20260420172914.1421779-1-sashal@kernel.org>
+
+From: Koichiro Den
+
+[ Upstream commit d799984233a50abd2667a7d17a9a710a3f10ebe2 ]
+
+Disable the delayed work before clearing BAR mappings and doorbells to
+avoid running the handler after resources have been torn down.
+
+ Unable to handle kernel paging request at virtual address ffff800083f46004
+ [...]
+ Internal error: Oops: 0000000096000007 [#1] SMP
+ [...]
+ Call trace:
+ epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P)
+ process_one_work+0x154/0x3b0
+ worker_thread+0x2c8/0x400
+ kthread+0x148/0x210
+ ret_from_fork+0x10/0x20
+
+Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP")
+Signed-off-by: Koichiro Den
+Signed-off-by: Manivannan Sadhasivam
+Reviewed-by: Frank Li
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260226084142.2226875-4-den@valinux.co.jp
+[ replaced disable_delayed_work_sync() with cancel_delayed_work_sync() ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/endpoint/functions/pci-epf-vntb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c
++++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c
+@@ -801,6 +801,7 @@ err_config_interrupt:
+ */
+ static void epf_ntb_epc_cleanup(struct epf_ntb *ntb)
+ {
++ cancel_delayed_work_sync(&ntb->cmd_handler);
+ epf_ntb_mw_bar_clear(ntb, ntb->num_mws);
+ epf_ntb_db_bar_clear(ntb);
+ epf_ntb_config_sspad_bar_clear(ntb);
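Review bot: The backport note swaps upstream's disable_delayed_work_sync() for cancel_delayed_work_sync(), and the two differ in a way that matters here: cancel only stops the instance that is pending or running, while disable also rejects any later queueing, so any path that still schedules ntb->cmd_handler after epf_ntb_epc_cleanup() returns would reproduce the oops quoted in the description against already-cleared BARs. The scheduling sites are outside the hunk and should be confirmed for 6.1 rather than assumed. A one-line comment above the new call would record the ordering the fix depends on, e.g. `/* Stop the command handler before tearing down the BARs and doorbells it touches */`. epf_ntb_epc_cleanup() continues past the end of the hunk.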
diff --git a/queue-6.1/revert-arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch b/queue-6.1/revert-arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
new file mode 100644
index 0000000000..c2e8c1c21f
--- /dev/null
+++ b/queue-6.1/revert-arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
@@ -0,0 +1,97 @@ +From stable+bounces-236098-greg=kroah.com@vger.kernel.org Mon Apr 13 16:19:37 2026 +From: Sasha Levin +Date: Mon, 13 Apr 2026 10:07:41 -0400 +Subject: Revert "arm64: dts: imx8mq-librem5: Set the DVS voltages lower" +To: stable@vger.kernel.org +Cc: Sebastian Krzyszkowiak , Frank Li , Sasha Levin +Message-ID: <20260413140742.2903986-3-sashal@kernel.org> + +From: Sebastian Krzyszkowiak + +[ Upstream commit 4cd46ea0eb4504f7f4fea92cb4601c5c9a3e545e ] + +This reverts commit c24a9b698fb02cd0723fa8375abab07f94b97b10. + +It's been found that there's a significant per-unit variance in accepted +supply voltages and the current set still makes some units unstable. + +Revert back to nominal values. + +Cc: stable@vger.kernel.org +Fixes: c24a9b698fb0 ("arm64: dts: imx8mq-librem5: Set the DVS voltages lower") +Signed-off-by: Sebastian Krzyszkowiak +Signed-off-by: Frank Li +Stable-dep-of: 511f76bf1dce ("arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts | 2 - + arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 22 +++++--------------- + 2 files changed, 7 insertions(+), 17 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts ++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts +@@ -7,7 +7,7 @@ + + &a53_opp_table { + opp-1000000000 { +- opp-microvolt = <950000>; ++ opp-microvolt = <1000000>; + }; + }; + +--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi +@@ -819,8 +819,8 @@ + regulator-max-microvolt = <1300000>; + regulator-boot-on; + regulator-ramp-delay = <1250>; +- rohm,dvs-run-voltage = <880000>; +- rohm,dvs-idle-voltage = <820000>; ++ rohm,dvs-run-voltage = <900000>; ++ rohm,dvs-idle-voltage = <850000>; + rohm,dvs-suspend-voltage = <810000>; + regulator-always-on; + }; +@@ -831,8 +831,8 @@ + regulator-max-microvolt = <1300000>; + 
regulator-boot-on; + regulator-ramp-delay = <1250>; +- rohm,dvs-run-voltage = <950000>; +- rohm,dvs-idle-voltage = <850000>; ++ rohm,dvs-run-voltage = <1000000>; ++ rohm,dvs-idle-voltage = <900000>; + regulator-always-on; + }; + +@@ -841,14 +841,14 @@ + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1300000>; + regulator-boot-on; +- rohm,dvs-run-voltage = <850000>; ++ rohm,dvs-run-voltage = <900000>; + }; + + buck4_reg: BUCK4 { + regulator-name = "buck4"; + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1300000>; +- rohm,dvs-run-voltage = <930000>; ++ rohm,dvs-run-voltage = <1000000>; + }; + + buck5_reg: BUCK5 { +@@ -1379,13 +1379,3 @@ + fsl,ext-reset-output; + status = "okay"; + }; +- +-&a53_opp_table { +- opp-1000000000 { +- opp-microvolt = <850000>; +- }; +- +- opp-1500000000 { +- opp-microvolt = <950000>; +- }; +-}; diff --git a/queue-6.1/revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch b/queue-6.1/revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch new file mode 100644 index 0000000000..39cd51e70a --- /dev/null +++ b/queue-6.1/revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch 
@@ -0,0 +1,36 @@ +From regressions+bounces-16329-greg=kroah.com@lists.linux.dev Tue Apr 14 04:17:08 2026 +From: guocai.he.cn@windriver.com +Date: Tue, 14 Apr 2026 10:16:33 +0800 +Subject: Revert "wifi: cfg80211: stop NAN and P2P in cfg80211_leave" +To: stable@vger.kernel.org +Cc: gregkh@linuxfoundation.org, johannes.berg@intel.com, netdev@vger.kernel.org, regressions@lists.linux.dev, miriam.rachel.korenblit@intel.com +Message-ID: <20260414021633.2765982-1-guocai.he.cn@windriver.com> + +From: Guocai He + +This reverts commit 0c4f1c02d27a880b10b58c63f574f13bed4f711d which is commit +e1696c8bd0056bc1a5f7766f58ac333adc203e8a upstream. + +The reverted patch introduced a deadlock. The locking situation in mainline is +totally different, so it is incorrect to directly backport the commit from mainline. + +Signed-off-by: Guocai He +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/core.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/net/wireless/core.c ++++ b/net/wireless/core.c +@@ -1328,10 +1328,8 @@ void __cfg80211_leave(struct cfg80211_re + __cfg80211_leave_ocb(rdev, dev); + break; + case NL80211_IFTYPE_P2P_DEVICE: +- cfg80211_stop_p2p_device(rdev, wdev); +- break; + case NL80211_IFTYPE_NAN: +- cfg80211_stop_nan(rdev, wdev); ++ /* cannot happen, has no netdev */ + break; + case NL80211_IFTYPE_AP_VLAN: + case NL80211_IFTYPE_MONITOR: diff --git a/queue-6.1/rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch b/queue-6.1/rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch new file mode 100644 index 0000000000..ee7dee69ca --- /dev/null +++ b/queue-6.1/rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch 
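Review bot: The description states that the backported commit introduced a deadlock and that mainline's locking differs, but it names neither the lock pair or call path involved nor whether the condition the reverted commit addressed (stopping NAN and P2P devices on leave) is still unhandled on 6.1 or is covered elsewhere; a sentence on each would let a later backporter judge whether a 6.1-specific fix is still owed. The restored comment `/* cannot happen, has no netdev */` now sits under both the NL80211_IFTYPE_P2P_DEVICE and NL80211_IFTYPE_NAN labels, which matches the pre-backport shape as far as the hunk shows. __cfg80211_leave() starts and ends outside the hunk.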
@@ -0,0 +1,93 @@ +From stable+bounces-237694-greg=kroah.com@vger.kernel.org Tue Apr 14 03:28:56 2026 +From: Sasha Levin +Date: Mon, 13 Apr 2026 21:28:47 -0400 +Subject: rxrpc: Fix call removal to use RCU safe deletion +To: stable@vger.kernel.org +Cc: David Howells , Marc Dionne , Jeffrey Altman , Linus Torvalds , Simon Horman , linux-afs@lists.infradead.org, stable@kernel.org, Jakub Kicinski , Sasha Levin +Message-ID: <20260414012847.3835878-1-sashal@kernel.org> + +From: David Howells + +[ Upstream commit 146d4ab94cf129ee06cd467cb5c71368a6b5bad6 ] + +Fix rxrpc call removal from the rxnet->calls list to use list_del_rcu() +rather than list_del_init() to prevent stuffing up reading +/proc/net/rxrpc/calls from potentially getting into an infinite loop. + +This, however, means that list_empty() no longer works on an entry that's +been deleted from the list, making it harder to detect prior deletion. Fix +this by: + +Firstly, make rxrpc_destroy_all_calls() only dump the first ten calls that +are unexpectedly still on the list. Limiting the number of steps means +there's no need to call cond_resched() or to remove calls from the list +here, thereby eliminating the need for rxrpc_put_call() to check for that. + +rxrpc_put_call() can then be fixed to unconditionally delete the call from +the list as it is the only place that the deletion occurs. 
+ +Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing") +Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com +Signed-off-by: David Howells +cc: Marc Dionne +cc: Jeffrey Altman +cc: Linus Torvalds +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-5-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +[ adapted to older API ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/call_object.c | 22 ++++++++-------------- + 1 file changed, 8 insertions(+), 14 deletions(-) + +--- a/net/rxrpc/call_object.c ++++ b/net/rxrpc/call_object.c +@@ -634,11 +634,9 @@ void rxrpc_put_call(struct rxrpc_call *c + _debug("call %d dead", call->debug_id); + ASSERTCMP(call->state, ==, RXRPC_CALL_COMPLETE); + +- if (!list_empty(&call->link)) { +- spin_lock_bh(&rxnet->call_lock); +- list_del_init(&call->link); +- spin_unlock_bh(&rxnet->call_lock); +- } ++ spin_lock_bh(&rxnet->call_lock); ++ list_del_rcu(&call->link); ++ spin_unlock_bh(&rxnet->call_lock); + + rxrpc_cleanup_call(call); + } +@@ -709,24 +707,20 @@ void rxrpc_destroy_all_calls(struct rxrp + _enter(""); + + if (!list_empty(&rxnet->calls)) { +- spin_lock_bh(&rxnet->call_lock); ++ int shown = 0; + +- while (!list_empty(&rxnet->calls)) { +- call = list_entry(rxnet->calls.next, +- struct rxrpc_call, link); +- _debug("Zapping call %p", call); ++ spin_lock_bh(&rxnet->call_lock); + ++ list_for_each_entry(call, &rxnet->calls, link) { + rxrpc_see_call(call); +- list_del_init(&call->link); + + pr_err("Call %p still in use (%d,%s,%lx,%lx)!\n", + call, refcount_read(&call->ref), + rxrpc_call_states[call->state], + call->flags, call->events); + +- spin_unlock_bh(&rxnet->call_lock); +- cond_resched(); +- spin_lock_bh(&rxnet->call_lock); ++ if (++shown >= 10) ++ break; + } + + spin_unlock_bh(&rxnet->call_lock); 
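Review bot: rxrpc_put_call() now runs list_del_rcu() on every dead call, so the change is only safe if call->link is initialised with INIT_LIST_HEAD() in every allocation path that can reach this put without a prior list_add_rcu(); that initialisation is outside the hunk and should be confirmed for the 6.1 tree. list_del_rcu() poisons link.prev, so a list_empty() test on the entry is meaningless from here on, and the RCU-safe deletion only helps the /proc reader if the object is not freed until a grace period has passed — the hunk shows rxrpc_cleanup_call(call) called immediately afterwards, so its deferral of the free is assumed rather than visible. A comment above the lock such as `/* Sole removal point from rxnet->calls; proc.c walks the list under RCU, so use list_del_rcu() and defer the free */` would keep the invariant the description explains next to the code. In rxrpc_destroy_all_calls() the `++shown >= 10` cut-off is a bare magic number that deserves a named constant or a one-line comment. Both functions start outside the hunk.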
diff --git a/queue-6.1/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch b/queue-6.1/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
new file mode 100644
index 0000000000..aae0d07bdd
--- /dev/null
+++ b/queue-6.1/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
@@ -0,0 +1,63 @@ +From stable+bounces-237682-greg=kroah.com@vger.kernel.org Tue Apr 14 02:02:46 2026 +From: Sasha Levin +Date: Mon, 13 Apr 2026 20:02:39 -0400 +Subject: rxrpc: Fix key quota calculation for multitoken keys +To: stable@vger.kernel.org +Cc: David Howells , Marc Dionne , Jeffrey Altman , Simon Horman , linux-afs@lists.infradead.org, stable@kernel.org, Jakub Kicinski , Sasha Levin +Message-ID: <20260414000239.3782404-1-sashal@kernel.org> + +From: David Howells + +[ Upstream commit bdbfead6d38979475df0c2f4bad2b19394fe9bdc ] + +In the rxrpc key preparsing, every token extracted sets the proposed quota +value, but for multitoken keys, this will overwrite the previous proposed +quota, losing it. + +Fix this by adding to the proposed quota instead. + +Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing") +Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com +Signed-off-by: David Howells +cc: Marc Dionne +cc: Jeffrey Altman +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-2-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +[ dropped hunk for rxrpc_preparse_xdr_yfs_rxgk() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/key.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -72,7 +72,7 @@ static int rxrpc_preparse_xdr_rxkad(stru + return -EKEYREJECTED; + + plen = sizeof(*token) + sizeof(*token->kad) + tktlen; +- prep->quotalen = datalen + plen; ++ prep->quotalen += datalen + plen; + + plen -= sizeof(*token); + token = kzalloc(sizeof(*token), GFP_KERNEL); +@@ -303,6 +303,7 @@ static int rxrpc_preparse(struct key_pre + memcpy(&kver, prep->data, sizeof(kver)); + prep->data += sizeof(kver); + prep->datalen -= sizeof(kver); ++ prep->quotalen = 0; + + _debug("KEY I/F VERSION: %u", kver); + +@@ -340,7 +341,7 @@ static int rxrpc_preparse(struct key_pre + 
goto error; + + plen = sizeof(*token->kad) + v1->ticket_length; +- prep->quotalen = plen + sizeof(*token); ++ prep->quotalen += plen + sizeof(*token); + + ret = -ENOMEM; + token = kzalloc(sizeof(*token), GFP_KERNEL); diff --git a/queue-6.1/rxrpc-fix-recvmsg-unconditional-requeue.patch b/queue-6.1/rxrpc-fix-recvmsg-unconditional-requeue.patch new file mode 100644 index 0000000000..bd4fdba81a --- /dev/null +++ b/queue-6.1/rxrpc-fix-recvmsg-unconditional-requeue.patch 
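Review bot: The `datalen` folded into prep->quotalen in rxrpc_preparse_xdr_rxkad() is supplied by a caller outside the hunk; if it is the length of the whole XDR payload rather than this token's share, the switch to `+=` now charges the payload once per token, which is conservative for quota purposes but deserves a comment so nobody later "fixes" it back to `=`. The added `prep->quotalen = 0;` in rxrpc_preparse() discards whatever the keys core preloaded into quotalen before calling the preparser; if that preload was intended as a floor, a one-line comment explaining why rxrpc starts from zero would help. The backport note says the rxrpc_preparse_xdr_yfs_rxgk() hunk was dropped, so the remaining 6.1 token parsers are worth checking for any other `prep->quotalen =` assignment that would still clobber the running total. Both functions start and end outside the hunk.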
@@ -0,0 +1,101 @@ +From stable+bounces-240393-greg=kroah.com@vger.kernel.org Thu Apr 23 00:25:09 2026 +From: Jay Wang +Date: Wed, 22 Apr 2026 22:24:31 +0000 +Subject: rxrpc: Fix recvmsg() unconditional requeue +To: +Cc: , , , , , , , , , Faith , Pumpkin Chang +Message-ID: <20260422222431.7187-1-wanjay@amazon.com> + +From: David Howells + +[ Upstream commit 2c28769a51deb6022d7fbd499987e237a01dd63a ] + +If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call +at the front of the recvmsg queue already has its mutex locked, it +requeues the call - whether or not the call is already queued. The call +may be on the queue because MSG_PEEK was also passed and so the call was +not dequeued or because the I/O thread requeued it. + +The unconditional requeue may then corrupt the recvmsg queue, leading to +things like UAFs or refcount underruns. + +Fix this by only requeuing the call if it isn't already on the queue - +and moving it to the front if it is already queued. If we don't queue +it, we have to put the ref we obtained by dequeuing it. + +Also, MSG_PEEK doesn't dequeue the call so shouldn't call +rxrpc_notify_socket() for the call if we didn't use up all the data on +the queue, so fix that also. + +Fixes: 540b1c48c37a ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg") +Reported-by: Faith +Reported-by: Pumpkin Chang +Signed-off-by: David Howells +Acked-by: Marc Dionne +Signed-off-by: Jakub Kicinski +Cc: stable@vger.kernel.org +[Adapted to 6.1: use write_lock_bh/write_unlock_bh, trace_rxrpc_call + directly for see-call tracing, and 6.1 trace enum naming convention.] 
+Signed-off-by: Jay Wang +Signed-off-by: Greg Kroah-Hartman +--- + include/trace/events/rxrpc.h | 4 ++++ + net/rxrpc/recvmsg.c | 22 ++++++++++++++++++---- + 2 files changed, 22 insertions(+), 4 deletions(-) + +--- a/include/trace/events/rxrpc.h ++++ b/include/trace/events/rxrpc.h +@@ -82,9 +82,13 @@ + EM(rxrpc_call_put_notimer, "PnT") \ + EM(rxrpc_call_put_timer, "PTM") \ + EM(rxrpc_call_put_userid, "Pus") \ ++ EM(rxrpc_call_put_recvmsg_peek_nowait, "PpN") \ + EM(rxrpc_call_queued, "QUE") \ + EM(rxrpc_call_queued_ref, "QUR") \ + EM(rxrpc_call_release, "RLS") \ ++ EM(rxrpc_call_see_recvmsg_requeue, "SrQ") \ ++ EM(rxrpc_call_see_recvmsg_requeue_first,"SrF") \ ++ EM(rxrpc_call_see_recvmsg_requeue_move, "SrM") \ + E_(rxrpc_call_seen, "SEE") + + #define rxrpc_transmit_traces \ +--- a/net/rxrpc/recvmsg.c ++++ b/net/rxrpc/recvmsg.c +@@ -607,7 +607,8 @@ try_again: + + if (after(call->rx_top, call->rx_hard_ack) && + call->rxtx_buffer[(call->rx_hard_ack + 1) & RXRPC_RXTX_BUFF_MASK]) +- rxrpc_notify_socket(call); ++ if (!(flags & MSG_PEEK)) ++ rxrpc_notify_socket(call); + break; + default: + ret = 0; +@@ -642,11 +643,24 @@ error_unlock_call: + error_requeue_call: + if (!(flags & MSG_PEEK)) { + write_lock_bh(&rx->recvmsg_lock); +- list_add(&call->recvmsg_link, &rx->recvmsg_q); +- write_unlock_bh(&rx->recvmsg_lock); ++ if (list_empty(&call->recvmsg_link)) { ++ list_add(&call->recvmsg_link, &rx->recvmsg_q); ++ trace_rxrpc_call(call->debug_id, ++ rxrpc_call_see_recvmsg_requeue, ++ refcount_read(&call->ref), ++ __builtin_return_address(0), NULL); ++ write_unlock_bh(&rx->recvmsg_lock); ++ } else if (list_is_first(&call->recvmsg_link, &rx->recvmsg_q)) { ++ write_unlock_bh(&rx->recvmsg_lock); ++ rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_first); ++ } else { ++ list_move(&call->recvmsg_link, &rx->recvmsg_q); ++ write_unlock_bh(&rx->recvmsg_lock); ++ rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_move); ++ } + trace_rxrpc_recvmsg(call, rxrpc_recvmsg_requeue, 0, 0, 0, 0); 
+ } else { +- rxrpc_put_call(call, rxrpc_call_put); ++ rxrpc_put_call(call, rxrpc_call_put_recvmsg_peek_nowait); + } + error_no_call: + release_sock(&rx->sk); diff --git a/queue-6.1/rxrpc-reject-undecryptable-rxkad-response-tickets.patch b/queue-6.1/rxrpc-reject-undecryptable-rxkad-response-tickets.patch new file mode 100644 index 0000000000..a9d4d447a0 --- /dev/null +++ b/queue-6.1/rxrpc-reject-undecryptable-rxkad-response-tickets.patch 
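Review bot: The `list_empty(&call->recvmsg_link)` test in error_requeue_call is only meaningful if every dequeue of a call from rx->recvmsg_q uses list_del_init() rather than list_del(); the dequeue sites are outside the hunk and should be confirmed for 6.1, because a plain list_del() leaves poisoned pointers that do not read as empty and would send a dequeued call into the list_move() branch. In the try_again section the new `if (!(flags & MSG_PEEK))` is nested inside the existing unbraced `if (after(...) && ...)`, which kernel style would rather see as one condition: `if (!(flags & MSG_PEEK) && after(call->rx_top, call->rx_hard_ack) && call->rxtx_buffer[(call->rx_hard_ack + 1) & RXRPC_RXTX_BUFF_MASK]) rxrpc_notify_socket(call);`. The list_is_first() and list_move() branches drop the lock and then put the reference obtained at dequeue, which relies on the queue itself holding a separate reference — a short comment at the first rxrpc_put_call() saying so would help. rxrpc_recvmsg() starts before the hunk and continues after it.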
@@ -0,0 +1,63 @@ +From stable+bounces-237838-greg=kroah.com@vger.kernel.org Tue Apr 14 13:56:27 2026 +From: Sasha Levin +Date: Tue, 14 Apr 2026 07:52:36 -0400 +Subject: rxrpc: reject undecryptable rxkad response tickets +To: stable@vger.kernel.org +Cc: Yuqi Xu , Yifan Wu , Juefei Pu , Yuan Tan , Xin Liu , Ren Wei , Ren Wei , David Howells , Marc Dionne , Simon Horman , linux-afs@lists.infradead.org, stable@kernel.org, Jakub Kicinski , Sasha Levin +Message-ID: <20260414115236.537968-1-sashal@kernel.org> + +From: Yuqi Xu + +[ Upstream commit fe4447cd95623b1cfacc15f280aab73a6d7340b2 ] + +rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then +parses the buffer as plaintext without checking whether +crypto_skcipher_decrypt() succeeded. + +A malformed RESPONSE can therefore use a non-block-aligned ticket +length, make the decrypt operation fail, and still drive the ticket +parser with attacker-controlled bytes. + +Check the decrypt result and abort the connection with RXKADBADTICKET +when ticket decryption fails. 
+ +Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Yuqi Xu +Signed-off-by: Ren Wei +Signed-off-by: David Howells +cc: Marc Dionne +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-12-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +[ adapted `rxrpc_abort_conn()` call to existing `goto other_error` error-handling pattern ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/rxkad.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/rxrpc/rxkad.c ++++ b/net/rxrpc/rxkad.c +@@ -1013,8 +1013,13 @@ static int rxkad_decrypt_ticket(struct r + sg_init_one(&sg[0], ticket, ticket_len); + skcipher_request_set_callback(req, 0, NULL, NULL); + skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x); +- crypto_skcipher_decrypt(req); ++ ret = crypto_skcipher_decrypt(req); + skcipher_request_free(req); ++ if (ret < 0) { ++ abort_code = RXKADBADTICKET; ++ ret = -EPROTO; ++ goto other_error; ++ } + + p = ticket; + end = p + ticket_len; diff --git a/queue-6.1/scripts-generate_rust_analyzer.py-define-scripts.patch b/queue-6.1/scripts-generate_rust_analyzer.py-define-scripts.patch new file mode 100644 index 0000000000..ce810683df --- /dev/null +++ b/queue-6.1/scripts-generate_rust_analyzer.py-define-scripts.patch 
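Review bot: After a failed decrypt the `ticket` buffer holds whatever the cipher left behind, so the `goto other_error` path must not log from or parse `ticket`; other_error is outside the hunk and worth a glance for that. The description attributes the failure to a non-block-aligned ticket length, which could be rejected before any skcipher request is allocated by checking `ticket_len` against the cipher block size at the top of rxkad_decrypt_ticket(); that check is outside the hunk and would leave the decrypt error path as a genuine internal-error case. The pairing of RXKADBADTICKET with -EPROTO should match the other RXKADBADTICKET sites in rxkad.c so a bad ticket yields one consistent errno, given the backport note says the error path was adapted from upstream's rxrpc_abort_conn() call. rxkad_decrypt_ticket() starts and ends outside the hunk.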
@@ -0,0 +1,63 @@ +From stable+bounces-239947-greg=kroah.com@vger.kernel.org Mon Apr 20 20:11:41 2026 +From: Sasha Levin +Date: Mon, 20 Apr 2026 12:38:51 -0400 +Subject: scripts: generate_rust_analyzer.py: define scripts +To: stable@vger.kernel.org +Cc: Tamir Duberstein , Daniel Almeida , Fiona Behrens , Trevor Gross , Sasha Levin +Message-ID: <20260420163851.1302521-1-sashal@kernel.org> + +From: Tamir Duberstein + +[ Upstream commit 36c619f6bd793493294becb10a02fea370b67a91 ] + +Add IDE support for host-side scripts written in Rust. This support has +been missing since these scripts were initially added in commit +9a8ff24ce584 ("scripts: add `generate_rust_target.rs`"), thus add it. + +Change the existing instance of extension stripping to +`pathlib.Path.stem` to maintain code consistency. + +Fixes: 9a8ff24ce584 ("scripts: add `generate_rust_target.rs`") +Cc: stable@vger.kernel.org +Reviewed-by: Daniel Almeida +Reviewed-by: Fiona Behrens +Reviewed-by: Trevor Gross +Link: https://patch.msgid.link/20260122-rust-analyzer-scripts-v1-1-ff6ba278170e@kernel.org +Signed-off-by: Tamir Duberstein +[ changed `[std]` dep to `["std"]` and kept untyped `is_root_crate()` ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/generate_rust_analyzer.py | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/scripts/generate_rust_analyzer.py ++++ b/scripts/generate_rust_analyzer.py +@@ -113,6 +113,18 @@ def generate_crates(srctree, objtree, sy + "exclude_dirs": [], + } + ++ scripts = srctree / "scripts" ++ makefile = (scripts / "Makefile").read_text() ++ for path in scripts.glob("*.rs"): ++ name = path.stem ++ if f"{name}-rust" not in makefile: ++ continue ++ append_crate( ++ name, ++ path, ++ ["std"], ++ ) ++ + def is_root_crate(build_file, target): + try: + contents = build_file.read_text() +@@ -129,7 +141,7 @@ def generate_crates(srctree, objtree, sy + for folder in extra_dirs: + for path in folder.rglob("*.rs"): + 
logging.info("Checking %s", path) +- name = path.name.replace(".rs", "") ++ name = path.stem + + # Skip those that are not crate roots. + if not is_root_crate(path.parent / "Makefile", name) and \ diff --git a/queue-6.1/scsi-ufs-core-fix-use-after-free-in-init-error-and-remove-paths.patch b/queue-6.1/scsi-ufs-core-fix-use-after-free-in-init-error-and-remove-paths.patch new file mode 100644 index 0000000000..a4c5a81b64 --- /dev/null +++ b/queue-6.1/scsi-ufs-core-fix-use-after-free-in-init-error-and-remove-paths.patch 
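Review bot: The substring test `if f"{name}-rust" not in makefile:` accepts any occurrence of that text anywhere in scripts/Makefile, so a crate whose name is a suffix of another crate's name, or a mention in a comment, would be picked up as built; if the Makefile marks Rust host programs with a `<name>-rust` assignment as the existing check suggests, anchoring on that, e.g. `if not re.search(rf"^{re.escape(name)}-rust\b", makefile, re.MULTILINE):`, ties the check to the actual build rule. That form needs `re` imported at the top of the script, which is outside the hunk. The unconditional `(scripts / "Makefile").read_text()` is fine inside a kernel tree, but a short comment stating that the file is assumed to exist would make the intent explicit. generate_crates() starts before the hunk and continues after it.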
@@ -0,0 +1,244 @@ +From stable+bounces-240432-greg=kroah.com@vger.kernel.org Thu Apr 23 09:30:07 2026 +From: Robert Garcia +Date: Thu, 23 Apr 2026 15:28:21 +0800 +Subject: scsi: ufs: core: Fix use-after free in init error and remove paths +To: stable@vger.kernel.org, "André Draszik" +Cc: "Martin K . Petersen" , Robert Garcia , Bean Huo , Manivannan Sadhasivam , Eric Biggers , Alim Akhtar , Avri Altman , Bart Van Assche , "James E . J . Bottomley" , Sasha Levin , Peter Wang , Wang Shuaiwei , Eric Biggers , Manish Pandey , Brian Kao , Greg Kroah-Hartman , Adrian Hunter , Archana Patni , Arnd Bergmann , Jens Axboe , Ulf Hansson , Mike Snitzer , Satya Tangirala , linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org +Message-ID: <20260423072821.3454022-1-rob_garcia@163.com> + +From: André Draszik + +[ Upstream commit f8fb2403ddebb5eea0033d90d9daae4c88749ada ] + +devm_blk_crypto_profile_init() registers a cleanup handler to run when +the associated (platform-) device is being released. For UFS, the +crypto private data and pointers are stored as part of the ufs_hba's +data structure 'struct ufs_hba::crypto_profile'. This structure is +allocated as part of the underlying ufshcd and therefore Scsi_host +allocation. + +During driver release or during error handling in ufshcd_pltfrm_init(), +this structure is released as part of ufshcd_dealloc_host() before the +(platform-) device associated with the crypto call above is released. +Once this device is released, the crypto cleanup code will run, using +the just-released 'struct ufs_hba::crypto_profile'. 
This causes a +use-after-free situation: + + Call trace: + kfree+0x60/0x2d8 (P) + kvfree+0x44/0x60 + blk_crypto_profile_destroy_callback+0x28/0x70 + devm_action_release+0x1c/0x30 + release_nodes+0x6c/0x108 + devres_release_all+0x98/0x100 + device_unbind_cleanup+0x20/0x70 + really_probe+0x218/0x2d0 + +In other words, the initialisation code flow is: + + platform-device probe + ufshcd_pltfrm_init() + ufshcd_alloc_host() + scsi_host_alloc() + allocation of struct ufs_hba + creation of scsi-host devices + devm_blk_crypto_profile_init() + devm registration of cleanup handler using platform-device + +and during error handling of ufshcd_pltfrm_init() or during driver +removal: + + ufshcd_dealloc_host() + scsi_host_put() + put_device(scsi-host) + release of struct ufs_hba + put_device(platform-device) + crypto cleanup handler + +To fix this use-after free, change ufshcd_alloc_host() to register a +devres action to automatically cleanup the underlying SCSI device on +ufshcd destruction, without requiring explicit calls to +ufshcd_dealloc_host(). This way: + + * the crypto profile and all other ufs_hba-owned resources are + destroyed before SCSI (as they've been registered after) + * a memleak is plugged in tc-dwc-g210-pci.c remove() as a + side-effect + * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as + it's not needed anymore + * no future drivers using ufshcd_alloc_host() could ever forget + adding the cleanup + +Fixes: cb77cb5abe1f ("blk-crypto: rename blk_keyslot_manager to blk_crypto_profile") +Fixes: d76d9d7d1009 ("scsi: ufs: use devm_blk_ksm_init()") +Cc: stable@vger.kernel.org +Signed-off-by: André Draszik +Link: https://lore.kernel.org/r/20250124-ufshcd-fix-v4-1-c5d0144aae59@linaro.org +Reviewed-by: Bean Huo +Reviewed-by: Manivannan Sadhasivam +Acked-by: Eric Biggers +Signed-off-by: Martin K. 
Petersen +[ Delete modifications about ufshcd_parse_operating_points() for it's added from +commit 72208ebe181e3("scsi: ufs: core: Add support for parsing OPP") +and that in ufshcd_pltfrm_remove() for it's added from commit +897df60c16d54("scsi: ufs: pltfrm: Dellocate HBA during ufshcd_pltfrm_remove()"). ] +Signed-off-by: Robert Garcia +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd.c | 31 +++++++++++++++++++++---------- + drivers/ufs/host/ufshcd-pci.c | 2 -- + drivers/ufs/host/ufshcd-pltfrm.c | 25 ++++++++----------------- + include/ufs/ufshcd.h | 1 - + 4 files changed, 29 insertions(+), 30 deletions(-) + +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -9662,16 +9662,6 @@ void ufshcd_remove(struct ufs_hba *hba) + EXPORT_SYMBOL_GPL(ufshcd_remove); + + /** +- * ufshcd_dealloc_host - deallocate Host Bus Adapter (HBA) +- * @hba: pointer to Host Bus Adapter (HBA) +- */ +-void ufshcd_dealloc_host(struct ufs_hba *hba) +-{ +- scsi_host_put(hba->host); +-} +-EXPORT_SYMBOL_GPL(ufshcd_dealloc_host); +- +-/** + * ufshcd_set_dma_mask - Set dma mask based on the controller + * addressing capability + * @hba: per adapter instance +@@ -9690,10 +9680,24 @@ static int ufshcd_set_dma_mask(struct uf + } + + /** ++ * ufshcd_devres_release - devres cleanup handler, invoked during release of ++ * hba->dev ++ * @host: pointer to SCSI host ++ */ ++static void ufshcd_devres_release(void *host) ++{ ++ scsi_host_put(host); ++} ++ ++/** + * ufshcd_alloc_host - allocate Host Bus Adapter (HBA) + * @dev: pointer to device handle + * @hba_handle: driver private handle + * Returns 0 on success, non-zero value on failure ++ * ++ * NOTE: There is no corresponding ufshcd_dealloc_host() because this function ++ * keeps track of its allocations using devres and deallocates everything on ++ * device removal automatically. 
+ */ + int ufshcd_alloc_host(struct device *dev, struct ufs_hba **hba_handle) + { +@@ -9715,6 +9719,13 @@ int ufshcd_alloc_host(struct device *dev + err = -ENOMEM; + goto out_error; + } ++ ++ err = devm_add_action_or_reset(dev, ufshcd_devres_release, ++ host); ++ if (err) ++ return dev_err_probe(dev, err, ++ "failed to add ufshcd dealloc action\n"); ++ + host->nr_maps = HCTX_TYPE_POLL + 1; + hba = shost_priv(host); + hba->host = host; +--- a/drivers/ufs/host/ufshcd-pci.c ++++ b/drivers/ufs/host/ufshcd-pci.c +@@ -629,7 +629,6 @@ static void ufshcd_pci_remove(struct pci + pm_runtime_forbid(&pdev->dev); + pm_runtime_get_noresume(&pdev->dev); + ufshcd_remove(hba); +- ufshcd_dealloc_host(hba); + } + + /** +@@ -674,7 +673,6 @@ ufshcd_pci_probe(struct pci_dev *pdev, c + err = ufshcd_init(hba, mmio_base, pdev->irq); + if (err) { + dev_err(&pdev->dev, "Initialization failed\n"); +- ufshcd_dealloc_host(hba); + return err; + } + +--- a/drivers/ufs/host/ufshcd-pltfrm.c ++++ b/drivers/ufs/host/ufshcd-pltfrm.c +@@ -343,21 +343,17 @@ int ufshcd_pltfrm_init(struct platform_d + struct device *dev = &pdev->dev; + + mmio_base = devm_platform_ioremap_resource(pdev, 0); +- if (IS_ERR(mmio_base)) { +- err = PTR_ERR(mmio_base); +- goto out; +- } ++ if (IS_ERR(mmio_base)) ++ return PTR_ERR(mmio_base); + + irq = platform_get_irq(pdev, 0); +- if (irq < 0) { +- err = irq; +- goto out; +- } ++ if (irq < 0) ++ return irq; + + err = ufshcd_alloc_host(dev, &hba); + if (err) { + dev_err(dev, "Allocation failed\n"); +- goto out; ++ return err; + } + + hba->vops = vops; +@@ -366,13 +362,13 @@ int ufshcd_pltfrm_init(struct platform_d + if (err) { + dev_err(dev, "%s: clock parse failed %d\n", + __func__, err); +- goto dealloc_host; ++ return err; + } + err = ufshcd_parse_regulator_info(hba); + if (err) { + dev_err(dev, "%s: regulator init failed %d\n", + __func__, err); +- goto dealloc_host; ++ return err; + } + + ufshcd_init_lanes_per_dir(hba); +@@ -380,18 +376,13 @@ int ufshcd_pltfrm_init(struct 
platform_d + err = ufshcd_init(hba, mmio_base, irq); + if (err) { + dev_err(dev, "Initialization failed\n"); +- goto dealloc_host; ++ return err; + } + + pm_runtime_set_active(dev); + pm_runtime_enable(dev); + + return 0; +- +-dealloc_host: +- ufshcd_dealloc_host(hba); +-out: +- return err; + } + EXPORT_SYMBOL_GPL(ufshcd_pltfrm_init); + +--- a/include/ufs/ufshcd.h ++++ b/include/ufs/ufshcd.h +@@ -1063,7 +1063,6 @@ static inline void ufshcd_rmwl(struct uf + } + + int ufshcd_alloc_host(struct device *, struct ufs_hba **); +-void ufshcd_dealloc_host(struct ufs_hba *); + int ufshcd_hba_enable(struct ufs_hba *hba); + int ufshcd_init(struct ufs_hba *, void __iomem *, unsigned int); + int ufshcd_link_recovery(struct ufs_hba *hba); diff --git a/queue-6.1/series b/queue-6.1/series index d9b1ebe001..e243e1fc24 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
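Review bot: The fix rests on ordering: the action registered with devm_add_action_or_reset() in ufshcd_alloc_host() must run after the crypto-profile cleanup registered later during initialisation, which holds only because devres releases in reverse registration order; that reasoning lives in the commit description, not the code, so a comment at the registration site such as `/* Registered before any other hba->dev devres action, so scsi_host_put() runs last on release */` would keep it with the code. The new failure path returns dev_err_probe() directly while the scsi_host_alloc() failure just above still uses `goto out_error`; because devm_add_action_or_reset() has already run the action on failure there is nothing left to unwind, but a reviewer would expect either both paths to share the label or a one-line comment saying why the direct return is correct. The ufshcd-pltfrm.c hunks now return early on every error with no unwinding, which is right only if nothing acquired between ufshcd_alloc_host() and ufshcd_init() needs explicit release; those helpers are outside the hunk and should be confirmed for the 6.1 tree, where the backport note says ufshcd_parse_operating_points() does not exist. ufshcd_alloc_host() and ufshcd_pltfrm_init() both continue past their hunks.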
@@ -115,3 +115,22 @@ gfs2-improve-gfs2_consist_inode-usage.patch
 gfs2-validate-i_depth-for-exhash-directories.patch
 wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch
 net-dsa-clean-up-fdb-mdb-vlan-entries-on-unbind.patch
+arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
+arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-to-0.81v.patch
+revert-arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
+arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-up-to-0.85v.patch
+ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
+ocfs2-validate-inline-data-i_size-during-inode-read.patch
+ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
+rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
+rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch
+revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch
+rxrpc-reject-undecryptable-rxkad-response-tickets.patch
+kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch
+ublk-fix-deadlock-when-reading-partition-table.patch
+scripts-generate_rust_analyzer.py-define-scripts.patch
+pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch
+soc-qcom-apr-make-remove-callback-of-apr-driver-void-returned.patch
+asoc-qcom-q6apm-move-component-registration-to-unmanaged-version.patch
+rxrpc-fix-recvmsg-unconditional-requeue.patch
+scsi-ufs-core-fix-use-after-free-in-init-error-and-remove-paths.patch
diff --git a/queue-6.1/soc-qcom-apr-make-remove-callback-of-apr-driver-void-returned.patch b/queue-6.1/soc-qcom-apr-make-remove-callback-of-apr-driver-void-returned.patch
new file mode 100644
index 0000000000..9c966941ea
--- /dev/null
+++ b/queue-6.1/soc-qcom-apr-make-remove-callback-of-apr-driver-void-returned.patch
@@ -0,0 +1,62 @@ +From stable+bounces-239956-greg=kroah.com@vger.kernel.org Mon Apr 20 19:57:37 2026 +From: Sasha Levin +Date: Mon, 20 Apr 2026 13:17:42 -0400 +Subject: soc: qcom: apr: make remove callback of apr driver void returned +To: stable@vger.kernel.org +Cc: Dawei Li , Bjorn Andersson , Sasha Levin +Message-ID: <20260420171743.1388144-1-sashal@kernel.org> + +From: Dawei Li + +[ Upstream commit 33ae3d0955943ac5bacfcb6911cf7cb74822bf8c ] + +Since commit fc7a6209d571 ("bus: Make remove callback return void") +forces bus_type::remove be void-returned, it doesn't make much sense +for any bus based driver implementing remove callbalk to return +non-void to its caller. + +As such, change the remove function for apr bus based drivers to +return void. + +Signed-off-by: Dawei Li +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/TYCP286MB23232B7968D34DB8323B0F16CAFB9@TYCP286MB2323.JPNP286.PROD.OUTLOOK.COM +Stable-dep-of: 6ec1235fc941 ("ASoC: qcom: q6apm: move component registration to unmanaged version") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/soc/qcom/apr.h | 2 +- + sound/soc/qcom/qdsp6/q6core.c | 4 +--- + 2 files changed, 2 insertions(+), 4 deletions(-) + +--- a/include/linux/soc/qcom/apr.h ++++ b/include/linux/soc/qcom/apr.h +@@ -153,7 +153,7 @@ typedef struct apr_device gpr_device_t; + + struct apr_driver { + int (*probe)(struct apr_device *sl); +- int (*remove)(struct apr_device *sl); ++ void (*remove)(struct apr_device *sl); + int (*callback)(struct apr_device *a, + struct apr_resp_pkt *d); + int (*gpr_callback)(struct gpr_resp_pkt *d, void *data, int op); +--- a/sound/soc/qcom/qdsp6/q6core.c ++++ b/sound/soc/qcom/qdsp6/q6core.c +@@ -339,7 +339,7 @@ static int q6core_probe(struct apr_devic + return 0; + } + +-static int q6core_exit(struct apr_device *adev) ++static void q6core_exit(struct apr_device *adev) + { + struct q6core *core = dev_get_drvdata(&adev->dev); + +@@ -350,8 +350,6 @@ static int 
q6core_exit(struct apr_device + + g_core = NULL; + kfree(core); +- +- return 0; + } + + #ifdef CONFIG_OF diff --git a/queue-6.1/ublk-fix-deadlock-when-reading-partition-table.patch b/queue-6.1/ublk-fix-deadlock-when-reading-partition-table.patch new file mode 100644 index 0000000000..eb634863b9 --- /dev/null +++ b/queue-6.1/ublk-fix-deadlock-when-reading-partition-table.patch 
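Review bot: The `int (*remove)` → `void (*remove)` change in the apr.h hunk is matched only by the `q6core_exit()` update in q6core.c; if any other apr_driver in the 6.1 tree still defines an `int`-returning remove callback, its `.remove = ...` initializer becomes an incompatible-pointer-type warning (an error under -Werror), so the backport should be build-tested with every qdsp6 apr driver enabled to confirm the two-file diffstat is the complete set for this tree. The hunk itself is otherwise self-contained: `q6core_exit()` only loses its `return 0;` and nothing on the new side depends on the dropped value.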
@@ -0,0 +1,101 @@ +From stable+bounces-238739-greg=kroah.com@vger.kernel.org Mon Apr 20 14:05:19 2026 +From: Ruohan Lan +Date: Mon, 20 Apr 2026 20:01:10 +0800 +Subject: ublk: fix deadlock when reading partition table +To: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org +Cc: linux-block@vger.kernel.org, Ming Lei , Caleb Sander Mateos , Jens Axboe , Ruohan Lan +Message-ID: <20260420120110.864-1-ruohanlan@aliyun.com> + +From: Ming Lei + +[ Upstream commit c258f5c4502c9667bccf5d76fa731ab9c96687c1 ] + +When one process(such as udev) opens ublk block device (e.g., to read +the partition table via bdev_open()), a deadlock[1] can occur: + +1. bdev_open() grabs disk->open_mutex +2. The process issues read I/O to ublk backend to read partition table +3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request() + runs bio->bi_end_io() callbacks +4. If this triggers fput() on file descriptor of ublk block device, the + work may be deferred to current task's task work (see fput() implementation) +5. This eventually calls blkdev_release() from the same context +6. blkdev_release() tries to grab disk->open_mutex again +7. Deadlock: same task waiting for a mutex it already holds + +The fix is to run blk_update_request() and blk_mq_end_request() with bottom +halves disabled. This forces blkdev_release() to run in kernel work-queue +context instead of current task work context, and allows ublk server to make +forward progress, and avoids the deadlock. + +Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver") +Link: https://github.com/ublk-org/ublksrv/issues/170 [1] +Signed-off-by: Ming Lei +Reviewed-by: Caleb Sander Mateos +[axboe: rewrite comment in ublk] +Signed-off-by: Jens Axboe +[ The fix omits the change in __ublk_do_auto_buf_reg() since this function +doesn't exist in 6.1. 
] +Signed-off-by: Ruohan Lan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/ublk_drv.c | 28 ++++++++++++++++++++++++++-- + 1 file changed, 26 insertions(+), 2 deletions(-) + +--- a/drivers/block/ublk_drv.c ++++ b/drivers/block/ublk_drv.c +@@ -603,12 +603,20 @@ static inline bool ubq_daemon_is_dying(s + return ubq->ubq_daemon->flags & PF_EXITING; + } + ++static void ublk_end_request(struct request *req, blk_status_t error) ++{ ++ local_bh_disable(); ++ blk_mq_end_request(req, error); ++ local_bh_enable(); ++} ++ + /* todo: handle partial completion */ + static void ublk_complete_rq(struct request *req) + { + struct ublk_queue *ubq = req->mq_hctx->driver_data; + struct ublk_io *io = &ubq->ios[req->tag]; + unsigned int unmapped_bytes; ++ bool requeue; + + /* failed read IO if nothing is read */ + if (!io->res && req_op(req) == REQ_OP_READ) +@@ -641,7 +649,23 @@ static void ublk_complete_rq(struct requ + if (unlikely(unmapped_bytes < io->res)) + io->res = unmapped_bytes; + +- if (blk_update_request(req, BLK_STS_OK, io->res)) ++ /* ++ * Run bio->bi_end_io() with softirqs disabled. If the final fput ++ * happens off this path, then that will prevent ublk's blkdev_release() ++ * from being called on current's task work, see fput() implementation. ++ * ++ * Otherwise, ublk server may not provide forward progress in case of ++ * reading the partition table from bdev_open() with disk->open_mutex ++ * held, and causes dead lock as we could already be holding ++ * disk->open_mutex here. ++ * ++ * Preferably we would not be doing IO with a mutex held that is also ++ * used for release, but this work-around will suffice for now. 
++ */ ++ local_bh_disable(); ++ requeue = blk_update_request(req, BLK_STS_OK, io->res); ++ local_bh_enable(); ++ if (requeue) + blk_mq_requeue_request(req, true); + else + __blk_mq_end_request(req, BLK_STS_OK); +@@ -694,7 +718,7 @@ static inline void __ublk_abort_rq(struc + if (ublk_queue_can_use_recovery(ubq)) + blk_mq_requeue_request(rq, false); + else +- blk_mq_end_request(rq, BLK_STS_IOERR); ++ ublk_end_request(rq, BLK_STS_IOERR); + + mod_delayed_work(system_wq, &ubq->dev->monitor_work, 0); + }
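Review bot: `ublk_end_request()` in the first hunk carries no comment, while the rationale for wrapping the completion in `local_bh_disable()`/`local_bh_enable()` lives in the long comment inside `ublk_complete_rq()` further down; a reader arriving at the helper from `__ublk_abort_rq()` has no pointer to it. Suggest a short comment above the helper: `/* End the request with softirqs disabled so a final fput() on the ublk bdev cannot run blkdev_release() from the current task's task work; see the comment in ublk_complete_rq(). */`. Separately, this backport converts only the `__ublk_abort_rq()` call site; if the 6.1 file still has another direct `blk_mq_end_request(req, BLK_STS_IOERR)` on the daemon-exit abort path (I believe `__ublk_fail_req()` does, but it is outside this hunk), routing it through `ublk_end_request()` as well would keep the backport uniform with the upstream intent.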