From 4f8df56b9bab63e77d1796fc472af546e31a735b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 21 Jan 2026 18:23:05 +0100
Subject: [PATCH] 6.18-stable patches

added patches:
	revert-functionfs-fix-the-open-removal-races.patch
---
 ...unctionfs-fix-the-open-removal-races.patch | 119 ++++++++++++++++++
 queue-6.18/series                             |   1 +
 2 files changed, 120 insertions(+)
 create mode 100644 queue-6.18/revert-functionfs-fix-the-open-removal-races.patch

diff --git a/queue-6.18/revert-functionfs-fix-the-open-removal-races.patch b/queue-6.18/revert-functionfs-fix-the-open-removal-races.patch
new file mode 100644
index 0000000000..3a0aa1d6ca
--- /dev/null
+++ b/queue-6.18/revert-functionfs-fix-the-open-removal-races.patch
@@ -0,0 +1,119 @@
+From 5b6d9e8ab44740e7cab1f0cc5e12ea849007e078 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 21 Jan 2026 18:21:16 +0100
+Subject: Revert "functionfs: fix the open/removal races"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This reverts commit b49c766856fb5901490de577e046149ebf15e39d which is
+commit e5bf5ee266633cb18fff6f98f0b7d59a62819eee upstream.
+
+It has been reported to cause test problems in Android devices.  As the
+other functionfs changes were not also backported at the same time,
+something is out of sync.  So just revert this one for now and it can
+come back in the future as a patch series if it is tested.
+
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c |   53 ++++++-------------------------------
+ 1 file changed, 10 insertions(+), 43 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -640,22 +640,13 @@ done_mutex:
+ 
+ static int ffs_ep0_open(struct inode *inode, struct file *file)
+ {
+-	struct ffs_data *ffs = inode->i_sb->s_fs_info;
+-	int ret;
+-
+-	/* Acquire mutex */
+-	ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK);
+-	if (ret < 0)
+-		return ret;
++	struct ffs_data *ffs = inode->i_private;
+ 
+-	ffs_data_opened(ffs);
+-	if (ffs->state == FFS_CLOSING) {
+-		ffs_data_closed(ffs);
+-		mutex_unlock(&ffs->mutex);
++	if (ffs->state == FFS_CLOSING)
+ 		return -EBUSY;
+-	}
+-	mutex_unlock(&ffs->mutex);
++
+ 	file->private_data = ffs;
++	ffs_data_opened(ffs);
+ 
+ 	return stream_open(inode, file);
+ }
+@@ -1202,33 +1193,14 @@ error:
+ static int
+ ffs_epfile_open(struct inode *inode, struct file *file)
+ {
+-	struct ffs_data *ffs = inode->i_sb->s_fs_info;
+-	struct ffs_epfile *epfile;
+-	int ret;
+-
+-	/* Acquire mutex */
+-	ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK);
+-	if (ret < 0)
+-		return ret;
++	struct ffs_epfile *epfile = inode->i_private;
+ 
+-	if (!atomic_inc_not_zero(&ffs->opened)) {
+-		mutex_unlock(&ffs->mutex);
+-		return -ENODEV;
+-	}
+-	/*
+-	 * we want the state to be FFS_ACTIVE; FFS_ACTIVE alone is
+-	 * not enough, though - we might have been through FFS_CLOSING
+-	 * and back to FFS_ACTIVE, with our file already removed.
+-	 */
+-	epfile = smp_load_acquire(&inode->i_private);
+-	if (unlikely(ffs->state != FFS_ACTIVE || !epfile)) {
+-		mutex_unlock(&ffs->mutex);
+-		ffs_data_closed(ffs);
++	if (WARN_ON(epfile->ffs->state != FFS_ACTIVE))
+ 		return -ENODEV;
+-	}
+-	mutex_unlock(&ffs->mutex);
+ 
+ 	file->private_data = epfile;
++	ffs_data_opened(epfile->ffs);
++
+ 	return stream_open(inode, file);
+ }
+ 
+@@ -1360,7 +1332,7 @@ static void ffs_dmabuf_put(struct dma_bu
+ static int
+ ffs_epfile_release(struct inode *inode, struct file *file)
+ {
+-	struct ffs_epfile *epfile = file->private_data;
++	struct ffs_epfile *epfile = inode->i_private;
+ 	struct ffs_dmabuf_priv *priv, *tmp;
+ 	struct ffs_data *ffs = epfile->ffs;
+ 
+@@ -2380,11 +2352,6 @@ static int ffs_epfiles_create(struct ffs
+ 	return 0;
+ }
+ 
+-static void clear_one(struct dentry *dentry)
+-{
+-	smp_store_release(&dentry->d_inode->i_private, NULL);
+-}
+-
+ static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count)
+ {
+ 	struct ffs_epfile *epfile = epfiles;
+@@ -2392,7 +2359,7 @@ static void ffs_epfiles_destroy(struct f
+ 	for (; count; --count, ++epfile) {
+ 		BUG_ON(mutex_is_locked(&epfile->mutex));
+ 		if (epfile->dentry) {
+-			simple_recursive_removal(epfile->dentry, clear_one);
++			simple_recursive_removal(epfile->dentry, NULL);
+ 			epfile->dentry = NULL;
+ 		}
+ 	}
diff --git a/queue-6.18/series b/queue-6.18/series
index cb86c1f6d8..1032b9bc7e 100644
--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -194,3 +194,4 @@ btrfs-fix-deadlock-in-wait_current_trans-due-to-ignored-transaction-type.patch
 mm-page_alloc-vmstat-simplify-refresh_cpu_vm_stats-change-detection.patch
 mm-page_alloc-batch-page-freeing-in-decay_pcp_high.patch
 mm-page_alloc-prevent-pcp-corruption-with-smp-n.patch
+revert-functionfs-fix-the-open-removal-races.patch
-- 
2.47.3