6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 23 Apr 2026 11:22:59 +0000 (13:22 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 23 Apr 2026 11:22:59 +0000 (13:22 +0200)
added patches:
kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch
ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
ocfs2-validate-inline-data-i_size-during-inode-read.patch
pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch
revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch
rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
scripts-generate_rust_analyzer.py-define-scripts.patch

queue-6.6/kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch [new file with mode: 0644]
queue-6.6/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch [new file with mode: 0644]
queue-6.6/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch [new file with mode: 0644]
queue-6.6/ocfs2-validate-inline-data-i_size-during-inode-read.patch [new file with mode: 0644]
queue-6.6/pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch [new file with mode: 0644]
queue-6.6/revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch [new file with mode: 0644]
queue-6.6/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch [new file with mode: 0644]
queue-6.6/scripts-generate_rust_analyzer.py-define-scripts.patch [new file with mode: 0644]
queue-6.6/series

diff --git a/queue-6.6/kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch b/queue-6.6/kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch
new file mode 100644 (file)
index 0000000..761c604
--- /dev/null
@@ -0,0 +1,154 @@
+From stable+bounces-236129-greg=kroah.com@vger.kernel.org Mon Apr 13 17:05:40 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 10:58:35 -0400
+Subject: KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs
+To: stable@vger.kernel.org
+Cc: David Woodhouse <dwmw@amazon.co.uk>, Sean Christopherson <seanjc@google.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260413145835.2969194-1-sashal@kernel.org>
+
+From: David Woodhouse <dwmw@amazon.co.uk>
+
+[ Upstream commit 2619da73bb2f10d88f7e1087125c40144fdf0987 ]
+
+Commit 94dfc73e7cf4 ("treewide: uapi: Replace zero-length arrays with
+flexible-array members") broke the userspace API for C++.
+
+These structures ending in VLAs are typically a *header*, which can be
+followed by an arbitrary number of entries. Userspace typically creates
+a larger structure with some non-zero number of entries, for example in
+QEMU's kvm_arch_get_supported_msr_feature():
+
+    struct {
+        struct kvm_msrs info;
+        struct kvm_msr_entry entries[1];
+    } msr_data = {};
+
+While that works in C, it fails in C++ with an error like:
+ flexible array member 'kvm_msrs::entries' not at end of 'struct msr_data'
+
+Fix this by using __DECLARE_FLEX_ARRAY() for the VLA, which uses [0]
+for C++ compilation.
+
+Fixes: 94dfc73e7cf4 ("treewide: uapi: Replace zero-length arrays with flexible-array members")
+Cc: stable@vger.kernel.org
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
+Link: https://patch.msgid.link/3abaf6aefd6e5efeff3b860ac38421d9dec908db.camel@infradead.org
+[sean: tag for stable@]
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+[ applied `__DECLARE_FLEX_ARRAY(char, name)` change directly instead of inside missing `#ifdef __KERNEL__` else branch ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/uapi/asm/kvm.h |   12 ++++++------
+ include/uapi/linux/kvm.h        |   11 ++++++-----
+ 2 files changed, 12 insertions(+), 11 deletions(-)
+
+--- a/arch/x86/include/uapi/asm/kvm.h
++++ b/arch/x86/include/uapi/asm/kvm.h
+@@ -191,13 +191,13 @@ struct kvm_msrs {
+       __u32 nmsrs; /* number of msrs in entries */
+       __u32 pad;
+-      struct kvm_msr_entry entries[];
++      __DECLARE_FLEX_ARRAY(struct kvm_msr_entry, entries);
+ };
+ /* for KVM_GET_MSR_INDEX_LIST */
+ struct kvm_msr_list {
+       __u32 nmsrs; /* number of msrs in entries */
+-      __u32 indices[];
++      __DECLARE_FLEX_ARRAY(__u32, indices);
+ };
+ /* Maximum size of any access bitmap in bytes */
+@@ -239,7 +239,7 @@ struct kvm_cpuid_entry {
+ struct kvm_cpuid {
+       __u32 nent;
+       __u32 padding;
+-      struct kvm_cpuid_entry entries[];
++      __DECLARE_FLEX_ARRAY(struct kvm_cpuid_entry, entries);
+ };
+ struct kvm_cpuid_entry2 {
+@@ -261,7 +261,7 @@ struct kvm_cpuid_entry2 {
+ struct kvm_cpuid2 {
+       __u32 nent;
+       __u32 padding;
+-      struct kvm_cpuid_entry2 entries[];
++      __DECLARE_FLEX_ARRAY(struct kvm_cpuid_entry2, entries);
+ };
+ /* for KVM_GET_PIT and KVM_SET_PIT */
+@@ -392,7 +392,7 @@ struct kvm_xsave {
+        * the contents of CPUID leaf 0xD on the host.
+        */
+       __u32 region[1024];
+-      __u32 extra[];
++      __DECLARE_FLEX_ARRAY(__u32, extra);
+ };
+ #define KVM_MAX_XCRS  16
+@@ -520,7 +520,7 @@ struct kvm_pmu_event_filter {
+       __u32 fixed_counter_bitmap;
+       __u32 flags;
+       __u32 pad[4];
+-      __u64 events[];
++      __DECLARE_FLEX_ARRAY(__u64, events);
+ };
+ #define KVM_PMU_EVENT_ALLOW 0
+--- a/include/uapi/linux/kvm.h
++++ b/include/uapi/linux/kvm.h
+@@ -11,6 +11,7 @@
+ #include <linux/const.h>
+ #include <linux/types.h>
+ #include <linux/compiler.h>
++#include <linux/stddef.h>
+ #include <linux/ioctl.h>
+ #include <asm/kvm.h>
+@@ -556,7 +557,7 @@ struct kvm_coalesced_mmio {
+ struct kvm_coalesced_mmio_ring {
+       __u32 first, last;
+-      struct kvm_coalesced_mmio coalesced_mmio[];
++      __DECLARE_FLEX_ARRAY(struct kvm_coalesced_mmio, coalesced_mmio);
+ };
+ #define KVM_COALESCED_MMIO_MAX \
+@@ -643,7 +644,7 @@ struct kvm_clear_dirty_log {
+ /* for KVM_SET_SIGNAL_MASK */
+ struct kvm_signal_mask {
+       __u32 len;
+-      __u8  sigset[];
++      __DECLARE_FLEX_ARRAY(__u8, sigset);
+ };
+ /* for KVM_TPR_ACCESS_REPORTING */
+@@ -1256,7 +1257,7 @@ struct kvm_irq_routing_entry {
+ struct kvm_irq_routing {
+       __u32 nr;
+       __u32 flags;
+-      struct kvm_irq_routing_entry entries[];
++      __DECLARE_FLEX_ARRAY(struct kvm_irq_routing_entry, entries);
+ };
+ #endif
+@@ -1377,7 +1378,7 @@ struct kvm_dirty_tlb {
+ struct kvm_reg_list {
+       __u64 n; /* number of regs */
+-      __u64 reg[];
++      __DECLARE_FLEX_ARRAY(__u64, reg);
+ };
+ struct kvm_one_reg {
+@@ -2211,7 +2212,7 @@ struct kvm_stats_desc {
+       __u16 size;
+       __u32 offset;
+       __u32 bucket_size;
+-      char name[];
++      __DECLARE_FLEX_ARRAY(char, name);
+ };
+ #define KVM_GET_STATS_FD  _IO(KVMIO,  0xce)
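Review bot: The hunks against arch/x86/include/uapi/asm/kvm.h start using `__DECLARE_FLEX_ARRAY()` but, unlike the include/uapi/linux/kvm.h part, add no `#include <linux/stddef.h>` to that header. Its include block is outside the hunks shown, so this may already be covered; if it is not, userspace that includes <asm/kvm.h> on its own would no longer compile. Adding `#include <linux/stddef.h>` next to the existing includes there would keep the header self-contained regardless of include order.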
diff --git a/queue-6.6/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch b/queue-6.6/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
new file mode 100644 (file)
index 0000000..1eb1ace
--- /dev/null
@@ -0,0 +1,53 @@
+From stable+bounces-236144-greg=kroah.com@vger.kernel.org Mon Apr 13 17:35:38 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 11:35:28 -0400
+Subject: ocfs2: add inline inode consistency check to ocfs2_validate_inode_block()
+To: stable@vger.kernel.org
+Cc: Dmitry Antipov <dmantipov@yandex.ru>, syzbot+c16daba279a1161acfb0@syzkaller.appspotmail.com, Joseph Qi <joseph.qi@linux.alibaba.com>, Joseph Qi <jiangqi903@gmail.com>, Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>, Junxiao Bi <junxiao.bi@oracle.com>, Changwei Ge <gechangwei@live.cn>, Jun Piao <piaojun@huawei.com>, Heming Zhao <heming.zhao@suse.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260413153531.3097531-1-sashal@kernel.org>
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit a2b1c419ff72ec62ff5831684e30cd1d4f0b09ee ]
+
+In 'ocfs2_validate_inode_block()', add an extra check whether an inode
+with inline data (i.e.  self-contained) has no clusters, thus preventing
+an invalid inode from being passed to 'ocfs2_evict_inode()' and below.
+
+Link: https://lkml.kernel.org/r/20251023141650.417129-1-dmantipov@yandex.ru
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Reported-by: syzbot+c16daba279a1161acfb0@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c16daba279a1161acfb0
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Heming Zhao <heming.zhao@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/inode.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1419,6 +1419,14 @@ int ocfs2_validate_inode_block(struct su
+               goto bail;
+       }
++      if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
++          le32_to_cpu(di->i_clusters)) {
++              rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
++                               (unsigned long long)bh->b_blocknr,
++                               le32_to_cpu(di->i_clusters));
++              goto bail;
++      }
++
+       rc = 0;
+ bail:
diff --git a/queue-6.6/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch b/queue-6.6/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
new file mode 100644 (file)
index 0000000..f6d3cb0
--- /dev/null
@@ -0,0 +1,77 @@
+From stable+bounces-236146-greg=kroah.com@vger.kernel.org Mon Apr 13 17:44:00 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 11:35:30 -0400
+Subject: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
+To: stable@vger.kernel.org
+Cc: Joseph Qi <joseph.qi@linux.alibaba.com>, syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com, Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>, Junxiao Bi <junxiao.bi@oracle.com>, Changwei Ge <gechangwei@live.cn>, Jun Piao <piaojun@huawei.com>, Heming Zhao <heming.zhao@suse.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260413153531.3097531-3-sashal@kernel.org>
+
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+
+[ Upstream commit 7bc5da4842bed3252d26e742213741a4d0ac1b14 ]
+
+KASAN reports a use-after-free write of 4086 bytes in
+ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a
+copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on
+a loop device.  The actual bug is an out-of-bounds write past the inode
+block buffer, not a true use-after-free.  The write overflows into an
+adjacent freed page, which KASAN reports as UAF.
+
+The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk
+id_count field to determine whether a write fits in inline data.  On a
+corrupted filesystem, id_count can exceed the physical maximum inline data
+capacity, causing writes to overflow the inode block buffer.
+
+Call trace (crash path):
+
+   vfs_copy_file_range (fs/read_write.c:1634)
+     do_splice_direct
+       splice_direct_to_actor
+         iter_file_splice_write
+           ocfs2_file_write_iter
+             generic_perform_write
+               ocfs2_write_end
+                 ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)
+                   ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)
+                     memcpy_from_folio     <-- KASAN: write OOB
+
+So add id_count upper bound check in ocfs2_validate_inode_block() to
+alongside the existing i_size check to fix it.
+
+Link: https://lkml.kernel.org/r/20260403063830.3662739-1-joseph.qi@linux.alibaba.com
+Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reported-by: syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=62c1793956716ea8b28a
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Heming Zhao <heming.zhao@suse.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/inode.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1430,6 +1430,16 @@ int ocfs2_validate_inode_block(struct su
+                       goto bail;
+               }
++              if (le16_to_cpu(data->id_count) >
++                  ocfs2_max_inline_data_with_xattr(sb, di)) {
++                      rc = ocfs2_error(sb,
++                                       "Invalid dinode #%llu: inline data id_count %u exceeds max %d\n",
++                                       (unsigned long long)bh->b_blocknr,
++                                       le16_to_cpu(data->id_count),
++                                       ocfs2_max_inline_data_with_xattr(sb, di));
++                      goto bail;
++              }
++
+               if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) {
+                       rc = ocfs2_error(sb,
+                                        "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n",
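Review bot: The order of the two inline-data checks is load-bearing but undocumented: the `i_size > id_count` test that follows only bounds i_size by the inode block once id_count itself has been bounded here. A short comment above the new test, e.g. `/* id_count is read from disk; bound it by the block before it is used to bound i_size */`, would keep a later reordering from silently weakening the validation. The limit is also computed twice from the same on-disk dinode; a local such as `int max_inline = ocfs2_max_inline_data_with_xattr(sb, di);` would let the comparison and the message use one value. The function body continues outside the hunk.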
diff --git a/queue-6.6/ocfs2-validate-inline-data-i_size-during-inode-read.patch b/queue-6.6/ocfs2-validate-inline-data-i_size-during-inode-read.patch
new file mode 100644 (file)
index 0000000..27b2a50
--- /dev/null
@@ -0,0 +1,88 @@
+From stable+bounces-236145-greg=kroah.com@vger.kernel.org Mon Apr 13 17:37:38 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 11:35:29 -0400
+Subject: ocfs2: validate inline data i_size during inode read
+To: stable@vger.kernel.org
+Cc: Deepanshu Kartikey <kartikey406@gmail.com>, syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com, Joseph Qi <joseph.qi@linux.alibaba.com>, Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>, Junxiao Bi <junxiao.bi@oracle.com>, Changwei Ge <gechangwei@live.cn>, Jun Piao <piaojun@huawei.com>, Heming Zhao <heming.zhao@suse.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260413153531.3097531-2-sashal@kernel.org>
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+[ Upstream commit 1524af3685b35feac76662cc551cbc37bd14775f ]
+
+When reading an inode from disk, ocfs2_validate_inode_block() performs
+various sanity checks but does not validate the size of inline data.  If
+the filesystem is corrupted, an inode's i_size can exceed the actual
+inline data capacity (id_count).
+
+This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data
+buffer, triggering a use-after-free when accessing directory entries from
+freed memory.
+
+In the syzbot report:
+  - i_size was 1099511627576 bytes (~1TB)
+  - Actual inline data capacity (id_count) is typically <256 bytes
+  - A garbage rec_len (54648) caused ctx->pos to jump out of bounds
+  - This triggered a UAF in ocfs2_check_dir_entry()
+
+Fix by adding a validation check in ocfs2_validate_inode_block() to ensure
+inodes with inline data have i_size <= id_count.  This catches the
+corruption early during inode read and prevents all downstream code from
+operating on invalid data.
+
+Link: https://lkml.kernel.org/r/20251212052132.16750-1-kartikey406@gmail.com
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Reported-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c897823f699449cc3eb4
+Tested-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/all/20251211115231.3560028-1-kartikey406@gmail.com/T/ [v1]
+Link: https://lore.kernel.org/all/20251212040400.6377-1-kartikey406@gmail.com/T/ [v2]
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Heming Zhao <heming.zhao@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/inode.c |   25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1419,12 +1419,25 @@ int ocfs2_validate_inode_block(struct su
+               goto bail;
+       }
+-      if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
+-          le32_to_cpu(di->i_clusters)) {
+-              rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
+-                               (unsigned long long)bh->b_blocknr,
+-                               le32_to_cpu(di->i_clusters));
+-              goto bail;
++      if (le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) {
++              struct ocfs2_inline_data *data = &di->id2.i_data;
++
++              if (le32_to_cpu(di->i_clusters)) {
++                      rc = ocfs2_error(sb,
++                                       "Invalid dinode %llu: %u clusters\n",
++                                       (unsigned long long)bh->b_blocknr,
++                                       le32_to_cpu(di->i_clusters));
++                      goto bail;
++              }
++
++              if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) {
++                      rc = ocfs2_error(sb,
++                                       "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n",
++                                       (unsigned long long)bh->b_blocknr,
++                                       (unsigned long long)le64_to_cpu(di->i_size),
++                                       le16_to_cpu(data->id_count));
++                      goto bail;
++              }
+       }
+       rc = 0;
diff --git a/queue-6.6/pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch b/queue-6.6/pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch
new file mode 100644 (file)
index 0000000..be4cb50
--- /dev/null
@@ -0,0 +1,49 @@
+From stable+bounces-239958-greg=kroah.com@vger.kernel.org Mon Apr 20 19:18:08 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Apr 2026 13:18:01 -0400
+Subject: PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
+To: stable@vger.kernel.org
+Cc: Koichiro Den <den@valinux.co.jp>, Manivannan Sadhasivam <mani@kernel.org>, Frank Li <Frank.Li@nxp.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260420171801.1388436-1-sashal@kernel.org>
+
+From: Koichiro Den <den@valinux.co.jp>
+
+[ Upstream commit d799984233a50abd2667a7d17a9a710a3f10ebe2 ]
+
+Disable the delayed work before clearing BAR mappings and doorbells to
+avoid running the handler after resources have been torn down.
+
+  Unable to handle kernel paging request at virtual address ffff800083f46004
+  [...]
+  Internal error: Oops: 0000000096000007 [#1]  SMP
+  [...]
+  Call trace:
+   epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P)
+   process_one_work+0x154/0x3b0
+   worker_thread+0x2c8/0x400
+   kthread+0x148/0x210
+   ret_from_fork+0x10/0x20
+
+Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP")
+Signed-off-by: Koichiro Den <den@valinux.co.jp>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260226084142.2226875-4-den@valinux.co.jp
+[ replaced disable_delayed_work_sync() with cancel_delayed_work_sync() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/functions/pci-epf-vntb.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c
++++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c
+@@ -798,6 +798,7 @@ err_config_interrupt:
+  */
+ static void epf_ntb_epc_cleanup(struct epf_ntb *ntb)
+ {
++      cancel_delayed_work_sync(&ntb->cmd_handler);
+       epf_ntb_mw_bar_clear(ntb, ntb->num_mws);
+       epf_ntb_db_bar_clear(ntb);
+       epf_ntb_config_sspad_bar_clear(ntb);
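Review bot: `cancel_delayed_work_sync(&ntb->cmd_handler);` cancels a pending instance and waits for a running one, but unlike the `disable_delayed_work_sync()` that the backport note says was used upstream, it does not block a later queueing of the same work. If any path other than the handler itself can queue cmd_handler while teardown is in progress (the queueing sites are outside the hunk), the handler could still run against the BAR mappings that the following calls clear. A comment here stating why no re-queue is possible at this point in this tree would make the weaker guarantee of the substitution explicit.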
diff --git a/queue-6.6/revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch b/queue-6.6/revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch
new file mode 100644 (file)
index 0000000..240208c
--- /dev/null
@@ -0,0 +1,36 @@
+From stable+bounces-237706-greg=kroah.com@vger.kernel.org Tue Apr 14 04:47:26 2026
+From: guocai.he.cn@windriver.com
+Date: Tue, 14 Apr 2026 10:46:34 +0800
+Subject: Revert "wifi: cfg80211: stop NAN and P2P in cfg80211_leave"
+To: gregkh@linuxfoundation.org
+Cc: stable@vger.kernel.org, johannes.berg@intel.com, netdev@vger.kernel.org, regressions@lists.linux.dev, miriam.rachel.korenblit@intel.com, linux-kernel@vger.kernel.org
+Message-ID: <20260414024634.2826229-1-guocai.he.cn@windriver.com>
+
+From: Guocai He <guocai.he.cn@windriver.com>
+
+This reverts commit 4d7a05da767e5cbcf4db511b9289d7ebd380dc56 which is commit
+e1696c8bd0056bc1a5f7766f58ac333adc203e8a upstream.
+
+The reverted patch introduced a deadlock. The locking situation in mainline is
+totally different, so it is incorrect to directly backport the commit from mainline.
+
+Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/core.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -1332,10 +1332,8 @@ void __cfg80211_leave(struct cfg80211_re
+               __cfg80211_leave_ocb(rdev, dev);
+               break;
+       case NL80211_IFTYPE_P2P_DEVICE:
+-              cfg80211_stop_p2p_device(rdev, wdev);
+-              break;
+       case NL80211_IFTYPE_NAN:
+-              cfg80211_stop_nan(rdev, wdev);
++              /* cannot happen, has no netdev */
+               break;
+       case NL80211_IFTYPE_AP_VLAN:
+       case NL80211_IFTYPE_MONITOR:
diff --git a/queue-6.6/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch b/queue-6.6/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
new file mode 100644 (file)
index 0000000..130121a
--- /dev/null
@@ -0,0 +1,63 @@
+From stable+bounces-237669-greg=kroah.com@vger.kernel.org Tue Apr 14 00:27:30 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 18:27:13 -0400
+Subject: rxrpc: Fix key quota calculation for multitoken keys
+To: stable@vger.kernel.org
+Cc: David Howells <dhowells@redhat.com>, Marc Dionne <marc.dionne@auristor.com>, Jeffrey Altman <jaltman@auristor.com>, Simon Horman <horms@kernel.org>, linux-afs@lists.infradead.org, stable@kernel.org, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260413222713.3754983-1-sashal@kernel.org>
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit bdbfead6d38979475df0c2f4bad2b19394fe9bdc ]
+
+In the rxrpc key preparsing, every token extracted sets the proposed quota
+value, but for multitoken keys, this will overwrite the previous proposed
+quota, losing it.
+
+Fix this by adding to the proposed quota instead.
+
+Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing")
+Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Jeffrey Altman <jaltman@auristor.com>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/20260408121252.2249051-2-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ dropped hunk for rxrpc_preparse_xdr_yfs_rxgk() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/key.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -72,7 +72,7 @@ static int rxrpc_preparse_xdr_rxkad(stru
+               return -EKEYREJECTED;
+       plen = sizeof(*token) + sizeof(*token->kad) + tktlen;
+-      prep->quotalen = datalen + plen;
++      prep->quotalen += datalen + plen;
+       plen -= sizeof(*token);
+       token = kzalloc(sizeof(*token), GFP_KERNEL);
+@@ -303,6 +303,7 @@ static int rxrpc_preparse(struct key_pre
+       memcpy(&kver, prep->data, sizeof(kver));
+       prep->data += sizeof(kver);
+       prep->datalen -= sizeof(kver);
++      prep->quotalen = 0;
+       _debug("KEY I/F VERSION: %u", kver);
+@@ -340,7 +341,7 @@ static int rxrpc_preparse(struct key_pre
+               goto error;
+       plen = sizeof(*token->kad) + v1->ticket_length;
+-      prep->quotalen = plen + sizeof(*token);
++      prep->quotalen += plen + sizeof(*token);
+       ret = -ENOMEM;
+       token = kzalloc(sizeof(*token), GFP_KERNEL);
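Review bot: In rxrpc_preparse_xdr_rxkad(), `prep->quotalen += datalen + plen;` now adds `datalen` once per token. If `datalen` is the length of the whole key payload rather than of this token's slice (its origin is outside the hunk), a key with N tokens is charged N times the payload length. That errs toward over-charging the quota, which is the safe direction, but a comment such as `/* datalen is charged once per token */` would show it is intended. The running sum is also unchecked here; presumably the token count and lengths are bounded earlier in the parser, which is worth confirming for this tree.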
diff --git a/queue-6.6/scripts-generate_rust_analyzer.py-define-scripts.patch b/queue-6.6/scripts-generate_rust_analyzer.py-define-scripts.patch
new file mode 100644 (file)
index 0000000..26ef292
--- /dev/null
@@ -0,0 +1,63 @@
+From stable+bounces-239942-greg=kroah.com@vger.kernel.org Mon Apr 20 19:02:26 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Apr 2026 12:25:12 -0400
+Subject: scripts: generate_rust_analyzer.py: define scripts
+To: stable@vger.kernel.org
+Cc: Tamir Duberstein <tamird@kernel.org>, Daniel Almeida <daniel.almeida@collabora.com>, Fiona Behrens <me@kloenk.dev>, Trevor Gross <tmgross@umich.edu>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260420162512.1267976-1-sashal@kernel.org>
+
+From: Tamir Duberstein <tamird@kernel.org>
+
+[ Upstream commit 36c619f6bd793493294becb10a02fea370b67a91 ]
+
+Add IDE support for host-side scripts written in Rust. This support has
+been missing since these scripts were initially added in commit
+9a8ff24ce584 ("scripts: add `generate_rust_target.rs`"), thus add it.
+
+Change the existing instance of extension stripping to
+`pathlib.Path.stem` to maintain code consistency.
+
+Fixes: 9a8ff24ce584 ("scripts: add `generate_rust_target.rs`")
+Cc: stable@vger.kernel.org
+Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
+Reviewed-by: Fiona Behrens <me@kloenk.dev>
+Reviewed-by: Trevor Gross <tmgross@umich.edu>
+Link: https://patch.msgid.link/20260122-rust-analyzer-scripts-v1-1-ff6ba278170e@kernel.org
+Signed-off-by: Tamir Duberstein <tamird@kernel.org>
+[ changed `[std]` dep to `["std"]` and kept untyped `is_root_crate()` ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/generate_rust_analyzer.py |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/scripts/generate_rust_analyzer.py
++++ b/scripts/generate_rust_analyzer.py
+@@ -119,6 +119,18 @@ def generate_crates(srctree, objtree, sy
+         "exclude_dirs": [],
+     }
++    scripts = srctree / "scripts"
++    makefile = (scripts / "Makefile").read_text()
++    for path in scripts.glob("*.rs"):
++        name = path.stem
++        if f"{name}-rust" not in makefile:
++            continue
++        append_crate(
++            name,
++            path,
++            ["std"],
++        )
++
+     def is_root_crate(build_file, target):
+         try:
+             contents = build_file.read_text()
+@@ -135,7 +147,7 @@ def generate_crates(srctree, objtree, sy
+     for folder in extra_dirs:
+         for path in folder.rglob("*.rs"):
+             logging.info("Checking %s", path)
+-            name = path.name.replace(".rs", "")
++            name = path.stem
+             # Skip those that are not crate roots.
+             if not is_root_crate(path.parent / "Makefile", name) and \
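Review bot: `if f"{name}-rust" not in makefile:` is a substring test over the whole text of scripts/Makefile, so it also matches commented-out lines and longer names that merely end in the same stem (a `foo.rs` would match a `barfoo-rust` entry). Comparing against whole tokens, for example `if f"{name}-rust" not in makefile.split():`, keeps the check as simple while avoiding false positives. generate_crates() starts and ends outside the hunk.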
index 06f10262c7bc87f8b4505739f4230f0dee8d7b53..cd9d9d4c4b55bb8d8b5ee166e576ff700ce3260e 100644 (file)
@@ -131,3 +131,11 @@ wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch
 net-ethernet-mtk_eth_soc-initialize-ppe-per-tag-laye.patch
 i40e-fix-preempt-count-leak-in-napi-poll-tracepoint.patch
 net-annotate-data-races-around-sk-sk_-data_ready-wri.patch
+pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch
+scripts-generate_rust_analyzer.py-define-scripts.patch
+kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch
+rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
+ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
+ocfs2-validate-inline-data-i_size-during-inode-read.patch
+ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
+revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch